Relevant code branches https://github.com/flashbots/meta-searcher/pull/32

https://github.com/flashbots/meta-custom-podman/pull/6

Dropbear SSH

The dropbear server is started with the additional hardening flags -m -j -k, most notably disabling port forwarding:

-m: Don't display the message of the day on login
-j: Disable local port forwarding
-k: Disable remote port forwarding

We also prefix the key's authorized_keys entry with the options:

no-port-forwarding,no-agent-forwarding,no-X11-forwarding

Podman Seccomp

We update the Podman seccomp profile to match Docker's default seccomp profile, which further restricts the system calls a container can make to the host kernel.

For the new seccomp profile, check: (@Angela Lu insert code)

UDP input channel

Outbound traffic sourced from port 27017, including replies to a connection already established to that port, is now explicitly dropped in the searcher's network namespace:

nsenter --target "$pid" --net iptables -A OUTPUT -p udp --sport 27017 -j DROP
nsenter --target "$pid" --net iptables -A OUTPUT -p tcp --sport 27017 -j DROP
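The authorized_keys restrictions and the port-27017 egress drops above can be checked rather than assumed. The following Python is an added example, not code from the meta-searcher or meta-custom-podman PRs: it parses authorized_keys entries for the three required restriction options (handling quoted values that contain commas) and walks iptables-save output in rule order to find the target that actually applies to traffic from port 27017; every input is a constructed sample.

```python
import shlex

REQUIRED_KEY_OPTS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

# Constructed sample inputs (placeholder key blob, not a real key).
KEY_LINE = ('no-port-forwarding,no-agent-forwarding,no-X11-forwarding,'
            'command="echo a,b" ssh-ed25519 AAAA_CONSTRUCTED_BLOB searcher@tee')
BARE_KEY = "ssh-ed25519 AAAA_CONSTRUCTED_BLOB searcher@tee"
RULES_OK = ("-A OUTPUT -p udp -m udp --sport 27017 -j DROP\n"
            "-A OUTPUT -p tcp -m tcp --sport 27017 -j DROP\n")
RULES_SHADOWED = ("-A OUTPUT -p tcp -m tcp --sport 27017 -j ACCEPT\n"
                  "-A OUTPUT -p tcp -m tcp --sport 27017 -j DROP\n")

def authorized_key_options(line):
    """Lower-cased option names of one authorized_keys entry. Options precede
    the key type, comma-separated; a quoted value (command="a,b") may itself
    contain commas and spaces, so the field is split by hand, not with split(',')."""
    line = line.strip()
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return set()                      # bare key: no options at all
    opts, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted           # quotes are dropped from the value
        elif ch == " " and not quoted:
            break                         # end of the options field
        elif ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    opts.append(cur)
    return {o.split("=", 1)[0].lower() for o in opts}

def key_entry_restricted(line):
    """True if the entry carries all three forwarding restrictions (compared
    case-insensitively; Dropbear spells the option no-X11-forwarding)."""
    return REQUIRED_KEY_OPTS <= authorized_key_options(line)

def effective_target(save_output, proto, sport, chain="OUTPUT"):
    """First-matching target for proto/sport in `chain`, walking iptables-save
    output in order (None if no match); an earlier ACCEPT shadows a later DROP."""
    for rule in save_output.splitlines():
        tok = shlex.split(rule)
        if tok[:2] != ["-A", chain]:
            continue
        kv = dict(zip(tok, tok[1:]))      # each flag -> the token after it
        if kv.get("-p") == proto and kv.get("--sport") == str(sport):
            return kv.get("-j")
    return None
```

Run it against `iptables-save` captured inside the namespace (`nsenter --target "$pid" --net iptables-save`); negated matches (`!`) are not handled by the simple flag-to-value mapping.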