Release Notes for Alpine 3.14.0: Difference between revisions
No edit summary |
m (Add to category) |
||
(7 intermediate revisions by 2 users not shown) | |||
Line 2: | Line 2: | ||
=== faccessat2 === | === faccessat2 === | ||
Use of the faccessat2 syscall has been enabled in musl. Due to [https://github.com/opencontainers/runc/issues/2151 runc issue 2151], new system calls incorrectly | Use of the faccessat2 syscall has been enabled in musl. Due to [https://github.com/opencontainers/runc/issues/2151 runc issue 2151], new system calls incorrectly returned EPERM instead of ENOSYS when invoked under a Docker with libseccomp predating their release. Therefore, Alpine Linux 3.14 requires '''at least one''' of the following: | ||
# runc v1.0.0-rc93 | |||
## if using Docker's Debian repositories, this is part of containerd.io 1.4.3-2 | |||
## if using Docker Desktop for Windows or Mac, this is part of Docker Desktop 3.3.0 | |||
# Docker 20.10.0 (which contains [https://github.com/moby/moby/commit/a18139111d8a203bd211b0861c281ebe77daccd9 moby commit a181391]) or greater, '''''AND''''' libseccomp 2.4.4 (which contains backported [https://github.com/seccomp/libseccomp/commit/5696c896409c1feb37eb502df33cf36efb2e8e01 libseccomp commit 5696c89]) or greater. In this case, to check if your host libseccomp is faccessat2-compatible, invoke <code>scmp_sys_resolver faccessat2</code>. If 439 is returned, faccessat2 is supported. If -1 is returned, faccessat2 is not supported. Note that if runc is older than v1.0.0-rc93, Docker must still be at least version 20.10.0, regardless of the result of this command. | |||
# As a workaround, in order to run under old Docker or libseccomp versions, [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json the moby default seccomp profile] should be downloaded and on line 2, <code>defaultAction</code> changed to <code>SCMP_ACT_TRACE</code>, then <code>--seccomp-profile=default.json</code> can be passed to dockerd, or <code>--security-opt=seccomp=default.json</code> passed to <code>docker create</code> or <code>docker run</code>. This will cause the system calls to return ENOSYS instead of EPERM, allowing the container to fall back to faccessat. | |||
Note also that when using nested Docker, '''every layer''' must meet one of the above requirements, since if '''any layer''' improperly denies the use of faccessat2, Alpine Linux 3.14 will not function correctly. | |||
=== Xorg === | === Xorg === | ||
xf86-input-{mouse,keyboard} have been removed, as upstream maintainers have explicitly declared that they are for non-Linux platforms only. Users should have already switched to xf86-input-evdev or xf86-input-libinput. | xf86-input-{mouse,keyboard} have been removed, as upstream maintainers have explicitly declared that they are for non-Linux platforms only. Users should have already switched to xf86-input-evdev or xf86-input-libinput. | ||
Rootless support has been enabled for Xorg. X now requires udev or mdev, and either elogind must be enabled or X users must be in the video and input groups. | |||
The Xorg sysconfdir has been changed from /etc/X11 to /etc. In the unlikely event that you have configuration files in /etc/X11/X11, those must be moved to /etc/X11. | The Xorg sysconfdir has been changed from /etc/X11 to /etc. In the unlikely event that you have configuration files in /etc/X11/X11, those must be moved to /etc/X11. | ||
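Review bot: item 1 of the added list reads "runc v1.0.0-rc93" with no "or greater", while item 2 says "or greater" and then refers to runc "older than v1.0.0-rc93"; add "or greater" to item 1 so it reads as a minimum like the others. In item 3, "on line 2" is tied to a link at blob/master and will drift when the profile changes; refer to the defaultAction key by name, or pin the link to a commit.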
Line 23: | Line 25: | ||
=== ClamAV moved to community === | === ClamAV moved to community === | ||
The [https://pkgs.alpinelinux.org/package/edge/ | The [https://pkgs.alpinelinux.org/package/edge/community/x86_64/clamav clamav] package has been moved from main to community. We cannot support releases for 2 years, which we do for packages in main, and clamav warns that the version is too old. If you need clamav, make sure that you have the community repository enabled in <tt>/etc/apk/repositories</tt>, but do note that packages in community are only supported for one release (6 months). | ||
=== openssh flavors === | === openssh flavors === | ||
There was already an OpenSSH flavor with PAM support, but now there has been added a new flavor for krb5 (openssh-server-krb5, openssh-client-krb5). Note that this new flavor includes PAM support, in case you need both. | There was already an OpenSSH flavor with PAM support, but now there has been added a new flavor for krb5 (openssh-server-krb5, openssh-client-krb5). Note that this new flavor includes PAM support, in case you need both. | ||
[[Category:News]] |
Latest revision as of 14:12, 19 February 2023
aports
faccessat2
Use of the faccessat2 syscall has been enabled in musl. Due to runc issue 2151, new system calls incorrectly returned EPERM instead of ENOSYS when invoked under a Docker with a libseccomp predating their release. Therefore, Alpine Linux 3.14 requires at least one of the following:
- runc v1.0.0-rc93
  - if using Docker's Debian repositories, this is part of containerd.io 1.4.3-2
  - if using Docker Desktop for Windows or Mac, this is part of Docker Desktop 3.3.0
- Docker 20.10.0 (which contains moby commit a181391) or greater, AND libseccomp 2.4.4 (which contains backported libseccomp commit 5696c89) or greater. In this case, to check if your host libseccomp is faccessat2-compatible, invoke `scmp_sys_resolver faccessat2`. If 439 is returned, faccessat2 is supported. If -1 is returned, faccessat2 is not supported. Note that if runc is older than v1.0.0-rc93, Docker must still be at least version 20.10.0, regardless of the result of this command.
- As a workaround, in order to run under old Docker or libseccomp versions, the moby default seccomp profile should be downloaded and on line 2, `defaultAction` changed to `SCMP_ACT_TRACE`, then `--seccomp-profile=default.json` can be passed to dockerd, or `--security-opt=seccomp=default.json` passed to `docker create` or `docker run`. This will cause the system calls to return ENOSYS instead of EPERM, allowing the container to fall back to faccessat.
Note also that when using nested Docker, every layer must meet one of the above requirements, since if any layer improperly denies the use of faccessat2, Alpine Linux 3.14 will not function correctly.
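The following is an added example, not part of the original release notes: it encodes requirements 1 and 2 above as a shell check that can be run with the values gathered on each Docker layer. The function names are hypothetical, and runc v1.0.0-rc93 is treated as a minimum version.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Inputs on a real host:
#   runc --version | awk '/^runc version/ {print $3}'
#   docker version --format '{{.Server.Version}}'
#   scmp_sys_resolver faccessat2

# ver_parts VERSION: print "major minor patch rc"; a final release gets
# rc=9999 so that 1.0.0 ranks above 1.0.0-rc93. Fails on unparseable input.
ver_parts() {
    v=${1#v}; rc=9999
    case $v in
        *-rc*) rc=${v##*-rc}; rc=${rc%%[!0-9]*}; v=${v%%-rc*} ;;
    esac
    v=${v%%[-+~]*}          # drop build suffixes such as "+dfsg1" or "-ce"
    IFS=. read -r a b c _ <<EOF
$v
EOF
    case "${a:-x}${b:-0}${c:-0}${rc:-x}" in *[!0-9]*) return 1 ;; esac
    echo "$a ${b:-0} ${c:-0} $rc"
}

# ver_ge A B: succeed when version A >= version B.
ver_ge() {
    set -- $(ver_parts "$1") $(ver_parts "$2")
    [ $# -eq 8 ] || return 2          # one side did not parse
    [ "$1" -ne "$5" ] && { [ "$1" -gt "$5" ]; return; }
    [ "$2" -ne "$6" ] && { [ "$2" -gt "$6" ]; return; }
    [ "$3" -ne "$7" ] && { [ "$3" -gt "$7" ]; return; }
    [ "$4" -ge "$8" ]
}

# alpine314_host_ok RUNC_VER DOCKER_VER SCMP_RESULT
# Succeeds when the layer meets requirement 1 or 2 from the list above;
# failure means the seccomp-profile workaround is needed on this layer.
alpine314_host_ok() {
    # 1: runc at v1.0.0-rc93 (treated as a minimum) is enough on its own.
    ver_ge "$1" 1.0.0-rc93 && return 0
    # 2: Docker >= 20.10.0 AND libseccomp resolves faccessat2 to 439.
    ver_ge "$2" 20.10.0 && [ "$3" = 439 ]
}
```

With nested Docker, run the check once per layer; a single failing layer is enough to break Alpine Linux 3.14 inside it.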
Xorg
xf86-input-{mouse,keyboard} have been removed, as upstream maintainers have explicitly declared that they are for non-Linux platforms only. Users should have already switched to xf86-input-evdev or xf86-input-libinput.
Rootless support has been enabled for Xorg. X now requires udev or mdev, and either elogind must be enabled or X users must be in the video and input groups.
The Xorg sysconfdir has been changed from /etc/X11 to /etc. In the unlikely event that you have configuration files in /etc/X11/X11, those must be moved to /etc/X11.
Python upgraded to 3.9
Python has been upgraded to version 3.9, and all Python modules have been rebuilt against Python 3.9. Make sure that all custom python3 modules are built against python3.9.
ClamAV moved to community
The clamav package has been moved from main to community. We cannot support releases for 2 years, which we do for packages in main, and clamav warns that the version is too old. If you need clamav, make sure that you have the community repository enabled in /etc/apk/repositories, but do note that packages in community are only supported for one release (6 months).
openssh flavors
There was already an OpenSSH flavor with PAM support, and a new flavor for krb5 has now been added (openssh-server-krb5, openssh-client-krb5). Note that this new flavor includes PAM support, in case you need both.