v1.5.2

Security Fixes

• Update containerd for CVE-2021-43816 (8f085929588a)

v1.5.1

Security Fixes

• Update hotdog to the latest release. Hotdog now mimics the permissions of the target JVM process (#1884)

OS Changes

• Updated host containers to the latest version (#1881, #1882)

v1.5.0

Security Enhancements

• Add the ability to hotpatch log4j for CVE-2021-44228 in running containers (#1872, #1871, #1869)

OS Changes

• Enable configuration for OCI hooks in the container lifecycle (#1868)
• Retry all failed requests to IMDS (#1841)
• Enable node feature discovery for Kubernetes device plugins (#1863)
• Add apiclient get subcommand for simple API retrieval (#1836)
• Add support for CPU microcode updates (#1827)
• Consistently support API prefix queries (#1835)

Build Changes

• Add support for custom image sizes (#1826)
• Add support for unifying the OS and data partitions on a single disk (#1870)

Documentation Changes

• Fixed typo in the README (#1847 thanks, @PascalBourdier!)

v1.4.2

Security Fixes

• Update default admin and control host containers to address CVE-2021-43527 (#1852)
• Update kernel-5.4 and kernel-5.10 to include recent security fixes. (#1851)

Build Changes

• Update containerd (to v1.5.8) and Docker (to v20.10.11) (#1851)

v1.4.1

Security Fixes

• Apply patches to docker and containerd for CVE-2021-41190 (#1832, #1833)

Build Changes

• Update Bottlerocket SDK to 0.23.1 (#1831)

v1.4.0

OS Changes

• Add 'apiclient exec' for running commands in host containers (#1802, #1790)
• Improve boot performance (#1809)
• Add support for wildcard container registry mirrors (#1791, #1818)
• Wait up to 300s for a DHCP lease at boot (#1800)
• Retry if fetching the IMDS session token fails (#1801)
• Add ECR account IDs for pulling host containers in GovCloud (#1793)
• Filter sensitive API settings from logdog dump (#1777)
• Fix kubelet standalone mode (#1783)

Build Changes

• Remove aws-k8s-1.17 variant (#1807)
• Update Bottlerocket SDK to 0.23 (#1779)
• Update third-party packages (#1816)
• Update Rust dependencies (#1810)
• Update Go dependencies of host-ctr (#1775, #1774)
• Prevent spurious rebuilds of the model package (#1808)
• Add disk image files to TUF repo (#1787)
• Vendor wicked service units (#1798)
• Add CI check for Rust code formatting (#1782)
• Allow overriding the AMI data file suffix (#1784)

Documentation Changes

• Update cargo-make commands to work with newest cargo-make (#1797)

v1.3.0

Deprecation Notice

The Kubernetes 1.17 variant, aws-k8s-1.17, will lose support in November, 2021. Kubernetes 1.17 is no longer receiving support upstream. We recommend replacing aws-k8s-1.17 nodes with a later variant, preferably aws-k8s-1.21 if your cluster supports it. See this issue for more details.

Security Fixes

• Apply patches to docker and containerd for CVE-2021-41089, CVE-2021-41091, CVE-2021-41092, and CVE-2021-41103 (#1769)

OS Changes

• Add MCS constraints to the SELinux policy (#1733)
• Support IPv6 in kubelet and pluto (#1710)
• Add region flag to aws-iam-authenticator command (#1762)
• Restart modified host containers (#1722)
• Add more detail to /etc/os-release (#1749)
• Add an entry to /etc/hosts for the current hostname (#1713, #1746)
• Update default control container to v0.5.2 (#1730)
• Fix various SELinux policy issues (#1729)
• Update eni-max-pods with new instance types (#1724, thanks @samjo-nyang!)
• Add cilium device filters to open-vm-tools (#1718)
• Implement hybrid boot support for x86_64 (#1701)
• Include /var/log/kdump in logdog tarballs (#1695)
• Use runtime.slice and system.slice cgroup settings in k8s variants (#1684, thanks @cyrus-mc!)

Build Changes

• Update third-party packages (#1701, #1716, #1732, #1755, #1763, #1767)
• Update Rust dependencies (#1707, #1750, #1751)
• Add wave definition for slow deployment (#1734)
• Add 'infrasys' for creating TUF infra in AWS (#1723)
• Make OVF file first in the OVA bundle (#1719)
• Raise pubsys messages to 'warn' if AMI exists or repo doesn't (#1708)
• Add constants crate (#1709)
• Add release URLs to package definitions (#1748)
• Add *.src.rpm to packages/.gitignore (#1768)
• Archive old migrations (#1699)

Documentation Changes

• Mention static pods in the security guidance around API access (#1766)
• Fix link to issue labels (#1764, thanks @andrewhsu!)
• Fix broken link for TLS bootstrapping (#1758)
• Update hash for v3 root.json (#1757)
• Update example version to v1.2.0 in QUICKSTART-VMWARE (#1741, thanks @yuvalk!)
• Clarify default kernel lockdown settings per variant (#1704)

v1.2.1

Security fixes

• Update Kubernetes for CVE-2021-25741 (#1753)

v1.2.0

OS Changes

• Add settings for kubelet topologyManagerPolicy and topologyManagerScope (#1659)
• Add support for container image registry mirrors (#1629)
• Add support for custom CA certificates (#1654)
• Add a setting for configuring hostname (#1664, #1680, #1693)
• Avoid wildcard for applying rp_filter to interfaces (#1677)
• Update default admin container to v0.7.2 (#1685)

Build Changes

• Add support for zstd compressed kernel (#1668, #1689)
• Add support for uploading OVAs to VMware (#1622)
• Update default built variant to aws-k8s-1.21 (#1686)
• Remove aws-k8s-1.16 variant (#1658)
• Move migrations from v1.1.5 to v1.2.0 (#1682)
• Update third-party packages (#1676)
• Update host-ctr dependencies (#1669)
• Update Rust dependencies (#1655, #1683, #1687)

Documentation Changes

• Fix typo in README (#1652, thanks @faultymonk!)

v1.1.4

Security fixes

• Update containerd to 1.4.8 (#1661)
• Update systemd to 247.8 (#1662)
• Update 5.4 and 5.10 kernels (#1665)
• Set permissions to root-only for /var/lib/systemd/random-seed (#1656)