- Add bottlerocket-kernel-kit 1.0.0 (#4332)
- Update bottlerocket-core-kit to 5.0.0 (#4332)
- Update bottlerocket-sdk to 0.50.0 (#4332)
- Enable plugins and detailed EBS volume stats for `nvme-cli` (bottlerocket-core-kit#269)
- Set `LoaderTimeInitUSec` and `LoaderTimeExecUSec` in GRUB (bottlerocket-core-kit#273)
- Enable EFA support to Bottlerocket AMIs (#4290)
- Fix `io_uring` regression in 6.1 kernel (bottlerocket-core-kit#284)
- Allow overriding the max-pods file with one from your variant (bottlerocket-core-kit#279) - thanks @tzneal
- Update bottlerocket-core-kit to 4.0.1 (#4322)
- Update models README references (#4138)
- Add patch for kernel-5.15 to fix issues when using IPv6 (bottlerocket-core-kit#266)
- Update bottlerocket-core-kit to 3.3.2 (#4301)
- Add aws-creds settings defaults to all AWS variants (#4285)
- Add support for migrations to modify aws-config setting generators (#4271)
- Wait for kubelet device-manager socket before starting nvidia-k8s-device-plugin (bottlerocket-core-kit#238)
- Update bottlerocket-core-kit to 3.1.5 (#4280)
- Revert system-wide configuration to block writeable/executable memory in systemd services (bottlerocket-core-kit#215)
- Update bottlerocket-core-kit to 3.1.1 (#4264)
- Update NVIDIA driver to 535.216.01 (#4254)
- Move kmod-5.10-nvidia tesla package for aws-ecs-1-nvidia variant from branch R470 to R535 (#4251)
- Update bottlerocket-core-kit to 3.1.0 (#4254, #4251)
- Update NVIDIA driver to 535.216.01 (#4254)
- Update twoliter to 0.5.0 (#4251)
- Update bottlerocket-sdk to 0.46 (#4251)
- Standardize RPM release fields for RPM packages (#4244)
- Move kmod-5.10-nvidia tesla package for aws-ecs-1-nvidia variant from branch R470 to R535 (#4251)
- Add link to bootstrap-commands documentation (#4247)
- Update bottlerocket-core-kit to 2.9.0 (#4242)
- Update host containers (#4241)
- Update twoliter to v0.4.7 (#4236)
- Fix permissions for kubelet-exec-start-conf file (#4199)
- Add support for NVIDIA GPU time slicing (#4230)
- Add security guidance for NVIDIA GPU time-slicing (#4240)
- Update ecs-agent to 1.86.3 (bottlerocket-core-kit#168) - Closes issue #4186
- Update QUICKSTART-EKS.md (#4228) - Thanks @bryanhsu00 for the suggested fix!
- Use open GPU drivers on P4 and P5 instances automatically (bottlerocket-core-kit#114)
- Update to nvidia-container-toolkit 1.16.2 (bottlerocket-core-kit#161)
- Update bottlerocket-core-kit to v2.8.1 (#4222)
- Drop dependency on glibc-devel (#4213)
- Update QUICKSTART-ECS.md and QUICKSTART-EKS.md (#4169) Thanks @bryantbiggs!
- Support Kubernetes NVIDIA Device Plugin configurations through API (#4182)
- Support NVIDIA Container Toolkit configurations through API (#4182)
- Update bottlerocket-core-kit (#4189, #4203, #4211)
- Perform binary checksum validation (#4192)
- Update Twoliter to v0.4.6 (#4200)
- Update bottlerocket-settings-models to v0.4.0 (#4182)
- Add NVIDIA Device Plugin and NVIDIA Container Toolkit notes to SECURITY_GUIDANCE.md (#4205)
- Add Kubernetes 1.31 variants (#4142)
- Update bottlerocket-settings-models to v0.4.0 (#4131)
- Update host containers (#4153)
- Use workspace dependencies for all dependencies (#4132)
- Update bottlerocket-core-kit to v2.3.5 (#4156, #4152, #4143, #4139)
- Update Twoliter to v0.4.5 (#4159)
- Update bottlerocket-settings-models to v0.3.0 (#4145)
- Update command for SSM Start session on host container (#4129) - Thanks @Veronica4036!
- Update host containers (#4117)
- Enable k8s reserved cpus (#3964)
- Drop k8s 1.27 metal and VMware variants (#4079)
- Drop k8s 1.26 metal and VMware variants (#4018)
- Build the pause image from upstream (#3940) - Thanks @tzneal!
- Port to the ECS settings extension (#3984)
- Migrate to core kit (#4060)
- Remove leftover vendor section (#4071)
- Update Twoliter to 0.4.4 (#4008, #4086, #4093, #4123)
- Update bottlerocket-core-kit to v2.3.1 (#4122)
- Update bottlerocket-sdk to 0.43 (#4122)
- Use settings models vended by bottlerocket-settings-sdk (#4057)
- Migrate to settings plugins and eliminate variant-based conditional compilation (#4038)
- Enable settings extensions (#4050)
- Update to bottlerocket-settings-models v0.2.0 (#4118)
- Add udev rule to create symlinks using EBS volumes’ device names (#3977)
- Fix OpenAPI spec link (#4062)
- Fix NVIDIA variants in SSM parameters (#4047)
- Add k8s command to retrieve log archive (#3993)
- Fix netdog reference link (#3974) - Thanks @emmanuel-ferdman!
- Update BUILDING.md with the latest Docker requirements (#4098)
- Update docker-engine to v25.0.6 (#4111)
- Update containerd to 1.6.34 (#4113)
- Update kernels: 5.10.220, 5.15.162, and 6.1.97 (#4104)
- Update host containers (#4110)
- Add latest instance types to eni-max-pods mapping (#4108)
- Update patches for kubernetes 1.23, 1.24, 1.25, and 1.26 (#4084)
- Update sources for kubernetes 1.27, 1.28, 1.29, and 1.30 (#4089)
- Update kernels to 6.1.90, 5.15.158, and 5.10.216 (#3976, #3972)
- Include statically linked version of kmod (#3981)
- Specify AWS EULA as license for kmod-*-nvidia packages (#3991)
- Update source for Fabric Manager binaries (#4015)
- Update NVIDIA driver versions to 470.256.02 and 535.183.01 (#4029)
- Update third party packages (#3939)
- Enable file system encryption in 5.15 and 6.1 kernels (#3906, #3908)
- Backport fix for loading SELinux modules (#3907)
- Add Fabric Manager support (#3873)
- Update host containers (#3947)
- Add setting to configure ntp options (#3852 thanks @domgoodwin)
- Include swap utilities (#3829)
- Update kernels to 6.1.87, 5.15.156, 5.10.215 (#3934, #3930)
- Drop Kubernetes 1.25 Metal and VMware variants (#3896)
- Add Kubernetes 1.30 variants (#3859, #3936)
- Add container-runtime settings to `aws-k8s-*-nvidia` variants (#3945)
- Update twoliter and the SDK (#3938, #3885)
- Remove liblzma and libbzip2 (#3861, #3944)
- Pessimize Rust builds that require the AWS SDK (#3892)
- Reduce variant matrix in CI/CD (#3863)
- Document package build tools for go dependencies (#3882)
- Update Go lints in CI/CD (#3884)
- Out-of-tree build enablement
  - systemd: use build defaults and kernel parameters for unified cgroups (#3886, #3935)
  - early-boot-config: Use standalone provider binaries to fetch user data (#3637, #3890)
  - logdog: retrieve settings via API client (#3946)
  - netdog: remove conditional compilation, add hostname helpers (#3700, #3898)
  - schnauzer: add if_not_null template helper (#3838)
  - static-pods: remove conditional compilation, switch to config file (#3891, #3927, #3913)
  - host-containers: switch to config file (#3777, #3842)
  - bootstrap-containers: switch to config file (#3724)
  - corndog: switch to config file (#3715)
  - prairiedog: switch to config file (#3713, #3814, #3836)
  - thar-be-updates: switch to config file (#3721)
  - updog: use modeled types (#3901)
  - kernel: remove variant sensitivity (#3897, #3905, #3932)
- FIPS enablement
- Update kernel to 5.10.214, 5.15.153, 6.1.84 (#3906)
- Update third party packages (#3910, #3914)
- Update host containers (#3911)
- Provide runtime cgroup to kubelet (#3804)
- Update twoliter to v0.1.1 (#3880, #3900)
- Update ecs-gpu-init, amazon-ssm-agent, and nvidia-k8s-device-plugin builds for new SDK (#3920, #3921, #3924)
- Update kernel to 5.10.210, 5.15.149, 6.1.79 (#3853)
- Update third party packages (#3793, #3832)
- Update host containers (#3837)
- Support auditctl in bootstrap containers (#3831)
- Add latest instance types to eni-max-pods mapping (#3824)
- Update third party packages (#3789)
- Update kernel to 5.10.209, 5.15.148, 6.1.77 (#3797)
- Add AWS settings extension (#3738, #3770)
- Allow CSI helpers in the SELinux policy (#3779)
- Update to latest NVIDIA drivers (#3798)
- Enable NVIDIA GPU isolation using volume mounts (#3718 thanks @chiragjn , #3790)
- Clean up CNI results cache on boot (#3792)
- Add `settings.ecs.enable-container-metadata` (#3782)
- Adjust certdog to utilize a configuration file instead of the API server (#3706, #3778, #3787)
- Don't use parallel make for shim package (#3771)
- Renumber unit files in release package (#3769)
- Ignore EKS patches for k8s-1.23 in Git (#3774)
- Mark pause container image as "pinned" to prevent garbage collection (#3757)
- Update Docker engine and Docker CLI to v25.0.2 (#3759)
- Update ECS agent to 1.81.0 (#3759)
- Update AWS SSM agent to 3.2.2222.0 (#3762)
- Adjust unit dependencies for systemd-sysusers (#3720)
- Update third party packages (#3722, #3750)
- Add kernel settings extension (#3727)
- Update kernel to 5.10.205, 5.15.145, 6.1.72 (#3734)
- Update runc to 1.1.12 and containerd to 1.6.28 (#3751)
- Add latest instance types to eni-max-pods mapping (#3741)
- Drop Kubernetes 1.24 Metal and VMware variants (#3742)
- Add additional ECS settings for ECS_BACKEND_HOST and ECS_AWSVPC_BLOCK_IMDS (#3749)
- twoliter updated to v0.0.6 (#3744)
- Remove unused runc SELinux policy rule (#3673)
- Update third party packages (#3692)
- Fix creation of kprobes using unqualified names (#3699, #3708)
- Update host containers (#3704)
- Update kernel to 5.10.205, 5.15.145, 6.1.66 (#3686, #3708)
- Add container-registry settings extension (#3674)
- Add updates settings extension (#3689)
- Add Kubernetes 1.29 variants (#3628)
- Update Kubernetes 1.23 to release 33 (#3692)
- Add latest instance types to eni-max-pods mapping (#3695)
- Update ecs-agent to 1.79.2 (#3692)
- Export symbols for packages that include dynamically linked Go binaries (#3680)
- Update to Bottlerocket SDK v0.37.0 (#3690)
- Upgrades to Go 1.21.5
- Generate valid hostname when IPv6 reverse lookup fails (#3592)
- Avoid mounting the EFI system partition at `/boot` (#3591)
- Update kernel to 5.10.201, 5.15.139, 6.1.61 (#3611, #3643)
- Switch to async `tough` (#3566)
- Update host containers (#3646)
- Move template migrations to `schnauzer` v2 (#3633)
- Handle proxy credentials properly in `pluto` (#3639, #3667)
- Update third party packages (#3612, #3642)
- Update `nvidia-k8s-device-plugin` to address CVEs (#3612)
- Update to Kubernetes 1.28.4 (#3612)
- Update to Kubernetes 1.27.8 (#3612)
- Update to Kubernetes 1.26.11 (#3612)
- Update to Kubernetes 1.25.16 (#3612)
- Update `ecs-agent` to address CVEs (#3612)
- Update open-vm-tools to 12.3.5 to address CVE-2023-34058 and CVE-2023-34059 (#3553)
- Update NVIDIA drivers to 470.223.02 and 535.129.03 to address CVE‑2023‑31022 and CVE‑2023‑31018 (#3561)
- Improvements to Bottlerocket CIS benchmark checks (#3552 #3562 #3564)
- Regenerate updog proxy configuration when settings.network.proxy gets updated (#3578)
- kernel: Update to 5.10.198, 5.15.136, and 6.1.59 (#3572)
- Update Kubernetes versions to address HTTP v2 x/net CVE-2023-39325 (#3581)
- Avoid specifying `hostname-override` kubelet option if `cloud-provider` is set to `aws` (#3582)
- Adjust netlink timeout to prevent interfaces from entering a failed state (#3520)
- Update third-party packages (#3535)
- Add XFS CLI utilities for managing XFS-formatted storage (#3444)
- Add facilities to auto-load kernel modules (#3460)
- Update to kernels 5.10.197, 5.15.134, and 6.1.55 (#3509 #3542)
- Fix reporting for Bottlerocket CIS Benchmark 4.1.2 (#3547)
- Update systemd to 252.18 (#3533)
- Allow fanotify permission events for trusted subjects in SELinux policy (#3540)
- Drop Kubernetes 1.23 Metal and VMware variants (#3531)
- Update ecs-agent (#3535)
- Update to Bottlerocket SDK v0.35.0 (#3528)
- Allow older ext4 snapshot volumes to be mounted in newer variants that default to xfs (#3499)
- Update `apiclient` Rust dependencies (#3491)
- Update `pluto` Rust dependencies (#3439)
- Patch glibc to address CVE-2023-4806, CVE-2023-4911, and CVE-2023-5156 (#3501)
- Update open-vm-tools to 12.3.0 to address CVE-2023-20900 (#3500)
- Update `twoliter` to v0.0.4 (#3480)
This release brings support for Secure Boot on platforms using UEFI boot; the Linux 6.1 kernel; systemd-networkd and systemd-resolved for host networking; and XFS as the filesystem for local storage.
These features are enabled by default in the new variants. Existing variants will continue to use earlier kernels, `wicked` for host networking, and EXT4 as the filesystem for local storage.
- Variants using the 6.1 kernel (`aws-ecs-2`/`aws-ecs-2-nvidia`, `aws-k8s-1.28`/`aws-k8s-1.28-nvidia`, `vmware-k8s-1.28`, and `metal-k8s-1.28`) do not support LustreFS (#3459)
The functionality to apply a hotpatch for log4j CVE-2021-44228 has been removed. The corresponding setting, `settings.oci-hooks.log4j-hotpatch-enabled`, is still available for backwards compatibility. However, it has no effect beyond printing a deprecation warning to the system logs. (#3401)
- Add kernel 6.1 (#3121, #3441)
- Update admin and control containers (#3368)
- Update third party packages and dependencies (#3362, #3369, #3330, #3339, #3355, #3441, #3456)
- Updated to systemd 252 (#3290)
- Add support for Secure Boot (#3097)
- Add support for XFS (#3198)
- Add `apiclient report` command (#3258) and Bottlerocket CIS benchmark report (#2881)
- Add resource-limit settings for OCI defaults (#3206)
- Use `systemd-networkd` and `systemd-resolved` instead of `wicked` for `aws-k8s-1.28`, `aws-ecs-2`, and `*-dev` variants (#3134, #3232, #3266, #3311, #3394, #3395, #3451, #3455)
- Add `aws-ecs-2` variants (#3273)
  - Enables Secure Boot, systemd-networkd, and XFS for the data partition
- Add support for AppMesh (#3267)
- Add Kubernetes 1.28 variants (#3329)
  - Enables Secure Boot, systemd-networkd, and XFS for the data partition
- Drop Kubernetes 1.22 variants (#2988)
- Update to Kubernetes 1.27.4 (#3319)
- Update to Kubernetes 1.26.7 (#3320)
- Update to Kubernetes 1.25.12 (#3321)
- Update to Kubernetes 1.24.16 (#3322)
- Add support for SeccompDefault setting for k8s 1.25+ (#3334)
- Add Kubernetes CIS benchmark report (#3239)
- Retry on empty PrivateDnsName from EC2 (#3364)
- Enable Intel VMD driver (#3419)
- Add linux-firmware (#3296, #3418)
- Add aws-iam-authenticator to k8s variants (#3357)
- Upgrade to Bottlerocket SDK v0.34.1 (#3445)
- Use Twoliter to enable work on out-of-tree builds. Most `tools` have moved to Twoliter (#3379, #3429, #3392, #3342)
- Only limit concurrency while building RPMs (#3343)
- Apply patches to 5.10 and 5.15 kernels to address CVE-2023-20593 (#3300)
- Update admin and control containers (#3307)
- Update eni-max-pods with new instance types (#3324)
- Update Kubernetes v1.23.17 to include latest EKS-D patches (#3323)
- Improve the reliability of acquiring a DHCPv6 lease (#3211, #3212)
- Update kernel-5.10 to 5.10.184 and kernel-5.15 to 5.15.117 (#3238)
- Update eni-max-pods with new instance types (#3193)
- Make `pluto` outbound API requests more resilient to intermittent network errors (#3214)
- Update runc to 1.1.6 (#3249)
- Add image cleanup settings to control task image cleanup frequency (#3231)
- Update to Kubernetes v1.24.15 (#3234)
- Update to Kubernetes v1.25.11 (#3235)
- Update to Kubernetes v1.26.6 (#3236)
- Update to Kubernetes v1.27.3 (#3237)
- Updated Bottlerocket SDK version to v0.33.0 (#3213)
- Apply patches to 5.10 and 5.15 kernels to address CVE-2023-32233 (#3128)
- Add fallback container image source parsing for regions not yet supported by the `aws-go-sdk` in `host-ctr` (#3138)
- Increase default `max_dgram_qlen` sysctl value to `512` for both 5.10 and 5.15 kernels (#3139)
- Kubernetes package updates
  - Update Kubernetes v1.22.17 to include latest EKS-D patches (#3108)
  - Update Kubernetes v1.23.17 to include latest EKS-D patches (#3119)
  - Update to Kubernetes v1.24.14 (#3119)
  - Update to Kubernetes v1.25.9 (#3119)
  - Update to Kubernetes v1.26.4 (#3119)
  - Update Kubernetes v1.27.1 to include latest EKS-D patches (#3119)
- Change `nvidia-k8s-device-plugin` service dependency on `kubelet` (#3141)
- Fix `pubsys` bug preventing multiple SSM parameter promotions in `promote-ssm` Makefile target (#3137)
- Update kernel-5.10 to 5.10.178 and kernel-5.15 to 5.15.108 (#3077)
- Update admin and control containers (#3090)
- Update third party packages and dependencies (#2991, #3082)
- Enable `SCSI_VIRTIO` driver for better hypervisor support (#3047)
- Disable panic on hung task for kernel 5.15 (#3091)
- Create symlink to `inventory` path using Storewolf (#3035)
- Add support for ECS Exec (#3075)
- Add Kubernetes 1.27 variants (#3046)
- Switch to using Kubernetes default values for `kube-api-burst` and `kube-api-qps` (#3094)
- Add more Kubernetes settings (#2930, #2986)
  - Soft eviction policy
  - Graceful shutdown
  - CPU quota enforcement
  - Memory manager policy
  - CPU manager policy
- Fix Kubernetes 1.26 credential provider apiVersion (#3070)
- Add ability to pass environment variables to image credential providers (#2934)
- Upgrade to Bottlerocket SDK v0.32.0 (#3071)
- Add AMI validation to PubSys (#3020)
- Add SSM parameter validation to PubSys (#2969)
- Add `validate-ami` and `validate-ssm` Makefile targets (#3043)
- Add `check-migrations` Makefile target to check for common migration problems (#3051)
- Update testsys to v0.0.7 (#3065)
- Add support for node provisioning with Karpenter (#3067)
- Enable using custom Sonobuoy images (#3068)
- Revert `runc` update to move back to 1.1.5 (#3054)
- Ensure the first hostname is used when a VPC DHCP option set has multiple domains (#3032)
- Update `runc` to version 1.1.6 (#3037)
- Generate and pass `--hostname-override` flag to kubelet in `aws-k8s-1.26` variants (#3033)
- Update kernel-5.10 to 5.10.173 and kernel-5.15 to 5.15.102 (#2948, #3002)
- Fix check for rule existence in ip6tables v1.8.9 (#3001)
- Backport systemd fixes for skipped udevd events (#2999)
- Check platform-specific mechanisms for hostname first (#3021)
- Generate 'provider-id' setting for aws-k8s variants (#3026)
- Update `runc` to version 1.1.5 (#2946)
- Improve logic around repartitioning and disk expansion by using symlinks to differentiate "fallback" and "preferred" data partitions (#2935)
- Add `keyutils` package to enable mounting CIFS shares (#2907)
- Fix AWS profile rendering in credential provider (#2904)
- Change CredentialProviderConfig api version to `v1beta1` for Kubernetes 1.25 variants (#2906)
- Add `ethtool` to Bottlerocket (#2829)
- Improve logging in `migrator` to track ongoing migrations (#2751)
- Improve random-access read performance of root volume on some devices (#2863)
- Add `CAP_SYS_MODULE` and `CAP_CHROOT` to bootstrap containers (#2772)
- Add support for cgroup v2 (#2875, #2802)
- Disable IA and SafeSetID LSM for kernel-5.15 (#2789)
- Update kernel-5.10 to 5.10.165 and kernel-5.15 to 5.15.90 (#2795)
- Allow `=` in bootconfig values (#2806)
- Include `systemd-analyze plot` for `logdog` (#2880)
- Update host containers (#2864)
- Update third party packages (#2825, #2842)
- Remove Kubernetes 1.21 variants (#2700)
- Add Kubernetes 1.26 variants (#2771, #2876)
- Change `kubelet` service to have restart policy `always` (#2774)
- Update to Kubernetes v1.25.6 (#2782)
- Update to Kubernetes v1.24.10 (#2790)
- Update to Kubernetes v1.23.16 (#2791)
- Update Kubernetes 1.22.17 to include latest EKS-D patches (#2792)
- Enable FireLens capability in `aws-ecs-1` variant (#2819)
- Set NVMe IO request timeouts for EBS according to AWS recommendations (#2820)
- Support an alternate data partition on EC2 instances launched with a single volume (#2807, #2879, #2873)
- Update `eni-max-pod` mappings to include the latest AWS instance types (#2818)
- Remove `k8s.gcr.io` in favor of `public.ecr.aws` (#2861, #2786)
- Disable UDP offload for primary interface (#2850)
- Ensure empty build/rpms directory is included in build context (#2784)
- Add image feature flag for cgroup v2 (#2845)
- Enable `systemd-networkd` development via build flag (#2741, #2832, #2750)
- Fix `clippy` linter warnings in source files and add `clippy` CI coverage (#2745)
- Use `clippy` provided in SDK image (#2793, #2868)
- Remove unnecessary `time` 0.1.x dependency (#2748, #2851)
- Remove unnecessary patch from `containerd` (#2755)
- Update Bottlerocket SDK to v0.30.2 (#2866, #2857, #2836)
- Remove outdated `rust_2018_idioms` enforcement (#2837)
- Update Rust edition to `2021` (#2835)
- Upgraded Rust code dependencies (#2816, #2869, #2851, #2736, #2895)
- Upgraded Go code dependencies (#2828, #2826, #2813)
- Rename `ncurses` to `libncurses` (#2769)
- Update schnauzer's registry map (#2867)
- Add support for Kubernetes workloads in `testsys` (#2830)
- Add support for a `tests` directory (#2737, #2775)
- Provide advanced config controls to `testsys` (#2799)
- Fix incorrect migration starting image for VMware testing in `testsys` (#2804)
- Use testsys v0.0.6 (#2865)
- Add boot sequence documentation (#2735)
- Update Bottlerocket version in provisioning step in `PROVISIONING-METAL.md` (#2785)
- Add user-data example for setting container registry credentials in `README.md` (#2803)
- Fix missing trailing backslashes on `ami` commands in `TESTING.md` (#2838)
- Disable strict aliasing for c-utf-8 library strict aliasing in dbus-broker (#2730)
- Add `/sys/firmware` to privileged mounts in host-ctr (#2714)
- Use user-provided registry credentials for public.ecr.aws in host-ctr (#2676)
- Build masked paths list dynamically in host-ctr (#2637)
- Enable EFI option in systemd (#2714)
- Allow simple enums as map keys in datastore (#2687)
- Improve reliability of `settings.network.hostname` generator (#2647)
- Add support for bonding and VLANS in `net.toml` (#2596)
- Keep only one intermediate datastore during migration (#2589)
- Widen access to filesystem relabel in SELinux policy (#2738)
- Update hotdog to 1.05 (#2728)
- Update systemd to 250.9 (#2718)
- Update third party packages and dependencies (#2588, #2717)
- Update host containers (#2739)
- Update eksd (#2690, #2693, #2694, thanks @rcrozean)
- Add support for Kubernetes 1.25 variants (#2699)
- Allow access to public kubelet certificates (#2639)
- During kubelet prestart, skip pause image pull if image exists (#2587)
- Delay kubelet.service until after warm-pool-wait service runs (#2562)
- Add OCI default spec and settings to containerd (#2697)
- Downgrade iopl warning when fetching guestinfo in `early-boot-config` (#2732)
- Treat alias warning as errors (#2730)
- Suppress "missing changelog" warning in build (#2730)
- Update Bottlerocket SDK version to 0.29.0 (#2730)
- Improve error messages for publish-ami command (#2695)
- Disallow private AMIs in public SSM parameters (#2680)
- Rework `start-local-vm` image selection to use `latest` symlink (#2696)
- Improve integration testing through `cargo make test` (#2560, #2592, #2618, #2646, #2653, #2683, #2674, #2723, #2724, #2725)
- Update NVIDIA driver for 5.10 and 5.15 to include recent security fixes (74d2c5c13ab0)
- Apply patch to systemd for CVE-2022-3821 (#2611)
- Prevent a panic in `early-boot-config` when there is no IMDS region (#2493)
- Update grub to 2.06-42 (#2503)
- Bring back wicked support for matching interfaces via hardware address (#2519)
- Allow bootstrap containers to manage swap (#2537)
- Add `systemd-analyze` commands to troubleshooting log collection tool (#2550)
- Allow bootstrap containers to manage network configuration (#2558)
- Serialize bootconfig values correctly when the value is empty (#2565)
- Update zlib, libexpat, libdbus, docker-cli (#2583)
- Update host containers (#2574)
- Unmask /sys/firmware from host containers (#2573)
- Add additional ECS API configurations (#2527)
  - `ECS_CONTAINER_STOP_TIMEOUT`
  - `ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION`
  - `ECS_TASK_METADATA_RPS_LIMIT`
  - `ECS_RESERVED_MEMORY`
- Add a timeout when calling EKS for configuration values (#2566)
- Enable IAM Roles Anywhere with the k8s `ecr-credential-provider` plugin (#2377, #2553)
- Kubernetes EKS-D updates
- Add driver support for AWS variants in hybrid environments (#2554)
- Add support for publishing to AWS organizations (#2484)
- Remove unnecessary dependencies when building grub (#2495)
- Switch to the latest Dockerfile frontend for builds (#2496)
- Prepare foundations for Secure Boot and image re-signing (#2505)
- Fix EFI file system to fit partition size (#2528)
- Add ShellCheck to `check-lints` for build scripts (#2532)
- Update the SDK to v0.28.0 (#2543)
- Use `rustls-native-certs` instead of `webpki-roots` (#2551)
- Handle absolute paths for output directory in kernel build script (#2563)
- Add a Roadmap markdown file (#2549)
- Support container runtime settings: enable-unprivileged-icmp, enable-unprivileged-ports, max-concurrent-downloads, max-container-log-line-size (#2494)
- Update EKS-D to 1.22-11 (#2490)
- Update EKS-D to 1.23-6 (#2488)
- Add optional settings to reboot into new kernel command line parameters (#2375)
- Support for static IP addressing (#2204, #2330, #2445)
- Add support for NVIDIA driver version 515 (#2455)
- Set mode for tmpfs mounts (#2473)
- Increase inotify default limits (#2335)
- Align `vm.max_map_count` with the EKS Optimized AMI (#2344)
- Add support for configuring DNS settings (#2353)
- Migrate `netdog` from `serde_xml_rs` to `quick-xml` (#2311)
- Support versioning for `net.toml` (#2281)
- Update admin and control container (#2471, #2472)
- Add `cargo make` tasks for testing ECS variants (#2348)
- Add support for Kubernetes 1.24 variants (#2437)
- Remove Kubernetes aws-k8s-1.19 variants (#2316)
- Increase the kube-api-server QPS from 5/10 to 10/20 (#2436, thanks @tzneal)
- Update eni-max-pods with new instance types (#2416)
- Add setting to change `kubelet`'s log level (#2460, #2470)
- Add `cargo make` tasks to perform migration testing for Kubernetes variants in AWS (#2273)
- Disable drivers for USB-attached network interfaces (#2328)
- Add driver support for Solarflare, Pensando, Myricom, Huawei, Emulex, Chelsio, Broadcom, AMD and Intel 10G+ network cards (#2379)
- Extend `external-files` to vendor go modules (#2378, #2403, #2430)
- Make `net_config` unit tests reusable across versions (#2385)
- Add `diff-kernel-config` to identify kernel config changes (#2368)
- Extended support for variants in buildsys (#2339)
- Clarify crossbeam license (#2447)
- Honor `BUILDSYS_ARCH` and `BUILDSYS_VARIANT` env variables when set (#2425)
- Use architecture specific json payloads in unit tests (#2367, #2363)
- Add unified `check` target in `Makefile.toml` for review readiness (#2384)
- Update Go dependencies of first-party go projects (#2424, #2440, #2450, #2452, #2456)
- Update Rust dependencies (#2458, #2476)
- Update third-party packages (#2397, #2398, #2464, #2465, thanks @kschumy)
- Update Bottlerocket SDK to 0.27.0 (#2428)
- Migrate `pubsys` and `infrasys` to the AWS SDK for Rust (#2414, #2415, #2454)
- Update `testsys` dependencies (#2392)
- Fix `hotdog`'s spec URL to the correct upstream link (#2326)
- Fix clippy warnings and enable lints on pull requests (#2337, #2346, #2443)
- Format issue field in PR template (#2314)
- Update checksum for new `root.json` (#2405)
- Mention that boot settings are available in Kubernetes 1.23 variants (#2358)
- Mention the need for AWS credentials in BUILDING.md and PUBLISHING-AWS.md (#2334)
- Add China to supported regions lists (#2315)
- Add community section to README.md (#2305, #2383)
- Standardize `userdata.toml` as the filename used in different docs (#2446)
- Remove commit from image name in PROVISIONING-METAL.md (#2312)
- Add note to CONTRIBUTING.md that outlines filenames' casing (#2306)
- Fix typos in `Makefile.toml`, QUICKSTART-ECS.md, QUICKSTART-EKS.md, `netdog` and `prairiedog` (#2318, thanks @kianmeng)
- Fix casing for GitHub and VMware in CHANGELOG.md (#2329)
- Fix typo in test setup command (#2477)
- Fix TESTING.md link typo (#2438)
- Fix positional `fetch-license` argument (#2457)
- Change kernel module compression from zstd to xz (#2323)
- Update ECR registry map for new AWS regions (#2336)
- Add new regions to pause registry map (#2349)
- Update `tough` to v0.8.1 (#2338)
- SELinux policy now suppresses audit for tmpfs relabels (#2222)
- Restrict permissions for `/boot` and `System.map` (#2223)
- Remove unused crates `growpart` and `servicedog` (#2238)
- New mount in host containers for system logs (#2295)
- Apply strict mount options and enforce execution rules (#2239)
- Switch to a more commonly used syntax for disabling kernel config settings (#2290)
- Respect proxy settings when running setting generators (#2227)
- Add `NET_CAP_ADMIN` to bootstrap containers (#2266)
- Reduce log output for DHCP services (#2260)
- Fix invalid kernel config options (#2269)
- Improve support for container storage mounts (#2240)
- Disable uncommon filesystems and network protocols (#2255)
- Add support for blocking kernel modules (#2274)
- Fix `ntp` service restart when settings change (#2270)
- Add kernel 5.15 sources (#2226)
- Defer `squashfs` mounts to later in the boot process (#2276)
- Improve boot speed and rootfs size (#2296)
- Add "quiet" kernel parameter for some variants (#2277)
- Make new instance types available (#2221, thanks @cablespaghetti)
- Update Kubernetes versions (#2230, #2232, #2262, #2263, thanks @kschumy)
- Add kubelet image GC threshold settings (#2219)
- Add iptables rules for ECS introspection server (#2267)
- Add support for AWS China regions (#2224, #2242, #2247, #2285)
- Migrate to using `aws-sdk-rust` for first-party OS Rust packages (#2300)
- Remove `console=ttyS0` from kernel params (#2248)
- Enable Mellanox modules in 5.10 kernel (#2241)
- Add bnxt module for Broadcom 10/25Gb network adapters in 5.10 kernel (#2243)
- Split out baremetal specific config options (#2264)
- Add driver support for Cisco UCS platforms (#2271)
- Only build baremetal variant specific drivers for baremetal variants (#2279)
- Enable the metal-dev build for the ARM architecture (#2272)
- Add Makefile targets to create and validate Boot Configuration (#2189)
- Create symlinks to images with friendly names (#2215)
- Add `start-local-vm` script (#2194)
- Add the testsys CLI and new cargo make tasks for testing aws-k8s variants (#2165)
- Update Rust and Go dependencies (#2303, #2299)
- Update third-party packages (#2309)
- Add NVIDIA ECS variant to README (#2244)
- Add documentation for metal variants (#2205)
- Add missing step in building packages guide (#2259)
- Add quickstart for running Bottlerocket in QEMU/KVM VMs (#2280)
- Address lints in README markdown caught by `markdownlint` (#2283)
- Update admin and control containers (#2191)
- Update to containerd 1.6.x (#2158)
- Restart container runtimes when certificates store changes (#2076)
- Add support for providing kernel parameters via Boot Configuration (#1980)
- Restart long-running systemd services on exit (#2162)
- Ignore zero blocks on dm-verity root (#2169)
- Add support for static DNS mappings in `/etc/hosts` (#2129)
- Enable network configuration generation via `netdog` (#2066)
- Add support for non-`eth0` default interfaces (#2144)
- Update to IMDS schema `2021-07-15` (#2190)
- Add support for Kubernetes 1.23 variants (#2188)
- Improve Kubernetes pod start times by unsetting `configMapAndSecretChangeDetectionStrategy` in kubelet config (#2166)
- Add new setting for configuring kubelet's `provider-id` configuration (#2192)
- Add new setting for configuring kubelet's `podPidsLimit` configuration (#2138)
- Allow a list of IP addresses in `settings.kubernetes.cluster-dns-ip` (#2176)
- Set the default for `settings.kubernetes.cloud-provider` on metal variants to an empty string (#2188)
- Add c7g instance data for max pods calculation in AWS variants (#2107, thanks, @lizthegrey!)
- Add aws-ecs-1-nvidia variant with Nvidia driver support (#2128, #2100, #2098, #2167, #2097, #2090, #2099)
- Add support for ECS ImagePullBehavior and WarmPoolsSupport (#2063, thanks, @mello7tre!)
- Build smartpqi driver for Microchip Smart Storage devices into 5.10 kernel (#2184)
- Add support for Broadcom ethernet cards in 5.10 kernel (#2143)
- Add support for MegaRAID SAS in 5.10 kernel (#2133)
- Remove aws-k8s-1.18 variant (#2044, #2092)
- Update third-party packages (#2178, #2187, #2145)
- Update Rust and Go dependencies (#2183, #2181, #2180, #2085, #2110, #2068, #2075, #2074, #2048, #2059, #2049, #2036, #2033)
- Update Bottlerocket SDK to 0.26.0 (#2157)
- Speed up kernel builds by installing headers and modules in parallel (#2185)
- Removed unused patch from Docker CLI (#2030, thanks, @thaJeztah!)
- Standardize README generation in buildsys (#2134)
- Clarify migration README (#2141)
- Fix typos in BUILDING.md and QUICKSTART-VMWARE.md (#2159, thanks, @ryanrussell!)
- Add additional documentation for using GPUs with Kubernetes variants (#2078)
- Document examples for using `enter-admin-container` (#2028)
- Update kernel-5.4 to patch CVE-2022-1015, CVE-2022-1016, CVE-2022-25636, CVE-2022-26490, CVE-2022-27666, CVE-2022-28356 (a3b4674f7108)
- Update kernel-5.10 to patch CVE-2022-1015, CVE-2022-1016, CVE-2022-25636, CVE-2022-1048, CVE-2022-26490, CVE-2022-27666, CVE-2022-28356 (37095415bab6)
- Update eni-max-pods with new instance types (#2079)
- Add support for AWS region ap-southeast-3: Jakarta (#2080)
- Apply patch to hotdog for CVE-2022-0071 (1a3f35b2fe8e)
- Enable checkpoint restore (`CONFIG_CHECKPOINT_RESTORE`) for aarch64 (6e3d6ed4b83e)
With this release, an inventory of software installed in Bottlerocket will now be reported to SSM if the control container is in use and inventorying has been enabled.
- Generate host software inventory and make it available to host containers (#1996)
- Update admin and control containers (#2014)
- Update third-party packages (#1977, #1983, #1987, #1992, #2022)
- Update Rust and Go dependencies (#2016, #2019)
- Makefile: lock tuftool version (#2009)
- Fix tmpfilesd configuration for kmod-5.10-nvidia (#2020)
- Fix tuftool download instruction in VMware Quickstart (#1994)
- Explain data partition extension (#2013)
With this release, the vmware-k8s variants have graduated from preview status and are now generally available. :tada:
- Update kernel-5.4 and kernel-5.10 to include recent security fixes (a8e4a20ca7d1, 3d0c10abeecb)
- Add support for Kubernetes 1.22 variants (#1962)
- Add settings support for registry credentials (#1955)
- Add support for AWS CloudFormation signaling (#1728, thanks, @mello7tre!)
- Add TCMU support to the kernel (#1953, thanks, @cvlc!)
- Fix issue with closing frame construction in apiserver (#1948)
- Fix dead code warning during build in netdog (#1949)
- Correct variable name in bootstrap-containers/README.md (#1959, thanks, @dangen-effy!)
- Add art to the console (#1970)
- Apply patch to containerd for CVE-2022-23648 (0de1b39efa64)
- Update kernel-5.4 and kernel-5.10 to include recent security fixes (#1973)
The Kubernetes 1.18 variant, `aws-k8s-1.18`, will lose support in March 2022.
Kubernetes 1.18 is no longer receiving support upstream.
We recommend replacing `aws-k8s-1.18` nodes with a later variant, preferably `aws-k8s-1.21` if your cluster supports it.
See this issue for more details.
- Apply patch to the kernel for CVE-2022-0492 (#1943)
- Add aws-k8s-1.21-nvidia variant with Nvidia driver support (#1859, #1860, #1861, #1862, #1900, #1912, #1915, #1916, #1928)
- Add metal-k8s-1.21 variant with support for running on bare metal (#1904)
- Update host containers to the latest version (#1939)
- Add driverdog, a configuration-driven utility for linking kernel modules at runtime (#1867)
- Kubernetes: Fix a potential inconsistency with IPv6 node-ip comparisons (#1932)
- Allow setting multiple Kubernetes node taints with the same key (#1906)
- Fix a bug which would prevent Bottlerocket from booting when setting `container-registry` to an empty table (#1910)
- Add `/etc/bottlerocket-release` to host containers (#1883)
- Send grub output to the local console on BIOS systems (#1894)
- Fix minor issues with systemd units (#1889)
- Update third-party packages (#1936)
- Update Rust dependencies (#1940)
- Update Go dependencies of `host-ctr` (#1938)
- Add the ability to fetch licenses at build time (#1901)
- Pin tuftool to a specific version (#1940)
- Add a no-proxy setting example to the README (#1765 thanks, @mrajashree!)
- Document variant `image-layout` options in the README (#1896)
- Update Bottlerocket SDK to 0.25.1 for Rust 1.58.1 (#1918)
- Update kernel-5.4 and kernel-5.10 to include recent security fixes (#1921)
- Migrate host-container to the latest version for vmware variants (#1898)
- Fix an issue which could impair nodes in Kubernetes 1.21 IPv6 clusters (#1925)
- Update containerd for CVE-2021-43816 (8f085929588a)
- Update hotdog to the latest release. Hotdog now mimics the permissions of the target JVM process (#1884)
- Enable configuration for OCI hooks in the container lifecycle (#1868)
- Retry all failed requests to IMDS (#1841)
- Enable node feature discovery for Kubernetes device plugins (#1863)
- Add `apiclient get` subcommand for simple API retrieval (#1836)
- Add support for CPU microcode updates (#1827)
- Consistently support API prefix queries (#1835)
- Add support for custom image sizes (#1826)
- Add support for unifying the OS and data partitions on a single disk (#1870)
- Fixed typo in the README (#1847 thanks, PascalBourdier!)
- Update default admin and control host containers to address CVE-2021-43527 (#1852)
- Update kernel-5.4 and kernel-5.10 to include recent security fixes. (#1851)
- Update containerd (to v1.5.8) and Docker (to v20.10.11) (#1851)
- Update Bottlerocket SDK to 0.23.1 (#1831)
- Add 'apiclient exec' for running commands in host containers (#1802, #1790)
- Improve boot performance (#1809)
- Add support for wildcard container registry mirrors (#1791, #1818)
- Wait up to 300s for a DHCP lease at boot (#1800)
- Retry if fetching the IMDS session token fails (#1801)
- Add ECR account IDs for pulling host containers in GovCloud (#1793)
- Filter sensitive API settings from `logdog` dump (#1777)
- Fix kubelet standalone mode (#1783)
- Remove aws-k8s-1.17 variant (#1807)
- Update Bottlerocket SDK to 0.23 (#1779)
- Update third-party packages (#1816)
- Update Rust dependencies (#1810)
- Update Go dependencies of `host-ctr` (#1775, #1774)
- Prevent spurious rebuilds of the model package (#1808)
- Add disk image files to TUF repo (#1787)
- Vendor wicked service units (#1798)
- Add CI check for Rust code formatting (#1782)
- Allow overriding the AMI data file suffix (#1784)
- Update cargo-make commands to work with newest cargo-make (#1797)
The Kubernetes 1.17 variant, `aws-k8s-1.17`, will lose support in November 2021.
Kubernetes 1.17 is no longer receiving support upstream.
We recommend replacing `aws-k8s-1.17` nodes with a later variant, preferably `aws-k8s-1.21` if your cluster supports it.
See this issue for more details.
- Apply patches to docker and containerd for CVE-2021-41089, CVE-2021-41091, CVE-2021-41092, and CVE-2021-41103 (#1769)
- Add MCS constraints to the SELinux policy (#1733)
- Support IPv6 in kubelet and pluto (#1710)
- Add region flag to aws-iam-authenticator command (#1762)
- Restart modified host containers (#1722)
- Add more detail to /etc/os-release (#1749)
- Add an entry to `/etc/hosts` for the current hostname (#1713, #1746)
- Update default control container to v0.5.2 (#1730)
- Fix various SELinux policy issues (#1729)
- Update eni-max-pods with new instance types (#1724, thanks @samjo-nyang!)
- Add cilium device filters to open-vm-tools (#1718)
- Implement hybrid boot support for x86_64 (#1701)
- Include `/var/log/kdump` in logdog tarballs (#1695)
- Use runtime.slice and system.slice cgroup settings in k8s variants (#1684, thanks @cyrus-mc!)
- Update third-party packages (#1701, #1716, #1732, #1755, #1763, #1767)
- Update Rust dependencies (#1707, #1750, #1751)
- Add wave definition for slow deployment (#1734)
- Add 'infrasys' for creating TUF infra in AWS (#1723)
- Make OVF file first in the OVA bundle (#1719)
- Raise pubsys messages to 'warn' if AMI exists or repo doesn't (#1708)
- Add constants crate (#1709)
- Add release URLs to package definitions (#1748)
- Add *.src.rpm to packages/.gitignore (#1768)
- Archive old migrations (#1699)
- Mention static pods in the security guidance around API access (#1766)
- Fix link to issue labels (#1764, thanks @andrewhsu!)
- Fix broken link for TLS bootstrapping (#1758)
- Update hash for v3 root.json (#1757)
- Update example version to v1.2.0 in QUICKSTART-VMWARE (#1741, thanks @yuvalk!)
- Clarify default kernel lockdown settings per variant (#1704)
- Update Kubernetes for CVE-2021-25741 (#1753)
- Add settings for kubelet topologyManagerPolicy and topologyManagerScope (#1659)
- Add support for container image registry mirrors (#1629)
- Add support for custom CA certificates (#1654)
- Add a setting for configuring hostname (#1664, #1680, #1693)
- Avoid wildcard for applying rp_filter to interfaces (#1677)
- Update default admin container to v0.7.2 (#1685)
- Add support for zstd compressed kernel (#1668, #1689)
- Add support for uploading OVAs to VMware (#1622)
- Update default built variant to aws-k8s-1.21 (#1686)
- Remove aws-k8s-1.16 variant (#1658)
- Move migrations from v1.1.5 to v1.2.0 (#1682)
- Update third-party packages (#1676)
- Update host-ctr dependencies (#1669)
- Update Rust dependencies (#1655, #1683, #1687)
- Fix typo in README (#1652, thanks @faultymonk!)
- Update containerd to 1.4.8 (#1661)
- Update systemd to 247.8 (#1662)
- Update 5.4 and 5.10 kernels (#1665)
- Set permissions to root-only for /var/lib/systemd/random-seed (#1656)
Note: in the Bottlerocket v1.0.8 release, for the aws-k8s-1.20 and aws-k8s-1.21 variants, we set the default Kubernetes CPU manager policy to "static".
We heard from several users that this breaks usage of the Fluent Bit log processor.
In Bottlerocket v1.1.3, we've changed the default back to "none", but have added a setting so you can use the "static" policy if desired.
To do so, set `settings.kubernetes.cpu-manager-policy` to "static".
To do this in user data, for example, pass the following:

```toml
[settings.kubernetes]
cpu-manager-policy = "static"
```
- Fix parsing of lists of values in domain name search field of DHCP option sets (#1646, thanks @hypnoce!)
- Add setting for configuring Kubernetes CPU manager policy and reconcile policy (#1638)
- Update references to the ECS variant for GA release (#1637)
With this release, the aws-ecs-1 variant has graduated from preview status and is now generally available. It's been updated to include Docker 20.10. The new Bottlerocket ECS Updater is available to help provide automated updates. :tada:
- Add aws-k8s-1.21 variant with Kubernetes 1.21 support (#1612)
- Add settings for configuring kubelet containerLogMaxFiles and containerLogMaxSize (#1589) (Thanks, @samjo-nyang!)
- Add settings for configuring kubelet systemReserved (#1606)
- Add kdump support, enabled by default in VMware variants (#1596)
- In host containers, allow mount propagations from privileged containers (#1601)
- Mark ipv6 lease as optional for eth0 (#1602)
- Add recommended device filters to open-vm-tools (#1603)
- In host container definitions, default "enabled" and "superpowered" to false (#1580)
- Allow pubsys refresh-repo to use default key path (#1575)
- Update default host containers (#1609)
- Add grep package to all variants (#1562)
- Update Rust dependencies (#1623, #1574)
- Update third-party packages (#1619, #1616, #1625)
- In GitHub Actions, pin rust toolchain to match version in SDK (#1621)
- Add imdsclient library for querying IMDS (#1372, #1598, #1610)
- Remove reqwest proxy workaround in metricdog and updog (#1592)
- Simplify conditional compilation in early-boot-config (#1576)
- Only build shibaken for aws variants (#1591)
- Silence tokio mut warning in thar-be-settings (#1593)
- Refactor package and variant dependencies (#1549)
- Add derive attributes at start of list in model-derive (#1572)
- Limit threads during pubsys validate-repo (#1564)
- Document the deprecation of the aws-k8s-1.16 variant (#1600)
- Update README for VMware and add a QUICKSTART-VMWARE (#1559)
- Add ap-northeast-3 to supported region list (#1566)
- Add details about the two default Bottlerocket volumes to README (#1588)
- Document webpki-roots version in webpki-roots-shim (#1565)
- Patch runc for CVE-2021-30465 (232c5741ecec)
The Kubernetes 1.16 variant, `aws-k8s-1.16`, will lose support in July 2021.
Kubernetes 1.16 is no longer receiving support upstream.
We recommend replacing `aws-k8s-1.16` nodes with a later variant, preferably `aws-k8s-1.19` if your cluster supports it.
See this issue for more details.
This release introduces two new variants, `aws-k8s-1.20` and `vmware-k8s-1.20`.
We plan for all new variants, including these, to contain the following changes:
- The kernel is Linux 5.10 rather than 5.4.
- The kernel lockdown mode is set to "integrity" rather than "none".
The ECS preview variant, `aws-ecs-1`, has also been updated with these changes.
Existing `aws-k8s` variants will not receive these changes as they could affect existing workloads.
The `aws-ecs-1` variant now supports the `awsvpc` mode of ECS task networking.
This allocates an elastic network interface and private IP address to each task.
- Add Linux kernel 5.10 for use in new variants (#1526)
- Add aws-k8s-1.20 variant with Kubernetes 1.20 support (#1437, #1533)
- Add vmware-k8s-1.20 variant with Kubernetes 1.20 for VMware (#1511, #1529, #1523, #1502, #1554)
- Remove aws-k8s-1.15 variant (#1487, #1492)
- Constrain ephemeral port range (#1560)
- Support awsvpc networking mode in ECS (#1246)
- Add settings for QPS and burst limits of Kubernetes registry pulls, event records, and API (#1527, #1532, #1541)
- Add setting to allow configuration of Kubernetes TLS bootstrap (#1485)
- Add setting for configuring Kubernetes cloudProvider to allow usage outside AWS (#1494)
- Make Kubernetes cluster-dns-ip optional to support usage outside of AWS (#1482)
- Change parameters to support healthy CIS scan (#1295) (Thanks, @felipeac!)
- Generate stable machine IDs for VMware and ARM KVM guests (#1506, #1537)
- Enable "integrity" kernel lockdown mode for aws-ecs-1 preview variant (#1530)
- Remove override for default service start timeout (#1483)
- Restrict access to bootstrap container user data with SELinux (#1496)
- Split SELinux policy rules for trusted subjects (#1558)
- Add symlink to allow usage of secrets store CSI drivers (#1544)
- Prevent bootstrap containers from restarting (#1508)
- Add udev rules to mount CD-ROM only when media is present (#1516)
- Add resize2fs binary to sbin (#1519) (Thanks, @samjo-nyang!)
- Only restart a host container if affected by settings change (#1480)
- Support file patterns when specifying log files in logdog (#1509)
- Daemonize thar-be-settings to avoid zombie processes (#1507)
- Add support for AWS region ap-northeast-3: Osaka (#1504)
- Generate pause container URI with standard template variables (#1551)
- Get cluster DNS IP from cluster when available (#1547)
- Use kernel 5.10 in aws-ecs-1 variant (#1555)
- Build only the packages needed for the current variant (#1408, #1520)
- Use a friendly name for VMware OVA files in build outputs (#1535)
- Update SDK to 0.21.0 (#1497, #1529)
- Allow variants to specify extra kernel parameters (#1491)
- Move kernel console settings to variant definitions (#1513)
- Update vmw_backdoor dependency (#1498) (Thanks, @lucab!)
- Archive old migrations (#1540)
- Refactor default settings and containerd configs to shared files (#1538, #1542)
- Check cargo version at start of build so we have a clear error when it's too low (#1503)
- Fix concurrency issue in validate-repo that led to hangs (#1521)
- Update third-party package dependencies (#1543, #1556)
- Update Rust dependencies in the tools/ workspace (#1548)
- Update tokio-related Rust dependencies in the sources/ workspace (#1479)
- Add upstream runc patches addressing container scheduling failure (#1546)
- Retry builds on known BuildKit internal errors (#1557, #1561)
- Document the deprecation of the aws-k8s-1.15 variant (#1476)
- Document the need to quote most Kubernetes labels/taints (#1550) (Thanks, @ellistarn!)
- Fix VMware spelling and document user data sources (#1534)
Bottlerocket 1.0.8 is the last release where we plan to support the Kubernetes 1.15 variant, `aws-k8s-1.15`.
Kubernetes 1.15 is no longer receiving support upstream.
We recommend replacing `aws-k8s-1.15` nodes with a later variant, preferably `aws-k8s-1.19` if your cluster supports it.
See this issue for more details.
- Support additional kubelet arguments: kube-reserved, eviction-hard, cpu-manager-policy, and allow-unsafe-sysctls (#1388, #1472, #1465)
- Expand file and process restrictions in the SELinux policy (#1464)
- Add support for bootstrap containers (#1387, #1423)
- Make host containers inherit proxy env vars (#1432)
- Allow gzip compression of user data (#1366)
- Add 'apply' mode to apiclient for applying settings from URIs (#1391)
- Add compat symlink for kubelet volume plugins (#1417)
- Remove bottlerocket.version attribute from ECS agent settings (#1395)
- Make Kubernetes taint values optional (#1406)
- Add guestinfo to available VMware user data retrieval methods (#1393)
- Include source of invalid base64 data in error messages (#1469)
- Update eni-max-pods data file (#1468)
- Update default host container versions (#1443, #1441, #1466)
- Fix avc denial for dbus-broker (#1434)
- Fix case of outputted JSON keys in host container user data (#1439)
- Set mode of host container persistent storage directory after creation (#1463)
- Add "current" persistent storage location for host containers (#1416)
- Write static-pods manifest to tempfile before persisting it (#1409)
- Update default variant to aws-k8s-1.19 (#1394)
- Update third-party packages (#1460)
- Update Rust dependencies (#1461, #1462)
- Update dependencies of host-ctr (#1371)
- Add support for specifying a variant's supported architectures (#1431)
- Build OVA packages and include them in repos (#1428)
- Add support for qcow2 as an image format (#1425) (Thanks, @mikalstill!)
- Prevent unneeded artifacts from being copied through build process (#1426)
- Change image format for vmware-dev variant to vmdk (#1397)
- Remove tough dependency from update_metadata (#1390)
- Remove generate_constants logic from build.rs of parse-datetime (#1376)
- In the tools workspace, update to tokio v1, reqwest v0.11, and tough v0.11 (#1370)
- Run static and non-static Rust builds in parallel (#1368)
- Disable CMDLINE_EXTEND kernel configuration (#1473)
- Document metrics settings in README (#1449)
- Fix broken links for symlinked files in models README (#1444)
- Document `apiclient update` as primary CLI update method (#1421)
- Use `apiclient set` in introductory documentation, explain raw mode separately (#1418)
- Prefer resolve:ssm: parameters for simplicity in QUICKSTART (#1363)
- Update quickstart guides to have arm64 examples (#1360)
- Document the deprecation of the aws-k8s-1.15 variant (#1476)
- containerd: update to 1.4.4 (#1401)
- systemd: update to 247.4 to fix segfault in some cases (#1400)
- apiserver: reap exited child processes (#1384)
- host-ctr: specify non-colliding runc root (#1359)
- updog: update signal-hook dependency (#1328)
- Add metricdog to support sending anonymous metrics (#1006, #1322)
- Add a vmware-dev variant (#1292, #1288, #1290)
- Add Kubernetes static pods support (#1317)
- Add high-level 'set' subcommand for changing settings using apiclient (#1278)
- Allow admin container to use SSH public keys from user data (#1331, #1358, #19)
- Add support for kubelet in standalone mode and TLS auth (#1338)
- Add https-proxy and no-proxy settings to updog (#1324)
- Add support for pulling host-containers from ECR Public (#1296)
- Add network proxy support to aws-k8s-1.19 (#1337)
- Modify default SELinux label for containers to align with upstream (#1318)
- Add aliases for container-selinux types to align with community (#1316)
- Update default versions of admin and control containers (#1347, #1344)
- Update ecs-agent to 1.50.2 (#1353)
- logdog: Add eni logs for Kubernetes (#1327)
- Add the ability to output vmdk via qemu-img (#1289)
- Add support for kmod kits to ease building of third-party kernel modules (#1287, #1286, #1285, #1357)
- storewolf: Declare dependencies on model and defaults files (#1319)
- storewolf: Refactor default settings files to allow sharing (#1303, #1329)
- Switch from TermLogger to SimpleLogger (#1282, thanks @hencrice!)
- Allow overriding the "pretty" name of the OS inside the image (#1330)
- Specify bash in link-variant task for use of bash features (#1323)
- Fix invalid symlinks when the BUILDSYS_NAME variable is set (#1312)
- Track and clean output files for builds (#1291)
- Update third-party software packages (#1340, #1336, #1334, #1333, #1335, #1190, #1265, #1315, #1352, #1356)
- Add lockdown notes to SECURITY_GUIDANCE.md (#1281)
- Clarify use case for update repos (#1339)
- Fix broken link from API docs to top-level docs (#1306)
Note for aws-ecs-1 variant: due to a change in the ECS agent's data store schema, the aws-ecs-1 variant cannot be downgraded after updating to v1.0.5. Attempts to downgrade may result in inconsistencies between ECS and the Bottlerocket container instance.
- Add aws-k8s-1.19 variant with Kubernetes 1.19 (#1256)
- Update ecs-agent to 1.48.1 (#1201)
- Add high-level update subcommands to apiclient (#1219, #1232)
- Add kernel lockdown settings (#1223, #1279)
- Add restart-commands for docker, kubelet, containerd (#1231, #1262, #1258)
- Add proper restarts for host-containers (#1230, #1235, #1242, #1258)
- Fix SELinux policy (#1236)
- Set version and revision strings for containerd (#1248)
- Add host-container user-data setting (#1244, #1247)
- Add network proxy settings (#1204, #1262, #1258)
- Update kernel to 5.4.80-40.140 (#1257)
- Update third-party software packages (#1264)
- Update Rust dependencies (#1267)
- Improve support for out-of-tree kernel modules (#1220)
- Fix message in partition size check condition (#1233, thanks @pranavek!)
- Split the datastore module into its own crate (#1249)
- Update SDK to v0.15.0 (#1263)
- Update GitHub Actions to ignore changes that only include .md files (#1274)
- Add documentation comments to Dockerfile (#1254)
- Add a note about CPU usage during builds (#1266)
- Update README to point to discussions (#1273)
- Patch containerd for CVE-2020-15257 (f3677c1406)
- Support setting Linux kernel parameters (sysctl) via settings (see README) (#1158, #1171)
- Create links under `/dev/disk/ephemeral` for ephemeral storage devices (#1173)
- Set default RLIMIT_NOFILE in CRI to 65536 soft limit and a 1048576 hard limit (#1180)
- Add rtcsync directive to chrony config file (#1184, thanks @errm!)
- Add `/etc/ssl/certs` symlink to the CA certificate bundle for compatibility with the cluster autoscaler (#1207)
- Add procps dependency to docker-engine so that `docker top` works (#1210)
- Align optimization level for crate and dependency builds (#1155)
- pubsys no longer requires an Infra.toml file for basic usage (#1166)
- Makefile: Check that $BUILDSYS_ARCH has a supported value (#1167)
- Build migrations in parallel (#1192)
- Allow file URLs for role in pubsys-setup (#1194)
- Update Rust dependencies (#1196)
- Update SDK to v0.14.0 (#1198)
- Fix an occasional issue with KMS signing in pubsys (#1205)
- Backport selected fixes from containerd 1.4 (#1216)
- Update third-party package dependencies (#1176, #1195)
- Switch to SDK v0.14.0 (#1198)
- pubsys: automate setup of role and key (#1133, #1146)
- Store repos under repo name so you can build multiple (#1135)
Note: these changes do not impact users of Bottlerocket AMIs or repos, only those who build Bottlerocket themselves.
If you use an `Infra.toml` file to automate publishing, you'll need to update the format of the file.
The root role and signing key definitions now live inside a repo definition, rather than at the top level of the file.
Please see the updated `Infra.toml.example` file for a commented explanation of the new role and key configuration.
- Add aws-k8s-1.18 variant with Kubernetes 1.18 (#1150)
- Update kernel to 5.4.50-25.83 (#1148)
- Update glibc to 2.32 (#1092)
- Add e2fsprogs (#1147)
- pluto: add regional map of pause container source accounts (#1142)
- Add option to enable spot instance draining (#1100, thanks @mkulke!)
- Add 2.root.json + pubsys KMS support (#1122)
- docker: add default nofiles ulimits for containers (#1119)
- Fix AVC denial for `docker run --init` (#1085)
- Pass Go module proxy variables through docker-go (#1121)
- Set buildmode to pie and drop pie and debuginfo patches for Kubernetes (#1103, thanks @bnrjee!)
- pubsys: use requested size for volume, keeping snapshot to minimum size (#1118)
- Switch to SDK v0.13.0 (#1092)
- Add `cargo make grant-ami` and `revoke-ami` tasks (#1087)
- Allow specifying AMI name with PUBLISH_AMI_NAME (#1091)
- Makefile.toml: clean up clean actions (#1089)
- pubsys: check for copied AMIs in parallel (#1086)
- Add PUBLISHING.md guide explaining pubsys and related tools (#1138)
- README: relocate update API instructions and example (#1124, #1127)
- Fix grammar issues in README.md (#1098, thanks @jweissig!)
- Add documentation for the aws-ecs-1 variant (#1053)
- Update suggested Kubernetes version in sample eksctl config files (#1090)
- Update BUILDING.md to incorporate dependencies (#1107, thanks @troyaws!)
- Patch kernel for CVE-2020-14386 (#1108)
Welcome to Bottlerocket 1.0! Since the first public preview, we've added new variants for Amazon ECS and Kubernetes 1.16 and 1.17, support for ARM instances and more EC2 regions, along with many new features and security improvements. We appreciate all the feedback and contributions so far and look forward to working with the community on even wider support.
🥳 😸
- The `aws-ecs-1` variant is now available as a preview.
- ecs-agent: upgrade to v1.43.0 (#1043)
- aws-ecs-1: add ecs.loglevel setting (#1062)
- aws-ecs-1: remove unsupported capabilities (#1052)
- aws-ecs-1: constrain ephemeral port range (#1051)
- aws-ecs-1: enable awslogs execution role support (#1044)
- ecs-agent: don't start if not configured (#1049)
- ecs-agent: bind introspection to localhost (#1071)
- Update logdog to pull ECS-related log files (#1054)
- Add documentation for the aws-ecs-1 variant (#1053)
- apiclient: accept -s for --socket-path, as per usage message (#1069)
- Fix growpart to avoid race in partition table reload (#1058)
- Added patch for EC2 IMDSv2 support in Docker (#1055)
- schnauzer: add a helper for ecr repos (#1032)
- Add `cargo make ami-public` and `ami-private` targets (#1033, #1065, #1064)
- Add `cargo make ssm` and `promote-ssm` targets for publishing parameters (#1060, #1070, #1067, #1066)
- Use per-checkout cache directories for builds (#1050)
- Fix rust build caching and tune rpm compression (#1045)
- Add official builds in 16 more EC2 regions. (aws/containers-roadmap#827)
- Revise security guidance (#1072)
- README: add supported architectures (#1048)
- Update supported region list after 0.5.0 release (#1046)
- Removed aws-cli v1 requirement in docs (#1073)
- Update BUILDING.md for new coldsnap-based amiize.sh (#1047)
Special thanks to first-time contributor @spoonofpower (#988)!
- Remove support for unsigned datastore migrations (#976)
- Add `aws-ecs-1` variant prototype for running containers in ECS clusters (#946, #1005, #1007, #1008, #1009, #1017)
- Configurable `clusterDomain` kubelet setting via `settings.kubernetes.cluster-domain` (#988, #1036)
- Make update position within waves consistent (#993)
- Fix kubelet configuration for `MaxPods` (#994)
- Update `eni-max-pods` with new instance types (#994)
- Fix `max_versions` unit test in `updata` (#998)
- Remove injection of `label:disable` option for privileged containers in Docker (#1013)
- Add `policycoreutils` and related tools (#1016)
- Update third-party software packages (#1018, #1023, #1025, #1026)
- Update Rust dependencies (#1019, #1021)
- Update `host-ctr`'s dependencies (#1020)
- Update the host-containers' default versions (#1030, #1040)
- Allow access to all device nodes for superpowered host-containers (#1037)
- Add `pubsys` (`cargo make repo`, `cargo make ami`) for repo and AMI creation (#964, #1010, #1028, #1034)
- Require `updata init` before creating a new repo manifest (#991)
- Exclude README.md files from cargo change tracking (#995, #996)
- Build `aws-k8s-1.17` variant by default with `cargo make` (#1002)
- Update comments to be more accurate in Infra.toml (#1004)
- Update `amiize` to use `coldsnap` (#1012)
- Update Bottlerocket SDK to v0.12.0 (#1014)
- Fix warnings for use of deprecated items in `common_migrations` (#1022)
- Removed instructions to manually apply the manifest for aws-vpc-cni-k8s (#1029)
- Add a new `aws-k8s-1.17` variant for Kubernetes 1.17 (#973)
- Confine `chrony`, `wicked`, and `dbus-broker` via SELinux, and persist their state to disk (#970)
- Persist `systemd` journal to disk (#970)
- Add an API for OS updates (#942, #959, #986)
- Add migration helpers to add / remove multiple settings at once (#958)
- Fix SELinux policy to allow CSI driver mounts and transition used by Kaniko (#983)
- Update to new repo URL via migration to ensure signed migration support (#980)
- Fix environment variable override for build output directory (#963)
- Update `.dockerignore` to account for the new build output directory structure (#967)
- Remove the `preview-docs` task from `Makefile` (#969)
- Document new update APIs and add associated diagrams (#962)
- Add `ap-south-1` to supported regions (#965)
- Fix `storewolf`'s documentation and usage message as it expects a semver value (#957)
- Remove all permissive types from the SELinux policy (#945). Actions that were not allowed by the SELinux policy now fail instead of only being logged.
- Use update repository metadata and signatures to run settings migrations (#930)
- Mount debugfs in superpowered host containers, such as the admin container, to support tools like `bcc` and `bpftrace` (#934)
- Protect container snapshot layers in SELinux policy (#935)
- Add `POST /actions/reboot` API path (#936)
- Update `tough` to v0.6.0 (#944)
- Fix behavior of `signpost cancel-upgrade` (#950)
- Update to kernel 5.4.46 (#953)
- Canonicalize architecture names in amiize.sh (#932)
- Split build output directories by variant and architecture (#948)
- Move intermediate RPM output from `build/packages` to `build/rpms` (#948)
- Fix `chmod` usage for building on macOS (#951)
- Document platform-specific settings in README.md (#941)
- Add a new Kubernetes 1.16 variant (#919)
- Use SELinux to restrict datastore modifications (#917)
- Add variant override to updog arguments (#923)
- Update systemd to v245 (#916)
- Update build SDK to v0.11.0 (#926)
- Allow specifying a start time for waves in updata (#927)
- Update `tough` dependencies to v0.5.0 (#928)
- Security: update kernel to 5.4.38 (#924)
Special thanks to our first contributors, @inductor (#853), @smoser (#871), and @gliptak (#870)!
- Update kernel to 5.4.20 (#898)
- Expand SELinux policy to include all classes and actions in 5.4 kernel (#888)
- Include error messages in apiserver error responses (#897)
- Add "logdog" to help users collect debug logs (#880)
- Include objtool in kernel-devel for compiling external modules (#874)
- Ignore termination signals in updog right before initiating reboot (#869)
- Pass `--containerd` flag to kubelet to specify containerd socket path, fixing some cAdvisor metrics (#868)
- Fix delay on reboot or power off (#859)
- Add `systemd.log_color=0` to remove ANSI color escapes from console log (#836)
- Reduce containerd logging when no errors have occurred (#886)
- Update admin container to v0.5.0 (#903)
- Set up GitHub Actions to test OS builds for PRs (#837)
- Update SDK to v0.10.1 (#866)
- Move built RPMs to `build/packages` (#863)
- Bump cargo-make to 0.30.0 (#870)
- Pass proxy environment variables through to docker containers (#871)
- Add parse-datetime crate (#875)
- Update third-party software packages (#895)
- Update Rust dependencies (#896)
- Remove unused Rust dependencies (#894)
- Add upstream fix for arm64 in coreutils (#879)
- Add ability to add waves using TOML files (#883)
- Add default wave files (#881)
- Fix migrations builds (#906)
- QUICKSTART: Clarify which setup is optional (#902)
- QUICKSTART: add easier setup instructions using new eksctl release (#849)
- QUICKSTART: add note about allowing SSH access (#839)
- QUICKSTART: add section on finding AMIs through SSM parameters (#838)
- QUICKSTART: Add supported region list (73d120c9)
- QUICKSTART: Add info about persistent volume CSI plugin (#899)
- QUICKSTART and README: Add appropriate ECR policy guidance (#856)
- README: Fix feedback link to point at existing section (#833)
- README: Add sentence about preview phase with feedback link (#832)
- README: Fixes and updates (#831)
- Update name of early-boot-config in API system diagram (#840)
- Fix updater README's reference to data store version (#844)
- Fix example wave files (#908)
- Log migration errors to console (#795)
- Enable BTF debug info (`CONFIG_DEBUG_INFO_BTF`) (#799)
- Move migrations from private partition to data partition (#818)
- Add top-level model struct (#824)
- Update ca-certificates, cni-plugins, coreutils, dbus-broker, iproute, kmod, libcap, libxcrypt, ncurses, socat, and wicked (#826)
- Update Rust dependencies (#798, #806, #809, #810)
- Add additional cleanup steps to amiize.sh (#804)
- Work around warnings for unused licenses (#827)
- Add GLOSSARY.md, SECURITY_FEATURES.md, and SECURITY_GUIDANCE.md (#800, #807, #821)
- Add additional information to top section of README.md (#802)
- Add license information to OpenAPI specification (#803)
- Add description of source mirroring (#817)
- Update CHARTER.md wording (#823)
Welcome to Bottlerocket! Bottlerocket is the new name for the OS.
In preparation for public preview, v0.3.0 includes a number of breaking changes that mean upgrades from previous versions are not possible. This is not done lightly, but had to be done to accommodate all we've learned during private preview.
- Rename to Bottlerocket (#722, #740).
- Change partition labels to `BOTTLEROCKET-*` (#726).
- Switch to new updates repository URIs under `updates.bottlerocket.aws` (#778).
- Update Kubernetes to 1.15 (#749).
- Rename aws-k8s variant to aws-k8s-1.15 to enable versioning (#785).
- Update Linux kernel to 5.4.16-8.72.amzn2 (#731).
- Rename `settings.target-base-url` to `settings.targets-base-url` (#788).
- Mount kernel modules and development headers into containers from a squashfs file on the host (#701).
- Include third-party licenses at `/usr/share/licenses` (#723).
- Add initial implementation of SELinux (#683, #724).
- Support transactions in the API (#715, #727).
- Add support for platform-specific settings like AWS region (#636).
- Support templated settings with new tool 'schnauzer' (#637).
- Generate container image URIs with parameterized regions using schnauzer (#638).
- Respect update release waves when using `updog check-updates` (#615).
- Fix an issue with failed updates through certain https connections (#730).
- Add support for EC2 IMDSv2 (#705, #706, #709).
- Remove update-checking boot service (#772).
- Remove old migrations and mitigations that no longer apply (#774).
- Add /os API to expose variant, arch, version, etc. (#777).
- Update host container packages (#707).
- Allow removing settings in migrations (#644).
- Create abstractions for creating common migrations (#712, #717).
- Remove the datastore version, instead use Bottlerocket version (#760).
- Improve datastore migration naming convention and build migrations during cargo make (#704, #716).
- Update dependencies of third-party packages in base OS (#691, #696, #698, #699, #700, #708, #728, #786).
- Update dependencies of Rust packages (#738, #730).
- Rename `moondog` to `early-boot-config` (#757).
- Update admin and control containers to v0.4.0 (#789).
- Update container runtime socket path to more common `/run/dockershim.sock` (#796)
- Add copyright statement and Bottlerocket license (#746).
- General documentation improvements (#681, #693, #736, #761, #762).
- Added READMEs for packages and variants (#773).
- Split INSTALL guide into BUILDING and QUICKSTART (#780).
- Update CNI plugin in documentation and conformance test scripts (#739).
- General improvements to third-party license scanning (#686, #719, #768).
- Add policycoreutils, secilc, and squashfs-tools to SDK (#678, #690).
- Update to Rust 1.41 and Go 1.13.8 (#711, #733).
- Disallow upstream source fallback by default (#735).
- Move host, operator, and SDK containers to their own git repos (#743, #751, #775).
- Improve the syntax of migrations listed in Release.toml (#687).
- Add arm64 builds for host-containers (#694).
- Build stable image paths using symlinks in `build/latest/` (#767).
- Add a `set-migrations` subcommand to the `updata` tool (#756).
- Remove `rpm_crashtraceback` tag from go builds (#779).
- Rename built artifacts to specify variant before arch (#776).
- Update SDK to v0.9.0 (#790).
- Fix architecture conditional in glibc spec (#787).
- Rename the `workspaces` directory to `sources` and the `workspaces` package to `os` (#770).
- Make `signpost` usage clearer to avoid updating into empty partition (#444).
- Fix handling of wave bounds in `updog` that could result in seeing an update but not accepting it (#539).
- Add support for query parameters in repo requests to allow for basic telemetry (#542).
- Enable support for SELinux in OS packages (not yet enforcing) (#579).
- Make grub reboot when config or kernel loading fails so it can try other partition sets (#585).
- Add support for image "variants" with separate API models (#578, #588, #589, #591, #597, #613, #625, #626, #627, #653). The default variant is "aws-k8s" for Kubernetes usage, and an "aws-dev" variant can be built that has a local Docker daemon and debug tools.
- Remove unused cri-tools package (#602).
- Update Linux kernel to 4.19.75-28.73.amzn2 (#622).
- Make containerd.service stop containerd-shims to fix shutdown/reboot delay (#652).
- Ensure `updog` only removes known extensions from migration filenames (#662).
- Add OS version to "pretty name" so it's visible in console log (#663).
- Reorganize "getting started" documentation for clarity (#581).
- Fix formatting of kube-proxy options in install guide (#584).
- Specify compatible cargo-deny version in install guide (#631).
- Fix typos and improve clarity of install guide (#639).
- Add scripts to ease Kubernetes conformance testing through Sonobuoy (#530).
- Add release metadata file to be used in future automation (#556, #594).
- Update dependencies of third-party packages in base OS (#595).
- Update dependencies of Rust packages (#598).
- Update SDK container to include Rust 1.40.0, GCC 9.2, and other small fixes (#603, #628).
- Fix aarch64 build failure for libcap (#621).
- Add initial container definitions and scripts for CI process (#619, #624, #633, #646, #647, #651, #654, #658).
- Several settings now have added validation for their contents. Upgrades from v0.1 that use invalid settings values will result in a broken system.
  - Host container names (e.g. `admin` in `settings.host-containers.admin`) are restricted to ASCII alphanumeric characters and hyphens (#450).
  - `settings.kubernetes.api-server`, `settings.updates.metadata-base-url` and `target-base-url`, `settings.host-containers.*.sources`, and `settings.ntp.time-servers` are now validated to be URIs (#549).
  - `settings.kubernetes.cluster_name`, `settings.kubernetes.node-labels`, and `settings.kubernetes.node-taints` are now verified to fit Kubernetes naming conventions (#549).
  - Most settings values disallow multi-line strings (#453, #483).
- Additional characters are permitted in API keys; for example, dots and slashes in Kubernetes labels. Downgrades from v0.2 that use dots and slashes in API keys will result in a broken system (#511).
- Add `dogswatch`, a Kubernetes operator for managing OS upgrades (#239).
- More accurately represent data type of update seed (#430).
- Retry host container pulls with exponential backoff (#433).
- Better model startup dependencies in systemd units (#442).
- Enable panic on disk corruption detected with dm_verity (#445).
- Add persistent storage for host containers, mapped to `/.bottlerocket/host-containers/[CONTAINER_NAME]` (#450, #555).
- Persist SSH host keys for admin container (#450).
- Use admin container v0.2 by default (#450, #536).
- Use control container v0.2 by default (#472, #536).
- Print most critical errors to the console to aid debugging (#476, #479, #546).
- Update Linux kernel to 4.19.75-27.58.amzn2 (#478).
- Updated partitions are marked `successful` after services start (#481).
- Kernel config is available at `/proc/config.gz` (#482).
- Prepare `tough` for separate release, including:
  - Simplify representation of default metadata (#491).
- `apiclient` (available via the host containers) exits non-zero on HTTP response errors (#498).
- `apiclient` builds as a static binary (#552).
- `/proc/kheaders.tar.xz` is enabled in the kernel (#557).
- `settings-committer` no longer errors at boot when there are no changes to commit (#559).
- `migrator` and `updog` set migrations executable before running to work around a v0.1.6 bug (#561, #567).
- Document how to use Bottlerocket's default for the `nf_conntrack_max` kernel parameter when using `kube-proxy` (#391).
- Fix example user data for enabling admin container (#448).
- Update build documentation for using Docker instead of `buildkitd` (#506).
- Update recommended CNI plugin version (#507).
- Document `settings.ntp.time-servers` (#550).
- Update INSTALL.md to use the instance role created by `eksctl` instead of creating a new one (#569).
- Add `updata` tool, which builds update repository metadata (#265).
- Create versioned symlinks to output images (#434).
- Add code and CloudFormation template for TUF repository canary (#490).
- Move the TUF client library, `tough`, to its own repository and crates.io packages (#499).
- Remove build dependency on the BuildKit daemon (#506).
- Switch to SDK container as toolchain for builds, rather than requiring local build of toolchain (#525).
- Turn `buildsys` into a binary and remove the `cascade` feature (#562).
- The system fetches the pause container from ECR before starting `kubelet` (#382).
- New settings: `settings.kubernetes.node-labels` and `settings.kubernetes.node-taints` (#390, #408).
- The control container has an `enable-admin-container` helper (#405, #413). Made default in v0.2.0 (#472).
- Rust dependencies updated (#410).
- `thar-be-settings` added trace-level messages in the client module (#411).
- `updog` no longer checks for migrations from new root images (#416).
- `pluto` was cleaned up to create an HTTP connection more consistently (#419).
- Settings that are usually generated may have defaults, and `settings.kubernetes.max-pods` defaults to `110` if the EC2 instance type cannot be determined (#420).
- The admin container MOTD is clearer about where the host's filesystem is mounted (#424).
- `block-party` (used in `growpart` and `signpost`) errors are better structured (#425).
- `thar-be-settings` logs render errors when running in `--all` mode (#427).
- Recommended `sysctl` settings from the Kernel Self Protection Project are now used (#435).
- `acpid` is enabled by default to handle power button signals sent by EC2 on stop/restart/terminate events (#437).
- `host-ctr` correctly fetches images from non-ECR registries (#439; this regression occurred after v0.1.5).
- amiize uses a short connection timeout when testing SSH connectivity (#409).
- `tuftool` only downloads an arbitrary `root.json` with `--allow-root-download` (#421).
- BuildKit updated to v0.6.2 (#423, #429).
- First-party Rust code is built in the same `rpmbuild` invocation to improve build times (#428).
- `tuftool` correctly uses the `--timestamp-{version,expires}` arguments instead of the `--snapshot-{version,expires}` arguments in the timestamp role (#438).
- `tuftool` accepts relative dates (#438).