flatcar-install, needed for download verification of releases built from March 2025 onwards, if you have copies of flatcar-install or the image signing pub key, you need to update them as well (init#129)/var/log/journal/ is created early enough for systemd-journald to persist the logs on first boot (bootengine#60, baselayout#29)journalctl --user permission issue (Flatcar#989)/usr/share/amazon/eks/download-kubelet.sh to include download paths for these versions. (scripts#1210)/etc that have a tmpfiles rule that normally would recreate them will now show up again through the /etc lowerdir (Flatcar#1265, bootengine#79)/var/log/sssd is created if it doesn't exist, required for sssd.service (Flatcar#1096)/etc/extensions/ symlinks for the inbuilt Docker/containerd systemd-sysext images on update from Beta 3760.1.0 (update_engine#32)sshkeys.service more robust to only run coreos-metadata-sshkeys@core.service when not masked and also retry on failure (init#112)/usr/share/oem brings the OEM partition contents (Flatcar#1376)flatcar-install and added error reporting for disk write failures (Flatcar#1059)flatcar-reset tool and boot logic for selective OS resets to reconfigure the system with Ignition while avoiding config drift (bootengine#55, init#91)pigz to the image, a parallel gzip implementation, which is useful to speed up the (de)compression for large container image imports/exports (coreos-overlay#2504)/etc is now set up as overlayfs with the original /etc folder being the store for changed files/directories and /usr/share/flatcar/etc providing the lower default directory tree (bootengine#53, scripts#666)/etc that are the same as provided by the booted /usr/share/flatcar/etc default for the overlay mount on /etc are deleted to ensure that future updates of /usr/share/flatcar/etc are propagated - to opt out create /etc/.no-dup-update in case you want to keep an unmodified config file as is or because you fear that a future Flatcar version may use the same file as you at which point your copy is cleaned up and any other future Flatcar changes would be applied (bootengine#54)qemu_uefi_secure is introduced to test Flatcar for SecureBoot-enabled features. The format will be later merged into qemu_uefi./usr/usr. For Azure images this also means that the image has a normal Python installation available through the sysext image. The OEM software is still not updated but this will be added soon.kvp, vss, and fcopy for better HyperV hypervisor integration with Flatcar guests (scripts#2309).update_engine will not perform torcx sanity checks post-update anymore.btrfs driver entirely in a future version. Please consider migrating your deployments to the overlay2 driver./usr and being part of the OEM A/B updates (flatcar#1146)COREOS_HETZNER_PRIVATE_IPV4_0 Afterburn attribute for Hetzner private IPs (scripts#2141)zip compressed, switching from bzip2 to a built-in available Windows compression - zip (scripts#1878)/usr to make it available on all platforms (scripts#932, Flatcar#1077)/usr/share/oem to /oem. /usr/share/oem became a symlink to /oem for backward compatibility. Despite the move, the initrd images providing files through /usr/share/oem should keep using /usr/share/oem. The move was done to enable activating the OEM sysext images that are placed in the OEM partition.
btrfs storage driver for backwards-compatibility with your deployment.overlay2 drivernvidia.service from /etc on Azure because it's now part of /usr (Flatcar#60)flatcar.autologin kernel cmdline parameter by default as the hypervisor manages access to the console (scripts#1866)/etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning (scripts#1964)/etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning (scripts#1979)/etc/flatcar/enabled-sysext.conf through Ignition and the sysext will be installed during provisioning. ZFS support is experimental and ZFS is not supported for the root partition. (flatcar/scripts#1742)
actool from the image and acbuild from the SDK as these tools are deprecated and not used (scripts#1817)reboot-strategy -> reboot_strategy) (scripts#1687).qcow2 to ease the import on Scaleway (scripts#1953)/etc/ssh/ssh_config and /etc/ssh/sshd_config which include config snippets in /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d, respectively.docker build command will now use buildx as its backend as the old one became deprecated and a loud "DEPRECATED" information is printed every time it's used./etc/docker/daemon.json.Changes since Stable 4081.2.1
flatcar-install, needed for download verification of releases built from March 2025 onwards, if you have copies of flatcar-install or the image signing pub key, you need to update them as well (init#129)toolbox to prevent mounted ctr snapshots from being garbage-collected (toolbox#9)qemu_uefi build target provides the regular qemu and the qemu_uefi_secure artifacts (scripts#1847)update-engine.service to the postinstall script to support fetching OEM systemd-sysext payloads through a proxy (Flatcar#1326)flatcar-update --oem-payloads <yes|no> flag to skip providing OEM payloads, e.g., for downgrades (init#114)flatcar-update -E or with self-hosted Nebraska payloads (Flatcar#1332, Flatcar#1326).gz or .bz2 images)/usr/libexec/kubernetes/kubelet-plugins/volume/exec is now a symlink to the writable folder /var/kubernetes/kubelet-plugins/volume/exec (Flatcar#1193)Changes compared to LTS-2022 3033.3.17
networkd translation to files section when converting from Ignition 2.x to Ignition 3.x (coreos-overlay#1910, flatcar#741)systemd-sysext.service drop-in unit to restore the OEM partition mount after the overlay mounts in /usr are done (init#69)gettext to the OS (Flatcar#849)systemd-networkd default management (Flatcar#808)nodelocaldns and kube-ipvs0 from being managed with systemd-networkd which interfered with the setup (init#89).metal to follow the Ignition upstream change which otherwise resulted in a broken boot when the Flatcar OEM ID pxe was used (bootengine#45)/etc/resolv.conf symlink by pointing it at resolv.conf instead of stub-resolv.conf. This bug was present since the update to systemd v250 (coreos-overlay#2057)core user or group in /etc/passwd or /etc/group (baselayout#26)networkd Ignition translation (Flatcar#812)authorized_keys.d/ignition again and added a call to update-ssh-keys after Ignition ran to create the merged authorized_keys file, which fixes the problem that keys added by Ignition get lost when update-ssh-keys runs (init#66)brd drbd nbd rbd xen-blkfront zram libarc4 lru_cache zsmalloc kernel modules to the initramfs since they were missing compared to the Flatcar 3033.2.x releases where the 5.10 kernel is used (bootengine#40)/usr/share/oem is given as initrd mount point (bootengine#58)ensure-sysext.service if systemd-sysext.service won't be started, to prevent reporting a dependency failure (Flatcar#710)grub.cfg exists, this was fixed by creating it first (bootengine#47)USER environment variable which may not be set in all environments, causing the script to fail unless a workaround was used like prepending an additional sudo invocation (init#58)wireguard (and others) from systemd-networkd management. (init#80)CONFIG_NF_CONNTRACK_BRIDGE (for nf_conntrack_bridge) and CONFIG_NFT_BRIDGE_META (for nft_meta_bridge) to the kernel config to allow using conntrack rules for bridges in nftables and to match on bridge interface names (coreos-overlay#2207)auditd.service but left it disabled by default, a custom configuration can be created by removing /etc/audit/auditd.conf and replacing it with an own file (coreos-overlay#1636)cryptsetup to the initramfs for the Ignition luks directive (flatcar-linux/coreos-overlay#1760)nc to ncat. -q option is not yet supported (flatcar#545)CONFIG_INTEL_RAPL on AMD64 Kernel config to compile intel_rapl_common module in order to allow power monitoring on modern Intel processors (coreos-overlay#1801)systemd-sysext.service to activate systemd-sysext images on boot, to disable you will need to mask it. Also added a helper service ensure-sysext.service which reloads the systemd units to reevaluate the sockets, timers, and multi-user targets when systemd-sysext.service is (re)started, making it possible to enable units that are part of a sysext image (init#65)/usr/lib used to be a symlink to /usr/lib64 but now they became two separate folders as common in other distributions (and was the case for arm64 already). Compatibility symlinks exist in case /usr/lib64 was used to access, e.g., the modules folder or the systemd folder (coreos-overlay#1713, scripts#255)/usr/share/oem is not needed anymore (bootengine#58)--strip-unneeded to --strip-debug when installing kernel modules, which makes kernel stacktraces more accurate and makes debugging issues easier (coreos-overlay#2196)/run/reboot-required flag file for kured (update_engine#15)emerge -C) before an update can happen.SYSEXT_LEVEL=1.0 and ID=flatcar (Flatcar#643)/etc/flatcar/update.conf file, leaving it totally to the user to define the contents as it was unnecessarily overwriting the /use/share/flatcar/update.conf (scripts#212)/etc/hostname from the instance metadata because it used a long FQDN but we can just use use the hostname set via DHCP (Flatcar#707)/etc/hostname from instance metadata with Afterburncoreos-metadata-sshkeys@.service to provision SSH keys from metadata. (Flatcar#817, coreos-overlay#2246)ignition-delete-config.service to remove Ignition config from VM metadata, see also here (coreos-overlay#1948)m3.small.x86 instance by expanding the GRUB check for i386 to x86_64 coreos-overlay#2122flatcar-install (the old expired on 10th August 2022), only an updated flatcar-install script can verify releases signed with the new key (init#79)Changes since LTS-2022 3033.3.3
Packages:
Architectures:
Changes since LTS 3033.3.2
containerd.service unit, br_netfilter and overlay modules by default to follow Kubernetes requirements (coreos-overlay#1944, init#72)bz2 image, a gz compressed image is published. This helps against hitting the compression timeout that sometimes lets the image import fail.bz2 image, a gz compressed image is published. This allows Glance to directly consume the images by simply passing in the URL of the image.bz2, gz, zip, none, zst. Selecting the image format can now be done by passing the --image_compression_formats option. This flag gets a comma separated list of formats.Changes since LTS 3033.3.1
NVIDIA_DRIVER_VERSION=460.106.00 in /etc/flatcar/nvidia-metadataflatcar-install, needed for download verification of releases built from July 2023 onwards, if you have copies of flatcar-install or the image signing pub key, you need to update them as well (init#92)Changes since LTS-2022 3033.3.0
/etc/flatcar/update.conf exists because it happens to be used as flag file for Ansible (init#71)Changes since LTS-2021 2605.27.1
Update to CGroupsV2: Flatcar Container Linux migrates to the unified cgroup hierarchy (aka cgroups v2)! New nodes will utilize cgroups v2 by default. Existing nodes remain on cgroups v1 and need to be manually migrated to cgroups v2. To learn more about the cgroups v2 on Flatcar Container Linux and the migration guide, please refer to https://flatcar-linux.org/docs/latest/container-runtimes/switching-to-unified-cgroups/
Other notable changes: cri-tools and lbzip2 got added, PAM tally2 got replaced by PAM faillock, only a single Docker version is now shipped (20.10), and rkt, kubelet-wapper, dhcpcd, and containerd-stress got removed.
(Note: Not all fixed issues may have been present in the old versions)
docker-1.12-no got fixed to reference the current Docker version instead of 19.03 which wasn't found on the image, causing Torcx to fail to provide Docker (coreos-overlay#1456)/run/xtables.lock coordination file exists for modifications of the xtables backend from containers (must be bind-mounted) or the iptables-legacy binaries on the host (init#57)policycoreutils used the wrong ROOT to update the SELinux store (coreos-overlay#1502)policycoreutils instead of /var/lib/selinux (flatcar-linux/Flatcar#596)ManageForeignRoutes and ManageForeignRoutingPolicyRules by default to ensure that CNIs like Cilium don't get their routes or routing policy rules discarded on network reconfiguration events (Flatcar#620).fsck[1343]: Failed to stat /dev/disk/by-label/ROOT: No such file or directory when creating a btrfs root filesystem (ignition#35)elf support for iproute2 (coreos-overlay#1256)grub.cfg (check it taking effect with cat /proc/sys/crypto/fips_enabled) (coreos-overlay#1602)/etc/flatcar-cgroupv1 through ignition. (coreos-overlay#1666)Changes since Stable 3033.2.4
ManageForeignRoutes and ManageForeignRoutingPolicyRules settings are now disabled through a drop-in file and thus can only be enabled again by a drop-in file under /etc/systemd/networkd.conf.d/ because drop-in files take precedence over /etc/systemd/networkd.conf (init#61)grub.cfg (check it taking effect with cat /proc/sys/crypto/fips_enabled) (coreos-overlay#1602)ghcr.io/flatcar/mantle image (coreos-overlay#1827, scripts#275)Packages:
Architectures:
GROUP= setting in /etc/flatcar/update.conf to determine if you need to take action. Please refer to the Flatcar documentation on switching channels to switch to LTS-2022.
Changes since LTS 2605.30.1
flatcar-install (the old expired on 10th August 2022), only an updated flatcar-install script can verify releases signed with the new key (init#79)Note: LTS 2605.32.1 i.e the next release to be release in the month of September would be the last release for LTS-2021. Post that there will be no more releases for the channel. Please upgrade your workloads to LTS-2022 as soon as possible.
Changes since LTS-2021 2605.29.1
Packages:
Architectures:
Changes since LTS 2605.28.1
Changes since LTS-2021 2605.27.1
Packages:
Architectures:
Changes since LTS 2605.26.1
Changes since LTS 2605.25.1
Changes since LTS 2605.24.1
Changes since LTS 2605.23.1
Security Fixes
Updates
Packages:
Architectures:
Changes since LTS 2605.22.1
Security fixes
Bug fixes
Updates
Packages:
Architectures:
Changes since LTS 2605.21.1
Security fixes
Bux fixes
Updates
Packages:
Architectures:
Changes since LTS 2605.20.1
Security fixes
Updates
Packages:
Architectures:
Changes since LTS 2605.19.1
Security fixes
Updates
Packages:
Architectures:
Security fixes
Updates
Packages:
Architectures:
Updates
Packages:
Architectures:
Updates
Packages:
Architectures:
Updates
Packages:
Architectures:
Bug fixes
Updates
Packages:
Architectures:
Updates
Packages:
Architectures:
Bug fixes
Updates
Packages:
Architectures:
Bug fixes
/etc/iscsi/initiatorname.iscsi is generated by the iscsi-init service (#321)Changes
/run/containerd/containerd.sock) and also as a symlink in the previous location (/run/docker/libcontainerd/docker-containerd.sock) (#771)Updates
Packages:
Architectures:
Updates:
Packages:
Architectures: