Starting with this release, ignition-validate binaries are signed with the Fedora 38 key.
- Clarify spec terminology for contents of CA bundles, files, and key files
- Improve rendering of spec docs on docs site
- Document that `hash` fields describe decompressed data
- Clarify documentation of `passwordHash` fields
- Correctly document Tang `advertisement` field as optional
- Support and require xfsprogs ≥ 5.19 in blackbox tests
Starting with this release, ignition-validate binaries are signed with the Fedora 37 key.
- Support offline Tang provisioning via pre-shared advertisement (3.4.0)
- Allow enabling discard passthrough on LUKS devices (3.4.0)
- Allow specifying arbitrary LUKS open options (3.4.0)
- Ship aarch64 macOS ignition-validate binary in GitHub release artifacts
- Mark the 3.4.0 config spec as stable
- No longer accept configs with version 3.4.0-experimental
- Create new 3.5.0-experimental config spec from 3.4.0
- Fail if files/links/dirs conflict with systemd units or dropins
- Warn if template for enabled systemd instance unit has no `Install` section
- Warn if filesystem overwrites partitioned disk
- Warn if `wipeTable` overwrites a filesystem that would otherwise be reused
- Warn if `user`/`group` specified for hard link
- Install ignition-apply in `/usr/libexec`
- Allow distros to add Ignition command-line arguments from a unit drop-in
- Convert `NEWS` to Markdown and move to docs site
- Require Go 1.18+
- Don't overwrite LUKS1 volume when `storage.luks.wipeVolume` is false
- Request network when custom Clevis config has `needsNetwork` set
- Fix creating LUKS volume with custom Clevis config that uses TPM2
- Avoid logging spurious error when a LUKS volume wasn't previously formatted
- Fix version string in ignition-validate release container
- Fix reproducibility of systemd preset file in ignition-apply output
- Document that `user`/`group` fields aren't applied to hard links
- Clarify spec docs for `files`/`directories`/`links` `group` fields
Starting with this release, ignition-validate binaries are signed with the Fedora 36 key.
- Support KubeVirt platform
- Support AWS `arn:` URLs for S3 objects and access points (3.4.0-exp)
- Support reading configs from Azure IMDS "user data"
- Support S3 fetch via IPv6
- Add `ignition-apply` entrypoint to apply an Ignition config in a container
- Delete userdata after provisioning on VirtualBox and VMware by default (see operator notes for details) (GHSA-hj57-j5cw-2mwp, CVE-2022-1706)
- Support setting setuid/setgid/sticky mode bits (3.4.0-exp)
- Warn if setuid/setgid/sticky mode bits specified (3.0.0 - 3.3.0)
- Support UEFI Secure Boot on VMware
- Add arm64 support to ignition-validate container
- Document S3 fetch semantics in operator notes
- Document considerations for handling secrets in operator notes
- Fix disabling systemd units with pre-existing enablement symlinks
- Fix reuse of statically keyed LUKS volumes (2.12.0 regression)
- Fix `gs://` fetch in GCE instances configured without a service account
- Fix error reading VirtualBox guest properties that have flags
- Fix infinite loop if `-root` command-line argument is a relative path
Starting with this release, ignition-validate binaries are signed with the Fedora 35 key.
- Add Nutanix provider
- Switch VirtualBox provider to read from `/Ignition/Config` guest property
- Improve QEMU `fw_cfg` read performance
- Warn when QEMU `fw_cfg` config is too large for reasonable performance
- Move Ignition report to `/etc/.ignition-result.json`
- Improve resilience to filesystem unmount failures
- Run `mkfs.fat` instead of its alias `mkfs.vfat`
- Refresh supported platform documentation
- Make `ignition.version` required in JSON schema (3.4.0-exp)
- Disallow null `noProxy` array entries in JSON schema (3.4.0-exp)
- Support Azure generation 2 VMs
- Write info about Ignition’s execution to `/var/lib/ignition/result.json`
- Access GCP metadata service by IP address to mitigate DNS poisoning attacks
- Document `storage.luks.clevis.threshold` default
- Document minimum Ignition release for each spec version
- Fix permissions of mountpoints inside user home directories
- Apply SELinux labels to newly-created `ext4` filesystems
- Drop `ignition-setup-user.service` and `ignition-firstboot-complete.service` in favor of distro-provided code
- Persist some state between Ignition stages using a file in `/run`
- Add command-line flag specifying path to `neednet` flag file
- Drop `-clear-cache` command-line flag
- Fix reboot race in example kargs helper
- Drop support for Go 1.13 and 1.14
- Convert `ClevisCustom.Config`, `ClevisCustom.Pin`, `LinkEmbedded1.Target`, and `Raid.Level` Go fields to pointers (3.3.0)
- Accept `none` in `storage.filesystems.format` (3.3.0)
- Add `ParseCompatibleVersion()` Go functions to parse any config up to the selected version
- Add `powervs` platform
- Mark the 3.3.0 config spec as stable
- No longer accept configs with version 3.3.0-experimental
- Create new 3.4.0-experimental config spec from 3.3.0
- Report specific reason an existing LUKS device cannot be reused
- Validate that `storage.raid.devices` is non-empty
- Don't sequence `ignition-setup-user.service` before `multipathd.service`
- Fix misleading error message if spares are requested for a RAID level that doesn't support them
- Fix file mode of `ignition-kargs-helper` script
Starting with this release, ignition-validate binaries are signed with the Fedora 34 key.
- Rename `Custom` struct to `ClevisCustom` (3.3.0-exp)
- Embed `Clevis` and `ClevisCustom` structs in parents (3.3.0-exp)
- Always include interior nodes in merge transcript
- Add kernel argument support (3.3.0-exp)
- Fix fetching userdata on AWS when IMDSv1 is disabled
- Fix creating Tang-based LUKS volumes before network is up
- Document `storage.filesystems.wipeFilesystem` default
- Require `storage.filesystems.format` if `wipeFilesystem` or `mountOptions` is specified
- Refactor code to address golangci-lint warnings
- Fix fetching configs from S3 resources when running on non-default AWS partitions
- Fix fetching userdata from IMDSv2 on AWS
- Fix crash on partitions with no number or label
- Correctly document `storage.filesystems.path` as optional
- Clarify documented semantics of `systemd.units.name`
- Correctly merge config fields behind a struct pointer (e.g. `clevis`)
Starting with this release, ignition-validate binaries are signed with the Fedora 33 key.
- Support unmasking systemd units
- Switch system base config from single file to `.d` directory
- Add Go merge API that produces a transcript of merge operations
- Support resizing existing partitions (3.2.0)
- Support reusing LUKS devices not bound to Clevis (3.2.0)
- Mark the 3.2.0 config spec as stable
- No longer accept configs with version 3.2.0-experimental
- Create new 3.3.0-experimental config spec from 3.2.0
- Require presence of a config source on CloudStack/OpenStack, and wait indefinitely for it to appear
- When executing in non-default AWS partitions (GovCloud or AWS China), fetch `s3://` resources from the same partition
- Fix bundled library unconditionally blocking for entropy at startup
- Fix config fetching on AzureStack
- Fix partition offset/length calculation on big-endian systems
- Fix premature logging of successful config fetch
- Add `release` tag to ignition-validate container for latest release
- Support creating ephemeral LUKS volumes (3.2.0-exp)
- Support deleting users/groups (3.2.0-exp)
- Request network when needed on CloudStack/OpenStack
- Merge ignition-dracut into the Ignition repository
- Fix udev race determining filesystem type when creating filesystem
- Set LUKS key file directory to mode 700
- Fix nondeterministic config provider precedence causing fetch failures
- Don't relabel symlink to home directory, since it might not be writable
- Fix failure looking up users/groups
- Support creating LUKS volumes with Clevis or static key file (3.2.0-exp)
- Support Google Cloud Storage (`gs://`) resource URLs
- Support AWS IMDSv2
- Allow specifying multiple CA certificates in one resource
- Add Azure Stack platform
- Allow OS to avoid starting network if the config doesn't need it
- When creating a filesystem, run `wipefs` on target device first
- Warn if filesystem probe finds multiple filesystem signatures
- Don't warn about unset file/directory mode in config
- Fetch AWS metadata version 2019-10-01 instead of 2009-04-04
- Refactor SELinux relabeling
- Fix compressed CA certificates
- Fix hard links to files deeper than the hard link
- Write empty systemd dropin if requested
- Remember to relabel `/etc/systemd/system-preset`
- Ensure configs are only fetched during fetch stage
- Clarify docs about interaction between file contents and overwrite
Starting with this release, ignition-validate binaries are signed with the Fedora 32 key.
- Allow specifying HTTP headers when fetching remote resources (3.1.0)
- Support compression for CA certs and merged/replaced configs (3.1.0)
- Support `sha256` verification hashes (3.1.0)
- Support compression for `data` URIs
- Log structured journal entry when user config is found
- Log structured journal entry when SSH keys are written
- Unify `CaReference`, `ConfigReference`, `FileContents` structs into `Resource` (3.1.0)
- Mark the 3.1.0 config spec as stable
- No longer accept configs with version 3.1.0-experimental
- Create new 3.2.0-experimental config spec from 3.1.0
- Fix `ignition-validate` for config versions other than 3.0.0
- Fix config fetch and status reporting on Packet
- Fix build failure on arches other than amd64, arm64, ppc64le, or s390x
- Add Exoscale and Vultr providers
- On QEMU/s390x and QEMU/ppc64le, fetch Ignition config from a virtio block device (experimental)
- Don't relabel `/root` and `/home`
- Fix enabling systemd instantiated services
- Fail if SSH keys cannot be written
- Fix partition creation on s390x
- Fix panics when processes Ignition starts fail
- An ignition-validate container is now built and can be used instead of the ignition-validate binaries
- Do not panic when filesystem paths are unspecified
- Specify the correct config version HTTP `Accept` headers when fetching configs
- Write the config cache file atomically
- Relabel symlinks for masking systemd units
- Fix bug where empty GPT labels were treated as errors
- Do not generate warnings if mode is unset for files with only an `append` section
- Validate HTTP(S) proxy urls in spec 3.1.0-experimental
- Ignition now logs the name of the stage it is running
- Ignition now relabels files directly instead of writing systemd units to do so. Requires Linux 5.4.0+ or a patch. See operator notes for more details
- Add optional `fetch` stage to cache the rendered config, but not apply any of it
- Add support for `aliyun` cloud
- Add support for zVM hypervisor
- Add support for specifying mount options for filesystems in spec 3.1.0-experimental
- Ignition no longer needs the `chroot` or `id` binaries in the initramfs
- Fix getting AWS region when networking is slow to come up
- Validate file/directory paths correctly
- Use `/run/ignition/dev_aliases` instead of `/dev_aliases` when creating our own symlinks to devices in `/dev`
- Rename tests to use `dots.with.lowercase`
- Replace `config/validate` api with `github.com/coreos/vcontext`
- `Validate()` functions in `config/*` now follow the `vcontext` validation interface
- Add configuration spec 3.1.0-experimental
- Allow specifying HTTP(S) proxies in spec 3.1.0-experimental
- Validate hard links do not link to directories
- Validate paths do not include links specified in the config
- Include major version in `go.mod` correctly
- Fix SELinux relabeling of systemd unit files
- Update documentation for spec 3.0.0+
- Remove all deprecated fields in configuration specs
- Remove `ec2` platform id in favor of `aws`
- Remove `pxe` platform as it is not a platform
- Fail if files, links, and directories conflict after symlink resolution
- Do not fail when writing directories or links if overwrite is false and a matching directory or link already exists
NOTE: This is an alpha release. While the spec is marked as stable (i.e. no "-experimental" suffix) we still reserve the right to change it until the stable 2.0.0 release. However, we do not anticipate any backwards incompatible changes aside from removing deprecated fields.
NOTE: In order to allow types from both the 2.x.y and 3.0.0 specs to be vendored and imported in the same project, we are skipping version 1.0.0. Go mod (and some other tools) treat v0.x and v1.x as the same when importing packages with semantic import versioning.
- Ignition now understands config specification 3.0.0
- Configs are now merged instead of appended
- Configs with version < 3.0.0 are now rejected
- Duplicate entries are now disallowed in lists
- Removal of almost all deprecated fields
- Parallelize filesystem creation
- Increase default config fetch timeout to 2 minutes
- Add `-list` option to list blackbox tests
- Skip backward compatibility tests with `-test.short`
- When writing files, directories, or links, do not follow symlinks if they are the last path element
- Add support for `?versionId` on `s3://` URLs
- Mark the 2.3.0 config spec as stable
- No longer accept configs with version 2.3.0-experimental
- Create new 2.4.0-experimental config spec from 2.3.0
- Don't allow HTTPS connections to block on system entropy pool
- Relabel `/var/home` and `/var/roothome` when SELinux is enabled
- Fix race where files were relabeled after `systemd-sysctl.service`
- Do not run `udevadm settle` after the disks stage if the disks stage did nothing
- Allow writing relative symlinks
- Resolve absolute symlinks relative to specified filesystem instead of the initramfs root
- Report status to Packet as `running` instead of `succeeded`
- Fix race with `umount` when running blackbox tests
- Refactor blackbox tests to allow testing disks with 4k sectors
- Correctly detect disks with 4k sectors when scanning existing partitions
- Fix race between HTTP backoff tests
- Set the minimum config versions in tests to the actual minimum required
- Relabel `/root` when SELinux relabeling is enabled
- Ignition is now built as a Position Independent Executable (PIE)
- Blackbox tests now run against all spec versions (within the same major version) greater than their minimum version
- Ignition now reports its status when running on Packet
- Add a compile-time flag to enable SELinux file relabeling after boot
- Directories specified in both base and appended configs are always created with the permissions specified in the appended config
- Call `chdir()` after `chroot()` to silence static checkers
- Support partition matching, specifying that a partition should not exist, and recreating existing partitions
- Fail blackbox tests when Ignition encounters critical-level logs
- Fix an issue in timeout logic causing http(s) requests to sometimes fail
- Do not log non-critical errors with `CRITICAL` log level
- Fix an issue in timeout logic causing http(s) requests to sometimes fail
- Fix an issue in timeout logic causing http(s) requests to sometimes fail
- Blackbox tests can now be run in parallel
- Remove Oracle Cloud Infrastructure support
- No longer leave a stray file when appending to an existing file
- Fix multiple blackbox test validation errors
- Fix v1 config parsing to return `ErrUnknownVersion` if version is unrecognized
- Warn when adding and enabling a systemd unit and there is no `Install` section in the unit contents
- Add highlights to reports generated by `Validate` functions on config structs
- Move a helper validation function to the `config/validate` package
- Move unit validation helpers to `config/shared/validations`
- Add common error types to `config/shared/errors`, refactor `config/v*` to use these errors
- Latest experimental package has been moved from `config/types` to `config/v2_3_experimental`.
- Each `config` package's `Parse` function will now transparently handle any configs of a lesser version than itself (e.g. `config/v2_2` will handle a 2.0.0 config).
- Validation in `config/v1` reworked to use `config/validate`.
- Common error types from the `config` package moved to `config/errors`.
- Mark the 2.2.0 config spec as stable
- No longer accept configs with version 2.2.0-experimental
- Create new 2.3.0-experimental config spec from 2.2.0
- Add support for networkd drop-ins
- Add new program, `ignition-validate`, for validating Ignition configs
- Add `overwrite` field to `files`, `directories`, and `links` sections for deleting preexisting items at the node's path
- Add `options` field to `raid` section for specifying arbitrary `mdadm` options
- Add `append` field to `files` section for appending to preexisting files
- Add support for specifying additional certificate authorities to use when fetching objects over HTTPS
- Validate that partition labels don't contain colons, as `sgdisk` will silently truncate the label
- Remove `-validate` flag from Ignition that was introduced in 0.20.0
- Warn when the mode for a file or directory is unset
- Log retries of HTTP fetches at `info` loglevel so messages appear on console
- Fix issue where unspecified fields in an appended config could "unset" fields specified in a config earlier in the chain
- Use timeouts specified in a config when fetching other configs referenced by it
- Add support for fetching S3 objects from non-default AWS partitions when running in one such partition
- Add `validate` flag for validating Ignition configs without running any stages
- Add support for reading user configs from initramfs
- Move `update-ssh-keys` from dependency into internal library
- Move constants such as paths for invoked binaries into dedicated package to allow for easy overriding at link time
- Read base and default configs from initramfs instead of hardcoding them
- Use the golang DNS resolver instead of the default glibc DNS resolver
- Add support for CloudStack network metadata
- Add blackbox tests for TFTP URLs
- Remove dependency on `kpartx` for blackbox tests
- Stop adding extra quotes around GECOS field when creating users
- Fix regression in validation logic causing inaccurate line and column reporting
- Fix regression in validation logic where JSON syntax errors were not reported correctly
- Add warning if a non-existent filesystem is specified when creating links and directories
- Fix udev race causing systemd units depending on the Ignition disks stage and a device unit to fail when no filesystems are created
- Fix udev race where symlinks are deleted before Ignition can create its own copy
- On VMWare allow guest variables to override values specified in the OVF environment
- Add partial support for CloudStack
- Add blackbox tests
- Add support for Oracle OCI provider
- Chmod pre-existing directories to match defined permissions in config
- Chown pre-existing links to match defined owner in config
- Add `--homehost any` arguments to `mdadm` raid creation to ensure consistent device name under `/dev/md`
- On GCE, don't bind-mount `docker` binary into Google Cloud SDK container
- On GCE, remove `gcutil` alias
- Properly error out when a user or group set by name in the config cannot be resolved to an id
- Fix typo in `gcloud` alias preventing connection to the docker daemon in some cases
- Fix partition number validation where multiple partitions on a disk were unable to specify 0 for the next available partition number
- Fix failure to create files/directories/links on correct filesystem
- Fix failure to force filesystem creation when legacy `force` flag was set
- Prevent VFAT filesystem creation from unconditionally overwriting existing filesystem
- Fix deprecation warning on `enable` field in OEM systemd units
- Fix failure where hard link targets would be on incorrect filesystem, causing creation to fail
- Fix incorrect filesystem UUID check when deciding whether to reuse existing filesystem, causing Ignition to fail
- Fix failure when user data was not provided on EC2 and GCE
- Fix failure to fetch user data on packet.net
- Add support for S3 fetching and IAM role credential use in EC2
- Add `enabled` flag to services to allow disabling services
- Add new `vagrant-virtualbox` oem
- Mark 2.1.0 as stable
- No longer accept 2.1.0-experimental configs
- Create new 2.2.0-experimental spec from 2.1.0
- Mask `user-configdrive.service` and `user-configvirtfs.service` on `brightbox` and `openstack` to prevent cloudinit from running a second time
- Use value given in `root` flag everywhere, instead of hard coding `/sysroot`
- Fix TFTP URL validation
- Fix nil pointer dereference when uid or gid for a file is unspecified
- Add support for VFAT filesystem creation
- Fix `raid` device validation
- Validate length of filesystem labels
- Remove all OEM etcd v0 drop-in units
- Remove `xendom0` OEM
- Add support for VMware's OVF environment
- Add support for VirtualBox OEM
- Define the Ignition Config schema in a JSON Schema file. Generate golang structs from this file
- Add partition GUID to the filesystem object, create or modify the partition as appropriate
- Add support for `swap` filesystems
- Add support for links, both symbolic and hard
- Deprecate the user level `create` object, add relevant fields directly to the user object
- Add support for referencing users and groups by name when creating files, directories, and links
- Deprecate the filesystem level `create` object, add relevant fields directly to the filesystem object
- Add support for reusing existing filesystems, toggled via the new `wipeFilesystem` field in the filesystem object
- Add filesystem UUID and label to the filesystem object
- Correctly handle timeouts, instead of ignoring timeout settings in the Ignition config
- Fix file path validation on Windows
- On Brightbox correctly fetch the config, instead of failing with a noop
- Fix a race with udev events which could cause filesystem creation to fail
- Modify existing users, instead of attempting to create them
- Support for TFTP URLs
- Update the services for the Azure OEM
- Update the services for the BrightBox OEM
- Update the services for the EC2 OEM
- Update the services for the OpenStack OEM
- Update the services for the Packet OEM
- Update the services for the VMware OEM
- Read from both the config-drive and metadata service when using the OpenStack provider
- Properly report errors encountered while creating files
- Fix GCE `gcloud` alias to properly invoke the container
- Add support for experimental features via a newer config spec
- Allow file provider's config path to be overridden
- Perform basic syntactic validation on the contents of systemd units
- Add ability to explicitly create directories
- Add configuration for HTTP-related timeouts
- Enable `coreos-metadata-sshkeys` on Packet
- Assert validity of `data` URLs during config validation
- Allow kernel command-line parameter to override OEM config
- Correctly set the partition typecode
- Update the services for the GCE OEM
- Fix potential deadlock when waiting for multiple disks
- Add support for DigitalOcean
- Add experimental support for OpenStack
- Fix handling of `oem://` URLs
- Use stable symlinks when operating on devices
- Retry failed requests when fetching Packet userdata
- Log the raw configurations instead of the parsed result
- Add support for QEMU Firmware Configuration Device
- Do not retry HTTP requests that result in non-5xx status codes
- Properly validate `data` URLs
- Add detailed configuration validation
- Add retry to all HTTP requests
- Fix potential panic when parsing certain URLs
- Add support for Packet
- Interpret files without a URL to be empty instead of invalid
- HTTP fetches time out while waiting for response header instead of body
- Stream remote assets to disk instead of loading them into memory
- Improve configuration validation
- Allow HTTPS URLs
- Don't overwrite existing data when formatting `ext4` unless `force` is set
- Ensure service unit in `/etc` doesn't exist before masking
- Capture and log stdout of subprocesses
- Drop YAML tags from the config package
- All URL schemes (currently `http`, `oem`, and `data`) are now supported everywhere a URL can be provided
- Add base OEM and default user configurations for GCE
- Add support for GCE
- Write files after users and home directories are created
- Strip support for EC2 SSH keys (these are handled by coreos-metadata now)
- Add OEM-specific base configs and execute even if user config is empty
- Update the config spec to v2.0.0 (see the migration guide for more info)
- v1 configs will be automatically translated to v2.0.0
- Add HTTP `User-Agent` and `Accept` headers to all requests
- Use Go's vendor directory for all dependencies
- Split source into a public `config` package and `internal`
- Fix compilation errors when building for ARM
- Properly fetch configs from EC2
- Properly decode VMware guest variables before parsing config
- Move config structures from `config` package to `config/types`
- Allow building on non-AMD64 architectures
- Major refactoring of the internal processing of OEMs and providers
- Add support for VMware
- Improve validation of `storage.filesystems` options
- Properly zap GPT tables when they are partially valid
- Recognize and ignore gzipped cloud-configs
- Correctly escape device unit names
- Provide logging to pinpoint JSON errors in invalid configs
- Ensure that `/mnt/oem` exists before mounting
- Remove `/sysroot/` prefix from alternate config path
- Mount the oem partition for `oem://` schemes when needed
- Allow empty CustomData on Azure
- Added support for Azure
- Added support for formatting partitions as `xfs`
- Removed online timeout for EC2
- `--fetchtimeout` becomes `--online-timeout`
- `--online-timeout` of 0 now represents infinity
- Added recognition of `interoute` OEM
- Examples have been removed and supported platforms added
- Various minor cleanups
- Ensure added SSH keys are newline terminated
- Fix `gofmt` invocation from test script to fail when appropriate
- Disable EC2 provider for now
- Add support for `oem://` scheme config urls
- Added guides
- Updated config specification
- Add `DefaultDependencies=false` to `WaitOnDevices()` transient unit
- Updated JSON configuration keys to match style
- Added script for tagging releases
- Add support for ssh keys on EC2
- Log version at runtime
- Log ssh keys as they are added
- Various small cleanups
- Derive version from `git describe` at build time
- Use `bash` build and test scripts instead of `make`
- Fix validation of drop-in names
- Properly handle a lack of userdata on EC2
- Ignore empty configs
- Ignore unsupported CoreOS OEMs
- Panic on incorrect OEM flag configurations
- Initial release of Ignition!
- Support for disk partitioning, partition formatting, writing files, RAID, systemd units, networkd units, users, and groups.
- Supports reading the config from a remote URL (via `config.coreos.url`) or from the Amazon EC2 metadata service.