Re: [atomic-announce] Fedora Atomic Host Two Week Release Announcement: 29.20190219.0

2019-02-20 Thread Robert Fairley
In this release, two major bugfixes are included:

1. runc container escape to host filesystem (CVE-2019-5736) [1], fixed with
   runc RPM version 1.0.0-68.dev.git6635b4f.fc29
2. rpm-ostree labeling of /home symlink to /var/home [2], fixed with
   rpm-ostree RPM version 2019.2-1.fc29

To reiterate, Atomic Host systems are protected from the runc exploit due
to two lines of defense: SELinux, and /usr being mounted as read-only (see
[3]). Thus, existing Atomic Host systems should not be affected.

The kernel update to 4.20.3-200.fc29, which introduced bugs that blocked
the 20190204 release [4], is now being tracked at [5] and [6]. Since we
have confirmed the ppc64le image boots with nested kvm/qemu virtualization
on Power9 hardware, we have decided to release.

An example of the diff between this and the previous released version
(for x86_64) is:
ostree diff commit old: cdcbea2ccac7804770be806befd30895457de080d1525ee6050a5bebdfeefeb7
ostree diff commit new: d00adf110907f93f6cdd05deda0e2878c9bd71c74e0c4c2e9a5250d2f4cc8868
Upgraded:
  checkpolicy 2.8-2.fc29 -> 2.8-3.fc29
  cockpit-bridge 185-1.fc29 -> 187-1.fc29
  cockpit-docker 185-1.fc29 -> 187-1.fc29
  cockpit-networkmanager 185-1.fc29 -> 187-1.fc29
  cockpit-system 185-1.fc29 -> 187-1.fc29
  container-selinux 2:2.77-1.git2c57a17.fc29 -> 2:2.81-2.git484806a.fc29
  crypto-policies 20181026-1.gitd42aaa6.fc29 -> 20190211-2.gite3eacfc.fc29
  curl 7.61.1-6.fc29 -> 7.61.1-9.fc29
  dbus 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-common 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-daemon 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-libs 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  dbus-tools 1:1.12.10-1.fc29 -> 1:1.12.12-1.fc29
  docker 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  docker-common 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  docker-rhel-push-plugin 2:1.13.1-62.git9cb56fd.fc29 -> 2:1.13.1-65.git1185cfd.fc29
  elfutils-default-yama-scope 0.174-5.fc29 -> 0.176-1.fc29
  elfutils-libelf 0.174-5.fc29 -> 0.176-1.fc29
  elfutils-libs 0.174-5.fc29 -> 0.176-1.fc29
  file 5.34-7.fc29 -> 5.34-11.fc29
  file-libs 5.34-7.fc29 -> 5.34-11.fc29
  geolite2-city 20181204-1.fc29 -> 20190205-1.fc29
  geolite2-country 20181204-1.fc29 -> 20190205-1.fc29
  glib2 2.58.2-1.fc29 -> 2.58.3-1.fc29
  gnutls 3.6.5-2.fc29 -> 3.6.6-1.fc29
  gpgme 1.11.1-3.fc29 -> 1.12.0-1.fc29
  iproute 4.18.0-3.fc29 -> 4.20.0-1.fc29
  iproute-tc 4.18.0-3.fc29 -> 4.20.0-1.fc29
  kernel 4.19.15-300.fc29 -> 4.20.8-200.fc29
  kernel-core 4.19.15-300.fc29 -> 4.20.8-200.fc29
  kernel-modules 4.19.15-300.fc29 -> 4.20.8-200.fc29
  libcurl 7.61.1-6.fc29 -> 7.61.1-9.fc29
  libidn2 2.0.5-2.fc29 -> 2.1.1a-1.fc29
  libpng 2:1.6.34-6.fc29 -> 2:1.6.34-7.fc29
  libreport-filesystem 2.9.7-2.fc29 -> 2.10.0-1.fc29
  libselinux 2.8-4.fc29 -> 2.8-6.fc29
  libselinux-utils 2.8-4.fc29 -> 2.8-6.fc29
  libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  libsepol 2.8-2.fc29 -> 2.8-3.fc29
  libsolv 0.7.2-1.fc29 -> 0.7.2-2.fc29
  libxcrypt 4.4.2-3.fc29 -> 4.4.3-2.fc29
  libyaml 0.2.1-2.fc29 -> 0.2.1-5.fc29
  linux-firmware 20181219-89.git0f22c852.fc29 -> 20190213-93.git710963fe.fc29
  lua-libs 5.3.5-2.fc29 -> 5.3.5-3.fc29
  nss 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-softokn 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-softokn-freebl 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-sysinit 3.41.0-3.fc29 -> 3.42.1-1.fc29
  nss-util 3.41.0-3.fc29 -> 3.42.1-1.fc29
  oci-umount 2:2.3.4-2.git87f9237.fc29 -> 2:2.5-1.gitc3cda1f.fc29
  openssh 7.9p1-3.fc29 -> 7.9p1-4.fc29
  openssh-clients 7.9p1-3.fc29 -> 7.9p1-4.fc29
  openssh-server 7.9p1-3.fc29 -> 7.9p1-4.fc29
  p11-kit 0.23.14-2.fc29 -> 0.23.15-1.fc29
  p11-kit-trust 0.23.14-2.fc29 -> 0.23.15-1.fc29
  policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  policycoreutils-python-utils 2.8-8.fc29 -> 2.8-17.fc29
  polkit 0.115-4.2.fc29 -> 0.115-4.3.fc29
  polkit-libs 0.115-4.2.fc29 -> 0.115-4.3.fc29
  python2-libselinux 2.8-4.fc29 -> 2.8-6.fc29
  python2-libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  python2-policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  python2-pyOpenSSL 18.0.0-3.fc29 -> 19.0.0-1.fc29
  python3 3.7.2-1.fc29 -> 3.7.2-4.fc29
  python3-dateutil 1:2.7.0-3.fc29 -> 1:2.7.5-1.fc29
  python3-jsonschema 2.6.0-5.fc29 -> 2.6.0-6.fc29
  python3-libs 3.7.2-1.fc29 -> 3.7.2-4.fc29
  python3-libselinux 2.8-4.fc29 -> 2.8-6.fc29
  python3-libsemanage 2.8-4.fc29 -> 2.8-8.fc29
  python3-policycoreutils 2.8-8.fc29 -> 2.8-17.fc29
  python3-pyOpenSSL 18.0.0-3.fc29 -> 19.0.0-1.fc29
  rpm-ostree 2018.10-1.fc29 -> 2019.2-1.fc29
  rpm-ostree-libs 2018.10-1.fc29 -> 2019.2-1.fc29
  runc 2:1.0.0-66.dev.gitbbb17ef.fc29 -> 2:1.0.0-68.dev.git6635b4f.fc29
  selinux-policy 3.14.2-47.fc29 -> 3.14.2-49.fc29
  selinux-policy-targeted 3.14.2-47.fc29 -> 3.14.2-49.fc29
  systemd 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-container 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-libs 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-pam 239-8.gite339eae.fc29 -> 239-11.git4dc7dce.fc29
  systemd-udev 
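
The message above names two defenses (SELinux, and /usr mounted read-only) and the fixed runc build. The script below is an added example, not part of the original message or of Fedora's tooling, that checks all three; the function names and the sample mount lines are constructed for illustration, and `sort -V` is used as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example (not from the announcement): host-side checks for the two
# defenses named in the message, plus the fixed runc build it lists.
FIXED_RUNC='1.0.0-68.dev.git6635b4f.fc29'   # fixed build, from the announcement

# usr_is_readonly FILE: FILE is in /proc/mounts format. Succeeds only if the
# last mount on /usr has the exact option "ro" ("errors=remount-ro" must not match).
usr_is_readonly() {
    awk '$2 == "/usr" { opts = $4 }
         END { n = split(opts, o, ",")
               for (i = 1; i <= n; i++) if (o[i] == "ro") ok = 1
               exit !ok }' "$1"
}

# selinux_enforcing FILE: FILE has the content of /sys/fs/selinux/enforce
# ("1" means enforcing; a missing file means SELinux is not enabled).
selinux_enforcing() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# runc_is_fixed VERSION-RELEASE: succeeds if the build sorts at or after
# FIXED_RUNC. sort -V only approximates RPM ordering (assumption: adequate
# for the fc29 builds listed on this page).
runc_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_RUNC" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_RUNC" ]
}

# report LABEL COMMAND...: print PASS or FAIL for one check.
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

# Constructed sample input, so the script also runs off-host.
sample=$(mktemp -d)
printf '%s\n' '/dev/mapper/atomicos-root / xfs rw,seclabel,relatime 0 0' \
              '/dev/mapper/atomicos-root /usr xfs ro,seclabel,relatime 0 0' > "$sample/mounts"
printf '1' > "$sample/enforce"

report '/usr mounted read-only'        usr_is_readonly "$sample/mounts"
report 'SELinux enforcing'             selinux_enforcing "$sample/enforce"
report 'previous runc build is fixed'  runc_is_fixed '1.0.0-66.dev.gitbbb17ef.fc29'
report 'current runc build is fixed'   runc_is_fixed "$FIXED_RUNC"
rm -rf "$sample"
```

On a real host, pass `/proc/mounts`, `/sys/fs/selinux/enforce` and the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' runc` to the three functions instead of the sample values.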

[atomic-announce] Fedora Atomic Host Two Week Release Announcement: 29.20190219.0

2019-02-19 Thread noreply

A new Fedora Atomic Host update is available via an OSTree update:

Version: 29.20190219.0
Commit(x86_64): d00adf110907f93f6cdd05deda0e2878c9bd71c74e0c4c2e9a5250d2f4cc8868
Commit(aarch64): b87cb9e59aa668ea0e79c3d2e7c017a340c03dcf79a2f7756fedddb3831ca74e
Commit(ppc64le): 33ee5adfd3e33c8e03ad460c75fe71858528f0d91cffd9c01c07a92b2ad000c2


We are releasing images from multiple architectures but please note
that x86_64 architecture is the only one that undergoes automated
testing at this time.

Existing systems can be upgraded in place via e.g. `atomic host upgrade`.

Corresponding image media for new installations can be downloaded from:

https://getfedora.org/en/atomic/download/

Alternatively, image artifacts can be found at the following links:
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0.aarch64.qcow2
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0.aarch64.raw.xz
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/iso/Fedora-AtomicHost-ostree-aarch64-29-20190219.0.iso
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0.ppc64le.qcow2
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0.ppc64le.raw.xz
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/iso/Fedora-AtomicHost-ostree-ppc64le-29-20190219.0.iso
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0.x86_64.qcow2
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0.x86_64.raw.xz
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-Vagrant-29-20190219.0.x86_64.vagrant-libvirt.box
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-Vagrant-29-20190219.0.x86_64.vagrant-virtualbox.box
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/iso/Fedora-AtomicHost-ostree-x86_64-29-20190219.0.iso

Respective signed CHECKSUM files can be found here:
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/images/Fedora-AtomicHost-29-20190219.0-aarch64-CHECKSUM
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/aarch64/iso/Fedora-AtomicHost-29-20190219.0-aarch64-CHECKSUM
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/images/Fedora-AtomicHost-29-20190219.0-ppc64le-CHECKSUM
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/ppc64le/iso/Fedora-AtomicHost-29-20190219.0-ppc64le-CHECKSUM
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/images/Fedora-AtomicHost-29-20190219.0-x86_64-CHECKSUM
https://alt.fedoraproject.org/pub/alt/atomic/stable/Fedora-29-updates-20190219.0/AtomicHost/x86_64/iso/Fedora-AtomicHost-29-20190219.0-x86_64-CHECKSUM

For direct download, the "latest" targets are always available here:
x86_64:
https://getfedora.org/atomic_qcow2_x86_64_latest
https://getfedora.org/atomic_raw_x86_64_latest
https://getfedora.org/atomic_vagrant_libvirt_x86_64_latest
https://getfedora.org/atomic_vagrant_virtualbox_x86_64_latest
https://getfedora.org/atomic_dvd_ostree_x86_64_latest

aarch64:
https://getfedora.org/atomic_qcow2_aarch64_latest
https://getfedora.org/atomic_raw_aarch64_latest
https://getfedora.org/atomic_dvd_ostree_aarch64_latest

ppc64le:
https://getfedora.org/atomic_qcow2_ppc64le_latest
https://getfedora.org/atomic_raw_ppc64le_latest
https://getfedora.org/atomic_dvd_ostree_ppc64le_latest

Filename fetching URLs are available here:
x86_64:
https://getfedora.org/atomic_qcow2_x86_64_latest_filename
https://getfedora.org/atomic_raw_x86_64_latest_filename
https://getfedora.org/atomic_vagrant_libvirt_x86_64_latest_filename
https://getfedora.org/atomic_vagrant_virtualbox_x86_64_latest_filename
https://getfedora.org/atomic_dvd_ostree_x86_64_latest_filename

aarch64:
https://getfedora.org/atomic_qcow2_aarch64_latest_filename
https://getfedora.org/atomic_raw_aarch64_latest_filename
https://getfedora.org/atomic_dvd_ostree_aarch64_latest_filename

ppc64le:
https://getfedora.org/atomic_qcow2_ppc64le_latest_filename
https://getfedora.org/atomic_raw_ppc64le_latest_filename