The qemu and qemu_uefi_secure images have the same contents as the
qemu_uefi image which wastes space on the release server. A similar
case is the PXE vmlinuz which is the same as the regular one, too.
Set up symlinks for same images, and also detect this when compressing
to set up symlinks there as well. To reduce complexity, the qemu and
qemu_uefi_secure images are not supported anymore and the Jenkins or
GitHub CI will skip over them if specified. Users that build their own
images need to adapt, though.
The 5.6 release contained a backdoor for SSH. The 5.6 release wasn't
used in Flatcar and so far it seems that the backdoor wouldn't even be
compiled for Gentoo. However, we so far don't know whether the other
patches are malicious.
Revert to 5.4.2 as last known-good release (like Gentoo did).
Note that the Flatcar main branch had a copy of the 5.6 ebuild but was
not using it. Flatcar Alpha was on 5.4.6-r1, so before the backdoor but
the malicious contributor did other changes of unclear impact part of
this release. Similarly, Beta is on 5.4.5 and Stable is on 5.4.3. These
should get downgraded, too.
This change updates coreos-cloudinit to the latest flatcar-master commit.
This change disables user-configdrive.service on OpenStack,
as coreos-cloudinit.service already runs on OpenStack when the system is
not configured via ignition.
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
The Flatcar extension images built with build_sysext created directories
in the overlay in a way that masked contents from other layers.
Instead of fixing the way we create directories, make use of
postprocessing to avoid any similar problems show up again in the
future.
This pulls in https://github.com/flatcar/update_engine/pull/38
with two workarounds to read out proxy env vars from the service unit
and to read out the XML response from the journal logs, because the XML
passing and the passing of proxy env vars is not present in old clients.
This pulls in https://github.com/flatcar/init/pull/114 to
support a flag to skip providing OEM payloads, with the goal of easing
downgrades to non-sysext-OEM releases or, when backported to LTS with
the default behavior switched, to opt-in to OEM payloads for airgapped
updates that can't use the fallback download.
