v1.19.2

OS Changes

• Update third party packages (#3789)
• Update kernel to 5.10.209, 5.15.148, 6.1.77 (#3797)
• Add AWS settings extension (#3738, #3770)
• Allow CSI helpers in the SELinux policy (#3779)
• Update to latest NVIDIA drivers (#3798)

Orchestrator Changes

Kubernetes

• Enable NVIDIA GPU isolation using volume mounts (#3718 thanks @chiragjn , #3790)
• Clean up CNI results cache on boot (#3792)

ECS

• Add settings.ecs.enable-container-metadata (#3782)

Build Changes

• Adjust certdog to utilize a configuration file instead of the API server (#3706, #3778, #3787)
• Don't use parallel make for shim package (#3771)
• Renumber unit files in release package (#3769)
• Ignore EKS patches for k8s-1.23 in Git (#3774)

v1.19.1

OS Changes

• Update kernel to 5.10.209, 5.15.148 (#3765)
• Update host containers (#3763)

Orchestrator Changes

Kubernetes

• Mark pause container image as "pinned" to prevent garbage collection (#3757)

ECS

• Update Docker engine and Docker CLI to v25.0.2 (#3759)
• Update ECS agent to 1.81.0 (#3759)
• Update AWS SSM agent to 3.2.2222.0 (#3762)

v.1.19.0

OS Changes

• Adjust unit dependencies for systemd-sysusers (#3720)
• Update third party packages (#3722, #3750)
• Add kernel settings extension (#3727)
• Update kernel to 5.10.205, 5.15.145, 6.1.72 (#3734)
• Update runc to 1.1.12 and containerd to 1.6.28 (#3751)

Orchestrator Changes

Kubernetes

• Add latest instance types to eni-max-pods mapping (#3741)
• Drop Kubernetes 1.24 Metal and VMware variants (#3742)

ECS

• Add additional ECS settings for ECS_BACKEND_HOST and ECS_AWSVPC_BLOCK_IMDS (#3749)

Build Changes

• twoliter updated to v0.0.6 (#3744)

v1.18.0

OS Changes

• Remove unused runc SELinux policy rule (#3673)
• Update third party packages (#3692)
• Fix creation of kprobes using unqualified names (#3699, #3708)
• Update host containers (#3704)
• Update kernel to 5.10.205, 5.15.145, 6.1.66 (#3686, #3708)
• Add container-registry settings extension (#3674)
• Add updates settings extension (#3689)

Orchestrator Changes

Kubernetes

• Add Kubernetes 1.29 variants (#3628)
• Update Kubernetes 1.23 to release 33 (#3692)
• Add latest instance types to eni-max-pods mapping (#3695)

ECS

• Update ecs-agent to 1.79.2 (#3692)

Build Changes

• Export symbols for packages that include dynamically linked Go binaries (#3680)
• Update to Bottlerocket SDK v0.37.0 (#3690)
  • Upgrades to Go 1.21.5

v1.17.0

OS Changes

• Generate valid hostname when IPv6 reverse lookup fails (#3592)
• Avoid mounting the EFI system partition at /boot (#3591)
• Update kernel to 5.10.201, 5.15.139, 6.1.61 (#3611, #3643)
• Switch to async tough (#3566 thanks @phu-cinemo)
• Update host containers (#3646)
• Move template migrations to schnauzer v2 (#3633)
• Handle proxy credentials properly in pluto (#3639, #3667)
• Update third party packages (#3612, #3642)

Orchestrator Changes

Kubernetes

• Update nvidia-k8s-device-plugin to address CVEs (#3612)
• Update to Kubernetes 1.28.4 (#3612)
• Update to Kubernetes 1.27.8 (#3612)
• Update to Kubernetes 1.26.11 (#3612)
• Update to Kubernetes 1.25.16 (#3612)

ECS

• Update ecs-agent to address CVEs (#3612)

Build Changes

• Update to Bottlerocket SDK v0.36.1 (#3640, #3670)

v1.16.1

OS Changes

• Update open-vm-tools to 12.3.5 to address CVE-2023-34058 and CVE-2023-34059 (#3553)
• Update NVIDIA drivers to 470.223.02 and 535.129.03 to address CVE‑2023‑31022 and CVE‑2023‑31018 (#3561)
• Improvements to Bottlerocket CIS benchmark checks (#3552 #3562 #3564)
• Regenerate updog proxy configuration when settings.network.proxy gets updated (#3578)
• kernel: Update to 5.10.198, 5.15.136, and 6.1.59 (#3572)

Orchestrator Changes

Kubernetes

• Update Kubernetes versions to address HTTP v2 x/net CVE-2023-39325 (#3581)
• Avoid specifying hostname-override kubelet option if cloud-provider is set to aws (#3582)

v1.16.0

OS Changes

• Adjust netlink timeout to prevent interfaces from entering a failed state (#3520)
• Update third-party packages (#3535)
• Add XFS CLI utilities for managing XFS-formatted storage (#3444)
• Add facilities to auto-load kernel modules (#3460)
• Update to kernels 5.10.197, 5.15.134, and 6.1.55 (#3509 #3542)
• Fix reporting for Bottlerocket CIS Benchmark 4.1.2 (#3547)
• Update systemd to 252.18 (#3533)
• Allow fanotify permission events for trusted subjects in SELinux policy (#3540)

Orchestrator Changes

Kubernetes

• Drop Kubernetes 1.23 Metal and VMware variants (#3531)

ECS

• Update ecs-agent (#3535)

Build Changes

• Update to Bottlerocket SDK v0.35.0 (#3528)

v1.15.1

OS Changes

• Allow older ext4 snapshot volumes to be mounted in newer variants that default to xfs (#3499)
• Update apiclient Rust dependencies (#3491)
• Update pluto Rust dependencies (#3439)
• Patch glibc to address CVE-2023-4806, CVE-2023-4911, and CVE-2023-5156 (#3501)
• Update open-vm-tools to 12.3.0 to address CVE-2023-20900 (#3500)

Build Changes

• Update twoliter to v0.0.4 (#3480)

v1.15.0

Major Features

This release brings support for Secure Boot on platforms using UEFI boot; the Linux 6.1 kernel; systemd-networkd and systemd-resolved for host networking; and XFS as the filesystem for local storage.

These features are enabled by default in the new variants. Existing variants will continue to use earlier kernels, wicked for host networking, and EXT4 as the filesystem for local storage.

Known Incompatibilities

• Variants using the 6.1 kernel (aws-ecs-2/aws-ecs-2-nvidia, aws-k8s-1.28/aws-k8s-1.28-nvidia, vmware-k8s-1.28, and metal-k8s-1.28) do not support LustreFS (#3459)

Deprecation Notice

The functionality to apply a hotpatch for log4j CVE-2021-44228 has been removed. The corresponding setting, settings.oci-hooks.log4j-hotpatch-enabled, is still available for backwards compatibility. However, it has no effect beyond printing a deprecation warning to the system logs. (#3401)

OS Changes

• Add kernel 6.1 (#3121, #3441)
• Update admin and control containers (#3368)
• Update third party packages and dependencies (#3362, #3369, #3330, #3339, #3355, #3441, #3456)
• Updated to systemd 252 (#3290)
• Add support for Secure Boot (#3097)
• Add support for XFS (#3198)
• Add apiclient report command (#3258) and Bottlerocket CIS benchmark report (#2881)
• Add resource-limit settings for OCI defaults (#3206)
• Use systemd-networkd and systemd-resolved instead of wicked for aws-k8s-1.28, aws-ecs-2, and *-dev variants (#3134, #3232, #3266, #3311, #3394, #3395, #3451, #3455)

Orchestrator Changes

ECS

• Add aws-ecs-2 variants (#3273)
  • Enables Secure Boot, systemd-networkd, and XFS for the data partition
• Add support for AppMesh (#3267)

Kubernetes

• Add Kubernetes 1.28 variants (#3329)
  • Enables Secure Boot, systemd-networkd, and XFS for the data partition
• Drop Kubernetes 1.22 variants (#2988)
• Update to Kubernetes 1.27.4 (#3319)
• Update to Kubernetes 1.26.7 (#3320)
• Update to Kubernetes 1.25.12 (#3321)
• Update to Kubernetes 1.24.16 (#3322)
• Add support for SeccompDefault setting for k8s 1.25+ (#3334)
• Add Kubernetes CIS benchmark report (#3239)

Platform Changes

AWS

• Retry on empty PrivateDnsName from EC2 (#3364)

Metal

• Enable Intel VMD driver (#3419)
• Add linux-firmware (#3296, #3418)
• Add aws-iam-authenticator to k8s variants (#3357)

Build Changes

• Upgrade to Bottlerocket SDK v0.34.1 (#3445)
• Use Twoliter to enable work on out-of-tree builds. Most tools have moved to Twoliter (#3379, #3429, #3392, #3342)
• Only limit concurrency while building RPMs (#3343)

v1.14.3

OS Changes

• Apply patches to 5.10 and 5.15 kernels to address CVE-2023-20593 (#3300)
• Update admin and control containers (#3307)
• Update eni-max-pods with new instance types (#3324)

Orchestrator Changes

Kubernetes

• Update Kubernetes v1.23.17 to include latest EKS-D patches (#3323)