Release Notes for Alpine 3.14.0

From Alpine Linux
Revision as of 05:22, 15 June 2021 by Ikke (talk | contribs)
Jump to: navigation, search



Use of the faccessat2 syscall has been enabled in musl. Due to runc issue 2151, new system calls incorrectly return EPERM instead of ENOSYS when invoked under a Docker or libseccomp version predating their release. Therefore, Alpine Linux 3.14.0 officially requires the host Docker to be version 20.10.0 (which contains moby commit a181391) or greater and the host libseccomp to be version 2.4.4 (which contains backported libseccomp commit 5696c89) or greater. Docker for Windows issue 8326 tracks the process of updating libseccomp in Docker for Windows.

Therefore, as of writing, the following platforms are not suitable as Docker hosts for Alpine Linux 3.14.0, due to containing out-of-date libseccomp: Alpine Linux 3.12 and earlier, Amazon Linux 1 or 2, CentOS 7 or 8, Debian 10 or earlier without backports enabled, Raspbian stable or earlier, openSUSE Leap (any release), Ubuntu (any release), and Windows. This applies regardless of whether the Linux distribution Docker packages or separate Docker package repositories are used, as the Docker package repositories do not include libseccomp.

To check if your host libseccomp is faccessat2-compatible, invoke scmp_sys_resolver faccessat2. If 439 is returned, faccessat2 is supported. If -1 is returned, faccessat2 is not supported. Note that Docker must still be at least version 20.10.0, regardless of the result of this command.

As a workaround, in order to run under old Docker or libseccomp versions, the moby default seccomp profile should be downloaded and on line 2, defaultAction changed to SCMP_ACT_TRACE, then --seccomp-profile=default.json can be passed to dockerd, or --security-opt=seccomp=default.json passed to docker create or docker run. This will cause the system calls to return ENOSYS instead of EPERM, allowing the container to fall back to faccessat.


xf86-input-{mouse,keyboard} have been removed, as upstream maintainers have explicitly declared that they are for non-Linux platforms only. Users should have already switched to xf86-input-evdev or xf86-input-libinput.

/usr/libexec/Xorg.wrap and the suid bit on /usr/bin/Xorg have been removed. X now requires udev or mdev, and either elogind must be enabled or X users must be in the video and input groups.

The Xorg sysconfdir has been changed from /etc/X11 to /etc. In the unlikely event that you have configuration files in /etc/X11/X11, those must be moved to /etc/X11.

Python upgraded to 3.9

Python has been upgraded to version 3.9, and all python modules have been rebuilt against python 3.9. Make sure that all custom python3 modules are built against python3.9

ClamAV moved to community

The clamav package has been moved from main to community. We cannot support releases for 2 years, which we do for packages in main, and clamav warns that the version is too old. If you need clamav, make sure that you have the community repository enabled in /etc/apk/repositories, but do note that packages in community are only supported for one release (6 months).