https://www.flatcar.org/ Flatcar :: lts 2026-03-09T16:26:30.115618+00:00 Flatcar Container Linux maintainers@flatcar-linux.org python-feedgen https://www.flatcar.org/media/brand-logo.svg Flatcar Container Linux release feed https://github.com/flatcar/scripts/releases/tag/lts-4081.3.6 4081.3.6 2026-03-09T16:26:30.340924+00:00 Changes since LTS 4081.3.5

Security fixes:

Updates:

Packages:

  • containerd 1.7.21
  • docker 26.1.0
  • ignition 2.19.0
  • kernel 6.6.106
  • systemd 255

Architectures:

  • amd64
  • arm64
]]> 2025-09-15T14:03:10+00:00 https://github.com/flatcar/scripts/releases/tag/lts-4081.3.5 4081.3.5 2026-03-09T16:26:30.332135+00:00 Changes since LTS 4081.3.4

Updates:

Packages:

  • containerd 1.7.21
  • docker 26.1.0
  • ignition 2.19.0
  • kernel 6.6.100
  • systemd 255

Architectures:

  • amd64
  • arm64
]]> 2025-08-19T13:10:36+00:00 https://github.com/flatcar/scripts/releases/tag/lts-4081.3.4 4081.3.4 2026-03-09T16:26:30.311234+00:00 Changes since LTS 4081.3.3

Security fixes:

Bug fixes:

Updates:

Packages:

  • containerd 1.7.21
  • docker 26.1.0
  • ignition 2.19.0
  • kernel 6.6.95
  • systemd 255

Architectures:

  • amd64
  • arm64
]]> 2025-07-08T15:22:02+00:00 https://github.com/flatcar/scripts/releases/tag/lts-4081.3.3 4081.3.3 2026-03-09T16:26:30.294625+00:00 Changes since LTS 4081.3.2

Security fixes:

Updates:

Packages:

  • containerd 1.7.21
  • docker 26.1.0
  • ignition 2.19.0
  • kernel 6.6.88
  • systemd 255

Architectures:

  • amd64
  • arm64
]]> 2025-05-06T11:36:40+00:00 https://github.com/flatcar/scripts/releases/tag/lts-4081.3.2 4081.3.2 2026-03-09T16:26:30.283521+00:00 Changes since LTS 4081.3.1

Security fixes:

Bug fixes:

  • Fix update-ca-certificates behavior when concatenating certificates with missing trailing newlines. (flatcar/scripts#2667)

Changes:

  • Added new image signing pub key to flatcar-install, needed for download verification of releases built from March 2025 onwards, if you have copies of flatcar-install or the image signing pub key, you need to update them as well (init#129)

Updates:

Packages:

  • containerd 1.7.21
  • docker 26.1.0
  • ignition 2.19.0
  • kernel 6.6.83
  • systemd 255

Architectures:

  • amd64
  • arm64
]]> 2025-03-20T14:07:30+00:00 https://github.com/flatcar/scripts/releases/tag/lts-4081.3.1 4081.3.1 2026-03-09T16:26:30.277548+00:00 Changes since LTS 4081.3.0

Security fixes:

Updates:

  • openssh(9.8_p1-r4)

Packages:

  • containerd 1.7.21
  • docker 26.1.0
  • ignition 2.19.0
  • kernel 6.6.74
  • systemd 255

Architectures:

  • amd64
  • arm64
]]> 2025-02-18T15:13:00+00:00 https://github.com/flatcar/scripts/releases/tag/lts-4081.3.0 4081.3.0 2026-03-09T16:26:30.168485+00:00 Changes since LTS 3510.3.6

Bug fixes:

  • Ensured that /var/log/journal/ is created early enough for systemd-journald to persist the logs on first boot (bootengine#60, baselayout#29)
  • Fixed journalctl --user permission issue (Flatcar#989)
  • Added a workaround for old airgapped/proxied update-engine clients to be able to update to this release (Flatcar#1332, update_engine#38)
  • Added AWS EKS support for versions 1.24-1.28. Fixed /usr/share/amazon/eks/download-kubelet.sh to include download paths for these versions. (scripts#1210)
  • Added qemu-guest-agent to ARM64 images (flatcar/flatcar#1593)
  • AWS: Fixed the Amazon SSM agent that was crashing. (Flatcar#1307)
  • CloudSigma: Disabled the new DHCP RapidCommit feature which is enabled by default since systemd 255. CloudSigma provides an incompatible implementation which results in cloud-init not being applied as no IP is issued. See: (flatcar/scripts#2016)- Fixed issue file generation from '/etc/issue.d' (scripts#2018)
  • Deleted files in /etc that have a tmpfiles rule that normally would recreate them will now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)
  • Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via ignition. (Flatcar#1385)
  • Ensured that the folder /var/log/sssd is created if it doesn't exist, required for sssd.service (Flatcar#1096)
  • Fixed a bug resulting in coreos-cloudinit resetting the instance hostname to 'localhost' if no metadata could be found (coreos-cloudinit#25)
  • Fixed a miscompilation of getfacl causing it to dump core when executed (scripts#809)
  • Fixed bad usage of gpg that prevented flatcar-install from being used with custom signing keys (Flatcar#1471)
  • Fixed bug in handling renamed network interfaces when generating login issue (init#102)
  • Fixed iterating over the OEM update payload signatures which prevented the AWS OEM update to 3745.x.y (update-engine#31)
  • Fixed oem-cloudinit.service on Equinix Metal. The availability check now uses the https://metadata.platformequinix.com/metadata endpoint. (scripts#2222)
  • Fixed quotes handling for update-engine (Flatcar#1209)
  • Fixed slow boots PXE and ISO boots caused by the decrypt-root.service. (Flatcar#1514)
  • Fixed supplying extension update payloads with a custom base URL in Nebraska (Flatcar#1281)
  • Fixed that systemd-sysext images can extend directories where Flatcar extensions are also shipping files, e.g., that the sysext-bakery Kubernetes extension works when OEM extensions are present (sysext-bakery#50)
  • Fixed the handling of OEM update payloads in a Nebraska response with self-hosted packages (ue-rs#49)
  • Fixed the initrd option in the QEMU launcher script. It was -R, but this was already taken by the read-only pflash option, so use -r instead. (scripts#2239)
  • Fixed the missing /etc/extensions/ symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 (update_engine#32)
  • Fixed the postinstall hook failure when updating from Azure instances without OEM systemd-sysext images to Flatcar Alpha 3745.x.y (update_engine#29)
  • Fixes kubevirt vm creation by ensuring that /dev/vhost-net exists (Flatcar#1336)
  • Fix ownership of systemd units shipped with built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Due to contents of sysexts and /usr being readonly on Flatcar, the invalid permissions can't be used to escalate privileges. (scripts#2266)
  • Fix the RemainAfterExit clause in nvidia.service (Flatcar#1169)
  • GCP: Fixed OS Login enabling (scripts#1445)
  • Hetzner: Fixed duplicated prefix in the Afterburn metadata (scripts#2141)
  • Made sshkeys.service more robust to only run coreos-metadata-sshkeys@core.service when not masked and also retry on failure (init#112)
  • Removed custom CloudSigma coreos-cloudinit service configuration since it will be called with the cloudsigma oem anyway. The restart of the service can also cause the serial port to be stuck in an nondeterministic state which breaks future runs.
  • Resolved kmod static nodes creation in bootengine (bootengine#85)
  • Restored support for custom OEMs supplied in the PXE boot where /usr/share/oem brings the OEM partition contents (Flatcar#1376)
  • Restored the reboot warning and delay for non-SSH console sessions (locksmith#21)
  • Set TTY used for fetching server_context to RAW mode before running cloudinit on cloudsigma (scripts#1280)
  • Worked around a bash regression in flatcar-install and added error reporting for disk write failures (Flatcar#1059)

Changes:

  • Added a new flatcar-reset tool and boot logic for selective OS resets to reconfigure the system with Ignition while avoiding config drift (bootengine#55, init#91)
  • Added pigz to the image, a parallel gzip implementation, which is useful to speed up the (de)compression for large container image imports/exports (coreos-overlay#2504)
  • Enabled elfutils support in systemd-coredump. A backtrace will now appear in the journal for any program that dumps core (coreos-overlay#2489)
  • /etc is now set up as overlayfs with the original /etc folder being the store for changed files/directories and /usr/share/flatcar/etc providing the lower default directory tree (bootengine#53, scripts#666)
  • Improved the OS reset tool to offer preview, backup and restore (init#94)
  • On boot any files in /etc that are the same as provided by the booted /usr/share/flatcar/etc default for the overlay mount on /etc are deleted to ensure that future updates of /usr/share/flatcar/etc are propagated - to opt out create /etc/.no-dup-update in case you want to keep an unmodified config file as is or because you fear that a future Flatcar version may use the same file as you at which point your copy is cleaned up and any other future Flatcar changes would be applied (bootengine#54)
  • Switched systemd log reporting to the combined format of both unit description, as before, and now the unit name to easily find the unit (coreos-overlay#2436)
  • Added zram-generator package to the image (scripts#1772)
  • Added Akamai / Linode images (flatcar/scripts#1806)
  • Added azure-nvme-utils to the image, which is used by udev to create symlinks for NVMe disks on Azure v6 instances under /dev/disk/azure/. (scripts#1950)
  • Added Hetzner images (flatcar/scripts#1880)
  • Added Hyper-V VHDX image (flatcar/scripts#1791)
  • Added Ignition Clevis support for encrypted disks unlocked with a TPM2 device or a Tang server (scripts#1560)
  • Added KubeVirt qcow2 image for amd64/arm64 (flatcar/scripts#1962)
  • Added Scaleway images (flatcar/scripts#1683)
  • Added support for multipart MIME userdata in coreos-cloudinit. Ignition now detects multipart userdata and delegates execution to coreos-cloudinit. (scripts#873)
  • Added support for unlocking the rootfs with a TPM set up by systemd-cryptenroll (bootengine#93)
  • Added TLS Kernel module (scripts#865)
  • Add Intel igc driver to support I225/I226 family NICs. (flatcar/scripts#1786)
  • A new format qemu_uefi_secure is introduced to test Flatcar for SecureBoot-enabled features. The format will be later merged into qemu_uefi.
  • As part of the update to Catalyst 4 (used to build the SDK), the coreos package repository has been renamed to coreos-overlay to match its directory name. This will be reflected in package listings and package manager output. (flatcar/scripts#2115)
  • AWS OEM images now use a systemd-sysext image for layering additional platform-specific software on top of /usr
  • Azure and QEMU OEM images now use systemd-sysext images for layering additional platform-specific software on top of /usr. For Azure images this also means that the image has a normal Python installation available through the sysext image. The OEM software is still not updated but this will be added soon.
  • Azure, HyperV: Added daemons kvp, vss, and fcopy for better HyperV hypervisor integration with Flatcar guests (scripts#2309).
  • Backported systemd-sysext mutable overlays functionality from yet-unreleased systemd v256. (flatcar/scripts#1753)
  • Changed coreos-cloudinit to now set the short hostname instead of the FQDN when fetched from the metadata service (coreos-cloudinit#19) (changelog, upstream pr).
  • Change nvidia.service to type oneshot (from the default "simple") so the subsequent services (configured with "Requires/After") are executed after the driver installation is successfully finished (flatcar/Flatcar#1136)
    • Consequently, update_engine will not perform torcx sanity checks post-update anymore.
  • cri-tools, runc, containerd, docker, and docker-cli are now built from Gentoo upstream ebuilds. Docker received a major version upgrade - it was updated to Docker 24 (from Docker 20; see “updates”).
  • Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. (flatcar/scripts#1771)
    • Docker will remove the btrfs driver entirely in a future version. Please consider migrating your deployments to the overlay2 driver.
  • Enabled amd-pstate,amd-pstate-epp cpufreq drivers for some AMD CPUs in the kernel. (flatcar/scripts#1770)
  • Enabled ntpd by default on AWS & GCP, enabled chronyd by default on Azure. The native time sync source is used on each cloud. (scripts#1792)
  • Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI (scripts#1861)
  • Enabled the ptp_vmw module in the kernel.
  • Enabled the virtio GPU driver (scripts#830)
  • Enable mpi3mr kernel module for Broadcom Storage/RAID-Controllers (flatcar/scripts#2355)
  • GCP OEM images now use a systemd-sysext image for layering additional platform-specific software on top of /usr and being part of the OEM A/B updates (flatcar#1146)
  • Hetzner: Added COREOS_HETZNER_PRIVATE_IPV4_0 Afterburn attribute for Hetzner private IPs (scripts#2141)
  • Hyper-V images, both .vhd and .vhdx files are available as zip compressed, switching from bzip2 to a built-in available Windows compression - zip (scripts#1878)
  • libcrypt is now provided by the libxcrypt library instead of glibc. Glibc libcrypt was deprecated long time ago.
  • Migrated the NVIDIA installer from the Azure/AWS OEM partition to /usr to make it available on all platforms (scripts#932, Flatcar#1077)
  • Migrate to Type=notify in containerd.service. Changed the unit to Type=notify, utilizing the existing containerd support for sd_notify call after socket setup.
  • Moved a mountpoint of the OEM partition from /usr/share/oem to /oem. /usr/share/oem became a symlink to /oem for backward compatibility. Despite the move, the initrd images providing files through /usr/share/oem should keep using /usr/share/oem. The move was done to enable activating the OEM sysext images that are placed in the OEM partition.
    • NOTE that if you are already using btrfs-backed Docker storage and are upgrading to this new version, Docker will automatically use the btrfs storage driver for backwards-compatibility with your deployment.
    • NOTE The docker btrfs storage driver has been de-prioritised; BTRFS backed storage will now default to the overlay2 driver
  • OEM vendor tools are now A/B updated if they are shipped as systemd-sysext images, the migration happens when both partitions require a systemd-sysext OEM image - note that this will delete the nvidia.service from /etc on Azure because it's now part of /usr (Flatcar#60)
  • OpenStack, Brightbox: Added the flatcar.autologin kernel cmdline parameter by default as the hypervisor manages access to the console (scripts#1866)
  • Provided a Podman Flatcar extension as optional systemd-sysext image with the release. Write 'podman' to /etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning (scripts#1964)
  • Provided a Python Flatcar extension as optional systemd-sysext image with the release. Write 'python' to /etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning (scripts#1979)
  • OpenStack: Changed metadata hostname source order. The service first tries with the config drive then fallback on the metadata service. (bootengine#96)
  • Provided a ZFS-2.2.2 Flatcar extension as optional systemd-sysext image with the release. Write 'zfs' to /etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning. ZFS support is experimental and ZFS is not supported for the root partition. (flatcar/scripts#1742)
  • Removed actool from the image and acbuild from the SDK as these tools are deprecated and not used (scripts#1817)
  • ⚠ Removed coreos-cloudinit support for automatic keys conversion (e.g reboot-strategy -> reboot_strategy) (scripts#1687)
  • Removed Linux drivers for Mellanox Technologies Switch ASICs family and Spectrum/Spectrum-2/Spectrum-3/Spectrum-4 Ethernet Switch ASICs to reduce the initrd size on AMD64 by ~5MB (flatcar/scripts#1734). This change is part of the effort to reduce the initrd size (flatcar#1381).
  • Removed unused grub executable duplicate files and removed grub modules that are already assembled in the grub executable (scripts#1955).
  • Replace nmap netcat with openbsd variant. The license didn't get an exception from CNCF. Something about the definition of "derivative works" being too broad.
  • Reworked the VMware OEM software to be shipped as A/B updated systemd-sysext image
  • Scaleway: images are now provided directly as .qcow2 to ease the import on Scaleway (scripts#1953)
  • SDK: Experimental support for prefix builds to create distro independent, portable, self-contained applications w/ all dependencies included. With contributions from chewi and HappyTobi.
  • Started shipping default ssh client and ssh daemon configs in /etc/ssh/ssh_config and /etc/ssh/sshd_config which include config snippets in /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d, respectively.
  • Switched ptp_kvm from kernel builtin to module.
  • The default VM memory was bumped to 2 GB in the Qemu script and for VMware OVFs
  • The docker build command will now use buildx as its backend as the old one became deprecated and a loud "DEPRECATED" information is printed every time it's used.
  • The kernel security module Landlock is now enabled for programs to sandbox themselves (flatcar/scripts#2158)
  • The open-vm-tools package in VMware OEM now comes with vmhgfs-fuse, udev rules, pam and vgauth
    • Torcx entered deprecation 2 years ago in favour of deploying plain Docker binaries
    • Torcx has been removed entirely; if you use torcx to extend the Flatcar base OS image, please refer to our conversion script and to the sysext documentation mentioned above for migrating.
  • torcx was replaced by systemd-sysext in the OS image. Learn more about sysext and how to customise OS images here.
  • Updated locksmith to use non-deprecated resource control options in the systemd unit (Locksmith#20)
  • Update generation SLSA provenance info from v0.2 to v1.0. Using the btrfs driver can still be enforced by creating a respective docker config at /etc/docker/daemon.json.
  • :warning: Dropped support for niftycloud and interoute. For interoute we haven't been generating the images for some time already. (TODO) :warning: (which is now also a legacy option because systemd-sysext offers a more robust and better structured way of customisation, including OS independent updates).

Updates

Changes since Stable 4081.2.1

Security fixes:

Updates:

Packages:

  • containerd 1.7.21
  • docker 26.1.0
  • ignition 2.19.0
  • kernel 6.6.74
  • systemd 255

Architectures:

  • amd64
  • arm64
]]> 2025-01-30T18:31:43+00:00