Packages changed:
  cilium (1.6.3 -> 1.6.5)
  grub2 (2.02 -> 2.04)
  hello-kubic (1.2 -> 1.3)
  hwdata (0.330 -> 0.331)
  kernel-firmware (20191118 -> 20200107)
  metallb (0.8.2 -> 0.8.3)
  podman (1.6.4 -> 1.7.0)
  rook (1.1.7+git0.g50c6ca1f -> 1.2.1+git0.gccc10604)
  transactional-update (2.20 -> 2.20.1)

=== Details ===

==== cilium ====
Version update (1.6.3 -> 1.6.5)

- Update to version 1.6.5:
  * Important Bug Fixes
    - Envoy is updated to release 1.12.2, including important security fixes (CVE-2019-18801, CVE-2019-18802, CVE-2019-18838)
  * Bug fixes
    - Fix disabling health-checks in chaining mode
    - Delete endpoint xxx_next directories during restore
    - Fix typo in io.cilium/shared-service annotation
    - Fix issue where services would not be updated when comparing two services
    - Fix bugtool support for aead encryption algorithm
  * Misc
    - Add github actions to cilium
    - Fix AKS installation guide
    - Disable masquerading in all chaining documentation guides
    - Update golang to 1.12.14
    - Add delay between reconnect attempts to containerd
    - Decrease log level for "service not found" message
  * CI
    - Use force flag in Cilium install apply command
    - Move missed kubectl apply calls to Apply calls
    - Add nil check for init container terminated state
- Remove obsolete Groups tag (fate#326485)

==== grub2 ====
Version update (2.02 -> 2.04)
Subpackages: grub2-arm64-efi grub2-snapper-plugin

- Correct awk pattern in 20_linux_xen (bsc#900418, bsc#1157912)
- Correct linux and initrd handling in 20_linux_xen (bsc#1157912)
  M grub2-efi-xen-cfg-unquote.patch
  M grub2-efi-xen-chainload.patch
  M grub2-efi-xen-cmdline.patch
  M grub2-efi-xen-removable.patch
- Disable btrfs zstd support for i386-pc to workaround core.img too large to be embedded in btrfs bootloader area or MBR gap (boo#1154809)
  * 0001-btrfs-disable-zstd-support-for-i386-pc.patch
- Fix grub2.sleep to load old kernel after hibernation (boo#1154783)
- Enable support for riscv64
- Backports from upstream:
  * risc-v-fix-computation-of-pc-relative-relocation-offset.patch
  * risc-v-add-clzdi2-symbol.patch
  * grub-install-define-default-platform-for-risc-v.patch
- Version bump to 2.04
  * removed
    - translations-20170427.tar.xz
  * grub2.spec
    - Make signed grub-tpm.efi specific to x86_64-efi build, the platform currently shipped with tpm module from upstream codebase
    - Add shim_lock to signed grub.efi in x86_64-efi build
    - x86_64: linuxefi now depends on linux, both will verify kernel via shim_lock
    - Remove translation tarball and po file hacks as it's been included in upstream tarball
  * rediff
    - grub2-setup-try-fs-embed-if-mbr-gap-too-small.patch
    - grub2-commands-introduce-read_file-subcommand.patch
    - grub2-secureboot-add-linuxefi.patch
    - 0001-add-support-for-UEFI-network-protocols.patch
    - grub2-efi-HP-workaround.patch
    - grub2-secureboot-install-signed-grub.patch
    - grub2-linux.patch
    - use-grub2-as-a-package-name.patch
    - grub2-pass-corret-root-for-nfsroot.patch
    - grub2-secureboot-use-linuxefi-on-uefi.patch
    - grub2-secureboot-no-insmod-on-sb.patch
    - grub2-secureboot-provide-linuxefi-config.patch
    - grub2-secureboot-chainloader.patch
    - grub2-s390x-01-Changes-made-and-files-added-in-order-to-allow-s390x.patch
    - grub2-s390x-02-kexec-module-added-to-emu.patch
    - grub2-s390x-04-grub2-install.patch
    - grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
    - grub2-efi-chainloader-root.patch
    - grub2-ppc64le-disable-video.patch
    - grub2-ppc64-cas-reboot-support.patch
    - grub2-Fix-incorrect-netmask-on-ppc64.patch
    - 0003-bootp-New-net_bootp6-command.patch
    - 0006-bootp-Add-processing-DHCPACK-packet-from-HTTP-Boot.patch
    - 0012-tpm-Build-tpm-as-module.patch
    - grub2-emu-4-all.patch
    - grub2-btrfs-09-get-default-subvolume.patch
    - grub2-ppc64le-memory-map.patch
    - grub2-ppc64-cas-fix-double-free.patch
    - 0008-efinet-Setting-DNS-server-from-UEFI-protocol.patch
  * drop upstream patches
    - grub2-fix-locale-en.mo.gz-not-found-error-message.patch
    - grub2-fix-build-with-flex-2.6.4.patch
    - grub2-accept-empty-module.patch
    - 0001-Fix-packed-not-aligned-error-on-GCC-8.patch
    - 0001-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled-MMIO-da.patch
    - unix-exec-avoid-atexit-handlers-when-child-exits.patch
    - 0001-xfs-Accept-filesystem-with-sparse-inodes.patch
    - grub2-binutils2.31.patch
    - grub2-msdos-fix-overflow.patch
    - 0001-tsc-Change-default-tsc-calibration-method-to-pmtimer.patch
    - grub2-efi-Move-grub_reboot-into-kernel.patch
    - grub2-efi-Free-malloc-regions-on-exit.patch
    - grub2-move-initrd-upper.patch
    - 0002-Add-Virtual-LAN-support.patch
    - 0001-ofnet-Initialize-structs-in-bootpath-parser.patch
    - 0001-misc-fix-invalid-character-recongition-in-strto-l.patch
    - 0001-tpm-Core-TPM-support.patch
    - 0002-tpm-Measure-kernel-initrd.patch
    - 0003-tpm-Add-BIOS-boot-measurement.patch
    - 0004-tpm-Rework-linux-command.patch
    - 0005-tpm-Rework-linux16-command.patch
    - 0006-tpm-Measure-kernel-and-initrd-on-BIOS-systems.patch
    - 0007-tpm-Measure-the-kernel-commandline.patch
    - 0008-tpm-Measure-commands.patch
    - 0009-tpm-Measure-multiboot-images-and-modules.patch
    - 0010-tpm-Fix-boot-when-there-s-no-TPM.patch
    - 0011-tpm-Fix-build-error.patch
    - 0013-tpm-i386-pc-diskboot-img.patch
    - grub2-freetype-pkgconfig.patch
    - 0001-cpio-Disable-gcc9-Waddress-of-packed-member.patch
    - 0002-jfs-Disable-gcc9-Waddress-of-packed-member.patch
    - 0003-hfs-Fix-gcc9-error-Waddress-of-packed-member.patch
    - 0004-hfsplus-Fix-gcc9-error-with-Waddress-of-packed-membe.patch
    - 0005-acpi-Fix-gcc9-error-Waddress-of-packed-member.patch
    - 0006-usbtest-Disable-gcc9-Waddress-of-packed-member.patch
    - 0007-chainloader-Fix-gcc9-error-Waddress-of-packed-member.patch
    - 0008-efi-Fix-gcc9-error-Waddress-of-packed-member.patch
- Consistently find btrfs snapshots on s390x. (bsc#1136970)
  * grub2-s390x-04-grub2-install.patch

==== hello-kubic ====
Version update (1.2 -> 1.3)

- Update to version 1.3
- add kustomize support

==== hwdata ====
Version update (0.330 -> 0.331)

- Update to version 0.331:
  * Updated pci, usb and vendor ids.
==== kernel-firmware ====
Version update (20191118 -> 20200107)
Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network

- Update to version 20200107 (git commit 67d4ff59bf33):
  * Mellanox: Add new mlxsw_spectrum firmware xx.2000.2714
  * radeon: update oland rlc microcode from amdgpu
  * amdgpu: update vega20 microcode for 19.50
  * amdgpu: update vega12 microcode for 19.50
  * amdgpu: update vega10 microcode for 19.50
  * amdgpu: update picasso microcode for 19.50
  * amdgpu: update raven2 microcode for 19.50
  * amdgpu: update raven microcode for 19.50
  * amdgpu: update navi10 microcode for 19.50
  * amdgpu: update navi14 microcode for 19.50
  * amdgpu: add TA microcode for Raven asics
  * qed: Add firmware 8.42.2.0
  * Adjust WHENCE entry to check_whence doesn't complain
  * qcom: Switch SDM845 WLAN firmware
  * linux-firmware: add NXP firmware licence file
- Update to version 20191220 (git commit 6871bffa79ed):
  * ath10k: WCN3990 hw1.0: add firmware WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1
  * ath10k: QCA9984 hw1.0: update firmware-5.bin to 10.4-3.9.0.2-00070
  * ath10k: QCA988X hw2.0: update firmware-5.bin to 10.2.4-1.0-00047
  * ath10k: QCA9888 hw2.0: update firmware-5.bin to 10.4-3.9.0.2-00070
  * ath10k: QCA9887 hw1.0: update firmware-5.bin to 10.2.4-1.0-00047
  * ath10k: QCA6174 hw3.0: update board-2.bin
- Update to version 20191218 (git commit c4586ffaac0c):
  * linux-firmware: Update AMD cpu microcode
  * inside-secure: add new "mini" firmware for the EIP197 driver
  * WHENCE: Add raspberry-pi4 SDIO file
  * qcom: update venus firmware files for v5.4
  * cxgb4: Update firmware to revision 1.24.11.0
  * brcm: Add BCM43455 NVRAM for Raspberry Pi 4 B
  * qcom: Add SDM845 Compute DSP firmware
  * qcom: Add SDM845 Audio DSP firmware
  * qcom: Add SDM845 modem firmware
- Update topics and aliases for 5.5 kernels

==== metallb ====
Version update (0.8.2 -> 0.8.3)

- Update to version 0.8.3
- Add kustomize.yaml file

==== podman ====
Version update (1.6.4 -> 1.7.0)

- Add: 0001-clarify-container-prune-force.patch to fix the --force flag for the "container prune" command. (https://github.com/containers/libpod/issues/4844)
- Update podman to v1.7.0
  * Features
    - Added support for setting a static MAC address for containers
    - Added support for creating macvlan networks with podman network create, allowing Podman containers to be attached directly to networks the host is connected to
    - The podman image prune and podman container prune commands now support the --filter flag to filter what will be pruned, and now prompts for confirmation when run without --force (#4410 and #4411)
    - Podman now creates CGroup namespaces by default on systems using CGroups v2 (#4363)
    - Added the podman system reset command to remove all Podman files and perform a factory reset of the Podman installation
    - Added the --history flag to podman images to display previous names used by images (#4566)
    - Added the --ignore flag to podman rm and podman stop to not error when requested containers no longer exist
    - Added the --cidfile flag to podman rm and podman stop to read the IDs of containers to be removed or stopped from a file
    - The podman play kube command now honors Seccomp annotations (#3111)
    - The podman play kube command now honors RunAsUser, RunAsGroup, and selinuxOptions
    - The output format of the podman version command has been changed to better match docker version when using the --format flag
    - Rootless Podman will no longer initialize containers/storage twice, removing a potential deadlock preventing Podman commands from running while an image was being pulled (#4591)
    - Added tmpcopyup and notmpcopyup options to the --tmpfs and --mount type=tmpfs flags to podman create and podman run to control whether the content of directories are copied into tmpfs filesystems mounted over them
    - Added support for disabling detaching from containers by setting empty detach keys via --detach-keys=""
    - The podman build command now supports the --pull and --pull-never flags to control when images are pulled during a build
    - The podman ps -p command now shows the name of the pod as well as its ID (#4703)
    - The podman inspect command on containers will now display the command used to create the container
    - The podman info command now displays information on registry mirrors (#4553)
  * Bugfixes
    - Fixed a bug where Podman would use an incorrect runtime directory as root, causing state to be deleted after root logged out and making Podman in systemd services not function properly
    - Fixed a bug where the --change flag to podman import and podman commit was not being parsed properly in many cases
    - Fixed a bug where detach keys specified in libpod.conf were not used by the podman attach and podman exec commands, which always used the global default ctrl-p,ctrl-q key combination (#4556)
    - Fixed a bug where rootless Podman was not able to run podman pod stats even on CGroups v2 enabled systems (#4634)
    - Fixed a bug where rootless Podman would fail on kernels without the renameat2 syscall (#4570)
    - Fixed a bug where containers with chained network namespace dependencies (IE, container A using --net container=B and container B using --net container=C) would not properly mount /etc/hosts and /etc/resolv.conf into the container (#4626)
    - Fixed a bug where podman run with the --rm flag and without -d could, when run in the background, throw a 'container does not exist' error when attempting to remove the container after it exited
    - Fixed a bug where named volume locks were not properly reacquired after a reboot, potentially leading to deadlocks when trying to start containers using the volume (#4605 and #4621)
    - Fixed a bug where Podman could not completely remove containers if sent SIGKILL during removal, leaving the container name unusable without the podman rm --storage command to complete removal (#3906)
    - Fixed a bug where checkpointing containers started with --rm was allowed when --export was not specified (the container, and checkpoint, would be removed after checkpointing was complete by --rm) (#3774)
    - Fixed a bug where the podman pod prune command would fail if containers were present in the pods and the --force flag was not passed (#4346)
    - Fixed a bug where containers could not set a static IP or static MAC address if they joined a non-default CNI network (#4500)
    - Fixed a bug where podman system renumber would always throw an error if a container was mounted when it was run
    - Fixed a bug where podman container restore would fail with containers using a user namespace
    - Fixed a bug where rootless Podman would attempt to use the journald events backend even on systems without systemd installed
    - Fixed a bug where podman history would sometimes not properly identify the IDs of layers in an image (#3359)
    - Fixed a bug where containers could not be restarted when Conmon v2.0.3 or later was used
    - Fixed a bug where Podman did not check image OS and Architecture against the host when starting a container
    - Fixed a bug where containers in pods did not function properly with the Kata OCI runtime (#4353)
    - Fixed a bug where `podman info --format '{{ json . }}'` would not produce JSON output (#4391)
    - Fixed a bug where Podman would not verify if files passed to --authfile existed (#4328)
    - Fixed a bug where podman images --digest would not always print digests when they were available
    - Fixed a bug where rootless podman run could hang due to a race with reading and writing events
    - Fixed a bug where rootless Podman would print warning-level logs despite not being instructed to do so (#4456)
    - Fixed a bug where podman pull would attempt to fetch from remote registries when pulling an unqualified image using the docker-daemon transport (#4434)
    - Fixed a bug where podman cp would not work if STDIN was a pipe
    - Fixed a bug where podman exec could stop accepting input if anything was typed between the command being run and the exec session starting (#4397)
    - Fixed a bug where podman logs --tail 0 would print all lines of a container's logs, instead of no lines (#4396)
    - Fixed a bug where the timeout for slirp4netns was incorrectly set, resulting in an extremely long timeout (#4344)
    - Fixed a bug where the podman stats command would print CPU utilization figures incorrectly (#4409)
    - Fixed a bug where the podman inspect --size command would not print the size of the container's read/write layer if the size was 0 (#4744)
    - Fixed a bug where the podman kill command was not properly validating signals before use (#4746)
    - Fixed a bug where the --quiet and --format flags to podman ps could not be used at the same time
    - Fixed a bug where the podman stop command was not stopping exec sessions when a container was created without a PID namespace (--pid=host)
    - Fixed a bug where the podman pod rm --force command was not removing anonymous volumes for containers that were removed
    - Fixed a bug where the podman checkpoint command would not export all changes to the root filesystem of the container if performed more than once on the same container (#4606)
    - Fixed a bug where containers started with --rm would not be automatically removed on being stopped if an exec session was running inside the container (#4666)
  * Misc
    - The fixes to runtime directory path as root can cause strange behavior if an upgrade is performed while containers are running
    - Updated vendored Buildah to v1.12.0
    - Updated vendored containers/storage library to v1.15.4
    - Updated vendored containers/image library to v5.1.0
    - Kata Containers runtimes (kata-runtime, kata-qemu, and kata-fc) are now present in the default libpod.conf, but will not be available unless Kata containers is installed on the system
    - Podman previously did not allow the creation of containers with a memory limit lower than 4MB. This restriction has been removed, as the crun runtime can create containers with significantly less memory
- Remove no longer needed workaround for *.5.md man page sources

==== rook ====
Version update (1.1.7+git0.g50c6ca1f -> 1.2.1+git0.gccc10604)

- Update to v1.2.1:
  * Add missing env var `ROOK_CEPH_MON_HOST` for OSDs (#4589)
  * Avoid logging sensitive info when debug logging is enabled (#4568)
  * Add missing vol mount for encrypted osds (#4583)
  * Bumping ceph-operator memory limit to 256Mi (#4561)
  * Fix object bucket provisioner when rgw not on port 80 (#4508)
- Update to v1.2.0:
  * Security audit completed by Trail of Bits found no major concerns
  * Ceph: Added a new "crash collector" daemon to send crash telemetry to the Ceph dashboard, support for priority classes, and a new CephClient resource to create user credentials
  * The minimum version of Kubernetes supported by Rook changed from 1.11 to 1.12.
  * Device filtering is now configurable for the user by adding an environment variable
    + A new environment variable DISCOVER_DAEMON_UDEV_BLACKLIST is added through which the user can blacklist the devices
    + If no device is specified, the default values will be used to blacklist the devices
  * The topology setting has been removed from the CephCluster CR. To configure the OSD topology, node labels must be applied.
  * See the OSD topology topic. This setting only affects OSDs when they are first created, thus OSDs will not be impacted during upgrade.
  * The topology settings only apply to bluestore OSDs on raw devices. The topology labels are not applied to directory-based OSDs.
  * Creation of new Filestore OSDs on disks is now deprecated. Filestore is in sustaining mode in Ceph.
    + The storeType storage config setting is now ignored
    + New OSDs created in directories are always Filestore type
    + New OSDs created on disks are always Bluestore type
    + Preexisting disks provisioned as Filestore OSDs will remain as Filestore OSDs
  * Rook will no longer automatically remove OSDs if nodes are removed from the cluster CR to avoid the risk of destroying OSDs unintentionally. To remove OSDs manually, see the new doc on OSD Management
- Update csi-dummy-images.patch
- Update flexvolume-dir.patch
- Drop outdated patch 0001-bsc-1152690-ceph-csi-Driver-will-fail-with-error.patch

==== transactional-update ====
Version update (2.20 -> 2.20.1)

- Update to version 2.20.1
- Add missing documentation about --continue option
- Avoid error message about missing fstab file on first snapshot creation. [boo#1160213]