v1.16.1

OS Changes

• Update open-vm-tools to 12.3.5 to address CVE-2023-34058 and CVE-2023-34059 (#3553)
• Update NVIDIA drivers to 470.223.02 and 535.129.03 to address CVE‑2023‑31022 and CVE‑2023‑31018 (#3561)
• Improvements to Bottlerocket CIS benchmark checks (#3552 #3562 #3564)
• Regenerate updog proxy configuration when settings.network.proxy gets updated (#3578)
• kernel: Update to 5.10.198, 5.15.136, and 6.1.59 (#3572)

Orchestrator Changes

Kubernetes

• Update Kubernetes versions to address HTTP v2 x/net CVE-2023-39325 (#3581)
• Avoid specifying hostname-override kubelet option if cloud-provider is set to aws (#3582)

v1.16.0

OS Changes

• Adjust netlink timeout to prevent interfaces from entering a failed state (#3520)
• Update third-party packages (#3535)
• Add XFS CLI utilities for managing XFS-formatted storage (#3444)
• Add facilities to auto-load kernel modules (#3460)
• Update to kernels 5.10.197, 5.15.134, and 6.1.55 (#3509 #3542)
• Fix reporting for Bottlerocket CIS Benchmark 4.1.2 (#3547)
• Update systemd to 252.18 (#3533)
• Allow fanotify permission events for trusted subjects in SELinux policy (#3540)

Orchestrator Changes

Kubernetes

• Drop Kubernetes 1.23 Metal and VMware variants (#3531)

ECS

• Update ecs-agent (#3535)

Build Changes

• Update to Bottlerocket SDK v0.35.0 (#3528)

v1.15.1

OS Changes

• Allow older ext4 snapshot volumes to be mounted in newer variants that default to xfs (#3499)
• Update apiclient Rust dependencies (#3491)
• Update pluto Rust dependencies (#3439)
• Patch glibc to address CVE-2023-4806, CVE-2023-4911, and CVE-2023-5156 (#3501)
• Update open-vm-tools to 12.3.0 to address CVE-2023-20900 (#3500)

Build Changes

• Update twoliter to v0.0.4 (#3480)

v1.15.0

Major Features

This release brings support for Secure Boot on platforms using UEFI boot; the Linux 6.1 kernel; systemd-networkd and systemd-resolved for host networking; and XFS as the filesystem for local storage.

These features are enabled by default in the new variants. Existing variants will continue to use earlier kernels, wicked for host networking, and EXT4 as the filesystem for local storage.

Known Incompatibilities

• Variants using the 6.1 kernel (aws-ecs-2/aws-ecs-2-nvidia, aws-k8s-1.28/aws-k8s-1.28-nvidia, vmware-k8s-1.28, and metal-k8s-1.28) do not support LustreFS (#3459)

Deprecation Notice

The functionality to apply a hotpatch for log4j CVE-2021-44228 has been removed. The corresponding setting, settings.oci-hooks.log4j-hotpatch-enabled, is still available for backwards compatibility. However, it has no effect beyond printing a deprecation warning to the system logs. (#3401)

OS Changes

• Add kernel 6.1 (#3121, #3441)
• Update admin and control containers (#3368)
• Update third party packages and dependencies (#3362, #3369, #3330, #3339, #3355, #3441, #3456)
• Updated to systemd 252 (#3290)
• Add support for Secure Boot (#3097)
• Add support for XFS (#3198)
• Add apiclient report command (#3258) and Bottlerocket CIS benchmark report (#2881)
• Add resource-limit settings for OCI defaults (#3206)
• Use systemd-networkd and systemd-resolved instead of wicked for aws-k8s-1.28, aws-ecs-2, and *-dev variants (#3134, #3232, #3266, #3311, #3394, #3395, #3451, #3455)

Orchestrator Changes

ECS

• Add aws-ecs-2 variants (#3273)
  • Enables Secure Boot, systemd-networkd, and XFS for the data partition
• Add support for AppMesh (#3267)

Kubernetes

• Add Kubernetes 1.28 variants (#3329)
  • Enables Secure Boot, systemd-networkd, and XFS for the data partition
• Drop Kubernetes 1.22 variants (#2988)
• Update to Kubernetes 1.27.4 (#3319)
• Update to Kubernetes 1.26.7 (#3320)
• Update to Kubernetes 1.25.12 (#3321)
• Update to Kubernetes 1.24.16 (#3322)
• Add support for SeccompDefault setting for k8s 1.25+ (#3334)
• Add Kubernetes CIS benchmark report (#3239)

Platform Changes

AWS

• Retry on empty PrivateDnsName from EC2 (#3364)

Metal

• Enable Intel VMD driver (#3419)
• Add linux-firmware (#3296, #3418)
• Add aws-iam-authenticator to k8s variants (#3357)

Build Changes

• Upgrade to Bottlerocket SDK v0.34.1 (#3445)
• Use Twoliter to enable work on out-of-tree builds. Most tools have moved to Twoliter (#3379, #3429, #3392, #3342)
• Only limit concurrency while building RPMs (#3343)

v1.14.3

OS Changes

• Apply patches to 5.10 and 5.15 kernels to address CVE-2023-20593 (#3300)
• Update admin and control containers (#3307)
• Update eni-max-pods with new instance types (#3324)

Orchestrator Changes

Kubernetes

• Update Kubernetes v1.23.17 to include latest EKS-D patches (#3323)

v1.14.2

OS Changes

• Improve the reliability of acquiring a DHCPv6 lease (#3211, #3212)
• Update kernel-5.10 to 5.10.184 and kernel-5.15 to 5.15.117 (#3238)
• Update eni-max-pods with new instance types (#3193)
• Make pluto outbound API requests more resilient to intermittent network errors (#3214)
• Update runc to 1.1.6 (#3249)

Orchestrator Changes

ECS

• Add image cleanup settings to control task image cleanup frequency (#3231)

Kubernetes

• Update to Kubernetes v1.24.15 (#3234)
• Update to Kubernetes v1.25.11 (#3235)
• Update to Kubernetes v1.26.6 (#3236)
• Update to Kubernetes v1.27.3 (#3237)

Build Changes

• Updated Bottlerocket SDK version to v0.33.0 (#3213)

v1.14.1

OS Changes

• Apply patches to 5.10 and 5.15 kernels to address CVE-2023-32233 (#3128)
• Add fallback container image source parsing for regions not yet supported by the aws-go-sdk in host-ctr (#3138)
• Increase default max_dgram_qlen sysctl value to 512 for both 5.10 and 5.15 kernels (#3139)

Orchestrator Changes

Kubernetes

• Kubernetes package updates
  • Update Kubernetes v1.22.17 to include latest EKS-D patches (#3108)
  • Update Kubernetes v1.23.17 to include latest EKS-D patches (#3119)
  • Update to Kubernetes v1.24.14 (#3119)
  • Update to Kubernetes v1.25.9 (#3119)
  • Update to Kubernetes v1.26.4 (#3119)
  • Update Kubernetes v1.27.1 to include latest EKS-D patches (#3119)
• Change nvidia-k8s-device-plugin service dependency on kubelet (#3141)

Build Changes

• Fix pubsys bug preventing multiple SSM parameter promotions in promote-ssm Makefile target (#3137)

v1.14.0

OS Changes

• Update kernel-5.10 to 5.10.178 and kernel-5.15 to 5.15.108 (#3077)
• Update admin and control containers (#3090)
• Update third party packages and dependencies (#2991, #3082)
• Enable SCSI_VIRTIO driver for better hypervisor support (#3047)
• Disable panic on hung task for kernel 5.15 (#3091)
• Create symlink to inventory path using Storewolf (#3035)

Orchestrator Changes

ECS

• Add support for ECS Exec (#3075)

Kubernetes

• Add Kubernetes 1.27 variants (#3046)
  • Switch to using Kubernetes default values for kube-api-burst and kube-api-qps (#3094)
• Add more Kubernetes settings (#2930, #2986)
  • Soft eviction policy
  • Graceful shutdown
  • CPU quota enforcement
  • Memory manager policy
  • CPU manager policy
• Fix Kubernetes 1.26 credential provider apiVersion (#3070)
• Add ability to pass environment variables to image credential providers (#2934)

Build Changes

• Upgrade to Bottlerocket SDK v0.32.0 (#3071)
• Add AMI validation to PubSys (#3020)
• Add SSM parameter validation to PubSys (#2969)
• Add validate-ami and validate-ssm Makefile targets (#3043)
• Add check-migrations Makefile target to check for common migration problems (#3051)

Testing Changes

• Update testsys to v0.0.7 (#3065)
• Add support for node provisioning with Karpenter (#3067)
• Enable using custom Sonobuoy images (#3068)

v1.13.5

OS Changes

• Revert runc update to move back to 1.1.5 (#3054)

v1.13.4

OS Changes

• Ensure the first hostname is used when a VPC DHCP option set has multiple domains (#3032)
• Update runc to version 1.1.6 (#3037)

Orchestrator Changes

Kubernetes

• Generate and pass --hostname-override flag to kubelet in aws-k8s-1.26 variants (#3033)