Kai Lüke

So, the way people could get OOB access would either be by specifying a password for the core user (or another user) and check that SSH password auth is disabled,...

To further understand how malicious access could happen, my understanding is that the SSH key for the OOB console access is the same as the one specified for the instance...

I'll prepare a docs PR to point out the kargs Ignition section to control this. Merging this is ok, I only want to point out that the UX is worse...

Docs PR done in https://github.com/flatcar-linux/flatcar-docs/pull/248

Another question, with the merge here we would align Flatcar with other distros like Ubuntu, or would there still be a difference?

We have many ways documented now to disable autologin: https://www.flatcar.org/docs/latest/installing/cloud/equinix-metal/#disablingenabling-autologin The `[email protected]` drop-in doesn't require a reboot.

Can we use the build secret token from `github-actions-overlay.txt.gpg` (add the permissions) instead of creating a new one to manually manage? (This one expires 2023-03-17 which is tomorrow, by the...

For testing we have the kola qemu update test but it doesn't cover the downgrade case. This has to be done manually with `flatcar-update -F -V 3033…` to downgrade to...

The service also needs to go from `coreos-base/oem-(azure|ec2-compat)/files/base/base(-ec2).ign`

Should we also have a migration path to bring the new version to old instances? (link to post action in old discussion: https://github.com/flatcar/coreos-overlay/pull/2160#issuecomment-1300141054)