📢 Kairos release v2.0.0

[mudler]

🗺 What's left for release

🏗️ Factory ( #116 )

• 🏗️ handle image pushing #271
• ✨ Publish images for BYOI #755

🎨 UX ( #773 )

📖 Media/Blog posts ( #774 )

• 📖 Kairos+wireguard home lab #1197
• 📖 Understanding immutability #1081

🔒 CoCo/Security (#347)

• 🌱 Port dracut modules to standalone binary #657
• ⚠️ 🎨 ✨ Use immucore 🦔 #877
• 🌱 SBOM #51
• 🤖 Attach trivy scan reports #1019
• 🌱 Attach and sign SBOM to images #1055

🌱 Generic

• ✨ Custom partitioning refactor config #1180
• 🌱 Custom mounts #210
• 🌱 Support runtime registry authentication for updates #932

🐛 Bugfixing:

• 🐛 Update schema failed to pick up alpha releases #1131
• 🐛 Reset fails when encryption is enabled #733
• 🐛 config_url is saved as part of the config during netboot #885
• Debian based machine is missing /etc/resolv.conf on boot #1035
• 🐛 🦔 Revisit logging for immucore #1116

🔦 Highlights

This is a major releases as #877 is a core change of the Kairos boot process.

We replaced the former dracut modules (a set of bash scripts/dracut/systemd services), which were responsible for the immutability management of Kairos, with https://github.com/kairos-io/immucore, a self-contained binary which doesn't have dependencies and can run without dracut and systemd.

This allows us to:

• not depend anymore on systemd while set up immutability on boot ( allowing us to unblock 🐧 Alpine image with alpine kernel #653 )
• have hybrid images (🌱 Hybrid rootfs images #656), that boots both UKI as a single file image, and as well as pivoting (as we are doing currently)
• pave the way for things like Static measured boot #873 🔒 Offline encryption with static measured boot #119 and much more
• debug things more cleanly, have a better testbed, and allow to integrate easily with golang

Besides, we have now full SBOM list attached to images, as part of the release process, and in-toto attestation, allowing you to verify attestation also of SBOM lists, and have full audit of images. We also have integrated grype and trivy in our pipelines, and as such now releases contains also CVE reports, and finally we upload the generated reports as sarif file to GitHub to have notifications and see with more ease the impact of CVEs to the images.

There were also fixes to the Debian flavor (thanks to the community for reporting issues!) and now manual upgrades with private registries are supported, too.

Finally, it is also now possible to specify custom bind mounts path to overlay on top of the persistent partition, allowing to easily specify paths that you want to be persistent in the system via the cloud config file: https://kairos.io/docs/advanced/customizing/#customizing-the-file-system-hierarchy-using-custom-mounts .

✅ Release Checklist

• Stage 0 - Finishing Touches
  • Check kairos/packages, and for any needed update
  • Make sure CI tests are passing.
  • Consider cutting an rc, alpha, ... based on changes on the CI
• Stage 1 - Manual testing
  • How: Using the assets from master, make sure that test scenarios not covered by automatic tests are passing, and that docs are still aligned
    • Fedora flavor install, and manual upgrade works
    • ARM images (openSUSE, alpine) boots and manual upgrade works
• Stage 3 - Release
  • Tag the release on master.
• Stage 4 - Update provider-kairos
  • Update go mod to consume kairos-io/kairos.
  • Check if any changes on the pipelines and building pieces are required
    • Flavor changes
    • osbuilder version bumps
  • Update the CORE_VERSION file of kairos-io/provider to match the release tag of kairos-io/kairos
  • Tag the release on provider-kairos
• Stage 5 - Announcement
  • Blog post announcement

[mudler]

blocked by #1240

[mudler]

2.0.0 is released now, all artifacts are there, announcement blog post too!