Releases: microsoft/azure-linux-image-tools

v0.15.0

29 May 22:16
06fa365

Breaking changes

  • Enable GPG checking for package installation by default.
    • GPG checking can be explicitly disabled in .repo files passed to --rpm-source. GPG checking is also disabled for directories.
  • Don't copy extended file ACLs for additionalFiles, etc.

New features

  • Add support for reinitializing verity. (Reading verity settings from base image and reapplying them.)
  • Add support for specifying package snapshot time.

Bug fixes

  • Remove unnecessary/duplicate files from ISO.
  • Ensure no files are left in build directory.
  • Ensure correct UUID is used when verity hashDeviceMountIdType or hashDeviceMountIdType is set to uuid.
  • Don't overwrite shim EFI when UKIs are configured.

Doc fixes and improvements

  • Remove deprecated doc: "Partition Metadata JSON Format"

v0.14.0

24 Apr 21:09
77cd059

Breaking changes

  • The config input.image.path and output.image.path APIs are now relative to the config file's parent directory instead of the working directory.
  • Packages are now installed, updated, or removed in a single batch.
    • This improves performance and allows RPM dependency solving to be more effective.
  • When exporting as COSI, verity hash partitions are now shrunk to their actual size.

New features

  • Added output.artifacts config API and inject-files CLI subcommand. These APIs can be used together for secure-boot signing.

Bug fixes

  • Don't delete PXE output directory before populating it.
  • Support older versions of lsof.
  • Support filesystems larger than 4 GiB when shrinking partitions.
  • Fix support for verity's corruptionOption field, so it works again.

Doc fixes and improvements

  • Added doc describing how to use systemd-sysext.
  • Add missing documentation for some verity fields.
  • Re-organized the docs for easier navigation.

v0.13.0

20 Mar 20:25
79db348

Breaking changes

  • Switched from parted to sfdisk.
    • Ubuntu 20.04 can no longer be used as a build host, unless you use the containerized version of Prism (Image Customizer).
  • The --output-split-partitions-format and --shrink-filesystems APIs have been removed.
  • Switched CLI args parser from Kingpin to Kong.
    • The API should be the same. But there might be subtle behavior differences.
  • Added customize as sub-command.
    • If no sub-command is specified, then customize is the default, thus maintaining compatibility with the existing API.

New features

  • Added ARM64 support.
  • Added .output.image.path, .output.image.format, and input.image.path to config file as alternative to --output-image-file, .output.image.path and --image-file.
  • Allow verity to be initialized on pre-created partitions that exist in the base image.
  • Using Prism (Image Customizer) in WSL2 (Windows Subsystem for Linux) is now supported.

Bug fixes

  • Fix error when customizing a base image that has verity enabled, when specifying a new partition layout.
  • Ensure osRelease in COSI file is correctly populated.
  • COSI files will no longer include empty filesystems.
  • COSI files now correctly use the x86_64 value instead of amd64.
  • Config API schema file now accepts integer values for permission fields.
  • Improved error message when base image file is not found.
  • Prism's (Image Customizer) container now includes all dependencies needed for building UKIs.
  • Removed extraneous warnings logs when building LiveOS ISOs.
  • Bumped the minimum OS version required to enable SELinux on LiveOS images.
  • Stop all chroot processes (not just gpg-agent) before unmounting the image.
  • Remove unnecessary requirement that systemd-ukify is installed in customized OS when UKIs are used.
  • Don't rely on udevadm settle to signal when block device metadata has finished being populated.

Doc fixes and improvements

  • Example code in 'Quick Start' guide has been fixed.
  • Navigation panel title of 'Create Verity and UKI image' page has been fixed.
  • Added version when features were added.
  • Added 'lvm2' package installation to verity examples.
  • PowerShell code blocks are now rendered correctly.
  • Verity recommendations doc has been split up to improve readability.

v0.12.0

21 Feb 17:45
cb4efae

Breaking changes

None

New features

None

Bug fixes

  • Ensure UKIs get all of the kernel command line args.

v0.11.0

13 Feb 22:12
db361b2

Breaking changes

  • Enabling verity no longer sets GRUB_DISABLE_RECOVERY in /etc/default/grub.

New features

  • Add support for /usr dm-verity.

Bug fixes

  • When output format is COSI, shrink the filesystems.
  • Add Joliet extensions to ISO output. This ensures Windows sees the correct file names.
  • Enabling dm-verity on an image with multiple kernel packages installed will no longer error out.

v0.10.0

03 Feb 23:42
01c4c1d

Breaking changes

None

New features

  • COSI output is now fully supported.
  • Add support for customizing a verity protected base image. However, the new image must re-customize the partitions.

Bug fixes

  • Overlay working directory will be set to no_access_t when SELinux is enabled.
  • Create parent directory when additionalFile entry uses content instead of source.
  • VHDs will now always be output using the Hyper-V format (as opposed to the Microsoft Virtual PC format). In addition, input VHDs will now be parsed assuming they use the Hyper-V format.
  • Fix race condition when resetting partition UUIDs.

v0.9.0

13 Jan 22:23
bc3ae6a

Breaking changes

  • Script capability restrictions have been removed. A new more flexible design is being worked on.
  • Image Customizer container's base has been updated to Azure Linux 3.0.
    • This fixes Image Customizer's handling of file capabilities.

New features

  • Add basic (incomplete) support for COSI output format.
  • Add support for specifying partition type UUID.

Bug fixes

  • Add basic pre-validation of --rpm-source values.
  • Ensure ext4 and xfs filesystems enable appropriate features for Azure Linux 2.0 and 3.0, regardless of which versions of the mkfs tools are used.

v0.8.0

13 Jan 21:45
11ad05f

Breaking changes

  • Verity filesystems must now explicitly include the 'ro' mount option.
  • The kernel extraCommandLine field is now a list of strings instead of a single combined string.
  • Custom scripts are now limited to the following capabilities: CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_SETFCAP, CAP_SETFCAP.
  • .os.resetBootLoaderType has been renamed to .os.bootloader.resetType.

New features

  • Added support for PXE boot.
  • Mount options may now include the 'ro' option.
  • SELinux is now supported for ISOs.
  • Add support for generating UKIs. This is a preview feature.
  • Added file to the image describing the config used to generate the image. This can be disabled using the imageHistory API.

Bug fixes

  • Fixed error when --output-split-partitions-format is used and there is an unformatted partition.
  • Fixed issue where a verity hash partition's UUID can sometimes be wrong.
  • Creating ISOs no longer requires the rpm package to be installed in the customized OS.
  • Fixed an issue that sometimes prevented an ISO from entering initrd debug mode.
  • Fixed error that sometimes occurred when using --shrink-filesystems.

v0.7.0

13 Jan 21:44
29f4ae9

Breaking changes

  • .storage.fileSystems has been renamed to filesystems.
  • Partitions must now be specified in order of where they are on the disk.
  • .os.additionalFiles and .iso.additionalFiles are now a list of structs instead of a map. See the additionalFiles docs for details.
  • .os.additionalDirs[].sourcePath has been renamed to source.
  • .os.additionalDirs[].destinationPath has been renamed to destination.
  • .os.overlays[].isRootfsOverlay has been renamed to isInitrdOverlay.
  • .resetPartitionsUuidsType has been moved to .storage.resetPartitionsUuidsType.
  • Verity API has changed substantially. See the verity docs for details.
    • .os.verity has been moved to .storage.verity.
    • Verity is now a list. In the future, we may add support for non-root filesystems. (e.g. /usr.)

New features

  • Disk size can now be auto-calculated. That is, .storage.disks[].maxSize is now optional.
  • Partition start (.storage.disks[].partitions[].start) is now optional.
  • Add vfat partition type as an alias for fat32.
  • Partitions are no longer required to have a filesystem.
  • Added syntactic sugar where mountPoint is just a string path.
  • additionalFiles can now specify file contents inline within the YAML file.
  • Added doc for how to clone an RPM repo.

Bug fixes

  • Fixed a partition initialization bug (which is most commonly experienced in Ubuntu build hosts).
  • tdnf cache is now removed after packages are installed/updated.
  • VHDX block size is now always 2 MiB, instead of being dynamic based on disk size. This will likely substantially reduce the file size for large disks.

v0.6.0

13 Jan 21:43
d7765f9

Breaking changes

  • The Overlays API implementation has been completely overhauled. It now works the way you'd expect.
  • The /etc/mariner-customizer-release file has been renamed to /etc/image-customizer-release.
  • The curl package is now required for Live-ISO images.

New features

  • A unique build UUID is now added to the /etc/image-customizer-release file.

Bug fixes

  • Improved error message for missing filesystem entry in config file.
  • Report error if no kernel is installed at end of customization.
  • Account for GPT footer when validating disk partition sizes.
  • Report error if lvm2 package is not installed for verity images.
  • Ensure RPM repo metadata is always refreshed for each run of the image customizer tool.
  • Don't assume lsblk and fdisk commands return partitions in any particular order.