Skip to content

Latest commit

 

History

History
3909 lines (3174 loc) · 183 KB

CHANGELOG.md

File metadata and controls

3909 lines (3174 loc) · 183 KB

v1.29.0 (2024-12-17)

Build Changes

  • Add bottlerocket-kernel-kit 1.0.0 (#4332)
  • Update bottlerocket-core-kit to 5.0.0 (#4332)
  • Update bottlerocket-sdk to 0.50.0 (#4332)

OS Changes

v1.28.0 (2024-12-08)

Release Highlights

Build Changes

  • Update bottlerocket-core-kit to 4.0.1 (#4322)

OS Changes

  • Update host containers (#4312)
  • Update Twoliter to 0.6.0 (#4323)

Documentation Changes

  • Update models README references (#4138)

v1.27.1 (2024-11-16)

Release Highlights

Build Changes

OS Changes

  • Update bottlerocket-core-kit to 3.3.2 (#4301)

v1.27.0 (2024-11-12)

Release Highlights

OS Changes

  • Add aws-creds settings defaults to all AWS variants (#4285)
  • Add support for migrations to modify aws-config setting generators (#4271)

Build Changes

  • Update bottlerocket-core-kit to 3.3.0 (#4292)
  • Update bottlerocket-sdk to 0.47.0 (#4286)

v1.26.2 (2024-11-04)

Release Highlights

Build Changes

OS Changes

  • Update bottlerocket-core-kit to 3.1.5 (#4280)

v1.26.1 (2024-10-24)

Release Highlights

Build Changes

OS Changes

  • Update bottlerocket-core-kit to 3.1.1 (#4264)

v1.26.0 (2024-10-23)

Release Highlights

  • Update NVIDIA driver to 535.216.01 (#4254)
  • Move kmod-5.10-nvidia tesla package for aws-ecs-1-nvidia variant from branch R470 to R535 (#4251)

Build Changes

OS Changes

  • Update bottlerocket-core-kit to 3.1.0 (#4254, #4251)
  • Update NVIDIA driver to 535.216.01 (#4254)
  • Update twoliter to 0.5.0 (#4251)
  • Update bottlerocket-sdk to 0.46 (#4251)
  • Standardize RPM release fields for RPM packages (#4244)

Orchestrator Changes

ECS

  • Move kmod-5.10-nvidia tesla package for aws-ecs-1-nvidia variant from branch R470 to R535 (#4251)

Documentation Changes

  • Add link to bootstrap-commands documentation (#4247)

v1.25.0 (2024-10-15)

Release Highlights

  • Remove aws-k8s-1.23 variants (#4083)
  • Add support for NVIDIA GPU time slicing (closes #2347)

Build Changes

OS Changes

  • Update bottlerocket-core-kit to 2.9.0 (#4242)
  • Update host containers (#4241)
  • Update twoliter to v0.4.7 (#4236)
  • Fix permissions for kubelet-exec-start-conf file (#4199)
  • Add support for NVIDIA GPU time slicing (#4230)

Orchestrator Changes

Kubernetes

  • Drop Kubernetes 1.23 AWS variants (#4227, #4237)

Documentation Changes

  • Add security guidance for NVIDIA GPU time-slicing (#4240)

v1.24.1 (2024-10-04)

Release Highlights

Build Changes

OS Changes

  • Update bottlerocket-core-kit to 2.8.4 (#4231)
  • Update host containers (#4233)

Documentation Changes

  • Update QUICKSTART-EKS.md (#4228) - Thanks @bryanhsu00 for the suggested fix!

v1.24.0 (2024-09-27)

Release Highlights

Build Changes

OS Changes

  • Update bottlerocket-core-kit to v2.8.1 (#4222)

Settings Extensions

  • Drop dependency on glibc-devel (#4213)

Documentation Changes

  • Update QUICKSTART-ECS.md and QUICKSTART-EKS.md (#4169) Thanks @bryantbiggs!

v1.23.0 (2024-09-19)

Orchestrator Changes

Kubernetes

  • Support Kubernetes NVIDIA Device Plugin configurations through API (#4182)
  • Support NVIDIA Container Toolkit configurations through API (#4182)

Build Changes

  • Update bottlerocket-sdk to 0.45 (#4189)
  • Add Twoliter.override to .gitignore (#4202)

Twoliter

  • Update bottlerocket-core-kit (#4189, #4203, #4211)
  • Perform binary checksum validation (#4192)
  • Update Twoliter to v0.4.6 (#4200)

Settings Extensions

  • Update bottlerocket-settings-models to v0.4.0 (#4182)

Documentation Changes

  • Add NVIDIA Device Plugin and NVIDIA Container Toolkit notes to SECURITY_GUIDANCE.md (#4205)

v1.22.0 (2024-09-10)

Orchestrator Changes

Kubernetes

  • Add Kubernetes 1.31 variants (#4142)

OS Changes

  • Update host containers (#4171)
  • Add support for bootstrap commands (#4131)

Build Changes

Twoliter

Settings Extensions

  • Update bottlerocket-settings-models to v0.4.0 (#4131)

v1.21.1 (2024-08-21)

OS Changes

  • Update host containers (#4153)

Build Changes

  • Use workspace dependencies for all dependencies (#4132)

Twoliter

Settings Extensions

  • Update bottlerocket-settings-models to v0.3.0 (#4145)

README changes

  • Update command for SSM Start session on host container (#4129) - Thanks @Veronica4036!

v1.21.0 (2024-08-06)

OS Changes

  • Update host containers (#4117)

Orchestrator Changes

Kubernetes

  • Enable k8s reserved cpus (#3964)
  • Drop k8s 1.27 metal and VMware variants (#4079)
  • Drop k8s 1.26 metal and VMware variants (#4018)
  • Build the pause image from upstream (#3940) - Thanks @tzneal!

ECS

  • Port to the ECS settings extension (#3984)

Build Changes

  • Archive previous release migrations (#4014)
  • Update Go dependencies (#3999)

Twoliter

  • Migrate to core kit (#4060)
  • Remove leftover vendor section (#4071)
  • Update Twoliter to 0.4.4 (#4008, #4086, #4093, #4123)
  • Update bottlerocket-core-kit to v2.3.1 (#4122)
  • Update bottlerocket-sdk to 0.43 (#4122)

Settings Extensions

  • Use settings models vended by bottlerocket-settings-sdk (#4057)
  • Migrate to settings plugins and eliminate variant-based conditional compilation (#4038)
  • Enable settings extensions (#4050)
  • Update to bottlerocket-settings-models v0.2.0 (#4118)

Platform Changes

AWS

  • Add udev rule to create symlinks using EBS volumes’ device names (#3977)

Package changes

  • Add Neuron kmod for 6.1 kernel (#3982)
  • Update containerd to 1.7.20 (#4122)

README changes

  • Fix OpenAPI spec link (#4062)
  • Fix NVIDIA variants in SSM parameters (#4047)
  • Add k8s command to retrieve log archive (#3993)
  • Fix netdog reference link (#3974) - Thanks @emmanuel-ferdman!
  • Update BUILDING.md with the latest Docker requirements (#4098)

v1.20.5 (2024-07-30)

OS Changes

  • Update docker-engine to v25.0.6 (#4111)
  • Update containerd to 1.6.34 (#4113)
  • Update kernels: 5.10.220, 5.15.162, and 6.1.97 (#4104)
  • Update host containers (#4110)

Orchestrator Changes

Kubernetes

  • Add latest instance types to eni-max-pods mapping (#4108)

v1.20.4 (2024-07-15)

OS Changes

  • Update kernels: 5.10.219 and 6.1.94 (#4080)
  • Update docker-engine and docker-cli to v25.0.5 (#4091)

Orchestrator Changes

Kubernetes

  • Update patches for kubernetes 1.23, 1.24, 1.25, and 1.26 (#4084)
  • Update sources for kubernetes 1.27, 1.28, 1.29, and 1.30 (#4089)

v1.20.3 (2024-06-26)

OS Changes

  • Update kernels: 5.10.218, 5.15.160, and 6.1.92 (#4064, #4066)

v1.20.2 (2024-06-12)

OS Changes

  • Update kernel to 5.10.217 #4039
  • Mount static kmod as /usr/local/sbin/modprobe #4037

v1.20.1 (2024-06-04)

OS Changes

  • Update kernels to 6.1.90, 5.15.158, and 5.10.216 (#3976, #3972)
  • Include statically linked version of kmod (#3981)
  • Specify AWS EULA as license for kmod-*-nvidia packages (#3991)
  • Update source for Fabric Manager binaries (#4015)
  • Update NVIDIA driver versions to 470.256.02 and 535.183.01 (#4029)

v1.20.0 (2024-05-13)

OS Changes

  • Update third party packages (#3939)
  • Enable file system encryption in 5.15 and 6.1 kernels (#3906, #3908)
  • Backport fix for loading SELinux modules (#3907)
  • Add Fabric Manager support (#3873)
  • Update host containers (#3947)
  • Add setting to configure ntp options (#3852 thanks @domgoodwin)
  • Include swap utilities (#3829)
  • Update kernels to 6.1.87, 5.15.156, 5.10.215 (#3934, #3930)

Orchestrator Changes

Kubernetes

  • Drop Kubernetes 1.25 Metal and VMware variants (#3896)
  • Add Kubernetes 1.30 variants (#3859, #3936)
  • Add container-runtime settings to aws-k8s-*-nvidia variants (#3945)

ECS

  • Update ecs-agent to 1.82.3 (#3939)
  • Use systemd drop-ins to configure the ECS agent (#3834)

Build Changes

  • Update twoliter and the SDK (#3938, #3885)
  • Remove liblzma and libbzip2 (#3861, #3944)
  • Pessimize Rust builds that require the AWS SDK (#3892)
  • Reduce variant matrix in CI/CD (#3863)
  • Document package build tools for go dependencies (#3882)
  • Update Go lints in CI/CD (#3884)
  • Out-of-tree build enablement
    • systemd: use build defaults and kernel parameters for unified cgroups (#3886, #3935)
    • early-boot-config: Use standalone provider binaries to fetch user data (#3637, #3890)
    • logdog: retrieve settings via API client (#3946)
    • netdog: remove conditional compilation, add hostname helpers (#3700, #3898)
    • schnauzer: add if_not_null template helper (#3838)
    • static-pods: remove conditional compilation, switch to config file (#3891, #3927, #3913)
    • host-containers: switch to config file (#3777, #3842)
    • bootstrap-containers: switch to config file (#3724)
    • corndog: switch to config file (#3715)
    • prairiedog: switch to config file (#3713, #3814, #3836)
    • thar-be-updates: switch to config file (#3721)
    • updog: use modeled types (#3901)
    • kernel: remove variant sensitivity (#3897, #3905, #3932)
  • FIPS enablement
    • add FIPS report to the API (#3894)
    • add release-fips package for FIPS functionality (#3893)
    • build Go binaries for FIPS and non-FIPS (#3887)

v1.19.5 (2024-05-01)

OS Changes

  • Update kernel to 5.10.214, 5.15.153, 6.1.84 #3906
  • Update third party packages (#3910, #3914)
  • Update host containers (#[3911])

Orchestrator Changes

Kubernetes

  • Provide runtime cgroup to kubelet (#3804)

Build Changes

  • Update twoliter to v0.1.1 (#3880, #3900)
  • Update ecs-gpu-init, amazon-ssm-agent, and nvidia-k8s-device-plugin builds for new SDK (#3920, #3921, #3924)

v1.19.4 (2024-04-06)

OS Changes

  • Update kernel to 5.10.213, 5.15.152, 6.1.82 (#3865)
  • Update containerd to 1.6.31 (#3869)

v1.19.3 (2024-03-26)

OS Changes

  • Update kernel to 5.10.210, 5.15.149, 6.1.79 (#3853)
  • Update third party packages (#3793, #3832)
  • Update host containers (#3837)
  • Support auditctl in bootstrap containers (#3831)

Orchestrator Changes

Kubernetes

  • Add latest instance types to eni-max-pods mapping (#3824)

ECS

Build Changes

  • Update Rust dependencies (#3830)
  • Update Go dependencies (#3830)
  • twoliter updated to v0.0.7 (#3839)

v1.19.2 (2024-02-26)

OS Changes

  • Update third party packages (#3789)
  • Update kernel to 5.10.209, 5.15.148, 6.1.77 (#3797)
  • Add AWS settings extension (#3738, #3770)
  • Allow CSI helpers in the SELinux policy (#3779)
  • Update to latest NVIDIA drivers (#3798)

Orchestrator Changes

Kubernetes

  • Enable NVIDIA GPU isolation using volume mounts (#3718 thanks @chiragjn , #3790)
  • Clean up CNI results cache on boot (#3792)

ECS

  • Add settings.ecs.enable-container-metadata (#3782)

Build Changes

  • Adjust certdog to utilize a configuration file instead of the API server (#3706, #3778, #3787)
  • Don't use parallel make for shim package (#3771)
  • Renumber unit files in release package (#3769)
  • Ignore EKS patches for k8s-1.23 in Git (#3774)

v1.19.1 (2024-02-06)

OS Changes

  • Update kernel to 5.10.209, 5.15.148 (#3765)
  • Update host containers (#3763)

Orchestrator Changes

Kubernetes

  • Mark pause container image as "pinned" to prevent garbage collection (#3757)

ECS

  • Update Docker engine and Docker CLI to v25.0.2 (#3759)
  • Update ECS agent to 1.81.0 (#3759)
  • Update AWS SSM agent to 3.2.2222.0 (#3762)

v1.19.0 (2024-02-01)

OS Changes

  • Adjust unit dependencies for systemd-sysusers (#3720)
  • Update third party packages (#3722, #3750)
  • Add kernel settings extension (#3727)
  • Update kernel to 5.10.205, 5.15.145, 6.1.72 (#3734)
  • Update runc to 1.1.12 and containerd to 1.6.28 (#3751)

Orchestrator Changes

Kubernetes

  • Add latest instance types to eni-max-pods mapping (#3741)
  • Drop Kubernetes 1.24 Metal and VMware variants (#3742)

ECS

  • Add additional ECS settings for ECS_BACKEND_HOST and ECS_AWSVPC_BLOCK_IMDS (#3749)

Build Changes

  • twoliter updated to v0.0.6 (#3744)

v1.18.0 (2024-01-16)

OS Changes

  • Remove unused runc SELinux policy rule (#3673)
  • Update third party packages (#3692)
  • Fix creation of kprobes using unqualified names (#3699, #3708)
  • Update host containers (#3704)
  • Update kernel to 5.10.205, 5.15.145, 6.1.66 (#3686, #3708)
  • Add container-registry settings extension (#3674)
  • Add updates settings extension (#3689)

Orchestrator Changes

Kubernetes

  • Add Kubernetes 1.29 variants (#3628)
  • Update Kubernetes 1.23 to release 33 (#3692)
  • Add latest instance types to eni-max-pods mapping (#3695)

ECS

  • Update ecs-agent to 1.79.2 (#3692)

Build Changes

  • Export symbols for packages that include dynamically linked Go binaries (#3680)
  • Update to Bottlerocket SDK v0.37.0 (#3690)
    • Upgrades to Go 1.21.5

v1.17.0 (2023-12-12)

OS Changes

  • Generate valid hostname when IPv6 reverse lookup fails (#3592)
  • Avoid mounting the EFI system partition at /boot (#3591)
  • Update kernel to 5.10.201, 5.15.139, 6.1.61 (#3611, #3643)
  • Switch to async tough (#3566)
  • Update host containers (#3646)
  • Move template migrations to schnauzer v2 (#3633)
  • Handle proxy credentials properly in pluto (#3639, #3667)
  • Update third party packages (#3612, #3642)

Orchestrator Changes

Kubernetes

  • Update nvidia-k8s-device-plugin to address CVEs (#3612)
  • Update to Kubernetes 1.28.4 (#3612)
  • Update to Kubernetes 1.27.8 (#3612)
  • Update to Kubernetes 1.26.11 (#3612)
  • Update to Kubernetes 1.25.16 (#3612)

ECS

  • Update ecs-agent to address CVEs (#3612)

Build Changes

  • Update to Bottlerocket SDK v0.36.1 (#3640, #3670)

v1.16.1 (2023-11-13)

OS Changes

  • Update open-vm-tools to 12.3.5 to address CVE-2023-34058 and CVE-2023-34059 (#3553)
  • Update NVIDIA drivers to 470.223.02 and 535.129.03 to address CVE‑2023‑31022 and CVE‑2023‑31018 (#3561)
  • Improvements to Bottlerocket CIS benchmark checks (#3552 #3562 #3564)
  • Regenerate updog proxy configuration when settings.network.proxy gets updated (#3578)
  • kernel: Update to 5.10.198, 5.15.136, and 6.1.59 (#3572)

Orchestrator Changes

Kubernetes

  • Update Kubernetes versions to address HTTP v2 x/net CVE-2023-39325 (#3581)
  • Avoid specifying hostname-override kubelet option if cloud-provider is set to aws (#3582)

v1.16.0 (2023-10-25)

OS Changes

  • Adjust netlink timeout to prevent interfaces from entering a failed state (#3520)
  • Update third-party packages (#3535)
  • Add XFS CLI utilities for managing XFS-formatted storage (#3444)
  • Add facilities to auto-load kernel modules (#3460)
  • Update to kernels 5.10.197, 5.15.134, and 6.1.55 (#3509 #3542)
  • Fix reporting for Bottlerocket CIS Benchmark 4.1.2 (#3547)
  • Update systemd to 252.18 (#3533)
  • Allow fanotify permission events for trusted subjects in SELinux policy (#3540)

Orchestrator Changes

Kubernetes

  • Drop Kubernetes 1.23 Metal and VMware variants (#3531)

ECS

  • Update ecs-agent (#3535)

Build Changes

  • Update to Bottlerocket SDK v0.35.0 (#3528)

v1.15.1 (2023-10-9)

OS Changes

  • Allow older ext4 snapshot volumes to be mounted in newer variants that default to xfs (#3499)
  • Update apiclient Rust dependencies (#3491)
  • Update pluto Rust dependencies (#3439)
  • Patch glibc to address CVE-2023-4806, CVE-2023-4911, and CVE-2023-5156 (#3501)
  • Update open-vm-tools to 12.3.0 to address CVE-2023-20900 (#3500)

Build Changes

  • Update twoliter to v0.0.4 (#3480)

v1.15.0 (2023-09-18)

Major Features

This release brings support for Secure Boot on platforms using UEFI boot; the Linux 6.1 kernel; systemd-networkd and systemd-resolved for host networking; and XFS as the filesystem for local storage.

These features are enabled by default in the new variants. Existing variants will continue to use earlier kernels, wicked for host networking, and EXT4 as the filesystem for local storage.

Known Incompatibilities

  • Variants using the 6.1 kernel (aws-ecs-2/aws-ecs-2-nvidia, aws-k8s-1.28/aws-k8s-1.28-nvidia, vmware-k8s-1.28, and metal-k8s-1.28) do not support LustreFS (#3459)

Deprecation Notice

The functionality to apply a hotpatch for log4j CVE-2021-44228 has been removed. The corresponding setting, settings.oci-hooks.log4j-hotpatch-enabled, is still available for backwards compatibility. However, it has no effect beyond printing a deprecation warning to the system logs. (#3401)

OS Changes

Orchestrator Changes

ECS

  • Add aws-ecs-2 variants (#3273)
    • Enables Secure Boot, systemd-networkd, and XFS for the data partition
  • Add support for AppMesh (#3267)

Kubernetes

  • Add Kubernetes 1.28 variants (#3329)
    • Enables Secure Boot, systemd-networkd, and XFS for the data partition
  • Drop Kubernetes 1.22 variants (#2988)
  • Update to Kubernetes 1.27.4 (#3319)
  • Update to Kubernetes 1.26.7 (#3320)
  • Update to Kubernetes 1.25.12 (#3321)
  • Update to Kubernetes 1.24.16 (#3322)
  • Add support for SeccompDefault setting for k8s 1.25+ (#3334)
  • Add Kubernetes CIS benchmark report (#3239)

Platform Changes

AWS

  • Retry on empty PrivateDnsName from EC2 (#3364)

Metal

  • Enable Intel VMD driver (#3419)
  • Add linux-firmware (#3296, #3418)
  • Add aws-iam-authenticator to k8s variants (#3357)

Build Changes

v1.14.3 (2023-08-10)

OS Changes

  • Apply patches to 5.10 and 5.15 kernels to address CVE-2023-20593 (#3300)
  • Update admin and control containers (#3307)
  • Update eni-max-pods with new instance types (#3324)

Orchestrator Changes

Kubernetes

  • Update Kubernetes v1.23.17 to include latest EKS-D patches (#3323)

v1.14.2 (2023-07-06)

OS Changes

  • Improve the reliability of acquiring a DHCPv6 lease (#3211, #3212)
  • Update kernel-5.10 to 5.10.184 and kernel-5.15 to 5.15.117 (#3238)
  • Update eni-max-pods with new instance types (#3193)
  • Make pluto outbound API requests more resilient to intermittent network errors (#3214)
  • Update runc to 1.1.6 (#3249)

Orchestrator Changes

ECS

  • Add image cleanup settings to control task image cleanup frequency (#3231)

Kubernetes

  • Update to Kubernetes v1.24.15 (#3234)
  • Update to Kubernetes v1.25.11 (#3235)
  • Update to Kubernetes v1.26.6 (#3236)
  • Update to Kubernetes v1.27.3 (#3237)

Build Changes

  • Updated Bottlerocket SDK version to v0.33.0 (#3213)

v1.14.1 (2023-05-31)

OS Changes

  • Apply patches to 5.10 and 5.15 kernels to address CVE-2023-32233 (#3128)
  • Add fallback container image source parsing for regions not yet supported by the aws-go-sdk in host-ctr (#3138)
  • Increase default max_dgram_qlen sysctl value to 512 for both 5.10 and 5.15 kernels (#3139)

Orchestrator Changes

Kubernetes

  • Kubernetes package updates
    • Update Kubernetes v1.22.17 to include latest EKS-D patches (#3108)
    • Update Kubernetes v1.23.17 to include latest EKS-D patches (#3119)
    • Update to Kubernetes v1.24.14 (#3119)
    • Update to Kubernetes v1.25.9 (#3119)
    • Update to Kubernetes v1.26.4 (#3119)
    • Update Kubernetes v1.27.1 to include latest EKS-D patches (#3119)
  • Change nvidia-k8s-device-plugin service dependency on kubelet (#3141)

Build Changes

  • Fix pubsys bug preventing multiple SSM parameter promotions in promote-ssm Makefile target (#3137)

v1.14.0 (2023-05-11)

OS Changes

  • Update kernel-5.10 to 5.10.178 and kernel-5.15 to 5.15.108 (#3077)
  • Update admin and control containers (#3090)
  • Update third party packages and dependencies (#2991, #3082)
  • Enable SCSI_VIRTIO driver for better hypervisor support (#3047)
  • Disable panic on hung task for kernel 5.15 (#3091)
  • Create symlink to inventory path using Storewolf (#3035)

Orchestrator Changes

ECS

  • Add support for ECS Exec (#3075)

Kubernetes

  • Add Kubernetes 1.27 variants (#3046)
    • Switch to using Kubernetes default values for kube-api-burst and kube-api-qps (#3094)
  • Add more Kubernetes settings (#2930, #2986)
    • Soft eviction policy
    • Graceful shutdown
    • CPU quota enforcement
    • Memory manager policy
    • CPU manager policy
  • Fix Kubernetes 1.26 credential provider apiVersion (#3070)
  • Add ability to pass environment variables to image credential providers (#2934)

Build Changes

  • Upgrade to Bottlerocket SDK v0.32.0 (#3071)
  • Add AMI validation to PubSys (#3020)
  • Add SSM parameter validation to PubSys (#2969)
  • Add validate-ami and validate-ssm Makefile targets (#3043)
  • Add check-migrations Makefile target to check for common migration problems (#3051)

Testing Changes

  • Update testsys to v0.0.7 (#3065)
  • Add support for node provisioning with Karpenter (#3067)
  • Enable using custom Sonobuoy images (#3068)

v1.13.5 (2023-05-01)

OS Changes

  • Revert runc update to move back to 1.1.5 (#3054)

v1.13.4 (2023-04-24)

OS Changes

  • Ensure the first hostname is used when a VPC DHCP option set has multiple domains (#3032)
  • Update runc to version 1.1.6 (#3037)

Orchestrator Changes

Kubernetes

  • Generate and pass --hostname-override flag to kubelet in aws-k8s-1.26 variants (#3033)

v1.13.3 (2023-04-17)

OS Changes

  • Update kernel-5.10 to 5.10.173 and kernel-5.15 to 5.15.102 (#2948, #3002)
  • Fix check for rule existence in ip6tables v1.8.9 (#3001)
  • Backport systemd fixes for skipped udevd events (#2999)
  • Check platform-specific mechanisms for hostname first (#3021)

Orchestrator Changes

Kubernetes

  • Generate 'provider-id' setting for aws-k8s variants (#3026)

v1.13.2 (2023-04-04)

OS Changes

  • Update runc to version 1.1.5 (#2946)

Orchestrator Changes

Kubernetes

  • Update to Kubernetes v1.26.2 (#2929)
  • Update aws-iam-authenticator package to v0.6.8 (#2965)

v1.13.1 (2023-03-23)

OS Changes

  • Improve logic around repartitioning and disk expansion by using symlinks to differentiate "fallback" and "preferred" data partitions (#2935)
  • Add keyutils package to enable mounting CIFS shares (#2907)

Orchestrator Changes

Kubernetes

  • Fix AWS profile rendering in credential provider (#2904)
  • Change CredentialProviderConfig api version to v1beta1 for Kubernetes 1.25 variants (#2906)

v1.13.0 (2023-03-15)

OS Changes

  • Add ethtool to Bottlerocket (#2829)
  • Improve logging in migrator to track ongoing migrations (#2751)
  • Improve random-access read performance of root volume on some devices (#2863)
  • Add CAP_SYS_MODULE and CAP_CHROOT to bootstrap containers (#2772)
  • Add support for cgroup v2 (#2875, #2802)
  • Disable IA and SafeSetID LSM for kernel-5.15 (#2789)
  • Update kernel-5.10 to 5.10.165 and kernel-5.15 to 5.15.90 (#2795)
  • Allow = in bootconfig values (#2806)
  • Include systemd-analyze plot for logdog (#2880)
  • Update host containers (#2864)
  • Update third party packages (#2825, #2842)

Orchestrator Changes

Kubernetes

  • Remove Kubernetes 1.21 variants (#2700)
  • Add Kubernetes 1.26 variants (#2771, (#2876)
  • Change kubelet service to have restart policy always (#2774)
  • Update to Kubernetes v1.25.6 (#2782)
  • Update to Kubernetes v1.24.10 (#2790)
  • Update to Kubernetes v1.23.16 (#2791)
  • Update Kubernetes 1.22.17 to include latest EKS-D patches (#2792)

ECS

  • Enable FireLens capability in aws-ecs-1 variant (#2819)

Platform Changes

AWS

  • Set NVMe IO request timeouts for EBS according to AWS recommendations (#2820)
  • Support an alternate data partition on EC2 instances launched with a single volume (#2807, #2879, #2873)
  • Update eni-max-pod mappings to include the latest AWS instance types (#2818)

VMware

  • Remove k8s.gcr.io in favor of public.ecr.aws (#2861, (#2786)
  • Disable UDP offload for primary interface (#2850)

Build Changes

  • Ensure empty build/rpms directory is included in build context (#2784)
  • Add image feature flag for cgroup v2 (#2845)
  • Enable systemd-networkd development via build flag (#2741, #2832, #2750)
  • Fix clippy linter warnings in source files and add clippy CI coverage (#2745)
  • Use clippy provided in SDK image (#2793) (#2868)
  • Remove unnecessary time 0.1.x dependency (#2748, #2851)
  • Remove unnecessary patch from containerd (#2755)
  • Update Bottlerocket SDK to v0.30.2 (#2866, #2857, #2836)
  • Remove outdated rust_2018_idioms enforcement (#2837)
  • Update Rust edition to 2021 (#2835)
  • Upgraded Rust code dependencies (#2816, #2869, #2851, #2736, #2895)
  • Upgraded Go code dependencies (#2828, #2826, #2813)
  • Rename ncurses to libncurses (#2769)
  • Update schnauzer's registry map (#2867)

Testing Changes

  • Add support for Kubernetes workloads in testsys (#2830)
  • Add support for a tests directory (#2737, #2775)
  • Provide advanced config controls to testsys (#2799)
  • Fix incorrect migration starting image for VMware testing in testsys (#2804)
  • Use testsys v0.0.6 (#2865)

Documentation Changes

  • Add boot sequence documentation (#2735)
  • Update Bottlerocket version in provisioning step in PROVISIONING-METAL.md (#2785)
  • Add user-data example for setting container registry credentials in README.md (#2803)
  • Fix missing trailing backslashes on ami commands in TESTING.md (#2838)

v 1.12.0 (2023-01-24)

OS Changes

  • Disable strict aliasing for c-utf-8 library strict aliasing in dbus-broker (#2730)
  • Add /sys/firmware to privileged mounts in host-ctr (#2714)
  • Use user-provided registry credentials for public.ecr.aws in host-ctr (#2676)
  • Build masked paths list dynamically in host-ctr (#2637)
  • Enable EFI option in systemd (#2714)
  • Allow simple enums as map keys in datastore (#2687)
  • Improve reliability of settings.network.hostname generator (#2647)
  • Add support for bonding and VLANS in net.toml (#2596)
  • Keep only one intermediate datastore during migration (#2589)
  • Widen access to filesystem relabel in SELinux policy (#2738)
  • Update hotdog to 1.05 (#2728)
  • Update systemd to 250.9 (#2718)
  • Update third party packages and dependencies ([#2588], #2717)
  • Update host containers (#2739)
  • Update eksd (#2690, #2693, #2694, thanks @rcrozean)

Orchestrator Changes

Kubernetes

  • Add support for Kubernetes 1.25 variants (#2699)
  • Allow access to public kubelet certificates (#2639)
  • During kubelet prestart, skip pause image pull if image exists (#2587)
  • Delay kubelet.service until after warm-pool-wait service runs (#2562)
  • Add OCI default spec and settings to containerd (#2697)

Platform Changes

VMware

  • Downgrade iopl warning when fetching guestinfo in early-boot-config (#2732)

Build Changes

  • Treat alias warning as errors (#2730)
  • Suppress "missing changelog" warning in build (#2730)
  • Update Bottlerocket SDK version to 0.29.0 (#2730)
  • Improve error messages for publish-ami command (#2695)
  • Disallow private AMIs in public SSM parameters (#2680)
  • Rework start-local-vm image selection to use latest symlink (#2696)
  • Improve integration testing through cargo make test (#2560, #2592, #2618, #2646, #2653, #2683, #2674, #2723, #2724, #2725)

v1.11.1 (2022-11-28)

Security Fixes

  • Update NVIDIA driver for 5.10 and 5.15 to include recent security fixes (74d2c5c13ab0)
  • Apply patch to systemd for CVE-2022-3821 (#2611)

v1.11.0 (2022-11-15)

OS Changes

  • Prevent a panic in early-boot-config when there is no IMDS region (#2493)
  • Update grub to 2.06-42 (#2503)
  • Bring back wicked support for matching interfaces via hardware address (#2519)
  • Allow bootstrap containers to manage swap (#2537)
  • Add systemd-analyze commands to troubleshooting log collection tool (#2550)
  • Allow bootstrap containers to manage network configuration (#2558)
  • Serialize bootconfig values correctly when the value is empty (#2565)
  • Update zlib, libexpat, libdbus, docker-cli (#2583)
  • Update host containers (#2574)
  • Unmask /sys/firmware from host containers (#2573)

Orchestrator Changes

ECS

  • Add additional ECS API configurations (#2527)
    • ECS_CONTAINER_STOP_TIMEOUT
    • ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION
    • ECS_TASK_METADATA_RPS_LIMIT
    • ECS_RESERVED_MEMORY

Kubernetes

  • Add a timeout when calling EKS for configuration values (#2566)
  • Enable IAM Roles Anywhere with the k8s ecr-credential-provider plugin (#2377, #2553)
  • Kubernetes EKS-D updates

Platform Changes

AWS

  • Add driver support for AWS variants in hybrid environments (#2554)

Build Changes

  • Add support for publishing to AWS organizations (#2484)
  • Remove unnecessary dependencies when building grub (#2495)
  • Switch to the latest Dockerfile frontend for builds (#2496)
  • Prepare foundations for Secure Boot and image re-signing (#2505)
  • Fix EFI file system to fit partition size (#2528)
  • Add ShellCheck to check-lints for build scripts (#2532)
  • Update the SDK to v0.28.0 (#2543)
  • Use rustls-native-certs instead of webpki-roots (#2551)
  • Handle absolute paths for output directory in kernel build script (#2563)

Documentation Changes

  • Add a Roadmap markdown file (#2549)

v1.10.1 (2022-10-19)

OS Changes

  • Support container runtime settings: enable-unprivileged-icmp, enable-unprivileged-ports, max-concurrent-downloads, max-container-log-line-size (#2494)
  • Update EKS-D to 1.22-11 (#2490)
  • Update EKS-D to 1.23-6 (#2488)

v1.10.0 (2022-10-10)

OS Changes

  • Add optional settings to reboot into new kernel command line parameters (#2375)
  • Support for static IP addressing (#2204, #2330, #2445)
  • Add support for NVIDIA driver version 515 (#2455)
  • Set mode for tmpfs mounts (#2473)
  • Increase inotify default limits (#2335)
  • Align vm.max_map_count with the EKS Optimized AMI (#2344)
  • Add support for configuring DNS settings (#2353)
  • Migrate netdog from serde_xml_rs to quick-xml (#2311)
  • Support versioning for net.toml (#2281)
  • Update admin and control container (#2471, #2472)

Orchestrator Changes

ECS

  • Add cargo make tasks for testing ECS variants (#2348)

Kubernetes

  • Add support for Kubernetes 1.24 variants (#2437)
  • Remove Kubernetes aws-k8s-1.19 variants (#2316)
  • Increase the kube-api-server QPS from 5/10 to 10/20 (#2436, thanks @tzneal)
  • Update eni-max-pods with new instance types (#2416)
  • Add setting to change kubelet's log level (#2460, #2470)
  • Add cargo make tasks to perform migration testing for Kubernetes variants in AWS (#2273)

Platform Changes

AWS

  • Disable drivers for USB-attached network interfaces (#2328)

Metal

  • Add driver support for Solarflare, Pensando, Myricom, Huawei, Emulex, Chelsio, Broadcom, AMD and Intel 10G+ network cards (#2379)

Build Changes

  • Extend external-files to vendor go modules (#2378, #2403, #2430)
  • Make net_config unit tests reusable across versions (#2385)
  • Add diff-kernel-config to identify kernel config changes (#2368)
  • Extended support for variants in buildsys (#2339)
  • Clarify crossbeam license (#2447)
  • Honor BUILDSYS_ARCH and BUILDSYS_VARIANT env variables when set (#2425)
  • Use architecture specific json payloads in unit tests (#2367, #2363)
  • Add unified check target in Makefile.toml for review readiness (#2384)
  • Update Go dependencies of first-party go projects (#2424, #2440, #2450, #2452, #2456)
  • Update Rust dependencies (#2458, #2476)
  • Update third-party packages (#2397, #2398, #2464, #2465, thanks @kschumy)
  • Update Bottlerocket SDK to 0.27.0 (#2428)
  • Migrate pubsys and infrasys to the AWS SDK for Rust (#2414, #2415, #2454)
  • Update testsys dependencies (#2392)
  • Fix hotdog's spec URL to the correct upstream link (#2326)
  • Fix clippy warnings and enable lints on pull requests (#2337, #2346, #2443)
  • Format issue field in PR template (#2314)

Documentation Changes

  • Update checksum for new root.json (#2405)
  • Mention that boot settings are available in Kubernetes 1.23 variants (#2358)
  • Mention the need for AWS credentials in BUILDING.md and PUBLISHING-AWS.md (#2334)
  • Add China to supported regions lists (#2315)
  • Add community section to README.md (#2305, #2383)
  • Standardize userdata.toml as the filename used in different docs (#2446)
  • Remove commit from image name in PROVISIONING-METAL.md (#2312)
  • Add note to CONTRIBUTING.md that outlines filenames' casing (#2306)
  • Fix typos in Makefile.toml, QUICKSTART-ECS.md, QUICKSTART-EKS.md, netdog and prairiedog (#2318, thanks @kianmeng)
  • Fix casing for GitHub and VMware in CHANGELOG.md (#2329)
  • Fix typo in test setup command (#2477)
  • Fix TESTING.md link typo (#2438)
  • Fix positional fetch-license argument (#2457)

v1.9.2 (2022-08-31)

Build Changes

  • Archive old migrations (#2357)
  • Update runc to version 1.1.4 (#2380)

v1.9.1 (2022-08-17)

OS Changes

  • Change kernel module compression from zstd to xz (#2323)
  • Update ECR registry map for new AWS regions (#2336)
  • Add new regions to pause registry map (#2349)
  • Update tough to v0.8.1 (#2338)

v1.9.0 (2022-07-28)

OS Changes

  • SELinux policy now suppresses audit for tmpfs relabels (#2222)
  • Restrict permissions for /boot and System.map (#2223)
  • Remove unused crates growpart and servicedog (#2238)
  • New mount in host containers for system logs (#2295)
  • Apply strict mount options and enforce execution rules (#2239)
  • Switch to a more commonly used syntax for disabling kernel config settings (#2290)
  • Respect proxy settings when running setting generators (#2227)
  • Add NET_CAP_ADMIN to bootstrap containers (#2266)
  • Reduce log output for DHCP services (#2260)
  • Fix invalid kernel config options (#2269)
  • Improve support for container storage mounts (#2240)
  • Disable uncommon filesystems and network protocols (#2255)
  • Add support for blocking kernel modules (#2274)
  • Fix ntp service restart when settings change (#2270)
  • Add kernel 5.15 sources (#2226)
  • Defer squashfs mounts to later in the boot process (#2276)
  • Improve boot speed and rootfs size (#2296)
  • Add "quiet" kernel parameter for some variants (#2277)

Orchestrator Changes

Kubernetes

  • Make new instance types available (#2221 , thanks @cablespaghetti)
  • Update Kubernetes versions (#2230, #2232, #2262, #2263, thanks @kschumy)
  • Add kubelet image GC threshold settings (#2219)

ECS

  • Add iptables rules for ECS introspection server (#2267)

Platform Changes

AWS

  • Add support for AWS China regions (#2224, #2242, #2247, #2285)
  • Migrate to using aws-sdk-rust for first-party OS Rust packages (#2300)

VMware

  • Remove console=ttyS0 from kernel params (#2248)

Metal

  • Enable Mellanox modules in 5.10 kernel (#2241)
  • Add bnxt module for Broadcom 10/25Gb network adapters in 5.10 kernel (#2243)
  • Split out baremetal specific config options (#2264)
  • Add driver support for Cisco UCS platforms (#2271)
  • Only build baremetal variant specific drivers for baremetal variants (#2279)
  • Enable the metal-dev build for the ARM architecture (#2272)

Build Changes

  • Add Makefile targets to create and validate Boot Configuration (#2189)
  • Create symlinks to images with friendly names (#2215)
  • Add start-local-vm script (#2194)
  • Add the testsys CLI and new cargo make tasks for testing aws-k8s variants (#2165)
  • Update Rust and Go dependencies (#2303, #2299)
  • Update third-party packages (#2309)

Documentation Changes

  • Add NVIDIA ECS variant to README (#2244)
  • Add documentation for metal variants (#2205)
  • Add missing step in building packages guide (#2259)
  • Add quickstart for running Bottlerocket in QEMU/KVM VMs (#2280)
  • Address lints in README markdown caught by markdownlint (#2283)

v1.8.0 (2022-06-08)

OS Changes

General

  • Update admin and control containers (#2191)
  • Update to containerd 1.6.x (#2158)
  • Restart container runtimes when certificates store changes (#2076)
  • Add support for providing kernel parameters via Boot Configuration (#1980)
  • Restart long-running systemd services on exit (#2162)
  • Ignore zero blocks on dm-verity root (#2169)
  • Add support for static DNS mappings in /etc/hosts (#2129)
  • Enable network configuration generation via netdog (#2066)
  • Add support for non-eth0 default interfaces (#2144)
  • Update to IMDS schema 2021-07-15 (#2190)

Kubernetes

  • Add support for Kubernetes 1.23 variants (#2188)
  • Improve Kubernetes pod start times by unsetting configMapAndSecretChangeDetectionStrategy in kubelet config (#2166)
  • Add new setting for configuring kubelet's provider-id configuration (#2192)
  • Add new setting for configuring kubelet's podPidsLimit configuration (#2138)
  • Allow a list of IP addresses in settings.kubernetes.cluster-dns-ip (#2176)
  • Set the default for settings.kubernetes.cloud-provider on metal variants to an empty string (#2188)
  • Add c7g instance data for max pods calculation in AWS variants (#2107, thanks, @lizthegrey!)

ECS

Hardware

  • Build smartpqi driver for Microchip Smart Storage devices into 5.10 kernel (#2184)
  • Add support for Broadcom ethernet cards in 5.10 kernel (#2143)
  • Add support for MegaRAID SAS in 5.10 kernel (#2133)

Build Changes

Documentation Changes

  • Standardize README generation in buildsys (#2134)
  • Clarify migration README (#2141)
  • Fix typos in BUILDING.md and QUICKSTART-VMWARE.md (#2159, thanks, @ryanrussell!)
  • Add additional documentation for using GPUs with Kubernetes variants (#2078)
  • Document examples for using enter-admin-container (#2028)

v1.7.2 (2022-04-22)

Security Fixes

  • Update kernel-5.4 to patch CVE-2022-1015, CVE-2022-1016, CVE-2022-25636, CVE-2022-26490, CVE-2022-27666, CVE-2022-28356 (a3b4674f7108)
  • Update kernel-5.10 to patch CVE-2022-1015, CVE-2022-1016, CVE-2022-25636, CVE-2022-1048, CVE-2022-26490, CVE-2022-27666, CVE-2022-28356 (37095415bab6)

OS Changes

  • Update eni-max-pods with new instance types (#2079)
  • Add support for AWS region ap-southeast-3: Jakarta (#2080)

v1.7.1 (2022-04-05)

Security Fixes

OS Changes

  • Enable checkpoint restore (CONFIG_CHECKPOINT_RESTORE) for aarch64 (6e3d6ed4b83e)

v1.7.0 (2022-03-30)

With this release, an inventory of software installed in Bottlerocket will now be reported to SSM if the control container is in use and inventorying has been enabled.

OS Changes

  • Generate host software inventory and make it available to host containers (#1996)
  • Update admin and control containers (#2014)

Build Changes

Documentation Changes

  • Fix tuftool download instruction in VMware Quickstart (#1994)
  • Explain data partition extension (#2013)

v1.6.2 (2022-03-08)

With this release, the vmware-k8s variants have graduated from preview status and are now generally available. :tada:

Security Fixes

OS Changes

  • Add support for Kubernetes 1.22 variants (#1962)
  • Add settings support for registry credentials (#1955)
  • Add support for AWS CloudFormation signaling (#1728, thanks, @mello7tre!)
  • Add TCMU support to the kernel (#1953, thanks, @cvlc!)
  • Fix issue with closing frame construction in apiserver (#1948)

Build Changes

  • Fix dead code warning during build in netdog (#1949)

Documentation Changes

  • Correct variable name in bootstrap-containers/README.md (#1959, thanks, @dangen-effy!)
  • Add art to the console (#1970)

v1.6.1 (2022-03-02)

Security Fixes

  • Apply patch to containerd for CVE-2022-23648 (0de1b39efa64)
  • Update kernel-5.4 and kernel-5.10 to include recent security fixes (#1973)

v1.6.0 (2022-02-07)

Deprecation Notice

The Kubernetes 1.18 variant, aws-k8s-1.18, will lose support in March 2022. Kubernetes 1.18 is no longer receiving support upstream. We recommend replacing aws-k8s-1.18 nodes with a later variant, preferably aws-k8s-1.21 if your cluster supports it. See this issue for more details.

Security Fixes

  • Apply patch to the kernel for CVE-2022-0492 (#1943)

OS Changes

  • Add aws-k8s-1.21-nvidia variant with Nvidia driver support (#1859, #1860, #1861, #1862, #1900, #1912, #1915, #1916, #1928)
  • Add metal-k8s-1.21 variant with support for running on bare metal (#1904)
  • Update host containers to the latest version (#1939)
  • Add driverdog, a configuration-driven utility for linking kernel modules at runtime (#1867)
  • Kubernetes: Fix a potential inconsistency with IPv6 node-ip comparisons (#1932)
  • Allow setting multiple Kubernetes node taints with the same key (#1906)
  • Fix a bug which would prevent Bottlerocket from booting when setting container-registry to an empty table (#1910)
  • Add /etc/bottlerocket-release to host containers (#1883)
  • Send grub output to the local console on BIOS systems (#1894)
  • Fix minor issues with systemd units (#1889)

Build Changes

  • Update third-party packages (#1936)
  • Update Rust dependencies (#1940)
  • Update Go dependencies of host-ctr (#1938)
  • Add the ability to fetch licenses at build time (#1901)
  • Pin tuftool to a specific version (#1940)

Documentation Changes

  • Add a no-proxy setting example to the README (#1765 thanks, @mrajashree!)
  • Document variant image-layout options in the README (#1896)

v1.5.3 (2022-01-25)

Security Fixes

  • Update Bottlerocket SDK to 0.25.1 for Rust 1.58.1 (#1918)
  • Update kernel-5.4 and kernel-5.10 to include recent security fixes (#1921)
  • Migrate host-container to the latest version for vmware variants (#1898)

OS Changes

  • Fix an issue which could impair nodes in Kubernetes 1.21 IPv6 clusters (#1925)

v1.5.2 (2022-01-05)

Security Fixes

v1.5.1 (2021-12-23)

Security Fixes

  • Update hotdog to the latest release. Hotdog now mimics the permissions of the target JVM process (#1884)

OS Changes

  • Updated host containers to the latest version (#1881, #1882)

v1.5.0 (2021-12-17)

Security Enhancements

  • Add the ability to hotpatch log4j for CVE-2021-44228 in running containers (#1872, #1871, #1869)

OS Changes

  • Enable configuration for OCI hooks in the container lifecycle (#1868)
  • Retry all failed requests to IMDS (#1841)
  • Enable node feature discovery for Kubernetes device plugins (#1863)
  • Add apiclient get subcommand for simple API retrieval (#1836)
  • Add support for CPU microcode updates (#1827)
  • Consistently support API prefix queries (#1835)

Build Changes

  • Add support for custom image sizes (#1826)
  • Add support for unifying the OS and data partitions on a single disk (#1870)

Documentation Changes

  • Fixed typo in the README (#1847 thanks, PascalBourdier!)

v1.4.2 (2021-12-02)

Security Fixes

  • Update default admin and control host containers to address CVE-2021-43527 (#1852)
  • Update kernel-5.4 and kernel-5.10 to include recent security fixes. (#1851)

Build Changes

  • Update containerd (to v1.5.8) and Docker (to v20.10.11) (#1851)

v1.4.1 (2021-11-18)

Security Fixes

  • Apply patches to docker and containerd for CVE-2021-41190 (#1832, #1833)

Build Changes

  • Update Bottlerocket SDK to 0.23.1 (#1831)

v1.4.0 (2021-11-12)

OS Changes

  • Add 'apiclient exec' for running commands in host containers (#1802, #1790)
  • Improve boot performance (#1809)
  • Add support for wildcard container registry mirrors (#1791, #1818)
  • Wait up to 300s for a DHCP lease at boot (#1800)
  • Retry if fetching the IMDS session token fails (#1801)
  • Add ECR account IDs for pulling host containers in GovCloud (#1793)
  • Filter sensitive API settings from logdog dump (#1777)
  • Fix kubelet standalone mode (#1783)

Build Changes

  • Remove aws-k8s-1.17 variant (#1807)
  • Update Bottlerocket SDK to 0.23 (#1779)
  • Update third-party packages (#1816)
  • Update Rust dependencies (#1810)
  • Update Go dependencies of host-ctr (#1775, #1774)
  • Prevent spurious rebuilds of the model package (#1808)
  • Add disk image files to TUF repo (#1787)
  • Vendor wicked service units (#1798)
  • Add CI check for Rust code formatting (#1782)
  • Allow overriding the AMI data file suffix (#1784)

Documentation Changes

  • Update cargo-make commands to work with newest cargo-make (#1797)

v1.3.0 (2021-10-06)

Deprecation Notice

The Kubernetes 1.17 variant, aws-k8s-1.17, will lose support in November, 2021. Kubernetes 1.17 is no longer receiving support upstream. We recommend replacing aws-k8s-1.17 nodes with a later variant, preferably aws-k8s-1.21 if your cluster supports it. See this issue for more details.

Security Fixes

  • Apply patches to docker and containerd for CVE-2021-41089, CVE-2021-41091, CVE-2021-41092, and CVE-2021-41103 (#1769)

OS Changes

  • Add MCS constraints to the SELinux policy (#1733)
  • Support IPv6 in kubelet and pluto (#1710)
  • Add region flag to aws-iam-authenticator command (#1762)
  • Restart modified host containers (#1722)
  • Add more detail to /etc/os-release (#1749)
  • Add an entry to /etc/hosts for the current hostname (#1713, #1746)
  • Update default control container to v0.5.2 (#1730)
  • Fix various SELinux policy issues (#1729)
  • Update eni-max-pods with new instance types (#1724, thanks @samjo-nyang!)
  • Add cilium device filters to open-vm-tools (#1718)
  • Implement hybrid boot support for x86_64 (#1701)
  • Include /var/log/kdump in logdog tarballs (#1695)
  • Use runtime.slice and system.slice cgroup settings in k8s variants (#1684, thanks @cyrus-mc!)

Build Changes

  • Update third-party packages (#1701, #1716, #1732, #1755, #1763, #1767)
  • Update Rust dependencies (#1707, #1750, #1751)
  • Add wave definition for slow deployment (#1734)
  • Add 'infrasys' for creating TUF infra in AWS (#1723)
  • Make OVF file first in the OVA bundle (#1719)
  • Raise pubsys messages to 'warn' if AMI exists or repo doesn't (#1708)
  • Add constants crate (#1709)
  • Add release URLs to package definitions (#1748)
  • Add *.src.rpm to packages/.gitignore (#1768)
  • Archive old migrations (#1699)

Documentation Changes

  • Mention static pods in the security guidance around API access (#1766)
  • Fix link to issue labels (#1764, thanks @andrewhsu!)
  • Fix broken link for TLS bootstrapping (#1758)
  • Update hash for v3 root.json (#1757)
  • Update example version to v1.2.0 in QUICKSTART-VMWARE (#1741, thanks @yuvalk!)
  • Clarify default kernel lockdown settings per variant (#1704)

v1.2.1 (2021-09-16)

Security fixes

  • Update Kubernetes for CVE-2021-25741 (#1753)

v1.2.0 (2021-08-06)

OS Changes

  • Add settings for kubelet topologyManagerPolicy and topologyManagerScope (#1659)
  • Add support for container image registry mirrors (#1629)
  • Add support for custom CA certificates (#1654)
  • Add a setting for configuring hostname (#1664, #1680, #1693)
  • Avoid wildcard for applying rp_filter to interfaces (#1677)
  • Update default admin container to v0.7.2 (#1685)

Build Changes

  • Add support for zstd compressed kernel (#1668, #1689)
  • Add support for uploading OVAs to VMware (#1622)
  • Update default built variant to aws-k8s-1.21 (#1686)
  • Remove aws-k8s-1.16 variant (#1658)
  • Move migrations from v1.1.5 to v1.2.0 (#1682)
  • Update third-party packages (#1676)
  • Update host-ctr dependencies (#1669)
  • Update Rust dependencies (#1655, #1683, #1687)

Documentation Changes

  • Fix typo in README (#1652, thanks @faultymonk!)

v1.1.4 (2021-07-23)

Security fixes

  • Update containerd to 1.4.8 (#1661)
  • Update systemd to 247.8 (#1662)
  • Update 5.4 and 5.10 kernels (#1665)
  • Set permissions to root-only for /var/lib/systemd/random-seed (#1656)

v1.1.3 (2021-07-12)

Note: in the Bottlerocket v1.0.8 release, for the aws-k8s-1.20 and aws-k8s-1.21 variants, we set the default Kubernetes CPU manager policy to "static". We heard from several users that this breaks usage of the Fluent Bit log processor. In Bottlerocket v1.1.3, we've changed the default back to "none", but have added a setting so you can use the "static" policy if desired. To do so, set settings.kubernetes.cpu-manager-policy to "static". To do this in user data, for example, pass the following:

[settings.kubernetes]
cpu-manager-policy = "static"

OS Changes

  • Fix parsing of lists of values in domain name search field of DHCP option sets (#1646, thanks @hypnoce!)
  • Add setting for configuring Kubernetes CPU manager policy and reconcile policy (#1638)

Build Changes

  • Update SDK to 0.22.0 (#1640)
  • Store build artifacts per architecture (#1630)

Documentation Changes

  • Update references to the ECS variant for GA release (#1637)

v1.1.2 (2021-06-25)

With this release, the aws-ecs-1 variant has graduated from preview status and is now generally available. It's been updated to include Docker 20.10. The new Bottlerocket ECS Updater is available to help provide automated updates. :tada:

OS Changes

  • Add aws-k8s-1.21 variant with Kubernetes 1.21 support (#1612)
  • Add settings for configuring kubelet containerLogMaxFiles and containerLogMaxSize (#1589) (Thanks, @samjo-nyang!)
  • Add settings for configuring kubelet systemReserved (#1606)
  • Add kdump support, enabled by default in VMware variants (#1596)
  • In host containers, allow mount propagations from privileged containers (#1601)
  • Mark ipv6 lease as optional for eth0 (#1602)
  • Add recommended device filters to open-vm-tools (#1603)
  • In host container definitions, default "enabled" and "superpowered" to false (#1580)
  • Allow pubsys refresh-repo to use default key path (#1575)
  • Update default host containers (#1609)

Build Changes

  • Add grep package to all variants (#1562)
  • Update Rust dependencies (#1623, #1574)
  • Update third-party packages (#1619, #1616, #1625)
  • In GitHub Actions, pin rust toolchain to match version in SDK (#1621)
  • Add imdsclient library for querying IMDS (#1372, #1598, #1610)
  • Remove reqwest proxy workaround in metricdog and updog (#1592)
  • Simplify conditional compilation in early-boot-config (#1576)
  • Only build shibaken for aws variants (#1591)
  • Silence tokio mut warning in thar-be-settings (#1593)
  • Refactor package and variant dependencies (#1549)
  • Add derive attributes at start of list in model-derive (#1572)
  • Limit threads during pubsys validate-repo (#1564)

Documentation Changes

  • Document the deprecation of the aws-k8s-1.16 variant (#1600)
  • Update README for VMware and add a QUICKSTART-VMWARE (#1559)
  • Add ap-northeast-3 to supported region list (#1566)
  • Add details about the two default Bottlerocket volumes to README (#1588)
  • Document webpki-roots version in webpki-roots-shim (#1565)

v1.1.1 (2021-05-19)

Security fixes

v1.1.0 (2021-05-07)

Deprecation Notice

The Kubernetes 1.16 variant, aws-k8s-1.16, will lose support in July, 2021. Kubernetes 1.16 is no longer receiving support upstream. We recommend replacing aws-k8s-1.16 nodes with a later variant, preferably aws-k8s-1.19 if your cluster supports it. See this issue for more details.

Important Notes

New variants with new defaults

This release introduces two new variants, aws-k8s-1.20 and vmware-k8s-1.20. We plan for all new variants, including these, to contain the following changes:

  • The kernel is Linux 5.10 rather than 5.4.
  • The kernel lockdown mode is set to "integrity" rather than "none".

The ECS preview variant, aws-ecs-1, has also been updated with these changes.

Existing aws-k8s variants will not receive these changes as they could affect existing workloads.

ECS task networking

The aws-ecs-1 variant now supports the awsvpc mode of ECS task networking. This allocates an elastic network interface and private IP address to each task.

OS Changes

  • Add Linux kernel 5.10 for use in new variants (#1526)
  • Add aws-k8s-1.20 variant with Kubernetes 1.20 support (#1437, #1533)
  • Add vmware-k8s-1.20 variant with Kubernetes 1.20 for VMware (#1511, #1529, #1523, #1502, #1554)
  • Remove aws-k8s-1.15 variant (#1487, #1492)
  • Constrain ephemeral port range (#1560)
  • Support awsvpc networking mode in ECS (#1246)
  • Add settings for QPS and burst limits of Kubernetes registry pulls, event records, and API (#1527, #1532, #1541)
  • Add setting to allow configuration of Kubernetes TLS bootstrap (#1485)
  • Add setting for configuring Kubernetes cloudProvider to allow usage outside AWS (#1494)
  • Make Kubernetes cluster-dns-ip optional to support usage outside of AWS (#1482)
  • Change parameters to support healthy CIS scan (#1295) (Thanks, @felipeac!)
  • Generate stable machine IDs for VMware and ARM KVM guests (#1506, #1537)
  • Enable "integrity" kernel lockdown mode for aws-ecs-1 preview variant (#1530)
  • Remove override for default service start timeout (#1483)
  • Restrict access to bootstrap container user data with SELinux (#1496)
  • Split SELinux policy rules for trusted subjects (#1558)
  • Add symlink to allow usage of secrets store CSI drivers (#1544)
  • Prevent bootstrap containers from restarting (#1508)
  • Add udev rules to mount CD-ROM only when media is present (#1516)
  • Add resize2fs binary to sbin (#1519) (Thanks, @samjo-nyang!)
  • Only restart a host container if affected by settings change (#1480)
  • Support file patterns when specifying log files in logdog (#1509)
  • Daemonize thar-be-settings to avoid zombie processes (#1507)
  • Add support for AWS region ap-northeast-3: Osaka (#1504)
  • Generate pause container URI with standard template variables (#1551)
  • Get cluster DNS IP from cluster when available (#1547)

Build Changes

  • Use kernel 5.10 in aws-ecs-1 variant (#1555)
  • Build only the packages needed for the current variant (#1408, #1520)
  • Use a friendly name for VMware OVA files in build outputs (#1535)
  • Update SDK to 0.21.0 (#1497, #1529)
  • Allow variants to specify extra kernel parameters (#1491)
  • Move kernel console settings to variant definitions (#1513)
  • Update vmw_backdoor dependency (#1498) (Thanks, @lucab!)
  • Archive old migrations (#1540)
  • Refactor default settings and containerd configs to shared files (#1538, #1542)
  • Check cargo version at start of build so we have a clear error when it's too low (#1503)
  • Fix concurrency issue in validate-repo that led to hangs (#1521)
  • Update third-party package dependencies (#1543, #1556)
  • Update Rust dependencies in the tools/ workspace (#1548)
  • Update tokio-related Rust dependencies in the sources/ workspace (#1479)
  • Add upstream runc patches addressing container scheduling failure (#1546)
  • Retry builds on known BuildKit internal errors (#1557, #1561)

Documentation Changes

  • Document the deprecation of the aws-k8s-1.15 variant (#1476)
  • Document the need to quote most Kubernetes labels/taints (#1550) (Thanks, @ellistarn!)
  • Fix VMware spelling and document user data sources (#1534)

v1.0.8 (2021-04-12)

Deprecation Notice

Bottlerocket 1.0.8 is the last release where we plan to support the Kubernetes 1.15 variant, aws-k8s-1.15. Kubernetes 1.15 is no longer receiving support upstream. We recommend replacing aws-k8s-1.15 nodes with a later variant, preferably aws-k8s-1.19 if your cluster supports it. See this issue for more details.

OS Changes

  • Support additional kubelet arguments: kube-reserved, eviction-hard, cpu-manager-policy, and allow-unsafe-sysctls (#1388, #1472, #1465)
  • Expand file and process restrictions in the SELinux policy (#1464)
  • Add support for bootstrap containers (#1387, #1423)
  • Make host containers inherit proxy env vars (#1432)
  • Allow gzip compression of user data (#1366)
  • Add 'apply' mode to apiclient for applying settings from URIs (#1391)
  • Add compat symlink for kubelet volume plugins (#1417)
  • Remove bottlerocket.version attribute from ECS agent settings (#1395)
  • Make Kubernetes taint values optional (#1406)
  • Add guestinfo to available VMware user data retrieval methods (#1393)
  • Include source of invalid base64 data in error messages (#1469)
  • Update eni-max-pods data file (#1468)
  • Update default host container versions (#1443, #1441, #1466)
  • Fix avc denial for dbus-broker (#1434)
  • Fix case of outputted JSON keys in host container user data (#1439)
  • Set mode of host container persistent storage directory after creation (#1463)
  • Add "current" persistent storage location for host containers (#1416)
  • Write static-pods manifest to tempfile before persisting it (#1409)

Build Changes

  • Update default variant to aws-k8s-1.19 (#1394)
  • Update third-party packages (#1460)
  • Update Rust dependencies (#1461, #1462)
  • Update dependencies of host-ctr (#1371)
  • Add support for specifying a variant's supported architectures (#1431)
  • Build OVA packages and include them in repos (#1428)
  • Add support for qcow2 as an image format (#1425) (Thanks, @mikalstill!)
  • Prevent unneeded artifacts from being copied through build process (#1426)
  • Change image format for vmware-dev variant to vmdk (#1397)
  • Remove tough dependency from update_metadata (#1390)
  • Remove generate_constants logic from build.rs of parse-datetime (#1376)
  • In the tools workspace, update to tokio v1, reqwest v0.11, and tough v0.11 (#1370)
  • Run static and non-static Rust builds in parallel (#1368)
  • Disable CMDLINE_EXTEND kernel configuration (#1473)

Documentation Changes

  • Document metrics settings in README (#1449)
  • Fix broken links for symlinked files in models README (#1444)
  • Document apiclient update as primary CLI update method (#1421)
  • Use apiclient set in introductory documentation, explain raw mode separately (#1418)
  • Prefer resolve:ssm: parameters for simplicity in QUICKSTART (#1363)
  • Update quickstart guides to have arm64 examples (#1360)
  • Document the deprecation of the aws-k8s-1.15 variant (#1476)

v1.0.7 (2021-03-17)

Security fixes

  • containerd: update to 1.4.4 (#1401)

OS Changes

  • systemd: update to 247.4 to fix segfault in some cases (#1400)
  • apiserver: reap exited child processes (#1384)
  • host-ctr: specify non-colliding runc root (#1359)
  • updog: update signal-hook dependency (#1328)

v1.0.6 (2021-03-02)

OS Changes

  • Add metricdog to support sending anonymous metrics (#1006, #1322)
  • Add a vmware-dev variant (#1292, #1288, #1290)
  • Add Kubernetes static pods support (#1317)
  • Add high-level 'set' subcommand for changing settings using apiclient (#1278)
  • Allow admin container to use SSH public keys from user data (#1331, #1358, #19)
  • Add support for kubelet in standalone mode and TLS auth (#1338)
  • Add https-proxy and no-proxy settings to updog (#1324)
  • Add support for pulling host-containers from ECR Public (#1296)
  • Add network proxy support to aws-k8s-1.19 (#1337)
  • Modify default SELinux label for containers to align with upstream (#1318)
  • Add aliases for container-selinux types to align with community (#1316)
  • Update default versions of admin and control containers (#1347, #1344)
  • Update ecs-agent to 1.50.2 (#1353)
  • logdog: Add eni logs for Kubernetes (#1327)

Build Changes

  • Add the ability to output vmdk via qemu-img (#1289)
  • Add support for kmod kits to ease building of third-party kernel modules (#1287, #1286, #1285, #1357)
  • storewolf: Declare dependencies on model and defaults files (#1319)
  • storewolf: Refactor default settings files to allow sharing (#1303, #1329)
  • Switch from TermLogger to SimpleLogger (#1282, thanks @hencrice!)
  • Allow overriding the "pretty" name of the OS inside the image (#1330)
  • Specify bash in link-variant task for use of bash features (#1323)
  • Fix invalid symlinks when the BUILDSYS_NAME variable is set (#1312)
  • Track and clean output files for builds (#1291)
  • Update third-party software packages (#1340, #1336, #1334, #1333, #1335, #1190, #1265, #1315, #1352, #1356)

Documentation Changes

  • Add lockdown notes to SECURITY_GUIDANCE.md (#1281)
  • Clarify use case for update repos (#1339)
  • Fix broken link from API docs to top-level docs (#1306)

v1.0.5 (2021-01-15)

Note for aws-ecs-1 variant: due to a change in the ECS agent's data store schema, the aws-ecs-1 variant cannot be downgraded after updating to v1.0.5. Attempts to downgrade may result in inconsistencies between ECS and the Bottlerocket container instance.

OS Changes

  • Add aws-k8s-1.19 variant with Kubernetes 1.19 (#1256)
  • Update ecs-agent to 1.48.1 (#1201)
  • Add high-level update subcommands to apiclient (#1219, #1232)
  • Add kernel lockdown settings (#1223, #1279)
  • Add restart-commands for docker, kubelet, containerd (#1231, #1262, #1258)
  • Add proper restarts for host-containers (#1230, #1235, #1242, #1258)
  • Fix SELinux policy (#1236)
  • Set version and revision strings for containerd (#1248)
  • Add host-container user-data setting (#1244, #1247)
  • Add network proxy settings (#1204, #1262, #1258)
  • Update kernel to 5.4.80-40.140 (#1257)
  • Update third-party software packages (#1264)
  • Update Rust dependencies (#1267)

Build Changes

  • Improve support for out-of-tree kernel modules (#1220)
  • Fix message in partition size check condition (#1233, thanks @pranavek!)
  • Split the datastore module into its own crate (#1249)
  • Update SDK to v0.15.0 (#1263)
  • Update GitHub Actions to ignore changes that only include .md files (#1274)

Documentation Changes

  • Add documentation comments to Dockerfile (#1254)
  • Add a note about CPU usage during builds (#1266)
  • Update README to point to discussions (#1273)

v1.0.4 (2020-11-30)

Security fixes

  • Patch containerd for CVE-2020-15257 (f3677c1406)

v1.0.3 (2020-11-19)

OS Changes

  • Support setting Linux kernel parameters (sysctl) via settings (see README) (#1158, #1171)
  • Create links under /dev/disk/ephemeral for ephemeral storage devices (#1173)
  • Set default RLIMIT_NOFILE in CRI to 65536 soft limit and a 1048576 hard limit (#1180)
  • Add rtcsync directive to chrony config file (#1184, thanks @errm!)
  • Add /etc/ssl/certs symlink to the CA certificate bundle for compatibility with the cluster autoscaler (#1207)
  • Add procps dependency to docker-engine so that docker top works (#1210)

Build Changes

  • Align optimization level for crate and dependency builds (#1155)
  • pubsys no longer requires an Infra.toml file for basic usage (#1166)
  • Makefile: Check that $BUILDSYS_ARCH has a supported value (#1167)
  • Build migrations in parallel (#1192)
  • Allow file URLs for role in pubsys-setup (#1194)
  • Update Rust dependencies (#1196)
  • Update SDK to v0.14.0 (#1198)
  • Fix an occasional issue with KMS signing in pubsys (#1205)
  • Backport selected fixes from containerd 1.4 (#1216)
  • Update third-party package dependencies (#1176, #1195)
  • Switch to SDK v0.14.0 (#1198)

Documentation Changes

  • Nits and fixes (#1170, #1179)
  • Add missing prerequisites for building Bottlerocket (#1191)

v1.0.2 (2020-10-13)

Breaking changes (for build process only)

  • pubsys: automate setup of role and key (#1133, #1146)
  • Store repos under repo name so you can build multiple (#1135)

Note: these changes do not impact users of Bottlerocket AMIs or repos, only those who build Bottlerocket themselves. If you use an Infra.toml file to automate publishing, you'll need to update the format of the file. The root role and signing key definitions now live inside a repo definition, rather than at the top level of the file. Please see the updated Infra.toml.example file for a commented explanation of the new role and key configuration.

OS changes

  • Add aws-k8s-1.18 variant with Kubernetes 1.18 (#1150)
  • Update kernel to 5.4.50-25.83 (#1148)
  • Update glibc to 2.32 (#1092)
  • Add e2fsprogs (#1147)
  • pluto: add regional map of pause container source accounts (#1142)
  • Add option to enable spot instance draining (#1100, thanks @mkulke!)
  • Add 2.root.json + pubsys KMS support (#1122)
  • docker: add default nofiles ulimits for containers (#1119)
  • Fix AVC denial fordocker run --init (#1085)

Build changes

  • Pass Go module proxy variables through docker-go (#1121)
  • Set buildmode to pie and drop pie and debuginfo patches for Kubernetes (#1103, thanks @bnrjee!)
  • pubsys: use requested size for volume, keeping snapshot to minimum size (#1118)
  • Switch to SDK v0.13.0 (#1092)
  • Add cargo make grant-ami and revoke-ami tasks (#1087)
  • Allow specifying AMI name with PUBLISH_AMI_NAME (#1091)
  • Makefile.toml: clean up clean actions (#1089)
  • pubsys: check for copied AMIs in parallel (#1086)

Documentation changes

  • Add PUBLISHING.md guide explaining pubsys and related tools (#1138)
  • README: relocate update API instructions and example (#1124, #1127)
  • Fix grammar issues in README.md (#1098, thanks @jweissig!)
  • Add documentation for the aws-ecs-1 variant (#1053)
  • Update suggested Kubernetes version in sample eksctl config files (#1090)
  • Update BUILDING.md to incorporate dependencies (#1107, thanks @troyaws!)

v1.0.1 (2020-09-03)

Security fixes

  • Patch kernel for CVE-2020-14386 (#1108)

v1.0.0 (2020-08-31)

Welcome to Bottlerocket 1.0! Since the first public preview, we've added new variants for Amazon ECS and Kubernetes 1.16 and 1.17, support for ARM instances and more EC2 regions, along with many new features and security improvements. We appreciate all the feedback and contributions so far and look forward to working with the community on even wider support.

🥳 😸

Security fixes

  • Update to chrony 3.5.1 (#1057)
  • Isolate host containers and limit access to API socket (#1056)

OS changes

  • The aws-ecs-1 variant is now available as a preview.
    • ecs-agent: upgrade to v1.43.0 (#1043)
    • aws-ecs-1: add ecs.loglevel setting (#1062)
    • aws-ecs-1: remove unsupported capabilities (#1052)
    • aws-ecs-1: constrain ephemeral port range (#1051)
    • aws-ecs-1: enable awslogs execution role support (#1044)
    • ecs-agent: don't start if not configured (#1049)
    • ecs-agent: bind introspection to localhost (#1071)
    • Update logdog to pull ECS-related log files (#1054)
    • Add documentation for the aws-ecs-1 variant (#1053)
  • apiclient: accept -s for --socket-path, as per usage message (#1069)
  • Fix growpart to avoid race in partition table reload (#1058)
  • Added patch for EC2 IMDSv2 support in Docker (#1055)
  • schnauzer: add a helper for ecr repos (#1032)

Build changes

Documentation changes

  • Revise security guidance (#1072)
  • README: add supported architectures (#1048)
  • Update supported region list after 0.5.0 release (#1046)
  • Removed aws-cli v1 requirement in docs (#1073)
  • Update BUILDING.md for new coldsnap-based amiize.sh (#1047)

v0.5.0 (2020-08-14)

Special thanks to first-time contributor @spoonofpower (#988)!

Breaking changes

  • Remove support for unsigned datastore migrations (#976)

OS changes

  • Add aws-ecs-1 variant prototype for running containers in ECS clusters (#946, #1005, #1007, #1008, #1009, #1017)
  • Configurable clusterDomain kubelet setting via settings.kubernetes.cluster-domain (#988, #1036)
  • Make update position within waves consistent (#993)
  • Fix kubelet configuration for MaxPods (#994)
  • Update eni-max-pods with new instance types (#994)
  • Fix max_versions unit test in updata (#998)
  • Remove injection of label:disable option for privileged containers in Docker (#1013)
  • Add policycoreutils and related tools (#1016)
  • Update third-party software packages (#1018, #1023, #1025, #1026)
  • Update Rust dependencies (#1019, #1021)
  • Update host-ctr's dependencies (#1020)
  • Update the host-containers' default versions (#1030, #1040)
  • Allow access to all device nodes for superpowered host-containers (#1037)

Build changes

  • Add pubsys (cargo make repo, cargo make ami) for repo and AMI creation (#964, #1010, #1028, #1034)
  • Require updata init before creating a new repo manifest (#991)
  • Exclude README.md files from cargo change tracking (#995, #996)
  • Build aws-k8s-1.17 variant by default with cargo make (#1002)
  • Update comments to be more accurate in Infra.toml (#1004)
  • Update amiize to use coldsnap (#1012)
  • Update Bottlerocket SDK to v0.12.0 (#1014)
  • Fix warnings for use of deprecated items in common_migrations (#1022)

Documentation changes

  • Removed instructions to manually apply the manifest for aws-vpc-cni-k8s (#1029)

v0.4.1 (2020-07-13)

Security fixes

  • Patch Kubernetes for CVE-2020-8558 (#977)
  • Update tough to 0.7.1 to patch CVE-2020-15093 (#979)

OS changes

  • Add a new aws-k8s-1.17 variant for Kubernetes 1.17 (#973)
  • Confine chrony, wicked, and dbus-broker via SELinux, and persist their state to disk (#970)
  • Persist systemd journal to disk (#970)
  • Add an API for OS updates (#942, #959, #986)
  • Add migration helpers to add / remove multiple settings at once (#958)
  • Fix SELinux policy to allow CSI driver mounts and transition used by Kaniko (#983)
  • Update to new repo URL via migration to ensure signed migration support (#980)

Build changes

  • Fix environment variable override for build output directory (#963)
  • Update .dockerignore to account for the new build output directory structure (#967)
  • Remove the preview-docs task from Makefile (#969)

Documentation changes

  • Document new update APIs and add associated diagrams (#962)
  • Add ap-south-1 to supported regions (#965)
  • Fix storewolf's documentation and usage message as it expects a semver value (#957)

v0.4.0 (2020-06-25)

Breaking changes

  • Remove all permissive types from the SELinux policy (#945). Actions that were not allowed by the SELinux policy now fail instead of only being logged.

OS changes

  • Use update repository metadata and signatures to run settings migrations (#930)
  • Mount debugfs in superpowered host containers, such as the admin container, to support tools like bcc and bpftrace (#934)
  • Protect container snapshot layers in SELinux policy (#935)
  • Add POST /actions/reboot API path (#936)
  • Update tough to v0.6.0 (#944)
  • Fix behavior of signpost cancel-upgrade (#950)
  • Update to kernel 5.4.46 (#953)

Build changes

  • Canonicalize architecture names in amiize.sh (#932)
  • Split build output directories by variant and architecture (#948)
  • Move intermediate RPM output from build/packages to build/rpms (#948)
  • Fix chmod usage for building on macOS (#951)

Documentation changes

  • Document platform-specific settings in README.md (#941)

v0.3.4 (2020-05-27)

OS changes

  • Add a new Kubernetes 1.16 variant (#919)
  • Use SELinux to restrict datastore modifications (#917)
  • Add variant override to updog arguments (#923)

Build changes

  • Update systemd to v245 (#916)
  • Update build SDK to v0.11.0 (#926)
  • Allow specifying a start time for waves in updata (#927)
  • Update tough dependencies to v0.5.0 (#928)

v0.3.3 (2020-05-14)

OS changes

  • Security: update kernel to 5.4.38 (#924)

v0.3.2 (2020-04-20)

Special thanks to our first contributors, @inductor (#853), @smoser (#871), and @gliptak (#870)!

OS changes

  • Update kernel to 5.4.20 (#898)
  • Expand SELinux policy to include all classes and actions in 5.4 kernel (#888)
  • Include error messages in apiserver error responses (#897)
  • Add "logdog" to help users collect debug logs (#880)
  • Include objtool in kernel-devel for compiling external modules (#874)
  • Ignore termination signals in updog right before initiating reboot (#869)
  • Pass --containerd flag to kubelet to specify containerd socket path, fixing some cAdvisor metrics (#868)
  • Fix delay on reboot or power off (#859)
  • Add systemd.log_color=0 to remove ANSI color escapes from console log (#836)
  • Reduce containerd logging when no errors have occurred (#886)
  • Update admin container to v0.5.0 (#903)

Build changes

  • Set up GitHub Actions to test OS builds for PRs (#837)
  • Update SDK to v0.10.1 (#866)
  • Move built RPMs to build/packages (#863)
  • Bump cargo-make to 0.30.0 (#870)
  • Pass proxy environment variables through to docker containers (#871)
  • Add parse-datetime crate (#875)
  • Update third-party software packages (#895)
  • Update Rust dependencies (#896)
  • Remove unused Rust dependencies (#894)
  • Add upstream fix for arm64 in coreutils (#879)
  • Add ability to add waves using TOML files (#883)
  • Add default wave files (#881)
  • Fix migrations builds (#906)

Documentation changes

  • QUICKSTART: Clarify which setup is optional (#902)
  • QUICKSTART: add easier setup instructions using new eksctl release (#849)
  • QUICKSTART: add note about allowing SSH access (#839)
  • QUICKSTART: add section on finding AMIs through SSM parameters (#838)
  • QUICKSTART: Add supported region list (73d120c9)
  • QUICKSTART: Add info about persistent volume CSI plugin (#899)
  • QUICKSTART and README: Add appropriate ECR policy guidance (#856)
  • README: Fix feedback link to point at existing section (#833)
  • README: Add sentence about preview phase with feedback link (#832)
  • README: Fixes and updates (#831)
  • Update name of early-boot-config in API system diagram (#840)
  • Fix updater README's reference to data store version (#844)
  • Fix example wave files (#908)

v0.3.1 (2020-03-10)

OS changes

  • Log migration errors to console (#795)
  • Enable BTF debug info (CONFIG_DEBUG_INFO_BTF) (#799)
  • Move migrations from private partition to data partition (#818)
  • Add top-level model struct (#824)
  • Update ca-certificates, cni-plugins, coreutils, dbus-broker, iproute, kmod, libcap, libxcrypt, ncurses, socat, and wicked (#826)

Build changes

  • Update Rust dependencies (#798, #806, #809, #810)
  • Add additional cleanup steps to amiize.sh (#804)
  • Work around warnings for unused licenses (#827)

Documentation changes

v0.3.0 (2020-02-27)

Welcome to Bottlerocket! Bottlerocket is the new name for the OS.

In preparation for public preview, v0.3.0 includes a number of breaking changes that mean upgrades from previous versions are not possible. This is not done lightly, but had to be done to accommodate all we've learned during private preview.

Breaking Changes

  • Rename to Bottlerocket (#722, #740).
  • Change partition labels to BOTTLEROCKET-* (#726).
  • Switch to new updates repository URIs under updates.bottlerocket.aws (#778).
  • Update Kubernetes to 1.15 (#749).
  • Rename aws-k8s variant to aws-k8s-1.15 to enable versioning (#785).
  • Update Linux kernel to 5.4.16-8.72.amzn2 (#731).
  • Rename settings.target-base-url to settings.targets-base-url (#788).

OS Changes

  • Mount kernel modules and development headers into containers from a squashfs file on the host (#701).
  • Include third-party licenses at /usr/share/licenses (#723).
  • Add initial implementation of SELinux (#683, #724).
  • Support transactions in the API (#715, #727).
  • Add support for platform-specific settings like AWS region (#636).
  • Support templated settings with new tool 'schnauzer' (#637).
  • Generate container image URIs with parameterized regions using schnauzer (#638).
  • Respect update release waves when using updog check-updates (#615).
  • Fix an issue with failed updates through certain https connections (#730).
  • Add support for EC2 IMDSv2 (#705, #706, #709).
  • Remove update-checking boot service (#772).
  • Remove old migrations and mitigations that no longer apply (#774).
  • Add /os API to expose variant, arch, version, etc. (#777).
  • Update host container packages (#707).
  • Allow removing settings in migrations (#644).
  • Create abstractions for creating common migrations (#712, #717).
  • Remove the datastore version, instead use Bottlerocket version (#760).
  • Improve datastore migration naming convention and build migrations during cargo make (#704, #716).
  • Update dependencies of third-party packages in base OS (#691, #696, #698, #699, #700, #708, #728, #786).
  • Update dependencies of Rust packages (#738, #730).
  • Rename moondog to early-boot-config (#757).
  • Update admin and control containers to v0.4.0 (#789).
  • Update container runtime socket path to more common /run/dockershim.sock (#796)

Documentation

  • Add copyright statement and Bottlerocket license (#746).
  • General documentation improvements (#681, #693, #736, #761, #762).
  • Added READMEs for packages and variants (#773).
  • Split INSTALL guide into BUILDING and QUICKSTART (#780).
  • Update CNI plugin in documentation and conformance test scripts (#739).

Build Changes

  • General improvements to third-party license scanning (#686, #719, #768).
  • Add policycoreutils, secilc, and squashfs-tools to SDK (#678, #690).
  • Update to Rust 1.41 and Go 1.13.8 (#711, #733).
  • Disallow upstream source fallback by default (#735).
  • Move host, operator, and SDK containers to their own git repos (#743, #751, #775).
  • Improve the syntax of migrations listed in Release.toml (#687).
  • Add arm64 builds for host-containers (#694).
  • Build stable image paths using symlinks in build/latest/ (#767).
  • Add a set-migrations subcommand to the updata tool (#756).
  • Remove rpm_crashtraceback tag from go builds (#779).
  • Rename built artifacts to specify variant before arch (#776).
  • Update SDK to v0.9.0 (#790).
  • Fix architecture conditional in glibc spec (#787).
  • Rename the workspaces directory to sources and the workspaces package to os. (#770).

v0.2.1 (2020-01-20)

OS changes

  • Make signpost usage clearer to avoid updating into empty partition (#444).
  • Fix handling of wave bounds in updog that could result in seeing an update but not accepting it (#539).
  • Add support for query parameters in repo requests to allow for basic telemetry (#542).
  • Enable support for SELinux in OS packages (not yet enforcing) (#579).
  • Make grub reboot when config or kernel loading fails so it can try other partition sets (#585).
  • Add support for image "variants" with separate API models (#578, #588, #589, #591, #597, #613, #625, #626, #627, #653). The default variant is "aws-k8s" for Kubernetes usage, and an "aws-dev" variant can be built that has a local Docker daemon and debug tools.
  • Remove unused cri-tools package (#602).
  • Update Linux kernel to 4.19.75-28.73.amzn2 (#622).
  • Make containerd.service stop containerd-shims to fix shutdown/reboot delay (#652).
  • Ensure updog only removes known extensions from migration filenames (#662).
  • Add OS version to "pretty name" so it's visible in console log (#663).

Documentation changes

  • Reorganize "getting started" documentation for clarity (#581).
  • Fix formatting of kube-proxy options in install guide (#584).
  • Specify compatible cargo-deny version in install guide (#631).
  • Fix typos and improve clarity of install guide (#639).

Build changes

  • Add scripts to ease Kubernetes conformance testing through Sonobuoy (#530).
  • Add release metadata file to be used in future automation (#556, #594).
  • Update dependencies of third-party packages in base OS (#595).
  • Update dependencies of Rust packages (#598).
  • Update SDK container to include Rust 1.40.0, GCC 9.2, and other small fixes (#603, #628).
  • Fix aarch64 build failure for libcap (#621).
  • Add initial container definitions and scripts for CI process (#619, #624, #633, #646, #647, #651, #654, #658).

v0.2.0 (2019-12-09)

Breaking changes

  • Several settings now have added validation for their contents. Upgrades from v0.1 that use invalid settings values will result in a broken system.
    • Host container names (e.g. admin in settings.host-containers.admin) are restricted to ASCII alphanumeric characters and hyphens (#450).
    • settings.kubernetes.api-server, settings.updates.metadata-base-url and target-base-url, settings.host-containers.*.sources, and settings.ntp.time-servers are now validated to be URIs (#549).
    • settings.kubernetes.cluster_name, settings.kubernetes.node-labels, and settings.kubernetes.node-taints are now verified to fit Kubernetes naming conventions (#549).
    • Most settings values disallow multi-line strings (#453, #483).
  • Additional characters are permitted in API keys; for example, dots and slashes in Kubernetes labels. Downgrades from v0.2 that use dots and slashes in API keys will result in a broken system (#511).

OS changes

  • Add dogswatch, a Kubernetes operator for managing OS upgrades (#239).
  • More accurately represent data type of update seed (#430).
  • Retry host container pulls with exponential backoff (#433).
  • Better model startup dependencies in systemd units (#442).
  • Enable panic on disk corruption detected with dm_verity (#445).
  • Add persistent storage for host containers, mapped to /.bottlerocket/host-containers/[CONTAINER_NAME] (#450, #555).
  • Persist SSH host keys for admin container (#450).
  • Use admin container v0.2 by default (#450, #536).
  • Use control container v0.2 by default (#472, #536).
  • Print most critical errors to the console to aid debugging (#476, #479, #546).
  • Update Linux kernel to 4.19.75-27.58.amzn2 (#478).
  • Updated partitions are marked successful after services start (#481).
  • Kernel config is available at /proc/config.gz (#482).
  • Prepare tough for separate release, including:
    • Allow library consumers to override the transport mechanism (#488).
    • Merge tough_schema back into tough (#496).
    • Add locking around tough datastore write operations (#497).
  • Simplify representation of default metadata (#491).
  • apiclient (available via the host containers) exits non-zero on HTTP response errors (#498).
  • apiclient builds as a static binary (#552).
  • /proc/kheaders.tar.xz is enabled in the kernel (#557).
  • settings-committer no longer errors at boot when there are no changes to commit (#559).
  • migrator and updog set migrations executable before running to work around a v0.1.6 bug (#561, #567).

Documentation changes

  • Document how to use Bottlerocket's default for the nf_conntrack_max kernel parameter when using kube-proxy (#391).
  • Fix example user data for enabling admin container (#448).
  • Update build documentation for using Docker instead of buildkitd (#506).
  • Update recommended CNI plugin version (#507).
  • Document settings.ntp.time-servers (#550).
  • Update INSTALL.md to use the instance role created by eksctl instead of creating a new one (#569).

Build changes

  • Add updata tool, which builds update repository metadata (#265).
  • Create versioned symlinks to output images (#434).
  • Add code and CloudFormation template for TUF repository canary (#490).
  • Move the TUF client library, tough, to its own repository and crates.io packages (#499).
  • Remove build dependency on the BuildKit daemon (#506).
  • Switch to SDK container as toolchain for builds, rather than requiring local build of toolchain (#525).
  • Turn buildsys into a binary and remove the cascade feature (#562).

v0.1.6 (2019-10-21)

OS changes

  • The system fetches the pause container from ECR before starting kubelet (#382).
  • New settings: settings.kubernetes.node-labels and settings.kubernetes.node-taints (#390, #408).
  • The control container has an enable-admin-container helper (#405, #413). Made default in v0.2.0 (#472).
  • Rust dependencies updated (#410).
  • thar-be-settings added trace-level messages in the client module (#411).
  • updog no longer checks for migrations from new root images (#416).
  • pluto was cleaned up to create an HTTP connection more consistently (#419).
  • Settings that are usually generated may have defaults, and settings.kubernetes.max-pods defaults to 110 if the EC2 instance type cannot be determined (#420).
  • The admin container MOTD is clearer about where the host's filesystem is mounted (#424).
  • block-party (used in growpart and signpost) errors are better structured (#425).
  • thar-be-settings logs render errors when running in --all mode (#427).
  • Recommended sysctl settings from the Kernel Self Protection Project are now used (#435).
  • acpid is enabled by default to handle power button signals sent by EC2 on stop/restart/terminate events (#437).
  • host-ctr correctly fetches images from non-ECR registries (#439; this regression occurred after v0.1.5).

Build changes

  • amiize uses a short connection timeout when testing SSH connectivity (#409).
  • tuftool only downloads an arbitrary root.json with --allow-root-download (#421).
  • BuildKit updated to v0.6.2 (#423, #429).
  • First-party Rust code is built in the same rpmbuild invocation to improve build times (#428).
  • tuftool correctly uses the --timestamp-{version,expires} arguments instead of the --snapshot-{version,expires} arguments in the timestamp role (#438).
  • tuftool accepts relative dates (#438).

Documentation changes

  • The sources/updater crates are better documented (#381).
  • INSTALL.md's subnet selection documentation is improved (#422).