Releases: Mastercard/mangos
v0.5.0
I'm happy to finally share this update. It's been in the works for a while.
Fleet Management!
The main attraction is definitely the introduction of fleet management, backed by HashiCorp Vault, Consul, and Nomad.
These components together provide public key infrastructure, service discovery, service mesh, and workload management.
Nodes are issued a host certificate with a 72-hour lifetime. Nodes can use this certificate and its associated private key to acquire additional server and client certificates from Vault. These certificates, in turn, are valid for 12 hours. They are all automatically renewed. Nodes join a Consul cluster for service registry and discovery. They also join a Nomad cluster, allowing workload management across the entire fleet.
Other updates
- Updated to systemd 258.
v0.4.0
It's time to cut a new release.
Ubuntu Oracular -> Ubuntu Plucky
Ubuntu Oracular (24.10) went EOL in July, so we moved to Ubuntu Plucky (25.04). Ubuntu Questing (25.10) builds should also work, so we're ready for when it's released.
Systems without EFI, Secure Boot, and/or a TPM
Without EFI, Secure Boot, and/or a TPM, we can't deliver all the security features we want. Nevertheless, sometimes it's useful to run Mangos in environments where those things simply aren't available, maybe even just for testing purposes.
So, we introduced a new build profile: bios. systemd-boot does not support non-EFI systems, so the bios profile adds GRUB to the image and creates a per-image grub.cfg snippet.
An alternative systemd-repart configuration without Encrypt=tpm2 is added which serves as a fallback if a TPM is not available during systemd-repart.
Installer related improvements:
- The installer now waits for at least one network interface to reach the routable state before presenting the UI.
- The mangos_install_target kernel command line setting now supports : in the argument, which allows using /dev/disk/by-path symlinks (e.g. /dev/disk/by-path/pci-0000:01:00.1-ata-1).
- Both source and target can now be configured using credentials: mangos_install_target and mangos_install_source.
- The installer now generates a new UUID for the disk we installed on as well as the ESP, so all nodes don't end up with the same ones.
- The installer now also moves the secondary GPT header to the correct location at the end of the disk.
- Finally, we now use bootctl to correctly configure the EFI boot manager.
QA related improvements
- Introduce run_tests.sh. It builds the regular image and the installer image, performs an installation, logs into the installed system and verifies that swap, /var, and /var/tmp are encrypted. If asciinema is installed, the whole session is recorded and saved as a build artifact on GitHub.
- We had a lot of test failures for a few days when the {c,C}anonical mirrors were unstable. We now use the kernel.org mirrors when running on GitHub hosted runners.
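The kind of check the run_tests.sh item describes, as an added example (it is not the project's run_tests.sh, whose implementation is not shown here): it reads `lsblk -rno NAME,TYPE,MOUNTPOINT` output and requires that swap, /var and /var/tmp each sit on a device of type crypt. The function name, device names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Mangos's own test script. Input format is the output of
#   lsblk -rno NAME,TYPE,MOUNTPOINT
# (raw mode: space-separated, third column absent for unmounted devices).

# Constructed sample: swap, /var and /var/tmp each sit on a dm-crypt mapping.
SAMPLE_OK='sda disk
sda1 part /efi
sda2 part
root crypt /
sda3 part
swap crypt [SWAP]
sda4 part
var crypt /var
sda5 part
var-tmp crypt /var/tmp'

# Constructed sample: /var/tmp is mounted straight from a partition
# and no swap device is active at all.
SAMPLE_BAD='sda disk
sda1 part /efi
sda2 part
root crypt /
sda3 part
var crypt /var
sda4 part /var/tmp'

# check_encrypted REPORT TARGET...
# Prints one status line per target. Returns 0 only if every target is
# present in the report and its backing device has TYPE "crypt".
check_encrypted() {
    report=$1; shift
    rc=0
    for target in "$@"; do
        dev_type=$(printf '%s\n' "$report" |
            awk -v t="$target" '$3 == t { print $2; exit }')
        case $dev_type in
            crypt) echo "ok      $target" ;;
            "")    echo "MISSING $target"; rc=1 ;;   # absent counts as a failure
            *)     echo "PLAIN   $target ($dev_type)"; rc=1 ;;
        esac
    done
    return $rc
}

# On a live system, pass "$(lsblk -rno NAME,TYPE,MOUNTPOINT)" as the report.
check_encrypted "$SAMPLE_OK" '[SWAP]' /var /var/tmp
```

Treating a missing target as a failure matters here: a test that only inspects the mounts it finds would pass on a system where swap was never activated.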
Full Changelog: v0.3.1...v0.4.0
v0.3.1
What's Changed (since v0.2.0)
- Improve local development workflow by @sorenisanerd in #31
- Build Docker as a sysext by @sorenisanerd in #35
- Fix release workflow for docker by @sorenisanerd in #36
Full Changelog: v0.2.0...v0.3.1
v0.3.0
What's Changed
- Improve local development workflow by @sorenisanerd in #31
- Build Docker as a sysext by @sorenisanerd in #35
Full Changelog: v0.2.0...v0.3.0
v0.2.0
What's Changed
- Rewrite proxy to only use stdlib by @sorenisanerd in #25
- Fix install path for sysupdate.d by @sorenisanerd in #27
- Substitute linux-image-generic for linux-image-virtual by @sorenisanerd in #29
Full Changelog: v0.1.0...v0.2.0
v0.1.0
We have an installer, we can update, we have encrypted local storage, and we can run on bare metal.