
Releases: bottlerocket-os/bottlerocket

v1.0.7

18 Mar 01:40

Security fixes

  • containerd: update to 1.4.4 (#1401)

OS Changes

  • systemd: update to 247.4 to fix segfault in some cases (#1400)
  • apiserver: reap exited child processes (#1384)
  • host-ctr: specify non-colliding runc root (#1359)
  • updog: update signal-hook dependency (#1328)

v1.0.6

02 Mar 19:03
ee56d1f

OS Changes

  • Add metricdog to support sending anonymous metrics (#1006, #1322)
  • Add a vmware-dev variant (#1292, #1288, #1290)
  • Add Kubernetes static pods support (#1317)
  • Add high-level 'set' subcommand for changing settings using apiclient (#1278)
  • Allow admin container to use SSH public keys from user data (#1331, #1358, #19)
  • Add support for kubelet in standalone mode and TLS auth (#1338)
  • Add https-proxy and no-proxy settings to updog (#1324)
  • Add support for pulling host-containers from ECR Public (#1296)
  • Add network proxy support to aws-k8s-1.19 (#1337)
  • Modify default SELinux label for containers to align with upstream (#1318)
  • Add aliases for container-selinux types to align with community (#1316)
  • Update default versions of admin and control containers (#1347, #1344)
  • Update ecs-agent to 1.50.2 (#1353)
  • logdog: Add eni logs for Kubernetes (#1327)

Build Changes

  • Add the ability to output vmdk via qemu-img (#1289)
  • Add support for kmod kits to ease building of third-party kernel modules (#1287, #1286, #1285, #1357)
  • storewolf: Declare dependencies on model and defaults files (#1319)
  • storewolf: Refactor default settings files to allow sharing (#1303, #1329)
  • Switch from TermLogger to SimpleLogger (#1282, thanks @hencrice!)
  • Allow overriding the "pretty" name of the OS inside the image (#1330)
  • Specify bash in link-variant task for use of bash features (#1323)
  • Fix invalid symlinks when the BUILDSYS_NAME variable is set (#1312)
  • Track and clean output files for builds (#1291)
  • Update third-party software packages (#1340, #1336, #1334, #1333, #1335, #1190, #1265, #1315, #1352, #1356)

Documentation Changes

  • Add lockdown notes to SECURITY_GUIDANCE.md (#1281)
  • Clarify use case for update repos (#1339)
  • Fix broken link from API docs to top-level docs (#1306)

v1.0.5

15 Jan 20:46
f306b95

Note for aws-ecs-1 variant: due to a change in the ECS agent's data store schema, the aws-ecs-1 variant cannot be downgraded after updating to v1.0.5. Attempts to downgrade may result in inconsistencies between ECS and the Bottlerocket container instance.

OS Changes

  • Add aws-k8s-1.19 variant with Kubernetes 1.19 (#1256)
  • Update ecs-agent to 1.48.1 (#1201)
  • Add high-level update subcommands to apiclient (#1219, #1232)
  • Add kernel lockdown settings (#1223, #1279)
  • Add restart-commands for docker, kubelet, containerd (#1231, #1262, #1258)
  • Add proper restarts for host-containers (#1230, #1235, #1242, #1258)
  • Fix SELinux policy (#1236)
  • Set version and revision strings for containerd (#1248)
  • Add host-container user-data setting (#1244, #1247)
  • Add network proxy settings (#1204, #1262, #1258)
  • Update kernel to 5.4.80-40.140 (#1257)
  • Update third-party software packages (#1264)
  • Update Rust dependencies (#1267)

Build Changes

  • Improve support for out-of-tree kernel modules (#1220)
  • Fix message in partition size check condition (#1233, thanks @pranavek!)
  • Split the datastore module into its own crate (#1249)
  • Update SDK to v0.15.0 (#1263)
  • Update Github Actions to ignore changes that only include .md files (#1274)

Documentation Changes

  • Add documentation comments to Dockerfile (#1254)
  • Add a note about CPU usage during builds (#1266)
  • Update README to point to discussions (#1273)

v1.0.4

30 Nov 20:04

Security fixes

v1.0.3

19 Nov 18:30
0c93e9a

OS Changes

  • Support setting Linux kernel parameters (sysctl) via settings (see README) (#1158, #1171)
  • Create links under /dev/disk/ephemeral for ephemeral storage devices (#1173)
  • Set default RLIMIT_NOFILE in CRI to 65536 soft limit and a 1048576 hard limit (#1180)
  • Add rtcsync directive to chrony config file (#1184, thanks @errm!)
  • Add /etc/ssl/certs symlink to the CA certificate bundle for compatibility with the cluster autoscaler (#1207)
  • Add procps dependency to docker-engine so that docker top works (#1210)

Build Changes

  • Align optimization level for crate and dependency builds (#1155)
  • pubsys no longer requires an Infra.toml file for basic usage (#1166)
  • Makefile: Check that $BUILDSYS_ARCH has a supported value (#1167)
  • Build migrations in parallel (#1192)
  • Allow file URLs for role in pubsys-setup (#1194)
  • Update Rust dependencies (#1196)
  • Update SDK to v0.14.0 (#1198)
  • Fix an occasional issue with KMS signing in pubsys (#1205)
  • Backport selected fixes from containerd 1.4 (#1216)
  • Update third-party package dependencies (#1176, #1195)
  • Switch to SDK v0.14.0 (#1198)

Documentation Changes

  • Nits and fixes (#1170, #1179)
  • Add missing prerequisites for building Bottlerocket (#1191)

v1.0.2

13 Oct 17:19
ddeb03c

Breaking changes (for build process only)

  • pubsys: automate setup of role and key (#1133, #1146)
  • Store repos under repo name so you can build multiple (#1135)

Note: these changes do not impact users of Bottlerocket AMIs or repos, only those who build Bottlerocket themselves.
If you use an Infra.toml file to automate publishing, you'll need to update the format of the file.
The root role and signing key definitions now live inside a repo definition, rather than at the top level of the file.
Please see the updated Infra.toml.example file for a commented explanation of the new role and key configuration.

OS changes

  • Add aws-k8s-1.18 variant with Kubernetes 1.18 (#1150)
  • Update kernel to 5.4.50-25.83 (#1148)
  • Update glibc to 2.32 (#1092)
  • Add e2fsprogs (#1147)
  • pluto: add regional map of pause container source accounts (#1142)
  • Add option to enable spot instance draining (#1100, thanks @mkulke!)
  • Add 2.root.json + pubsys KMS support (#1122)
  • docker: add default nofiles ulimits for containers (#1119)
  • Fix AVC denial for docker run --init (#1085)

Build changes

  • Pass Go module proxy variables through docker-go (#1121)
  • Set buildmode to pie and drop pie and debuginfo patches for Kubernetes (#1103, thanks @bnrjee!)
  • pubsys: use requested size for volume, keeping snapshot to minimum size (#1118)
  • Switch to SDK v0.13.0 (#1092)
  • Add cargo make grant-ami and revoke-ami tasks (#1087)
  • Allow specifying AMI name with PUBLISH_AMI_NAME (#1091)
  • Makefile.toml: clean up clean actions (#1089)
  • pubsys: check for copied AMIs in parallel (#1086)

Documentation changes

  • Add PUBLISHING.md guide explaining pubsys and related tools (#1138)
  • README: relocate update API instructions and example (#1124, #1127)
  • Fix grammar issues in README.md (#1098, thanks @jweissig!)
  • Add documentation for the aws-ecs-1 variant (#1053)
  • Update suggested Kubernetes version in sample eksctl config files (#1090)
  • Update BUILDING.md to incorporate dependencies (#1107, thanks @troyaws!)

v1.0.1

04 Sep 01:22
2a18115

Security fixes

  • Patch kernel for CVE-2020-14386 (#1108)

v1.0.0

31 Aug 16:40
b0e2bc2

Welcome to Bottlerocket 1.0!

Since the first public preview, we've added new variants for Amazon ECS and Kubernetes 1.16 and 1.17, support for ARM instances and more EC2 regions, along with many new features and security improvements. We appreciate all the feedback and contributions so far and look forward to working with the community on even wider support.

🎉 😸

Security fixes

  • Update to chrony 3.5.1 (#1057)
  • Isolate host containers and limit access to API socket (#1056)

OS changes

  • The aws-ecs-1 variant is now available as a preview.
    • ecs-agent: upgrade to v1.43.0 (#1043)
    • aws-ecs-1: add ecs.loglevel setting (#1062)
    • aws-ecs-1: remove unsupported capabilities (#1052)
    • aws-ecs-1: constrain ephemeral port range (#1051)
    • aws-ecs-1: enable awslogs execution role support (#1044)
    • ecs-agent: don't start if not configured (#1049)
    • ecs-agent: bind introspection to localhost (#1071)
    • Update logdog to pull ECS-related log files (#1054)
    • Add documentation for the aws-ecs-1 variant (#1053)
  • apiclient: accept -s for --socket-path, as per usage message (#1069)
  • Fix growpart to avoid race in partition table reload (#1058)
  • Added patch for EC2 IMDSv2 support in Docker (#1055)
  • schnauzer: add a helper for ecr repos (#1032)

Build changes

Documentation changes

  • Revise security guidance (#1072)
  • README: add supported architectures (#1048)
  • Update supported region list after 0.5.0 release (#1046)
  • Removed aws-cli v1 requirement in docs (#1073)
  • Update BUILDING.md for new coldsnap-based amiize.sh (#1047)

v0.5.0

17 Aug 23:04
e0ddf1b
Pre-release

Special thanks to first-time contributor @spoonofpower (#988)!

Breaking changes

  • Remove support for unsigned datastore migrations (#976)

OS changes

  • Add aws-ecs-1 variant prototype for running containers in ECS clusters (#946, #1005, #1007, #1008, #1009, #1017)
  • Configurable clusterDomain kubelet setting via settings.kubernetes.cluster-domain (#988, #1036)
  • Make update position within waves consistent (#993)
  • Fix kubelet configuration for MaxPods (#994)
  • Update eni-max-pods with new instance types (#994)
  • Fix max_versions unit test in updata (#998)
  • Remove injection of label:disable option for privileged containers in Docker (#1013)
  • Add policycoreutils and related tools (#1016)
  • Update third-party software packages (#1018, #1023, #1025, #1026)
  • Update Rust dependencies (#1019, #1021)
  • Update host-ctr's dependencies (#1020)
  • Update the host-containers' default versions (#1030, #1040)
  • Allow access to all device nodes for superpowered host-containers (#1037)

Build changes

  • Add pubsys (cargo make repo, cargo make ami) for repo and AMI creation (#964, #1010, #1028, #1034)
  • Require updata init before creating a new repo manifest (#991)
  • Exclude README.md files from cargo change tracking (#995, #996)
  • Build aws-k8s-1.17 variant by default with cargo make (#1002)
  • Update comments to be more accurate in Infra.toml (#1004)
  • Update amiize to use coldsnap (#1012)
  • Update Bottlerocket SDK to v0.12.0 (#1014)
  • Fix warnings for use of deprecated items in common_migrations (#1022)

Documentation changes

  • Removed instructions to manually apply the manifest for aws-vpc-cni-k8s (#1029)

v0.4.1

13 Jul 18:48
a29a145
Pre-release

Security fixes

OS changes

  • Add a new aws-k8s-1.17 variant for Kubernetes 1.17 (#973)
  • Confine chrony, wicked, and dbus-broker via SELinux, and persist their state to disk (#970)
  • Persist systemd journal to disk (#970)
  • Add an API for OS updates (#942, #959, #986)
  • Add migration helpers to add / remove multiple settings at once (#958)
  • Fix SELinux policy to allow CSI driver mounts and transition used by Kaniko (#983)
  • Update to new repo URL via migration to ensure signed migration support (#980)

Build changes

  • Fix environment variable override for build output directory (#963)
  • Update .dockerignore to account for the new build output directory structure (#967)
  • Remove the preview-docs task from Makefile (#969)

Documentation changes

  • Document new update APIs and add associated diagrams (#962)
  • Add ap-south-1 to supported regions (#965)
  • Fix storewolf's documentation and usage message as it expects a semver value (#957)