coreos-status May 2022

coreos-status@lists.fedoraproject.org

3 participants
3 discussions

Format change for Nutanix artifact
by Sohan Kunkerkar 19 May '22

19 May '22

Hi all, The format of the Fedora CoreOS Nutanix image will change [1] in the next release of the Fedora CoreOS `next` and `testing` streams. Current releases ship the Nutanix image as a qcow2 file wrapped with xz compression (`qcow2.xz`). Future releases will switch to a qcow2 file without any wrapper (`qcow2`), internally compressed with qcow2's built-in compression support. Following the usual release schedule, this change will promote to the `stable` stream two weeks after the `next` and `testing` releases. We are making this change to support direct uploading of Fedora CoreOS images into Nutanix AHV using the Nutanix Prism API. This allows users to avoid manually downloading, decompressing, and re-uploading Fedora CoreOS images when adding them to Nutanix Prism Central. If you use the Nutanix image, you will need to adjust your workflow [2] for adding Fedora CoreOS images to Nutanix AHV. If you do not use the Nutanix image, this change will not affect you. If you have any questions or concerns, or expect this change to break a critical workflow, please contact us via `#fedora-coreos` on Libera.Chat or file an issue in the Fedora CoreOS tracker [3]. --Sohan Kunkerkar, for the Fedora CoreOS team [1]: https://github.com/coreos/coreos-assembler/pull/2848 [2]: https://docs.fedoraproject.org/en-US/fedora-coreos/provisioning-nutanix/#_u… [3]: https://github.com/coreos/fedora-coreos-tracker/issues/new/choose

1 0

Ignition config accessible to unprivileged software on VMware
by Benjamin Gilbert 19 May '22

19 May '22

Hi all, Unprivileged software in VMware VMs, including software running in unprivileged containers, can retrieve an Ignition config stored in a hypervisor guestinfo variable or OVF environment. If the Ignition config contains secrets, this can result in the compromise of sensitive information. Starting with next week's Fedora CoreOS `testing` and `next` releases, Ignition will delete the Ignition config from supported hypervisors (currently VMware and VirtualBox) during the first boot. This ensures that unprivileged software cannot retrieve the Ignition config from the hypervisor. Existing machines will likewise delete the config when first upgraded to a new release. This change will be promoted to Fedora CoreOS `stable` after two weeks, as usual. Note that in general, we do not recommend storing secrets in Ignition configs [1]. In addition to VMware, many cloud platforms allow unprivileged software in a VM to retrieve the Ignition config from a networked cloud metadata service. While platform-specific mitigation is possible, such as firewall rules that prevent access to the metadata service, it's better to store secrets in a dedicated platform such as Hashicorp Vault [2]. If you have external tooling that requires the Ignition config to remain accessible in VM metadata after provisioning, and your Ignition config does not include sensitive information, you can prevent deletion by masking ignition-delete-config.service. For newly-launched machines: variant: fcos version: 1.0.0 systemd: units: - name: ignition-delete-config.service mask: true To prevent upgrades from affecting existing machines: $ sudo systemctl mask ignition-delete-config.service If you have any questions or concerns, contact us in #fedora-coreos on Libera.Chat or open an issue in the Fedora CoreOS tracker [3]. --Benjamin Gilbert, for the Fedora CoreOS team [1]: https://coreos.github.io/ignition/operator-notes/#secrets [2]: https://www.vaultproject.io/ [3]: https://github.com/coreos/fedora-coreos-tracker/issues/new/choose

1 0

Fedora CoreOS streams rebasing to Fedora Linux 36
by Dusty Mabe 09 May '22

09 May '22

Following our scheduling policy around Fedora major version releases [1] we will be rolling out the Fedora Linux 36 rebase over the next few weeks. This will start tomorrow with the `testing` stream. During this development cycle we continued to follow the Fedora Change process more closely [2] in order to provide a smoother transition of incoming Fedora Changes. We also closely watched our package additions/removals [3] to carefully evaluate any changes and determine if they were intentional. Current known issues: - network device IP doesn't get displayed to console [4] Notable transitions in the Fedora 36 rebase: - Podman 4.0, with some backwards incompatible changes [5] - iptables nft by default, along with auto-migration [6] Some highlights of recently added features/improvements: - added a VirtualBox artifact [7] and updated documentation [8] - added a Nutanix artifact [9] - added support for a minimal ISO image [10] - updated the VMWare OVA to use UEFI/SecureBoot by default [11] - added CI testing for Azure [12] Thanks to everyone who participated in the test week [13] and to everyone that follows the `testing` and `next` streams to help us identify and fix issues before they get to `stable`. Dusty Mabe, for the Fedora CoreOS team [1] https://github.com/coreos/fedora-coreos-tracker/blob/main/Design.md#major-f… [2] https://github.com/coreos/fedora-coreos-tracker/issues/918 [3] https://github.com/coreos/fedora-coreos-tracker/issues/1128 [4] https://github.com/coreos/fedora-coreos-tracker/issues/1153 [5] https://discussion.fedoraproject.org/t/fedora-coreos-moving-to-podman-v4/37… [6] https://discussion.fedoraproject.org/t/fedora-coreos-moving-to-iptables-nft… [7] https://github.com/coreos/fedora-coreos-tracker/issues/1008 [8] https://docs.fedoraproject.org/en-US/fedora-coreos/provisioning-virtualbox/ [9] https://github.com/coreos/fedora-coreos-tracker/issues/1007 [10] https://github.com/coreos/fedora-coreos-tracker/issues/868 [11] https://github.com/coreos/fedora-coreos-tracker/issues/1140 [12] https://github.com/coreos/fedora-coreos-tracker/issues/1020 [13] https://github.com/coreos/fedora-coreos-tracker/issues/1123#issuecomment-10…

1 0

2025

2024

2023

2022

2021

2020

2019

coreos-status May 2022