For A/B-updated /etc contents we used a custom overlay mount that provides the default files through a lowerdir loaded from /usr. Since then we upstreamed mutable systemd-confext support and now we can switch to it.

This pulls in https://github.com/flatcar/init/pull/138 and https://github.com/flatcar/bootengine/pull/115 together with backported systemd patches that have opened or merged upstream PRs to fix --root= issues and add a refresh skip check to prevent boot disruptions due to the multiple daemon reloads and - more important - the missing atomic remount that would mean /etc is gone for a few milliseconds during boot. The skip logic works best with verity hashes and thus the default confext must be a verity extension image. User-provided confexts don't work well yet unless they use verity due to the missing atomic remount and reliance on the skipping logic. We also need to look into stacking order and other mutability settings.

The backported systemd patches relate to the following upstream PRs:

https://github.com/systemd/systemd/pull/39843 for
  vpick-Don-t-use-openat-directly-but-resolve-symlinks
  discover-image-Follow-symlinks-in-a-given-root
  sysext-Use-correct-image-name-for-extension-release
  test-Add-tests-for-handling-symlinks-with-systemd-sy
Note that the patch in the PR relies on 0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch does not.

https://github.com/systemd/systemd/pull/39980 for
  sysext-Create-mutable-directory-with-the-right-mode
  sysext-Skip-refresh-if-no-changes-are-found

https://github.com/systemd/systemd/pull/39991 for
  sysext-Get-verity-user-certs-from-given-root

https://github.com/systemd/systemd/pull/40063 for
  sysext-Fix-config-file-support-with-root
which relies on https://github.com/systemd/systemd/pull/38250 for
  man-sysext.conf-add-systemd-sysext-config-files
  sysext-introduce-global-config-file
  sysext-support-ImagePolicy-global-config-option

Signed-off-by: Kai Lueke <kailuke@microsoft.com>

The changelog directory contains the description of the changes introduced
into the repository. The changes are essentially divided into 4 categories:
- changes: PRs bringing Changes and/or Enhancements
- bugfixes: PRs fixing existing issues
- security: PRs fixing security issues
- updates: PRs updating packages
How to add the file
Based on the category the PR falls into, create a new file in the respective
directory with the filename format `YYYY-MM-DD-<few-words-about-the-change>.md`
(can be generated via: `$(date '+%Y-%m-%d')-<few-words-about-the-change>.md`).
The file should contain a markdown bullet point entry (`- TEXT...`).
Example for the bugfix section:
- The Torcx profile `docker-1.12-no` got fixed to reference the current Docker version instead of 19.03 which wasn't found on the image, causing Torcx to fail to provide Docker [scripts#1456](https://github.com/flatcar/scripts/pull/1456)
The contents of the file should describe the changes in a concise manner and contain only information relevant for end users. Use the past tense for the change/bugfix description to avoid confusion with the imperative voice used for actions the user should take as a result. Security fixes of upstream packages and package updates can be kept short in most cases and follow a standard format.
As updates refer to package updates, the contents of the file should follow
this format: `- Package Name ([Version](link to changelog))`. Example:
`- Linux ([5.10.77](https://lwn.net/Articles/874852/))`. Note the leading dash,
which creates a bullet list in the rendered markdown.
The security section follows this format:
- Package Name ([CVE-NUMBER](NIST-LINK), [CVE-NUMBER](NIST-LINK), ...)
E.g., Linux ([CVE-2021-4002](https://nvd.nist.gov/vuln/detail/CVE-2021-4002), [CVE-2020-27820](https://nvd.nist.gov/vuln/detail/CVE-2020-27820)).
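
A changelog file can be checked against the rules above before it is committed. The following is an added example, not part of the repository's own tooling; `check_entry` and `valid_filename` are hypothetical names, and the characters allowed in the "few words" part of the filename are an assumption. For the security category it also catches a CVE label whose NVD link points at a different CVE, a common copy-paste slip.

```python
import re
from datetime import datetime

CATEGORIES = ("changes", "bugfixes", "security", "updates")
# Assumption: the "few words" part uses letters, digits, '.', '_' and '-'.
NAME_RE = re.compile(r"(\d{4}-\d{2}-\d{2})-[A-Za-z0-9][A-Za-z0-9._-]*\.md")
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
NVD = "https://nvd.nist.gov/vuln/detail/"


def valid_filename(name):
    """True for YYYY-MM-DD-<words>.md where the date is a real calendar date."""
    m = NAME_RE.fullmatch(name)
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%Y-%m-%d")
    except ValueError:
        return False
    return True


def check_entry(category, filename, text):
    """Return a list of problems for one changelog file; empty means it passes."""
    if category not in CATEGORIES:
        return [f"unknown category directory: {category}"]
    problems = []
    if not valid_filename(filename):
        problems.append(f"bad filename: {filename}")
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines or not lines[0].startswith("- "):
        problems.append("file must start with a markdown bullet (- TEXT...)")
    links = LINK_RE.findall(text)
    if category == "updates" and not links:
        problems.append("update entry has no [Version](link to changelog)")
    if category == "security":
        # Only links that claim to be CVE references are compared with NVD.
        cve_links = [(label, url) for label, url in links
                     if CVE_RE.fullmatch(label) or url.startswith(NVD)]
        if not cve_links:
            problems.append("security entry has no [CVE-NUMBER](NIST-LINK)")
        for label, url in cve_links:
            if url != NVD + label:
                problems.append(f"{label} does not match its link {url}")
    return problems
```
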