Posts for: #release

K3s Unveils New Version: v1.29.0+k3s1

K3s has released version v1.29.0+k3s1, an update to its lightweight, highly available Kubernetes distribution. The headline change is the upgrade to Kubernetes v1.29.0; before upgrading, read the Urgent Upgrade Notes in the upstream Kubernetes v1.29 changelog, since some of the removals below come directly from upstream.

There are two breaking changes to note in this release. The first is the removal of the experimental rotate-keys subcommand, because the upstream KMS v2 changes in Kubernetes v1.29 no longer support the way it worked; it may be added back in a future release. The second is the removal of the multi-cluster-cidr flag, since the alpha multi-CIDR feature it enabled has been removed entirely from upstream Kubernetes. Clusters that pass either option on the command line or in the config file will need to drop it before upgrading.

Other notable changes in this release include a fix for an overlapping address range, updating the stable channel to the November 2023 release, adding runtime classes for wasm, nvidia and crun, and bumping runc to v1.1.10 and containerd first to v1.7.10-k3s1 and then to v1.7.11-k3s2. The release also removes feature gates for features that have reached GA, improves code coverage, and updates flannel.

Embedded component versions in this release include Kubernetes v1.29.0, Kine v0.11.0, SQLite 3.42.0, Etcd v3.5.9-k3s1, Containerd v1.7.11-k3s2, Runc v1.1.10, Flannel v0.24.0, Metrics-server v0.6.3, Traefik v2.10.5, CoreDNS v1.10.1, Helm-controller v0.15.4, and Local-path-provisioner v0.0.24.

Gitea Releases Version 1.21.3

Gitea has announced the release of version 1.21.3. This update includes 18 merged pull requests, among them a fix for a security vulnerability. Users are strongly encouraged to update to this version for the security fix and for important bug fixes.

One notable change in this release is that it is built with the latest released version of Go and addresses CVE-2023-48795. That CVE is the "Terrapin" prefix-truncation attack on the SSH transport; it affects the Go SSH implementation in golang.org/x/crypto, which Gitea's built-in SSH server uses, so instances that expose the built-in SSH server (rather than the system OpenSSH) are the ones that benefit from this update.

The fix was contributed by @wxiaoguang.

For those interested in updating to Gitea 1.21.3, the software can be downloaded from the downloads page. The installation guide provides more information on how to install the update.

For a full list of changes in Gitea 1.21.3, refer to the Changelog.

Improved Boot and Enhanced Security in openSUSE Tumbleweed and MicroOS

openSUSE Tumbleweed and MicroOS have made some significant changes to their boot loader and full disk encryption (FDE) capabilities. The new image now uses systemd-boot as the boot loader and implements full disk encryption based on systemd. This update aims to improve the security of the distribution while simplifying the design.

systemd-boot

The previous boot loader used by openSUSE, GRUB2, is feature-rich but complex and slow to change. The openSUSE package for GRUB2 carries over 200 patches, some of which have been present for many years. While GRUB2 supports many systems and file systems, the arrival of UEFI made many of its features redundant, as the system firmware already provides similar functionality.

As a result, more straightforward boot loaders focused on UEFI, such as gummiboot, emerged. Eventually, this code was integrated into systemd and renamed systemd-boot. Compared to GRUB2, systemd-boot is much simpler and serves as a small EFI binary that presents a menu with different boot loader entries and delegates the execution to the selected kernel.

systemd-boot can also work with unified kernel images (UKI) that aggregate the kernel, command line, and initrd into a single unit. openSUSE plans to support UKIs in the future.

openSUSE has been planning to provide systemd-boot as an alternative to GRUB2 for some time, and in August 2023, Tumbleweed started supporting systemd-boot. The yast-bootloader tool also gained support for systemd-boot for new installations.

Supporting another boot loader comes with challenges: systemd-boot is UEFI-only, so it covers fewer architectures and firmware types than GRUB2, and it reads only the EFI system partition, so kernels and initrds living on btrfs must be copied into the ESP and kept in sync with the btrfs snapshots they belong to. openSUSE is actively working on these problems.

Full Disk Encryption

openSUSE has also introduced support for full disk encryption based on systemd. GRUB2 can already unlock LUKS volumes, but its LUKS2 support is only partial (it lacks the Argon2 key derivation that LUKS2 uses by default), whereas systemd fully supports LUKS2 and integrates with TPM2 devices.

The TPM2 (Trusted Platform Module 2) is a cryptographic device that releases a secret only when certain conditions about the system's state are met. The TPM2 releases the secret only if the system is in a known good state, meaning that the firmware, boot loader, kernel, and initrd it measured are the ones that were present when the secret was sealed.

To take advantage of TPM2 for FDE, openSUSE uses a TPM2 policy that allows the secret to be decrypted only if certain platform configuration registers (PCRs) contain the expected values. The PCR values are extended with the hash of each component as it is loaded during boot, so any change to a measured component yields different PCR values and the secret stays sealed.

The difficulty is that legitimate changes, such as a kernel update, also change the PCRs. openSUSE addresses this with the pcr-oracle tool, which predicts the PCR values a future boot will produce from the components that will be executed, so that the key can be sealed against those predicted values in advance instead of only against the values measured in the current boot. Without prediction, every update to a measured component would lock the system out until the key was re-enrolled by hand.

Using systemd for Disk Encryption

While GRUB2 remains functional for FDE, systemd-boot enables an alternative architecture that works with any boot loader following the Boot Loader Specification (BLS). With systemd-boot, the kernel and initrd are placed in the unencrypted EFI system partition (ESP), and the sysroot (the partition holding the system) is unlocked from inside the initrd using systemd-cryptsetup options.

To support this new architecture, openSUSE provides a MicroOS image named kvm-and-xen-sdboot that showcases the new FDE capabilities. This image includes systemd-boot, sdbootutil scripts for synchronizing boot entries, pcr-oracle for predicting PCR values, disk-encryption-tool for encrypting the sysroot device, and dracut-pcr-signature, a dracut module that loads predictions into the initrd from the ESP.

The tools work together to provide a secure and seamless boot. The VM firmware, backed by a virtual TPM2 device, measures the code and data it executes and extends the PCR values; systemd-boot loads the selected boot entry; on first boot the disk-encryption-tool script encrypts the sysroot device; and the jeos-firstboot modules handle the enrollment of FIDO2 keys and present the recovery key to the user.
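To make the PCR-policy mechanism and the role of prediction concrete, here is an added simulation (not code from openSUSE, systemd or pcr-oracle) of a TPM2 PCR bank, PCR-policy sealing, and pcr-oracle-style prediction of the PCRs for an upcoming boot. The TPM is modelled with hashlib/hmac only, the boot event log and the PCR indices 4 and 9 are illustrative assumptions, and the component blobs are constructed stand-ins for real EFI binaries, kernel command lines and initrds.

```python
"""Simulated TPM2 PCR extend, PCR-policy sealing and pcr-oracle-style prediction.

Added illustration, not code from openSUSE, systemd or pcr-oracle. The "TPM"
is a few hashlib/hmac calls; the policy digest is a simplification of
TPM2_PolicyPCR and the PCR indices are assumptions chosen for the example.
"""
from __future__ import annotations

import hashlib
import hmac

PCR_ZERO = bytes(32)  # SHA-256 bank PCRs read as all-zero after reset


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2_PCR_Extend: new = H(old || H(event)). One-way and order-dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def replay_boot(event_log: list[tuple[int, bytes]]) -> dict[int, bytes]:
    """Replay an ordered event log of (pcr_index, data) from reset to final PCRs.

    This is the predictor's job: given the components the next boot will load,
    compute the PCR values the firmware will end up with, without rebooting.
    """
    pcrs: dict[int, bytes] = {}
    for index, data in event_log:
        pcrs[index] = pcr_extend(pcrs.get(index, PCR_ZERO), data)
    return pcrs


def policy_digest(pcrs: dict[int, bytes], selection: tuple[int, ...]) -> bytes:
    """Simplified TPM2_PolicyPCR: commit to the values of the selected PCRs."""
    pcr_blob = b"".join(pcrs.get(i, PCR_ZERO) for i in selection)
    return hashlib.sha256(b"PolicyPCR" + bytes(selection)
                          + hashlib.sha256(pcr_blob).digest()).digest()


class SimTpm:
    """Stand-in TPM: a device-bound seed plus seal/unseal under a PCR policy."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed  # never leaves the chip in a real TPM

    def _wrap_key(self, policy: bytes) -> bytes:
        return hmac.new(self._seed, b"seal" + policy, hashlib.sha256).digest()

    def seal(self, secret: bytes, policy: bytes) -> tuple[bytes, bytes]:
        key = self._wrap_key(policy)
        return policy, bytes(a ^ b for a, b in zip(secret, key))

    def unseal(self, blob: tuple[bytes, bytes], pcrs: dict[int, bytes],
               selection: tuple[int, ...]) -> bytes:
        sealed_policy, ciphertext = blob
        current = policy_digest(pcrs, selection)  # what the session measures now
        if not hmac.compare_digest(current, sealed_policy):
            raise PermissionError("PCR policy mismatch: boot state is not the sealed one")
        # Key is derived from the *measured* state, so skipping the check above
        # would only yield garbage rather than the secret.
        return bytes(a ^ b for a, b in zip(ciphertext, self._wrap_key(current)))


# Constructed stand-ins for boot components (real inputs are the EFI binaries etc.)
FIRMWARE = b"ovmf-firmware-build"
SDBOOT = b"systemd-bootx64.efi"
KERNEL_V1 = b"vmlinuz-6.6.1-1"
KERNEL_V2 = b"vmlinuz-6.6.2-1"
INITRD = b"initrd-6.6-default"
CMDLINE = b"root=/dev/mapper/cr_root rd.luks.options=tpm2-device=auto"
SELECTION = (4, 9)  # assumed: PCR 4 = boot code, PCR 9 = cmdline/initrd


def boot_log(kernel: bytes, initrd: bytes = INITRD) -> list[tuple[int, bytes]]:
    """Assumed measurement order for one boot; each entry extends one PCR."""
    return [(0, FIRMWARE), (4, SDBOOT), (4, kernel), (9, CMDLINE), (9, initrd)]


def demo() -> dict[str, bool]:
    tpm = SimTpm(seed=b"\x11" * 32)
    luks_key = hashlib.sha256(b"constructed LUKS volume key").digest()

    # 1. Enrollment: seal the volume key against the PCRs of the running system.
    pcrs_v1 = replay_boot(boot_log(KERNEL_V1))
    blob_v1 = tpm.seal(luks_key, policy_digest(pcrs_v1, SELECTION))
    results = {"unlock_same_state": tpm.unseal(blob_v1, pcrs_v1, SELECTION) == luks_key}

    # 2. Tampering: a replaced initrd changes PCR 9, so the TPM refuses.
    tampered = replay_boot(boot_log(KERNEL_V1, initrd=b"initrd-with-implant"))
    results["refused_tampered_initrd"] = _refuses(tpm, blob_v1, tampered)

    # 3. Kernel update: the old seal no longer matches the new boot ...
    pcrs_v2_at_boot = replay_boot(boot_log(KERNEL_V2))
    results["refused_old_seal_after_update"] = _refuses(tpm, blob_v1, pcrs_v2_at_boot)

    # ... so, before rebooting, predict the new PCRs from the installed files
    # (pcr-oracle's role) and re-seal the key under the predicted policy.
    predicted_v2 = replay_boot(boot_log(KERNEL_V2))
    blob_v2 = tpm.seal(luks_key, policy_digest(predicted_v2, SELECTION))
    results["unlock_after_reseal"] = tpm.unseal(blob_v2, pcrs_v2_at_boot, SELECTION) == luks_key
    return results


def _refuses(tpm: SimTpm, blob: tuple[bytes, bytes], pcrs: dict[int, bytes]) -> bool:
    try:
        tpm.unseal(blob, pcrs, SELECTION)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of step 3 is the one the article makes: a kernel update is indistinguishable from tampering at the PCR level, so the key must be re-sealed against the predicted values of the next boot before that boot happens, which is exactly the window dracut-pcr-signature fills by loading the prediction from the ESP.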

Future Improvements

While the current implementation is a sound proof of concept, there are several areas for improvement. The disk-encryption-tool should be integrated into the installer, and the jeos-firstboot modules should also live in the installer or be merged with the functionality provided by the encryption tool. Separating system keys from user keys and enabling the use of TPM2 and FIDO2 keys simultaneously are also potential improvements.

Additionally, openSUSE aims to work with upstream projects, such as systemd and GRUB2, to incorporate the current tools and features. The diagnosis of TPM2 rejection for unlocking the LUKS2 key could be improved, and the integration of multiple encrypted disks should be validated and enhanced.

Ultimately, openSUSE is considering the use of unified kernel images and further standardization to simplify the architecture. The generation and registration of new keys, as well as the selection of PCR values, may be automated or better documented to streamline the process.

Youyeetoo R1: RK3588S SBC with NFC and M.2 Sockets at an Affordable Price

Youyeetoo has released the Youyeetoo R1, a feature-rich single-board computer (SBC) powered by the Rockchip RK3588S. The compact 100×69.3mm board offers two M.2 sockets for NVME/SSD or 4G LTE, a WiFi and Bluetooth connector, NFC support, four display interfaces, and two MIPI CSI camera interfaces.

The Youyeetoo R1 comes with various configuration options, including up to 32GB of RAM and 256GB of eMMC flash. The board also features a gigabit Ethernet port, five USB interfaces, a built-in microphone, multiple audio inputs/outputs, a 30-pin header for expansion, and HDMI input via an adapter connected to one of the MIPI CSI ports.

Specifications:

  • SoC: Rockchip RK3588S with octa-core processor (4x Cortex-A76 cores @ up to 2.2-2.4 GHz, 4x Cortex-A55 cores @ up to 1.8 GHz), Arm Mali-G610 GPU, 8Kp60 video decoder, and 6 TOPS NPU for AI acceleration
  • System Memory: 4GB, 8GB, 16GB, or 32GB LPDDR4x
  • Storage: 32GB, 64GB, 128GB, or 256GB eMMC flash, M.2 M-Key socket for NVMe or SATA SSD, MicroSD card socket
  • Video Output: HDMI 2.1 port up to 8Kp60 or 4Kp120, 2x MIPI DSI connectors up to 4Kp60, USB Type-C with DP1.4 support up to 8Kp30
  • Video Input: 2x 4-lane MIPI CSI connectors, optional HDMI input via RK628D adapter board
  • Audio: 3.5mm earphone jack with microphone, digital audio output via HDMI, on-board microphone, 4-pin header with R/L/GND/MIC, 2-pin header for microphone
  • Networking and connectivity: Gigabit Ethernet RJ45, M.2 E-Key socket for WiFi 5 and Bluetooth 5.0 module or WiFi 6 and Bluetooth 5.2 module, M.2 M-Key socket for 4G LTE module, NFC via external antenna
  • USB: 1x USB 3.0 Type-A port, 2x USB 2.0 Type-A ports, 1x USB 3.1 OTG Type-C port with DisplayPort Alt mode, 4-pin header with USB 2.0 interface
  • Expansion: M.2 2242 M-Key socket for PCIe/SATA SSD or 4G LTE module, M.2 2230 E-Key socket for WiFi & Bluetooth module, 30-pin GPIO header with various I2C, UART, CAN, PWM, ADC, SPI, and GPIO signals
  • Debugging: Debug UART connector
  • Misc: Power, Recovery, Reset, and Boot buttons, 2x red/green user LEDs, RTC battery connector, fan connector
  • Power Supply: 12V/3A via 5.5×2.1mm DC jack or 2-pin socket
  • Dimensions: 100 x 69.3 mm

The SBC supports Android 13, Debian 11, Ubuntu 22.04, and Buildroot, all based on Linux 5.10. The documentation for the board is still being developed, but previous reviews of Youyeetoo products have shown decent documentation quality.

The Youyeetoo R1 will be available starting at $99. Higher configurations such as 8GB/64GB are available, and 16GB/128GB and 32GB/256GB models are expected to be released in the future.

Source: CNX Software – Embedded Systems News.

QEMU 8.2 Introduces New VirtIO-Sound & VirtIO-GPU “Rutabaga” Devices

QEMU 8.2, the latest update for the open-source processor emulator, has been released. This release brings several new features and improvements to the open-source Linux virtualization stack.

Some of the key highlights of QEMU 8.2 include:

  • Addition of a new VirtIO-Sound device that allows capture and playback from inside a guest using the audio backend of the host machine.

  • Introduction of a new VirtIO-GPU “Rutabaga” device, which enables various abstractions of GPU and display virtualization. This feature is primarily intended for use with the Android Emulator on QEMU and comes from the Android/CrosVM graphics stack.

  • Support for UFS (Universal Flash Storage) emulation through new ufs and ufs-lu devices.

  • P2P support for VFIO migration.

  • Preparation changes for the new IOMMUFD back-end.

  • Continued active development of RISC-V software support. QEMU 8.2 now supports several new RISC-V ISA extensions, virtual IRQs and IRQ filtering, and RISC-V vector crypto v1.0.

  • Improved emulation for QEMU’s 68k Macintosh Quadra 800, allowing it to boot MacOS 7.1, A/UX 3.0.1, Linux, and NetBSD 9.3.

  • Addition of new Arm CPU types, including Cortex-A710 and Neoverse-N2. QEMU also provides support for emulating newer ARM architecture extensions.

  • QEMU on LoongArch now supports the LASX and PRELDX instructions, along with support for 4K page sizes and ongoing LoongArch enablement work.

  • HAXM, Intel's Hardware Accelerated Execution Manager, is no longer supported by QEMU since Intel discontinued its development in 2023.

For more information and downloads, you can visit the QEMU 8.2 feature release page on wiki.qemu.org.

Source: Phoronix.

Kubernetes v1.29: Introducing Mandala

Kubernetes has announced the release of version 1.29, named Mandala (The Universe). The v1.29 release includes 49 enhancements, with 11 graduating to Stable, 19 entering Beta, and 19 arriving as Alpha.

Some of the stable improvements in v1.29 include:

  • ReadWriteOncePod PersistentVolume access mode, which restricts a volume to a single Pod across the whole cluster (unlike ReadWriteOnce, which only restricts it to a single node and so still lets multiple Pods on that node share it).
  • Node volume expansion Secret support for CSI drivers, which allows secrets to be sent as part of the node expansion process.
  • KMS v2 encryption at rest, which provides improvements in performance, key rotation, health check & status, and observability for encrypting persisted API data.

Beta improvements in v1.29 include:

  • QueueingHint feature for optimizing the efficiency of requeueing in the scheduler.
  • Separation of node lifecycle from taint management, allowing for more granular control over taint-based pod eviction.
  • Clean up for legacy Secret-based ServiceAccount tokens, marking them as invalid if they have not been used for a long time.

Alpha features in v1.29 include:

  • Defining Pod affinity or anti-affinity using matchLabelKeys, improving calculation accuracy during rolling updates.
  • nftables backend for kube-proxy, providing a new backend based on nftables for packet filtering and processing.
  • APIs to manage IP address ranges for Services, allowing for dynamic allocation and resizing of IP ranges.
  • Support for image pull per runtime class in containerd/kubelet/CRI, enabling the pulling of different images based on the runtime class specified.
  • In-place updates for Pod resources for Windows Pods, allowing for changes to the desired resource requests and limits without restarting the Pod.

The release also includes the graduation of 11 enhancements to Stable, the in-tree cloud provider integrations being disabled by default ahead of their removal, the removal of the v1beta2 flow control API group, the deprecation of the status.nodeInfo.kubeProxyVersion field for Node objects, and the removal of the legacy Linux package repositories.

Kubernetes v1.29 is available for download on GitHub, and users can get started with Kubernetes using interactive tutorials or by running local clusters using minikube. The release team, consisting of dedicated community volunteers, has worked hard to deliver this release, with contributions from 888 companies and 1422 individuals during the 14-week release cycle.

For more details about the v1.29 release, including the full list of enhancements and graduations, users can refer to the release notes.