v3.2.0-rc1

#2052

What's Changed

• Update aquasec/trivy Docker tag to v0.55.2 by @renovate in #2867
• Update github/codeql-action action to v3.26.8 by @renovate in #2873
• 🤖 Allow testing provider dev versions by @Itxaka in #2870
• 🐛 Do not bindly install all tpm2 tools by @Itxaka in #2884
• Store logs on earthly by @Itxaka in #2880
• :Robot: Cache triby DB before running the build by @Itxaka in #2885
• Bump framework by @Itxaka in #2891
• Test selecting disk by uuid+label by @Itxaka in #2877
• Don't run both rngd and haveged by @jimmykarily in #2890
• 🤖 Add missing secrets: inherit by @Itxaka in #2897
• Update quay.io/kairos/framework Docker tag to v2.12.1 by @renovate in #2902

Full Changelog: v3.1.3...v3.2.0-rc1

v3.1.3

Release highlights:

• In the previous release, we introduced a fix for the broken permissions of the user's home directory. It turned out that the fix only applied to users created by the top level users: key in the Kairos configuration file. In this release, users created in various stages will also get their home directory permissions fixed. If for some reason, you don't want the script to recursively fix the home directory permissions, you can create a sentinel file to skip the fix and apply it on your own as you see fit.
• Fixed an issue where we didn't calculate the upgrade image size and the always created an image with the default size (#2818)
• Fixed an issue in Kairos upgrades through Kuberentes, where various host directories were also used in image size calculation (kairos-io/kairos-agent#537)
• We now display the webui url below the QR code to avoid people having to plug a keyboard just to find the IP address of the node (#2826)
• Fixed a bug in Alpine flavors where we passed the edgevpn arguments in the openrc service file wrongly (#2789)
• Lots of version bumps on dependencies (mostly automated).

Known Issues

• [Carry over from previous releases] RPi EFI booting no longer supported on kernels shipped with Ubuntu 24.04+ #2249

What's Changed

• Add permissions to generic arm release pipeline by @mauromorales in #2840
• Update tj-actions/changed-files action to v45 by @renovate in #2816
• Add upgrade uki test by @jimmykarily in #2776
• Update dependency go to v1.23.1 by @renovate in #2845
• Generate relative paths to files by @jimmykarily in #2846
• 🤖 Make arm64 workers use docker mirror by @Itxaka in #2850
• 🐛 Fix wifi cloud-config example by @jimmyjones2 in #2820
• 📖 Add alpine wifi cloud-config by @jimmyjones2 in #2819
• Update anchore/grype Docker tag to v0.80.1 by @renovate in #2852
• Update aquasec/trivy Docker tag to v0.55.0 by @renovate in #2781
• Update aquasec/trivy Docker tag to v0.55.1 by @renovate in #2854
• Update github/codeql-action action to v3.26.6 by @renovate in #2799
• Fix test printing old value for debugging by @jimmykarily in #2855
• Update google/osv-scanner-action action to v1.8.5 by @renovate in #2853
• Update quay.io/kairos/framework Docker tag to v2.11.5 by @renovate in #2856
• Update github/codeql-action action to v3.26.7 by @renovate in #2858
• Update quay.io/kairos/framework Docker tag to v2.11.7 by @renovate in #2859
• Split the uploading of trivy and grype results by @jimmykarily in #2860

New Contributors

• @jimmyjones2 made their first contribution in #2820

Full Changelog: v3.1.2...v3.1.3

v3.1.2

⚠️ The following issues have been resolved, so it is safe to upgrade again:

Kairos user ids change on upgrade, breaking ssh login #2797
Long duration hang during boot #2802

What's Changed

• 🤖 Check that install/recovery services are off during active boot by @Itxaka in #2775
• 🐧 Disable pcrlock for all systemd distros by @Itxaka in #2778
• 🐛 Empty machine-id instead of removing it by @Itxaka in #2784
• 🐛 Fix +base-image for Remote Execution by @sdwilsh in #2808

Full Changelog: v3.1.1...v3.1.2

v3.1.2-rc1

What's Changed

• Update softprops/action-gh-release action to v2.0.8 by @renovate in #2751
• Update manual tests by @mauromorales in #2747
• Update github/codeql-action action to v3.25.13 by @renovate in #2750
• Remove ubuntu 23.10 from the pipelines by @jimmykarily in #2756
• Update tj-actions/changed-files digest to 6b2903b by @renovate in #2746
• Update github/codeql-action digest to 2d79040 by @renovate in #2749
• Update docker/login-action digest to 9780b0c by @renovate in #2754
• Run arm jobs under arm workers by @Itxaka in #2757
• Update github/codeql-action action to v3.25.14 by @renovate in #2763
• Update module github.com/onsi/ginkgo/v2 to v2.19.1 by @renovate in #2768
• Update github/codeql-action action to v3.25.15 by @renovate in #2767
• Add manual test for edgevpn setup by @jimmykarily in #2771
• 🤖 Check that install/recovery services are off during active boot by @Itxaka in #2775
• Update ossf/scorecard-action action to v2.4.0 by @renovate in #2769
• Update docker/setup-buildx-action digest to 988b5a0 by @renovate in #2755
• Update github/codeql-action digest to afb54ba by @renovate in #2762
• Update renovate/renovate Docker tag to v38 by @renovate in #2765
• Update module github.com/onsi/gomega to v1.34.1 by @renovate in #2764
• 🐧 Disable pcrlock for all systemd distros by @Itxaka in #2778
• Update tj-actions/changed-files digest to c65cd88 by @renovate in #2780
• Update quay.io/luet/base Docker tag to v0.35.4 by @renovate in #2783
• 🐛 Empty machine-id instead of removing it by @Itxaka in #2784
• Update actions/upload-artifact digest to 89ef406 by @renovate in #2786
• Update actions/upload-artifact action to v4.3.5 by @renovate in #2787
• 🔧 Allow testing overlya files branches by @Itxaka in #2791
• Update module github.com/mudler/edgevpn to v0.27.0 by @renovate in #2803
• Update actions/upload-artifact action to v4.3.6 by @renovate in #2795
• Update google/osv-scanner-action action to v1.8.3 by @renovate in #2801
• Update dependency go to v1.23.0 by @renovate in #2796
• Update module github.com/mudler/edgevpn to v0.27.2 by @renovate in #2812
• Update github.com/mudler/go-processmanager digest to 8b802d3 by @renovate in #2811
• 🐛 Fix +base-image for Remote Execution by @sdwilsh in #2808
• Update module github.com/onsi/ginkgo/v2 to v2.20.1 by @renovate in #2815
• Update module github.com/mudler/edgevpn to v0.27.3 by @renovate in #2814
• Update google/osv-scanner-action action to v1.8.4 by @renovate in #2817
• Update module github.com/mudler/edgevpn to v0.27.4 by @renovate in #2822
• Update module github.com/onsi/ginkgo/v2 to v2.20.2 by @renovate in #2829
• Update quay.io/luet/base Docker tag to v0.35.5 by @renovate in #2831
• Update module github.com/onsi/gomega to v1.34.2 by @renovate in #2830

Full Changelog: v3.1.1...v3.1.2-rc1

v3.1.1

Upgrade issues

Be advised that there is currently an issue when upgrading from 3.0.x to 3.1.x in which the user ids will change. This will result in any files owned by the user under its /home directory to lose permissions which can lead to not being able to ssh (ssh keys will have a different user id)

We are currently working on a workaround, so you are advised to not upgrade until 3.1.2 is released with a fix for this.

What's Changed

Bug fixes 🐛

• Disable make cache timer on fedora by @Itxaka in #2717
• It's not possible to login on an Alpine 3.19 RPi fixed by @Itxaka #2439
• Expired password on system with no rtc (e.g. rpi4) on Alpine fixed by @Itxaka #1994
• cgroup_memory not mounted in Alpine rpi4 fixed by @Itxaka #2002
• reset from the GRUB menu on alpine, gets stuck in an endless loop @Itxaka #2136

Known Issues

• RPi EFI booting no longer supported on kernels shipped with Ubuntu 24.04+ #2249

Full Changelog: v3.1.0...v3.1.1

v3.1.0

Upgrade issues

Be advised that there is currently an issue when upgrading from 3.0.x to 3.1.x in which the user ids will change. This will result in any files owned by the user under its /home directory to lose permissions which can lead to not being able to ssh (ssh keys will have a different user id)

We are currently working on a workaround, so you are advised to not upgrade until 3.1.2 is released with a fix for this.

Potential Breaking Changes

By default, Uki artifacts (identified by the -uki suffix) no longer include Linux modules and firmware in the image. Real-world testing has shown that many EFI firmwares are very particular about the size of the EFI image, often refusing to boot if the file exceeds 300-400MB. Given the wide variety of EFI firmware implementations, predicting whether a UKI EFI file will boot on different hardware is challenging.

To enhance compatibility, we decided to slim down the UKI files by removing the largest components: the Linux modules and firmware packages. This results in EFI files around 200-300MB, which are much more likely to boot correctly across various EFI implementations.

However, this change comes with a trade-off. Smaller images, while being more compatible with a wide range of EFI firmwares, may lack comprehensive hardware support because they do not include all the Linux modules and firmware packages. This means that certain hardware components may not function correctly or optimally when using these slimmer UKI images.

On the other hand, larger UKI images, which include all necessary modules and firmware for extensive hardware support, provide better functionality and compatibility with a broad range of hardware. However, these larger images are more likely to encounter boot issues due to EFI firmware limitations, as many EFI implementations refuse to boot files larger than 300-400MB.

We publish -uki artifacts ourselves, which are the slimmed versions, as examples of how to build a slimmer UKI artifact. While these serve as a reference, we recommend always building your own custom images to tailor them to your specific hardware needs. If you need to include those packages for full hardware support, you can create a custom artifact to add them back, as detailed in the Kairos docs.

We recommend keeping your UKI EFI files as small as possible to maximize boot success across different EFI firmware implementations. While smaller images offer better compatibility, they may lack full hardware support. Conversely, larger images, which include all necessary modules and firmware, provide comprehensive hardware support but may fail to boot due to EFI firmware constraints.

Check out how to build your own base images with the Kairos Factory

What's Changed

💿 UKI

• UKI: measured systemd-sysext by @Itxaka #2117
• UKI: Verify images signature before upgrade by @Itxaka #2200
• UKI: Enroll keys during setup #2048
• Install limited amount of modules for UKI Ubuntu by @mauromorales in #2566

🐧

• Support for Ubuntu 24.04 LTS by @mauromorales #2138 and deprecation of 23.10
• Support for Fedora 40 by @Itxaka in #2502 and deprecation of previous versions
• refactor debian dockerfile to build arm by @mauromorales in #2542
• Bump opensuse Leap to 15.6 by @mauromorales in #2623

🐛

• fix(nvidia): do not ship nohang in nvidia-arm builds by @mudler in #2433
• Allow https protocol in ipxe by @jimmykarily in #2468
• fix(orin): disable ISCSI in the initramfs generation by @mudler in #2474
• 🐛 Move nfs-utils to common build target in opensuse flavor by @kaiehrhardt in #2495
• 🐛 Install cryptsetup for all arches in opensuse by @Itxaka in #2691

📖

• 📖 chore: fix typos by @xiaoxianBoy in #2441
• readme: add links to project governance by @mudler in #2498
• Update LICENSE by @mudler in #2503
• Add OpenSSF best practices badge by @mauromorales in #2639
• Add clomonitor badge by @mauromorales in #2640
• Link to GH Security Draft Advisory form by @mauromorales in #2650

🔧

• More options for enki outputs by @Itxaka in #2515

New Contributors

• @xiaoxianBoy made their first contribution in #2441

Full Changelog: v3.0.14...v3.1.0

v3.1.0-rc2

What's Changed

• Define permissions following the principle of least privilege by @mauromorales in #2676
• Add osv scanning for PRs by @mauromorales in #2678
• Add missing permissions on master pipeline by @mauromorales in #2687
• Update robinraju/release-downloader action to v1.11 by @renovate in #2685
• Update github/codeql-action action to v3.25.11 by @renovate in #2683
• Update google/osv-scanner-action action to v1.8.1 by @renovate in #2684
• Update aquasec/trivy Docker tag to v0.53.0 by @renovate in #2612
• Add permissions to reusable-provider-tests by @mauromorales in #2688
• Update github/codeql-action digest to b611370 by @renovate in #2681
• 🐛 Install cryptsetup for all arches in opensuse by @Itxaka in #2691
• Update framework by @Itxaka in #2695

Full Changelog: v3.1.0-rc1...v3.1.0-rc2

v3.1.0-rc1

What's Changed

• Update matching text for latest systemd tests by @mauromorales in #2633
• Update softprops/action-gh-release action to v2.0.6 by @renovate in #2636
• Add OpenSSF best practices badge by @mauromorales in #2639
• Add clomonitor badge by @mauromorales in #2640
• Create scorecards.yaml by @mauromorales in #2641
• 🤖 test sysextension on uki by @Itxaka in #2617
• 🤖 Improve renovate by @Itxaka in #2644
• Pin dependencies by @renovate in #2646
• Get digests from earthfile by @Itxaka in #2648
• Fix dangerous workflow by @mauromorales in #2649
• Link to GH Security Draft Advisory form by @mauromorales in #2650
• Update actions/checkout action to v4.1.7 by @renovate in #2642
• Update github/codeql-action action to v3.25.10 by @renovate in #2643
• Remove sha from docker images by @Itxaka in #2655
• Remove leftover by @Itxaka in #2656
• 🔧 : Update to use new osbuilder by @Itxaka in #2645
• 🔧 Bump osbuilder by @Itxaka in #2672
• Add .snyk config by @mauromorales in #2673
• Bump framework to 2.9.0 to get newer dependencies by @jimmykarily in #2671

Full Changelog: v3.1.0-alpha1...v3.1.0-rc1

v3.0.14

Security

• 🔒 Rebuild of kcrypt-discovery-challenger and luet with newer Golang version to address CVE-2024-24790

Full Changelog: v3.0.13...v3.0.14

v3.1.0-alpha1

What's Changed

• fix(nvidia): do not ship nohang in nvidia-arm builds by @mudler in #2433
• Add security scan link to release checklist by @mauromorales in #2436
• Bump fedora from 38 to 39 by @mauromorales in #2446
• Bump framework by @Itxaka in #2448
• fix(deps): update module github.com/kairos-io/kairos-sdk to v0.0.29 by @renovate in #2450
• chore(deps): update dependency kairos-io/kairos-framework to v2.7.27 by @renovate in #2459
• Symlink any /boot/Image* to /boot/vmlinuz by @mauromorales in #2463
• chore(deps): update quay.io/kairos/osbuilder-tools docker tag to v0.200.10 by @renovate in #2453
• chore(deps): update dependency kairos-io/kairos-framework to v2.7.28 by @renovate in #2465
• chore(deps): update quay.io/kairos/osbuilder-tools docker tag to v0.200.11 by @renovate in #2466
• Allow https protocol in ipxe by @jimmykarily in #2468
• Add test for custom partioning by @jimmykarily in #2291
• Add Ubuntu 24.04 to pipelines by @mauromorales in #2447
• Produce 24.04 uki master artifact by @mauromorales in #2470
• Push master ARM images to quay by @mauromorales in #2477
• fix(orin): disable ISCSI in the initramfs generation by @mudler in #2474
• [WIP] reusable nvidia by @mauromorales in #2478
• 📖 chore: fix typos by @xiaoxianBoy in #2441
• Add ubuntu 24.04 arm generic by @mauromorales in #2480
• chore(deps): update tj-actions/changed-files action to v44 by @renovate in #2392
• fix(deps): update module github.com/kairos-io/kairos-sdk to v0.1.0 by @renovate in #2471
• chore(deps): update earthly/earthly docker tag to v0.8.8 by @renovate in #2485
• chore(deps): update robinraju/release-downloader action to v1.10 by @renovate in #2460
• chore(deps): update dependency kairos-io/kairos-framework to v2.8.1 by @renovate in #2472
• fix(deps): update module github.com/kairos-io/kairos-sdk to v0.1.1 by @renovate in #2487
• readme: add links to project governance by @mudler in #2498
• chore(deps): update actions/download-artifact action to v4.1.5 by @renovate in #2490
• chore(deps): update quay.io/kairos/osbuilder-tools docker tag to v0.200.12 by @renovate in #2494
• chore(deps): update quay.io/luet/base docker tag to v0.35.2 by @renovate in #2499
• chore(deps): update actions/download-artifact action to v4.1.6 by @renovate in #2500
• 🐛 Move nfs-utils to common build target in opensuse flavor by @kaiehrhardt in #2495
• Update LICENSE by @mudler in #2503
• 🐧 Bump to Fedora 40 by @Itxaka in #2502
• chore(deps): update aquasec/trivy docker tag to v0.50.2 by @renovate in #2501
• chore(deps): update actions/download-artifact action to v4.1.7 by @renovate in #2507
• chore(deps): update aquasec/trivy docker tag to v0.50.4 by @renovate in #2508
• chore(deps): update earthly/earthly docker tag to v0.8.9 by @renovate in #2509
• Remove 23.10 from the test pipelines by @mauromorales in #2512
• More options for enki outputs by @Itxaka in #2515
• chore(deps): update dependency kairos-io/kairos-framework to v2.8.2 by @renovate in #2530
• 🤖 Fix reusable uki master test by @Itxaka in #2536
• 🤖 Drop profile-build by @Itxaka in #2537
• Remove double brackets from Earthly by @mauromorales in #2541
• refactor debian dockerfile to build arm by @mauromorales in #2542
• bump framework to v2.8.3 by @mauromorales in #2543
• chore(deps): update slackapi/slack-github-action action to v1.26.0 by @renovate in #2491
• chore(deps): update aquasec/trivy docker tag to v0.51.1 by @renovate in #2532
• bump framework to v2.8.4 by @mauromorales in #2546
• Bump action-gh-release to v2.0.5 by @mauromorales in #2544
• Bump osbuilder by @Itxaka in #2551
• 🤖 Do not auto reboot on uki tests by @Itxaka in #2549
• Update earthly/earthly Docker tag to v0.8.10 by @renovate in #2562
• Update earthly/earthly Docker tag to v0.8.12 by @renovate in #2567
• Update aquasec/trivy Docker tag to v0.51.2 by @renovate in #2576
• Update aquasec/trivy Docker tag to v0.51.4 by @renovate in #2590
• Update earthly/earthly Docker tag to v0.8.13 by @renovate in #2600
• Build ubuntu 22 arm rpi on cncf runners by @mauromorales in #2607
• Install limited amount of modules for UKI Ubuntu by @mauromorales in #2566
• Add systemd-continaers to ubuntu by @Itxaka in #2614
• Update earthly/earthly Docker tag to v0.8.14 by @renovate in #2618
• Bump opensuse Leap to 15.6 by @mauromorales in #2623
• 🐧 Add selinux packages to ubuntu 24.04 by @Itxaka in #2625
• Bump framework to v2.8.5 by @mauromorales in #2627

New Contributors

• @xiaoxianBoy made their first contribution in #2441

Full Changelog: v3.0.4...v3.1.0-alpha1