Releases: bottlerocket-os/bottlerocket
Releases · bottlerocket-os/bottlerocket
v1.0.2
Breaking changes (for build process only)
- pubsys: automate setup of role and key (#1133, #1146)
- Store repos under repo name so you can build multiple (#1135)
Note: these changes do not impact users of Bottlerocket AMIs or repos, only those who build Bottlerocket themselves.
If you use an Infra.toml file to automate publishing, you'll need to update the format of the file.
The root role and signing key definitions now live inside a repo definition, rather than at the top level of the file.
Please see the updated Infra.toml.example file for a commented explanation of the new role and key configuration.
OS changes
- Add aws-k8s-1.18 variant with Kubernetes 1.18 (#1150)
- Update kernel to 5.4.50-25.83 (#1148)
- Update glibc to 2.32 (#1092)
- Add e2fsprogs (#1147)
- pluto: add regional map of pause container source accounts (#1142)
- Add option to enable spot instance draining (#1100, thanks @mkulke!)
- Add 2.root.json + pubsys KMS support (#1122)
- docker: add default nofiles ulimits for containers (#1119)
- Fix AVC denial for
docker run --init(#1085)
Build changes
- Pass Go module proxy variables through docker-go (#1121)
- Set buildmode to pie and drop pie and debuginfo patches for Kubernetes (#1103, thanks @bnrjee!)
- pubsys: use requested size for volume, keeping snapshot to minimum size (#1118)
- Switch to SDK v0.13.0 (#1092)
- Add
cargo make grant-amiandrevoke-amitasks (#1087) - Allow specifying AMI name with PUBLISH_AMI_NAME (#1091)
- Makefile.toml: clean up clean actions (#1089)
- pubsys: check for copied AMIs in parallel (#1086)
Documentation changes
- Add PUBLISHING.md guide explaining pubsys and related tools (#1138)
- README: relocate update API instructions and example (#1124, #1127)
- Fix grammar issues in README.md (#1098, thanks @jweissig!)
- Add documentation for the aws-ecs-1 variant (#1053)
- Update suggested Kubernetes version in sample eksctl config files (#1090)
- Update BUILDING.md to incorporate dependencies (#1107, thanks @troyaws!)
v1.0.1
v1.0.0
Welcome to Bottlerocket 1.0!
Since the first public preview, we've added new variants for Amazon ECS and Kubernetes 1.16 and 1.17, support for ARM instances and more EC2 regions, along with many new features and security improvements. We appreciate all the feedback and contributions so far and look forward to working with the community on even wider support.
🎉 😸
Security fixes
OS changes
- The
aws-ecs-1variant is now available as a preview.- ecs-agent: upgrade to v1.43.0 (#1043)
- aws-ecs-1: add ecs.loglevel setting (#1062)
- aws-ecs-1: remove unsupported capabilities (#1052)
- aws-ecs-1: constrain ephemeral port range (#1051)
- aws-ecs-1: enable awslogs execution role support (#1044)
- ecs-agent: don't start if not configured (#1049)
- ecs-agent: bind introspection to localhost (#1071)
- Update logdog to pull ECS-related log files (#1054)
- Add documentation for the aws-ecs-1 variant (#1053)
- apiclient: accept -s for --socket-path, as per usage message (#1069)
- Fix growpart to avoid race in partition table reload (#1058)
- Added patch for EC2 IMDSv2 support in Docker (#1055)
- schnauzer: add a helper for ecr repos (#1032)
Build changes
- Add
cargo make ami-publicandami-privatetargets (#1033, #1065, #1064) - Add
cargo make ssmandpromote-ssmtargets for publishing parameters (#1060, #1070, #1067, #1066) - Use per-checkout cache directories for builds (#1050)
- Fix rust build caching and tune rpm compression (#1045)
- Add official builds in 16 more EC2 regions. (aws/containers-roadmap#827)
Documentation changes
v0.5.0
Special thanks to first-time contributor @spoonofpower (#988)!
Breaking changes
- Remove support for unsigned datastore migrations (#976)
OS changes
- Add
aws-ecs-1variant prototype for running containers in ECS clusters (#946, #1005, #1007, #1008, #1009, #1017) - Configurable
clusterDomainkubelet setting viasettings.kubernetes.cluster-domain(#988, #1036) - Make update position within waves consistent (#993)
- Fix kubelet configuration for
MaxPods(#994) - Update
eni-max-podswith new instance types (#994) - Fix
max_versionsunit test inupdata(#998) - Remove injection of
label:disableoption for privileged containers in Docker (#1013) - Add
policycoreutilsand related tools (#1016) - Update third-party software packages (#1018, #1023, #1025, #1026)
- Update Rust dependencies (#1019, #1021)
- Update
host-ctr's dependencies (#1020) - Update the host-containers' default versions (#1030, #1040)
- Allow access to all device nodes for superpowered host-containers (#1037)
Build changes
- Add
pubsys(cargo make repo,cargo make ami) for repo and AMI creation (#964, #1010, #1028, #1034) - Require
updata initbefore creating a new repo manifest (#991) - Exclude README.md files from cargo change tracking (#995, #996)
- Build
aws-k8s-1.17variant by default withcargo make(#1002) - Update comments to be more accurate in Infra.toml (#1004)
- Update
amiizeto usecoldsnap(#1012) - Update Bottlerocket SDK to v0.12.0 (#1014)
- Fix warnings for use of deprecated items in
common_migrations(#1022)
Documentation changes
- Removed instructions to manually apply the manifest for aws-vpc-cni-k8s (#1029)
v0.4.1
Security fixes
- Patch Kubernetes for CVE-2020-8558 ([#977])
- Update
toughto 0.7.1 to patch CVE-2020-15093 ([#979])
OS changes
- Add a new
aws-k8s-1.17variant for Kubernetes 1.17 ([#973]) - Confine
chrony,wicked, anddbus-brokervia SELinux, and persist their state to disk ([#970]) - Persist
systemdjournal to disk ([#970]) - Add an API for OS updates ([#942], [#959], [#986])
- Add migration helpers to add / remove multiple settings at once ([#958])
- Fix SELinux policy to allow CSI driver mounts and transition used by Kaniko ([#983])
- Update to new repo URL via migration to ensure signed migration support ([#980])
Build changes
- Fix environment variable override for build output directory ([#963])
- Update
.dockerignoreto account for the new build output directory structure ([#967]) - Remove the
preview-docstask fromMakefile([#969])
Documentation changes
v0.4.0
Breaking changes
- Remove all permissive types from the SELinux policy ([#945]). Actions that were not allowed by the SELinux policy now fail instead of only being logged.
OS changes
- Use update repository metadata and signatures to run settings migrations ([#930])
- Mount debugfs in superpowered host containers, such as the admin container, to support tools like
bccandbpftrace([#934]) - Protect container snapshot layers in SELinux policy ([#935])
- Add
POST /actions/rebootAPI path ([#936]) - Update
toughto v0.6.0 ([#944]) - Fix behavior of
signpost cancel-upgrade([#950]) - Update to kernel 5.4.46 ([#953])
Build changes
- Canonicalize architecture names in amiize.sh ([#932])
- Split build output directories by variant and architecture ([#948])
- Move intermediate RPM output from
build/packagestobuild/rpms([#948]) - Fix
chmodusage for building on macOS ([#951])
Documentation changes
- Document platform-specific settings in README.md ([#941])
v0.3.4
v0.3.3
v0.3.2
Special thanks to our first contributors, @inductor ([#853]), @smoser ([#871]), and @gliptak ([#870])!
OS changes
- Update kernel to 5.4.20 ([#898])
- Expand SELinux policy to include all classes and actions in 5.4 kernel ([#888])
- Include error messages in apiserver error responses ([#897])
- Add "logdog" to help users collect debug logs ([#880])
- Include objtool in kernel-devel for compiling external modules ([#874])
- Ignore termination signals in updog right before initiating reboot ([#869])
- Pass
--containerdflag to kubelet to specify containerd socket path, fixing some cAdvisor metrics ([#868]) - Fix delay on reboot or power off ([#859])
- Add
systemd.log_color=0to remove ANSI color escapes from console log ([#836]) - Reduce containerd logging when no errors have occurred ([#886])
- Update admin container to v0.5.0 ([#903])
Build changes
- Set up GitHub Actions to test OS builds for PRs ([#837])
- Update SDK to v0.10.1 ([#866])
- Move built RPMs to
build/packages([#863]) - Bump cargo-make to 0.30.0 ([#870])
- Pass proxy environment variables through to docker containers ([#871])
- Add parse-datetime crate ([#875])
- Update third-party software packages ([#895])
- Update Rust dependencies ([#896])
- Remove unused Rust dependencies ([#894])
- Add upstream fix for arm64 in coreutils ([#879])
- Add ability to add waves using TOML files ([#883])
- Add default wave files ([#881])
- Fix migrations builds ([#906])
Documentation changes
- QUICKSTART: Clarify which setup is optional ([#902])
- QUICKSTART: add easier setup instructions using new eksctl release ([#849])
- QUICKSTART: add note about allowing SSH access ([#839])
- QUICKSTART: add section on finding AMIs through SSM parameters ([#838])
- QUICKSTART: Add supported region list ([73d120c])
- QUICKSTART: Add info about persistent volume CSI plugin ([#899])
- QUICKSTART and README: Add appropriate ECR policy guidance ([#856])
- README: Fix feedback link to point at existing section ([#833])
- README: Add sentence about preview phase with feedback link ([#832])
- README: Fixes and updates ([#831])
- Update name of early-boot-config in API system diagram ([#840])
- Fix updater README's reference to data store version ([#844])
- Fix example wave files ([#908])
v0.3.1
OS changes
- Log migration errors to console ([#795])
- Enable BTF debug info (
CONFIG_DEBUG_INFO_BTF) ([#799]) - Move migrations from private partition to data partition ([#818])
- Add top-level model struct ([#824])
- Update ca-certificates, cni-plugins, coreutils, dbus-broker, iproute, kmod, libcap, libxcrypt, ncurses, socat, and wicked ([#826])
Build changes
- Update Rust dependencies ([#798], [#806], [#809], [#810])
- Add additional cleanup steps to amiize.sh ([#804])
- Work around warnings for unused licenses ([#827])
Documentation changes
- Add GLOSSARY.md, SECURITY_FEATURES.md, and SECURITY_GUIDANCE.md ([#800], [#807], [#821])
- Add additional information to top section of README.md ([#802])
- Add license information to OpenAPI specification ([#803])
- Add description of source mirroring ([#817])
- Update CHARTER.md wording ([#823])