-
Notifications
You must be signed in to change notification settings - Fork 519
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1.26.0 ⚱️Tracking Issue #4253
Comments
The 1.26.0 has passed validation and will be published shortly. AMIs are public and the SSM parameters should be available for this release or will be shortly. Watch for the release at https://github.com/bottlerocket-os/bottlerocket/releases to signal when the release is complete. |
There seem to be some compatibility issues with the latest version of Bottlerocket when running Java-based applications. |
☝️ same for NodeJS based applications. |
And .NET apps. Python is ok :) NAME READY STATUS RESTARTS AGE |
This change seems... interesting... bottlerocket-os/bottlerocket-core-kit#158 - not sure it should have been "LGTMd 👍" - with very little contest as to why it is a good thing and the potential side effects of such a change that will "block writable/executable memory for all services".
Seems quite clear that it'll cause havoc with a lot of things... (from: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#:~:text=MemoryDenyWriteExecute) |
We faced an issue basically with any language running on VM including JVM based services. |
That is a fair point. As one of the reviewers, I can say I didn't anticipate the interaction with the My mental model is that I wish I had flagged this in review. But failing that, and to allow for the occasional imperfect human review, I would have expected this to be caught by testing. That is the main takeaway for me: we need better coverage of JVM and NodeJS applications, or else better signal when those are failing. |
I'm slightly gloming onto this issue. But, is this a good opportunity to discuss having some delayed mechanism for updating nodes? If I'm not mistaken, the "auto update" for both Karpenter and Bottle Rocket Updater just always goes to the newest release. Is there any way we can look at having some time delayed releases? It would be nice to have: Dev be updated immediately, QA be updated after 3 days, and production after 7 days to avoid these kind of issues, while still also reducing the toil of manually updating these things. |
Forgive my critical tone @bcressey - I'm not trying to throw blame or shame anyone. It shows that we all need to be a bit more vigilant on the changes in dependencies and surfacing them in the dependent software (a largely unsolved problem). Definitely not an issue that is unique to AWS, Bottlerocket or even OSS in general. This sort of chain of changes that seem innocuous in themselves is how malicious actors will target "infrastructure systems" - a small change to systemd, a small change to containerd / runc, a small change to Bottlerocket and you've potentially got millions of compromised machines and 100s of millions of containers globally. |
I've opened an issue to track a change for this at the Bottlerocket level: #4273. This should work for the "update agent" solutions, but we would need something like what's proposed in this issue on the Karpenter side. |
1.26.1 with the fix has been released, so I will close this issue. |
This is a "living" issue used to track bug fixes, features, and things landing in the next release of Bottlerocket v1.26.0.
This is a convenient way for the maintainers and the community to have a birds eye view of what's happening in any given Bottlerocket release. You'll find things we're targeting for the release, target dates, and important maintenance tasks.
But anything is subject to change, this isn't a guarantee anything will actually land in a given release, and this tracking issue is not all encompassing. For a full comparison of new things for this release, use the GitHub /compare feature and check the differences between the 1.24.x branch and develop.
Release captains 🧑✈️
@KCSesh @ginglis13 @rpkelly
Targeting 🎯
Maintenance 🔧
The text was updated successfully, but these errors were encountered: