Releases: microsoft/azurelinux
3.0.20240401 Preview
This is the preview release for 3.0.20240401
2.0.20240301
Add golden containers src artifacts (#7664)
Fixed CVE-2023-42282 in nodejs. (#8159)
Patch CVE-2024-22667 in vim (#8147)
Patch CVE-2024-24806 in libuv (#8148)
Patch CVE-2024-24806 in nodejs18 (#8164)
Updates containers source for marinara updates (#8154)
Upgrade bind to 9.16.48 Fix CVE-2023-50387 (#8167)
Upgrade dnsmasq to 2.90 Fix CVE-2023-50387 (#8150)
Upgrade libgit2 to Version 1.6.5 to address CVE-2024-24575 (#8092)
Upgrade moby-compose to version 2.17.3 to address multiple CVEs (#8091)
Upgrade postgresql to version14.11 to fix CVE-2024-0985 (#8161)
Upgrade unbound to 1.19.1 Fix CVE-2023-50387 (#8170)
2.0.20240223
Add cleanup script to base images
Add container images source files to 2.0
Add dracut sub-package overlayfs.
Add epoch to libdwarf spec to fix versioning order
Add memcached container files
Add missing commit subject to patch 27 for kernel-hci
Add mysql user with package install
Add package nss-mdns v0.15.1
Add patch for azure-iot-sdk-c CVE-2024-21646
Add shadow-utils as a hard dependency for mysql package
Add sshkeys to user config
Add support for multiple cache inputs
Add upstream patch to kubevirt to force hp-volume- pod to respect blockdevices (IcM 467224770)
Added a cross-compilation subpackage for aarch64 into gcc.
Added cross-compilation binutils and kernel-headers.
Added initial doc about reading error logs.
Allow dracut info logs to be visible for baremetal base image
Backport Nvidia net/mlx5 patches to support 100G BOM in kernel-hci
Bump golang.org/x/crypto from 0.15.0 to 0.17.0 in /toolkit/tools
Enable Broadcom MPI3 Storage Controller Device Driver
Enable CONFIG_X86_IOPL_IOPERM
Fix a bug if condition to not skip processing sshkeys when sshkeypaths is empty
Fix cloud-init's ptest by by pinning pyest to 8.0.0
Fix mariadb install post script
Fix missing nobody user/group for nfs squash
Fix pytest version for python-virtualenv
Fix python urllib3 test
Fix runtime dependency for python3-virtualenv
Fix the change logs to keep correct published order
Fixed cloud-init tests.
Fixed merge leftovers in a coredns patch.
Image Customizer: Ensure ext4 formatting is consistent across build hosts
Image Customizer: Fix special directories and partition customization.
Image Customizer: Make either one of split partitions format and output image format required
Image Customizer: Use safeloopback.Loopback instead of ImageConnection for split partitions
Image Customizer: remove adduser-config.yaml file as it contains password field
Improved toolkit download handling (Specialcased 5XX errors during package downloads.
Introduce Rust virtiofsd package
Kata-CC: Enforce a restrictive pod security policy
Kata-CC: Upgrade to 0.6.3
Kata-cc: remove kernel-uvm-cvm references
Making GitHub Actions' permissions explicit.
Move hiera from Extended to Core
Patch CVE-2021-44716 in jx, cf-cli, keda, csi-driver-lvm, moby-cli,kube-vip-cloud-provider, node-problem-detector,git-lfs, local-path-provisioner, prometheus-node-exporter, rook, cri-tools, flannel, libcontainers-common, application-gateway-kubernetes-ingress
Patch CVE-2022-21698 in application-gateway-kubernetes-ingress, node-problem-detector, moby-buildx, moby-cli, moby-engine, nmi, local-path-provisioner, rook, prometheus-node-exporter, prometheus-process-exporter, kube-vip-cloud-provider
Patch CVE-2022-21698 in keda
Patch CVE-2023-44487 in jx, nginx, cf-cli, moby-containerd-cc, kubevirt, prometheus-node-exporter, keda, git-lfs, vitess, local-path-provisioner
Patch CVE-2023-50711 in cloud-hypervisor
Patch CVE-2024-21626 by patching vendored runc in kubernetes, kubevirt, cri-tools
Patch moby-engine CVEs: 2024-23651 and 2024-23652.
Patch coredns CVE-2023-44487 by patching vendor tar
Patch cve-2022-21698 in kube-vip-cloud-provider
Patch cve-2022-21698 in local-path-provisioner
Patch erlang for CVE-2023-48795
Patch openssl with null checks against ContentInfo
Patch python-jinja2 for CVE-2024-22195
Patch vendored go module quic-go for package coredns to address CVE-2023-49295
Patched CVE-2021-38593 in qt5-qtbase.
Remove /etc/host.conf from filesystem
Remove spec and references of kernel-uvm-cvm
Removed extra double quote in the toolkit.
Set ownership of virtiofsd package to Kata team
Shift user/group creation earlier in image build for rootfs image types
Sort, reorder and color build summary output
Split failing and passing tests in the summary.
Update dracut to allow supressing user confirmation prompt when the liveos overlay is backed by memory.
Upgrade golang to version 1.20.10 -> 1.21.6
Upgrade ca-certificates Msft cert change
Upgrade cloud-init to v23.4.1 and add patch to retain exit code for recoverable errors
Upgrade helm to version 3.13.2 -> 3.14.0 to address CVE-2023-44487
Upgrade kernel to 5.15.148.2 to CVE-2014-0069, CVE-2013-6381, CVE-2022-48619, CVE-2023-6531, CVE-2023-6546, CVE-2023-6622, CVE-2023-6817, CVE-2023-6915, CVE-2023-7192, CVE-2023-6931, CVE-2023-6932, CVE-2023-46343, CVE-2023-46862, CVE-2023-51042, CVE-2023-51043, CVE-2023-51780, CVE-2023-51781, CVE-2023-51782, CVE-2024-0607, CVE-2024-0639, CVE-2024-0641, CVE-2024-22705
Upgrade kernel-mos to 5.15.148.1
Upgrade lz4 to 1.9.4-1 to fix CVE-2021-3520
Upgrade msft-golang to version 1.20.11 -> 1.21.6
Upgrade sos to 4.6.1
Upgrade sriov-network-device-pluginfrom from 3.5.1 to 3.6.2
Upgrade tzdata to 2024a upgrade to version 2024a
Upgrade version skopeo from 1.13.3 -> 1.14.1 to address GHSA-jq35-85cj-fj4p
Upgrade NVIDIA/CUDA Driver to 535.129.03
Use main kernel for baremetal base image
2.0.20240123
This release reverts a change to the filesystem package which caused the use of "localhost" to return "::1" in some situations. Rather than fix the issue, we reverted the change.
2.0.20240117
Add DAILY_BUILD_REPO argument to support local developer builds with daily builds
Add patches for CVE-2023-48795
Containerized-Rpmbuild: Make tools only for build mode
Disable flaky test failures in python-gevent
Fix Skip Dracut Module and Mariner.cfg Update with no Verity Cfg.
Fix fluent-bit CVE-2023-52284
Fix postfix CVE-2023-51764
Fix reaper CVE-2023-26159
Fix sqlite CVE-2023-7104
Image Customizer: Resolves bug with SSH public key paths - support for relative path
Patch moby-cli for CVE-2023-48795
Patch qt5-qtbase for CVE-2023-51714
Remove -fvisibility=hidden build param
Remove CPython from %check pip3 install in cytools
Toolkit: fix worker chroot progress
Upgrade Kernel to version 5.15.145.2 for CVE-2023-6546
Upgrade and move libdwarf from extended to core
Upgrade kernel-mos to 5.15.145.2
Upgrade kured to 1.14.2 for vendored go CVE-2023-39325
Upgrade packer to 1.8.7 for CVE-2023-45286
Upgrade sudo to 1.9.15p5 for CVE-2023-42465
Workflows: bump setup-go to v5
2.0.20240112
Add /etc/host.conf with multi on
Add Backport for installonlypkgs to tdnf for Mariner 2.0
Add Initial Mariner OS Modifier (EMU) Files
Add Kata meta-package
Add grub2-mkconfig macros to initramfs postrans generation
Add moreutils package to mariner
Add package perl-Time-Duration to mariner
Add patch to netplan to force bring up devices with no IP addresses
Add quotatool package to Mariner
Add scriptlet to workaround rpm transaction limitation to update /media symlink to directory
Add support for squashfs image format
Add upstream patch to fix python-virtualenv test config
Add upstream patch, pin test dependency versions to fix python-daemon ptests
Added disable-newgroup-query-when-netgroup-base-is-not-set.patch
Address hyperv-daemon CVE-2023-6111 and CVE-2023-5972
Aligned Go package names with other ones for ccachemanager and azureblobstorage.
Bump gevent version to 21.1.2, add fix for CVE-2020-22217
Changed tools so only non-test package builds produce SRPMs
CodeQL Mariner toolkit
Create sources_dir correctly for containerized-rpmbuild
Disable faulty test_is_writable for python-distlib
Enable SELinux labelling for targzip rootFS image formats
Fix CVE-2020-8694, CVE-2020-8695 and CVE-2020-12912
Fix backtrace parsing in ocaml-ounit
Fix clamav reset of user and group on package update
Fix test runner invocation in future
Fix wget package tests by adding missing test dep
Image Customizer: Add support for kernel command-line
Image Customizer: Fix ext4 formatting
Image Customizer: Refresh initrd when partitions are customized
Image Customizer: Support for partition extraction - raw, raw-zstd
Image Customizer: initial dm-verity enablement by nbd.
Kata-CC: UVM - Enable extended attributes for tmpfs
Kata-containers-cc: add virtiofsd as a requirement
Kata-containers: drop qemu-kvm-core dependency
Move cpp-hocon from extended to core
Move docbook2X package from Extended to Core
Move package catch1 from extended to core
Move package leatherman from extended to core
Move package perl-Class-Accessor from extended to core
Move package perl-Devel-CheckBin from extended to core
Move package perl-IPC-Run from Extended to Core
Move package perl-Sub-Name from Extended to core
Move perl-IO-String from extended to core
Move ruby-augeas from Extended to Core
Move rubygem-deep_merge from Extended to Core
Move rubygem-hocon from Extended to Core
Move rubygem-puppet-resource_api from Extended to Core
Move rubygem-thor from extended to core
Overwrite timestamp logs on different builds
Patch CVE-2023-45866 in bluez
Patch CVE-2023-46218 mysql
Patch CVE-2023-49083 in python-cryptography
Patch OpenSSH to fix CVE-2023-51384 and CVE-2023-51385
Patch fluent-bit for CVE-2023-48105
Patch otel grpc to address CVE-2023-47108
Patch strongSwan for CVE-2023-41913
Patche AppArmor for CVE-2023-50471 and CVE-2023-50472
Patches xorg-x11-server for CVE-2023-6377 and CVE-2023-6478
Preserve yum backend on tdnf package upgrade
Revert "toolkit image build: Fix make error for config files outside …
Set OOMScoreAdjust to -999 for containerd
Set OOMScoreAdjust to -999 for containerd-cc
Skip mypy tests in python-attrs
Sudo ldap netgroup_query bug fix patch
Switched to using Mariner's python-junit-xml.
Switching to using Mariner's version of Python's junit_xml module for test verification
Update ca-certificates-base
Update edk2 to address excessively long DH keys in the vendored source
Update postgresql to v14.10 to fix CVE-2023-5868, CVE-2023-5869 and CVE-2023-5870
Upgrade Ansible to v2.14.12 to fix CVE-2023-5764
Upgrade Kernel to version 5.15.139.1 to fix CVE-2023-1193, CVE-2023-1194
Upgrade Telegraf to 1.28.5
Upgrade curl to 8.5.0 for CVE-2023-46219
Upgrade dbus to v1.15.6 to fix CVE-2023-34969
Upgrade fish to 3.6.2 for CVE-2023-49284
Upgrade helm to version 3.13.2
Upgrade kubernetes to 1.28.4 to fix CVE 2023 5528
Upgrade libgcrypt to 1.10.3
Upgrade libssh to v0.10.6 to fix CVE-2023-48795
Upgrade vim to 9.0.2121 Fix CVE-2023-48706
Zwan/libpcap static
2.0.20231130
Mariner
Add CUSE module for rshim interface support
Add ExtractNameFromRPMPath() to rpm.go
Add additional functions to pkggraph.go
Add cloud native repo to mariner-repos
Add containerized-build downloader to list of tools to build
Add kernel-mos to ccache config
Add linuxptp v3.1.1 with High-Availability patches
Add package python3-junit-xml.
Add package double-conversion to SPECS
Enable CONFIG_ARM_SMMU and CONFIG_ARM_SMMU_V3 in aarch64.
Enable CONFIG_BPF_LSM
Enable SELinux features to busybox
Fix tmux crashing bug
Fix signature checking for local sources to break the build on a mismatch.
Make cascanding rebuilds configurable
Move package glog from Extended to Core
Pass toolchain archive to make in pipeline template
Patch frr to fix CVE-2023-47234 and CVE-2023-47235
Patch opensc CVE-2023-4535
Patch python-werkzeug for CVE-2023-46136
Patch qemu to fix CVE-2023-3354
Patch syslog-ng for CVE-2022-38725
Print blocked node summary
Print chroot-tools progress
Print logs on build/test failure
Print more details on image fetch failures
Update change logs to sync up with the ones in PMC
Update kernel, kernel-hci, kernel-azure BuildRequires to include cpio
Update kernel-mshv, kernel-uvm, kernel-uvm-cvm BuildRequires to inclu…
Upgrade Blobfuse2 to 2.1.2
Upgrade kernel upgrade to version 5.15.138.1 to fix CVE-2023-39198, CVE-2023-5178
Upgrade msft-golang to 1.20.11.
Upgrade mysql to 8.0.35 to fix CVE-2023-22032, CVE-2023-22059, CVE-2023-22064, CVE-2023-22066, CVE-2023-22068, CVE-2023-22070 CVE-2023-22078, CVE-2023-22079, CVE-2023-22084, CVE-2023-22092, CVE-2023-22097, CVE-2023-22103, CVE-2023-22112, CVE-2023-22114
Upgrade valgrind to 3.22.0
Upgrade vim to 9.0.2112 to fix CVE-2023-46246, CVE-2023-48231, CVE-2023-48234, CVE-2023-48236, CVE-2023-48237, CVE-2023-48232, CVE-2023-48233, CVE-2023-48235, CVE-2023-48706,
kubernetes: fix version subcommand for components
Image Customizer:
Add Initial MIC release file
Implement fallback partition customization.
2.0.20231115
Add debug to PR check pipeline to debug intermittent issue
Add kernel-mos with AMDGPU drivers
Add retry workaround when Package Installation fail.
Add tdnf remove cache script and run it for marketplace images
Added CredScan exception for doc and test sample secrets.
Cherry Pick bug and feature template updates to main
Clarify login instructions
Clarify that passwords are not permitted for production use in meta user data configuration file
Cosmetic change with chrony removed references to NetworkManager
Fix safechoot unmount ordering.
Image Customizer: Move partition utils into their own file.
Merge branch 'main' into 2.0
Merge branch 'main' into 2.0
Nopatch kernel CVE-2023-2430, CVE-2023-3338, CVE-2023-39191, CVE-2023-42752 ...
Prepare November 2023 Release
Sparse disk creation bug fix.
Support N+1 goal nodes for scheduler
Switch ccache to using compiler content instead of its modified time.
Toolkit: Add retry to safemount.Close().
Toolkit: Improvements for UpdateFstab and CreateSparseDisk
Toolkit: Move ConfigureDiskBootloader function.
Update multus to v4.0.2
Upgrade blobfuse2 2.1.0 -> 2.1.1
Upgrade kata-containers-cc to 0.6.2
Upgrade kernel-mshv, kernel-uvm, kernel-uvm-cvm
Upgrade moby-containerd-cc to 1.7.2
Use embedded binary resources for grub templates.
Using separate buffer per analyzed spec in rpmssnapshot.go.
Patch frr for CVE-2023-46752 and CVE-2023-46753 - branch main
Patched CVE-2023-46316 for traceroute - branch main.
Patched telegraf CVE-2023-46129. - branch main
Switched to building with fewer CPUs per package. - branch main
Upgrade kured to 1.13.2 for CVEs on vendor code - branch main
Upgrade memcached to v1.6.22: Fixes CVEs 2023-46852 and 2023-46853 - branch main
Upgraded PyYAML to 5.4 to fix CVEs: 2020-1747, CVE-2020-14343. - branch main
Upgrade kernel to version 5.15.137.1 to address CVE-2023-1192 CVE-2023-46813 CVE-2023-5717
containerized-build: Add option to keep container
fix wrong rights for toolkit/imageconfigs/additionalconfigs/configure…
fix wrong rights for toolkit/imageconfigs/postinstallscripts/remove-tdnf-cache.sh
toolkit: fix user instructions on toolchain build error
toolkit: gomod: bump dependencies to address CVEs
toolkit: gomod: upgrade gonum 0.11.0 -> 0.14.0
Upgrade mysql to 8.0.34
Kata-CC: Fixed occasional, sudden node crashes on CC pod start-up (fix in kernel-mshv based on new LSG release)
Kata-CC: Support for container images from private container image registries
Kata-CC: Support for v1 container images for the tardev-snapshotter (still unsupported by the policy feature)
Kata-CC: Support for container image layer sharing between different pod runtime handlers (runc, kernel-isolation, confidential containers)
Kata-CC: Support for updating ConfigMaps/Secrets at pod run time
2.0.20231106
Add /opt/containerd/{bin,lib} to RPMs and cherry-pick fix for systemd-hostnamed default-hostname in SELinux.
Add Perl-Net-IP package to extended specs
Add abort immediately on 404 errors for go-downloader in toolkit.
Add explicit timeout to package builds
Add extra_packages option for containerized-rpmbuild
Add kata-containers-cc patch to retain uvm dependencies
Add kubernetes back to CBL-Mariner
Add rust-cbindgen v0.24.3
Add short test flag to full go test coverage
Add single transaction for image package cloner
Add sodiff to Fasttrack builds and PR checks
Add support for downloading/uploading ccache archives
Add the repoquerywrapper tool.
Add timestamp arguments to build_mariner_toolchain.sh
Add wget replacement go-downloader
Build image if missing for containerized-rpmbuild:
Bump grpc release to rebuild with updated version of Go.
Bump kubernetes release to rebuild against glibc 2.35-6
Bump release to rebuild with updated version of Go.
Disable TestReferenceDOTFile() in toolkit until fix is found
Enable CONFIG_BINFMT_MISC in ARM64
Enable encfs sidecar container to UVM
Enable lzo, snappy, zstd support in crash
Enable zstd support in journald
Fix CCache failure to not fail the build + Allow in-place updates of remote artifacts
Fix cronie crond file
Fix freeradius installation issues
Fix handle --no-clobber correctly without explicit dst in toolkit.
Fix kernel CVE detection issue due to bad date order in changelog
Fix marketplace images to remove unnecessary and inappropriate (on ARM) line to create serial getty
Fix systemd to add missing Requires on zstd-libs
Fix toolkit imagecustomizer to correctly return rootfs partition instead of Boot Partition
Fix toolkit missing package rebuilds.
Fix with_check handling in toolchain
Force chronyd to correctly wait for /dev/ptp_hyperv device on images where it's configured to require /dev/ptp_hyperv
Image Customizer: Add Config struct.
Image Customizer: Add documentation.
Image Customizer: Add support to load and unload modules
Image Customizer: Add to Makefile.
Image Customizer: Add tool version.
Image Customizer: Add/remove packages
Image Customizer: Add/update users.
Image Customizer: Enable/disable services.
Image Customizer: Ensure loopback cleanly detaches.
Image Customizer: Fix TestCustomizeImageCopyFiles.
Image Customizer: Fix XFS disk handling.
Image Customizer: Fix disk corruption
Image Customizer: Handle separate boot partition.
Image Customizer: Improve safemount.
Image Customizer: Support legacy boot images.
Image Customizer: Use absolute path for base config path.
Increase image size for baremetal and qemu guest to 4GB
Libcgroup create drop file folder
Made image build always have full toolchain visibility.
Made pipeline artifact subfolder names customizable.
Make /media a directory
Make rpms-snapshot run faster
Modify running order of yum_add_repo so that it runs before package-update-upgrade-install in cloud-init.
Move cherry-pick automation to ADO
Only query precacher repos if one is passed in
Patch CVE-2023-38545, CVE-2023-38546 for cmake and curl.
Patch Glibc for CVE-2023-4806 and CVE-2023-5156
Patch boost for CVE-2023-45853 in vendored zlib code
Patch cloud-hypervisor for CVE-2023-45853 in vendored zlib code.
Patch cmake to address ve-2023-44487 in vendored nghttp2.
Patch edk2 CVE-2023-3817
Patch golang for CVE-2023-44487
Patch grub2 to fix CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-28735, CVE-2022-28736
Patch hdf5 to address CVE-2021-37501
Patch irqbalance to fix incorrect balancing behavior
Patch libnbd to address CVE-2023-5215
Patch libxml2 for CVE-2023-45322
Patch nginx for CVE-2023-44487
Patch python for CVE-2023-24329 (CP of #6412)
Patch python-gevent to address CVE-2023-41419
Patch rust for CVE-2023-45853 in vendored zlib code.
Patch snappy to fix build with RTTI enabled
Patch tcl for CVE-2023-45853 in vendored zlib code
Patch urllib3 for CVE-2023-43804
Patch vim for CVE-2023-5344
Patch vim for CVE-2023-5441 (CP of #6411)
Patch zchunk for CVE-2023-46228
Patch zlib for CVE-2023-45853
Remove additional error logic from sodiff-check command
Remove error from sodiff to unblock main builds
Removed exit from specs' %check sections.
Replace the sample username and password with user replaceable values
Revert Add scheduler stuck debug code
Running 'PipAuthenticate@1' in each template separately.
Switch ccache to use azure managed identity.
Unify behavior of USE_PREVIEW_REPO on url and repo lists
Update 2.0 workflow to use golang 1.20
Update go-test-coverage.yml with explicit go version
Update rust.spec to use ./x.py instead of x.py
Update selinux-policy to Silence io.containerd.internal.v1.opt denial noise
Updated Ubuntu requirements doc with better Golang instructions.
Upgrade PyYAML to 5.2
Upgrade cloud-init to 23.3
Upgrade cni-plugins to v1.3.0 and set version while building
Upgrade fluent-bit to 2.1.10 upgrade to latest
Upgrade gawk to v5.1.1 to fix CVE 2023-4156
Upgrade golang to 1.20.10 to fix CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39323, CVE-2023-39533
Upgrade httpd to 2.4.58 to address CVE-2023-45802, CVE-2023-43622 & CVE-2023-31122
Upgrade kernel-hci to fix CVE-2023-1859 CVE-2023-2002 CVE-2022-48425 CVE-2023-3111 CVE-2023-22995 CVE-2023-3141
Upgrade kubernetes to 1.28.3 to address CVE-2023-44487 and CVE-2023-39325
Upgrade libX11 to v1.8.7 to fix CVEs 2023-43785, 2023-43786 and 2023-43787
Upgrade libXpm to v3.5.13 to fix CVE 2023-43789 and CVE-2023-43788
Upgrade libdrm to 2.4.115
Upgrade libtiff to v4.6.0 to fix CVE 2023-40745 and 2023-41175
Upgrade libvpx to 1.13.1 to fix CVE-2023-5217
Upgrade nghttp2 to version 1.57.0 to include patches for cve-2023-44487
Upgrade nodejs18 to 18.18.2 for CVE-2023-44487
Upgrade python-urllib3 to 1.26.18 fix CVE-2023-45803
Upgrade redis to 6.2.14 Fixes CVE-2023-45145
Upgrade skopeo to v1.13.3 to fix CVE-2023-33199 in rekor
Upgrade sudo to version 1.9.14p3
Upgrade tensorflow to 2.11.1 to address CVEs (CP of #6418)
Upgrade to version 5.15.135.1 to fix CVE-2023-4623, CVE-2023-44466 CVE-2020-27815 CVE-2014-9940
Upgrade vim to 9.0.2010 to fix CVE-2023-5535
Upgraded keyutils to version 1.6.3 to fix DNS a refreshing issue (CP of #6432)
Use * instead of ! to designate user's password login is disabled for PAM/sshd.
Use test short mode flag.
2.0.20231004-2.0-toolkitfix
This is a toolkit-only fix for occasional go test failures seen on 2.0-stable/2.0.20231004-2.0
The following tests in the toolkit erroneously fail on some machines, and they have been skipped with this change.
TestReferenceDOTFile, TestCustomizeImageEmptyConfig, TestCustomizeImageCopyFiles