Article Published Date: 6/18/2025
The latest 14.5 LTS version is 14.5.0-lts.
For a change log between 13.4.0-lts and 14.5.0-lts, please see: https://github.com/lf-edge/eve/compare/13.4.0-lts...14.5.0-lts
New Features
Clustered EVE
Edge Node clustering: This release introduces a new EVE platform variant 'eve-kubevirt' that enables building clustered EVE nodes. It does so by incorporating a k3s control-plane as part of EVE. Note that the k3s instance is part of the EVE infrastructure and does not enable direct interaction to deploy apps; apps continue to be deployed through the standard ZEDEDA API.
The following restrictions and hardware requirements apply:
- EVE Kubevirt uses a 1G rootfs partition size.
- ARM64 is not supported.
- It is recommended that all edge nodes should be of the same hardware type and model.
- They should have a minimum of 12 core CPUs, 16 GB RAM, and NVMe SSDs for EVE persistent storage for optimal performance.
- EVE-OS consumes approximately 4 GB of memory and 2 vCPUs (if used for clustering).
- It is recommended that management traffic be separated from cluster traffic, with a dedicated 1Gb interface for management and a dedicated 10Gb interface for traffic from cluster interfaces.
See Create an Edge Node Cluster article for the full list of prerequisites.
Docker Compose support
Handle the Patch-Envelope Encrypted Artifacts: This release introduces the ability for EVE-OS to host a Compose Runtime and provides the ability to deploy Docker Compose app definitions on top. To ensure secure passing of any container registry credentials, the EVE patch envelope framework has been extended with encrypted artifacts.
EVE Local UI
This release introduces a new EVE-OS Local User Interface (UI) for edge nodes. You can access the Local UI via a directly-connected keyboard and video display. It is available (by default) before the edge node is onboarded to the ZEDEDA Cloud controller. The local UI lets you perform initial configurations locally, such as setting the controller URL and network parameters, and can be used for troubleshooting purposes.
The local UI will be disabled (by default) after the node is onboarded to the controller, as the VGA and USB keyboard access are typically turned off to enhance security. The local UI can be re-enabled by setting the following debug flags: debug.enable.vga:true and debug.enable.usb:true. Please note that depending on your hardware, you may be required to attach a screen during the BIOS/UEFI boot to correctly initialize the screen.
Platform & OS Enhancements
Linux OS & kernel updates
- Alpine update from 3.16.2 to 3.16.9 (riscv64 not included)
- Kernel update for arm64-generic to fix TPM on Raspberry Pi 4B
- Switched to QEMU-native CPU pinning mechanism, allowing vCPU threads of the same VM to migrate between the CPUs assigned to that VM
- Enabled VFIO multifunction devices: This allows passthrough of a multifunction PCI device. For example, if the model manifest has one device with PCILong 0000:00:14.0 and another one with 0000:00:14.1, it is now possible to passthrough these to an edge application.
ARM64 platforms
- Fix OVMF firmware: This release addresses a problem with the OVMF firmware.
- Add support for OnLogic FR201 device: This release adds support for the OnLogic FR201 device. See details at https://github.com/lf-edge/eve/blob/master/README.md
- Support for Raspberry Pi 5: EVE now supports the Raspberry Pi 5 platform. Note: EVE can only be installed on the SD card. This limitation is due to an upstream U-Boot limitation.
- Added support for NVIDIA Jetson Orin devices with Jetpack 6.0.
- Introduction of EVE platform options nvidia-jp5 and nvidia-jp6 platforms for Jetpack 5.1.3 and Jetpack 6.0. The previous platform option 'nvidia' has been removed to allow distinction between jetpack versions.
- Publishing of arm64 platform variant EVE images to Docker Hub (generic, nvidia-jp5 and nvidia-jp6): Previously, building EVE for ARM platforms generally required building from the source. However, the following ARM images are now automatically built and uploaded to Docker Hub as part of the release process: generic, nvidia-jp5 and nvidia-jp6.
Handle virtual consoles and framebuffer drivers when enabling/disabling VGA
Improved debug.enable.vga Behavior for Consistent Video Output Control
This release introduces an enhanced mechanism for managing Virtual Terminal (VT) consoles and framebuffer drivers, significantly improving the consistency of the debug.enable.vga flag across different hardware.
Previously, when debug.enable.vga was used to disable the host's video output (for example, debug.enable.vga:false), its effect was primarily limited to dedicated PCIe VGA cards by detaching their kernel drivers. This approach often did not fully disable video output on systems with Integrated GPUs (iGPUs) or video devices integrated into SoCs, particularly on arm64 devices, where the display could remain active.
However, the new mechanism addresses this by ensuring that when host VGA output is disabled via the debug.enable.vga flag, the system now also detaches the VT consoles and the associated framebuffer drivers. This results in more reliable and comprehensive disabling of video output across all types of video hardware. An additional benefit of this change is that it can better facilitate the passthrough of certain iGPUs to applications or virtual machines.
Networking Infrastructure and Services
Networking enhancements
- Ethernet interface handling has been updated to ensure it's in the DOWN state before renaming and changing the MAC address. This resolves "Device or resource busy" errors on some devices.
- Re-execute full validation for AppNetworkConfig once pending NIs are ready: When an application's network depends on a missing or faulty network instance (NI), zedrouter marks its status as AwaitNetworkInstance and waits for the NI to become active and error-free. Once the NI is ready, the system re-evaluates the application's configuration to ensure it’s still valid, for example, to catch conflicts like overlapping port forwarding rules introduced in the meantime.
- An app-shared port that does not have a DNS server is not necessarily an issue. Previously, an app-shared port without a DNS server was logged as an error. However, this issue is now raised as a warning only, since this could be a valid deployment scenario.
- Performance Improvement: iptables processing is now bypassed for L2-only traffic when all such traffic is permitted by Access Control Lists (ACLs), reducing overhead.
- Single-Stack IPv4/IPv6 Network Support: The feature enables configuration of networks as exclusively IPv4-only or IPv6-only, resolving previous issues with IP single-stack options.
- The /32 (all-ones) netmask is no longer necessary for ACL enforcement or flow logging on local network instances (NIs). Previously, when EVE-OS provided DHCP on local NIs, it assigned IP addresses with a /32 netmask and used the Classless Static Route Option (See RFC 3442: https://datatracker.ietf.org/doc/html/rfc3442) to configure static routes for the NI's subnet. This was done to force east-west (app-to-app) traffic through EVE, thereby enabling ACL enforcement.
However, EVE now relies on the net.bridge.bridge-nf-call-ip(6)tables kernel options, making this specialized /32 netmask configuration unnecessary. Consequently, the all-ones netmask configuration has been removed in this release. Applications will now receive a netmask that corresponds to their actual subnet (for example, /24) instead of /32.
If the debug.disable.dhcp.all-ones.netmask:true flag is currently configured, it can remain in place but will no longer impact EVE-OS behavior, as the underlying mechanism has changed.
Clock sync for container Apps
Enable clock synchronization in container Edge Apps by default:
EVE provides workloads with the ability to synchronize their time using the PTP_KVM clock. This provides an accurate means of synchronizing with the host clock. Previously, for container workloads, the environment variable EVE_ENABLE_CHRONY=1 had to be set to enable the shim VM (in which the container app runs) to leverage the PTP_KVM clock. With this change, PTP_KVM for containers is enabled by default: the chrony daemon always runs unless it is explicitly disabled by setting EVE_ENABLE_CHRONY=0.
See more information in Clock synchronization.
VLAN sub-interfaces
Allow using a network port with VLAN sub-interfaces for untagged traffic:
With this enhancement, you can use the VLAN parent interface as a Layer 3 (L3) endpoint to access the untagged network, either for EVE management traffic or from an application via a local network instance. Note that it is not permitted to bridge a network port while simultaneously using it with VLAN sub-interfaces. As a result, accessing the untagged network through a switch network instance is not allowed if the port is already in use by VLAN sub-interfaces.
NTP server
EVE-OS now offers more flexible Network Time Protocol (NTP) server settings:
- Multiple NTP servers can now be specified.
- NTP servers can be configured using domain names (FQDNs), in addition to IP addresses.
- An option has been added to ignore NTP servers provided by DHCP, allowing manual configurations to take precedence.
QMI-firmware-update package
The QMI-firmware-update package has added the ability to enable modem firmware upgrades directly from EVE: The qmi-firmware-update utility now allows firmware upgrades for cellular modems over the QMI interface. Including this new utility in the WWAN container allows you to upgrade the modem firmware directly from EVE, eliminating the need to install another OS or pass through the modem to a VM with a separate upgrade tool.
User-configurable LTE Attach configuration
This release has added support for user-configurable PDP settings for the LTE attach bearer. If the modem profile or the network does not provide the correct APN settings during the attach procedure, you can now specify the attach_* configuration settings.
Application and Instance Management
On-demand snapshots
EVE-OS support for immediate snapshots: Previously, snapshots could only be performed during upgrade. However, this release now adds the ability to take snapshots on-demand.
Hardware OEM license propagation
Propagate Windows local host license to the VMs: This capability allows EVE to propagate a Windows OEM license from the hardware to a Windows VM instance. It does so by propagating the MSDM ACPI table from the physical node to the VM. Please ensure this is permissible per your Windows license agreement.
Added USB boot priority to OVMF firmware (x86_64)
Using an Edge App VM with FML virtualization mode (to get UEFI support), you can now pass-through a USB stick and boot from it. This enables you to install bootable images into the VM directly. Note that the USB stick must be present at VM initialization time.
Monitoring, Logging and Diagnostics
EVE Network metrics exposed to app instances
Add network status and metrics report to the EVE meta-data server for app instances: In some use cases, an edge app can be used to check the health of the edge node, requiring it to receive the metrics and status of physical network interfaces. Now, this feature adds the `/networks/metrics.json` endpoint to the meta-data server, so VMs can use it to retrieve the corresponding information. The information is provided through a JSON output, like the following:
```json
[{
  "IfName": "eth0",
  "Up": true,
  "TxBytes": 405385,
  "RxBytes": 3375652,
  "TxD...
```
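An added example (not ZEDEDA or EVE project code) of how an edge app could turn two successive polls of `/networks/metrics.json` into health findings. It uses only the four fields visible in the sample above, assumes the byte counters are cumulative, and embeds constructed poll data instead of fetching from the meta-data server; the function names are hypothetical.

```python
import json

# Constructed samples: two polls of /networks/metrics.json, limited to the four
# fields visible in the release note's (truncated) sample output.
POLL_1 = '''[{"IfName": "eth0", "Up": true, "TxBytes": 405385, "RxBytes": 3375652},
             {"IfName": "eth1", "Up": true, "TxBytes": 9000, "RxBytes": 12000}]'''
POLL_2 = '''[{"IfName": "eth0", "Up": true, "TxBytes": 409001, "RxBytes": 3375652},
             {"IfName": "eth1", "Up": false, "TxBytes": 120, "RxBytes": 40}]'''
FIELDS = (("IfName", str), ("Up", bool), ("TxBytes", int), ("RxBytes", int))


def parse_metrics(text):
    """Return {IfName: entry}, rejecting entries that lack the expected fields."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of interface entries")
    by_name = {}
    for entry in entries:
        for key, kind in FIELDS:
            if not isinstance(entry, dict) or not isinstance(entry.get(key), kind):
                raise ValueError(f"missing or mistyped field {key!r}")
        by_name[entry["IfName"]] = entry  # extra fields are kept, not interpreted
    return by_name


def health_findings(prev_text, curr_text):
    """Compare two polls and return sorted (interface, finding) tuples."""
    prev, curr = parse_metrics(prev_text), parse_metrics(curr_text)
    findings = []
    for name, old in prev.items():
        new = curr.get(name)
        if new is None:
            findings.append((name, "missing"))
            continue
        if not new["Up"]:
            findings.append((name, "down"))
        for counter in ("TxBytes", "RxBytes"):
            delta = new[counter] - old[counter]
            if delta < 0:
                # Assumption: counters are cumulative, so a drop means a reset.
                findings.append((name, f"{counter} reset"))
            elif delta == 0 and new["Up"]:
                findings.append((name, f"{counter} stalled"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in health_findings(POLL_1, POLL_2):
        print(f"{name}: {finding}")
```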
ECC and SMART reporting
ECC memory error reporting has been added to the remote controller: This release adds the following monitoring capabilities to EVE:
- ECC memory monitoring – In case the edge-device is equipped with ECC-capable memory, the correctable and uncorrectable error counts (per memory rank) are reported to the controller.
- SMART metrics monitoring – When available, EVE will now report SMART metrics for SATA, SCSI and NVMe disks. Note that SMART metrics for RAID controllers are currently not supported.
Memory monitor improvements
In this release various memory monitor improvements have been introduced. These include:
Make memory monitor configurable and disable it by default:
Memory monitor is a tool that helps characterize memory behavior of EVE and EVE components. In this release, various improvements were made, including making the memory monitor more configurable. By default, memory monitor is disabled. For details on EVE memory monitor, please see: https://github.com/lf-edge/eve/blob/master/pkg/memory-monitor/README.md
EVE logging enhancements
Improved logging: EVE logging has been extended with the following additional capabilities:
- Deduplication of logs within a given window of messages
- Ability to filter out (or count) logs with a certain signature
Note that these capabilities are disabled by default.
See https://github.com/lf-edge/eve/blob/master/docs/LOGGING.md for details.
Miscellaneous Improvements and Fixes
- Fix ISO installer: Resolved issue with generating an ISO installer image from the EVE container.
- vTPM communication and error handling refactoring: Improved vTPM communication and error handling.
- Stability improvements have been made in the WWAN service.
- Improvements have been made in the documentation in the following areas: FR201: OnLogic Factor 201 Industrial IoT Gateway, Network performance considerations, CAN bus, installer.
- Wait for root device inside the initrd script for ISO images: Robustness improvement when installing EVE on devices with Virtual Media CD/DVD-ROM emulation.
- grub: Disable the boot measurement for the installer. The installer boot process speed has been improved by disabling boot PCR measurements. This only affects the installer and does not affect EVE, in general.