
K3s Releases Latest Version: v1.29.1+k3s2

K3s, the lightweight, highly available, certified Kubernetes distribution, has released version v1.29.1+k3s2. This release is designed for production workloads in unattended, resource-constrained, remote locations, or inside IoT appliances. K3s is packaged as a single <70MB binary, reducing the dependencies and steps needed to install, run, and auto-update a production Kubernetes cluster.

The update to Kubernetes v1.29.1 brings several fixes and improvements. Some of the changes since v1.29.0+k3s1 include:

  • Bump Sonobuoy version
  • Bump actions/setup-go from 4 to 5
  • Update stable channel to v1.28.5+k3s1 and add v1.29 channel
  • Added support for env *_PROXY variables for agent loadbalancer
  • Add a retry around updating a secrets-encrypt node annotations
  • Silence SELinux warning on INSTALL_K3S_SKIP_SELINUX_RPM
  • Add ServiceLB support for PodHostIPs FeatureGate
  • Redirect error stream to null when checking nm-cloud systemd unit
  • Dockerfile.dapper: set $HOME properly
  • Add system-agent-installer-k3s step to GA release instructions
  • Fix install script checksum
  • and many more…

For the full list of upstream changes, see the Kubernetes release notes.

This release also includes updates to various embedded components, such as Kubernetes v1.29.1, Kine v0.11.0, SQLite 3.42.0, etcd v3.5.9-k3s1, containerd v1.7.11-k3s2, runc v1.1.12-k3s1, Flannel v0.24.0, metrics-server v0.6.3, Traefik v2.10.5, CoreDNS v1.10.1, helm-controller v0.15.8, and local-path-provisioner v0.0.24.

January Update for openSUSE Tumbleweed

The January 2024 monthly update for openSUSE Tumbleweed introduces a new format intended to communicate major changes, improvements, and key issues more clearly. The format was recommended by contributors involved in openSUSE’s marketing efforts.

Kernel and Hardware Support

The Linux kernel receives updates to versions 6.6.7, 6.6.9, 6.6.10, 6.6.11, and 6.7.1, addressing memory-management issues and security vulnerabilities. Notable enhancements include PCI updates for Zhaoxin Root Ports, improving compatibility and performance for Zhaoxin’s CPUs and motherboards.

Browser and Graphics Updates

Mozilla Firefox is updated to version 121.0 and 121.0.1, resolving issues such as hanging when loading sites with column-based layouts. The KDE Frameworks update to version 5.114.0 brings significant improvements, including fixes in Extra CMake Modules, holiday additions for Kenya, and adjustments for AVIF in KImageFormats.

The Mesa update to version 23.3.3 introduces a new Vulkan driver for NVIDIA hardware (NVK) in the experimental phase. This marks a step forward in support for NVIDIA GPUs, accompanied by enhancements in graphics performance and compatibility for Asahi and RADV.

System Management and PHP Enhancements

systemd is updated to version 254.8, a stable-branch release that cautiously resolves reported bugs, including in device management. PHP is updated from version 8.2.14 to 8.2.15, bringing fixes for SSA integrity verification, improvements in CLI built-in web server timeouts, and a fix for stream wrapper registration.

Multimedia and Networking

GStreamer is updated to version 1.22.8, addressing vulnerabilities in the AV1 video codec parser and making improvements in reverse playback and seeking in qtdemux. Samba sees updates to version 4.19.4, resolving issues related to the machine account password, improving documentation generation, and addressing critical vulnerabilities and bugs.

Security and Bug Fixes

The update includes critical security patches across various packages, with notable improvements in Firefox, systemd, Samba, and PHP. Multiple Common Vulnerabilities and Exposures (CVEs) are addressed in packages like xorg-x11-server, xwayland, gnutls, java-11-openjdk, and samba, enhancing overall security and stability.

K3s Unveils New Version: v1.29.0+k3s1

K3s has released version v1.29.0+k3s1, an update to its lightweight, highly available Kubernetes distribution. This release includes several important changes and updates, including an upgrade to Kubernetes v1.29.0. However, before upgrading, users are advised to read the Urgent Upgrade Notes from Kubernetes.

There are two important changes to note in this release. The first is the removal of the experimental rotate-keys subcommand, due to changes in Kubernetes upstream for KMSv2. This subcommand may be added back in future releases. The second change is the removal of the multi-cluster-cidr flag, as support for this alpha feature has been completely removed from Kubernetes upstream.

Other notable changes in this release include fixing an overlapping address range, updating the stable channel to November 2023, adding runtime classes for wasm/nvidia/crun, and bumping containerd/runc to v1.7.10-k3s1/v1.1.10. Additionally, there are updates to containerd, removal of GA feature-gates, improvements to code coverage, and an update to flannel.

Embedded component versions in this release include Kubernetes v1.29.0, Kine v0.11.0, SQLite 3.42.0, Etcd v3.5.9-k3s1, Containerd v1.7.11-k3s2, Runc v1.1.10, Flannel v0.24.0, Metrics-server v0.6.3, Traefik v2.10.5, CoreDNS v1.10.1, Helm-controller v0.15.4, and Local-path-provisioner v0.0.24.

Improved Boot and Enhanced Security in openSUSE Tumbleweed and MicroOS

openSUSE Tumbleweed and MicroOS have made significant changes to their boot loader and full disk encryption (FDE) capabilities. A new MicroOS image uses systemd-boot as the boot loader and implements full disk encryption based on systemd. This update aims to improve the security of the distribution while simplifying the design.

systemd-boot

The previous boot loader used by openSUSE, GRUB2, is feature-rich but complex and slow to develop. The openSUSE package for GRUB2 contains over 200 patches, some of which have been present for many years. While GRUB2 supports various systems and file systems, the introduction of UEFI made many of its features redundant, as the system firmware already provided similar functionalities.

As a result, more straightforward boot loaders focused on UEFI, such as gummiboot, emerged. Eventually, this code was integrated into systemd and renamed systemd-boot. Compared to GRUB2, systemd-boot is much simpler and serves as a small EFI binary that presents a menu with different boot loader entries and delegates the execution to the selected kernel.

systemd-boot can also work with unified kernel images (UKI) that aggregate the kernel, command line, and initrd into a single unit. openSUSE plans to support UKIs in the future.

openSUSE has been planning to provide systemd-boot as an alternative to GRUB2 for some time, and in August 2023, Tumbleweed started supporting systemd-boot. The yast-bootloader tool also gained support for systemd-boot for new installations.

While supporting another boot loader comes with challenges, such as decreased support for different architectures and compatibility issues with btrfs file systems, openSUSE is actively working on addressing these problems.

Full Disk Encryption

openSUSE has also introduced support for full disk encryption based on systemd. While GRUB2 can already unlock LUKS volumes, systemd offers features that GRUB2 lacks or only partially provides, such as more complete LUKS2 support and integration with TPM2 devices.

The TPM2 (Trusted Platform Module 2) is a cryptographic device that can seal a secret so that it is released only when the system is in an expected state. If the measured firmware, boot loader, kernel, and initrd match what the secret was sealed against, the TPM2 unseals it; if any of them has been tampered with, the measurements differ and the unseal fails.

To take advantage of TPM2 for FDE, openSUSE has developed a policy that instructs the TPM2 to release the secret only if certain platform configuration registers (PCRs) contain the expected values. The PCR values are extended with measurements during the boot process, so any change to a measured component produces different PCR values and prevents the secret from being released.

openSUSE has also improved the prediction of PCR values with the pcr-oracle tool, which predicts the values a future boot will produce (for example after a kernel update) so that the key can be sealed against them in advance rather than only against the values of the currently running system. This allows for flexible unlocking mechanisms and better system integrity checks.
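The following is an added example, not code from the openSUSE project or the pcr-oracle tool, that models the mechanism described above: a PCR bank extended by a boot chain, a secret sealed to a PCR policy, a tampered kernel failing to unseal, and the pcr-oracle idea of predicting the PCRs of the next boot and resealing before rebooting. The boot chain, PCR selection, keys and the seal/unseal wrapping are all constructed for illustration; a real TPM2 keeps the storage key inside the chip and enforces the policy with TPM2_PolicyPCR rather than with an HMAC-derived wrap.

```python
"""Toy model of TPM2-based LUKS unlock: measured boot, PCR policy, prediction.

Constructed example; it simplifies the real TPM2 PolicyPCR/seal mechanics."""
import hashlib
import hmac

PCR_INIT = bytes(32)  # PCRs in the SHA-256 bank start as all-zero


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2 PCR extend: PCR_new = SHA256(PCR_old || SHA256(data)).
    One-way and order-sensitive, so a PCR value commits to the whole sequence."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def measure_boot(chain):
    """Replay a boot chain [(pcr_index, blob), ...] in order and return the PCR bank.
    On real hardware the firmware and boot loader perform these extends before
    handing control to the next stage."""
    pcrs = {}
    for idx, blob in chain:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), blob)
    return pcrs


def policy_digest(pcrs, selection) -> bytes:
    """Digest over the selected PCR indices and values (stand-in for TPM2_PolicyPCR)."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(bytes([idx]) + pcrs.get(idx, PCR_INIT))
    return h.digest()


def seal(secret: bytes, pcrs, selection, tpm_root: bytes):
    """Bind a 32-byte secret to a PCR state. Model: XOR-wrap it with a key derived
    from a TPM-internal root key and the policy digest (constructed, not the TPM's
    real scheme); the wrap can only be recomputed from the same PCR state."""
    pol = policy_digest(pcrs, selection)
    wrap = hmac.new(tpm_root, pol, hashlib.sha256).digest()
    return {"selection": tuple(sorted(selection)), "policy": pol,
            "blob": bytes(a ^ b for a, b in zip(secret, wrap))}


def unseal(sealed, pcrs, tpm_root: bytes):
    """Return the secret if the current PCRs satisfy the policy, else None."""
    pol = policy_digest(pcrs, sealed["selection"])
    if not hmac.compare_digest(pol, sealed["policy"]):
        return None  # a real TPM2 answers TPM_RC_POLICY_FAIL here
    wrap = hmac.new(tpm_root, pol, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


# --- constructed scenario (all values are made up for the example) ---
TPM_ROOT = hashlib.sha256(b"constructed tpm storage root key").digest()
LUKS_KEY = hashlib.sha256(b"constructed luks volume key").digest()
SELECTION = (0, 4, 7, 9)  # firmware, boot loader + kernel, Secure Boot policy, initrd

GOOD_BOOT = [(0, b"firmware 1.0"), (7, b"secure boot policy"),
             (4, b"systemd-boot"), (4, b"vmlinuz-6.7.1"), (9, b"initrd-6.7.1")]
# An attacker replaces the kernel sitting in the unencrypted ESP
TAMPERED_BOOT = [(0, b"firmware 1.0"), (7, b"secure boot policy"),
                 (4, b"systemd-boot"), (4, b"vmlinuz-evil"), (9, b"initrd-6.7.1")]
# A legitimate kernel update also changes PCR 4 and PCR 9
UPDATED_BOOT = [(0, b"firmware 1.0"), (7, b"secure boot policy"),
                (4, b"systemd-boot"), (4, b"vmlinuz-6.7.2"), (9, b"initrd-6.7.2")]


def run_scenario():
    sealed = seal(LUKS_KEY, measure_boot(GOOD_BOOT), SELECTION, TPM_ROOT)
    good = unseal(sealed, measure_boot(GOOD_BOOT), TPM_ROOT) == LUKS_KEY
    tampered = unseal(sealed, measure_boot(TAMPERED_BOOT), TPM_ROOT)
    # Naive update: the new kernel changes the PCRs, so the old seal no longer opens
    naive_update = unseal(sealed, measure_boot(UPDATED_BOOT), TPM_ROOT)
    # pcr-oracle style: predict the PCRs of the *next* boot from the files about
    # to be installed and reseal under the predicted values before rebooting
    predicted = measure_boot(UPDATED_BOOT)
    resealed = seal(LUKS_KEY, predicted, SELECTION, TPM_ROOT)
    after_update = unseal(resealed, measure_boot(UPDATED_BOOT), TPM_ROOT) == LUKS_KEY
    return {"good": good, "tampered": tampered is None,
            "naive_update": naive_update is None, "predicted_update": after_update}


if __name__ == "__main__":
    print(run_scenario())
```

The two failure cases are deliberately the same from the TPM's point of view: a swapped kernel and a legitimately updated kernel both change PCR 4, and the TPM cannot tell them apart. Prediction is what makes the second case workable without weakening the policy, which is why the tool that predicts PCRs is as important to this design as the policy itself.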

Using systemd for Disk Encryption

While GRUB2 remains usable for FDE, systemd-boot provides an alternative architecture that works with any boot loader that follows the Boot Loader Specification (BLS). With systemd-boot, the kernel and initrd are placed in the unencrypted EFI system partition (ESP), and the sysroot (the device holding the system) is unlocked from inside the initrd using systemd-cryptsetup options.

To support this new architecture, openSUSE provides a MicroOS image named kvm-and-xen-sdboot that showcases the new FDE capabilities. This image includes systemd-boot, sdbootutil scripts for synchronizing boot entries, pcr-oracle for predicting PCR values, disk-encryption-tool for encrypting the sysroot device, and dracut-pcr-signature, a dracut module that loads predictions into the initrd from the ESP.

The tools work together to provide a secure and seamless boot. In the VM, firmware with a virtual TPM2 device measures the executed code and data, extending the PCR values. systemd-boot then loads the selected boot entry, and on first boot the disk-encryption-tool script encrypts the sysroot device. Finally, the jeos-firstboot modules handle the enrollment of FIDO2 keys and present the recovery key information.

Future Improvements

While the current implementation is a sound proof of concept, there are several areas for improvement. The disk-encryption-tool should be integrated into the installer, and the jeos-firstboot modules should also live in the installer or be merged with the functionality provided by the encryption tool. Separating system keys from user keys and enabling the use of TPM2 and FIDO2 keys simultaneously are also potential improvements.

Additionally, openSUSE aims to work with upstream projects, such as systemd and GRUB2, to incorporate the current tools and features. The diagnosis of TPM2 rejection for unlocking the LUKS2 key could be improved, and the integration of multiple encrypted disks should be validated and enhanced.

Ultimately, openSUSE is considering the use of unified kernel images and further standardization to simplify the architecture. The generation and registration of new keys, as well as the selection of PCR values, may be automated or better documented to streamline the process.

Harvester Releases v1.3.0-dev-20231208 for Testing: Open Source HCI Platform

Harvester, an open-source hyperconverged infrastructure (HCI) solution built on Kubernetes, has released version v1.3.0-dev-20231208 for testing. Harvester is designed for operators who are looking for a cloud-native HCI solution and runs on bare metal servers. It offers integrated virtualization and distributed storage capabilities, supporting both traditional virtual machines (VMs) and containerized environments through integration with Rancher.

This release is specifically for testing purposes and comes with a few important notes:

  • It is not fully tested, so users should proceed with caution.
  • Upgrading from previous releases or to future releases is not supported.
  • Bug reports are welcome.

Artifacts for this release include the following:

There have been several changes in this release, including bug fixes and feature updates. Notable changes include fixing the SupportBundle CRD additionalPrinterColumns path, restoring the start of VMs if they were voluntarily powered off, and updating various components such as Wharfie, KubeVirt, and Longhorn.

Overall, Harvester’s latest release provides users with an opportunity to test and explore its features and functionalities. However, it is important to remember that this release is not fully tested and should be used at one’s own risk.

K3s Unveils New Version: v1.28.4+k3s1

K3s, a lightweight and highly available Kubernetes distribution, has released version v1.28.4+k3s1. This certified Kubernetes distribution is specifically designed for production workloads in resource-constrained and unattended environments, such as remote locations or IoT appliances. The new release updates Kubernetes to v1.28.4 and includes several fixes for various issues.

Some of the changes and improvements in this release include:

  • Update channels latest to v1.27.7+k3s2
  • Add etcd status condition for easy monitoring of etcd status from each node
  • Automatic discovery of WebAssembly runtimes
  • Improved dualStack log
  • Optimized Dockerfile for simplified installation and runtime
  • Addition of timezone info in the Docker image, enabling the use of spec.timeZone in CronJobs
  • Bumped kine to v0.11.0, resolving issues with postgres and NATS, improving watch channel performance, and enhancing compatibility
  • QoS-class resource configuration for containerd
  • Addition of agent flag disable-apiserver-lb to disable load balance proxy
  • Various bug fixes and improvements

For the full list of upstream changes, see the Kubernetes release notes.

The embedded component versions in this release are as follows:

  • Kubernetes v1.28.4
  • Kine v0.11.0
  • SQLite 3.42.0
  • Etcd v3.5.9-k3s1
  • Containerd v1.7.7-k3s1
  • Runc v1.1.8
  • Flannel v0.22.2
  • Metrics-server v0.6.3
  • Traefik v2.10.5
  • CoreDNS v1.10.1
  • Helm-controller v0.15.4
  • Local-path-provisioner v0.0.24

For more information and resources on K3s, you can visit the official documentation, join the Slack channel, or contribute to the project on GitHub.