diff --git a/Dockerfile b/Dockerfile
index 3b2ae8b8c6..04fe64cc07 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,6 +30,7 @@ ARG PKG_LIBAIO
 ARG PKG_MUSL
 ARG PKG_RUNC
 ARG PKG_XFSPROGS
+ARG PKG_APPARMOR
 ARG PKG_UTIL_LINUX
 ARG PKG_KMOD
 ARG PKG_KERNEL
@@ -40,6 +41,9 @@ ARG PKG_TALOSCTL_CNI_BUNDLE_INSTALL
 FROM ${PKG_FHS} AS pkg-fhs
 FROM ${PKG_CA_CERTIFICATES} AS pkg-ca-certificates
 
+FROM --platform=amd64 ${PKG_APPARMOR} AS pkg-apparmor-amd64
+FROM --platform=arm64 ${PKG_APPARMOR} AS pkg-apparmor-arm64
+
 FROM --platform=amd64 ${PKG_CRYPTSETUP} AS pkg-cryptsetup-amd64
 FROM --platform=arm64 ${PKG_CRYPTSETUP} AS pkg-cryptsetup-arm64
 
@@ -558,6 +562,7 @@ COPY --from=depmod-arm64 /build/lib/modules /lib/modules
 FROM build AS rootfs-base-amd64
 COPY --link --from=pkg-fhs / /rootfs
 COPY --link --from=pkg-ca-certificates / /rootfs
+COPY --link --from=pkg-apparmor-amd64 / /rootfs
 COPY --link --from=pkg-cryptsetup-amd64 / /rootfs
 COPY --link --from=pkg-containerd-amd64 / /rootfs
 COPY --link --from=pkg-dosfstools-amd64 / /rootfs
@@ -622,6 +627,7 @@ END
 FROM build AS rootfs-base-arm64
 COPY --link --from=pkg-fhs / /rootfs
 COPY --link --from=pkg-ca-certificates / /rootfs
+COPY --link --from=pkg-apparmor-arm64 / /rootfs
 COPY --link --from=pkg-cryptsetup-arm64 / /rootfs
 COPY --link --from=pkg-containerd-arm64 / /rootfs
 COPY --link --from=pkg-dosfstools-arm64 / /rootfs
diff --git a/Makefile b/Makefile
index 6f34b3475f..99da3e3c80 100644
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@ ARTIFACTS := _out
 TOOLS ?= ghcr.io/siderolabs/tools:v1.8.0-alpha.0-5-gd2746e5
 
 PKGS_PREFIX ?= ghcr.io/siderolabs
-PKGS ?= v1.8.0-alpha.0-23-gc309452
+PKGS ?= v1.8.0-alpha.0-29-g84bad89
 EXTRAS ?= v1.8.0-alpha.0-2-g0efb05f
 
 KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest
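Review bot: Nothing in the Dockerfile hunks ties the new AppArmor userspace package to the kernel side that makes it effective: the `COPY --link --from=pkg-apparmor-amd64 / /rootfs` line (and its arm64 twin) lands the package in every image, while the enforcement described elsewhere in the commit presumably depends on the kernel from the bumped pkgs being built with AppArmor support and on the node booting with AppArmor as the active LSM, none of which this diff shows. A short comment on the COPY line would save the next reader a search, e.g. `# AppArmor userspace; inert unless the kernel boots with AppArmor as the active LSM (security=apparmor)`. It is also worth confirming, since it is not visible here, that the profile handed to containerd workloads is loaded in enforce rather than complain mode. The rootfs-base-amd64 and rootfs-base-arm64 stages continue outside the hunks.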
@@ -26,6 +26,7 @@ CONFORMANCE_IMAGE ?= ghcr.io/siderolabs/conform:latest
 
 PKG_FHS ?= $(PKGS_PREFIX)/fhs:$(PKGS)
 PKG_CA_CERTIFICATES ?= $(PKGS_PREFIX)/ca-certificates:$(PKGS)
+PKG_APPARMOR ?= $(PKGS_PREFIX)/apparmor:$(PKGS)
 PKG_CRYPTSETUP ?= $(PKGS_PREFIX)/cryptsetup:$(PKGS)
 PKG_CONTAINERD ?= $(PKGS_PREFIX)/containerd:$(PKGS)
 PKG_DOSFSTOOLS ?= $(PKGS_PREFIX)/dosfstools:$(PKGS)
@@ -177,6 +178,7 @@ COMMON_ARGS += --build-arg=REGISTRY=$(REGISTRY)
 COMMON_ARGS += --build-arg=PKGS_PREFIX=$(PKGS_PREFIX)
 COMMON_ARGS += --build-arg=PKG_FHS=$(PKG_FHS)
 COMMON_ARGS += --build-arg=PKG_CA_CERTIFICATES=$(PKG_CA_CERTIFICATES)
+COMMON_ARGS += --build-arg=PKG_APPARMOR=$(PKG_APPARMOR)
 COMMON_ARGS += --build-arg=PKG_CRYPTSETUP=$(PKG_CRYPTSETUP)
 COMMON_ARGS += --build-arg=PKG_CONTAINERD=$(PKG_CONTAINERD)
 COMMON_ARGS += --build-arg=PKG_DOSFSTOOLS=$(PKG_DOSFSTOOLS)
diff --git a/hack/release.toml b/hack/release.toml
index 443653df57..bfeec2963c 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -27,6 +27,20 @@ Flannel: 0.25.3
 
 Talos is built with Go 1.22.4.
 """
+    [notes.apparmor]
+    title = "Workload Apparmor Profile"
+    description = """\
+Talos Linux can now apply the default AppArmor profiles to all workloads started via containerd, if the machine is installed with the AppArmor LSM enforced via the extraKernelArgs.
+
+Eg:
+
+```yaml
+machine:
+  install:
+    extraKernelArgs:
+      - security=apparmor
+```
+"""
 
     [notes.zstd]
     title = "ZSTD Compression"
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
index d13e2d8d0a..e07c323632 100644
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@@ -14,7 +14,7 @@ import (
 
 const (
 	// DefaultKernelVersion is the default Linux kernel version.
-	DefaultKernelVersion = "6.6.32-talos"
+	DefaultKernelVersion = "6.6.33-talos"
 
 	// KernelModulesPath is the default path to the kernel modules without the kernel version.
 	KernelModulesPath = "/lib/modules"
diff --git a/pkg/machinery/gendata/data/pkgs b/pkg/machinery/gendata/data/pkgs
index 69012c5644..f85c63d80b 100644
--- a/pkg/machinery/gendata/data/pkgs
+++ b/pkg/machinery/gendata/data/pkgs
@@ -1 +1 @@
-v1.8.0-alpha.0-23-gc309452
\ No newline at end of file
+v1.8.0-alpha.0-29-g84bad89
\ No newline at end of file