Repository: bottlerocket-os/bottlerocket Branch: develop Commit: beaadc525a2f Files: 868 Total size: 1.4 MB Directory structure: gitextract_2r2jdj8y/ ├── .dockerignore ├── .github/ │ ├── ISSUE_TEMPLATE/ │ │ ├── build.md │ │ ├── feature.md │ │ ├── image.md │ │ └── metal_driver.md │ ├── actions/ │ │ └── setup-node/ │ │ └── action.yml │ ├── dependabot.yaml │ ├── pull_request_template.md │ └── workflows/ │ ├── build.yml │ ├── cache.yml │ └── weekly.yml ├── .gitignore ├── .golangci.yaml ├── .mailmap ├── .vscode/ │ └── settings.json ├── BUILDING.md ├── CHANGELOG.md ├── CHARTER.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── COPYRIGHT ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── Makefile.toml ├── PROVISIONING-METAL.md ├── PUBLISHING-AWS.md ├── PUBLISHING-VMWARE.md ├── PUBLISHING.md ├── QUICKSTART-ECS.md ├── QUICKSTART-EKS.md ├── QUICKSTART-LOCAL.md ├── QUICKSTART-VMWARE.md ├── README.md ├── ROADMAP.md ├── Release.toml ├── SECURITY.md ├── SECURITY_FEATURES.md ├── SECURITY_GUIDANCE.md ├── SUPPORTED-HARDWARE.md ├── TESTING.md ├── TRADEMARKS.md ├── Twoliter.toml ├── packages/ │ ├── .gitignore │ ├── build.rs │ ├── packages.rs │ ├── settings-defaults/ │ │ ├── Cargo.toml │ │ └── settings-defaults.spec │ ├── settings-migrations/ │ │ ├── Cargo.toml │ │ └── settings-migrations.spec │ └── settings-plugins/ │ ├── Cargo.toml │ └── settings-plugins.spec ├── sample-eksctl-ssh.yaml ├── sample-eksctl.yaml ├── sources/ │ ├── Cargo.toml │ ├── README.md │ ├── api/ │ │ ├── .gitignore │ │ ├── datastore/ │ │ │ ├── .gitignore │ │ │ ├── Cargo.toml │ │ │ ├── README.md │ │ │ ├── README.tpl │ │ │ ├── build.rs │ │ │ └── src/ │ │ │ ├── constraints_check.rs │ │ │ ├── deserialization/ │ │ │ │ ├── error.rs │ │ │ │ ├── mod.rs │ │ │ │ └── pairs.rs │ │ │ ├── error.rs │ │ │ ├── filesystem.rs │ │ │ ├── key.rs │ │ │ ├── lib.rs │ │ │ ├── memory.rs │ │ │ └── serialization/ │ │ │ ├── error.rs │ │ │ ├── mod.rs │ │ │ └── pairs.rs │ │ └── migration/ │ │ └── migration-helpers/ │ │ ├── Cargo.toml │ │ └── 
src/ │ │ ├── args.rs │ │ ├── common_migrations.rs │ │ ├── datastore_helper.rs │ │ ├── error.rs │ │ └── lib.rs │ ├── bottlerocket-release/ │ │ ├── Cargo.toml │ │ ├── README.md │ │ ├── README.tpl │ │ ├── build.rs │ │ └── src/ │ │ └── lib.rs │ ├── clarify.toml │ ├── constants/ │ │ ├── Cargo.toml │ │ ├── README.md │ │ ├── README.tpl │ │ ├── build.rs │ │ └── src/ │ │ └── lib.rs │ ├── deny.toml │ ├── generate-readme/ │ │ ├── Cargo.toml │ │ └── src/ │ │ └── lib.rs │ ├── models/ │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── README.md │ │ ├── README.tpl │ │ ├── build.rs │ │ └── src/ │ │ ├── exec.rs │ │ ├── generator.rs │ │ ├── lib.rs │ │ └── variant/ │ │ └── .keep │ ├── retry-read/ │ │ ├── Cargo.toml │ │ ├── README.md │ │ ├── README.tpl │ │ ├── build.rs │ │ └── src/ │ │ └── lib.rs │ ├── settings-defaults/ │ │ ├── aws-dev/ │ │ │ ├── Cargo.toml │ │ │ └── defaults.d/ │ │ │ └── 50-aws-dev.toml │ │ ├── aws-ecs-2/ │ │ │ └── Cargo.toml │ │ ├── aws-ecs-2-nvidia/ │ │ │ └── Cargo.toml │ │ ├── aws-ecs-3/ │ │ │ └── Cargo.toml │ │ ├── aws-ecs-3-nvidia/ │ │ │ └── Cargo.toml │ │ ├── aws-k8s-1.31/ │ │ │ └── Cargo.toml │ │ ├── aws-k8s-1.31-nvidia/ │ │ │ └── Cargo.toml │ │ ├── aws-k8s-1.32/ │ │ │ └── Cargo.toml │ │ ├── aws-k8s-1.32-nvidia/ │ │ │ └── Cargo.toml │ │ ├── aws-k8s-1.33/ │ │ │ └── Cargo.toml │ │ ├── aws-k8s-1.33-nvidia/ │ │ │ └── Cargo.toml │ │ ├── aws-k8s-1.34/ │ │ │ └── Cargo.toml │ │ ├── aws-k8s-1.34-nvidia/ │ │ │ └── Cargo.toml │ │ ├── aws-k8s-1.35/ │ │ │ └── Cargo.toml │ │ ├── aws-k8s-1.35-nvidia/ │ │ │ └── Cargo.toml │ │ ├── build-defaults.rs │ │ ├── defaults-toml.rs │ │ ├── metal-dev/ │ │ │ ├── Cargo.toml │ │ │ └── defaults.d/ │ │ │ └── 50-metal-dev.toml │ │ ├── metal-k8s-1.30/ │ │ │ └── Cargo.toml │ │ ├── vmware-dev/ │ │ │ ├── Cargo.toml │ │ │ └── defaults.d/ │ │ │ └── 50-vmware-dev.toml │ │ ├── vmware-k8s-1.32/ │ │ │ └── Cargo.toml │ │ ├── vmware-k8s-1.33/ │ │ │ └── Cargo.toml │ │ ├── vmware-k8s-1.34/ │ │ │ └── Cargo.toml │ │ └── vmware-k8s-1.35/ │ │ └── Cargo.toml │ ├── 
settings-migrations/ │ │ ├── .keep │ │ ├── archived/ │ │ │ ├── v0.3.2/ │ │ │ │ └── migrate-admin-container-v0-5-0/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v0.4.1/ │ │ │ │ ├── add-version-lock-ignore-waves/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── pivot-repo-2020-07-07/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v0.5.0/ │ │ │ │ ├── add-cluster-domain/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── migrate-admin-container-v0-5-2/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── migrate-control-container-v0-4-1/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.0.0/ │ │ │ │ ├── ecr-helper-admin/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── ecr-helper-control/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.0.2/ │ │ │ │ └── add-enable-spot-instance-draining/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.0.3/ │ │ │ │ └── add-sysctl/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.0.5/ │ │ │ │ ├── add-lockdown/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── add-network-settings/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── add-proxy-restart/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── add-proxy-services/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── add-user-data/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── sysctl-subcommand/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.0.6/ │ │ │ │ ├── add-shibaken/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── add-static-pods/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── admin-container-v0-6-0/ │ │ │ │ 
│ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── control-container-v0-4-2/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-standalone-tls-services/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-standalone-tls-settings/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── metricdog-init/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.0.8/ │ │ │ │ ├── add-bootstrap-containers/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── admin-container-v0-7-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── control-container-v0-5-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-eviction-hard/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-unsafe-sysctl-kube-reserved/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── proxy-affect-host-containers/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.1.0/ │ │ │ │ ├── kubelet-cloud-provider/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-event-qps-event-burst/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-kube-api-qps-kube-api-burst/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-registry-qps-registry-burst/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-server-tls-bootstrap/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── schnauzer-paws/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── shared-containerd-configs/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.1.2/ │ │ │ │ ├── admin-container-v0-7-1/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ 
│ │ │ ├── control-container-v0-5-1/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-container-log/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── kubelet-system-reserved/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.1.3/ │ │ │ │ ├── kubelet-cpu-manager/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── kubelet-cpu-manager-state/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.10.0/ │ │ │ │ ├── aws-admin-container-v0-9-2/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-6-3/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── dns-settings/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── dns-settings-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-log-level/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-9-2/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-control-container-v0-6-3/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── reboot-to-reconcile-setting/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.10.1/ │ │ │ │ ├── container-runtime/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── container-runtime-metadata/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.11.0/ │ │ │ │ ├── aws-admin-container-v0-9-3/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-config-settings/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-6-4/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-creds/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ 
│ │ │ │ └── main.rs │ │ │ │ ├── aws-creds-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── credential-providers/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── ecs-additional-configurations/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-new-config-files/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-tls-config/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-tls-files/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-9-3/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-6-4/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.12.0/ │ │ │ │ ├── add-k8s-autoscaling-warm-pool-setting/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── add-k8s-autoscaling-warm-pool-setting-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-admin-container-v0-9-4/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── k8s-private-pki-path/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── oci-defaults-setting/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── oci-defaults-setting-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-9-4/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-0/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.13.0/ │ │ │ │ ├── aws-admin-container-v0-10-0/ │ │ │ │ 
│ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-1/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── k8s-registry/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-10-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-1/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.13.1/ │ │ │ │ └── aws-profile-cred-provider/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.13.3/ │ │ │ │ └── aws-k8s-provider-id-gen/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.13.4/ │ │ │ │ ├── add-hostname-override/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── add-hostname-override-metadata/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.14.0/ │ │ │ │ ├── aws-admin-container-v0-10-1/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-2/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── k8s-services-mode/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-config-settings/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-prefix-config-settings/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubernetes-gc-percent-type-change/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-10-1/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-2/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.14.2/ │ │ │ │ └── ecs-images-cleanup/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.14.3/ │ │ │ │ ├── aws-admin-container-v0-10-2/ │ │ │ │ │ ├── Cargo.toml 
│ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-3/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-10-2/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-3/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.15.0/ │ │ │ │ ├── aws-admin-container-v0-11-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-4/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── deprecate-log4j-hotpatch-enabled/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── log4j-hotpatch-enabled-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── oci-defaults-docker-setting/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── oci-defaults-docker-setting-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── oci-defaults-max-open-files/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── oci-defaults-resource-setting/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-control-container-v0-7-4/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── seccomp-default-setting/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.16.0/ │ │ │ │ ├── aws-admin-container-v0-11-1/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-5/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kernel-modules-autoload-configs/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ 
│ │ └── main.rs │ │ │ │ ├── kernel-modules-autoload-files/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kernel-modules-autoload-restart/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kernel-modules-autoload-settings/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-1/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-control-container-v0-7-5/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── schnauzer-v2-generators/ │ │ │ │ ├── Cargo.toml │ │ │ │ ├── build.rs │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.16.1/ │ │ │ │ └── updog-network-affected/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.17.0/ │ │ │ │ ├── aws-admin-container-v0-11-2/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-6/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-2/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-6/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.18.0/ │ │ │ │ ├── aws-admin-container-v0-11-3/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-7/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-3/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-7/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.19.0/ │ │ │ │ └── add-additional-ecs-settings/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.19.1/ │ │ │ │ ├── aws-admin-container-v0-11-4/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-8/ │ │ │ │ │ 
├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-4/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-8/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.19.2/ │ │ │ │ ├── add-ecs-enable-container-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── certdog-config-file-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── certdog-service-cfg-v0-1-0/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.19.3/ │ │ │ │ ├── aws-admin-container-v0-11-6/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-10/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-6/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-10/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.19.5/ │ │ │ │ ├── aws-admin-container-v0-11-7/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-11/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-7/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-11/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.2.0/ │ │ │ │ ├── add-custom-certificates/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── admin-container-v0-7-2/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── container-registry-config-restarts/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── container-registry-mirrors/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── hostname-setting/ │ │ │ │ │ ├── 
Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── hostname-setting-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── kubelet-topology-manager/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.20.0/ │ │ │ │ ├── add-ntp-default-options-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-admin-container-v0-11-8/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-12/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── bootstrap-containers-config-file-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── bootstrap-containers-services-cfg-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── container-runtime-metadata-nvidia/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── container-runtime-nvidia/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── corndog-config-file-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── corndog-services-cfg-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── host-containers-config-file-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── host-containers-config-list-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── prairiedog-config-file-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── prairiedog-services-cfg-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-8/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-control-container-v0-7-12/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── 
remove-ecs-settings-applier/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── static-pods-add-prefix-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── static-pods-services-cfg-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── thar-be-updates-affected-services-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── thar-be-updates-config-file-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── update-ecs-config-path/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── update-ecs-config-template-path/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.20.5/ │ │ │ │ ├── aws-admin-container-v0-11-9/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-13/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-9/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-13/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.21.0/ │ │ │ │ ├── add-hostname-override-source/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── k8s-reserved-cpus-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── pluto-remove-generators-v0-1-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── pod-infra-container-image-affected-services/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── pod-infra-container-image-remove-settings-generator/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── pod-infra-container-image-services/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.21.1/ │ │ │ │ ├── aws-admin-container-v0-11-10/ │ │ │ │ │ ├── Cargo.toml │ │ 
│ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-14/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-10/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-14/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.22.0/ │ │ │ │ ├── aws-admin-container-v0-11-11/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-15/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── bootstrap-commands-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── bootstrap-commands-settings/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-11/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-15/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.23.0/ │ │ │ │ ├── kubelet-device-plugins-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-device-plugins-settings/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── nvidia-container-runtime-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── nvidia-container-runtime-settings/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.24.1/ │ │ │ │ ├── aws-admin-container-v0-11-12/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-16/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-12/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-16/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.25.0/ │ │ │ │ ├── 
aws-admin-container-v0-11-13/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-17/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-device-plugins-time-slicing-settings/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubernetes-service-config/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-13/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-17/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.27.0/ │ │ │ │ └── aws-config/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.28.0/ │ │ │ │ ├── aws-admin-container-v0-11-14/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-18/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kernel-sysctl-hugepages/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-14/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-18/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.3.0/ │ │ │ │ ├── control-container-v0-5-2/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── etc-hosts-service/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── hostname-affects-etc-hosts/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.30.0/ │ │ │ │ ├── aws-admin-container-v0-11-15/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-19/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubernetes-device-ownership-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── 
kubernetes-device-ownership-settings/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-15/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-19/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.31.0/ │ │ │ │ ├── aws-admin-container-v0-11-16/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-7-20/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-11-16/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-7-20/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.33.0/ │ │ │ │ ├── aws-remove-schnauzer-admin/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-remove-schnauzer-control/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-control-container-v0-7-19-update/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-control-container-v0-7-20-update/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-remove-source-admin/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-remove-source-control/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── remove-metadata-and-weak-settings-migration/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.4.0/ │ │ │ │ └── registry-mirror-representation/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.4.2/ │ │ │ │ ├── admin-container-v0-7-3/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── control-container-v0-5-3/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.5.0/ │ │ │ │ ├── oci-hooks-setting/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ 
└── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── oci-hooks-setting-metadata/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.5.1/ │ │ │ │ └── control-container-v0-5-4/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.5.3/ │ │ │ │ └── vmware-host-containers/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.6.0/ │ │ │ │ ├── aws-admin-container-v0-7-4/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-5-5/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── node-taints-representation/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-7-4/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-5-5/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.6.2/ │ │ │ │ ├── add-cfsignal/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── container-registry-credentials/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── container-registry-credentials-metadata/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.7.0/ │ │ │ │ ├── aws-admin-container-v0-8-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-control-container-v0-6-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-8-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-6-0/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── v1.8.0/ │ │ │ │ ├── add-autoscaling/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── add-pull-behavior/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── aws-admin-container-v0-9-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── 
main.rs │ │ │ │ ├── aws-control-container-v0-6-1/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── boot-setting/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── boot-setting-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── cluster-dns-ip-list/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── etc-hosts/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── etc-hosts-metadata/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-pod-pids-limit/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── kubelet-provider-id/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── pki-affected-services/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ ├── build.rs │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── public-admin-container-v0-9-0/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ └── public-control-container-v0-6-1/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ └── v1.9.0/ │ │ │ ├── image-gc-thresholds/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── kernel-modules-setting/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── kernel-modules-setting-metadata/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── kubelet-no-daemon-reload/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── ntp-affected-services/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── shibaken-admin-userdata-semantics/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── shibaken-send-metrics/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ └── updates-targets-base-url/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.34.0/ │ │ │ └── kubelet-device-plugins-mig-settings/ │ │ │ ├── 
Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.36.0/ │ │ │ └── kubernetes-ecr-credential-providers-expansion/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.37.0/ │ │ │ └── delete-configs-and-services-on-downgrade/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.39.0/ │ │ │ └── kubelet-setting-container-log-single-process-oom-kill/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.40.0/ │ │ │ └── kubelet-device-plugins-cdi-settings/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.41.0/ │ │ │ └── kubernetes-ecr-credential-providers-correction/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.42.0/ │ │ │ └── kubernetes-memory-swap-behavior-setting/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.44.0/ │ │ │ ├── container-runtime-plugins-settings/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ └── container-runtime-snapshotter-setting/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.46.0/ │ │ │ └── kubernetes-static-pods-enabled-setting/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.47.0/ │ │ │ ├── container-runtime-concurrent-download-chunk-size/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ └── host-bootstrap-containers-command-setting/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.50.0/ │ │ │ └── kubernetes-reserved-pid-settings/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.51.0/ │ │ │ ├── kubernetes-additional-settings/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ ├── kubernetes-beta-cpu-manager-policy-options/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ └── kubernetes-ecr-credential-provider-patterns/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ ├── v1.54.0/ │ │ │ ├── kubelet-device-plugins-mps-prefix-settings/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ └── main.rs │ │ │ └── 
kubelet-device-plugins-mps-settings/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ └── v1.56.0/ │ │ └── image-verifier-plugins-extensible/ │ │ ├── Cargo.toml │ │ └── src/ │ │ └── main.rs │ ├── settings-plugins/ │ │ ├── aws-dev/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── lib.rs │ │ ├── aws-ecs-2/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── lib.rs │ │ ├── aws-ecs-3/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── lib.rs │ │ ├── aws-k8s/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── lib.rs │ │ ├── aws-k8s-nvidia/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── lib.rs │ │ ├── metal-dev/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── lib.rs │ │ ├── metal-k8s/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── lib.rs │ │ ├── vmware-dev/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── lib.rs │ │ └── vmware-k8s/ │ │ ├── Cargo.toml │ │ └── src/ │ │ └── lib.rs │ └── shared-defaults/ │ ├── aws-autoscaling.toml │ ├── aws-bootstrap-container.toml │ ├── aws-creds.toml │ ├── aws-host-containers.toml │ ├── aws-tuf.toml │ ├── boot.toml │ ├── cf-signal.toml │ ├── containerd-cri-pki.toml │ ├── defaults.toml │ ├── docker-daemon-nvidia.toml │ ├── docker-pki.toml │ ├── docker-services.toml │ ├── ecs.toml │ ├── image-verification.toml │ ├── kubernetes-aws-credential-provider.toml │ ├── kubernetes-aws-external-cloud-provider.toml │ ├── kubernetes-aws-graceful-shutdown.toml │ ├── kubernetes-aws.toml │ ├── kubernetes-containerd-nvidia.toml │ ├── kubernetes-containerd.toml │ ├── kubernetes-device-ownership-default-false.toml │ ├── kubernetes-device-ownership-default-true.toml │ ├── kubernetes-kubelet-env-nvidia.toml │ ├── kubernetes-metal.toml │ ├── kubernetes-seccomp-default-false.toml │ ├── kubernetes-seccomp-default-true.toml │ ├── kubernetes-services.toml │ ├── kubernetes-vmware.toml │ ├── lockdown-integrity.toml │ ├── lockdown-none.toml │ ├── metrics.toml │ ├── nvidia-k8s-container-toolkit.toml │ ├── nvidia-k8s-device-plugin-cdi.toml │ ├── nvidia-k8s-device-plugin-legacy.toml │ ├── 
nvidia-k8s-device-plugin.toml │ ├── oci-defaults-capabilities.toml │ ├── oci-defaults-containerd-cri-resource-limits.toml │ ├── oci-defaults-containerd-cri.toml │ ├── oci-defaults-docker-resource-limits.toml │ ├── oci-defaults-docker.toml │ ├── oci-hooks.toml │ ├── public-bootstrap-containers.toml │ ├── public-host-containers.toml │ ├── public-ntp.toml │ ├── public-tuf.toml │ ├── send-metrics-aws.toml │ └── send-metrics-global.toml ├── tools/ │ ├── .gitignore │ ├── bootconfig/ │ │ └── qemu-x86-console-bootconfig.data │ ├── diff-kernel-config │ ├── install-twoliter.sh │ ├── pubsys/ │ │ ├── Infra.toml.example │ │ ├── policies/ │ │ │ ├── repo-expiration/ │ │ │ │ └── 2w-2w-1w.toml │ │ │ └── ssm/ │ │ │ ├── README.md │ │ │ └── defaults.toml │ │ └── support/ │ │ └── vmware/ │ │ └── import_spec.template │ └── start-local-vm └── variants/ ├── README.md ├── aws-dev/ │ └── Cargo.toml ├── aws-ecs-2/ │ └── Cargo.toml ├── aws-ecs-2-fips/ │ └── Cargo.toml ├── aws-ecs-2-nvidia/ │ └── Cargo.toml ├── aws-ecs-2-nvidia-fips/ │ └── Cargo.toml ├── aws-ecs-3/ │ ├── Cargo.toml │ └── amispec.toml ├── aws-ecs-3-fips/ │ ├── Cargo.toml │ └── amispec.toml ├── aws-ecs-3-nvidia/ │ ├── Cargo.toml │ └── amispec.toml ├── aws-ecs-3-nvidia-fips/ │ ├── Cargo.toml │ └── amispec.toml ├── aws-k8s-1.29/ │ └── Cargo.toml ├── aws-k8s-1.29-fips/ │ └── Cargo.toml ├── aws-k8s-1.29-nvidia/ │ └── Cargo.toml ├── aws-k8s-1.29-nvidia-fips/ │ └── Cargo.toml ├── aws-k8s-1.30/ │ └── Cargo.toml ├── aws-k8s-1.30-fips/ │ └── Cargo.toml ├── aws-k8s-1.30-nvidia/ │ └── Cargo.toml ├── aws-k8s-1.30-nvidia-fips/ │ └── Cargo.toml ├── aws-k8s-1.31/ │ └── Cargo.toml ├── aws-k8s-1.31-fips/ │ └── Cargo.toml ├── aws-k8s-1.31-nvidia/ │ └── Cargo.toml ├── aws-k8s-1.31-nvidia-fips/ │ └── Cargo.toml ├── aws-k8s-1.32/ │ └── Cargo.toml ├── aws-k8s-1.32-fips/ │ └── Cargo.toml ├── aws-k8s-1.32-nvidia/ │ └── Cargo.toml ├── aws-k8s-1.32-nvidia-fips/ │ └── Cargo.toml ├── aws-k8s-1.33/ │ └── Cargo.toml ├── aws-k8s-1.33-fips/ │ └── Cargo.toml 
├── aws-k8s-1.33-nvidia/ │ └── Cargo.toml ├── aws-k8s-1.33-nvidia-fips/ │ └── Cargo.toml ├── aws-k8s-1.34/ │ └── Cargo.toml ├── aws-k8s-1.34-fips/ │ └── Cargo.toml ├── aws-k8s-1.34-nvidia/ │ └── Cargo.toml ├── aws-k8s-1.34-nvidia-fips/ │ └── Cargo.toml ├── aws-k8s-1.35/ │ └── Cargo.toml ├── aws-k8s-1.35-fips/ │ └── Cargo.toml ├── aws-k8s-1.35-nvidia/ │ └── Cargo.toml ├── aws-k8s-1.35-nvidia-fips/ │ └── Cargo.toml ├── build.rs ├── metal-dev/ │ └── Cargo.toml ├── shared/ │ ├── amispec-split.toml │ ├── template-split-secboot.ovf │ ├── template-split.ovf │ ├── template-unified-secboot-tpm.ovf │ ├── template-unified-secboot.ovf │ └── template-unified.ovf ├── variants.rs ├── vmware-dev/ │ └── Cargo.toml ├── vmware-k8s-1.29/ │ └── Cargo.toml ├── vmware-k8s-1.29-fips/ │ └── Cargo.toml ├── vmware-k8s-1.30/ │ └── Cargo.toml ├── vmware-k8s-1.30-fips/ │ └── Cargo.toml ├── vmware-k8s-1.31/ │ └── Cargo.toml ├── vmware-k8s-1.31-fips/ │ └── Cargo.toml ├── vmware-k8s-1.32/ │ └── Cargo.toml ├── vmware-k8s-1.32-fips/ │ └── Cargo.toml ├── vmware-k8s-1.33/ │ └── Cargo.toml ├── vmware-k8s-1.33-fips/ │ └── Cargo.toml ├── vmware-k8s-1.34/ │ └── Cargo.toml ├── vmware-k8s-1.34-fips/ │ └── Cargo.toml ├── vmware-k8s-1.35/ │ └── Cargo.toml └── vmware-k8s-1.35-fips/ └── Cargo.toml ================================================ FILE CONTENTS ================================================ ================================================ FILE: .dockerignore ================================================ /.git /.gomodcache /build/* !/build/rpms/ /build/rpms/* !/build/rpms/*.rpm /build/rpms/*-debuginfo-*.rpm /build/rpms/*-debugsource-*.rpm **/target/* /sbkeys /tests ================================================ FILE: .github/ISSUE_TEMPLATE/build.md ================================================ --- name: Bug report - build process about: Let us know about a problem with the build process labels: status/needs-triage, type/bug --- **Platform I'm building on:** **What I expected to happen:** 
**What actually happened:** **How to reproduce the problem:** ================================================ FILE: .github/ISSUE_TEMPLATE/feature.md ================================================ --- name: Feature request about: Request a change to the project labels: status/needs-triage, type/enhancement --- **What I'd like:** **Any alternatives you've considered:** ================================================ FILE: .github/ISSUE_TEMPLATE/image.md ================================================ --- name: Bug report - Bottlerocket image about: Let us know about a problem with Bottlerocket labels: status/needs-triage, type/bug --- **Image I'm using:** **What I expected to happen:** **What actually happened:** **How to reproduce the problem:** ================================================ FILE: .github/ISSUE_TEMPLATE/metal_driver.md ================================================ --- name: bare metal variant - driver request about: Request a driver to be added to the metal variant of Bottlerocket labels: status/needs-triage, area/metal, type/enhancement --- **What I'd like:** **Device type (e.g. network interface, disk controller):** **Device vendor:** **Device model:** **Driver used on other Linux distribution:** **Any alternatives you've considered:** ================================================ FILE: .github/actions/setup-node/action.yml ================================================ name: "Node setup" description: "Performs setup for caching and other common needs."
inputs: perform-cache-cleanup: description: "Whether to perform cache cleanup" required: false default: false type: boolean runs: using: "composite" steps: - run: | echo "OS_ARCH=`uname -m`" >> $GITHUB_ENV sudo apt -y install build-essential openssl libssl-dev pkg-config liblz4-tool shell: bash - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # Cache `cargo-make`, `cargo-cache` with: path: | ~/.cargo key: ${{ hashFiles('.github/workflows/cache.yml') }}-${{ runner.os }}-${{ env.OS_ARCH }} - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # Cache first-party code dependencies with: path: | .cargo key: ${{ hashFiles('.github/workflows/cache.yml') }}-${{ runner.os }}-${{ env.OS_ARCH }}-${{ hashFiles('sources/Cargo.lock') }} - run: cargo install cargo-make shell: bash - if: ${{ inputs.perform-cache-cleanup }} run: cargo install --no-default-features --features ci-autoclean cargo-cache shell: bash ================================================ FILE: .github/dependabot.yaml ================================================ version: 2 updates: # Maintain dependencies for GitHub Actions - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" labels: - "area/dependencies" # We maintain updates for most dependencies. This disables updates other than # security ones. - package-ecosystem: "cargo" directory: "/" schedule: interval: "daily" labels: - "area/dependencies" open-pull-requests-limit: 0 - package-ecosystem: "gomod" directory: "/" schedule: interval: "daily" labels: - "area/dependencies" open-pull-requests-limit: 0 ================================================ FILE: .github/pull_request_template.md ================================================ **Issue number:** Closes # **Description of changes:** **Testing done:** **Terms of contribution:** By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license. 
================================================ FILE: .github/workflows/build.yml ================================================ name: Build on: pull_request: branches: [develop] # Here we list file types that don't affect the build and don't need to use # up our Actions runners. paths-ignore: # draw.io (diagrams.net) files, the source of png images for docs - '**.drawio' # Example configuration files - '**.example' # Markdown documentation - '**.md' # Images for documentation - '**.png' # Templates for README files - '**.tpl' # Sample config files and OpenAPI docs - '**.yaml' # Mailmap - '.mailmap' concurrency: group: ${{ github.ref }} cancel-in-progress: true jobs: build: if: github.repository == 'bottlerocket-os/bottlerocket' runs-on: group: bottlerocket labels: bottlerocket_ubuntu-latest_32-core continue-on-error: true strategy: matrix: arch: [x86_64, aarch64] fail-fast: false name: "Build ${{ matrix.arch }}" steps: - name: Random delay run: | delay=$((1 + $RANDOM % 32)) echo "Waiting ${delay} seconds before execution" sleep $delay - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Preflight step to set up the runner uses: ./.github/actions/setup-node - run: rustup component add rustfmt - run: cargo make check - run: | cargo make \ -e BUILDSYS_ARCH=${{ matrix.arch }} \ -e BUILDSYS_JOBS=12 \ build-all ================================================ FILE: .github/workflows/cache.yml ================================================ # This workflow caches crate dependencies and build artifacts for tools (except 'test-tools' since we don't use them in build workflows). # The cache is only usable by workflows started from pull requests against the develop branch. 
name: CacheDepsAndTools on: push: branches: [develop] paths: - '.github/**' - 'sources/Cargo.lock' - 'tools/pubsys*/**' - '!tools/pubsys/policies/**' - '!tools/pubsys/**.example' jobs: cache: if: github.repository == 'bottlerocket-os/bottlerocket' runs-on: group: bottlerocket labels: bottlerocket_ubuntu-latest_8-core continue-on-error: true steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Preflight step to set up the runner uses: ./.github/actions/setup-node with: perform-cache-cleanup: true - run: cargo make install-twoliter # This cleans the cargo cache in ~/.cargo - run: cargo-cache ================================================ FILE: .github/workflows/weekly.yml ================================================ # This is basically a duplicate of the main "build" workflow, but uses GOPROXY=direct # to try to catch errors close to their introduction due to yanked Go modules. These # could otherwise be covered up by caching and not discovered until much later when # bypassing the main cache. name: Weekly on: schedule: # Run Monday at 02:15 UTC. Randomly chosen as a "quiet" time for this to run. # See syntax for format details: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onschedule - cron: '15 2 * * 1' env: # When Go packages are built, buildsys will vendor in dependent Go code for # that package and bundle it up in a tarball. This env variable is consumed # and used to configure Go to directly download code from its upstream source. # This is a useful early signal during GitHub actions to see if there are # upstream Go code problems. 
GOPROXY: direct jobs: build: if: github.repository == 'bottlerocket-os/bottlerocket' runs-on: group: bottlerocket labels: bottlerocket_ubuntu-latest_32-core continue-on-error: false strategy: matrix: arch: [x86_64, aarch64] fail-fast: false name: "Build ${{ matrix.arch }}" steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Preflight step to set up the runner uses: ./.github/actions/setup-node - run: | cargo make \ -e BUILDSYS_ARCH=${{ matrix.arch }} \ -e BUILDSYS_JOBS=12 \ build-all ================================================ FILE: .gitignore ================================================ /build *.tar.* *.tgz **/target/ **/vendor/ /.cargo /.gomodcache /html /Infra.toml /Test.toml /testsys.kubeconfig /*.pem /keys /roles /sbkeys/**/ /Licenses.toml /licenses *.run /tests Twoliter.override ================================================ FILE: .golangci.yaml ================================================ linters: enable: - errcheck - goimports - ineffassign - misspell - revive - staticcheck - unconvert - unused - govet run: timeout: 3m issues: exclude-dirs: - vendor - .gomodcache ================================================ FILE: .mailmap ================================================ Jacob Peddicord Jacob Vallejo Jamie Anderson <32437770+jamieand@users.noreply.github.com> Michael Patraw <52084153+patraw@users.noreply.github.com> Samuel Mendoza-Jonas <53018225+sam-aws@users.noreply.github.com> Tom Kirchner Zac Mrowicki Zac Mrowicki Mahdi Chaker M Arnaldo Garcia Rincon Arnaldo Garcia Rincon Ben Cressey Erikson Tung Jacob Vallejo John McBride Kyle J. Davis Markus Boehme Matthew James Briggs Matthew James Briggs <6260372+webern@users.noreply.github.com> Matthew James Briggs Matthew James Briggs Matt Briggs Matthew Yeazel <67169369+yeazelm@users.noreply.github.com> Matthias Sterckx Samuel Karp Sanika Shah Sean Kelly Sean McGinnis Sean P. 
Kelly Shailesh Gothi Tianhao Geng Tianhao Geng <45469883+gthao313@users.noreply.github.com> Ethan Pullen Ethan Pullen Shikha Vyaghra <107685805+vyaghras@users.noreply.github.com> Patrick J.P. Culp Patrick J.P. Culp Piyush Jena Martin Harriman Vighnesh Maheshwari Vighnesh Maheshwari <21048293+vigh-m@users.noreply.github.com> Kyle Sessions Kyle Sessions Gaurav Sharma <168583863+mgsharm@users.noreply.github.com> Gavin Inglis <43075615+ginglis13@users.noreply.github.com> Sam Berning <113054166+sam-berning@users.noreply.github.com> Sparks Song Sparks Song Sparks <56856447+Sparksssj@users.noreply.github.com> Cezar Rata cezar-r <59450965+cezar-r@users.noreply.github.com> ================================================ FILE: .vscode/settings.json ================================================ { "rust-analyzer.linkedProjects": [ "sources/Cargo.toml" ], "files.insertFinalNewline": true } ================================================ FILE: BUILDING.md ================================================ # Building Bottlerocket If you'd like to build your own image instead of relying on an Amazon-provided image, follow these steps. You can skip to the [setup guide for Kubernetes](QUICKSTART-EKS.md) or the [setup guide for Amazon ECS](QUICKSTART-ECS.md) to use an existing image in Amazon EC2. (We're still working on other use cases!) ## Build an image ### Dependencies #### System Requirements The build process artifacts and resulting images can consume in excess of 80GB in the local directory. The build process is also fairly demanding on your CPU, since we build all included software from scratch. (The first time. Package builds are cached, and only changes are built afterward.) The build scales well to 32+ cores. The first time you build, the fastest machines can take about 12 minutes while slower machines with only a couple cores can take 3-4 hours. #### Linux The build system requires certain operating system packages to be installed. 
Ensure the following OS packages are installed: ##### Ubuntu ```shell apt install build-essential openssl libssl-dev pkg-config liblz4-tool ``` ##### Fedora ```shell yum install make automake gcc openssl openssl-devel pkg-config lz4 perl-FindBin perl-lib ``` #### Rust The build system is based on the Rust language. We recommend you install the latest stable Rust using [rustup](https://rustup.rs/), either from the official site or your development host's package manager. Rust 1.51.0 or higher is required. To organize build tasks, we use [cargo-make](https://sagiegurari.github.io/cargo-make/). To get it, run: ```shell cargo install cargo-make ``` #### Docker Bottlerocket uses [Docker](https://docs.docker.com/install/#supported-platforms) to orchestrate package and image builds. We recommend Docker 20.10.10 or later. Builds rely on Docker's integrated BuildKit support, which has received many fixes and improvements in newer versions. The default seccomp policy of older versions of Docker does not support the `clone3` syscall in recent versions of Fedora or Ubuntu, on which the Bottlerocket SDK is based. You'll need to have Docker installed and running, with your user account added to the `docker` group. Docker's [post-installation steps for Linux](https://docs.docker.com/install/linux/linux-postinstall/) will walk you through that. > Note: If you're on a newer Linux distribution using the unified cgroup hierarchy with cgroups v2, you may need to disable it to work with current versions of runc. > You'll know this is the case if you see an error like `docker: Error response from daemon: OCI runtime create failed: this version of runc doesn't work on cgroups v2: unknown.` > Set the kernel parameter `systemd.unified_cgroup_hierarchy=0` in your boot configuration (e.g. GRUB) and reboot.
### Build process To build an image, run: ```shell cargo make ``` This will build an image for the default variant (a recent `aws-k8s-*`, see the `BUILDSYS_VARIANT` variable in [Makefile.toml](Makefile.toml) to find the current default variant). All packages will be built in turn, and then compiled into an `img` file in the `build/images/` directory. The version number in [Release.toml](Release.toml) will be used in naming the file, and will be used inside the image as the release version. If you're planning on [publishing your build](PUBLISHING.md), you may want to change the version. To build an image for a different variant, run: ```shell cargo make -e BUILDSYS_VARIANT=my-variant-here ``` To build an image for a different architecture, run: ```shell cargo make -e BUILDSYS_ARCH=my-arch-here ``` If you want to limit the build concurrency, set `BUILDSYS_JOBS` (the default is `8`): ```shell cargo make -e BUILDSYS_JOBS=4 ``` (You can use variant and arch arguments together, too.) #### Package licenses Most packages will include license files extracted from upstream source archives. However, in some rare cases there are multiple licenses that could apply to a package. Bottlerocket's build system uses the `Licenses.toml` file in conjunction with the `licenses` directory to configure the licenses used for such special packages. Here is an example of a simple `Licenses.toml` configuration file: ```toml [package] spdx-id = "SPDX-ID" licenses = [ { path = "the-license.txt" } ] ``` In the previous example, it is expected that the file `the-license.txt` is present in `licenses`. 
You can retrieve the licenses from a remote endpoint, or the local filesystem if you specify the `license-url` field: ```toml [package] spdx-id = "SPDX-ID AND SPDX-ID-2" # Package with multiple licenses licenses = [ # This file is copied from a file system, and will be saved as `path` { license-url = "file:///path/to/spdx-id-license.txt", path = "spdx-id-license.txt" }, # This file is fetched from an https endpoint, and will be saved as `path` { license-url = "https://localhost/spdx-id-license-v2.txt", path = "spdx-id-license-2.txt" } ] ``` #### NVIDIA variants If you want to build any of the NVIDIA variants, you can follow these steps to prepare a `Licenses.toml` file using the [License for customer use of NVIDIA software](https://www.nvidia.com/en-us/drivers/nvidia-license/): 1. Create a `Licenses.toml` file in your Bottlerocket root directory, with the following content: ```toml [nvidia] spdx-id = "LicensesRef-NVIDIA-Customer-Use" licenses = [ { path = "LICENSE", license-url = "https://www.nvidia.com/en-us/drivers/nvidia-license/" } ] ``` 2. Fetch the licenses with this command: ```shell cargo make -e BUILDSYS_UPSTREAM_LICENSE_FETCH=true fetch-licenses ``` 3. Build your image, setting the `BUILDSYS_UPSTREAM_SOURCE_FALLBACK` flag to `true`, if you haven't cached the driver's sources: ```shell K8S_VERSION=1.32 cargo make \ -e BUILDSYS_VARIANT=aws-k8s-${K8S_VERSION}-nvidia \ -e BUILDSYS_UPSTREAM_SOURCE_FALLBACK="true" ``` ### Register an AMI To use the image in Amazon EC2, we need to register the image as an AMI. To do this, you'll need to have your AWS account credentials set up on your system. There are lots of ways to do this; one method is using [the `aws` CLI](https://aws.amazon.com/cli/) via its `configure` command with your user's access and secret keys. If you're using an EC2 instance, the [EC2 instance's IAM role](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) will be used automatically if available.
For a simple start, pick an [EC2 region](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions), then run: ```shell cargo make -e PUBLISH_REGIONS=your-region-here ami ``` Note that the task ("ami") must come **after** the arguments to `cargo make` that are specified with `-e`. Your new AMI ID will be printed after it's registered. If you built your image for a different architecture or variant, just use the same arguments here: ```shell cargo make -e PUBLISH_REGIONS=your-region-here -e BUILDSYS_VARIANT=my-variant-here ami ``` (There's a lot more detail on building and managing AMIs in the [PUBLISHING](PUBLISHING.md) guide.) ## Use your image See any of the setup guides tailored to the various execution environments for information on running Bottlerocket images: * [Setup guide for Kubernetes](QUICKSTART-EKS.md) * [Setup guide for Amazon ECS](QUICKSTART-ECS.md) * [Setup guide for VMware](QUICKSTART-VMWARE.md) * [Setup guide for QEMU/KVM](QUICKSTART-LOCAL.md) ## Publish your image See the [PUBLISHING](PUBLISHING.md) guide for information on deploying Bottlerocket images and repositories. ## Building out-of-tree kernel modules To further extend Bottlerocket, you may want to build extra kernel modules. The specifics of building an out-of-tree module will vary by project, but the first step is to download the "kmod kit" that contains the kernel headers and toolchain you'll need to use. ### Downloading the kmod kit kmod kits are included in the official Bottlerocket repos starting with Bottlerocket v1.0.6. Let's say you want to download the kit for building x86_64 modules for v1.31.0 and variant aws-k8s-1.32. First, you need tuftool: ```shell cargo install tuftool ``` Next, you need the Bottlerocket root role, which is used by tuftool to verify the kmod kit. 
This will download and verify the root role itself: ```shell curl -O "https://cache.bottlerocket.aws/root.json" sha512sum -c <<<"4fcb272345fd6adb94d4c04834400548178fecb57407ca79bc2c3d20e0428fc9ed3a82cea268d7f9c667b5803524a4f465acd701a86953d5d732bf6ecb064888 root.json" ``` Next, set your desired parameters, and download the kmod kit: ```shell ARCH=x86_64 VERSION=v1.31.0 VARIANT=aws-k8s-1.32 OUTDIR="${VARIANT}-${VERSION}" tuftool download "${OUTDIR}" --target-name ${VARIANT}-${ARCH}-kmod-kit-${VERSION}.tar.xz \ --root ./root.json \ --metadata-url "https://updates.bottlerocket.aws/2020-07-07/${VARIANT}/${ARCH}/" \ --targets-url "https://updates.bottlerocket.aws/targets/" ``` ### Using the kmod kit To use the kmod kit, extract it, and update your PATH to use its toolchain: ```shell tar xf "${VARIANT}-${ARCH}-kmod-kit-${VERSION}.tar.xz" export CROSS_COMPILE="${ARCH}-bottlerocket-linux-musl-" export KERNELDIR="${PWD}/${VARIANT}-${ARCH}-kmod-kit-${VERSION}/kernel-devel" export PATH="${PWD}/${VARIANT}-${ARCH}-kmod-kit-${VERSION}/toolchain/usr/bin:${PATH}" ``` Now you can compile modules against the kernel headers in `${KERNELDIR}`. ================================================ FILE: CHANGELOG.md ================================================ # v1.57.0 (2026-03-18) ## Release Highlights * Update `glibc` to 2.43 and `runc` to 1.3.4 ([bottlerocket-core-kit#865], [bottlerocket-core-kit#854]) * Add `kubelet-env-nvidia` template for `kubernetes-1.35` ([#4784], [bottlerocket-core-kit#860]) * Reserve EKS add-on ports ([bottlerocket-core-kit#864]) - Thanks @Shreyank031! 
## OS Changes * Update `bottlerocket-core-kit` from 13.1.0 to 13.3.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1330-2026-03-18) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v13.1.0...v13.3.0)) ([#4789], [#4791]) * Update `bottlerocket-kernel-kit` from 5.0.1 to 5.2.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v520-2026-03-18) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v5.0.1...v5.2.0)) ([#4789], [#4791]) * Update `admin-container` from 0.20.3 to 0.20.4 ([#4780]) * Update `control-container` from 0.20.3 to 0.20.4 ([#4780]) * Update `bootstrap-container` from 0.2.13 to 0.2.14 ([#4780]) ## Build Changes * Update `twoliter` from 0.16.0 to 0.17.0 ([#4776]) * Update `bottlerocket-sdk` from 0.70.0 to 0.72.0 ([commits](https://github.com/bottlerocket-os/bottlerocket-sdk/compare/v0.70.0...v0.72.0)) ([#4789], [#4791]) [#4776]: https://github.com/bottlerocket-os/bottlerocket/pull/4776 [#4780]: https://github.com/bottlerocket-os/bottlerocket/pull/4780 [#4784]: https://github.com/bottlerocket-os/bottlerocket/pull/4784 [#4789]: https://github.com/bottlerocket-os/bottlerocket/pull/4789 [#4791]: https://github.com/bottlerocket-os/bottlerocket/pull/4791 [bottlerocket-core-kit#854]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/854 [bottlerocket-core-kit#860]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/860 [bottlerocket-core-kit#864]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/864 [bottlerocket-core-kit#865]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/865 # v1.56.0 (2026-02-24) ## Release Highlights * Add support to render `settings.container-registry` into containerd supported `hosts.toml` ([bottlerocket-core-kit#819], [#4767]) * Expand image verifier support with a new helper to render trust policies for all image verifier plugins 
([bottlerocket-core-kit#820], [#4766]) * Suppress IPv6 on interfaces with no IPv6 intent in `net.toml` ([bottlerocket-core-kit#826]) ## OS Changes * Update `bottlerocket-kernel-kit` from 4.8.2 to 5.0.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v501-2026-02-26) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v4.8.2...v5.0.1)) ([#4764], [#4775]) * Update `bottlerocket-core-kit` from 13.0.0 to 13.1.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1310-2026-02-25) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v13.0.0...v13.1.0)) ([#4770]) ## Build Changes * Update Rust dependencies ([#4763]) * Update `bottlerocket-settings-models` to v0.21.0 ([#4773]) [#4763]: https://github.com/bottlerocket-os/bottlerocket/pull/4763 [#4764]: https://github.com/bottlerocket-os/bottlerocket/pull/4764 [#4766]: https://github.com/bottlerocket-os/bottlerocket/pull/4766 [#4767]: https://github.com/bottlerocket-os/bottlerocket/pull/4767 [#4770]: https://github.com/bottlerocket-os/bottlerocket/pull/4770 [#4773]: https://github.com/bottlerocket-os/bottlerocket/pull/4773 [#4775]: https://github.com/bottlerocket-os/bottlerocket/pull/4775 [bottlerocket-core-kit#819]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/819 [bottlerocket-core-kit#820]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/820 [bottlerocket-core-kit#826]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/826 # v1.55.0 (2026-02-11) ## Release Highlights * Add URI resolver support to `apiclient apply` and `apiclient network configure` ([bottlerocket-core-kit#554]) * `s3://` - S3 bucket objects * `secretsmanager://` - AWS Secrets Manager secrets * `ssm://` - AWS SSM Parameter Store parameters * `arn:aws:secretsmanager:` and `arn:aws:ssm:` - cross-region access via full ARN * `base64:` - inline encoded content * Remove separate 
FIPS binaries from Go packages in favor of Go built-in FIPS support ([bottlerocket-core-kit#813]) * Remove hugepages from `reservedMemory` in kubelet config ([bottlerocket-core-kit#821]) * Update SELinux policy to allow container communication with MPS daemon ([bottlerocket-core-kit#831]) ## OS Changes * Update `bottlerocket-kernel-kit` from 4.8.0 to 4.8.2 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v482-2026-02-07) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v4.8.0...v4.8.2)) ([#4757]) * Update `bottlerocket-core-kit` from 12.3.0 to 13.0.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1300-2026-02-11) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v12.3.0...v13.0.0)) ([#4761]) * Update `admin-container` from 0.20.1 to 0.20.3 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#0203) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.20.1...v0.20.3)) ([#4759]) * Update `control-container` from 0.20.1 to 0.20.3 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#0203) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.20.1...v0.20.3)) ([#4759]) * Update `bootstrap-container` from 0.2.11 to 0.2.13 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#0213) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.2.11...v0.2.13)) ([#4759]) [#4757]: https://github.com/bottlerocket-os/bottlerocket/pull/4757 [#4759]: https://github.com/bottlerocket-os/bottlerocket/pull/4759 [#4761]: https://github.com/bottlerocket-os/bottlerocket/pull/4761 [bottlerocket-core-kit#554]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/554 
[bottlerocket-core-kit#813]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/813 [bottlerocket-core-kit#821]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/821 [bottlerocket-core-kit#823]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/823 [bottlerocket-core-kit#831]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/831 # v1.54.0 (2026-01-22) ## Release Highlights * Migrate to Go's native FIPS 140-3 runtime support for all FIPS variants ([bottlerocket-core-kit#783]) * Add NVIDIA Multi-Process Service (MPS) support ([#4744], [bottlerocket-core-kit#789]) * Add `trn3` device IDs to `pciclient` ([bottlerocket-core-kit#800]) ## OS Changes * Update `bottlerocket-kernel-kit` from 4.7.1 to 4.8.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v480-2026-01-21) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v4.7.1...v4.8.0)) ([#4744]) * Update `bottlerocket-core-kit` from 12.2.0 to 12.3.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1230-2026-01-21) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v12.2.0...v12.3.0)) ([#4744]) * Update `admin-container` from 0.20.0 to 0.20.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#0201) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.20.0...v0.20.1)) ([#4749]) * Update `control-container` from 0.20.0 to 0.20.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#0201) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.20.0...v0.20.1)) ([#4749]) * Update `bootstrap-container` from 0.2.10 to 0.2.11 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#0211) 
([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.2.10...v0.2.11)) ([#4749]) ## Build Changes * Update `bottlerocket-sdk` from 0.66.0 to 0.70.0 ([commits](https://github.com/bottlerocket-os/bottlerocket-sdk/compare/v0.66.0...v0.70.0)) ([#4744]) * Update `bottlerocket-settings-models` to v0.20.0 ([#4744]) [#4744]: https://github.com/bottlerocket-os/bottlerocket/pull/4744 [#4749]: https://github.com/bottlerocket-os/bottlerocket/pull/4749 [bottlerocket-core-kit#783]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/783 [bottlerocket-core-kit#789]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/789 [bottlerocket-core-kit#800]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/800 # v1.53.0 (2026-01-13) ## Release Highlights * Add new kubernetes 1.35 variants ([#4735]): * Add `aws-k8s-1.35`, `aws-k8s-1.35-nvidia`, `aws-k8s-1.35-fips`, `aws-k8s-1.35-nvidia-fips`, `vmware-k8s-1.35`, and `vmware-k8s-1.35-fips` variants * All k8s-1.35 variants use the following: * `kernel-6.12` * `systemd-257` * `nftables` * `containerd-2.1` * `whippet` * `release-swap` - Enable **zram-backed** swap device to improve system stability in low-memory situations ([bottlerocket-core-kit#590]) * Migrate all nvidia variants to use nvidia R580 drivers ([#4733]) * Migrate `admin-container` and `control-container` to AL2023 ([#4740]) ## OS Changes * Update `bottlerocket-kernel-kit` from 4.7.0 to 4.7.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v471-2026-01-07) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v4.7.0...v4.7.1)) ([#4736]) * Update `bottlerocket-core-kit` from 12.0.1 to 12.2.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1220-2026-01-08) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v12.0.1...v12.2.0)) ([#4735]) * Enable `erofs` root partition in 
all variants ([#4728]) * Use `whippet` in all variants ([#4738]) * Update `admin-container` from 0.12.5 to 0.20.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#0200) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.12.5...v0.20.0)) ([#4740]) * Update `bootstrap-container` from 0.2.9 to 0.2.10 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#0210) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.2.9...v0.2.10)) ([#4740]) * Update `control-container` from 0.8.11 to 0.20.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#0200) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.8.11...v0.20.0)) ([#4740]) ### Twoliter * Update `twoliter` from v0.15.0 to v0.16.0 [CHANGELOG](https://github.com/bottlerocket-os/twoliter/blob/develop/CHANGELOG.md#0160---2026-01-06) ([commits](https://github.com/bottlerocket-os/twoliter/compare/v0.15.0...v0.16.0)) ([#4726], [#4734]) ## Documentation Changes * Remove stale settings extension design documents ([#4716]) [#4716]: https://github.com/bottlerocket-os/bottlerocket/pull/4716 [#4726]: https://github.com/bottlerocket-os/bottlerocket/pull/4726 [#4728]: https://github.com/bottlerocket-os/bottlerocket/pull/4728 [#4733]: https://github.com/bottlerocket-os/bottlerocket/pull/4733 [#4734]: https://github.com/bottlerocket-os/bottlerocket/pull/4734 [#4735]: https://github.com/bottlerocket-os/bottlerocket/pull/4735 [#4736]: https://github.com/bottlerocket-os/bottlerocket/pull/4736 [#4738]: https://github.com/bottlerocket-os/bottlerocket/pull/4738 [#4740]: https://github.com/bottlerocket-os/bottlerocket/pull/4740 [bottlerocket-core-kit#590]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/590 # v1.52.0 (2025-12-16) ## Release Highlights * Remove 
`aws-k8s-1.28` variants ([#4717]) * Disable concurrent layer fetch by default in `containerd-2.1` ([bottlerocket-core-kit#764]) ## OS Changes * Update `bottlerocket-kernel-kit` from 4.5.1 to 4.7.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v470-2025-12-10) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v4.5.1...v4.7.0)) ([#4719]) * Update `bottlerocket-core-kit` from 11.0.1 to 12.0.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1201-2025-12-12) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v11.0.1...v12.0.1)) ([#4719], [#4724]) * Update `admin-container` from 0.12.4 to 0.12.5 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#0125) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.12.4...v0.12.5)) ([#4712]) * Update `bootstrap-container` from 0.2.8 to 0.2.9 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#029) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.2.8...v0.2.9)) ([#4712]) * Update `control-container` from 0.8.10 to 0.8.11 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#0811) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.8.10...v0.8.11)) ([#4712]) * Update `aws-dev` and `vmware-dev` variants with the latest Bottlerocket features([#4705]) ## Build Changes * Update `bottlerocket-sdk` from 0.65.1 to 0.66.0 ([commits](https://github.com/bottlerocket-os/bottlerocket-sdk/compare/v0.65.1...v0.66.0)) ([#4719]) ### Twoliter * Update `twoliter` from v0.13.0 to v0.15.0 [CHANGELOG](https://github.com/bottlerocket-os/twoliter/blob/develop/CHANGELOG.md#0150---2025-12-11) 
([commits](https://github.com/bottlerocket-os/twoliter/compare/v0.13.0...v0.15.0))([#4718], [#4722]) [#4705]: https://github.com/bottlerocket-os/bottlerocket/pull/4705 [#4711]: https://github.com/bottlerocket-os/bottlerocket/pull/4711 [#4712]: https://github.com/bottlerocket-os/bottlerocket/pull/4712 [#4717]: https://github.com/bottlerocket-os/bottlerocket/pull/4717 [#4718]: https://github.com/bottlerocket-os/bottlerocket/pull/4718 [#4719]: https://github.com/bottlerocket-os/bottlerocket/pull/4719 [#4722]: https://github.com/bottlerocket-os/bottlerocket/pull/4722 [#4724]: https://github.com/bottlerocket-os/bottlerocket/pull/4724 [bottlerocket-core-kit#764]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/764 # v1.51.0 (2025-11-17) ## Release Highlights * New ecs-3 variants are now available as a preview ([#4685]) * Add `aws-ecs-3`, `aws-ecs-3-nvidia`, `aws-ecs-3-fips`, and `aws-ecs-3-nvidia-fips` variants * All ecs-3 variants use the following: * `kernel-6.12` * `containerd-2.1` * `systemd-257` * `nftables` * `whippet` ([bottlerocket-core-kit#720]) * `docker-engine-29` ([bottlerocket-core-kit#711]) * `docker-cli-29` ([bottlerocket-core-kit#711]) * Use EROFS for root filesystem * Use EBS volume gp3 for all variants * Require IMDSv2 by default * `aws-ecs-3-nvidia` and `aws-ecs-3-nvidia-fips` variants use NVIDIA R580 drivers * Enable support for image verification * Enable support for encrypted storage * Add NVIDIA FIPS variants for Kubernetes 1.29-1.34 and ECS-2 ([#4671]) * Add support for new Kubernetes settings, `image-minimum-gc-age`, `image-maximum-gc-age`, `max-parallel-image-pulls`, `ids-per-pod`, and Beta options for `cpu-manager-policy-options` ([#4690], [bottlerocket-core-kit#689]) ## OS Changes * Update `bottlerocket-kernel-kit` from 4.4.2 to 4.5.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v451-2025-11-12)
([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v4.4.2...v4.5.1)) ([#4693], [#4698]) * Update `bottlerocket-core-kit` from 10.9.0 to 11.0.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1101-2025-11-12) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v10.9.0...v11.0.1)) ([#4699]) * Bump `containerd` from 2.0 to 2.1 on all `aws-k8s-1.33` variants ([#4687]) * Drop `socat` from `aws-dev` variant ([#4699]) * Update ECR credential provider image patterns to include EUSC image formats ([#4689]) * Use `whippet` in `aws-ecs-2`, `aws-k8s-1.34`, and `vmware-k8s-1.34` variants ([#4701]) ### Twoliter * Update `twoliter` from v0.12.0 to v0.13.0 [CHANGELOG](https://github.com/bottlerocket-os/twoliter/blob/develop/CHANGELOG.md#0130---2025-11-10) ([commits](https://github.com/bottlerocket-os/twoliter/compare/v0.12.0...v0.13.0)) ([#4691]) ### Settings Extensions * Update `bottlerocket-settings-models` to v0.17.0 ([#4690]) [#4671]: https://github.com/bottlerocket-os/bottlerocket/pull/4671 [#4685]: https://github.com/bottlerocket-os/bottlerocket/pull/4685 [#4687]: https://github.com/bottlerocket-os/bottlerocket/pull/4687 [#4689]: https://github.com/bottlerocket-os/bottlerocket/pull/4689 [#4690]: https://github.com/bottlerocket-os/bottlerocket/pull/4690 [#4691]: https://github.com/bottlerocket-os/bottlerocket/pull/4691 [#4693]: https://github.com/bottlerocket-os/bottlerocket/pull/4693 [#4697]: https://github.com/bottlerocket-os/bottlerocket/pull/4697 [#4698]: https://github.com/bottlerocket-os/bottlerocket/pull/4698 [#4699]: https://github.com/bottlerocket-os/bottlerocket/pull/4699 [#4701]: https://github.com/bottlerocket-os/bottlerocket/pull/4701 [bottlerocket-core-kit#689]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/689 [bottlerocket-core-kit#711]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/711 [bottlerocket-core-kit#720]: 
https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/720 # v1.50.0 (2025-11-05) ## Release Highlights * Add support for new kubernetes settings `kube-reserved.pid` and `system-reserved.pid` ([#4661], [bottlerocket-core-kit#646]) * Allow multiple sequential calls of `apiclient ephemeral-storage bind` ([bottlerocket-core-kit#679]) * Patch `containerd-2.1` to fix image pull when range-get is ignored by the registry ([bottlerocket-core-kit#702]) ## Security Fixes * Patch `runc` to mitigate CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 ([bottlerocket-core-kit#6e3d3e2e]) ## OS Changes * Update `bottlerocket-sdk` from 0.64.0 to 0.65.1 ([commits](https://github.com/bottlerocket-os/bottlerocket-sdk/compare/v0.64.0...v0.65.1))([#4664], [#4667]) * Update `bottlerocket-kernel-kit` from 4.3.3 to 4.4.2 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v442-2025-10-27) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v4.3.3...v4.4.2)) ([#4664], [#4667], [#4672]) * Update `bottlerocket-core-kit` from 10.6.0 to 10.9.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1082-2025-11-05) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v10.6.0...v10.9.0)) ([#4661], [#4664], [#4667], [#07b40823]) * Update `admin-container` from 0.12.3 to 0.12.4 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#0124) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.12.3...v0.12.4)) ([#4669]) * Update `bootstrap-container` from 0.2.6 to 0.2.8 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#028) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.2.6...v0.2.8)) ([#4664], [#4669]) * Update `control-container` from 0.8.8 to 0.8.10
[CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#0810) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.8.8...v0.8.10)) ([#4664], [#4669]) ### Settings Extensions * Update bottlerocket-settings-models to v0.16.0 ([#4661]) [#4661]: https://github.com/bottlerocket-os/bottlerocket/pull/4661 [#4664]: https://github.com/bottlerocket-os/bottlerocket/pull/4664 [#4667]: https://github.com/bottlerocket-os/bottlerocket/pull/4667 [#4669]: https://github.com/bottlerocket-os/bottlerocket/pull/4669 [#4672]: https://github.com/bottlerocket-os/bottlerocket/pull/4672 [bottlerocket-core-kit#646]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/646 [bottlerocket-core-kit#679]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/679 [bottlerocket-core-kit#702]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/702 [#07b40823]: https://github.com/bottlerocket-os/bottlerocket/commit/07b408232df3a5c47b93b7ba086ddebca5677703 [bottlerocket-core-kit#6e3d3e2e]: https://github.com/bottlerocket-os/bottlerocket-core-kit/commit/6e3d3e2e563ec556b9fc51eb495a180b69bcf43b # v1.49.0 (2025-10-09) ## OS Changes * Update `bottlerocket-kernel-kit` from 4.3.1 to 4.3.3 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v433-2025-10-03) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v4.3.1...v4.3.3)) ([#4657]) [#4657]: https://github.com/bottlerocket-os/bottlerocket/pull/4657 # v1.48.0 (2025-09-29) ## Release Highlights * Support passing arguments to `apiclient exec` subcommand with a `--` separator ([bottlerocket-core-kit#647]) * Install `driverdog` for all variants ([bottlerocket-core-kit#656]) - Thanks @fletcherw! 
## OS Changes * Update `bottlerocket-kernel-kit` from 4.3.0 to 4.3.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v431-2025-09-15) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v4.3.0...v4.3.1)) ([#4644]) * Update `bottlerocket-core-kit` from 10.4.1 to 10.6.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1060-2025-09-23) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v10.4.1...v10.6.0)) ([#4649]) * Update `admin-container` from 0.12.2 to 0.12.3 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#0123) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.12.2...v0.12.3)) ([#4647]) * Update `bootstrap-container` from 0.2.5 to 0.2.6 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#026) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.2.5...v0.2.6)) ([#4647]) * Update `control-container` from 0.8.7 to 0.8.8 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#088) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.8.7...v0.8.8)) ([#4647]) [#4644]: https://github.com/bottlerocket-os/bottlerocket/pull/4644 [#4647]: https://github.com/bottlerocket-os/bottlerocket/pull/4647 [#4649]: https://github.com/bottlerocket-os/bottlerocket/pull/4649 [bottlerocket-core-kit#647]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/647 [bottlerocket-core-kit#656]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/656 # v1.47.0 (2025-09-15) ## Release Highlights * Add new kubernetes 1.34 variants ([#4631]): * Add `aws-k8s-1.34`, `aws-k8s-1.34-nvidia`, `aws-k8s-1.34-fips`, `vmware-k8s-1.34`, and `vmware-k8s-1.34-fips` variants * All k8s-1.34 
variants use the following: * Kernel 6.12 * `systemd-257` ([bottlerocket-core-kit#581], [bottlerocket-core-kit#636]) * `nftables` for managing network filter rules ([bottlerocket-core-kit#549]) * `containerd-2.1` ([bottlerocket-core-kit#621]) * Default `concurrent-download-chunk-size` setting is set at `8mib` * Remove the support for Schema 1 images * Update defaults for the `shutdown-grace-period` to 2 minutes and 30 seconds with the last 30 seconds reserved for critical pods for aws variants. * Default device list strategy is set to `cdi-cri` for nvidia k8s device plugin * `aws-k8s-1.34-nvidia` variant uses NVIDIA R580 drivers * Add `command` field to override default entrypoint for host and bootstrap containers ([#4636], [bottlerocket-core-kit#594]) - Thanks @kasimeka! * Add `containerd-2.1` setting for `concurrent-download-chunk-size` ([#4638], [bottlerocket-core-kit#645]) ## OS Changes * Update `bottlerocket-kernel-kit` from 4.2.0 to 4.3.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v430-2025-09-08) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v4.2.0...v4.3.0)) ([#4637]) * Update `bottlerocket-core-kit` from 10.3.0 to 10.4.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1041-2025-09-11) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v10.3.0...v10.4.1)) ([#4639], [#4642]) [#4631]: https://github.com/bottlerocket-os/bottlerocket/pull/4631 [#4636]: https://github.com/bottlerocket-os/bottlerocket/pull/4636 [#4637]: https://github.com/bottlerocket-os/bottlerocket/pull/4637 [#4638]: https://github.com/bottlerocket-os/bottlerocket/pull/4638 [#4639]: https://github.com/bottlerocket-os/bottlerocket/pull/4639 [#4642]: https://github.com/bottlerocket-os/bottlerocket/pull/4642 [bottlerocket-core-kit#549]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/549 [bottlerocket-core-kit#581]: 
https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/581 [bottlerocket-core-kit#594]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/594 [bottlerocket-core-kit#621]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/621 [bottlerocket-core-kit#636]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/636 [bottlerocket-core-kit#645]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/645 # v1.46.0 (2025-09-02) ## Release Highlights * Add support for new Kubernetes setting `static-pods-enabled` ([bottlerocket-core-kit#641]) * Add default bind directories for ephemeral storage ([bottlerocket-core-kit#632]) ## OS Changes * Update `bottlerocket-sdk` from 0.63.0 to 0.64.0 ([commits](https://github.com/bottlerocket-os/bottlerocket-sdk/compare/v0.63.0...v0.64.0))([#4623]) * Update `bottlerocket-core-kit` from 10.1.2 to 10.3.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1030-2025-08-26) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v10.1.2...v10.3.0)) ([#4623], [#4628]) * Update `bottlerocket-kernel-kit` from 4.0.1 to 4.2.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v420-2025-08-25) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v4.0.1...v4.2.0)) ([#4623], [#4626]) ## Build Changes ### Twoliter * Update `twoliter` from 0.11.0 to 0.12.0 and schema-version to 2 [CHANGELOG](https://github.com/bottlerocket-os/twoliter/blob/develop/CHANGELOG.md#0120---2025-08-21) ([commits](https://github.com/bottlerocket-os/twoliter/compare/v0.11.0...v0.12.0)) ([#4624]) [#4623]: https://github.com/bottlerocket-os/bottlerocket/pull/4623 [#4624]: https://github.com/bottlerocket-os/bottlerocket/pull/4624 [#4626]: https://github.com/bottlerocket-os/bottlerocket/pull/4626 [#4628]: https://github.com/bottlerocket-os/bottlerocket/pull/4628 [bottlerocket-core-kit#632]: 
https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/632 [bottlerocket-core-kit#641]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/641 # v1.45.0 (2025-08-18) ## Release Highlights * Fix `containerd-2.0` settings for `max_concurrent_downloads` ([bottlerocket-core-kit#623]) ## OS Changes * Restrict kubelet's exec-start file permission to 0600 ([#4574]) * Restrict kubelet-server.key file permission to 0600 ([#4599]) * Update admin container from 0.12.1 to 0.12.2 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#0122) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.12.1...v0.12.2)) ([#4612]) * Update bootstrap container from 0.2.4 to 0.2.5 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#025) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.2.4...v0.2.5)) ([#4612]) * Update control container from 0.8.6 to 0.8.7 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#087) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.8.6...v0.8.7)) ([#4612]) * Update `bottlerocket-kernel-kit` from 3.3.1 to 4.0.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v401-2025-08-11) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v3.3.1...v4.0.1))([#4613]) * Update `bottlerocket-core-kit` from 10.0.1 to 10.1.2 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1012-2025-08-14) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v10.0.1...v10.1.2))([#4615], [#4616], [#4619]) [#4574]: https://github.com/bottlerocket-os/bottlerocket/pull/4574 [#4599]: https://github.com/bottlerocket-os/bottlerocket/pull/4599 [#4612]: 
https://github.com/bottlerocket-os/bottlerocket/pull/4612 [#4613]: https://github.com/bottlerocket-os/bottlerocket/pull/4613 [#4615]: https://github.com/bottlerocket-os/bottlerocket/pull/4615 [#4616]: https://github.com/bottlerocket-os/bottlerocket/pull/4616 [#4619]: https://github.com/bottlerocket-os/bottlerocket/pull/4619 [bottlerocket-core-kit#623]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/623 # v1.44.0 (2025-08-04) ## Release Highlights * Remove `aws-k8s-1.27` and `aws-ecs-1` variants ([#4598]) * Fix file descriptor leak in `apiserver exec` ([bottlerocket-core-kit#595]) * Add `soci-snapshotter` support to kubernetes variants ([#4593]) * Configure `soci-snapshotter` for parallel pull unpack feature ([bottlerocket-core-kit#569]) * Optionally configure containerd and kubelet with `soci-snapshotter` via drop-in configuration files ([bottlerocket-core-kit#576]) * Extend selinux-policy to cover `soci-snapshotter` ([bottlerocket-core-kit#579]) * Add `configure-snapshotter.service` to reset state directories of snapshotters on boot when selected snapshotter changes ([bottlerocket-core-kit#582]) * Apply upstream patches to `soci-snapshotter` ([bottlerocket-core-kit#599]) * Drop CLI from `soci-snapshotter` ([bottlerocket-core-kit#569]) ## OS Changes * Update `bottlerocket-core-kit` from 9.2.1 to 10.0.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v1001-2025-07-31) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v9.2.1...v10.0.1)) ([#4605], [#4609]) * Update `bottlerocket-kernel-kit` from 3.2.1 to 3.3.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v331-2025-07-25) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v3.2.1...v3.3.1)) ([#4604]) ## Build Changes * Add `reset-single-test` testsys command ([#4581]) ## Orchestrator Changes ### Kubernetes * Add `soci-snapshotter` support to kubernetes 
variants ([#4593]) * Remove `aws-k8s-1.27` variants ([#4598]) ### ECS * Remove `aws-ecs-1` variants ([#4598]) [#4581]: https://github.com/bottlerocket-os/bottlerocket/pull/4581 [#4593]: https://github.com/bottlerocket-os/bottlerocket/pull/4593 [#4598]: https://github.com/bottlerocket-os/bottlerocket/pull/4598 [#4604]: https://github.com/bottlerocket-os/bottlerocket/pull/4604 [#4605]: https://github.com/bottlerocket-os/bottlerocket/pull/4605 [#4609]: https://github.com/bottlerocket-os/bottlerocket/pull/4609 [bottlerocket-core-kit#569]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/569 [bottlerocket-core-kit#576]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/576 [bottlerocket-core-kit#579]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/579 [bottlerocket-core-kit#582]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/582 [bottlerocket-core-kit#595]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/595 [bottlerocket-core-kit#599]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/599 # v1.43.0 (2025-07-24) ## OS Changes * Update `bottlerocket-core-kit` from 9.1.0 to 9.2.1 ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v9.1.0...v9.2.1))([#dee811f6]) * Update `bottlerocket-kernel-kit` from 3.1.1 to 3.2.1 ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v3.1.1...v3.2.1))([#d6d31d6c]) * Update admin container from 0.12.0 to 0.12.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#0121) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.12.0...v0.12.1)) ([#4590]) * Update bootstrap container from 0.2.3 to 0.2.4 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#024) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.2.3...v0.2.4)) ([#4590]) * Update 
control container from 0.8.5 to 0.8.6 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#086) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.8.5...v0.8.6)) ([#4590]) ## Build Changes * Update `bottlerocket-sdk` from 0.62.0 to 0.63.0 ([commits](https://github.com/bottlerocket-os/bottlerocket-sdk/compare/v0.62.0...v0.63.0)) ([#4592]) ### Twoliter * Update `twoliter` from 0.10.1 to 0.11.0 [CHANGELOG](https://github.com/bottlerocket-os/twoliter/blob/develop/CHANGELOG.md#0110---2024-07-17) ([commits](https://github.com/bottlerocket-os/twoliter/compare/v0.10.1...v0.11.0)) ([#4594]) [#4590]: https://github.com/bottlerocket-os/bottlerocket/pull/4590 [#4592]: https://github.com/bottlerocket-os/bottlerocket/pull/4592 [#4594]: https://github.com/bottlerocket-os/bottlerocket/pull/4594 [#dee811f6]: https://github.com/bottlerocket-os/bottlerocket/commit/dee811f63f7da043fb1caea2f54815bdb05da697 [#d6d31d6c]: https://github.com/bottlerocket-os/bottlerocket/commit/d6d31d6cc322454f3b5738075af805e3f388f966 # v1.42.0 (2025-06-30) ## Release Highlights * Add support for kubernetes `memory-swap-behavior` ([#4566], [bottlerocket-core-kit#541], [bottlerocket-settings-sdk#88]) - Thanks @teskje! 
## OS Changes * Update `bottlerocket-core-kit` from 9.0.0 to 9.1.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v910-2025-06-23) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v9.0.0...v9.1.0)) ([#4569]) * Update `bottlerocket-kernel-kit` from 3.1.0 to 3.1.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v311-2025-07-24) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v3.1.0...v3.1.1)) ([#4570]) * Update admin container from 0.11.20 to 0.12.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#0120) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.11.20...v0.12.0)) ([#4565]) * Update bootstrap container from 0.2.2 to 0.2.3 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#023) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.2.2...v0.2.3)) ([#4565]) * Update control container from 0.8.4 to 0.8.5 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#085) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.8.4...v0.8.5)) ([#4565]) ## Orchestrator Changes ### Kubernetes * Support kubernetes `memory-swap-behavior` setting [#4566] - Thanks @teskje! 
[#4565]: https://github.com/bottlerocket-os/bottlerocket/pull/4565 [#4566]: https://github.com/bottlerocket-os/bottlerocket/pull/4566 [#4569]: https://github.com/bottlerocket-os/bottlerocket/pull/4569 [#4570]: https://github.com/bottlerocket-os/bottlerocket/pull/4570 [bottlerocket-settings-sdk#88]:https://github.com/bottlerocket-os/bottlerocket-settings-sdk/pull/88 [bottlerocket-core-kit#541]:https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/541 # v1.41.0 (2025-06-17) ## Release Highlights * Remove aws-k8s-1.26 variants ([#4519], [#4536]) * Add `zramctl` to `util-linux` package ([bottlerocket-core-kit#543]) * Enable LTO and arch-specific optimizations ([bottlerocket-sdk#276], [bottlerocket-core-kit#526]) * Provide Vulkan ICD configuration files for variants using the 6.1 and 6.12 kernels ([bottlerocket-kernel-kit#138]) - Thanks, @iterion! * Build GRUB with optimizations ([bottlerocket-kernel-kit#163]) * Provide `libnvidia-gpucomp.so` ([bottlerocket-kernel-kit#181]) - Thanks, @tzmtl! ## OS Changes * Update `bottlerocket-core-kit` from 8.2.0 to 9.0.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v900-2025-06-10) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v8.2.0...v9.0.0)) ([#4561]) * Update `bottlerocket-kernel-kit` from 2.5.1 to 3.1.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v310-2025-06-11) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v2.5.1...v3.1.0)) ([#4561]) * Drop setting generator for hugepages ([#4411]) ## Build Changes * Update `bottlerocket-sdk` from 0.61.0 to 0.62.0 ([commits](https://github.com/bottlerocket-os/bottlerocket-sdk/compare/v0.61.0...v0.62.0)) ([#4561]) ## Orchestrator Changes ### Kubernetes * Remove aws-k8s-1.26 variants ([#4519], [#4536]) * Fix image patterns for ECR dual-stack endpoint ([#4518]) - Thanks @rxnew, @cartermckinnon! 
[#4411]: https://github.com/bottlerocket-os/bottlerocket/pull/4411 [#4518]: https://github.com/bottlerocket-os/bottlerocket/pull/4518 [#4519]: https://github.com/bottlerocket-os/bottlerocket/issues/4519 [#4536]: https://github.com/bottlerocket-os/bottlerocket/pull/4536 [#4561]: https://github.com/bottlerocket-os/bottlerocket/pull/4561 [bottlerocket-core-kit#526]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/526 [bottlerocket-core-kit#543]: https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/543 [bottlerocket-sdk#276]: https://github.com/bottlerocket-os/bottlerocket-sdk/pull/276 [bottlerocket-kernel-kit#138]: https://github.com/bottlerocket-os/bottlerocket-kernel-kit/pull/138 [bottlerocket-kernel-kit#163]: https://github.com/bottlerocket-os/bottlerocket-kernel-kit/pull/163 [bottlerocket-kernel-kit#181]: https://github.com/bottlerocket-os/bottlerocket-kernel-kit/pull/181 # v1.40.0 (2025-05-22) ## Release Highlights * Migrate ECS to use CDI ([bottlerocket-core-kit#482](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/482)) * Support CDI and legacy NVIDIA Container Runtime modes ([#4475]) * Add NVLink Subnet Manager to support NVIDIA B200 ([bottlerocket-core-kit#499](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/499), [bottlerocket-kernel-kit#142](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/pull/142)) ## OS Changes * Update `bottlerocket-core-kit` from 8.1.1 to 8.2.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v820-2025-05-20) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v8.1.1...v8.2.0)) ([#4532]) * Update `bottlerocket-kernel-kit` from 2.3.3 to 2.5.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v251-2025-05-22) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v2.3.3...v2.5.1)) ([#4537]) * Update bootstrap container from 0.2.1 to 0.2.2 
[CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#022) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.2.1...v0.2.2)) ([#4535]) * Update control container from 0.8.3 to 0.8.4 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#084) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.8.3...v0.8.4)) ([#4535]) [#4475]: https://github.com/bottlerocket-os/bottlerocket/pull/4475 [#4532]: https://github.com/bottlerocket-os/bottlerocket/pull/4532 [#4535]: https://github.com/bottlerocket-os/bottlerocket/pull/4535 [#4537]: https://github.com/bottlerocket-os/bottlerocket/pull/4537 # v1.39.1 (2025-05-19) ## OS Changes * Update `bottlerocket-core-kit` from 8.1.0 to 8.1.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v811-2025-05-14) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v8.1.0...v8.1.1)) ([#4522]) ## Build Changes ### Twoliter * Update `twoliter` from 0.10.0 to 0.10.1 [CHANGELOG](https://github.com/bottlerocket-os/twoliter/blob/develop/CHANGELOG.md#0101---2025-05-14) ([commits](https://github.com/bottlerocket-os/twoliter/compare/v0.10.0...v0.10.1)) ([#4523]) [#4522]: https://github.com/bottlerocket-os/bottlerocket/pull/4522 [#4523]: https://github.com/bottlerocket-os/bottlerocket/pull/4523 # v1.39.0 (2025-05-06) ## Release Highlights * Provide `containerd-2.0` and `containerd-1.7` ([bottlerocket-core-kit#485](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/485)) * Add new k8s 1.33 variants ([#4507], [#4513]): * Add `aws-k8s-1.33`, `aws-k8s-1.33-nvidia`, `aws-k8s-1.33-fips`, `vmware-k8s-1.33`, and `vmware-k8s-1.33-fips` variants * FIPS variants use 6.1 kernel, all others use 6.12 kernel * Use EROFS for root filesystem on Kernel 6.12 variants * Use `containerd-2.0` on all k8s 1.33 variants * Use EBS 
volume `gp3` for all AWS k8s 1.33 variant AMIs * Require IMDSv2 by default for new k8s 1.33 variant AMIs. For applications not yet compatible with IMDSv2, this can be disabled at the instance or account level. See [the AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html#instance-metadata-options-order-of-precedence) for more details. ## OS Changes * Update `bottlerocket-core-kit` from 8.0.0 to 8.1.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v810-2025-05-05) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v8.0.0...v8.1.0)) ([#4510]) * Update `bottlerocket-kernel-kit` from 2.3.0 to 2.3.3 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v233-2025-05-01) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v2.3.0...v2.3.3)) ([#4508]) * Update admin container from 0.11.19 to 0.11.20 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#01120) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.11.19...v0.11.20)) ([#4509]) * Update bootstrap container from 0.2.0 to 0.2.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#021) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.2.0...v0.2.1)) ([#4509]) * Update control container from 0.8.2 to 0.8.3 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#083) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.8.2...v0.8.3)) ([#4509]) ## Orchestrator Changes ### Kubernetes * Add `aws-k8s-1.33`, `aws-k8s-1.33-nvidia`, `aws-k8s-1.33-fips`, `vmware-k8s-1.33`, and `vmware-k8s-1.33-fips` variants ([#4507]) * Add new Kubernetes settings ([#4506]) * 
`containerLogMaxWorkers` * `containerLogMonitorInterval` * `singleProcessOOMKill` ## Build Changes * Use GP3 volumes and require IMDSv2 by default for AWS k8s 1.33 variant AMIs. ([#4513]) ### Twoliter * Update `twoliter` from 0.9.0 to 0.10.0 [CHANGELOG](https://github.com/bottlerocket-os/twoliter/blob/develop/CHANGELOG.md#0100---2025-05-06) ([commits](https://github.com/bottlerocket-os/twoliter/compare/v0.9.0...v0.10.0)) ([#4512]) [#4506]: https://github.com/bottlerocket-os/bottlerocket/pull/4506 [#4507]: https://github.com/bottlerocket-os/bottlerocket/pull/4507 [#4508]: https://github.com/bottlerocket-os/bottlerocket/pull/4508 [#4509]: https://github.com/bottlerocket-os/bottlerocket/pull/4509 [#4510]: https://github.com/bottlerocket-os/bottlerocket/pull/4510 [#4512]: https://github.com/bottlerocket-os/bottlerocket/pull/4512 [#4513]: https://github.com/bottlerocket-os/bottlerocket/pull/4513 # v1.38.0 (2025-04-29) ## Release Highlights * Move aws-ecs-2-nvidia, aws-k8s-1.28-nvidia, aws-k8s-1.29-nvidia, aws-k8s-1.30-nvidia, aws-k8s-1.31-nvidia, and aws-k8s-1.32-nvidia variants from NVIDIA r535 driver to r570 driver ([#4499], [#4441]) * Remove aws-k8s-1.25 variants ([#4497], [#4496]) ## OS Changes * Update `bottlerocket-core-kit` from 7.0.1 to 8.0.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v800-2025-04-28) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v7.0.1...v8.0.0)) ([#4501]) * Update `bottlerocket-kernel-kit` from 2.2.2 to 2.3.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v230-2025-04-28) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v2.2.2...v2.3.0)) ([#4498]) ## Build Changes * Pass missing vars to sbkeys script ([#4493]) [#4493]: https://github.com/bottlerocket-os/bottlerocket/pull/4493 [#4496]: https://github.com/bottlerocket-os/bottlerocket/issues/4496 [#4497]: 
https://github.com/bottlerocket-os/bottlerocket/pull/4497 [#4498]: https://github.com/bottlerocket-os/bottlerocket/pull/4498 [#4499]: https://github.com/bottlerocket-os/bottlerocket/pull/4499 [#4441]: https://github.com/bottlerocket-os/bottlerocket/issues/4441 [#4501]: https://github.com/bottlerocket-os/bottlerocket/pull/4501 # v1.37.0 (2025-04-21) ## Release Highlights * Add `brush` to enable `aws-signing-helper` and IAM Roles Anywhere usage ([bottlerocket-core-kit#451](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/451)) * Clear configuration-files and services on upgrades ([bottlerocket-core-kit#456](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/456)) * Remove `shimpei` and `oci-add-hooks` ([bottlerocket-core-kit#458](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/458)) * Use the NVIDIA Container Runtime to configure GPUs for containers ([bottlerocket-core-kit#458](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/458)) * Update `runc` from 1.1.15 to 1.2.6 ([bottlerocket-core-kit#463](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/463)) * Allow lookups of .local domains using unicast DNS ([bottlerocket-core-kit#464](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/464)) - Thanks @tzneal! 
* Let `kubelet` start when swap is on ([bottlerocket-core-kit#473](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/473)) ## OS Changes * Remove unnecessary settings for OCI Hooks API ([#4474]) * Update migrations to delete configuration-files and services on downgrade ([#4478]) * Update `bottlerocket-core-kit` from 6.2.0 to 7.0.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v701-2025-04-22) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v6.3.0...v7.0.1)) ([#4471], [#4485], [#4490]) * Update `bottlerocket-kernel-kit` from 2.1.0 to 2.2.2 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v222-2025-04-18) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v2.1.0...v2.2.2)) ([#4485], [#4489]) * Update admin container from 0.11.18 to 0.11.19 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#01119) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.11.18...v0.11.19)) ([#4476]) * Update bootstrap container from 0.1.3 to 0.2.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#020) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.1.3...v0.2.0)) ([#4476]) * Update control container from 0.8.1 to 0.8.2 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#082) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.8.1...v0.8.2)) ([#4476]) ## Build Changes * Update Rust dependencies ([#4468], [#4469]) * Update secure boot keys to include aws-partition & ca-signing-algo arguments ([#4450]) * Update `bottlerocket-sdk` from 0.60.0 to 0.61.0 ([commits](https://github.com/bottlerocket-os/bottlerocket-sdk/compare/v0.60.0...v0.61.0)) ([#4485]) ### Twoliter * 
Update `twoliter` from 0.8.1 to 0.9.0 [CHANGELOG](https://github.com/bottlerocket-os/twoliter/blob/develop/CHANGELOG.md#090---2025-04-16) ([commits](https://github.com/bottlerocket-os/twoliter/compare/v0.8.1...v0.9.0)) ([#4484]) [#4450]: https://github.com/bottlerocket-os/bottlerocket/pull/4450 [#4468]: https://github.com/bottlerocket-os/bottlerocket/pull/4468 [#4469]: https://github.com/bottlerocket-os/bottlerocket/pull/4469 [#4471]: https://github.com/bottlerocket-os/bottlerocket/pull/4471 [#4474]: https://github.com/bottlerocket-os/bottlerocket/pull/4474 [#4476]: https://github.com/bottlerocket-os/bottlerocket/pull/4476 [#4478]: https://github.com/bottlerocket-os/bottlerocket/pull/4478 [#4484]: https://github.com/bottlerocket-os/bottlerocket/pull/4484 [#4485]: https://github.com/bottlerocket-os/bottlerocket/pull/4485 [#4489]: https://github.com/bottlerocket-os/bottlerocket/pull/4489 [#4490]: https://github.com/bottlerocket-os/bottlerocket/pull/4490 # v1.36.0 (2025-04-07) ## Release Highlights * Switch to igzip (x86_64) or pigz with zlib-ng (aarch64) to decompress container images ([bottlerocket-core-kit#443](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/443)) * Add support for more AWS regions in schnauzer and host-ctr ([bottlerocket-core-kit#454](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/454)) ## OS Changes * Update `bottlerocket-core-kit` from 6.1.0 to 6.2.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v620-2025-04-01) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v6.1.0...v6.2.0)) ([#4460], [#4452]) * Update `bottlerocket-kernel-kit` from 1.3.0 to 2.1.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v210-2024-04-02) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v1.3.0...v2.1.0)) ([#4461]) ## Orchestrator Changes ### Kubernetes * Authenticate with ECR public to 
avoid rate limits ([#4419]) - Thanks @MarkIannucci! * Support ECR credential provider in more ISO partitions ([#4459]) ## Build Changes * Remove redundant metadata migration helpers ([#4459]) * Archive migrations prior to v1.34.0 ([#4459]) * Remove schnauzer and apiclient dependencies from bottlerocket repo ([#4459]) ### Documentation Changes * Fix links to `./packages` to point to the `bottlerocket-core-kit/packages` ([#4446]) [#4419]: https://github.com/bottlerocket-os/bottlerocket/pull/4419 [#4446]: https://github.com/bottlerocket-os/bottlerocket/pull/4446 [#4452]: https://github.com/bottlerocket-os/bottlerocket/pull/4452 [#4459]: https://github.com/bottlerocket-os/bottlerocket/pull/4459 [#4460]: https://github.com/bottlerocket-os/bottlerocket/pull/4460 [#4461]: https://github.com/bottlerocket-os/bottlerocket/pull/4461 # v1.35.0 (2025-03-24) ## Release Highlights * Move the `aws-ecs-1` kernel from 5.10 to 5.15 ([#4434]) * Persist sysctl setting changes to /etc/sysctl.d ([bottlerocket-core-kit#333](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/333)) - Thanks @aetimmes * Updated CIS report to account for formatting change in iptables ([bottlerocket-core-kit#390](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/390)) * Include SHA-256 and SHA-512 CPU routines in the ARM kernel image ([bottlerocket-kernel-kit#67](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/pull/67)) ## OS Changes * Update admin container from 0.11.16 to 0.11.18 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-admin-container/blob/develop/CHANGELOG.md#01118) ([commits](https://github.com/bottlerocket-os/bottlerocket-admin-container/compare/v0.11.16...v0.11.18)) ([#4431], [#4443]) * Update bootstrap container from 0.1.1 to 0.1.3 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/blob/develop/CHANGELOG.md#013) ([commits](https://github.com/bottlerocket-os/bottlerocket-bootstrap-container/compare/v0.1.1...v0.1.3)) 
([#4432], [#4443]) * Update control container from 0.7.20 to 0.8.1 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-control-container/blob/develop/CHANGELOG.md#081) ([commits](https://github.com/bottlerocket-os/bottlerocket-control-container/compare/v0.7.20...v0.8.1)) ([#4431], [#4443]) ## Build Changes * Update `bottlerocket-core-kit` from 6.0.2 to 6.1.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v610-2025-03-14) ([commits](https://github.com/bottlerocket-os/bottlerocket-core-kit/compare/v6.0.2...v6.1.0)) ([#4439]) * Update `bottlerocket-kernel-kit` from 1.2.0 to 1.3.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v130-2024-03-06) ([commits](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/compare/v1.2.0...v1.3.0)) ([#4439]) * Update `bottlerocket-sdk` from 0.50.1 to 0.60.0 ([commits](https://github.com/bottlerocket-os/bottlerocket-sdk/compare/v0.50.1...v0.60.0)) ([#4439]) * Bump `ring` from 0.17.8 to 0.17.13 ([#4430]) ### Twoliter * Update `twoliter` from 0.7.3 to 0.8.1 [CHANGELOG](https://github.com/bottlerocket-os/twoliter/blob/develop/CHANGELOG.md#081---2025-03-13) ([commits](https://github.com/bottlerocket-os/twoliter/compare/v0.7.3...v0.8.1)) ([#4433], [#4438]) [#4430]: https://github.com/bottlerocket-os/bottlerocket/pull/4430 [#4431]: https://github.com/bottlerocket-os/bottlerocket/pull/4431 [#4432]: https://github.com/bottlerocket-os/bottlerocket/pull/4432 [#4433]: https://github.com/bottlerocket-os/bottlerocket/pull/4433 [#4434]: https://github.com/bottlerocket-os/bottlerocket/pull/4434 [#4438]: https://github.com/bottlerocket-os/bottlerocket/pull/4438 [#4439]: https://github.com/bottlerocket-os/bottlerocket/pull/4439 [#4443]: https://github.com/bottlerocket-os/bottlerocket/pull/4443 # v1.34.0 (2025-03-03) ## OS Changes * Add support for NVIDIA Multi-Instance GPU (MIG) ([#4418]) ## Build Changes * Update bottlerocket-core-kit from 
6.0.1 to 6.0.2 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/CHANGELOG.md#v602-2025-02-26) ([#4416]) * Update bottlerocket-kernel-kit from 1.1.2 to 1.2.0 [CHANGELOG](https://github.com/bottlerocket-os/bottlerocket-kernel-kit/blob/develop/CHANGELOG.md#v120-2024-02-26) ([#4416]) ### Twoliter * Update Twoliter to 0.7.3 ([#4416]) [#4416]: https://github.com/bottlerocket-os/bottlerocket/pull/4416 [#4418]: https://github.com/bottlerocket-os/bottlerocket/pull/4418 # v1.33.0 (2025-02-26) ## Release Highlights * Remove aws-k8s-1.24 variants ([#4359]) ## OS Changes * Allow default host containers to be changed without a migration ([#4324]) * Add default managed Bootstrap container ([#4349]) * Correct migrations for public control containers. ([#4388]) ## Build Changes * Update bottlerocket-kernel-kit to 1.1.2 ([#4383], [#4386], [#4394], [#4408]) * Update bottlerocket-core-kit to 6.0.1 ([#4387], [#4403]) ### Twoliter * Update Twoliter to 0.7.2 ([#4384]) ## Orchestrator Changes ### Kubernetes * Deprecate Kubernetes 1.24 AWS variants ([#4379]) [#4324]: https://github.com/bottlerocket-os/bottlerocket/pull/4324 [#4349]: https://github.com/bottlerocket-os/bottlerocket/pull/4349 [#4359]: https://github.com/bottlerocket-os/bottlerocket/issues/4359 [#4379]: https://github.com/bottlerocket-os/bottlerocket/pull/4379 [#4383]: https://github.com/bottlerocket-os/bottlerocket/pull/4383 [#4384]: https://github.com/bottlerocket-os/bottlerocket/pull/4384 [#4386]: https://github.com/bottlerocket-os/bottlerocket/pull/4386 [#4387]: https://github.com/bottlerocket-os/bottlerocket/pull/4387 [#4388]: https://github.com/bottlerocket-os/bottlerocket/pull/4388 [#4394]: https://github.com/bottlerocket-os/bottlerocket/pull/4394 [#4403]: https://github.com/bottlerocket-os/bottlerocket/pull/4403 [#4408]: https://github.com/bottlerocket-os/bottlerocket/pull/4408 # v1.32.0 (2025-01-24) ## Build Changes * Update bottlerocket-core-kit to 5.4.2 ([#4374]) * Update 
bottlerocket-kernel-kit to 1.0.6 ([#4374]) * Update bottlerocket-sdk to 0.50.1 ([#4374]) ### Twoliter * Update Twoliter to 0.7.1 ([#4373]) [#4373]: https://github.com/bottlerocket-os/bottlerocket/pull/4373 [#4374]: https://github.com/bottlerocket-os/bottlerocket/pull/4374 # v1.31.0 (2025-01-21) ## OS Changes * Update host containers ([#4360]) ## Build Changes * Update bottlerocket-core-kit to 5.4.1 ([#4365]) * Update bottlerocket-kernel-kit to 1.0.4 ([#4366]) ### Twoliter * Update Twoliter to 0.7.0 ([#4362]) [#4360]: https://github.com/bottlerocket-os/bottlerocket/pull/4360 [#4362]: https://github.com/bottlerocket-os/bottlerocket/pull/4362 [#4365]: https://github.com/bottlerocket-os/bottlerocket/pull/4365 [#4366]: https://github.com/bottlerocket-os/bottlerocket/pull/4366 # v1.30.0 (2025-01-07) ## OS Changes * Update host containers ([#4353]) ## Orchestrator Changes ### Kubernetes * Add Kubernetes 1.32 variants ([#4320]) * Add device-ownership-from-security-context setting (default to true on aws-k8s-1.32) ([#4345]) ## Build Changes * Update bottlerocket-core-kit to 5.3.0 ([#4351]) * Update bottlerocket-kernel-kit to 1.0.2 ([#4344]) [#4320]: https://github.com/bottlerocket-os/bottlerocket/pull/4320 [#4344]: https://github.com/bottlerocket-os/bottlerocket/pull/4344 [#4345]: https://github.com/bottlerocket-os/bottlerocket/pull/4345 [#4351]: https://github.com/bottlerocket-os/bottlerocket/pull/4351 [#4353]: https://github.com/bottlerocket-os/bottlerocket/pull/4353 # v1.29.0 (2024-12-17) ## Build Changes * Add bottlerocket-kernel-kit 1.0.0 ([#4332]) * Update bottlerocket-core-kit to 5.0.0 ([#4332]) * Update bottlerocket-sdk to 0.50.0 ([#4332]) ## OS Changes * Enable plugins and detailed EBS volume stats for `nvme-cli` ([bottlerocket-core-kit#269](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/269)) * Set `LoaderTimeInitUSec` and `LoaderTimeExecUSec` in GRUB ([bottlerocket-core-kit#273](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/273)) 
[#4332]: https://github.com/bottlerocket-os/bottlerocket/pull/4332 # v1.28.0 (2024-12-08) ## Release Highlights * Enable EFA support to Bottlerocket AMIs ([#4290]) * Fix `io_uring` regression in 6.1 kernel ([bottlerocket-core-kit#284](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/284)) * Allow overriding the max-pods file with one from your variant ([bottlerocket-core-kit#279](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/279)) - thanks @tzneal ## Build Changes * Update bottlerocket-core-kit to 4.0.1 ([#4322]) ### OS Changes * Update host containers ([#4312]) * Update Twoliter to 0.6.0 ([#4323]) ### Documentation Changes * Update models README references ([#4138]) [#4138]: https://github.com/bottlerocket-os/bottlerocket/pull/4138 [#4290]: https://github.com/bottlerocket-os/bottlerocket/pull/4290 [#4312]: https://github.com/bottlerocket-os/bottlerocket/pull/4312 [#4322]: https://github.com/bottlerocket-os/bottlerocket/pull/4322 [#4323]: https://github.com/bottlerocket-os/bottlerocket/pull/4323 # v1.27.1 (2024-11-16) ## Release Highlights * Add patch for kernel-5.15 to fix issues when using IPv6 ([bottlerocket-core-kit#266](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/266)) ## Build Changes ### OS Changes * Update bottlerocket-core-kit to 3.3.2 ([#4301]) [#4301]: https://github.com/bottlerocket-os/bottlerocket/pull/4301 # v1.27.0 (2024-11-12) ## Release Highlights * Add FIPS variants ([#4274], [#1667], [#4267]) * Drop k8s 1.28 and k8s 1.29 metal variants ([#4287]) ## OS Changes * Add aws-creds settings defaults to all AWS variants ([#4285]) * Add support for migrations to modify aws-config setting generators ([#4271]) ## Build Changes * Update bottlerocket-core-kit to 3.3.0 ([#4292]) * Update bottlerocket-sdk to 0.47.0 ([#4286]) [#1667]: https://github.com/bottlerocket-os/bottlerocket/pull/1667 [#4267]: https://github.com/bottlerocket-os/bottlerocket/pull/4267 [#4271]: 
https://github.com/bottlerocket-os/bottlerocket/pull/4271 [#4274]: https://github.com/bottlerocket-os/bottlerocket/pull/4274 [#4285]: https://github.com/bottlerocket-os/bottlerocket/pull/4285 [#4286]: https://github.com/bottlerocket-os/bottlerocket/pull/4286 [#4287]: https://github.com/bottlerocket-os/bottlerocket/pull/4287 [#4292]: https://github.com/bottlerocket-os/bottlerocket/pull/4292 # v1.26.2 (2024-11-04) ## Release Highlights * Wait for kubelet device-manager socket before starting nvidia-k8s-device-plugin ([bottlerocket-core-kit#238](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/238)) ## Build Changes ### OS Changes * Update bottlerocket-core-kit to 3.1.5 ([#4280]) [#4280]: https://github.com/bottlerocket-os/bottlerocket/pull/4280 # v1.26.1 (2024-10-24) ## Release Highlights * Revert system-wide configuration to block writeable/executable memory in systemd services ([bottlerocket-core-kit#215](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/215)) ## Build Changes ### OS Changes * Update bottlerocket-core-kit to 3.1.1 ([#4264]) [#4264]: https://github.com/bottlerocket-os/bottlerocket/pull/4264 # v1.26.0 (2024-10-23) ## Release Highlights * Update NVIDIA driver to 535.216.01 ([#4254]) * Move kmod-5.10-nvidia tesla package for aws-ecs-1-nvidia variant from branch R470 to R535 ([#4251]) ## Build Changes ### OS Changes * Update bottlerocket-core-kit to 3.1.0 ([#4254], [#4251]) * Update NVIDIA driver to 535.216.01 ([#4254]) * Update twoliter to 0.5.0 ([#4251]) * Update bottlerocket-sdk to 0.46 ([#4251]) * Standardize RPM release fields for RPM packages ([#4244]) ## Orchestrator Changes ### ECS * Move kmod-5.10-nvidia tesla package for aws-ecs-1-nvidia variant from branch R470 to R535 ([#4251]) ### Documentation Changes * Add link to bootstrap-commands documentation ([#4247]) [#4244]: https://github.com/bottlerocket-os/bottlerocket/pull/4244 [#4247]: https://github.com/bottlerocket-os/bottlerocket/pull/4247 [#4251]: 
https://github.com/bottlerocket-os/bottlerocket/pull/4251 [#4254]: https://github.com/bottlerocket-os/bottlerocket/pull/4254 # v1.25.0 (2024-10-15) ## Release Highlights * Remove aws-k8s-1.23 variants (https://github.com/bottlerocket-os/bottlerocket/issues/4083) * Add support for NVIDIA GPU time slicing (closes https://github.com/bottlerocket-os/bottlerocket/issues/2347) ## Build Changes ### OS Changes * Update bottlerocket-core-kit to 2.9.0 ([#4242]) * Update host containers ([#4241]) * Update twoliter to v0.4.7 ([#4236]) * Fix permissions for kubelet-exec-start-conf file ([#4199]) * Add support for NVIDIA GPU time slicing ([#4230]) ## Orchestrator Changes ### Kubernetes * Drop Kubernetes 1.23 AWS variants ([#4227], [#4237]) ### Documentation Changes * Add security guidance for NVIDIA GPU time-slicing ([#4240]) [#4199]: https://github.com/bottlerocket-os/bottlerocket/pull/4199 [#4227]: https://github.com/bottlerocket-os/bottlerocket/pull/4227 [#4230]: https://github.com/bottlerocket-os/bottlerocket/pull/4230 [#4236]: https://github.com/bottlerocket-os/bottlerocket/pull/4236 [#4237]: https://github.com/bottlerocket-os/bottlerocket/pull/4237 [#4240]: https://github.com/bottlerocket-os/bottlerocket/pull/4240 [#4241]: https://github.com/bottlerocket-os/bottlerocket/pull/4241 [#4242]: https://github.com/bottlerocket-os/bottlerocket/pull/4242 # v1.24.1 (2024-10-04) ## Release Highlights * Update ecs-agent to 1.86.3 ([bottlerocket-core-kit#168](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/168)) - Closes issue [#4186](https://github.com/bottlerocket-os/bottlerocket/issues/4186) ## Build Changes ### OS Changes * Update bottlerocket-core-kit to 2.8.4 ([#4231]) * Update host containers ([#4233]) ### Documentation Changes * Update QUICKSTART-EKS.md ([#4228]) - Thanks @bryanhsu00 for the suggested fix! 
[#4228]: https://github.com/bottlerocket-os/bottlerocket/pull/4228 [#4231]: https://github.com/bottlerocket-os/bottlerocket/pull/4231 [#4233]: https://github.com/bottlerocket-os/bottlerocket/pull/4233 # v1.24.0 (2024-09-27) ## Release Highlights * Use open GPU drivers on P4 and P5 instances automatically [bottlerocket-core-kit#114](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/114) * Update to nvidia-container-toolkit 1.16.2 [bottlerocket-core-kit#161](https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/161) ## Build Changes ### OS Changes * Update bottlerocket-core-kit to v2.8.1 ([#4222]) ### Settings Extensions * Drop dependency on glibc-devel ([#4213]) ### Documentation Changes * Update QUICKSTART-ECS.md and QUICKSTART-EKS.md ([#4169]) Thanks @bryantbiggs! [#4169]: https://github.com/bottlerocket-os/bottlerocket/pull/4169 [#4213]: https://github.com/bottlerocket-os/bottlerocket/pull/4213 [#4222]: https://github.com/bottlerocket-os/bottlerocket/pull/4222 # v1.23.0 (2024-09-19) ## Orchestrator Changes ### Kubernetes * Support Kubernetes NVIDIA Device Plugin configurations through API ([#4182]) * Support NVIDIA Container Toolkit configurations through API ([#4182]) ## Build Changes * Update bottlerocket-sdk to 0.45 ([#4189]) * Add `Twoliter.override` to `.gitignore` ([#4202]) ### Twoliter * Update bottlerocket-core-kit ([#4189], [#4203], [#4211]) * Perform binary checksum validation ([#4192]) * Update Twoliter to v0.4.6 ([#4200]) ### Settings Extensions * Update bottlerocket-settings-models to v0.4.0 ([#4182]) ### Documentation Changes * Add NVIDIA Device Plugin and NVIDIA Container Toolkit notes to SECURITY_GUIDANCE.md ([#4205]) [#4182]: https://github.com/bottlerocket-os/bottlerocket/pull/4182 [#4189]: https://github.com/bottlerocket-os/bottlerocket/pull/4189 [#4192]: https://github.com/bottlerocket-os/bottlerocket/pull/4192 [#4200]: https://github.com/bottlerocket-os/bottlerocket/pull/4200 [#4202]: 
https://github.com/bottlerocket-os/bottlerocket/pull/4202 [#4203]: https://github.com/bottlerocket-os/bottlerocket/pull/4203 [#4205]: https://github.com/bottlerocket-os/bottlerocket/pull/4205 [#4211]: https://github.com/bottlerocket-os/bottlerocket/pull/4211 # v1.22.0 (2024-09-10) ## Orchestrator Changes ### Kubernetes * Add Kubernetes 1.31 variants ([#4142]) ## OS Changes * Update host containers ([#4171]) * Add support for bootstrap commands ([#4131]) ## Build Changes ### Twoliter * Update bottlerocket-core-kit to v2.4.1 ([#4183], [#4177], [#4168]) ### Settings Extensions * Update bottlerocket-settings-models to v0.4.0 ([#4131]) [#4131]: https://github.com/bottlerocket-os/bottlerocket/pull/4131 [#4142]: https://github.com/bottlerocket-os/bottlerocket/pull/4142 [#4168]: https://github.com/bottlerocket-os/bottlerocket/pull/4168 [#4171]: https://github.com/bottlerocket-os/bottlerocket/pull/4171 [#4177]: https://github.com/bottlerocket-os/bottlerocket/pull/4177 [#4183]: https://github.com/bottlerocket-os/bottlerocket/pull/4183 # v1.21.1 (2024-08-21) ## OS Changes * Update host containers ([#4153]) ## Build Changes * Use workspace dependencies for all dependencies ([#4132]) ### Twoliter * Update bottlerocket-core-kit to v2.3.5 ([#4156], [#4152], [#4143], [#4139]) * Update Twoliter to v0.4.5 ([#4159]) ### Settings Extensions * Update bottlerocket-settings-models to v0.3.0 ([#4145]) ## README changes * Update command for SSM Start session on host container ([#4129]) - Thanks @Veronica4036! 
[#4129]: https://github.com/bottlerocket-os/bottlerocket/pull/4129 [#4132]: https://github.com/bottlerocket-os/bottlerocket/pull/4132 [#4139]: https://github.com/bottlerocket-os/bottlerocket/pull/4139 [#4143]: https://github.com/bottlerocket-os/bottlerocket/pull/4143 [#4145]: https://github.com/bottlerocket-os/bottlerocket/pull/4145 [#4152]: https://github.com/bottlerocket-os/bottlerocket/pull/4152 [#4153]: https://github.com/bottlerocket-os/bottlerocket/pull/4153 [#4156]: https://github.com/bottlerocket-os/bottlerocket/pull/4156 [#4159]: https://github.com/bottlerocket-os/bottlerocket/pull/4159 # v1.21.0 (2024-08-06) ## OS Changes * Update host containers ([#4117]) ## Orchestrator Changes ### Kubernetes * Enable k8s reserved cpus ([#3964]) * Drop k8s 1.27 metal and VMware variants ([#4079]) * Drop k8s 1.26 metal and VMware variants ([#4018]) * Build the pause image from upstream ([#3940]) - Thanks @tzneal! ### ECS * Port to the ECS settings extension ([#3984]) ## Build Changes * Archive previous release migrations ([#4014]) * Update Go dependencies ([#3999]) ### Twoliter * Migrate to core kit ([#4060]) * Remove leftover vendor section ([#4071]) * Update Twoliter to 0.4.4 ([#4008], [#4086], [#4093], [#4123]) * Update bottlerocket-core-kit to v2.3.1 ([#4122]) * Update bottlerocket-sdk to 0.43 ([#4122]) ### Settings Extensions * Use settings models vended by bottlerocket-settings-sdk ([#4057]) * Migrate to settings plugins and eliminate variant-based conditional compilation ([#4038]) * Enable settings extensions ([#4050]) * Update to bottlerocket-settings-models v0.2.0 ([#4118]) ## Platform Changes ### AWS * Add udev rule to create symlinks using EBS volumes’ device names ([#3977]) ## Package changes * Add Neuron kmod for 6.1 kernel ([#3982]) * Update containerd to 1.7.20 ([#4122]) ## README changes * Fix OpenAPI spec link ([#4062]) * Fix NVIDIA variants in SSM parameters ([#4047]) * Add k8s command to retrieve log archive ([#3993]) * Fix netdog reference link 
([#3974]) - Thanks @emmanuel-ferdman! * Update BUILDING.md with the latest Docker requirements ([#4098]) [#3940]: https://github.com/bottlerocket-os/bottlerocket/pull/3940 [#3964]: https://github.com/bottlerocket-os/bottlerocket/pull/3964 [#3974]: https://github.com/bottlerocket-os/bottlerocket/pull/3974 [#3977]: https://github.com/bottlerocket-os/bottlerocket/pull/3977 [#3982]: https://github.com/bottlerocket-os/bottlerocket/pull/3982 [#3984]: https://github.com/bottlerocket-os/bottlerocket/pull/3984 [#3993]: https://github.com/bottlerocket-os/bottlerocket/pull/3993 [#3999]: https://github.com/bottlerocket-os/bottlerocket/pull/3999 [#4008]: https://github.com/bottlerocket-os/bottlerocket/pull/4008 [#4014]: https://github.com/bottlerocket-os/bottlerocket/pull/4014 [#4018]: https://github.com/bottlerocket-os/bottlerocket/pull/4018 [#4027]: https://github.com/bottlerocket-os/bottlerocket/pull/4027 [#4038]: https://github.com/bottlerocket-os/bottlerocket/pull/4038 [#4047]: https://github.com/bottlerocket-os/bottlerocket/pull/4047 [#4050]: https://github.com/bottlerocket-os/bottlerocket/pull/4050 [#4057]: https://github.com/bottlerocket-os/bottlerocket/pull/4057 [#4060]: https://github.com/bottlerocket-os/bottlerocket/pull/4060 [#4062]: https://github.com/bottlerocket-os/bottlerocket/pull/4062 [#4071]: https://github.com/bottlerocket-os/bottlerocket/pull/4071 [#4079]: https://github.com/bottlerocket-os/bottlerocket/pull/4079 [#4086]: https://github.com/bottlerocket-os/bottlerocket/pull/4086 [#4093]: https://github.com/bottlerocket-os/bottlerocket/pull/4093 [#4098]: https://github.com/bottlerocket-os/bottlerocket/pull/4098 [#4117]: https://github.com/bottlerocket-os/bottlerocket/pull/4117 [#4118]: https://github.com/bottlerocket-os/bottlerocket/pull/4118 [#4122]: https://github.com/bottlerocket-os/bottlerocket/pull/4122 [#4123]: https://github.com/bottlerocket-os/bottlerocket/pull/4123 # v1.20.5 (2024-07-30) ## OS Changes * Update docker-engine to v25.0.6 ([#4111]) * 
Update containerd to 1.6.34 ([#4113]) * Update kernels: 5.10.220, 5.15.162, and 6.1.97 ([#4104]) * Update host containers ([#4110]) ## Orchestrator Changes ### Kubernetes * Add latest instance types to eni-max-pods mapping ([#4108]) [#4104]: https://github.com/bottlerocket-os/bottlerocket/pull/4104 [#4108]: https://github.com/bottlerocket-os/bottlerocket/pull/4108 [#4110]: https://github.com/bottlerocket-os/bottlerocket/pull/4110 [#4111]: https://github.com/bottlerocket-os/bottlerocket/pull/4111 [#4113]: https://github.com/bottlerocket-os/bottlerocket/pull/4113 # v1.20.4 (2024-07-15) ## OS Changes * Update kernels: 5.10.219 and 6.1.94 ([#4080]) * Update docker-engine and docker-cli to v25.0.5 ([#4091]) ## Orchestrator Changes ### Kubernetes * Update patches for kubernetes 1.23, 1.24, 1.25, and 1.26 ([#4084]) * Update sources for kubernetes 1.27, 1.28, 1.29, and 1.30 ([#4089]) [#4080]: https://github.com/bottlerocket-os/bottlerocket/pull/4080 [#4084]: https://github.com/bottlerocket-os/bottlerocket/pull/4084 [#4089]: https://github.com/bottlerocket-os/bottlerocket/pull/4089 [#4091]: https://github.com/bottlerocket-os/bottlerocket/pull/4091 # v1.20.3 (2024-06-26) ## OS Changes * Update kernels: 5.10.218, 5.15.160, and 6.1.92 ([#4064], [#4066]) [#4064]: https://github.com/bottlerocket-os/bottlerocket/pull/4064 [#4066]: https://github.com/bottlerocket-os/bottlerocket/pull/4066 # v1.20.2 (2024-06-12) ## OS Changes * Update kernel to 5.10.217 [#4039] * Mount static kmod as /usr/local/sbin/modprobe [#4037] [#4037]: https://github.com/bottlerocket-os/bottlerocket/pull/4037 [#4039]: https://github.com/bottlerocket-os/bottlerocket/pull/4039 # v1.20.1 (2024-06-04) ## OS Changes * Update kernels to 6.1.90, 5.15.158, and 5.10.216 ([#3976], [#3972]) * Include statically linked version of kmod ([#3981]) * Specify AWS EULA as license for kmod-*-nvidia packages ([#3991]) * Update source for Fabric Manager binaries ([#4015]) * Update NVIDIA driver versions to 470.256.02 and 
535.183.01 ([#4029]) [#3972]: https://github.com/bottlerocket-os/bottlerocket/pull/3972 [#3976]: https://github.com/bottlerocket-os/bottlerocket/pull/3976 [#3981]: https://github.com/bottlerocket-os/bottlerocket/pull/3981 [#3991]: https://github.com/bottlerocket-os/bottlerocket/pull/3991 [#4015]: https://github.com/bottlerocket-os/bottlerocket/pull/4015 [#4029]: https://github.com/bottlerocket-os/bottlerocket/pull/4029 # v1.20.0 (2024-05-13) ## OS Changes * Update third party packages ([#3939]) * Enable file system encryption in 5.15 and 6.1 kernels ([#3906], [#3908]) * Backport fix for loading SELinux modules ([#3907]) * Add Fabric Manager support ([#3873]) * Update host containers ([#3947]) * Add setting to configure ntp options ([#3852] thanks @domgoodwin) * Include swap utilities ([#3829]) * Update kernels to 6.1.87, 5.15.156, 5.10.215 ([#3934], [#3930]) ## Orchestrator Changes ### Kubernetes * Drop Kubernetes 1.25 Metal and VMware variants ([#3896]) * Add Kubernetes 1.30 variants ([#3859], [#3936]) * Add container-runtime settings to `aws-k8s-*-nvidia` variants ([#3945]) ### ECS * Update ecs-agent to 1.82.3 ([#3939]) * Use systemd drop-ins to configure the ECS agent ([#3834]) ## Build Changes * Update twoliter and the SDK ([#3938], [#3885]) * Remove liblzma and libbzip2 ([#3861], [#3944]) * Pessimize Rust builds that require the AWS SDK ([#3892]) * Reduce variant matrix in CI/CD ([#3863]) * Document package build tools for go dependencies ([#3882]) * Update Go lints in CI/CD ([#3884]) * Out-of-tree build enablement * systemd: use build defaults and kernel parameters for unified cgroups ([#3886], [#3935]) * early-boot-config: Use standalone provider binaries to fetch user data ([#3637], [#3890]) * logdog: retrieve settings via API client ([#3946]) * netdog: remove conditional compilation, add hostname helpers ([#3700], [#3898]) * schnauzer: add if_not_null template helper ([#3838]) * static-pods: remove conditional compilation, switch to config file ([#3891], 
[#3927], [#3913]) * host-containers: switch to config file ([#3777], [#3842]) * bootstrap-containers: switch to config file ([#3724]) * corndog: switch to config file ([#3715]) * prairiedog: switch to config file ([#3713], [#3814], [#3836]) * thar-be-updates: switch to config file ([#3721]) * updog: use modeled types ([#3901]) * kernel: remove variant sensitivity ([#3897], [#3905], [#3932]) * FIPS enablement * add FIPS report to the API ([#3894]) * add release-fips package for FIPS functionality ([#3893]) * build Go binaries for FIPS and non-FIPS ([#3887]) [#3637]: https://github.com/bottlerocket-os/bottlerocket/pull/3637 [#3700]: https://github.com/bottlerocket-os/bottlerocket/pull/3700 [#3713]: https://github.com/bottlerocket-os/bottlerocket/pull/3713 [#3715]: https://github.com/bottlerocket-os/bottlerocket/pull/3715 [#3721]: https://github.com/bottlerocket-os/bottlerocket/pull/3721 [#3724]: https://github.com/bottlerocket-os/bottlerocket/pull/3724 [#3777]: https://github.com/bottlerocket-os/bottlerocket/pull/3777 [#3814]: https://github.com/bottlerocket-os/bottlerocket/pull/3814 [#3829]: https://github.com/bottlerocket-os/bottlerocket/pull/3829 [#3834]: https://github.com/bottlerocket-os/bottlerocket/pull/3834 [#3836]: https://github.com/bottlerocket-os/bottlerocket/pull/3836 [#3838]: https://github.com/bottlerocket-os/bottlerocket/pull/3838 [#3842]: https://github.com/bottlerocket-os/bottlerocket/pull/3842 [#3852]: https://github.com/bottlerocket-os/bottlerocket/pull/3852 [#3859]: https://github.com/bottlerocket-os/bottlerocket/pull/3859 [#3861]: https://github.com/bottlerocket-os/bottlerocket/pull/3861 [#3863]: https://github.com/bottlerocket-os/bottlerocket/pull/3863 [#3873]: https://github.com/bottlerocket-os/bottlerocket/pull/3873 [#3882]: https://github.com/bottlerocket-os/bottlerocket/pull/3882 [#3884]: https://github.com/bottlerocket-os/bottlerocket/pull/3884 [#3885]: https://github.com/bottlerocket-os/bottlerocket/pull/3885 [#3886]: 
https://github.com/bottlerocket-os/bottlerocket/pull/3886 [#3887]: https://github.com/bottlerocket-os/bottlerocket/pull/3887 [#3890]: https://github.com/bottlerocket-os/bottlerocket/pull/3890 [#3891]: https://github.com/bottlerocket-os/bottlerocket/pull/3891 [#3892]: https://github.com/bottlerocket-os/bottlerocket/pull/3892 [#3893]: https://github.com/bottlerocket-os/bottlerocket/pull/3893 [#3894]: https://github.com/bottlerocket-os/bottlerocket/pull/3894 [#3896]: https://github.com/bottlerocket-os/bottlerocket/pull/3896 [#3897]: https://github.com/bottlerocket-os/bottlerocket/pull/3897 [#3898]: https://github.com/bottlerocket-os/bottlerocket/pull/3898 [#3901]: https://github.com/bottlerocket-os/bottlerocket/pull/3901 [#3905]: https://github.com/bottlerocket-os/bottlerocket/pull/3905 [#3906]: https://github.com/bottlerocket-os/bottlerocket/pull/3906 [#3907]: https://github.com/bottlerocket-os/bottlerocket/pull/3907 [#3908]: https://github.com/bottlerocket-os/bottlerocket/pull/3908 [#3913]: https://github.com/bottlerocket-os/bottlerocket/pull/3913 [#3927]: https://github.com/bottlerocket-os/bottlerocket/pull/3927 [#3930]: https://github.com/bottlerocket-os/bottlerocket/pull/3930 [#3932]: https://github.com/bottlerocket-os/bottlerocket/pull/3932 [#3934]: https://github.com/bottlerocket-os/bottlerocket/pull/3934 [#3935]: https://github.com/bottlerocket-os/bottlerocket/pull/3935 [#3936]: https://github.com/bottlerocket-os/bottlerocket/pull/3936 [#3938]: https://github.com/bottlerocket-os/bottlerocket/pull/3938 [#3939]: https://github.com/bottlerocket-os/bottlerocket/pull/3939 [#3944]: https://github.com/bottlerocket-os/bottlerocket/pull/3944 [#3945]: https://github.com/bottlerocket-os/bottlerocket/pull/3945 [#3946]: https://github.com/bottlerocket-os/bottlerocket/pull/3946 [#3947]: https://github.com/bottlerocket-os/bottlerocket/pull/3947 # v1.19.5 (2024-05-01) ## OS Changes * Update kernel to 5.10.214, 5.15.153, 6.1.84 [#3906] * Update third party packages ([#3910], 
[#3914]) * Update host containers ([#3911]) ## Orchestrator Changes ### Kubernetes * Provide runtime cgroup to kubelet ([#3804]) ## Build Changes * Update twoliter to v0.1.1 ([#3880], [#3900]) * Update ecs-gpu-init, amazon-ssm-agent, and nvidia-k8s-device-plugin builds for new SDK ([#3920], [#3921], [#3924]) [#3804]: https://github.com/bottlerocket-os/bottlerocket/pull/3804 [#3880]: https://github.com/bottlerocket-os/bottlerocket/pull/3880 [#3900]: https://github.com/bottlerocket-os/bottlerocket/pull/3900 [#3906]: https://github.com/bottlerocket-os/bottlerocket/pull/3906 [#3910]: https://github.com/bottlerocket-os/bottlerocket/pull/3910 [#3911]: https://github.com/bottlerocket-os/bottlerocket/pull/3911 [#3914]: https://github.com/bottlerocket-os/bottlerocket/pull/3914 [#3920]: https://github.com/bottlerocket-os/bottlerocket/pull/3920 [#3921]: https://github.com/bottlerocket-os/bottlerocket/pull/3921 [#3924]: https://github.com/bottlerocket-os/bottlerocket/pull/3924 # v1.19.4 (2024-04-06) ## OS Changes * Update kernel to 5.10.213, 5.15.152, 6.1.82 ([#3865]) * Update containerd to 1.6.31 ([#3869]) [#3865]: https://github.com/bottlerocket-os/bottlerocket/pull/3865 [#3869]: https://github.com/bottlerocket-os/bottlerocket/pull/3869 # v1.19.3 (2024-03-26) ## OS Changes * Update kernel to 5.10.210, 5.15.149, 6.1.79 ([#3853]) * Update third party packages ([#3793], [#3832]) * Update host containers ([#3837]) * Support auditctl in bootstrap containers ([#3831]) ## Orchestrator Changes ### Kubernetes * Add latest instance types to eni-max-pods mapping ([#3824]) ### ECS ## Build Changes * Update Rust dependencies ([#3830]) * Update Go dependencies ([#3830]) * twoliter updated to v0.0.7 ([#3839]) [#3793]: https://github.com/bottlerocket-os/bottlerocket/pull/3793 [#3824]: https://github.com/bottlerocket-os/bottlerocket/pull/3824 [#3832]: https://github.com/bottlerocket-os/bottlerocket/pull/3832 [#3830]: https://github.com/bottlerocket-os/bottlerocket/pull/3830 [#3831]:
https://github.com/bottlerocket-os/bottlerocket/pull/3831 [#3837]: https://github.com/bottlerocket-os/bottlerocket/pull/3837 [#3839]: https://github.com/bottlerocket-os/bottlerocket/pull/3839 [#3853]: https://github.com/bottlerocket-os/bottlerocket/pull/3853 # v1.19.2 (2024-02-26) ## OS Changes * Update third party packages ([#3789]) * Update kernel to 5.10.209, 5.15.148, 6.1.77 ([#3797]) * Add AWS settings extension ([#3738], [#3770]) * Allow CSI helpers in the SELinux policy ([#3779]) * Update to latest NVIDIA drivers ([#3798]) ## Orchestrator Changes ### Kubernetes * Enable NVIDIA GPU isolation using volume mounts ([#3718] thanks @chiragjn , [#3790]) * Clean up CNI results cache on boot ([#3792]) ### ECS * Add `settings.ecs.enable-container-metadata` ([#3782]) ## Build Changes * Adjust certdog to utilize a configuration file instead of the API server ([#3706], [#3778], [#3787]) * Don't use parallel make for shim package ([#3771]) * Renumber unit files in release package ([#3769]) * Ignore EKS patches for k8s-1.23 in Git ([#3774]) [#3706]: https://github.com/bottlerocket-os/bottlerocket/pull/3706 [#3718]: https://github.com/bottlerocket-os/bottlerocket/pull/3718 [#3738]: https://github.com/bottlerocket-os/bottlerocket/pull/3738 [#3769]: https://github.com/bottlerocket-os/bottlerocket/pull/3769 [#3770]: https://github.com/bottlerocket-os/bottlerocket/pull/3770 [#3771]: https://github.com/bottlerocket-os/bottlerocket/pull/3771 [#3774]: https://github.com/bottlerocket-os/bottlerocket/pull/3774 [#3778]: https://github.com/bottlerocket-os/bottlerocket/pull/3778 [#3779]: https://github.com/bottlerocket-os/bottlerocket/pull/3779 [#3782]: https://github.com/bottlerocket-os/bottlerocket/pull/3782 [#3787]: https://github.com/bottlerocket-os/bottlerocket/pull/3787 [#3789]: https://github.com/bottlerocket-os/bottlerocket/pull/3789 [#3790]: https://github.com/bottlerocket-os/bottlerocket/pull/3790 [#3792]: https://github.com/bottlerocket-os/bottlerocket/pull/3792 [#3797]: 
https://github.com/bottlerocket-os/bottlerocket/pull/3797 [#3798]: https://github.com/bottlerocket-os/bottlerocket/pull/3798 # v1.19.1 (2024-02-06) ## OS Changes * Update kernel to 5.10.209, 5.15.148 ([#3765]) * Update host containers ([#3763]) ## Orchestrator Changes ### Kubernetes * Mark pause container image as "pinned" to prevent garbage collection ([#3757]) ### ECS * Update Docker engine and Docker CLI to v25.0.2 ([#3759]) * Update ECS agent to 1.81.0 ([#3759]) * Update AWS SSM agent to 3.2.2222.0 ([#3762]) [#3765]: https://github.com/bottlerocket-os/bottlerocket/pull/3765 [#3763]: https://github.com/bottlerocket-os/bottlerocket/pull/3763 [#3757]: https://github.com/bottlerocket-os/bottlerocket/pull/3757 [#3759]: https://github.com/bottlerocket-os/bottlerocket/pull/3759 [#3762]: https://github.com/bottlerocket-os/bottlerocket/pull/3762 # v1.19.0 (2024-02-01) ## OS Changes * Adjust unit dependencies for systemd-sysusers ([#3720]) * Update third party packages ([#3722], [#3750]) * Add kernel settings extension ([#3727]) * Update kernel to 5.10.205, 5.15.145, 6.1.72 ([#3734]) * Update runc to 1.1.12 and containerd to 1.6.28 ([#3751]) ## Orchestrator Changes ### Kubernetes * Add latest instance types to eni-max-pods mapping ([#3741]) * Drop Kubernetes 1.24 Metal and VMware variants ([#3742]) ### ECS * Add additional ECS settings for ECS_BACKEND_HOST and ECS_AWSVPC_BLOCK_IMDS ([#3749]) ## Build Changes * twoliter updated to v0.0.6 ([#3744]) [#3720]: https://github.com/bottlerocket-os/bottlerocket/pull/3720 [#3722]: https://github.com/bottlerocket-os/bottlerocket/pull/3722 [#3727]: https://github.com/bottlerocket-os/bottlerocket/pull/3727 [#3734]: https://github.com/bottlerocket-os/bottlerocket/pull/3734 [#3741]: https://github.com/bottlerocket-os/bottlerocket/pull/3741 [#3742]: https://github.com/bottlerocket-os/bottlerocket/pull/3742 [#3744]: https://github.com/bottlerocket-os/bottlerocket/pull/3744 [#3749]: 
https://github.com/bottlerocket-os/bottlerocket/pull/3749 [#3750]: https://github.com/bottlerocket-os/bottlerocket/pull/3750 [#3751]: https://github.com/bottlerocket-os/bottlerocket/pull/3751 # v1.18.0 (2024-01-16) ## OS Changes * Remove unused runc SELinux policy rule ([#3673]) * Update third party packages ([#3692]) * Fix creation of kprobes using unqualified names ([#3699], [#3708]) * Update host containers ([#3704]) * Update kernel to 5.10.205, 5.15.145, 6.1.66 ([#3686], [#3708]) * Add container-registry settings extension ([#3674]) * Add updates settings extension ([#3689]) ## Orchestrator Changes ### Kubernetes * Add Kubernetes 1.29 variants ([#3628]) * Update Kubernetes 1.23 to release 33 ([#3692]) * Add latest instance types to eni-max-pods mapping ([#3695]) ### ECS * Update ecs-agent to 1.79.2 ([#3692]) ## Build Changes * Export symbols for packages that include dynamically linked Go binaries ([#3680]) * Update to Bottlerocket SDK v0.37.0 ([#3690]) + Upgrades to Go 1.21.5 [#3628]: https://github.com/bottlerocket-os/bottlerocket/pull/3628 [#3673]: https://github.com/bottlerocket-os/bottlerocket/pull/3673 [#3674]: https://github.com/bottlerocket-os/bottlerocket/pull/3674 [#3680]: https://github.com/bottlerocket-os/bottlerocket/pull/3680 [#3686]: https://github.com/bottlerocket-os/bottlerocket/pull/3686 [#3689]: https://github.com/bottlerocket-os/bottlerocket/pull/3689 [#3690]: https://github.com/bottlerocket-os/bottlerocket/pull/3690 [#3692]: https://github.com/bottlerocket-os/bottlerocket/pull/3692 [#3695]: https://github.com/bottlerocket-os/bottlerocket/pull/3695 [#3699]: https://github.com/bottlerocket-os/bottlerocket/pull/3699 [#3704]: https://github.com/bottlerocket-os/bottlerocket/pull/3704 [#3708]: https://github.com/bottlerocket-os/bottlerocket/pull/3708 # v1.17.0 (2023-12-12) ## OS Changes * Generate valid hostname when IPv6 reverse lookup fails ([#3592]) * Avoid mounting the EFI system partition at `/boot` ([#3591]) * Update kernel to 5.10.201, 
5.15.139, 6.1.61 ([#3611], [#3643]) * Switch to async `tough` ([#3566]) * Update host containers ([#3646]) * Move template migrations to `schnauzer` v2 ([#3633]) * Handle proxy credentials properly in `pluto` ([#3639], [#3667]) * Update third party packages ([#3612], [#3642]) ## Orchestrator Changes ### Kubernetes * Update `nvidia-k8s-device-plugin` to address CVEs ([#3612]) * Update to Kubernetes 1.28.4 ([#3612]) * Update to Kubernetes 1.27.8 ([#3612]) * Update to Kubernetes 1.26.11 ([#3612]) * Update to Kubernetes 1.25.16 ([#3612]) ### ECS * Update `ecs-agent` to address CVEs ([#3612]) ## Build Changes * Update to Bottlerocket SDK v0.36.1 ([#3640], [#3670]) [#3566]: https://github.com/bottlerocket-os/bottlerocket/pull/3566 [#3591]: https://github.com/bottlerocket-os/bottlerocket/pull/3591 [#3592]: https://github.com/bottlerocket-os/bottlerocket/pull/3592 [#3611]: https://github.com/bottlerocket-os/bottlerocket/pull/3611 [#3612]: https://github.com/bottlerocket-os/bottlerocket/pull/3612 [#3633]: https://github.com/bottlerocket-os/bottlerocket/pull/3633 [#3639]: https://github.com/bottlerocket-os/bottlerocket/pull/3639 [#3640]: https://github.com/bottlerocket-os/bottlerocket/pull/3640 [#3642]: https://github.com/bottlerocket-os/bottlerocket/pull/3642 [#3643]: https://github.com/bottlerocket-os/bottlerocket/pull/3643 [#3646]: https://github.com/bottlerocket-os/bottlerocket/pull/3646 [#3667]: https://github.com/bottlerocket-os/bottlerocket/pull/3667 [#3670]: https://github.com/bottlerocket-os/bottlerocket/pull/3670 # v1.16.1 (2023-11-13) ## OS Changes * Update open-vm-tools to 12.3.5 to address CVE-2023-34058 and CVE-2023-34059 ([#3553]) * Update NVIDIA drivers to 470.223.02 and 535.129.03 to address CVE-2023-31022 and CVE-2023-31018 ([#3561]) * Improvements to Bottlerocket CIS benchmark checks ([#3552] [#3562] [#3564]) * Regenerate updog proxy configuration when settings.network.proxy gets updated ([#3578]) * kernel: Update to 5.10.198, 5.15.136, and 6.1.59
([#3572]) ## Orchestrator Changes ### Kubernetes * Update Kubernetes versions to address HTTP v2 x/net CVE-2023-39325 ([#3581]) * Avoid specifying `hostname-override` kubelet option if `cloud-provider` is set to `aws` ([#3582]) [#3552]: https://github.com/bottlerocket-os/bottlerocket/pull/3552 [#3553]: https://github.com/bottlerocket-os/bottlerocket/pull/3553 [#3561]: https://github.com/bottlerocket-os/bottlerocket/pull/3561 [#3562]: https://github.com/bottlerocket-os/bottlerocket/pull/3562 [#3564]: https://github.com/bottlerocket-os/bottlerocket/pull/3564 [#3572]: https://github.com/bottlerocket-os/bottlerocket/pull/3572 [#3578]: https://github.com/bottlerocket-os/bottlerocket/pull/3578 [#3581]: https://github.com/bottlerocket-os/bottlerocket/pull/3581 [#3582]: https://github.com/bottlerocket-os/bottlerocket/pull/3582 # v1.16.0 (2023-10-25) ## OS Changes * Adjust netlink timeout to prevent interfaces from entering a failed state ([#3520]) * Update third-party packages ([#3535]) * Add XFS CLI utilities for managing XFS-formatted storage ([#3444]) * Add facilities to auto-load kernel modules ([#3460]) * Update to kernels 5.10.197, 5.15.134, and 6.1.55 ([#3509] [#3542]) * Fix reporting for Bottlerocket CIS Benchmark 4.1.2 ([#3547]) * Update systemd to 252.18 ([#3533]) * Allow fanotify permission events for trusted subjects in SELinux policy ([#3540]) ## Orchestrator Changes ### Kubernetes * Drop Kubernetes 1.23 Metal and VMware variants ([#3531]) ### ECS * Update ecs-agent ([#3535]) ## Build Changes * Update to Bottlerocket SDK v0.35.0 ([#3528]) [#3444]: https://github.com/bottlerocket-os/bottlerocket/pull/3444 [#3460]: https://github.com/bottlerocket-os/bottlerocket/pull/3460 [#3509]: https://github.com/bottlerocket-os/bottlerocket/pull/3509 [#3520]: https://github.com/bottlerocket-os/bottlerocket/pull/3520 [#3528]: https://github.com/bottlerocket-os/bottlerocket/pull/3528 [#3531]: https://github.com/bottlerocket-os/bottlerocket/pull/3531 [#3533]: 
https://github.com/bottlerocket-os/bottlerocket/pull/3533 [#3535]: https://github.com/bottlerocket-os/bottlerocket/pull/3535 [#3540]: https://github.com/bottlerocket-os/bottlerocket/pull/3540 [#3542]: https://github.com/bottlerocket-os/bottlerocket/pull/3542 [#3547]: https://github.com/bottlerocket-os/bottlerocket/pull/3547 # v1.15.1 (2023-10-09) ## OS Changes * Allow older ext4 snapshot volumes to be mounted in newer variants that default to xfs ([#3499]) * Update `apiclient` Rust dependencies ([#3491]) * Update `pluto` Rust dependencies ([#3439]) * Patch glibc to address CVE-2023-4806, CVE-2023-4911, and CVE-2023-5156 ([#3501]) * Update open-vm-tools to 12.3.0 to address CVE-2023-20900 ([#3500]) ## Build Changes * Update `twoliter` to v0.0.4 ([#3480]) [#3439]: https://github.com/bottlerocket-os/bottlerocket/pull/3439 [#3480]: https://github.com/bottlerocket-os/bottlerocket/pull/3480 [#3491]: https://github.com/bottlerocket-os/bottlerocket/pull/3491 [#3499]: https://github.com/bottlerocket-os/bottlerocket/pull/3499 [#3500]: https://github.com/bottlerocket-os/bottlerocket/pull/3500 [#3501]: https://github.com/bottlerocket-os/bottlerocket/pull/3501 # v1.15.0 (2023-09-18) ## Major Features This release brings support for Secure Boot on platforms using UEFI boot; the Linux 6.1 kernel; systemd-networkd and systemd-resolved for host networking; and XFS as the filesystem for local storage. These features are enabled by default in the new variants. Existing variants will continue to use earlier kernels, `wicked` for host networking, and EXT4 as the filesystem for local storage. ## Known Incompatibilities * Variants using the 6.1 kernel (`aws-ecs-2`/`aws-ecs-2-nvidia`, `aws-k8s-1.28`/`aws-k8s-1.28-nvidia`, `vmware-k8s-1.28`, and `metal-k8s-1.28`) do not support [LustreFS](https://aws.amazon.com/fsx/lustre/) ([#3459]) ## Deprecation Notice The functionality to apply a hotpatch for log4j CVE-2021-44228 has been removed.
The corresponding setting, `settings.oci-hooks.log4j-hotpatch-enabled`, is still available for backwards compatibility. However, it has no effect beyond printing a deprecation warning to the system logs. ([#3401]) ## OS Changes * Add kernel 6.1 ([#3121], [#3441]) * Update admin and control containers ([#3368]) * Update third party packages and dependencies ([#3362], [#3369], [#3330], [#3339], [#3355], [#3441], [#3456]) * Updated to systemd 252 ([#3290]) * Add support for Secure Boot ([#3097]) * Add support for XFS ([#3198]) * Add `apiclient report` command ([#3258]) and Bottlerocket CIS benchmark report ([#2881]) * Add resource-limit settings for OCI defaults ([#3206]) * Use `systemd-networkd` and `systemd-resolved` instead of `wicked` for `aws-k8s-1.28`, `aws-ecs-2`, and `*-dev` variants ([#3134], [#3232], [#3266], [#3311], [#3394], [#3395], [#3451], [#3455]) ## Orchestrator Changes ### ECS * Add `aws-ecs-2` variants ([#3273]) * Enables Secure Boot, systemd-networkd, and XFS for the data partition * Add support for AppMesh ([#3267]) ### Kubernetes * Add Kubernetes 1.28 variants ([#3329]) * Enables Secure Boot, systemd-networkd, and XFS for the data partition * Drop Kubernetes 1.22 variants ([#2988]) * Update to Kubernetes 1.27.4 ([#3319]) * Update to Kubernetes 1.26.7 ([#3320]) * Update to Kubernetes 1.25.12 ([#3321]) * Update to Kubernetes 1.24.16 ([#3322]) * Add support for SeccompDefault setting for k8s 1.25+ ([#3334]) * Add Kubernetes CIS benchmark report ([#3239]) ## Platform Changes ### AWS * Retry on empty PrivateDnsName from EC2 ([#3364]) ### Metal * Enable Intel VMD driver ([#3419]) * Add linux-firmware ([#3296], [#3418]) * Add aws-iam-authenticator to k8s variants ([#3357]) ## Build Changes * Upgrade to Bottlerocket SDK v0.34.1 ([#3445]) * Use [Twoliter] to enable work on [out-of-tree builds]. 
Most `tools` have moved to [Twoliter] ([#3379], [#3429], [#3392], [#3342]) * Only limit concurrency while building RPMs ([#3343]) [Twoliter]: https://github.com/bottlerocket-os/twoliter [out-of-tree builds]: https://github.com/bottlerocket-os/bottlerocket/issues/2669 [#2881]: https://github.com/bottlerocket-os/bottlerocket/pull/2881 [#2988]: https://github.com/bottlerocket-os/bottlerocket/pull/2988 [#3075]: https://github.com/bottlerocket-os/bottlerocket/pull/3075 [#3097]: https://github.com/bottlerocket-os/bottlerocket/pull/3097 [#3121]: https://github.com/bottlerocket-os/bottlerocket/pull/3121 [#3134]: https://github.com/bottlerocket-os/bottlerocket/pull/3134 [#3198]: https://github.com/bottlerocket-os/bottlerocket/pull/3198 [#3206]: https://github.com/bottlerocket-os/bottlerocket/pull/3206 [#3232]: https://github.com/bottlerocket-os/bottlerocket/pull/3232 [#3239]: https://github.com/bottlerocket-os/bottlerocket/pull/3239 [#3258]: https://github.com/bottlerocket-os/bottlerocket/pull/3258 [#3266]: https://github.com/bottlerocket-os/bottlerocket/pull/3266 [#3267]: https://github.com/bottlerocket-os/bottlerocket/pull/3267 [#3273]: https://github.com/bottlerocket-os/bottlerocket/pull/3273 [#3290]: https://github.com/bottlerocket-os/bottlerocket/pull/3290 [#3296]: https://github.com/bottlerocket-os/bottlerocket/pull/3296 [#3311]: https://github.com/bottlerocket-os/bottlerocket/pull/3311 [#3319]: https://github.com/bottlerocket-os/bottlerocket/pull/3319 [#3320]: https://github.com/bottlerocket-os/bottlerocket/pull/3320 [#3321]: https://github.com/bottlerocket-os/bottlerocket/pull/3321 [#3322]: https://github.com/bottlerocket-os/bottlerocket/pull/3322 [#3329]: https://github.com/bottlerocket-os/bottlerocket/pull/3329 [#3330]: https://github.com/bottlerocket-os/bottlerocket/pull/3330 [#3334]: https://github.com/bottlerocket-os/bottlerocket/pull/3334 [#3339]: https://github.com/bottlerocket-os/bottlerocket/pull/3339 [#3342]: 
https://github.com/bottlerocket-os/bottlerocket/pull/3342 [#3342]: https://github.com/bottlerocket-os/bottlerocket/pull/3342 [#3343]: https://github.com/bottlerocket-os/bottlerocket/pull/3343 [#3355]: https://github.com/bottlerocket-os/bottlerocket/pull/3355 [#3357]: https://github.com/bottlerocket-os/bottlerocket/pull/3357 [#3362]: https://github.com/bottlerocket-os/bottlerocket/pull/3362 [#3364]: https://github.com/bottlerocket-os/bottlerocket/pull/3364 [#3366]: https://github.com/bottlerocket-os/bottlerocket/pull/3366 [#3368]: https://github.com/bottlerocket-os/bottlerocket/pull/3368 [#3369]: https://github.com/bottlerocket-os/bottlerocket/pull/3369 [#3379]: https://github.com/bottlerocket-os/bottlerocket/pull/3379 [#3392]: https://github.com/bottlerocket-os/bottlerocket/pull/3392 [#3394]: https://github.com/bottlerocket-os/bottlerocket/pull/3394 [#3395]: https://github.com/bottlerocket-os/bottlerocket/pull/3395 [#3401]: https://github.com/bottlerocket-os/bottlerocket/pull/3401 [#3418]: https://github.com/bottlerocket-os/bottlerocket/pull/3418 [#3419]: https://github.com/bottlerocket-os/bottlerocket/pull/3419 [#3429]: https://github.com/bottlerocket-os/bottlerocket/pull/3429 [#3441]: https://github.com/bottlerocket-os/bottlerocket/pull/3441 [#3445]: https://github.com/bottlerocket-os/bottlerocket/pull/3445 [#3451]: https://github.com/bottlerocket-os/bottlerocket/pull/3451 [#3455]: https://github.com/bottlerocket-os/bottlerocket/pull/3455 [#3456]: https://github.com/bottlerocket-os/bottlerocket/pull/3456 [#3459]: https://github.com/bottlerocket-os/bottlerocket/issues/3459 # v1.14.3 (2023-08-10) ## OS Changes * Apply patches to 5.10 and 5.15 kernels to address CVE-2023-20593 ([#3300]) * Update admin and control containers ([#3307]) * Update eni-max-pods with new instance types ([#3324]) ## Orchestrator Changes ### Kubernetes * Update Kubernetes v1.23.17 to include latest EKS-D patches ([#3323]) [#3300]: https://github.com/bottlerocket-os/bottlerocket/pull/3300 
[#3307]: https://github.com/bottlerocket-os/bottlerocket/pull/3307 [#3323]: https://github.com/bottlerocket-os/bottlerocket/pull/3323 [#3324]: https://github.com/bottlerocket-os/bottlerocket/pull/3324 # v1.14.2 (2023-07-06) ## OS Changes * Improve the reliability of acquiring a DHCPv6 lease ([#3211], [#3212]) * Update kernel-5.10 to 5.10.184 and kernel-5.15 to 5.15.117 ([#3238]) * Update eni-max-pods with new instance types ([#3193]) * Make `pluto` outbound API requests more resilient to intermittent network errors ([#3214]) * Update runc to 1.1.6 ([#3249]) ## Orchestrator Changes ### ECS * Add image cleanup settings to control task image cleanup frequency ([#3231]) ### Kubernetes * Update to Kubernetes v1.24.15 ([#3234]) * Update to Kubernetes v1.25.11 ([#3235]) * Update to Kubernetes v1.26.6 ([#3236]) * Update to Kubernetes v1.27.3 ([#3237]) ## Build Changes * Updated Bottlerocket SDK version to v0.33.0 ([#3213]) [#3211]: https://github.com/bottlerocket-os/bottlerocket/pull/3211 [#3212]: https://github.com/bottlerocket-os/bottlerocket/pull/3212 [#3213]: https://github.com/bottlerocket-os/bottlerocket/pull/3213 [#3214]: https://github.com/bottlerocket-os/bottlerocket/pull/3214 [#3231]: https://github.com/bottlerocket-os/bottlerocket/pull/3231 [#3234]: https://github.com/bottlerocket-os/bottlerocket/pull/3234 [#3235]: https://github.com/bottlerocket-os/bottlerocket/pull/3235 [#3236]: https://github.com/bottlerocket-os/bottlerocket/pull/3236 [#3237]: https://github.com/bottlerocket-os/bottlerocket/pull/3237 [#3238]: https://github.com/bottlerocket-os/bottlerocket/pull/3238 [#3193]: https://github.com/bottlerocket-os/bottlerocket/pull/3193 [#3249]: https://github.com/bottlerocket-os/bottlerocket/pull/3249 # v1.14.1 (2023-05-31) ## OS Changes * Apply patches to 5.10 and 5.15 kernels to address CVE-2023-32233 ([#3128]) * Add fallback container image source parsing for regions not yet supported by the `aws-go-sdk` in `host-ctr` ([#3138]) * Increase default 
`max_dgram_qlen` sysctl value to `512` for both 5.10 and 5.15 kernels ([#3139]) ## Orchestrator Changes ### Kubernetes * Kubernetes package updates * Update Kubernetes v1.22.17 to include latest EKS-D patches ([#3108]) * Update Kubernetes v1.23.17 to include latest EKS-D patches ([#3119]) * Update to Kubernetes v1.24.14 ([#3119]) * Update to Kubernetes v1.25.9 ([#3119]) * Update to Kubernetes v1.26.4 ([#3119]) * Update Kubernetes v1.27.1 to include latest EKS-D patches ([#3119]) * Change `nvidia-k8s-device-plugin` service dependency on `kubelet` ([#3141]) ## Build Changes * Fix `pubsys` bug preventing multiple SSM parameter promotions in `promote-ssm` Makefile target ([#3137]) [#3108]: https://github.com/bottlerocket-os/bottlerocket/pull/3108 [#3119]: https://github.com/bottlerocket-os/bottlerocket/pull/3119 [#3128]: https://github.com/bottlerocket-os/bottlerocket/pull/3128 [#3137]: https://github.com/bottlerocket-os/bottlerocket/pull/3137 [#3138]: https://github.com/bottlerocket-os/bottlerocket/pull/3138 [#3139]: https://github.com/bottlerocket-os/bottlerocket/pull/3139 [#3141]: https://github.com/bottlerocket-os/bottlerocket/pull/3141 # v1.14.0 (2023-05-11) ## OS Changes * Update kernel-5.10 to 5.10.178 and kernel-5.15 to 5.15.108 ([#3077]) * Update admin and control containers ([#3090]) * Update third party packages and dependencies ([#2991], [#3082]) * Enable `SCSI_VIRTIO` driver for better hypervisor support ([#3047]) * Disable panic on hung task for kernel 5.15 ([#3091]) * Create symlink to `inventory` path using Storewolf ([#3035]) ## Orchestrator Changes ### ECS * Add support for ECS Exec ([#3075]) ### Kubernetes * Add Kubernetes 1.27 variants ([#3046]) * Switch to using Kubernetes default values for `kube-api-burst` and `kube-api-qps` ([#3094]) * Add more Kubernetes settings ([#2930], [#2986]) * Soft eviction policy * Graceful shutdown * CPU quota enforcement * Memory manager policy * CPU manager policy * Fix Kubernetes 1.26 credential provider apiVersion 
([#3070]) * Add ability to pass environment variables to image credential providers ([#2934]) ## Build Changes * Upgrade to Bottlerocket SDK v0.32.0 ([#3071]) * Add AMI validation to PubSys ([#3020]) * Add SSM parameter validation to PubSys ([#2969]) * Add `validate-ami` and `validate-ssm` Makefile targets ([#3043]) * Add `check-migrations` Makefile target to check for common migration problems ([#3051]) ## Testing Changes * Update testsys to v0.0.7 ([#3065]) * Add support for node provisioning with Karpenter ([#3067]) * Enable using custom Sonobuoy images ([#3068]) [#3077]: https://github.com/bottlerocket-os/bottlerocket/pull/3077 [#3090]: https://github.com/bottlerocket-os/bottlerocket/pull/3090 [#2991]: https://github.com/bottlerocket-os/bottlerocket/pull/2991 [#3082]: https://github.com/bottlerocket-os/bottlerocket/pull/3082 [#3047]: https://github.com/bottlerocket-os/bottlerocket/pull/3047 [#3091]: https://github.com/bottlerocket-os/bottlerocket/pull/3091 [#3071]: https://github.com/bottlerocket-os/bottlerocket/pull/3071 [#3035]: https://github.com/bottlerocket-os/bottlerocket/pull/3035 [#3075]: https://github.com/bottlerocket-os/bottlerocket/pull/3075 [#3046]: https://github.com/bottlerocket-os/bottlerocket/pull/3046 [#3094]: https://github.com/bottlerocket-os/bottlerocket/pull/3094 [#2930]: https://github.com/bottlerocket-os/bottlerocket/pull/2930 [#2986]: https://github.com/bottlerocket-os/bottlerocket/pull/2986 [#3070]: https://github.com/bottlerocket-os/bottlerocket/pull/3070 [#2934]: https://github.com/bottlerocket-os/bottlerocket/pull/2934 [#3051]: https://github.com/bottlerocket-os/bottlerocket/pull/3051 [#3020]: https://github.com/bottlerocket-os/bottlerocket/pull/3020 [#2969]: https://github.com/bottlerocket-os/bottlerocket/pull/2969 [#3043]: https://github.com/bottlerocket-os/bottlerocket/pull/3043 [#3065]: https://github.com/bottlerocket-os/bottlerocket/pull/3065 [#3067]: https://github.com/bottlerocket-os/bottlerocket/pull/3067 [#3068]: 
https://github.com/bottlerocket-os/bottlerocket/pull/3068 # v1.13.5 (2023-05-01) ## OS Changes * Revert `runc` update to move back to 1.1.5 ([#3054]) [#3054]: https://github.com/bottlerocket-os/bottlerocket/pull/3054 # v1.13.4 (2023-04-24) ## OS Changes * Ensure the first hostname is used when a VPC DHCP option set has multiple domains ([#3032]) * Update `runc` to version 1.1.6 ([#3037]) ## Orchestrator Changes ### Kubernetes * Generate and pass `--hostname-override` flag to kubelet in `aws-k8s-1.26` variants ([#3033]) [#3032]: https://github.com/bottlerocket-os/bottlerocket/pull/3032 [#3033]: https://github.com/bottlerocket-os/bottlerocket/pull/3033 [#3037]: https://github.com/bottlerocket-os/bottlerocket/pull/3037 # v1.13.3 (2023-04-17) ## OS Changes * Update kernel-5.10 to 5.10.173 and kernel-5.15 to 5.15.102 ([#2948], [#3002]) * Fix check for rule existence in ip6tables v1.8.9 ([#3001]) * Backport systemd fixes for skipped udevd events ([#2999]) * Check platform-specific mechanisms for hostname first ([#3021]) ## Orchestrator Changes ### Kubernetes * Generate 'provider-id' setting for aws-k8s variants ([#3026]) [#2948]: https://github.com/bottlerocket-os/bottlerocket/pull/2948 [#2999]: https://github.com/bottlerocket-os/bottlerocket/pull/2999 [#3001]: https://github.com/bottlerocket-os/bottlerocket/pull/3001 [#3002]: https://github.com/bottlerocket-os/bottlerocket/pull/3002 [#3021]: https://github.com/bottlerocket-os/bottlerocket/pull/3021 [#3026]: https://github.com/bottlerocket-os/bottlerocket/pull/3026 # v1.13.2 (2023-04-04) ## OS Changes * Update `runc` to version 1.1.5 ([#2946]) ## Orchestrator Changes ### Kubernetes * Update to Kubernetes v1.26.2 ([#2929]) * Update `aws-iam-authenticator` package to v0.6.8 ([#2965]) [#2946]: https://github.com/bottlerocket-os/bottlerocket/pull/2946 [#2929]: https://github.com/bottlerocket-os/bottlerocket/pull/2929 [#2965]: https://github.com/bottlerocket-os/bottlerocket/pull/2965 # v1.13.1 (2023-03-23) ## OS Changes * 
Improve logic around repartitioning and disk expansion by using symlinks to differentiate "fallback" and "preferred" data partitions ([#2935]) * Add `keyutils` package to enable mounting CIFS shares ([#2907]) ## Orchestrator Changes ### Kubernetes * Fix AWS profile rendering in credential provider ([#2904]) * Change CredentialProviderConfig api version to `v1beta1` for Kubernetes 1.25 variants ([#2906]) [#2904]: https://github.com/bottlerocket-os/bottlerocket/pull/2904 [#2906]: https://github.com/bottlerocket-os/bottlerocket/pull/2906 [#2907]: https://github.com/bottlerocket-os/bottlerocket/pull/2907 [#2935]: https://github.com/bottlerocket-os/bottlerocket/pull/2935 # v1.13.0 (2023-03-15) ## OS Changes * Add `ethtool` to Bottlerocket ([#2829]) * Improve logging in `migrator` to track ongoing migrations ([#2751]) * Improve random-access read performance of root volume on some devices ([#2863]) * Add `CAP_SYS_MODULE` and `CAP_SYS_CHROOT` to bootstrap containers ([#2772]) * Add support for cgroup v2 ([#2875], [#2802]) * Disable IA and SafeSetID LSM for kernel-5.15 ([#2789]) * Update kernel-5.10 to 5.10.165 and kernel-5.15 to 5.15.90 ([#2795]) * Allow `=` in bootconfig values ([#2806]) * Include `systemd-analyze plot` for `logdog` ([#2880]) * Update host containers ([#2864]) * Update third party packages ([#2825], [#2842]) ## Orchestrator Changes ### Kubernetes * **Remove Kubernetes 1.21 variants ([#2700])** * Add Kubernetes 1.26 variants ([#2771], [#2876]) * Change `kubelet` service to have restart policy `always` ([#2774]) * Update to Kubernetes v1.25.6 ([#2782]) * Update to Kubernetes v1.24.10 ([#2790]) * Update to Kubernetes v1.23.16 ([#2791]) * Update Kubernetes 1.22.17 to include latest EKS-D patches ([#2792]) ### ECS * Enable FireLens capability in `aws-ecs-1` variant ([#2819]) ## Platform Changes ### AWS * Set NVMe IO request timeouts for EBS according to AWS recommendations ([#2820]) * Support an alternate data partition on EC2 instances launched with a single
volume ([#2807], [#2879], [#2873]) * Update `eni-max-pod` mappings to include the latest AWS instance types ([#2818]) ### VMware * Remove `k8s.gcr.io` in favor of `public.ecr.aws` ([#2861], [#2786]) * Disable UDP offload for primary interface ([#2850]) ## Build Changes * Ensure empty build/rpms directory is included in build context ([#2784]) * Add image feature flag for cgroup v2 ([#2845]) * Enable `systemd-networkd` development via build flag ([#2741], [#2832], [#2750]) * Fix `clippy` linter warnings in source files and add `clippy` CI coverage ([#2745]) * Use `clippy` provided in SDK image ([#2793], [#2868]) * Remove unnecessary `time` 0.1.x dependency ([#2748], [#2851]) * Remove unnecessary patch from `containerd` ([#2755]) * Update Bottlerocket SDK to v0.30.2 ([#2866], [#2857], [#2836]) * Remove outdated `rust_2018_idioms` enforcement ([#2837]) * Update Rust edition to `2021` ([#2835]) * Upgraded Rust code dependencies ([#2816], [#2869], [#2851], [#2736], [#2895]) * Upgraded Go code dependencies ([#2828], [#2826], [#2813]) * Rename `ncurses` to `libncurses` ([#2769]) * Update schnauzer's registry map ([#2867]) ## Testing Changes * Add support for Kubernetes workloads in `testsys` ([#2830]) * Add support for a `tests` directory ([#2737], [#2775]) * Provide advanced config controls to `testsys` ([#2799]) * Fix incorrect migration starting image for VMware testing in `testsys` ([#2804]) * Use testsys v0.0.6 ([#2865]) ## Documentation Changes * Add boot sequence documentation ([#2735]) * Update Bottlerocket version in provisioning step in `PROVISIONING-METAL.md` ([#2785]) * Add user-data example for setting container registry credentials in `README.md` ([#2803]) * Fix missing trailing backslashes on `ami` commands in `TESTING.md` ([#2838]) [#2700]: https://github.com/bottlerocket-os/bottlerocket/pull/2700 [#2735]: https://github.com/bottlerocket-os/bottlerocket/pull/2735 [#2736]: https://github.com/bottlerocket-os/bottlerocket/pull/2736 [#2737]:
https://github.com/bottlerocket-os/bottlerocket/pull/2737 [#2741]: https://github.com/bottlerocket-os/bottlerocket/pull/2741 [#2745]: https://github.com/bottlerocket-os/bottlerocket/pull/2745 [#2748]: https://github.com/bottlerocket-os/bottlerocket/pull/2748 [#2749]: https://github.com/bottlerocket-os/bottlerocket/pull/2749 [#2750]: https://github.com/bottlerocket-os/bottlerocket/pull/2750 [#2751]: https://github.com/bottlerocket-os/bottlerocket/pull/2751 [#2755]: https://github.com/bottlerocket-os/bottlerocket/pull/2755 [#2769]: https://github.com/bottlerocket-os/bottlerocket/pull/2769 [#2771]: https://github.com/bottlerocket-os/bottlerocket/pull/2771 [#2772]: https://github.com/bottlerocket-os/bottlerocket/pull/2772 [#2774]: https://github.com/bottlerocket-os/bottlerocket/pull/2774 [#2775]: https://github.com/bottlerocket-os/bottlerocket/pull/2775 [#2782]: https://github.com/bottlerocket-os/bottlerocket/pull/2782 [#2784]: https://github.com/bottlerocket-os/bottlerocket/pull/2784 [#2785]: https://github.com/bottlerocket-os/bottlerocket/pull/2785 [#2786]: https://github.com/bottlerocket-os/bottlerocket/pull/2786 [#2789]: https://github.com/bottlerocket-os/bottlerocket/pull/2789 [#2790]: https://github.com/bottlerocket-os/bottlerocket/pull/2790 [#2791]: https://github.com/bottlerocket-os/bottlerocket/pull/2791 [#2792]: https://github.com/bottlerocket-os/bottlerocket/pull/2792 [#2793]: https://github.com/bottlerocket-os/bottlerocket/pull/2793 [#2795]: https://github.com/bottlerocket-os/bottlerocket/pull/2795 [#2797]: https://github.com/bottlerocket-os/bottlerocket/pull/2797 [#2799]: https://github.com/bottlerocket-os/bottlerocket/pull/2799 [#2802]: https://github.com/bottlerocket-os/bottlerocket/pull/2802 [#2803]: https://github.com/bottlerocket-os/bottlerocket/pull/2803 [#2804]: https://github.com/bottlerocket-os/bottlerocket/pull/2804 [#2806]: https://github.com/bottlerocket-os/bottlerocket/pull/2806 [#2807]: 
https://github.com/bottlerocket-os/bottlerocket/pull/2807 [#2813]: https://github.com/bottlerocket-os/bottlerocket/pull/2813 [#2816]: https://github.com/bottlerocket-os/bottlerocket/pull/2816 [#2818]: https://github.com/bottlerocket-os/bottlerocket/pull/2818 [#2819]: https://github.com/bottlerocket-os/bottlerocket/pull/2819 [#2820]: https://github.com/bottlerocket-os/bottlerocket/pull/2820 [#2825]: https://github.com/bottlerocket-os/bottlerocket/pull/2825 [#2826]: https://github.com/bottlerocket-os/bottlerocket/pull/2826 [#2828]: https://github.com/bottlerocket-os/bottlerocket/pull/2828 [#2829]: https://github.com/bottlerocket-os/bottlerocket/pull/2829 [#2830]: https://github.com/bottlerocket-os/bottlerocket/pull/2830 [#2832]: https://github.com/bottlerocket-os/bottlerocket/pull/2832 [#2835]: https://github.com/bottlerocket-os/bottlerocket/pull/2835 [#2836]: https://github.com/bottlerocket-os/bottlerocket/pull/2836 [#2837]: https://github.com/bottlerocket-os/bottlerocket/pull/2837 [#2838]: https://github.com/bottlerocket-os/bottlerocket/pull/2838 [#2842]: https://github.com/bottlerocket-os/bottlerocket/pull/2842 [#2845]: https://github.com/bottlerocket-os/bottlerocket/pull/2845 [#2846]: https://github.com/bottlerocket-os/bottlerocket/pull/2846 [#2850]: https://github.com/bottlerocket-os/bottlerocket/pull/2850 [#2851]: https://github.com/bottlerocket-os/bottlerocket/pull/2851 [#2857]: https://github.com/bottlerocket-os/bottlerocket/pull/2857 [#2861]: https://github.com/bottlerocket-os/bottlerocket/pull/2861 [#2863]: https://github.com/bottlerocket-os/bottlerocket/pull/2863 [#2864]: https://github.com/bottlerocket-os/bottlerocket/pull/2864 [#2865]: https://github.com/bottlerocket-os/bottlerocket/pull/2865 [#2866]: https://github.com/bottlerocket-os/bottlerocket/pull/2866 [#2867]: https://github.com/bottlerocket-os/bottlerocket/pull/2867 [#2868]: https://github.com/bottlerocket-os/bottlerocket/pull/2868 [#2869]: 
https://github.com/bottlerocket-os/bottlerocket/pull/2869 [#2873]: https://github.com/bottlerocket-os/bottlerocket/pull/2873 [#2875]: https://github.com/bottlerocket-os/bottlerocket/pull/2875 [#2876]: https://github.com/bottlerocket-os/bottlerocket/pull/2876 [#2879]: https://github.com/bottlerocket-os/bottlerocket/pull/2879 [#2880]: https://github.com/bottlerocket-os/bottlerocket/pull/2880 [#2895]: https://github.com/bottlerocket-os/bottlerocket/pull/2895 # v1.12.0 (2023-01-24) ## OS Changes * Disable strict aliasing for the c-utf-8 library in dbus-broker ([#2730]) * Add `/sys/firmware` to privileged mounts in host-ctr ([#2714]) * Use user-provided registry credentials for public.ecr.aws in host-ctr ([#2676]) * Build masked paths list dynamically in host-ctr ([#2637]) * Enable EFI option in systemd ([#2714]) * Allow simple enums as map keys in datastore ([#2687]) * Improve reliability of `settings.network.hostname` generator ([#2647]) * Add support for bonding and VLANs in `net.toml` ([#2596]) * Keep only one intermediate datastore during migration ([#2589]) * Widen access to filesystem relabel in SELinux policy ([#2738]) * Update hotdog to 1.05 ([#2728]) * Update systemd to 250.9 ([#2718]) * Update third party packages and dependencies ([#2588], [#2717]) * Update host containers ([#2739]) * Update eksd ([#2690], [#2693], [#2694], thanks @rcrozean) ## Orchestrator Changes ### Kubernetes * Add support for Kubernetes 1.25 variants ([#2699]) * Allow access to public kubelet certificates ([#2639]) * During kubelet prestart, skip pause image pull if image exists ([#2587]) * Delay kubelet.service until after warm-pool-wait service runs ([#2562]) * Add OCI default spec and settings to containerd ([#2697]) ## Platform Changes ### VMware * Downgrade iopl warning when fetching guestinfo in `early-boot-config` ([#2732]) ## Build Changes * Treat alias warnings as errors ([#2730]) * Suppress "missing changelog" warning in build ([#2730]) * Update Bottlerocket SDK
version to 0.29.0 ([#2730]) * Improve error messages for publish-ami command ([#2695]) * Disallow private AMIs in public SSM parameters ([#2680]) * Rework `start-local-vm` image selection to use `latest` symlink ([#2696]) * Improve integration testing through `cargo make test` ([#2560], [#2592], [#2618], [#2646], [#2653], [#2683], [#2674], [#2723], [#2724], [#2725]) [#2560]: https://github.com/bottlerocket-os/bottlerocket/pull/2560 [#2562]: https://github.com/bottlerocket-os/bottlerocket/pull/2562 [#2587]: https://github.com/bottlerocket-os/bottlerocket/pull/2587 [#2589]: https://github.com/bottlerocket-os/bottlerocket/pull/2589 [#2592]: https://github.com/bottlerocket-os/bottlerocket/pull/2592 [#2596]: https://github.com/bottlerocket-os/bottlerocket/pull/2596 [#2618]: https://github.com/bottlerocket-os/bottlerocket/pull/2618 [#2637]: https://github.com/bottlerocket-os/bottlerocket/pull/2637 [#2639]: https://github.com/bottlerocket-os/bottlerocket/pull/2639 [#2646]: https://github.com/bottlerocket-os/bottlerocket/pull/2646 [#2647]: https://github.com/bottlerocket-os/bottlerocket/pull/2647 [#2650]: https://github.com/bottlerocket-os/bottlerocket/pull/2650 [#2653]: https://github.com/bottlerocket-os/bottlerocket/pull/2653 [#2674]: https://github.com/bottlerocket-os/bottlerocket/pull/2674 [#2676]: https://github.com/bottlerocket-os/bottlerocket/pull/2676 [#2680]: https://github.com/bottlerocket-os/bottlerocket/pull/2680 [#2683]: https://github.com/bottlerocket-os/bottlerocket/pull/2683 [#2687]: https://github.com/bottlerocket-os/bottlerocket/pull/2687 [#2690]: https://github.com/bottlerocket-os/bottlerocket/pull/2690 [#2693]: https://github.com/bottlerocket-os/bottlerocket/pull/2693 [#2694]: https://github.com/bottlerocket-os/bottlerocket/pull/2694 [#2695]: https://github.com/bottlerocket-os/bottlerocket/pull/2695 [#2696]: https://github.com/bottlerocket-os/bottlerocket/pull/2696 [#2697]: https://github.com/bottlerocket-os/bottlerocket/pull/2697 [#2699]: 
https://github.com/bottlerocket-os/bottlerocket/pull/2699 [#2714]: https://github.com/bottlerocket-os/bottlerocket/pull/2714 [#2717]: https://github.com/bottlerocket-os/bottlerocket/pull/2717 [#2718]: https://github.com/bottlerocket-os/bottlerocket/pull/2718 [#2723]: https://github.com/bottlerocket-os/bottlerocket/pull/2723 [#2724]: https://github.com/bottlerocket-os/bottlerocket/pull/2724 [#2725]: https://github.com/bottlerocket-os/bottlerocket/pull/2725 [#2728]: https://github.com/bottlerocket-os/bottlerocket/pull/2728 [#2730]: https://github.com/bottlerocket-os/bottlerocket/pull/2730 [#2732]: https://github.com/bottlerocket-os/bottlerocket/pull/2732 [#2738]: https://github.com/bottlerocket-os/bottlerocket/pull/2738 [#2739]: https://github.com/bottlerocket-os/bottlerocket/pull/2739 # v1.11.1 (2022-11-28) ## Security Fixes * Update NVIDIA driver for 5.10 and 5.15 to include recent security fixes ([74d2c5c13ab0], [64f3967373a5]) * Apply patch to systemd for CVE-2022-3821 ([#2611]) [74d2c5c13ab0]: https://github.com/bottlerocket-os/bottlerocket/commit/74d2c5c13ab0f6839b9849a9f058a70e82f6ffb8 [64f3967373a5]: https://github.com/bottlerocket-os/bottlerocket/commit/64f3967373a53096219a73580fd81409c846266c [#2611]: https://github.com/bottlerocket-os/bottlerocket/pull/2611 # v1.11.0 (2022-11-15) ## OS Changes * Prevent a panic in `early-boot-config` when there is no IMDS region ([#2493]) * Update grub to 2.06-42 ([#2503]) * Bring back wicked support for matching interfaces via hardware address ([#2519]) * Allow bootstrap containers to manage swap ([#2537]) * Add `systemd-analyze` commands to troubleshooting log collection tool ([#2550]) * Allow bootstrap containers to manage network configuration ([#2558]) * Serialize bootconfig values correctly when the value is empty ([#2565]) * Update zlib, libexpat, libdbus, docker-cli ([#2583]) * Update host containers ([#2574]) * Unmask /sys/firmware from host containers ([#2573]) ## Orchestrator Changes ### ECS * Add additional ECS
API configurations ([#2527]) * `ECS_CONTAINER_STOP_TIMEOUT` * `ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION` * `ECS_TASK_METADATA_RPS_LIMIT` * `ECS_RESERVED_MEMORY` ### Kubernetes * Add a timeout when calling EKS for configuration values ([#2566]) * Enable IAM Roles Anywhere with the k8s `ecr-credential-provider` plugin ([#2377], [#2553]) * Kubernetes EKS-D updates * v1.24.6 ([#2582]) * v1.23.13 ([#2578]) * v1.22.15 ([#2580], [#2490]) ## Platform Changes ### AWS * Add driver support for AWS variants in hybrid environments ([#2554]) ## Build Changes * Add support for publishing to AWS organizations ([#2484]) * Remove unnecessary dependencies when building grub ([#2495]) * Switch to the latest Dockerfile frontend for builds ([#2496]) * Prepare foundations for Secure Boot and image re-signing ([#2505]) * Fix EFI file system to fit partition size ([#2528]) * Add ShellCheck to `check-lints` for build scripts ([#2532]) * Update the SDK to v0.28.0 ([#2543]) * Use `rustls-native-certs` instead of `webpki-roots` ([#2551]) * Handle absolute paths for output directory in kernel build script ([#2563]) ## Documentation Changes * Add a Roadmap markdown file ([#2549]) [#2377]: https://github.com/bottlerocket-os/bottlerocket/pull/2377 [#2484]: https://github.com/bottlerocket-os/bottlerocket/pull/2484 [#2488]: https://github.com/bottlerocket-os/bottlerocket/pull/2488 [#2490]: https://github.com/bottlerocket-os/bottlerocket/pull/2490 [#2493]: https://github.com/bottlerocket-os/bottlerocket/pull/2493 [#2495]: https://github.com/bottlerocket-os/bottlerocket/pull/2495 [#2496]: https://github.com/bottlerocket-os/bottlerocket/pull/2496 [#2503]: https://github.com/bottlerocket-os/bottlerocket/pull/2503 [#2505]: https://github.com/bottlerocket-os/bottlerocket/pull/2505 [#2519]: https://github.com/bottlerocket-os/bottlerocket/pull/2519 [#2523]: https://github.com/bottlerocket-os/bottlerocket/pull/2523 [#2527]: https://github.com/bottlerocket-os/bottlerocket/pull/2527 [#2528]: 
https://github.com/bottlerocket-os/bottlerocket/pull/2528 [#2532]: https://github.com/bottlerocket-os/bottlerocket/pull/2532 [#2536]: https://github.com/bottlerocket-os/bottlerocket/pull/2536 [#2537]: https://github.com/bottlerocket-os/bottlerocket/pull/2537 [#2540]: https://github.com/bottlerocket-os/bottlerocket/pull/2540 [#2541]: https://github.com/bottlerocket-os/bottlerocket/pull/2541 [#2542]: https://github.com/bottlerocket-os/bottlerocket/pull/2542 [#2543]: https://github.com/bottlerocket-os/bottlerocket/pull/2543 [#2547]: https://github.com/bottlerocket-os/bottlerocket/pull/2547 [#2549]: https://github.com/bottlerocket-os/bottlerocket/pull/2549 [#2550]: https://github.com/bottlerocket-os/bottlerocket/pull/2550 [#2551]: https://github.com/bottlerocket-os/bottlerocket/pull/2551 [#2553]: https://github.com/bottlerocket-os/bottlerocket/pull/2553 [#2554]: https://github.com/bottlerocket-os/bottlerocket/pull/2554 [#2558]: https://github.com/bottlerocket-os/bottlerocket/pull/2558 [#2563]: https://github.com/bottlerocket-os/bottlerocket/pull/2563 [#2565]: https://github.com/bottlerocket-os/bottlerocket/pull/2565 [#2566]: https://github.com/bottlerocket-os/bottlerocket/pull/2566 [#2574]: https://github.com/bottlerocket-os/bottlerocket/pull/2574 [#2573]: https://github.com/bottlerocket-os/bottlerocket/pull/2573 [#2578]: https://github.com/bottlerocket-os/bottlerocket/pull/2578 [#2580]: https://github.com/bottlerocket-os/bottlerocket/pull/2580 [#2582]: https://github.com/bottlerocket-os/bottlerocket/pull/2582 [#2583]: https://github.com/bottlerocket-os/bottlerocket/pull/2583 # v1.10.1 (2022-10-19) ## OS Changes * Support container runtime settings: enable-unprivileged-icmp, enable-unprivileged-ports, max-concurrent-downloads, max-container-log-line-size ([#2494]) * Update EKS-D to 1.22-11 ([#2490]) * Update EKS-D to 1.23-6 ([#2488]) [#2488]: https://github.com/bottlerocket-os/bottlerocket/pull/2488 [#2490]: https://github.com/bottlerocket-os/bottlerocket/pull/2490 
[#2494]: https://github.com/bottlerocket-os/bottlerocket/pull/2494 # v1.10.0 (2022-10-10) ## OS Changes * Add optional settings to reboot into new kernel command line parameters ([#2375]) * Support for static IP addressing ([#2204], [#2330], [#2445]) * Add support for NVIDIA driver version 515 ([#2455]) * Set mode for tmpfs mounts ([#2473]) * Increase inotify default limits ([#2335]) * Align `vm.max_map_count` with the EKS Optimized AMI ([#2344]) * Add support for configuring DNS settings ([#2353]) * Migrate `netdog` from `serde_xml_rs` to `quick-xml` ([#2311]) * Support versioning for `net.toml` ([#2281]) * Update admin and control container ([#2471], [#2472]) ## Orchestrator Changes ### ECS * Add `cargo make` tasks for testing ECS variants ([#2348]) ### Kubernetes * Add support for Kubernetes 1.24 variants ([#2437]) * Remove Kubernetes aws-k8s-1.19 variants ([#2316]) * Increase the kube-api-server QPS from 5/10 to 10/20 ([#2436], thanks @tzneal) * Update eni-max-pods with new instance types ([#2416]) * Add setting to change `kubelet`'s log level ([#2460], [#2470]) * Add `cargo make` tasks to perform migration testing for Kubernetes variants in AWS ([#2273]) ## Platform Changes ### AWS * Disable drivers for USB-attached network interfaces ([#2328]) ### Metal * Add driver support for Solarflare, Pensando, Myricom, Huawei, Emulex, Chelsio, Broadcom, AMD and Intel 10G+ network cards ([#2379]) ## Build Changes * Extend `external-files` to vendor go modules ([#2378], [#2403], [#2430]) * Make `net_config` unit tests reusable across versions ([#2385]) * Add `diff-kernel-config` to identify kernel config changes ([#2368]) * Extended support for variants in buildsys ([#2339]) * Clarify crossbeam license ([#2447]) * Honor `BUILDSYS_ARCH` and `BUILDSYS_VARIANT` env variables when set ([#2425]) * Use architecture specific json payloads in unit tests ([#2367], [#2363]) * Add unified `check` target in `Makefile.toml` for review readiness ([#2384]) * Update Go dependencies of 
first-party go projects ([#2424], [#2440], [#2450], [#2452], [#2456]) * Update Rust dependencies ([#2458], [#2476]) * Update third-party packages ([#2397], [#2398], [#2464], [#2465], thanks @kschumy) * Update Bottlerocket SDK to 0.27.0 ([#2428]) * Migrate `pubsys` and `infrasys` to the AWS SDK for Rust ([#2414], [#2415], [#2454]) * Update `testsys` dependencies ([#2392]) * Fix `hotdog`'s spec URL to the correct upstream link ([#2326]) * Fix clippy warnings and enable lints on pull requests ([#2337], [#2346], [#2443]) * Format issue field in PR template ([#2314]) ## Documentation Changes * Update checksum for new `root.json` ([#2405]) * Mention that boot settings are available in Kubernetes 1.23 variants ([#2358]) * Mention the need for AWS credentials in BUILDING.md and PUBLISHING-AWS.md ([#2334]) * Add China to supported regions lists ([#2315]) * Add community section to README.md ([#2305], [#2383]) * Standardize `userdata.toml` as the filename used in different docs ([#2446]) * Remove commit from image name in PROVISIONING-METAL.md ([#2312]) * Add note to CONTRIBUTING.md that outlines filenames' casing ([#2306]) * Fix typos in `Makefile.toml`, QUICKSTART-ECS.md, QUICKSTART-EKS.md, `netdog` and `prairiedog` ([#2318], thanks @kianmeng) * Fix casing for GitHub and VMware in CHANGELOG.md ([#2329]) * Fix typo in test setup command ([#2477]) * Fix TESTING.md link typo ([#2438]) * Fix positional `fetch-license` argument ([#2457]) [#2204]: https://github.com/bottlerocket-os/bottlerocket/pull/2204 [#2273]: https://github.com/bottlerocket-os/bottlerocket/pull/2273 [#2281]: https://github.com/bottlerocket-os/bottlerocket/pull/2281 [#2305]: https://github.com/bottlerocket-os/bottlerocket/pull/2305 [#2306]: https://github.com/bottlerocket-os/bottlerocket/pull/2306 [#2311]: https://github.com/bottlerocket-os/bottlerocket/pull/2311 [#2312]: https://github.com/bottlerocket-os/bottlerocket/pull/2312 [#2314]: https://github.com/bottlerocket-os/bottlerocket/pull/2314 [#2315]: 
https://github.com/bottlerocket-os/bottlerocket/pull/2315 [#2316]: https://github.com/bottlerocket-os/bottlerocket/pull/2316 [#2318]: https://github.com/bottlerocket-os/bottlerocket/pull/2318 [#2326]: https://github.com/bottlerocket-os/bottlerocket/pull/2326 [#2328]: https://github.com/bottlerocket-os/bottlerocket/pull/2328 [#2329]: https://github.com/bottlerocket-os/bottlerocket/pull/2329 [#2330]: https://github.com/bottlerocket-os/bottlerocket/pull/2330 [#2334]: https://github.com/bottlerocket-os/bottlerocket/pull/2334 [#2335]: https://github.com/bottlerocket-os/bottlerocket/pull/2335 [#2337]: https://github.com/bottlerocket-os/bottlerocket/pull/2337 [#2339]: https://github.com/bottlerocket-os/bottlerocket/pull/2339 [#2344]: https://github.com/bottlerocket-os/bottlerocket/pull/2344 [#2346]: https://github.com/bottlerocket-os/bottlerocket/pull/2346 [#2348]: https://github.com/bottlerocket-os/bottlerocket/pull/2348 [#2353]: https://github.com/bottlerocket-os/bottlerocket/pull/2353 [#2358]: https://github.com/bottlerocket-os/bottlerocket/pull/2358 [#2363]: https://github.com/bottlerocket-os/bottlerocket/pull/2363 [#2367]: https://github.com/bottlerocket-os/bottlerocket/pull/2367 [#2368]: https://github.com/bottlerocket-os/bottlerocket/pull/2368 [#2375]: https://github.com/bottlerocket-os/bottlerocket/pull/2375 [#2378]: https://github.com/bottlerocket-os/bottlerocket/pull/2378 [#2379]: https://github.com/bottlerocket-os/bottlerocket/pull/2379 [#2383]: https://github.com/bottlerocket-os/bottlerocket/pull/2383 [#2384]: https://github.com/bottlerocket-os/bottlerocket/pull/2384 [#2385]: https://github.com/bottlerocket-os/bottlerocket/pull/2385 [#2392]: https://github.com/bottlerocket-os/bottlerocket/pull/2392 [#2397]: https://github.com/bottlerocket-os/bottlerocket/pull/2397 [#2398]: https://github.com/bottlerocket-os/bottlerocket/pull/2398 [#2403]: https://github.com/bottlerocket-os/bottlerocket/pull/2403 [#2405]: 
https://github.com/bottlerocket-os/bottlerocket/pull/2405 [#2414]: https://github.com/bottlerocket-os/bottlerocket/pull/2414 [#2415]: https://github.com/bottlerocket-os/bottlerocket/pull/2415 [#2416]: https://github.com/bottlerocket-os/bottlerocket/pull/2416 [#2424]: https://github.com/bottlerocket-os/bottlerocket/pull/2424 [#2425]: https://github.com/bottlerocket-os/bottlerocket/pull/2425 [#2428]: https://github.com/bottlerocket-os/bottlerocket/pull/2428 [#2430]: https://github.com/bottlerocket-os/bottlerocket/pull/2430 [#2436]: https://github.com/bottlerocket-os/bottlerocket/pull/2436 [#2437]: https://github.com/bottlerocket-os/bottlerocket/pull/2437 [#2438]: https://github.com/bottlerocket-os/bottlerocket/pull/2438 [#2440]: https://github.com/bottlerocket-os/bottlerocket/pull/2440 [#2443]: https://github.com/bottlerocket-os/bottlerocket/pull/2443 [#2445]: https://github.com/bottlerocket-os/bottlerocket/pull/2445 [#2446]: https://github.com/bottlerocket-os/bottlerocket/pull/2446 [#2447]: https://github.com/bottlerocket-os/bottlerocket/pull/2447 [#2450]: https://github.com/bottlerocket-os/bottlerocket/pull/2450 [#2452]: https://github.com/bottlerocket-os/bottlerocket/pull/2452 [#2454]: https://github.com/bottlerocket-os/bottlerocket/pull/2454 [#2455]: https://github.com/bottlerocket-os/bottlerocket/pull/2455 [#2456]: https://github.com/bottlerocket-os/bottlerocket/pull/2456 [#2457]: https://github.com/bottlerocket-os/bottlerocket/pull/2457 [#2458]: https://github.com/bottlerocket-os/bottlerocket/pull/2458 [#2460]: https://github.com/bottlerocket-os/bottlerocket/pull/2460 [#2464]: https://github.com/bottlerocket-os/bottlerocket/pull/2464 [#2465]: https://github.com/bottlerocket-os/bottlerocket/pull/2465 [#2470]: https://github.com/bottlerocket-os/bottlerocket/pull/2470 [#2471]: https://github.com/bottlerocket-os/bottlerocket/pull/2471 [#2472]: https://github.com/bottlerocket-os/bottlerocket/pull/2472 [#2473]: 
https://github.com/bottlerocket-os/bottlerocket/pull/2473 [#2476]: https://github.com/bottlerocket-os/bottlerocket/pull/2476 [#2477]: https://github.com/bottlerocket-os/bottlerocket/pull/2477 # v1.9.2 (2022-08-31) ## Build Changes * Archive old migrations ([#2357]) * Update `runc` to version 1.1.4 ([#2380]) [#2357]: https://github.com/bottlerocket-os/bottlerocket/pull/2357 [#2380]: https://github.com/bottlerocket-os/bottlerocket/pull/2380 # v1.9.1 (2022-08-17) ## OS Changes * Change kernel module compression from zstd to xz ([#2323]) * Update ECR registry map for new AWS regions ([#2336]) * Add new regions to pause registry map ([#2349]) * Update `tough` to v0.8.1 ([#2338]) [#2323]: https://github.com/bottlerocket-os/bottlerocket/pull/2323 [#2336]: https://github.com/bottlerocket-os/bottlerocket/pull/2336 [#2338]: https://github.com/bottlerocket-os/bottlerocket/pull/2338 [#2349]: https://github.com/bottlerocket-os/bottlerocket/pull/2349 # v1.9.0 (2022-07-28) ## OS Changes * SELinux policy now suppresses audit for tmpfs relabels ([#2222]) * Restrict permissions for `/boot` and `System.map` ([#2223]) * Remove unused crates `growpart` and `servicedog` ([#2238]) * New mount in host containers for system logs ([#2295]) * Apply strict mount options and enforce execution rules ([#2239]) * Switch to a more commonly used syntax for disabling kernel config settings ([#2290]) * Respect proxy settings when running setting generators ([#2227]) * Add `CAP_NET_ADMIN` to bootstrap containers ([#2266]) * Reduce log output for DHCP services ([#2260]) * Fix invalid kernel config options ([#2269]) * Improve support for container storage mounts ([#2240]) * Disable uncommon filesystems and network protocols ([#2255]) * Add support for blocking kernel modules ([#2274]) * Fix `ntp` service restart when settings change ([#2270]) * Add kernel 5.15 sources ([#2226]) * Defer `squashfs` mounts to later in the boot process ([#2276]) * Improve boot speed and rootfs size ([#2296]) * Add "quiet"
kernel parameter for some variants ([#2277]) ## Orchestrator Changes ### Kubernetes * Make new instance types available ([#2221] , thanks @cablespaghetti) * Update Kubernetes versions ([#2230], [#2232], [#2262], [#2263], thanks @kschumy) * Add kubelet image GC threshold settings ([#2219]) ### ECS * Add iptables rules for ECS introspection server ([#2267]) ## Platform Changes ### AWS * Add support for AWS China regions ([#2224], [#2242], [#2247], [#2285]) * Migrate to using `aws-sdk-rust` for first-party OS Rust packages ([#2300]) ### VMware * Remove `console=ttyS0` from kernel params ([#2248]) ### Metal * Enable Mellanox modules in 5.10 kernel ([#2241]) * Add bnxt module for Broadcom 10/25Gb network adapters in 5.10 kernel ([#2243]) * Split out baremetal specific config options ([#2264]) * Add driver support for Cisco UCS platforms ([#2271]) * Only build baremetal variant specific drivers for baremetal variants ([#2279]) * Enable the metal-dev build for the ARM architecture ([#2272]) ## Build Changes * Add Makefile targets to create and validate Boot Configuration ([#2189]) * Create symlinks to images with friendly names ([#2215]) * Add `start-local-vm` script ([#2194]) * Add the testsys CLI and new cargo make tasks for testing aws-k8s variants ([#2165]) * Update Rust and Go dependencies ([#2303], [#2299]) * Update third-party packages ([#2309]) ## Documentation Changes * Add NVIDIA ECS variant to README ([#2244]) * Add documentation for metal variants ([#2205]) * Add missing step in building packages guide ([#2259]) * Add quickstart for running Bottlerocket in QEMU/KVM VMs ([#2280]) * Address lints in README markdown caught by `markdownlint` ([#2283]) [#2165]: https://github.com/bottlerocket-os/bottlerocket/pull/2165 [#2189]: https://github.com/bottlerocket-os/bottlerocket/pull/2189 [#2194]: https://github.com/bottlerocket-os/bottlerocket/pull/2194 [#2205]: https://github.com/bottlerocket-os/bottlerocket/pull/2205 [#2215]: 
https://github.com/bottlerocket-os/bottlerocket/pull/2215 [#2219]: https://github.com/bottlerocket-os/bottlerocket/pull/2219 [#2221]: https://github.com/bottlerocket-os/bottlerocket/pull/2221 [#2222]: https://github.com/bottlerocket-os/bottlerocket/pull/2222 [#2223]: https://github.com/bottlerocket-os/bottlerocket/pull/2223 [#2224]: https://github.com/bottlerocket-os/bottlerocket/pull/2224 [#2226]: https://github.com/bottlerocket-os/bottlerocket/pull/2226 [#2227]: https://github.com/bottlerocket-os/bottlerocket/pull/2227 [#2230]: https://github.com/bottlerocket-os/bottlerocket/pull/2230 [#2232]: https://github.com/bottlerocket-os/bottlerocket/pull/2232 [#2238]: https://github.com/bottlerocket-os/bottlerocket/pull/2238 [#2239]: https://github.com/bottlerocket-os/bottlerocket/pull/2239 [#2240]: https://github.com/bottlerocket-os/bottlerocket/pull/2240 [#2241]: https://github.com/bottlerocket-os/bottlerocket/pull/2241 [#2242]: https://github.com/bottlerocket-os/bottlerocket/pull/2242 [#2243]: https://github.com/bottlerocket-os/bottlerocket/pull/2243 [#2244]: https://github.com/bottlerocket-os/bottlerocket/pull/2244 [#2247]: https://github.com/bottlerocket-os/bottlerocket/pull/2247 [#2248]: https://github.com/bottlerocket-os/bottlerocket/pull/2248 [#2255]: https://github.com/bottlerocket-os/bottlerocket/pull/2255 [#2259]: https://github.com/bottlerocket-os/bottlerocket/pull/2259 [#2260]: https://github.com/bottlerocket-os/bottlerocket/pull/2260 [#2262]: https://github.com/bottlerocket-os/bottlerocket/pull/2262 [#2263]: https://github.com/bottlerocket-os/bottlerocket/pull/2263 [#2264]: https://github.com/bottlerocket-os/bottlerocket/pull/2264 [#2266]: https://github.com/bottlerocket-os/bottlerocket/pull/2266 [#2267]: https://github.com/bottlerocket-os/bottlerocket/pull/2267 [#2269]: https://github.com/bottlerocket-os/bottlerocket/pull/2269 [#2270]: https://github.com/bottlerocket-os/bottlerocket/pull/2270 [#2271]: 
https://github.com/bottlerocket-os/bottlerocket/pull/2271 [#2272]: https://github.com/bottlerocket-os/bottlerocket/pull/2272 [#2274]: https://github.com/bottlerocket-os/bottlerocket/pull/2274 [#2276]: https://github.com/bottlerocket-os/bottlerocket/pull/2276 [#2277]: https://github.com/bottlerocket-os/bottlerocket/pull/2277 [#2279]: https://github.com/bottlerocket-os/bottlerocket/pull/2279 [#2280]: https://github.com/bottlerocket-os/bottlerocket/pull/2280 [#2283]: https://github.com/bottlerocket-os/bottlerocket/pull/2283 [#2285]: https://github.com/bottlerocket-os/bottlerocket/pull/2285 [#2290]: https://github.com/bottlerocket-os/bottlerocket/pull/2290 [#2295]: https://github.com/bottlerocket-os/bottlerocket/pull/2295 [#2296]: https://github.com/bottlerocket-os/bottlerocket/pull/2296 [#2299]: https://github.com/bottlerocket-os/bottlerocket/pull/2299 [#2300]: https://github.com/bottlerocket-os/bottlerocket/pull/2300 [#2303]: https://github.com/bottlerocket-os/bottlerocket/pull/2303 [#2309]: https://github.com/bottlerocket-os/bottlerocket/pull/2309 # v1.8.0 (2022-06-08) ## OS Changes ### General * Update admin and control containers ([#2191]) * Update to containerd 1.6.x ([#2158]) * Restart container runtimes when certificates store changes ([#2076]) * Add support for providing kernel parameters via Boot Configuration ([#1980]) * Restart long-running systemd services on exit ([#2162]) * Ignore zero blocks on dm-verity root ([#2169]) * Add support for static DNS mappings in `/etc/hosts` ([#2129]) * Enable network configuration generation via `netdog` ([#2066]) * Add support for non-`eth0` default interfaces ([#2144]) * Update to IMDS schema `2021-07-15` ([#2190]) ### Kubernetes * Add support for Kubernetes 1.23 variants ([#2188]) * Improve Kubernetes pod start times by unsetting `configMapAndSecretChangeDetectionStrategy` in kubelet config ([#2166]) * Add new setting for configuring kubelet's `provider-id` configuration ([#2192]) * Add new setting for configuring 
kubelet's `podPidsLimit` configuration ([#2138]) * Allow a list of IP addresses in `settings.kubernetes.cluster-dns-ip` ([#2176]) * Set the default for `settings.kubernetes.cloud-provider` on metal variants to an empty string ([#2188]) * Add c7g instance data for max pods calculation in AWS variants ([#2107], thanks, @lizthegrey!) ### ECS * Add aws-ecs-1-nvidia variant with Nvidia driver support ([#2128], [#2100], [#2098], [#2167], [#2097], [#2090], [#2099]) * Add support for ECS ImagePullBehavior and WarmPoolsSupport ([#2063], thanks, @mello7tre!) ### Hardware * Build smartpqi driver for Microchip Smart Storage devices into 5.10 kernel ([#2184]) * Add support for Broadcom ethernet cards in 5.10 kernel ([#2143]) * Add support for MegaRAID SAS in 5.10 kernel ([#2133]) ## Build Changes * Remove aws-k8s-1.18 variant ([#2044], [#2092]) * Update third-party packages ([#2178], [#2187], [#2145]) * Update Rust and Go dependencies ([#2183], [#2181], [#2180], [#2085], [#2110], [#2068], [#2075], [#2074], [#2048], [#2059], [#2049], [#2036], [#2033]) * Update Bottlerocket SDK to 0.26.0 ([#2157]) * Speed up kernel builds by installing headers and modules in parallel ([#2185]) * Removed unused patch from Docker CLI ([#2030], thanks, @thaJeztah!) ## Documentation Changes * Standardize README generation in buildsys ([#2134]) * Clarify migration README ([#2141]) * Fix typos in BUILDING.md and QUICKSTART-VMWARE.md ([#2159], thanks, @ryanrussell!) 
* Add additional documentation for using GPUs with Kubernetes variants ([#2078]) * Document examples for using `enter-admin-container` ([#2028]) [#1980]: https://github.com/bottlerocket-os/bottlerocket/pull/1980 [#2028]: https://github.com/bottlerocket-os/bottlerocket/pull/2028 [#2030]: https://github.com/bottlerocket-os/bottlerocket/pull/2030 [#2033]: https://github.com/bottlerocket-os/bottlerocket/pull/2033 [#2036]: https://github.com/bottlerocket-os/bottlerocket/pull/2036 [#2044]: https://github.com/bottlerocket-os/bottlerocket/pull/2044 [#2048]: https://github.com/bottlerocket-os/bottlerocket/pull/2048 [#2049]: https://github.com/bottlerocket-os/bottlerocket/pull/2049 [#2059]: https://github.com/bottlerocket-os/bottlerocket/pull/2059 [#2063]: https://github.com/bottlerocket-os/bottlerocket/pull/2063 [#2066]: https://github.com/bottlerocket-os/bottlerocket/pull/2066 [#2068]: https://github.com/bottlerocket-os/bottlerocket/pull/2068 [#2074]: https://github.com/bottlerocket-os/bottlerocket/pull/2074 [#2075]: https://github.com/bottlerocket-os/bottlerocket/pull/2075 [#2076]: https://github.com/bottlerocket-os/bottlerocket/pull/2076 [#2078]: https://github.com/bottlerocket-os/bottlerocket/pull/2078 [#2085]: https://github.com/bottlerocket-os/bottlerocket/pull/2085 [#2090]: https://github.com/bottlerocket-os/bottlerocket/pull/2090 [#2092]: https://github.com/bottlerocket-os/bottlerocket/pull/2092 [#2097]: https://github.com/bottlerocket-os/bottlerocket/pull/2097 [#2098]: https://github.com/bottlerocket-os/bottlerocket/pull/2098 [#2099]: https://github.com/bottlerocket-os/bottlerocket/pull/2099 [#2100]: https://github.com/bottlerocket-os/bottlerocket/pull/2100 [#2107]: https://github.com/bottlerocket-os/bottlerocket/pull/2107 [#2110]: https://github.com/bottlerocket-os/bottlerocket/pull/2110 [#2128]: https://github.com/bottlerocket-os/bottlerocket/pull/2128 [#2129]: https://github.com/bottlerocket-os/bottlerocket/pull/2129 [#2133]: 
https://github.com/bottlerocket-os/bottlerocket/pull/2133 [#2134]: https://github.com/bottlerocket-os/bottlerocket/pull/2134 [#2138]: https://github.com/bottlerocket-os/bottlerocket/pull/2138 [#2141]: https://github.com/bottlerocket-os/bottlerocket/pull/2141 [#2142]: https://github.com/bottlerocket-os/bottlerocket/pull/2142 [#2143]: https://github.com/bottlerocket-os/bottlerocket/pull/2143 [#2144]: https://github.com/bottlerocket-os/bottlerocket/pull/2144 [#2145]: https://github.com/bottlerocket-os/bottlerocket/pull/2145 [#2146]: https://github.com/bottlerocket-os/bottlerocket/pull/2146 [#2157]: https://github.com/bottlerocket-os/bottlerocket/pull/2157 [#2158]: https://github.com/bottlerocket-os/bottlerocket/pull/2158 [#2159]: https://github.com/bottlerocket-os/bottlerocket/pull/2159 [#2162]: https://github.com/bottlerocket-os/bottlerocket/pull/2162 [#2166]: https://github.com/bottlerocket-os/bottlerocket/pull/2166 [#2167]: https://github.com/bottlerocket-os/bottlerocket/pull/2167 [#2169]: https://github.com/bottlerocket-os/bottlerocket/pull/2169 [#2176]: https://github.com/bottlerocket-os/bottlerocket/pull/2176 [#2178]: https://github.com/bottlerocket-os/bottlerocket/pull/2178 [#2180]: https://github.com/bottlerocket-os/bottlerocket/pull/2180 [#2181]: https://github.com/bottlerocket-os/bottlerocket/pull/2181 [#2183]: https://github.com/bottlerocket-os/bottlerocket/pull/2183 [#2184]: https://github.com/bottlerocket-os/bottlerocket/pull/2184 [#2185]: https://github.com/bottlerocket-os/bottlerocket/pull/2185 [#2187]: https://github.com/bottlerocket-os/bottlerocket/pull/2187 [#2188]: https://github.com/bottlerocket-os/bottlerocket/pull/2188 [#2190]: https://github.com/bottlerocket-os/bottlerocket/pull/2190 [#2191]: https://github.com/bottlerocket-os/bottlerocket/pull/2191 [#2192]: https://github.com/bottlerocket-os/bottlerocket/pull/2192 # v1.7.2 (2022-04-22) ## Security Fixes * Update kernel-5.4 to patch CVE-2022-1015, CVE-2022-1016, CVE-2022-25636, CVE-2022-26490, 
CVE-2022-27666, CVE-2022-28356 ([a3b4674f7108][a3b4674f7108]) * Update kernel-5.10 to patch CVE-2022-1015, CVE-2022-1016, CVE-2022-25636, CVE-2022-1048, CVE-2022-26490, CVE-2022-27666, CVE-2022-28356 ([37095415bab6][37095415bab6]) ## OS Changes * Update eni-max-pods with new instance types ([#2079]) * Add support for AWS region ap-southeast-3: Jakarta ([#2080]) [a3b4674f7108]: https://github.com/bottlerocket-os/bottlerocket/commit/a3b4674f7108a7f69f108a011042be2a5b91e563 [37095415bab6]: https://github.com/bottlerocket-os/bottlerocket/commit/37095415bab67a24240d95b59c7bf20a112d7ae1 [#2079]: https://github.com/bottlerocket-os/bottlerocket/pull/2079 [#2080]: https://github.com/bottlerocket-os/bottlerocket/pull/2080 # v1.7.1 (2022-04-05) ## Security Fixes * Apply patch to hotdog for CVE-2022-0071 ([1a3f35b2fe8e][1a3f35b2fe8e]) ## OS Changes * Enable checkpoint restore (`CONFIG_CHECKPOINT_RESTORE`) for aarch64 ([6e3d6ed4b83e][6e3d6ed4b83e]) [1a3f35b2fe8e]: https://github.com/bottlerocket-os/bottlerocket/commit/1a3f35b2fe8ed9a7078e43940545dc941c5de99f [6e3d6ed4b83e]: https://github.com/bottlerocket-os/bottlerocket/commit/6e3d6ed4b83ecefa5de5885f8c4a30cd9df8b689 # v1.7.0 (2022-03-30) With this release, an inventory of software installed in Bottlerocket will now be reported to SSM if the control container is in use and inventorying has been enabled. 
## OS Changes * Generate host software inventory and make it available to host containers ([#1996]) * Update admin and control containers ([#2014]) ## Build Changes * Update third-party packages ([#1977], [#1983], [#1987], [#1992], [#2022]) * Update Rust and Go dependencies ([#2016], [#2019]) * Makefile: lock tuftool version ([#2009]) * Fix tmpfilesd configuration for kmod-5.10-nvidia ([#2020]) ## Documentation Changes * Fix tuftool download instruction in VMware Quickstart ([#1994]) * Explain data partition extension ([#2013]) [#1977]: https://github.com/bottlerocket-os/bottlerocket/pull/1977 [#1983]: https://github.com/bottlerocket-os/bottlerocket/pull/1983 [#1987]: https://github.com/bottlerocket-os/bottlerocket/pull/1987 [#1992]: https://github.com/bottlerocket-os/bottlerocket/pull/1992 [#1994]: https://github.com/bottlerocket-os/bottlerocket/pull/1994 [#1996]: https://github.com/bottlerocket-os/bottlerocket/pull/1996 [#2009]: https://github.com/bottlerocket-os/bottlerocket/pull/2009 [#2013]: https://github.com/bottlerocket-os/bottlerocket/pull/2013 [#2014]: https://github.com/bottlerocket-os/bottlerocket/pull/2014 [#2016]: https://github.com/bottlerocket-os/bottlerocket/pull/2016 [#2019]: https://github.com/bottlerocket-os/bottlerocket/pull/2019 [#2020]: https://github.com/bottlerocket-os/bottlerocket/pull/2020 [#2022]: https://github.com/bottlerocket-os/bottlerocket/pull/2022 # v1.6.2 (2022-03-08) With this release, the vmware-k8s variants have graduated from preview status and are now generally available. :tada: ## Security Fixes * Update kernel-5.4 and kernel-5.10 to include recent security fixes ([a8e4a20ca7d1][a8e4a20ca7d1], [3d0c10abeecb][3d0c10abeecb]) ## OS Changes * Add support for Kubernetes 1.22 variants ([#1962]) * Add settings support for registry credentials ([#1955]) * Add support for AWS CloudFormation signaling ([#1728], thanks, @mello7tre!) * Add TCMU support to the kernel ([#1953], thanks, @cvlc!) 
* Fix issue with closing frame construction in apiserver ([#1948]) ## Build Changes * Fix dead code warning during build in netdog ([#1949]) ## Documentation Changes * Correct variable name in bootstrap-containers/README.md ([#1959], thanks, @dangen-effy!) * Add art to the console ([#1970]) [a8e4a20ca7d1]: https://github.com/bottlerocket-os/bottlerocket/commit/a8e4a20ca7d1dde4e8b5f679e4e11d9687b6ef09 [3d0c10abeecb]: https://github.com/bottlerocket-os/bottlerocket/commit/3d0c10abeecb9f69b6ec598fd5137cb146a46b6e [#1728]: https://github.com/bottlerocket-os/bottlerocket/pull/1728 [#1948]: https://github.com/bottlerocket-os/bottlerocket/pull/1948 [#1949]: https://github.com/bottlerocket-os/bottlerocket/pull/1949 [#1953]: https://github.com/bottlerocket-os/bottlerocket/pull/1953 [#1955]: https://github.com/bottlerocket-os/bottlerocket/pull/1955 [#1959]: https://github.com/bottlerocket-os/bottlerocket/pull/1959 [#1962]: https://github.com/bottlerocket-os/bottlerocket/pull/1962 [#1970]: https://github.com/bottlerocket-os/bottlerocket/pull/1970 # v1.6.1 (2022-03-02) ## Security Fixes * Apply patch to containerd for CVE-2022-23648 ([0de1b39efa64][0de1b39efa64]) * Update kernel-5.4 and kernel-5.10 to include recent security fixes ([#1973]) [0de1b39efa64]: https://github.com/bottlerocket-os/bottlerocket/commit/0de1b39efa6437fa57388918e1554174ca2f02e4 [#1973]: https://github.com/bottlerocket-os/bottlerocket/pull/1973 # v1.6.0 (2022-02-07) ## Deprecation Notice The Kubernetes 1.18 variant, `aws-k8s-1.18`, will lose support in March 2022. Kubernetes 1.18 is no longer receiving support upstream. We recommend replacing `aws-k8s-1.18` nodes with a later variant, preferably `aws-k8s-1.21` if your cluster supports it. See [this issue](https://github.com/bottlerocket-os/bottlerocket/issues/1942) for more details. 
## Security Fixes * Apply patch to the kernel for CVE-2022-0492 ([#1943]) ## OS Changes * Add aws-k8s-1.21-nvidia variant with Nvidia driver support ([#1859], [#1860], [#1861], [#1862], [#1900], [#1912], [#1915], [#1916], [#1928]) * Add metal-k8s-1.21 variant with support for running on bare metal ([#1904]) * Update host containers to the latest version ([#1939]) * Add driverdog, a configuration-driven utility for linking kernel modules at runtime ([#1867]) * Kubernetes: Fix a potential inconsistency with IPv6 node-ip comparisons ([#1932]) * Allow setting multiple Kubernetes node taints with the same key ([#1906]) * Fix a bug which would prevent Bottlerocket from booting when setting `container-registry` to an empty table ([#1910]) * Add `/etc/bottlerocket-release` to host containers ([#1883]) * Send grub output to the local console on BIOS systems ([#1894]) * Fix minor issues with systemd units ([#1889]) ## Build Changes * Update third-party packages ([#1936]) * Update Rust dependencies ([#1940]) * Update Go dependencies of `host-ctr` ([#1938]) * Add the ability to fetch licenses at build time ([#1901]) * Pin tuftool to a specific version ([#1940]) ## Documentation Changes * Add a no-proxy setting example to the README ([#1765] thanks, @mrajashree!) 
* Document variant `image-layout` options in the README ([#1896]) [#1765]: https://github.com/bottlerocket-os/bottlerocket/pull/1765 [#1859]: https://github.com/bottlerocket-os/bottlerocket/pull/1859 [#1860]: https://github.com/bottlerocket-os/bottlerocket/pull/1860 [#1861]: https://github.com/bottlerocket-os/bottlerocket/pull/1861 [#1862]: https://github.com/bottlerocket-os/bottlerocket/pull/1862 [#1867]: https://github.com/bottlerocket-os/bottlerocket/pull/1867 [#1883]: https://github.com/bottlerocket-os/bottlerocket/pull/1883 [#1889]: https://github.com/bottlerocket-os/bottlerocket/pull/1889 [#1894]: https://github.com/bottlerocket-os/bottlerocket/pull/1894 [#1896]: https://github.com/bottlerocket-os/bottlerocket/pull/1896 [#1900]: https://github.com/bottlerocket-os/bottlerocket/pull/1900 [#1901]: https://github.com/bottlerocket-os/bottlerocket/pull/1901 [#1904]: https://github.com/bottlerocket-os/bottlerocket/pull/1904 [#1906]: https://github.com/bottlerocket-os/bottlerocket/pull/1906 [#1910]: https://github.com/bottlerocket-os/bottlerocket/pull/1910 [#1912]: https://github.com/bottlerocket-os/bottlerocket/pull/1912 [#1915]: https://github.com/bottlerocket-os/bottlerocket/pull/1915 [#1916]: https://github.com/bottlerocket-os/bottlerocket/pull/1916 [#1928]: https://github.com/bottlerocket-os/bottlerocket/pull/1928 [#1932]: https://github.com/bottlerocket-os/bottlerocket/pull/1932 [#1936]: https://github.com/bottlerocket-os/bottlerocket/pull/1936 [#1938]: https://github.com/bottlerocket-os/bottlerocket/pull/1938 [#1939]: https://github.com/bottlerocket-os/bottlerocket/pull/1939 [#1940]: https://github.com/bottlerocket-os/bottlerocket/pull/1940 [#1943]: https://github.com/bottlerocket-os/bottlerocket/pull/1943 # v1.5.3 (2022-01-25) ## Security Fixes * Update Bottlerocket SDK to 0.25.1 for Rust 1.58.1 ([#1918]) * Update kernel-5.4 and kernel-5.10 to include recent security fixes ([#1921]) * Migrate host-container to the latest version for vmware variants ([#1898]) 
## OS Changes * Fix an issue which could impair nodes in Kubernetes 1.21 IPv6 clusters ([#1925]) [#1898]: https://github.com/bottlerocket-os/bottlerocket/pull/1898 [#1918]: https://github.com/bottlerocket-os/bottlerocket/pull/1918 [#1921]: https://github.com/bottlerocket-os/bottlerocket/pull/1921 [#1925]: https://github.com/bottlerocket-os/bottlerocket/pull/1925 # v1.5.2 (2022-01-05) ## Security Fixes * Update containerd for CVE-2021-43816 ([8f085929588a][8f085929588a]) [8f085929588a]: https://github.com/bottlerocket-os/bottlerocket/commit/8f085929588a3f0cd575f865dd6f04f96a97e923 # v1.5.1 (2021-12-23) ## Security Fixes * Update hotdog to the latest release. Hotdog now mimics the permissions of the target JVM process ([#1884]) ## OS Changes * Updated host containers to the latest version ([#1881], [#1882]) [#1881]: https://github.com/bottlerocket-os/bottlerocket/pull/1881 [#1882]: https://github.com/bottlerocket-os/bottlerocket/pull/1882 [#1884]: https://github.com/bottlerocket-os/bottlerocket/pull/1884 # v1.5.0 (2021-12-17) ## Security Enhancements * Add the ability to hotpatch log4j for CVE-2021-44228 in running containers ([#1872], [#1871], [#1869]) ## OS Changes * Enable configuration for OCI hooks in the container lifecycle ([#1868]) * Retry all failed requests to IMDS ([#1841]) * Enable node feature discovery for Kubernetes device plugins ([#1863]) * Add `apiclient get` subcommand for simple API retrieval ([#1836]) * Add support for CPU microcode updates ([#1827]) * Consistently support API prefix queries ([#1835]) ## Build Changes * Add support for custom image sizes ([#1826]) * Add support for unifying the OS and data partitions on a single disk ([#1870]) ## Documentation Changes * Fixed typo in the README ([#1847] thanks, PascalBourdier!) 
[#1826]:https://github.com/bottlerocket-os/bottlerocket/pull/1826 [#1827]:https://github.com/bottlerocket-os/bottlerocket/pull/1827 [#1835]:https://github.com/bottlerocket-os/bottlerocket/pull/1835 [#1836]:https://github.com/bottlerocket-os/bottlerocket/pull/1836 [#1841]:https://github.com/bottlerocket-os/bottlerocket/pull/1841 [#1847]:https://github.com/bottlerocket-os/bottlerocket/pull/1847 [#1863]:https://github.com/bottlerocket-os/bottlerocket/pull/1863 [#1868]:https://github.com/bottlerocket-os/bottlerocket/pull/1868 [#1869]:https://github.com/bottlerocket-os/bottlerocket/pull/1869 [#1870]:https://github.com/bottlerocket-os/bottlerocket/pull/1870 [#1871]:https://github.com/bottlerocket-os/bottlerocket/pull/1871 [#1872]:https://github.com/bottlerocket-os/bottlerocket/pull/1872 # v1.4.2 (2021-12-02) ## Security Fixes * Update default [admin](https://github.com/bottlerocket-os/bottlerocket-admin-container/releases/tag/v0.7.3) and [control](https://github.com/bottlerocket-os/bottlerocket-control-container/releases/tag/v0.5.3) host containers to address CVE-2021-43527 ([#1852]) * Update kernel-5.4 and kernel-5.10 to include recent security fixes. 
([#1851]) ## Build Changes * Update containerd (to v1.5.8) and Docker (to v20.10.11) ([#1851]) [#1851]: https://github.com/bottlerocket-os/bottlerocket/pull/1851 [#1852]: https://github.com/bottlerocket-os/bottlerocket/pull/1852 # v1.4.1 (2021-11-18) ## Security Fixes * Apply patches to docker and containerd for CVE-2021-41190 ([#1832], [#1833]) ## Build Changes * Update Bottlerocket SDK to 0.23.1 ([#1831]) [#1831]: https://github.com/bottlerocket-os/bottlerocket/pull/1831 [#1832]: https://github.com/bottlerocket-os/bottlerocket/pull/1832 [#1833]: https://github.com/bottlerocket-os/bottlerocket/pull/1833 # v1.4.0 (2021-11-12) ## OS Changes * Add 'apiclient exec' for running commands in host containers ([#1802], [#1790]) * Improve boot performance ([#1809]) * Add support for wildcard container registry mirrors ([#1791], [#1818]) * Wait up to 300s for a DHCP lease at boot ([#1800]) * Retry if fetching the IMDS session token fails ([#1801]) * Add ECR account IDs for pulling host containers in GovCloud ([#1793]) * Filter sensitive API settings from `logdog` dump ([#1777]) * Fix kubelet standalone mode ([#1783]) ## Build Changes * Remove aws-k8s-1.17 variant ([#1807]) * Update Bottlerocket SDK to 0.23 ([#1779]) * Update third-party packages ([#1816]) * Update Rust dependencies ([#1810]) * Update Go dependencies of `host-ctr` ([#1775], [#1774]) * Prevent spurious rebuilds of the model package ([#1808]) * Add disk image files to TUF repo ([#1787]) * Vendor wicked service units ([#1798]) * Add CI check for Rust code formatting ([#1782]) * Allow overriding the AMI data file suffix ([#1784]) ## Documentation Changes * Update cargo-make commands to work with newest cargo-make ([#1797]) [#1774]: https://github.com/bottlerocket-os/bottlerocket/pull/1774 [#1775]: https://github.com/bottlerocket-os/bottlerocket/pull/1775 [#1777]: https://github.com/bottlerocket-os/bottlerocket/pull/1777 [#1779]: https://github.com/bottlerocket-os/bottlerocket/pull/1779 [#1782]: 
https://github.com/bottlerocket-os/bottlerocket/pull/1782 [#1783]: https://github.com/bottlerocket-os/bottlerocket/pull/1783 [#1784]: https://github.com/bottlerocket-os/bottlerocket/pull/1784 [#1787]: https://github.com/bottlerocket-os/bottlerocket/pull/1787 [#1790]: https://github.com/bottlerocket-os/bottlerocket/pull/1790 [#1791]: https://github.com/bottlerocket-os/bottlerocket/pull/1791 [#1793]: https://github.com/bottlerocket-os/bottlerocket/pull/1793 [#1797]: https://github.com/bottlerocket-os/bottlerocket/pull/1797 [#1798]: https://github.com/bottlerocket-os/bottlerocket/pull/1798 [#1800]: https://github.com/bottlerocket-os/bottlerocket/pull/1800 [#1801]: https://github.com/bottlerocket-os/bottlerocket/pull/1801 [#1802]: https://github.com/bottlerocket-os/bottlerocket/pull/1802 [#1807]: https://github.com/bottlerocket-os/bottlerocket/pull/1807 [#1808]: https://github.com/bottlerocket-os/bottlerocket/pull/1808 [#1809]: https://github.com/bottlerocket-os/bottlerocket/pull/1809 [#1810]: https://github.com/bottlerocket-os/bottlerocket/pull/1810 [#1816]: https://github.com/bottlerocket-os/bottlerocket/pull/1816 [#1818]: https://github.com/bottlerocket-os/bottlerocket/pull/1818 # v1.3.0 (2021-10-06) ## Deprecation Notice The Kubernetes 1.17 variant, `aws-k8s-1.17`, will lose support in November, 2021. Kubernetes 1.17 is no longer receiving support upstream. We recommend replacing `aws-k8s-1.17` nodes with a later variant, preferably `aws-k8s-1.21` if your cluster supports it. See [this issue](https://github.com/bottlerocket-os/bottlerocket/issues/1772) for more details. 
## Security Fixes * Apply patches to docker and containerd for CVE-2021-41089, CVE-2021-41091, CVE-2021-41092, and CVE-2021-41103 ([#1769]) ## OS Changes * Add MCS constraints to the SELinux policy ([#1733]) * Support IPv6 in kubelet and pluto ([#1710]) * Add region flag to aws-iam-authenticator command ([#1762]) * Restart modified host containers ([#1722]) * Add more detail to /etc/os-release ([#1749]) * Add an entry to `/etc/hosts` for the current hostname ([#1713], [#1746]) * Update default control container to v0.5.2 ([#1730]) * Fix various SELinux policy issues ([#1729]) * Update eni-max-pods with new instance types ([#1724], thanks @samjo-nyang!) * Add cilium device filters to open-vm-tools ([#1718]) * Implement hybrid boot support for x86_64 ([#1701]) * Include `/var/log/kdump` in logdog tarballs ([#1695]) * Use runtime.slice and system.slice cgroup settings in k8s variants ([#1684], thanks @cyrus-mc!) ## Build Changes * Update third-party packages ([#1701], [#1716], [#1732], [#1755], [#1763], [#1767]) * Update Rust dependencies ([#1707], [#1750], [#1751]) * Add wave definition for slow deployment ([#1734]) * Add 'infrasys' for creating TUF infra in AWS ([#1723]) * Make OVF file first in the OVA bundle ([#1719]) * Raise pubsys messages to 'warn' if AMI exists or repo doesn't ([#1708]) * Add constants crate ([#1709]) * Add release URLs to package definitions ([#1748]) * Add *.src.rpm to packages/.gitignore ([#1768]) * Archive old migrations ([#1699]) ## Documentation Changes * Mention static pods in the security guidance around API access ([#1766]) * Fix link to issue labels ([#1764], thanks @andrewhsu!) * Fix broken link for TLS bootstrapping ([#1758]) * Update hash for v3 root.json ([#1757]) * Update example version to v1.2.0 in QUICKSTART-VMWARE ([#1741], thanks @yuvalk!) 
* Clarify default kernel lockdown settings per variant ([#1704]) [#1684]: https://github.com/bottlerocket-os/bottlerocket/pull/1684 [#1695]: https://github.com/bottlerocket-os/bottlerocket/pull/1695 [#1699]: https://github.com/bottlerocket-os/bottlerocket/pull/1699 [#1701]: https://github.com/bottlerocket-os/bottlerocket/pull/1701 [#1701]: https://github.com/bottlerocket-os/bottlerocket/pull/1701 [#1704]: https://github.com/bottlerocket-os/bottlerocket/pull/1704 [#1707]: https://github.com/bottlerocket-os/bottlerocket/pull/1707 [#1708]: https://github.com/bottlerocket-os/bottlerocket/pull/1708 [#1709]: https://github.com/bottlerocket-os/bottlerocket/pull/1709 [#1710]: https://github.com/bottlerocket-os/bottlerocket/pull/1710 [#1713]: https://github.com/bottlerocket-os/bottlerocket/pull/1713 [#1716]: https://github.com/bottlerocket-os/bottlerocket/pull/1716 [#1718]: https://github.com/bottlerocket-os/bottlerocket/pull/1718 [#1719]: https://github.com/bottlerocket-os/bottlerocket/pull/1719 [#1722]: https://github.com/bottlerocket-os/bottlerocket/pull/1722 [#1723]: https://github.com/bottlerocket-os/bottlerocket/pull/1723 [#1724]: https://github.com/bottlerocket-os/bottlerocket/pull/1724 [#1729]: https://github.com/bottlerocket-os/bottlerocket/pull/1729 [#1730]: https://github.com/bottlerocket-os/bottlerocket/pull/1730 [#1732]: https://github.com/bottlerocket-os/bottlerocket/pull/1732 [#1733]: https://github.com/bottlerocket-os/bottlerocket/pull/1733 [#1734]: https://github.com/bottlerocket-os/bottlerocket/pull/1734 [#1741]: https://github.com/bottlerocket-os/bottlerocket/pull/1741 [#1746]: https://github.com/bottlerocket-os/bottlerocket/pull/1746 [#1748]: https://github.com/bottlerocket-os/bottlerocket/pull/1748 [#1749]: https://github.com/bottlerocket-os/bottlerocket/pull/1749 [#1750]: https://github.com/bottlerocket-os/bottlerocket/pull/1750 [#1751]: https://github.com/bottlerocket-os/bottlerocket/pull/1751 [#1755]: 
https://github.com/bottlerocket-os/bottlerocket/pull/1755 [#1757]: https://github.com/bottlerocket-os/bottlerocket/pull/1757 [#1758]: https://github.com/bottlerocket-os/bottlerocket/pull/1758 [#1762]: https://github.com/bottlerocket-os/bottlerocket/pull/1762 [#1763]: https://github.com/bottlerocket-os/bottlerocket/pull/1763 [#1764]: https://github.com/bottlerocket-os/bottlerocket/pull/1764 [#1766]: https://github.com/bottlerocket-os/bottlerocket/pull/1766 [#1767]: https://github.com/bottlerocket-os/bottlerocket/pull/1767 [#1768]: https://github.com/bottlerocket-os/bottlerocket/pull/1768 [#1769]: https://github.com/bottlerocket-os/bottlerocket/pull/1769 # v1.2.1 (2021-09-16) ## Security fixes * Update Kubernetes for CVE-2021-25741 ([#1753]) [#1753]: https://github.com/bottlerocket-os/bottlerocket/pull/1753 # v1.2.0 (2021-08-06) ## OS Changes * Add settings for kubelet topologyManagerPolicy and topologyManagerScope ([#1659]) * Add support for container image registry mirrors ([#1629]) * Add support for custom CA certificates ([#1654]) * Add a setting for configuring hostname ([#1664], [#1680], [#1693]) * Avoid wildcard for applying rp_filter to interfaces ([#1677]) * Update default admin container to v0.7.2 ([#1685]) ## Build Changes * Add support for zstd compressed kernel ([#1668], [#1689]) * Add support for uploading OVAs to VMware ([#1622]) * Update default built variant to aws-k8s-1.21 ([#1686]) * Remove aws-k8s-1.16 variant ([#1658]) * Move migrations from v1.1.5 to v1.2.0 ([#1682]) * Update third-party packages ([#1676]) * Update host-ctr dependencies ([#1669]) * Update Rust dependencies ([#1655], [#1683], [#1687]) ## Documentation Changes * Fix typo in README ([#1652], **thanks @faultymonk!**) [#1622]: https://github.com/bottlerocket-os/bottlerocket/pull/1622 [#1629]: https://github.com/bottlerocket-os/bottlerocket/pull/1629 [#1652]: https://github.com/bottlerocket-os/bottlerocket/pull/1652 [#1654]: https://github.com/bottlerocket-os/bottlerocket/pull/1654 
[#1655]: https://github.com/bottlerocket-os/bottlerocket/pull/1655 [#1658]: https://github.com/bottlerocket-os/bottlerocket/pull/1658 [#1659]: https://github.com/bottlerocket-os/bottlerocket/pull/1659 [#1664]: https://github.com/bottlerocket-os/bottlerocket/pull/1664 [#1668]: https://github.com/bottlerocket-os/bottlerocket/pull/1668 [#1669]: https://github.com/bottlerocket-os/bottlerocket/pull/1669 [#1676]: https://github.com/bottlerocket-os/bottlerocket/pull/1676 [#1677]: https://github.com/bottlerocket-os/bottlerocket/pull/1677 [#1680]: https://github.com/bottlerocket-os/bottlerocket/pull/1680 [#1682]: https://github.com/bottlerocket-os/bottlerocket/pull/1682 [#1683]: https://github.com/bottlerocket-os/bottlerocket/pull/1683 [#1685]: https://github.com/bottlerocket-os/bottlerocket/pull/1685 [#1686]: https://github.com/bottlerocket-os/bottlerocket/pull/1686 [#1687]: https://github.com/bottlerocket-os/bottlerocket/pull/1687 [#1689]: https://github.com/bottlerocket-os/bottlerocket/pull/1689 [#1693]: https://github.com/bottlerocket-os/bottlerocket/pull/1693 # v1.1.4 (2021-07-23) ## Security fixes * Update containerd to 1.4.8 ([#1661]) * Update systemd to 247.8 ([#1662]) * Update 5.4 and 5.10 kernels ([#1665]) * Set permissions to root-only for /var/lib/systemd/random-seed ([#1656]) [#1656]: https://github.com/bottlerocket-os/bottlerocket/pull/1656 [#1661]: https://github.com/bottlerocket-os/bottlerocket/pull/1661 [#1662]: https://github.com/bottlerocket-os/bottlerocket/pull/1662 [#1665]: https://github.com/bottlerocket-os/bottlerocket/pull/1665 # v1.1.3 (2021-07-12) Note: in the Bottlerocket v1.0.8 release, for the aws-k8s-1.20 and aws-k8s-1.21 variants, we set the default Kubernetes CPU manager policy to "static". We heard from several users that this breaks usage of the Fluent Bit log processor. In Bottlerocket v1.1.3, we've changed the default back to "none", but have added a setting so you can use the "static" policy if desired. 
To do so, set `settings.kubernetes.cpu-manager-policy` to "static". To do this in user data, for example, pass the following:

```toml
[settings.kubernetes]
cpu-manager-policy = "static"
```

## OS Changes * Fix parsing of lists of values in domain name search field of DHCP option sets ([#1646], **thanks @hypnoce!**) * Add setting for configuring Kubernetes CPU manager policy and reconcile policy ([#1638]) ## Build Changes * Update SDK to 0.22.0 ([#1640]) * Store build artifacts per architecture ([#1630]) ## Documentation Changes * Update references to the ECS variant for GA release ([#1637]) [#1630]: https://github.com/bottlerocket-os/bottlerocket/pull/1630 [#1637]: https://github.com/bottlerocket-os/bottlerocket/pull/1637 [#1638]: https://github.com/bottlerocket-os/bottlerocket/pull/1638 [#1640]: https://github.com/bottlerocket-os/bottlerocket/pull/1640 [#1646]: https://github.com/bottlerocket-os/bottlerocket/pull/1646 # v1.1.2 (2021-06-25) With this release, the aws-ecs-1 variant has graduated from preview status and is now generally available. It's been updated to include Docker 20.10. The new [Bottlerocket ECS Updater](https://github.com/bottlerocket-os/bottlerocket-ecs-updater/) is available to help provide automated updates. :tada: ## OS Changes * Add aws-k8s-1.21 variant with Kubernetes 1.21 support ([#1612]) * Add settings for configuring kubelet containerLogMaxFiles and containerLogMaxSize ([#1589]) (Thanks, @samjo-nyang!)
* Add settings for configuring kubelet systemReserved ([#1606]) * Add kdump support, enabled by default in VMware variants ([#1596]) * In host containers, allow mount propagations from privileged containers ([#1601]) * Mark ipv6 lease as optional for eth0 ([#1602]) * Add recommended device filters to open-vm-tools ([#1603]) * In host container definitions, default "enabled" and "superpowered" to false ([#1580]) * Allow pubsys refresh-repo to use default key path ([#1575]) * Update default host containers ([#1609]) ## Build Changes * Add grep package to all variants ([#1562]) * Update Rust dependencies ([#1623], [#1574]) * Update third-party packages ([#1619], [#1616], [#1625]) * In GitHub Actions, pin rust toolchain to match version in SDK ([#1621]) * Add imdsclient library for querying IMDS ([#1372], [#1598], [#1610]) * Remove reqwest proxy workaround in metricdog and updog ([#1592]) * Simplify conditional compilation in early-boot-config ([#1576]) * Only build shibaken for aws variants ([#1591]) * Silence tokio mut warning in thar-be-settings ([#1593]) * Refactor package and variant dependencies ([#1549]) * Add derive attributes at start of list in model-derive ([#1572]) * Limit threads during pubsys validate-repo ([#1564]) ## Documentation Changes * Document the deprecation of the aws-k8s-1.16 variant ([#1600]) * Update README for VMware and add a QUICKSTART-VMWARE ([#1559]) * Add ap-northeast-3 to supported region list ([#1566]) * Add details about the two default Bottlerocket volumes to README ([#1588]) * Document webpki-roots version in webpki-roots-shim ([#1565]) [#1372]: https://github.com/bottlerocket-os/bottlerocket/pull/1372 [#1549]: https://github.com/bottlerocket-os/bottlerocket/pull/1549 [#1559]: https://github.com/bottlerocket-os/bottlerocket/pull/1559 [#1562]: https://github.com/bottlerocket-os/bottlerocket/pull/1562 [#1564]: https://github.com/bottlerocket-os/bottlerocket/pull/1564 [#1565]: https://github.com/bottlerocket-os/bottlerocket/pull/1565 
[#1566]: https://github.com/bottlerocket-os/bottlerocket/pull/1566 [#1572]: https://github.com/bottlerocket-os/bottlerocket/pull/1572 [#1574]: https://github.com/bottlerocket-os/bottlerocket/pull/1574 [#1575]: https://github.com/bottlerocket-os/bottlerocket/pull/1575 [#1576]: https://github.com/bottlerocket-os/bottlerocket/pull/1576 [#1580]: https://github.com/bottlerocket-os/bottlerocket/pull/1580 [#1588]: https://github.com/bottlerocket-os/bottlerocket/pull/1588 [#1589]: https://github.com/bottlerocket-os/bottlerocket/pull/1589 [#1591]: https://github.com/bottlerocket-os/bottlerocket/pull/1591 [#1592]: https://github.com/bottlerocket-os/bottlerocket/pull/1592 [#1593]: https://github.com/bottlerocket-os/bottlerocket/pull/1593 [#1596]: https://github.com/bottlerocket-os/bottlerocket/pull/1596 [#1598]: https://github.com/bottlerocket-os/bottlerocket/pull/1598 [#1600]: https://github.com/bottlerocket-os/bottlerocket/pull/1600 [#1601]: https://github.com/bottlerocket-os/bottlerocket/pull/1601 [#1602]: https://github.com/bottlerocket-os/bottlerocket/pull/1602 [#1603]: https://github.com/bottlerocket-os/bottlerocket/pull/1603 [#1606]: https://github.com/bottlerocket-os/bottlerocket/pull/1606 [#1609]: https://github.com/bottlerocket-os/bottlerocket/pull/1609 [#1610]: https://github.com/bottlerocket-os/bottlerocket/pull/1610 [#1612]: https://github.com/bottlerocket-os/bottlerocket/pull/1612 [#1616]: https://github.com/bottlerocket-os/bottlerocket/pull/1616 [#1619]: https://github.com/bottlerocket-os/bottlerocket/pull/1619 [#1621]: https://github.com/bottlerocket-os/bottlerocket/pull/1621 [#1623]: https://github.com/bottlerocket-os/bottlerocket/pull/1623 [#1625]: https://github.com/bottlerocket-os/bottlerocket/pull/1625 # v1.1.1 (2021-05-19) ## Security fixes * Patch runc for CVE-2021-30465 ([232c5741ecec][232c5741ecec]) [232c5741ecec]: https://github.com/bottlerocket-os/bottlerocket/commit/232c5741ecec1b903df3e56922bda03eecb2c02a # v1.1.0 (2021-05-07) ## Deprecation 
Notice The Kubernetes 1.16 variant, `aws-k8s-1.16`, will lose support in July, 2021. Kubernetes 1.16 is no longer receiving support upstream. We recommend replacing `aws-k8s-1.16` nodes with a later variant, preferably `aws-k8s-1.19` if your cluster supports it. See [this issue](https://github.com/bottlerocket-os/bottlerocket/issues/1552) for more details. ## Important Notes ### New variants with new defaults This release introduces two new variants, `aws-k8s-1.20` and `vmware-k8s-1.20`. We plan for all new variants, including these, to contain the following changes: * The kernel is Linux 5.10 rather than 5.4. * The kernel lockdown mode is set to "integrity" rather than "none". The ECS preview variant, `aws-ecs-1`, has also been updated with these changes. Existing `aws-k8s` variants will not receive these changes as they could affect existing workloads. ### ECS task networking The `aws-ecs-1` variant now supports the `awsvpc` mode of [ECS task networking](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html). This allocates an elastic network interface and private IP address to each task. ## OS Changes * Add Linux kernel 5.10 for use in new variants ([#1526]) * Add aws-k8s-1.20 variant with Kubernetes 1.20 support ([#1437], [#1533]) * Add vmware-k8s-1.20 variant with Kubernetes 1.20 for VMware ([#1511], [#1529], [#1523], [#1502], [#1554]) * Remove aws-k8s-1.15 variant ([#1487], [#1492]) * Constrain ephemeral port range ([#1560]) * Support awsvpc networking mode in ECS ([#1246]) * Add settings for QPS and burst limits of Kubernetes registry pulls, event records, and API ([#1527], [#1532], [#1541]) * Add setting to allow configuration of Kubernetes TLS bootstrap ([#1485]) * Add setting for configuring Kubernetes cloudProvider to allow usage outside AWS ([#1494]) * Make Kubernetes cluster-dns-ip optional to support usage outside of AWS ([#1482]) * Change parameters to support healthy CIS scan ([#1295]) (Thanks, @felipeac!) 
* Generate stable machine IDs for VMware and ARM KVM guests ([#1506], [#1537]) * Enable "integrity" kernel lockdown mode for aws-ecs-1 preview variant ([#1530]) * Remove override for default service start timeout ([#1483]) * Restrict access to bootstrap container user data with SELinux ([#1496]) * Split SELinux policy rules for trusted subjects ([#1558]) * Add symlink to allow usage of secrets store CSI drivers ([#1544]) * Prevent bootstrap containers from restarting ([#1508]) * Add udev rules to mount CD-ROM only when media is present ([#1516]) * Add resize2fs binary to sbin ([#1519]) (Thanks, @samjo-nyang!) * Only restart a host container if affected by settings change ([#1480]) * Support file patterns when specifying log files in logdog ([#1509]) * Daemonize thar-be-settings to avoid zombie processes ([#1507]) * Add support for AWS region ap-northeast-3: Osaka ([#1504]) * Generate pause container URI with standard template variables ([#1551]) * Get cluster DNS IP from cluster when available ([#1547]) ## Build Changes * Use kernel 5.10 in aws-ecs-1 variant ([#1555]) * Build only the packages needed for the current variant ([#1408], [#1520]) * Use a friendly name for VMware OVA files in build outputs ([#1535]) * Update SDK to 0.21.0 ([#1497], [#1529]) * Allow variants to specify extra kernel parameters ([#1491]) * Move kernel console settings to variant definitions ([#1513]) * Update vmw_backdoor dependency ([#1498]) (Thanks, @lucab!) 
* Archive old migrations ([#1540]) * Refactor default settings and containerd configs to shared files ([#1538], [#1542]) * Check cargo version at start of build so we have a clear error when it's too low ([#1503]) * Fix concurrency issue in validate-repo that led to hangs ([#1521]) * Update third-party package dependencies ([#1543], [#1556]) * Update Rust dependencies in the tools/ workspace ([#1548]) * Update tokio-related Rust dependencies in the sources/ workspace ([#1479]) * Add upstream runc patches addressing container scheduling failure ([#1546]) * Retry builds on known BuildKit internal errors ([#1557], [#1561]) ## Documentation Changes * Document the deprecation of the aws-k8s-1.15 variant ([#1476]) * Document the need to quote most Kubernetes labels/taints ([#1550]) (Thanks, @ellistarn!) * Fix VMware spelling and document user data sources ([#1534]) [#1246]: https://github.com/bottlerocket-os/bottlerocket/pull/1246 [#1295]: https://github.com/bottlerocket-os/bottlerocket/pull/1295 [#1408]: https://github.com/bottlerocket-os/bottlerocket/pull/1408 [#1437]: https://github.com/bottlerocket-os/bottlerocket/pull/1437 [#1476]: https://github.com/bottlerocket-os/bottlerocket/pull/1476 [#1477]: https://github.com/bottlerocket-os/bottlerocket/pull/1477 [#1479]: https://github.com/bottlerocket-os/bottlerocket/pull/1479 [#1480]: https://github.com/bottlerocket-os/bottlerocket/pull/1480 [#1482]: https://github.com/bottlerocket-os/bottlerocket/pull/1482 [#1483]: https://github.com/bottlerocket-os/bottlerocket/pull/1483 [#1485]: https://github.com/bottlerocket-os/bottlerocket/pull/1485 [#1486]: https://github.com/bottlerocket-os/bottlerocket/pull/1486 [#1487]: https://github.com/bottlerocket-os/bottlerocket/pull/1487 [#1491]: https://github.com/bottlerocket-os/bottlerocket/pull/1491 [#1492]: https://github.com/bottlerocket-os/bottlerocket/pull/1492 [#1494]: https://github.com/bottlerocket-os/bottlerocket/pull/1494 [#1496]: 
https://github.com/bottlerocket-os/bottlerocket/pull/1496 [#1497]: https://github.com/bottlerocket-os/bottlerocket/pull/1497 [#1498]: https://github.com/bottlerocket-os/bottlerocket/pull/1498 [#1502]: https://github.com/bottlerocket-os/bottlerocket/pull/1502 [#1503]: https://github.com/bottlerocket-os/bottlerocket/pull/1503 [#1504]: https://github.com/bottlerocket-os/bottlerocket/pull/1504 [#1506]: https://github.com/bottlerocket-os/bottlerocket/pull/1506 [#1507]: https://github.com/bottlerocket-os/bottlerocket/pull/1507 [#1508]: https://github.com/bottlerocket-os/bottlerocket/pull/1508 [#1509]: https://github.com/bottlerocket-os/bottlerocket/pull/1509 [#1511]: https://github.com/bottlerocket-os/bottlerocket/pull/1511 [#1513]: https://github.com/bottlerocket-os/bottlerocket/pull/1513 [#1516]: https://github.com/bottlerocket-os/bottlerocket/pull/1516 [#1519]: https://github.com/bottlerocket-os/bottlerocket/pull/1519 [#1520]: https://github.com/bottlerocket-os/bottlerocket/pull/1520 [#1521]: https://github.com/bottlerocket-os/bottlerocket/pull/1521 [#1523]: https://github.com/bottlerocket-os/bottlerocket/pull/1523 [#1526]: https://github.com/bottlerocket-os/bottlerocket/pull/1526 [#1527]: https://github.com/bottlerocket-os/bottlerocket/pull/1527 [#1529]: https://github.com/bottlerocket-os/bottlerocket/pull/1529 [#1530]: https://github.com/bottlerocket-os/bottlerocket/pull/1530 [#1532]: https://github.com/bottlerocket-os/bottlerocket/pull/1532 [#1533]: https://github.com/bottlerocket-os/bottlerocket/pull/1533 [#1534]: https://github.com/bottlerocket-os/bottlerocket/pull/1534 [#1535]: https://github.com/bottlerocket-os/bottlerocket/pull/1535 [#1537]: https://github.com/bottlerocket-os/bottlerocket/pull/1537 [#1538]: https://github.com/bottlerocket-os/bottlerocket/pull/1538 [#1540]: https://github.com/bottlerocket-os/bottlerocket/pull/1540 [#1541]: https://github.com/bottlerocket-os/bottlerocket/pull/1541 [#1542]: 
https://github.com/bottlerocket-os/bottlerocket/pull/1542 [#1543]: https://github.com/bottlerocket-os/bottlerocket/pull/1543 [#1544]: https://github.com/bottlerocket-os/bottlerocket/pull/1544 [#1546]: https://github.com/bottlerocket-os/bottlerocket/pull/1546 [#1547]: https://github.com/bottlerocket-os/bottlerocket/pull/1547 [#1548]: https://github.com/bottlerocket-os/bottlerocket/pull/1548 [#1550]: https://github.com/bottlerocket-os/bottlerocket/pull/1550 [#1551]: https://github.com/bottlerocket-os/bottlerocket/pull/1551 [#1554]: https://github.com/bottlerocket-os/bottlerocket/pull/1554 [#1555]: https://github.com/bottlerocket-os/bottlerocket/pull/1555 [#1556]: https://github.com/bottlerocket-os/bottlerocket/pull/1556 [#1557]: https://github.com/bottlerocket-os/bottlerocket/pull/1557 [#1558]: https://github.com/bottlerocket-os/bottlerocket/pull/1558 [#1560]: https://github.com/bottlerocket-os/bottlerocket/pull/1560 [#1561]: https://github.com/bottlerocket-os/bottlerocket/pull/1561 # v1.0.8 (2021-04-12) ## Deprecation Notice Bottlerocket 1.0.8 is the last release where we plan to support the Kubernetes 1.15 variant, `aws-k8s-1.15`. Kubernetes 1.15 is no longer receiving support upstream. We recommend replacing `aws-k8s-1.15` nodes with a later variant, preferably `aws-k8s-1.19` if your cluster supports it. See [this issue](https://github.com/bottlerocket-os/bottlerocket/issues/1478) for more details. 
## OS Changes * Support additional kubelet arguments: kube-reserved, eviction-hard, cpu-manager-policy, and allow-unsafe-sysctls ([#1388], [#1472], [#1465]) * Expand file and process restrictions in the SELinux policy ([#1464]) * Add support for bootstrap containers ([#1387], [#1423]) * Make host containers inherit proxy env vars ([#1432]) * Allow gzip compression of user data ([#1366]) * Add 'apply' mode to apiclient for applying settings from URIs ([#1391]) * Add compat symlink for kubelet volume plugins ([#1417]) * Remove bottlerocket.version attribute from ECS agent settings ([#1395]) * Make Kubernetes taint values optional ([#1406]) * Add guestinfo to available VMware user data retrieval methods ([#1393]) * Include source of invalid base64 data in error messages ([#1469]) * Update eni-max-pods data file ([#1468]) * Update default host container versions ([#1443], [#1441], [#1466]) * Fix avc denial for dbus-broker ([#1434]) * Fix case of outputted JSON keys in host container user data ([#1439]) * Set mode of host container persistent storage directory after creation ([#1463]) * Add "current" persistent storage location for host containers ([#1416]) * Write static-pods manifest to tempfile before persisting it ([#1409]) ## Build Changes * Update default variant to aws-k8s-1.19 ([#1394]) * Update third-party packages ([#1460]) * Update Rust dependencies ([#1461], [#1462]) * Update dependencies of host-ctr ([#1371]) * Add support for specifying a variant's supported architectures ([#1431]) * Build OVA packages and include them in repos ([#1428]) * Add support for qcow2 as an image format ([#1425]) (Thanks, @mikalstill!) 
* Prevent unneeded artifacts from being copied through build process ([#1426]) * Change image format for vmware-dev variant to vmdk ([#1397]) * Remove tough dependency from update_metadata ([#1390]) * Remove generate_constants logic from build.rs of parse-datetime ([#1376]) * In the tools workspace, update to tokio v1, reqwest v0.11, and tough v0.11 ([#1370]) * Run static and non-static Rust builds in parallel ([#1368]) * Disable CMDLINE_EXTEND kernel configuration ([#1473]) ## Documentation Changes * Document metrics settings in README ([#1449]) * Fix broken links for symlinked files in models README ([#1444]) * Document `apiclient update` as primary CLI update method ([#1421]) * Use `apiclient set` in introductory documentation, explain raw mode separately ([#1418]) * Prefer resolve:ssm: parameters for simplicity in QUICKSTART ([#1363]) * Update quickstart guides to have arm64 examples ([#1360]) * Document the deprecation of the aws-k8s-1.15 variant ([#1476]) [#1360]: https://github.com/bottlerocket-os/bottlerocket/pull/1360 [#1363]: https://github.com/bottlerocket-os/bottlerocket/pull/1363 [#1366]: https://github.com/bottlerocket-os/bottlerocket/pull/1366 [#1368]: https://github.com/bottlerocket-os/bottlerocket/pull/1368 [#1370]: https://github.com/bottlerocket-os/bottlerocket/pull/1370 [#1371]: https://github.com/bottlerocket-os/bottlerocket/pull/1371 [#1376]: https://github.com/bottlerocket-os/bottlerocket/pull/1376 [#1387]: https://github.com/bottlerocket-os/bottlerocket/pull/1387 [#1388]: https://github.com/bottlerocket-os/bottlerocket/pull/1388 [#1390]: https://github.com/bottlerocket-os/bottlerocket/pull/1390 [#1391]: https://github.com/bottlerocket-os/bottlerocket/pull/1391 [#1393]: https://github.com/bottlerocket-os/bottlerocket/pull/1393 [#1394]: https://github.com/bottlerocket-os/bottlerocket/pull/1394 [#1395]: https://github.com/bottlerocket-os/bottlerocket/pull/1395 [#1397]: https://github.com/bottlerocket-os/bottlerocket/pull/1397 [#1406]: 
https://github.com/bottlerocket-os/bottlerocket/pull/1406 [#1409]: https://github.com/bottlerocket-os/bottlerocket/pull/1409 [#1416]: https://github.com/bottlerocket-os/bottlerocket/pull/1416 [#1417]: https://github.com/bottlerocket-os/bottlerocket/pull/1417 [#1418]: https://github.com/bottlerocket-os/bottlerocket/pull/1418 [#1421]: https://github.com/bottlerocket-os/bottlerocket/pull/1421 [#1423]: https://github.com/bottlerocket-os/bottlerocket/pull/1423 [#1425]: https://github.com/bottlerocket-os/bottlerocket/pull/1425 [#1426]: https://github.com/bottlerocket-os/bottlerocket/pull/1426 [#1428]: https://github.com/bottlerocket-os/bottlerocket/pull/1428 [#1431]: https://github.com/bottlerocket-os/bottlerocket/pull/1431 [#1432]: https://github.com/bottlerocket-os/bottlerocket/pull/1432 [#1434]: https://github.com/bottlerocket-os/bottlerocket/pull/1434 [#1439]: https://github.com/bottlerocket-os/bottlerocket/pull/1439 [#1441]: https://github.com/bottlerocket-os/bottlerocket/pull/1441 [#1443]: https://github.com/bottlerocket-os/bottlerocket/pull/1443 [#1444]: https://github.com/bottlerocket-os/bottlerocket/pull/1444 [#1449]: https://github.com/bottlerocket-os/bottlerocket/pull/1449 [#1460]: https://github.com/bottlerocket-os/bottlerocket/pull/1460 [#1461]: https://github.com/bottlerocket-os/bottlerocket/pull/1461 [#1462]: https://github.com/bottlerocket-os/bottlerocket/pull/1462 [#1463]: https://github.com/bottlerocket-os/bottlerocket/pull/1463 [#1464]: https://github.com/bottlerocket-os/bottlerocket/pull/1464 [#1465]: https://github.com/bottlerocket-os/bottlerocket/pull/1465 [#1466]: https://github.com/bottlerocket-os/bottlerocket/pull/1466 [#1468]: https://github.com/bottlerocket-os/bottlerocket/pull/1468 [#1469]: https://github.com/bottlerocket-os/bottlerocket/pull/1469 [#1472]: https://github.com/bottlerocket-os/bottlerocket/pull/1472 [#1473]: https://github.com/bottlerocket-os/bottlerocket/pull/1473 [#1476]: 
https://github.com/bottlerocket-os/bottlerocket/pull/1476 # v1.0.7 (2021-03-17) ## Security fixes * containerd: update to 1.4.4 ([#1401]) ## OS Changes * systemd: update to 247.4 to fix segfault in some cases ([#1400]) * apiserver: reap exited child processes ([#1384]) * host-ctr: specify non-colliding runc root ([#1359]) * updog: update signal-hook dependency ([#1328]) [#1328]: https://github.com/bottlerocket-os/bottlerocket/pull/1328 [#1359]: https://github.com/bottlerocket-os/bottlerocket/pull/1359 [#1384]: https://github.com/bottlerocket-os/bottlerocket/pull/1384 [#1400]: https://github.com/bottlerocket-os/bottlerocket/pull/1400 [#1401]: https://github.com/bottlerocket-os/bottlerocket/pull/1401 # v1.0.6 (2021-03-02) ## OS Changes * Add metricdog to support sending anonymous metrics ([#1006], [#1322]) * Add a vmware-dev variant ([#1292], [#1288], [#1290]) * Add Kubernetes static pods support ([#1317]) * Add high-level 'set' subcommand for changing settings using apiclient ([#1278]) * Allow admin container to use SSH public keys from user data ([#1331], [#1358], [#19]) * Add support for kubelet in standalone mode and TLS auth ([#1338]) * Add https-proxy and no-proxy settings to updog ([#1324]) * Add support for pulling host-containers from ECR Public ([#1296]) * Add network proxy support to aws-k8s-1.19 ([#1337]) * Modify default SELinux label for containers to align with upstream ([#1318]) * Add aliases for container-selinux types to align with community ([#1316]) * Update default versions of admin and control containers ([#1347], [#1344]) * Update ecs-agent to 1.50.2 ([#1353]) * logdog: Add eni logs for Kubernetes ([#1327]) ## Build Changes * Add the ability to output vmdk via qemu-img ([#1289]) * Add support for kmod kits to ease building of third-party kernel modules ([#1287], [#1286], [#1285], [#1357]) * storewolf: Declare dependencies on model and defaults files ([#1319]) * storewolf: Refactor default settings files to allow sharing ([#1303], [#1329]) * 
Switch from TermLogger to SimpleLogger ([#1282], **thanks @hencrice!**) * Allow overriding the "pretty" name of the OS inside the image ([#1330]) * Specify bash in link-variant task for use of bash features ([#1323]) * Fix invalid symlinks when the BUILDSYS_NAME variable is set ([#1312]) * Track and clean output files for builds ([#1291]) * Update third-party software packages ([#1340], [#1336], [#1334], [#1333], [#1335], [#1190], [#1265], [#1315], [#1352], [#1356]) ## Documentation Changes * Add lockdown notes to SECURITY_GUIDANCE.md ([#1281]) * Clarify use case for update repos ([#1339]) * Fix broken link from API docs to top-level docs ([#1306]) [#1006]: https://github.com/bottlerocket-os/bottlerocket/pull/1006 [#1190]: https://github.com/bottlerocket-os/bottlerocket/pull/1190 [#1265]: https://github.com/bottlerocket-os/bottlerocket/pull/1265 [#1278]: https://github.com/bottlerocket-os/bottlerocket/pull/1278 [#1281]: https://github.com/bottlerocket-os/bottlerocket/pull/1281 [#1282]: https://github.com/bottlerocket-os/bottlerocket/pull/1282 [#1285]: https://github.com/bottlerocket-os/bottlerocket/pull/1285 [#1286]: https://github.com/bottlerocket-os/bottlerocket/pull/1286 [#1287]: https://github.com/bottlerocket-os/bottlerocket/pull/1287 [#1288]: https://github.com/bottlerocket-os/bottlerocket/pull/1288 [#1289]: https://github.com/bottlerocket-os/bottlerocket/pull/1289 [#1290]: https://github.com/bottlerocket-os/bottlerocket/pull/1290 [#1291]: https://github.com/bottlerocket-os/bottlerocket/pull/1291 [#1292]: https://github.com/bottlerocket-os/bottlerocket/pull/1292 [#1296]: https://github.com/bottlerocket-os/bottlerocket/pull/1296 [#1303]: https://github.com/bottlerocket-os/bottlerocket/pull/1303 [#1306]: https://github.com/bottlerocket-os/bottlerocket/pull/1306 [#1312]: https://github.com/bottlerocket-os/bottlerocket/pull/1312 [#1315]: https://github.com/bottlerocket-os/bottlerocket/pull/1315 [#1316]: https://github.com/bottlerocket-os/bottlerocket/pull/1316 
[#1317]: https://github.com/bottlerocket-os/bottlerocket/pull/1317 [#1318]: https://github.com/bottlerocket-os/bottlerocket/pull/1318 [#1319]: https://github.com/bottlerocket-os/bottlerocket/pull/1319 [#1322]: https://github.com/bottlerocket-os/bottlerocket/pull/1322 [#1323]: https://github.com/bottlerocket-os/bottlerocket/pull/1323 [#1324]: https://github.com/bottlerocket-os/bottlerocket/pull/1324 [#1327]: https://github.com/bottlerocket-os/bottlerocket/pull/1327 [#1329]: https://github.com/bottlerocket-os/bottlerocket/pull/1329 [#1330]: https://github.com/bottlerocket-os/bottlerocket/pull/1330 [#1331]: https://github.com/bottlerocket-os/bottlerocket/pull/1331 [#1333]: https://github.com/bottlerocket-os/bottlerocket/pull/1333 [#1334]: https://github.com/bottlerocket-os/bottlerocket/pull/1334 [#1335]: https://github.com/bottlerocket-os/bottlerocket/pull/1335 [#1336]: https://github.com/bottlerocket-os/bottlerocket/pull/1336 [#1337]: https://github.com/bottlerocket-os/bottlerocket/pull/1337 [#1338]: https://github.com/bottlerocket-os/bottlerocket/pull/1338 [#1339]: https://github.com/bottlerocket-os/bottlerocket/pull/1339 [#1340]: https://github.com/bottlerocket-os/bottlerocket/pull/1340 [#1344]: https://github.com/bottlerocket-os/bottlerocket/pull/1344 [#1347]: https://github.com/bottlerocket-os/bottlerocket/pull/1347 [#1352]: https://github.com/bottlerocket-os/bottlerocket/pull/1352 [#1353]: https://github.com/bottlerocket-os/bottlerocket/pull/1353 [#1356]: https://github.com/bottlerocket-os/bottlerocket/pull/1356 [#1357]: https://github.com/bottlerocket-os/bottlerocket/pull/1357 [#1358]: https://github.com/bottlerocket-os/bottlerocket/pull/1358 [#19]: https://github.com/bottlerocket-os/bottlerocket-admin-container/pull/19 # v1.0.5 (2021-01-15) **Note for aws-ecs-1 variant**: due to a change in the ECS agent's data store schema, the aws-ecs-1 variant cannot be downgraded after updating to v1.0.5. 
Attempts to downgrade may result in inconsistencies between ECS and the Bottlerocket container instance. ## OS Changes * Add aws-k8s-1.19 variant with Kubernetes 1.19 ([#1256]) * Update ecs-agent to 1.48.1 ([#1201]) * Add high-level update subcommands to apiclient ([#1219], [#1232]) * Add kernel lockdown settings ([#1223], [#1279]) * Add restart-commands for docker, kubelet, containerd ([#1231], [#1262], [#1258]) * Add proper restarts for host-containers ([#1230], [#1235], [#1242], [#1258]) * Fix SELinux policy ([#1236]) * Set version and revision strings for containerd ([#1248]) * Add host-container user-data setting ([#1244], [#1247]) * Add network proxy settings ([#1204], [#1262], [#1258]) * Update kernel to 5.4.80-40.140 ([#1257]) * Update third-party software packages ([#1264]) * Update Rust dependencies ([#1267]) ## Build Changes * Improve support for out-of-tree kernel modules ([#1220]) * Fix message in partition size check condition ([#1233], **thanks @pranavek!**) * Split the datastore module into its own crate ([#1249]) * Update SDK to v0.15.0 ([#1263]) * Update GitHub Actions to ignore changes that only include .md files ([#1274]) ## Documentation Changes * Add documentation comments to Dockerfile ([#1254]) * Add a note about CPU usage during builds ([#1266]) * Update README to point to discussions ([#1273]) [#1201]: https://github.com/bottlerocket-os/bottlerocket/pull/1201 [#1204]: https://github.com/bottlerocket-os/bottlerocket/pull/1204 [#1219]: https://github.com/bottlerocket-os/bottlerocket/pull/1219 [#1220]: https://github.com/bottlerocket-os/bottlerocket/pull/1220 [#1223]: https://github.com/bottlerocket-os/bottlerocket/pull/1223 [#1230]: https://github.com/bottlerocket-os/bottlerocket/pull/1230 [#1231]: https://github.com/bottlerocket-os/bottlerocket/pull/1231 [#1232]: https://github.com/bottlerocket-os/bottlerocket/pull/1232 [#1233]: https://github.com/bottlerocket-os/bottlerocket/pull/1233 [#1235]: 
https://github.com/bottlerocket-os/bottlerocket/pull/1235 [#1236]: https://github.com/bottlerocket-os/bottlerocket/pull/1236 [#1242]: https://github.com/bottlerocket-os/bottlerocket/pull/1242 [#1244]: https://github.com/bottlerocket-os/bottlerocket/pull/1244 [#1247]: https://github.com/bottlerocket-os/bottlerocket/pull/1247 [#1248]: https://github.com/bottlerocket-os/bottlerocket/pull/1248 [#1249]: https://github.com/bottlerocket-os/bottlerocket/pull/1249 [#1254]: https://github.com/bottlerocket-os/bottlerocket/pull/1254 [#1256]: https://github.com/bottlerocket-os/bottlerocket/pull/1256 [#1257]: https://github.com/bottlerocket-os/bottlerocket/pull/1257 [#1258]: https://github.com/bottlerocket-os/bottlerocket/pull/1258 [#1259]: https://github.com/bottlerocket-os/bottlerocket/pull/1259 [#1262]: https://github.com/bottlerocket-os/bottlerocket/pull/1262 [#1263]: https://github.com/bottlerocket-os/bottlerocket/pull/1263 [#1264]: https://github.com/bottlerocket-os/bottlerocket/pull/1264 [#1266]: https://github.com/bottlerocket-os/bottlerocket/pull/1266 [#1267]: https://github.com/bottlerocket-os/bottlerocket/pull/1267 [#1273]: https://github.com/bottlerocket-os/bottlerocket/pull/1273 [#1274]: https://github.com/bottlerocket-os/bottlerocket/pull/1274 [#1279]: https://github.com/bottlerocket-os/bottlerocket/pull/1279 # v1.0.4 (2020-11-30) ## Security fixes * Patch containerd for CVE-2020-15257 ([f3677c1406][f3677c1406]) [f3677c1406]: https://github.com/bottlerocket-os/bottlerocket/commit/f3677c1406139240d2bca6b275799953ced5a5f # v1.0.3 (2020-11-19) ## OS Changes * Support setting Linux kernel parameters (sysctl) via settings (see README) ([#1158], [#1171]) * Create links under `/dev/disk/ephemeral` for ephemeral storage devices ([#1173]) * Set default RLIMIT_NOFILE in CRI to a 65536 soft limit and a 1048576 hard limit ([#1180]) * Add rtcsync directive to chrony config file ([#1184], **thanks @errm!**) * Add `/etc/ssl/certs` symlink to the CA certificate bundle for
compatibility with the cluster autoscaler ([#1207]) * Add procps dependency to docker-engine so that `docker top` works ([#1210]) ## Build Changes * Align optimization level for crate and dependency builds ([#1155]) * pubsys no longer requires an Infra.toml file for basic usage ([#1166]) * Makefile: Check that $BUILDSYS_ARCH has a supported value ([#1167]) * Build migrations in parallel ([#1192]) * Allow file URLs for role in pubsys-setup ([#1194]) * Update Rust dependencies ([#1196]) * Update SDK to v0.14.0 ([#1198]) * Fix an occasional issue with KMS signing in pubsys ([#1205]) * Backport selected fixes from containerd 1.4 ([#1216]) * Update third-party package dependencies ([#1176], [#1195]) * Switch to SDK v0.14.0 ([#1198]) ## Documentation Changes * Nits and fixes ([#1170], [#1179]) * Add missing prerequisites for building Bottlerocket ([#1191]) [#1158]: https://github.com/bottlerocket-os/bottlerocket/pull/1158 [#1171]: https://github.com/bottlerocket-os/bottlerocket/pull/1171 [#1173]: https://github.com/bottlerocket-os/bottlerocket/pull/1173 [#1176]: https://github.com/bottlerocket-os/bottlerocket/pull/1176 [#1180]: https://github.com/bottlerocket-os/bottlerocket/pull/1180 [#1184]: https://github.com/bottlerocket-os/bottlerocket/pull/1184 [#1195]: https://github.com/bottlerocket-os/bottlerocket/pull/1195 [#1207]: https://github.com/bottlerocket-os/bottlerocket/pull/1207 [#1155]: https://github.com/bottlerocket-os/bottlerocket/pull/1155 [#1166]: https://github.com/bottlerocket-os/bottlerocket/pull/1166 [#1167]: https://github.com/bottlerocket-os/bottlerocket/pull/1167 [#1192]: https://github.com/bottlerocket-os/bottlerocket/pull/1192 [#1194]: https://github.com/bottlerocket-os/bottlerocket/pull/1194 [#1196]: https://github.com/bottlerocket-os/bottlerocket/pull/1196 [#1198]: https://github.com/bottlerocket-os/bottlerocket/pull/1198 [#1205]: https://github.com/bottlerocket-os/bottlerocket/pull/1205 [#1170]: 
https://github.com/bottlerocket-os/bottlerocket/pull/1170 [#1179]: https://github.com/bottlerocket-os/bottlerocket/pull/1179 [#1191]: https://github.com/bottlerocket-os/bottlerocket/pull/1191 [#1210]: https://github.com/bottlerocket-os/bottlerocket/pull/1210 [#1216]: https://github.com/bottlerocket-os/bottlerocket/pull/1216 [#1198]: https://github.com/bottlerocket-os/bottlerocket/pull/1198 # v1.0.2 (2020-10-13) ## Breaking changes (for build process only) * pubsys: automate setup of role and key ([#1133], [#1146]) * Store repos under repo name so you can build multiple ([#1135]) **Note:** these changes do not impact users of Bottlerocket AMIs or repos, only those who build Bottlerocket themselves. If you use an `Infra.toml` file to automate publishing, you'll need to update the format of the file. The root role and signing key definitions now live inside a repo definition, rather than at the top level of the file. Please see the updated [Infra.toml.example](tools/pubsys/Infra.toml.example) file for a commented explanation of the new role and key configuration. 
## OS changes * Add aws-k8s-1.18 variant with Kubernetes 1.18 ([#1150]) * Update kernel to 5.4.50-25.83 ([#1148]) * Update glibc to 2.32 ([#1092]) * Add e2fsprogs ([#1147]) * pluto: add regional map of pause container source accounts ([#1142]) * Add option to enable spot instance draining ([#1100], **thanks @mkulke!**) * Add 2.root.json + pubsys KMS support ([#1122]) * docker: add default nofiles ulimits for containers ([#1119]) * Fix AVC denial for `docker run --init` ([#1085]) ## Build changes * Pass Go module proxy variables through docker-go ([#1121]) * Set buildmode to pie and drop pie and debuginfo patches for Kubernetes ([#1103], **thanks @bnrjee!**) * pubsys: use requested size for volume, keeping snapshot to minimum size ([#1118]) * Switch to SDK v0.13.0 ([#1092]) * Add `cargo make grant-ami` and `revoke-ami` tasks ([#1087]) * Allow specifying AMI name with PUBLISH_AMI_NAME ([#1091]) * Makefile.toml: clean up clean actions ([#1089]) * pubsys: check for copied AMIs in parallel ([#1086]) ## Documentation changes * Add PUBLISHING.md guide explaining pubsys and related tools ([#1138]) * README: relocate update API instructions and example ([#1124], [#1127]) * Fix grammar issues in README.md ([#1098], **thanks @jweissig!**) * Add documentation for the aws-ecs-1 variant ([#1053]) * Update suggested Kubernetes version in sample eksctl config files ([#1090]) * Update BUILDING.md to incorporate dependencies ([#1107], **thanks @troyaws!**) [#1053]: https://github.com/bottlerocket-os/bottlerocket/pull/1053 [#1084]: https://github.com/bottlerocket-os/bottlerocket/pull/1084 [#1085]: https://github.com/bottlerocket-os/bottlerocket/pull/1085 [#1086]: https://github.com/bottlerocket-os/bottlerocket/pull/1086 [#1087]: https://github.com/bottlerocket-os/bottlerocket/pull/1087 [#1089]: https://github.com/bottlerocket-os/bottlerocket/pull/1089 [#1090]: https://github.com/bottlerocket-os/bottlerocket/pull/1090 [#1091]: https://github.com/bottlerocket-os/bottlerocket/pull/1091 
[#1092]: https://github.com/bottlerocket-os/bottlerocket/pull/1092 [#1094]: https://github.com/bottlerocket-os/bottlerocket/pull/1094 [#1098]: https://github.com/bottlerocket-os/bottlerocket/pull/1098 [#1100]: https://github.com/bottlerocket-os/bottlerocket/pull/1100 [#1103]: https://github.com/bottlerocket-os/bottlerocket/pull/1103 [#1107]: https://github.com/bottlerocket-os/bottlerocket/pull/1107 [#1109]: https://github.com/bottlerocket-os/bottlerocket/pull/1109 [#1118]: https://github.com/bottlerocket-os/bottlerocket/pull/1118 [#1119]: https://github.com/bottlerocket-os/bottlerocket/pull/1119 [#1121]: https://github.com/bottlerocket-os/bottlerocket/pull/1121 [#1122]: https://github.com/bottlerocket-os/bottlerocket/pull/1122 [#1124]: https://github.com/bottlerocket-os/bottlerocket/pull/1124 [#1127]: https://github.com/bottlerocket-os/bottlerocket/pull/1127 [#1133]: https://github.com/bottlerocket-os/bottlerocket/pull/1133 [#1135]: https://github.com/bottlerocket-os/bottlerocket/pull/1135 [#1138]: https://github.com/bottlerocket-os/bottlerocket/pull/1138 [#1142]: https://github.com/bottlerocket-os/bottlerocket/pull/1142 [#1146]: https://github.com/bottlerocket-os/bottlerocket/pull/1146 [#1147]: https://github.com/bottlerocket-os/bottlerocket/pull/1147 [#1148]: https://github.com/bottlerocket-os/bottlerocket/pull/1148 [#1149]: https://github.com/bottlerocket-os/bottlerocket/pull/1149 [#1150]: https://github.com/bottlerocket-os/bottlerocket/pull/1150 # v1.0.1 (2020-09-03) ## Security fixes * Patch kernel for CVE-2020-14386 ([#1108]) [#1108]: https://github.com/bottlerocket-os/bottlerocket/pull/1108 # v1.0.0 (2020-08-31) Welcome to Bottlerocket 1.0! Since the first public preview, we've added new variants for Amazon ECS and Kubernetes 1.16 and 1.17, support for ARM instances and more EC2 regions, along with many new features and security improvements. 
We appreciate all the feedback and contributions so far and look forward to working with the community on even wider support. :partying_face: :smile_cat: ## Security fixes * Update to chrony 3.5.1 ([#1057]) * Isolate host containers and limit access to API socket ([#1056]) ## OS changes * The `aws-ecs-1` variant is now available as a preview. * ecs-agent: upgrade to v1.43.0 ([#1043]) * aws-ecs-1: add ecs.loglevel setting ([#1062]) * aws-ecs-1: remove unsupported capabilities ([#1052]) * aws-ecs-1: constrain ephemeral port range ([#1051]) * aws-ecs-1: enable awslogs execution role support ([#1044]) * ecs-agent: don't start if not configured ([#1049]) * ecs-agent: bind introspection to localhost ([#1071]) * Update logdog to pull ECS-related log files ([#1054]) * Add documentation for the aws-ecs-1 variant ([#1053]) * apiclient: accept -s for --socket-path, as per usage message ([#1069]) * Fix growpart to avoid race in partition table reload ([#1058]) * Added patch for EC2 IMDSv2 support in Docker ([#1055]) * schnauzer: add a helper for ecr repos ([#1032]) ## Build changes * Add `cargo make ami-public` and `ami-private` targets ([#1033], [#1065], [#1064]) * Add `cargo make ssm` and `promote-ssm` targets for publishing parameters ([#1060], [#1070], [#1067], [#1066]) * Use per-checkout cache directories for builds ([#1050]) * Fix rust build caching and tune rpm compression ([#1045]) * Add official builds in 16 more EC2 regions. 
([aws/containers-roadmap#827](https://github.com/aws/containers-roadmap/issues/827)) ## Documentation changes * Revise security guidance ([#1072]) * README: add supported architectures ([#1048]) * Update supported region list after 0.5.0 release ([#1046]) * Removed aws-cli v1 requirement in docs ([#1073]) * Update BUILDING.md for new coldsnap-based amiize.sh ([#1047]) [#1073]: https://github.com/bottlerocket-os/bottlerocket/pull/1073 [#1072]: https://github.com/bottlerocket-os/bottlerocket/pull/1072 [#1071]: https://github.com/bottlerocket-os/bottlerocket/pull/1071 [#1070]: https://github.com/bottlerocket-os/bottlerocket/pull/1070 [#1069]: https://github.com/bottlerocket-os/bottlerocket/pull/1069 [#1067]: https://github.com/bottlerocket-os/bottlerocket/pull/1067 [#1066]: https://github.com/bottlerocket-os/bottlerocket/pull/1066 [#1065]: https://github.com/bottlerocket-os/bottlerocket/pull/1065 [#1064]: https://github.com/bottlerocket-os/bottlerocket/pull/1064 [#1062]: https://github.com/bottlerocket-os/bottlerocket/pull/1062 [#1060]: https://github.com/bottlerocket-os/bottlerocket/pull/1060 [#1058]: https://github.com/bottlerocket-os/bottlerocket/pull/1058 [#1057]: https://github.com/bottlerocket-os/bottlerocket/pull/1057 [#1056]: https://github.com/bottlerocket-os/bottlerocket/pull/1056 [#1055]: https://github.com/bottlerocket-os/bottlerocket/pull/1055 [#1054]: https://github.com/bottlerocket-os/bottlerocket/pull/1054 [#1053]: https://github.com/bottlerocket-os/bottlerocket/pull/1053 [#1052]: https://github.com/bottlerocket-os/bottlerocket/pull/1052 [#1051]: https://github.com/bottlerocket-os/bottlerocket/pull/1051 [#1050]: https://github.com/bottlerocket-os/bottlerocket/pull/1050 [#1049]: https://github.com/bottlerocket-os/bottlerocket/pull/1049 [#1048]: https://github.com/bottlerocket-os/bottlerocket/pull/1048 [#1047]: https://github.com/bottlerocket-os/bottlerocket/pull/1047 [#1046]: https://github.com/bottlerocket-os/bottlerocket/pull/1046 [#1045]: 
https://github.com/bottlerocket-os/bottlerocket/pull/1045 [#1044]: https://github.com/bottlerocket-os/bottlerocket/pull/1044 [#1043]: https://github.com/bottlerocket-os/bottlerocket/pull/1043 [#1033]: https://github.com/bottlerocket-os/bottlerocket/pull/1033 [#1032]: https://github.com/bottlerocket-os/bottlerocket/pull/1032 # v0.5.0 (2020-08-14) Special thanks to first-time contributor @spoonofpower ([#988])! ## Breaking changes * Remove support for unsigned datastore migrations ([#976]) ## OS changes * Add `aws-ecs-1` variant prototype for running containers in ECS clusters ([#946], [#1005], [#1007], [#1008], [#1009], [#1017]) * Configurable `clusterDomain` kubelet setting via `settings.kubernetes.cluster-domain` ([#988], [#1036]) * Make update position within waves consistent ([#993]) * Fix kubelet configuration for `MaxPods` ([#994]) * Update `eni-max-pods` with new instance types ([#994]) * Fix `max_versions` unit test in `updata` ([#998]) * Remove injection of `label:disable` option for privileged containers in Docker ([#1013]) * Add `policycoreutils` and related tools ([#1016]) * Update third-party software packages ([#1018], [#1023], [#1025], [#1026]) * Update Rust dependencies ([#1019], [#1021]) * Update `host-ctr`'s dependencies ([#1020]) * Update the host-containers' default versions ([#1030], [#1040]) * Allow access to all device nodes for superpowered host-containers ([#1037]) ## Build changes * Add `pubsys` (`cargo make repo`, `cargo make ami`) for repo and AMI creation ([#964], [#1010], [#1028], [#1034]) * Require `updata init` before creating a new repo manifest ([#991]) * Exclude README.md files from cargo change tracking ([#995], [#996]) * Build `aws-k8s-1.17` variant by default with `cargo make` ([#1002]) * Update comments to be more accurate in Infra.toml ([#1004]) * Update `amiize` to use `coldsnap` ([#1012]) * Update Bottlerocket SDK to v0.12.0 ([#1014]) * Fix warnings for use of deprecated items in `common_migrations` ([#1022]) ## 
Documentation changes * Removed instructions to manually apply the manifest for aws-vpc-cni-k8s ([#1029]) [#946]: https://github.com/bottlerocket-os/bottlerocket/pull/946 [#964]: https://github.com/bottlerocket-os/bottlerocket/pull/964 [#976]: https://github.com/bottlerocket-os/bottlerocket/pull/976 [#988]: https://github.com/bottlerocket-os/bottlerocket/pull/988 [#991]: https://github.com/bottlerocket-os/bottlerocket/pull/991 [#993]: https://github.com/bottlerocket-os/bottlerocket/pull/993 [#994]: https://github.com/bottlerocket-os/bottlerocket/pull/994 [#995]: https://github.com/bottlerocket-os/bottlerocket/pull/995 [#996]: https://github.com/bottlerocket-os/bottlerocket/pull/996 [#998]: https://github.com/bottlerocket-os/bottlerocket/pull/998 [#1002]: https://github.com/bottlerocket-os/bottlerocket/pull/1002 [#1004]: https://github.com/bottlerocket-os/bottlerocket/pull/1004 [#1005]: https://github.com/bottlerocket-os/bottlerocket/pull/1005 [#1007]: https://github.com/bottlerocket-os/bottlerocket/pull/1007 [#1008]: https://github.com/bottlerocket-os/bottlerocket/pull/1008 [#1009]: https://github.com/bottlerocket-os/bottlerocket/pull/1009 [#1010]: https://github.com/bottlerocket-os/bottlerocket/pull/1010 [#1012]: https://github.com/bottlerocket-os/bottlerocket/pull/1012 [#1013]: https://github.com/bottlerocket-os/bottlerocket/pull/1013 [#1014]: https://github.com/bottlerocket-os/bottlerocket/pull/1014 [#1016]: https://github.com/bottlerocket-os/bottlerocket/pull/1016 [#1017]: https://github.com/bottlerocket-os/bottlerocket/pull/1017 [#1018]: https://github.com/bottlerocket-os/bottlerocket/pull/1018 [#1019]: https://github.com/bottlerocket-os/bottlerocket/pull/1019 [#1020]: https://github.com/bottlerocket-os/bottlerocket/pull/1020 [#1021]: https://github.com/bottlerocket-os/bottlerocket/pull/1021 [#1022]: https://github.com/bottlerocket-os/bottlerocket/pull/1022 [#1023]: https://github.com/bottlerocket-os/bottlerocket/pull/1023 [#1025]: 
https://github.com/bottlerocket-os/bottlerocket/pull/1025 [#1026]: https://github.com/bottlerocket-os/bottlerocket/pull/1026 [#1028]: https://github.com/bottlerocket-os/bottlerocket/pull/1028 [#1029]: https://github.com/bottlerocket-os/bottlerocket/pull/1029 [#1030]: https://github.com/bottlerocket-os/bottlerocket/pull/1030 [#1034]: https://github.com/bottlerocket-os/bottlerocket/pull/1034 [#1036]: https://github.com/bottlerocket-os/bottlerocket/pull/1036 [#1037]: https://github.com/bottlerocket-os/bottlerocket/pull/1037 [#1040]: https://github.com/bottlerocket-os/bottlerocket/pull/1040 # v0.4.1 (2020-07-13) ## Security fixes * Patch Kubernetes for CVE-2020-8558 ([#977]) * Update `tough` to 0.7.1 to patch CVE-2020-15093 ([#979]) ## OS changes * Add a new `aws-k8s-1.17` variant for Kubernetes 1.17 ([#973]) * Confine `chrony`, `wicked`, and `dbus-broker` via SELinux, and persist their state to disk ([#970]) * Persist `systemd` journal to disk ([#970]) * Add an API for OS updates ([#942], [#959], [#986]) * Add migration helpers to add / remove multiple settings at once ([#958]) * Fix SELinux policy to allow CSI driver mounts and transition used by Kaniko ([#983]) * Update to new repo URL via migration to ensure signed migration support ([#980]) ## Build changes * Fix environment variable override for build output directory ([#963]) * Update `.dockerignore` to account for the new build output directory structure ([#967]) * Remove the `preview-docs` task from `Makefile` ([#969]) ## Documentation changes * Document new update APIs and add associated diagrams ([#962]) * Add `ap-south-1` to supported regions ([#965]) * Fix `storewolf`'s documentation and usage message as it expects a semver value ([#957]) [#942]: https://github.com/bottlerocket-os/bottlerocket/pull/942 [#957]: https://github.com/bottlerocket-os/bottlerocket/pull/957 [#958]: https://github.com/bottlerocket-os/bottlerocket/pull/958 [#959]: https://github.com/bottlerocket-os/bottlerocket/pull/959 [#962]: 
https://github.com/bottlerocket-os/bottlerocket/pull/962 [#963]: https://github.com/bottlerocket-os/bottlerocket/pull/963 [#965]: https://github.com/bottlerocket-os/bottlerocket/pull/965 [#967]: https://github.com/bottlerocket-os/bottlerocket/pull/967 [#969]: https://github.com/bottlerocket-os/bottlerocket/pull/969 [#970]: https://github.com/bottlerocket-os/bottlerocket/pull/970 [#973]: https://github.com/bottlerocket-os/bottlerocket/pull/973 [#977]: https://github.com/bottlerocket-os/bottlerocket/pull/977 [#979]: https://github.com/bottlerocket-os/bottlerocket/pull/979 [#980]: https://github.com/bottlerocket-os/bottlerocket/pull/980 [#983]: https://github.com/bottlerocket-os/bottlerocket/pull/983 [#986]: https://github.com/bottlerocket-os/bottlerocket/pull/986 # v0.4.0 (2020-06-25) ## Breaking changes * Remove all permissive types from the SELinux policy ([#945]). Actions that were not allowed by the SELinux policy now fail instead of only being logged. ## OS changes * Use update repository metadata and signatures to run settings migrations ([#930]) * Mount debugfs in superpowered host containers, such as the admin container, to support tools like `bcc` and `bpftrace` ([#934]) * Protect container snapshot layers in SELinux policy ([#935]) * Add `POST /actions/reboot` API path ([#936]) * Update `tough` to v0.6.0 ([#944]) * Fix behavior of `signpost cancel-upgrade` ([#950]) * Update to kernel 5.4.46 ([#953]) ## Build changes * Canonicalize architecture names in amiize.sh ([#932]) * Split build output directories by variant and architecture ([#948]) * Move intermediate RPM output from `build/packages` to `build/rpms` ([#948]) * Fix `chmod` usage for building on macOS ([#951]) ## Documentation changes * Document platform-specific settings in README.md ([#941]) [#930]: https://github.com/bottlerocket-os/bottlerocket/pull/930 [#932]: https://github.com/bottlerocket-os/bottlerocket/pull/932 [#934]: https://github.com/bottlerocket-os/bottlerocket/pull/934 [#935]: 
https://github.com/bottlerocket-os/bottlerocket/pull/935 [#936]: https://github.com/bottlerocket-os/bottlerocket/pull/936 [#941]: https://github.com/bottlerocket-os/bottlerocket/pull/941 [#944]: https://github.com/bottlerocket-os/bottlerocket/pull/944 [#945]: https://github.com/bottlerocket-os/bottlerocket/pull/945 [#948]: https://github.com/bottlerocket-os/bottlerocket/pull/948 [#950]: https://github.com/bottlerocket-os/bottlerocket/pull/950 [#951]: https://github.com/bottlerocket-os/bottlerocket/pull/951 [#953]: https://github.com/bottlerocket-os/bottlerocket/pull/953 # v0.3.4 (2020-05-27) ## OS changes * Add a new Kubernetes 1.16 variant ([#919]) * Use SELinux to restrict datastore modifications ([#917]) * Add variant override to updog arguments ([#923]) ## Build changes * Update systemd to v245 ([#916]) * Update build SDK to v0.11.0 ([#926]) * Allow specifying a start time for waves in updata ([#927]) * Update `tough` dependencies to v0.5.0 ([#928]) [#916]: https://github.com/bottlerocket-os/bottlerocket/pull/916 [#917]: https://github.com/bottlerocket-os/bottlerocket/pull/917 [#919]: https://github.com/bottlerocket-os/bottlerocket/pull/919 [#923]: https://github.com/bottlerocket-os/bottlerocket/pull/923 [#926]: https://github.com/bottlerocket-os/bottlerocket/pull/926 [#927]: https://github.com/bottlerocket-os/bottlerocket/pull/927 [#928]: https://github.com/bottlerocket-os/bottlerocket/pull/928 # v0.3.3 (2020-05-14) ## OS changes * Security: update kernel to 5.4.38 ([#924]) [#924]: https://github.com/bottlerocket-os/bottlerocket/pull/924 # v0.3.2 (2020-04-20) Special thanks to our first contributors, @inductor ([#853]), @smoser ([#871]), and @gliptak ([#870])! 
## OS changes * Update kernel to 5.4.20 ([#898]) * Expand SELinux policy to include all classes and actions in 5.4 kernel ([#888]) * Include error messages in apiserver error responses ([#897]) * Add "logdog" to help users collect debug logs ([#880]) * Include objtool in kernel-devel for compiling external modules ([#874]) * Ignore termination signals in updog right before initiating reboot ([#869]) * Pass `--containerd` flag to kubelet to specify containerd socket path, fixing some cAdvisor metrics ([#868]) * Fix delay on reboot or power off ([#859]) * Add `systemd.log_color=0` to remove ANSI color escapes from console log ([#836]) * Reduce containerd logging when no errors have occurred ([#886]) * Update admin container to v0.5.0 ([#903]) ## Build changes * Set up GitHub Actions to test OS builds for PRs ([#837]) * Update SDK to v0.10.1 ([#866]) * Move built RPMs to `build/packages` ([#863]) * Bump cargo-make to 0.30.0 ([#870]) * Pass proxy environment variables through to docker containers ([#871]) * Add parse-datetime crate ([#875]) * Update third-party software packages ([#895]) * Update Rust dependencies ([#896]) * Remove unused Rust dependencies ([#894]) * Add upstream fix for arm64 in coreutils ([#879]) * Add ability to add waves using TOML files ([#883]) * Add default wave files ([#881]) * Fix migrations builds ([#906]) ## Documentation changes * QUICKSTART: Clarify which setup is optional ([#902]) * QUICKSTART: add easier setup instructions using new eksctl release ([#849]) * QUICKSTART: add note about allowing SSH access ([#839]) * QUICKSTART: add section on finding AMIs through SSM parameters ([#838]) * QUICKSTART: Add supported region list ([73d120c9]) * QUICKSTART: Add info about persistent volume CSI plugin ([#899]) * QUICKSTART and README: Add appropriate ECR policy guidance ([#856]) * README: Fix feedback link to point at existing section ([#833]) * README: Add sentence about preview phase with feedback link ([#832]) * README: Fixes and updates 
([#831]) * Update name of early-boot-config in API system diagram ([#840]) * Fix updater README's reference to data store version ([#844]) * Fix example wave files ([#908]) [#831]: https://github.com/bottlerocket-os/bottlerocket/pull/831 [#832]: https://github.com/bottlerocket-os/bottlerocket/pull/832 [#833]: https://github.com/bottlerocket-os/bottlerocket/pull/833 [#836]: https://github.com/bottlerocket-os/bottlerocket/pull/836 [#837]: https://github.com/bottlerocket-os/bottlerocket/pull/837 [#838]: https://github.com/bottlerocket-os/bottlerocket/pull/838 [#839]: https://github.com/bottlerocket-os/bottlerocket/pull/839 [#840]: https://github.com/bottlerocket-os/bottlerocket/pull/840 [#844]: https://github.com/bottlerocket-os/bottlerocket/pull/844 [#849]: https://github.com/bottlerocket-os/bottlerocket/pull/849 [#853]: https://github.com/bottlerocket-os/bottlerocket/pull/853 [#856]: https://github.com/bottlerocket-os/bottlerocket/pull/856 [#859]: https://github.com/bottlerocket-os/bottlerocket/pull/859 [#860]: https://github.com/bottlerocket-os/bottlerocket/pull/860 [#863]: https://github.com/bottlerocket-os/bottlerocket/pull/863 [#866]: https://github.com/bottlerocket-os/bottlerocket/pull/866 [#868]: https://github.com/bottlerocket-os/bottlerocket/pull/868 [#869]: https://github.com/bottlerocket-os/bottlerocket/pull/869 [#870]: https://github.com/bottlerocket-os/bottlerocket/pull/870 [#871]: https://github.com/bottlerocket-os/bottlerocket/pull/871 [#874]: https://github.com/bottlerocket-os/bottlerocket/pull/874 [#875]: https://github.com/bottlerocket-os/bottlerocket/pull/875 [#879]: https://github.com/bottlerocket-os/bottlerocket/pull/879 [#880]: https://github.com/bottlerocket-os/bottlerocket/pull/880 [#881]: https://github.com/bottlerocket-os/bottlerocket/pull/881 [#883]: https://github.com/bottlerocket-os/bottlerocket/pull/883 [#886]: https://github.com/bottlerocket-os/bottlerocket/pull/886 [#888]: https://github.com/bottlerocket-os/bottlerocket/pull/888 
[#894]: https://github.com/bottlerocket-os/bottlerocket/pull/894 [#895]: https://github.com/bottlerocket-os/bottlerocket/pull/895 [#896]: https://github.com/bottlerocket-os/bottlerocket/pull/896 [#897]: https://github.com/bottlerocket-os/bottlerocket/pull/897 [#898]: https://github.com/bottlerocket-os/bottlerocket/pull/898 [#899]: https://github.com/bottlerocket-os/bottlerocket/pull/899 [#902]: https://github.com/bottlerocket-os/bottlerocket/pull/902 [#903]: https://github.com/bottlerocket-os/bottlerocket/pull/903 [#906]: https://github.com/bottlerocket-os/bottlerocket/pull/906 [#908]: https://github.com/bottlerocket-os/bottlerocket/pull/908 [73d120c9]: https://github.com/bottlerocket-os/bottlerocket/commit/73d120c9 # v0.3.1 (2020-03-10) ## OS changes * Log migration errors to console ([#795]) * Enable BTF debug info (`CONFIG_DEBUG_INFO_BTF`) ([#799]) * Move migrations from private partition to data partition ([#818]) * Add top-level model struct ([#824]) * Update ca-certificates, cni-plugins, coreutils, dbus-broker, iproute, kmod, libcap, libxcrypt, ncurses, socat, and wicked ([#826]) ## Build changes * Update Rust dependencies ([#798], [#806], [#809], [#810]) * Add additional cleanup steps to amiize.sh ([#804]) * Work around warnings for unused licenses ([#827]) ## Documentation changes * Add [GLOSSARY.md](GLOSSARY.md), [SECURITY_FEATURES.md](SECURITY_FEATURES.md), and [SECURITY_GUIDANCE.md](SECURITY_GUIDANCE.md) ([#800], [#807], [#821]) * Add additional information to top section of [README.md](README.md) ([#802]) * Add license information to OpenAPI specification ([#803]) * Add description of source mirroring ([#817]) * Update [CHARTER.md](CHARTER.md) wording ([#823]) [#795]: https://github.com/bottlerocket-os/bottlerocket/pull/795 [#798]: https://github.com/bottlerocket-os/bottlerocket/pull/798 [#799]: https://github.com/bottlerocket-os/bottlerocket/pull/799 [#800]: https://github.com/bottlerocket-os/bottlerocket/pull/800 [#802]: 
https://github.com/bottlerocket-os/bottlerocket/pull/802 [#803]: https://github.com/bottlerocket-os/bottlerocket/pull/803 [#804]: https://github.com/bottlerocket-os/bottlerocket/pull/804 [#806]: https://github.com/bottlerocket-os/bottlerocket/pull/806 [#807]: https://github.com/bottlerocket-os/bottlerocket/pull/807 [#809]: https://github.com/bottlerocket-os/bottlerocket/pull/809 [#810]: https://github.com/bottlerocket-os/bottlerocket/pull/810 [#817]: https://github.com/bottlerocket-os/bottlerocket/pull/817 [#818]: https://github.com/bottlerocket-os/bottlerocket/pull/818 [#821]: https://github.com/bottlerocket-os/bottlerocket/pull/821 [#823]: https://github.com/bottlerocket-os/bottlerocket/pull/823 [#824]: https://github.com/bottlerocket-os/bottlerocket/pull/824 [#826]: https://github.com/bottlerocket-os/bottlerocket/pull/826 [#827]: https://github.com/bottlerocket-os/bottlerocket/pull/827 # v0.3.0 (2020-02-27) Welcome to Bottlerocket! Bottlerocket is the new name for the OS. In preparation for public preview, v0.3.0 includes a number of breaking changes that mean upgrades from previous versions are not possible. This is not done lightly, but had to be done to accommodate all we've learned during private preview. ## Breaking Changes * Rename to Bottlerocket ([#722], [#740]). * Change partition labels to `BOTTLEROCKET-*` ([#726]). * Switch to new updates repository URIs under `updates.bottlerocket.aws` ([#778]). * Update Kubernetes to 1.15 ([#749]). * Rename aws-k8s variant to aws-k8s-1.15 to enable versioning ([#785]). * Update Linux kernel to 5.4.16-8.72.amzn2 ([#731]). * Rename `settings.target-base-url` to `settings.targets-base-url` ([#788]). ## OS Changes * Mount kernel modules and development headers into containers from a squashfs file on the host ([#701]). * Include third-party licenses at `/usr/share/licenses` ([#723]). * Add initial implementation of SELinux ([#683], [#724]). * Support transactions in the API ([#715], [#727]). 
* Add support for platform-specific settings like AWS region ([#636]). * Support templated settings with new tool 'schnauzer' ([#637]). * Generate container image URIs with parameterized regions using schnauzer ([#638]). * Respect update release waves when using `updog check-updates` ([#615]). * Fix an issue with failed updates through certain https connections ([#730]). * Add support for EC2 IMDSv2 ([#705], [#706], [#709]). * Remove update-checking boot service ([#772]). * Remove old migrations and mitigations that no longer apply ([#774]). * Add /os API to expose variant, arch, version, etc. ([#777]). * Update host container packages ([#707]). * Allow removing settings in migrations ([#644]). * Create abstractions for creating common migrations ([#712], [#717]). * Remove the datastore version, instead use Bottlerocket version ([#760]). * Improve datastore migration naming convention and build migrations during cargo make ([#704], [#716]). * Update dependencies of third-party packages in base OS ([#691], [#696], [#698], [#699], [#700], [#708], [#728], [#786]). * Update dependencies of Rust packages ([#738], [#730]). * Rename `moondog` to `early-boot-config` ([#757]). * Update admin and control containers to v0.4.0 ([#789]). * Update container runtime socket path to more common `/run/dockershim.sock` ([#796]) ## Documentation * Add copyright statement and Bottlerocket license ([#746]). * General documentation improvements ([#681], [#693], [#736], [#761], [#762]). * Added READMEs for [packages](packages/) and [variants](variants/) ([#773]). * Split INSTALL guide into BUILDING and QUICKSTART ([#780]). * Update CNI plugin in documentation and conformance test scripts ([#739]). ## Build Changes * General improvements to third-party license scanning ([#686], [#719], [#768]). * Add policycoreutils, secilc, and squashfs-tools to SDK ([#678], [#690]). * Update to Rust 1.41 and Go 1.13.8 ([#711], [#733]). * Disallow upstream source fallback by default ([#735]). 
* Move host, operator, and SDK containers to their own git repos ([#743], [#751], [#775]). * [SDK Container](https://github.com/bottlerocket-os/bottlerocket-sdk) * [Admin Container](https://github.com/bottlerocket-os/bottlerocket-admin-container) * [Control Container](https://github.com/bottlerocket-os/bottlerocket-control-container) * [Bottlerocket Update Operator](https://github.com/bottlerocket-os/bottlerocket-update-operator) * Improve the syntax of migrations listed in Release.toml ([#687]). * Add arm64 builds for host-containers ([#694]). * Build stable image paths using symlinks in `build/latest/` ([#767]). * Add a `set-migrations` subcommand to the `updata` tool ([#756]). * Remove `rpm_crashtraceback` tag from go builds ([#779]). * Rename built artifacts to specify variant before arch ([#776]). * Update SDK to v0.9.0 ([#790]). * Fix architecture conditional in glibc spec ([#787]). * Rename the `workspaces` directory to `sources` and the `workspaces` package to `os`. ([#770]). [#615]: https://github.com/bottlerocket-os/bottlerocket/pull/615 [#636]: https://github.com/bottlerocket-os/bottlerocket/pull/636 [#637]: https://github.com/bottlerocket-os/bottlerocket/pull/637 [#638]: https://github.com/bottlerocket-os/bottlerocket/pull/638 [#644]: https://github.com/bottlerocket-os/bottlerocket/pull/644 [#678]: https://github.com/bottlerocket-os/bottlerocket/pull/678 [#681]: https://github.com/bottlerocket-os/bottlerocket/pull/681 [#683]: https://github.com/bottlerocket-os/bottlerocket/pull/683 [#686]: https://github.com/bottlerocket-os/bottlerocket/pull/686 [#687]: https://github.com/bottlerocket-os/bottlerocket/pull/687 [#690]: https://github.com/bottlerocket-os/bottlerocket/pull/690 [#691]: https://github.com/bottlerocket-os/bottlerocket/pull/691 [#693]: https://github.com/bottlerocket-os/bottlerocket/pull/693 [#694]: https://github.com/bottlerocket-os/bottlerocket/pull/694 [#696]: https://github.com/bottlerocket-os/bottlerocket/pull/696 [#698]: 
https://github.com/bottlerocket-os/bottlerocket/pull/698 [#699]: https://github.com/bottlerocket-os/bottlerocket/pull/699 [#700]: https://github.com/bottlerocket-os/bottlerocket/pull/700 [#701]: https://github.com/bottlerocket-os/bottlerocket/pull/701 [#704]: https://github.com/bottlerocket-os/bottlerocket/pull/704 [#705]: https://github.com/bottlerocket-os/bottlerocket/pull/705 [#706]: https://github.com/bottlerocket-os/bottlerocket/pull/706 [#707]: https://github.com/bottlerocket-os/bottlerocket/pull/707 [#708]: https://github.com/bottlerocket-os/bottlerocket/pull/708 [#709]: https://github.com/bottlerocket-os/bottlerocket/pull/709 [#711]: https://github.com/bottlerocket-os/bottlerocket/pull/711 [#712]: https://github.com/bottlerocket-os/bottlerocket/pull/712 [#715]: https://github.com/bottlerocket-os/bottlerocket/pull/715 [#716]: https://github.com/bottlerocket-os/bottlerocket/pull/716 [#717]: https://github.com/bottlerocket-os/bottlerocket/pull/717 [#719]: https://github.com/bottlerocket-os/bottlerocket/pull/719 [#722]: https://github.com/bottlerocket-os/bottlerocket/pull/722 [#723]: https://github.com/bottlerocket-os/bottlerocket/pull/723 [#724]: https://github.com/bottlerocket-os/bottlerocket/pull/724 [#726]: https://github.com/bottlerocket-os/bottlerocket/pull/726 [#727]: https://github.com/bottlerocket-os/bottlerocket/pull/727 [#728]: https://github.com/bottlerocket-os/bottlerocket/pull/728 [#730]: https://github.com/bottlerocket-os/bottlerocket/pull/730 [#731]: https://github.com/bottlerocket-os/bottlerocket/pull/731 [#733]: https://github.com/bottlerocket-os/bottlerocket/pull/733 [#735]: https://github.com/bottlerocket-os/bottlerocket/pull/735 [#736]: https://github.com/bottlerocket-os/bottlerocket/pull/736 [#738]: https://github.com/bottlerocket-os/bottlerocket/pull/738 [#739]: https://github.com/bottlerocket-os/bottlerocket/pull/739 [#740]: https://github.com/bottlerocket-os/bottlerocket/pull/740 [#743]: 
https://github.com/bottlerocket-os/bottlerocket/pull/743 [#746]: https://github.com/bottlerocket-os/bottlerocket/pull/746 [#749]: https://github.com/bottlerocket-os/bottlerocket/pull/749 [#751]: https://github.com/bottlerocket-os/bottlerocket/pull/751 [#756]: https://github.com/bottlerocket-os/bottlerocket/pull/756 [#757]: https://github.com/bottlerocket-os/bottlerocket/pull/757 [#758]: https://github.com/bottlerocket-os/bottlerocket/pull/758 [#760]: https://github.com/bottlerocket-os/bottlerocket/pull/760 [#761]: https://github.com/bottlerocket-os/bottlerocket/pull/761 [#762]: https://github.com/bottlerocket-os/bottlerocket/pull/762 [#767]: https://github.com/bottlerocket-os/bottlerocket/pull/767 [#768]: https://github.com/bottlerocket-os/bottlerocket/pull/768 [#770]: https://github.com/bottlerocket-os/bottlerocket/pull/770 [#772]: https://github.com/bottlerocket-os/bottlerocket/pull/772 [#773]: https://github.com/bottlerocket-os/bottlerocket/pull/773 [#774]: https://github.com/bottlerocket-os/bottlerocket/pull/774 [#775]: https://github.com/bottlerocket-os/bottlerocket/pull/775 [#776]: https://github.com/bottlerocket-os/bottlerocket/pull/776 [#777]: https://github.com/bottlerocket-os/bottlerocket/pull/777 [#778]: https://github.com/bottlerocket-os/bottlerocket/pull/778 [#779]: https://github.com/bottlerocket-os/bottlerocket/pull/779 [#780]: https://github.com/bottlerocket-os/bottlerocket/pull/780 [#782]: https://github.com/bottlerocket-os/bottlerocket/pull/782 [#785]: https://github.com/bottlerocket-os/bottlerocket/pull/785 [#786]: https://github.com/bottlerocket-os/bottlerocket/pull/786 [#787]: https://github.com/bottlerocket-os/bottlerocket/pull/787 [#788]: https://github.com/bottlerocket-os/bottlerocket/pull/788 [#789]: https://github.com/bottlerocket-os/bottlerocket/pull/789 [#790]: https://github.com/bottlerocket-os/bottlerocket/pull/790 [#796]: https://github.com/bottlerocket-os/bottlerocket/pull/796 # v0.2.1 (2020-01-20) ## OS changes * Make `signpost` 
usage clearer to avoid updating into empty partition ([#444]). * Fix handling of wave bounds in `updog` that could result in seeing an update but not accepting it ([#539]). * Add support for query parameters in repo requests to allow for basic telemetry ([#542]). * Enable support for SELinux in OS packages (not yet enforcing) ([#579]). * Make grub reboot when config or kernel loading fails so it can try other partition sets ([#585]). * Add support for image "variants" with separate API models ([#578], [#588], [#589], [#591], [#597], [#613], [#625], [#626], [#627], [#653]). The default variant is "aws-k8s" for Kubernetes usage, and an "aws-dev" variant can be built that has a local Docker daemon and debug tools. * Remove unused cri-tools package ([#602]). * Update Linux kernel to 4.19.75-28.73.amzn2 ([#622]). * Make containerd.service stop containerd-shims to fix shutdown/reboot delay ([#652]). * Ensure `updog` only removes known extensions from migration filenames ([#662]). * Add OS version to "pretty name" so it's visible in console log ([#663]). ## Documentation changes * Reorganize "getting started" documentation for clarity ([#581]). * Fix formatting of kube-proxy options in install guide ([#584]). * Specify compatible cargo-deny version in install guide ([#631]). * Fix typos and improve clarity of install guide ([#639]). ## Build changes * Add scripts to ease Kubernetes conformance testing through Sonobuoy ([#530]). * Add release metadata file to be used in future automation ([#556], [#594]). * Update dependencies of third-party packages in base OS ([#595]). * Update dependencies of Rust packages ([#598]). * Update SDK container to include Rust 1.40.0, GCC 9.2, and other small fixes ([#603], [#628]). * Fix aarch64 build failure for libcap ([#621]). * Add initial container definitions and scripts for CI process ([#619], [#624], [#633], [#646], [#647], [#651], [#654], [#658]). 
[#444]: ../../pull/444 [#530]: ../../pull/530 [#539]: ../../pull/539 [#542]: ../../pull/542 [#556]: ../../pull/556 [#578]: ../../pull/578 [#579]: ../../pull/579 [#581]: ../../pull/581 [#584]: ../../pull/584 [#585]: ../../pull/585 [#588]: ../../pull/588 [#589]: ../../pull/589 [#591]: ../../pull/591 [#594]: ../../pull/594 [#595]: ../../pull/595 [#597]: ../../pull/597 [#598]: ../../pull/598 [#602]: ../../pull/602 [#603]: ../../pull/603 [#613]: ../../pull/613 [#619]: ../../pull/619 [#621]: ../../pull/621 [#622]: ../../pull/622 [#624]: ../../pull/624 [#625]: ../../pull/625 [#626]: ../../pull/626 [#627]: ../../pull/627 [#628]: ../../pull/628 [#631]: ../../pull/631 [#633]: ../../pull/633 [#639]: ../../pull/639 [#646]: ../../pull/646 [#647]: ../../pull/647 [#651]: ../../pull/651 [#652]: ../../pull/652 [#653]: ../../pull/653 [#654]: ../../pull/654 [#658]: ../../pull/658 [#662]: ../../pull/662 [#663]: ../../pull/663 # v0.2.0 (2019-12-09) ## Breaking changes * Several settings now have added validation for their contents. Upgrades from v0.1 that use invalid settings values will result in a broken system. * Host container names (e.g. `admin` in `settings.host-containers.admin`) are restricted to ASCII alphanumeric characters and hyphens ([#450]). * `settings.kubernetes.api-server`, `settings.updates.metadata-base-url` and `target-base-url`, `settings.host-containers.*.sources`, and `settings.ntp.time-servers` are now validated to be URIs ([#549]). * `settings.kubernetes.cluster_name`, `settings.kubernetes.node-labels`, and `settings.kubernetes.node-taints` are now verified to fit Kubernetes naming conventions ([#549]). * Most settings values disallow multi-line strings ([#453], [#483]). * Additional characters are permitted in API keys; for example, dots and slashes in Kubernetes labels. Downgrades from v0.2 that use dots and slashes in API keys will result in a broken system ([#511]). ## OS changes * Add `dogswatch`, a Kubernetes operator for managing OS upgrades ([#239]). 
* More accurately represent data type of update seed ([#430]). * Retry host container pulls with exponential backoff ([#433]). * Better model startup dependencies in systemd units ([#442]). * Enable panic on disk corruption detected with dm_verity ([#445]). * Add persistent storage for host containers, mapped to `/.bottlerocket/host-containers/[CONTAINER_NAME]` ([#450], [#555]). * Persist SSH host keys for admin container ([#450]). * Use admin container v0.2 by default ([#450], [#536]). * Use control container v0.2 by default ([#472], [#536]). * Print most critical errors to the console to aid debugging ([#476], [#479], [#546]). * Update Linux kernel to 4.19.75-27.58.amzn2 ([#478]). * Updated partitions are marked `successful` after services start ([#481]). * Kernel config is available at `/proc/config.gz` ([#482]). * Prepare `tough` for separate release, including: * Allow library consumers to override the transport mechanism ([#488]). * Merge `tough_schema` back into `tough` ([#496]). * Add locking around tough datastore write operations ([#497]). * Simplify representation of default metadata ([#491]). * `apiclient` (available via the host containers) exits non-zero on HTTP response errors ([#498]). * `apiclient` builds as a static binary ([#552]). * `/proc/kheaders.tar.xz` is enabled in the kernel ([#557]). * `settings-committer` no longer errors at boot when there are no changes to commit ([#559]). * `migrator` and `updog` set migrations executable before running to work around a v0.1.6 bug ([#561], [#567]). ## Documentation changes * Document how to use Bottlerocket's default for the `nf_conntrack_max` kernel parameter when using `kube-proxy` ([#391]). * Fix example user data for enabling admin container ([#448]). * Update build documentation for using Docker instead of `buildkitd` ([#506]). * Update recommended CNI plugin version ([#507]). * Document `settings.ntp.time-servers` ([#550]). 
* Update INSTALL.md to use the instance role created by `eksctl` instead of creating a new one ([#569]). ## Build changes * Add `updata` tool, which builds update repository metadata ([#265]). * Create versioned symlinks to output images ([#434]). * Add code and CloudFormation template for TUF repository canary ([#490]). * Move the TUF client library, `tough`, to [its own repository](https://github.com/awslabs/tough) and [crates.io packages](https://crates.io/crates/tough) ([#499]). * Remove build dependency on the BuildKit daemon ([#506]). * Switch to SDK container as toolchain for builds, rather than requiring local build of toolchain ([#525]). * Turn `buildsys` into a binary and remove the `cascade` feature ([#562]). [#239]: ../../pull/239 [#265]: ../../pull/265 [#391]: ../../pull/391 [#430]: ../../pull/430 [#433]: ../../pull/433 [#434]: ../../pull/434 [#442]: ../../pull/442 [#445]: ../../pull/445 [#448]: ../../pull/448 [#450]: ../../pull/450 [#453]: ../../pull/453 [#472]: ../../pull/472 [#476]: ../../pull/476 [#478]: ../../pull/478 [#479]: ../../pull/479 [#481]: ../../pull/481 [#482]: ../../pull/482 [#483]: ../../pull/483 [#488]: ../../pull/488 [#490]: ../../pull/490 [#491]: ../../pull/491 [#496]: ../../pull/496 [#497]: ../../pull/497 [#498]: ../../pull/498 [#499]: ../../pull/499 [#506]: ../../pull/506 [#507]: ../../pull/507 [#511]: ../../pull/511 [#525]: ../../pull/525 [#536]: ../../pull/536 [#546]: ../../pull/546 [#549]: ../../pull/549 [#550]: ../../pull/550 [#552]: ../../pull/552 [#555]: ../../pull/555 [#557]: ../../pull/557 [#559]: ../../pull/559 [#561]: ../../pull/561 [#562]: ../../pull/562 [#567]: ../../pull/567 [#569]: ../../pull/569 # v0.1.6 (2019-10-21) ## OS changes * The system fetches the pause container from ECR before starting `kubelet` ([#382]). * New settings: `settings.kubernetes.node-labels` and `settings.kubernetes.node-taints` ([#390], [#408]). * The control container has an `enable-admin-container` helper ([#405], [#413]). 
Made default in v0.2.0 ([#472]). * Rust dependencies updated ([#410]). * `thar-be-settings` added trace-level messages in the client module ([#411]). * `updog` no longer checks for migrations from new root images ([#416]). * `pluto` was cleaned up to create an HTTP connection more consistently ([#419]). * Settings that are usually generated may have defaults, and `settings.kubernetes.max-pods` defaults to `110` if the EC2 instance type cannot be determined ([#420]). * The admin container MOTD is clearer about where the host's filesystem is mounted ([#424]). * `block-party` (used in `growpart` and `signpost`) errors are better structured ([#425]). * `thar-be-settings` logs render errors when running in `--all` mode ([#427]). * [Recommended `sysctl` settings from the Kernel Self Protection Project](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#sysctls) are now used ([#435]). * `acpid` is enabled by default to handle power button signals sent by EC2 on stop/restart/terminate events ([#437]). * `host-ctr` correctly fetches images from non-ECR registries ([#439]; this regression occurred after v0.1.5). ## Build changes * amiize uses a short connection timeout when testing SSH connectivity ([#409]). * `tuftool` only downloads an arbitrary `root.json` with `--allow-root-download` ([#421]). * BuildKit updated to v0.6.2 ([#423], [#429]). * First-party Rust code is built in the same `rpmbuild` invocation to improve build times ([#428]). * `tuftool` correctly uses the `--timestamp-{version,expires}` arguments instead of the `--snapshot-{version,expires}` arguments in the timestamp role ([#438]). * `tuftool` accepts relative dates ([#438]). ## Documentation changes * The `sources/updater` crates are better documented ([#381]). * INSTALL.md's subnet selection documentation is improved ([#422]). 
[#381]: ../../pull/381 [#382]: ../../pull/382 [#390]: ../../pull/390 [#405]: ../../pull/405 [#408]: ../../pull/408 [#409]: ../../pull/409 [#410]: ../../pull/410 [#411]: ../../pull/411 [#413]: ../../pull/413 [#416]: ../../pull/416 [#419]: ../../pull/419 [#420]: ../../pull/420 [#421]: ../../pull/421 [#422]: ../../pull/422 [#423]: ../../pull/423 [#424]: ../../pull/424 [#425]: ../../pull/425 [#427]: ../../pull/427 [#428]: ../../pull/428 [#429]: ../../pull/429 [#435]: ../../pull/435 [#437]: ../../pull/437 [#438]: ../../pull/438 [#439]: ../../pull/439 ================================================ FILE: CHARTER.md ================================================ # Bottlerocket Charter ## Tenets (unless you know better ones) These tenets guide Bottlerocket's development. They let you know what we value and what we're working toward, even if not every feature is ready yet. ### Secure Bottlerocket is **secure** so it can become a quiet piece of a platform you trust. It uses a variety of mechanisms to provide defense-in-depth, and enables automatic updates by default. It protects itself from persistent threats. It enables kernel features that allow users to assert their own policies for locking down workloads. ### Open Bottlerocket is **open** because the best OS can only be built through collaboration. It is developed in full view of the world using open source tools and public infrastructure services. It is not a Kubernetes distro, nor an Amazon distro. We obsess over shared components like the kernel, and work within the community to support new orchestrators and platforms. ### Small Bottlerocket is **small** because a few big ideas scale better than many small ones. It includes only the core set of components needed for development and for use at runtime. Anything we ship, we must be prepared to fix, so our goal is to ship as little as possible while staying useful. ### Simple Bottlerocket is **simple** because simple lasts. 
Users can pick the image they want, tweak a handful of settings, and then forget about it. We favor settings that convey high-level intent over those that provide low-level control over specific details, because it is easier to preserve intent across months and years of automatic updates. ================================================ FILE: CODE_OF_CONDUCT.md ================================================ ## Code of Conduct This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact opensource-codeofconduct@amazon.com with any additional questions or comments. ================================================ FILE: CONTRIBUTING.md ================================================ # Contributing Guidelines Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional documentation, we greatly value feedback and contributions from our community. Please read through this document before submitting any issues or pull requests to ensure we have all the necessary information to effectively respond to your bug report or contribution. ## Reporting Bugs/Feature Requests We welcome you to use the GitHub issue tracker to report bugs or suggest features. When filing an issue, please check [existing open](https://github.com/bottlerocket-os/bottlerocket/issues) and [closed](https://github.com/bottlerocket-os/bottlerocket/issues?q=is%3Aissue+is%3Aclosed) issues to make sure somebody else hasn't already reported the issue. Please try to include as much information as you can. 
Details like these are incredibly useful: * A reproducible test case or series of steps * The version of our code being used * Any modifications you've made relevant to the bug * Anything unusual about your environment or deployment ## Contributing via Pull Requests Contributions via pull requests are much appreciated. Before starting a pull request, please ensure that: 1. You open an issue first to discuss any significant work - we would hate for your time to be wasted. 2. You are working against the latest source on the *develop* branch. 3. You check existing [open](https://github.com/bottlerocket-os/bottlerocket/pulls) and [merged](https://github.com/bottlerocket-os/bottlerocket/pulls?q=is%3Apr+is%3Aclosed) pull requests to make sure someone else hasn't addressed the problem already. To send us a pull request, please: 1. Fork the repository. 2. Modify the source; please focus on the specific change you are contributing. If you also reformat the code, it will be hard for us to focus on your change. 3. Ensure local tests pass. 4. Commit to your fork using clear commit messages. 5. Send us a pull request, answering any default questions in the pull request interface. 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). ## Repo branch and tag structure Active development occurs under the `develop` branch. Bottlerocket uses both tags and branches for release alignment. Numbered releases are always associated with [tags that mirror the full SemVer 3-digit version number](https://github.com/bottlerocket-os/bottlerocket/tags) (e.g. `1.7.2`). 
[Branches are for patching only](https://github.com/bottlerocket-os/bottlerocket/branches/all): if a patch is required, a branch will be cut for that minor release line (e.g. `1.7.x`). As a consequence, some previous minor versions may not have a branch if they never required a subsequent patch. ## Filename case conventions Bottlerocket follows a few basic filename case conventions: - All extensions are lowercase, - Build-related configuration files always start with a capital letter (e.g. `Infra.toml`, `Release.toml`), - All caps is used for documents and licenses (e.g. `PUBLISHING.md`, `TRADEMARKS.md`), - All lower case is used for all other files (e.g. `sample-eksctl.yaml`, `main.rs`). ## Finding contributions to work on Looking at the existing issues is a great way to find something to contribute to. As this repository uses GitHub issue [labels](https://github.com/bottlerocket-os/bottlerocket/labels), looking through issues labeled ['good first issue'](https://github.com/bottlerocket-os/bottlerocket/labels/good%20first%20issue) or ['help wanted'](https://github.com/bottlerocket-os/bottlerocket/labels/help%20wanted) is a great place to start. ## Code of Conduct This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact opensource-codeofconduct@amazon.com with any additional questions or comments. ## Security issue notifications If you discover a potential security issue in this project, we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue, because that would disclose the problem before it can be fixed. ## Licensing See the [COPYRIGHT](COPYRIGHT) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 
================================================ FILE: COPYRIGHT ================================================ Copyright Amazon.com, Inc., its affiliates, or other contributors. All Rights Reserved. Except as otherwise noted (below and/or in individual files), Bottlerocket is dual-licensed under the Apache License, version 2.0 (LICENSE-APACHE) or the MIT license (LICENSE-MIT), at your option. Copyrights in Bottlerocket are retained by their contributors. No copyright assignment is required to contribute to Bottlerocket. Contributions to Bottlerocket are explicitly made under both the Apache License, version 2.0, and the MIT license. For full authorship information, see the version control history. Bottlerocket operating system images include packages written by third parties, which may carry their own copyright notices and license terms. These are available in /usr/share/licenses on the operating system images. =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= Contains modified hyper-proxy files [mod.rs, stream.rs, tunnel.rs] from https://github.com/tafia/hyper-proxy 2021-09-20. Copyright (c) 2017 Johann Tuffe. Licensed under the MIT License. 
================================================ FILE: Cargo.toml ================================================ [workspace] resolver = "1" members = [ "packages/settings-defaults", "packages/settings-plugins", "variants/aws-dev", "variants/aws-ecs-2", "variants/aws-ecs-2-fips", "variants/aws-ecs-2-nvidia", "variants/aws-ecs-2-nvidia-fips", "variants/aws-ecs-3", "variants/aws-ecs-3-fips", "variants/aws-ecs-3-nvidia", "variants/aws-ecs-3-nvidia-fips", "variants/aws-k8s-1.29", "variants/aws-k8s-1.29-fips", "variants/aws-k8s-1.30", "variants/aws-k8s-1.30-fips", "variants/aws-k8s-1.31", "variants/aws-k8s-1.31-fips", "variants/aws-k8s-1.32", "variants/aws-k8s-1.32-fips", "variants/aws-k8s-1.33", "variants/aws-k8s-1.33-fips", "variants/aws-k8s-1.34", "variants/aws-k8s-1.34-fips", "variants/aws-k8s-1.35", "variants/aws-k8s-1.35-fips", "variants/aws-k8s-1.29-nvidia", "variants/aws-k8s-1.29-nvidia-fips", "variants/aws-k8s-1.30-nvidia", "variants/aws-k8s-1.30-nvidia-fips", "variants/aws-k8s-1.31-nvidia", "variants/aws-k8s-1.31-nvidia-fips", "variants/aws-k8s-1.32-nvidia", "variants/aws-k8s-1.32-nvidia-fips", "variants/aws-k8s-1.33-nvidia", "variants/aws-k8s-1.33-nvidia-fips", "variants/aws-k8s-1.34-nvidia", "variants/aws-k8s-1.34-nvidia-fips", "variants/aws-k8s-1.35-nvidia", "variants/aws-k8s-1.35-nvidia-fips", "variants/metal-dev", "variants/vmware-dev", "variants/vmware-k8s-1.29", "variants/vmware-k8s-1.29-fips", "variants/vmware-k8s-1.30", "variants/vmware-k8s-1.30-fips", "variants/vmware-k8s-1.31", "variants/vmware-k8s-1.31-fips", "variants/vmware-k8s-1.32", "variants/vmware-k8s-1.32-fips", "variants/vmware-k8s-1.33", "variants/vmware-k8s-1.33-fips", "variants/vmware-k8s-1.34", "variants/vmware-k8s-1.34-fips", "variants/vmware-k8s-1.35", "variants/vmware-k8s-1.35-fips", ] [profile.dev] debug = false opt-level = 'z' [profile.dev.build-override] opt-level = 'z' ================================================ FILE: LICENSE-APACHE 
================================================ Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. 
For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. 
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the 
Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. 
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. 
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ================================================ FILE: LICENSE-MIT ================================================ MIT License Copyright Amazon.com, Inc., its affiliates, or other contributors. All Rights Reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: Makefile.toml ================================================ [config] skip_core_tasks = true default_to_workspace = false [env] BUILDSYS_ROOT_DIR = "${CARGO_MAKE_WORKING_DIRECTORY}" # For binary installation, this should be a released version (prefixed with a v, # for example v0.1.0). For the git sourcecode installation method, this can be # any git rev, e.g. a tag, sha, or branch name. A branch or tag name can later # point at different code; a full commit sha pins the exact source that gets built. TWOLITER_VERSION = "v0.17.0" # NOTE(review): the TWOLITER_SHA256_* values are presumably the expected digests of the # release binaries for TWOLITER_VERSION; update them together with the version (confirm # against the install task, which is not shown here). TWOLITER_SHA256_AARCH64 = "474b6dce0ddd993e926065baee55c8a06167615cb2c0513c2c9f4f02876a7011" TWOLITER_SHA256_X86_64 = "f7239b329ae71f75e5f3262e6b83c0a96bf36bfed1dda225fc3998316b5a92d9" # For binary installation, this is the GitHub repository that has binary release artifacts attached # to it, for example https://github.com/bottlerocket-os/twoliter. For git sourcecode installation, # this is any URI that can be used in a git clone command. TWOLITER_REPO = "https://github.com/bottlerocket-os/twoliter" # Skip installing Twoliter if it is already installed and its version # matches the requested version. TWOLITER_REUSE_EXISTING_INSTALL="true" # Allow Twoliter to be installed from a binary distribution if binaries are expected to exist for # the host OS and architecture. TWOLITER_ALLOW_BINARY_INSTALL="true" # Allow Twoliter to be installed by building from sourcecode. TWOLITER_ALLOW_SOURCE_INSTALL="true" # If you know the version string returned by Twoliter will not match TWOLITER_VERSION (e.g. 
when you # are testing changes to Twoliter itself), set this to true to prevent re-installation. TWOLITER_SKIP_VERSION_CHECK="false" # Where Twoliter will be installed. TWOLITER_INSTALL_DIR = "${BUILDSYS_ROOT_DIR}/tools/twoliter" # The logging verbosity for Twoliter: error, warn, info, debug, trace TWOLITER_LOG_LEVEL = "info" # The project file that configures Twoliter. TWOLITER_PROJECT = "${BUILDSYS_ROOT_DIR}/Twoliter.toml" UNAME_ARCH = { script = ['uname -m'] } BUILDSYS_ARCH = { script = ['echo "${BUILDSYS_ARCH:-${UNAME_ARCH}}"'] } BUILDSYS_BUILD_DIR = "${BUILDSYS_ROOT_DIR}/build" BUILDSYS_PACKAGES_DIR = "${BUILDSYS_BUILD_DIR}/rpms" BUILDSYS_STATE_DIR = "${BUILDSYS_BUILD_DIR}/state" BUILDSYS_IMAGES_DIR = "${BUILDSYS_BUILD_DIR}/images" BUILDSYS_TOOLS_DIR = "${BUILDSYS_ROOT_DIR}/tools" BUILDSYS_SOURCES_DIR = "${BUILDSYS_ROOT_DIR}/sources" BUILDSYS_SBKEYS_DIR = "${BUILDSYS_ROOT_DIR}/sbkeys" BUILDSYS_SBKEYS_PROFILE = { script = ['echo "${BUILDSYS_SBKEYS_PROFILE:-local}"'] } BUILDSYS_TIMESTAMP = { script = ["date +%s"] } BUILDSYS_VERSION_BUILD = { script = ["git describe --always --dirty --exclude '*' || echo 00000000"] } # For now, release config path can't be overridden with -e, because it's used # later in this section. You have to edit the path here in Makefile.toml to # use a different Release.toml. BUILDSYS_RELEASE_CONFIG_PATH = "${BUILDSYS_ROOT_DIR}/Release.toml" BUILDSYS_VERSION_IMAGE = { script = ["awk -F '[ =\"]+' '$1 == \"version\" {print $2}' ${BUILDSYS_RELEASE_CONFIG_PATH}"] } # This can be overridden with -e to build a different variant from the variants/ directory BUILDSYS_VARIANT = { script = ['echo "${BUILDSYS_VARIANT:-aws-k8s-1.32}"'] } # Product name used for file and directory naming BUILDSYS_NAME = "bottlerocket" # "Pretty" name used to identify OS in os-release, bootloader, etc. 
# If you're building a Bottlerocket remix, you'd want to set this to something like # "Bottlerocket Remix by ${CORP}" or "${CORP}'s Bottlerocket Remix" BUILDSYS_PRETTY_NAME = "Bottlerocket OS" # These can be overridden with -e to change configuration for pubsys (`cargo # make repo`). In addition, you can set RELEASE_START_TIME to determine when # update waves and repo metadata expiration times will start, instead of # starting now. (This can be an RFC3339 date, or an offset like "in X # hours/days/weeks".) PUBLISH_EXPIRATION_POLICY_PATH = "${BUILDSYS_ROOT_DIR}/tools/pubsys/policies/repo-expiration/2w-2w-1w.toml" PUBLISH_WAVE_POLICY_PATH = "${BUILDSYS_BUILD_DIR}/tools/waves/default-waves.toml" PUBLISH_INFRA_CONFIG_PATH = "${BUILDSYS_ROOT_DIR}/Infra.toml" # Default repo to read from PUBLISH_INFRA_CONFIG_PATH PUBLISH_REPO = "default" # The version of tuftool (without the 'v') that we will install and use for # publishing-related steps PUBLISH_TUFTOOL_VERSION="0.10.0" # This can be overridden with -e to change the path to the file containing SSM # parameter templates. This file determines the parameter names and values # that will be published to SSM when you run `cargo make ssm`. See # tools/pubsys/policies/ssm/README.md for more information. PUBLISH_SSM_TEMPLATES_PATH = "${BUILDSYS_ROOT_DIR}/tools/pubsys/policies/ssm/defaults.toml" # This can be overridden with -e to change the source path # for the Licenses.toml file BUILDSYS_LICENSES_CONFIG_PATH = "${BUILDSYS_ROOT_DIR}/Licenses.toml" # Specifies whether to validate all targets when validating TUF repositories REPO_VALIDATE_TARGETS = "true" # Specifies the timeframe to look for upcoming repository metadata expirations REPO_METADATA_EXPIRING_WITHIN = "3 days" # When refreshing repositories, you can set REPO_UNSAFE_REFRESH=true to refresh repositories that have expired metadata files. 
# You can also set PUBLISH_REGIONS to override the list of regions from # Infra.toml for AMI and SSM commands; it's a comma-separated list like # "us-west-2,us-east-1". # You can set NO_PROGRESS=true to not print progress bars during snapshot upload. # You can use ALLOW_CLOBBER=true with the `ssm` task to make it overwrite existing values. # (This is not required with `promote-ssm` because the intent of promotion is overwriting.) # This can be overridden to provide a custom import spec for a VMware OVA. # Using configuration from Infra.toml, we substitute the correct value for # network, and whether or not to mark a VM as a template VMWARE_IMPORT_SPEC_PATH = "${BUILDSYS_ROOT_DIR}/tools/pubsys/support/vmware/import_spec.template" # You can set VMWARE_DATACENTERS to override the list of datacenters from # Infra.toml for VMware commands; it's a comma-separated list like # "datacenter1,datacenter2" # Disallow falling back to pulling directly from upstream URLs when the lookaside cache results in MISSes. # To use the upstream source as fallback, override this on the command line and set it to 'true' BUILDSYS_UPSTREAM_SOURCE_FALLBACK = "false" # We require license checks to pass to build an image. If you're working on a # local change and don't have license information yet, you can run with `-e # BUILDSYS_ALLOW_FAILED_LICENSE_CHECK=true` to allow the build to continue even # if the license check fails. BUILDSYS_ALLOW_FAILED_LICENSE_CHECK = "false" # Disallow pulling licenses from Upstream URLs. To fetch licenses from the upstream source, # override this on the command line and set it to 'true' BUILDSYS_UPSTREAM_LICENSE_FETCH= "false" # This controls how many `docker build` commands we'll invoke at once. BUILDSYS_JOBS = "8" CARGO_HOME = "${BUILDSYS_ROOT_DIR}/.cargo" # This needs to end with pkg/mod so that we can mount the parent of pkg/mod as GOPATH.
GO_MOD_CACHE = "${BUILDSYS_ROOT_DIR}/.gomodcache/pkg/mod" GO_MODULES = "" DOCKER_BUILDKIT = "1" # This is the filename suffix for operations that write out AMI information to # file. It can be overridden with -e in situations where a user is using # multiple `Infra.toml` files for publishing to different places, and wants to # write AMI information to specifically named files. AMI_DATA_FILE_SUFFIX = "amis.json" # This is the filename suffix for operations that write out SSM parameter information # to file. It can be overridden with -e. SSM_DATA_FILE_SUFFIX = "ssm-params.json" # The type of testsys test that should be run. # `quick` will run a quick test which usually tests that the instances are reachable. # `conformance` will run a certified conformance test, these tests may take up to 3 hrs. # `migration` will run an upgrade downgrade test including: # 1: an initial `quick` test # 2: a migration from TESTSYS_STARTING_VERSION to BUILDSYS_FULL_VERSION # 3: a `quick` test on the migrated instances # 4: a migration from BUILDSYS_FULL_VERSION back to TESTSYS_STARTING_VERSION # 5: a final `quick` test on the downgraded instances # TESTSYS_STARTING_IMAGE_ID can be used to provide the correct starting image for migration tests. TESTSYS_TEST = "quick" # The default path to the testsys cluster's kubeconfig file. This is used for all testsys calls. CARGO_MAKE_DEFAULT_TESTSYS_KUBECONFIG_PATH = "${BUILDSYS_ROOT_DIR}/testsys.kubeconfig" # The last released version of bottlerocket. TESTSYS_STARTING_VERSION = { script = ["git tag --list --sort=version:refname 'v*' | tail -1"] } # The commit for the last release of bottlerocket. 
TESTSYS_STARTING_COMMIT = { script = ["git describe --tag ${TESTSYS_STARTING_VERSION} --always --exclude '*' || echo 00000000"] } TESTSYS_TESTS_DIR = "${BUILDSYS_ROOT_DIR}/tests" TESTSYS_TEST_CONFIG_PATH = "${BUILDSYS_ROOT_DIR}/Test.toml" [env.development] # Certain variables are defined here to allow us to override a component value # on the command line. TWOLITER = "${TWOLITER_INSTALL_DIR}/twoliter" # Depends on ${BUILDSYS_JOBS}. CARGO_MAKE_CARGO_LIMIT_JOBS = "--jobs ${BUILDSYS_JOBS}" CARGO_MAKE_CARGO_ARGS = "--offline --locked" # Depends on ${BUILDSYS_ARCH} and ${BUILDSYS_VARIANT}. BUILDSYS_OUTPUT_DIR = "${BUILDSYS_IMAGES_DIR}/${BUILDSYS_ARCH}-${BUILDSYS_VARIANT}" # Depends on a number of variables defined above, and each other. BUILDSYS_VERSION_FULL="${BUILDSYS_VERSION_IMAGE}-${BUILDSYS_VERSION_BUILD}" # These names are used as prefixes for build and repo steps. BUILDSYS_NAME_VARIANT="${BUILDSYS_NAME}-${BUILDSYS_VARIANT}-${BUILDSYS_ARCH}" BUILDSYS_NAME_VERSION="${BUILDSYS_NAME}-${BUILDSYS_VERSION_FULL}" BUILDSYS_NAME_FULL="${BUILDSYS_NAME_VARIANT}-${BUILDSYS_VERSION_FULL}" # This name does not include the build short SHA BUILDSYS_NAME_FRIENDLY = "${BUILDSYS_NAME_VARIANT}-v${BUILDSYS_VERSION_IMAGE}" # For variant build artifacts. BUILDSYS_VARIANT_DIR = "${BUILDSYS_OUTPUT_DIR}/${BUILDSYS_VERSION_FULL}" # Depends on ${BUILDSYS_SBKEYS_DIR} and ${BUILDSYS_SBKEYS_PROFILE}. BUILDSYS_SBKEYS_PROFILE_DIR = "${BUILDSYS_SBKEYS_DIR}/${BUILDSYS_SBKEYS_PROFILE}" # Path to repo-specific root role. PUBLISH_REPO_ROOT_JSON = "${BUILDSYS_ROOT_DIR}/roles/${PUBLISH_REPO}.root.json" # If you don't specify a signing key in Infra.toml, we generate one at this path. PUBLISH_REPO_KEY = "${BUILDSYS_ROOT_DIR}/keys/${PUBLISH_REPO}.pem" # Repo directories have subdirectories for variant/arch, so we only want version here. 
PUBLISH_REPO_BASE_DIR = "${BUILDSYS_BUILD_DIR}/repos" PUBLISH_REPO_OUTPUT_DIR = "${PUBLISH_REPO_BASE_DIR}/${PUBLISH_REPO}/${BUILDSYS_NAME_VERSION}" # The default name of registered AMIs; override by setting PUBLISH_AMI_NAME. PUBLISH_AMI_NAME_DEFAULT = "${BUILDSYS_NAME}-${BUILDSYS_VARIANT}-${BUILDSYS_ARCH}-v${BUILDSYS_VERSION_IMAGE}-${BUILDSYS_VERSION_BUILD}" # The name of the kmod kit archive, used to ease building out-of-tree kernel modules. BUILDSYS_KMOD_KIT = "${BUILDSYS_VARIANT}-${BUILDSYS_ARCH}-kmod-kit-v${BUILDSYS_VERSION_IMAGE}.tar.xz" BUILDSYS_KMOD_KIT_PATH = "${BUILDSYS_VARIANT_DIR}/${BUILDSYS_KMOD_KIT}" # The name of the OVA bundle that will be built if the current variant builds VMDK artifacts BUILDSYS_OVA = "${BUILDSYS_NAME_VARIANT}-v${BUILDSYS_VERSION_IMAGE}.ova" BUILDSYS_OVA_PATH = "${BUILDSYS_VARIANT_DIR}/${BUILDSYS_OVA}" BUILDSYS_OVF_TEMPLATE = "${BUILDSYS_ROOT_DIR}/variants/${BUILDSYS_VARIANT}/template.ovf" # The default name of uploaded OVAs; override by setting VMWARE_VM_NAME VMWARE_VM_NAME_DEFAULT = "${BUILDSYS_NAME}-${BUILDSYS_VARIANT}-${BUILDSYS_ARCH}-v${BUILDSYS_VERSION_IMAGE}-${BUILDSYS_VERSION_BUILD}" # Config file for Boot Configuration initrd generation BOOT_CONFIG_INPUT = "${BUILDSYS_ROOT_DIR}/bootconfig-input" # Boot Configuration initrd BOOT_CONFIG = "${BUILDSYS_ROOT_DIR}/bootconfig.data" # Determines the kubeconfig that should be used by testsys. If no kubeconfig was provided and the # default kubeconfig location does not exist, use the users default kubeconfig. CARGO_MAKE_TESTSYS_KUBECONFIG_ARG = {script = [ ''' if ! 
[ -n "${TESTSYS_KUBECONFIG}" ] && [ -s "${TESTSYS_TESTS_DIR}/testsys.kubeconfig" ] && [ -s "${CARGO_MAKE_DEFAULT_TESTSYS_KUBECONFIG_PATH}" ];then echo "No kubeconfig was specified and a kubeconfig was found in 2 possible locations: '${TESTSYS_TESTS_DIR}/testsys.kubeconfig' and '${CARGO_MAKE_DEFAULT_TESTSYS_KUBECONFIG_PATH}'" exit 1 fi if [ -n "${TESTSYS_KUBECONFIG}" ]; then # If the user provides a kubeconfig path it should be used. echo "--kubeconfig ${TESTSYS_KUBECONFIG}" elif [ -s "${TESTSYS_TESTS_DIR}/testsys.kubeconfig" ]; then # If the kubeconfig is in the TESTSYS_TESTS_DIR it should be used. echo "--kubeconfig ${TESTSYS_TESTS_DIR}/testsys.kubeconfig" elif [ -s "${CARGO_MAKE_DEFAULT_TESTSYS_KUBECONFIG_PATH}" ]; then # If the default kubeconfig exists it should be used. echo "--kubeconfig ${CARGO_MAKE_DEFAULT_TESTSYS_KUBECONFIG_PATH}" fi ''' ]} # Args that will be passed into all testsys invocations. CARGO_MAKE_TESTSYS_ARGS = "${CARGO_MAKE_TESTSYS_KUBECONFIG_ARG}" TESTSYS_TEST_CONFIG_PATH = { script = [ ''' if [ -s "${TESTSYS_TEST_CONFIG_PATH}" ] && [ -s "${TESTSYS_TESTS_DIR}/Test.toml" ];then echo "There can only be 1 config file. 2 config files were found: '${TESTSYS_TEST_CONFIG_PATH}' and '${TESTSYS_TESTS_DIR}/Test.toml'" exit 1 fi if [ -s "${TESTSYS_TEST_CONFIG_PATH}" ]; then # If the config path exists echo "${TESTSYS_TEST_CONFIG_PATH}" elif [ -s "${TESTSYS_TESTS_DIR}/Test.toml" ]; then # If the test config is in the TESTSYS_TESTS_DIR it should be used. 
echo "${TESTSYS_TESTS_DIR}/Test.toml" else echo "${TESTSYS_TEST_CONFIG_PATH}" fi ''' ] } [tasks.install-twoliter] script_runner = "bash" script = [ ''' declare -a flags if [ "${TWOLITER_REUSE_EXISTING_INSTALL}" = "true" ]; then flags+=("--reuse-existing-install") fi if [ "${TWOLITER_ALLOW_BINARY_INSTALL}" = "true" ]; then if [ "${UNAME_ARCH}" = "aarch64" ]; then flags+=("--allow-binary-install" "${TWOLITER_SHA256_AARCH64}") else flags+=("--allow-binary-install" "${TWOLITER_SHA256_X86_64}") fi fi if [ "${TWOLITER_ALLOW_SOURCE_INSTALL}" = "true" ]; then flags+=("--allow-from-source") fi if [ "${TWOLITER_SKIP_VERSION_CHECK}" = "true" ]; then flags+=("--skip-version-check") fi "${BUILDSYS_TOOLS_DIR}/install-twoliter.sh" \ --repo "${TWOLITER_REPO}" \ --version "${TWOLITER_VERSION}" \ --directory "${TWOLITER_INSTALL_DIR}" \ "${flags[@]}" ''' ] [tasks.run-twoliter] dependencies = ["install-twoliter"] command = "${TWOLITER}" args = [ "--log-level=${TWOLITER_LOG_LEVEL}", "make", "${CARGO_MAKE_TASK}", "--project-path=${TWOLITER_PROJECT}", "--cargo-home=${CARGO_HOME}", "--", "${@}", ] [tasks.deprecated] dependencies = ["install-twoliter"] script_runner = "bash" script = [ ''' echo "The '${CARGO_MAKE_TASK}' task is deprecated." echo "All it does is ensure that Twoliter is installed." 
echo "You should do this with 'cargo make install-twoliter' instead.", ''' ] [tasks.setup] run_task = "run-twoliter" [tasks.setup-build] run_task = "run-twoliter" [tasks.fetch] run_task = "run-twoliter" [tasks.fetch-sdk] run_task = "run-twoliter" [tasks.fetch-toolchain] run_task = "run-twoliter" [tasks.fetch-sources] run_task = "run-twoliter" [tasks.fetch-vendored] run_task = "run-twoliter" [tasks.fetch-external-kits] dependencies = ["install-twoliter"] command = "${TWOLITER}" args = [ "--log-level=${TWOLITER_LOG_LEVEL}", "fetch", "--project-path=${TWOLITER_PROJECT}", "--arch=${BUILDSYS_ARCH}", ] [tasks.unit-tests] run_task = "run-twoliter" # A top level target for devs to ensure review and patch readiness [tasks.check] run_task = "run-twoliter" [tasks.check-fmt] run_task = "run-twoliter" [tasks.check-lints] run_task = "run-twoliter" [tasks.check-clippy] run_task = "run-twoliter" [tasks.check-shell] run_task = "run-twoliter" [tasks.check-golangci-lint] run_task = "run-twoliter" [tasks.check-migrations] run_task = "run-twoliter" [tasks.build-tools] run_task = "deprecated" # Note: this is separate from publish-tools because publish-tools takes a while # to build and isn't needed to build an image. [tasks.publish-setup-tools] run_task = "deprecated" [tasks.publish-tools] run_task = "deprecated" [tasks.build-sbkeys] run_task = "run-twoliter" # We need Cargo version 1.51 or higher in order to build a workspace's # dependency during build-package [tasks.check-cargo-version] run_task = "run-twoliter" [tasks.boot-config] run_task = "run-twoliter" [tasks.validate-boot-config] run_task = "run-twoliter" # Builds a package including its build-time and runtime dependency packages. 
[tasks.build-package] dependencies = ["fetch-external-kits"] run_task = "run-twoliter" [tasks.build-variant] dependencies = ["fetch-external-kits"] run_task = "run-twoliter" [tasks.build-all] dependencies = ["fetch-external-kits"] run_task = "run-twoliter" [tasks.repack-variant] run_task = "run-twoliter" [tasks.fetch-variant] run_task = "run-twoliter" [tasks.fetch-friendly-variant] run_task = "run-twoliter" [tasks.fetch-ova] run_task = "run-twoliter" [tasks.check-licenses] run_task = "run-twoliter" [tasks.fetch-licenses] run_task = "run-twoliter" [tasks.build] dependencies = ["fetch-external-kits"] run_task = "run-twoliter" [tasks.tuftool] run_task = "deprecated" [tasks.publish-setup] run_task = "run-twoliter" [tasks.publish-setup-without-key] run_task = "run-twoliter" # Builds a local repository based on the 'latest' built targets. Uses pubsys # to create a repo under /build/repos, named after the arch/variant/version, # containing subdirectories for the repo metadata and targets. [tasks.repo] run_task = "run-twoliter" [tasks.validate-repo] run_task = "run-twoliter" [tasks.check-repo-expirations] run_task = "run-twoliter" [tasks.refresh-repo] run_task = "run-twoliter" [tasks.ami] run_task = "run-twoliter" [tasks.ami-public] run_task = "run-twoliter" [tasks.ami-private] run_task = "run-twoliter" [tasks.grant-ami] run_task = "run-twoliter" [tasks.revoke-ami] run_task = "run-twoliter" [tasks.validate-ami] run_task = "run-twoliter" [tasks.ssm] run_task = "run-twoliter" [tasks.promote-ssm] run_task = "run-twoliter" [tasks.validate-ssm] run_task = "run-twoliter" [tasks._upload-ova-base] run_task = "run-twoliter" # This task runs `_upload-ova-base` which will upload the OVA and *not* mark it # as a template [tasks.upload-ova] run_task = "run-twoliter" # This task runs `_upload-ova-base` with the environment variable # `MARK_OVA_AS_TEMPLATE` set, which will upload the OVA *and* mark it as a # template [tasks.vmware-template] run_task = "run-twoliter" [tasks.clean] 
run_task = "run-twoliter" [tasks.clean-sources] run_task = "run-twoliter" [tasks.clean-packages] run_task = "run-twoliter" [tasks.clean-images] run_task = "run-twoliter" [tasks.clean-repos] run_task = "run-twoliter" [tasks.clean-state] run_task = "run-twoliter" # Deletes cached code used for Bottlerocket builds [tasks.purge-cache] run_task = "run-twoliter" # This task will delete vendored Go code, primarily, the Go module cache. # The Go module cache is intentionally readonly and does not have writable # subdirectories or files. So, we first need to perform the `chmod` in order to # have permissions to delete it. # See for more context: https://github.com/golang/go/issues/27455 [tasks.purge-go-vendor] run_task = "run-twoliter" # This task will remove all the cached Rust code found in the cargo home dir [tasks.purge-cargo] run_task = "run-twoliter" [tasks.test-tools] run_task = "deprecated" [tasks.setup-test] run_task = "run-twoliter" # This task is used to test bottlerocket build artifacts. By default the region first listed in Infra.toml # is used for testing; however, `TESTSYS_REGION` can be used to test in a different region. [tasks.test] run_task = "run-twoliter" # This task will clear all tests from the testsys cluster. # To delete all passed tests use `cargo make clean-test --passed` # To delete all failed tests use `cargo make clean-test --failed` # To delete all incomplete tests use `cargo make clean-test --running` [tasks.clean-test] run_task = "run-twoliter" # This task will clear all tests and resources from the testsys cluster. [tasks.reset-test] run_task = "run-twoliter" # This task will clear a specific test and its resources from the testsys cluster. [tasks.reset-single-test] run_task = "run-twoliter" # This task will clear all testsys components from the testsys cluster. [tasks.uninstall-test] run_task = "run-twoliter" # This task will clear all testsys components from the testsys cluster. 
[tasks.purge-test] run_task = "run-twoliter" # This task will call watch on the `status` testsys command to show the results of all tests. # To see all passed tests use `cargo make watch-test --passed` # To see all failed tests use `cargo make watch-test --failed` # To see all incomplete tests use `cargo make watch-test --running` [tasks.watch-test] run_task = "run-twoliter" # This task will call watch on the `status` testsys command to show the results of all tests and # resources. # To see all incomplete crds use `cargo make watch-test-all --running` [tasks.watch-test-all] run_task = "run-twoliter" # This task will retrieve testsys logs from a test. You can add `--follow` to continue to receive # logs as they come in. [tasks.log-test] run_task = "run-twoliter" # This task is useful for using the current tree's testsys without symlinks [tasks.testsys] run_task = "run-twoliter" [tasks.default] alias = "build" ================================================ FILE: PROVISIONING-METAL.md ================================================ # Provisioning Bottlerocket on metal This guide will describe what is needed to properly provision Bottlerocket on bare metal. Provisioning Bottlerocket on metal is different than provisioning other general-purpose distros. Since Bottlerocket has a `dm-verity`-checked boot and root partition, and is immutable at runtime, a user cannot provision an image and directly write configuration files. Bottlerocket requires a few files to be generated and written to disk at provisioning time in order to boot properly; these files are described below. For more information about the hardware that Bottlerocket for bare metal is currently tested on, see [SUPPORTED-HARDWARE](SUPPORTED-HARDWARE.md). ## High level provisioning steps The high level steps to provision Bottlerocket images for bare metal to your host are below. 
Most provisioning systems provide methods to achieve the following: * Decompress (`unlz4`) and write the Bottlerocket image to the desired disk * Mount the `BOTTLEROCKET-PRIVATE` partition (partition 12) * Write the below files to the mounted partition (these files are further described below): * (Required) [`user-data.toml`](#user-data) * (Required) [`net.toml`](#network-interface-configuration) * (Optional, recommended) [`bootconfig.data`](#boot-configuration) * Reboot ### Fetch the Bottlerocket image for bare metal The Bottlerocket image for bare metal is signed and uploaded alongside the rest of the Bottlerocket release artifacts. You first need the Bottlerocket root role, which is used by `tuftool` to verify the image. The following will download the root role and check it against a known SHA-512 digest; continue only if `sha512sum` reports `root.json: OK`, because every later verification by `tuftool` is anchored in this file: ```shell curl -O "https://cache.bottlerocket.aws/root.json" sha512sum -c <<<"4fcb272345fd6adb94d4c04834400548178fecb57407ca79bc2c3d20e0428fc9ed3a82cea268d7f9c667b5803524a4f465acd701a86953d5d732bf6ecb064888 root.json" ``` Next, set your desired version and variant, and use `tuftool` to download the image. To install `tuftool` you'll need to install Rust (via [rustup](https://rustup.rs/) or the official site), and then you can run `cargo install tuftool`. The VERSION corresponds to the [Bottlerocket version](https://github.com/bottlerocket-os/bottlerocket/releases/latest); the latest release is almost always what you want. You might need to install `jq` to fetch the VERSION. Note that the `--metadata-url` in the example below names the architecture directly, so change it together with `ARCH` if you are not using `x86_64`.
```shell ARCH="x86_64" VERSION="v1.26.1" # New releases do not have metal-k8s variants VARIANT="metal-k8s-1.28" IMAGE="bottlerocket-${VARIANT}-${ARCH}-${VERSION}.img.lz4" OUTDIR="${VARIANT}-${VERSION}" tuftool download "${OUTDIR}" --target-name "${IMAGE}" \ --root ./root.json \ --metadata-url "https://updates.bottlerocket.aws/2020-07-07/${VARIANT}/x86_64/" \ --targets-url "https://updates.bottlerocket.aws/targets/" ``` ### User data Bottlerocket for bare metal expects a TOML-formatted file named `user-data.toml` that contains user data settings. Acceptable settings can be found in the [settings docs](https://github.com/bottlerocket-os/bottlerocket#settings). If you're just getting started and want to provision a host without connecting to a Kubernetes cluster, you can use the following example user data which will start `kubelet` in standalone mode. ```toml [settings.kubernetes] standalone-mode = true ``` For remote access to your running Bottlerocket hosts, you will need to add user data to enable host containers. The Bottlerocket images for bare metal don't enable any host containers by default. You can use our [admin](https://github.com/bottlerocket-os/bottlerocket-admin-container) and/or [control](https://github.com/bottlerocket-os/bottlerocket-control-container) containers, but they need to be configured first. Full configuration details are covered in the [admin container documentation](https://github.com/bottlerocket-os/bottlerocket-admin-container#authenticating-with-the-admin-container) and the [control container documentation](https://github.com/bottlerocket-os/bottlerocket-control-container#connecting-to-aws-systems-manager-ssm). ### Network interface configuration Bottlerocket for bare metal provides the means to configure the physical network interfaces in the system via TOML-formatted file `net.toml`. 
`net.toml` is read at boot time and generates the proper configuration files in the correct format for each interface described; no default configuration is provided. If no network configuration is provided, boot-time services like host containers, `containerd`, and `kubelet` will fail to start. When these services fail, your machine will not connect to any cluster and will be unreachable via host containers. #### `net.toml` structure The configuration file must be valid TOML and have the filename `net.toml`. The first and required top level key in the file is `version`; the latest is version `3`. The rest of the file is a map of interface name or MAC address to supported settings. Interface names are expected to be correct as per `udevd` naming; no interface naming or matching is supported. (See the note below regarding `udevd` interface naming.) #### Supported interface settings * `primary` (boolean): Use this interface as the primary network interface. `kubelet` will use this interface's IP when joining the cluster. If none of the interfaces has `primary` set, the first interface in the file is used as the primary interface. * `dhcp4` (boolean or map): Turns on DHCP4 for the interface. If additional DHCP4 configuration is required, the following settings are supported and may be provided as a map with the following keys: * `enabled` (boolean, required): Enables DHCP4. * `route-metric` (integer): Prioritizes routes by setting values for preferred interfaces. * `optional` (boolean): the system will request a lease using this protocol, but will not wait for a valid lease to consider this interface configured. * `dhcp6` (boolean or map): Turns on DHCP6 for the interface. If additional DHCP6 configuration is required, the following settings are supported and may be provided as a map with the following keys: * `enabled` (boolean, required): Enables DHCP6.
* `optional` (boolean): the system will request a lease using this protocol, but will not wait for a valid lease to consider this interface configured. As of version `2` static addressing with simple routes is supported via the below settings. Please keep in mind that when using static addresses, DNS information must be supplied to the system via user data: [`settings.dns`](https://github.com/bottlerocket-os/bottlerocket#network-settings). * `static4` (map): IPv4 static address settings. * `addresses` (list of quoted IPv4 address including prefix): The desired IPv4 IP addresses, including prefix i.e. `["192.168.14.2/24"]`. The first IP in the list will be used as the primary IP which `kubelet` will use when joining the cluster. If IPv4 and IPv6 static addresses exist, the first IPv4 address is used. * `static6` (map): IPv6 static address settings. * `addresses` (list of quoted IPv6 address including prefix): The desired IPv6 IP addresses, including prefix i.e. `["2001:dead:beef::2/64"]`. The first IP in the list will be used as the primary IP which `kubelet` will use when joining the cluster. If IPv4 and IPv6 static addresses exist, the first IPv4 address is used. * `route` (map): Static route; multiple routes can be added. (cannot be used in conjunction with DHCP) * `to` (`"default"` or IP address with prefix, required): Destination address. * `from` (IP address): Source IP address. * `via` (IP address): Gateway IP address. If no gateway is provided, a scope of `link` is assumed. * `route-metric` (integer): Relative route priority. Version `3` adds support for bonding, vlan tagging, and the ability to use a MAC address (colon or dash separated) as the identifier for an interface. MAC address identification is limited to interface configuration *only* and may not be used in conjunction with bonds or vlans. [Bonding](https://www.kernel.org/doc/Documentation/networking/bonding.txt) support is limited to mode `1` (`active-backup`). 
Future support may include other bonding options - pull requests are welcome! Version `3` adds the concept of virtual network devices in addition to interfaces. The default type of device is an interface and the syntax is the same as previous versions. The name of an interface must match an existing interface on the system such as `eno1` or `enp0s16`. For virtual network devices, a `kind` is required. If no `kind` is specified, it is assumed to be an interface. Currently, `bond` and `vlan` are the two supported `kind`s. Virtual network devices are created, and therefore a name has to be chosen. Names for virtual network devices must conform to kernel naming restrictions: * Names must not have line terminators in them * Names must be between 1-15 characters * Names must not contain `.`, `/` or whitespace Bonding configuration creates a virtual network device across several other devices: * Bonding configuration (map): * `kind = "bond"`: This setting is required to specify a bond device. Required. * `interfaces` (list of quoted strings of interface names, not MAC addresses): Which interfaces should be added to the bond (i.e. `["eno1"]`). The first in the list is considered the default `primary`. These interfaces are "consumed" so no other configuration can refer to them. Required. * `mode` (string): Currently `active-backup` is the only supported option. Required. * `min-links` (integer): Number of links required to bring up the device * `monitoring` (map): Values must all be of `miimon` or `arpmon` type. The user must choose one type of monitoring and configure it fully in order for the bond to properly function. See [section 7](https://www.kernel.org/doc/Documentation/networking/bonding.txt) for more background on what to choose.
* `miimon-frequency-ms` (integer): MII Monitoring frequency in milliseconds * `miimon-updelay-ms` (integer): MII Monitoring delay before the link is enabled after link is detected in milliseconds * `miimon-downdelay-ms` (integer): MII Monitoring delay before the link is disabled after link is no longer detected in milliseconds * `arpmon-interval-ms` (integer): Number of milliseconds between intervals to determine link status, must be greater than 0 * `arpmon-validate` (one of `all`, `none`, `active`, or `backup`): What packets should be used to validate link * `arpmon-targets` (list of quoted IPv4 address including prefix): List of targets to use for validating ARP. Min = 1, Max = 16 Vlan tagging is configured as a new virtual network device stacked on another device: * Vlan configuration (map): * `kind = "vlan"`: This setting is required to specify a vlan device. * `device` (string for device name, not MAC address): Defines the device the vlan should be configured on. If VLAN tagging is required, this device should receive all IP address configuration instead of the underlying device. 
* `id` (integer): Number between 0 and 4096 specifying the vlan tag on the device Example `net.toml` version `3` with comments: ```toml version = 3 # "eno1" is the interface name [eno1] # Users may turn on dhcp4 and dhcp6 via boolean dhcp4 = true dhcp6 = true primary = true # "eno2" is the second interface in this example [eno2.dhcp4] # `enabled` is a boolean and is a required key when # setting up DHCP this way enabled = true # Route metric may be supplied for IPv4 route-metric = 200 [eno2.dhcp6] enabled = true optional = true [eno3.static4] addresses = ["10.0.0.10/24", "11.0.0.11/24"] # Multiple routes may be configured [[eno3.route]] to = "default" via = "10.0.0.1" route-metric = 100 [[eno3.route]] to = "default" via = "11.0.0.1" route-metric = 200 [eno4.static4] addresses = ["192.168.14.5/24"] # Using a source IP and non-default route [[eno4.route]] to = "10.10.10.0/24" from = "192.168.14.5" via = "192.168.14.25" # Interfaces may be configured using their MAC address rather than the interface name. # The MAC address must be quoted and colon or dash separated ["0e:b3:69:44:b6:33"] dhcp4 = true ["3e:03:69:49:e6:31".static4] addresses = ["10.0.0.15/24"] [["3e:03:69:49:e6:31".route]] to = "default" via = "10.0.0.1" # A bond is a network device that is of `kind` `bond` [bond0] kind = "bond" # Currently `active-backup` is the only supported option mode = "active-backup" # In this case, the vlan will have addressing, the bond is simply there for use in the vlan dhcp4 = false dhcp6 = false # The first interface in the array is considered `primary` by default, this list may not contain MAC addresses. 
interfaces = ["eno11", "eno12"] [bond0.monitoring] miimon-frequency-ms = 100 # 100 milliseconds miimon-updelay-ms = 200 # 200 milliseconds miimon-downdelay-ms = 200 # 200 milliseconds [bond1] kind = "bond" mode = "active-backup" interfaces = ["eno51" , "eno52", "eno53"] min-links = 2 # Optional min-links dhcp4 = true [bond1.monitoring] arpmon-interval-ms = 200 # 200 milliseconds arpmon-validate = "all" arpmon-targets = ["192.168.1.1", "10.0.0.2"] # A vlan is a network device that is of `kind` `vlan` # VLAN42 is the name of the device, can be anything that is a valid network interface name [VLAN42] kind = "vlan" # `device` may not contain a MAC address. device = "bond0" id = 42 dhcp4 = true [internal_vlan] kind = "vlan" device = "eno2" id = 1234 dhcp6 = true ``` #### **An additional note on network device names** Interface name policies are [specified in this file](https://github.com/bottlerocket-os/bottlerocket/blob/develop/packages/release/80-release.link#L6); with name precedence in the following order: onboard, slot, path. Typically on-board devices are named `eno*`, hot-plug devices are named `ens*`, and if neither of those names are able to be generated, the “path” name is given, i.e `enp*s*f*`. #### Networking configuration versions and Releases Older networking configuration versions (such as `1` or `2`) are supported in newer releases. In order to use a newer version, the following table provides guidance on what release first enabled the version. 
| Network Configuration Version | First Release | |-------------------------------|---------------------------------------------------------------------------------| | Version 1 | [v1.9.0](https://github.com/bottlerocket-os/bottlerocket/releases/tag/v1.9.0) | | Version 2 | [v1.10.0](https://github.com/bottlerocket-os/bottlerocket/releases/tag/v1.10.0) | | Version 3 | [v1.12.0](https://github.com/bottlerocket-os/bottlerocket/releases/tag/v1.12.0) | ### Boot Configuration Bottlerocket for bare metal uses a feature of the Linux kernel called [Boot Configuration](https://www.kernel.org/doc/html/latest/admin-guide/bootconfig.html), which allows a user to pass additional arguments to the kernel command line at runtime. An immediate use of this feature for most users is setting `console` settings so boot messages can be seen on the appropriate consoles. In order to make use of this feature, an initrd is created with the desired settings encoded inside it. The initrd is empty save for the encoded boot config data. To create the initrd, you must first create a configuration file containing key value pairs for the settings you would like to pass to kernel / init. Full syntax is described in the [Boot Config documentation](https://www.kernel.org/doc/html/latest/admin-guide/bootconfig.html#config-file-syntax), but a simple example is provided below that shows the format of console settings as well as an example `systemd` parameter. The two acceptable prefixes to settings are `kernel` and `init`. Settings prefixed with `kernel` are added to the beginning of the kernel command line. Settings prefixed with `init` are added to the kernel command line after the `--`, but before any existing init parameters. In the example below, two console devices are set up, and `systemd`'s log level is set to `debug`. 
Example Boot Configuration: ``` kernel { console = tty0, "ttyS1,115200n8" } init { systemd.log_level = debug } ``` The Bottlerocket SDK provides the `bootconfig` CLI tool, which is used to create a Boot Configuration initrd. To create the Boot Configuration initrd, create a config file named `bootconfig-input` containing your desired key/value pair kernel and init arguments. Then run the following (you will need Docker installed): ```shell ARCH=$(uname -m) SDK_VERSION="v0.26.0" SDK_IMAGE="public.ecr.aws/bottlerocket/bottlerocket-sdk-${ARCH}:${SDK_VERSION}" touch $(pwd)/bootconfig.data docker run --rm \ --network=none \ --user "$(id -u):$(id -g)" \ --security-opt label=disable \ -v $(pwd)/bootconfig-input:/tmp/bootconfig-input \ -v $(pwd)/bootconfig.data:/tmp/bootconfig.data \ "${SDK_IMAGE}" \ bootconfig -a /tmp/bootconfig-input /tmp/bootconfig.data ``` The above command will create the properly named initrd `bootconfig.data` in your current directory. This is the file you will write to disk during provisioning. You can list a `bootconfig.data`'s contents, which also validates its format, by running: ```shell ARCH=$(uname -m) SDK_VERSION="v0.26.0" SDK_IMAGE="public.ecr.aws/bottlerocket/bottlerocket-sdk-${ARCH}:${SDK_VERSION}" docker run --rm \ --network=none \ --user "$(id -u):$(id -g)" \ --security-opt label=disable \ -v $(pwd)/bootconfig.data:/tmp/bootconfig.data \ "${SDK_IMAGE}" \ bootconfig -l /tmp/bootconfig.data ``` ### Enable Secure Boot Starting with metal-k8s-1.28, the Bottlerocket images for bare metal support Secure Boot when used on a platform with UEFI firmware. UEFI boot mode must be used, rather than legacy BIOS boot mode, and Secure Boot must be enabled. The UEFI firmware may provide a Compatibility Support Module (CSM) option to enable legacy BIOS emulation. The CSM option must not be enabled. These options can be set in the firmware setup menu, which can be accessed during boot by pressing a certain key (such as F2 or F12). 
Many Linux distros ship a copy of the [shim](https://github.com/rhboot/shim) bootloader signed by Microsoft with a key that is trusted by default. Although Bottlerocket also uses `shim`, its copy is not signed by Microsoft and will not be trusted without additional configuration. After installing Bottlerocket, the appropriate vendor certificate can be found on the EFI System Partition (ESP). The firmware setup menu should provide an option to import a new vendor certificate by selecting a file on the ESP. Either the PEM format (`db.crt`) or DER format (`db.cer`) certificate can be imported, depending on what the firmware supports. The firmware setup menu should be password-protected to prevent unauthorized changes to the Secure Boot configuration. Please refer to the documentation from your hardware vendor for more information on this procedure. ================================================ FILE: PUBLISHING-AWS.md ================================================ # Publishing Bottlerocket on AWS This guide will walk you through some AWS-specific details around publishing an AMI, granting access to said AMI, as well as making it easy for others to find your AMI via SSM parameters. ### Register an AMI The [BUILDING](BUILDING.md#register-an-ami) guide covers the process of making an AMI, and has you specify `PUBLISH_REGIONS` to decide where the AMI will live. You can also specify this in your `Infra.toml` file: ```toml [aws] regions = ["us-west-2", "us-east-1", "us-east-2"] ``` Note: several commands work with AWS services, so there's some shared configuration related to AWS accounts and AWS IAM roles. For example, you can specify a role to assume before any API calls are made, and a role to assume before any API calls in a specific region. This can be useful if you want to use roles to control access to the accounts that own AMIs, for example. See the commented [example Infra.toml](tools/pubsys/Infra.toml.example) for details. 
If you specify multiple regions, an AMI will be registered in the first region and then copied to the other regions. After putting this in `Infra.toml`, you can make an AMI more easily: ```shell cargo make ami ``` If you want to change the name or description of your AMI, you can add on `-e PUBLISH_AMI_NAME=my-name` or `-e PUBLISH_AMI_DESCRIPTION=my-desc`. > Note: the AMI registration process creates a JSON file describing the AMIs in a directory under `build/images/`. > This file is used by the steps below when granting access to the AMIs or setting parameters in SSM. ### Granting access to your AMI If you use different accounts to make and test your AMIs, you can grant access to specific accounts like this: ```shell cargo make -e GRANT_TO_USERS=0123456789,9876543210 grant-ami ``` (Later, if you need to revoke access, you can do this:) ```shell cargo make -e REVOKE_FROM_USERS=0123456789,9876543210 revoke-ami ``` > Note: similar to `cargo make ami`, you can specify `PUBLISH_REGIONS` on the command line if you don't want to make an `Infra.toml` config. ### Making your AMIs discoverable with SSM parameters After you've made AMIs and a repo, you may want to make it easier to find your AMIs, particularly as you make new versions over time. One way to do this is to store the AMI IDs in [AWS SSM Parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html). These are simple names like `/my/ami/id` that you can use in many places instead of specific AMI IDs. For example, you can launch EC2 instances using [RunInstances](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-ec2-aliases.html) or [in a CloudFormation stack](https://aws.amazon.com/blogs/mt/integrating-aws-cloudformation-with-aws-systems-manager-parameter-store/) using a parameter name rather than an AMI ID. You can also use the same parameter names across regions, so you don't have to deal with region-specific AMI IDs. 
> Note: SSM parameters are private to your account. > They let you use consistent names instead of tracking AMI IDs, but they don't currently let you share with other accounts. The `cargo make ssm` task can set SSM parameters based on the AMIs you built [above](#register-an-ami). For this to work, you have to specify a parameter prefix in your `Infra.toml`. This setting lives in the same `[aws]` section you used above to list the regions where you want to register AMIs. (The same region list will be used to determine where to publish SSM parameters.) Here's an example configuration for regions and the SSM prefix: ```toml [aws] regions = ["us-west-2", "us-east-1", "us-east-2"] ssm_prefix = "/your/prefix/here" ``` This prefix forms the start of the name of each SSM parameter we set. The rest of the name comes from parameter templates. Parameter templates determine the name and value of each parameter we want to set for each AMI we've built. The [default template](tools/pubsys/policies/ssm/defaults.toml) creates parameters that let users find the AMI ID and the image version for each of your AMIs. The templates have access to the name of the current variant, architecture, etc., so they can create unique parameter names for each build. For more information on how templates work, check out [their documentation](tools/pubsys/policies/ssm/). If you're happy with the default template, you can set SSM parameters like this: ```shell cargo make ssm ``` This will create versioned parameters, meaning that the parameter name has the image version in it. This isn't very discoverable yet, but it's useful for testing. As an example, a parameter might look like this: ``` /your/prefix/here/aws-k8s-1.32/x86_64/1.31.0-41108b4/image_id ``` Once you're satisfied with your image and parameters, you can promote the parameters to simpler names (for example, "latest") using the [instructions below](#promoting-ssm-parameters). 
Note: if you want to customize the SSM parameters that get set, you can copy and modify the existing template file, then point to your file like this: ```shell cargo make -e PUBLISH_SSM_TEMPLATES_PATH=/my/template/path ssm ``` ### Making your AMIs public We talked about [granting AMI access](#granting-access-to-your-ami) to specific AWS accounts. This is useful for testing, and for sharing private AMIs with specific accounts. A public AMI can be launched by any AWS account, so before publishing, confirm that the image contains no credentials or other private data. If you want to make your AMIs public to the world, there's a shortcut: ```shell cargo make ami-public ``` (Later, if you need to make the AMIs private again, you can do this. The AMIs will then only be accessible to account IDs you've specifically granted.) ```shell cargo make ami-private ``` ### Promoting SSM parameters [Above](#making-your-amis-discoverable-with-ssm-parameters), we set SSM parameters based on our AMIs. The SSM parameter names include version numbers, which is handy for testing, but makes them hard to find. Once we're satisfied, we can promote the SSM parameters to simpler names. ```shell cargo make -e SSM_TARGET=latest promote-ssm ``` This will copy the fully versioned parameter from earlier, something like: ``` /your/prefix/here/aws-k8s-1.32/x86_64/1.31.0-41108b4/image_id ``` ...to a simpler parameter name: ``` /your/prefix/here/aws-k8s-1.32/x86_64/latest/image_id ``` You can then use this parameter name to get the latest AMI ID. > Note: if you use a custom parameter template, you need to have an `{image_version}` component in the parameter name for promotion to work. > The `SSM_TARGET` you specify above becomes the `image_version` in the template. ================================================ FILE: PUBLISHING-VMWARE.md ================================================ # Publishing a Bottlerocket OVA on VMware This guide will walk through some VMware specific details around making your OVA available as a VM or VM template in one or more software defined datacenters. 
### Configuration details As mentioned in the [PUBLISHING](PUBLISHING.md) guide, the process uses a configuration file called `Infra.toml`. For VMware, you can specify details about your various vSphere instances and datacenters in `Infra.toml`, as well as configuration that may be common between datacenters. It's important to note that we use [`govc`](https://github.com/vmware/govmomi/tree/master/govc) under the hood for interactions with vSphere, so at runtime **all datacenter configuration in `Infra.toml` is overridden by `GOVC_` environment variables.** `govc` is run in a container, so you do not need to install it on your machine. We first check for environment variables, then use `Infra.toml` for datacenter specific configuration, and finally common configuration. The following `GOVC_` environment variables are supported: * `GOVC_URL` * `GOVC_DATACENTER` * `GOVC_DATASTORE` * `GOVC_NETWORK` * `GOVC_FOLDER` * `GOVC_RESOURCE_POOL` * `GOVC_USERNAME` * `GOVC_PASSWORD` Credentials for your various datacenters may be stored at `~/.config/pubsys/vsphere-credentials.toml`. This file holds passwords in plain text, so keep it readable only by your own user (for example, mode `0600`) and out of version control. The format of the file is below; each datacenter gets its own `[datacenter.NAME]` block, where `NAME` corresponds to a datacenter name in `Infra.toml`. Similar to other datacenter configuration, at runtime we first check for the environment variables `GOVC_USERNAME` and `GOVC_PASSWORD` and use one or both of them if they are set. ```toml [datacenter.foo] username = "username" password = "password" [datacenter.bar] username = "bar" password = "baz" ``` ### Uploading a Bottlerocket OVA You can specify the datacenters to which you would like to upload your OVA in `Infra.toml`. ```toml [vmware] datacenters = ["foo", "bar"] ``` Then you can easily upload your OVA, specifying the variant you wish to upload (currently only VMware variants). 
```shell cargo make -e BUILDSYS_VARIANT=vmware-k8s-1.32 upload-ova ``` If you would like to upload your OVA as a VM template, you can do this in a single step: ```shell cargo make -e BUILDSYS_VARIANT=vmware-k8s-1.32 vmware-template ``` You can override the list of datacenters to upload to by specifying `VMWARE_DATACENTERS`: ```shell cargo make vmware-template \ -e BUILDSYS_VARIANT=vmware-k8s-1.32 \ -e VMWARE_DATACENTERS="foo,bar" ``` If you would like to override the name of the VM, you can add on `-e VMWARE_VM_NAME=my-name`. You can also override the import spec used when uploading the OVA by specifying `VMWARE_IMPORT_SPEC_PATH`. Our [import spec template](tools/pubsys/support/vmware/import_spec.template) can be used as a starting point for further customization. ```shell cargo make vmware-template \ -e BUILDSYS_VARIANT=vmware-k8s-1.32 \ -e VMWARE_IMPORT_SPEC_PATH=/path/to/my/spec.toml ``` ================================================ FILE: PUBLISHING.md ================================================ # Publishing Bottlerocket This guide will walk you through deploying a Bottlerocket image, and if desired, sharing it with others. It currently focuses on deploying to AWS and VMware, though the tooling is built to support other platforms in the future. Remember to look at the [TRADEMARKS](TRADEMARKS.md) guide to understand naming concerns. You can pass `-e BUILDSYS_NAME=my-name` to `cargo make` commands to change the default "short" name, which is used in file and AMI names. You can pass `-e BUILDSYS_PRETTY_NAME="My Name"` to `cargo make` commands to change the default "pretty" name, which is used in the os-release file and some menus. We'll assume you've been through the [BUILDING](BUILDING.md) guide to make an image. ### Configuring the publishing process The publishing process uses a configuration file called `Infra.toml`. The relevant sections of this file will be introduced as needed below. 
You can also see an [example file](tools/pubsys/Infra.toml.example) where each section is commented. When you make your own `Infra.toml`, you put it in the root of the Bottlerocket code repo, wherever you have it checked out. (If you want to keep it elsewhere, you can pass `-e "PUBLISH_INFRA_CONFIG_PATH=/my/path"` to subsequent `cargo make` commands.) Note: several commands work with AWS services, so there's some shared configuration related to AWS accounts and AWS IAM roles. For example, you can specify a role to assume before any API calls are made, and a role to assume before any API calls in a specific region. This can be useful if you want to use roles to control access to the accounts that own AMIs, for example. See the commented [example Infra.toml](tools/pubsys/Infra.toml.example) for details. ### Variants and architectures If you [built your image](BUILDING.md) for a different variant or architecture, you can pass the same variant and architecture arguments to any of the `cargo make` commands in this document. For example, if you built your image like this: ```shell cargo make -e BUILDSYS_VARIANT=my-variant -e BUILDSYS_ARCH=my-arch ``` ...then you can build a repo for it like this: ```shell cargo make -e BUILDSYS_VARIANT=my-variant -e BUILDSYS_ARCH=my-arch repo ``` ## Publishing your image For details on publishing your image on AWS or VMware, please see the respective [PUBLISHING-AWS](PUBLISHING-AWS.md) or [PUBLISHING-VMWARE](PUBLISHING-VMWARE.md) guides. ## Build a repo > NOTE: If you intend to replace hosts rather than update them, you don't need to build an update repository. Bottlerocket uses [TUF repositories](https://theupdateframework.io/overview/) to make system updates available to hosts. You can read more about how Bottlerocket uses TUF in the [updater README](sources/updater/README.md#tuf-and-tough). Initially, the repo will only contain the image you just built. 
Later, when you build updates, you can [add them to the repo](#configuring-your-repo-location), which allows your hosts to update to new versions. (If you don't have an `Infra.toml` file, it will always try to build a brand new repo.) ### Build process To build a repo, run: ```shell cargo make repo ``` #### Picking a release time If you're preparing the release of a new version in advance (see [waves](#waves) for why you may want to) you can specify the start time for the release. You'll need the time in ISO 8601 format. You can use the `date` command to get the formatted time using a simple description of your desired start. For example, if you want your release to start at 10:00 AM on Monday: ```shell RELEASE_START_TIME="$(date '+%Y-%m-%dT%H:%M:%S%:z' -d 'Monday 10am')" ``` Now we can create the repo using that time: ```shell cargo make -e "RELEASE_START_TIME=${RELEASE_START_TIME}" repo ``` ### Roles and keys #### Background on roles and keys TUF repos use [signed metadata](https://theupdateframework.io/metadata/) to ensure the repo content is secure and consistent. Bottlerocket images contain a signed root role that verifies the data in the update repo they talk to. If you run the `cargo make repo` command above without any configuration, it will generate a root role file and a signing key for you. The generated role and key are functional, but a bit basic. There's only a single key, and a "signing threshold" of 1, meaning only 1 key needs to sign replacement keys. For production use, you should consider having multiple root keys with a higher signing threshold. The benefit is that if someone compromises a single root key, TUF libraries won't trust any new keys they try to issue. It's also a good idea to keep your key somewhere safer than your local disk. This helps guard against loss of the key, which would leave you unable to update your repo. It also reduces the chance that the key is copied by someone with access to your machine, who could then sign repo metadata that your hosts would trust. 
We currently support storing keys in local files, in [AWS SSM Parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html), and in [AWS KMS](https://aws.amazon.com/kms/). SSM supports encrypted "SecureString" parameters for cases like this, and you can upload an existing private key into a parameter. KMS is even stronger in that private keys can never be uploaded or read - they're held in secure hardware. Another improvement is to separate your root key from your "publication" key, where the publication key controls the snapshot, targets, and timestamp roles. Those three roles are updated a lot more frequently. The benefit is that even if the publication key is compromised, you still control the root key, and can replace the publication key. To use a separate publication key, you can generate two keys using [tuftool](https://github.com/awslabs/tough/tree/develop/tuftool). Assuming you have a root.json from `tuftool root init`, you can create keys like this: ```shell tuftool root gen-rsa-key /path/to/root.json /path/to/my-new-root-key.pem --role root tuftool root gen-rsa-key /path/to/root.json /path/to/my-new-publication-key.pem --role snapshot --role targets --role timestamp ``` If you're using keys in SSM or KMS, then you can add them to your root role with a similar command. For example, with a KMS key, instead of `gen-rsa-key` you'd run `add-key` like this: ```shell tuftool root add-key /path/to/root.json aws-kms:///abc-def-123 --role root tuftool root add-key /path/to/root.json aws-kms:///456-cba-fed --role snapshot --role targets --role timestamp ``` #### Role and key configuration You can specify your own root role and your own key in `Infra.toml`. Root roles and keys are associated with a specific named repo. The publishing system assumes a repo named "default", so it's easiest to get started by using that name. (You can also pass `-e PUBLISH_REPO=myrepo` to `cargo make` commands to use a different name.) 
Here's an example repo configuration in `Infra.toml`: ```toml [repo.default] root_role_url = "https://example.com/root.json" root_role_sha512 = "0123456789abcdef" signing_keys = { file = { path = "/home/user/key.pem" } } ``` If you have your own root role, you specify it by URL; this can be a `file://` URL for a local file. You also specify the SHA512 checksum, to confirm that the file is the one you expect, in case we're downloading it from a remote URL. There's nothing secret in a root role file, so if you have a way of storing it remotely, a URL can be more convenient. The `signing_keys` portion above references a local file path. If you want to use an SSM or KMS key, you'd write it like this, instead: ```toml signing_keys = { kms = { key_id = "abc-def-123" } } ``` ...or... ```toml signing_keys = { ssm = { parameter = "/my/parameter" } } ``` ### Repo location #### Uploading your repo Your repo needs to be accessible to your hosts by URL. One good place to store repos is S3; this is how Bottlerocket's official repos are stored. (If you want, you can put a CloudFront distribution on top of this to make it accessible even more quickly around the world.) You can also store your repo behind any HTTP server; the key part is that the repo is accessible from your host. This could mean it's publicly accessible, or only accessible inside a VPC, or something similar. Let's assume you're using an S3 bucket. You just need to sync the built repo, like this. (If you're using a repo other than `default`, make sure you change the repo name.) ```shell aws s3 sync build/repos/default/latest/ s3://my-bucket/ ``` This syncs the metadata and targets directories of the repo into the root of your bucket. You can also sync to a subdirectory of your bucket if desired, for example if you use the bucket for other purposes. Just make sure you include that subdirectory in the URL in the next step. 
> Note: for production repos, it's safer to sync the targets directory before the metadata directory so that clients aren't pointed to targets they can't download yet. #### Configuring your repo location After your repo is uploaded, you can add the location into the repo configuration in your `Infra.toml`. This will allow you to use `cargo make repo` to update your existing repo in the future, rather than creating a new one from scratch every time. This is important so that your hosts can see all available updates in the repo, not just the latest one. Inside the repo section of your `Infra.toml` (for example, underneath `[repo.default]`) you'd add something like this: ```toml metadata_base_url = "https://example.com/" targets_url = "https://example.com/targets/" ``` (You can use a `file://` URL if you want to update a repo based on one you keep locally.) The variant and architecture are automatically added onto the metadata URL, matching the format of the directories inside `build/repos/default/latest`. (The targets directories is shared for all variants and architectures, since target files are prefixed with a checksum.) ### Using your repo from a Bottlerocket host By default, Bottlerocket hosts talk to the project's official repos. There are two ways to point your hosts at your own repo - at build time or at run time. If you're maintaining your own fork of Bottlerocket, you'd probably want to change the settings at build time, so you don't have to change settings for every host you launch. If you're just running a few hosts, or don't want to maintain a fork, then it's easier to change settings at run time. To change your repo URLs at build time, you would change the `settings.updates.targets-base-url` and `metadata.settings.updates.metadata-base-url.template` settings. The default settings are defined in TOML files. First, open the directory for your variant under [sources/models/src/](sources/models/src/). Then, open the `defaults.d` directory. 
Here, you can have any number of TOML files, or symlinks to shared TOML files, that define your default settings. Later files override earlier ones. For an example, take a look at the [aws-ecs-2 defaults](sources/models/src/aws-ecs-2/defaults.d/). These default settings will be applied to your hosts at startup, meaning any host you run would already know to look at your repo. (You'll probably want to commit your changes into your fork of the repo; we're working on ways of making it easier to maintain your own model and settings without a fork.) The easiest way to change your repo URLs at run time is to include the settings changes in user data. This method is covered [in README](README.md#using-user-data). For example, if you built the `aws-k8s-1.32` variant for `x86_64` and uploaded to the public S3 bucket `my-bucket`, your URLs could look like: ```toml [settings.updates] targets-base-url = "https://my-bucket.s3-us-west-2.amazonaws.com/targets/" metadata-base-url = "https://my-bucket.s3-us-west-2.amazonaws.com/aws-k8s-1.32/x86_64/" ``` ### Waves When you release a new version, you may want to make your update available to a small number of hosts in the beginning, then gradually expand. This can help mitigate the risk of the change and give you more time to detect issues before they're widespread. The Bottlerocket update system uses the concept of 'waves' of updates. For example, you can say that you want: * one hour before updates start, so you can prepare * 1% of hosts to get the update within 4 hours * 5% of hosts to get the update within 1 day * 15% of hosts to get the update within 2 days * 40% of hosts to get the update within 4 days * 60% of hosts to get the update within 5 days * 90% of hosts to get the update within 6 days * 100% of hosts to get the update after 6 days This provides a gradual ramp-up so you can watch the status of your deployment more easily. And, in fact, this is the default wave policy! 
The policy above is defined in [default-waves](sources/updater/waves/default-waves.toml). There's also an [accelerated schedule](sources/updater/waves/accelerated-waves.toml) for more urgent deployments, and an ["oh no" schedule](sources/updater/waves/ohno.toml) for emergencies. If you want to use a different policy, pass `-e PUBLISH_WAVE_POLICY_PATH=sources/updater/waves/chosen-policy.toml` when building your repo. For example, to use the accelerated schedule: ```shell cargo make -e PUBLISH_WAVE_POLICY_PATH=sources/updater/waves/accelerated-waves.toml repo ``` To learn more about waves, check out the [README](sources/updater/waves). ### Expiration policy Each piece of signed metadata in a TUF repo expires after a specific length of time, meaning that repos need to be re-signed regularly. This lets users know that the repo has been verified recently by the owner. It also limits how long stale but previously valid metadata can be replayed to hosts to hide newer updates from them. The [default policy](tools/pubsys/policies/repo-expiration/2w-2w-1w.toml) sets the timestamp expiration relatively short, [as recommended by TUF](https://theupdateframework.io/metadata/#timestamp-metadata-timestampjson), with the snapshot and targets expirations a bit longer. If you want to use a different expiration policy, you can copy and modify the existing policy, then point to your file like this: ```shell cargo make -e PUBLISH_EXPIRATION_POLICY_PATH=/my/policy/path repo ``` **Note:** remember to update your repo before the expiration date. If you forget, your hosts won't be able to talk to the repo until you update it. (Don't worry, they're not lost forever.) Currently, to refresh an existing repo, you would use the [tuftool update](https://github.com/awslabs/tough/tree/develop/tuftool) command without specifying any new targets. We're working on ways to make this easier, and integrated into the `cargo make` system. 
================================================ FILE: QUICKSTART-ECS.md ================================================ # Using a Bottlerocket AMI with Amazon ECS [Amazon Elastic Container Service (Amazon ECS)](https://ecs.aws) is a highly scalable, fast container management service that makes it easy to run, stop, and manage containers on a cluster. Your containers are defined in a task definition which you use to run individual tasks or as a service. This quickstart will walk through setting up an Amazon ECS cluster with Bottlerocket container instances (using the EC2 launch type). Check out the [Amazon ECS developer guide](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) for an overview of ECS. ## Prerequisites Before you begin, be sure that you've completed the steps in [Setting up with Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html) and that your AWS user has either the [`AdministratorAccess`](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AdministratorAccess) policy or the permissions specified in the [Amazon ECS First Run Wizard Permissions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.html#first-run-permissions) IAM policy example. You'll also need [aws-cli](https://aws.amazon.com/cli/) set up to interact with AWS. ## Create a cluster An Amazon ECS cluster is a logical grouping of tasks, services, and container instances. For more information about clusters, see [Amazon ECS clusters](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/clusters.html). You can create a cluster with the AWS CLI as follows: ```shell aws ecs --region us-west-2 create-cluster --cluster-name bottlerocket ``` > Note: The command above and subsequent examples include the AWS region, so change it from `us-west-2` if you operate in another region. 
## Finding an AMI The official AMI IDs are stored in [public SSM parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-public-parameters.html). The parameter names look like this: `/aws/service/bottlerocket/aws-ecs-2/x86_64/latest/image_id` Just change the variant (`aws-ecs-2`) and architecture (`x86_64`) to the ones you want to use. Supported variants and architectures are described in the [README](README.md#variants). For the purposes of SSM parameters, the valid architecture names are `x86_64` and `arm64` (also known as `aarch64`). Also, if you know a specific Bottlerocket version you'd like to use, for example `1.0.6`, you can replace `latest` with that version. Bottlerocket ECS variants with NVIDIA support append `-nvidia` to the variant name. For instance, the NVIDIA variant corresponding to `aws-ecs-2` is `aws-ecs-2-nvidia`. Once you have the parameter name you want to use, the easiest way to use it is to pass it directly to EC2. Just prefix the parameter name with `resolve:ssm:` and EC2 will fetch the current value for you. (You can also use this method for CloudFormation and other services that launch EC2 instances for you.) For example, to use the parameter above, you would pass this as the AMI ID in your launch request: `resolve:ssm:/aws/service/bottlerocket/aws-ecs-2/x86_64/latest/image_id` #### Manually querying SSM If you prefer to fetch the AMI ID yourself, you can use [aws-cli](https://aws.amazon.com/cli/) on the command line. 
To fetch the example parameter above, for the us-west-2 region, you could run this: ```shell aws ssm get-parameter --region us-west-2 --name "/aws/service/bottlerocket/aws-ecs-2/x86_64/latest/image_id" --query Parameter.Value --output text ``` If you have `jq` installed and would like a bit more information, try this: ```shell aws ssm get-parameters --region us-west-2 \ --names "/aws/service/bottlerocket/aws-ecs-2/x86_64/latest/image_id" \ "/aws/service/bottlerocket/aws-ecs-2/x86_64/latest/image_version" \ --output json | jq -r '.Parameters | .[] | "\(.Name): \(.Value) (updated \(.LastModifiedDate | gmtime | strftime("%c")) UTC)"' ``` ## Launching your first instance In order to launch a Bottlerocket instance into your ECS cluster, you'll first need some information about the resources in your AWS account. ### Subnet info You should either have a default virtual private cloud (VPC) or have already [created a VPC](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-vpc) in your account. To find your default VPC, run this command. (If you use an AWS region other than "us-west-2", make sure to change that.) ```shell aws ec2 describe-vpcs \ --region us-west-2 \ --filters=Name=isDefault,Values=true \ | jq --raw-output '.Vpcs[].VpcId' ``` If you want to use a different VPC you created, run this to get the ID for your VPC. Make sure to change VPC_NAME to the name of the VPC you created. (If you use an EC2 region other than "us-west-2", make sure to change that too.) ```shell aws ec2 describe-vpcs \ --region us-west-2 \ --filters=Name=tag:Name,Values=VPC_NAME \ | jq --raw-output '.Vpcs[].VpcId' ``` Next, run this to get information about the subnets in your VPC. It will give you a list of the subnets and tell you whether each is public or private. Make sure to change VPC_ID to the value you received from the previous command. (If you use an EC2 region other than "us-west-2", make sure to change that too.) 
```shell aws ec2 describe-subnets \ --region us-west-2 \ --filter=Name=vpc-id,Values=VPC_ID \ | jq '.Subnets[] | {id: .SubnetId, public: .MapPublicIpOnLaunch, az: .AvailabilityZone}' ``` You'll want to pick one and save it for the launch command later. You can choose whether you want public or private. * Choose private for production deployments to get maximum isolation of instances. * Choose public to more easily debug your instance. These subnets have an Internet Gateway, so if you add a public IP address to your instance, you can talk to it. (You can manually add an Internet Gateway to a private subnet later, so this is a reversible decision.) Note that if you choose to use the public subnet, you'll need your instance to have a publicly accessible IP address. That either means adding `--associate-public-ip-address` to the launch command below, or attaching an Elastic IP address after launch. There will be a reminder about this when we talk about the launch command. Finally, note that if you want to launch in a specific availability zone, make sure you pick a subnet that matches; the AZ is listed right below the public/private status. ### IAM role The instance we launch needs to be associated with an IAM role that allows for communication with ECS. ECS provides a [managed policy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_managed_policies.html#AmazonEC2ContainerServiceforEC2Role) with all of the appropriate permissions. If you've used ECS before, you may already have an appropriate role in your account called `ecsInstanceRole`. If you do not, you can [follow the instructions in the ECS Developer Guide to create a role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html). Note down the instance role name in your account for the instructions below. #### Enabling SSM If you add SSM permissions, you can use Bottlerocket's default SSM agent to get a shell session on the instance. 
To attach the role policy for SSM permissions, run the following (replacing INSTANCE_ROLE_NAME with the name of your instance role): ```shell aws iam attach-role-policy \ --role-name INSTANCE_ROLE_NAME \ --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore ``` Next, to retrieve the instance profile name used to launch instances, run this: ```shell aws iam list-instance-profiles-for-role --role-name INSTANCE_ROLE_NAME --query "InstanceProfiles[*].InstanceProfileName" --output text ``` Note this down as the INSTANCE_PROFILE_NAME for the final launch command. ### Connecting to your cluster For the instance to be able to communicate with ECS, we need to make sure to configure the instance with the name of the cluster. Create a file called `user-data.toml` with the following contents, where CLUSTER_NAME is the name of the cluster you created above (for example, "bottlerocket"). ```toml [settings.ecs] cluster = "CLUSTER_NAME" ``` If you want to customize the behavior of your instance further, you can find the full set of supported settings [here](README.md#settings). ### Launch! Now we can launch a Bottlerocket instance in our cluster! There are a few values to make sure you change in this command: * YOUR_KEY_NAME: your SSH key pair name, as registered with EC2 * SUBNET_ID: the subnet you selected earlier * If you chose a public subnet, either add `--associate-public-ip-address` to the command, or attach an Elastic IP afterward. * BOTTLEROCKET_AMI_ID: the Amazon-provided AMI ID you found above, or the ID of an AMI you registered * user-data.toml: the path to the user data file you created earlier * INSTANCE_PROFILE_NAME: the IAM instance profile you created, e.g. 
`ecsInstanceRole` ```shell aws ec2 run-instances --key-name YOUR_KEY_NAME \ --subnet-id SUBNET_ID \ --image-id BOTTLEROCKET_AMI_ID \ --instance-type c7.large \ --region us-west-2 \ --tag-specifications 'ResourceType=instance,Tags=[{Key=bottlerocket,Value=quickstart}]' \ --user-data file://user-data.toml \ --iam-instance-profile Name=INSTANCE_PROFILE_NAME ``` And remember, if you used a public subnet, add `--associate-public-ip-address` or attach an Elastic IP after launch. Once it launches, you should be able to run tasks on your Bottlerocket instance using the ECS API and console. ### aws-ecs-*-nvidia variants The `aws-ecs-*-nvidia` variants include the required packages and configurations to leverage NVIDIA GPUs. They come with the [NVIDIA Tesla driver](https://docs.nvidia.com/datacenter/tesla/drivers/index.html) along with the libraries required by the [NVIDIA container runtime](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit). In hosts with multiple GPUs (ex. EC2 `g4dn` instances) you can assign one or multiple GPUs per container by specifying the resource requirements in your container definitions as described in the [official ECS documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-gpu.html): ```json { "containerDefinitions": [ { "resourceRequirements" : [ { "type" : "GPU", "value" : "2" } ] } ] } ``` ### Neuron Support Bottlerocket `v1.30.0+` supports Neuron Instance Types such as: `inf1`, `inf2`, `trn1`, and `trn2`. 
You can assign one or multiple Neuron devices per container by specifying the `linuxParameters` in the task definitions as described in the [official ECS documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-inference.html): ```json { "containerDefinitions": [ { "linuxParameters": { "devices": [ { "containerPath": "/dev/neuron0", "hostPath": "/dev/neuron0", "permissions": [ "read", "write" ] } ], "capabilities": { "add": [ "IPC_LOCK" ] } } } ] } ``` ================================================ FILE: QUICKSTART-EKS.md ================================================ # Using a Bottlerocket AMI with Amazon EKS The first release of Bottlerocket focuses on Kubernetes, in particular serving as the host OS for Kubernetes pods. One easy way to get started is to use Amazon EKS, a service that manages a Kubernetes control plane for you. This document will focus on EKS to make it easy to follow a single path. There's nothing that limits Bottlerocket to EKS or AWS, though. Most of this is one-time setup, and yes, we plan to automate more of it! Once you have a cluster, you can skip to the last step, [Launch!](#launch) ## Dependencies EKS has a command-line tool called `eksctl` that makes cluster setup easy. Versions of eksctl starting with 0.15.0-rc.2 support Bottlerocket natively. We recommend that you download the [latest version of eksctl](https://github.com/weaveworks/eksctl/releases) to get this support. You'll also need to [install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) to augment `eksctl` during setup, and to run pods afterward. Finally, you'll need [aws-cli](https://aws.amazon.com/cli/) set up to interact with AWS. (You'll need a [recent v1 release](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html#install-tool-bundled) with EKS support.) ## Automated setup If you have a recent `eksctl`, as mentioned above, most of Bottlerocket setup for EKS is automated. 
### Cluster setup #### Cluster setup configuration file eksctl can use a configuration file to simplify setup. We have sample configuration files in the repo: * [`sample-eksctl.yaml`](sample-eksctl.yaml) - recommended for most setups. * [`sample-eksctl-ssh.yaml`](sample-eksctl-ssh.yaml) - for test clusters where you know you'll want SSH access. Make sure to change the `publicKeyName` setting to the name of the SSH key pair you have registered with EC2. Pick the file most appropriate for you and make a copy, for example `my-eksctl.yaml`. In this file you can change your desired number of nodes and even set Bottlerocket settings in advance if you like. The 'settings' section under 'bottlerocket' can include any [Bottlerocket settings](https://github.com/bottlerocket-os/bottlerocket#description-of-settings). Note that the configuration file includes the AWS region, so change it from `us-west-2` if you operate in another region. To learn more about eksctl configuration files, you can look at the [full schema](https://eksctl.io/usage/schema/) or [official examples](https://github.com/weaveworks/eksctl/tree/master/examples). #### Cluster creation You can set up a new cluster like this, pointing to the file you created in the last step: ```shell eksctl create cluster --config-file ./my-eksctl.yaml ``` This will take a few minutes to create the EKS cluster and spin up your Bottlerocket worker nodes. #### Optional cluster configuration ##### CSI plugin If you want to create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) on a Bottlerocket host, you will need to use the [EBS CSI Plugin](https://github.com/kubernetes-sigs/aws-ebs-csi-driver). This is because the default EBS driver relies on file system tools that are not included with Bottlerocket. A walk-through of creating a storage class using the driver is available [here](https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html). 
##### conntrack configuration By default `kube-proxy` will set the `nf_conntrack_max` kernel parameter to a default value that may differ from what Bottlerocket originally sets at boot. If you prefer to keep Bottlerocket's [default setting](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/packages/release/release-sysctl.conf), edit the kube-proxy-config ConfigMap with: ```shell kubectl edit -n kube-system cm/kube-proxy-config ``` Change the `maxPerCore` and `min` fields for `conntrack` like so (a setting of 0 implies no change): ```yaml conntrack: maxPerCore: 0 min: 0 tcpCloseWaitTimeout: 1h0m0s tcpEstablishedTimeout: 24h0m0s ``` ### Done! Bottlerocket instances are launched in an autoscaling group, up to the number specified in your eksctl configuration file. (You can change this number after creation by [configuring the ASG](https://console.aws.amazon.com/ec2/autoscaling/home#AutoScalingGroups:view=details), the same way you might change other ASGs.) The Bottlerocket instances will automatically register into the EKS cluster created by eksctl. You can now use normal Kubernetes tools like `kubectl` to manage your cluster and the Bottlerocket nodes. For example, to run a simple busybox pod: `kubectl run -i -t busybox --image=busybox --restart=Never` ## Manual setup If you'd like even more control over your setup, something that eksctl can't (yet) provide, or you just want to see what's involved, you can follow these steps. ### Finding an AMI The official AMI IDs are stored in [public SSM parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-public-parameters.html). The parameter names look like this: `/aws/service/bottlerocket/aws-k8s-1.32/x86_64/latest/image_id` Just change the variant (`aws-k8s-1.32`) and architecture (`x86_64`) to the ones you want to use. Supported variants and architectures are described in the [README](README.md#variants). 
For the purposes of SSM parameters, the valid architecture names are `x86_64` and `arm64` (also known as `aarch64`). Also, if you know a specific Bottlerocket version you'd like to use, for example `1.11.0`, you can replace `latest` with that version. All Bottlerocket EKS variants `v1.30.0+` support Neuron instance types. So, for instance, the variant for Kubernetes version 1.28 with Neuron support is `aws-k8s-1.28`. Bottlerocket EKS variants with NVIDIA support append `-nvidia` to the variant name. For instance, the variant for Kubernetes version 1.28 with NVIDIA support is `aws-k8s-1.28-nvidia`. Once you have the parameter name you want to use, the easiest way to use it is to pass it directly to EC2. (You can also use this method for CloudFormation and other services that launch EC2 instances for you.) Just prefix the parameter name with `resolve:ssm:` and EC2 will fetch the current value for you. For example, to use the parameter above, you would pass this as the AMI ID in your launch request: `resolve:ssm:/aws/service/bottlerocket/aws-k8s-1.32/x86_64/latest/image_id` #### Manually querying SSM If you prefer to fetch the AMI ID yourself, you can use [aws-cli](https://aws.amazon.com/cli/) on the command line. 
To fetch the example parameter above, for the us-west-2 region, you could run this: ```shell aws ssm get-parameter --region us-west-2 --name "/aws/service/bottlerocket/aws-k8s-1.32/x86_64/latest/image_id" --query Parameter.Value --output text ``` If you have `jq` installed and would like a bit more information, try this: ```shell aws ssm get-parameters --region us-west-2 \ --names "/aws/service/bottlerocket/aws-k8s-1.32/x86_64/latest/image_id" \ "/aws/service/bottlerocket/aws-k8s-1.32/x86_64/latest/image_version" \ --output json | jq -r '.Parameters | .[] | "\(.Name): \(.Value) (updated \(.LastModifiedDate | gmtime | strftime("%c")) UTC)"' ``` ### Cluster setup *Note:* most commands will have a region argument; make sure to change it if you don't want to set up in us-west-2. Also be aware that when operating in GovCloud the IAM ARNs will need to be updated to the following: `arn:aws-us-gov`. For example, `arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy` must be updated to `arn:aws-us-gov:iam::aws:policy/AmazonEKSWorkerNodePolicy`. You can set up a new cluster like this: ```shell eksctl create cluster --region us-west-2 --name bottlerocket ``` This will automatically add a "context" so `kubectl` knows how to interact with your cluster, and it'll set that context as your default. You can see your contexts (clusters) using `kubectl config get-contexts` and change your current one with `kubectl config use-context 'NEW-CONTEXT-HERE'`. ### Cluster info This section helps you determine some of the cluster information needed later by the instance launch command. #### Kubernetes cluster info Bottlerocket uses a TOML-formatted configuration file as user data. This can include the configuration of the Kubernetes cluster we just created. Run this to generate the configuration file with the relevant cluster config, including the API endpoint and base64-encoded certificate authority. 
```shell eksctl get cluster --region us-west-2 --name bottlerocket -o json \ | jq --raw-output '.[] | "[settings.kubernetes]\napi-server = \"" + .Endpoint + "\"\ncluster-certificate =\"" + .CertificateAuthority.Data + "\"\ncluster-name = \"bottlerocket\""' > user-data.toml ``` This will save the TOML-formatted configuration data into a file named `user-data.toml`. This will be used at the end, in the instance launch command. #### Subnet info Next, run this to get information about the subnets that eksctl created. It will give you a list of the subnets and tell you whether each is public or private. (If you use an EC2 region other than "us-west-2", make sure to change that.) ```shell aws ec2 describe-subnets \ --subnet-ids $(eksctl get cluster --region us-west-2 --name bottlerocket -o json | jq --raw-output '.[].ResourcesVpcConfig.SubnetIds[]') \ --region us-west-2 \ --query "Subnets[].[SubnetId, Tags[?Key=='aws:cloudformation:logical-id'].Value]" \ | xargs -L2 ``` You'll want to pick one and save it for the launch command later. You can choose whether you want public or private. * Choose private for production deployments to get maximum isolation of worker nodes. * Choose public to more easily debug your instance. These subnets have an Internet Gateway, so if you add a public IP address to your instance, you can talk to it. (You can manually add an Internet Gateway to a private subnet later, so this is a reversible decision.) Note that if you choose to use the public subnet, you'll need your instance to have a publicly accessible IP address. That either means adding `--associate-public-ip-address` to the launch command below, or attaching an Elastic IP address after launch. There will be a reminder about this when we talk about the launch command. Finally, note that if you want to launch in a specific availability zone, make sure you pick a subnet that matches; the AZ is listed right next to the public/private status. 
### IAM role The instance we launch needs to be associated with an IAM role that allows for communication with EKS and ECR. `eksctl` by default already creates such a role (and an instance profile that allows use of the role) as part of the cluster nodegroup. The ARN of the IAM role can be retrieved with: ```shell eksctl get iamidentitymapping --region us-west-2 --cluster bottlerocket ``` The output should look like this: ``` ARN USERNAME GROUPS arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/INSTANCE_ROLE_NAME system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes ``` Note down the INSTANCE_ROLE_NAME for the instructions below. ##### Enabling SSM If you add SSM permissions, you can use Bottlerocket's default SSM agent to get a shell session on the instance. To attach the role policy for SSM permissions, run the following: ```shell aws iam attach-role-policy \ --role-name INSTANCE_ROLE_NAME \ --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore ``` If you receive the following error, you need to truncate INSTANCE_ROLE_NAME to 64 characters. (We are working on improving this.) ``` 1 validation error detected: Value 'INSTANCE_ROLE_NAME' at 'role Name' failed to satisfy constraint: Member must have length less than or equal to 64 ``` Next, to retrieve the instance profile name used to launch instances, run this: ```shell aws iam list-instance-profiles-for-role --role-name INSTANCE_ROLE_NAME --query "InstanceProfiles[*].InstanceProfileName" --output text ``` There should only be one that looks like: ``` eksctl-bottlerocket-nodegroup-ng-IDENTIFIER-NodeInstanceProfile-IDENTIFIER ``` Note this down as the `INSTANCE_PROFILE_NAME` for the final launch command. ### kube-proxy settings By default `kube-proxy` will set the `nf_conntrack_max` kernel parameter to a default value that may differ from what Bottlerocket originally sets at boot. 
If you prefer to keep Bottlerocket's [default setting](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/packages/release/release-sysctl.conf), edit the kube-proxy configuration details with: ```shell kubectl edit -n kube-system daemonset kube-proxy ``` Add `--conntrack-max-per-core` and `--conntrack-min` to the kube-proxy arguments like so (a setting of 0 implies no change): ```yaml containers: - command: - kube-proxy - --v=2 - --config=/var/lib/kube-proxy-config/config - --conntrack-max-per-core=0 - --conntrack-min=0 ``` ### Final launch details For the instance to be able to communicate with the EKS cluster control plane and other worker nodes, we need to make sure the instance is launched with the right security groups. Run the following command: ```shell aws ec2 describe-security-groups --region us-west-2 \ --filters 'Name=tag:Name,Values=*bottlerocket*' \ --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" ``` This will output several security group names and IDs. You want to save the IDs for the `...ClusterSharedNodeSecurityGroup...` and `...nodegroup...` entries. Example: ```json [ { "Name": "eksctl-bottlerocket-cluster-ClusterSharedNodeSecurityGroup-IDENTIFIER", "ID": "SECURITY_GROUP_ID_1" }, { "Name": "eksctl-bottlerocket-cluster-ControlPlaneSecurityGroup-IDENTIFIER", "ID": *ignore* }, { "Name": "eksctl-bottlerocket-nodegroup-ng-IDENTIFIER-SG-IDENTIFIER", "ID": "SECURITY_GROUP_ID_2" } ] ``` If you chose a public subnet, and you plan to SSH to the instance (using the admin container), you'll also need to allow SSH traffic to your security group. You can do that with a command like this - just make sure to insert a security group from the last command, and your source network CIDR. 
```shell aws ec2 authorize-security-group-ingress --region us-west-2 \ --group-id SECURITY_GROUP_ID_1 --cidr YOUR_NETWORK_CIDR \ --protocol tcp --port 22 ``` If you chose a private subnet and you want to SSH in, you can do so from another instance in the same subnet and security group. ### Launch! Now we can launch a Bottlerocket instance in our cluster! There are a few values to make sure you change in this command: * YOUR_KEY_NAME: your SSH key pair name, as registered with EC2 * SUBNET_ID: the subnet you selected earlier * If you chose a public subnet, either add `--associate-public-ip-address` to the command, or attach an Elastic IP afterward. * SECURITY_GROUP_ID_1, SECURITY_GROUP_ID_2: the two security groups you found earlier * BOTTLEROCKET_AMI_ID: the ID of the AMI you registered, or an Amazon-provided AMI ID * user-data.toml: the path to the user data file you created earlier * INSTANCE_PROFILE_NAME: the instance profile created by `eksctl` for the cluster nodegroups. ```shell aws ec2 run-instances --key-name YOUR_KEY_NAME \ --subnet-id SUBNET_ID \ --security-group-ids SECURITY_GROUP_ID_1 SECURITY_GROUP_ID_2 \ --image-id BOTTLEROCKET_AMI_ID \ --instance-type c7.large \ --region us-west-2 \ --tag-specifications 'ResourceType=instance,Tags=[{Key=kubernetes.io/cluster/bottlerocket,Value=owned}]' \ --user-data file://user-data.toml \ --iam-instance-profile Name=INSTANCE_PROFILE_NAME ``` And remember, if you used a public subnet, add `--associate-public-ip-address` or attach an Elastic IP after launch. Once it launches, you should be able to run pods on your Bottlerocket instance using normal Kubernetes workflows. For example, to run busybox: `kubectl run -i -t busybox --image=busybox --restart=Never` ### aws-k8s-*-nvidia variants The `aws-k8s-*-nvidia` variants include the required packages and configurations to leverage NVIDIA GPUs. 
They come with the [NVIDIA Tesla driver](https://docs.nvidia.com/datacenter/tesla/drivers/index.html) along with the libraries required by the [NVIDIA container runtime](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit). They also include the [NVIDIA k8s device plugin](https://github.com/NVIDIA/k8s-device-plugin). If you already have a daemonset for the device plugin in your cluster, you may need to use taints and tolerations to keep it from running on Bottlerocket nodes. Additional NVIDIA tools such as [DCGM exporter](https://github.com/NVIDIA/dcgm-exporter) and [GPU Feature Discovery](https://github.com/NVIDIA/gpu-feature-discovery) will work as expected. You can install them in your cluster by following the `helm install` instructions provided for each project. The [GPU Operator](https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/getting-started.html#install-nvidia-gpu-operator) can also be used to install these tools. However, it is cumbersome to select the right subset of features to avoid conflicts with the software included in the variant. Therefore we recommend installing the tools individually if they are required. In hosts with multiple GPUs (ex. EC2 `g4dn` instances) you can assign a GPU per container by specifying the resource in the containers' spec as described in the [official kubernetes documentation](https://kubernetes.io/docs/tasks/manage-gpus/scheduling-gpus/): ```yaml apiVersion: v1 kind: Pod metadata: name: test spec: restartPolicy: OnFailure containers: - name: test image: amazonlinux:2 resources: limits: nvidia.com/gpu: 1 # requesting 1 GPU ``` ### Neuron Support Bottlerocket `v1.30.0+` supports Neuron Instance Types such as: `inf1`, `inf2`, `trn1`, and `trn2`. 
To enable Neuron workloads, you will need the following user-data configurations: ```toml [settings] [settings.kubernetes] device-ownership-from-security-context = true ``` This setting allows the container to take ownership of the mounted Neuron device based on the `runAsUser` and `runAsGroup` values provided in the spec. For more details on this, see the [Kubernetes documentation](https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/): ```yaml apiVersion: v1 kind: Pod metadata: name: test spec: hostNetwork: true securityContext: runAsUser: 1001 runAsGroup: 2001 fsGroup: 3001 restartPolicy: OnFailure containers: - name: test image: amazonlinux:2023 resources: limits: aws.amazon.com/neuron: "1" ``` Along with the `device-ownership-from-security-context` setting, you will need to deploy the [neuron-device-plugin](https://awsdocs-neuron.readthedocs-hosted.com/en/latest/containers/kubernetes-getting-started.html#neuron-device-plugin), and optionally, the [neuron-scheduler](https://awsdocs-neuron.readthedocs-hosted.com/en/latest/containers/kubernetes-getting-started.html#neuron-scheduler-extension). ================================================ FILE: QUICKSTART-LOCAL.md ================================================ # Testing Bottlerocket in a local virtual machine This quickstart will walk through launching a Bottlerocket VM guest on a local machine using QEMU and KVM. The VM will not join an ECS or Kubernetes cluster. This way of running Bottlerocket is therefore best used for testing purposes when developing Bottlerocket components that do not need to integrate with any orchestrators or to just get a feel for what a Bottlerocket node looks like from the inside. ## Prerequisites We assume you are following along on a machine running Fedora. If you are using a cloud VM, ensure you can use hardware-assisted virtualization. For example, on Amazon EC2 this requires the use of a .metal instance type. 
You need a clone of the main Bottlerocket repository and a build of the metal-dev variant. Please refer to [`BUILDING.md`](https://github.com/bottlerocket-os/bottlerocket/blob/develop/BUILDING.md) for instructions on how to build a Bottlerocket image and ensure you pass `-e BUILDSYS_VARIANT=metal-dev` to `cargo make`. The use of QEMU requires extra packages which you may install using this dnf invocation: ```shell sudo dnf install qemu ``` If you'd (optionally) like to make use of the control container, you'll need an AWS account and AWS CLI. ## Configuring Bottlerocket Bottlerocket is configured [via an API](https://github.com/bottlerocket-os/bottlerocket/#using-the-api-client) or, if running in a cloud VM, [via user data](https://github.com/bottlerocket-os/bottlerocket/#using-user-data) upon boot. For running a local VM, neither mechanism can be used to apply configuration on first boot: Bottlerocket is not yet running, making its API server unavailable, and the goal to have Bottlerocket running locally precludes use of the user data mechanism. As an alternative, the `start-local-vm` wrapper script included in the `tools` directory of the main repository allows you to inject configuration into well-known locations of the built image for Bottlerocket to find on boot. ### Set up networking The `start-local-vm` wrapper configures QEMU to provide one virtual network interface to the VM. To enable this interface, create a file named `net.toml` containing the following TOML snippet: ```toml version = 1 [enp0s16] dhcp4 = true ``` This will prompt [netdog](https://github.com/bottlerocket-os/bottlerocket/blob/develop/sources/netdog/README.md) to set up `enp0s16` as the primary network interface with IPv4 networking configured via DHCP. No dedicated DHCP server needs to be running on the host as QEMU will act as one on the virtual network interface. Note that for virtual machines launched with `start-local-vm`, the primary network interface will always be named `enp0s16`. 
The name will differ when running on bare metal or in a cloud environment. ### Accessing your Bottlerocket guest via host containers When running a Bottlerocket development variant such as metal-dev locally, you can directly interact with the system via the serial console that `start-local-vm` connects you to. For remote access to your running Bottlerocket VMs, you will need to provide additional configuration to enable host containers. The Bottlerocket metal images don't include any host containers enabled by default. But don't worry! You can use our [admin](https://github.com/bottlerocket-os/bottlerocket-admin-container) and/or [control](https://github.com/bottlerocket-os/bottlerocket-control-container) containers; they just need to be configured first. Information about the roles these host containers play can be found [here](https://github.com/bottlerocket-os/bottlerocket/#exploration). #### Admin container If you would like to use the admin container, you will need to create some base64 encoded user data which will be passed to the container at runtime. Full details are covered in the [admin container documentation](https://github.com/bottlerocket-os/bottlerocket-admin-container#authenticating-with-the-admin-container). If we assume you have a public key at `${HOME}/.ssh/id_rsa.pub`, the below will add the correct user data to your `user-data.toml`. ```shell PUBKEY_FILE="${HOME}/.ssh/id_rsa.pub" PUBKEY=$(< "${PUBKEY_FILE}") ADMIN_USER_DATA="$(echo '{"ssh": {"authorized-keys": ["'"${PUBKEY}"'"]}}' | base64 -w 0)" cat <<EOF >>user-data.toml [settings.host-containers.admin] enabled = true superpowered = true user-data = "${ADMIN_USER_DATA}" source = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.1" EOF ``` Note that `superpowered = true` runs the admin container with elevated access to the host, so enable it only on systems where you want that level of access. #### Control container Enabling the control container is very similar to the admin container; you will create some base64 encoded user data that will be passed to the container at runtime. 
This user data includes an activation ID and code retrieved from AWS SSM. Full details can be found in the [control container documentation](https://github.com/bottlerocket-os/bottlerocket-control-container#connecting-to-aws-systems-manager-ssm). You'll first need an AWS account, and AWS CLI installed. Then you'll create a service role in that account to [grant AWS STS trust to the AWS Systems Manager service](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-service-role.html). ```shell cat <<EOF > ssmservice-trust.json { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": "sts:AssumeRole" } } EOF # Create the role using the above policy aws iam create-role \ --role-name SSMServiceRole \ --assume-role-policy-document file://ssmservice-trust.json # Attach the policy enabling the role to create session tokens aws iam attach-role-policy \ --role-name SSMServiceRole \ --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore ``` Once the above is created, we can use the role to create an activation code and ID. ```shell export SSM_ACTIVATION="$(aws ssm create-activation \ --iam-role SSMServiceRole \ --registration-limit 100 \ --region us-west-2 \ --output json)" ``` Using the above activation data we can create our user data to pass to the control container: ```shell SSM_ACTIVATION_ID="$(jq -r '.ActivationId' <<< ${SSM_ACTIVATION})" SSM_ACTIVATION_CODE="$(jq -r '.ActivationCode' <<< ${SSM_ACTIVATION})" CONTROL_USER_DATA="$(echo '{"ssm": {"activation-id": "'${SSM_ACTIVATION_ID}'", "activation-code": "'${SSM_ACTIVATION_CODE}'", "region": "us-west-2"}}' | base64 -w0)" cat <<EOF >>user-data.toml [settings.host-containers.control] enabled = true user-data = "${CONTROL_USER_DATA}" source = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.6.1" EOF ``` ## Launch! We have now prepared all configuration we might need.
Assuming you are in the root of the main Bottlerocket repository, you can run ```shell ./tools/start-local-vm --variant metal-dev --arch $(uname -m) --inject-file net.toml --inject-file user-data.toml ``` to start a local VM with the Bottlerocket image you built earlier. The `--inject-file` options add the listed files to the private partition of the image, where Bottlerocket's various services will find them on boot. The final configuration files ending up in the image need to be named like in the examples above. If you named yours differently, you can ensure they have the right name in the image by using a colon as the separator of local file name and file name in the image, e.g. `--inject-file admin-container-only.toml:user-data.toml`. If you did not enable any host containers and thus have no `user-data.toml` you need to leave this option off. Once the VM launches, boot output will be visible in the terminal. The `start-local-vm` script connects you to the serial console of the VM, which can also be used to interact with the system if you are running a development variant such as metal-dev. When prompted to login, any username will do. The virtual serial console will capture most keyboard input, such as Ctrl-C. If you want to terminate the VM, you can either instruct it to `systemctl poweroff` from within or exit QEMU via the Ctrl-A X shortcut. By default, the `start-local-vm` wrapper will forward the host's TCP port 2222 to the VM's port 22. If you enabled the admin host container, the SSH server running in it will therefore be available by connecting to localhost's port 2222: ```shell ssh -p 2222 ec2-user@localhost ``` ================================================ FILE: QUICKSTART-VMWARE.md ================================================ # Using Bottlerocket as a Kubernetes worker node with VMware This quickstart will walk through joining a Bottlerocket VM guest to an existing Kubernetes cluster running in VMware. 
## Prerequisites You must be able to access vSphere, via webUI or some type of client. We will use the CLI tool [`govc`](https://github.com/vmware/govmomi/tree/master/govc) to communicate with vSphere in this guide. `govc` can use [environment variables or take arguments](https://github.com/vmware/govmomi/tree/master/govc#usage) to specify needed parameters. For the purposes of this guide we will assume that the following environment variables are set to the proper values in your environment: ``` GOVC_URL GOVC_USERNAME GOVC_PASSWORD GOVC_DATACENTER GOVC_DATASTORE GOVC_NETWORK GOVC_RESOURCE_POOL GOVC_FOLDER ``` This guide assumes you already have a functioning Kubernetes cluster running in VMware. You'll need to have [`kubectl`](https://kubernetes.io/docs/tasks/tools/#kubectl) and [`kubeadm`](https://kubernetes.io/docs/tasks/tools/#kubeadm) installed, as well as a `kubeconfig` for your cluster. These tools allow us to access information about your cluster to facilitate the joining of Bottlerocket nodes. You'll need to install [`tuftool`](https://github.com/awslabs/tough/blob/develop/tuftool/README.md) to assist you with fetching the signed Bottlerocket OVA from the Bottlerocket TUF repository. `jq` should also be installed. If you'd (optionally) like to make use of the control container, you'll need an AWS account and AWS CLI. ## Fetch the OVA The Bottlerocket OVA is signed and uploaded alongside the rest of the Bottlerocket release artifacts. You first need the Bottlerocket root role, which is used by `tuftool` to verify the OVA.
The following will download and verify the root role itself: ```shell curl -O "https://cache.bottlerocket.aws/root.json" sha512sum -c <<<"4fcb272345fd6adb94d4c04834400548178fecb57407ca79bc2c3d20e0428fc9ed3a82cea268d7f9c667b5803524a4f465acd701a86953d5d732bf6ecb064888 root.json" ``` Next, set your desired version and variant, and download the OVA: ```shell VERSION="v1.31.0" VARIANT="vmware-k8s-1.32" OVA="bottlerocket-${VARIANT}-x86_64-${VERSION}.ova" OUTDIR="${VARIANT}-${VERSION}" tuftool download "${OUTDIR}" --target-name "${OVA}" \ --root ./root.json \ --metadata-url "https://updates.bottlerocket.aws/2020-07-07/${VARIANT}/x86_64/" \ --targets-url "https://updates.bottlerocket.aws/targets/" ``` ## Upload the OVA Once you have downloaded the OVA, you can upload it to vSphere. The first command generates a spec file (`bottlerocket_spec.json` in this case) using the OVA and gives you few options for your deployment. ```shell govc import.spec "${OUTDIR}/${OVA}" > bottlerocket_spec.json ``` The spec will look similar to this: ```json { "DiskProvisioning": "flat", "IPAllocationPolicy": "dhcpPolicy", "IPProtocol": "IPv4", "NetworkMapping": [ { "Name": "VM Network", "Network": "" } ], "MarkAsTemplate": false, "PowerOn": false, "InjectOvfEnv": false, "WaitForIP": false, "Name": null } ``` We will use `$GOVC_NETWORK` to populate the value for `Network` in the file and use it to upload the OVA! ```shell VM_NAME="bottlerocket-quickstart-${VERSION}" jq --arg network "${GOVC_NETWORK}" \ '.NetworkMapping[].Network = $network' \ bottlerocket_spec.json > bottlerocket_spec_edit.json govc import.ova -options=bottlerocket_spec_edit.json -name="${VM_NAME}" "${OUTDIR}/${OVA}" ``` Since we intend to run multiple identical VMs, let's mark the OVA you just uploaded as a template. You can think of a template as a "golden" image, allowing you to create many VMs without affecting the "golden" image. 
```shell govc vm.markastemplate "${VM_NAME}" ``` Let's create 3 Bottlerocket VMs using the template. The following will clone from the template, but leave the VMs turned off since we still need to set user data. ```shell for node in 1 2 3; do govc vm.clone -vm "${VM_NAME}" -on=false "${VM_NAME}-${node}" done ``` ## Gathering cluster info This section will help you gather cluster information needed to configure Bottlerocket via user data. The below commands assume a single cluster. #### API Server This is the address (including port) of the control plane. ```shell export API_SERVER="$(kubectl config view -o jsonpath='{.clusters[0].cluster.server}')" ``` #### Cluster DNS IP This is the IP address of the DNS pod/service. ```shell export CLUSTER_DNS_IP="$(kubectl -n kube-system get svc -l k8s-app=kube-dns -o=jsonpath='{.items[0].spec.clusterIP}')" ``` #### Bootstrap token Nodes require a token to establish trust between the node and the control plane. Tokens must be [used within 24 hours](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-token/), but once the node has booted and registered with the cluster, it isn't used again. ```shell export BOOTSTRAP_TOKEN="$(kubeadm token create)" ``` #### Cluster Certificate This is the base64 encoded cluster certificate authority. ```shell export CLUSTER_CERTIFICATE="$(kubectl config view --raw -o=jsonpath='{.clusters[0].cluster.certificate-authority-data}')" ``` ## Configuring Bottlerocket In order to join Bottlerocket to your cluster, it must be configured via user data. There are multiple methods of passing user data to Bottlerocket in VMware; we will demonstrate all of them. Create a file called `user-data.toml` and populate it with the values you just retrieved. 
```shell cat <<EOF > user-data.toml [settings.kubernetes] api-server = "${API_SERVER}" cluster-dns-ip = "${CLUSTER_DNS_IP}" bootstrap-token = "${BOOTSTRAP_TOKEN}" cluster-certificate = "${CLUSTER_CERTIFICATE}" EOF ``` ### Accessing your Bottlerocket guest via host containers For remote access to your running Bottlerocket VMs, you will need to add additional user data to enable host containers. The Bottlerocket VMware images don't include any host containers enabled by default. But don't worry! You can use our [admin](https://github.com/bottlerocket-os/bottlerocket-admin-container) and/or [control](https://github.com/bottlerocket-os/bottlerocket-control-container) containers; they just need to be configured first. #### Admin container If you would like to use the admin container, you will need to create some base64 encoded user data which will be passed to the container at runtime. Full details are covered in the [admin container documentation](https://github.com/bottlerocket-os/bottlerocket-admin-container#authenticating-with-the-admin-container). If we assume you have a public key at `${HOME}/.ssh/id_rsa.pub`, the below will add the correct user data to your `user-data.toml`. ```shell PUBKEY="${HOME}/.ssh/id_rsa.pub" ADMIN_USER_DATA="$(echo '{"ssh":{"authorized-keys":["'"$(cat ${PUBKEY})"'"]}}' | base64 -w 0)" cat <<EOF >>user-data.toml [settings.host-containers.admin] enabled = true user-data = "${ADMIN_USER_DATA}" EOF ``` #### Control container Enabling the control container is very similar to the admin container; you will create some base64 encoded user data that will be passed to the container at runtime. This user data includes an activation ID and code retrieved from AWS SSM. Full details can be found in the [control container documentation](https://github.com/bottlerocket-os/bottlerocket-control-container#connecting-to-aws-systems-manager-ssm). You'll first need an AWS account, and AWS CLI installed.
Then you'll create a service role in that account to [grant AWS STS trust to the AWS Systems Manager service](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-service-role.html). ```shell cat <<EOF > ssmservice-trust.json { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": "sts:AssumeRole" } } EOF # Create the role using the above policy aws iam create-role \ --role-name SSMServiceRole \ --assume-role-policy-document file://ssmservice-trust.json # Attach the policy enabling the role to create session tokens aws iam attach-role-policy \ --role-name SSMServiceRole \ --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore ``` Once the above is created, we can use the role to create an activation code and ID. ```shell export SSM_ACTIVATION="$(aws ssm create-activation \ --iam-role SSMServiceRole \ --registration-limit 100 \ --region us-west-2 \ --output json)" ``` Using the above activation data we can create our user data to pass to the control container: ```shell SSM_ACTIVATION_ID="$(jq -r '.ActivationId' <<< ${SSM_ACTIVATION})" SSM_ACTIVATION_CODE="$(jq -r '.ActivationCode' <<< ${SSM_ACTIVATION})" CONTROL_USER_DATA="$(echo '{"ssm":{"activation-id":"'${SSM_ACTIVATION_ID}'","activation-code":"'${SSM_ACTIVATION_CODE}'","region":"us-west-2"}}' | base64 -w0)" cat <<EOF >>user-data.toml [settings.host-containers.control] enabled = true user-data = "${CONTROL_USER_DATA}" EOF ``` ### Setting user data via "guestinfo" interface **Note: You must set these values before you start the VM for the first time!** VMware allows you to set some extended attributes of your VM, which your VM can then access via a "guestinfo" interface. These extended attributes are `guestinfo.userdata` and `guestinfo.userdata.encoding`. `guestinfo.userdata` may be passed as base64, gzipped base64, or (least desirable) raw TOML.
Valid values for `guestinfo.userdata.encoding` are: `base64`, `b64`, `gzip+base64`, and `gz+b64`. Given the above file `user-data.toml`, base64 encode and set user data for your VM: ```shell export BR_USERDATA=$(base64 -w0 user-data.toml) for node in 1 2 3; do govc vm.change -vm "${VM_NAME}-${node}" \ -e guestinfo.userdata="${BR_USERDATA}" \ -e guestinfo.userdata.encoding="base64" done ``` You can check that your user data was set; using node "1" as an example below: ```shell govc vm.info -e -r -t "${VM_NAME}-1" ``` Note that this output includes the user data, which is only base64-encoded, not encrypted, so it exposes the bootstrap token (and the SSM activation code, if you configured the control container) to anyone who can read the VM's configuration. ## Launch! Once you've created your user data and given your VM a way to access it via guestinfo, you can launch all 3 Bottlerocket VMs in your cluster! ```shell for node in 1 2 3; do govc vm.power -on "${VM_NAME}-${node}" done ``` Once it launches, you should be able to use your Bottlerocket instance using normal Kubernetes workflows. All boot output should be visible in the vSphere console if you need to troubleshoot. ================================================ FILE: README.md ================================================ # Bottlerocket OS Welcome to Bottlerocket! Bottlerocket is a free and open-source Linux-based operating system meant for hosting containers. To learn more about Bottlerocket, visit the [official Bottlerocket website and documentation](https://bottlerocket.dev/). Otherwise, if you’re ready to jump right in, read one of our setup guides for running Bottlerocket in [Amazon EKS](QUICKSTART-EKS.md), [Amazon ECS](QUICKSTART-ECS.md), or [VMware](QUICKSTART-VMWARE.md). If you're interested in running Bottlerocket on bare metal servers, please refer to the [provisioning guide](PROVISIONING-METAL.md) to get started. Bottlerocket focuses on security and maintainability, providing a reliable, consistent, and safe platform for container-based workloads. This is a reflection of what we've learned building operating systems and services at Amazon. You can read more about what drives us in [our charter](CHARTER.md).
The base operating system has just what you need to run containers reliably, and is built with standard open-source components. Bottlerocket-specific additions focus on reliable updates and on the API. Instead of making configuration changes manually, you can change settings with an API call, and these changes are automatically migrated through updates. Some notable features include: * [API access](#api) for configuring your system, with secure out-of-band [access methods](#exploration) when you need them. * [Updates](#updates) based on partition flips, for fast and reliable system updates. * [Modeled configuration](#settings) that's automatically migrated through updates. * [Security](#security) as a top priority. ## Participate in the Community There are many ways to take part in the Bottlerocket community: - [Join us on Meetup](https://www.meetup.com/bottlerocket-community/) to hear about the latest Bottlerocket (virtual/in-person) events and community meetings. Community meetings are typically every other week. Details can be found under the [Events section on Meetup](https://www.meetup.com/bottlerocket-community/events/), and you will receive email notifications if you become a member of the Meetup group. (It's free to join!) - [Start or join a discussion](https://github.com/bottlerocket-os/bottlerocket/discussions) if you have questions about Bottlerocket. - If you're interested in contributing, thank you! Please see our [contributor's guide](CONTRIBUTING.md). ## Contact us If you find a security issue, please [contact our security team](https://github.com/bottlerocket-os/bottlerocket/security/policy) rather than opening an issue. We use GitHub issues to track other bug reports and feature requests. You can look at [existing issues](https://github.com/bottlerocket-os/bottlerocket/issues) to see whether your concern is already known. If not, you can select from a few templates and get some guidance on the type of information that would be most helpful. 
[Contact us with a new issue here.](https://github.com/bottlerocket-os/bottlerocket/issues/new/choose) We don't have other communication channels set up quite yet, but don't worry about making an issue or a discussion thread! You can let us know about things that seem difficult, or even ways you might like to help. ## Variants To start, we're focusing on the use of Bottlerocket as a host OS in AWS EKS Kubernetes clusters and Amazon ECS clusters. We’re excited to get early feedback and to continue working on more use cases! Bottlerocket is architected such that different cloud environments and container orchestrators can be supported in the future. A build of Bottlerocket that supports different features or integration characteristics is known as a 'variant'. The artifacts of a build will include the architecture and variant name. For example, an `x86_64` build of the `aws-k8s-1.32` variant will produce an image named `bottlerocket-aws-k8s-1.32-x86_64-<version>-<commit>.img`. The following variants support EKS, as described above: * `aws-k8s-1.29` * `aws-k8s-1.30` * `aws-k8s-1.31` * `aws-k8s-1.32` * `aws-k8s-1.33` * `aws-k8s-1.34` * `aws-k8s-1.35` * `aws-k8s-1.29-nvidia` * `aws-k8s-1.30-nvidia` * `aws-k8s-1.31-nvidia` * `aws-k8s-1.32-nvidia` * `aws-k8s-1.33-nvidia` * `aws-k8s-1.34-nvidia` * `aws-k8s-1.35-nvidia` The following variants support ECS: * `aws-ecs-2` * `aws-ecs-2-nvidia` * `aws-ecs-3` * `aws-ecs-3-fips` * `aws-ecs-3-nvidia` We also have variants that are designed to be Kubernetes worker nodes in VMware: * `vmware-k8s-1.29` * `vmware-k8s-1.30` * `vmware-k8s-1.31` * `vmware-k8s-1.32` * `vmware-k8s-1.33` * `vmware-k8s-1.34` * `vmware-k8s-1.35` The following variants are no longer supported: * All Kubernetes variants using Kubernetes 1.28 and earlier * VMware variants using Kubernetes 1.28 and earlier * Bare metal variants for Kubernetes * ECS-1 variants We recommend users replace nodes running these variants with the [latest variant compatible with their cluster](variants/).
## Architectures Our supported architectures include `x86_64` and `aarch64` (written as `arm64` in some contexts). ## Setup :walking: :running: Bottlerocket is best used with a container orchestrator. To get started with Kubernetes in Amazon EKS, please see [QUICKSTART-EKS](QUICKSTART-EKS.md). To get started with Kubernetes in VMware, please see [QUICKSTART-VMWARE](QUICKSTART-VMWARE.md). To get started with Amazon ECS, please see [QUICKSTART-ECS](QUICKSTART-ECS.md). These guides describe: * how to set up a cluster with the orchestrator, so your Bottlerocket instance can run containers * how to launch a Bottlerocket instance in EC2 or VMware To see how to provision Bottlerocket on bare metal, see [PROVISIONING-METAL](PROVISIONING-METAL.md). To build your own Bottlerocket images, please see [BUILDING](BUILDING.md). It describes: * how to build an image * how to register an EC2 AMI from an image To publish your built Bottlerocket images, please see [PUBLISHING](PUBLISHING.md). It describes: * how to make TUF repos including your image * how to copy your AMI across regions * how to mark your AMIs public or grant access to specific accounts * how to make your AMIs discoverable using [SSM parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) ## Exploration To improve security, there's no SSH server in a Bottlerocket image, and not even a shell. Don't panic! There are a couple out-of-band access methods you can use to explore Bottlerocket like you would a typical Linux system. Either option will give you a shell within Bottlerocket. From there, you can [change settings](#settings), manually [update Bottlerocket](#updates), debug problems, and generally explore. **Note:** These methods require that your instance has permission to access the ECR repository where these containers live; the appropriate policy to add to your instance's IAM role is `AmazonEC2ContainerRegistryReadOnly`. 
### Control container Bottlerocket has a ["control" container](https://github.com/bottlerocket-os/bottlerocket-control-container), enabled by default, that runs outside of the orchestrator in a separate instance of containerd. This container runs the [AWS SSM agent](https://github.com/aws/amazon-ssm-agent) that lets you run commands, or start shell sessions, on Bottlerocket instances in EC2. (You can easily replace this control container with your own just by changing the URI; see [Settings](#settings).) In AWS, you need to give your instance the SSM role for this to work; see the [setup guide](QUICKSTART-EKS.md#enabling-ssm). Outside of AWS, you can use [AWS Systems Manager for hybrid environments](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-managedinstances.html). There's more detail about hybrid environments in the [control container documentation](https://github.com/bottlerocket-os/bottlerocket-control-container/#connecting-to-aws-systems-manager-ssm). Once the instance is started, you can start a session: * Go to AWS SSM's [Session Manager](https://console.aws.amazon.com/systems-manager/session-manager/sessions) * Select "Start session" and choose your Bottlerocket instance * Select "Start session" again to get a shell If you prefer a command-line tool, you can start a session with a recent [AWS CLI](https://aws.amazon.com/cli/) and the [session-manager-plugin](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html). Then you'd be able to start a session using only your instance ID, like this: ```shell aws ssm start-session --target INSTANCE_ID --region REGION_CODE ``` With the [default control container](https://github.com/bottlerocket-os/bottlerocket-control-container), you can make [API calls](#api) to configure and manage your Bottlerocket host. To do even more, read the next section about the [admin container](#admin-container). 
You can access the admin container from the control container like this: ```shell enter-admin-container ``` ### Admin container Bottlerocket has an [administrative container](https://github.com/bottlerocket-os/bottlerocket-admin-container), disabled by default, that runs outside of the orchestrator in a separate instance of containerd. This container has an SSH server that lets you log in as `ec2-user` using your EC2-registered SSH key. Outside of AWS, you can [pass in your own SSH keys](https://github.com/bottlerocket-os/bottlerocket-admin-container#authenticating-with-the-admin-container). (You can easily replace this admin container with your own just by changing the URI; see [Settings](#settings).) To enable the container, you can change the setting in user data when starting Bottlerocket, for example EC2 instance user data: ```toml [settings.host-containers.admin] enabled = true ``` If Bottlerocket is already running, you can enable the admin container from the default [control container](#control-container) like this: ```shell enable-admin-container ``` Or you can start an interactive session immediately like this: ```shell enter-admin-container ``` If you're using a custom control container, or want to make the API calls directly, you can enable the admin container like this instead: ```shell apiclient set host-containers.admin.enabled=true ``` Once you've enabled the admin container, you can either access it through SSH or execute commands from the control container like this: ```shell apiclient exec admin bash ``` Once you're in the admin container, you can run `sheltie` to get a full root shell in the Bottlerocket host. Be careful; while you can inspect and change even more as root, Bottlerocket's filesystem and dm-verity setup will prevent most changes from persisting over a restart - see [Security](#security).
## Updates Rather than a package manager that updates individual pieces of software, Bottlerocket downloads a full filesystem image and reboots into it. It can automatically roll back if boot failures occur, and workload failures can trigger manual rollbacks. The update process uses images secured by [TUF](https://theupdateframework.github.io/). For more details, see the [update system documentation](sources/updater/). ### Update methods There are several ways of updating your Bottlerocket hosts. We provide tools for automatically updating hosts, as well as an API for direct control of updates. #### Automated updates For EKS variants of Bottlerocket, we recommend using the [Bottlerocket update operator](https://github.com/bottlerocket-os/bottlerocket-update-operator) for automated updates. For the ECS variant of Bottlerocket, we recommend using the [Bottlerocket ECS updater](https://github.com/bottlerocket-os/bottlerocket-ecs-updater/) for automated updates. #### Update API The [Bottlerocket API](#api) includes methods for checking and starting system updates. You can read more about the update APIs in our [update system documentation](sources/updater/README.md#update-api). apiclient knows how to handle those update APIs for you, and you can run it from the [control](#control-container) or [admin](#admin-container) containers. To see what updates are available: ```shell apiclient update check ``` If an update is available, it will show up in the `chosen_update` field. The `available_updates` field will show the full list of available versions, including older versions, because Bottlerocket supports safely rolling back. To apply the latest update: ```shell apiclient update apply ``` The next time you reboot, you'll start up in the new version, and system configuration will be automatically [migrated](sources/api/migration/). 
To reboot right away: ```shell apiclient reboot ``` If you're confident about updating, the `apiclient update apply` command has `--check` and `--reboot` flags to combine the above actions, so you can accomplish all of the above steps like this: ```shell apiclient update apply --check --reboot ``` See the [apiclient documentation](sources/api/apiclient/) for more details. ### Update rollback The system will automatically roll back if it's unable to boot. If the update is not functional for a given container workload, you can do a manual rollback: ```shell signpost rollback-to-inactive reboot ``` This doesn't require any external communication, so it's quicker than `apiclient`, and it's made to be as reliable as possible. ## Settings Here we'll describe the settings you can configure on your Bottlerocket instance, and how to do it. (API endpoints are defined in our [OpenAPI spec](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/sources/api/openapi.yaml) if you want more detail.) ### Interacting with settings #### Using the API client You can see the current settings with an API request: ```shell apiclient get settings ``` This will return all of the current settings in JSON format. For example, here's an abbreviated response: ```json {"motd": "...", "kubernetes": {}} ``` You can change settings like this: ```shell apiclient set motd="hi there" kubernetes.node-labels.environment=test ``` You can also use a JSON input mode to help change many related settings at once, and a "raw" mode if you want more control over how the settings are committed and applied to the system. See the [apiclient README](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/sources/api/apiclient/) for details. #### Using user data If you know what settings you want to change when you start your Bottlerocket instance, you can send them in the user data. In user data, we structure the settings in TOML form to make things a bit simpler.
Here's the user data to change the message of the day setting, as we did in the last section: ```toml [settings] motd = "my own value!" ``` If your user data is over the size limit of the platform (e.g. 16KiB for EC2) you can compress the contents with gzip. (With [aws-cli](https://aws.amazon.com/cli/), you can use `--user-data fileb:///path/to/gz-file` to pass binary data.) ### Description of settings Here we'll describe each setting you can change. **Note:** You can see the default values (for any settings that are not generated at runtime) by looking in the `defaults.d` directory for a variant, for example [aws-ecs-2](sources/models/src/aws-ecs-2/defaults.d/). When you're sending settings to the API, or receiving settings from the API, they're in a structured JSON format. This allows modification of any number of keys at once. It also lets us ensure that they fit the definition of the Bottlerocket data model - requests with invalid settings won't even parse correctly, helping ensure safety. Here, however, we'll use the shortcut "dotted key" syntax for referring to keys. This is used in some API endpoints with less-structured requests or responses. It's also more compact for our needs here. In this format, "settings.kubernetes.cluster-name" refers to the same key as in the JSON `{"settings": {"kubernetes": {"cluster-name": "value"}}}`. **NOTE:** [bottlerocket.dev](https://bottlerocket.dev/en/os/latest/#/api/settings/) now contains a complete, versioned setting reference. This document retains the headings below for existing link and bookmark compatibility. Please update your bookmarks and check out [bottlerocket.dev](https://bottlerocket.dev/) for future updates to the setting reference. #### Top-level settings See the [`settings.motd` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/motd/). #### Kubernetes settings See the [`settings.kubernetes.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/kubernetes/).
#### Amazon ECS settings See the [`settings.ecs.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/ecs/). #### CloudFormation signal helper settings See the [`settings.cloudformation.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/cloudformation/). #### Auto Scaling group settings See the [`settings.autoscaling.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/autoscaling/). #### OCI Hooks settings See the [`settings.oci-hooks.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/oci-hooks/). #### OCI Defaults settings See the [`settings.oci-defaults.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/oci-defaults/). ##### OCI Defaults: Capabilities See the ["Capabilities Settings" section in the `settings.oci-defaults.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/oci-defaults/). ##### OCI Defaults: Resource Limits See the ["Resource Limits Settings" section in the `settings.oci-defaults.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/oci-defaults/). #### Container image registry settings See the [`settings.container-registry.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/container-registry/). #### Container runtime settings See the [`settings.container-runtime.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/container-runtime/). #### Updates settings See the [`settings.updates.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/updates/). #### Network settings See the [`settings.network.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/network/). ##### Proxy settings See the ["Proxy Settings" section in the `settings.network.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/network/). #### Metrics settings See the [`settings.metrics.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/metrics/).
#### Time settings See the [`settings.ntp.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/ntp/). #### Kernel settings See the [`settings.kernel.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/kernel/). #### Boot-related settings See the [`settings.boot.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/boot/). #### Custom CA certificates settings See the [`settings.pki.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/pki/). #### Host containers settings See the [`settings.host-containers.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/host-containers/). ##### Custom host containers See the [Host Containers documentation](https://bottlerocket.dev/en/os/latest/#/concepts/host-containers/). #### Bootstrap commands settings See the [`settings.bootstrap-commands.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/bootstrap-commands/) as well as the [Bootstrap Commands documentation](https://bottlerocket.dev/en/os/latest/#/concepts/bootstrap-commands/). #### Bootstrap containers settings See the [`settings.bootstrap-containers.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/bootstrap-containers/) as well as the [Bootstrap Containers documentation](https://bottlerocket.dev/en/os/latest/#/concepts/bootstrap-containers/). ##### Mount propagations in bootstrap and superpowered containers Both bootstrap and superpowered host containers are configured with the `/.bottlerocket/rootfs/mnt` bind mount that points to `/mnt` in the host, which itself is a bind mount of `/local/mnt`. This bind mount is set up with shared propagation, so any new mount point created underneath `/.bottlerocket/rootfs/mnt` in any bootstrap or superpowered host container will propagate across mount namespaces. You can use this feature to configure ephemeral disks attached to your hosts that you may want to use on your workloads.
#### Platform-specific settings Platform-specific settings are automatically set at boot time by [early-boot-config](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/sources/early-boot-config/early-boot-config) based on metadata available on the running platform. They can be overridden for testing purposes in [the same way as other settings](#interacting-with-settings). ##### AWS-specific settings See the [`settings.aws.*` reference](https://bottlerocket.dev/en/os/latest/#/api/settings/aws/). ### Logs You can use `logdog` through the [admin container](#admin-container) to obtain an archive of log files from your Bottlerocket host. For a list of what is collected, see the logdog [command list](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/sources/logdog/src/log_request.rs). #### Generating logs SSH to the Bottlerocket host or `apiclient exec admin bash` to access the admin container, then run: ```shell sudo sheltie logdog ``` This will write an archive of the logs to `/var/log/support/bottlerocket-logs.tar.gz`. This archive is accessible from host containers at `/.bottlerocket/support`. #### Fetching logs There are multiple methods to retrieve the generated log archive. - **Via SSH if already enabled** Once you have exited from the Bottlerocket host, run a command like: ```shell ssh -i YOUR_KEY_FILE \ ec2-user@YOUR_HOST \ "cat /.bottlerocket/support/bottlerocket-logs.tar.gz" > bottlerocket-logs.tar.gz ``` - **With `kubectl get` if running Kubernetes** ```shell kubectl get --raw \ "/api/v1/nodes/NODE_NAME/proxy/logs/support/bottlerocket-logs.tar.gz" > bottlerocket-logs.tar.gz ``` - **Using [SSH over SSM](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html) if your instance isn't accessible through SSH or Kubernetes** ### Kdump Support Bottlerocket provides support to collect kernel crash dumps whenever the system kernel panics. 
Once this happens, both the dmesg log and vmcore dump are stored at `/var/log/kdump`, and the system reboots. There are a few important caveats about the provided kdump support: * Currently, only vmware variants have kdump support enabled * The system kernel will reserve 256MB for the crash kernel, only when the host has at least 2GB of memory; the reserved space won't be available for processes running in the host * The crash kernel will only be loaded when the `crashkernel` parameter is present in the kernel's cmdline and if there is memory reserved for it ### NVIDIA GPUs Support Bottlerocket's `nvidia` variants include the required packages and configurations to leverage NVIDIA GPUs. Currently, the following NVIDIA driver versions are supported in Bottlerocket: * 470.X * 515.X The official AMIs for these variants can be used with EC2 GPU-equipped instance types such as: `p2`, `p3`, `p4`, `g3`, `g4dn`, `g5` and `g5g`. Note that older instance types, such as `p2`, are not supported by NVIDIA driver `515.X` and above. You need to make sure you select the appropriate AMI depending on the instance type you are planning to use. Please see [QUICKSTART-EKS](QUICKSTART-EKS.md#aws-k8s--nvidia-variants) for further details about Kubernetes variants, and [QUICKSTART-ECS](QUICKSTART-ECS.md#aws-ecs--nvidia-variants) for ECS variants. ### Neuron Accelerated Instance Support Bottlerocket variants, from `v1.30.0+`, include the required packages and configurations to leverage [AWS Neuron Accelerated Instances](https://aws.amazon.com/ai/machine-learning/neuron/). The AMIs can be used with EC2 Neuron-equipped instance types such as: `inf1`, `inf2`, `trn1`, and `trn2`. Please see [QUICKSTART-EKS](QUICKSTART-EKS.md#Neuron-Support) for further details about Kubernetes variants, and [QUICKSTART-ECS](QUICKSTART-ECS.md#Neuron-Support) for ECS variants. 
## Details ### Security :shield: :crab: To learn more about security features in Bottlerocket, please see [SECURITY FEATURES](SECURITY_FEATURES.md). It describes how we use features like [dm-verity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity) and [SELinux](https://selinuxproject.org/) to protect the system from security threats. To learn more about security recommendations for Bottlerocket, please see [SECURITY GUIDANCE](SECURITY_GUIDANCE.md). It documents additional steps you can take to secure the OS, and includes resources such as a [Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) for your reference. In addition, almost all first-party components are written in [Rust](https://www.rust-lang.org/). Rust eliminates some classes of memory safety issues, and encourages design patterns that help security. ### Packaging Bottlerocket is built from source using a container toolchain. We use RPM package definitions to build and install individual packages into an image. RPM itself is not in the image - it's just a common and convenient package definition format. 
We currently package the following major third-party components: * Linux kernel ([background](https://en.wikipedia.org/wiki/Linux), [5.10 packaging](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/kernel-5.10/), [5.15 packaging](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/kernel-5.15/)) * glibc ([background](https://www.gnu.org/software/libc/), [packaging](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/glibc/)) * Buildroot as build toolchain ([background](https://buildroot.org/), via the [SDK](https://github.com/bottlerocket-os/bottlerocket-sdk)) * GRUB, with patches for partition flip updates ([background](https://www.gnu.org/software/grub/), [packaging](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/grub/)) * systemd as init ([background](https://en.wikipedia.org/wiki/Systemd), [packaging](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/systemd/)) * wicked for networking ([background](https://github.com/openSUSE/wicked), [packaging](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/wicked/)) * containerd ([background](https://containerd.io/), [packaging](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/containerd/)) * Kubernetes ([background](https://kubernetes.io/), [packaging](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/kubernetes-1.30/)) * aws-iam-authenticator ([background](https://github.com/kubernetes-sigs/aws-iam-authenticator), [packaging](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/aws-iam-authenticator/)) * Amazon ECS agent ([background](https://github.com/aws/amazon-ecs-agent), [packaging](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/ecs-agent/)) For further documentation or to see the rest of the packages, see the [packaging 
directory](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages/). ### Updates The Bottlerocket image has two identical sets of partitions, A and B. When updating Bottlerocket, the partition table is updated to point from set A to set B, or vice versa. Bottlerocket also tracks successful boots, and if there are failures it automatically reverts to the prior working partition set. The update process uses images secured by [TUF](https://theupdateframework.github.io/). For more details, see the [update system documentation](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/sources/updater). ### API There are two main ways you'd interact with a production Bottlerocket instance. (There are a couple more [exploration](#exploration) methods above for test instances.) The first method is through a container orchestrator, for when you want to run or manage containers. This uses the standard channel for your orchestrator, for example a tool like `kubectl` for Kubernetes. The second method is through the Bottlerocket API, for example when you want to configure the system. There's an HTTP API server that listens on a local Unix-domain socket. Remote access to the API requires an authenticated transport such as SSM's RunCommand or Session Manager, as described above. For more details, see the [apiserver documentation](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/sources/api/apiserver/). The [apiclient](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/sources/api/apiclient/) can be used to make requests. They're just HTTP requests, but the API client simplifies making requests with the Unix-domain socket. To make configuration easier, we have [early-boot-config](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/sources/early-boot-config/early-boot-config), which can send an API request for you based on instance user data.
If you start a virtual machine, like an EC2 instance, it will read TOML-formatted Bottlerocket configuration from user data and send it to the API server. This way, you can configure your Bottlerocket instance without having to make API calls after launch. See [Settings](#settings) above for examples and to understand what you can configure. You can also access host containers through the API using [apiclient exec](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/sources/api/apiclient#exec-mode). The server and client are the user-facing components of the API system, but there are a number of other components that work together to make sure your settings are applied, and that they survive upgrades of Bottlerocket. For more details, see the [API system documentation](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/sources/api). ### Default Volumes Bottlerocket operates with two default storage volumes. * The root device holds the active and passive [partition sets](#updates-1). It also contains the bootloader, the dm-verity hash tree for verifying the [immutable root filesystem](SECURITY_FEATURES.md#immutable-rootfs-backed-by-dm-verity), and the data store for the Bottlerocket API. * The data device is used as persistent storage for container images, container orchestration, [host-containers](#Custom-host-containers), and [bootstrap containers](#Bootstrap-containers-settings). The operating system does not typically make changes to this volume during regular updates, though changes to upstream software such as containerd or kubelet could result in changes to their stored data. This device (mounted to `/local` on the host) can be used for application storage for orchestrated workloads; however, we recommend using an additional volume if possible for such cases. See [this section of the Security Guidance documentation](./SECURITY_GUIDANCE.md#limit-access-to-system-mounts) for more information.
On boot, Bottlerocket will increase the data partition size to use all of the data device. If you increase the size of the device, you can reboot Bottlerocket to extend the data partition. If you need to extend the data partition without rebooting, have a look at this [discussion](https://github.com/bottlerocket-os/bottlerocket/discussions/2011). ================================================ FILE: ROADMAP.md ================================================ # Roadmap The Bottlerocket roadmap is public and hosted as a GitHub Project at the following URL: https://github.com/orgs/bottlerocket-os/projects/18 GitHub Projects allows for multiple views that represent different ways of looking at the same data. In the case of Bottlerocket, there are four views (represented as tabs): * [All Items](https://github.com/orgs/bottlerocket-os/projects/18/views/1): a list of all the issues being actively worked on. * [Upcoming Releases](https://github.com/orgs/bottlerocket-os/projects/18/views/2): the issues sorted into columns that represent an upcoming release. * [Feature Highlights](https://github.com/orgs/bottlerocket-os/projects/18/views/4): selected issues sorted into columns that represent particular features. * [Themes](https://github.com/orgs/bottlerocket-os/projects/18/views/5): selected issues sorted into columns as they align to overarching thematic changes. ## What does the roadmap represent? The roadmap is best understood as a point-in-time snapshot of what is being worked on and the intentions for upcoming releases. Each item on the roadmap links back to a GitHub issue; issues represent a problem (i.e. a bug) or a change from the current functional state (i.e. an enhancement). Both bugs and enhancements can take a non-linear path to resolution. The work to resolve these can take more or less effort than anticipated as paths are explored and complexity is thoughtfully considered.
Releases in Bottlerocket follow a loose release train model with each being spaced out about six weeks apart. So, roadmap items are continuously reconsidered and roadmap adjustments may be required. ## How do I follow a specific change to the roadmap? For individual items, the best way to find out more information is to subscribe to notifications on GitHub for the specific issues linked in the roadmap. This will give you insight into both the development and any large changes to how the issue gets packaged into a release. Additionally, you can ask questions, provide feedback, and, hopefully, contribute. ## Can I see a log of all the changes to the roadmap? This was supported in [GitHub Projects classic](https://docs.github.com/en/issues/organizing-your-work-with-project-boards/tracking-work-with-project-boards/tracking-progress-on-your-project-board); however, Bottlerocket uses the newer version of this GitHub feature, which lacks this particular log-like view. In the future, it would be great to see this feature return to GitHub Projects or similar functionality through the [Bottlerocket website](https://github.com/bottlerocket-os/project-website) initiative.
================================================ FILE: Release.toml ================================================ version = "1.57.0" [migrations] "(0.3.1, 0.3.2)" = ["migrate_v0.3.2_admin-container-v0-5-0.lz4"] "(0.3.2, 0.3.3)" = [] "(0.3.3, 0.3.4)" = [] "(0.3.4, 0.4.0)" = [] "(0.4.0, 0.4.1)" = ["migrate_v0.4.1_add-version-lock-ignore-waves.lz4", "migrate_v0.4.1_pivot-repo-2020-07-07.lz4"] "(0.4.1, 0.5.0)" = ["migrate_v0.5.0_add-cluster-domain.lz4", "migrate_v0.5.0_admin-container-v0-5-2.lz4", "migrate_v0.5.0_control-container-v0-4-1.lz4"] "(0.5.0, 1.0.0)" = ["migrate_v1.0.0_ecr-helper-admin.lz4", "migrate_v1.0.0_ecr-helper-control.lz4"] "(1.0.0, 1.0.1)" = [] "(1.0.1, 1.0.2)" = ["migrate_v1.0.2_add-enable-spot-instance-draining.lz4"] "(1.0.2, 1.0.3)" = ["migrate_v1.0.3_add-sysctl.lz4"] "(1.0.3, 1.0.4)" = [] "(1.0.4, 1.0.5)" = [ "migrate_v1.0.5_add-lockdown.lz4", "migrate_v1.0.5_sysctl-subcommand.lz4", "migrate_v1.0.5_add-user-data.lz4", "migrate_v1.0.5_add-network-settings.lz4", "migrate_v1.0.5_add-proxy-restart.lz4", "migrate_v1.0.5_add-proxy-services.lz4", ] "(1.0.5, 1.0.6)" = [ "migrate_v1.0.6_metricdog-init.lz4", "migrate_v1.0.6_add-static-pods.lz4", "migrate_v1.0.6_kubelet-standalone-tls-settings.lz4", "migrate_v1.0.6_kubelet-standalone-tls-services.lz4", "migrate_v1.0.6_control-container-v0-4-2.lz4", "migrate_v1.0.6_add-shibaken.lz4", "migrate_v1.0.6_admin-container-v0-6-0.lz4", ] "(1.0.6, 1.0.7)" = [] "(1.0.7, 1.0.8)" = [ "migrate_v1.0.8_kubelet-eviction-hard.lz4", "migrate_v1.0.8_kubelet-unsafe-sysctl-kube-reserved.lz4", "migrate_v1.0.8_proxy-affect-host-containers.lz4", "migrate_v1.0.8_control-container-v0-5-0.lz4", "migrate_v1.0.8_admin-container-v0-7-0.lz4", "migrate_v1.0.8_add-bootstrap-containers.lz4" ] "(1.0.8, 1.1.0)" = [ "migrate_v1.1.0_kubelet-server-tls-bootstrap.lz4", "migrate_v1.1.0_kubelet-cloud-provider.lz4", "migrate_v1.1.0_kubelet-registry-qps-registry-burst.lz4", "migrate_v1.1.0_shared-containerd-configs.lz4", 
"migrate_v1.1.0_kubelet-event-qps-event-burst.lz4", "migrate_v1.1.0_schnauzer-paws.lz4", "migrate_v1.1.0_kubelet-kube-api-qps-kube-api-burst.lz4", ] "(1.1.0, 1.1.1)" = [] "(1.1.1, 1.1.2)" = [ "migrate_v1.1.2_kubelet-container-log.lz4", "migrate_v1.1.2_kubelet-system-reserved.lz4", "migrate_v1.1.2_admin-container-v0-7-1.lz4", "migrate_v1.1.2_control-container-v0-5-1.lz4", ] "(1.1.2, 1.1.3)" = [ "migrate_v1.1.3_kubelet-cpu-manager-state.lz4", "migrate_v1.1.3_kubelet-cpu-manager.lz4", ] "(1.1.3, 1.1.4)" = [] "(1.1.4, 1.2.0)" = [ "migrate_v1.2.0_hostname-setting.lz4", "migrate_v1.2.0_hostname-setting-metadata.lz4", "migrate_v1.2.0_add-custom-certificates.lz4", "migrate_v1.2.0_kubelet-topology-manager.lz4", "migrate_v1.2.0_container-registry-mirrors.lz4", "migrate_v1.2.0_container-registry-config-restarts.lz4", "migrate_v1.2.0_admin-container-v0-7-2.lz4", ] "(1.2.0, 1.2.1)" = [] "(1.2.1, 1.3.0)" = [ "migrate_v1.3.0_etc-hosts-service.lz4", "migrate_v1.3.0_hostname-affects-etc-hosts.lz4", "migrate_v1.3.0_control-container-v0-5-2.lz4", ] "(1.3.0, 1.4.0)" = [ "migrate_v1.4.0_registry-mirror-representation.lz4", ] "(1.4.0, 1.4.1)" = [] "(1.4.1, 1.4.2)" = [ "migrate_v1.4.2_admin-container-v0-7-3.lz4", "migrate_v1.4.2_control-container-v0-5-3.lz4", ] "(1.4.2, 1.5.0)" = [ "migrate_v1.5.0_oci-hooks-setting.lz4", "migrate_v1.5.0_oci-hooks-setting-metadata.lz4", ] "(1.5.0, 1.5.1)" = [ "migrate_v1.5.1_control-container-v0-5-4.lz4", ] "(1.5.1, 1.5.2)" = [] "(1.5.2, 1.5.3)" = [ "migrate_v1.5.3_vmware-host-containers.lz4", ] "(1.5.3, 1.6.0)" = [ "migrate_v1.6.0_node-taints-representation.lz4", "migrate_v1.6.0_aws-admin-container-v0-7-4.lz4", "migrate_v1.6.0_aws-control-container-v0-5-5.lz4", "migrate_v1.6.0_public-admin-container-v0-7-4.lz4", "migrate_v1.6.0_public-control-container-v0-5-5.lz4", ] "(1.6.0, 1.6.1)" = [] "(1.6.1, 1.6.2)" = [ "migrate_v1.6.2_add-cfsignal.lz4", "migrate_v1.6.2_container-registry-credentials.lz4", 
"migrate_v1.6.2_container-registry-credentials-metadata.lz4", ] "(1.6.2, 1.7.0)" = [ "migrate_v1.7.0_aws-admin-container-v0-8-0.lz4", "migrate_v1.7.0_aws-control-container-v0-6-0.lz4", "migrate_v1.7.0_public-admin-container-v0-8-0.lz4", "migrate_v1.7.0_public-control-container-v0-6-0.lz4", ] "(1.7.0, 1.7.1)" = [] "(1.7.1, 1.7.2)" = [] "(1.7.2, 1.8.0)" = [ "migrate_v1.8.0_boot-setting.lz4", "migrate_v1.8.0_boot-setting-metadata.lz4", "migrate_v1.8.0_kubelet-pod-pids-limit.lz4", "migrate_v1.8.0_add-pull-behavior.lz4", "migrate_v1.8.0_add-autoscaling.lz4", "migrate_v1.8.0_etc-hosts.lz4", "migrate_v1.8.0_etc-hosts-metadata.lz4", "migrate_v1.8.0_cluster-dns-ip-list.lz4", "migrate_v1.8.0_pki-affected-services.lz4", "migrate_v1.8.0_kubelet-provider-id.lz4", "migrate_v1.8.0_aws-admin-container-v0-9-0.lz4", "migrate_v1.8.0_aws-control-container-v0-6-1.lz4", "migrate_v1.8.0_public-admin-container-v0-9-0.lz4", "migrate_v1.8.0_public-control-container-v0-6-1.lz4", ] "(1.8.0, 1.9.0)" = [ "migrate_v1.9.0_ntp-affected-services.lz4", "migrate_v1.9.0_shibaken-admin-userdata-semantics.lz4", "migrate_v1.9.0_shibaken-send-metrics.lz4", "migrate_v1.9.0_image-gc-thresholds.lz4", "migrate_v1.9.0_kernel-modules-setting.lz4", "migrate_v1.9.0_kernel-modules-setting-metadata.lz4", "migrate_v1.9.0_kubelet-no-daemon-reload.lz4", "migrate_v1.9.0_updates-targets-base-url.lz4", ] "(1.9.0, 1.9.1)" = [] "(1.9.1, 1.9.2)" = [] "(1.9.2, 1.10.0)" = [ "migrate_v1.10.0_dns-settings.lz4", "migrate_v1.10.0_dns-settings-metadata.lz4", "migrate_v1.10.0_reboot-to-reconcile-setting.lz4", "migrate_v1.10.0_kubelet-log-level.lz4", "migrate_v1.10.0_aws-admin-container-v0-9-2.lz4", "migrate_v1.10.0_public-admin-container-v0-9-2.lz4", "migrate_v1.10.0_aws-control-container-v0-6-3.lz4", "migrate_v1.10.0_public-control-container-v0-6-3.lz4" ] "(1.10.0, 1.10.1)" = [ "migrate_v1.10.1_container-runtime.lz4", "migrate_v1.10.1_container-runtime-metadata.lz4" ] "(1.10.1, 1.11.0)" = [ 
"migrate_v1.11.0_aws-config-settings.lz4", "migrate_v1.11.0_aws-creds.lz4", "migrate_v1.11.0_aws-creds-metadata.lz4", "migrate_v1.11.0_credential-providers.lz4", "migrate_v1.11.0_kubelet-tls-config.lz4", "migrate_v1.11.0_kubelet-tls-files.lz4", "migrate_v1.11.0_kubelet-new-config-files.lz4", "migrate_v1.11.0_ecs-additional-configurations.lz4", "migrate_v1.11.0_aws-admin-container-v0-9-3.lz4", "migrate_v1.11.0_public-admin-container-v0-9-3.lz4", "migrate_v1.11.0_aws-control-container-v0-6-4.lz4", "migrate_v1.11.0_public-control-container-v0-6-4.lz4", ] "(1.11.0, 1.11.1)" = [] "(1.11.1, 1.12.0)" = [ "migrate_v1.12.0_k8s-private-pki-path.lz4", "migrate_v1.12.0_add-k8s-autoscaling-warm-pool-setting.lz4", "migrate_v1.12.0_add-k8s-autoscaling-warm-pool-setting-metadata.lz4", "migrate_v1.12.0_oci-defaults-setting.lz4", "migrate_v1.12.0_oci-defaults-setting-metadata.lz4", "migrate_v1.12.0_aws-admin-container-v0-9-4.lz4", "migrate_v1.12.0_public-admin-container-v0-9-4.lz4", "migrate_v1.12.0_aws-control-container-v0-7-0.lz4", "migrate_v1.12.0_public-control-container-v0-7-0.lz4", ] "(1.12.0, 1.13.0)" = [ "migrate_v1.13.0_k8s-registry.lz4", "migrate_v1.13.0_aws-admin-container-v0-10-0.lz4", "migrate_v1.13.0_public-admin-container-v0-10-0.lz4", "migrate_v1.13.0_aws-control-container-v0-7-1.lz4", "migrate_v1.13.0_public-control-container-v0-7-1.lz4", ] "(1.13.0, 1.13.1)" = [ "migrate_v1.13.1_aws-profile-cred-provider.lz4", ] "(1.13.1, 1.13.2)" = [] "(1.13.2, 1.13.3)" = [ "migrate_v1.13.3_aws-k8s-provider-id-gen.lz4", ] "(1.13.3, 1.13.4)" = [ "migrate_v1.13.4_add-hostname-override.lz4", "migrate_v1.13.4_add-hostname-override-metadata.lz4", ] "(1.13.4, 1.13.5)" = [] "(1.13.5, 1.14.0)" = [ "migrate_v1.14.0_kubernetes-gc-percent-type-change.lz4", "migrate_v1.14.0_kubelet-config-settings.lz4", "migrate_v1.14.0_kubelet-prefix-config-settings.lz4", "migrate_v1.14.0_k8s-services-mode.lz4", "migrate_v1.14.0_aws-admin-container-v0-10-1.lz4", 
"migrate_v1.14.0_public-admin-container-v0-10-1.lz4", "migrate_v1.14.0_aws-control-container-v0-7-2.lz4", "migrate_v1.14.0_public-control-container-v0-7-2.lz4", ] "(1.14.0, 1.14.1)" = [] "(1.14.1, 1.14.2)" = [ "migrate_v1.14.2_ecs-images-cleanup.lz4", ] "(1.14.2, 1.14.3)" = [ "migrate_v1.14.3_aws-admin-container-v0-10-2.lz4", "migrate_v1.14.3_public-admin-container-v0-10-2.lz4", "migrate_v1.14.3_aws-control-container-v0-7-3.lz4", "migrate_v1.14.3_public-control-container-v0-7-3.lz4", ] "(1.14.3, 1.15.0)" = [ "migrate_v1.15.0_oci-defaults-resource-setting.lz4", "migrate_v1.15.0_oci-defaults-max-open-files.lz4", "migrate_v1.15.0_seccomp-default-setting.lz4", "migrate_v1.15.0_oci-defaults-docker-setting.lz4", "migrate_v1.15.0_oci-defaults-docker-setting-metadata.lz4", "migrate_v1.15.0_aws-admin-container-v0-11-0.lz4", "migrate_v1.15.0_public-admin-container-v0-11-0.lz4", "migrate_v1.15.0_aws-control-container-v0-7-4.lz4", "migrate_v1.15.0_public-control-container-v0-7-4.lz4", "migrate_v1.15.0_log4j-hotpatch-enabled-metadata.lz4", "migrate_v1.15.0_deprecate-log4j-hotpatch-enabled.lz4", ] "(1.15.0, 1.15.1)" = [] "(1.15.1, 1.16.0)" = [ "migrate_v1.16.0_kernel-modules-autoload-configs.lz4", "migrate_v1.16.0_kernel-modules-autoload-files.lz4", "migrate_v1.16.0_kernel-modules-autoload-restart.lz4", "migrate_v1.16.0_kernel-modules-autoload-settings.lz4", "migrate_v1.16.0_aws-admin-container-v0-11-1.lz4", "migrate_v1.16.0_public-admin-container-v0-11-1.lz4", "migrate_v1.16.0_aws-control-container-v0-7-5.lz4", "migrate_v1.16.0_public-control-container-v0-7-5.lz4", "migrate_v1.16.0_schnauzer-v2-generators.lz4", ] "(1.16.0, 1.16.1)" = [ "migrate_v1.16.1_updog-network-affected.lz4", ] "(1.16.1, 1.17.0)" = [ "migrate_v1.17.0_aws-admin-container-v0-11-2.lz4", "migrate_v1.17.0_public-admin-container-v0-11-2.lz4", "migrate_v1.17.0_aws-control-container-v0-7-6.lz4", "migrate_v1.17.0_public-control-container-v0-7-6.lz4", ] "(1.17.0, 1.18.0)" = [ 
"migrate_v1.18.0_aws-admin-container-v0-11-3.lz4", "migrate_v1.18.0_public-admin-container-v0-11-3.lz4", "migrate_v1.18.0_aws-control-container-v0-7-7.lz4", "migrate_v1.18.0_public-control-container-v0-7-7.lz4", ] "(1.18.0, 1.19.0)" = [ "migrate_v1.19.0_add-additional-ecs-settings.lz4", ] "(1.19.0, 1.19.1)" = [ "migrate_v1.19.1_aws-admin-container-v0-11-4.lz4", "migrate_v1.19.1_public-admin-container-v0-11-4.lz4", "migrate_v1.19.1_aws-control-container-v0-7-8.lz4", "migrate_v1.19.1_public-control-container-v0-7-8.lz4", ] "(1.19.1, 1.19.2)" = [ "migrate_v1.19.2_certdog-config-file-v0-1-0.lz4", "migrate_v1.19.2_certdog-service-cfg-v0-1-0.lz4", "migrate_v1.19.2_add-ecs-enable-container-metadata.lz4", ] "(1.19.2, 1.19.3)" = [ "migrate_v1.19.3_aws-admin-container-v0-11-6.lz4", "migrate_v1.19.3_public-admin-container-v0-11-6.lz4", "migrate_v1.19.3_aws-control-container-v0-7-10.lz4", "migrate_v1.19.3_public-control-container-v0-7-10.lz4", ] "(1.19.3, 1.19.4)" = [] "(1.19.4, 1.19.5)" = [ "migrate_v1.19.5_aws-admin-container-v0-11-7.lz4", "migrate_v1.19.5_public-admin-container-v0-11-7.lz4", "migrate_v1.19.5_aws-control-container-v0-7-11.lz4", "migrate_v1.19.5_public-control-container-v0-7-11.lz4", ] "(1.19.5, 1.20.0)" = [ "migrate_v1.20.0_prairiedog-config-file-v0-1-0.lz4", "migrate_v1.20.0_prairiedog-services-cfg-v0-1-0.lz4", "migrate_v1.20.0_thar-be-updates-config-file-v0-1-0.lz4", "migrate_v1.20.0_thar-be-updates-affected-services-v0-1-0.lz4", "migrate_v1.20.0_host-containers-config-file-v0-1-0.lz4", "migrate_v1.20.0_host-containers-config-list-v0-1-0.lz4", "migrate_v1.20.0_corndog-config-file-v0-1-0.lz4", "migrate_v1.20.0_corndog-services-cfg-v0-1-0.lz4", "migrate_v1.20.0_bootstrap-containers-config-file-v0-1-0.lz4", "migrate_v1.20.0_bootstrap-containers-services-cfg-v0-1-0.lz4", "migrate_v1.20.0_remove-ecs-settings-applier.lz4", "migrate_v1.20.0_update-ecs-config-path.lz4", "migrate_v1.20.0_update-ecs-config-template-path.lz4", 
"migrate_v1.20.0_add-ntp-default-options-v0-1-0.lz4", "migrate_v1.20.0_static-pods-add-prefix-v0-1-0.lz4", "migrate_v1.20.0_static-pods-services-cfg-v0-1-0.lz4", "migrate_v1.20.0_container-runtime-nvidia.lz4", "migrate_v1.20.0_container-runtime-metadata-nvidia.lz4", "migrate_v1.20.0_aws-admin-container-v0-11-8.lz4", "migrate_v1.20.0_public-admin-container-v0-11-8.lz4", "migrate_v1.20.0_aws-control-container-v0-7-12.lz4", "migrate_v1.20.0_public-control-container-v0-7-12.lz4", ] "(1.20.0, 1.20.1)" = [] "(1.20.1, 1.20.2)" = [] "(1.20.2, 1.20.3)" = [] "(1.20.3, 1.20.4)" = [] "(1.20.4, 1.20.5)" = [ "migrate_v1.20.5_aws-admin-container-v0-11-9.lz4", "migrate_v1.20.5_public-admin-container-v0-11-9.lz4", "migrate_v1.20.5_aws-control-container-v0-7-13.lz4", "migrate_v1.20.5_public-control-container-v0-7-13.lz4", ] "(1.20.5, 1.21.0)" = [ "migrate_v1.21.0_pluto-remove-generators-v0-1-0.lz4", "migrate_v1.21.0_pod-infra-container-image-remove-settings-generator.lz4", "migrate_v1.21.0_pod-infra-container-image-affected-services.lz4", "migrate_v1.21.0_pod-infra-container-image-services.lz4", "migrate_v1.21.0_k8s-reserved-cpus-v0-1-0.lz4", "migrate_v1.21.0_add-hostname-override-source.lz4", ] "(1.21.0, 1.21.1)" = [ "migrate_v1.21.1_aws-admin-container-v0-11-10.lz4", "migrate_v1.21.1_public-admin-container-v0-11-10.lz4", "migrate_v1.21.1_aws-control-container-v0-7-14.lz4", "migrate_v1.21.1_public-control-container-v0-7-14.lz4", ] "(1.21.1, 1.22.0)" = [ "migrate_v1.22.0_aws-admin-container-v0-11-11.lz4", "migrate_v1.22.0_public-admin-container-v0-11-11.lz4", "migrate_v1.22.0_aws-control-container-v0-7-15.lz4", "migrate_v1.22.0_public-control-container-v0-7-15.lz4", "migrate_v1.22.0_bootstrap-commands-settings.lz4", "migrate_v1.22.0_bootstrap-commands-metadata.lz4", ] "(1.22.0, 1.23.0)" = [ "migrate_v1.23.0_kubelet-device-plugins-metadata.lz4", "migrate_v1.23.0_kubelet-device-plugins-settings.lz4", "migrate_v1.23.0_nvidia-container-runtime-metadata.lz4", 
"migrate_v1.23.0_nvidia-container-runtime-settings.lz4", ] "(1.23.0, 1.24.0)" = [] "(1.24.0, 1.24.1)" = [ "migrate_v1.24.1_aws-admin-container-v0-11-12.lz4", "migrate_v1.24.1_public-admin-container-v0-11-12.lz4", "migrate_v1.24.1_aws-control-container-v0-7-16.lz4", "migrate_v1.24.1_public-control-container-v0-7-16.lz4", ] "(1.24.1, 1.25.0)" = [ "migrate_v1.25.0_kubernetes-service-config.lz4", "migrate_v1.25.0_kubelet-device-plugins-time-slicing-settings.lz4", "migrate_v1.25.0_aws-admin-container-v0-11-13.lz4", "migrate_v1.25.0_public-admin-container-v0-11-13.lz4", "migrate_v1.25.0_aws-control-container-v0-7-17.lz4", "migrate_v1.25.0_public-control-container-v0-7-17.lz4", ] "(1.25.0, 1.26.0)" = [] "(1.26.0, 1.26.1)" = [] "(1.26.1, 1.26.2)" = [] "(1.26.2, 1.27.0)" = [ "migrate_v1.27.0_aws-config.lz4", ] "(1.27.0, 1.27.1)" = [] "(1.27.1, 1.28.0)" = [ "migrate_v1.28.0_kernel-sysctl-hugepages.lz4", "migrate_v1.28.0_aws-admin-container-v0-11-14.lz4", "migrate_v1.28.0_public-admin-container-v0-11-14.lz4", "migrate_v1.28.0_aws-control-container-v0-7-18.lz4", "migrate_v1.28.0_public-control-container-v0-7-18.lz4", ] "(1.28.0, 1.29.0)" = [] "(1.29.0, 1.30.0)" = [ "migrate_v1.30.0_kubernetes-device-ownership-metadata.lz4", "migrate_v1.30.0_kubernetes-device-ownership-settings.lz4", "migrate_v1.30.0_aws-admin-container-v0-11-15.lz4", "migrate_v1.30.0_public-admin-container-v0-11-15.lz4", "migrate_v1.30.0_aws-control-container-v0-7-19.lz4", "migrate_v1.30.0_public-control-container-v0-7-19.lz4", ] "(1.30.0, 1.31.0)" = [ "migrate_v1.31.0_aws-admin-container-v0-11-16.lz4", "migrate_v1.31.0_public-admin-container-v0-11-16.lz4", "migrate_v1.31.0_aws-control-container-v0-7-20.lz4", "migrate_v1.31.0_public-control-container-v0-7-20.lz4", ] "(1.31.0, 1.32.0)" = [] "(1.32.0, 1.33.0)" = [ "migrate_v1.33.0_public-control-container-v0-7-19-update.lz4", "migrate_v1.33.0_public-control-container-v0-7-20-update.lz4", "migrate_v1.33.0_aws-remove-schnauzer-admin.lz4", 
"migrate_v1.33.0_aws-remove-schnauzer-control.lz4", "migrate_v1.33.0_public-remove-source-admin.lz4", "migrate_v1.33.0_public-remove-source-control.lz4", "migrate_v1.33.0_remove-metadata-and-weak-settings-migration.lz4", ] "(1.33.0, 1.34.0)" = [ "migrate_v1.34.0_kubelet-device-plugins-mig-settings.lz4", ] "(1.34.0, 1.35.0)" = [] "(1.35.0, 1.36.0)" = [ "migrate_v1.36.0_kubernetes-ecr-credential-providers-expansion.lz4", ] "(1.36.0, 1.37.0)" = [ "migrate_v1.37.0_delete-configs-and-services-on-downgrade.lz4", ] "(1.37.0, 1.38.0)" = [] "(1.38.0, 1.39.0)" = [ "migrate_v1.39.0_kubelet-setting-container-log-single-process-oom-kill.lz4" ] "(1.39.0, 1.39.1)" = [] "(1.39.1, 1.40.0)" = [ "migrate_v1.40.0_kubelet-device-plugins-cdi-settings.lz4" ] "(1.40.0, 1.41.0)" = [ "migrate_v1.41.0_kubernetes-ecr-credential-providers-correction.lz4", ] "(1.41.0, 1.42.0)" = [ "migrate_v1.42.0_kubernetes-memory-swap-behavior-setting.lz4", ] "(1.42.0, 1.43.0)" = [] "(1.43.0, 1.44.0)" = [ "migrate_v1.44.0_container-runtime-plugins-settings.lz4", "migrate_v1.44.0_container-runtime-snapshotter-setting.lz4", ] "(1.44.0, 1.45.0)" = [] "(1.45.0, 1.46.0)" = [ "migrate_v1.46.0_kubernetes-static-pods-enabled-setting.lz4", ] "(1.46.0, 1.47.0)" = [ "migrate_v1.47.0_container-runtime-concurrent-download-chunk-size.lz4", "migrate_v1.47.0_host-bootstrap-containers-command-setting.lz4" ] "(1.47.0, 1.48.0)" = [] "(1.48.0, 1.49.0)" = [] "(1.49.0, 1.50.0)" = [ "migrate_v1.50.0_kubernetes-reserved-pid-settings.lz4", ] "(1.50.0, 1.51.0)" = [ "migrate_v1.51.0_kubernetes-ecr-credential-provider-patterns.lz4", "migrate_v1.51.0_kubernetes-additional-settings.lz4", "migrate_v1.51.0_kubernetes-beta-cpu-manager-policy-options.lz4", ] "(1.51.0, 1.52.0)" = [] "(1.52.0, 1.53.0)" = [] "(1.53.0, 1.54.0)" = [ "migrate_v1.54.0_kubelet-device-plugins-mps-settings.lz4", "migrate_v1.54.0_kubelet-device-plugins-mps-prefix-settings.lz4" ] "(1.54.0, 1.55.0)" = [] "(1.55.0, 1.56.0)" = [ 
"migrate_v1.56.0_image-verifier-plugins-extensible.lz4" ] "(1.56.0, 1.57.0)" = [] ================================================ FILE: SECURITY.md ================================================ ## Reporting a Vulnerability If you discover a potential security issue in this project, we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do **not** create a public GitHub issue. ================================================ FILE: SECURITY_FEATURES.md ================================================ # Security Features ## Goals Bottlerocket has the following high-level security goals. They are listed in priority order. 1. Harden the OS against persistent threats. 2. Mitigate the impact of vulnerabilities in the OS. 3. Protect containers from other containers. We will add and enhance security features over time based on these goals. ## Overview | Feature | Version | | :-------------------------------------------------------------------------------- | :------: | | [Automated security updates](#automated-security-updates) | 0.3.0 | | [Immutable rootfs backed by dm-verity](#immutable-rootfs-backed-by-dm-verity) | 0.3.0 | | [Stateless tmpfs for /etc](#stateless-tmpfs-for-etc) | 0.3.0 | | [No shell or interpreters installed](#no-shell-or-interpreters-installed) | 0.3.0 | | [Executables built with hardening flags](#executables-built-with-hardening-flags) | 0.3.0 | | [SELinux enabled in enforcing mode](#selinux-enabled-in-enforcing-mode) | 0.3.0 | | [Kernel lockdown in integrity mode](#kernel-lockdown-in-integrity-mode) | 1.1.0 | | [Secure Boot enabled](#secure-boot-enabled) | 1.15.0 | The version listed indicates the first release of Bottlerocket that included the feature. Features may evolve or improve over time. 
## Details ### Automated security updates Bottlerocket is designed for reliable security updates that can be applied through automation. This is achieved through the following mechanisms: * Two partition sets and an active/passive flip to swap OS images * Declarative API with modeled settings for runtime configuration * Variants to silo backwards-incompatible or breaking changes Using partition sets and modeled settings removes the dependency on correct local state for reliable updates. There is no package manager database or shared filesystem tree that can become corrupted and make the process non-deterministic. #### Update Policy Our philosophy for variants is that the right time for an unexpected major version update to the kernel or orchestrator agent is "never". New variants can introduce newer LTS kernels or GPU drivers. On release, variants peg to a kernel and GPU driver version and relevant security patches are applied. However, in a situation where security patches are no longer available for the kernel or GPU driver, an existing variant may adopt a new version to address security vulnerabilities. ##### Kubernetes variants Bottlerocket provides updates for each Kubernetes variant for approximately 14 months after the first release of each variant. For `aws-k8s-*` variants, Bottlerocket follows the [Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html) support policy, including extended support beyond the typical 12 months support period. We provide [a Kubernetes operator](https://github.com/bottlerocket-os/bottlerocket-update-operator) for automated updates to Bottlerocket. We recommend deploying it on your Kubernetes clusters. ##### ECS variant Bottlerocket provides updates for each ECS variant for at least one year after the first release of each variant. Because the ECS agent is backwards compatible, there is no need to create new variants on a regular cadence. 
ECS variants will be added as necessary to introduce newer LTS kernels or potentially breaking changes. We provide [an updater](https://github.com/bottlerocket-os/bottlerocket-ecs-updater) for automated updates to Bottlerocket. We recommend deploying it on your ECS clusters. ### Immutable rootfs backed by dm-verity Bottlerocket uses [dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html) for its root filesystem image. This provides transparent integrity checking of the underlying block device using a cryptographic digest. The root filesystem is marked as read-only and cannot be directly modified by userspace processes. This protects against some container escape vulnerabilities such as [CVE-2019-5736](https://www.openwall.com/lists/oss-security/2019/02/11/2). The kernel is configured to restart if corruption is detected. That allows the system to fail closed if the underlying block device is unexpectedly modified and the node is in an unknown state. The uncontrolled reboot will disrupt running containers, which can trigger alarms and prompt administrators to investigate. Although this provides a powerful layer of protection, it is incomplete unless [Secure Boot is enabled](#secure-boot-enabled). Otherwise, an attacker with full access to the block device could alter both the verity metadata and the contents of the root filesystem. ### Stateless tmpfs for /etc Bottlerocket uses [tmpfs](https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt), a memory-backed filesystem, for `/etc`. Direct modification of system configuration files such as `/etc/resolv.conf` or `/etc/containerd/config.toml` is not supported. This makes OS updates more reliable, as it is not necessary to account for local edits that might have changed the behavior of system services. It also makes it harder for an attacker to modify these files in a way that persists across a reboot. 
There are two supported ways to configure the OS in the presence of these restrictions. The first is through the API. Settings are persisted across reboot and migrated through OS upgrades. They are used to render system configuration files from templates on every boot. The second is by using containers. Specifications such as [CNI](https://github.com/containernetworking/cni) and [CSI](https://github.com/container-storage-interface/spec) provide ways to configure networking and storage devices. Containers written to these specifications can be deployed to nodes using orchestrator-specific mechanisms like [DaemonSets](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/). All variants will include a secondary filesystem for local storage. It will be mounted at `/local` with bind mounts for `/var` and `/opt`. Modifications to this area will survive an OS update or a reboot. ### No shell or interpreters installed Bottlerocket does not have a shell installed in non-developer builds. Interpreted languages such as Python are not installed or even available as packages. Shells and interpreters enable administrators to write code that combines other programs on the system in new ways. However, these properties can also be exploited by an attacker to pivot from a vulnerability that grants local code execution. The lack of a shell also serves as a forcing function to ensure that new code for the OS is written in a preferred language such as Rust or Go. These languages offer built-in protection against memory safety issues such as buffer overflows. ### Executables built with hardening flags The GCC cross-compilers in the [Bottlerocket SDK](https://github.com/bottlerocket-os/bottlerocket-sdk) are built with these options: * `--enable-default-pie` for `-fPIE` and `-pie` by default * `--enable-default-ssp` for `-fstack-protector-strong` by default Position-independent executables (PIE) have their address space randomized on every execution. 
This makes addresses harder to predict for an attacker that attempts to exploit a memory corruption vulnerability. The stack protector feature enables stack canaries to detect stack overflow and abort the program if it occurs. The "strong" version enables it for additional functions. All C and C++ programs are compiled with the following options: * `-Wall` to warn about questionable constructs * `-Werror=format-security` to warn about unsafe uses of format functions * `-Wp,-D_FORTIFY_SOURCE=2` for runtime error checks in libc * `-Wp,-D_GLIBCXX_ASSERTIONS` for runtime error checks in libstdc++ * `-fstack-clash-protection` for stack overflow detection Although C and C++ lack the memory safety of Go and Rust, these options add a layer of defense during build and execution. All binaries are linked with the following options: * `-Wl,-z,relro` to mark segments read-only after relocation * `-Wl,-z,now` to resolve all symbols at load time Together these enable [full RELRO support](https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro) which makes [ROP](https://en.wikipedia.org/wiki/Return-oriented_programming) attacks more difficult to execute. **Note:** Certain variants, such as the ones for NVIDIA, include precompiled binaries that may not have been built with these hardening flags. ### SELinux enabled in enforcing mode Bottlerocket enables SELinux by default, sets it to enforcing mode, and loads the policy during boot. There is no way to disable it. SELinux is a Linux Security Module (LSM) that provides a mechanism for mandatory access control (MAC). Processes that run as root with full capabilities are still subject to the mandatory policy restrictions. The policy in Bottlerocket has the following objectives: 1) Prevent most components from directly modifying the API settings. 2) Block most components from modifying the container archives saved on disk. 3) Stop containers from directly modifying the layers for other running containers. 
The policy is currently aimed at hardening the OS against persistent threats. Future enhancements to the policy will focus on mitigating the impact of OS vulnerabilities, and protecting containers from other containers. ### Kernel lockdown in integrity mode Bottlerocket enables Lockdown in "integrity" mode by default on most variants. Lockdown is a Linux Security Module (LSM) that blocks certain actions which could compromise the Linux kernel. As with SELinux, even processes that run as root with full capabilities are subject to these restrictions. Certain variants such as `*-nvidia` need to load unsigned kernel modules at runtime. This is prohibited by the "integrity" mode, but required for the hardware to work as expected. On these variants, Lockdown is set to "none" instead. ### Secure Boot enabled Bottlerocket enables Secure Boot for all new variants on platforms that support UEFI boot. The goal is to prevent unsigned, untrusted code from running at any point until containers are started. This is achieved by establishing the following chain of trust: 1) The trusted platform firmware verifies that shim is signed correctly, then loads it. 2) shim verifies that grub is signed correctly, then loads it. 3) grub verifies that its grub.cfg is signed correctly, then loads it. 4) grub verifies that the Linux kernel is signed correctly, then loads it. 5) The Linux kernel verifies that the [immutable root filesystem](#immutable-rootfs-backed-by-dm-verity) has not been altered. Secure Boot only applies to platforms using UEFI firmware, and it is only enforced when the feature is enabled in the firmware. Therefore, systems using the legacy BIOS boot mode cannot benefit from Secure Boot. This includes Xen-based EC2 instance types, and bare metal machines configured to emulate the legacy BIOS boot mode. 
================================================ FILE: SECURITY_GUIDANCE.md ================================================ # Security Guidance ## Overview Bottlerocket adheres to the [Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/) which defines security and compliance as a shared responsibility between the OS vendor and the customer. We provide these recommendations, along with [details](#details) and [examples](#examples), to help you create a configuration that meets your security and compliance requirements. | Recommendation | Priority | | :-------------------------------------------------------------------------------------------------- | :-------- | | [Enable automatic updates](#enable-automatic-updates) | Critical | | [Avoid containers with elevated privileges](#avoid-containers-with-elevated-privileges) | Critical | | [Restrict access to the host API socket](#restrict-access-to-the-host-api-socket) | Critical | | [Restrict access to the container runtime socket](#restrict-access-to-the-container-runtime-socket) | Critical | | [Design for host replacement](#design-for-host-replacement) | Important | | [Enable kernel lockdown](#enable-kernel-lockdown) | Important | | [Limit use of host containers](#limit-use-of-host-containers) | Important | | [Limit use of privileged SELinux labels](#limit-use-of-privileged-selinux-labels) | Important | | [Limit access to system mounts](#limit-access-to-system-mounts) | Important | | [Limit access to host namespaces](#limit-access-to-host-namespaces) | Important | | [Limit access to block devices](#limit-access-to-block-devices) | Important | | [Enforce requested NVIDIA GPU limits for unprivileged containers](#enforce-requested-nvidia-gpu-limits-for-unprivileged-containers) | Important | | [Limit use of NVIDIA GPU Time-Slicing](#limit-use-of-nvidia-gpu-time-slicing) | Important | | [Do not run containers as UID 0](#do-not-run-containers-as-uid-0) | Moderate | ## Details ### 
Enable automatic updates Bottlerocket includes many [security features](SECURITY_FEATURES.md) to mitigate software vulnerabilities. These countermeasures serve to reduce the reliability of exploits and to raise their cost. However, it is always better to patch vulnerabilities than to rely on mitigations alone. For our Kubernetes variants, we provide [a Kubernetes operator](https://github.com/bottlerocket-os/bottlerocket-update-operator) for automated updates to Bottlerocket. We recommend deploying it on your Kubernetes clusters. For our ECS variant, we provide [an updater](https://github.com/bottlerocket-os/bottlerocket-ecs-updater) for automated updates to Bottlerocket. We recommend deploying it on your ECS clusters. ### Avoid containers with elevated privileges Containers can be made more secure by limiting the capabilities they have, by filtering syscalls they can make, and by changing the SELinux labels they use. Capabilities are a way to split up the traditional powers of the `root` user so that a subset of the permissions can be granted instead. For example, `CAP_NET_BIND_SERVICE` can be granted to allow binding to a low-numbered port. Bottlerocket uses `runc` to execute containers with [a subset of Linux capabilities](https://github.com/opencontainers/runc/blob/master/libcontainer/SPEC.md#security). Syscalls are a way for userspace programs to request services from the kernel. Seccomp filters can be used to allow access to a subset of syscalls. Bottlerocket uses `containerd` as the container runtime which provides [a default seccomp profile](https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go). SELinux labels are part of mandatory access controls, which impose constraints after discretionary access controls are checked. Bottlerocket runs unprivileged containers with the restrictive `container_t` label. 
Orchestrators provide ways to disable these protections: * Docker can run containers with the `--privileged` flag * Kubernetes can run pods with `privileged: true` in the pod definition * Amazon ECS can run tasks with `"privileged": true` in the task definition By default, Kubernetes also runs pods with no seccomp filter applied. Pods can specify a seccomp profile, or you can apply a default profile using a [Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). Note that Pod Security Policy was removed in Kubernetes v1.25; on later versions, pods can request the runtime's default profile by setting `seccompProfile` to type `RuntimeDefault` in their `securityContext`. We recommend that you avoid containers with elevated privileges. The default set of capabilities, the default seccomp filter, and the default SELinux labels should be used where possible. ### Restrict access to the host API socket The Bottlerocket API server listens for requests on a Unix domain socket. The canonical location of this socket is `/run/api.sock`. It is owned by UID 0 (`root`) and GID 274 (`api`). It is labeled `api_socket_t`, so only processes with privileged SELinux labels can use it. Write access to this socket will grant full control over system configuration. This includes the ability to define an arbitrary source for a host container, and to run that container with "superpowers" that bypass other restrictions. These "superpowers" are described [below](#limit-use-of-host-containers). For Kubernetes variants, it also includes the ability to define and run static pods. These are managed directly by `kubelet` and are not subject to admission controllers that enforce security policies for the cluster. We recommend blocking access to the API socket from containers managed by the orchestrator. The "control" host container can be used to modify settings when needed. ### Restrict access to the container runtime socket Different [variants](variants/) of Bottlerocket may have different container runtimes installed. Each container runtime will have its own API and will listen for requests on a Unix domain socket.
The socket will usually be owned by UID 0 (`root`) and GID 0 (`root`). Some potential locations of container runtime sockets are: * `/run/docker.sock` * `/run/dockershim.sock` * `/run/containerd/containerd.sock` * `/run/host-containerd/host-containerd.sock` Write access to any of these sockets will grant full control over container execution. This includes the ability to run containers with elevated privileges and with access to all filesystem locations. One common use case for mounting the container runtime socket is to perform container image builds. Instead of mounting the socket, you can use an image build tool that does not require additional privileges. We recommend blocking access to the container runtime socket from containers managed by the orchestrator. ### Design for host replacement One of the main security objectives of Bottlerocket is to harden the OS against persistent threats. This is closely related to the support for automated, in-place updates. Applying updates to the same host makes sense if you are confident that the underlying software can still be trusted. However, containers share the same kernel with the host. The exposed kernel interface can be minimized through techniques such as seccomp filters, but it cannot be eliminated. If the kernel is ever compromised through a local exploit, then other defenses may break down. We recommend designing for periodic host replacement even with automated updates enabled. ### Enable kernel lockdown The security mechanisms in Bottlerocket ultimately depend on the kernel for enforcement. This includes access controls such as capabilities and SELinux, and integrity checks such as dm-verity. Modifications to the running kernel could bypass or subvert these mechanisms. Bottlerocket enables the Lockdown security module and offers settings to choose from one of three modes. The first mode, "none", effectively disables the protection. 
The second mode, "integrity", blocks most ways to overwrite the kernel's memory and modify its code. Enabling this mode will prevent unsigned kernel modules from being loaded. The third mode, "confidentiality", stops most ways of reading the kernel's memory from userspace. The goal is to protect secrets that may be stored in the kernel, such as keys used to detect modification while the system is offline. Bottlerocket does not make use of the secrets that this mode is meant to protect. Enabling this mode will break BPF, perf, and any other tools that rely on reading kernel memory. We recommend enabling kernel lockdown in "integrity" mode. ### Limit use of host containers Bottlerocket offers host containers to provide out-of-band access to the underlying host OS. Host containers can be configured with an optional `superpowered` flag. This causes the container to run with extra privileges, an unrestricted SELinux label, and additional mounts. The current implementation can be found in [host-ctr](sources/host-ctr/cmd/host-ctr/main.go). Two host containers are defined in the default configuration. The ["control" host container](README.md#control-container) is enabled by default unless otherwise specified. It provides remote connectivity through the AWS SSM [Session Manager](https://console.aws.amazon.com/systems-manager/session-manager/sessions). The ["admin" host container](README.md#admin-container) is disabled by default unless otherwise specified. It can be enabled through the "control" host container, through instance user data, or by accessing the host API socket. We recommend leaving the "admin" host container disabled until it is necessary to use it. The "control" host container can also be disabled if you are confident you will not need it. 
**This could leave you with no way to access the API and change settings on an existing node!** If you define your own host container, avoid using `superpowered = true` unless your use case requires an extremely high level of privilege, such as loading an out-of-tree kernel module. ### Limit use of privileged SELinux labels Bottlerocket enables SELinux in enforcing mode by default. SELinux works by associating labels with subjects (processes) and objects (such as files). Labels are "sticky" by default: processes will receive the label of their parent process, and files will receive the label of the directory where they are created. A process can change its own label or the label of a child process under certain circumstances. These changes are called "transitions". The SELinux policy for Bottlerocket defines special transition rules for container runtimes. A container runtime can transition a child process to any of these labels: * `container_t` (the default for ordinary containers) * `control_t` (the default for privileged containers) * `super_t` (opt-in for "superpowered" containers) The `control_t` and `super_t` labels allow writes to the API socket. The `super_t` label allows modifications to any file or directory on the host OS. Some orchestrators allow SELinux labels to be defined in the container specification, including Kubernetes and Amazon ECS. If `control_t` or `super_t` is specified in this way, it will override the default transition rules and the container will run with additional privileges. We recommend limiting access to any SELinux label other than `container_t`. ### Limit access to system mounts Bottlerocket provides a read-only root filesystem, ephemeral mounts for system directories such as `/etc` and `/run`, and persistent storage under `/local`. The `/etc` directory contains system configuration files generated by the API. These are regenerated when a setting changes, but otherwise not monitored.
If the contents of this directory are mounted into a privileged container, they can be modified in unexpected ways. This is not supported and may interfere with the reliability of automated updates. The `/run` directory contains ephemeral files such as Unix domain sockets used by the API server and the container runtime. If the contents of this directory are mounted into a privileged container, they can be used to bypass security protections. The `/local` directory is where persistent storage is mounted, with `/var` and `/opt` as subdirectories. This is where cached container images, unpacked container layers, and files for host containers are stored. If this directory or its subdirectories are mounted into a privileged container, the integrity of the system can be compromised. We recommend limiting access to all system mounts. ### Limit access to host namespaces Namespaces are one of the key building blocks for Linux containers. Network namespaces provide isolation for network resources such as IP addresses, ports, and routing tables. Containers that share the host network namespace can connect to services listening on the host loopback addresses `127.0.0.1` and `::1`. These services are not otherwise reachable from the network. Sharing the network namespace also enables access to abstract sockets. Containers that share the host network namespace can send messages to processes on the host which expose APIs over abstract sockets. This can bypass intended restrictions for API access. PID namespaces provide isolation for the process ID number space. Containers that share the host PID namespace can interact with processes running on the host. This includes the ability to send signals to those processes, which may interfere with system functionality. Sharing the host PID namespace also enables access to the host filesystem through `/proc/<pid>/root` links for host processes. This can bypass intended restrictions for system mounts.
We recommend limiting access to all host namespaces. ### Limit access to block devices Direct access to block devices can be used to bypass abstractions such as filesystems and caches. This is useful for databases and storage applications that want full control over the data layout on disk. The order in which the kernel enumerates block devices is inconsistent and subject to change. To avoid referring to the wrong device, Linux distributions use links under `/dev/disk` to map predictable identifiers to specific devices. Bottlerocket relies on partition type GUIDs and partition names to discover its devices. Orchestrators offer ways to associate block devices with containers. For example, Kubernetes allows pods to claim a "block mode" volume and mount the device to a desired path. Containers with direct access to a block device can alter the partition table or modify the filesystem metadata. If the same partition type or partition name is used for another device, the `/dev/disk` link may point to the wrong device. This could compromise the integrity of the host. We recommend limiting access to block devices. ### Enforce requested NVIDIA GPU limits for unprivileged containers When launching a container that has requested NVIDIA GPUs, the host software responsible for adding the devices to the container - the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/index.html) - will use one of these sources to determine which devices should be added: * The `NVIDIA_VISIBLE_DEVICES` environment variable * Mounts configured by the [NVIDIA Kubernetes Device Plugin](https://github.com/NVIDIA/k8s-device-plugin) If `NVIDIA_VISIBLE_DEVICES="all"` is set in a container’s environment, it can gain access to all NVIDIA GPUs on the system regardless of the NVIDIA GPU limits requested through Kubernetes directives. 
Because most popular container base images are configured this way, respecting this value by default would grant unprivileged containers access to all NVIDIA GPUs, ignoring the requested limits. To prevent this, Bottlerocket configures the host software so that `NVIDIA_VISIBLE_DEVICES="all"` is only respected for privileged containers. If you need to grant unprivileged containers access to all NVIDIA GPUs using this environment variable - bypassing any requested GPU limits - you can apply these settings: ```toml [settings.kubelet-device-plugins.nvidia] # Configures NVIDIA_VISIBLE_DEVICES with the list of devices device-list-strategy = "envvar" [settings.nvidia-container-runtime] # Allows reading the devices from NVIDIA_VISIBLE_DEVICES visible-devices-as-volume-mounts = false # Allows granting access to all unprivileged # containers with NVIDIA_VISIBLE_DEVICES=all visible-devices-envvar-when-unprivileged = true ``` We recommend leaving these settings at the default values, which will enforce the requested NVIDIA GPU limits for unprivileged containers. ### Limit use of NVIDIA GPU Time-Slicing Bottlerocket supports NVIDIA GPU time-slicing, enabling system administrators to allocate a set of replicas for a GPU, which can be assigned to individual pods for running various workloads. Internally, GPU time-slicing is used to multiplex workloads from multiple replicas of the same underlying GPU, providing each process with an equal share of time across all pods. However, while time-slicing allows sharing of GPUs among multiple workloads, it does not provide memory or fault isolation between replicas. Without memory isolation, all workloads share the same memory space, which can lead to contention, and possible interference between processes. This can affect the predictability and performance of each workload, as one process may consume more resources than anticipated, leaving less available for others. 
Moreover, without fault isolation, if one process fails, it has the potential to affect all other processes running on the GPU. These impacts can happen to processes running in different containers with different privilege levels. We recommend keeping the NVIDIA GPU time-slicing feature in a disabled state and only enabling it when necessary. ### Do not run containers as UID 0 Bottlerocket does not currently support user namespaces. This means that UID 0 (`root`) inside the container is the same as UID 0 on the host. A process in a container that runs as UID 0 will have nearly unlimited access to the host if all of these are true: * it uses a privileged SELinux label * it has access to system mounts * it shares the host namespaces * it has elevated privileges, with all capabilities and no seccomp filter This is essentially the configuration that is used for a host container with "superpowers", where `superpowered = true` is set. We recommend that you do not run containers as UID 0. ## Examples ### Amazon EC2 These settings can be passed as [user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) on EC2 instance launch. They apply to any Bottlerocket variant. ```toml # Enable kernel lockdown in "integrity" mode. # This prevents modifications to the running kernel, even by privileged users. [settings.kernel] lockdown = "integrity" # The admin host container provides SSH access and runs with "superpowers". # It is disabled by default, but can be disabled explicitly. [settings.host-containers.admin] enabled = false # The control host container provides out-of-band access via SSM. # It is enabled by default, and can be disabled if you do not expect to use SSM. # This could leave you with no way to access the API and change settings on an existing node!
[settings.host-containers.control] enabled = false ``` ### Amazon ECS These settings can be passed as [user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html) on EC2 instance launch. They are specific to the `aws-ecs-2` variant. ```toml # By default, this variant does not allow launching privileged containers. # The feature can also be disabled explicitly. [settings.ecs] allow-privileged-containers = false ``` ### Kubernetes The following [Pod Security Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) is based on our recommendations. It can be used as a starting point for your own policy. Note that the `policy/v1beta1` PodSecurityPolicy API was removed in Kubernetes v1.25, so on later versions the same restrictions must be expressed through Pod Security Admission or another admission policy mechanism. ```yaml --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted-psp # Ensure that the default seccomp filter is used. annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' spec: # Do not allow containers to run as privileged. privileged: false # Do not allow containers to gain new privileges. allowPrivilegeEscalation: false # Remove all capabilities from the default set. requiredDropCapabilities: - ALL # Run all containers with the less privileged container_t label. seLinux: rule: 'MustRunAs' seLinuxOptions: user: system_u role: system_r type: container_t level: s0 # Do not allow containers to run as any system user. runAsUser: rule: 'MustRunAs' ranges: - min: 1000 max: 65535 # Do not allow containers to run as any system group. runAsGroup: rule: 'MustRunAs' ranges: - min: 1000 max: 65535 # Do not allow containers to add other system groups. supplementalGroups: rule: 'MustRunAs' ranges: - min: 1000 max: 65535 # Do not allow containers to use other system groups for volumes. fsGroup: rule: 'MustRunAs' ranges: - min: 1000 max: 65535 # Do not allow containers to share host namespaces. hostNetwork: false hostIPC: false hostPID: false # Do not allow containers to use or write to host paths.
allowedHostPaths: - pathPrefix: "/tmp" readOnly: true # Allow minimal set of core volume types. volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'persistentVolumeClaim' ``` ================================================ FILE: SUPPORTED-HARDWARE.md ================================================ # Supported hardware for Bottlerocket on bare metal The Bottlerocket bare metal variant is intended to run Bottlerocket on targets outside of AWS or vmware clusters. The vast diversity of available hardware poses a challenge. The need to be compatible with as much hardware as possible out-of-the-box conflicts with Bottlerocket's core principles of keeping it small and simple. To strike the right balance, the initial offering focuses on compatibility with common x86_64 server hardware. The Bottlerocket kernel for metal is configured to include drivers for a wider spread of 10G+ Ethernet NICs in their base configuration (no model-specific FPGA offloading support and similar) as well as common RAID controllers. Beyond that, the number of drivers included in the Bottlerocket kernels has been reduced substantially comparing to common general purpose Linux distributions. The aim is to keep Bottlerocket images as lean as possible, while trying to maintain a good out-of-the-box coverage. It is possible that Bottlerocket is missing drivers for your specific hardware. Please [submit an issue](https://github.com/bottlerocket-os/bottlerocket/issues/new?assignees=&labels=&template=metal_driver.md) to open a discussion on inclusion of additional drivers. ## Limitations of hardware support to be added Adding drivers that are part of the upstream Linux source tree is an easy fix for certain target platforms. However, there are limitations of what to add to the Bottlerocket metal variant in order to accommodate Bottlerocket's core principles of keeping it small and simple. 
If you want to create a custom variant that for example contains specific drivers, the current work towards out-of-tree builds will help you achieve that. Work for that is currently underway and can be tracked in [issue #2669](https://github.com/bottlerocket-os/bottlerocket/issues/2669). Until out-of-tree builds land the following limitations apply to the available Bottlerocket variants: * There is no plan to add out-of-tree drivers to Bottlerocket images. * There is no plan to add additional CPU architectures. * There is no plan to add drivers for embedded devices in the core images. If you have questions about these limitations or want to debate them, feel free to open an issue or start a discussion. ## Testing The AWS Bottlerocket team does basic functional testing on a limited set of server configurations they have available (See [Hardware configurations confirmed to work](#hardware-configurations-confirmed-to-work)). "Functional testing" means that machines are provisioned and base functionality of storage and network hardware is proven by a properly functioning distribution. With the vast diversity of hardware available community involvement in confirming hardware configurations work is key. We are interested to learn about your success stories running Bottlerocket on other hardware platforms. Feel free to report a working configuration below by opening a PR with the information. ### Hardware configurations confirmed to work Bottlerocket is tested on and known to work with the hardware below. 
| Server model | CPU | BIOS/UEFI | Network Card | Disk | RAID/Storage controller | Entity confirming | | --- | --- | --- | --- | --- | --- | --- | | Supermicro SYS-E200-8D | Intel Xeon D-1528 | BIOS & UEFI | Intel i350 1G & 10G | SATA SSD, NVME | N/A | AWS Bottlerocket team | | Dell R240 | Intel Xeon E2236 | BIOS & UEFI | Broadcom BCM5720 1G | SATA SSD (RAID0) | PERC H730P | AWS Bottlerocket team | | Dell R620 | Intel Xeon E5-2660 | BIOS | Intel i350 1G | SATA HDD | PERC H710P | AWS Bottlerocket team | | HP DL20 | Intel Xeon E2234 | BIOS | HPE 361i 1G | SATA SSD | HPE Smart Array S100i | AWS Bottlerocket team | ================================================ FILE: TESTING.md ================================================ # Testing Bottlerocket 🚧 👷 This section is under active development. We are working on tooling for running Bottlerocket integration tests. While the work is underway, there will be frequent changes to this document. ## Unit Tests It is easy to execute unit tests, you can run them from the root of the repo with `cargo make unit-tests`. Note that some code in Bottlerocket is conditionally compiled based on variant thus some tests won't be executed. Unless you intend to test the default variant, it is best to pass the relevant variant and architecture like this: ```shell cargo make \ -e BUILDSYS_VARIANT="aws-ecs-2" \ -e BUILDSYS_ARCH="x86_64" \ unit-tests ``` ## Integration Tests Unit tests will only get us so far. Ultimately we want to know if Bottlerocket runs correctly as a complete system. We have created a [command line utility] and [testing system] to help us test Bottlerocket holistically. 
[command line utility]: ./tools/testsys [testing system]: https://github.com/bottlerocket-os/bottlerocket-test-system The test system coordinates: - the creation of a cluster (or re-use of an existing cluster), - creation of Bottlerocket instances, - running tests that target the created cluster and instances, - terminating the Bottlerocket instances, - terminating the Kubernetes cluster (if desired) Testsys uses a Kubernetes operator to test Bottlerocket. The operator runs in a cluster that is separate from the one where you are testing Bottlerocket nodes. We call this control cluster the *testsys cluster*. When you launch a Bottlerocket integration test, pods run in the testsys cluster to perform the steps described above. ## Setup ### EKS It is possible to run your testsys cluster anywhere so long as it has the necessary authorization and networking. We have plans to make this easy to do in EKS by providing the instructions and role permissions you need. However, some work is still needed on the roles, so check back for those instructions in the future! ### Using a Temporary Kind Cluster For developer workflows, the quickest way to run a testsys cluster is using [kind]. [kind]: https://kind.sigs.k8s.io/ **Important:** only use `kind` for temporary testsys clusters that you will be using yourself. Do not use `kind` for long-lived clusters or clusters that you will share with other users. Here are the steps to set up a testsys cluster using `kind`. Create a kind cluster (any name will suffice): ```shell kind create cluster --name testsys ``` If you want to store the kubeconfig file, set the `TESTSYS_KUBECONFIG` variable to some path (there should be no pre-existing file there) and then write the kubeconfig to that path. It doesn't really matter where this is, since this is a throwaway cluster. Because this file grants administrative access to the testsys cluster, keep it readable only by your own user. The environment variable `TESTSYS_KUBECONFIG` is used by all testsys related cargo make tasks.
```shell export TESTSYS_KUBECONFIG="${HOME}/testsys-kubeconfig.yaml" kind get kubeconfig --name testsys > $TESTSYS_KUBECONFIG ``` Install the testsys cluster components: ```shell cargo make setup-test ``` Testsys containers will need AWS credentials. **Reminder**: this is for your developer workflow only, do not share this cluster with other users. The commands below copy your access key into a secret stored in the testsys cluster, where anyone with access to that cluster can read it. ```shell cargo make testsys add secret map \ --name "creds" \ "access-key-id=$(aws configure get aws_access_key_id)" \ "secret-access-key=$(aws configure get aws_secret_access_key)" ``` If you have a named profile you can use the following. ```shell PROFILE= cargo make testsys add secret map \ --name "creds" \ "access-key-id=$(aws configure get aws_access_key_id --profile ${PROFILE})" \ "secret-access-key=$(aws configure get aws_secret_access_key --profile ${PROFILE})" ``` If you added a secret, you then need to pass the secret's name (`creds` in the commands above) to testsys through an environment variable: ```shell export TESTSYS_AWS_SECRET_NAME="awsCredentials=" ``` ### Conveniences All testsys commands can be run using cargo make to eliminate the chance of 2 different versions of testsys being used. Testsys requires the controller and the agent images to be of the same testsys version. ```shell cargo make testsys ``` The Bottlerocket components are found in the `testsys` Kubernetes namespace. ## Run Now that you have the testsys cluster set up, it's time to run a Bottlerocket integration test! ### Configuration There are many arguments that can be configured via environment variables with `cargo make`; however, it is possible to create a configuration file instead. Check out the [example config file](tools/testsys/Test.toml.example) for a sample `Test.toml` file.
For example, the instance type can be specified based on variant requirements: ```toml [aws-k8s] # Set the default instance type for all `aws-k8s` variants instance-type = "m5.xlarge" [aws-k8s-nvidia] # Override the instance type for `nvidia` `aws-k8s` variants instance-type = "g5g.2xlarge" ``` Since `aws-k8s-nvidia` is a `-` level configuration it will take precedence over `aws-k8s` which is `` level configuration. Tables can also be created for custom testing configurations. For a custom test type called `foo`, the config above can be updated: ```toml [aws-k8s] # Set the default instance type for all `aws-k8s` variants instance-type = "m5.xlarge" [aws-k8s.configuration.foo] # Set the default instance type for all `aws-k8s` variants when `TESTSYS_TEST=foo` is set instance-type = "m5.8xlarge" [aws-k8s-nvidia] # Override the instance type for `nvidia` `aws-k8s` variants instance-type = "g5g.2xlarge" [aws-k8s-nvidia.configuration.foo] # Override the instance type for `nvidia` `aws-k8s` variants when `TESTSYS_TEST=foo` is set instance-type = "g5g.8xlarge" ``` ### Variants Different Bottlerocket variants require different implementations in the test system. For example, to ensure that Kubernetes variants are working correctly, we use [Sonobuoy] to run through the K8s E2E conformance test suite. For ECS, we run a [task] on Bottlerocket to make sure Bottlerocket is working. We use EC2 and EKS for `aws-k8s` variants and vSphere for `vmware-k8s` variants, and so on. [Sonobuoy]: https://sonobuoy.io/ [task]: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/welcome-features.html We have attempted use sensible defaults for these behaviors when calling the `cargo make test` command. ### aws-k8s You need to [build](BUILDING.md) Bottlerocket and create an AMI before you can run a test. Change the commands below to the desired `aws-k8s` variant and AWS region: **Caution**: An EKS cluster will be created for you. 
Because these take a long time to create, the default testsys behavior is to leave this in place so you can re-use it. You will need to delete the EKS cluster manually when you are done using it. (EC2 instances are terminated automatically, but it's worth double-checking to make sure they were terminated.) ```shell cargo make \ -e BUILDSYS_VARIANT="aws-k8s-1.32" \ -e BUILDSYS_ARCH="x86_64" \ build cargo make \ -e BUILDSYS_VARIANT="aws-k8s-1.32" \ -e BUILDSYS_ARCH="x86_64" \ -e PUBLISH_REGIONS="us-west-2" \ ami cargo make \ -e BUILDSYS_VARIANT="aws-k8s-1.32" \ -e BUILDSYS_ARCH="x86_64" \ test ``` ```shell cargo make watch-test ``` **Note**: You can provision nodes with karpenter by specifying `resource-agent-type = "karpenter"` in `Test.toml`. To follow the generic mapping, use the following configuration: ```toml [aws-k8s.configuration.karpenter] test-type = "quick" resource-agent-type = "karpenter" block-device-mapping = [ {name = "/dev/xvda", volumeType = "gp3", volumeSize = 4, deleteOnTermination = true}, {name = "/dev/xvdb", volumeType = "gp3", volumeSize = 20, deleteOnTermination = true}, ] ``` This configuration creates a new test type for all `aws-k8s` variants called `karpenter` (the string following `.configuration` in the table heading). Before launching nodes with karpenter you will need to add the karpenter role to your cluster's `aws-auth` config map. ```bash # Change to your clusters name CLUSTER_NAME=my-cluster ACCOUNT_ID=your-account-id REGION=us-west-2 eksctl create iamidentity mapping \ -r ${REGION} \ --cluster ${CLUSTER_NAME} \ --arn arn:aws:iam::${ACCOUNT_ID}:role/KarpenterInstanceNodeRole \ --username system:node:{{EC2PrivateDNSName}} \ --group system:bootstrappers \ --group system:nodes ``` You can run the test by calling, ```bash cargo make -e TESTSYS_TEST=karpenter test ``` ### aws-ecs You need to [build](BUILDING.md) Bottlerocket and create an AMI before you can run a test. 
The default instance type to be used is `m5.large` for `x86_64` and `m6g.large` for `aarch64`, but can be controlled by setting the environment variable `TESTSYS_INSTANCE_TYPE`. This is useful while testing NVIDIA variants, since they require instance types with support for NVIDIA GPUs. Change the commands below to the desired `aws-ecs` variant and AWS region: ```shell cargo make \ -e BUILDSYS_VARIANT="aws-ecs-2" \ -e BUILDSYS_ARCH="x86_64" \ build cargo make \ -e BUILDSYS_VARIANT="aws-ecs-2" \ -e BUILDSYS_ARCH="x86_64" \ -e PUBLISH_REGIONS="us-west-2" \ ami cargo make \ -e BUILDSYS_VARIANT="aws-ecs-2" \ -e BUILDSYS_ARCH="x86_64" \ test ``` ```shell cargo make watch-test ``` **Note:** For more information on publishing AMIs see [publishing](PUBLISHING.md). ### vmware-k8s First, an initial management cluster needs to be created using [`EKS Anywhere`](https://anywhere.eks.amazonaws.com/docs/getting-started/production-environment/vsphere-getstarted/#create-an-initial-cluster). You can then set `TESTSYS_MGMT_CLUSTER_KUBECONFIG` to the path to the management clusters kubeconfig. You need to [build](BUILDING.md) Bottlerocket and a publicly accessible [TUF repository](https://github.com/bottlerocket-os/bottlerocket/blob/develop/PUBLISHING.md#repo-location) to test VMware variants. Either `Infra.toml` or your environment need to be configured. If using environment variables make sure to set the following environment variables: - GOVC_URL - GOVC_USERNAME - GOVC_PASSWORD - GOVC_DATACENTER - GOVC_DATASTORE - GOVC_NETWORK - GOVC_RESOURCE_POOL - GOVC_FOLDER Testsys will use the data center specified in `Test.toml` first. If no data center is specified in `Test.toml`, testsys will use the first data center listed in `Infra.toml` VMware testing also requires a `control-plane-endpoint` to be set in `Test.toml` for vSphere K8s cluster creation. Change the commands below to the desired `vmware-k8s` variant: First, build the VMware variant you want to test. 
```shell cargo make \ -e BUILDSYS_VARIANT="vmware-k8s-1.31" \ -e BUILDSYS_ARCH="x86_64" \ build ``` Build the TUF repo containing the OVA templates. ```shell cargo make \ -e BUILDSYS_VARIANT="vmware-k8s-1.31" \ -e BUILDSYS_ARCH="x86_64" \ repo ``` Sync TUF repos containing the VMware variant's metadata and targets. Make sure the TUF repos are accessible via unauthenticated HTTP or HTTPS and match the URLs in `Infra.toml`. Now, you can run the test. ```shell cargo make \ -e BUILDSYS_VARIANT="vmware-k8s-1.31" \ -e BUILDSYS_ARCH="x86_64" \ test \ --mgmt-cluster-kubeconfig ${TESTSYS_MGMT_CLUSTER_KUBECONFIG} ``` You can monitor the tests with: ```shell cargo make watch-test ``` ## Migration Testing Migration testing is used to ensure Bottlerocket can update from one version to a new version and back. This involves launching Bottlerocket instances, upgrading them, and downgrading them. Migration testing launches instances of a starting Bottlerocket version, or a provided initial AMI and migrates instances to the target version. In order to accomplish this a few artifacts need to be created: * A publicly accessible TUF repository * A previous release of Bottlerocket signed with available keys * The AMI ID for the previous release * Image artifacts and local TUF repos of said artifacts for current changes ### The setup #### Prepare `Infra.toml` We need the URL of an accessible TUF repo so the Bottlerocket instances know where to retrieve the update metadata and targets. Follow our [publishing guide](PUBLISHING.md#repo-location) to set up TUF repos. `Infra.toml` is used by testsys to determine TUF repo locations, so `metadata_base_url` and `targets_base_url` need to be set based on the repo that was just created. The examples below also assume that the default repo is being used in `Infra.toml`, but any repo can be used by setting the `PUBLISH_REPO` environment variable. 
#### Starting Bottlerocket images In this example we will use `v1.9.0` as our starting Bottlerocket version, but any tag from Bottlerocket will work. The following bash script will checkout the proper branch from git and create the build images and TUF repos for testing. ```shell git checkout "v1.9.0" cargo make cargo make ami cargo make repo ``` Remember to sync your TUF repos with the new metadata and targets. #### Target Bottlerocket images Now, it's time to create the Bottlerocket artifacts that need to be upgraded to. Switch to the working git branch that should be built from. ```shell WORKING_BRANCH="develop" git checkout "${WORKING_BRANCH}" ``` Next, build Bottlerocket images and repos and sync TUF repos. The architecture and variant can be configured with `BUILDSYS_ARCH` and `BUILDSYS_VARIANT`. ```shell cargo make cargo make ami cargo make repo ``` Now, sync your TUF repos with the new metadata and targets. This completes the setup and it is time to test migrations! ### Testing Migrations The previous steps set up the artifacts necessary to perform migration testing using `testsys`. Ensure all environment variables are still set and set them if they aren't. To run the migration test set `TESTSYS_TEST=migration` in the `cargo make test` call. This will automatically determine the AMI that should be used by finding the latest released version of bottlerocket and checking the user's AMIs to find the correct starting AMI ID. Remember to set the environment variables for the architecture and variant. ```shell cargo make -e TESTSYS_TEST=migration test ``` To see the state of the tests as they run use `cargo make watch-test`. ### Testing Workloads Workload tests are tests designed to run as an orchestrated container. A workload test is defined in `Test.toml` with a map named `workloads`. ```toml [aws-nvidia] workloads = { = "" } ``` To run the workload test set `TESTSYS_TEST=workload` in the `cargo make test` call. 
```shell cargo make -e TESTSYS_TEST=workload test ``` To see the state of the tests as they run use `cargo make watch-test`. More information can be found in the [TestSys workload documentation](https://github.com/bottlerocket-os/bottlerocket-test-system/tree/develop/bottlerocket/tests/workload). ### Custom Test Types Custom tests can be run with TestSys by calling `cargo make -e TESTSYS_TEST= test -f `. First, a test agent needs to be constructed. The `test-agent-cli` provides an interface for creating bash based testing agents. Check out the [runbook](https://github.com/bottlerocket-os/bottlerocket-test-system/blob/develop/agent/test-agent-cli/design/RUNBOOK.md) for instructions on creating an agent. Once an agent has been created, the yaml template can be created. Values from `Test.toml` can be inserted into a yaml manifest so that a single manifest can be used for all variants in a family. ```yaml apiVersion: {{api-version}} kind: Test metadata: # The name of the crd created is dependent on the arch and variant for # the test being run. name: {{kube-arch}}-{{kube-variant}}-custom namespace: {{namespace}} spec: retries: 5 agent: name: custom-test-agent image: example-test-agent-cli:latest keepRunning: false configuration: clusterName: {{cluster-name}} instanceType: {{instance-type}} resources: [] dependsOn: [] # The secrets will automatically be populated from the config file, # no template is needed. secrets: {} ``` After the agent has been built and the yaml file is created, the test can be run using `cargo make -e TESTSYS_TEST= test -f ` ================================================ FILE: TRADEMARKS.md ================================================ # TRADEMARK POLICY Updated April 13, 2023 This Policy provides guidelines for use of the "Bottlerocket" name and logos (the "Bottlerocket Trademarks") to identify the Bottlerocket software. Amazon.com, Inc.
or its affiliates ("Amazon") strives to be a steward of the Bottlerocket brand for the entire Bottlerocket Community and is the owner of the Bottlerocket Trademarks. As such, the law obligates us to police and protect the trademarks. Therefore, we require use of the Bottlerocket Trademarks to be in accordance with this Policy. Indeed, Amazon’s own use is designed to be consistent with this Policy. Our goal is to ensure, on behalf of the Bottlerocket Community, that the Bottlerocket Trademark remain reliable indicators of quality and security while also permitting community members, software distributors and others to discuss Bottlerocket and to accurately describe their products’ affiliation with Bottlerocket or the Bottlerocket Community, as well as exercise their rights given Bottlerocket’s open source nature. Note that this Policy only applies to use of the Bottlerocket Trademarks. ## Overall Guidelines You may use the Bottlerocket Trademarks to refer to the Bottlerocket software provided that your use is in compliance with this Policy. Any other use of the Bottlerocket Trademarks requires prior written permission. Overall, your use of the Bottlerocket Trademarks must not be confusing, misleading, false, or damaging to the Bottlerocket software, the Bottlerocket Community or to the Bottlerocket Trademarks themselves. People should always know who they are dealing with, and where the software they are downloading and using came from. You may not use the Bottlerocket Trademarks in any manner that implies approval or endorsement by, or association with, the Bottlerocket project or the Bottlerocket Community. When using the Bottlerocket Trademarks, your branding should be distinguishable from Bottlerocket trade dress. You may not use the Bottlerocket Trademarks in a manner that may diminish or otherwise damage the goodwill in the Bottlerocket Trademarks. 
The "Bottlerocket" word mark should be used in its exact form, and not abbreviated or combined with any other word or words (e.g., "Bottlerocket" software rather than "BTLRKT" or "Bottlerocket-ified"). Similarly, the Bottlerocket logos should not be modified or integrated with your logos or other designs. You may create a lockup with your logo and a Bottlerocket logo side by side so long as your logo is not confusingly similar to the Bottlerocket logo and appears first and so long as your use complies with this policy. Your use of the Bottlerocket Trademarks does not transfer rights in the trademarks or goodwill to you. ## Uses that do not require permission Provided your use complies with this Policy, you may use the Bottlerocket logos to link to the Bottlerocket website, to indicate that your software or service uses the Bottlerocket software, in architecture diagrams to show how your software or service integrates with Bottlerocket, and in presentations, social media posts (but not as your account image or avatar), whitepapers, blog posts, and similar content as a reference to the Bottlerocket project itself. It should be clear what role the Bottlerocket project or software plays in the context of your software or services. The Bottlerocket logos should not be more prominent than your own branding. Use the official versions of the Bottlerocket logos available for download [here](https://avatars.githubusercontent.com/u/61023959?s=200&v=4). You may transform the file format itself for ease of use and modify the colors. ![Original Bottlerocket Logo](https://avatars.githubusercontent.com/u/61023959?s=200&v=4) Provided your use complies with this Policy, you may use the "Bottlerocket" word mark to accurately reference the Bottlerocket software, including on your website, in presentations and publications, at events, in advertising and marketing material, etc., for commercial and noncommercial purposes. 
You may use the "Bottlerocket" word mark and any logos we placed on the software in connection with a redistribution of an official distribution of the Bottlerocket software that has not been modified or changed in any way. Those taking full advantage of the open source nature of the Bottlerocket code may make modifications in accordance with the applicable open source license of Bottlerocket. You may use the "Bottlerocket" word mark to refer to your modified version of Bottlerocket provided (a) you include an additional identifier indicating you as the source of the modified version (e.g., "Foocorp’s Bottlerocket Derivative"), (b) you clearly identify your modifications and indicate you are the source of the modifications, (c) your use does not suggest any affiliation between Bottlerocket or the Bottlerocket Community and you or your modified version of Bottlerocket, and (d) your use of the "Bottlerocket" word mark should not be more prominent than your additional identifier. Those taking advantage of the open source nature of the Bottlerocket code may also offer services for, or software that works with, Bottlerocket or modified versions of Bottlerocket, such as cloud management services. Users should not be confused as to the source of your software or services. 
With that in mind, you may use the "Bottlerocket" word mark to refer to services for, or software that works with, Bottlerocket or modified versions of Bottlerocket provided (a) you include an additional identifier indicating you as the source of the software or services (e.g., "Foocorp’s Bottlerocket Tool" or "Foocorp Bottlerocket Service"), (b) if your services or software works with a modified version of Bottlerocket, you clearly identify the modifications and indicate the source of the modifications, (c) your use does not suggest any affiliation between Bottlerocket or the Bottlerocket Community and you or your work, and (d) your use of the "Bottlerocket" mark should not be more prominent than your additional identifier. You may also use the "Bottlerocket" word mark to make accurate statements about compatibility and interoperability using relational phrases such as "works with," "runs on," "compatible with," and the like (e.g., "Foocorp Software powered by Bottlerocket" or "Foocorp Software for Bottlerocket" or "Foocorp Software with Bottlerocket compatibility"). ## Uses that require permission The following uses of the Bottlerocket Trademarks require our prior written approval: * Use of the Bottlerocket logos in any way other than as expressly authorized by this Policy; * Use as part of a domain name, except that you may use the Bottlerocket Trademarks in a subdomain name provided your use otherwise complies with this Policy (e.g., Bottlerocket.foocorp.com); * Use with non-software goods or services (e.g., physical products like devices or services that do not directly use the Bottlerocket software), except that you may use the Bottlerocket Trademarks with a limited number of swag or promotional items not for sale such as t-shirts, lanyards, stickers, mugs, or pens; and * Use that does not comply with the terms of this Policy. 
You may not use the Bottlerocket Trademarks in connection with use or distribution of the Bottlerocket software, except as permitted by this Policy. ## Questions If you are unsure whether your use of the Bottlerocket Trademarks is permitted under this Policy, feel free to contact us and ask. If you have questions about these guidelines or use of any other Amazon trademark, please contact trademarks@amazon.com for assistance, or write to us at: ```text Amazon.com, Inc. Attention: Trademarks PO Box 81226 Seattle, WA 98108-1226 ``` This Policy is based in part on the [open source trademark policy defined by the Mozilla organization](https://www.mozilla.org/en-US/foundation/trademarks/policy/), therefore, the text of this Policy (and not the Bottlerocket Trademarks themselves) is licensed under the Creative Commons "Attribution-ShareAlike 2.0" license. ## FAQ **1. Can I create and redistribute my own builds of Bottlerocket?** If you build Bottlerocket from unmodified source and redistribute the results, you may use "Bottlerocket" only if it is clear in both the name of your distribution and the content associated with it that your distribution is your build of Bottlerocket and not the official build, and you must identify the commit from which it is built, including the commit date. **2. What OS changes do I need to make to a modified version of Bottlerocket to comply with this Policy?** You must modify the os-release file to either use Bottlerocket according to this Policy or to remove the Bottlerocket Trademarks. This can be done by modifying both `packages/release/release.spec` and `tools/rpm2img`. Names of the system root (e.g. `/x86_64-bottlerocket-linux-gnu/sys-root`), partition labels, directory paths, and service file descriptions do not need to be changed to comply with this Policy. **3. 
What can I do if I see abuse of the Bottlerocket Trademarks?** If you are aware of confusing or misleading use or other misuse of the Bottlerocket Trademarks, you may contact us as described above at trademarks@amazon.com so we can investigate further. **4. This Policy requires modifications and their source to be identified for modified versions of Bottlerocket, where should I put this information?** You may put this information in any location that is commonly used to convey differences from an upstream open source project, such as a NOTICE text or end-user documentation. ================================================ FILE: Twoliter.toml ================================================ schema-version = 2 release-version = "1.57.0" project-vendor = "Bottlerocket" [vendor.bottlerocket] registry = "public.ecr.aws/bottlerocket" [sdk] name = "bottlerocket-sdk" version = "0.72.0" vendor = "bottlerocket" [[kit]] name = "bottlerocket-kernel-kit" version = "5.2.0" vendor = "bottlerocket" [[kit]] name = "bottlerocket-core-kit" version = "13.3.0" vendor = "bottlerocket" ================================================ FILE: packages/.gitignore ================================================ *.patch.bz2 *.src.rpm *.zip ================================================ FILE: packages/build.rs ================================================ use std::process::{exit, Command}; fn main() -> Result<(), std::io::Error> { let ret = Command::new("buildsys").arg("build-package").status()?; if !ret.success() { exit(1); } Ok(()) } ================================================ FILE: packages/packages.rs ================================================ /*! This is an intentionally empty file that all of the package `Cargo.toml` files can point to as their `lib.rs`. The build system uses `build.rs` to invoke `buildsys` but Cargo needs something to compile so we give it an empty `lib.rs` file. 
!*/ ================================================ FILE: packages/settings-defaults/Cargo.toml ================================================ [package] name = "settings-defaults" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" [lib] path = "../packages.rs" [package.metadata.build-package] source-groups = [ "settings-defaults" ] # RPM BuildRequires [build-dependencies] # RPM Requires [dependencies] ================================================ FILE: packages/settings-defaults/settings-defaults.spec ================================================ %global _cross_first_party 1 %undefine _debugsource_packages %global cargo_clean %{__cargo_cross_env} %{__cargo} clean %global _cross_defaultsdir %{_cross_datadir}/storewolf Name: %{_cross_os}settings-defaults Version: 0.0 Release: 1%{?dist} Summary: Settings defaults License: Apache-2.0 OR MIT URL: https://github.com/bottlerocket-os/bottlerocket BuildRequires: %{_cross_os}glibc-devel Requires: %{_cross_os}settings-defaults(any) %description %{summary}. %package aws-dev Summary: Settings defaults for the aws-dev variant Requires: %{_cross_os}variant(aws-dev) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-dev) Conflicts: %{_cross_os}settings-defaults(any) %description aws-dev %{summary}. %package aws-ecs-2 Summary: Settings defaults for the aws-ecs-2 FIPS and non-FIPS variants Requires: (%{shrink: %{_cross_os}variant(aws-ecs-2) or %{_cross_os}variant(aws-ecs-2-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-ecs-2) Provides: %{_cross_os}settings-defaults(aws-ecs-2-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-ecs-2 %{summary}. 
%package aws-ecs-2-nvidia Summary: Settings defaults for the aws-ecs-2-nvidia variant Requires: (%{shrink: %{_cross_os}variant(aws-ecs-2-nvidia) or %{_cross_os}variant(aws-ecs-2-nvidia-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-ecs-2-nvidia) Provides: %{_cross_os}settings-defaults(aws-ecs-2-nvidia-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-ecs-2-nvidia %{summary}. %package aws-ecs-3 Summary: Settings defaults for the aws-ecs-3 FIPS and non-FIPS variants Requires: (%{shrink: %{_cross_os}variant(aws-ecs-3) or %{_cross_os}variant(aws-ecs-3-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-ecs-3) Provides: %{_cross_os}settings-defaults(aws-ecs-3-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-ecs-3 %{summary}. %package aws-ecs-3-nvidia Summary: Settings defaults for the aws-ecs-3-nvidia variant Requires: (%{shrink: %{_cross_os}variant(aws-ecs-3-nvidia) or %{_cross_os}variant(aws-ecs-3-nvidia-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-ecs-3-nvidia) Provides: %{_cross_os}settings-defaults(aws-ecs-3-nvidia-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-ecs-3-nvidia %{summary}. 
%package aws-k8s-1.31 Summary: Settings defaults for the aws-k8s 1.29 through 1.31 variants Requires: (%{shrink: %{_cross_os}variant(aws-k8s-1.29) or %{_cross_os}variant(aws-k8s-1.29-fips) or %{_cross_os}variant(aws-k8s-1.30) or %{_cross_os}variant(aws-k8s-1.30-fips) or %{_cross_os}variant(aws-k8s-1.31) or %{_cross_os}variant(aws-k8s-1.31-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-k8s-1.29) Provides: %{_cross_os}settings-defaults(aws-k8s-1.29-fips) Provides: %{_cross_os}settings-defaults(aws-k8s-1.30) Provides: %{_cross_os}settings-defaults(aws-k8s-1.30-fips) Provides: %{_cross_os}settings-defaults(aws-k8s-1.31) Provides: %{_cross_os}settings-defaults(aws-k8s-1.31-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-k8s-1.31 %{summary}. %package aws-k8s-1.31-nvidia Summary: Settings defaults for the aws-k8s 1.29 through 1.31 nvidia variants Requires: (%{shrink: %{_cross_os}variant(aws-k8s-1.29-nvidia) or %{_cross_os}variant(aws-k8s-1.29-nvidia-fips) or %{_cross_os}variant(aws-k8s-1.30-nvidia) or %{_cross_os}variant(aws-k8s-1.30-nvidia-fips) or %{_cross_os}variant(aws-k8s-1.31-nvidia) or %{_cross_os}variant(aws-k8s-1.31-nvidia-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-k8s-1.29-nvidia) Provides: %{_cross_os}settings-defaults(aws-k8s-1.29-nvidia-fips) Provides: %{_cross_os}settings-defaults(aws-k8s-1.30-nvidia) Provides: %{_cross_os}settings-defaults(aws-k8s-1.30-nvidia-fips) Provides: %{_cross_os}settings-defaults(aws-k8s-1.31-nvidia) Provides: %{_cross_os}settings-defaults(aws-k8s-1.31-nvidia-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-k8s-1.31-nvidia %{summary}. 
%package aws-k8s-1.32 Summary: Settings defaults for the aws-k8s 1.32 variants Requires: (%{shrink: %{_cross_os}variant(aws-k8s-1.32) or %{_cross_os}variant(aws-k8s-1.32-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-k8s-1.32) Provides: %{_cross_os}settings-defaults(aws-k8s-1.32-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-k8s-1.32 %{summary}. %package aws-k8s-1.32-nvidia Summary: Settings defaults for the aws-k8s 1.32 nvidia variants Requires: (%{shrink: %{_cross_os}variant(aws-k8s-1.32-nvidia) or %{_cross_os}variant(aws-k8s-1.32-nvidia-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-k8s-1.32-nvidia) Provides: %{_cross_os}settings-defaults(aws-k8s-1.32-nvidia-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-k8s-1.32-nvidia %{summary}. %package aws-k8s-1.33 Summary: Settings defaults for the aws-k8s 1.33 variants Requires: (%{shrink: %{_cross_os}variant(aws-k8s-1.33) or %{_cross_os}variant(aws-k8s-1.33-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-k8s-1.33) Provides: %{_cross_os}settings-defaults(aws-k8s-1.33-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-k8s-1.33 %{summary}. %package aws-k8s-1.33-nvidia Summary: Settings defaults for the aws-k8s 1.33 nvidia variants Requires: (%{shrink: %{_cross_os}variant(aws-k8s-1.33-nvidia) or %{_cross_os}variant(aws-k8s-1.33-nvidia-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-k8s-1.33-nvidia) Provides: %{_cross_os}settings-defaults(aws-k8s-1.33-nvidia-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-k8s-1.33-nvidia %{summary}. 
%package aws-k8s-1.34 Summary: Settings defaults for the aws-k8s 1.34 variants Requires: (%{shrink: %{_cross_os}variant(aws-k8s-1.34) or %{_cross_os}variant(aws-k8s-1.34-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-k8s-1.34) Provides: %{_cross_os}settings-defaults(aws-k8s-1.34-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-k8s-1.34 %{summary}. %package aws-k8s-1.34-nvidia Summary: Settings defaults for the aws-k8s 1.34 nvidia variants Requires: (%{shrink: %{_cross_os}variant(aws-k8s-1.34-nvidia) or %{_cross_os}variant(aws-k8s-1.34-nvidia-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-k8s-1.34-nvidia) Provides: %{_cross_os}settings-defaults(aws-k8s-1.34-nvidia-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-k8s-1.34-nvidia %{summary}. %package aws-k8s-1.35 Summary: Settings defaults for the aws-k8s 1.35 variants Requires: (%{shrink: %{_cross_os}variant(aws-k8s-1.35) or %{_cross_os}variant(aws-k8s-1.35-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-k8s-1.35) Provides: %{_cross_os}settings-defaults(aws-k8s-1.35-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-k8s-1.35 %{summary}. %package aws-k8s-1.35-nvidia Summary: Settings defaults for the aws-k8s 1.35 nvidia variants Requires: (%{shrink: %{_cross_os}variant(aws-k8s-1.35-nvidia) or %{_cross_os}variant(aws-k8s-1.35-nvidia-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(aws-k8s-1.35-nvidia) Provides: %{_cross_os}settings-defaults(aws-k8s-1.35-nvidia-fips) Conflicts: %{_cross_os}settings-defaults(any) %description aws-k8s-1.35-nvidia %{summary}. 
%package metal-dev Summary: Settings defaults for the metal-dev variant Requires: %{_cross_os}variant(metal-dev) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(metal-dev) Conflicts: %{_cross_os}settings-defaults(any) %description metal-dev %{summary}. %package vmware-dev Summary: Settings defaults for the vmware-dev variant Requires: %{_cross_os}variant(vmware-dev) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(vmware-dev) Conflicts: %{_cross_os}settings-defaults(any) %description vmware-dev %{summary}. %package vmware-k8s-1.32 Summary: Settings defaults for the vmware-k8s 1.29 through 1.32 variants Requires: (%{shrink: %{_cross_os}variant(vmware-k8s-1.29) or %{_cross_os}variant(vmware-k8s-1.29-fips) or %{_cross_os}variant(vmware-k8s-1.30) or %{_cross_os}variant(vmware-k8s-1.30-fips) or %{_cross_os}variant(vmware-k8s-1.31) or %{_cross_os}variant(vmware-k8s-1.31-fips) or %{_cross_os}variant(vmware-k8s-1.32) or %{_cross_os}variant(vmware-k8s-1.32-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.29) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.29-fips) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.30) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.30-fips) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.31) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.31-fips) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.32) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.32-fips) Conflicts: %{_cross_os}settings-defaults(any) %description vmware-k8s-1.32 %{summary}. 
%package vmware-k8s-1.33 Summary: Settings defaults for the vmware-k8s 1.33 variants Requires: (%{shrink: %{_cross_os}variant(vmware-k8s-1.33) or %{_cross_os}variant(vmware-k8s-1.33-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.33) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.33-fips) Conflicts: %{_cross_os}settings-defaults(any) %description vmware-k8s-1.33 %{summary}. %package vmware-k8s-1.35 Summary: Settings defaults for the vmware-k8s 1.35 variants Requires: (%{shrink: %{_cross_os}variant(vmware-k8s-1.35) or %{_cross_os}variant(vmware-k8s-1.35-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.35) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.35-fips) Conflicts: %{_cross_os}settings-defaults(any) %description vmware-k8s-1.35 %{summary}. %package vmware-k8s-1.34 Summary: Settings defaults for the vmware-k8s 1.34 variants Requires: (%{shrink: %{_cross_os}variant(vmware-k8s-1.34) or %{_cross_os}variant(vmware-k8s-1.34-fips) %{nil}}) Provides: %{_cross_os}settings-defaults(any) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.34) Provides: %{_cross_os}settings-defaults(vmware-k8s-1.34-fips) Conflicts: %{_cross_os}settings-defaults(any) %description vmware-k8s-1.34 %{summary}. %prep %setup -T -c %cargo_prep %build declare -a projects for defaults in \ aws-dev \ aws-ecs-2 \ aws-ecs-2-nvidia \ aws-ecs-3 \ aws-ecs-3-nvidia \ aws-k8s-1.31 \ aws-k8s-1.31-nvidia \ aws-k8s-1.32 \ aws-k8s-1.32-nvidia \ aws-k8s-1.33 \ aws-k8s-1.33-nvidia \ aws-k8s-1.34 \ aws-k8s-1.34-nvidia \ aws-k8s-1.35 \ aws-k8s-1.35-nvidia \ metal-dev \ vmware-dev \ vmware-k8s-1.32 \ vmware-k8s-1.33 \ vmware-k8s-1.34 \ vmware-k8s-1.35 \ ; do projects+=( "-p" "settings-defaults-$(echo "${defaults}" | sed -e 's,\.,_,g')" ) done # Output is written to an unpredictable directory name, so clean it up first to # avoid reusing any cached artifacts. 
# Clean, then build, exactly the crates collected in the projects array.
%cargo_clean --manifest-path %{_builddir}/sources/Cargo.toml \
  "${projects[@]}" \
  %{nil}

%cargo_build --manifest-path %{_builddir}/sources/Cargo.toml \
  "${projects[@]}" \
  %{nil}

%install
# Stage one defaults file and one tmpfiles.d entry per variant under the buildroot.
install -d %{buildroot}%{_cross_defaultsdir}
install -d %{buildroot}%{_cross_tmpfilesdir}

for defaults in \
  aws-dev \
  aws-ecs-2 \
  aws-ecs-2-nvidia \
  aws-ecs-3 \
  aws-ecs-3-nvidia \
  aws-k8s-1.31 \
  aws-k8s-1.31-nvidia \
  aws-k8s-1.32 \
  aws-k8s-1.32-nvidia \
  aws-k8s-1.33 \
  aws-k8s-1.33-nvidia \
  aws-k8s-1.34 \
  aws-k8s-1.34-nvidia \
  aws-k8s-1.35 \
  aws-k8s-1.35-nvidia \
  metal-dev \
  vmware-dev \
  vmware-k8s-1.32 \
  vmware-k8s-1.33 \
  vmware-k8s-1.34 \
  vmware-k8s-1.35 \
  ; do
    # Crate names use '_' where the variant name has '.', the same mapping the
    # build section applies when it assembles the -p arguments.
    crate="$(echo "${defaults}" | sed -e 's,\.,_,g')"
    # NOTE(review): every match found under the cache directory is installed to
    # the same destination, so with more than one match the last one silently
    # wins, and with no match nothing is installed at this step. Presumably the
    # clean step in the build section leaves exactly one match - confirm, since
    # the defaults shipped in the image are whatever this search returns.
    for f in $(find "${HOME}/.cache" -name "settings-defaults-${crate}.toml") ; do
      install -p -m 0644 "${f}" "%{buildroot}%{_cross_defaultsdir}/${defaults}.toml"
    done
    # tmpfiles.d 'L+' entry: make /etc/storewolf/defaults.toml a symlink to the
    # packaged defaults file, replacing anything already present at that path.
    echo \
      "L+ /etc/storewolf/defaults.toml - - - - %{_cross_defaultsdir}/${defaults}.toml" > \
      "%{buildroot}%{_cross_tmpfilesdir}/storewolf-defaults-${defaults}.conf"
done

# The main package owns only the defaults directory; each variant subpackage
# owns its own defaults file and its tmpfiles.d entry.
%files
%dir %{_cross_defaultsdir}

%files aws-dev
%{_cross_defaultsdir}/aws-dev.toml
%{_cross_tmpfilesdir}/storewolf-defaults-aws-dev.conf

%files aws-ecs-2
%{_cross_defaultsdir}/aws-ecs-2.toml
%{_cross_tmpfilesdir}/storewolf-defaults-aws-ecs-2.conf

%files aws-ecs-2-nvidia
%{_cross_defaultsdir}/aws-ecs-2-nvidia.toml
%{_cross_tmpfilesdir}/storewolf-defaults-aws-ecs-2-nvidia.conf

%files aws-ecs-3
%{_cross_defaultsdir}/aws-ecs-3.toml
%{_cross_tmpfilesdir}/storewolf-defaults-aws-ecs-3.conf

%files aws-ecs-3-nvidia
%{_cross_defaultsdir}/aws-ecs-3-nvidia.toml
%{_cross_tmpfilesdir}/storewolf-defaults-aws-ecs-3-nvidia.conf

%files aws-k8s-1.31
%{_cross_defaultsdir}/aws-k8s-1.31.toml
%{_cross_tmpfilesdir}/storewolf-defaults-aws-k8s-1.31.conf

%files aws-k8s-1.31-nvidia
%{_cross_defaultsdir}/aws-k8s-1.31-nvidia.toml
%{_cross_tmpfilesdir}/storewolf-defaults-aws-k8s-1.31-nvidia.conf

%files aws-k8s-1.32
%{_cross_defaultsdir}/aws-k8s-1.32.toml
%{_cross_tmpfilesdir}/storewolf-defaults-aws-k8s-1.32.conf %files aws-k8s-1.32-nvidia %{_cross_defaultsdir}/aws-k8s-1.32-nvidia.toml %{_cross_tmpfilesdir}/storewolf-defaults-aws-k8s-1.32-nvidia.conf %files aws-k8s-1.33 %{_cross_defaultsdir}/aws-k8s-1.33.toml %{_cross_tmpfilesdir}/storewolf-defaults-aws-k8s-1.33.conf %files aws-k8s-1.33-nvidia %{_cross_defaultsdir}/aws-k8s-1.33-nvidia.toml %{_cross_tmpfilesdir}/storewolf-defaults-aws-k8s-1.33-nvidia.conf %files aws-k8s-1.34 %{_cross_defaultsdir}/aws-k8s-1.34.toml %{_cross_tmpfilesdir}/storewolf-defaults-aws-k8s-1.34.conf %files aws-k8s-1.34-nvidia %{_cross_defaultsdir}/aws-k8s-1.34-nvidia.toml %{_cross_tmpfilesdir}/storewolf-defaults-aws-k8s-1.34-nvidia.conf %files aws-k8s-1.35 %{_cross_defaultsdir}/aws-k8s-1.35.toml %{_cross_tmpfilesdir}/storewolf-defaults-aws-k8s-1.35.conf %files aws-k8s-1.35-nvidia %{_cross_defaultsdir}/aws-k8s-1.35-nvidia.toml %{_cross_tmpfilesdir}/storewolf-defaults-aws-k8s-1.35-nvidia.conf %files metal-dev %{_cross_defaultsdir}/metal-dev.toml %{_cross_tmpfilesdir}/storewolf-defaults-metal-dev.conf %files vmware-dev %{_cross_defaultsdir}/vmware-dev.toml %{_cross_tmpfilesdir}/storewolf-defaults-vmware-dev.conf %files vmware-k8s-1.32 %{_cross_defaultsdir}/vmware-k8s-1.32.toml %{_cross_tmpfilesdir}/storewolf-defaults-vmware-k8s-1.32.conf %files vmware-k8s-1.33 %{_cross_defaultsdir}/vmware-k8s-1.33.toml %{_cross_tmpfilesdir}/storewolf-defaults-vmware-k8s-1.33.conf %files vmware-k8s-1.34 %{_cross_defaultsdir}/vmware-k8s-1.34.toml %{_cross_tmpfilesdir}/storewolf-defaults-vmware-k8s-1.34.conf %files vmware-k8s-1.35 %{_cross_defaultsdir}/vmware-k8s-1.35.toml %{_cross_tmpfilesdir}/storewolf-defaults-vmware-k8s-1.35.conf ================================================ FILE: packages/settings-migrations/Cargo.toml ================================================ [package] name = "settings-migrations" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" [lib] path = "../packages.rs" 
[package.metadata.build-package] source-groups = [ "settings-migrations" ] # RPM BuildRequires [build-dependencies] # RPM Requires [dependencies] ================================================ FILE: packages/settings-migrations/settings-migrations.spec ================================================ %global _cross_first_party 1 %undefine _debugsource_packages Name: %{_cross_os}migrations Version: 0.0 Release: 1%{?dist} Summary: Settings migrations License: Apache-2.0 OR MIT URL: https://github.com/bottlerocket-os/bottlerocket # Ideally this would be the package name, but for now the build system expects to find a package # named "bottlerocket-migrations". Provides: %{_cross_os}settings-migrations %description %{summary}. %prep %setup -T -c %cargo_prep %build # First we find the migrations in the source tree. We assume the directory name is the same as # the crate name. migrations=() for migration in $(find %{_builddir}/sources/settings-migrations/v[0-9]* -mindepth 1 -maxdepth 1 -type d); do migrations+=("-p $(basename ${migration})") done # We need to build migrations statically, because they need to run after a system update where # available libraries can change. 
%cargo_build_static --manifest-path %{_builddir}/sources/Cargo.toml ${migrations[*]} %install install -d %{buildroot}%{_cross_datadir}/migrations for version_path in %{_builddir}/sources/settings-migrations/v[0-9]*; do [ -e "${version_path}" ] || continue for migration_path in "${version_path}"/*; do [ -e "${migration_path}" ] || continue version="${version_path##*/}" crate_name="${migration_path##*/}" migration_binary_name="migrate_${version}_${crate_name#migrate-}" built_path="%{__cargo_outdir_static}/${crate_name}" target_path="%{buildroot}%{_cross_datadir}/migrations/${migration_binary_name}" install -m 0555 "${built_path}" "${target_path}" done done %files %dir %{_cross_datadir}/migrations %{_cross_datadir}/migrations ================================================ FILE: packages/settings-plugins/Cargo.toml ================================================ [package] name = "settings-plugins" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" [lib] path = "../packages.rs" [package.metadata.build-package] source-groups = [ "settings-plugins" ] # RPM BuildRequires [build-dependencies] # RPM Requires [dependencies] ================================================ FILE: packages/settings-plugins/settings-plugins.spec ================================================ %global _cross_first_party 1 %undefine _debugsource_packages # Do not prefer shared linking, since the libstd we use at build time # may not match the one installed on the final image. %global __global_rustflags_shared %__global_rustflags -C link-arg=-Wl,-soname=libsettings.so %global _cross_pluginsdir %{_cross_libdir}/settings-plugins Name: %{_cross_os}settings-plugins Version: 0.0 Release: 1%{?dist} Summary: Settings plugins License: Apache-2.0 OR MIT URL: https://github.com/bottlerocket-os/bottlerocket BuildRequires: %{_cross_os}glibc-devel Requires: %{_cross_os}glibc Requires: %{_cross_os}settings-plugin(any) %description %{summary}. 
%package aws-dev Summary: Settings plugin for the aws-dev variant Requires: %{_cross_os}variant(aws-dev) Provides: %{_cross_os}settings-plugin(any) Provides: %{_cross_os}settings-plugin(aws-dev) Conflicts: %{_cross_os}settings-plugin(any) %description aws-dev %{summary}. %package aws-ecs-2 Summary: Settings plugin for the aws-ecs-2 variant Requires: (%{shrink: %{_cross_os}variant(aws-ecs-2) or %{_cross_os}variant(aws-ecs-2-fips) or %{_cross_os}variant(aws-ecs-2-nvidia) or %{_cross_os}variant(aws-ecs-2-nvidia-fips) %{nil}}) Provides: %{_cross_os}settings-plugin(any) Provides: %{_cross_os}settings-plugin(aws-ecs-2) Provides: %{_cross_os}settings-plugin(aws-ecs-2-nvidia) Provides: %{_cross_os}settings-plugin(aws-ecs-2-nvidia-fips) Provides: %{_cross_os}settings-plugin(aws-ecs-2-fips) Conflicts: %{_cross_os}settings-plugin(any) %description aws-ecs-2 %{summary}. %package aws-ecs-3 Summary: Settings plugin for the aws-ecs-3 variant Requires: (%{shrink: %{_cross_os}variant(aws-ecs-3) or %{_cross_os}variant(aws-ecs-3-fips) or %{_cross_os}variant(aws-ecs-3-nvidia) or %{_cross_os}variant(aws-ecs-3-nvidia-fips) %{nil}}) Provides: %{_cross_os}settings-plugin(any) Provides: %{_cross_os}settings-plugin(aws-ecs-3) Provides: %{_cross_os}settings-plugin(aws-ecs-3-nvidia) Provides: %{_cross_os}settings-plugin(aws-ecs-3-nvidia-fips) Provides: %{_cross_os}settings-plugin(aws-ecs-3-fips) Conflicts: %{_cross_os}settings-plugin(any) %description aws-ecs-3 %{summary}. 
%package aws-k8s Summary: Settings plugin for the aws-k8s variants Requires: %{_cross_os}variant-family(aws-k8s) Provides: %{_cross_os}settings-plugin(any) Provides: %{_cross_os}settings-plugin(aws-k8s-1.29) Provides: %{_cross_os}settings-plugin(aws-k8s-1.29-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.30) Provides: %{_cross_os}settings-plugin(aws-k8s-1.30-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.31) Provides: %{_cross_os}settings-plugin(aws-k8s-1.31-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.32) Provides: %{_cross_os}settings-plugin(aws-k8s-1.32-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.33) Provides: %{_cross_os}settings-plugin(aws-k8s-1.33-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.34) Provides: %{_cross_os}settings-plugin(aws-k8s-1.34-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.35) Provides: %{_cross_os}settings-plugin(aws-k8s-1.35-fips) Conflicts: %{_cross_os}settings-plugin(any) Conflicts: %{_cross_os}variant-flavor(nvidia) %description aws-k8s %{summary}. 
%package aws-k8s-nvidia Summary: Settings plugin for the aws-k8s-nvidia variants Requires: (%{_cross_os}variant-family(aws-k8s) and %{_cross_os}variant-flavor(nvidia)) Provides: %{_cross_os}settings-plugin(any) Provides: %{_cross_os}settings-plugin(aws-k8s-1.29-nvidia) Provides: %{_cross_os}settings-plugin(aws-k8s-1.29-nvidia-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.30-nvidia) Provides: %{_cross_os}settings-plugin(aws-k8s-1.30-nvidia-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.31-nvidia) Provides: %{_cross_os}settings-plugin(aws-k8s-1.31-nvidia-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.32-nvidia) Provides: %{_cross_os}settings-plugin(aws-k8s-1.32-nvidia-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.33-nvidia) Provides: %{_cross_os}settings-plugin(aws-k8s-1.33-nvidia-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.34-nvidia) Provides: %{_cross_os}settings-plugin(aws-k8s-1.34-nvidia-fips) Provides: %{_cross_os}settings-plugin(aws-k8s-1.35-nvidia) Provides: %{_cross_os}settings-plugin(aws-k8s-1.35-nvidia-fips) Conflicts: %{_cross_os}settings-plugin(any) %description aws-k8s-nvidia %{summary}. %package metal-dev Summary: Settings plugin for the metal-dev variant Requires: %{_cross_os}variant(metal-dev) Provides: %{_cross_os}settings-plugin(any) Provides: %{_cross_os}settings-plugin(metal-dev) Conflicts: %{_cross_os}settings-plugin(any) %description metal-dev %{summary}. %package vmware-dev Summary: Settings plugin for the vmware-dev variant Requires: %{_cross_os}variant(vmware-dev) Provides: %{_cross_os}settings-plugin(any) Provides: %{_cross_os}settings-plugin(vmware-dev) Conflicts: %{_cross_os}settings-plugin(any) %description vmware-dev %{summary}. 
%package vmware-k8s Summary: Settings plugin for the vmware-k8s variants Requires: %{_cross_os}variant-family(vmware-k8s) Provides: %{_cross_os}settings-plugin(any) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.29) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.29-fips) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.30) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.30-fips) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.31) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.31-fips) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.32) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.32-fips) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.33) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.33-fips) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.34) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.34-fips) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.35) Provides: %{_cross_os}settings-plugin(vmware-k8s-1.35-fips) Conflicts: %{_cross_os}settings-plugin(any) %description vmware-k8s %{summary}. 
%prep
%setup -T -c
%cargo_prep

%build
# Build every settings plugin crate named below from the shared sources workspace.
%cargo_build --manifest-path %{_builddir}/sources/Cargo.toml \
  -p settings-plugin-aws-dev \
  -p settings-plugin-aws-ecs-2 \
  -p settings-plugin-aws-ecs-3 \
  -p settings-plugin-aws-k8s \
  -p settings-plugin-aws-k8s-nvidia \
  -p settings-plugin-metal-dev \
  -p settings-plugin-vmware-dev \
  -p settings-plugin-vmware-k8s \
  %{nil}

%install
install -d %{buildroot}%{_cross_pluginsdir}
install -d %{buildroot}%{_cross_factorydir}%{_cross_sysconfdir}/ld.so.conf.d
install -d %{buildroot}%{_cross_tmpfilesdir}

for plugin in \
  aws-dev \
  aws-ecs-2 \
  aws-ecs-3 \
  aws-k8s-nvidia \
  aws-k8s \
  metal-dev \
  vmware-dev \
  vmware-k8s \
  ; do
    # Each plugin gets its own directory but the same installed file name,
    # libsettings.so.
    install -d "%{buildroot}%{_cross_pluginsdir}/${plugin}"
    # The built library name replaces '-' and '.' in the plugin name with '_'.
    plugin_so="libsettings_$(echo "${plugin}" | sed -e 's,-,_,g' -e 's,\.,_,g').so"
    install -p -m 0755 \
      "${HOME}/.cache/%{__cargo_target}/release/${plugin_so}" \
      "%{buildroot}%{_cross_pluginsdir}/${plugin}/libsettings.so"
    # Dynamic linker configuration fragment naming this plugin's directory,
    # staged under the factory directory.
    # NOTE(review): all plugins ship the same file name and each adds its
    # directory to the linker search path, so which libsettings.so is loaded
    # depends on exactly one plugin subpackage being installed. The
    # Provides/Conflicts pairs on settings-plugin(any) in the package stanzas
    # appear to enforce that - confirm.
    echo \
      "%{_cross_pluginsdir}/${plugin}" > \
      "%{buildroot}%{_cross_factorydir}%{_cross_sysconfdir}/ld.so.conf.d/${plugin}.conf"
    # tmpfiles.d 'C' entry with no source argument: the fragment is copied into
    # /etc/ld.so.conf.d from the factory copy staged above.
    echo \
      "C /etc/ld.so.conf.d/${plugin}.conf" > \
      "%{buildroot}%{_cross_tmpfilesdir}/settings-plugin-${plugin}.conf"
done

# The main package owns only the plugins directory; each subpackage owns its
# library, its linker configuration fragment and its tmpfiles.d entry.
%files
%dir %{_cross_pluginsdir}

%files aws-dev
%{_cross_pluginsdir}/aws-dev/libsettings.so
%{_cross_factorydir}%{_cross_sysconfdir}/ld.so.conf.d/aws-dev.conf
%{_cross_tmpfilesdir}/settings-plugin-aws-dev.conf

%files aws-ecs-2
%{_cross_pluginsdir}/aws-ecs-2/libsettings.so
%{_cross_factorydir}%{_cross_sysconfdir}/ld.so.conf.d/aws-ecs-2.conf
%{_cross_tmpfilesdir}/settings-plugin-aws-ecs-2.conf

%files aws-ecs-3
%{_cross_pluginsdir}/aws-ecs-3/libsettings.so
%{_cross_factorydir}%{_cross_sysconfdir}/ld.so.conf.d/aws-ecs-3.conf
%{_cross_tmpfilesdir}/settings-plugin-aws-ecs-3.conf

%files aws-k8s
%{_cross_pluginsdir}/aws-k8s/libsettings.so
%{_cross_factorydir}%{_cross_sysconfdir}/ld.so.conf.d/aws-k8s.conf
%{_cross_tmpfilesdir}/settings-plugin-aws-k8s.conf

%files aws-k8s-nvidia
%{_cross_pluginsdir}/aws-k8s-nvidia/libsettings.so
%{_cross_factorydir}%{_cross_sysconfdir}/ld.so.conf.d/aws-k8s-nvidia.conf
%{_cross_tmpfilesdir}/settings-plugin-aws-k8s-nvidia.conf

%files metal-dev
%{_cross_pluginsdir}/metal-dev/libsettings.so
%{_cross_factorydir}%{_cross_sysconfdir}/ld.so.conf.d/metal-dev.conf
%{_cross_tmpfilesdir}/settings-plugin-metal-dev.conf

%files vmware-dev
%{_cross_pluginsdir}/vmware-dev/libsettings.so
%{_cross_factorydir}%{_cross_sysconfdir}/ld.so.conf.d/vmware-dev.conf
%{_cross_tmpfilesdir}/settings-plugin-vmware-dev.conf

%files vmware-k8s
%{_cross_pluginsdir}/vmware-k8s/libsettings.so
%{_cross_factorydir}%{_cross_sysconfdir}/ld.so.conf.d/vmware-k8s.conf
%{_cross_tmpfilesdir}/settings-plugin-vmware-k8s.conf

================================================
FILE: sample-eksctl-ssh.yaml
================================================
---
# Sample eksctl cluster definition with one Bottlerocket node group and SSH
# access to the nodes enabled.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: bottlerocket
  region: us-west-2
  # NOTE(review): '1.24' is older than every aws-k8s variant named in this
  # repository's settings-defaults packaging (1.29 through 1.35); confirm which
  # Kubernetes versions currently have Bottlerocket images and update this value.
  version: '1.24'

nodeGroups:
  - name: ng-bottlerocket
    instanceType: m5.large
    desiredCapacity: 4
    amiFamily: Bottlerocket
    # Nodes must use IMDSv2 session tokens to reach instance metadata.
    disableIMDSv1: true
    iam:
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        # Presumably attached so the nodes can be reached through SSM - confirm.
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
    # Opts the nodes in to SSH with the named EC2 key pair. Enable this only
    # when SSH is actually required, and check which source addresses the
    # generated security group allows on port 22.
    ssh:
      allow: true
      publicKeyName: YOUR_EC2_KEYPAIR_NAME
    bottlerocket:
      settings:
        motd: "Hello from eksctl!"
================================================
FILE: sample-eksctl.yaml
================================================
---
# Sample eksctl cluster definition with one Bottlerocket node group and no SSH
# block.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: bottlerocket
  region: us-west-2
  # NOTE(review): '1.24' is older than every aws-k8s variant named in this
  # repository's settings-defaults packaging (1.29 through 1.35); confirm which
  # Kubernetes versions currently have Bottlerocket images and update this value.
  version: '1.24'

nodeGroups:
  - name: ng-bottlerocket
    instanceType: m5.large
    desiredCapacity: 4
    amiFamily: Bottlerocket
    # Nodes must use IMDSv2 session tokens to reach instance metadata.
    disableIMDSv1: true
    iam:
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        # Presumably attached so the nodes can be reached through SSM - confirm.
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
    bottlerocket:
      settings:
        motd: "Hello from eksctl!"

================================================
FILE: sources/Cargo.toml
================================================
[workspace]
resolver = "1"
members = [
    "api/datastore",
    "api/migration/migration-helpers",
    "bottlerocket-release",
    # NOTE(review): "constants" is listed a second time at the end of this
    # members array.
    "constants",
    "generate-readme",
    "models",
    "retry-read",
    "settings-defaults/aws-dev",
    "settings-defaults/aws-ecs-2",
    "settings-defaults/aws-ecs-2-nvidia",
    "settings-defaults/aws-ecs-3",
    "settings-defaults/aws-ecs-3-nvidia",
    "settings-defaults/aws-k8s-1.31",
    "settings-defaults/aws-k8s-1.31-nvidia",
    "settings-defaults/aws-k8s-1.32",
    "settings-defaults/aws-k8s-1.32-nvidia",
    "settings-defaults/aws-k8s-1.33",
    "settings-defaults/aws-k8s-1.33-nvidia",
    "settings-defaults/aws-k8s-1.34",
    "settings-defaults/aws-k8s-1.34-nvidia",
    "settings-defaults/aws-k8s-1.35",
    "settings-defaults/aws-k8s-1.35-nvidia",
    "settings-defaults/metal-dev",
    "settings-defaults/metal-k8s-1.30",
    "settings-defaults/vmware-dev",
    "settings-defaults/vmware-k8s-1.32",
    "settings-defaults/vmware-k8s-1.33",
    "settings-defaults/vmware-k8s-1.34",
    "settings-defaults/vmware-k8s-1.35",
    # (all previous migrations archived; add new ones after this line)
    "settings-migrations/v1.34.0/kubelet-device-plugins-mig-settings",
    "settings-migrations/v1.36.0/kubernetes-ecr-credential-providers-expansion",
"settings-migrations/v1.37.0/delete-configs-and-services-on-downgrade", "settings-migrations/v1.39.0/kubelet-setting-container-log-single-process-oom-kill", "settings-migrations/v1.40.0/kubelet-device-plugins-cdi-settings", "settings-migrations/v1.41.0/kubernetes-ecr-credential-providers-correction", "settings-migrations/v1.42.0/kubernetes-memory-swap-behavior-setting", "settings-migrations/v1.44.0/container-runtime-plugins-settings", "settings-migrations/v1.44.0/container-runtime-snapshotter-setting", "settings-migrations/v1.46.0/kubernetes-static-pods-enabled-setting", "settings-migrations/v1.47.0/container-runtime-concurrent-download-chunk-size", "settings-migrations/v1.47.0/host-bootstrap-containers-command-setting", "settings-migrations/v1.50.0/kubernetes-reserved-pid-settings", "settings-migrations/v1.51.0/kubernetes-ecr-credential-provider-patterns", "settings-migrations/v1.51.0/kubernetes-additional-settings", "settings-migrations/v1.51.0/kubernetes-beta-cpu-manager-policy-options", "settings-migrations/v1.54.0/kubelet-device-plugins-mps-settings", "settings-migrations/v1.54.0/kubelet-device-plugins-mps-prefix-settings", "settings-migrations/v1.56.0/image-verifier-plugins-extensible", "settings-plugins/aws-dev", "settings-plugins/aws-ecs-2", "settings-plugins/aws-ecs-3", "settings-plugins/aws-k8s", "settings-plugins/aws-k8s-nvidia", "settings-plugins/metal-dev", "settings-plugins/metal-k8s", "settings-plugins/vmware-dev", "settings-plugins/vmware-k8s", "constants", ] [workspace.dependencies] bottlerocket-release = { version = "0.1", path = "bottlerocket-release" } constants = { version = "0.1", path = "constants" } datastore = { version = "0.1", path = "api/datastore" } generate-readme = { version = "0.1", path = "generate-readme" } migration-helpers = { version = "0.1.0", path = "api/migration/migration-helpers" } models = { version = "0.1", path = "models" } retry-read = { version = "0.1", path = "retry-read" } abi_stable = "0.11.3" argh = "0.1" 
async-trait = "0.1"
aws-lc-rs = "1"
base64 = "0.21"
cached = "0.49"
cargo-readme = "3"
dns-lookup = "2"
envy = "0.4"
futures = { version = "0.3", default-features = false }
futures-channel = { version = "0.3", default-features = false }
handlebars = "4"
http = "0.2"
httparse = "1"
hyper = { version = "0.14", default-features = false }
hyper-unix-connector = "0.2"
lazy_static = "1"
libc = "0.2"
log = "0.4"
maplit = "1.0"
nix = "0.26"
num_cpus = "1"
percent-encoding = "2"
pest = "2.5"
pest_derive = "2.5"
rand = "0.8"
regex = "1"
reqwest = { version = "0.12", default-features = false }
rustls = "0.23"
semver = "1"
serde = "1"
serde_json = "1"
serde_plain = "1"
shlex = "1"
signal-hook = "0.3"
simplelog = "0.12"
snafu = "0.8"
tokio = { version = "~1.43", default-features = false }
tokio-tungstenite = { version = "0.20", default-features = false }
toml = "0.8"
unindent = "0.1"
url = "2"
walkdir = "2"

# The five tables below all take their crate from the same git repository at
# the same tag; `version` is the requirement the crate found there must satisfy.
# NOTE(review): a tag is a movable ref, so the commit that is actually built is
# whatever the lock file recorded when the tag was resolved. Confirm that
# Cargo.lock is committed and that builds run with --locked, or pin each table
# with `rev` set to a full commit hash.
[workspace.dependencies.bottlerocket-defaults-helper]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-settings-models-v0.21.0"
version = "0.1.1"

[workspace.dependencies.bottlerocket-modeled-types]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-settings-models-v0.21.0"
version = "0.14.0"

[workspace.dependencies.bottlerocket-settings-models]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-settings-models-v0.21.0"
version = "0.21.0"

[workspace.dependencies.bottlerocket-settings-plugin]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-settings-models-v0.21.0"
version = "0.1.0"

[workspace.dependencies.settings-extension-oci-defaults]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-settings-models-v0.21.0"
version = "0.1.0"

# Release builds keep debug information.
[profile.release]
debug = true

================================================
FILE: sources/README.md
================================================
##
Sources The `sources/` directory contains most of Bottlerocket's first-party code. Each subdirectory contains related code that's built together in one package in the `../packages/` directory. Each subdirectory has its own README - please read further inside. ================================================ FILE: sources/api/.gitignore ================================================ /target ================================================ FILE: sources/api/datastore/.gitignore ================================================ /target **/*.rs.bk ================================================ FILE: sources/api/datastore/Cargo.toml ================================================ [package] name = "datastore" version = "0.1.0" authors = ["Tom Kirchner "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false build = "build.rs" # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] log.workspace = true percent-encoding.workspace = true serde = { workspace = true, features = ["derive"] } serde_json.workspace = true snafu.workspace = true walkdir.workspace = true serde_plain.workspace = true [build-dependencies] generate-readme.workspace = true [dev-dependencies] maplit.workspace = true toml.workspace = true ================================================ FILE: sources/api/datastore/README.md ================================================ # datastore Current version: 0.1.0 ## Background A 'data store' in Bottlerocket is responsible for storing key/value pairs and metadata about those pairs, with the ability to commit changes in transactions. For more detail about their usage, see [apiserver](../apiserver). ## Library This library provides a trait defining the exact requirements, along with basic implementations for filesystem and memory data stores. There's also a common error type and some methods that implementations of DataStore should generally share, like scalar serialization. 
We represent scalars -- the actual values stored under a datastore key -- using JSON, just to have a convenient human-readable form. (TOML doesn't allow raw scalars. The JSON spec doesn't seem to either, but this works, and the format is so simple for scalars that it could be easily swapped out if needed.) ## Serialization and deserialization The `serialization` module provides code to serialize Rust types into a mapping of datastore-acceptable keys (a.b.c) and values. The `deserialization` module provides code to deserialize datastore-acceptable keys (a.b.c) and values into Rust types. ## Current limitations * The user (e.g. apiserver) needs to handle locking. * There's no support for rolling back transactions. * The `serialization` module can't handle complex types under lists; it assumes lists can be serialized as scalars. ## Colophon This text was generated using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`. ================================================ FILE: sources/api/datastore/README.tpl ================================================ # {{crate}} Current version: {{version}} {{readme}} ## Colophon This text was generated using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`. ================================================ FILE: sources/api/datastore/build.rs ================================================ fn main() { generate_readme::from_lib().unwrap(); } ================================================ FILE: sources/api/datastore/src/constraints_check.rs ================================================ //! The outcome of the constraint check determines whether the transaction can proceed to commit. //! A ‘rejected’ result means that one or more constraints have not been satisfied, //! preventing the transaction from being committed. On the other hand, an ‘approved’ //! result confirms that all constraints are satisfied and provides the required //! 
settings and metadata for the commit. //! Constraint checks can alter the write. use std::collections::HashMap; use crate::{error, Key}; type RejectReason = String; /// Represents a successful write operation after constraints have been approved. /// Contains the following fields: /// - `settings`: A collection of key-value pairs representing the settings to be committed. /// - `metadata`: A collection of metadata entries. #[derive(PartialEq)] pub struct ApprovedWrite { pub settings: HashMap, pub metadata: Vec<(Key, Key, String)>, } /// Represents the result of a constraint check. /// The result can either reject the operation or approve it with the required data. #[derive(PartialEq)] pub enum ConstraintCheckResult { Reject(RejectReason), Approve(ApprovedWrite), } impl TryFrom for ApprovedWrite { type Error = error::Error; fn try_from(constraint_check_result: ConstraintCheckResult) -> Result { match constraint_check_result { ConstraintCheckResult::Reject(err) => error::ConstraintCheckRejectSnafu { err }.fail(), ConstraintCheckResult::Approve(approved_write) => Ok(approved_write), } } } impl From> for ConstraintCheckResult { fn from(approved_write: Option) -> Self { match approved_write { None => ConstraintCheckResult::Reject( "The write for the given transaction is rejected".to_string(), ), Some(approved_write) => ConstraintCheckResult::Approve(approved_write), } } } ================================================ FILE: sources/api/datastore/src/deserialization/error.rs ================================================ use serde::de; use snafu::{IntoError, NoneError as NoSource, Snafu}; use crate::{Error as DataStoreError, ScalarError}; /// Potential errors from deserialization. #[derive(Debug, Snafu)] #[snafu(visibility(pub))] pub enum Error { // This error variant is required to implement ser::Error for serde. 
#[snafu(display("Error during deserialization: {}", msg))] Message { msg: String }, #[snafu(display("Error deserializing scalar value: {}", source))] DeserializeScalar { source: ScalarError }, #[snafu(display( "Data store deserializer must be used on a struct, or you must give a prefix" ))] BadRoot {}, #[snafu(display( "Removal of prefix '{}' from key '{}' failed: {}", prefix, name, source ))] StripPrefix { prefix: String, name: String, #[snafu(source(from(DataStoreError, Box::new)))] source: Box, }, #[snafu(display("Prefix '{}' is not a valid key: {}", prefix, source))] InvalidPrefix { prefix: String, #[snafu(source(from(DataStoreError, Box::new)))] source: Box, }, } pub type Result = std::result::Result; impl de::Error for Error { fn custom(msg: T) -> Self { MessageSnafu { msg: msg.to_string(), } .into_error(NoSource) } } ================================================ FILE: sources/api/datastore/src/deserialization/mod.rs ================================================ //! The deserialization module implements generic deserialization techniques that are particularly //! useful for populating Rust structures from the datastore. mod error; mod pairs; pub use error::{Error, Result}; pub use pairs::{from_map, from_map_with_prefix}; ================================================ FILE: sources/api/datastore/src/deserialization/pairs.rs ================================================ //! The goal of this module is to be able to turn a mapping of dotted keys -> values into a //! populated structure. The keys are of the form "a.b.c" and match up to nested structures //! A { B { C } }. //! //! For example, with these structures: //! struct A { //! b: B, //! } //! //! struct B { //! c: u64, //! d: u64, //! } //! //! An input map of {"a.b.c": 42, "a.b.d": 43} would return a populated structure: //! A { //! B { //! c: 42, //! d: 43, //! } //! } //! //! Note: serde deserialization is harder to understand than serialization, so this implementation //! 
was kept as simple as possible rather than taking advantage of all of the structure that serde //! provides. forward_to_deserialize_any lets us omit most type-specific functions so we can //! handle all scalars the same and all compound structures the same; see ValueDeserializer. //! //! The primary work is done by serde's MapDeserializer; it abstracts away the need to build the //! visitor that serde expects. It gives us the name of a field in a structure, and we have to //! provide the value. We use it recursively, and at each recursion, append a dot and the name of //! the field to our "path" string. In the example above, when we're looking at field "c", path //! would be "a.b", so we know we should look for "a.b.c" in our input mapping. use log::{error, trace}; use serde::de::{value::MapDeserializer, IntoDeserializer, Visitor}; use serde::{forward_to_deserialize_any, Deserialize}; use snafu::ResultExt; use std::borrow::Borrow; use std::collections::{HashMap, HashSet, VecDeque}; use std::hash::Hash; use super::{error, Error, Result}; use crate::{deserializer_for_scalar, Key, KeyType, ScalarDeserializer}; /// This is the primary interface to deserialization. We turn the input map into the requested /// output type, assuming all non-Option fields are provided, etc. /// /// This only allows for deserialization into structs; to deserialize into maps, see /// from_map_with_prefix. /// /// The BuildHasher bound on the input HashMap lets you use a HashMap with any hashing /// implementation. This is just an implementation detail and not something you have to specify /// about your input HashMap - any HashMap using string-like key/value types is fine. 
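pub fn from_map<'de, K, S, T, BH>(map: &'de HashMap<K, S, BH>) -> Result<T>
where
    K: Borrow<Key> + Eq + Hash,
    S: AsRef<str>,
    T: Deserialize<'de>,
    BH: std::hash::BuildHasher,
{
    // Start with every key of the input and no path; for a struct target the path is derived
    // from the struct name in CompoundDeserializer::deserialize_struct.
    let all_keys = map.keys().map(|k| k.borrow().clone()).collect();
    let de = CompoundDeserializer::new(map, all_keys, None);
    trace!("Deserializing keys: {:?}", de.keys);
    T::deserialize(de)
}

/// This is an alternate interface to deserialization that allows deserializing into maps.
///
/// To use this, you need to provide a string prefix, which represents the prefix of the map keys
/// that needs to be stripped away in order to match the map's expected fields.
///
/// For example, if you have `type Services = HashMap` and you have map keys like
/// "services.x.y.z", then you need to strip away the "services" component that represents the
/// map's "name", otherwise we'd think you have a "services" key in the map itself. (The dot is
/// removed automatically, you don't need to specify it.)
///
/// This isn't necessary for structs because serde knows the struct's name, so we
/// can strip it automatically.
///
/// Returns an `InvalidPrefix` error when the given prefix is not accepted by `Key::new` as a
/// data key.
pub fn from_map_with_prefix<'de, K, S, T, BH>(
    prefix: Option<String>,
    map: &'de HashMap<K, S, BH>,
) -> Result<T>
where
    K: Borrow<Key> + Eq + Hash,
    S: AsRef<str>,
    T: Deserialize<'de>,
    BH: std::hash::BuildHasher,
{
    // The prefix is validated as a data Key before any deserialization happens; a missing
    // prefix stays None and is handled by the deserializer itself.
    let key_prefix = prefix
        .as_ref()
        .map(|p| Key::new(KeyType::Data, p).context(error::InvalidPrefixSnafu { prefix: p }))
        .transpose()?;

    let all_keys = map.keys().map(|k| k.borrow().clone()).collect();
    let de = CompoundDeserializer::new(map, all_keys, key_prefix);
    trace!(
        "Deserializing keys with prefix {:?}: {:?}",
        de.path,
        de.keys
    );
    T::deserialize(de)
}

/// ValueDeserializer is what interfaces with serde's MapDeserializer, which expects to receive a
/// key name and a deserializer for it on each iteration, i.e. for each field. Based on whether
/// the key name has a dot, we know if we need to recurse again or just deserialize a final value,
/// which we represent as the two arms of the enum.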
enum ValueDeserializer<'de, K, S, BH> { Scalar(ScalarDeserializer<'de>), Compound(CompoundDeserializer<'de, K, S, BH>), } impl<'de, K, S, BH> serde::de::Deserializer<'de> for ValueDeserializer<'de, K, S, BH> where K: Borrow + Eq + Hash, S: AsRef, BH: std::hash::BuildHasher, { type Error = Error; /// Here we either pass off a scalar value to actually turn into a Rust data type, or /// recursively call our CompoundDeserializer to handle nested structure. fn deserialize_any(self, visitor: V) -> Result where V: Visitor<'de>, { match self { ValueDeserializer::Scalar(mut scalar_deserializer) => { trace!("Handing off to scalar deserializer for deserialize_any"); scalar_deserializer .deserialize_any(visitor) .context(error::DeserializeScalarSnafu) } ValueDeserializer::Compound(compound_deserializer) => { compound_deserializer.deserialize_map(visitor) } } } /// Here we deserialize values into Some(value) for any Option fields to represent that /// yes, we do indeed have the data. fn deserialize_option(self, visitor: V) -> Result where V: Visitor<'de>, { match self { ValueDeserializer::Scalar(mut scalar_deserializer) => { trace!("Handing off to scalar deserializer for deserialize_option"); scalar_deserializer .deserialize_option(visitor) .context(error::DeserializeScalarSnafu) } ValueDeserializer::Compound(compound_deserializer) => { compound_deserializer.deserialize_option(visitor) } } } forward_to_deserialize_any! 
{ bool i8 i16 i32 i64 i128 u8 u16 u32 u64 u128 f32 f64 char str string bytes byte_buf unit unit_struct newtype_struct seq tuple tuple_struct map struct enum identifier ignored_any } } impl<'de, K, S, BH> IntoDeserializer<'de, Error> for ValueDeserializer<'de, K, S, BH> where K: Borrow + Eq + Hash, S: AsRef, BH: std::hash::BuildHasher, { type Deserializer = Self; fn into_deserializer(self) -> Self::Deserializer { self } } /// CompoundDeserializer is our main structure that drives serde's MapDeserializer and stores the /// state we need to understand the recursive structure of the output. struct CompoundDeserializer<'de, K, S, BH> { /// A reference to the input data we're deserializing. map: &'de HashMap, /// The keys that we need to consider in this iteration. Starts out the same as the keys /// of the input map, but on recursive calls it's only the keys that are relevant to the /// sub-struct we're handling, with the duplicated prefix (the 'path') removed. keys: HashSet, /// The path tells us where we are in our recursive structures. path: Option, } impl<'de, K, S, BH> CompoundDeserializer<'de, K, S, BH> where BH: std::hash::BuildHasher, { fn new( map: &'de HashMap, keys: HashSet, path: Option, ) -> CompoundDeserializer<'de, K, S, BH> { CompoundDeserializer { map, keys, path } } } fn bad_root() -> Result { error::BadRootSnafu.fail() } impl<'de, K, S, BH> serde::de::Deserializer<'de> for CompoundDeserializer<'de, K, S, BH> where K: Borrow + Eq + Hash, S: AsRef, BH: std::hash::BuildHasher, { type Error = Error; fn deserialize_struct( mut self, name: &'static str, _fields: &'static [&'static str], visitor: V, ) -> Result where V: Visitor<'de>, { // On the first interaction for a struct, we won't have a prefix yet, unless the user called // from_map_with_prefix and specified it. We can make the prefix from the struct name. 
// (Recursive calls will have a path but no name, because we always treat nested structures // as maps, because we don't need any nested struct names and it lets us use the nice // MapDeserializer.) if !name.is_empty() { trace!("Path before name check: {:?}", self.path); if self.path.is_none() { self.path = Some( // to_lowercase handles the discrepancy between key naming and struct naming; // this initial 'path' creation is the only place we take the struct name from // serde, per above comment. Key::from_segments(KeyType::Data, &[name.to_lowercase()]) .context(error::InvalidPrefixSnafu { prefix: name })?, ); } trace!("Path after name check: {:?}", self.path); } if let Some(ref path) = self.path { // Remove the known path from the beginning of the keys. serde doesn't care about the // name of the top-level struct, just the fields inside, so we have to remove it before // handing it to the MapDeserializer. (Our real customer is the one specifying the // dotted keys, and we always use the struct name there for clarity.) trace!("Keys before path strip: {:?}", self.keys); let mut new_keys = HashSet::new(); for key in self.keys { new_keys.insert(key.strip_prefix_segments(path.segments()).context( error::StripPrefixSnafu { prefix: path.name(), name: key.name(), }, )?); } self.keys = new_keys; trace!("Keys after path strip: {:?}", self.keys); } // We have to track which structs we've already handled and skip over them. This is // because we could get keys like "a.b.c" and "a.b.d", so we'll see that "a" prefix // twice at the top level, but by the time we see the second one we've already recursed // and handled all of "a" from the first one. let mut structs_done = HashSet::new(); // As mentioned above, MapDeserializer does a lot of nice work for us. We just need to // give it an iterator that yields (key, deserializer) pairs. The nested deserializers // have the appropriate 'path' and a subset of 'keys' so they can do their job. 
visitor.visit_map(MapDeserializer::new(self.keys.iter().filter_map(|key| { let mut segments: VecDeque<_> = key.segments().clone().into(); // Inside this filter_map closure, we can't return early from the outer function, so we // log an error and skip the key. Errors in this path are generally logic errors // rather than user errors, so this isn't so bad. let struct_name = match segments.pop_front() { Some(s) => s, None => { error!("Logic error - Key segments.pop_front failed, empty Key?"); return None; } }; trace!("Visiting key '{}', struct name '{}'", key, &struct_name); // At the top level (None path) we start with struct_name as Key, otherwise append // struct_name. trace!("Old path: {:?}", &self.path); let path = match self.path { None => match Key::from_segments(KeyType::Data, &[&struct_name]) { Ok(key) => key, Err(e) => { error!( "Tried to construct invalid key from struct name '{}', skipping: {}", &struct_name, e ); return None; } }, Some(ref old_path) => match old_path.append_segments(&[&struct_name]) { Ok(key) => key, Err(e) => { error!( "Appending '{}' to existing key '{}' resulted in invalid key, skipping: {}", old_path, &struct_name, e ); return None; } } }; trace!("New path: {}", &path); if !segments.is_empty() { if structs_done.contains(&struct_name) { // We've handled this structure with a recursive call, so we're done. trace!("Already handled struct '{}', skipping", &struct_name); None } else { // Otherwise, mark it, and recurse. structs_done.insert(struct_name.clone()); // Subset the keys so the recursive call knows what it needs to handle - // only things starting with the new path. 
let keys = self .keys .iter() .filter(|new_key| new_key.starts_with_segments(&[&struct_name])) // Remove the prefix - should always work, but log and skip the key otherwise .filter_map(|new_key| new_key .strip_prefix(&struct_name) .map_err(|e| error!("Key starting with segment '{}' couldn't remove it as prefix: {}", &struct_name, e)).ok()) .collect(); // And here's what MapDeserializer expects, the key and deserializer for it trace!( "Recursing for struct '{}' with keys: {:?}", &struct_name, keys ); Some(( struct_name, ValueDeserializer::Compound(CompoundDeserializer::new( self.map, keys, Some(path), )), )) } } else { // No dot, so we have a scalar; hand the data to a scalar deserializer. trace!( "Key '{struct_name}' is scalar, getting '{path}' from input to deserialize" ); let val = self.map.get(&path)?; Some(( struct_name, ValueDeserializer::Scalar(deserializer_for_scalar(val.as_ref())), )) } }))) } /// We use deserialize_map for all maps, including top-level maps, but to allow top-level maps /// we require that the user specified a prefix for us using from_map_with_prefix. /// /// We also use it for structs below the top level, because you don't need a name once you're /// recursing - you'd always be pointed to by a struct field or map key whose name we use. fn deserialize_map(self, visitor: V) -> Result where V: Visitor<'de>, { match self.path { Some(_) => self.deserialize_struct("", &[], visitor), None => bad_root(), } } fn deserialize_option(self, visitor: V) -> Result where V: Visitor<'de>, { visitor.visit_some(self) } /// Scalar types, and compound types we can't use at the root, are forwarded here to be /// rejected. (Compound types need to have a name to serve at the root level.) 
fn deserialize_any(self, visitor: V) -> Result where V: Visitor<'de>, { if self.path.is_none() { return self.deserialize_struct("settings", &[], visitor); } bad_root() } // This gives us the rest of the implementations needed to compile, and forwards them to the // function above that will reject them. forward_to_deserialize_any! { bool i8 i16 i32 i64 i128 u8 u16 u32 u64 u128 f32 f64 char str string bytes byte_buf unit unit_struct newtype_struct seq tuple tuple_struct enum identifier ignored_any } } #[cfg(test)] mod test { use super::{from_map, from_map_with_prefix}; use crate::{deserialization::Error, Key, KeyType}; use maplit::hashmap; use serde::Deserialize; use std::collections::HashMap; // Helper macro for making a data Key for testing whose name we know is valid. macro_rules! key { ($name:expr) => { Key::new(KeyType::Data, $name).unwrap() }; } #[derive(Debug, Deserialize, PartialEq)] struct A { id: Option, name: String, list: Vec, nested: B, map: HashMap, } #[derive(Debug, Deserialize, PartialEq)] struct B { a: String, b: bool, c: Option, d: Option, } #[derive(Debug, Deserialize, PartialEq)] struct C { boolean: bool, } #[test] fn basic_struct_works() { let c: C = from_map(&hashmap! { key!("c.boolean") => "true".to_string(), }) .unwrap(); assert_eq!(c, C { boolean: true }); } #[test] fn deep_struct_works() { let a: A = from_map(&hashmap! { key!("a.id") => "1".to_string(), key!("a.name") => "\"it's my name\"".to_string(), key!("a.list") => "[1,2, 3, 4]".to_string(), key!("a.map.a") => "\"answer is always map\"".to_string(), key!("a.nested.a") => "\"quite nested\"".to_string(), key!("a.nested.b") => "false".to_string(), key!("a.nested.c") => "null".to_string(), key!("a.nested.d.boolean") => "true".to_string(), }) .unwrap(); assert_eq!( a, A { id: Some(1), name: "it's my name".to_string(), list: vec![1, 2, 3, 4], map: hashmap! 
{ "a".to_string() => "answer is always map".to_string(), }, nested: B { a: "quite nested".to_string(), b: false, c: None, d: Some(C { boolean: true }) } } ); } #[test] fn map_doesnt_work_at_root() { let a: Result, Error> = from_map(&hashmap! { key!("a") => "\"it's a\"".to_string(), key!("b") => "\"it's b\"".to_string(), }); a.unwrap_err(); } #[test] fn map_works_at_root_with_prefix() { let map = &hashmap! { key!("x.boolean") => "true".to_string() }; let x: HashMap = from_map_with_prefix(Some("x".to_string()), map).unwrap(); assert_eq!( x, hashmap! { "boolean".to_string() => true, } ); } #[derive(Debug, Deserialize, PartialEq)] struct Bad { id: u64, } #[test] fn disallowed_data_type() { let bad: Result = from_map(&hashmap! { key!("id") => "42".to_string(), }); bad.unwrap_err(); } } ================================================ FILE: sources/api/datastore/src/error.rs ================================================ use snafu::Snafu; use std::io; use std::path::PathBuf; use super::{serialization, ScalarError}; /// Possible errors from datastore operations. 
#[derive(Debug, Snafu)] #[snafu(visibility(pub))] pub enum Error { #[snafu(display("Error serializing {}: {} ", given, source))] Serialization { given: String, source: serialization::Error, }, #[snafu(display("Error serializing scalar {}: {} ", given, source))] SerializeScalar { given: String, source: ScalarError }, #[snafu(display("Key would traverse outside data store: {}", name))] PathTraversal { name: String }, #[snafu(display("Reading key '{}' failed: {}", key, source))] KeyRead { key: String, source: io::Error }, #[snafu(display("Removing key at '{}' failed: {}", path.display(), source))] DeleteKey { path: PathBuf, source: io::Error }, #[snafu(display("IO error on '{}': {}", path.display(), source))] Io { path: PathBuf, source: io::Error }, #[snafu(display("Can't handle non-Unicode file for {}: {}", context, file))] NonUnicodeFile { file: String, context: String }, #[snafu(display("Data store logic error: {}", msg))] Internal { msg: String }, #[snafu(display("Data store integrity violation at {}: {}", path.display(), msg))] Corruption { msg: String, path: PathBuf }, #[snafu(display("Error building data store path: {}", source))] Path { source: std::path::StripPrefixError }, #[snafu(display("Error listing datastore keys: {}", source))] ListKeys { source: walkdir::Error }, #[snafu(display("Listed key '{}' not found on disk", key))] ListedKeyNotPresent { key: String }, #[snafu(display( "Listed metadata '{}' for key '{}' not found on disk", meta_key, data_key ))] ListedMetaNotPresent { meta_key: String, data_key: String }, #[snafu(display("Key name '{}' has invalid format: {}", name, msg))] InvalidKey { name: String, msg: String }, #[snafu(display("Key name beyond maximum length {}: {}", name, max))] KeyTooLong { name: String, max: usize }, #[snafu(display("Unable to serialize data: {}", source))] Serialize { source: serde_json::Error }, #[snafu(display("Unable to run the check constraint function: {}", source))] CheckConstraintExecution { source: Box, }, 
#[snafu(display( "Check constraint function rejected the transaction. Aborting commit : {}", err ))] ConstraintCheckReject { err: String }, } pub type Result = std::result::Result; ================================================ FILE: sources/api/datastore/src/filesystem.rs ================================================ //! This implementation of the DataStore trait relies on the filesystem for data and metadata //! storage. //! //! Data is kept in files with paths resembling the keys, e.g. a/b/c for a.b.c, and metadata is //! kept in a suffixed file next to the data, e.g. a/b/c.meta for metadata "meta" about a.b.c use log::{debug, error, trace}; use percent_encoding::{percent_decode_str, utf8_percent_encode, AsciiSet, NON_ALPHANUMERIC}; use snafu::{ensure, OptionExt, ResultExt}; use std::collections::{HashMap, HashSet}; use std::fs; use std::io; use std::path::{self, Path, PathBuf}; use walkdir::{DirEntry, WalkDir}; use crate::constraints_check::{ApprovedWrite, ConstraintCheckResult}; use super::key::{Key, KeyType}; use super::{error, Committed, DataStore, Result}; const METADATA_KEY_PREFIX: &str = "."; // This describes the set of characters we encode when making the filesystem path for a given key. // Any non-ASCII characters, plus these ones, will be encoded. // We start off very strict (anything not alphanumeric) and remove characters we'll allow. // To make inspecting the filesystem easier, we allow any filesystem-safe characters that are // allowed in a Key. const ENCODE_CHARACTERS: &AsciiSet = &NON_ALPHANUMERIC.remove(b'_').remove(b'-'); #[derive(Debug)] pub struct FilesystemDataStore { live_path: PathBuf, pending_base_path: PathBuf, } impl FilesystemDataStore { pub fn new>(base_path: P) -> FilesystemDataStore { FilesystemDataStore { live_path: base_path.as_ref().join("live"), pending_base_path: base_path.as_ref().join("pending"), } } /// Returns the appropriate filesystem path for pending or live data. 
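fn base_path(&self, committed: &Committed) -> PathBuf {
    match committed {
        // The transaction name is percent-encoded like a key segment, so a separator or dot
        // in the name cannot introduce extra path components under the pending base.
        Committed::Pending { tx } => self.pending_base_path.join(encode_path_component(tx)),
        Committed::Live => self.live_path.clone(),
    }
}

/// Returns the appropriate path on the filesystem for the given data key.
///
/// Fails with `PathTraversal` when the joined path equals the base path or does not start
/// with it.
fn data_path(&self, key: &Key, committed: &Committed) -> Result<PathBuf> {
    let base_path = self.base_path(committed);

    // Encode key segments so they're filesystem-safe
    let encoded: Vec<_> = key.segments().iter().map(encode_path_component).collect();
    // Join segments with filesystem separator to get path underneath data store
    let path_suffix = encoded.join(path::MAIN_SEPARATOR_STR);

    // Make path from base + prefix
    // FIXME: canonicalize requires that the full path exists. We know our Key is checked
    // for acceptable characters, so join should be safe enough, but come back to this.
    // let path = fs::canonicalize(self.base_path.join(path_suffix))?;
    let path = base_path.join(path_suffix);

    // Confirm no path traversal outside of base.
    // NOTE(review): Path::starts_with compares path components lexically; it resolves neither
    // `..` nor symlinks. The guard therefore depends on encode_path_component having escaped
    // `.` and the separator in every segment, and a symlink already present inside the data
    // store directory would not be detected here.
    ensure!(
        path != *base_path && path.starts_with(base_path),
        error::PathTraversalSnafu { name: key.name() }
    );

    Ok(path)
}

/// Returns the appropriate path on the filesystem for the given metadata key.
///
/// The result is the data key's path with `METADATA_KEY_PREFIX` and the encoded first segment
/// of the metadata key appended to the file name.
fn metadata_path(
    &self,
    metadata_key: &Key,
    data_key: &Key,
    committed: &Committed,
) -> Result<PathBuf> {
    let path = self.data_path(data_key, committed)?;

    // We want to add to the existing file name, not create new path components (directories),
    // so we use a string type rather than a path type.
    let mut path_str = path.into_os_string();

    // Key names have quotes as necessary to identify segments with special characters, so
    // we don't think "a.b" is actually two segments, for example.
    // Metadata keys only have a single segment, and we encode that as a single path
    // component, so we don't need the quotes in the filename.
    let raw_key_name = metadata_key
        .segments()
        .first()
        .context(error::InternalSnafu {
            msg: "metadata key with no segments",
        })?;

    // Encoding also escapes any dot in the metadata name, so the prefix pushed below is the
    // only unencoded dot in the resulting file name.
    let encoded_meta = encode_path_component(raw_key_name);
    path_str.push(METADATA_KEY_PREFIX);
    path_str.push(encoded_meta);

    Ok(path_str.into())
}

/// Deletes the given path from the filesystem. Also removes the parent directory if empty
/// (repeatedly, up to the base path), so as to have consistent artifacts on the filesystem
/// after adding and removing keys.
///
/// If the path doesn't exist, we still return Ok for idempotency, but if it exists and we
/// fail to remove it, we return Err.
///
/// If we fail to remove an empty directory, we log an error, but still return Ok. (The
/// error for trying to remove an empty directory is not specific, and we don't want to rely
/// on platform-specific error codes or the error description. We could check the directory
/// contents ourselves, but it would be more complex and subject to timing issues.)
///
/// NOTE(review): the upward walk only stops at the base path for `committed`; this presumably
/// expects `path` to come from data_path/metadata_path with the same `committed` - confirm at
/// the call sites.
fn delete_key_path<P>(&mut self, path: P, committed: &Committed) -> Result<()>
where
    P: AsRef<Path>,
{
    // "Directory not empty" has no ErrorKind used here, so it is recognised by its raw errno.
    // 39 is ENOTEMPTY on Linux; other platforms use different numbers.
    const ENOTEMPTY: i32 = 39;

    let path = path.as_ref();

    // Remove the file. If it doesn't exist, we're still OK.
    if let Err(e) = fs::remove_file(path) {
        if e.kind() != io::ErrorKind::NotFound {
            return Err(e).context(error::DeleteKeySnafu { path });
        }
    }

    // Remove the directory if it's empty, i.e. if the setting we removed was the last setting
    // in that prefix. Continue up the tree until the base, in case it was the only thing in
    // that subtree.
    let base = self.base_path(committed);
    if let Some(parent) = path.parent() {
        // Note: ancestors() includes 'parent' itself
        for parent in parent.ancestors() {
            // Stop at the base directory; we don't expect anything here or above to be empty,
            // but stop as a safeguard.
            if parent == base {
                break;
            }

            let Err(e) = fs::remove_dir(parent) else {
                // Directory removed; try the next one up.
                continue;
            };

            // If the directory doesn't exist, continue up the tree. Modulo timing issues,
            // this means the key didn't exist either, which means a previous attempt to remove
            // the directory failed or we got an unset request for a bogus key. Either way, we
            // can clean up and make things consistent.
            if e.kind() == io::ErrorKind::NotFound {
                continue;
            }

            // A non-empty directory is the expected reason to stop; anything else is logged.
            // Don't fail, though, because we've still accomplished our main purpose.
            if e.raw_os_error() != Some(ENOTEMPTY) {
                error!(
                    "Failed to delete directory '{}' we believe is empty: {}",
                    parent.display(),
                    e
                );
            }

            // We won't be able to delete parent directories if this one still exists.
            break;
        }
    }

    Ok(())
}
} // end of impl FilesystemDataStore

// Filesystem helpers

/// Encodes a string so that it's safe to use as a filesystem path component.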
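fn encode_path_component<S: AsRef<str>>(segment: S) -> String {
    // ENCODE_CHARACTERS decides which ASCII characters are escaped; utf8_percent_encode also
    // escapes every non-ASCII byte.
    utf8_percent_encode(segment.as_ref(), ENCODE_CHARACTERS).to_string()
}

/// Decodes a path component, removing the encoding that's applied to make it filesystem-safe.
///
/// `path` is only used to describe the location in the `Corruption` error returned when the
/// decoded bytes are not valid UTF-8.
fn decode_path_component<S, P>(segment: S, path: P) -> Result<String>
where
    S: AsRef<str>,
    P: AsRef<Path>,
{
    let segment = segment.as_ref();

    // decode_utf8 will only fail if someone messed with the filesystem contents directly
    // and created a filename that contains percent-encoded bytes that are invalid UTF-8.
    let decoded = percent_decode_str(segment).decode_utf8().ok();

    decoded
        // Get back a plain String.
        .map(|cow| cow.into_owned())
        .context(error::CorruptionSnafu {
            path: path.as_ref(),
            msg: format!("invalid UTF-8 in encoded segment '{segment}'"),
        })
}

/// Helper for reading a key from the filesystem. Returns Ok(None) if the file doesn't exist
/// rather than erroring.
fn read_file_for_key(key: &Key, path: &Path) -> Result<Option<String>> {
    match fs::read_to_string(path) {
        Ok(contents) => Ok(Some(contents)),
        // A missing file means the key is unset, which is not an error for callers.
        Err(e) if e.kind() == io::ErrorKind::NotFound => Ok(None),
        Err(e) => Err(e).context(error::KeyReadSnafu { key: key.name() }),
    }
}

/// Helper for writing a file that makes the directory tree beforehand, so we can handle
/// arbitrarily dotted keys without needing to create fixed structure first.
///
/// NOTE(review): directories and the file are created with the process defaults; nothing here
/// sets permissions, and fs::write replaces the contents in place rather than atomically -
/// confirm that callers do not depend on either.
fn write_file_mkdir<S: AsRef<str>>(path: PathBuf, data: S) -> Result<()> {
    // create key prefix directory if necessary
    let dirname = path.parent().with_context(|| error::InternalSnafu {
        msg: format!(
            "Given path to write without proper prefix: {}",
            path.display()
        ),
    })?;
    fs::create_dir_all(dirname).context(error::IoSnafu { path: dirname })?;

    let bytes = data.as_ref().as_bytes();
    fs::write(&path, bytes).context(error::IoSnafu { path: &path })
}

/// KeyPath represents the filesystem path to a data or metadata key, relative to the base path of
/// the live or pending data store. For example, the data key "settings.a.b" would be
/// "settings/a/b" and the metadata key "meta1" for "settings.a.b" would be "settings/a/b.meta1".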
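///
/// It allows access to the data_key and (if it's a metadata key) the metadata_key based on the
/// path.
///
/// This structure can be useful when it doesn't matter where the key is physically stored, but
/// you still need to deal with the interaction between key name and filename, e.g. when
/// abstracting over data and metadata keys during a search.
// Note: this may be useful in other parts of the FilesystemDataStore code too. It may also be
// useful enough to use its ideas to extend the Key type directly, instead.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
struct KeyPath {
    // The data key the path refers to; for a metadata path, the data key it is attached to.
    data_key: Key,
    // The metadata key, present only when the path carries a metadata suffix.
    metadata_key: Option<Key>,
}

impl KeyPath {
    /// Given a DirEntry, gives you a KeyPath if it's a valid path to a key. Specifically, we return
    /// Ok(Some(KeyPath)) if it seems like a datastore key. Returns Ok(None) if it doesn't seem like
    /// a datastore key, e.g. a directory, or if it's a file otherwise invalid as a key. Returns Err
    /// if we weren't able to check.
    ///
    /// Only entries whose type is a regular file are considered; `strip_path_prefix` is removed
    /// from the entry's path before it is parsed.
    // NOTE(review): every from_path error, including the corruption errors, is folded into
    // Ok(None) with no log line.  Logging skipped files could help spot corruption or files that
    // were not written by this code -- TODO consider.
    fn from_entry<P: AsRef<Path>>(
        entry: &DirEntry,
        strip_path_prefix: P,
    ) -> Result<Option<KeyPath>> {
        if !entry.file_type().is_file() {
            trace!("Skipping non-file entry: {}", entry.path().display());
            return Ok(None);
        }

        let key_path_raw = entry
            .path()
            .strip_prefix(strip_path_prefix)
            .context(error::PathSnafu)?;
        // If from_path doesn't think this is an OK key, we'll return Ok(None), otherwise the KeyPath
        Ok(Self::from_path(key_path_raw).ok())
    }

    /// Builds a KeyPath from a path relative to the datastore base.
    ///
    /// Everything before the first `.` is the data key path; each of its components is
    /// percent-decoded and becomes one key segment.  Anything after that `.` is taken as the
    /// metadata key name.  Fails if the path is not UTF-8 or if either part is not a valid key.
    // NOTE(review): the metadata part is handed to Key::new without decode_path_component.  If
    // metadata_path (not shown here) percent-encodes metadata names, a name that needed encoding
    // would fail here and from_entry would skip it silently -- confirm.
    fn from_path(path: &Path) -> Result<KeyPath> {
        let path_str = path.to_str().context(error::CorruptionSnafu {
            msg: "Non-UTF8 path",
            path,
        })?;

        // Split the data and metadata parts.
        // Any dots in key names are encoded.
        let mut keys = path_str.splitn(2, '.');
        let data_key_raw = keys.next().context(error::InternalSnafu {
            msg: "KeyPath given empty path",
        })?;
        // Turn the data path into a dotted key
        let data_segments = data_key_raw
            .split(path::MAIN_SEPARATOR)
            .map(|s| decode_path_component(s, path))
            .collect::<Result<Vec<_>>>()?;
        let data_key = Key::from_segments(KeyType::Data, &data_segments)?;

        // If we have a metadata portion, make that a Key too
        let metadata_key = match keys.next() {
            Some(meta_key_str) => Some(Key::new(KeyType::Meta, meta_key_str)?),
            None => None,
        };

        Ok(KeyPath {
            data_key,
            metadata_key,
        })
    }

    /// Reports Meta when a metadata key is present, Data otherwise.
    fn key_type(&self) -> KeyType {
        match self.metadata_key {
            Some(_) => KeyType::Meta,
            None => KeyType::Data,
        }
    }
}

/// Helper to walk through the filesystem to find populated keys of the given type, starting with
/// the given prefix. Each item in the returned set is a KeyPath representing a data or metadata
/// key.
///
/// The prefix is compared against the data key's name with a plain string `starts_with`, so it
/// is not segment-aware.  A missing live datastore is reported as corruption; a missing pending
/// datastore yields an empty set.
///
/// The walk does not follow symbolic links and stays on one filesystem, and `from_entry` only
/// accepts regular files, so a link placed inside the tree is skipped rather than listed.
// Note: if we needed to list all possible keys, a walk would only work if we had empty files to
// represent unset values, which could be ugly.
// Another option would be to use a procedural macro to step through a structure to list possible
// keys; this would be similar to serde, but would need to step through Option fields.
fn find_populated_key_paths<S: AsRef<str>>(
    datastore: &FilesystemDataStore,
    key_type: KeyType,
    prefix: S,
    committed: &Committed,
) -> Result<HashSet<KeyPath>> {
    // Find the base path for our search, and confirm it exists.
    let base = datastore.base_path(committed);
    if !base.exists() {
        match committed {
            // No live keys; something must be wrong because we create a default datastore.
            Committed::Live => {
                return error::CorruptionSnafu {
                    msg: "Live datastore missing",
                    path: base,
                }
                .fail()
            }
            // No pending keys, OK, return empty set.
            Committed::Pending { .. } => {
                trace!(
                    "Returning empty list because pending path doesn't exist: {}",
                    base.display()
                );
                return Ok(HashSet::new());
            }
        }
    }

    // Walk through the filesystem.
    let walker = WalkDir::new(&base)
        .follow_links(false) // shouldn't be links...
        .same_file_system(true); // shouldn't be filesystems to cross...

    let mut key_paths = HashSet::new();
    trace!(
        "Starting walk of filesystem to list {:?} key paths under {}",
        key_type,
        base.display()
    );

    // For anything we find, confirm it matches the user's filters, and add it to results.
    for entry in walker {
        let entry = entry.context(error::ListKeysSnafu)?;
        if let Some(kp) = KeyPath::from_entry(&entry, &base)? {
            if !kp.data_key.name().starts_with(prefix.as_ref()) {
                trace!(
                    "Discarded {:?} key whose data_key '{}' doesn't start with prefix '{}'",
                    kp.key_type(),
                    kp.data_key,
                    prefix.as_ref()
                );
                continue;
            } else if kp.key_type() != key_type {
                continue;
            }

            trace!("Found {:?} key at {}", key_type, entry.path().display());
            key_paths.insert(kp);
        }
    }

    Ok(key_paths)
}

// TODO: maybe add/strip single newline at end, so file is easier to read
impl DataStore for FilesystemDataStore {
    /// Returns whether a file exists at the path for the given data key.
    // NOTE(review): Path::exists() also reports false when the check itself fails (e.g.
    // permission denied), so such a key reads as unpopulated rather than as an error.
    fn key_populated(&self, key: &Key, committed: &Committed) -> Result<bool> {
        let path = self.data_path(key, committed)?;

        Ok(path.exists())
    }

    /// Returns the set of all data keys that are currently populated in the datastore, that
    /// start with the given prefix.
    fn list_populated_keys<S: AsRef<str>>(
        &self,
        prefix: S,
        committed: &Committed,
    ) -> Result<HashSet<Key>> {
        let key_paths = find_populated_key_paths(self, KeyType::Data, prefix, committed)?;
        let keys = key_paths.into_iter().map(|kp| kp.data_key).collect();
        Ok(keys)
    }

    /// Finds all metadata keys that are currently populated in the datastore whose data keys
    /// start with the given prefix. If you specify metadata_key_name, only metadata keys with
    /// that name will be returned.
    ///
    /// Returns a mapping of the data keys to the set of populated metadata keys for each.
    ///
    /// Note: The data keys do not need to be populated themselves; sometimes metadata is used
    /// to help generate the data, for example. (Committed status is then irrelevant, too.)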
fn list_populated_metadata( &self, prefix: S1, committed: &Committed, metadata_key_name: &Option, ) -> Result>> where S1: AsRef, S2: AsRef, { // Find metadata key paths on disk let key_paths = find_populated_key_paths(self, KeyType::Meta, prefix, committed)?; // For each file on disk, check the user's conditions, and add it to our output let mut result = HashMap::new(); for key_path in key_paths { let data_key = key_path.data_key; let meta_key = key_path.metadata_key.context(error::InternalSnafu { msg: format!("Found meta key path with no dot: {data_key}"), })?; // If the user requested specific metadata, move to the next key unless it matches. if let Some(name) = metadata_key_name { if name.as_ref() != meta_key.name() { continue; } } // Insert into output if we met the requested conditions; don't add an entry for // the data key unless we did find some metadata. let data_entry = result.entry(data_key).or_insert_with(HashSet::new); data_entry.insert(meta_key); } Ok(result) } fn get_key(&self, key: &Key, committed: &Committed) -> Result> { let path = self.data_path(key, committed)?; read_file_for_key(key, &path) } fn set_key>(&mut self, key: &Key, value: S, committed: &Committed) -> Result<()> { let path = self.data_path(key, committed)?; write_file_mkdir(path, value) } fn unset_key(&mut self, key: &Key, committed: &Committed) -> Result<()> { let path = self.data_path(key, committed)?; self.delete_key_path(path, committed) } fn get_metadata_raw( &self, metadata_key: &Key, data_key: &Key, committed: &Committed, ) -> Result> { let path = self.metadata_path(metadata_key, data_key, committed)?; read_file_for_key(metadata_key, &path) } fn set_metadata>( &mut self, metadata_key: &Key, data_key: &Key, value: S, committed: &Committed, ) -> Result<()> { let path = self.metadata_path(metadata_key, data_key, committed)?; write_file_mkdir(path, value) } fn unset_metadata(&mut self, metadata_key: &Key, data_key: &Key) -> Result<()> { let path = self.metadata_path(metadata_key, 
data_key, &Committed::Live)?; self.delete_key_path(path, &Committed::Live) } /// We commit by copying pending keys to live, then removing pending. Something smarter (lock, /// atomic flip, etc.) will be required to make the server concurrent. fn commit_transaction( &mut self, transaction: S, constraint_check: &C, ) -> Result> where S: Into + AsRef, C: Fn( &mut Self, &Committed, ) -> std::result::Result< ConstraintCheckResult, Box, >, { let mut pending_keys: HashSet = Default::default(); let transactions = self.list_transactions()?; if !transactions.contains(transaction.as_ref()) { return Ok(pending_keys); } let pending = Committed::Pending { tx: transaction.into(), }; let constraints_check_result = constraint_check(self, &pending).context(error::CheckConstraintExecutionSnafu)?; let approved_write = ApprovedWrite::try_from(constraints_check_result)?; trace!( "commit_transaction: transaction_metadata: {:?}", approved_write.metadata ); // write the metadata. for (metadata_key, data_key, value) in approved_write.metadata { self.set_metadata(&metadata_key, &data_key, value, &Committed::Live)?; } let pending_data = approved_write.settings; if !pending_data.is_empty() { // Save Keys for return value pending_keys = pending_data.keys().cloned().collect(); // Apply changes to live debug!("Writing pending keys to live"); self.set_keys(&pending_data, &Committed::Live)?; } // Remove pending debug!("Removing old pending keys"); let path = self.base_path(&pending); fs::remove_dir_all(&path).context(error::IoSnafu { path })?; Ok(pending_keys) } fn delete_transaction(&mut self, transaction: S) -> Result> where S: Into + AsRef, { let pending = Committed::Pending { tx: transaction.into(), }; // Get changed keys so we can return the list let pending_data = self.get_prefix("settings.", &pending)?; // Pull out just the keys so we can log them and return them let pending_keys = pending_data.into_keys().collect(); debug!("Found pending keys: {:?}", &pending_keys); // Delete pending from 
the filesystem, same as a commit let path = self.base_path(&pending); debug!("Removing transaction directory {}", path.display()); if let Err(e) = fs::remove_dir_all(&path) { // If path doesn't exist, it's fine, we'll just return an empty list. if e.kind() != io::ErrorKind::NotFound { return Err(e).context(error::IoSnafu { path }); } } Ok(pending_keys) } /// We store transactions as subdirectories of the pending data store, so to list them we list /// the names of the subdirectories. fn list_transactions(&self) -> Result> { // Any directory under pending should be a transaction name. let walker = WalkDir::new(&self.pending_base_path) .min_depth(1) .max_depth(1); let mut transactions = HashSet::new(); trace!( "Starting walk of filesystem to list transactions under {}", self.pending_base_path.display(), ); for entry in walker { let entry = match entry { Ok(entry) => entry, Err(e) => { if let Some(io_error) = e.io_error() { // If there's no pending directory, that's OK, just return empty set. if io_error.kind() == io::ErrorKind::NotFound { break; } } return Err(e).context(error::ListKeysSnafu); } }; if entry.file_type().is_dir() { // The directory name should be valid UTF-8, encoded by encode_path_component, // or the data store has been corrupted. 
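let file_name = entry.file_name().to_str().context(error::CorruptionSnafu {
                    msg: "Non-UTF8 path",
                    path: entry.path(),
                })?;
                // Undo the percent-encoding to get the transaction name back.
                let transaction = decode_path_component(file_name, entry.path())?;
                transactions.insert(transaction);
            }
        }

        Ok(transactions)
    }
}

#[cfg(test)]
mod test {
    use super::*;

    // Data keys map to one directory level per segment; the transaction name is percent-encoded.
    #[test]
    fn data_path() {
        let f = FilesystemDataStore::new("/base");
        let key = Key::new(KeyType::Data, "a.b.c").unwrap();

        let tx = "test transaction";
        let pending = f
            .data_path(&key, &Committed::Pending { tx: tx.into() })
            .unwrap();
        assert_eq!(
            pending.into_os_string(),
            "/base/pending/test%20transaction/a/b/c"
        );

        let live = f.data_path(&key, &Committed::Live).unwrap();
        assert_eq!(live.into_os_string(), "/base/live/a/b/c");
    }

    // Metadata lives next to the data key's file, with the metadata name after a dot.
    #[test]
    fn metadata_path() {
        let f = FilesystemDataStore::new("/base");
        let data_key = Key::new(KeyType::Data, "a.b.c").unwrap();
        let md_key = Key::new(KeyType::Meta, "my-metadata").unwrap();

        let tx = "test transaction";
        let pending = f
            .metadata_path(&md_key, &data_key, &Committed::Pending { tx: tx.into() })
            .unwrap();
        assert_eq!(
            pending.into_os_string(),
            "/base/pending/test%20transaction/a/b/c.my-metadata"
        );

        let live = f
            .metadata_path(&md_key, &data_key, &Committed::Live)
            .unwrap();
        assert_eq!(live.into_os_string(), "/base/live/a/b/c.my-metadata");
    }

    #[test]
    fn encode_path_component_works() {
        assert_eq!(encode_path_component("a-b_42"), "a-b_42");
        assert_eq!(encode_path_component("a.b"), "a%2Eb");
        assert_eq!(encode_path_component("a/b"), "a%2Fb");
        // The expected output contains %3C and %3E, so the input must carry '<' and '>'.
        assert_eq!(
            encode_path_component("a b%c<d>e"),
            "a%20b%25c%3Cd%3Ee"
        );
        // Dots and separators are escaped, so a segment can't act as ".." or add a path level.
        assert_eq!(encode_path_component(".."), "%2E%2E");
        assert_eq!(encode_path_component("../a"), "%2E%2E%2Fa");
    }

    #[test]
    fn decode_path_component_works() {
        assert_eq!(decode_path_component("a-b_42", "").unwrap(), "a-b_42");
        assert_eq!(decode_path_component("a%2Eb", "").unwrap(), "a.b");
        assert_eq!(decode_path_component("a%2Fb", "").unwrap(), "a/b");
        assert_eq!(
            decode_path_component("a%20b%25c%3Cd%3Ee", "").unwrap(),
            "a b%c<d>e"
        );
        // Decoding is the exact inverse, so the result is key text and not a safe path.
        assert_eq!(decode_path_component("%2E%2E%2Fa", "").unwrap(), "../a");

        // Invalid UTF-8
        decode_path_component("%C3%28", "").unwrap_err();
    }
}

================================================
FILE: 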
sources/api/datastore/src/key.rs ================================================ // Note: this only allows reading and writing UTF-8 keys and values; is that OK? use log::trace; use serde::{Serialize, Serializer}; use snafu::ensure; use std::fmt; use std::hash::{Hash, Hasher}; use super::{error, Result}; pub const KEY_SEPARATOR: char = '.'; // String refs are more convenient for some Rust functions pub const KEY_SEPARATOR_STR: &str = "."; /// Maximum key name length matches the maximum filename length of 255; if we need to have longer /// keys (up to 4096) we could make prefixes not count against this limit. const MAX_KEY_NAME_LENGTH: usize = 255; /// KeyType represents whether we want to check a Key as a data key or metadata key. #[derive(Debug, Copy, Clone, Eq, PartialEq, Hash)] pub enum KeyType { Data, Meta, } /// A Key is a pointer into the datastore with a convenient name. Their names are simply dotted /// strings ("a.b.c") with the dots implying hierarchy, so "a.b.c" and "a.b.d" are probably /// related. /// /// Keys that need to include dots in the name can quote that segment of the name, for example the /// key a."b.c".d has three segments: "a", "b.c", and "d". #[derive(Clone, Debug)] pub struct Key { name: String, segments: Vec, } impl Key { /// Returns a list of the segments that make up the key name. /// /// Examples: /// * a.b.c -> ["a", "b", "c"] /// * "a.b".c -> ["a.b", "c"] pub fn segments(&self) -> &Vec { &self.segments } /// Returns the name of the key. /// /// If you created the Key using with_segments(), the segments are quoted as necessary to /// handle special characters. Examples: /// * created with segments ["a", "b", "c"] -> a.b.c /// * created with segments ["a.b", "c"] -> "a.b".c pub fn name(&self) -> &String { &self.name } /// Creates a Key of the given type from the given name. /// /// If there are special characters in the name, like "." 
which is used as a separator, /// then you should quote that segment, for example: a."b.c".d to represent three segments /// "a", "b.c", and "d". If possible, you should use `Key::from_segments` instead, to more /// accurately represent the individual segments. pub fn new>(key_type: KeyType, name: S) -> Result { let segments = Self::parse_name_segments(&name)?; Self::check_key(key_type, &name, &segments)?; Ok(Self { name: name.as_ref().to_string(), segments, }) } /// Creates a Key of the given type from the given name segments. /// /// For example, passing &["a", "b.c", "c"] will create a key named: a."b.c".c pub fn from_segments(key_type: KeyType, segments: &[S]) -> Result where S: AsRef, { let name = Self::encode_name_segments(segments)?; Self::check_key(key_type, &name, segments)?; Ok(Self { name, segments: segments.iter().map(|s| s.as_ref().into()).collect(), }) } /// Removes the given prefix from the key name, returning a new Key. /// /// This is intended to remove key name segments from the beginning of the name, therefore /// this only makes sense for Data keys, not Meta keys. A Data key will be returned. /// /// You should not include an ending separator (dot), it will be removed for you. /// /// If the key name does not begin with the given prefix, the returned key will be /// identical. /// /// Fails if the new key would be invalid, e.g. if the prefix is the entire key. pub(super) fn strip_prefix(&self, prefix: S) -> Result where S: AsRef, { let prefix = prefix.as_ref(); ensure!( prefix != self.name, error::InvalidKeySnafu { name: "", msg: format!("strip_prefix of '{prefix}' matches key") } ); let strip = prefix.to_string() + "."; // Check starts_with so we don't replace in the middle of the string... let name = if self.name.starts_with(&strip) { self.name.replacen(&strip, "", 1) } else { self.name.clone() }; Self::new(KeyType::Data, name) } /// Removes the given key segments from the beginning of the key, returning a new Key. 
/// /// This only makes sense for Data keys because Meta keys only have one segment. A Data key /// will be returned. /// /// If the key does not begin with all of the given segments, no segments will be removed, /// so the returned key will be identical. /// /// Fails if the new key would be invalid, e.g. if the given segments are the entire key. pub(super) fn strip_prefix_segments(&self, prefix: &[S]) -> Result where S: AsRef, { // We walk through the given prefix segments, looking for anything that doesn't match // our segments, at which point we know we're going to return an unchanged key. for (i, theirs) in prefix.iter().enumerate() { match self.segments().get(i) { // If we run out of our segments, the prefix is longer than the existing key, // and therefore can't match; we return an unchanged key. None => return Ok(self.clone()), Some(ours) => { // Difference found; return an unchanged key. if ours != theirs.as_ref() { return Ok(self.clone()); } } } } // No differences were found, so we remove the given segments. Self::from_segments(KeyType::Data, &self.segments[prefix.len()..]) } /// Adds the given segments to the key name, returning a new Key. /// /// The given segments should not be quoted even if they contain the separator character; /// using a segment list allows us to be precise about the distinction between segments. /// /// Fails if the new key would be invalid, e.g. the suffix contains invalid characters. pub(super) fn append_segments(&self, segments: &[S]) -> Result where S: AsRef, { let our_segments = self.segments().iter().map(|s| s.as_ref()); let their_segments = segments.iter().map(|s| s.as_ref()); let new_segments: Vec<_> = our_segments.chain(their_segments).collect(); Self::from_segments(KeyType::Data, &new_segments) } /// Adds the given key's name to this key name and returns a new Key. /// /// This is done precisely using each key's segments, so handling of separators and quoting /// is automatic. 
/// /// Fails if the new key would be invalid, e.g. too long. pub(super) fn append_key(&self, key: &Key) -> Result { let our_segments = self.segments().iter(); let their_segments = key.segments().iter(); let new_segments: Vec<_> = our_segments.chain(their_segments).collect(); Self::from_segments(KeyType::Data, &new_segments) } /// Additional safety checks for parsed or generated keys. fn check_key(key_type: KeyType, name: S1, segments: &[S2]) -> Result<()> where S1: AsRef, S2: AsRef, { let name = name.as_ref(); ensure!( name.len() <= MAX_KEY_NAME_LENGTH, error::KeyTooLongSnafu { name, max: MAX_KEY_NAME_LENGTH, } ); match key_type { KeyType::Data => { ensure!( !segments.is_empty(), error::InvalidKeySnafu { name, msg: "data keys must have at least one segment", } ); } KeyType::Meta => { ensure!( segments.len() == 1, error::InvalidKeySnafu { name, msg: "meta keys may only have one segment", } ); } } Ok(()) } /// Determines whether a character is acceptable within a segment of a key name. This is /// separate from quoting; if a character isn't valid, it isn't valid quoted, either. fn valid_character(c: char) -> bool { matches!(c, 'a'..='z' | 'A'..='Z' | '0'..='9' | '_' | '-' | '/') } /// Given a key name, returns a list of its name segments, separated by KEY_SEPARATOR. /// Respects quoting of segments so they can contain dots. /// /// Examples: /// * a.b.c -> ["a", "b", "c"] /// * "a.b".c -> ["a.b", "c"] fn parse_name_segments>(name: S) -> Result> { let name = name.as_ref(); ensure!( !name.is_empty(), error::InvalidKeySnafu { name, msg: "cannot be empty", } ); // The full list of name segments we're going to return. let mut segments = Vec::new(); // The current name segment we're checking. 
let mut segment = String::new(); // Track whether we're inside a quoted section of the key name let mut in_quotes = false; // Walk through each character, looking for quotes or separators to update state for c in name.chars() { if c == '"' { // Quotes don't go into the name segments, so we just flip the flag. in_quotes = !in_quotes; } else if c == KEY_SEPARATOR { if in_quotes { // If we see a separator inside quotes, it's just like any other character. segment.push(c); } else { // If we see a separator outside quotes, it should be ending a segment. // Segments can't be empty. ensure!( !segment.is_empty(), error::InvalidKeySnafu { name, msg: "empty key segment", } ); // Save the segment we just saw and start a new one. segments.push(segment); segment = String::new(); } } else { // Not a special character; make sure it's a valid part of a name segment. if Self::valid_character(c) { segment.push(c); } else { return error::InvalidKeySnafu { name, msg: format!("invalid character in key: '{c}'"), } .fail(); } } } ensure!( !in_quotes, error::InvalidKeySnafu { name, msg: "unbalanced quotes", } ); ensure!( !segment.is_empty(), error::InvalidKeySnafu { name, msg: "ends with separator", } ); // Push final segment (keys don't end with a dot, which is when we normally push) segments.push(segment); trace!("Parsed key name '{name}' to segments {segments:?}"); Ok(segments) } /// Given a list of key name segments, encodes them into a name string. Any segments with /// special characters (like the separator) are quoted. fn encode_name_segments>(segments: &[S]) -> Result { let segments: Vec<_> = segments.iter().map(|s| s.as_ref()).collect(); let mut outputs = Vec::new(); // Check whether we need quoting for each segment. 
for segment in segments.iter() { for chr in segment.chars() { ensure!( chr == KEY_SEPARATOR || Self::valid_character(chr), error::InvalidKeySnafu { // Give an understandable key name in the error, even if it's invalid name: segments.join("."), msg: format!("Segment '{segment}' contains invalid character '{chr}'"), } ); } if segment.chars().any(|c| c == KEY_SEPARATOR) { // Includes separator; quote the segment. outputs.push(format!("\"{segment}\"")); } else { // No special characters, no escaping needed. outputs.push(segment.to_string()); } } // Join the (possibly quoted) segments with our separator. let name = outputs.join(KEY_SEPARATOR_STR); trace!("Encoded key '{name}' from segments {segments:?}"); Ok(name) } pub fn starts_with_segments(&self, segments: &[S]) -> bool where S: AsRef, { if self.segments.len() < segments.len() { return false; } let ours = self.segments()[0..segments.len()].iter(); let theirs = segments.iter().map(|s| s.as_ref()); ours.zip(theirs).all(|(a, b)| a == b) } } impl fmt::Display for Key { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { write!(f, "{}", self.name) } } // We can't implement Deserialize for Key because Key doesn't store its key type, but we can // serialize it to its name. impl Serialize for Key { fn serialize(&self, serializer: S) -> std::result::Result where S: Serializer, { serializer.serialize_str(&self.name) } } // The segments are our source of truth. impl PartialEq for Key { fn eq(&self, other: &Key) -> bool { self.segments == other.segments } } impl Eq for Key {} impl Hash for Key { fn hash(&self, state: &mut H) { self.segments.hash(state); } } #[cfg(test)] mod test { use super::{Key, KeyType, MAX_KEY_NAME_LENGTH}; // Helper macro for testing conditions that apply to both data and metadata keys macro_rules! 
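data_and_meta {
        ($fn:expr) => {
            $fn(KeyType::Data);
            $fn(KeyType::Meta);
        };
    }

    #[test]
    fn short_key_ok() {
        data_and_meta!(|t| assert!(Key::new(t, "a").is_ok()));
    }

    #[test]
    fn dotted_data_key_ok() {
        assert!(Key::new(KeyType::Data, "a.b.c.d.e.f.g").is_ok());
    }

    #[test]
    fn dotted_metadata_key_fails() {
        assert!(Key::new(KeyType::Meta, "a.b.c.d.e.f.g").is_err());
    }

    #[test]
    fn quoted_data_key_ok() {
        let name = "a.\"b.c\".d";
        let key = Key::new(KeyType::Data, name).unwrap();
        assert_eq!(key.name(), name);
        assert_eq!(key.segments(), &["a", "b.c", "d"]);
    }

    #[test]
    fn quoted_metadata_key_ok() {
        // Metadata keys can only have one segment, but it can be quoted
        let name = "\"b.c\"";
        // Build a Meta key here; the Data variant is already covered by quoted_data_key_ok.
        let key = Key::new(KeyType::Meta, name).unwrap();
        assert_eq!(key.name(), name);
        assert_eq!(key.segments(), &["b.c"]);
    }

    #[test]
    fn from_segments() {
        let name = "a.\"b.c\".d";
        let segments = &["a", "b.c", "d"];
        let key = Key::from_segments(KeyType::Data, segments).unwrap();
        assert_eq!(key.name(), name);
        assert_eq!(key.segments(), segments);
    }

    #[test]
    fn key_with_special_chars_ok() {
        data_and_meta!(|t| assert!(Key::new(t, "a-b_c").is_ok()));
    }

    #[test]
    fn long_key_ok() {
        data_and_meta!(|t| assert!(Key::new(t, "a".repeat(MAX_KEY_NAME_LENGTH)).is_ok()));
    }

    #[test]
    fn key_too_long() {
        data_and_meta!(|t| assert!(Key::new(t, "a".repeat(MAX_KEY_NAME_LENGTH + 1)).is_err()));
    }

    #[test]
    fn key_bad_chars() {
        data_and_meta!(|t| assert!(Key::new(t, "!").is_err()));
        data_and_meta!(|t| assert!(Key::new(t, "$").is_err()));
        data_and_meta!(|t| assert!(Key::new(t, "&").is_err()));
        data_and_meta!(|t| assert!(Key::new(t, ";").is_err()));
        data_and_meta!(|t| assert!(Key::new(t, "|").is_err()));
        data_and_meta!(|t| assert!(Key::new(t, r"\").is_err()));
        // Characters that matter to the filesystem encoding are not valid key characters either.
        data_and_meta!(|t| assert!(Key::new(t, "%").is_err()));
        data_and_meta!(|t| assert!(Key::new(t, " ").is_err()));
    }

    #[test]
    fn key_bad_format() {
        data_and_meta!(|t| assert!(Key::new(t, "a.").is_err()));
        // Empty names, empty segments and unbalanced quotes are rejected by the parser.
        data_and_meta!(|t| assert!(Key::new(t, "").is_err()));
        data_and_meta!(|t| assert!(Key::new(t, ".a").is_err()));
        data_and_meta!(|t| assert!(Key::new(t, "a..b").is_err()));
        data_and_meta!(|t| assert!(Key::new(t, "\"a").is_err()));
    }

    #[test]
    fn strip_prefix_ok() {
        // Remove plain prefix
        let key = Key::new(KeyType::Data, "a.b.c.d").unwrap();
        let prefix = "a.b";
        assert_eq!(key.strip_prefix(prefix).unwrap().name(), "c.d");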
// Don't remove non-matching prefix; no change let key = Key::new(KeyType::Data, "a.b.c.d").unwrap(); let prefix = "x.y"; assert_eq!(key.strip_prefix(prefix).unwrap().name(), "a.b.c.d"); // Don't remove prefix that doesn't match whole quoted segment let key = Key::new(KeyType::Data, "a.\"b.c\".d").unwrap(); let prefix = "a.b"; assert_eq!(key.strip_prefix(prefix).unwrap().name(), "a.\"b.c\".d"); // Do remove prefix that does match whole quoted segment let key = Key::new(KeyType::Data, "a.\"b.c\".d").unwrap(); let prefix = "a.\"b.c\""; assert_eq!(key.strip_prefix(prefix).unwrap().name(), "d"); } #[test] fn strip_prefix_err() { let key = Key::new(KeyType::Data, "a.b.c.d").unwrap(); let prefix = "a.b.c.d"; key.strip_prefix(prefix).unwrap_err(); } #[test] fn strip_prefix_segments_ok() { // Remove plain prefix let key = Key::new(KeyType::Data, "a.b.c.d").unwrap(); let prefix = &["a", "b"]; assert_eq!(key.strip_prefix_segments(prefix).unwrap().name(), "c.d"); // Don't remove non-matching prefix; no change let key = Key::new(KeyType::Data, "a.b.c.d").unwrap(); let prefix = &["x", "y"]; assert_eq!(key.strip_prefix_segments(prefix).unwrap().name(), "a.b.c.d"); // Don't remove prefix that doesn't match whole quoted segment let key = Key::new(KeyType::Data, "a.\"b.c\".d").unwrap(); let prefix = &["a", "b"]; assert_eq!( key.strip_prefix_segments(prefix).unwrap().name(), "a.\"b.c\".d" ); // Do remove prefix that does match whole quoted segment let key = Key::new(KeyType::Data, "a.\"b.c\".d").unwrap(); let prefix = &["a", "b.c"]; assert_eq!(key.strip_prefix_segments(prefix).unwrap().name(), "d"); } #[test] fn strip_prefix_segments_err() { let key = Key::new(KeyType::Data, "a.b.c.d").unwrap(); let prefix = &["a", "b", "c", "d"]; key.strip_prefix_segments(prefix).unwrap_err(); } #[test] fn append_segments_ok() { let key = Key::new(KeyType::Data, "a.b").unwrap(); let new = key.append_segments(&["x"]).unwrap(); assert_eq!(new.name(), "a.b.x"); let new = 
key.append_segments(&["x.y"]).unwrap(); assert_eq!(new.name(), "a.b.\"x.y\""); let new = key.append_segments(&["x", "y"]).unwrap(); assert_eq!(new.name(), "a.b.x.y"); } #[test] fn append_segments_err() { let key = Key::new(KeyType::Data, "a.b").unwrap(); key.append_segments(&["@"]).unwrap_err(); } #[test] fn append_key_ok() { let key = Key::new(KeyType::Data, "a.b").unwrap(); let key2 = Key::new(KeyType::Data, "c.d").unwrap(); let new = key.append_key(&key2).unwrap(); assert_eq!(new.name(), "a.b.c.d"); let key2 = Key::new(KeyType::Data, "\"c.d\"").unwrap(); let new = key.append_key(&key2).unwrap(); assert_eq!(new.name(), "a.b.\"c.d\""); } #[test] fn append_key_err() { let long_key = Key::new(KeyType::Data, "a".repeat(MAX_KEY_NAME_LENGTH)).unwrap(); let key2 = Key::new(KeyType::Data, "b").unwrap(); long_key.append_key(&key2).unwrap_err(); } #[test] fn starts_with_segments() { let key = Key::new(KeyType::Data, "a.b").unwrap(); assert!(key.starts_with_segments(&["a"])); assert!(!key.starts_with_segments(&["\"a.b\""])); assert!(!key.starts_with_segments(&["a."])); } } ================================================ FILE: sources/api/datastore/src/lib.rs ================================================ /*! # Background A 'data store' in Bottlerocket is responsible for storing key/value pairs and metadata about those pairs, with the ability to commit changes in transactions. For more detail about their usage, see [apiserver](../apiserver). # Library This library provides a trait defining the exact requirements, along with basic implementations for filesystem and memory data stores. There's also a common error type and some methods that implementations of DataStore should generally share, like scalar serialization. We represent scalars -- the actual values stored under a datastore key -- using JSON, just to have a convenient human-readable form. (TOML doesn't allow raw scalars. 
The JSON spec doesn't seem to either, but this works, and the format is so simple for scalars that it could be easily swapped out if needed.) # Serialization and deserialization The `serialization` module provides code to serialize Rust types into a mapping of datastore-acceptable keys (a.b.c) and values. The `deserialization` module provides code to deserialize datastore-acceptable keys (a.b.c) and values into Rust types. # Current limitations * The user (e.g. apiserver) needs to handle locking. * There's no support for rolling back transactions. * The `serialization` module can't handle complex types under lists; it assumes lists can be serialized as scalars. */ pub mod constraints_check; pub mod deserialization; pub mod error; pub mod filesystem; pub mod key; pub mod memory; pub mod serialization; use constraints_check::ConstraintCheckResult; pub use error::{Error, Result}; pub use filesystem::FilesystemDataStore; pub use key::{Key, KeyType, KEY_SEPARATOR, KEY_SEPARATOR_STR}; use log::{info, trace}; use serde::{Deserialize, Serialize}; use snafu::OptionExt; use std::collections::{HashMap, HashSet}; /// Committed represents whether we want to look at pending (uncommitted) or live (committed) data /// in the datastore. #[derive(Debug, Clone, PartialEq)] pub enum Committed { Live, Pending { // If the change is pending, we need to know the transaction name. tx: String, }, } pub trait DataStore { /// Returns whether a key is present (has a value) in the datastore. fn key_populated(&self, key: &Key, committed: &Committed) -> Result; /// Returns a list of the populated data keys in the datastore whose names start with the given /// prefix. fn list_populated_keys>( &self, prefix: S, committed: &Committed, ) -> Result>; /// Finds all metadata keys that are currently populated in the datastore whose data keys /// start with the given prefix. If you specify metadata_key_name, only metadata keys with /// that name will be returned. 
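///
    /// Returns a mapping of the data keys to the set of populated metadata keys for each.
    fn list_populated_metadata<S1, S2>(
        &self,
        prefix: S1,
        committed: &Committed,
        metadata_key_name: &Option<S2>,
    ) -> Result<HashMap<Key, HashSet<Key>>>
    where
        S1: AsRef<str>,
        S2: AsRef<str>;

    /// Retrieve the value for a single data key from the datastore.
    fn get_key(&self, key: &Key, committed: &Committed) -> Result<Option<String>>;

    /// Set the value of a single data key in the datastore.
    fn set_key<S: AsRef<str>>(&mut self, key: &Key, value: S, committed: &Committed) -> Result<()>;

    /// Removes the given data key from the datastore. If we succeeded, we return Ok(()); if
    /// the key didn't exist, we also return Ok(()); we return Err only if we failed to check
    /// or remove the key.
    fn unset_key(&mut self, key: &Key, committed: &Committed) -> Result<()>;

    /// Retrieve the value for a single metadata key from the datastore. Values will inherit from
    /// earlier in the tree, if more specific values are not found later.
    ///
    /// The data key is checked prefix by prefix ("a", then "a.b", then "a.b.c", ...) with
    /// get_metadata_raw, and the value found at the longest prefix is returned.  Returns
    /// Ok(None) if no prefix has the metadata, and Err as soon as any lookup fails.
    fn get_metadata(
        &self,
        metadata_key: &Key,
        data_key: &Key,
        committed: &Committed,
    ) -> Result<Option<String>> {
        let mut found = None;
        let mut current_path = Vec::new();

        // Walk through segments of the data key in order, returning the last metadata we find
        for component in data_key.segments() {
            current_path.push(component);

            // Borrow the growing prefix; it is still needed for the next iteration.
            let data_key = Key::from_segments(KeyType::Data, &current_path).unwrap_or_else(|_| {
                unreachable!("Prefix of Key failed to make Key: {:?}", current_path)
            });

            if let Some(md) = self.get_metadata_raw(metadata_key, &data_key, committed)? {
                found = Some(md);
            }
        }

        Ok(found)
    }

    /// Retrieve the value for a single metadata key from the datastore, without taking into
    /// account inheritance of metadata from earlier in the tree.
    fn get_metadata_raw(
        &self,
        metadata_key: &Key,
        data_key: &Key,
        committed: &Committed,
    ) -> Result<Option<String>>;

    /// Set the value of a single metadata key in the datastore.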
fn set_metadata>(
    &mut self,
    metadata_key: &Key,
    data_key: &Key,
    value: S,
    committed: &Committed,
) -> Result<()>;

/// Removes the given metadata key from the given data key in the datastore. If we
/// succeeded, we return Ok(()); if the data or metadata key didn't exist, we also return
/// Ok(()); we return Err only if we failed to check or remove the key.
///
/// Unlike `set_metadata`, this takes no `Committed` argument, so the caller cannot choose
/// between live and pending metadata here; which one is removed is up to the implementer.
fn unset_metadata(&mut self, metadata_key: &Key, data_key: &Key) -> Result<()>;

/// Applies pending changes from the given transaction to the live datastore. Returns the
/// list of changed keys.
///
/// `constraint_check` is given the datastore and a `Committed` value and returns either a
/// `ConstraintCheckResult` or a boxed error.
///
/// NOTE(review): the trait does not say how that result gates the commit. Confirm that each
/// implementer writes nothing to live data when the check returns an error or a rejection.
fn commit_transaction(
    &mut self,
    transaction: S,
    constraint_check: &C,
) -> Result>
where
    S: Into + AsRef,
    C: Fn(
        &mut Self,
        &Committed,
    ) -> std::result::Result<
        ConstraintCheckResult,
        Box,
    >;

/// Remove the given pending transaction from the datastore. Returns the list of removed
/// keys. If the transaction doesn't exist, will return Ok with an empty list.
fn delete_transaction(&mut self, transaction: S) -> Result>
where
    S: Into + AsRef;

/// Returns a list of the names of any pending transactions in the data store.
fn list_transactions(&self) -> Result>;

/// Set multiple data keys at once in the data store.
///
/// Implementers can replace the default implementation if there's a faster way than setting
/// each key individually.
///
/// The default implementation is not atomic: it stops at the first `set_key` error and keys
/// written before the failure stay written. Only key names (and, for pending writes, the
/// `Committed` state, which includes the transaction name) are logged; values are not.
fn set_keys(&mut self, pairs: &HashMap, committed: &Committed) -> Result<()>
where
    S: AsRef,
{
    for (key, value) in pairs {
        // The log line is emitted before the write is attempted, so a "Committed data key"
        // entry can be followed by a failed set_key for that same key.
        match committed {
            Committed::Live => {
                info!("Committed data key {}", key.name());
            }
            state => {
                trace!("Data key {} state changed to {:?}", key.name(), state);
            }
        };
        self.set_key(key, value, committed)?;
    }
    Ok(())
}

/// Removes multiple data keys at once in the data store.
///
/// Implementers can replace the default implementation if there's a faster way than
/// unsetting each key individually.
fn unset_keys(&mut self, keys: &HashSet, committed: &Committed) -> Result<()> {
    // Stops at the first unset_key error; keys removed before the failure stay removed.
    for key in keys {
        trace!("Unsetting data key {}", key.name());
        self.unset_key(key, committed)?;
    }
    Ok(())
}

/// Retrieves all keys starting with the given prefix, returning them in a Key -> value map.
///
/// Can be followed up by a deserialize::from_map call to build a structure.
///
/// The keys are listed first and then read one by one. A key that was listed but has no
/// value when read is reported as `ListedKeyNotPresent` rather than skipped. This method
/// takes no lock between the listing and the reads; the crate docs leave locking to the
/// caller.
fn get_prefix>(
    &self,
    find_prefix: S,
    committed: &Committed,
) -> Result> {
    let keys = self.list_populated_keys(&find_prefix, committed)?;
    // Only key names are traced here, not values.
    trace!("Found populated keys: {keys:?}");
    if keys.is_empty() {
        return Ok(HashMap::new());
    }

    let mut result = HashMap::new();
    for key in keys {
        // Already confirmed key via listing keys, so an error is more serious.
        trace!("Pulling value from datastore for key: {key}");
        let value = self
            .get_key(&key, committed)?
            .context(error::ListedKeyNotPresentSnafu { key: key.name() })?;

        result.insert(key, value);
    }

    Ok(result)
}

/// Retrieves all metadata for data keys starting with the given prefix. If you specify
/// metadata_key_name, only metadata keys with that name will be returned. Returns a
/// mapping of each data key to its metadata, where metadata is a mapping of metadata Key to
/// string value.
///
/// Values are read with `get_metadata`, the inheritance-aware lookup. A listed metadata key
/// that yields no value is reported as `ListedMetaNotPresent`.
fn get_metadata_prefix(
    &self,
    find_prefix: S1,
    committed: &Committed,
    metadata_key_name: &Option,
) -> Result>>
where
    S1: AsRef,
    S2: AsRef,
{
    let meta_map = self.list_populated_metadata(&find_prefix, committed, metadata_key_name)?;
    trace!("Found populated metadata: {meta_map:?}");
    if meta_map.is_empty() {
        return Ok(HashMap::new());
    }

    let mut result = HashMap::new();
    for (data_key, meta_keys) in meta_map {
        for meta_key in meta_keys {
            // If the user requested specific metadata, move to the next key unless it
            // matches. The name was already passed to list_populated_metadata, so this
            // repeats that filter on whatever the implementer returned.
            if let Some(name) = metadata_key_name {
                if name.as_ref() != meta_key.name() {
                    continue;
                }
            }

            // Already confirmed key via listing keys, so an error is more serious.
            trace!(
                "Pulling metadata '{}' from datastore for key: {}",
                meta_key,
                &data_key
            );
            let value = self
                .get_metadata(&meta_key, &data_key, committed)?
                .context(error::ListedMetaNotPresentSnafu {
                    meta_key: meta_key.name(),
                    data_key: data_key.name(),
                })?;

            // Insert a top-level map entry for the data key if we've found metadata.
            let data_entry = result.entry(data_key.clone()).or_insert_with(HashMap::new);
            data_entry.insert(meta_key, value);
        }
    }

    Ok(result)
}
}

/////

// This section ties together serialization and deserialization of scalar values, so it's in the
// parent module of serialization and deserialization.

/// Concrete error type for scalar ser/de.
pub type ScalarError = serde_json::Error;

/// Serialize a given scalar value to the module-standard serialization format.
///
/// The format is JSON text produced by `serde_json::to_string`. The serde_json error is
/// converted into the caller's error type `E`.
pub fn serialize_scalar(scalar: &S) -> std::result::Result
where
    S: Serialize,
    E: From,
{
    serde_json::to_string(scalar).map_err(Into::into)
}

/// Deserialize a given scalar value from the module-standard serialization format.
///
/// Parses JSON text with `serde_json::from_str` into whatever type `D` the caller asks for.
/// Nothing here restricts the input to scalars; the target type decides what is accepted.
pub fn deserialize_scalar<'de, D, E>(scalar: &'de str) -> std::result::Result
where
    D: Deserialize<'de>,
    E: From,
{
    serde_json::from_str(scalar).map_err(Into::into)
}

/// Serde Deserializer type matching the deserialize_scalar implementation.
type ScalarDeserializer<'de> = serde_json::Deserializer>;

/// Constructor for ScalarDeserializer.
fn deserializer_for_scalar(scalar: &str) -> ScalarDeserializer<'_> {
    serde_json::Deserializer::from_str(scalar)
}

/// Serde generic "Value" type representing a tree of deserialized values. Should be able to hold
/// anything returned by the deserialization bits above.
pub type Value = serde_json::Value; #[cfg(test)] mod test { use super::memory::MemoryDataStore; use super::{Committed, DataStore, Key, KeyType}; use maplit::{hashmap, hashset}; #[test] fn set_unset_keys() { let mut m = MemoryDataStore::new(); let k1 = Key::new(KeyType::Data, "memtest1").unwrap(); let k2 = Key::new(KeyType::Data, "memtest2").unwrap(); let k3 = Key::new(KeyType::Data, "memtest3").unwrap(); let v1 = "memvalue1".to_string(); let v2 = "memvalue2".to_string(); let v3 = "memvalue3".to_string(); let data = hashmap!( k1.clone() => &v1, k2.clone() => &v2, k3.clone() => &v3, ); let tx = "test transaction"; let pending = Committed::Pending { tx: tx.into() }; m.set_keys(&data, &pending).unwrap(); assert_eq!(m.get_key(&k1, &pending).unwrap(), Some(v1)); assert_eq!(m.get_key(&k2, &pending).unwrap(), Some(v2)); assert_eq!(m.get_key(&k3, &pending).unwrap(), Some(v3.clone())); let unset = hashset!(k1.clone(), k2.clone()); m.unset_keys(&unset, &pending).unwrap(); assert_eq!(m.get_key(&k1, &pending).unwrap(), None); assert_eq!(m.get_key(&k2, &pending).unwrap(), None); assert_eq!(m.get_key(&k3, &pending).unwrap(), Some(v3)); } #[test] fn get_metadata_inheritance() { let mut m = MemoryDataStore::new(); let meta = Key::new(KeyType::Meta, "mymeta").unwrap(); let parent = Key::new(KeyType::Data, "a").unwrap(); let grandchild = Key::new(KeyType::Data, "a.b.c").unwrap(); // Set metadata on parent m.set_metadata(&meta, &parent, "value", &Committed::Live) .unwrap(); // Metadata shows up on grandchild... assert_eq!( m.get_metadata(&meta, &grandchild, &Committed::Live) .unwrap(), Some("value".to_string()) ); // ...but only through inheritance, not directly. 
assert_eq!( m.get_metadata_raw(&meta, &grandchild, &Committed::Live) .unwrap(), None ); } #[test] fn get_prefix() { let mut m = MemoryDataStore::new(); let data = hashmap!( Key::new(KeyType::Data, "x.1").unwrap() => "x1".to_string(), Key::new(KeyType::Data, "x.2").unwrap() => "x2".to_string(), Key::new(KeyType::Data, "y.3").unwrap() => "y3".to_string(), ); let tx = "test transaction"; let pending = Committed::Pending { tx: tx.into() }; m.set_keys(&data, &pending).unwrap(); assert_eq!( m.get_prefix("x.", &pending).unwrap(), hashmap!(Key::new(KeyType::Data, "x.1").unwrap() => "x1".to_string(), Key::new(KeyType::Data, "x.2").unwrap() => "x2".to_string()) ); } #[test] fn get_metadata_prefix() { let mut m = MemoryDataStore::new(); // Build some data keys to which we can attach metadata; they don't actually have to be // set in the data store. let k1 = Key::new(KeyType::Data, "x.1").unwrap(); let k2 = Key::new(KeyType::Data, "x.2").unwrap(); let k3 = Key::new(KeyType::Data, "y.3").unwrap(); // Set some metadata to check let mk1 = Key::new(KeyType::Meta, "metatest1").unwrap(); let mk2 = Key::new(KeyType::Meta, "metatest2").unwrap(); let mk3 = Key::new(KeyType::Meta, "metatest3").unwrap(); m.set_metadata(&mk1, &k1, "41", &Committed::Live).unwrap(); m.set_metadata(&mk2, &k2, "42", &Committed::Live).unwrap(); m.set_metadata(&mk3, &k3, "43", &Committed::Live).unwrap(); // Check all metadata assert_eq!( m.get_metadata_prefix("x.", &Committed::Live, &None as &Option<&str>) .unwrap(), hashmap!(k1 => hashmap!(mk1 => "41".to_string()), k2.clone() => hashmap!(mk2.clone() => "42".to_string())) ); // Check metadata matching a given name assert_eq!( m.get_metadata_prefix("x.", &Committed::Live, &Some("metatest2")) .unwrap(), hashmap!(k2 => hashmap!(mk2 => "42".to_string())) ); } #[test] fn get_metadata_prefix_from_pending() { let mut m = MemoryDataStore::new(); // Build some data keys to which we can attach metadata; they don't actually have to be // set in the data store. 
let k1 = Key::new(KeyType::Data, "x.1").unwrap(); let k2 = Key::new(KeyType::Data, "x.2").unwrap(); let k3 = Key::new(KeyType::Data, "y.3").unwrap(); // Set some metadata to check let mk1 = Key::new(KeyType::Meta, "metatest1").unwrap(); let mk2 = Key::new(KeyType::Meta, "metatest2").unwrap(); let mk3 = Key::new(KeyType::Meta, "metatest3").unwrap(); m.set_metadata( &mk1, &k1, "41", &Committed::Pending { tx: "test".to_owned(), }, ) .unwrap(); m.set_metadata( &mk2, &k2, "42", &Committed::Pending { tx: "test".to_owned(), }, ) .unwrap(); m.set_metadata( &mk3, &k3, "43", &Committed::Pending { tx: "test".to_owned(), }, ) .unwrap(); // Check all metadata assert_eq!( m.get_metadata_prefix( "x.", &Committed::Pending { tx: "test".to_owned() }, &None as &Option<&str> ) .unwrap(), hashmap!(k1 => hashmap!(mk1 => "41".to_string()), k2.clone() => hashmap!(mk2.clone() => "42".to_string())) ); // Check metadata matching a given name assert_eq!( m.get_metadata_prefix( "x.", &Committed::Pending { tx: "test".to_owned() }, &Some("metatest2") ) .unwrap(), hashmap!(k2 => hashmap!(mk2 => "42".to_string())) ); } } ================================================ FILE: sources/api/datastore/src/memory.rs ================================================ //! In-memory datastore for use in testing other modules. //! //! Mimics some of the decisions made for FilesystemDataStore, e.g. metadata being committed //! immediately. use std::collections::{HashMap, HashSet}; use crate::constraints_check::{ApprovedWrite, ConstraintCheckResult}; use super::{Committed, DataStore, Key, Result}; #[derive(Debug, Default)] pub struct MemoryDataStore { // Transaction name -> (key -> data) pending: HashMap>, // Committed (live) data. live: HashMap, // Map of data keys to their metadata, which in turn is a mapping of metadata keys to // arbitrary (string/serialized) values. 
metadata: HashMap>,
    // Map of data keys to their metadata, which in turn is a mapping of metadata keys to
    // arbitrary (string/serialized) values in pending transaction.
    // NOTE(review): unlike `pending`, this map is not keyed by transaction name, so pending
    // metadata written under different transactions lands in the same map.
    pending_metadata: HashMap>,
}

impl MemoryDataStore {
    /// Creates an empty datastore (all maps empty).
    pub fn new() -> Self {
        Default::default()
    }

    /// Returns the data map for the requested view: the live map, or the named transaction's
    /// map. Returns None when the transaction has no pending data.
    fn dataset(&self, committed: &Committed) -> Option<&HashMap> {
        match committed {
            Committed::Live => Some(&self.live),
            Committed::Pending { tx } => self.pending.get(tx),
        }
    }

    /// Mutable counterpart of `dataset`. For a pending view this creates an empty entry for
    /// the transaction if none exists, so even a removal on an unknown transaction name makes
    /// that name appear in `list_transactions`.
    fn dataset_mut(&mut self, committed: &Committed) -> &mut HashMap {
        match committed {
            Committed::Live => &mut self.live,
            Committed::Pending { tx } => self.pending.entry(tx.clone()).or_default(),
        }
    }
}

impl DataStore for MemoryDataStore {
    // Lists keys whose name starts with `prefix`. This is a plain string prefix match on the
    // key name, not a match on whole segments: a prefix without a trailing separator also
    // matches sibling keys that merely share leading characters.
    fn list_populated_keys>(
        &self,
        prefix: S,
        committed: &Committed,
    ) -> Result> {
        // An unknown transaction is treated as having no keys.
        let empty = HashMap::new();
        let dataset = self.dataset(committed).unwrap_or(&empty);
        Ok(dataset
            .keys()
            // Make sure the data keys start with the given prefix.
            .filter(|k| k.name().starts_with(prefix.as_ref()))
            .cloned()
            .collect())
    }

    // Lists metadata keys per data key, filtered by data key prefix and, optionally, by
    // metadata key name. For a pending view the transaction name is ignored: every pending
    // request reads the single shared `pending_metadata` map.
    fn list_populated_metadata(
        &self,
        prefix: S1,
        committed: &Committed,
        metadata_key_name: &Option,
    ) -> Result>>
    where
        S1: AsRef,
        S2: AsRef,
    {
        let metadata_to_use = match committed {
            Committed::Live => &self.metadata,
            Committed::Pending { .. } => &self.pending_metadata,
        };

        let mut result = HashMap::new();
        for (data_key, meta_map) in metadata_to_use.iter() {
            // Confirm data key matches requested prefix.
            if !data_key.name().starts_with(prefix.as_ref()) {
                continue;
            }

            let mut meta_for_data = HashSet::new();
            for meta_key in meta_map.keys() {
                // Confirm metadata key matches requested name, if any.
                if let Some(name) = metadata_key_name {
                    if name.as_ref() != meta_key.name() {
                        continue;
                    }
                }
                meta_for_data.insert(meta_key.clone());
            }
            // Only add an entry for the data key if we found metadata.
            if !meta_for_data.is_empty() {
                result.insert(data_key.clone(), meta_for_data);
            }
        }

        Ok(result)
    }

    // Returns a copy of the stored value, or None if the key (or the transaction) is absent.
    fn get_key(&self, key: &Key, committed: &Committed) -> Result> {
        let empty = HashMap::new();
        let dataset = self.dataset(committed).unwrap_or(&empty);
        Ok(dataset.get(key).cloned())
    }

    // Stores an owned copy of the value, replacing any existing value for the key.
    fn set_key>(&mut self, key: &Key, value: S, committed: &Committed) -> Result<()> {
        self.dataset_mut(committed)
            .insert(key.clone(), value.as_ref().to_owned());
        Ok(())
    }

    // Removes the key if present; a missing key is not an error.
    fn unset_key(&mut self, key: &Key, committed: &Committed) -> Result<()> {
        self.dataset_mut(committed).remove(key);
        Ok(())
    }

    fn key_populated(&self, key: &Key, committed: &Committed) -> Result {
        let empty = HashMap::new();
        let dataset = self.dataset(committed).unwrap_or(&empty);
        Ok(dataset.contains_key(key))
    }

    // Looks up metadata set on exactly `data_key` (no inheritance). As in
    // list_populated_metadata, the transaction name of a pending view is ignored.
    fn get_metadata_raw(
        &self,
        metadata_key: &Key,
        data_key: &Key,
        committed: &Committed,
    ) -> Result> {
        let metadata_to_use = match committed {
            Committed::Live => &self.metadata,
            Committed::Pending { .. } => &self.pending_metadata,
        };

        let metadata_for_data = metadata_to_use.get(data_key);
        // If we have a metadata entry for this data key, then we can try fetching the requested
        // metadata key, otherwise we'll return early with Ok(None).
        let result = metadata_for_data.and_then(|m| m.get(metadata_key));
        Ok(result.cloned())
    }

    fn set_metadata>(
        &mut self,
        metadata_key: &Key,
        data_key: &Key,
        value: S,
        committed: &Committed,
    ) -> Result<()> {
        match committed {
            Committed::Live => set_metadata_raw(&mut self.metadata, metadata_key, data_key, value),
            Committed::Pending { .. } => {
                set_metadata_raw(&mut self.pending_metadata, metadata_key, data_key, value)
            }
        }
    }

    // Removes the metadata key from the live metadata map only; an entry for the same keys
    // in `pending_metadata` is left in place.
    fn unset_metadata(&mut self, metadata_key: &Key, data_key: &Key) -> Result<()> {
        // If we have any metadata for this data key, remove the given metadata key.
        if let Some(metadata_for_data) = self.metadata.get_mut(data_key) {
            metadata_for_data.remove(metadata_key);
        }
        Ok(())
    }

    // Runs the constraint check against the pending view of the transaction, writes the
    // approved settings to the live map, drops the transaction's pending data and returns
    // the keys that were written.
    //
    // An error from the constraint check is handled as a rejection (fail closed), but the
    // underlying error is discarded and replaced with a fixed message, so the cause is not
    // visible to the caller.
    //
    // Only `approved_write.settings` is applied. This function does not write
    // `approved_write.metadata`, and it does not move or clear `pending_metadata`.
    fn commit_transaction(
        &mut self,
        transaction: S,
        constraint_check: &C,
    ) -> Result>
    where
        S: Into + AsRef,
        C: Fn(
            &mut Self,
            &Committed,
        ) -> std::result::Result<
            ConstraintCheckResult,
            Box,
        >,
    {
        let tx = transaction.as_ref();
        let pending = Committed::Pending { tx: tx.into() };

        let constraint_check_result =
            constraint_check(self, &pending).unwrap_or(ConstraintCheckResult::Reject(
                "Check constraint function rejected the transaction. Aborting commit".to_string(),
            ));

        // Presumably this conversion fails for a Reject (it is defined in constraints_check,
        // not shown here); in that case `?` returns before anything is written and before the
        // pending data is removed, so the rejected transaction stays pending.
        let approved_write = ApprovedWrite::try_from(constraint_check_result)?;

        let mut pending_keys: HashSet = Default::default();

        // Write the approved settings, if there are any.
        if !approved_write.settings.is_empty() {
            // Save Keys for return value
            pending_keys = approved_write.settings.keys().cloned().collect();

            // Apply pending changes to live
            self.set_keys(&approved_write.settings, &Committed::Live)?;
        }

        // Remove anything pending for this transaction
        self.pending.remove(tx);

        // Return keys that were committed
        Ok(pending_keys)
    }

    // Drops the transaction's pending data and returns its keys. `pending_metadata` is not
    // touched.
    fn delete_transaction(&mut self, transaction: S) -> Result>
    where
        S: Into + AsRef,
    {
        // Remove anything pending for this transaction
        if let Some(pending) = self.pending.remove(transaction.as_ref()) {
            // Return the old pending keys
            Ok(pending.keys().cloned().collect())
        } else {
            Ok(HashSet::new())
        }
    }

    fn list_transactions(&self) -> Result> {
        Ok(self.pending.keys().cloned().collect())
    }
}

// Shared helper for set_metadata: stores an owned copy of `value` under
// (data_key, metadata_key) in whichever metadata map the caller selected.
fn set_metadata_raw>(
    metadata_to_use: &mut HashMap>,
    metadata_key: &Key,
    data_key: &Key,
    value: S,
) -> Result<()> {
    // If we don't already have a metadata entry for this data key, insert one.
    let metadata_for_data = metadata_to_use
        // Clone data key because we want the HashMap key type to be Key, not &Key, and we
        // can't pass ownership because we only have a reference from our parameters.
.entry(data_key.clone()) .or_default(); metadata_for_data.insert(metadata_key.clone(), value.as_ref().to_owned()); Ok(()) } #[cfg(test)] mod test { use std::collections::HashMap; use super::super::{Committed, DataStore, Key, KeyType}; use super::MemoryDataStore; use crate::constraints_check::{ApprovedWrite, ConstraintCheckResult}; use crate::{deserialize_scalar, serialize_scalar, ScalarError}; use maplit::hashset; fn constraint_check( datastore: &mut MemoryDataStore, committed: &Committed, ) -> super::Result> { let mut transaction_metadata = datastore .get_metadata_prefix("settings.", committed, &None as &Option<&str>) .unwrap(); let settings_to_commit: HashMap = match committed { Committed::Pending { tx: transaction } => datastore .pending .get(transaction) .unwrap_or(&HashMap::new()) .clone(), Committed::Live => HashMap::new(), }; let mut metadata_to_commit: Vec<(Key, Key, String)> = Vec::new(); for (key, value) in transaction_metadata.iter_mut() { for (metadata_key, metadata_value) in value { if metadata_key.name() != "strength" { continue; } // strength in pending transaction let pending_strength: String = deserialize_scalar::<_, ScalarError>(&metadata_value.clone()).unwrap(); let met_value = serialize_scalar::<_, ScalarError>(&pending_strength).unwrap(); metadata_to_commit.push((metadata_key.clone(), key.clone(), met_value)); } } let approved_write = ApprovedWrite { settings: settings_to_commit, metadata: metadata_to_commit, }; Ok(ConstraintCheckResult::from(Some(approved_write))) } #[test] fn get_set_unset() { let mut m = MemoryDataStore::new(); let k = Key::new(KeyType::Data, "memtest").unwrap(); let v = "memvalue"; m.set_key(&k, v, &Committed::Live).unwrap(); assert_eq!( m.get_key(&k, &Committed::Live).unwrap(), Some(v.to_string()) ); let mdkey = Key::new(KeyType::Meta, "testmd").unwrap(); let md = "mdval"; m.set_metadata(&mdkey, &k, md, &Committed::Live).unwrap(); assert_eq!( m.get_metadata_raw(&mdkey, &k, &Committed::Live).unwrap(), Some(md.to_string()) 
); m.set_metadata( &mdkey, &k, md, &Committed::Pending { tx: "test".to_owned(), }, ) .unwrap(); assert_eq!( m.get_metadata_raw( &mdkey, &k, &Committed::Pending { tx: "test".to_owned() } ) .unwrap(), Some(md.to_string()) ); m.unset_metadata(&mdkey, &k).unwrap(); assert_eq!( m.get_metadata_raw(&mdkey, &k, &Committed::Live).unwrap(), None ); m.unset_key(&k, &Committed::Live).unwrap(); assert_eq!(m.get_key(&k, &Committed::Live).unwrap(), None); } #[test] fn populated() { let mut m = MemoryDataStore::new(); let k1 = Key::new(KeyType::Data, "memtest1").unwrap(); let k2 = Key::new(KeyType::Data, "memtest2").unwrap(); let v = "memvalue"; m.set_key(&k1, v, &Committed::Live).unwrap(); m.set_key(&k2, v, &Committed::Live).unwrap(); assert!(m.key_populated(&k1, &Committed::Live).unwrap()); assert!(m.key_populated(&k2, &Committed::Live).unwrap()); assert_eq!( m.list_populated_keys("", &Committed::Live).unwrap(), hashset!(k1, k2), ); let bad_key = Key::new(KeyType::Data, "memtest3").unwrap(); assert!(!m.key_populated(&bad_key, &Committed::Live).unwrap()); } #[test] fn commit() { let mut m = MemoryDataStore::new(); let k = Key::new(KeyType::Data, "settings.a.b.c").unwrap(); let v = "memvalue"; let tx = "test transaction"; let pending = Committed::Pending { tx: tx.into() }; m.set_key(&k, v, &pending).unwrap(); assert!(m.key_populated(&k, &pending).unwrap()); assert!(!m.key_populated(&k, &Committed::Live).unwrap()); m.commit_transaction(tx, &constraint_check).unwrap(); assert!(!m.key_populated(&k, &pending).unwrap()); assert!(m.key_populated(&k, &Committed::Live).unwrap()); } #[test] fn delete_transaction() { let mut m = MemoryDataStore::new(); let k = Key::new(KeyType::Data, "settings.a.b.c").unwrap(); let v = "memvalue"; let tx = "test transaction"; let pending = Committed::Pending { tx: tx.into() }; m.set_key(&k, v, &pending).unwrap(); // Set something in a different transaction to ensure it doesn't get deleted let k2 = Key::new(KeyType::Data, "settings.x.y.z").unwrap(); let v2 = 
"memvalue 2"; let tx2 = "test transaction 2"; let pending2 = Committed::Pending { tx: tx2.into() }; m.set_key(&k2, v2, &pending2).unwrap(); assert!(m.key_populated(&k, &pending).unwrap()); assert!(!m.key_populated(&k, &Committed::Live).unwrap()); m.delete_transaction(tx).unwrap(); assert!(!m.key_populated(&k, &pending).unwrap()); assert!(!m.key_populated(&k, &Committed::Live).unwrap()); // Assure other transactions were not deleted assert!(m.key_populated(&k2, &pending2).unwrap()); } } ================================================ FILE: sources/api/datastore/src/serialization/error.rs ================================================ use serde::ser; use snafu::{IntoError, NoneError as NoSource, Snafu}; use crate::ScalarError; /// Potential errors from serialization. #[derive(Debug, Snafu)] #[snafu(visibility(pub))] pub enum Error { // This error variant is required to implement ser::Error for serde. #[snafu(display("Error during serialization: {}", msg))] Message { msg: String }, #[snafu(display("Serializer logic error: {}", msg))] Internal { msg: String }, #[snafu(display("Error creating valid datastore key: {}", msg))] InvalidKey { // "msg" instead of just key name because we want to include the data store error // message, but can't have it as a "source" because that'd be circular msg: String, }, #[snafu(display("Tried to output concrete value without prefix; value: {}", value))] MissingPrefix { value: String }, #[snafu(display("Error serializing {}: {} ", given, source))] Serialization { given: String, source: ScalarError }, #[snafu(display("Error deserializing {}: {} ", given, source))] Deserialization { given: String, source: ScalarError }, #[snafu(display("'{}' not allowed by Serializer", typename))] InvalidType { typename: String }, #[snafu(display("'{}' not allowed as map key", typename))] BadMapKey { typename: String }, } pub type Result = std::result::Result; impl ser::Error for Error { fn custom(msg: T) -> Self { MessageSnafu { msg: msg.to_string(), } 
.into_error(NoSource) } } ================================================ FILE: sources/api/datastore/src/serialization/mod.rs ================================================ //! The serialization module implements generic serialization techniques that are particularly //! useful for turning Rust structures into simpler types that are easy to write to a datastore. mod error; mod pairs; pub use error::{Error, Result}; pub use pairs::{to_pairs, to_pairs_with_prefix}; use log::{debug, trace}; use serde::{ser, Serialize}; use snafu::{IntoError, NoneError as NoSource}; use crate::{Key, KeyType}; // Below are serializers not specific to the pairs module that could be used for other serializers. // For example, a 'keys' serializer that just returns a set of keys, without associated data. /// We use this in serialize_key to ensure map keys are only strings, for easy interoperability /// with TOML/JSON. /// /// We also ensure map keys are valid datastore keys. struct MapKeySerializer {} impl MapKeySerializer { fn new() -> Self { Self {} } } /// Most types are invalid map keys (only strings are OK) so we need to return an error in most /// cases. This simplifies the creation of that error, with a customizable message for the type. fn bad_key(typename: &str) -> Result { error::BadMapKeySnafu { typename }.fail() } impl ser::Serializer for &MapKeySerializer { type Ok = String; type Error = Error; type SerializeSeq = ser::Impossible; type SerializeTuple = ser::Impossible; type SerializeTupleStruct = ser::Impossible; type SerializeTupleVariant = ser::Impossible; type SerializeMap = ser::Impossible; type SerializeStruct = ser::Impossible; type SerializeStructVariant = ser::Impossible; // Allow serialization of strings for map keys, but nothing else. fn serialize_str(self, value: &str) -> Result { // Make sure string is valid as a key. 
let key = Key::from_segments(KeyType::Data, &[value]).map_err(|e| { debug!("MapKeySerializer got invalid key name: {value}"); error::InvalidKeySnafu { msg: format!("{e}"), } .into_error(NoSource) })?; trace!("MapKeySerializer got OK key: {key}"); Ok(key.to_string()) } fn serialize_bool(self, _value: bool) -> Result { bad_key("bool") } fn serialize_i8(self, _value: i8) -> Result { bad_key("i8") } fn serialize_i16(self, _value: i16) -> Result { bad_key("i16") } fn serialize_i32(self, _value: i32) -> Result { bad_key("i32") } fn serialize_i64(self, _value: i64) -> Result { bad_key("i64") } fn serialize_u8(self, _value: u8) -> Result { bad_key("u8") } fn serialize_u16(self, _value: u16) -> Result { bad_key("u16") } fn serialize_u32(self, _value: u32) -> Result { bad_key("u32") } fn serialize_u64(self, _value: u64) -> Result { bad_key("u64") } fn serialize_f32(self, _value: f32) -> Result { bad_key("f32") } fn serialize_f64(self, _value: f64) -> Result { bad_key("f64") } fn serialize_char(self, _value: char) -> Result { bad_key("char") } fn serialize_bytes(self, _value: &[u8]) -> Result { bad_key("bytes") } fn serialize_unit(self) -> Result { bad_key("unit") } fn serialize_unit_struct(self, _name: &'static str) -> Result { bad_key("unit_struct") } /// A simple enum can be used as if it were a string, so we allow these to serve as map keys. 
fn serialize_unit_variant( self, _name: &'static str, _variant_index: u32, variant: &'static str, ) -> Result { self.serialize_str(variant) } fn serialize_newtype_struct(self, _name: &'static str, _value: &T) -> Result where T: ?Sized + Serialize, { bad_key("newtype_struct") } fn serialize_newtype_variant( self, _name: &'static str, _variant_index: u32, _variant: &'static str, _value: &T, ) -> Result where T: ?Sized + Serialize, { bad_key("newtype_variant") } fn serialize_none(self) -> Result { bad_key("none") } fn serialize_some(self, _value: &T) -> Result where T: ?Sized + Serialize, { bad_key("some") } fn serialize_seq(self, _len: Option) -> Result { bad_key("seq") } fn serialize_tuple(self, _len: usize) -> Result { bad_key("tuple") } fn serialize_tuple_struct( self, _name: &'static str, _len: usize, ) -> Result { bad_key("tuple struct") } fn serialize_tuple_variant( self, _name: &'static str, _variant_index: u32, _variant: &'static str, _len: usize, ) -> Result { bad_key("tuple variant") } fn serialize_map(self, _len: Option) -> Result { bad_key("map") } fn serialize_struct(self, _name: &'static str, _len: usize) -> Result { bad_key("struct") } fn serialize_struct_variant( self, _name: &'static str, _variant_index: u32, _variant: &'static str, _len: usize, ) -> Result { bad_key("struct variant") } } #[cfg(test)] mod test { use super::MapKeySerializer; use serde::Serialize; // This enum is fine because its variants are "simple", thus it can be represented as a simple // string and can be used as a map key. #[derive(Debug, Serialize)] enum TestEnum { Value, } // This enum cannot be used as a map key because it has a variant that can't be serialized as a // simple string. 
#[derive(Debug, Serialize)] enum BadEnum { Value(i32), } #[test] fn ok_key() { let serializer = MapKeySerializer::new(); let m = "A".to_string(); let res = m.serialize(&serializer).unwrap(); assert_eq!(res, "A"); } #[test] fn ok_enum_key() { let serializer = MapKeySerializer::new(); let m = TestEnum::Value; let res = m.serialize(&serializer).unwrap(); assert_eq!(res, "Value"); } #[test] fn bad_keys() { let serializer = MapKeySerializer::new(); 42u8.serialize(&serializer).unwrap_err(); 42i32.serialize(&serializer).unwrap_err(); true.serialize(&serializer).unwrap_err(); 'q'.serialize(&serializer).unwrap_err(); ().serialize(&serializer).unwrap_err(); [1u8].serialize(&serializer).unwrap_err(); (None as Option).serialize(&serializer).unwrap_err(); Some(42).serialize(&serializer).unwrap_err(); BadEnum::Value(1).serialize(&serializer).unwrap_err(); } } ================================================ FILE: sources/api/datastore/src/serialization/pairs.rs ================================================ //! The goal of this module is to be able to turn serializable structures, primarily the API model, //! into a form that can be easily written to our data store, key by key, since we will often //! receive arbitrary subsets of the valid keys. We use serde to help walk through the structure, //! and use the Serializer's associated types to keep track of where we are in the tree of nested //! structures. //! The serialization pattern below could be used for other structures as well, but we're starting //! out by orienting it toward the API model. As such, data types are oriented around TOML/JSON //! types, to be sure we support the various forms of input/output we care about. 
use log::trace;
use serde::{ser, Serialize};
use snafu::{IntoError, NoneError as NoSource, OptionExt, ResultExt};
use std::collections::HashMap;

use super::{error, Error, MapKeySerializer, Result};
use crate::{serialize_scalar, Key, KeyType, ScalarError};

/// This is the primary interface to our serialization. We turn anything implementing Serialize
/// into pairs of datastore keys and serialized values. For example, a nested struct like this:
///    Settings -> DockerSettings -> bridge_ip = u64
/// would turn into a key of "settings.docker-settings.bridge-ip" and a serialized String
/// representing the u64 data.
///
/// No prefix is supplied, so the key prefix comes from the name of the top-level struct (see
/// `serialize_struct`). Serializing a bare scalar at the top level fails with
/// `MissingPrefix`.
pub fn to_pairs(value: &T) -> Result> {
    let mut output = HashMap::new();
    let serializer = Serializer::new(&mut output, None);
    value.serialize(serializer)?;
    Ok(output)
}

/// Like to_pairs, but lets you add an arbitrary prefix to the resulting keys. A separator will
/// automatically be added after the prefix.
///
/// The prefix is validated by building a data `Key` from it; an invalid prefix is returned
/// as `InvalidKey` before anything is serialized.
pub fn to_pairs_with_prefix(prefix: S, value: &T) -> Result>
where
    S: AsRef,
    T: Serialize,
{
    let prefix = prefix.as_ref();
    let prefix_key = Key::new(KeyType::Data, prefix).map_err(|e| {
        error::InvalidKeySnafu {
            msg: format!("Prefix '{prefix}' not valid as Key: {e}"),
        }
        .into_error(NoSource)
    })?;

    let mut output = HashMap::new();
    let serializer = Serializer::new(&mut output, Some(prefix_key));
    value.serialize(serializer)?;
    Ok(output)
}

/////

/// Serializer does most of the work by recursively serializing compound structures, and trivially
/// serializing scalars.
///
/// Caveat: for a list/tuple, the elements inside only have indexes, which doesn't work well with
/// the data store. Lists are common enough that we need some answer, so we say that lists can
/// only contain scalars, not further compound objects. That way we can serialize the list
/// directly (see FlatSerializer) rather than as a compound.
///
/// (We could handle lists as proper compound structures by improving the data store such that it
/// can store unnamed sub-components, perhaps by using a visible index ("a.b.c[0]", "a.b.c[1]").
/// It's more common to use a HashMap in the model, and then to use named keys instead of indexes,
/// which works fine.)
struct Serializer<'a> {
    // Destination map shared by every nested serializer.
    output: &'a mut HashMap,
    // Key under which the value being serialized will be stored; None only at the top level
    // when the caller gave no prefix.
    prefix: Option,
    // This is temporary storage for serializing maps, because serde gives us keys and values
    // separately. See the SerializeMap implementation below.
    key: Option,
}

impl<'a> Serializer<'a> {
    fn new(output: &'a mut HashMap, prefix: Option) -> Self {
        Self {
            output,
            prefix,
            key: None,
        }
    }
}

/// This helps us handle the cases where we have to have an existing prefix in order to output a
/// value. It creates an explanatory error if the given prefix is None.
///
/// `value` is copied into the `MissingPrefix` error, so that error carries whatever the caller
/// passed in, which may be the serialized setting itself (see `concrete_output!`).
fn expect_prefix(maybe_prefix: Option, value: &str) -> Result {
    maybe_prefix.context(error::MissingPrefixSnafu { value })
}

/// Serializes a concrete value and saves it to the output, assuming we have a prefix.
///
/// Both failure paths embed the value in the error: `Serialization` formats the raw value
/// into `given`, and `MissingPrefix` receives the serialized value. NOTE(review): if a
/// setting can hold a secret, check where these errors are logged or returned. The trace
/// line records only the prefix.
macro_rules! concrete_output {
    ($self:expr, $value:expr) => {
        trace!("Serializing scalar at prefix {:?}", $self.prefix);
        let value = serialize_scalar::<_, ScalarError>(&$value).with_context(|_| {
            error::SerializationSnafu {
                given: format!("concrete value '{}'", $value),
            }
        })?;
        let prefix = expect_prefix($self.prefix, &value)?;
        // An existing entry under the same key is replaced.
        $self.output.insert(prefix, value);
        return Ok(());
    };
}

/// Several types are invalid for our serialization so we commonly need to return an error. This
/// simplifies the creation of that error, with a customizable message for the type.
fn bad_type(typename: &str) -> Result {
    error::InvalidTypeSnafu { typename }.fail()
}

impl<'a> ser::Serializer for Serializer<'a> {
    type Ok = ();
    type Error = Error;

    // See the docs on Serializer for reasoning about this.
    // Sequences go through FlatSerializer; tuples and struct/tuple variants are not
    // serializable here (ser::Impossible).
    type SerializeSeq = FlatSerializer<'a>;
    type SerializeTuple = ser::Impossible<(), Error>;
    type SerializeTupleStruct = ser::Impossible<(), Error>;
    type SerializeTupleVariant = ser::Impossible<(), Error>;
    type SerializeStructVariant = ser::Impossible<(), Error>;
    type SerializeMap = Self;
    type SerializeStruct = Self;

    // Simple concrete types.
    // Each one serializes the scalar and stores it under the current prefix; the macro
    // returns from the method.
    fn serialize_bool(self, v: bool) -> Result<()> {
        concrete_output!(self, v);
    }
    fn serialize_i8(self, v: i8) -> Result<()> {
        concrete_output!(self, v);
    }
    fn serialize_i16(self, v: i16) -> Result<()> {
        concrete_output!(self, v);
    }
    fn serialize_i32(self, v: i32) -> Result<()> {
        concrete_output!(self, v);
    }
    fn serialize_i64(self, v: i64) -> Result<()> {
        concrete_output!(self, v);
    }
    fn serialize_u8(self, v: u8) -> Result<()> {
        concrete_output!(self, v);
    }
    fn serialize_u16(self, v: u16) -> Result<()> {
        concrete_output!(self, v);
    }
    fn serialize_u32(self, v: u32) -> Result<()> {
        concrete_output!(self, v);
    }
    fn serialize_u64(self, v: u64) -> Result<()> {
        concrete_output!(self, v);
    }
    fn serialize_f32(self, v: f32) -> Result<()> {
        concrete_output!(self, v);
    }
    fn serialize_f64(self, v: f64) -> Result<()> {
        concrete_output!(self, v);
    }
    fn serialize_str(self, v: &str) -> Result<()> {
        concrete_output!(self, v);
    }

    // Don't serialize None at all; it should mean the key wasn't given.
    // No pair is emitted, so serializing None cannot clear a key that is already stored.
    fn serialize_none(self) -> Result<()> {
        Ok(())
    }

    // Serialize the Some(x) as x. Our basic structure is that all settings are optional, so
    // the API is ergonomic to call with a subset of keys, and so Some just means they wanted this
    // key set.
fn serialize_some(self, value: &T) -> Result<()> where T: ?Sized + Serialize, { value.serialize(self) } // Compound types fn serialize_seq(self, _len: Option) -> Result { Ok(FlatSerializer::new( self.output, expect_prefix(self.prefix, "seq")?, )) } fn serialize_map(self, _len: Option) -> Result { Ok(Serializer::new(self.output, self.prefix)) } fn serialize_struct(self, name: &'static str, _len: usize) -> Result { trace!("Serializing struct '{}' at prefix {:?}", name, self.prefix); // If we already have a prefix, use it - could be because we're in a nested struct, or the // user gave a prefix. Otherwise, use the given name - this is a top-level struct. let prefix = match self.prefix { p @ Some(_) => p, None => { trace!("Had no prefix, starting with struct name: {name}"); let key = Key::from_segments(KeyType::Data, &[&name]).map_err(|e| { error::InvalidKeySnafu { msg: format!("struct '{name}' not valid as Key: {e}"), } .into_error(NoSource) })?; Some(key) } }; Ok(Serializer::new(self.output, prefix)) } // Types we can't (or don't want to) represent. // No char type, and using String would lose the distinction you were trying to make by // using a char. fn serialize_char(self, _v: char) -> Result<()> { bad_type("char") } // No binary type; could use base64 or similar if we implement our own deserialization // that understands it. fn serialize_bytes(self, _v: &[u8]) -> Result<()> { bad_type("bytes") } // We just don't expect to need these, and we doesn't have a great way to represent them. fn serialize_unit(self) -> Result<()> { bad_type("unit") } fn serialize_unit_struct(self, _name: &'static str) -> Result<()> { bad_type("unit struct") } // When we use "simple" enums (those that only have "unit" variants), we represent them as // strings in the data model. As far as the API is concerned, these are string values, but in // the model we constrain them using an enum. 
fn serialize_unit_variant( self, _name: &'static str, _variant_index: u32, variant: &'static str, ) -> Result<()> { self.serialize_str(variant) } fn serialize_newtype_struct(self, _name: &'static str, _value: &T) -> Result<()> where T: ?Sized + Serialize, { bad_type("newtype struct") } fn serialize_newtype_variant( self, _name: &'static str, _variant_index: u32, _variant: &'static str, _value: &T, ) -> Result<()> where T: ?Sized + Serialize, { bad_type("newtype variant") } // We don't expect to need tuples, and we don't have a great way to represent them, // distinct from lists. fn serialize_tuple(self, _len: usize) -> Result { bad_type("tuple") } fn serialize_tuple_struct( self, _name: &'static str, _len: usize, ) -> Result { bad_type("tuple struct") } fn serialize_tuple_variant( self, _name: &'static str, _variant_index: u32, _variant: &'static str, _len: usize, ) -> Result { bad_type("tuple variant") } fn serialize_struct_variant( self, _name: &'static str, _variant_index: u32, _variant: &'static str, _len: usize, ) -> Result { bad_type("struct variant") } } /// Helper that combines the existing prefix, if any, with a separator and the new key. fn key_append_or_create(old_prefix: &Option, key: &Key) -> Result { if let Some(old_prefix) = old_prefix { old_prefix.append_key(key).map_err(|e| { error::InvalidKeySnafu { msg: format!("appending '{key}' to '{old_prefix}' is invalid as Key: {e}"), } .into_error(NoSource) }) } else { Ok(key.clone()) } } /// Serialize map structures, recursively handling any inner compound structures by using the key /// name as the new prefix. /// /// Two important notes here. /// /// First, we can only allow map keys to be strings, for easy interoperability with TOML/JSON. /// We delegate to the MapKeySerializer to handle that. /// /// Second, serde is limited in the sense that it requires you to serialize keys and values /// separately, whereas we'd prefer a single pass because we only need to store the output. 
To /// work around this, we use the Option 'key' in the struct to store the last-serialized key, /// knowing that serde will serialize keys and values in that order. impl ser::SerializeMap for Serializer<'_> { type Ok = (); type Error = Error; fn serialize_key(&mut self, key: &T) -> Result<()> where T: ?Sized + Serialize, { trace!("Serializing map key at prefix {:?}", self.prefix); // We're given a serializable thing; need to serialize it to get a string we can work with. let key_str = key.serialize(&MapKeySerializer::new())?; // It should be valid as a Key. // Note: we use 'new', not 'from_segments', because we just serialized into a string, // meaning it's in quoted form. let key = Key::new(KeyType::Data, &key_str).map_err(|e| { error::InvalidKeySnafu { msg: format!("serialized map key '{}' not valid as Key: {}", &key_str, e), } .into_error(NoSource) })?; // Store the key to use later in serialize_value. self.key = Some(key_append_or_create(&self.prefix, &key)?); Ok(()) } fn serialize_value(&mut self, value: &T) -> Result<()> where T: ?Sized + Serialize, { // Pull out the stored key and serialize whatever's in the value using the key as its name // prefix. match self.key.take() { Some(key) => { trace!( "Recursively serializing map value at prefix {:?}", self.prefix ); value.serialize(Serializer::new(self.output, Some(key))) } None => error::InternalSnafu { msg: "Attempted to serialize value without key", } .fail(), } } // No need to "end" the structure, we're not serializing to a single text format. fn end(self) -> Result<()> { Ok(()) } } /// Serialize structs, recursively handling any inner compound structures by using the key name as /// the new prefix. (No need to use the struct's name; we're not at the root level, so it was /// already pointed to by some name.) 
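impl ser::SerializeStruct for Serializer<'_> {
    type Ok = ();
    type Error = Error;

    /// Serializes one field of a struct, using the field name appended to the current prefix as
    /// the prefix for whatever the field's value produces.
    ///
    /// Returns an `InvalidKey` error if the field name cannot be used as a data key, or if it
    /// cannot be appended to the existing prefix.
    fn serialize_field<T>(&mut self, key_str: &'static str, value: &T) -> Result<()>
    where
        T: ?Sized + Serialize,
    {
        // The field name is treated as a single key segment.
        // NOTE(review): presumably from_segments quotes the segment as needed - confirm in Key.
        let key = Key::from_segments(KeyType::Data, &[&key_str]).map_err(|e| {
            error::InvalidKeySnafu {
                msg: format!("struct field '{key_str}' not valid as Key: {e}"),
            }
            .into_error(NoSource)
        })?;

        let new_root = key_append_or_create(&self.prefix, &key)?;
        trace!(
            "Recursively serializing struct with new root '{}' from prefix '{:?}' and key '{}'",
            new_root,
            self.prefix,
            &key
        );
        // A fresh Serializer shares the same output map, so nested values land in one flat map.
        value.serialize(Serializer::new(self.output, Some(new_root)))
    }

    /// Nothing to finalize; every field was already written to the output map.
    fn end(self) -> Result<()> {
        Ok(())
    }
}

/////

/// This serializes compound structures into a flat blob, for cases where recursively serializing
/// compound structures doesn't make sense.  See Serializer for detail on why it uses this.
///
/// Warning; this requires hacks.  serde gives you three callbacks during serialization - starting
/// the structure, for each element, and ending the structure.  There's no option to handle an
/// entire structure at once, which is exactly what we'd want.  We can't clone the elements, since
/// we only have a Serialize bound, and I couldn't figure out how to store the references, so we do
/// the unthinkable - serialize each element to a String, store those in a list during the
/// serialization steps, and then at the end, deserialize the strings back into a list of the
/// original type, and serialize the entire list.  Sorry.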
struct FlatSerializer<'a> { output: &'a mut HashMap, prefix: Key, list: Vec, } impl<'a> FlatSerializer<'a> { fn new(output: &'a mut HashMap, prefix: Key) -> Self { FlatSerializer { output, prefix, list: Vec::new(), } } } impl ser::SerializeSeq for FlatSerializer<'_> { type Ok = (); type Error = Error; fn serialize_element(&mut self, value: &T) -> Result<()> where T: ?Sized + Serialize, { trace!("Serializing element of list"); self.list.push( serde_json::to_string(value).context(error::SerializationSnafu { given: "list element", })?, ); Ok(()) } fn end(self) -> Result<()> { let mut originals: Vec = Vec::new(); trace!("Deserializing elements of list"); for original in self.list { originals.push(original.parse().context(error::DeserializationSnafu { given: "list element", })?); } trace!("Serializing list"); self.output.insert( self.prefix, serde_json::to_string(&originals) .context(error::SerializationSnafu { given: "list" })?, ); Ok(()) } } #[cfg(test)] mod test { use super::{to_pairs, to_pairs_with_prefix}; use crate::{Key, KeyType}; use maplit::hashmap; use serde::Serialize; // Helper macro for making a data Key for testing whose name we know is valid. macro_rules! 
key { ($name:expr) => { Key::new(KeyType::Data, $name).unwrap() }; } #[derive(PartialEq, Serialize)] struct A { id: u8, b: Option, } #[derive(PartialEq, Serialize)] struct B { list: Vec, boolean: bool, } #[test] fn basic_struct_keys() { let b = B { list: vec![3, 4, 5], boolean: true, }; let keys = to_pairs(&b).unwrap(); assert_eq!( keys, hashmap!( key!("B.list") => "[3,4,5]".to_string(), key!("B.boolean") => "true".to_string(), ) ); } #[test] fn empty_value() { let val: toml::Value = toml::from_str("").unwrap(); let keys = to_pairs(&val).unwrap(); assert_eq!(keys, hashmap!()) } #[test] fn nested_struct_keys() { let b = B { list: vec![5, 6, 7], boolean: true, }; let a = A { id: 42, b: Some(b) }; let keys = to_pairs(&a).unwrap(); assert_eq!( keys, hashmap!( key!("A.b.list") => "[5,6,7]".to_string(), key!("A.b.boolean") => "true".to_string(), key!("A.id") => "42".to_string(), ) ); } #[test] fn map() { let m = hashmap!( key!("A") => hashmap!( key!("id") => 42, key!("ie") => 43, ), ); let keys = to_pairs_with_prefix("map", &m).unwrap(); assert_eq!( keys, hashmap!( key!("map.A.id") => "42".to_string(), key!("map.A.ie") => "43".to_string(), ) ); } #[test] fn map_no_root() { let m = hashmap!( key!("A") => hashmap!( key!("id") => 42, key!("ie") => 43, ), ); let keys = to_pairs(&m).unwrap(); assert_eq!( keys, hashmap!( key!("A.id") => "42".to_string(), key!("A.ie") => "43".to_string(), ) ); } #[test] fn concrete_fails() { let i = 42; to_pairs(&i).unwrap_err(); } #[test] fn string_values() { let m = hashmap!( key!("A") => hashmap!( key!("id") => "apples", key!("ie") => "oranges", ), ); let keys = to_pairs(&m).unwrap(); assert_eq!( keys, hashmap!( key!("A.id") => "\"apples\"".to_string(), key!("A.ie") => "\"oranges\"".to_string(), ) ); } #[derive(Serialize)] #[serde(rename_all = "kebab-case")] enum TestEnum { Alpha, Beta, } #[test] fn enum_values() { let m = hashmap!( key!("A") => hashmap!( key!("id") => TestEnum::Alpha, key!("ie") => TestEnum::Beta, ), ); let keys = 
to_pairs(&m).unwrap(); assert_eq!( keys, hashmap!( key!("A.id") => "\"alpha\"".to_string(), key!("A.ie") => "\"beta\"".to_string(), ) ); } } ================================================ FILE: sources/api/migration/migration-helpers/Cargo.toml ================================================ [package] name = "migration-helpers" version = "0.1.0" authors = ["Tom Kirchner "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] bottlerocket-release.workspace = true datastore.workspace = true handlebars.workspace = true models.workspace = true regex.workspace = true serde.workspace = true serde_json.workspace = true shlex.workspace = true snafu.workspace = true tokio = { workspace = true, features = ["rt-multi-thread"] } [dev-dependencies] maplit.workspace = true ================================================ FILE: sources/api/migration/migration-helpers/src/args.rs ================================================ //! Helpers for parsing arguments common to migrations. use std::env; use std::process; use crate::{MigrationType, Result}; /// Stores user-supplied arguments. pub struct Args { pub source_datastore: String, pub target_datastore: String, pub migration_type: MigrationType, } /// Informs the user about proper usage of the program and exits. fn usage() -> ! { let program_name = env::args().next().unwrap_or_else(|| "program".to_string()); eprintln!( r"Usage: {program_name} --source-datastore PATH --target-datastore PATH ( --forward | --backward )" ); process::exit(2); } /// Prints a more specific message before exiting through usage(). fn usage_msg>(msg: S) -> ! { eprintln!("{}\n", msg.as_ref()); usage(); } /// Parses user arguments into an Args structure. 
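pub(crate) fn parse_args(args: env::Args) -> Result<Args> {
    let mut migration_type = None;
    let mut source_datastore = None;
    let mut target_datastore = None;

    // Skip argv[0]; everything after it must be one of the known flags.  Any unknown argument,
    // or a flag that is missing its value, exits through usage().  If a flag is repeated, the
    // last occurrence wins.
    let mut iter = args.skip(1);
    while let Some(arg) = iter.next() {
        match arg.as_str() {
            "--source-datastore" => {
                source_datastore = Some(iter.next().unwrap_or_else(|| {
                    usage_msg("Did not give argument to --source-datastore")
                }))
            }

            "--target-datastore" => {
                target_datastore = Some(iter.next().unwrap_or_else(|| {
                    usage_msg("Did not give argument to --target-datastore")
                }))
            }

            "--forward" => migration_type = Some(MigrationType::Forward),
            "--backward" => migration_type = Some(MigrationType::Backward),

            _ => usage(),
        }
    }

    // Resolve the two required paths before comparing them.  Comparing the raw Options would
    // treat "neither was given" as "both are the same" and print a misleading message.
    let source_datastore = source_datastore.unwrap_or_else(|| usage());
    let target_datastore = target_datastore.unwrap_or_else(|| usage());

    // In no other case should they be the same; we use it for compatibility checks.
    // NOTE(review): this is a textual comparison.  Two spellings of one location (relative vs.
    // absolute, a symlink, a trailing slash) are not detected here; confirm whether the caller
    // needs the paths canonicalized before relying on this check.
    if source_datastore == target_datastore {
        usage_msg("--source-datastore and --target-datastore cannot be the same");
    }

    Ok(Args {
        source_datastore,
        target_datastore,
        migration_type: migration_type.unwrap_or_else(|| usage()),
    })
}

================================================
FILE: sources/api/migration/migration-helpers/src/common_migrations.rs
================================================
use crate::{error, Migration, MigrationData, Result};
use regex::Regex;
use snafu::{OptionExt, ResultExt};

/// We use this migration when we add settings and want to make sure they're removed before we go
/// back to old versions that don't understand them.
pub struct AddSettingsMigration<'a>(pub &'a [&'static str]);

impl Migration for AddSettingsMigration<'_> {
    /// New versions must either have a default for the settings or generate them; we don't need to
    /// do anything.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!(
            "AddSettingsMigration({:?}) has no work to do on upgrade.",
            self.0
        );
        Ok(input)
    }

    /// Older versions don't know about the settings; we remove them so that old versions don't see
    /// them and fail deserialization.  (The settings must be defaulted or generated in new versions,
    /// and safe to remove.)
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        for setting in self.0 {
            if let Some(data) = input.data.remove(*setting) {
                // NOTE(review): the removed value is written to stdout.  If a setting handled
                // here can hold a secret, it ends up wherever migration output is collected;
                // confirm that destination is access-controlled.
                println!("Removed {setting}, which was set to '{data}'");
            } else {
                println!("Found no {setting} to remove");
            }
        }
        Ok(input)
    }
}

// =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=

/// We use this migration when we add a cluster of settings under known prefixes and want to make
/// sure they're removed before we go back to old versions that don't understand them.  Normally
/// you'd use AddSettingsMigration since you know the key names, but this is useful for
/// user-defined keys, for example in a map like settings.kernel.sysctl or
/// settings.host-containers.
///
/// Matching is a plain string `starts_with` on the whole key, not a comparison of dotted key
/// segments: a prefix of "settings.foo" also selects "settings.foobar.x".  Choose prefixes so
/// that they cannot be the leading part of an unrelated key.
pub struct AddPrefixesMigration(pub Vec<&'static str>);

impl Migration for AddPrefixesMigration {
    /// New versions must either have a default for the settings or generate them; we don't need to
    /// do anything.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!(
            "AddPrefixesMigration({:?}) has no work to do on upgrade.",
            self.0
        );
        Ok(input)
    }

    /// Older versions don't know about the settings; we remove them so that old versions don't see
    /// them and fail deserialization.  (The settings must be defaulted or generated in new versions,
    /// and safe to remove.)
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        // Collect the matching keys first; we can't remove from the map while iterating its keys.
        let settings = input
            .data
            .keys()
            .filter(|k| self.0.iter().any(|prefix| k.starts_with(prefix)))
            .cloned()
            .collect::<Vec<_>>();
        for setting in settings {
            if let Some(data) = input.data.remove(&setting) {
                // NOTE(review): these keys are user-defined and their values are printed; see
                // the same concern about secrets in migration output on AddSettingsMigration.
                println!("Removed {setting}, which was set to '{data}'");
            }
        }
        Ok(input)
    }
}

#[cfg(test)]
mod test_add_prefixes_migration {
    use super::AddPrefixesMigration;
    use crate::{Migration, MigrationData};
    use maplit::hashmap;
    use std::collections::HashMap;

    #[test]
    fn single() {
        let data = MigrationData {
            data: hashmap! {
                "keep.me.a".into() => 0.into(),
                "remove.me.b".into() => 0.into(),
                "keep.this.c".into() => 0.into(),
                "remove.me.d.e".into() => 0.into(),
            },
            metadata: HashMap::new(),
        };
        // Run backward, e.g. downgrade, to test that the right keys are removed
        let result = AddPrefixesMigration(vec!["remove.me"])
            .backward(data)
            .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "keep.me.a".into() => 0.into(),
                "keep.this.c".into() => 0.into(),
            }
        );
    }

    #[test]
    fn multiple() {
        let data = MigrationData {
            data: hashmap! {
                "keep.me.a".into() => 0.into(),
                "remove.me.b".into() => 0.into(),
                "keep.this.c".into() => 0.into(),
                "remove.this.d.e".into() => 0.into(),
            },
            metadata: HashMap::new(),
        };
        // Run backward, e.g. downgrade, to test that the right keys are removed
        let result = AddPrefixesMigration(vec!["remove.me", "remove.this"])
            .backward(data)
            .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "keep.me.a".into() => 0.into(),
                "keep.this.c".into() => 0.into(),
            }
        );
    }

    #[test]
    fn no_match() {
        let data = MigrationData {
            data: hashmap! {
                "keep.me.a".into() => 0.into(),
                "remove.me.b".into() => 0.into(),
                "keep.this.c".into() => 0.into(),
                "remove.this.d.e".into() => 0.into(),
            },
            metadata: HashMap::new(),
        };
        // Run backward, e.g. downgrade, to test that the right keys are removed
        let result = AddPrefixesMigration(vec!["not.found", "nor.this"])
            .backward(data)
            .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "keep.me.a".into() => 0.into(),
                "remove.me.b".into() => 0.into(),
                "keep.this.c".into() => 0.into(),
                "remove.this.d.e".into() => 0.into(),
            }
        );
    }
}

// =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=

/// One prefix/suffix pair for AddPrefixSuffixMigration.  A key is selected when it has the form
/// `<prefix>.<middle>.<suffix>` with a non-empty middle.
pub struct PrefixSuffix {
    pub prefix: &'static str,
    pub suffix: &'static str,
}

/// Removes, on downgrade, every key that starts with one of the given prefixes and ends with the
/// matching suffix.  Unlike AddPrefixesMigration, the dots around the middle part are required,
/// so "settings.host-containers" + "command" selects "settings.host-containers.admin.command"
/// but neither "settings.host-containers.command" nor "settings.host-containersadmincommand".
/// The middle part may itself contain dots.
pub struct AddPrefixSuffixMigration(pub Vec<PrefixSuffix>);

impl Migration for AddPrefixSuffixMigration {
    /// New versions must either have a default for the settings or generate them; we don't need to
    /// do anything.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!(
            "AddPrefixSuffixMigration({:?}) has no work to do on upgrade.",
            self.0
                .iter()
                .map(|ps| format!("{}*{}", ps.prefix, ps.suffix))
                .collect::<Vec<_>>()
        );
        Ok(input)
    }

    /// Older versions don't know about the settings; we remove them so that old versions don't see
    /// them and fail deserialization.
    ///
    /// Returns an `InvalidPrefixSuffixPattern` error if a pair does not compile to a regex.
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        let mut compiled_patterns = Vec::new();
        for pattern in &self.0 {
            // Both halves are escaped, so dots and any other metacharacters in the prefix and
            // suffix match literally; only the middle `(.+)` is a wildcard.  The pattern is
            // anchored at both ends so it must cover the whole key.
            let regex_pattern = format!(
                r"^{}\.(.+)\.{}$",
                regex::escape(pattern.prefix),
                regex::escape(pattern.suffix)
            );
            let regex =
                Regex::new(&regex_pattern).context(error::InvalidPrefixSuffixPatternSnafu {
                    prefix: pattern.prefix,
                    suffix: pattern.suffix,
                })?;
            compiled_patterns.push(regex);
        }

        // Collect the matching keys first; we can't remove from the map while iterating its keys.
        let settings = input
            .data
            .keys()
            .filter(|k| compiled_patterns.iter().any(|regex| regex.is_match(k)))
            .cloned()
            .collect::<Vec<_>>();

        for setting in settings {
            if let Some(data) = input.data.remove(&setting) {
                // NOTE(review): the removed value is printed; see the concern about secrets in
                // migration output on AddSettingsMigration.
                println!("Removed {setting}, which was set to '{data}'");
            }
        }
        Ok(input)
    }
}

#[cfg(test)]
mod test_add_prefix_suffix_migration {
    use super::{AddPrefixSuffixMigration, PrefixSuffix};
    use crate::{Migration, MigrationData};
    use maplit::hashmap;
    use std::collections::HashMap;

    #[test]
    fn single_entry() {
        let data = MigrationData {
            data: hashmap! {
                "keep.stuff.like.this".into() => 0.into(),
                "remove.stuff.like.this".into() => 0.into(),
                "keep.this.too".into() => 0.into(),
                "remove.also.like.this".into() => 0.into(),
            },
            metadata: HashMap::new(),
        };
        let result = AddPrefixSuffixMigration(vec![PrefixSuffix {
            prefix: "remove",
            suffix: "this",
        }])
        .backward(data)
        .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "keep.stuff.like.this".into() => 0.into(),
                "keep.this.too".into() => 0.into(),
            }
        );
    }

    #[test]
    fn compound_suffix() {
        let data = MigrationData {
            data: hashmap! {
                "keep.stuff.like.this".into() => 0.into(),
                "remove.stuff.like.this".into() => 0.into(),
                "keep.this.too".into() => 0.into(),
                "remove.not.this".into() => 0.into(),
            },
            metadata: HashMap::new(),
        };
        let result = AddPrefixSuffixMigration(vec![PrefixSuffix {
            prefix: "remove",
            suffix: "like.this",
        }])
        .backward(data)
        .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "keep.stuff.like.this".into() => 0.into(),
                "keep.this.too".into() => 0.into(),
                "remove.not.this".into() => 0.into(),
            }
        );
    }

    #[test]
    fn multiple_entries() {
        let data = MigrationData {
            data: hashmap! {
                "keep.stuff.like.this".into() => 0.into(),
                "remove.stuff.like.this".into() => 0.into(),
                "keep.this.too".into() => 0.into(),
                "remove.also.this".into() => 0.into(),
                "delete.something.here".into() => 0.into(),
            },
            metadata: HashMap::new(),
        };
        let result = AddPrefixSuffixMigration(vec![
            PrefixSuffix {
                prefix: "remove",
                suffix: "this",
            },
            PrefixSuffix {
                prefix: "delete",
                suffix: "here",
            },
        ])
        .backward(data)
        .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "keep.stuff.like.this".into() => 0.into(),
                "keep.this.too".into() => 0.into(),
            }
        );
    }

    #[test]
    fn no_match() {
        let data = MigrationData {
            data: hashmap! {
                "keep.stuff.like.this".into() => 0.into(),
                "keep.this.too".into() => 0.into(),
                "other.setting.here".into() => 0.into(),
            },
            metadata: HashMap::new(),
        };
        let result = AddPrefixSuffixMigration(vec![PrefixSuffix {
            prefix: "remove.",
            suffix: ".this",
        }])
        .backward(data)
        .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "keep.stuff.like.this".into() => 0.into(),
                "keep.this.too".into() => 0.into(),
                "other.setting.here".into() => 0.into(),
            }
        );
    }

    #[test]
    fn tight_matching() {
        let data = MigrationData {
            data: hashmap! {
                "settings.host-containers.admin.command".into() => 0.into(),
                "settings.host-containers.command".into() => 0.into(), // No middle segment
                "settings.host-containersadmincommand".into() => 0.into(), // No dots
                "keep.this".into() => 0.into(),
            },
            metadata: HashMap::new(),
        };
        let result = AddPrefixSuffixMigration(vec![PrefixSuffix {
            prefix: "settings.host-containers",
            suffix: "command",
        }])
        .backward(data)
        .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "settings.host-containers.command".into() => 0.into(),
                "settings.host-containersadmincommand".into() => 0.into(),
                "keep.this".into() => 0.into(),
            }
        );
    }
}

// =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=

/// We use this migration when we remove settings from the model, so the new version doesn't see
/// them and error.
pub struct RemoveSettingsMigration<'a>(pub &'a [&'static str]);

impl Migration for RemoveSettingsMigration<'_> {
    /// Newer versions don't know about the settings; we remove them so that new versions don't see
    /// them and fail deserialization.  (The settings must be defaulted or generated in old versions,
    /// and safe to remove.)
    fn forward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        for setting in self.0 {
            if let Some(data) = input.data.remove(*setting) {
                // NOTE(review): the removed value is printed; see the concern about secrets in
                // migration output on AddSettingsMigration.
                println!("Removed {setting}, which was set to '{data}'");
            } else {
                println!("Found no {setting} to remove");
            }
        }
        Ok(input)
    }

    /// Old versions must either have a default for the settings or generate it; we don't need to
    /// do anything.
    fn backward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!(
            "RemoveSettingsMigration({:?}) has no work to do on downgrade.",
            self.0
        );
        Ok(input)
    }
}

// =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=

/// We use this migration when we replace a setting's old string value with a new string value.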
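pub struct ReplaceStringMigration {
    pub setting: &'static str,
    pub old_val: &'static str,
    pub new_val: &'static str,
}

impl ReplaceStringMigration {
    /// Shared body of forward() and backward(): if `self.setting` currently holds exactly the
    /// string `from`, overwrite it with `to`.  Anything else (a different string, a non-string
    /// value, or a missing setting) is reported and left untouched.  `direction` is only used in
    /// the log messages ("upgrade" or "downgrade").
    fn swap_value(
        &self,
        mut input: MigrationData,
        from: &str,
        to: &str,
        direction: &str,
    ) -> MigrationData {
        match input.data.get_mut(self.setting) {
            Some(serde_json::Value::String(current)) => {
                if current == from {
                    // Reuses the existing String's allocation instead of building a new value.
                    to.clone_into(current);
                    println!(
                        "Changed value of '{}' from '{}' to '{}' on {}",
                        self.setting, from, to, direction
                    );
                } else {
                    println!("'{}' is not set to '{}', leaving alone", self.setting, from);
                }
            }
            Some(other) => {
                // NOTE(review): the current value is printed here; if this setting can hold
                // sensitive data, confirm where migration output is collected.
                println!(
                    "'{}' is set to non-string value '{}'; ReplaceStringMigration only handles strings",
                    self.setting, other
                );
            }
            None => {
                println!("Found no '{}' to change on {}", self.setting, direction);
            }
        }
        input
    }
}

impl Migration for ReplaceStringMigration {
    /// On upgrade, replace `old_val` with `new_val` if the setting is exactly `old_val`.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        Ok(self.swap_value(input, self.old_val, self.new_val, "upgrade"))
    }

    /// On downgrade, replace `new_val` with `old_val` if the setting is exactly `new_val`.
    fn backward(&mut self, input: MigrationData) -> Result<MigrationData> {
        Ok(self.swap_value(input, self.new_val, self.old_val, "downgrade"))
    }
}

// =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=

/// We use this migration when we need to replace settings that contain lists of string values;
/// for example, when a release changes the list of configuration-files associated with a service.
// String is the only type we use today, and handling multiple value types is more complicated than
// we need at the moment.  Allowing &[serde_json::Value] seems nice, but it would allow arbitrary
// data transformations that the API model would then fail to load.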
pub struct ListReplacement { pub setting: &'static str, pub old_vals: &'static [&'static str], pub new_vals: &'static [&'static str], } pub struct ReplaceListsMigration(pub Vec); impl Migration for ReplaceListsMigration { fn forward(&mut self, mut input: MigrationData) -> Result { for replacement in &self.0 { if let Some(data) = input.data.get_mut(replacement.setting) { match data { serde_json::Value::Array(data) => { // We only handle string lists; convert each value to a str we can compare. let list: Vec<&str> = data .iter() .map(|v| v.as_str()) .collect::>>() .with_context(|| error::ReplaceListContentsSnafu { setting: replacement.setting, data: data.clone(), })?; if list == replacement.old_vals { // Convert back to the original type so we can store it. *data = replacement.new_vals.iter().map(|s| (*s).into()).collect(); println!( "Changed value of '{}' from {:?} to {:?} on upgrade", replacement.setting, replacement.old_vals, replacement.new_vals ); } else { println!( "'{}' is not set to {:?}, leaving alone", replacement.setting, list ); } } _ => { println!( "'{}' is set to non-list value '{}'; ReplaceListsMigration only handles lists", replacement.setting, data ); } } } else { println!("Found no '{}' to change on upgrade", replacement.setting); } } Ok(input) } fn backward(&mut self, mut input: MigrationData) -> Result { for replacement in &self.0 { if let Some(data) = input.data.get_mut(replacement.setting) { match data { serde_json::Value::Array(data) => { // We only handle string lists; convert each value to a str we can compare. let list: Vec<&str> = data .iter() .map(|v| v.as_str()) .collect::>>() .with_context(|| error::ReplaceListContentsSnafu { setting: replacement.setting, data: data.clone(), })?; if list == replacement.new_vals { // Convert back to the original type so we can store it. 
*data = replacement.old_vals.iter().map(|s| (*s).into()).collect(); println!( "Changed value of '{}' from {:?} to {:?} on downgrade", replacement.setting, replacement.new_vals, replacement.old_vals ); } else { println!( "'{}' is not set to {:?}, leaving alone", replacement.setting, list ); } } _ => { println!( "'{}' is set to non-list value '{}'; ReplaceListsMigration only handles lists", replacement.setting, data ); } } } else { println!("Found no '{}' to change on downgrade", replacement.setting); } } Ok(input) } } #[cfg(test)] mod test_replace_list { use super::{ListReplacement, ReplaceListsMigration}; use crate::{Migration, MigrationData}; use maplit::hashmap; use std::collections::HashMap; #[test] fn single() { let data = MigrationData { data: hashmap! { "hi".into() => vec!["there"].into(), }, metadata: HashMap::new(), }; let result = ReplaceListsMigration(vec![ListReplacement { setting: "hi", old_vals: &["there"], new_vals: &["sup"], }]) .forward(data) .unwrap(); assert_eq!( result.data, hashmap! { "hi".into() => vec!["sup"].into(), } ); } #[test] fn backward() { let data = MigrationData { data: hashmap! { "hi".into() => vec!["there"].into(), }, metadata: HashMap::new(), }; let result = ReplaceListsMigration(vec![ListReplacement { setting: "hi", old_vals: &["sup"], new_vals: &["there"], }]) .backward(data) .unwrap(); assert_eq!( result.data, hashmap! { "hi".into() => vec!["sup"].into(), } ); } #[test] fn multiple() { let data = MigrationData { data: hashmap! { "hi".into() => vec!["there", "you"].into(), "hi2".into() => vec!["hey", "listen"].into(), "ignored".into() => vec!["no", "change"].into(), }, metadata: HashMap::new(), }; let result = ReplaceListsMigration(vec![ ListReplacement { setting: "hi", old_vals: &["there", "you"], new_vals: &["sup", "hey"], }, ListReplacement { setting: "hi2", old_vals: &["hey", "listen"], new_vals: &["look", "watch out"], }, ]) .forward(data) .unwrap(); assert_eq!( result.data, hashmap! 
{ "hi".into() => vec!["sup", "hey"].into(), "hi2".into() => vec!["look", "watch out"].into(), "ignored".into() => vec!["no", "change"].into(), } ); } #[test] fn no_match() { let data = MigrationData { data: hashmap! { "hi".into() => vec!["no", "change"].into(), "hi2".into() => vec!["no", "change"].into(), }, metadata: HashMap::new(), }; let result = ReplaceListsMigration(vec![ListReplacement { setting: "hi", old_vals: &["there"], new_vals: &["sup", "hey"], }]) .forward(data) .unwrap(); // No change assert_eq!( result.data, hashmap! { "hi".into() => vec!["no", "change"].into(), "hi2".into() => vec!["no", "change"].into(), } ); } #[test] fn not_list() { let data = MigrationData { data: hashmap! { "hi".into() => "just a string, not a list".into(), }, metadata: HashMap::new(), }; let result = ReplaceListsMigration(vec![ListReplacement { setting: "hi", old_vals: &["there"], new_vals: &["sup", "hey"], }]) .forward(data) .unwrap(); // No change assert_eq!( result.data, hashmap! { "hi".into() => "just a string, not a list".into(), } ); } #[test] fn not_string() { let data = MigrationData { data: hashmap! { "hi".into() => vec![0].into(), }, metadata: HashMap::new(), }; ReplaceListsMigration(vec![ListReplacement { setting: "hi", old_vals: &["there"], new_vals: &["sup", "hey"], }]) .forward(data) .unwrap_err(); } } // =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= /// When we add conditional migrations that can only run for specific variants, we need to run this /// migration helper for cases where the migration does NOT apply so migrator will still create a valid /// intermediary datastore that the host can transition to. 
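#[derive(Debug)]
pub struct NoOpMigration;

impl Migration for NoOpMigration {
    /// No work to do on forward migrations, copy the same datastore
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!("NoOpMigration has no work to do on upgrade.",);
        Ok(input)
    }

    /// No work to do on backward migrations, copy the same datastore
    fn backward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!("NoOpMigration has no work to do on downgrade.",);
        Ok(input)
    }
}

// =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=

/// We use this migration when we add new values to a list setting that older versions don't
/// understand.  On downgrade, we filter the list to only include values the old version accepts.
pub struct ListRestriction {
    /// Name of the data key holding the list.
    pub setting: &'static str,
    /// Values the older version accepts; every other value is dropped on downgrade.
    pub allowed_vals: &'static [&'static str],
}

/// Applies each `ListRestriction` in order on downgrade; does nothing on upgrade.
pub struct RestrictListsMigration(pub Vec<ListRestriction>);

impl Migration for RestrictListsMigration {
    /// New versions can handle all values; no work needed on upgrade.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!(
            "RestrictListsMigration({:?}) has no work to do on upgrade.",
            self.0.iter().map(|r| r.setting).collect::<Vec<_>>()
        );
        Ok(input)
    }

    /// Older versions only understand certain values; remove any values not in the allowed list.
    ///
    /// Behaviour per restriction:
    /// * setting absent: logged, data untouched (the key may simply not be part of this
    ///   pending transaction);
    /// * setting is not a list: logged, data untouched;
    /// * list contains a non-string item: the whole migration fails with
    ///   `ReplaceListContents` instead of silently dropping the item;
    /// * otherwise the list keeps only values found in `allowed_vals`, in their original order.
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        for restriction in &self.0 {
            if let Some(data) = input.data.get_mut(restriction.setting) {
                match data {
                    serde_json::Value::Array(data) => {
                        // We only handle string lists; `collect` into Option yields None as soon
                        // as one item is not a string, which becomes the error below.
                        let list: Vec<&str> = data
                            .iter()
                            .map(|v| v.as_str())
                            .collect::<Option<Vec<&str>>>()
                            .with_context(|| error::ReplaceListContentsSnafu {
                                setting: restriction.setting,
                                data: data.clone(),
                            })?;

                        let filtered: Vec<&str> = list
                            .into_iter()
                            .filter(|val| restriction.allowed_vals.contains(val))
                            .collect();

                        // Filtering only ever removes items, so a length change is enough to
                        // know whether anything was dropped.
                        // NOTE(review): the result can be an empty list when no value is
                        // allowed; confirm the older version accepts that for each setting.
                        if filtered.len() != data.len() {
                            let new_data: Vec<serde_json::Value> =
                                filtered.iter().map(|s| (*s).into()).collect();
                            println!(
                                "Filtered '{}' to allowed values {:?} on downgrade",
                                restriction.setting, filtered
                            );
                            *data = new_data;
                        } else {
                            println!(
                                "'{}' already contains only allowed values, leaving alone",
                                restriction.setting
                            );
                        }
                    }
                    _ => {
                        // NOTE(review): this prints the raw setting value to stdout; confirm no
                        // secret-bearing setting is ever listed in a restriction.
                        println!(
                            "'{}' is set to non-list value '{}'; RestrictListsMigration only handles lists",
                            restriction.setting, data
                        );
                    }
                }
            } else {
                println!("Found no '{}' to filter on downgrade", restriction.setting);
            }
        }
        Ok(input)
    }
}

#[cfg(test)]
mod test_restrict_lists {
    use super::{ListRestriction, RestrictListsMigration};
    use crate::{Migration, MigrationData};
    use maplit::hashmap;
    use std::collections::HashMap;

    #[test]
    fn filter_values() {
        let data = MigrationData {
            data: hashmap! {
                "setting".into() => vec!["old1", "old2", "new1", "new2"].into(),
            },
            metadata: HashMap::new(),
        };
        let result = RestrictListsMigration(vec![ListRestriction {
            setting: "setting",
            allowed_vals: &["old1", "old2"],
        }])
        .backward(data)
        .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "setting".into() => vec!["old1", "old2"].into(),
            }
        );
    }

    #[test]
    fn no_filtering_needed() {
        let data = MigrationData {
            data: hashmap! {
                "setting".into() => vec!["old1", "old2"].into(),
            },
            metadata: HashMap::new(),
        };
        let result = RestrictListsMigration(vec![ListRestriction {
            setting: "setting",
            allowed_vals: &["old1", "old2", "new1"],
        }])
        .backward(data)
        .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "setting".into() => vec!["old1", "old2"].into(),
            }
        );
    }

    #[test]
    fn forward_no_change() {
        let data = MigrationData {
            data: hashmap! {
                "setting".into() => vec!["old1", "new1", "new2"].into(),
            },
            metadata: HashMap::new(),
        };
        let result = RestrictListsMigration(vec![ListRestriction {
            setting: "setting",
            allowed_vals: &["old1"],
        }])
        .forward(data)
        .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "setting".into() => vec!["old1", "new1", "new2"].into(),
            }
        );
    }

    #[test]
    fn multiple_restrictions() {
        let data = MigrationData {
            data: hashmap! {
                "setting1".into() => vec!["a", "b", "c"].into(),
                "setting2".into() => vec!["x", "y", "z"].into(),
            },
            metadata: HashMap::new(),
        };
        let result = RestrictListsMigration(vec![
            ListRestriction {
                setting: "setting1",
                allowed_vals: &["a", "b"],
            },
            ListRestriction {
                setting: "setting2",
                allowed_vals: &["x"],
            },
        ])
        .backward(data)
        .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "setting1".into() => vec!["a", "b"].into(),
                "setting2".into() => vec!["x"].into(),
            }
        );
    }

    #[test]
    fn not_list() {
        let data = MigrationData {
            data: hashmap! {
                "setting".into() => "not a list".into(),
            },
            metadata: HashMap::new(),
        };
        let result = RestrictListsMigration(vec![ListRestriction {
            setting: "setting",
            allowed_vals: &["old1"],
        }])
        .backward(data)
        .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "setting".into() => "not a list".into(),
            }
        );
    }

    // A list with a non-string item must make the downgrade fail rather than be filtered.
    #[test]
    fn not_string() {
        let data = MigrationData {
            data: hashmap! {
                "setting".into() => vec![0].into(),
            },
            metadata: HashMap::new(),
        };
        RestrictListsMigration(vec![ListRestriction {
            setting: "setting",
            allowed_vals: &["old1"],
        }])
        .backward(data)
        .unwrap_err();
    }
}

// =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=

/// We use this migration to remove a setting string if it matches the old value.
/// We will need this migration once to adapt the concept of Strength on settings.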
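pub struct RemoveMatchingString {
    /// Name of the data key to inspect.
    pub setting: &'static str,
    /// The key is removed only when its current string value equals this.
    pub old_val: &'static str,
}

impl Migration for RemoveMatchingString {
    /// Removes `setting` when it is a string equal to `old_val`.
    ///
    /// Any other state (key absent, different string, non-string value) is logged and left
    /// unchanged.  The log lines name `RemoveMatchingString`; they previously named
    /// `RemoveOldData`, which is not the type that emits them.
    fn forward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        if let Some(data) = input.data.get_mut(self.setting) {
            match data {
                serde_json::Value::String(data) => {
                    if data == self.old_val {
                        input.data.remove(self.setting);
                    } else {
                        println!(
                            "'{}' is not set to '{}', leaving alone",
                            self.setting, self.old_val
                        );
                    }
                }
                _ => {
                    // NOTE(review): this prints the raw setting value to stdout; confirm the
                    // setting handled here never carries a secret.
                    println!(
                        "'{}' is set to non-string value '{}'; RemoveMatchingString expects a string setting value",
                        self.setting, data
                    );
                }
            }
        } else {
            println!("Found no '{}' to change on upgrade", self.setting);
        }
        Ok(input)
    }

    /// The removed value is not restored on downgrade; the data passes through unchanged.
    fn backward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!("RemoveMatchingString has no work to do on downgrade.",);
        Ok(input)
    }
}

================================================
FILE: sources/api/migration/migration-helpers/src/datastore_helper.rs
================================================
//! This module contains the functions that interact with the data store, retrieving data to
//! migrate and writing back migrated data.

use bottlerocket_release::BottlerocketRelease;
use snafu::ResultExt;
use std::collections::HashMap;

use crate::{error, MigrationData, Result};
use datastore::{
    deserialize_scalar, serialization::to_pairs_with_prefix, serialize_scalar, Committed,
    DataStore, Key, KeyType,
};

// To get input data from the existing data store, we use datastore methods, because we assume
// breaking changes in the basic data store API would be a major-version migration of the data
// store, and that would be handled separately.  This method is private to the crate, so we can
// reconsider as needed.
/// Retrieves data from the specified data store in a consistent format for easy modification.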
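///
/// Returns every data key of the given committed state (stored under its plain name), plus the
/// running release's `os.*` values.  The `os.*` pairs are inserted after the stored keys, so on
/// a name collision the release value replaces the stored one.  Metadata is returned only for
/// `Committed::Live`; for a pending transaction the metadata map is empty.
pub(crate) fn get_input_data<D: DataStore>(
    datastore: &D,
    committed: &Committed,
) -> Result<MigrationData> {
    let raw_data = datastore
        .get_prefix("", committed)
        .with_context(|_| error::GetDataSnafu {
            committed: committed.clone(),
        })?;

    let mut data = HashMap::new();
    for (data_key, value_str) in raw_data.into_iter() {
        // Store keys with just their name, rather than the full Key, so that migrations are easier
        // to write, and we don't tie migrations to any specific data store version.  Migrations
        // shouldn't need to link against data store code.
        let key_name = data_key.name();

        // Deserialize values to Value so there's a consistent input type.  (We can't specify item
        // types because we'd have to know the model structure.)
        let value =
            deserialize_scalar(&value_str).context(error::DeserializeSnafu { input: value_str })?;
        data.insert(key_name.clone(), value);
    }

    // We also want to make "os.*" values, like variant and arch, available to migrations.
    // NOTE(review): this runs for pending transactions too, and set_output_data writes every
    // entry of the migrated data, so these keys end up in each committed state it is called
    // for unless the migration removes them; confirm that is intended.
    let release = BottlerocketRelease::new().context(error::BottlerocketReleaseSnafu)?;
    let os_pairs = to_pairs_with_prefix("os", &release).context(error::SerializeReleaseSnafu)?;
    for (data_key, value_str) in os_pairs.into_iter() {
        let value =
            deserialize_scalar(&value_str).context(error::DeserializeSnafu { input: value_str })?;
        data.insert(data_key.name().clone(), value);
    }

    // Metadata isn't committed, it goes live immediately, so we only populate the metadata
    // output for Committed::Live.
    let mut metadata = HashMap::new();
    if let Committed::Live = committed {
        let raw_metadata = datastore
            .get_metadata_prefix("", committed, &None as &Option<&str>)
            .context(error::GetMetadataSnafu)?;
        for (data_key, meta_map) in raw_metadata.into_iter() {
            // See notes above about storing key Strings and Values.
            let data_key_name = data_key.name();
            let data_entry = metadata
                .entry(data_key_name.clone())
                .or_insert_with(HashMap::new);
            for (metadata_key, value_str) in meta_map.into_iter() {
                let metadata_key_name = metadata_key.name();
                let value = deserialize_scalar(&value_str)
                    .context(error::DeserializeSnafu { input: value_str })?;
                data_entry.insert(metadata_key_name.clone(), value);
            }
        }
    }

    Ok(MigrationData { data, metadata })
}

// Similar to get_input_data, we use datastore methods here; please read the comment on
// get_input_data.  This method is also private to the crate, so we can reconsider as needed.
/// Updates the given data store with the given (migrated) data.
///
/// Every key name coming back from a migration is re-validated through `Key::new`, so a
/// migration that produces a malformed data or metadata key fails with `InvalidKey` before
/// that key is written.  Data keys are written in one `set_keys` call; metadata is written one
/// entry at a time afterwards, so a failure in the metadata loop leaves the data keys already
/// written.
///
/// NOTE(review): this function only sets keys.  A key that a migration removed from
/// `input.data` is not deleted from `datastore` here; presumably the target starts without
/// it - confirm against how the caller prepares the target data store.
pub(crate) fn set_output_data<D: DataStore>(
    datastore: &mut D,
    input: &MigrationData,
    committed: &Committed,
) -> Result<()> {
    // Prepare serialized data
    let mut data = HashMap::new();
    for (data_key_name, raw_value) in &input.data {
        // See notes above about storing key Strings and Values.
        let data_key = Key::new(KeyType::Data, data_key_name).context(error::InvalidKeySnafu {
            key_type: KeyType::Data,
            key: data_key_name,
        })?;
        let value = serialize_scalar(raw_value).context(error::SerializeSnafu)?;
        data.insert(data_key, value);
    }

    // This is one of the rare cases where we want to set keys directly in the datastore:
    // * We're operating on a temporary copy of the datastore, so no concurrency issues
    // * We're either about to reboot or just have, and the settings applier will run afterward
    datastore
        .set_keys(&data, committed)
        .context(error::DataStoreWriteSnafu)?;

    // Set metadata in a loop (currently no batch API)
    for (data_key_name, meta_map) in &input.metadata {
        let data_key = Key::new(KeyType::Data, data_key_name).context(error::InvalidKeySnafu {
            key_type: KeyType::Data,
            key: data_key_name,
        })?;
        for (metadata_key_name, raw_value) in meta_map.iter() {
            let metadata_key =
                Key::new(KeyType::Meta, metadata_key_name).context(error::InvalidKeySnafu {
                    key_type: KeyType::Meta,
                    key: metadata_key_name,
                })?;
            let value = serialize_scalar(&raw_value).context(error::SerializeSnafu)?;
            datastore
                .set_metadata(&metadata_key, &data_key, value, committed)
                .context(error::DataStoreWriteSnafu)?;
        }
    }

    Ok(())
}

================================================
FILE: sources/api/migration/migration-helpers/src/error.rs
================================================
//! Contains the Error and Result types used by the migration helper functions and migrations.

use snafu::Snafu;
use std::path::PathBuf;

/// Error contains the errors that can happen in the migration helper functions and in migrations.
///
/// Several variants embed stored values in their display text (`Deserialize` prints the raw
/// serialized input, `ReplaceListContents` and `ReplaceMetadataListContents` print the list
/// contents), so wherever these errors are logged the setting values are logged with them.
#[derive(Debug, Snafu)]
#[snafu(visibility(pub))]
pub enum Error {
    #[snafu(display("Unable to get system release data: {}", source))]
    BottlerocketRelease { source: bottlerocket_release::Error },

    #[snafu(display("Unable to get {:?} data for migration: {}", committed, source))]
    GetData {
        committed: datastore::Committed,
        #[snafu(source(from(datastore::Error, Box::new)))]
        source: Box<datastore::Error>,
    },

    #[snafu(display("Unable to get metadata for migration: {}", source))]
    GetMetadata {
        #[snafu(source(from(datastore::Error, Box::new)))]
        source: Box<datastore::Error>,
    },

    #[snafu(display("Unable to deserialize to Value from '{}': {}", input, source))]
    Deserialize {
        input: String,
        source: datastore::ScalarError,
    },

    #[snafu(display("Unable to serialize Value: {}", source))]
    Serialize { source: datastore::ScalarError },

    #[snafu(display("Unable to serialize datastore for rendering templates: {}", source))]
    SerializeTemplateData { source: serde_json::Error },

    #[snafu(display("Unable to serialize release data: {}", source))]
    SerializeRelease {
        source: datastore::serialization::Error,
    },

    #[snafu(display("Unable to write to data store: {}", source))]
    DataStoreWrite {
        #[snafu(source(from(datastore::Error, Box::new)))]
        source: Box<datastore::Error>,
    },

    #[snafu(display("Unable to remove key '{}' from data store: {}", key, source))]
    DataStoreRemove {
        key: String,
        #[snafu(source(from(datastore::Error, Box::new)))]
        source: Box<datastore::Error>,
    },

    #[snafu(display("Migrated data failed validation: {}", msg))]
    Validation { msg: String },

    // Generic error variant for migration authors
    #[snafu(display("Migration returned error: {}", msg))]
    Migration { msg: String },

    // More specific error variants for migration authors to handle common cases
    #[snafu(display("Migration requires missing key: {}", key))]
    MissingData { key: String },

    #[snafu(display("Migration used invalid {:?} key '{}': {}", key_type, key, source))]
    InvalidKey {
        key_type: datastore::KeyType,
        key: String,
        #[snafu(source(from(datastore::Error, Box::new)))]
        source: Box<datastore::Error>,
    },

    #[snafu(display(
        "Invalid regex pattern for prefix '{}' and suffix '{}': {}",
        prefix,
        suffix,
        source
    ))]
    InvalidPrefixSuffixPattern {
        prefix: String,
        suffix: String,
        source: regex::Error,
    },

    #[snafu(display("Unable to list transactions in data store: {}", source))]
    ListTransactions {
        #[snafu(source(from(datastore::Error, Box::new)))]
        source: Box<datastore::Error>,
    },

    #[snafu(display("'{}' is set to non-string value", setting))]
    NonStringSettingDataType { setting: String },

    #[snafu(display("Unable to deserialize datastore data: {}", source))]
    DeserializeDatastore {
        source: datastore::deserialization::Error,
    },

    #[snafu(display("Unable to create new key: {}", source))]
    NewKey { source: datastore::error::Error },

    #[snafu(display("Setting '{}' contains non-string item: {:?}", setting, data))]
    ReplaceListContents {
        setting: String,
        data: Vec<serde_json::Value>,
    },

    #[snafu(display(
        "Metadata '{}' for setting '{}' contains non-string item: {:?}",
        metadata,
        setting,
        data
    ))]
    ReplaceMetadataListContents {
        setting: String,
        metadata: String,
        data: Vec<serde_json::Value>,
    },

    #[snafu(display("Failed to delete file '{}': '{}'", path.display(), source))]
    RemoveFile {
        path: PathBuf,
        source: std::io::Error,
    },

    #[snafu(display("Failed to create async runtime: {}", source))]
    CreateTokioRuntime { source: std::io::Error },

    #[snafu(display(
        "Error in deserializing response value to SettingsGenerator: {}",
        source
    ))]
    DeserializeSettingsGenerator { source: serde_json::Error },

    #[snafu(display("Setting data '{}' must be either a string or a list", data))]
    InvalidSettingType { data: String },
}

/// Result alias containing our Error type.
pub type Result<T> = std::result::Result<T, Error>;

================================================
FILE: sources/api/migration/migration-helpers/src/lib.rs
================================================
//! This module aims to make it as easy as possible to migrate a data store between minor
//! versions.  Migration authors just implement one trait, and can then use helper methods to take
//! care of everything else in their main function.
//!
//! Note that you must still name your migration binary according to spec for it to be handled
//! properly by the migration runner.

// Note that migrations must be run serially; technically, this is because the data store isn't
// locked, and also because migration authors are given an interface for ordering via migration
// name, and running in parallel would violate that.

mod args;
pub mod common_migrations;
mod datastore_helper;
pub mod error;

use snafu::ResultExt;
use std::collections::HashMap;
use std::env;
use std::fmt;

use datastore::{Committed, Value};
pub use datastore::{DataStore, FilesystemDataStore};

use args::{parse_args, Args};
use datastore_helper::{get_input_data, set_output_data};
pub use error::Result;

/// The data store implementation currently in use.  Used by the simpler `migrate` interface; can
/// be overridden by using the `run_migration` interface.
type DataStoreImplementation = FilesystemDataStore;

/// Migrations must implement this trait, and can then use the migrate method to let this module
/// do the rest of the work.
///
/// Migrations must implement forward and backward methods so changes can be rolled back as
/// necessary.
///
/// Migrations must not assume any key will exist because they're run on pending data as well as
/// live, and pending transactions usually do not impact all keys.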
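/// For the same reason, migrations
/// must not add a key in all cases if it's missing, because you could be adding the key to an
/// unrelated pending transaction.  Instead, make sure you're adding a key to an existing
/// structure.
pub trait Migration {
    /// Migrates data forward from the prior version to the version specified in the migration
    /// name.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData>;

    /// Migrates data backward from the version specified in the migration name to the prior
    /// version.
    fn backward(&mut self, input: MigrationData) -> Result<MigrationData>;
}

/// Mapping of metadata key name to arbitrary value.  Each data key can have a Metadata describing
/// its metadata keys.
pub type Metadata = HashMap<String, Value>;

/// MigrationData holds all data that can be migrated in a migration, and serves as the input and
/// output format of migrations.  A serde Value type is used to hold the arbitrary data of each
/// key because we can't represent types when they could change in the migration.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct MigrationData {
    /// Mapping of data key names to their arbitrary values.
    pub data: HashMap<String, Value>,
    /// Mapping of data key names to their metadata.
    pub metadata: HashMap<String, Metadata>,
}

/// Returns the default settings for a given path so you can easily replace a given section of the
/// datastore with new defaults.  For example, you could request "settings" to get all new default
/// settings, or "settings.serviceX.subsection" to scope it down.
///
/// # Panics
///
/// Always panics: the body is `unimplemented!()`.  A migration that calls this aborts instead
/// of returning an `Err`.
pub fn defaults_for<S: AsRef<str>>(_path: S) -> Result<Value> {
    unimplemented!()
}

/// Ensures we can use the migrated data in the new data store.  Can use this result to stop the
/// migration process before saving any data.
///
/// Currently performs no checks and always returns `Ok(())`, so whatever a migration returns is
/// passed on to `set_output_data`; the only check applied there is key-name validation.
fn validate_migrated_data(_migrated: &MigrationData) -> Result<()> {
    // No validations yet.
    // You can check the migrated data and throw error::Validation if anything seems wrong.
    Ok(())
}

/// If you need a little more control over a migration than with migrate, or you're using this
/// module as a library, you can call run_migration directly with the arguments that would
/// normally be parsed from the migration binary's command line.
///
/// The migration runs once for the live data and once for each pending transaction listed in
/// the source data store.  Results are written to the target as each state completes, so an
/// error part-way through leaves the earlier states already written to the target.
pub fn run_migration(mut migration: impl Migration, args: &Args) -> Result<()> {
    let source = DataStoreImplementation::new(&args.source_datastore);
    let mut target = DataStoreImplementation::new(&args.target_datastore);

    // Run for live data and for each pending transaction
    let mut committeds = vec![Committed::Live];
    let transactions = source
        .list_transactions()
        .context(error::ListTransactionsSnafu)?;
    committeds.extend(transactions.into_iter().map(|tx| Committed::Pending { tx }));

    for committed in committeds {
        let input = get_input_data(&source, &committed)?;

        // The input is not needed after the migration, so hand it over instead of cloning it.
        let migrated = match args.migration_type {
            MigrationType::Forward => migration.forward(input),
            MigrationType::Backward => migration.backward(input),
        }?;

        validate_migrated_data(&migrated)?;

        set_output_data(&mut target, &migrated, &committed)?;
    }
    Ok(())
}

/// Represents the type of migration, so we know which Migration trait method to call.
#[derive(Debug, Copy, Clone)]
pub enum MigrationType {
    /// Call `Migration::forward`.
    Forward,
    /// Call `Migration::backward`.
    Backward,
}

impl fmt::Display for MigrationType {
    /// Writes the lowercase name of the variant: "forward" or "backward".
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            MigrationType::Forward => write!(f, "forward"),
            MigrationType::Backward => write!(f, "backward"),
        }
    }
}

/// This is the primary entry point for migration authors.  When you've implemented the Migration
/// trait, you should just be able to pass it to this function from your main function and let it
/// take care of the rest.  The migration runner will pass in the appropriate datastore paths and
/// migration type.
pub fn migrate(migration: impl Migration) -> Result<()> {
    let args = parse_args(env::args())?;
    run_migration(migration, &args)
}

================================================
FILE: sources/bottlerocket-release/Cargo.toml
================================================
[package]
name = "bottlerocket-release"
version = "0.1.0"
authors = ["Tom Kirchner "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
envy.workspace = true
log.workspace = true
semver = { workspace = true, features = ["serde"] }
serde = { workspace = true, features = ["derive"] }
snafu.workspace = true

[build-dependencies]
generate-readme.workspace = true

================================================
FILE: sources/bottlerocket-release/README.md
================================================
# bottlerocket-release

Current version: 0.1.0

## Background

This library lets you get a BottlerocketRelease struct that represents the data in the standard os-release file, or another file you point to.

The VERSION_ID is returned as a semver::Version for convenience.

The information is pulled at runtime because build_id changes frequently and would cause unnecessary rebuilds.

## Colophon

This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`.

================================================
FILE: sources/bottlerocket-release/README.tpl
================================================
# {{crate}}

Current version: {{version}}

{{readme}}

## Colophon

This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`.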
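================================================
FILE: sources/bottlerocket-release/build.rs
================================================
use std::path::Path;
use std::{env, fs};

/// Regenerates the crate's README.md from the rustdoc in `src/lib.rs`; panics on failure.
fn generate_readme() {
    generate_readme::from_lib().unwrap();
}

/// Writes `$OUT_DIR/constants.rs` containing an `ARCH` constant set to the target architecture
/// cargo reports for this build.  Panics if either environment variable is missing or the file
/// cannot be written.
fn generate_constants() {
    let out_dir = env::var("OUT_DIR").unwrap();
    let arch = env::var("CARGO_CFG_TARGET_ARCH").unwrap();
    // The value is spliced into Rust source unescaped; it comes from cargo, not from user input.
    let contents = format!("const ARCH: &str = \"{arch}\";");
    let path = Path::new(&out_dir).join("constants.rs");
    fs::write(path, contents).unwrap();
}

fn main() {
    generate_readme();
    generate_constants();
}

================================================
FILE: sources/bottlerocket-release/src/lib.rs
================================================
/*!
# Background

This library lets you get a BottlerocketRelease struct that represents the data in the standard os-release file, or another file you point to.

The VERSION_ID is returned as a semver::Version for convenience.

The information is pulled at runtime because build_id changes frequently and would cause unnecessary rebuilds.
*/

const DEFAULT_RELEASE_FILE: &str = "/usr/lib/os-release";
include!(concat!(env!("OUT_DIR"), "/constants.rs"));

use log::debug;
use semver::Version;
use serde::{Deserialize, Serialize};
use snafu::ResultExt;
use std::fs;
use std::path::Path;

/// BottlerocketRelease represents the data found in the release file.
#[derive(Debug, Deserialize, Serialize, Clone, PartialEq, Eq)]
pub struct BottlerocketRelease {
    // Fields from os-release
    pub pretty_name: String,
    pub variant_id: String,
    pub version_id: Version,
    pub build_id: String,

    // Other system information
    pub arch: String,
}

mod error {
    use snafu::Snafu;
    use std::io;
    use std::path::PathBuf;

    #[derive(Debug, Snafu)]
    #[snafu(visibility(pub(super)))]
    pub enum Error {
        #[snafu(display("Unable to read release file '{}': {}", path.display(), source))]
        ReadReleaseFile { path: PathBuf, source: io::Error },

        #[snafu(display("Unable to load release data from file '{}': {}", path.display(), source))]
        LoadReleaseData { path: PathBuf, source: envy::Error },
    }
}
pub use error::Error;
type Result<T> = std::result::Result<T, error::Error>;

impl BottlerocketRelease {
    /// Loads release data from the default release file, `/usr/lib/os-release`.
    pub fn new() -> Result<Self> {
        Self::from_file(DEFAULT_RELEASE_FILE)
    }

    /// Loads release data from the `KEY=VALUE` file at `path`.
    ///
    /// Lines starting with `#` and lines without `=` are skipped.  One leading and one trailing
    /// double quote are removed from each value; no other unquoting or unescaping is done, so
    /// single-quoted or backslash-escaped values are taken literally.  The `arch` field does not
    /// come from the file: it is the architecture this crate was compiled for.
    ///
    /// # Errors
    ///
    /// `ReadReleaseFile` if the file cannot be read, `LoadReleaseData` if the collected pairs
    /// cannot be deserialized into the struct.
    pub fn from_file<P>(path: P) -> Result<Self>
    where
        P: AsRef<Path>,
    {
        let path = path.as_ref();
        let release_data =
            fs::read_to_string(path).context(error::ReadReleaseFileSnafu { path })?;

        // Split and process each line
        let mut pairs: Vec<(String, String)> = release_data
            .lines()
            .filter_map(|line| {
                // Allow for comments
                if line.starts_with('#') {
                    return None;
                }

                // Split out KEY=VALUE at the first "="; if there is no "=" we skip the line
                let (key, value) = line.split_once('=')?;

                // If the value was quoted (unnecessary in this file) then remove the quotes
                let value = value.strip_prefix('"').unwrap_or(value);
                let value = value.strip_suffix('"').unwrap_or(value);

                debug!("Found os-release value {key}={value}");
                Some((key.to_owned(), value.to_owned()))
            })
            .collect();

        // Add information from other sources
        // NOTE(review): appended after the file's pairs; if the release file also carried an
        // `arch` key, which one wins depends on `envy::from_iter` - confirm.
        pairs.push(("arch".to_string(), ARCH.to_string()));

        envy::from_iter(pairs).context(error::LoadReleaseDataSnafu { path })
    }
}

================================================
FILE: sources/clarify.toml
================================================
[clarify.actix-macros]
expression = "MIT OR Apache-2.0"
license-files = [
    { path = "LICENSE-APACHE", hash = 0x31de3fcd },
    { path = "LICENSE-MIT", hash = 0xfeb1e4a7 },
]

[clarify.actix-codec]
expression = "MIT OR Apache-2.0"
license-files = [
    { path = "LICENSE-APACHE", hash = 0x31de3fcd },
    { path = "LICENSE-MIT", hash = 0xfeb1e4a7 },
]

[clarify.actix-http]
expression = "MIT OR Apache-2.0"
license-files = [
    { path = "LICENSE-APACHE", hash = 0x31de3fcd },
    { path = "LICENSE-MIT", hash = 0xfeb1e4a7 },
]

[clarify.backtrace-sys]
# backtrace-sys is MIT/Apache-2.0, libbacktrace is BSD-3-Clause
expression = "(MIT OR Apache-2.0) AND BSD-3-Clause"
license-files = [
    { path = "LICENSE-APACHE", hash = 0x24b54f4b },
    { path = "LICENSE-MIT", hash = 0x9374b940 },
    { path = "src/libbacktrace/LICENSE", hash = 0x0ce09262 },
]

[[clarify.bstr]]
version =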
"^0.2" expression = "(MIT OR Apache-2.0) AND Unicode-DFS-2016" license-files = [ { path = "COPYING", hash = 0x28398560 }, { path = "LICENSE-APACHE", hash = 0x24b54f4b }, { path = "LICENSE-MIT", hash = 0x462dee44 }, { path = "src/unicode/data/LICENSE-UNICODE", hash = 0x70f7339 }, ] [[clarify.bstr]] version = "=1" expression = "(MIT OR Apache-2.0) AND Unicode-DFS-2016" license-files = [ { path = "COPYING", hash = 0x278afbcf }, { path = "LICENSE-APACHE", hash = 0x24b54f4b }, { path = "LICENSE-MIT", hash = 0x462dee44 }, { path = "src/unicode/data/LICENSE-UNICODE", hash = 0x70f7339 }, ] [clarify.cached] expression = "MIT" license-files = [ { path = "COPYRIGHT", hash = 0xaf811590 }, { path = "LICENSE", hash = 0x77e163f0 }, ] [clarify.crossbeam-queue] expression = "MIT OR Apache-2.0" license-files = [ { path = "LICENSE-APACHE", hash = 0x24b54f4b }, { path = "LICENSE-MIT", hash = 0x386ca1bc }, { path = "LICENSE-THIRD-PARTY", hash = 0x7e40bc60 }, ] [clarify.crossbeam-channel] expression = "MIT OR Apache-2.0" license-files = [ { path = "LICENSE-APACHE", hash = 0x24b54f4b }, { path = "LICENSE-MIT", hash = 0xbc436f08 }, { path = "LICENSE-THIRD-PARTY", hash = 0x847bf39 }, ] # https://github.com/hsivonen/encoding_rs The non-test code that isn't generated from the WHATWG data in this crate is # under Apache-2.0 OR MIT. Test code is under CC0. [clarify.encoding_rs] expression = "(Apache-2.0 OR MIT) AND BSD-3-Clause" license-files = [ { path = "COPYRIGHT", hash = 0x39f8ad31 }, { path = "LICENSE-APACHE", hash = 0x18785531 }, { path = "LICENSE-MIT", hash = 0xafaec4cb }, { path = "LICENSE-WHATWG", hash = 0xbcb87a0c }, { path = "COPYRIGHT", hash = 0x39f8ad31 }, ] [clarify.lz4-sys] # The lz4-sys crate's license is listed as MIT. 
# # lz4-sys compiles four files from liblz4 as a static library: # - lib/lz4.c # - lib/lz4frame.c # - lib/lz4hc.c # - lib/xxhash.c # # liblz4's LICENSE file states: # > This repository uses 2 different licenses : # > - all files in the `lib` directory use a BSD 2-Clause license # > - all other files use a GPLv2 license, unless explicitly stated otherwise expression = "MIT AND BSD-2-Clause" license-files = [ { path = "liblz4/lib/LICENSE", hash = 0xe411c460 }, ] skip-files = [ "liblz4/LICENSE", # top-level explainer file "liblz4/contrib/djgpp/LICENSE", "liblz4/examples/COPYING", "liblz4/programs/COPYING", "liblz4/tests/COPYING", ] [clarify.minimal-lexical] expression = "MIT OR Apache-2.0" license-files = [ { path = "LICENSE.md", hash = 0xfe66d806 }, { path = "LICENSE-APACHE", hash = 0x4fccb6b7 }, { path = "LICENSE-MIT", hash = 0x386ca1bc }, ] [clarify.pulldown-cmark] expression = "MIT" license-files = [ { path = "LICENSE", hash = 0x4cb272b3 }, ] skip-files = [ "third_party/CommonMark/LICENSE", # only contains the commonmark specification ] [clarify.regex] expression = "MIT OR Apache-2.0" license-files = [ { path = "LICENSE-APACHE", hash = 0x24b54f4b }, { path = "LICENSE-MIT", hash = 0xb755395b }, ] skip-files = [ "src/testdata/LICENSE", # we aren't using the test data ] [[clarify.regex-automata]] version = "^0.1" expression = "Unlicense OR MIT" license-files = [ { path = "COPYING", hash = 0x969f37d8 }, { path = "LICENSE-MIT", hash = 0x616d8a83 }, { path = "UNLICENSE", hash = 0x87b84020 }, ] skip-files = [ "data/fowler-tests/LICENSE", # we aren't using the test data "data/tests/fowler/LICENSE", ] [[clarify.regex-automata]] version = "^0.3" expression = "MIT OR Apache-2.0" license-files = [ { path = "LICENSE-MIT", hash = 0xb755395b }, { path = "LICENSE-APACHE", hash = 0x24b54f4b }, ] [clarify.regex-syntax] expression = "(MIT OR Apache-2.0) AND Unicode-DFS-2016" license-files = [ { path = "LICENSE-APACHE", hash = 0x24b54f4b }, { path = "LICENSE-MIT", hash = 0xb755395b 
}, { path = "src/unicode_tables/LICENSE-UNICODE", hash = 0xa7f28b93 }, ] [clarify.ring] expression = "MIT AND ISC AND OpenSSL" license-files = [ { path = "LICENSE", hash = 0xbd0eed23 }, { path = "third_party/fiat/LICENSE", hash = 0x75829ee2 }, ] [clarify.tokio-macros] expression = "MIT" license-files = [ { path = "LICENSE", hash = 0x402b08de }, ] [clarify.unicode-ident] expression = "(MIT OR Apache-2.0) AND Unicode-DFS-2016" license-files = [ { path = "LICENSE-APACHE", hash = 0xb5518783 }, { path = "LICENSE-MIT", hash = 0x386ca1bc }, { path = "LICENSE-UNICODE", hash = 0x9698cbbe }, ] [clarify.vmw_backdoor] expression = "MIT OR Apache-2.0" license-files = [ { path = "COPYRIGHT", hash = 0x3fd7d639 }, { path = "LICENSE-APACHE-2.0", hash = 0x18785531 }, { path = "LICENSE-MIT", hash = 0x28392cf3 }, ] [clarify.typenum] expression = "MIT OR Apache-2.0" license-files = [ { path = "LICENSE", hash = 0xa4618a29 }, { path = "LICENSE-MIT", hash = 0xb9f15462 }, { path = "LICENSE-APACHE", hash = 0x91d5a0a7 }, ] ================================================ FILE: sources/constants/Cargo.toml ================================================ [package] name = "constants" version = "0.1.0" authors = ["Arnaldo Garcia Rincon "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] [build-dependencies] generate-readme.workspace = true ================================================ FILE: sources/constants/README.md ================================================ # constants Current version: 0.1.0 This crate contains constants shared across multiple Bottlerocket crates ## Colophon This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/main.rs`. 
================================================ FILE: sources/constants/README.tpl ================================================ # {{crate}} Current version: {{version}} {{readme}} ## Colophon This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/main.rs`. ================================================ FILE: sources/constants/build.rs ================================================ fn main() { generate_readme::from_lib().unwrap(); } ================================================ FILE: sources/constants/src/lib.rs ================================================ /*! This crate contains constants shared across multiple Bottlerocket crates */ // Shared API settings pub const API_SOCKET: &str = "/run/api.sock"; pub const API_SETTINGS_URI: &str = "/settings"; pub const API_SETTINGS_GENERATORS_URI: &str = "/metadata/setting-generators"; // Shared transaction used by boot time services pub const LAUNCH_TRANSACTION: &str = "bottlerocket-launch"; // Shared binaries' locations pub const SYSTEMCTL_BIN: &str = "/bin/systemctl"; pub const HOST_CTR_BIN: &str = "/bin/host-ctr"; ================================================ FILE: sources/deny.toml ================================================ [licenses] version = 2 # We want really high confidence when inferring licenses from text confidence-threshold = 0.93 # Commented license types are allowed but not currently used allow = [ "Apache-2.0", # "BSD-2-Clause", "BSD-3-Clause", # "BSL-1.0", # "CC0-1.0", "ISC", "MIT", # "OpenSSL", "Unlicense", "Zlib", "MPL-2.0", "Unicode-3.0", ] exceptions = [ { name = "unicode-ident", version = "1.0.4", allow = [ "MIT", "Apache-2.0", "Unicode-DFS-2016", ] }, ] # https://github.com/hsivonen/encoding_rs The non-test code that isn't generated from the WHATWG data in this crate is # under Apache-2.0 OR MIT. Test code is under CC0. 
[[licenses.clarify]]
name = "encoding_rs"
version = "0.8.30"
expression = "(Apache-2.0 OR MIT) AND BSD-3-Clause"
license-files = [{ path = "COPYRIGHT", hash = 0x39f8ad31 }]

[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

[[licenses.clarify]]
name = "webpki"
expression = "ISC"
license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]

# For the clarify entries above: each one asserts a license expression for a
# crate and ties it to the listed license file by hash.
# NOTE(review): cargo-deny is expected to apply a clarification only while the
# file hash still matches. Confirm this for the cargo-deny version in use, and
# re-read the license text whenever a hash has to be updated.

[bans]
# Deny multiple versions or wildcard dependencies.
multiple-versions = "deny"
wildcards = "deny"

deny = [{ name = "structopt" }, { name = "clap", wrappers = ["cargo-readme"] }]

skip = [
    # bottlerocket-settings-sdk requires syn 1.x and 2.x for proc-macros
    # within itself and its dependencies.
    { name = "syn", version = "=1.0" },
]

skip-tree = [
    # windows-sys is not a direct dependency. mio and schannel
    # are using different versions of windows-sys. We skip the
    # dependency tree because windows-sys has many sub-crates
    # that differ in major version.
    { name = "windows-sys" },
]

[advisories]
# generational-arena is currently unmaintained.
# The entry below suppresses that advisory for every crate checked with this file.
# NOTE(review): revisit this entry periodically and drop it once the dependency
# is removed or replaced, so that the suppression does not outlive its reason.
ignore = ["RUSTSEC-2024-0014"]

[sources]
# Deny crates from unknown registries or git repositories.
unknown-registry = "deny"
unknown-git = "deny"

allow-git = [
    # The settings SDK is currently provided as a git dependency.
    # We will allow it as an exception until the following is resolved:
    # https://github.com/bottlerocket-os/bottlerocket-settings-sdk/issues/18
    # NOTE(review): this allows the repository URL as a whole; which revision is
    # built is decided by the dependency declaration and the lockfile, which are
    # not visible here. Confirm the dependency is pinned to a revision or tag.
    "https://github.com/bottlerocket-os/bottlerocket-settings-sdk",
]

================================================
FILE: sources/generate-readme/Cargo.toml
================================================
[package]
name = "generate-readme"
version = "0.1.0"
authors = ["Matt Briggs "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false

[dependencies]
cargo-readme.workspace = true
snafu.workspace = true

================================================
FILE: sources/generate-readme/src/lib.rs
================================================
/*!
This small lib is used to generate README files for the crates in the `sources` workspace. These functions are called in a crate's build.rs file to generate a README from Rust doc comments. !*/ use snafu::ResultExt; use std::fs::File; use std::io::Write; use std::path::{Path, PathBuf}; pub type Result = std::result::Result; pub mod error { use snafu::Snafu; use std::path::PathBuf; #[derive(Debug, Snafu)] #[snafu(visibility(pub(super)))] pub enum Error { #[snafu(display("Unable to create the 'README.md' file: {}", source))] ReadmeCreate { source: std::io::Error }, #[snafu(display("Unable to generate the 'README.md' file contents: {}", error))] ReadmeGenerate { error: String }, #[snafu(display("Unable to open '{}': {}", file.display(), source))] ReadmeSourceOpen { file: PathBuf, source: std::io::Error, }, #[snafu(display("Unable to open 'README.tpl': {}", source))] ReadmeTemplateOpen { source: std::io::Error }, #[snafu(display("Unable to write to the 'README.md' file: {}", source))] ReadmeWrite { source: std::io::Error }, } } /// When this function is called in a `build.rs` file, it will generate a `README.md` (as a sibling /// to `build.rs`). It uses the doc comments found in `src/main.rs` and the `cargo-readme` crate to /// do so. The template for `cargo-readme` is expected to be `README.tpl` as a sibling file to /// `build.rs`. pub fn from_main() -> Result<()> { from_file("src/main.rs") } /// When this function is called in a `build.rs` file, it will generate a `README.md` (as a sibling /// to `build.rs`). It uses the doc comments found in `src/lib.rs` and the `cargo-readme` crate to /// do so. The template for `cargo-readme` is expected to be `README.tpl` as a sibling file to /// `build.rs`. pub fn from_lib() -> Result<()> { from_file("src/lib.rs") } /// When this function is called in a `build.rs` file, it will generate a `README.md` (as a sibling /// to `build.rs`). It uses the doc comments found in `rust_file` and the `cargo-readme` crate to do /// so. 
The template for `cargo-readme` is expected to be `README.tpl` as a sibling file to /// `build.rs`. pub fn from_file

(rust_file: P) -> Result<()> where P: AsRef, { // Check for environment variable "SKIP_README". If it is set, // skip README generation if std::env::var_os("SKIP_README").is_some() { return Ok(()); } let mut source = File::open(rust_file.as_ref()).context(error::ReadmeSourceOpenSnafu { file: rust_file.as_ref(), })?; let mut template = File::open("README.tpl").context(error::ReadmeTemplateOpenSnafu)?; let mut content = cargo_readme::generate_readme( &PathBuf::from("."), // root &mut source, // source Some(&mut template), // template // The "add x" arguments don't apply when using a template. true, // add title false, // add badges false, // add license true, // indent headings ) .map_err(|e| error::ReadmeGenerateSnafu { error: e }.build())?; // Make sure the end of the file has a newline if content.chars().last().unwrap_or_default() != '\n' { content += "\n"; } let mut readme = File::create("README.md").context(error::ReadmeCreateSnafu)?; readme .write_all(content.as_bytes()) .context(error::ReadmeWriteSnafu)?; Ok(()) } ================================================ FILE: sources/models/.gitignore ================================================ /src/variant/current /src/variant/mod.rs ================================================ FILE: sources/models/Cargo.toml ================================================ [package] name = "models" version = "0.1.0" authors = ["Tom Kirchner "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false build = "build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] bottlerocket-release.workspace = true libc.workspace = true serde = { workspace = true, features = ["derive"] } serde_json.workspace = true serde_plain.workspace = true toml.workspace = true # settings plugins bottlerocket-settings-models.workspace = true bottlerocket-settings-plugin.workspace = true [build-dependencies] generate-readme.workspace = true [lib] # We're loading the correct *model* at runtime, so users shouldn't think about # importing *models* (plural), just the one current model. name = "model" path = "src/lib.rs" ================================================ FILE: sources/models/README.md ================================================ # models Current version: 0.1.0 ## API models Bottlerocket has different variants supporting different features and use cases. Each variant has its own set of software, and therefore needs its own configuration. We support having an API model for each variant to support these different configurations. The model here defines a top-level `Settings` structure, and delegates the actual implementation to a ["settings plugin"](https://github.com/bottlerocket-os/bottlerocket-settings-sdk/tree/develop/bottlerocket-settings-plugin). Settings plugin are written in Rust as a "cdylib" crate, and loaded at runtime. Each settings plugin must define its own private `Settings` structure. It can use pre-defined structures inside, or custom ones as needed. `apiserver::datastore` offers serialization and deserialization modules that make it easy to map between Rust types and the data store, and thus, all inputs and outputs are type-checked. At the field level, standard Rust types can be used, or ["modeled types"](https://github.com/bottlerocket-os/bottlerocket-settings-sdk/tree/develop/bottlerocket-settings-models/modeled-types) that add input validation. 
The `#[model]` attribute on Settings and its sub-structs reduces duplication and adds some required metadata; see [its docs](model-derive/) for details. ## Colophon This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`. ================================================ FILE: sources/models/README.tpl ================================================ # {{crate}} Current version: {{version}} {{readme}} ## Colophon This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`. ================================================ FILE: sources/models/build.rs ================================================ fn main() { generate_readme::from_lib().unwrap(); } ================================================ FILE: sources/models/src/exec.rs ================================================ //! The 'exec' module holds types used to communicate between client and server for //! 'apiclient exec'. use libc::winsize as WinSize; use serde::{Deserialize, Serialize}; use std::ffi::OsString; // =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= /// Server messages to client. #[derive(Debug, Clone, Serialize, Deserialize)] pub enum ServerMessage { Capacity(Capacity), } /// A capacity update; this tells the client how many writes the server has completed so the client /// can figure out how many more input messages it can read and send. #[derive(Debug, Clone, Serialize, Deserialize)] pub struct Capacity { /// The maximum number of messages the server is willing to have outstanding before it /// terminates the client. pub max_messages_outstanding: u64, /// The number of input messages the server has successfully written to the child process. pub messages_written: u64, } // =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= /// Client messages to server. 
#[derive(Debug, Clone, Deserialize, Serialize)]
pub enum ClientMessage {
    // It'd be nice to include initialization parameters in the initial HTTP request body, but not
    // all WebSocket clients support data there.
    Initialize(Initialize),
    // Carries no payload.
    ContentComplete,
    // Carries a terminal window `Size`.
    // NOTE(review): presumably sent when the client's terminal is resized; confirm against the
    // client and server code.
    Winch(Size),
}

// NOTE(review): in this listing the generic arguments on `Vec`, `Option` and `From` below are
// missing; they look to have been stripped when the page was extracted. Check the repository for
// the real element types before relying on the field types shown here.

/// Tells the server how to initialize the command the user is requesting.
// NOTE(review): every field here is filled from the client's message as-is. Nothing in this type
// restricts which command or which target may be requested, so any authorization or validation
// has to happen in the server-side handler, which is not visible here.
#[derive(Debug, Clone, Deserialize, Serialize)]
pub struct Initialize {
    /// What command (and arguments) to run.
    pub command: Vec,
    /// What container (task) to run the command in.
    pub target: String,
    /// Whether the user wants a TTY.
    pub tty: Option,
}

/// If the user wants a TTY, these are the initial parameters the TTY should be set up with.
#[derive(Debug, Clone, Deserialize, Serialize)]
pub struct TtyInit {
    /// Initial size of the TTY window.
    pub size: Option,
}

// =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=

// Helper types

// Note: nix::pty::Winsize == libc::winsize.
// WinSize doesn't support serde, so we make a slim wrapper.
/// Size of the terminal window.
#[derive(Debug, Copy, Clone, Deserialize, Serialize)]
pub struct Size {
    pub rows: u16,
    pub cols: u16,
}

impl From for WinSize {
    /// Builds a `WinSize` from a `Size`, copying rows and columns.
    fn from(size: Size) -> Self {
        Self {
            ws_row: size.rows,
            ws_col: size.cols,
            // `Size` carries no pixel dimensions, so both are set to zero.
            ws_xpixel: 0,
            ws_ypixel: 0,
        }
    }
}

impl From for Size {
    /// Builds a `Size` from a `WinSize`; the pixel fields are not carried over.
    fn from(winsize: WinSize) -> Self {
        Self {
            rows: winsize.ws_row,
            cols: winsize.ws_col,
        }
    }
}

================================================
FILE: sources/models/src/generator.rs
================================================
//! The 'generator' module holds types that handle the settings generator metadata
//! definition (containing command, strength and depth) among various systems
//! like apiserver, sundog, datastore.
//!
//! The command field defines the command that needs to be executed to populate the
//! setting.
//! The strength field defines whether a setting needs to be deleted on reboot.
//! The depth field defines how metadata is inherited across hierarchical levels,
//! allowing a parent to provide metadata that can be applied to children at a given depth.
//!
//! The SettingsGenerator type is used to hold a generator that is applied strictly
//! to the given setting and has depth 0.
//! The RawSettingsGenerator holds the generators that can be dynamically applied
//! to the successors at the given depth, where a depth '0' means the generator
//! should be applied on the given key.
//!
//! We use a custom deserializer because the metadata may not always be
//! structured as an object; it can also appear as a string. This deserializer
//! handles both formats, keeping the deserialization logic close to the struct
//! for maintainability and clarity.

use serde::{
    de::{self, MapAccess, Visitor},
    Deserialize, Deserializer, Serialize,
};
use serde_plain::derive_fromstr_from_deserialize;
use std::fmt::{self, Display};

/// Weak settings are ephemeral and deleted on upgrade/downgrade, regardless of whether or not it
/// is written by a setting generator.
#[derive(Default, Deserialize, Serialize, Debug, Clone, Copy, PartialEq)]
#[serde(rename_all = "kebab-case")]
pub enum Strength {
    // `Strong` is the default, so a generator given without a strength is strong.
    #[default]
    Strong,
    Weak,
}

impl Display for Strength {
    /// Writes the lowercase name of the variant ("strong" or "weak").
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Strength::Strong => write!(f, "strong"),
            Strength::Weak => write!(f, "weak"),
        }
    }
}

// Provides `FromStr` for `Strength` by way of its `Deserialize` implementation.
derive_fromstr_from_deserialize!(Strength);

// NOTE(review): in this listing the generic parameters on `deserialize`, `visit_str`,
// `visit_map`, `Result`, `next_key`, `HashMap` and `From` are missing; they look to have been
// stripped when the page was extracted. Check the repository for the exact signatures.

/// Struct to hold the setting generator definition containing
/// command, strength, depth
// Per the module documentation, `command` is the command that is executed to populate the
// setting.
// NOTE(review): because `command` ends up being executed, whoever can write generator metadata
// decides what runs. Confirm that write access to this metadata is restricted to trusted
// configuration; that enforcement is not visible in this file.
// `Deserialize` is implemented by hand below and rejects unknown keys itself.
#[derive(Clone, Default, Serialize, Debug, PartialEq)]
#[serde(rename_all = "kebab-case", deny_unknown_fields)]
pub struct RawSettingsGenerator {
    pub command: String,
    pub strength: Strength,
    pub depth: u32,
}

impl RawSettingsGenerator {
    /// Returns true when the generator's strength is `Strength::Weak`.
    pub fn is_weak(&self) -> bool {
        self.strength == Strength::Weak
    }
}

impl<'de> Deserialize<'de> for RawSettingsGenerator {
    /// Accepts either a bare string (used as the command) or a map with the keys
    /// "command", "strength" and "depth".
    fn deserialize(deserializer: D) -> Result
    where
        D: Deserializer<'de>,
    {
        struct SettingsGeneratorVisitor;

        impl<'de> Visitor<'de> for SettingsGeneratorVisitor {
            type Value = RawSettingsGenerator;

            fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
                formatter.write_str("a string or a map")
            }

            fn visit_str(self, value: &str) -> Result
            where
                E: de::Error,
            {
                // If the value is a string, use it as the `command` with defaults for other fields.
                Ok(RawSettingsGenerator {
                    command: value.to_string(),
                    ..RawSettingsGenerator::default()
                })
            }

            fn visit_map(self, mut map: M) -> Result
            where
                M: MapAccess<'de>,
            {
                // Extract values from the map
                let mut command = None;
                let mut strength = None;
                let mut depth = None;

                // A repeated key is not rejected here: each occurrence overwrites the value
                // stored by the previous one, so the last occurrence wins.
                while let Some(key) = map.next_key::()? {
                    match key.as_str() {
                        "command" => command = Some(map.next_value()?),
                        "strength" => strength = Some(map.next_value()?),
                        "depth" => depth = Some(map.next_value()?),
                        // Any other key is an error.
                        _ => {
                            return Err(de::Error::unknown_field(
                                &key,
                                &["command", "strength", "depth"],
                            ))
                        }
                    }
                }

                // `command` is required; `strength` and `depth` fall back to their defaults.
                Ok(RawSettingsGenerator {
                    command: command.ok_or_else(|| de::Error::missing_field("command"))?,
                    strength: strength.unwrap_or_default(),
                    depth: depth.unwrap_or_default(),
                })
            }
        }

        // `deserialize_any` lets the input decide whether the string or the map path is taken.
        deserializer.deserialize_any(SettingsGeneratorVisitor)
    }
}

#[cfg(test)]
mod test {
    use std::collections::HashMap;

    use super::*;

    // Covers the string form, the full map form, a map without "depth" and a map with a
    // non-zero depth.
    #[test]
    fn test_setting_generator_deserialization() {
        let api_response = r#" { "host-containers.admin.source": "generator1", "host-containers.control.source": { "command": "generator2", "strength": "weak", "depth": 0 }, "host-containers.no_depth.source": { "command": "generator3", "strength": "weak" }, "host-containers.depth_given.source": { "command": "generator4", "strength": "weak", "depth": 1 } }"#;

        let expected_admin = RawSettingsGenerator {
            command: "generator1".to_string(),
            strength: Strength::Strong,
            depth: 0,
        };

        let expected_control = RawSettingsGenerator {
            command: "generator2".to_string(),
            strength: Strength::Weak,
            depth: 0,
        };

        let expected_no_depth = RawSettingsGenerator {
            command: "generator3".to_string(),
            strength: Strength::Weak,
            depth: 0,
        };

        let expected_depth_given = RawSettingsGenerator {
            command: "generator4".to_string(),
            strength: Strength::Weak,
            depth: 1,
        };

        let result: HashMap = serde_json::from_str(api_response).unwrap();

        assert_eq!(
            result.get("host-containers.admin.source").unwrap(),
            &expected_admin
        );
        assert_eq!(
            result.get("host-containers.control.source").unwrap(),
            &expected_control
        );
        assert_eq!(
            result.get("host-containers.no_depth.source").unwrap(),
            &expected_no_depth
        );
        assert_eq!(
            result.get("host-containers.depth_given.source").unwrap(),
            &expected_depth_given
        );
    }
}

/// Struct to hold the setting generator definition containing
/// command, strength
#[derive(Default, Serialize, std::fmt::Debug, PartialEq)]
pub struct SettingsGenerator {
    pub command: String,
    pub strength: Strength,
}

impl From for SettingsGenerator {
    /// Keeps the command and strength of the raw generator; its depth is dropped.
    fn from(value: RawSettingsGenerator) -> Self {
        SettingsGenerator {
            command: value.command,
            strength: value.strength,
        }
    }
}

impl<'de> Deserialize<'de> for SettingsGenerator {
    /// Accepts either a bare string (used as the command) or a map with the keys
    /// "command" and "strength". A "depth" key is rejected as an unknown field here.
    fn deserialize(deserializer: D) -> Result
    where
        D: Deserializer<'de>,
    {
        struct SettingsGeneratorVisitor;

        impl<'de> Visitor<'de> for SettingsGeneratorVisitor {
            type Value = SettingsGenerator;

            fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
                formatter.write_str("a string or a map")
            }

            fn visit_str(self, value: &str) -> Result
            where
                E: de::Error,
            {
                // If the value is a string, use it as the `command` with defaults for other fields.
                Ok(SettingsGenerator {
                    command: value.to_string(),
                    ..SettingsGenerator::default()
                })
            }

            fn visit_map(self, mut map: M) -> Result
            where
                M: MapAccess<'de>,
            {
                // Extract values from the map
                let mut command = None;
                let mut strength = None;

                // As in the raw generator's visitor, a repeated key overwrites the earlier
                // value rather than causing an error.
                while let Some(key) = map.next_key::()? {
                    match key.as_str() {
                        "command" => command = Some(map.next_value()?),
                        "strength" => strength = Some(map.next_value()?),
                        _ => return Err(de::Error::unknown_field(&key, &["command", "strength"])),
                    }
                }

                // `command` is required; `strength` falls back to its default.
                Ok(SettingsGenerator {
                    command: command.ok_or_else(|| de::Error::missing_field("command"))?,
                    strength: strength.unwrap_or_default(),
                })
            }
        }

        deserializer.deserialize_any(SettingsGeneratorVisitor)
    }
}

================================================
FILE: sources/models/src/lib.rs
================================================
/*!
# API models

Bottlerocket has different variants supporting different features and use cases.
Each variant has its own set of software, and therefore needs its own configuration.
We support having an API model for each variant to support these different configurations.
The model here defines a top-level `Settings` structure, and delegates the actual implementation to a ["settings plugin"](https://github.com/bottlerocket-os/bottlerocket-settings-sdk/tree/develop/bottlerocket-settings-plugin). Settings plugin are written in Rust as a "cdylib" crate, and loaded at runtime. Each settings plugin must define its own private `Settings` structure. It can use pre-defined structures inside, or custom ones as needed. `apiserver::datastore` offers serialization and deserialization modules that make it easy to map between Rust types and the data store, and thus, all inputs and outputs are type-checked. At the field level, standard Rust types can be used, or ["modeled types"](https://github.com/bottlerocket-os/bottlerocket-settings-sdk/tree/develop/bottlerocket-settings-models/modeled-types) that add input validation. The `#[model]` attribute on Settings and its sub-structs reduces duplication and adds some required metadata; see [its docs](model-derive/) for details. */ // Types used to communicate between client and server for 'apiclient exec'. pub mod exec; // Types used to handle the settings generator metadata among various systems pub mod generator; use bottlerocket_release::BottlerocketRelease; use bottlerocket_settings_models::model_derive::model; use bottlerocket_settings_plugin::BottlerocketSettings; use serde::{Deserialize, Serialize}; use std::collections::HashMap; use bottlerocket_settings_models::modeled_types::SingleLineString; #[derive(Debug, Clone, PartialEq, Default, Serialize, Deserialize)] #[serde(transparent)] pub struct Settings { inner: BottlerocketSettings, } // This is the top-level model exposed by the API system. It contains the common sections for all // variants. This allows a single API call to retrieve everything the API system knows, which is // useful as a check and also, for example, as a data source for templated configuration files. 
#[model] pub struct Model { settings: Settings, services: Services, configuration_files: ConfigurationFiles, os: BottlerocketRelease, } ///// Internal services // Note: Top-level objects that get returned from the API should have a "rename" attribute // matching the struct name, but in kebab-case, e.g. ConfigurationFiles -> "configuration-files". // This lets it match the datastore name. // Objects that live inside those top-level objects, e.g. Service lives in Services, should have // rename="" so they don't add an extra prefix to the datastore path that doesn't actually exist. // This is important because we have APIs that can return those sub-structures directly. pub type Services = HashMap; #[model(add_option = false, rename = "")] struct Service { configuration_files: Vec, restart_commands: Vec, } pub type ConfigurationFiles = HashMap; #[model(add_option = false, rename = "")] struct ConfigurationFile { path: SingleLineString, template_path: SingleLineString, #[serde(skip_serializing_if = "Option::is_none")] mode: Option, } ///// Metadata #[model(add_option = false, rename = "metadata")] struct Metadata { key: SingleLineString, md: SingleLineString, val: toml::Value, } #[model(add_option = false)] struct Report { name: String, description: String, } ================================================ FILE: sources/models/src/variant/.keep ================================================ FIXME: this directory is no longer needed for builds, but can't be removed yet because Twoliter expects it to exist. ================================================ FILE: sources/retry-read/Cargo.toml ================================================ [package] name = "retry-read" version = "0.1.0" authors = ["Tom Kirchner "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [build-dependencies] generate-readme.workspace = true ================================================ FILE: sources/retry-read/README.md ================================================ # retry-read Current version: 0.1.0 This library provides a `RetryRead` trait with a `retry_read` function that's available for any `Read` type. `retry_read` retries after standard interruptions (unlike `read`) but also returns the number of bytes read (unlike `read_exact`), and without needing to read to the end of the input (unlike `read_to_end` and `read_to_string`). ## Colophon This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`. ================================================ FILE: sources/retry-read/README.tpl ================================================ # {{crate}} Current version: {{version}} {{readme}} ## Colophon This text was generated from `README.tpl` using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`. ================================================ FILE: sources/retry-read/build.rs ================================================ fn main() { generate_readme::from_lib().unwrap(); } ================================================ FILE: sources/retry-read/src/lib.rs ================================================ //! This library provides a `RetryRead` trait with a `retry_read` function that's available for any //! `Read` type. `retry_read` retries after standard interruptions (unlike `read`) but also //! returns the number of bytes read (unlike `read_exact`), and without needing to read to the end //! of the input (unlike `read_to_end` and `read_to_string`). use std::io::{ErrorKind, Read, Result}; /// Provides a way to retry standard read operations while also returning the number of bytes read. 
pub trait RetryRead {
    // NOTE(review): the return type is shown as a bare `Result`, and the impl header below as
    // `impl RetryRead for R`. The generic parameters look to have been stripped when this
    // listing was extracted (presumably a byte count in the `Result` and a blanket impl over
    // `Read` types); confirm against the repository.
    fn retry_read(&mut self, buf: &mut [u8]) -> Result;
}

impl RetryRead for R {
    // This implementation is based on stdlib Read::read_exact, but hitting EOF isn't a failure, we
    // just want to return the number of bytes we could read.
    /// Like `Read::read` but retries on ErrorKind::Interrupted, returning the number of bytes read.
    ///
    /// Reading stops when `buf` is full or the reader returns `Ok(0)`. If a read fails with any
    /// error other than `Interrupted`, that error is returned and the count of bytes already
    /// placed in `buf` is not reported to the caller.
    fn retry_read(&mut self, mut buf: &mut [u8]) -> Result {
        let mut count = 0;

        // Read until we have no more space in the output buffer
        while !buf.is_empty() {
            match self.read(buf) {
                // No bytes left, done
                Ok(0) => break,
                // Read n bytes, slide ahead n in the output buffer and read more
                Ok(n) => {
                    count += n;
                    // Move the mutable borrow into a temporary so the remainder can be
                    // re-sliced and assigned back to `buf`.
                    let tmp = buf;
                    buf = &mut tmp[n..];
                }
                // Retry on interrupt
                // There is no cap on the number of retries: the loop continues for as long as
                // the reader keeps returning `Interrupted`.
                Err(e) if e.kind() == ErrorKind::Interrupted => {}
                // Other failures are fatal
                Err(e) => return Err(e),
            }
        }

        Ok(count)
    }
}

#[cfg(test)]
mod test {
    use super::{ErrorKind, Read, Result, RetryRead};
    use std::io::{Error, Write};

    // Helper method for simple test cases, confirming we read the full given slice.
    fn test(data: &[u8]) {
        let mut output = vec![0; data.len()];
        let count = (&data[..]).retry_read(&mut output).unwrap();
        assert_eq!(count, data.len());
        assert_eq!(data, &output);
    }

    // An empty input reads zero bytes.
    #[test]
    fn zero_read() {
        test(&[]);
    }

    #[test]
    fn small_read() {
        test(&[0, 1, 2, 3, 42]);
    }

    #[test]
    fn large_read() {
        test(&[42; 9999]);
    }

    // Confirm we retry reads when interrupted.
    #[test]
    fn retried_read() {
        let mut reader = InterruptedReader::new(5);
        let mut output = vec![0; 5];
        let count = reader.retry_read(&mut output).unwrap();
        assert_eq!(count, 5);
        assert_eq!(output, vec![42, 42, 42, 42, 42]);
    }

    // Helper that implements Read, eventually returning the requested number of bytes, but returns
    // ErrorKind::Interrupted every other call.
struct InterruptedReader { requested_reads: u64, finished_reads: u64, interrupt: bool, } impl InterruptedReader { fn new(requested_reads: u64) -> Self { Self { requested_reads, finished_reads: 0, interrupt: false, } } } impl Read for InterruptedReader { fn read(&mut self, mut buf: &mut [u8]) -> Result { if self.finished_reads > self.requested_reads { return Ok(0); } if self.interrupt { self.interrupt = false; Err(Error::new(ErrorKind::Interrupted, "you asked for it")) } else { self.interrupt = true; self.finished_reads += 1; buf.write(&[42]) } } } } ================================================ FILE: sources/settings-defaults/aws-dev/Cargo.toml ================================================ [package] name = "settings-defaults-aws-dev" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-dev/defaults.d/50-aws-dev.toml ================================================ # Metrics [settings.metrics] send-metrics = false service-checks = ["apiserver", "chronyd", "containerd", "host-containerd", "docker"] # Network [metadata.settings.network] affected-services = ["containerd", "docker", "host-containerd", "host-containers", "updog"] ================================================ FILE: sources/settings-defaults/aws-ecs-2/Cargo.toml ================================================ [package] name = "settings-defaults-aws-ecs-2" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-ecs-2-nvidia/Cargo.toml ================================================ [package] name = 
"settings-defaults-aws-ecs-2-nvidia" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-ecs-3/Cargo.toml ================================================ [package] name = "settings-defaults-aws-ecs-3" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-ecs-3-nvidia/Cargo.toml ================================================ [package] name = "settings-defaults-aws-ecs-3-nvidia" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-k8s-1.31/Cargo.toml ================================================ [package] name = "settings-defaults-aws-k8s-1_31" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-k8s-1.31-nvidia/Cargo.toml ================================================ [package] name = "settings-defaults-aws-k8s-1_31-nvidia" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: 
sources/settings-defaults/aws-k8s-1.32/Cargo.toml ================================================ [package] name = "settings-defaults-aws-k8s-1_32" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-k8s-1.32-nvidia/Cargo.toml ================================================ [package] name = "settings-defaults-aws-k8s-1_32-nvidia" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-k8s-1.33/Cargo.toml ================================================ [package] name = "settings-defaults-aws-k8s-1_33" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-k8s-1.33-nvidia/Cargo.toml ================================================ [package] name = "settings-defaults-aws-k8s-1_33-nvidia" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-k8s-1.34/Cargo.toml ================================================ [package] name = "settings-defaults-aws-k8s-1_34" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" 
[build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-k8s-1.34-nvidia/Cargo.toml ================================================ [package] name = "settings-defaults-aws-k8s-1_34-nvidia" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-k8s-1.35/Cargo.toml ================================================ [package] name = "settings-defaults-aws-k8s-1_35" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/aws-k8s-1.35-nvidia/Cargo.toml ================================================ [package] name = "settings-defaults-aws-k8s-1_35-nvidia" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/build-defaults.rs ================================================ fn main() { bottlerocket_defaults_helper::generate_defaults_toml().unwrap(); } ================================================ FILE: sources/settings-defaults/defaults-toml.rs ================================================ // This "crate" only generates a defaults.toml as a side effect of the build. 
================================================ FILE: sources/settings-defaults/metal-dev/Cargo.toml ================================================ [package] name = "settings-defaults-metal-dev" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/metal-dev/defaults.d/50-metal-dev.toml ================================================ # Metrics [settings.metrics] send-metrics = false service-checks = ["apiserver", "chronyd", "containerd", "host-containerd", "docker"] # Network [metadata.settings.network] affected-services = ["containerd", "docker", "host-containerd", "host-containers", "updog"] ================================================ FILE: sources/settings-defaults/metal-k8s-1.30/Cargo.toml ================================================ [package] name = "settings-defaults-metal-k8s-1_30" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/vmware-dev/Cargo.toml ================================================ [package] name = "settings-defaults-vmware-dev" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/vmware-dev/defaults.d/50-vmware-dev.toml ================================================ # Metrics [settings.metrics] send-metrics = false service-checks = ["apiserver", "chronyd", "containerd", "host-containerd", "docker", "vmtoolsd"] 
# Network [metadata.settings.network] affected-services = ["containerd", "docker", "host-containerd", "host-containers", "updog"] ================================================ FILE: sources/settings-defaults/vmware-k8s-1.32/Cargo.toml ================================================ [package] name = "settings-defaults-vmware-k8s-1_32" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/vmware-k8s-1.33/Cargo.toml ================================================ [package] name = "settings-defaults-vmware-k8s-1_33" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/vmware-k8s-1.34/Cargo.toml ================================================ [package] name = "settings-defaults-vmware-k8s-1_34" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-defaults/vmware-k8s-1.35/Cargo.toml ================================================ [package] name = "settings-defaults-vmware-k8s-1_35" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false build = "../build-defaults.rs" [lib] path = "../defaults-toml.rs" [build-dependencies] bottlerocket-defaults-helper.workspace = true ================================================ FILE: sources/settings-migrations/.keep ================================================ 
================================================ FILE: sources/settings-migrations/archived/v0.3.2/migrate-admin-container-v0-5-0/Cargo.toml ================================================ [package] name = "migrate-admin-container-v0-5-0" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v0.3.2/migrate-admin-container-v0-5-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_TEMPLATE: &str = "328549459982.dkr.ecr.{{ settings.aws.region }}.amazonaws.com/bottlerocket-admin:v0.4.0"; const NEW_ADMIN_CTR_TEMPLATE: &str = "328549459982.dkr.ecr.{{ settings.aws.region }}.amazonaws.com/bottlerocket-admin:v0.5.0"; /// We bumped the version of the default admin container from v0.4.0 to v0.5.0 fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.admin.source", old_template: OLD_ADMIN_CTR_TEMPLATE, new_template: NEW_ADMIN_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v0.4.1/add-version-lock-ignore-waves/Cargo.toml ================================================ [package] name = "add-version-lock-ignore-waves" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v0.4.1/add-version-lock-ignore-waves/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added two new settings, `updates.version-lock` and `updates.ignore-waves` fn run() -> Result<()> { migrate(AddSettingsMigration(&[ "settings.updates.version-lock", "settings.updates.ignore-waves", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v0.4.1/pivot-repo-2020-07-07/Cargo.toml ================================================ [package] name = "pivot-repo-2020-07-07" version = "0.1.0" authors = ["Jamie Anderson Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.updates.metadata-base-url", old_template: BEFORE_PIVOT_REPO_URL, new_template: AFTER_PIVOT_REPO_URL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v0.5.0/add-cluster-domain/Cargo.toml ================================================ [package] name = "add-cluster-domain" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v0.5.0/add-cluster-domain/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting, `kubernetes.cluster-domain` fn run() -> Result<()> { migrate(AddSettingsMigration(&[ "settings.kubernetes.cluster-domain", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v0.5.0/migrate-admin-container-v0-5-2/Cargo.toml ================================================ [package] name = "migrate-admin-container-v0-5-2" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v0.5.0/migrate-admin-container-v0-5-2/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_TEMPLATE: &str = "328549459982.dkr.ecr.{{ settings.aws.region }}.amazonaws.com/bottlerocket-admin:v0.5.0"; const NEW_ADMIN_CTR_TEMPLATE: &str = "328549459982.dkr.ecr.{{ settings.aws.region }}.amazonaws.com/bottlerocket-admin:v0.5.2"; /// We bumped the version of the default admin container from v0.5.0 to v0.5.2 fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.admin.source", old_template: OLD_ADMIN_CTR_TEMPLATE, new_template: NEW_ADMIN_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v0.5.0/migrate-control-container-v0-4-1/Cargo.toml ================================================ [package] name = "migrate-control-container-v0-4-1" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v0.5.0/migrate-control-container-v0-4-1/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_TEMPLATE: &str = "328549459982.dkr.ecr.{{ settings.aws.region }}.amazonaws.com/bottlerocket-control:v0.4.0"; const NEW_CONTROL_CTR_TEMPLATE: &str = "328549459982.dkr.ecr.{{ settings.aws.region }}.amazonaws.com/bottlerocket-control:v0.4.1"; /// We bumped the version of the default control container from v0.4.0 to v0.4.1 fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.control.source", old_template: OLD_CONTROL_CTR_TEMPLATE, new_template: NEW_CONTROL_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.0/ecr-helper-admin/Cargo.toml ================================================ [package] name = "ecr-helper-admin" version = "0.1.0" authors = ["Matt Briggs "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.0/ecr-helper-admin/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_TEMPLATE: &str = "328549459982.dkr.ecr.{{ settings.aws.region }}.amazonaws.com/bottlerocket-admin:v0.5.2"; const NEW_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.5.2"; /// We added a helper to lookup an ECR registry number by region. fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.admin.source", old_template: OLD_ADMIN_CTR_TEMPLATE, new_template: NEW_ADMIN_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.0/ecr-helper-control/Cargo.toml ================================================ [package] name = "ecr-helper-control" version = "0.1.0" authors = ["Matt Briggs "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.0.0/ecr-helper-control/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Template with the registry host spelled out (fixed account number, region from settings).
const OLD_CONTROL_CTR_TEMPLATE: &str =
    "328549459982.dkr.ecr.{{ settings.aws.region }}.amazonaws.com/bottlerocket-control:v0.4.1";
// Template that delegates the registry host to the `ecr-prefix` helper; the image tag is unchanged.
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.4.1";

/// We added a helper to lookup an ECR registry number by region.
///
/// Swaps the control host container's source template between the hard-coded registry form and
/// the `ecr-prefix` helper form. Both templates name the same image tag (v0.4.1).
fn run() -> Result<()> {
    migrate(ReplaceTemplateMigration {
        // NOTE(review): this key carries a `metadata.` prefix, while the sibling migrations for
        // the admin and control container sources pass `settings.host-containers.<name>.source`.
        // If ReplaceTemplateMigration looks the key up as given, this migration would match
        // nothing and the old hard-coded registry template would stay in place. Confirm
        // against migration-helpers.
        setting: "metadata.settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        // Non-zero exit status so the failed migration is visible to whatever invoked it.
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.0.2/add-enable-spot-instance-draining/Cargo.toml
================================================
[package]
name = "add-enable-spot-instance-draining"
version = "0.1.0"
authors = ["Magnus Kulke "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.2/add-enable-spot-instance-draining/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting, `ecs.enable-spot-instance-draining` fn run() -> Result<()> { migrate(AddSettingsMigration(&[ "settings.ecs.enable-spot-instance-draining", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.3/add-sysctl/Cargo.toml ================================================ [package] name = "add-sysctl" version = "0.1.0" authors = ["Tom Kirchner "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.3/add-sysctl/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added the ability to set sysctl keys via API settings. We don't want to track all possible /// Linux sysctl keys, so we remove the whole prefix if we downgrade. 
fn run() -> Result<()> {
    migrate(AddPrefixesMigration(vec![
        "settings.kernel.sysctl",
        "services.sysctl",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        // Non-zero exit status so the failed migration is visible to whatever invoked it.
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.0.5/add-lockdown/Cargo.toml
================================================
[package]
name = "add-lockdown"
version = "0.1.0"
authors = ["Tom Kirchner "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.0.5/add-lockdown/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added the ability to set kernel lockdown mode through a setting, so on downgrade we need to
/// remove the setting and the associated settings for the service that writes out changes.
//
// NOTE(review): after a downgrade the `settings.kernel.lockdown` value is no longer in the
// datastore, so the lockdown mode the operator chose is not carried over. What the older release
// applies in its place is not visible from this file; confirm, and re-check the effective
// lockdown mode after any rollback.
fn run() -> Result<()> {
    migrate(AddPrefixesMigration(vec![
        "settings.kernel.lockdown",
        "services.lockdown",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.5/add-network-settings/Cargo.toml ================================================ [package] name = "add-network-settings" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.5/add-network-settings/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added a set of settings for configuring service network behavior and their associated /// configuration file. Remove the whole `settings.network`, `configuration-files.proxy-env` prefix /// if we downgrade. fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "settings.network", "configuration-files.proxy-env", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.5/add-proxy-restart/Cargo.toml ================================================ [package] name = "add-proxy-restart" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.5/add-proxy-restart/src/main.rs ================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We updated the restart-commands and configuration-files settings for several existing services. /// We need to replace them upon downgrades and upgrades fn run() -> Result<()> { migrate(ReplaceListsMigration(vec![ ListReplacement { setting: "services.containerd.configuration-files", old_vals: &["containerd-config-toml"], new_vals: &["containerd-config-toml", "proxy-env"], }, ListReplacement { setting: "services.containerd.restart-commands", old_vals: &[], new_vals: &["/bin/systemctl try-restart containerd.service"], }, ListReplacement { setting: "services.kubernetes.configuration-files", old_vals: &[ "kubelet-env", "kubelet-config", "kubelet-kubeconfig", "kubernetes-ca-crt", ], new_vals: &[ "kubelet-env", "kubelet-config", "kubelet-kubeconfig", "kubernetes-ca-crt", "proxy-env", ], }, ListReplacement { setting: "services.kubernetes.restart-commands", old_vals: &[], new_vals: &["/bin/systemctl try-restart kubelet.service"], }, ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.5/add-proxy-services/Cargo.toml ================================================ [package] name = "add-proxy-services" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.5/add-proxy-services/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added new configuration files and restart commands for docker and host-containerd. /// On downgrade we need to remove all settings under these services fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "services.docker", "services.host-containerd", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.5/add-user-data/Cargo.toml ================================================ [package] name = "add-user-data" version = "0.1.0" authors = ["Tom Kirchner "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
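exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.0.5/add-user-data/src/main.rs
================================================
use migration_helpers::{migrate, Migration, MigrationData, Result};
use std::process;

/// This migration removes host-container user data settings when downgrading to versions that
/// don't understand them.
pub struct AddUserDataMigration;

impl Migration for AddUserDataMigration {
    /// There's no user data by default, it's just left empty on upgrade.
    ///
    /// Returns the input unchanged.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!("AddUserDataMigration has no work to do on upgrade.");
        Ok(input)
    }

    /// Older versions don't know about the user-data settings; we remove them so that old versions
    /// don't see them and fail deserialization.
    ///
    /// Every key that starts with `settings.host-containers.` and ends with `.user-data` is
    /// removed from `input.data`. Only the key name is printed. The removed value is operator-
    /// supplied host-container user data, which may hold credentials or other sensitive material,
    /// so it is kept out of the migration's output.
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        // We don't currently have structured data available to migrations, and we don't want
        // to re-parse keys. We know no other keys could match these basic patterns.
        //
        // Collect only the matching key names first: the map cannot be mutated while it is being
        // iterated, and there is no need to copy every value just to walk the keys.
        let user_data_keys: Vec<_> = input
            .data
            .keys()
            .filter(|setting| {
                setting.starts_with("settings.host-containers.") && setting.ends_with(".user-data")
            })
            .cloned()
            .collect();

        for setting in user_data_keys {
            if input.data.remove(&setting).is_some() {
                // Deliberately omit the value; see the doc comment above.
                println!("Removed {} (value withheld from log)", setting);
            }
        }
        Ok(input)
    }
}

/// Runs the user-data migration through the shared `migrate` entry point.
fn run() -> Result<()> {
    migrate(AddUserDataMigration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.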
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.5/sysctl-subcommand/Cargo.toml ================================================ [package] name = "sysctl-subcommand" version = "0.1.0" authors = ["Tom Kirchner "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.5/sysctl-subcommand/src/main.rs ================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We changed corndog to use subcommands so it can handle different kernel settings without having /// to apply them all every time. fn run() -> Result<()> { migrate(ReplaceListsMigration(vec![ListReplacement { setting: "services.sysctl.restart-commands", old_vals: &["/usr/bin/corndog"], new_vals: &["/usr/bin/corndog sysctl"], }])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.6/add-shibaken/Cargo.toml ================================================ [package] name = "add-shibaken" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.6/add-shibaken/src/main.rs ================================================ use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata}; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting metadata, `host-containers.admin.user-data.setting-generator` fn run() -> Result<()> { migrate(AddMetadataMigration(&[SettingMetadata { metadata: &["setting-generator"], setting: "settings.host-containers.admin.user-data", }])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.6/add-static-pods/Cargo.toml ================================================ [package] name = "add-static-pods" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.6/add-static-pods/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added new settings for defining k8s static pods. /// Remove `settings.kubernetes.static-pods`, `services.static-pods` prefixes when we downgrade. 
fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "settings.kubernetes.static-pods", "services.static-pods", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.6/admin-container-v0-6-0/Cargo.toml ================================================ [package] name = "admin-container-v0-6-0" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.6/admin-container-v0-6-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.5.2"; const NEW_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.6.0"; /// We bumped the version of the default admin container from v0.5.2 to v0.6.0 fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.admin.source", old_template: OLD_ADMIN_CTR_TEMPLATE, new_template: NEW_ADMIN_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.6/control-container-v0-4-2/Cargo.toml ================================================ [package] name = "control-container-v0-4-2" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.6/control-container-v0-4-2/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.4.1"; const NEW_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.4.2"; /// We bumped the version of the default control container from v0.4.1 to v0.4.2 fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.control.source", old_template: OLD_CONTROL_CTR_TEMPLATE, new_template: NEW_CONTROL_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.6/kubelet-standalone-tls-services/Cargo.toml ================================================ [package] name = "kubelet-standalone-tls-services" version = "0.1.0" authors = ["Ben Cressey "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.6/kubelet-standalone-tls-services/src/main.rs ================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We updated the configuration files and restart commands to support running kubelet in /// standalone mode, and for configuring it to use TLS auth. They need to be restored to /// the prior values on downgrade. 
fn run() -> Result<()> {
    // The new list adds `kubelet-bootstrap-kubeconfig` and `kubelet-exec-start-conf`.
    let config_files = ListReplacement {
        setting: "services.kubernetes.configuration-files",
        old_vals: &[
            "kubelet-env",
            "kubelet-config",
            "kubelet-kubeconfig",
            "kubernetes-ca-crt",
            "proxy-env",
        ],
        new_vals: &[
            "kubelet-env",
            "kubelet-config",
            "kubelet-kubeconfig",
            "kubelet-bootstrap-kubeconfig",
            "kubelet-exec-start-conf",
            "kubernetes-ca-crt",
            "proxy-env",
        ],
    };
    // The new list puts a `daemon-reload` ahead of the kubelet restart. The entries are
    // command lines; note the two systemctl paths differ (`/usr/bin` and `/bin`) and are
    // kept exactly as written.
    let restart_commands = ListReplacement {
        setting: "services.kubernetes.restart-commands",
        old_vals: &["/bin/systemctl try-restart kubelet.service"],
        new_vals: &[
            "/usr/bin/systemctl daemon-reload",
            "/bin/systemctl try-restart kubelet.service",
        ],
    };
    migrate(ReplaceListsMigration(vec![config_files, restart_commands]))
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.0.6/kubelet-standalone-tls-settings/Cargo.toml
================================================
[package]
name = "kubelet-standalone-tls-settings"
version = "0.1.0"
authors = ["Ben Cressey "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.0.6/kubelet-standalone-tls-settings/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added new settings for running kubelet in standalone mode, and for using TLS auth.
/// We also added new configuration files to apply these settings. They need to be removed
/// when we downgrade.
fn run() -> Result<()> {
    // NOTE(review): `bootstrap-token` is presumably a kubelet credential; confirm that
    // dropping this prefix on downgrade is the intended handling for that value.
    let tls_and_standalone_prefixes = vec![
        "settings.kubernetes.bootstrap-token",
        "settings.kubernetes.authentication-mode",
        "settings.kubernetes.standalone-mode",
        "configuration-files.kubelet-bootstrap-kubeconfig",
        "configuration-files.kubelet-exec-start-conf",
    ];
    migrate(AddPrefixesMigration(tls_and_standalone_prefixes))
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.0.6/metricdog-init/Cargo.toml
================================================
[package]
name = "metricdog-init"
version = "0.1.0"
authors = ["Matt Briggs "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.0.6/metricdog-init/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Registers the key prefixes that belong to the new `metricdog` program.
fn run() -> Result<()> {
    let metricdog_prefixes = vec![
        "settings.metrics",
        "services.metricdog",
        "configuration-files.metricdog",
    ];
    migrate(AddPrefixesMigration(metricdog_prefixes))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.8/add-bootstrap-containers/Cargo.toml ================================================ [package] name = "add-bootstrap-containers" version = "0.1.0" authors = ["Arnaldo Garcia Rincon "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.0.8/add-bootstrap-containers/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added the setting `bootstrap-containers` fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "settings.bootstrap-containers", "services.bootstrap-containers", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.0.8/admin-container-v0-7-0/Cargo.toml ================================================ [package] name = "admin-container-v0-7-0" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.0.8/admin-container-v0-7-0/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Both templates name the admin image by tag (not by digest), behind the
// `{{ ecr-prefix settings.aws.region }}` expression.
const OLD_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.6.0";
const NEW_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.7.0";

/// Moves the default admin container source template from v0.6.0 to v0.7.0.
fn run() -> Result<()> {
    let admin_source_bump = ReplaceTemplateMigration {
        setting: "settings.host-containers.admin.source",
        old_template: OLD_ADMIN_CTR_TEMPLATE,
        new_template: NEW_ADMIN_CTR_TEMPLATE,
    };
    migrate(admin_source_bump)
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.0.8/control-container-v0-5-0/Cargo.toml
================================================
[package]
name = "control-container-v0-5-0"
version = "0.1.0"
authors = ["Patrick J.P. Culp "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.0.8/control-container-v0-5-0/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Both templates name the control image by tag (not by digest), behind the
// `{{ ecr-prefix settings.aws.region }}` expression.
const OLD_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.4.2";
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.0";

/// Moves the default control container source template from v0.4.2 to v0.5.0.
fn run() -> Result<()> {
    let control_source_bump = ReplaceTemplateMigration {
        setting: "settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    };
    migrate(control_source_bump)
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.0.8/kubelet-eviction-hard/Cargo.toml
================================================
[package]
name = "kubelet-eviction-hard"
version = "0.1.0"
authors = ["Tianhao Geng "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.0.8/kubelet-eviction-hard/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting for configuring kubelet, `settings.kubernetes.eviction-hard`.
/// Rather than tracking every possible key under it, the whole prefix is removed when
/// we downgrade.
fn run() -> Result<()> {
    let eviction_prefixes = vec![
        "settings.kubernetes.eviction-hard",
    ];
    migrate(AddPrefixesMigration(eviction_prefixes))
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.0.8/kubelet-unsafe-sysctl-kube-reserved/Cargo.toml
================================================
[package]
name = "kubelet-unsafe-sysctl-kube-reserved"
version = "0.1.0"
authors = ["Tianhao Geng "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.0.8/kubelet-unsafe-sysctl-kube-reserved/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added two new settings for configuring kubelet, `kubernetes.allowed-unsafe-sysctls`
/// and `kubernetes.kube-reserved`.
fn run() -> Result<()> {
    // NOTE(review): `allowed-unsafe-sysctls` presumably feeds kubelet's allow-list of unsafe
    // sysctls; this file only names the key.
    const NEW_KUBELET_SETTINGS: &[&str] = &[
        "settings.kubernetes.allowed-unsafe-sysctls",
        "settings.kubernetes.kube-reserved",
    ];
    migrate(AddSettingsMigration(NEW_KUBELET_SETTINGS))
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.0.8/proxy-affect-host-containers/Cargo.toml
================================================
[package]
name = "proxy-affect-host-containers"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.0.8/proxy-affect-host-containers/src/main.rs
================================================
use migration_helpers::common_migrations::{
    MetadataListReplacement, ReplaceMetadataListsMigration,
};
use migration_helpers::{migrate, Result};
use std::process;

/// We updated the 'affected-services' list metadata for 'settings.network' to include
/// host-containers.
/// The metadata list needs to be restored to the prior value on downgrade and
/// updated to include host-containers on upgrades.
/// We're trying to match old values for different variants.
fn run() -> Result<()> {
    // Every entry targets the same setting and metadata key; they differ only in the old
    // list they expect, one per group of variants.
    let variant_replacements = vec![
        MetadataListReplacement {
            setting: "settings.network",
            metadata: "affected-services",
            old_vals: &["containerd", "host-containerd"],
            new_vals: &["containerd", "host-containerd", "host-containers"],
        },
        // For K8S variants
        MetadataListReplacement {
            setting: "settings.network",
            metadata: "affected-services",
            old_vals: &["containerd", "kubernetes", "host-containerd"],
            new_vals: &[
                "containerd",
                "kubernetes",
                "host-containerd",
                "host-containers",
            ],
        },
        // For the aws-ecs-1 variant
        MetadataListReplacement {
            setting: "settings.network",
            metadata: "affected-services",
            old_vals: &["containerd", "docker", "ecs", "host-containerd"],
            new_vals: &[
                "containerd",
                "docker",
                "ecs",
                "host-containerd",
                "host-containers",
            ],
        },
        // For aws-dev and vmware-dev variants
        MetadataListReplacement {
            setting: "settings.network",
            metadata: "affected-services",
            old_vals: &["containerd", "docker", "host-containerd"],
            new_vals: &["containerd", "docker", "host-containerd", "host-containers"],
        },
    ];
    migrate(ReplaceMetadataListsMigration(variant_replacements))
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.0/kubelet-cloud-provider/Cargo.toml
================================================
[package]
name = "kubelet-cloud-provider"
version = "0.1.0"
authors = ["Patrick J.P. Culp "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.1.0/kubelet-cloud-provider/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting for configuring kubelet, `settings.kubernetes.cloud-provider`.
fn run() -> Result<()> {
    const NEW_KUBELET_SETTINGS: &[&str] = &[
        "settings.kubernetes.cloud-provider",
    ];
    migrate(AddSettingsMigration(NEW_KUBELET_SETTINGS))
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.0/kubelet-event-qps-event-burst/Cargo.toml
================================================
[package]
name = "kubelet-event-qps-event-burst"
version = "0.1.0"
authors = ["Tianhao Geng "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.1.0/kubelet-event-qps-event-burst/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Registers the two kubelet settings added in this release,
/// `settings.kubernetes.event-qps` and `settings.kubernetes.event-burst`.
fn run() -> Result<()> {
    const NEW_KUBELET_SETTINGS: &[&str] = &[
        "settings.kubernetes.event-qps",
        "settings.kubernetes.event-burst",
    ];
    migrate(AddSettingsMigration(NEW_KUBELET_SETTINGS))
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.0/kubelet-kube-api-qps-kube-api-burst/Cargo.toml
================================================
[package]
name = "kubelet-kube-api-qps-kube-api-burst"
version = "0.1.0"
authors = ["Tianhao Geng "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.1.0/kubelet-kube-api-qps-kube-api-burst/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Registers the two kubelet settings added in this release,
/// `settings.kubernetes.kube-api-qps` and `settings.kubernetes.kube-api-burst`.
fn run() -> Result<()> {
    const NEW_KUBELET_SETTINGS: &[&str] = &[
        "settings.kubernetes.kube-api-qps",
        "settings.kubernetes.kube-api-burst",
    ];
    migrate(AddSettingsMigration(NEW_KUBELET_SETTINGS))
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.0/kubelet-registry-qps-registry-burst/Cargo.toml
================================================
[package]
name = "kubelet-registry-qps-registry-burst"
version = "0.1.0"
authors = ["Tianhao Geng "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.1.0/kubelet-registry-qps-registry-burst/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Registers the two kubelet settings added in this release,
/// `settings.kubernetes.registry-qps` and `settings.kubernetes.registry-burst`.
fn run() -> Result<()> {
    const NEW_KUBELET_SETTINGS: &[&str] = &[
        "settings.kubernetes.registry-qps",
        "settings.kubernetes.registry-burst",
    ];
    migrate(AddSettingsMigration(NEW_KUBELET_SETTINGS))
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.0/kubelet-server-tls-bootstrap/Cargo.toml
================================================
[package]
name = "kubelet-server-tls-bootstrap"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.1.0/kubelet-server-tls-bootstrap/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Registers the kubelet setting added in this release, `kubernetes.server-tls-bootstrap`.
fn run() -> Result<()> {
    const NEW_KUBELET_SETTINGS: &[&str] = &[
        "settings.kubernetes.server-tls-bootstrap",
    ];
    migrate(AddSettingsMigration(NEW_KUBELET_SETTINGS))
}

// Returning a Result from main makes it print a Debug
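// representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.0/schnauzer-paws/Cargo.toml
================================================
[package]
name = "schnauzer-paws"
version = "0.1.0"
authors = ["Tom Kirchner "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }
serde_json = "1.0"

================================================
FILE: sources/settings-migrations/archived/v1.1.0/schnauzer-paws/src/main.rs
================================================
use migration_helpers::{migrate, Migration, MigrationData, Result};
use std::process;

// The setting whose metadata this migration edits.
const SETTING: &str = "settings.kubernetes.pod-infra-container-image";
// Generator values before and after the change; each direction only acts on an exact match.
const OLD_SETTING_GENERATOR: &str = "pluto pod-infra-container-image";
const NEW_SETTING_GENERATOR: &str = "schnauzer settings.kubernetes.pod-infra-container-image";
// Template stored alongside the new generator. It names the pause image by tag (`:3.1`),
// not by digest.
const NEW_TEMPLATE: &str =
    "{{ pause-prefix settings.aws.region }}/eks/pause-{{ goarch os.arch }}:3.1";

/// We moved from using pluto to schnauzer for generating the pause container image URL, since it
/// lets us reuse the existing region and arch settings, improving reliability and allowing for
/// testing new regions through settings overrides.
pub struct SchnauzerPaws;

impl Migration for SchnauzerPaws {
    /// Upgrade: switch the `setting-generator` metadata of `SETTING` from the pluto value to the
    /// schnauzer value and add the matching `template` metadata.
    ///
    /// Nothing is changed when the metadata is missing, is not a string, or holds any value
    /// other than `OLD_SETTING_GENERATOR`; each of those cases is only reported on stdout.
    /// The (possibly modified) `input` is always returned as `Ok`.
    fn forward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        // Check if we have this setting at all.
        if let Some(metadata) = input.metadata.get_mut(SETTING) {
            if let Some(metadata_value) = metadata.get_mut("setting-generator") {
                // Make sure the value is what we expect.
                match metadata_value {
                    serde_json::Value::String(string) => {
                        if string == OLD_SETTING_GENERATOR {
                            // Happy path. Update the generator.
                            *metadata_value = NEW_SETTING_GENERATOR.into();
                            println!(
                                "Changed setting-generator for '{}' from {:?} to {:?} on upgrade",
                                SETTING, OLD_SETTING_GENERATOR, NEW_SETTING_GENERATOR
                            );
                            // Set the associated template. We didn't have a template for this
                            // setting before, and metadata can't be changed by the user, so we can
                            // just set it.
                            metadata.insert("template".to_string(), NEW_TEMPLATE.into());
                            println!(
                                "Set 'template' metadata on '{}' to '{}'",
                                SETTING, NEW_TEMPLATE
                            );
                        } else {
                            // An unexpected generator is left untouched rather than overwritten.
                            println!(
                                "setting-generator for '{}' is not set to {:?}, leaving alone",
                                SETTING, OLD_SETTING_GENERATOR
                            );
                        }
                    }
                    _ => {
                        println!(
                            "setting-generator for '{}' is set to non-string value '{}'; SchnauzerPaws only handles strings",
                            SETTING, metadata_value
                        );
                    }
                }
            } else {
                println!("Found no setting-generator for '{}'", SETTING);
            }
        } else {
            println!("Found no metadata for '{}'", SETTING);
        }

        Ok(input)
    }

    /// Downgrade: switch the `setting-generator` metadata of `SETTING` back to the pluto value
    /// and remove the `template` metadata.
    ///
    /// Mirrors `forward`: it only acts when the current generator equals
    /// `NEW_SETTING_GENERATOR`, reports every other case on stdout, and always returns
    /// `Ok(input)`.
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        // Check if we have this setting at all.
        if let Some(metadata) = input.metadata.get_mut(SETTING) {
            if let Some(metadata_value) = metadata.get_mut("setting-generator") {
                // Make sure the value is what we expect.
                match metadata_value {
                    serde_json::Value::String(string) => {
                        if string == NEW_SETTING_GENERATOR {
                            // Happy path. Update the generator.
                            *metadata_value = OLD_SETTING_GENERATOR.into();
                            println!(
                                "Changed setting-generator for '{}' from {:?} to {:?} on downgrade",
                                SETTING, NEW_SETTING_GENERATOR, OLD_SETTING_GENERATOR
                            );
                            // Remove the associated template. We didn't have a template for this
                            // setting before, and metadata can't be changed by the user, so we can
                            // just remove it.
                            if let Some(metadata_value) = metadata.remove("template") {
                                println!(
                                    "Removed 'template' metadata on '{}', which was set to '{}'",
                                    SETTING, metadata_value
                                );
                            } else {
                                println!(
                                    "Found no 'template' metadata to remove on setting '{}'",
                                    SETTING
                                );
                            }
                        } else {
                            // An unexpected generator is left untouched rather than overwritten.
                            println!(
                                "setting-generator for '{}' is not set to {:?}, leaving alone",
                                SETTING, NEW_SETTING_GENERATOR
                            );
                        }
                    }
                    _ => {
                        println!(
                            "setting-generator for '{}' is set to non-string value '{}'; SchnauzerPaws only handles strings",
                            SETTING, metadata_value
                        );
                    }
                }
            } else {
                println!("Found no setting-generator for '{}'", SETTING);
            }
        } else {
            println!("Found no metadata for '{}'", SETTING);
        }

        Ok(input)
    }
}

/// Runs the `SchnauzerPaws` migration through the shared `migrate` entry point.
fn run() -> Result<()> {
    migrate(SchnauzerPaws)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.0/shared-containerd-configs/Cargo.toml
================================================
[package]
name = "shared-containerd-configs"
version = "0.1.0"
authors = ["Tom Kirchner "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
lazy_static = "1.4"
migration-helpers = { path = "../../../migration-helpers" }
serde_json = "1.0"

================================================
FILE: sources/settings-migrations/archived/v1.1.0/shared-containerd-configs/src/main.rs
================================================
use lazy_static::lazy_static;
use migration_helpers::{migrate, Migration, MigrationData, Result};
use std::process;

// The one datastore key this migration reads and may rewrite.
const SETTING: &'static str = "configuration-files.containerd-config-toml.template-path";

lazy_static! {
    // (old path, new path) pairs applied on upgrade; `backward` swaps each pair.
    // Every path listed is under /usr/share/templates.
    static ref TEMPLATE_CHANGES: &'static [(&'static str, &'static str)] = &[
        (
            "/usr/share/templates/containerd-config-toml_aws-dev",
            "/usr/share/templates/containerd-config-toml_basic"
        ),
        (
            "/usr/share/templates/containerd-config-toml_aws-ecs-1",
            "/usr/share/templates/containerd-config-toml_basic"
        ),
        (
            "/usr/share/templates/containerd-config-toml_aws-k8s",
            "/usr/share/templates/containerd-config-toml_k8s"
        ),
        (
            "/usr/share/templates/containerd-config-toml_vmware-dev",
            "/usr/share/templates/containerd-config-toml_basic"
        ),
    ];
}

/// We refactored containerd config file templates to share data where possible, instead of
/// duplicating them for variants with identical configs. thar-be-settings runs at startup and
/// regenerates all files based on templates, so if we change the source during migration (early in
/// boot) it'll automatically be written out based on the new template.
fn run() -> Result<()> {
    migrate(SharedContainerdConfigs {})
}

pub struct SharedContainerdConfigs {}

impl SharedContainerdConfigs {
    /// Rewrites `SETTING` when its current value equals the first element of one of
    /// `transforms`, replacing it with that pair's second element.
    ///
    /// `action` is only used in the log line ("upgrade" or "downgrade" at the call sites
    /// below). A missing setting, a non-string value, or a string that matches no pair
    /// leaves the data unchanged and is reported on stdout. Always returns `Ok(input)`.
    fn migrate(
        &mut self,
        mut input: MigrationData,
        transforms: &[(&str, &str)],
        action: &'static str,
    ) -> Result<MigrationData> {
        if let Some(data) = input.data.get_mut(SETTING) {
            match data {
                serde_json::Value::String(string) => {
                    for (outgoing, incoming) in transforms {
                        if string == outgoing {
                            *data = (*incoming).into();
                            println!(
                                "Changed '{}' from {:?} to {:?} on {}",
                                SETTING, outgoing, incoming, action
                            );
                            // We've done what we came to do - the transformations don't
                            // overlap, so we do one at most. (Without this, Rust knows that
                            // we still have a reference to 'data' for another iteration, and
                            // it won't let us change it. So smart.)
                            break;
                        } else {
                            println!("'{}' is not set to {:?}, leaving alone", SETTING, outgoing);
                        }
                    }
                }
                _ => {
                    println!(
                        "'{}' is set to non-string value '{}'; SharedContainerdConfigs only handles strings",
                        SETTING, data
                    );
                }
            }
        } else {
            println!("Found no setting '{}'", SETTING);
        }

        Ok(input)
    }
}

impl Migration for SharedContainerdConfigs {
    /// Upgrade: apply `TEMPLATE_CHANGES` as listed (old path -> new path).
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        self.migrate(input, *TEMPLATE_CHANGES, "upgrade")
    }

    /// Downgrade: apply `TEMPLATE_CHANGES` with each pair reversed (new path -> old path).
    ///
    /// NOTE(review): several old paths share the same new path (`..._basic`), and `migrate`
    /// stops at the first match, so a downgrade from `..._basic` yields the first listed
    /// variant path. Confirm that is acceptable for the non-aws-dev variants.
    fn backward(&mut self, input: MigrationData) -> Result<MigrationData> {
        let transforms: Vec<(&str, &str)> =
            TEMPLATE_CHANGES.iter().map(|(a, b)| (*b, *a)).collect();
        self.migrate(input, &transforms, "downgrade")
    }
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.2/admin-container-v0-7-1/Cargo.toml
================================================
[package]
name = "admin-container-v0-7-1"
version = "0.1.0"
authors = ["Patrick J.P. Culp "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.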
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.1.2/admin-container-v0-7-1/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Both templates name the admin image by tag (not by digest), behind the
// `{{ ecr-prefix settings.aws.region }}` expression.
const OLD_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.7.0";
const NEW_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.7.1";

/// Moves the default admin container source template from v0.7.0 to v0.7.1.
fn run() -> Result<()> {
    let admin_source_bump = ReplaceTemplateMigration {
        setting: "settings.host-containers.admin.source",
        old_template: OLD_ADMIN_CTR_TEMPLATE,
        new_template: NEW_ADMIN_CTR_TEMPLATE,
    };
    migrate(admin_source_bump)
}

// `main` only delegates to `run`. Returning the Result from `main` would print the error's
// Debug form; Snafu gives us a readable Display form, so we print that and exit non-zero.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    let outcome = run();
    if let Err(err) = outcome {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.2/control-container-v0-5-1/Cargo.toml
================================================
[package]
name = "control-container-v0-5-1"
version = "0.1.0"
authors = ["Patrick J.P. Culp "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.1.2/control-container-v0-5-1/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// NOTE(review): both templates name the image by tag (`:v0.5.0` / `:v0.5.1`), not by digest,
// so the content behind the reference is whatever the registry serves for that tag.
const OLD_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.0";
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.1";

/// The default control container went from v0.5.0 to v0.5.1.
///
/// Passes `migrate` a `ReplaceTemplateMigration` for `settings.host-containers.control.source`
/// with the v0.5.0 template as `old_template` and the v0.5.1 template as `new_template`.
fn run() -> Result<()> {
    let migration = ReplaceTemplateMigration {
        setting: "settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    };
    migrate(migration)
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.2/kubelet-container-log/Cargo.toml
================================================
[package]
name = "kubelet-container-log"
version = "0.1.0"
authors = ["Sungwon Cho "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.1.2/kubelet-container-log/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Two kubelet settings were added: `settings.kubernetes.container-log-max-size` and
/// `settings.kubernetes.container-log-max-files`.
///
/// Both keys are handed to `migrate` wrapped in an `AddSettingsMigration`.
// NOTE(review): presumably the helper drops these keys on downgrade, since the older
// version does not know them; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    let added_settings = AddSettingsMigration(&[
        "settings.kubernetes.container-log-max-size",
        "settings.kubernetes.container-log-max-files",
    ]);
    migrate(added_settings)
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.2/kubelet-system-reserved/Cargo.toml
================================================
[package]
name = "kubelet-system-reserved"
version = "0.1.0"
authors = ["Tianhao Geng "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.1.2/kubelet-system-reserved/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// A kubelet setting was added under the prefix `settings.kubernetes.system-reserved`.
///
/// The prefix is handed to `migrate` wrapped in an `AddPrefixesMigration`.
fn run() -> Result<()> {
    let prefixes = vec!["settings.kubernetes.system-reserved"];
    migrate(AddPrefixesMigration(prefixes))
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.3/kubelet-cpu-manager/Cargo.toml
================================================
[package]
name = "kubelet-cpu-manager"
version = "0.1.0"
authors = ["Tianhao Geng "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.1.3/kubelet-cpu-manager/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Two kubelet settings were added: `settings.kubernetes.cpu-manager-policy` and
/// `settings.kubernetes.cpu-manager-reconcile-period`.
///
/// Both keys are handed to `migrate` wrapped in an `AddSettingsMigration`.
fn run() -> Result<()> {
    let added_settings = AddSettingsMigration(&[
        "settings.kubernetes.cpu-manager-policy",
        "settings.kubernetes.cpu-manager-reconcile-period",
    ]);
    migrate(added_settings)
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.1.3/kubelet-cpu-manager-state/Cargo.toml
================================================
[package]
name = "kubelet-cpu-manager-state"
version = "0.1.0"
authors = ["Tianhao Geng "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
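exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }
snafu = "0.8"

================================================
FILE: sources/settings-migrations/archived/v1.1.3/kubelet-cpu-manager-state/src/main.rs
================================================
use migration_helpers::{error, migrate, Migration, MigrationData, Result};
use snafu::ResultExt;
use std::fs;
use std::io;
use std::process;

// Fixed path of kubelet's CPU manager state file. It is a compile-time constant, so no
// value from the migrated data influences which file `backward` deletes.
const CPU_MANAGER_POLICY_CHECKPOINT: &str = "/var/lib/kubelet/cpu_manager_state";

/// forward - We always remove the state file on boot, therefore we don't need to explicitly
/// remove the file during forward migration.
/// backward - We remove cpu manager policy checkpoint value on downgrade, since older versions did not
/// clean up this state file on boot.
pub struct CpuManagerPolicyCleaner;

impl Migration for CpuManagerPolicyCleaner {
    /// Upgrade direction: logs that there is nothing to do and returns `input` unchanged.
    // The return type carries its type argument here; the bare `Result` in this listing had
    // lost it (the function returns `Ok(input)`, and `input` is a `MigrationData`).
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!("CpuManagerPolicyCleaner has no work to do on upgrade.");
        Ok(input)
    }

    /// Downgrade direction: deletes the CPU manager state file and returns `input` unchanged.
    ///
    /// A file that is already absent is logged and treated as success. Any other I/O error
    /// is returned with `error::RemoveFile` context naming the path.
    fn backward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!(
            "Deleting existing cpu manager policy checkpoint: '{}'",
            CPU_MANAGER_POLICY_CHECKPOINT
        );
        // `fs::remove_file` unlinks the path itself; on Unix a symlink sitting at this path
        // is removed rather than followed.
        match fs::remove_file(CPU_MANAGER_POLICY_CHECKPOINT) {
            Ok(()) => {}
            Err(e) if e.kind() == io::ErrorKind::NotFound => {
                println!("NotFound: '{}'", CPU_MANAGER_POLICY_CHECKPOINT)
            }
            Err(e) => {
                return Err(e).context(error::RemoveFile {
                    path: CPU_MANAGER_POLICY_CHECKPOINT,
                });
            }
        }
        Ok(input)
    }
}

/// We changed the default for CPU manager policy and need to handle kubelet's state file.
fn run() -> Result<()> {
    migrate(CpuManagerPolicyCleaner)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.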
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.10.0/aws-admin-container-v0-9-2/Cargo.toml ================================================ [package] name = "aws-admin-container-v0-9-2" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.10.0/aws-admin-container-v0-9-2/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.9.0"; const NEW_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.9.2"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.admin.source", old_template: OLD_ADMIN_CTR_TEMPLATE, new_template: NEW_ADMIN_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.10.0/aws-control-container-v0-6-3/Cargo.toml ================================================ [package] name = "aws-control-container-v0-6-3" version = "0.1.0" authors = ["Ethan Pullen "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.10.0/aws-control-container-v0-6-3/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.6.1"; const NEW_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.6.3"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.control.source", old_template: OLD_CONTROL_CTR_TEMPLATE, new_template: NEW_CONTROL_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.10.0/dns-settings/Cargo.toml ================================================ [package] name = "dns-settings" version = "0.1.0" license = "Apache-2.0 OR MIT" edition = "2018" publish = false [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.10.0/dns-settings/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added new settings under `settings.dns` for configuring /etc/resolv.conf fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "settings.dns", "services.dns", "configuration-files.netdog-toml", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.10.0/dns-settings-metadata/Cargo.toml ================================================ [package] name = "dns-settings-metadata" version = "0.1.0" license = "Apache-2.0 OR MIT" edition = "2018" publish = false [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.10.0/dns-settings-metadata/src/main.rs ================================================ use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata}; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting and `affected-services` metadata for `settings.dns` fn run() -> Result<()> { migrate(AddMetadataMigration(&[SettingMetadata { metadata: &["affected-services"], setting: "settings.dns", }])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.10.0/kubelet-log-level/Cargo.toml ================================================ [package] name = "kubelet-log-level" version = "0.1.0" authors = ["Sean McGinnis "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.10.0/kubelet-log-level/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added a new settings for configuring kubelet logging verbosity: /// `settings.kubernetes.log-level`. fn run() -> Result<()> { migrate(AddSettingsMigration(&["settings.kubernetes.log-level"])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.10.0/public-admin-container-v0-9-2/Cargo.toml ================================================ [package] name = "public-admin-container-v0-9-2" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.10.0/public-admin-container-v0-9-2/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// NOTE(review): both values name the image by tag (`:v0.9.0` / `:v0.9.2`), not by digest,
// so the content behind the reference is whatever the registry serves for that tag.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.9.0";
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.9.2";

/// The default admin container version was bumped (v0.9.0 to v0.9.2 per the values above).
///
/// Passes `migrate` a `ReplaceStringMigration` for `settings.host-containers.admin.source`
/// with the old image reference as `old_val` and the new one as `new_val`.
fn run() -> Result<()> {
    let migration = ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    };
    migrate(migration)
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.10.0/public-control-container-v0-6-3/Cargo.toml
================================================
[package]
name = "public-control-container-v0-6-3"
version = "0.1.0"
authors = ["Ethan Pullen "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.10.0/public-control-container-v0-6-3/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// NOTE(review): both values name the image by tag (`:v0.6.1` / `:v0.6.3`), not by digest,
// so the content behind the reference is whatever the registry serves for that tag.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.6.1";
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.6.3";

/// The default control container version was bumped (v0.6.1 to v0.6.3 per the values above).
///
/// Passes `migrate` a `ReplaceStringMigration` for `settings.host-containers.control.source`
/// with the old image reference as `old_val` and the new one as `new_val`.
fn run() -> Result<()> {
    let migration = ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    };
    migrate(migration)
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.10.0/reboot-to-reconcile-setting/Cargo.toml
================================================
[package]
name = "reboot-to-reconcile-setting"
version = "0.1.0"
edition = "2018"
authors = ["Markus Boehme "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.10.0/reboot-to-reconcile-setting/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// A setting that lets the host reboot when boot settings changed was added:
/// `settings.boot.reboot-to-reconcile`.
///
/// The key is handed to `migrate` wrapped in an `AddSettingsMigration`.
fn run() -> Result<()> {
    let added_settings = AddSettingsMigration(&["settings.boot.reboot-to-reconcile"]);
    migrate(added_settings)
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.10.1/container-runtime/Cargo.toml
================================================
[package]
name = "container-runtime"
version = "0.1.0"
edition = "2018"
authors = ["Sean McGinnis "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.10.1/container-runtime/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting for configuring container runtime (containerd) settings.
fn run() -> Result<()> {
    // The single prefix `settings.container-runtime` is handed to `migrate` in an
    // `AddPrefixesMigration`.
    let prefixes = vec!["settings.container-runtime"];
    migrate(AddPrefixesMigration(prefixes))
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.10.1/container-runtime-metadata/Cargo.toml
================================================
[package]
name = "container-runtime-metadata"
version = "0.1.0"
edition = "2018"
authors = ["Sean McGinnis "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.10.1/container-runtime-metadata/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// A setting for configuring the container runtime (containerd) was added; this migration
/// covers its `affected-services` metadata on `settings.container-runtime`.
fn run() -> Result<()> {
    let migration = AddMetadataMigration(&[SettingMetadata {
        metadata: &["affected-services"],
        setting: "settings.container-runtime",
    }]);
    migrate(migration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.11.0/aws-admin-container-v0-9-3/Cargo.toml ================================================ [package] name = "aws-admin-container-v0-9-3" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.11.0/aws-admin-container-v0-9-3/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.9.2"; const NEW_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.9.3"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.admin.source", old_template: OLD_ADMIN_CTR_TEMPLATE, new_template: NEW_ADMIN_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.11.0/aws-config-settings/Cargo.toml ================================================ [package] name = "aws-config-settings" version = "0.1.0" edition = "2018" authors = ["Sean McGinnis "] license = "Apache-2.0 OR MIT" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.11.0/aws-config-settings/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting for configuring the AWS client configuration. This /// can be used by any client expecting to find settings in the default /// `~/.aws/*` location. fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "services.aws", "configuration-files.aws-config", "configuration-files.aws-credentials", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.11.0/aws-control-container-v0-6-4/Cargo.toml ================================================ [package] name = "aws-control-container-v0-6-4" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.11.0/aws-control-container-v0-6-4/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// NOTE(review): both templates name the image by tag (`:v0.6.3` / `:v0.6.4`), not by digest,
// so the content behind the reference is whatever the registry serves for that tag.
const OLD_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.6.3";
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.6.4";

/// The default control container version was bumped (v0.6.3 to v0.6.4 per the templates above).
///
/// Passes `migrate` a `ReplaceTemplateMigration` for `settings.host-containers.control.source`.
fn run() -> Result<()> {
    let migration = ReplaceTemplateMigration {
        setting: "settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    };
    migrate(migration)
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.11.0/aws-creds/Cargo.toml
================================================
[package]
name = "aws-creds"
version = "0.1.0"
edition = "2018"
authors = ["Sean McGinnis "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

[build-dependencies]
bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }

================================================
FILE: sources/settings-migrations/archived/v1.11.0/aws-creds/build.rs
================================================
use bottlerocket_variant::Variant;

// Build script: reads the variant from the environment and emits its cfgs; `main.rs` tests
// one of them with `cfg!(variant_platform = "aws")`. The `unwrap` fails the build when the
// variant cannot be read.
fn main() {
    Variant::from_env().unwrap().emit_cfgs();
}

================================================
FILE: sources/settings-migrations/archived/v1.11.0/aws-creds/src/main.rs
================================================
use migration_helpers::common_migrations::{AddPrefixesMigration, AddSettingsMigration};
use migration_helpers::{migrate, Result};
use std::process;

/// New settings for AWS credential configuration were added.
///
/// Which migration runs is fixed at build time by the `variant_platform` cfg: AWS variants
/// get an `AddSettingsMigration` for the three new keys, every other variant gets an
/// `AddPrefixesMigration` for the whole `settings.aws` prefix.
// NOTE(review): `settings.aws.credentials` presumably carries secret material; confirm that
// the downgrade path leaves no copy of it behind on either branch.
fn run() -> Result<()> {
    if !cfg!(variant_platform = "aws") {
        // Non-AWS variants did not have any AWS setting until this point,
        // so need to completely clean up on downgrade.
        return migrate(AddPrefixesMigration(vec!["settings.aws"]));
    }

    let added_settings = AddSettingsMigration(&[
        "settings.aws.config",
        "settings.aws.credentials",
        "settings.aws.profile",
    ]);
    migrate(added_settings)
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.11.0/aws-creds-metadata/Cargo.toml
================================================
[package]
name = "aws-creds-metadata"
version = "0.1.0"
edition = "2018"
authors = ["Sean McGinnis "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.11.0/aws-creds-metadata/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// A setting for AWS credential configuration was added; this migration covers the
/// `affected-services` metadata on `settings.aws`.
fn run() -> Result<()> {
    let migration = AddMetadataMigration(&[SettingMetadata {
        metadata: &["affected-services"],
        setting: "settings.aws",
    }]);
    migrate(migration)
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.11.0/credential-providers/Cargo.toml
================================================
[package]
name = "credential-providers"
version = "0.1.0"
edition = "2018"
authors = ["Sean McGinnis "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.11.0/credential-providers/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting for configuring kubelet's image credential
/// provider plugins. Initially this is only to support ecr-credential-provider,
/// but others may be added as needed.
fn run() -> Result<()> {
    // Both the setting prefix and the generated configuration file entry are handed to
    // `migrate` in one `AddPrefixesMigration`.
    let prefixes = vec![
        "settings.kubernetes.credential-providers",
        "configuration-files.credential-provider-config-yaml",
    ];
    migrate(AddPrefixesMigration(prefixes))
}

// `main` delegates to `run` and reports a failure itself: a `Result` returned from `main` is
// printed through `Debug`, while the Snafu errors here have a readable `Display` form.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // On failure, print the error's `Display` form to stderr and exit with status 1.
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.11.0/ecs-additional-configurations/Cargo.toml
================================================
[package]
name = "ecs-additional-configurations"
version = "0.1.0"
edition = "2018"
authors = ["Arnaldo Garcia Rincon "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.11.0/ecs-additional-configurations/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Additional configuration settings for the ECS agent were added.
///
/// The five `settings.ecs.*` keys below are handed to `migrate` in an `AddSettingsMigration`.
fn run() -> Result<()> {
    let added_settings = AddSettingsMigration(&[
        "settings.ecs.container-stop-timeout",
        "settings.ecs.task-cleanup-wait",
        "settings.ecs.metadata-service-rps",
        "settings.ecs.metadata-service-burst",
        "settings.ecs.reserved-memory",
    ]);
    migrate(added_settings)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.11.0/kubelet-new-config-files/Cargo.toml ================================================ [package] name = "kubelet-new-config-files" version = "0.1.0" edition = "2018" authors = ["Sean McGinnis "] license = "Apache-2.0 OR MIT" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.11.0/kubelet-new-config-files/src/main.rs ================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; /// Handle new configuration files for kubelet configuration. fn run() -> Result<()> { migrate(ReplaceListsMigration(vec![ListReplacement { setting: "services.kubernetes.configuration-files", old_vals: &[ "kubelet-env", "kubelet-config", "kubelet-kubeconfig", "kubelet-bootstrap-kubeconfig", "kubelet-exec-start-conf", "kubernetes-ca-crt", "proxy-env", ], new_vals: &[ "kubelet-env", "kubelet-config", "kubelet-kubeconfig", "kubelet-bootstrap-kubeconfig", "kubelet-exec-start-conf", "kubernetes-ca-crt", "proxy-env", "kubelet-server-crt", "kubelet-server-key", "credential-provider-config-yaml", ], }])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.11.0/kubelet-tls-config/Cargo.toml ================================================ [package] name = "kubelet-tls-config" version = "0.1.0" edition = "2018" authors = ["Sean McGinnis "] license = "Apache-2.0 OR MIT" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.11.0/kubelet-tls-config/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; // We added a new setting for providing TLS certs. fn run() -> Result<()> { migrate(AddSettingsMigration(&[ "settings.kubernetes.server-certificate", "settings.kubernetes.server-key", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.11.0/kubelet-tls-files/Cargo.toml ================================================ [package] name = "kubelet-tls-files" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.11.0/kubelet-tls-files/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added support for adding new kubelet TLS certs/keys for communicating with the Kubernetes API server. fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "configuration-files.kubelet-server-crt", "configuration-files.kubelet-server-key", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.11.0/public-admin-container-v0-9-3/Cargo.toml ================================================ [package] name = "public-admin-container-v0-9-3" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.11.0/public-admin-container-v0-9-3/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.9.2"; const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.9.3"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.admin.source", old_val: OLD_ADMIN_CTR_SOURCE_VAL, new_val: NEW_ADMIN_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.11.0/public-control-container-v0-6-4/Cargo.toml ================================================ [package] name = "public-control-container-v0-6-4" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.11.0/public-control-container-v0-6-4/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.6.3"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.6.4"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/add-k8s-autoscaling-warm-pool-setting/Cargo.toml ================================================ [package] name = "add-k8s-autoscaling-warm-pool-setting" version = "0.1.0" authors = ["Tianhao Geng "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1"} [build-dependencies] bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/add-k8s-autoscaling-warm-pool-setting/build.rs ================================================ use bottlerocket_variant::Variant; fn main() { let variant = Variant::from_env().unwrap(); variant.emit_cfgs(); } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/add-k8s-autoscaling-warm-pool-setting/src/main.rs ================================================ use migration_helpers::common_migrations::{AddPrefixesMigration, NoOpMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting prefix for configuring autoscaling in k8s variants. /// Remove the whole `settings.autoscaling` prefix if we downgrade. fn run() -> Result<()> { if cfg!(variant_family = "aws-k8s") { migrate(AddPrefixesMigration(vec![ "settings.autoscaling", "services.autoscaling-warm-pool", "configuration-files.warm-pool-wait-toml", ]))?; } else { migrate(NoOpMigration)?; } Ok(()) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/add-k8s-autoscaling-warm-pool-setting-metadata/Cargo.toml ================================================ [package] name = "add-k8s-autoscaling-warm-pool-setting-metadata" version = "0.1.0" authors = ["Tianhao Geng "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} [build-dependencies] bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/add-k8s-autoscaling-warm-pool-setting-metadata/build.rs ================================================ use bottlerocket_variant::Variant; fn main() { let variant = Variant::from_env().unwrap(); variant.emit_cfgs(); } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/add-k8s-autoscaling-warm-pool-setting-metadata/src/main.rs ================================================ use migration_helpers::common_migrations::{AddMetadataMigration, NoOpMigration, SettingMetadata}; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting and `affected-services` metadata for `settings.autoscaling` fn run() -> Result<()> { if cfg!(variant_family = "aws-k8s") { migrate(AddMetadataMigration(&[SettingMetadata { metadata: &["affected-services"], setting: "settings.autoscaling", }]))?; } else { migrate(NoOpMigration)?; } Ok(()) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/aws-admin-container-v0-9-4/Cargo.toml ================================================ [package] name = "aws-admin-container-v0-9-4" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.12.0/aws-admin-container-v0-9-4/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.9.3"; const NEW_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.9.4"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.admin.source", old_template: OLD_ADMIN_CTR_TEMPLATE, new_template: NEW_ADMIN_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/aws-control-container-v0-7-0/Cargo.toml ================================================ [package] name = "aws-control-container-v0-7-0" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.12.0/aws-control-container-v0-7-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.6.4"; const NEW_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.0"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.control.source", old_template: OLD_CONTROL_CTR_TEMPLATE, new_template: NEW_CONTROL_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/k8s-private-pki-path/Cargo.toml ================================================ [package] name = "k8s-private-pki-path" version = "0.1.0" authors = ["Sean McGinnis "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} serde_json = "1.0" ================================================ FILE: sources/settings-migrations/archived/v1.12.0/k8s-private-pki-path/src/main.rs ================================================ use migration_helpers::{migrate, Migration, MigrationData, Result}; use std::process; const SETTING: &str = "configuration-files.kubelet-server-key.path"; const OLD_VALUE: &str = "/etc/kubernetes/pki/kubelet-server.key"; const NEW_VALUE: &str = "/etc/kubernetes/pki/private/kubelet-server.key"; /// We moved the render output location for the kubelet PKI private key to be in a restricted /// subdirectory. We need to update this output path in the stored configuration so updated nodes /// pick up the change. 
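fn run() -> Result<()> {
    migrate(KubeletServerKey {})
}

/// Migration that rewrites the stored render path of the kubelet server private key.
///
/// On upgrade the value stored under `SETTING` is switched from `OLD_VALUE` to `NEW_VALUE`
/// (the `private/` subdirectory); on downgrade the swap is reversed, so the setting points
/// back at the old location outside `private/`.
///
/// Only the path recorded in the migration data is changed. Nothing here moves or removes a
/// key file already present at the previous path.
// NOTE(review): whether a key left behind at the old path is cleaned up elsewhere cannot be
// determined from this file; confirm before relying on the restricted directory alone.
pub struct KubeletServerKey {}

impl KubeletServerKey {
    /// Swaps the key path in `input` for the given direction and returns the updated data.
    ///
    /// `action` is `"upgrade"` for the forward direction; any other value is treated as a
    /// downgrade. The setting is rewritten only when it currently holds exactly the value
    /// expected for that direction, so a customized path is never overwritten. Missing and
    /// non-string values are reported and left untouched.
    fn migrate(&mut self, mut input: MigrationData, action: &'static str) -> Result<MigrationData> {
        let (old_value, new_value) = if action == "upgrade" {
            (OLD_VALUE, NEW_VALUE)
        } else {
            // Downgrade: everything old is new again
            (NEW_VALUE, OLD_VALUE)
        };

        if let Some(data) = input.data.get_mut(SETTING) {
            match data {
                serde_json::Value::String(current_value) => {
                    if current_value == old_value {
                        *data = new_value.into();
                        println!(
                            "Changed '{}' from {:?} to {:?} on {}",
                            SETTING, old_value, new_value, action
                        );
                    } else {
                        // Report the value actually found. It may be the target path already
                        // or a custom one, and claiming it equals `new_value` would mislead
                        // anyone auditing where the private key is rendered.
                        println!(
                            "'{}' is set to {:?}, not {:?}; leaving alone",
                            SETTING, current_value, old_value
                        );
                    }
                }
                _ => {
                    println!(
                        "'{}' is set to non-string value '{}'; KubeletServerKey only handles strings",
                        SETTING, data
                    );
                }
            }
        } else {
            println!("Found no setting '{}'", SETTING);
        }

        Ok(input)
    }
}

impl Migration for KubeletServerKey {
    /// Upgrade direction: point the setting at the path inside `private/`.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        self.migrate(input, "upgrade")
    }

    /// Downgrade direction: restore the pre-migration path.
    fn backward(&mut self, input: MigrationData) -> Result<MigrationData> {
        self.migrate(input, "downgrade")
    }
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.12.0/oci-defaults-setting/Cargo.toml
================================================
[package]
name = "oci-defaults-setting"
version = "0.1.0"
edition = "2021"
authors = ["Mahdi Chaker "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.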
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} [build-dependencies] bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/oci-defaults-setting/build.rs ================================================ use bottlerocket_variant::Variant; fn main() { let variant = Variant::from_env().unwrap(); variant.emit_cfgs(); } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/oci-defaults-setting/src/main.rs ================================================ use migration_helpers::common_migrations::{AddPrefixesMigration, NoOpMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We added new settings for configuring the default OCI runtime spec, /// `settings.oci-defaults`, which will initially contain /// `settings.oci-defaults.capabilities` and /// `settings.oci-defaults.resource-limits` fn run() -> Result<()> { if cfg!(variant_runtime = "k8s") { migrate(AddPrefixesMigration(vec![ "settings.oci-defaults", "services.oci-defaults", "configuration-files.oci-defaults", ]))? } else { migrate(NoOpMigration)?; } Ok(()) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/oci-defaults-setting-metadata/Cargo.toml ================================================ [package] name = "oci-defaults-setting-metadata" version = "0.1.0" edition = "2021" authors = ["Mahdi Chaker "] license = "Apache-2.0 OR MIT" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} [build-dependencies] bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/oci-defaults-setting-metadata/build.rs ================================================ use bottlerocket_variant::Variant; fn main() { let variant = Variant::from_env().unwrap(); variant.emit_cfgs(); } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/oci-defaults-setting-metadata/src/main.rs ================================================ use migration_helpers::common_migrations::{AddMetadataMigration, NoOpMigration, SettingMetadata}; use migration_helpers::{migrate, Result}; use std::process; /// We updated the 'affected-services' list metadata for 'settings.oci-defaults' /// to include itself and containerd on upgrade, and to remove those values on /// downgrade, depending on the running variant. fn run() -> Result<()> { if cfg!(variant_runtime = "k8s") { migrate(AddMetadataMigration(&[SettingMetadata { metadata: &["affected-services"], setting: "settings.oci-defaults", }]))? 
} else { migrate(NoOpMigration)?; } Ok(()) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/public-admin-container-v0-9-4/Cargo.toml ================================================ [package] name = "public-admin-container-v0-9-4" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.12.0/public-admin-container-v0-9-4/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.9.3"; const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.9.4"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.admin.source", old_val: OLD_ADMIN_CTR_SOURCE_VAL, new_val: NEW_ADMIN_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.12.0/public-control-container-v0-7-0/Cargo.toml ================================================ [package] name = "public-control-container-v0-7-0" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.12.0/public-control-container-v0-7-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.6.4"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.0"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.13.0/aws-admin-container-v0-10-0/Cargo.toml ================================================ [package] name = "aws-admin-container-v0-10-0" version = "0.1.0" authors = ["Markus Boehme "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.13.0/aws-admin-container-v0-10-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.9.4"; const NEW_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.10.0"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.admin.source", old_template: OLD_ADMIN_CTR_TEMPLATE, new_template: NEW_ADMIN_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.13.0/aws-control-container-v0-7-1/Cargo.toml ================================================ [package] name = "aws-control-container-v0-7-1" version = "0.1.0" authors = ["Markus Boehme "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.13.0/aws-control-container-v0-7-1/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.0"; const NEW_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.1"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.control.source", old_template: OLD_CONTROL_CTR_TEMPLATE, new_template: NEW_CONTROL_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.13.0/k8s-registry/Cargo.toml ================================================ [package] name = "k8s-registry" version = "0.1.0" authors = ["John McBride "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.13.0/k8s-registry/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_K8S_PAUSE_IMAGE: &str = "k8s.gcr.io/pause:3.2"; const NEW_K8S_PAUSE_IMAGE: &str = "public.ecr.aws/eks-distro/kubernetes/pause:3.3"; // The `k8s.gcr.io` registry, as of April 2023 will be frozen and // images will no longer be pushed to that registry. // For further details: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/ // // In this migration, we move pause container image references from `k8s.gcr.io` to `public.ecr.aws/eks-distro/kubernetes/` fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.kubernetes.pod-infra-container-image", old_val: OLD_K8S_PAUSE_IMAGE, new_val: NEW_K8S_PAUSE_IMAGE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.13.0/public-admin-container-v0-10-0/Cargo.toml ================================================ [package] name = "public-admin-container-v0-10-0" version = "0.1.0" authors = ["Markus Boehme "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.13.0/public-admin-container-v0-10-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.9.4"; const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.10.0"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.admin.source", old_val: OLD_ADMIN_CTR_SOURCE_VAL, new_val: NEW_ADMIN_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.13.0/public-control-container-v0-7-1/Cargo.toml ================================================ [package] name = "public-control-container-v0-7-1" version = "0.1.0" authors = ["Markus Boehme "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.13.0/public-control-container-v0-7-1/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.0"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.1"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.13.1/aws-profile-cred-provider/Cargo.toml ================================================ [package] name = "aws-profile-cred-provider" version = "0.1.0" authors = ["Sean McGinnis "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.13.1/aws-profile-cred-provider/src/main.rs ================================================ use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata}; use migration_helpers::{migrate, Result}; use std::process; /// We added `affected-services` metadata for `aws.profile` fn run() -> Result<()> { migrate(AddMetadataMigration(&[SettingMetadata { metadata: &["affected-services"], setting: "settings.aws.profile", }])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.13.3/aws-k8s-provider-id-gen/Cargo.toml ================================================ [package] name = "aws-k8s-provider-id-gen" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.13.3/aws-k8s-provider-id-gen/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new `setting-generator` metadata for `kubernetes.provider-id`
///
/// Passes `migrate` an `AddMetadataMigration` naming the `setting-generator`
/// metadata key of `settings.kubernetes.provider-id` and returns the result of
/// `migrate`.
// NOTE(review): presumably the metadata is left alone on upgrade and removed on
// downgrade; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(AddMetadataMigration(&[SettingMetadata {
        metadata: &["setting-generator"],
        setting: "settings.kubernetes.provider-id",
    }]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.13.4/add-hostname-override/Cargo.toml
================================================
[package]
name = "add-hostname-override"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.13.4/add-hostname-override/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting for specifying the '--hostname-override' kubelet option for kubernetes variants
///
/// Passes `migrate` an `AddSettingsMigration` listing
/// `settings.kubernetes.hostname-override` and returns the result of `migrate`.
// NOTE(review): presumably nothing is changed on upgrade and the listed key is
// removed on downgrade; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(AddSettingsMigration(&[
        "settings.kubernetes.hostname-override",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.13.4/add-hostname-override-metadata/Cargo.toml
================================================
[package]
name = "add-hostname-override-metadata"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.13.4/add-hostname-override-metadata/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// We added the `setting-generator` metadata for `kubernetes.hostname-override`
///
/// Passes `migrate` an `AddMetadataMigration` naming the `setting-generator`
/// metadata key of `settings.kubernetes.hostname-override` and returns the
/// result of `migrate`.
// NOTE(review): presumably the metadata is left alone on upgrade and removed on
// downgrade; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(AddMetadataMigration(&[SettingMetadata {
        metadata: &["setting-generator"],
        setting: "settings.kubernetes.hostname-override",
    }]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/aws-admin-container-v0-10-1/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-10-1"
version = "0.1.0"
authors = ["Markus Boehme "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/aws-admin-container-v0-10-1/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Default source templates before and after the bump. The registry part is
// produced by the `ecr-prefix` helper applied to `settings.aws.region`; the
// image itself is named by version tag, not by digest.
const OLD_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.10.0";
const NEW_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.10.1";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceTemplateMigration` for
/// `settings.host-containers.admin.source` with the old and new default
/// templates and returns the result of `migrate`.
// NOTE(review): presumably the setting is rewritten only while it still matches
// the old default template, leaving an operator-set source alone; confirm in
// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(ReplaceTemplateMigration {
        setting: "settings.host-containers.admin.source",
        old_template: OLD_ADMIN_CTR_TEMPLATE,
        new_template: NEW_ADMIN_CTR_TEMPLATE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/aws-control-container-v0-7-2/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-2"
version = "0.1.0"
authors = ["Markus Boehme "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/aws-control-container-v0-7-2/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Default source templates before and after the bump. The registry part is
// produced by the `ecr-prefix` helper applied to `settings.aws.region`; the
// image itself is named by version tag, not by digest.
const OLD_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.1";
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.2";

/// We bumped the version of the default control container
///
/// Passes `migrate` a `ReplaceTemplateMigration` for
/// `settings.host-containers.control.source` with the old and new default
/// templates and returns the result of `migrate`.
// NOTE(review): presumably the setting is rewritten only while it still matches
// the old default template, leaving an operator-set source alone; confirm in
// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(ReplaceTemplateMigration {
        setting: "settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/k8s-services-mode/Cargo.toml
================================================
[package]
name = "k8s-services-mode"
version = "0.1.0"
authors = ["Sean McGinnis "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}
# NOTE(review): src/main.rs of this crate does not reference serde_json; the
# dependency looks unused and could be dropped.
serde_json = "1.0"

================================================
FILE: sources/settings-migrations/archived/v1.14.0/k8s-services-mode/src/main.rs
================================================
use migration_helpers::{common_migrations::AddSettingsMigration, migrate, Result};
use std::process;

/// Mode settings were added for a handful of the templated kubelet configuration files.
///
/// Passes `migrate` an `AddSettingsMigration` listing the six
/// `configuration-files.*.mode` keys below and returns the result of `migrate`.
// NOTE(review): presumably nothing is changed on upgrade and the listed keys are
// removed on downgrade; confirm in `migration_helpers::common_migrations`.
// NOTE(review): `mode` looks like the permission mode of the rendered file, which
// matters for the kubeconfig and CA entries; verify against the consumer.
fn run() -> Result<()> {
    migrate(AddSettingsMigration(&[
        "configuration-files.kubelet-config.mode",
        "configuration-files.kubelet-kubeconfig.mode",
        "configuration-files.kubelet-bootstrap-kubeconfig.mode",
        "configuration-files.kubelet-exec-start-conf.mode",
        "configuration-files.credential-provider-config-yaml.mode",
        "configuration-files.kubernetes-ca-crt.mode",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/kubelet-config-settings/Cargo.toml
================================================
[package]
name = "kubelet-config-settings"
version = "0.1.0"
authors = ["Sean McGinnis "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/kubelet-config-settings/src/main.rs
================================================
use migration_helpers::{common_migrations::AddSettingsMigration, migrate, Result};
use std::process;

/// Additional `settings.kubernetes` options for this release.
///
/// Passes `migrate` an `AddSettingsMigration` listing the eight
/// `settings.kubernetes.*` keys below and returns the result of `migrate`.
// NOTE(review): presumably nothing is changed on upgrade and the listed keys are
// removed on downgrade; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(AddSettingsMigration(&[
        "settings.kubernetes.cpu-manager-policy-options",
        "settings.kubernetes.cpu-cfs-quota-enforced",
        "settings.kubernetes.shutdown-grace-period",
        "settings.kubernetes.shutdown-grace-period-for-critical-pods",
        "settings.kubernetes.eviction-soft",
        "settings.kubernetes.eviction-soft-grace-period",
        "settings.kubernetes.eviction-max-pod-grace-period",
        "settings.kubernetes.memory-manager-policy",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/kubelet-prefix-config-settings/Cargo.toml
================================================
[package]
name = "kubelet-prefix-config-settings"
version = "0.1.0"
authors = ["Sean McGinnis "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/kubelet-prefix-config-settings/src/main.rs
================================================
use migration_helpers::{common_migrations::AddPrefixesMigration, migrate, Result};
use std::process;

/// Additional `settings.kubernetes` options for this release.
///
/// Passes `migrate` an `AddPrefixesMigration` for the prefix
/// `settings.kubernetes.memory-manager-reserved-memory` and returns the result
/// of `migrate`.
// NOTE(review): presumably nothing is changed on upgrade and every key under the
// prefix is removed on downgrade; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(AddPrefixesMigration(vec![
        "settings.kubernetes.memory-manager-reserved-memory",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/kubernetes-gc-percent-type-change/Cargo.toml
================================================
[package]
name = "kubernetes-gc-percent-type-change"
version = "0.1.0"
authors = ["Matt Briggs "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
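exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}
serde_json = "1"

================================================
FILE: sources/settings-migrations/archived/v1.14.0/kubernetes-gc-percent-type-change/src/main.rs
================================================
use migration_helpers::{migrate, Migration, MigrationData, Result};
use serde_json::Value;
use std::process;

// Datastore keys of the two image garbage-collection thresholds this migration touches.
const GC_HIGH_SETTING: &str = "settings.kubernetes.image-gc-high-threshold-percent";
const GC_LOW_SETTING: &str = "settings.kubernetes.image-gc-low-threshold-percent";

/// We changed these settings so that they can be specified as numbers. Previously they could only
/// be specified as strings, which was confusing since they are numeric. On upgrade we don't need
/// to do anything because a valid string representation will still be accepted. On downgrade, we
/// need to check if the values are represented as numbers, and if so, convert them to strings.
pub struct ChangeK8sGcPercentType;

/// Rewrites `value` in place as a JSON string when it currently holds a JSON number.
///
/// Any other kind of value (string, bool, null, array, object) is left untouched.
fn convert_to_string(value: &mut Value) {
    let s = if let Value::Number(n) = value {
        n.to_string()
    } else {
        return;
    };
    *value = Value::String(s);
}

impl Migration for ChangeK8sGcPercentType {
    /// On upgrade there is nothing to do (see above).
    ///
    /// Returns `input` unchanged. The return type names `MigrationData`
    /// explicitly, matching the value wrapped in `Ok`.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        Ok(input)
    }

    /// On downgrade, if the value is a number, we need to convert it to a string (see above).
    ///
    /// Each of the two settings is converted only when it is present in
    /// `input.data`; a missing key is skipped.
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        if let Some(v) = input.data.get_mut(GC_HIGH_SETTING) {
            convert_to_string(v);
        }
        if let Some(v) = input.data.get_mut(GC_LOW_SETTING) {
            convert_to_string(v);
        }
        Ok(input)
    }
}

/// We made changes to `image-gc-low-threshold-percent` and `image-gc-high-threshold-percent`.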
fn run() -> Result<()> {
    // Hands the custom migration type to `migrate` and returns its result.
    migrate(ChangeK8sGcPercentType)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/public-admin-container-v0-10-1/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-10-1"
version = "0.1.0"
authors = ["Markus Boehme "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.14.0/public-admin-container-v0-10-1/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Previous and new default image references for the admin host container.
// Both name the image by version tag, not by digest.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.10.0";
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.10.1";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceStringMigration` for
/// `settings.host-containers.admin.source` with the old and new default values
/// and returns the result of `migrate`.
// NOTE(review): presumably only a stored value equal to the old default is
// rewritten, so an operator-chosen source survives the migration; confirm in
// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.14.0/public-control-container-v0-7-2/Cargo.toml ================================================ [package] name = "public-control-container-v0-7-2" version = "0.1.0" authors = ["Markus Boehme "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.14.0/public-control-container-v0-7-2/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.1"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.2"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.14.2/ecs-images-cleanup/Cargo.toml ================================================ [package] name = "ecs-images-cleanup" version = "0.1.0" edition = "2018" authors = ["Arnaldo Garcia Rincon "] license = "Apache-2.0 OR MIT" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.14.2/ecs-images-cleanup/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added additional configurations for the ECS agent fn run() -> Result<()> { migrate(AddSettingsMigration(&[ "settings.ecs.image-cleanup-wait", "settings.ecs.image-cleanup-delete-per-cycle", "settings.ecs.image-cleanup-enabled", "settings.ecs.image-cleanup-age", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.14.3/aws-admin-container-v0-10-2/Cargo.toml ================================================ [package] name = "aws-admin-container-v0-10-2" version = "0.1.0" authors = ["Markus Boehme "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.14.3/aws-admin-container-v0-10-2/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Default source templates before and after the bump. The registry part is
// produced by the `ecr-prefix` helper applied to `settings.aws.region`; the
// image itself is named by version tag, not by digest.
const OLD_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.10.1";
const NEW_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.10.2";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceTemplateMigration` for
/// `settings.host-containers.admin.source` with the old and new default
/// templates and returns the result of `migrate`.
// NOTE(review): presumably the setting is rewritten only while it still matches
// the old default template, leaving an operator-set source alone; confirm in
// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(ReplaceTemplateMigration {
        setting: "settings.host-containers.admin.source",
        old_template: OLD_ADMIN_CTR_TEMPLATE,
        new_template: NEW_ADMIN_CTR_TEMPLATE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.14.3/aws-control-container-v0-7-3/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-3"
version = "0.1.0"
authors = ["Markus Boehme "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.14.3/aws-control-container-v0-7-3/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Default source templates before and after the bump. The registry part is
// produced by the `ecr-prefix` helper applied to `settings.aws.region`; the
// image itself is named by version tag, not by digest.
const OLD_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.2";
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.3";

/// We bumped the version of the default control container
///
/// Passes `migrate` a `ReplaceTemplateMigration` for
/// `settings.host-containers.control.source` with the old and new default
/// templates and returns the result of `migrate`.
// NOTE(review): presumably the setting is rewritten only while it still matches
// the old default template, leaving an operator-set source alone; confirm in
// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(ReplaceTemplateMigration {
        setting: "settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.14.3/public-admin-container-v0-10-2/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-10-2"
version = "0.1.0"
authors = ["Markus Boehme "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.14.3/public-admin-container-v0-10-2/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Previous and new default image references for the admin host container.
// Both name the image by version tag, not by digest.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.10.1";
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.10.2";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceStringMigration` for
/// `settings.host-containers.admin.source` with the old and new default values
/// and returns the result of `migrate`.
// NOTE(review): presumably only a stored value equal to the old default is
// rewritten, so an operator-chosen source survives the migration; confirm in
// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.14.3/public-control-container-v0-7-3/Cargo.toml
================================================
[package]
name = "public-control-container-v0-7-3"
version = "0.1.0"
authors = ["Markus Boehme "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.14.3/public-control-container-v0-7-3/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Previous and new default image references for the control host container.
// Both name the image by version tag, not by digest.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.2";
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.3";

/// We bumped the version of the default control container
///
/// Passes `migrate` a `ReplaceStringMigration` for
/// `settings.host-containers.control.source` with the old and new default
/// values and returns the result of `migrate`.
// NOTE(review): presumably only a stored value equal to the old default is
// rewritten, so an operator-chosen source survives the migration; confirm in
// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.15.0/aws-admin-container-v0-11-0/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-0"
version = "0.1.0"
authors = ["Zac Mrowicki "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.15.0/aws-admin-container-v0-11-0/src/main.rs
================================================
// NOTE(review): crate-wide allow; presumably it silences a deprecation warning
// on `ReplaceTemplateMigration`. Confirm which item is deprecated.
#![allow(deprecated)]

use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Default source templates before and after the bump. The registry part is
// produced by the `ecr-prefix` helper applied to `settings.aws.region`; the
// image itself is named by version tag, not by digest.
const OLD_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.10.2";
const NEW_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.0";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceTemplateMigration` for
/// `settings.host-containers.admin.source` with the old and new default
/// templates and returns the result of `migrate`.
// NOTE(review): presumably the setting is rewritten only while it still matches
// the old default template, leaving an operator-set source alone; confirm in
// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(ReplaceTemplateMigration {
        setting: "settings.host-containers.admin.source",
        old_template: OLD_ADMIN_CTR_TEMPLATE,
        new_template: NEW_ADMIN_CTR_TEMPLATE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.15.0/aws-control-container-v0-7-4/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-4"
version = "0.1.0"
authors = ["Zac Mrowicki "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.15.0/aws-control-container-v0-7-4/src/main.rs
================================================
// NOTE(review): crate-wide allow; presumably it silences a deprecation warning
// on `ReplaceTemplateMigration`. Confirm which item is deprecated.
#![allow(deprecated)]

use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Default source templates before and after the bump. The registry part is
// produced by the `ecr-prefix` helper applied to `settings.aws.region`; the
// image itself is named by version tag, not by digest.
const OLD_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.3";
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.4";

/// We bumped the version of the default control container
///
/// Passes `migrate` a `ReplaceTemplateMigration` for
/// `settings.host-containers.control.source` with the old and new default
/// templates and returns the result of `migrate`.
// NOTE(review): presumably the setting is rewritten only while it still matches
// the old default template, leaving an operator-set source alone; confirm in
// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(ReplaceTemplateMigration {
        setting: "settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.15.0/deprecate-log4j-hotpatch-enabled/Cargo.toml
================================================
[package]
name = "deprecate-log4j-hotpatch-enabled"
version = "0.1.0"
edition = "2021"
authors = ["Arnaldo Garcia Rincon "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.15.0/deprecate-log4j-hotpatch-enabled/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new service to log a warning to the journal when log4j-hotpatch-enabled
/// is true
///
/// Passes `migrate` an `AddPrefixesMigration` for the service prefix and the
/// configuration-file prefix below and returns the result of `migrate`.
// NOTE(review): presumably nothing is changed on upgrade and every key under the
// two prefixes is removed on downgrade; confirm in
// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    migrate(AddPrefixesMigration(vec![
        "services.log4j-hotpatch-enabled",
        "configuration-files.log4j-hotpatch-enabled-log-message",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        // The error's Display form goes to stderr; exit status 1 signals failure.
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.15.0/log4j-hotpatch-enabled-metadata/Cargo.toml
================================================
[package]
name = "log4j-hotpatch-enabled-metadata"
version = "0.1.0"
edition = "2021"
authors = ["Arnaldo Garcia Rincon "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.15.0/log4j-hotpatch-enabled-metadata/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new service to print a warning when log4j-hotpatch-enabled is true.
fn run() -> Result<()> { migrate(AddMetadataMigration(&[SettingMetadata { metadata: &["affected-services"], setting: "settings.oci-hooks.log4j-hotpatch-enabled", }]))?; Ok(()) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-docker-setting/Cargo.toml ================================================ [package] name = "oci-defaults-docker-setting" version = "0.1.0" edition = "2021" authors = ["Shikha Vyaghra "] license = "Apache-2.0 OR MIT" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} [build-dependencies] bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-docker-setting/build.rs ================================================ use bottlerocket_variant::Variant; fn main() { let variant = Variant::from_env().unwrap(); variant.emit_cfgs(); } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-docker-setting/src/main.rs ================================================ use migration_helpers::common_migrations::{AddPrefixesMigration, NoOpMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We added new settings for configuring the default OCI runtime spec for ECS, /// `settings.oci-defaults`, which will initially contain /// `settings.oci-defaults.capabilities` and /// `settings.oci-defaults.resource-limits` fn run() 
-> Result<()> { if cfg!(variant_runtime = "ecs") { migrate(AddPrefixesMigration(vec![ "settings.oci-defaults", "services.oci-defaults", "configuration-files.oci-defaults", ]))? } else { migrate(NoOpMigration)?; } Ok(()) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-docker-setting-metadata/Cargo.toml ================================================ [package] name = "oci-defaults-docker-setting-metadata" version = "0.1.0" edition = "2021" authors = ["Shikha Vyaghra "] license = "Apache-2.0 OR MIT" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} [build-dependencies] bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-docker-setting-metadata/build.rs ================================================ use bottlerocket_variant::Variant; fn main() { let variant = Variant::from_env().unwrap(); variant.emit_cfgs(); } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-docker-setting-metadata/src/main.rs ================================================ use migration_helpers::common_migrations::{AddMetadataMigration, NoOpMigration, SettingMetadata}; use migration_helpers::{migrate, Result}; use std::process; /// We updated the 'affected-services' list metadata for 'settings.oci-defaults' /// to include itself and containerd on upgrade, and to 
remove those values on /// downgrade, depending on the running variant. fn run() -> Result<()> { if cfg!(variant_runtime = "ecs") { migrate(AddMetadataMigration(&[SettingMetadata { metadata: &["affected-services"], setting: "settings.oci-defaults", }]))? } else { migrate(NoOpMigration)?; } Ok(()) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-max-open-files/Cargo.toml ================================================ [package] name = "oci-defaults-max-open-files" version = "0.1.0" edition = "2021" authors = ["Shikha Vyaghra "] license = "Apache-2.0 OR MIT" publish = false # Don't rebuild crate just because of changes to README. 
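exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}
serde_json = "1"

[build-dependencies]
bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }

================================================
FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-max-open-files/build.rs
================================================
use bottlerocket_variant::Variant;

// Reads the variant from the build environment and emits its cfg flags; src/main.rs branches on
// `variant_runtime`. The unwrap makes the build fail if `from_env` returns an error.
fn main() {
    let variant = Variant::from_env().unwrap();
    variant.emit_cfgs();
}

================================================
FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-max-open-files/src/main.rs
================================================
use migration_helpers::common_migrations::NoOpMigration;
use migration_helpers::{migrate, Migration, MigrationData, Result};
use serde_json::Value;
use std::process;

const HARD_RESOURCE_LIMIT_SETTING_NAME: &str =
    "settings.oci-defaults.resource-limits.max-open-files.hard-limit";
const SOFT_RESOURCE_LIMIT_SETTING_NAME: &str =
    "settings.oci-defaults.resource-limits.max-open-files.soft-limit";

/// This migration changes the hard and soft limit for rlimit_nofile to u32 from i64 on downgrade.
/// There is no need of migration on upgrade as u32 will automatically change to i64
pub struct ChangeMaxOpenFileResourceLimitType;

/// Rewrites `value` in place as a `u32` JSON number.
///
/// Values for which `as_i64` returns `None` are left untouched. `-1` and anything above
/// `u32::MAX` both become `u32::MAX`.
fn convert_to_u32(value: &mut Value) {
    // `as_i64` returns `Some` exactly when `is_i64` holds, so no clone or unwrap is needed.
    let v = match value.as_i64() {
        Some(v) => v,
        None => return,
    };
    let s = match v {
        -1 => u32::MAX,
        v if v > i64::from(u32::MAX) => u32::MAX,
        // NOTE(review): values below -1 also reach this arm and wrap (`-2 as u32` is
        // 4294967294) instead of being clamped or rejected; confirm the settings model
        // never lets such a value into the datastore.
        _ => v as u32,
    };
    *value = Value::Number(s.into());
}

impl Migration for ChangeMaxOpenFileResourceLimitType {
    /// On upgrade there is nothing to do (see above).
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        Ok(input)
    }

    /// On downgrade, if the value is an i64 integer, we need to convert it to a u32.
    ///
    /// Note that this potentially causes data loss, if current value of the setting
    /// is -1 or higher than u32::MAX we will set it to max possible value i.e. u32::MAX.
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        // Each limit is converted only if it is present; a missing key is left missing.
        if let Some(v) = input.data.get_mut(HARD_RESOURCE_LIMIT_SETTING_NAME) {
            convert_to_u32(v);
        }
        if let Some(v) = input.data.get_mut(SOFT_RESOURCE_LIMIT_SETTING_NAME) {
            convert_to_u32(v);
        }
        Ok(input)
    }
}

/// Runs the type conversion when built with `variant_runtime = "k8s"` and a no-op migration
/// otherwise.
fn run() -> Result<()> {
    if cfg!(variant_runtime = "k8s") {
        migrate(ChangeMaxOpenFileResourceLimitType)?
    } else {
        migrate(NoOpMigration)?;
    }

    Ok(())
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-resource-setting/Cargo.toml
================================================
[package]
name = "oci-defaults-resource-setting"
version = "0.1.0"
edition = "2021"
authors = ["Shikha Vyaghra "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.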
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} [build-dependencies] bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-resource-setting/build.rs ================================================ use bottlerocket_variant::Variant; fn main() { let variant = Variant::from_env().unwrap(); variant.emit_cfgs(); } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/oci-defaults-resource-setting/src/main.rs ================================================ use migration_helpers::common_migrations::{AddPrefixesMigration, NoOpMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We added new resource limit settings for configuring the default OCI runtime spec. fn run() -> Result<()> { if cfg!(variant_runtime = "k8s") { migrate(AddPrefixesMigration(vec![ "settings.oci-defaults.resource-limits.max-address-space", "settings.oci-defaults.resource-limits.max-core-file-size", "settings.oci-defaults.resource-limits.max-cpu-time", "settings.oci-defaults.resource-limits.max-data-size", "settings.oci-defaults.resource-limits.max-file-locks", "settings.oci-defaults.resource-limits.max-file-size", "settings.oci-defaults.resource-limits.max-locked-memory", "settings.oci-defaults.resource-limits.max-msgqueue-size", "settings.oci-defaults.resource-limits.max-nice-priority", "settings.oci-defaults.resource-limits.max-pending-signals", "settings.oci-defaults.resource-limits.max-processes", "settings.oci-defaults.resource-limits.max-realtime-priority", "settings.oci-defaults.resource-limits.max-realtime-timeout", "settings.oci-defaults.resource-limits.max-resident-set", "settings.oci-defaults.resource-limits.max-stack-size", ]))? 
} else { migrate(NoOpMigration)?; } Ok(()) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/public-admin-container-v0-11-0/Cargo.toml ================================================ [package] name = "public-admin-container-v0-11-0" version = "0.1.0" authors = ["Zac Mrowicki "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.15.0/public-admin-container-v0-11-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.10.2"; const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.0"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.admin.source", old_val: OLD_ADMIN_CTR_SOURCE_VAL, new_val: NEW_ADMIN_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/public-control-container-v0-7-4/Cargo.toml ================================================ [package] name = "public-control-container-v0-7-4" version = "0.1.0" authors = ["Zac Mrowicki "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.15.0/public-control-container-v0-7-4/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.3"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.4"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.15.0/seccomp-default-setting/Cargo.toml ================================================ [package] name = "seccomp-default-setting" version = "0.1.0" edition = "2021" authors = ["Cartrius Phipps "] license = "Apache-2.0 OR MIT" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.15.0/seccomp-default-setting/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting to expose the ability to toggle the SeccompDefault setting. fn run() -> Result<()> { migrate(AddSettingsMigration(&[ "settings.kubernetes.seccomp-default", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.16.0/aws-admin-container-v0-11-1/Cargo.toml ================================================ [package] name = "aws-admin-container-v0-11-1" version = "0.1.0" authors = ["Sean P. Kelly "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.16.0/aws-admin-container-v0-11-1/src/main.rs ================================================ #![allow(deprecated)] use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.0"; const NEW_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.1"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.admin.source", old_template: OLD_ADMIN_CTR_TEMPLATE, new_template: NEW_ADMIN_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.16.0/aws-control-container-v0-7-5/Cargo.toml ================================================ [package] name = "aws-control-container-v0-7-5" version = "0.1.0" authors = ["Sean P. Kelly "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.16.0/aws-control-container-v0-7-5/src/main.rs ================================================ #![allow(deprecated)] use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.4"; const NEW_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.5"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.control.source", old_template: OLD_CONTROL_CTR_TEMPLATE, new_template: NEW_CONTROL_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.16.0/kernel-modules-autoload-configs/Cargo.toml ================================================ [package] name = "kernel-modules-autoload-configs" version = "0.1.0" authors = ["Leonard Foerster "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers/", version = "0.1.0" } serde_json = "1" ================================================ FILE: sources/settings-migrations/archived/v1.16.0/kernel-modules-autoload-configs/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added new settings under `settings.kernel.modules` for configuring /// /etc/modules-load.d/modules-load.conf. The actual autoload settings are /// migrated separately in kernel-modules-autoload-settings migration as they /// require a custom migration implementation. fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "configuration-files.modules-load", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.16.0/kernel-modules-autoload-files/Cargo.toml ================================================ [package] name = "kernel-modules-autoload-files" version = "0.1.0" authors = ["Leonard Foerster "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers/", version = "0.1.0" } serde_json = "1" ================================================ FILE: sources/settings-migrations/archived/v1.16.0/kernel-modules-autoload-files/src/main.rs ================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We added a config file to the configuration-files list for services.kernel-modules /// to facilitate module autoload. This needs to be restored to prior values on downgrade. fn run() -> Result<()> { migrate(ReplaceListsMigration(vec![ListReplacement { setting: "services.kernel-modules.configuration-files", old_vals: &["modprobe-conf"], new_vals: &["modprobe-conf", "modules-load"], }])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.16.0/kernel-modules-autoload-restart/Cargo.toml ================================================ [package] name = "kernel-modules-autoload-restart" version = "0.1.0" authors = ["Leonard Foerster "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers/", version = "0.1.0" }
# NOTE(review): src/main.rs of this crate does not reference serde_json; confirm the
# dependency is still needed.
serde_json = "1"

================================================
FILE: sources/settings-migrations/archived/v1.16.0/kernel-modules-autoload-restart/src/main.rs
================================================
use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration};
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new `autoload` setting to `settings.kernel.modules`, which needs
/// a restart of `systemd-modules-load.service`.
fn run() -> Result<()> {
    migrate(ReplaceListsMigration(vec![ListReplacement {
        setting: "services.kernel-modules.restart-commands",
        // The old list is empty and the new list holds a single command.
        old_vals: &[],
        // The command is a fixed string with an absolute binary path; nothing is interpolated.
        new_vals: &["/usr/bin/systemctl try-restart systemd-modules-load"],
    }]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.16.0/kernel-modules-autoload-settings/Cargo.toml
================================================
[package]
name = "kernel-modules-autoload-settings"
version = "0.1.0"
authors = ["Leonard Foerster "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
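exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers/", version = "0.1.0" }

================================================
FILE: sources/settings-migrations/archived/v1.16.0/kernel-modules-autoload-settings/src/main.rs
================================================
use migration_helpers::{migrate, Migration, MigrationData, Result};
use std::process;

const KMOD_AUTOLOAD_PREFIX: &str = "settings.kernel.modules";
const KMOD_AUTOLOAD_SETTING: &str = "autoload";

/// We added a new autoload setting to the kernel.modules set of tables. These tables
/// come with a variable name containing the module name. We can hence not just use
/// an `AddSettingsMigration` as these require the full name. We rather need a hybrid
/// of `AddSettingsMigration` and `AddPrefixesMigration` in order to select the correct
/// parts of these variably named tables to remove on downgrade. Similar to the common
/// forms of `Add*Migrations` we do not need to do anything on upgrade.
pub struct AddKmodAutoload;

impl Migration for AddKmodAutoload {
    /// On upgrade there is nothing to do (see above).
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        Ok(input)
    }

    /// On downgrade, we need to find the `autoload` setting in all tables with
    /// prefix `settings.kernel.modules` and remove them.
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        // Collect the matching keys first; the map cannot be mutated while `keys()` borrows it.
        //
        // NOTE(review): both tests are plain string comparisons with no `.` separator, so any
        // key that begins with `settings.kernel.modules` and ends in `autoload` is removed.
        // Confirm no other setting under that prefix can end in `autoload`.
        let settings = input
            .data
            .keys()
            .filter(|k| k.starts_with(KMOD_AUTOLOAD_PREFIX))
            .filter(|k| k.ends_with(KMOD_AUTOLOAD_SETTING))
            .cloned()
            .collect::<Vec<_>>();
        for setting in settings {
            // Each removed key and its previous value are written to stdout.
            if let Some(data) = input.data.remove(&setting) {
                println!("Removed {}, which was set to '{}'", setting, data);
            }
        }
        Ok(input)
    }
}

/// We added `settings.kernel.modules.<name>.autoload`.
fn run() -> Result<()> {
    migrate(AddKmodAutoload)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.16.0/public-admin-container-v0-11-1/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-11-1"
version = "0.1.0"
authors = ["Sean P. Kelly "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.16.0/public-admin-container-v0-11-1/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// NOTE(review): both values identify the admin container image by tag only; neither carries
// a digest.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.0";
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.1";

/// We bumped the version of the default admin container
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.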
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.16.0/public-control-container-v0-7-5/Cargo.toml ================================================ [package] name = "public-control-container-v0-7-5" version = "0.1.0" authors = ["Sean P. Kelly "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.16.0/public-control-container-v0-7-5/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.4"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.5"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
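// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.16.0/schnauzer-v2-generators/Cargo.toml
================================================
[package]
name = "schnauzer-v2-generators"
version = "0.1.0"
authors = ["Sean P. Kelly "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

[build-dependencies]
bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }

================================================
FILE: sources/settings-migrations/archived/v1.16.0/schnauzer-v2-generators/build.rs
================================================
use bottlerocket_variant::Variant;

// Reads the variant from the build environment and emits its cfg flags; src/main.rs selects
// entries with `variant_platform` and `variant_family`. The unwrap makes the build fail if
// `from_env` returns an error.
fn main() {
    let variant = Variant::from_env().unwrap();
    variant.emit_cfgs();
}

================================================
FILE: sources/settings-migrations/archived/v1.16.0/schnauzer-v2-generators/src/main.rs
================================================
use migration_helpers::common_migrations::{MetadataReplacement, ReplaceMetadataMigration};
use migration_helpers::{migrate, Result};
use std::process;

/// Builds the list of `setting-generator` metadata replacements for the variant being compiled.
///
/// Every entry swaps a `schnauzer <setting>` generator command for a `schnauzer-v2 render`
/// command with an inline template. Which entries are included is decided at compile time by
/// the `variant_platform` and `variant_family` cfg flags.
fn build_metadata_migrations() -> Vec<MetadataReplacement> {
    let mut migrations: Vec<MetadataReplacement> = Vec::new();

    // On AWS platforms, we use regional ECR repositories.
    // Elsewhere, we use ecr-public, which is global.
    #[cfg(variant_platform = "aws")]
    {
        migrations.extend([
            MetadataReplacement {
                setting: "settings.host-containers.admin.source",
                metadata: "setting-generator",
                old_val: "schnauzer settings.host-containers.admin.source",
                new_val: "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.1'",
            },
            MetadataReplacement {
                setting: "settings.host-containers.control.source",
                metadata: "setting-generator",
                old_val: "schnauzer settings.host-containers.control.source",
                new_val: "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.5'",
            },
            // The two entries below set where update metadata and targets are fetched from.
            MetadataReplacement {
                setting: "settings.updates.metadata-base-url",
                metadata: "setting-generator",
                old_val: "schnauzer settings.updates.metadata-base-url",
                new_val: "schnauzer-v2 render --requires 'aws@v1' --requires 'updates@v1(helpers=[metadata-prefix, tuf-prefix])' --template '{{ tuf-prefix settings.aws.region }}{{ metadata-prefix settings.aws.region }}/2020-07-07/{{ os.variant_id }}/{{ os.arch }}/'",
            },
            MetadataReplacement {
                setting: "settings.updates.targets-base-url",
                metadata: "setting-generator",
                old_val: "schnauzer settings.updates.targets-base-url",
                new_val: "schnauzer-v2 render --requires 'aws@v1' --requires 'updates@v1(helpers=[tuf-prefix])' --template '{{ tuf-prefix settings.aws.region }}/targets/'",
            },
        ]);
    }

    // Off AWS only the metadata URL generator is replaced, and its template is a fixed HTTPS
    // host with no region helper.
    #[cfg(not(variant_platform = "aws"))]
    {
        migrations.push(MetadataReplacement {
            setting: "settings.updates.metadata-base-url",
            metadata: "setting-generator",
            old_val: "schnauzer settings.updates.metadata-base-url",
            new_val: "schnauzer-v2 render --template 'https://updates.bottlerocket.aws/2020-07-07/{{ os.variant_id }}/{{ os.arch }}/'",
        });
    }

    #[cfg(variant_family = "aws-k8s")]
    {
        migrations.push(MetadataReplacement {
            setting: "settings.kubernetes.pod-infra-container-image",
            metadata: "setting-generator",
            old_val: "schnauzer settings.kubernetes.pod-infra-container-image",
            new_val: "schnauzer-v2 render --requires 'aws@v1' --requires 'kubernetes@v1(helpers=[pause-prefix])' --template '{{ pause-prefix settings.aws.region }}/eks/pause:3.1-eksbuild.1'",
        });
    }

    migrations
}

/// Applies the replacements built by `build_metadata_migrations`.
fn run() -> Result<()> {
    migrate(ReplaceMetadataMigration(build_metadata_migrations()))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.16.1/updog-network-affected/Cargo.toml
================================================
[package]
name = "updog-network-affected"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

================================================
FILE: sources/settings-migrations/archived/v1.16.1/updog-network-affected/src/main.rs
================================================
use migration_helpers::common_migrations::{
    MetadataListReplacement, ReplaceMetadataListsMigration,
};
use migration_helpers::{migrate, Result};
use std::process;

/// We updated the 'affected-services' list metadata for 'settings.network' to include
/// updog. The metadata list needs to be restored to the prior value on downgrade and
/// updated to include updog on upgrades.
/// We're trying to match old values for different variants.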
fn run() -> Result<()> {
    // Each entry pairs one list the 'affected-services' metadata of 'settings.network' may hold
    // with the same list plus "updog"; the entries differ only in the orchestrator services.
    // NOTE(review): presumably an entry applies only when old_vals equals the stored list
    // exactly (order included) - confirm in migration-helpers.
    migrate(ReplaceMetadataListsMigration(vec![
        // List without any orchestrator-specific service
        MetadataListReplacement {
            setting: "settings.network",
            metadata: "affected-services",
            old_vals: &["containerd", "host-containerd", "host-containers"],
            new_vals: &["containerd", "host-containerd", "host-containers", "updog"],
        },
        // For K8S variants
        MetadataListReplacement {
            setting: "settings.network",
            metadata: "affected-services",
            old_vals: &[
                "containerd",
                "kubernetes",
                "host-containerd",
                "host-containers",
            ],
            new_vals: &[
                "containerd",
                "kubernetes",
                "host-containerd",
                "host-containers",
                "updog",
            ],
        },
        // For the ECS variants
        MetadataListReplacement {
            setting: "settings.network",
            metadata: "affected-services",
            old_vals: &[
                "containerd",
                "docker",
                "ecs",
                "host-containerd",
                "host-containers",
            ],
            new_vals: &[
                "containerd",
                "docker",
                "ecs",
                "host-containerd",
                "host-containers",
                "updog",
            ],
        },
        // For *-dev variants
        MetadataListReplacement {
            setting: "settings.network",
            metadata: "affected-services",
            old_vals: &["containerd", "docker", "host-containerd", "host-containers"],
            new_vals: &[
                "containerd",
                "docker",
                "host-containerd",
                "host-containers",
                "updog",
            ],
        },
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.17.0/aws-admin-container-v0-11-2/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-2"
version = "0.1.0"
authors = ["Patrick J.P. Culp "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.17.0/aws-admin-container-v0-11-2/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old schnauzer command line; its template renders the admin image at tag v0.11.1.
const OLD_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.1'";
// New command line: identical except for the tag, v0.11.2. The image is named by tag, not by digest.
const NEW_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.2'";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceSchnauzerMigration` pairing the old and new command lines for
/// `settings.host-containers.admin.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper swaps the command line only where it still equals the
    // old one, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.17.0/aws-control-container-v0-7-6/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-6"
version = "0.1.0"
authors = ["Patrick J.P. Culp "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.17.0/aws-control-container-v0-7-6/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old schnauzer command line; its template renders the control image at tag v0.7.5.
const OLD_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.5'";
// New command line: identical except for the tag, v0.7.6. The image is named by tag, not by digest.
const NEW_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.6'";

/// We bumped the version of the default control container
///
/// Passes `migrate` a `ReplaceSchnauzerMigration` pairing the old and new command lines for
/// `settings.host-containers.control.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper swaps the command line only where it still equals the
    // old one, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.17.0/public-admin-container-v0-11-2/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-11-2"
version = "0.1.0"
authors = ["Patrick J.P. Culp "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.17.0/public-admin-container-v0-11-2/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old admin image reference, tag v0.11.1.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.1";
// New reference: same repository, tag v0.11.2. The image is named by tag, not by digest.
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.2";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceStringMigration` pairing the old and new values of
/// `settings.host-containers.admin.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper replaces the value only where it still equals the old
    // string, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.17.0/public-control-container-v0-7-6/Cargo.toml
================================================
[package]
name = "public-control-container-v0-7-6"
version = "0.1.0"
authors = ["Patrick J.P. Culp "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.17.0/public-control-container-v0-7-6/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old control image reference, tag v0.7.5.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.5";
// New reference: same repository, tag v0.7.6. The image is named by tag, not by digest.
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.6";

/// We bumped the version of the default control container
///
/// Passes `migrate` a `ReplaceStringMigration` pairing the old and new values of
/// `settings.host-containers.control.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper replaces the value only where it still equals the old
    // string, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.18.0/aws-admin-container-v0-11-3/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-3"
version = "0.1.0"
authors = ["Markus Boehme "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.18.0/aws-admin-container-v0-11-3/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old schnauzer command line; its template renders the admin image at tag v0.11.2.
const OLD_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.2'";
// New command line: identical except for the tag, v0.11.3. The image is named by tag, not by digest.
const NEW_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.3'";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceSchnauzerMigration` pairing the old and new command lines for
/// `settings.host-containers.admin.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper swaps the command line only where it still equals the
    // old one, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.18.0/aws-control-container-v0-7-7/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-7"
version = "0.1.0"
authors = ["Markus Boehme "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.18.0/aws-control-container-v0-7-7/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old schnauzer command line; its template renders the control image at tag v0.7.6.
const OLD_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.6'";
// New command line: identical except for the tag, v0.7.7. The image is named by tag, not by digest.
const NEW_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.7'";

/// We bumped the version of the default control container
///
/// Passes `migrate` a `ReplaceSchnauzerMigration` pairing the old and new command lines for
/// `settings.host-containers.control.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper swaps the command line only where it still equals the
    // old one, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.18.0/public-admin-container-v0-11-3/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-11-3"
version = "0.1.0"
authors = ["Markus Boehme "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.18.0/public-admin-container-v0-11-3/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old admin image reference, tag v0.11.2.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.2";
// New reference: same repository, tag v0.11.3. The image is named by tag, not by digest.
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.3";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceStringMigration` pairing the old and new values of
/// `settings.host-containers.admin.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper replaces the value only where it still equals the old
    // string, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.18.0/public-control-container-v0-7-7/Cargo.toml
================================================
[package]
name = "public-control-container-v0-7-7"
version = "0.1.0"
authors = ["Markus Boehme "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.18.0/public-control-container-v0-7-7/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old control image reference, tag v0.7.6.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.6";
// New reference: same repository, tag v0.7.7. The image is named by tag, not by digest.
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.7";

/// We bumped the version of the default control container
///
/// Passes `migrate` a `ReplaceStringMigration` pairing the old and new values of
/// `settings.host-containers.control.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper replaces the value only where it still equals the old
    // string, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.0/add-additional-ecs-settings/Cargo.toml
================================================
[package]
name = "add-additional-ecs-settings"
version = "0.1.0"
authors = ["Arnaldo Garcia Rincon "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.0/add-additional-ecs-settings/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added additional configurations for the ECS agent
///
/// Passes `migrate` an `AddSettingsMigration` naming `settings.ecs.backend-host` and
/// `settings.ecs.awsvpc-block-imds`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper drops these keys on downgrade, since the older release
    // does not know them - confirm in migration-helpers.
    // NOTE(review): awsvpc-block-imds looks like a hardening toggle; if a downgrade removes it,
    // the older release's own behaviour applies again - verify that this is acceptable.
    migrate(AddSettingsMigration(&[
        "settings.ecs.backend-host",
        "settings.ecs.awsvpc-block-imds",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.1/aws-admin-container-v0-11-4/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-4"
version = "0.1.0"
authors = ["Matthew Yeazel "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.1/aws-admin-container-v0-11-4/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old schnauzer command line; its template renders the admin image at tag v0.11.3.
const OLD_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.3'";
// New command line: identical except for the tag, v0.11.4. The image is named by tag, not by digest.
const NEW_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.4'";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceSchnauzerMigration` pairing the old and new command lines for
/// `settings.host-containers.admin.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper swaps the command line only where it still equals the
    // old one, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.1/aws-control-container-v0-7-8/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-8"
version = "0.1.0"
authors = ["Matthew Yeazel "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.1/aws-control-container-v0-7-8/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old schnauzer command line; its template renders the control image at tag v0.7.7.
const OLD_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.7'";
// New command line: identical except for the tag, v0.7.8. The image is named by tag, not by digest.
const NEW_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.8'";

/// We bumped the version of the default control container
///
/// Passes `migrate` a `ReplaceSchnauzerMigration` pairing the old and new command lines for
/// `settings.host-containers.control.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper swaps the command line only where it still equals the
    // old one, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.1/public-admin-container-v0-11-4/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-11-4"
version = "0.1.0"
authors = ["Matthew Yeazel "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.1/public-admin-container-v0-11-4/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old admin image reference, tag v0.11.3.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.3";
// New reference: same repository, tag v0.11.4. The image is named by tag, not by digest.
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.4";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceStringMigration` pairing the old and new values of
/// `settings.host-containers.admin.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper replaces the value only where it still equals the old
    // string, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.1/public-control-container-v0-7-8/Cargo.toml
================================================
[package]
name = "public-control-container-v0-7-8"
version = "0.1.0"
authors = ["Matthew Yeazel "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.1/public-control-container-v0-7-8/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old control image reference, tag v0.7.7.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.7";
// New reference: same repository, tag v0.7.8. The image is named by tag, not by digest.
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.8";

/// We bumped the version of the default control container
///
/// Passes `migrate` a `ReplaceStringMigration` pairing the old and new values of
/// `settings.host-containers.control.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper replaces the value only where it still equals the old
    // string, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.19.2/add-ecs-enable-container-metadata/Cargo.toml ================================================ [package] name = "add-ecs-enable-container-metadata" version = "0.1.0" authors = ["Arnaldo Garcia Rincon "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.19.2/add-ecs-enable-container-metadata/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added additional configurations for the ECS agent fn run() -> Result<()> { migrate(AddSettingsMigration(&[ "settings.ecs.enable-container-metadata", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.19.2/certdog-config-file-v0-1-0/Cargo.toml ================================================ [package] name = "certdog-config-file-v0-1-0" version = "0.1.0" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

================================================
FILE: sources/settings-migrations/archived/v1.19.2/certdog-config-file-v0-1-0/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Add settings for the new certdog-toml config file
///
/// Passes `migrate` an `AddPrefixesMigration` for the single prefix
/// `configuration-files.certdog-toml`.
fn run() -> Result<()> {
    // NOTE(review): presumably every key under this prefix is removed on downgrade - confirm in
    // migration-helpers.
    migrate(AddPrefixesMigration(vec![
        "configuration-files.certdog-toml",
    ]))
}

// Wraps run() so a failure is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.2/certdog-service-cfg-v0-1-0/Cargo.toml
================================================
[package]
name = "certdog-service-cfg-v0-1-0"
version = "0.1.0"
authors = ["Jarrett Tierney "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

================================================
FILE: sources/settings-migrations/archived/v1.19.2/certdog-service-cfg-v0-1-0/src/main.rs
================================================
use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration};
use migration_helpers::{migrate, Result};
use std::process;

/// Register the new certdog-toml config file with the pki service
///
/// Passes `migrate` a `ReplaceListsMigration` whose single entry takes
/// `services.pki.configuration-files` from an empty list to `["certdog-toml"]`.
fn run() -> Result<()> {
    // NOTE(review): presumably the replacement applies only when the stored list equals old_vals
    // (empty here) - confirm in migration-helpers.
    migrate(ReplaceListsMigration(vec![ListReplacement {
        setting: "services.pki.configuration-files",
        old_vals: &[],
        new_vals: &["certdog-toml"],
    }]))
}

// Wraps run() so a failure is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.3/aws-admin-container-v0-11-6/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-6"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.3/aws-admin-container-v0-11-6/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old schnauzer command line; its template renders the admin image at tag v0.11.4.
const OLD_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.4'";
// New command line: identical except for the tag, v0.11.6. The image is named by tag, not by digest.
const NEW_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.6'";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceSchnauzerMigration` pairing the old and new command lines for
/// `settings.host-containers.admin.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper swaps the command line only where it still equals the
    // old one, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.3/aws-control-container-v0-7-10/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-10"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.3/aws-control-container-v0-7-10/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old schnauzer command line; its template renders the control image at tag v0.7.8.
const OLD_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.8'";
// New command line: identical except for the tag, v0.7.10. The image is named by tag, not by digest.
const NEW_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.10'";

/// We bumped the version of the default control container
///
/// Passes `migrate` a `ReplaceSchnauzerMigration` pairing the old and new command lines for
/// `settings.host-containers.control.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper swaps the command line only where it still equals the
    // old one, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.3/public-admin-container-v0-11-6/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-11-6"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.3/public-admin-container-v0-11-6/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old admin image reference, tag v0.11.4.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.4";
// New reference: same repository, tag v0.11.6. The image is named by tag, not by digest.
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.6";

/// We bumped the version of the default admin container
///
/// Passes `migrate` a `ReplaceStringMigration` pairing the old and new values of
/// `settings.host-containers.admin.source`.
fn run() -> Result<()> {
    // NOTE(review): presumably the helper replaces the value only where it still equals the old
    // string, leaving operator overrides alone - confirm in migration-helpers.
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error is printed to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.3/public-control-container-v0-7-10/Cargo.toml
================================================
[package]
name = "public-control-container-v0-7-10"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.3/public-control-container-v0-7-10/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new default image references; they differ only in the tag.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.8";
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.10";

/// Bumps the default control host container from v0.7.8 to v0.7.10.
/// The image is selected by tag, not by digest.
/// NOTE(review): presumably only a value still equal to the old default is rewritten, so an
/// operator-set source is kept; confirm in `common_migrations`.
fn run() -> Result<()> {
    let migration = ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    };
    migrate(migration)
}

// If main returned a Result, the error would be printed in its Debug form. Snafu gives us a
// readable Display form, so the work lives in `run` and main prints any error itself.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.5/aws-admin-container-v0-11-7/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-7"
version = "0.1.0"
authors = ["Shikha Vyaghra "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.5/aws-admin-container-v0-11-7/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new schnauzer command lines; they differ only in the image tag.
const OLD_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.6'";
const NEW_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.7'";

/// Bumps the default admin host container from v0.11.6 to v0.11.7.
/// The rendered source selects the image by tag, not by digest.
/// NOTE(review): presumably only a value still equal to the old command line is rewritten,
/// so an operator-set source is kept; confirm in `common_migrations`.
fn run() -> Result<()> {
    let migration = ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    };
    migrate(migration)
}

// If main returned a Result, the error would be printed in its Debug form. Snafu gives us a
// readable Display form, so the work lives in `run` and main prints any error itself.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.5/aws-control-container-v0-7-11/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-11"
version = "0.1.0"
authors = ["Shikha Vyaghra "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.5/aws-control-container-v0-7-11/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new schnauzer command lines; they differ only in the image tag.
const OLD_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.10'";
const NEW_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.11'";

/// Bumps the default control host container from v0.7.10 to v0.7.11.
/// The rendered source selects the image by tag, not by digest.
/// NOTE(review): presumably only a value still equal to the old command line is rewritten,
/// so an operator-set source is kept; confirm in `common_migrations`.
fn run() -> Result<()> {
    let migration = ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    };
    migrate(migration)
}

// If main returned a Result, the error would be printed in its Debug form. Snafu gives us a
// readable Display form, so the work lives in `run` and main prints any error itself.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.5/public-admin-container-v0-11-7/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-11-7"
version = "0.1.0"
authors = ["Shikha Vyaghra "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.5/public-admin-container-v0-11-7/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new default image references; they differ only in the tag.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.6";
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.7";

/// Bumps the default admin host container from v0.11.6 to v0.11.7.
/// The image is selected by tag, not by digest.
/// NOTE(review): presumably only a value still equal to the old default is rewritten, so an
/// operator-set source is kept; confirm in `common_migrations`.
fn run() -> Result<()> {
    let migration = ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    };
    migrate(migration)
}

// If main returned a Result, the error would be printed in its Debug form. Snafu gives us a
// readable Display form, so the work lives in `run` and main prints any error itself.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.19.5/public-control-container-v0-7-11/Cargo.toml
================================================
[package]
name = "public-control-container-v0-7-11"
version = "0.1.0"
authors = ["Shikha Vyaghra "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.19.5/public-control-container-v0-7-11/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new default image references; they differ only in the tag.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.10";
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.11";

/// Bumps the default control host container from v0.7.10 to v0.7.11.
/// The image is selected by tag, not by digest.
/// NOTE(review): presumably only a value still equal to the old default is rewritten, so an
/// operator-set source is kept; confirm in `common_migrations`.
fn run() -> Result<()> {
    let migration = ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    };
    migrate(migration)
}

// If main returned a Result, the error would be printed in its Debug form. Snafu gives us a
// readable Display form, so the work lives in `run` and main prints any error itself.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.2.0/add-custom-certificates/Cargo.toml
================================================
[package]
name = "add-custom-certificates"
version = "0.1.0"
authors = ["Arnaldo Garcia Rincon "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.2.0/add-custom-certificates/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Runs an `AddPrefixesMigration` for `settings.pki` and `services.pki`, the prefixes that
/// came with the new `pki` settings and services.
fn run() -> Result<()> {
    let prefixes = vec!["settings.pki", "services.pki"];
    migrate(AddPrefixesMigration(prefixes))
}

// If main returned a Result, the error would be printed in its Debug form. Snafu gives us a
// readable Display form, so the work lives in `run` and main prints any error itself.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.2.0/admin-container-v0-7-2/Cargo.toml
================================================
[package]
name = "admin-container-v0-7-2"
version = "0.1.0"
authors = ["Patrick J.P. Culp "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.2.0/admin-container-v0-7-2/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new source templates; they differ only in the image tag.
const OLD_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.7.1";
const NEW_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.7.2";

/// Bumps the default admin host container from v0.7.1 to v0.7.2.
/// The template selects the image by tag, not by digest.
/// NOTE(review): presumably only a value still matching the old template is rewritten, so an
/// operator-set source is kept; confirm in `common_migrations`.
fn run() -> Result<()> {
    let migration = ReplaceTemplateMigration {
        setting: "settings.host-containers.admin.source",
        old_template: OLD_ADMIN_CTR_TEMPLATE,
        new_template: NEW_ADMIN_CTR_TEMPLATE,
    };
    migrate(migration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.2.0/container-registry-config-restarts/Cargo.toml ================================================ [package] name = "container-registry-config-restarts" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.2.0/container-registry-config-restarts/src/main.rs ================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We templatized the configuration file for the Docker daemon. /// We also added a new configuration file for host-containers and bootstrap-containers fn run() -> Result<()> { migrate(ReplaceListsMigration(vec![ ListReplacement { setting: "services.docker.configuration-files", old_vals: &["proxy-env"], new_vals: &["docker-daemon-config", "proxy-env"], }, ListReplacement { setting: "services.bootstrap-containers.configuration-files", old_vals: &[], new_vals: &["host-ctr-toml"], }, ListReplacement { setting: "services.host-containers.configuration-files", old_vals: &[], new_vals: &["host-ctr-toml"], }, ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.2.0/container-registry-mirrors/Cargo.toml ================================================ [package] name = "container-registry-mirrors" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false [dependencies] migration-helpers = { path = "../../../migration-helpers" } ================================================ FILE: sources/settings-migrations/archived/v1.2.0/container-registry-mirrors/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting for configuring image registries, `settings.container-registry` /// We also added a new configuration template file for the Docker daemon fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "settings.container-registry", "configuration-files.docker-daemon-config", "configuration-files.host-ctr-toml", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.2.0/hostname-setting/Cargo.toml ================================================ [package] name = "hostname-setting" version = "0.1.0" authors = ["Zac Mrowicki "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.2.0/hostname-setting/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Runs an `AddPrefixesMigration` for the hostname setting, its service and its
/// configuration file, all added with the new hostname setting and generator.
fn run() -> Result<()> {
    let prefixes = vec![
        "settings.network.hostname",
        "services.hostname",
        "configuration-files.hostname",
    ];
    migrate(AddPrefixesMigration(prefixes))
}

// If main returned a Result, the error would be printed in its Debug form. Snafu gives us a
// readable Display form, so the work lives in `run` and main prints any error itself.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.2.0/hostname-setting-metadata/Cargo.toml
================================================
[package]
name = "hostname-setting-metadata"
version = "0.1.0"
authors = ["Zac Mrowicki "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.2.0/hostname-setting-metadata/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// Runs an `AddMetadataMigration` for the `setting-generator` and `affected-services`
/// metadata of `settings.network.hostname`, added with the new hostname setting and generator.
fn run() -> Result<()> {
    // The slice is passed inline, as a literal, exactly as the migration type receives it.
    migrate(AddMetadataMigration(&[SettingMetadata {
        setting: "settings.network.hostname",
        metadata: &["setting-generator", "affected-services"],
    }]))
}

// If main returned a Result, the error would be printed in its Debug form. Snafu gives us a
// readable Display form, so the work lives in `run` and main prints any error itself.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.2.0/kubelet-topology-manager/Cargo.toml
================================================
[package]
name = "kubelet-topology-manager"
version = "0.1.0"
authors = ["Tianhao Geng "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers" }

================================================
FILE: sources/settings-migrations/archived/v1.2.0/kubelet-topology-manager/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Runs an `AddSettingsMigration` for the two new kubelet settings,
/// `settings.kubernetes.topology-manager-policy` and
/// `settings.kubernetes.topology-manager-scope`.
fn run() -> Result<()> {
    let added: &[&str] = &[
        "settings.kubernetes.topology-manager-scope",
        "settings.kubernetes.topology-manager-policy",
    ];
    migrate(AddSettingsMigration(added))
}

// If main returned a Result, the error would be printed in its Debug form. Snafu gives us a
// readable Display form, so the work lives in `run` and main prints any error itself.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.20.0/add-ntp-default-options-v0-1-0/Cargo.toml
================================================
[package]
name = "add-ntp-default-options-v0-1-0"
version = "0.1.0"
authors = ["Dom Goodwin "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.20.0/add-ntp-default-options-v0-1-0/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Runs an `AddSettingsMigration` for `settings.ntp.options`, the setting that carries
/// additional options for NTP.
fn run() -> Result<()> {
    let added: &[&str] = &["settings.ntp.options"];
    migrate(AddSettingsMigration(added))
}

// Returning a Result from main makes it print a Debug
// representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            // Display form on stderr, then a non-zero exit status.
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.20.0/aws-admin-container-v0-11-8/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-8"
version = "0.1.0"
authors = ["Kyle Sessions "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.20.0/aws-admin-container-v0-11-8/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new schnauzer command lines; they differ only in the image tag.
const OLD_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.7'";
const NEW_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.8'";

/// Bumps the default admin host container from v0.11.7 to v0.11.8.
/// The rendered source selects the image by tag, not by digest.
/// NOTE(review): presumably only a value still equal to the old command line is rewritten,
/// so an operator-set source is kept; confirm in `common_migrations`.
fn run() -> Result<()> {
    let migration = ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    };
    migrate(migration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main"
// (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            // Display form on stderr, then a non-zero exit status.
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.20.0/aws-control-container-v0-7-12/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-12"
version = "0.1.0"
authors = ["Kyle Sessions "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.20.0/aws-control-container-v0-7-12/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new schnauzer command lines; they differ only in the image tag.
const OLD_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.11'";
const NEW_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.12'";

/// Bumps the default control host container from v0.7.11 to v0.7.12.
/// The rendered source selects the image by tag, not by digest.
/// NOTE(review): presumably only a value still equal to the old command line is rewritten,
/// so an operator-set source is kept; confirm in `common_migrations`.
fn run() -> Result<()> {
    let migration = ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    };
    migrate(migration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/bootstrap-containers-config-file-v0-1-0/Cargo.toml ================================================ [package] name = "bootstrap-containers-config-file-v0-1-0" version = "0.1.0" edition = "2021" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" publish = false exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/bootstrap-containers-config-file-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "configuration-files.bootstrap-containers-toml", ])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/bootstrap-containers-services-cfg-v0-1-0/Cargo.toml ================================================ [package] name = "bootstrap-containers-services-cfg-v0-1-0" version = "0.1.0" edition = "2021" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" publish = false exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/bootstrap-containers-services-cfg-v0-1-0/src/main.rs 
================================================
use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration};
use migration_helpers::{migrate, Result};
use std::process;

/// Runs a `ReplaceListsMigration` on `services.bootstrap-containers.configuration-files`:
/// the list holding only `host-ctr-toml` is replaced by one that also names
/// `bootstrap-containers-toml`.
fn run() -> Result<()> {
    let replacements = vec![ListReplacement {
        setting: "services.bootstrap-containers.configuration-files",
        old_vals: &["host-ctr-toml"],
        new_vals: &["host-ctr-toml", "bootstrap-containers-toml"],
    }];
    migrate(ReplaceListsMigration(replacements))
}

/// Prints any error from `run` to stderr and exits with status 1.
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.20.0/container-runtime-metadata-nvidia/Cargo.toml
================================================
[package]
name = "container-runtime-metadata-nvidia"
version = "0.1.0"
edition = "2021"
authors = ["Matthew Yeazel "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

[build-dependencies]
bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }

================================================
FILE: sources/settings-migrations/archived/v1.20.0/container-runtime-metadata-nvidia/build.rs
================================================
use bottlerocket_variant::Variant;

/// Build script: reads the variant and emits its cfgs.
fn main() {
    // The bare unwrap panics, and so fails the build, if `Variant::from_env()` fails.
    Variant::from_env().unwrap().emit_cfgs();
}

================================================
FILE: sources/settings-migrations/archived/v1.20.0/container-runtime-metadata-nvidia/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, NoOpMigration, SettingMetadata};
use migration_helpers::migrate;
use migration_helpers::Result;
use std::process;

/// We added a new setting for configuring container runtime (containerd) settings only for NVIDIA k8s variants.
fn run() -> Result<()> {
    // Decided at compile time; presumably the cfgs come from build.rs via `emit_cfgs()`.
    let nvidia_k8s = cfg!(variant_family = "aws-k8s") && cfg!(variant_flavor = "nvidia");
    if !nvidia_k8s {
        // Every other variant still runs a migration, one that changes nothing.
        return migrate(NoOpMigration);
    }
    migrate(AddMetadataMigration(&[SettingMetadata {
        setting: "settings.container-runtime",
        metadata: &["affected-services"],
    }]))
}

// If main returned a Result, the error would be printed in its Debug form. Snafu gives us a
// readable Display form, so the work lives in `run` and main prints any error itself.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(err) => {
            eprintln!("{}", err);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.20.0/container-runtime-nvidia/Cargo.toml
================================================
[package]
name = "container-runtime-nvidia"
version = "0.1.0"
edition = "2021"
authors = ["Matthew Yeazel "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

[build-dependencies]
bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }

================================================
FILE: sources/settings-migrations/archived/v1.20.0/container-runtime-nvidia/build.rs
================================================
use bottlerocket_variant::Variant;

/// Build script: reads the variant and emits its cfgs.
fn main() {
    // The bare unwrap panics, and so fails the build, if `Variant::from_env()` fails.
    Variant::from_env().unwrap().emit_cfgs();
}

================================================
FILE: sources/settings-migrations/archived/v1.20.0/container-runtime-nvidia/src/main.rs
================================================
use migration_helpers::common_migrations::{AddPrefixesMigration, NoOpMigration};
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting for configuring container runtime (containerd) settings only for NVIDIA k8s variants.
fn run() -> Result<()> { if cfg!(variant_family = "aws-k8s") && cfg!(variant_flavor = "nvidia") { migrate(AddPrefixesMigration(vec!["settings.container-runtime"])) } else { migrate(NoOpMigration) } } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/corndog-config-file-v0-1-0/Cargo.toml ================================================ [package] name = "corndog-config-file-v0-1-0" version = "0.1.0" edition = "2021" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" publish = false exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/corndog-config-file-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "configuration-files.corndog-toml", ])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/corndog-services-cfg-v0-1-0/Cargo.toml ================================================ [package] name = "corndog-services-cfg-v0-1-0" version = "0.1.0" edition = "2021" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" publish = false exclude = ["README.md"] # See more keys and their definitions at 
https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/corndog-services-cfg-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; fn run() -> Result<()> { migrate(ReplaceListsMigration(vec![ ListReplacement { setting: "services.sysctl.configuration-files", old_vals: &[], new_vals: &["corndog-toml"], }, ListReplacement { setting: "services.lockdown.configuration-files", old_vals: &[], new_vals: &["corndog-toml"], }, ])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/host-containers-config-file-v0-1-0/Cargo.toml ================================================ [package] name = "host-containers-config-file-v0-1-0" version = "0.1.0" authors = ["Sam Berning "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/host-containers-config-file-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; // Create the new config file fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "configuration-files.host-containers-toml", ])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: 
sources/settings-migrations/archived/v1.20.0/host-containers-config-list-v0-1-0/Cargo.toml ================================================ [package] name = "host-containers-config-list-v0-1-0" version = "0.1.0" authors = ["Sam Berning "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/host-containers-config-list-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; // Add new config file to host-containers fn run() -> Result<()> { migrate(ReplaceListsMigration(vec![ListReplacement { setting: "services.host-containers.configuration-files", old_vals: &["host-ctr-toml"], new_vals: &["host-ctr-toml", "host-containers-toml"], }])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/prairiedog-config-file-v0-1-0/Cargo.toml ================================================ [package] name = "prairiedog-config-file-v0-1-0" version = "0.1.0" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/prairiedog-config-file-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; fn run() -> 
Result<()> { migrate(AddPrefixesMigration(vec![ "configuration-files.prairiedog-toml", ])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/prairiedog-services-cfg-v0-1-0/Cargo.toml ================================================ [package] name = "prairiedog-services-cfg-v0-1-0" version = "0.1.0" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/prairiedog-services-cfg-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; fn run() -> Result<()> { migrate(ReplaceListsMigration(vec![ListReplacement { setting: "services.bootconfig.configuration-files", old_vals: &[], new_vals: &["prairiedog-toml"], }])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/public-admin-container-v0-11-8/Cargo.toml ================================================ [package] name = "public-admin-container-v0-11-8" version = "0.1.0" authors = ["Kyle Sessions "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.20.0/public-admin-container-v0-11-8/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.7"; const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.8"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.admin.source", old_val: OLD_ADMIN_CTR_SOURCE_VAL, new_val: NEW_ADMIN_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/public-control-container-v0-7-12/Cargo.toml ================================================ [package] name = "public-control-container-v0-7-12" version = "0.1.0" authors = ["Kyle Sessions "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.20.0/public-control-container-v0-7-12/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.11"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.12"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/remove-ecs-settings-applier/Cargo.toml ================================================ [package] name = "remove-ecs-settings-applier" version = "0.1.0" edition = "2021" authors = ["Arnaldo Garcia "] license = "Apache-2.0 OR MIT" publish = false exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/remove-ecs-settings-applier/src/main.rs ================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We updated the 'restart-commands' list for 'services.ecs' to remove /// ecs-settings-applier on upgrade, and to add it back on downgrade.
fn run() -> Result<()> { migrate(ReplaceListsMigration(vec![ListReplacement { setting: "services.ecs.restart-commands", old_vals: &[ "/usr/bin/ecs-settings-applier", "/bin/systemctl try-reload-or-restart ecs.service", ], new_vals: &["/bin/systemctl try-reload-or-restart ecs.service"], }])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/static-pods-add-prefix-v0-1-0/Cargo.toml ================================================ [package] name = "static-pods-add-prefix-v0-1-0" version = "0.1.0" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/static-pods-add-prefix-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "configuration-files.static-pods-toml", ])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/static-pods-services-cfg-v0-1-0/Cargo.toml ================================================ [package] name = "static-pods-services-cfg-v0-1-0" version = "0.1.0" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/static-pods-services-cfg-v0-1-0/src/main.rs 
================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; fn run() -> Result<()> { migrate(ReplaceListsMigration(vec![ListReplacement { setting: "services.static-pods.configuration-files", old_vals: &[], new_vals: &["static-pods-toml"], }])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/thar-be-updates-affected-services-v0-1-0/Cargo.toml ================================================ [package] name = "thar-be-updates-affected-services-v0-1-0" version = "0.1.0" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/thar-be-updates-affected-services-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::{ MetadataListReplacement, ReplaceMetadataListsMigration, }; use migration_helpers::{migrate, Result}; use std::process; fn run() -> Result<()> { migrate(ReplaceMetadataListsMigration(vec![ MetadataListReplacement { setting: "settings.updates", metadata: "affected-services", old_vals: &["updog"], new_vals: &["updog", "thar-be-updates"], }, ])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/thar-be-updates-config-file-v0-1-0/Cargo.toml ================================================ [package] name = "thar-be-updates-config-file-v0-1-0" version = "0.1.0" edition = "2021" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" publish = false exclude = 
["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/thar-be-updates-config-file-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "configuration-files.thar-be-updates-toml", "services.thar-be-updates", ])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/update-ecs-config-path/Cargo.toml ================================================ [package] name = "update-ecs-config-path" version = "0.1.0" edition = "2021" authors = ["Arnaldo Garcia "] license = "Apache-2.0 OR MIT" publish = false exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/update-ecs-config-path/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; /// We updated the 'path' string for 'ecs-config' fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "configuration-files.ecs-config.path", old_val: "/etc/ecs/ecs.config", new_val: "/etc/systemd/system/ecs.service.d/10-base.conf", }) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: 
sources/settings-migrations/archived/v1.20.0/update-ecs-config-template-path/Cargo.toml ================================================ [package] name = "update-ecs-config-template-path" version = "0.1.0" edition = "2021" authors = ["Arnaldo Garcia "] license = "Apache-2.0 OR MIT" publish = false exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.20.0/update-ecs-config-template-path/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; /// We updated the 'template-path' for 'ecs-config' fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "configuration-files.ecs-config.template-path", old_val: "/usr/share/templates/ecs.config", new_val: "/usr/share/templates/ecs-base-conf", }) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.5/aws-admin-container-v0-11-9/Cargo.toml ================================================ [package] name = "aws-admin-container-v0-11-9" version = "0.1.0" authors = ["Yutong Sun "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.20.5/aws-admin-container-v0-11-9/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceSchnauzerMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.8'"; const NEW_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.9'"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceSchnauzerMigration { setting: "settings.host-containers.admin.source", old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE, new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.5/aws-control-container-v0-7-13/Cargo.toml ================================================ [package] name = "aws-control-container-v0-7-13" version = "0.1.0" authors = ["Yutong Sun "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.20.5/aws-control-container-v0-7-13/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceSchnauzerMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.12'"; const NEW_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.13'"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceSchnauzerMigration { setting: "settings.host-containers.control.source", old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE, new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.5/public-admin-container-v0-11-9/Cargo.toml ================================================ [package] name = "public-admin-container-v0-11-9" version = "0.1.0" authors = ["Yutong Sun "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.20.5/public-admin-container-v0-11-9/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.8"; const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.9"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.admin.source", old_val: OLD_ADMIN_CTR_SOURCE_VAL, new_val: NEW_ADMIN_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.20.5/public-control-container-v0-7-13/Cargo.toml ================================================ [package] name = "public-control-container-v0-7-13" version = "0.1.0" authors = ["Yutong Sun "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.20.5/public-control-container-v0-7-13/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.12"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.13"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.21.0/add-hostname-override-source/Cargo.toml ================================================ [package] name = "add-hostname-override-source" version = "0.1.0" authors = ["Todd Neal "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.21.0/add-hostname-override-source/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added one new setting for configuring the source used to determine the node's hostname /// override. fn run() -> Result<()> { migrate(AddSettingsMigration(&[ "settings.kubernetes.hostname-override-source", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.21.0/k8s-reserved-cpus-v0-1-0/Cargo.toml ================================================ [package] name = "k8s-reserved-cpus-v0-1-0" version = "0.1.0" authors = ["James Masson "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.21.0/k8s-reserved-cpus-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; /// Add the option to set Kubernetes reserved-cpus fn run() -> Result<()> { migrate(AddSettingsMigration(&["settings.kubernetes.reserved-cpus"])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.21.0/pluto-remove-generators-v0-1-0/Cargo.toml ================================================ [package] name = "pluto-remove-generators-v0-1-0" version = "0.1.0" authors = ["Jarrett Tierney "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false exclude = ["README.md"] [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.21.0/pluto-remove-generators-v0-1-0/src/main.rs ================================================ use migration_helpers::common_migrations::{RemoveMetadataMigration, SettingMetadata}; use migration_helpers::{migrate, Result}; use std::process; fn run() -> Result<()> { migrate(RemoveMetadataMigration(&[ SettingMetadata { setting: "settings.kubernetes.max-pods", metadata: &["setting-generator"], }, SettingMetadata { setting: "settings.kubernetes.cluster-dns-ip", metadata: &["setting-generator"], }, SettingMetadata { setting: "settings.kubernetes.node-ip", metadata: &["setting-generator"], }, SettingMetadata { setting: "settings.kubernetes.provider-id", metadata: &["setting-generator"], }, SettingMetadata { setting: "settings.kubernetes.hostname-override", metadata: &["setting-generator"], }, ])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.21.0/pod-infra-container-image-affected-services/Cargo.toml ================================================ [package] name = "pod-infra-container-image-affected-services" version = "0.1.0" authors = ["Todd Neal "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.21.0/pod-infra-container-image-affected-services/src/main.rs
================================================
use migration_helpers::common_migrations::{
    MetadataListReplacement, ReplaceMetadataListsMigration,
};
use migration_helpers::{migrate, Result};
use std::process;

/// Replaces the `affected-services` metadata list of
/// `settings.kubernetes.pod-infra-container-image`: `["kubernetes", "containerd"]` becomes
/// `["pod-infra-container-image"]`.
// NOTE(review): presumably the list is only rewritten while it still equals `old_vals` --
// confirm in migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceMetadataListsMigration(vec![
        MetadataListReplacement {
            setting: "settings.kubernetes.pod-infra-container-image",
            metadata: "affected-services",
            old_vals: &["kubernetes", "containerd"],
            new_vals: &["pod-infra-container-image"],
        },
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.21.0/pod-infra-container-image-remove-settings-generator/Cargo.toml
================================================
[package]
name = "pod-infra-container-image-remove-settings-generator"
version = "0.1.0"
authors = ["Todd Neal "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.21.0/pod-infra-container-image-remove-settings-generator/src/main.rs
================================================
use migration_helpers::common_migrations::{RemoveMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// Removes the `setting-generator` metadata from
/// `settings.kubernetes.pod-infra-container-image`.
// NOTE(review): what populates the setting once its generator metadata is gone is not
// visible in this file.
fn run() -> Result<()> {
    migrate(RemoveMetadataMigration(&[SettingMetadata {
        setting: "settings.kubernetes.pod-infra-container-image",
        metadata: &["setting-generator"],
    }]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.21.0/pod-infra-container-image-services/Cargo.toml
================================================
[package]
name = "pod-infra-container-image-services"
version = "0.1.0"
authors = ["Todd Neal "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.21.0/pod-infra-container-image-services/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Hands two data store key prefixes to `AddPrefixesMigration`: the
/// `pod-infra-container-image` service and its `pod-infra-container-image-log-message`
/// configuration file.
// NOTE(review): presumably everything under these prefixes is removed again when moving back
// to a release that does not know them -- confirm in migration-helpers.
fn run() -> Result<()> {
    migrate(AddPrefixesMigration(vec![
        "services.pod-infra-container-image",
        "configuration-files.pod-infra-container-image-log-message",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.21.1/aws-admin-container-v0-11-10/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-10"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.21.1/aws-admin-container-v0-11-10/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// The two command lines differ only in the image tag (v0.11.9 -> v0.11.10). Both reference
// the image by tag rather than by digest.
const OLD_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.9'";
const NEW_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.10'";

/// We bumped the version of the default admin container from v0.11.9 to v0.11.10.
///
/// The schnauzer command line behind `settings.host-containers.admin.source` is swapped from
/// the old default to the new one.
// NOTE(review): presumably a source the operator has customised does not match the old
// command line and is left untouched, so such hosts do not receive this bump -- confirm in
// migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.21.1/aws-control-container-v0-7-14/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-14"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.21.1/aws-control-container-v0-7-14/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// The two command lines differ only in the image tag (v0.7.13 -> v0.7.14). Both reference
// the image by tag rather than by digest.
const OLD_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.13'";
const NEW_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.14'";

/// We bumped the version of the default control container from v0.7.13 to v0.7.14.
///
/// The schnauzer command line behind `settings.host-containers.control.source` is swapped
/// from the old default to the new one.
// NOTE(review): presumably a source the operator has customised does not match the old
// command line and is left untouched, so such hosts do not receive this bump -- confirm in
// migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.21.1/public-admin-container-v0-11-10/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-11-10"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.21.1/public-admin-container-v0-11-10/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new default image references; they differ only in the tag (v0.11.9 -> v0.11.10).
// Both reference the image by tag rather than by digest.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.9";
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.10";

/// We bumped the version of the default admin container from v0.11.9 to v0.11.10.
///
/// The string value of `settings.host-containers.admin.source` is swapped from the old
/// default to the new one.
// NOTE(review): presumably a value the operator has customised does not equal `old_val` and
// is left untouched, so such hosts do not receive this bump -- confirm in migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.21.1/public-control-container-v0-7-14/Cargo.toml
================================================
[package]
name = "public-control-container-v0-7-14"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.21.1/public-control-container-v0-7-14/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new default image references; they differ only in the tag (v0.7.13 -> v0.7.14).
// Both reference the image by tag rather than by digest.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.13";
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.14";

/// We bumped the version of the default control container from v0.7.13 to v0.7.14.
///
/// The string value of `settings.host-containers.control.source` is swapped from the old
/// default to the new one.
// NOTE(review): presumably a value the operator has customised does not equal `old_val` and
// is left untouched, so such hosts do not receive this bump -- confirm in migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.22.0/aws-admin-container-v0-11-11/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-11"
version = "0.1.0"
authors = ["Kyle Sessions "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.22.0/aws-admin-container-v0-11-11/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// The two command lines differ only in the image tag (v0.11.10 -> v0.11.11). Both reference
// the image by tag rather than by digest.
const OLD_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.10'";
const NEW_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.11'";

/// We bumped the version of the default admin container from v0.11.10 to v0.11.11.
///
/// The schnauzer command line behind `settings.host-containers.admin.source` is swapped from
/// the old default to the new one.
// NOTE(review): presumably a source the operator has customised does not match the old
// command line and is left untouched, so such hosts do not receive this bump -- confirm in
// migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.22.0/aws-control-container-v0-7-15/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-15"
version = "0.1.0"
authors = ["Kyle Sessions "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.22.0/aws-control-container-v0-7-15/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// The two command lines differ only in the image tag (v0.7.14 -> v0.7.15). Both reference
// the image by tag rather than by digest.
const OLD_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.14'";
const NEW_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.15'";

/// We bumped the version of the default control container from v0.7.14 to v0.7.15.
///
/// The schnauzer command line behind `settings.host-containers.control.source` is swapped
/// from the old default to the new one.
// NOTE(review): presumably a source the operator has customised does not match the old
// command line and is left untouched, so such hosts do not receive this bump -- confirm in
// migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.22.0/bootstrap-commands-metadata/Cargo.toml ================================================ [package] name = "bootstrap-commands-metadata" version = "0.1.0" edition = "2021" authors = ["Piyush Jena "] license = "Apache-2.0 OR MIT" publish = false exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.22.0/bootstrap-commands-metadata/src/main.rs ================================================ use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata}; use migration_helpers::migrate; use migration_helpers::Result; use std::process; /// We added a new setting for configuring container runtime (containerd) settings only for NVIDIA k8s variants. fn run() -> Result<()> { migrate(AddMetadataMigration(&[SettingMetadata { metadata: &["affected-services"], setting: "settings.bootstrap-commands", }])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.22.0/bootstrap-commands-settings/Cargo.toml ================================================ [package] name = "bootstrap-commands-settings" version = "0.1.0" edition = "2021" authors = ["Piyush Jena "] license = "Apache-2.0 OR MIT" publish = false exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.22.0/bootstrap-commands-settings/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "settings.bootstrap-commands", "services.bootstrap-commands", "configuration-files.bootstrap-commands-toml", ])) } fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.22.0/public-admin-container-v0-11-11/Cargo.toml ================================================ [package] name = "public-admin-container-v0-11-11" version = "0.1.0" authors = ["Kyle Sessions "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.22.0/public-admin-container-v0-11-11/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new default image references; they differ only in the tag (v0.11.10 -> v0.11.11).
// Both reference the image by tag rather than by digest.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.10";
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.11";

/// We bumped the version of the default admin container from v0.11.10 to v0.11.11.
///
/// The string value of `settings.host-containers.admin.source` is swapped from the old
/// default to the new one.
// NOTE(review): presumably a value the operator has customised does not equal `old_val` and
// is left untouched, so such hosts do not receive this bump -- confirm in migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.22.0/public-control-container-v0-7-15/Cargo.toml
================================================
[package]
name = "public-control-container-v0-7-15"
version = "0.1.0"
authors = ["Kyle Sessions "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.22.0/public-control-container-v0-7-15/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new default image references; they differ only in the tag (v0.7.14 -> v0.7.15).
// Both reference the image by tag rather than by digest.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.14";
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.15";

/// We bumped the version of the default control container from v0.7.14 to v0.7.15.
///
/// The string value of `settings.host-containers.control.source` is swapped from the old
/// default to the new one.
// NOTE(review): presumably a value the operator has customised does not equal `old_val` and
// is left untouched, so such hosts do not receive this bump -- confirm in migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.23.0/kubelet-device-plugins-metadata/Cargo.toml
================================================
[package]
name = "kubelet-device-plugins-metadata"
version = "0.1.0"
authors = ["Monirul Islam "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.23.0/kubelet-device-plugins-metadata/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting for configuring the NVIDIA k8s device plugin.
///
/// This migration covers its metadata: the `affected-services` key of
/// `settings.kubelet-device-plugins`.
fn run() -> Result<()> {
    migrate(AddMetadataMigration(&[SettingMetadata {
        metadata: &["affected-services"],
        setting: "settings.kubelet-device-plugins",
    }]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.23.0/kubelet-device-plugins-settings/Cargo.toml
================================================
[package]
name = "kubelet-device-plugins-settings"
version = "0.1.0"
authors = ["Monirul Islam "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.23.0/kubelet-device-plugins-settings/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting for configuring the NVIDIA k8s device plugin.
///
/// This migration covers four data store key prefixes: the setting itself, the
/// `nvidia-k8s-device-plugin` service and its two configuration files.
// NOTE(review): presumably everything under these prefixes is removed again when moving back
// to a release that does not know them -- confirm in migration-helpers.
fn run() -> Result<()> {
    migrate(AddPrefixesMigration(vec![
        "settings.kubelet-device-plugins",
        "services.nvidia-k8s-device-plugin",
        "configuration-files.nvidia-k8s-device-plugin-conf",
        "configuration-files.nvidia-k8s-device-plugin-exec-start-conf",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.23.0/nvidia-container-runtime-metadata/Cargo.toml
================================================
[package]
name = "nvidia-container-runtime-metadata"
version = "0.1.0"
authors = ["Monirul Islam "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.23.0/nvidia-container-runtime-metadata/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting for configuring container runtime (containerd) settings only for NVIDIA k8s variants.
///
/// This migration covers its metadata: the `affected-services` key of
/// `settings.nvidia-container-runtime`.
fn run() -> Result<()> {
    migrate(AddMetadataMigration(&[SettingMetadata {
        metadata: &["affected-services"],
        setting: "settings.nvidia-container-runtime",
    }]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.23.0/nvidia-container-runtime-settings/Cargo.toml
================================================
[package]
name = "nvidia-container-runtime-settings"
version = "0.1.0"
authors = ["Monirul Islam "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.23.0/nvidia-container-runtime-settings/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting for configuring container runtime (containerd) settings only for NVIDIA k8s variants.
///
/// This migration covers three data store key prefixes: the setting itself, the
/// `nvidia-container-toolkit` service and its configuration file.
// NOTE(review): presumably everything under these prefixes is removed again when moving back
// to a release that does not know them -- confirm in migration-helpers.
fn run() -> Result<()> {
    migrate(AddPrefixesMigration(vec![
        "settings.nvidia-container-runtime",
        "services.nvidia-container-toolkit",
        "configuration-files.nvidia-container-toolkit",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.24.1/aws-admin-container-v0-11-12/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-12"
version = "0.1.0"
authors = ["Kush Upadhyay "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.24.1/aws-admin-container-v0-11-12/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// The two command lines differ only in the image tag (v0.11.11 -> v0.11.12). Both reference
// the image by tag rather than by digest.
const OLD_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.11'";
const NEW_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.12'";

/// We bumped the version of the default admin container from v0.11.11 to v0.11.12.
///
/// The schnauzer command line behind `settings.host-containers.admin.source` is swapped from
/// the old default to the new one.
// NOTE(review): presumably a source the operator has customised does not match the old
// command line and is left untouched, so such hosts do not receive this bump -- confirm in
// migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.24.1/aws-control-container-v0-7-16/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-16"
version = "0.1.0"
authors = ["Kush Upadhyay "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.24.1/aws-control-container-v0-7-16/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// The two command lines differ only in the image tag (v0.7.15 -> v0.7.16). Both reference
// the image by tag rather than by digest.
const OLD_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.15'";
const NEW_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.16'";

/// We bumped the version of the default control container from v0.7.15 to v0.7.16.
///
/// The schnauzer command line behind `settings.host-containers.control.source` is swapped
/// from the old default to the new one.
// NOTE(review): presumably a source the operator has customised does not match the old
// command line and is left untouched, so such hosts do not receive this bump -- confirm in
// migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.24.1/public-admin-container-v0-11-12/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-11-12"
version = "0.1.0"
authors = ["Kush Upadhyay "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.24.1/public-admin-container-v0-11-12/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new values of the setting. Both are public.ecr.aws references that select the image
// by version tag rather than by digest.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.11";
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.12";

/// We bumped the version of the default admin container from v0.11.11 to v0.11.12.
///
/// Passes the old and new values of `settings.host-containers.admin.source` to
/// `ReplaceStringMigration`; presumably only a value equal to the old default is rewritten, so
/// a user-supplied source stays as set (confirm in migration_helpers).
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.24.1/public-control-container-v0-7-16/Cargo.toml
================================================
[package]
name = "public-control-container-v0-7-16"
version = "0.1.0"
authors = ["Kush Upadhyay "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.24.1/public-control-container-v0-7-16/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new values of the setting. Both are public.ecr.aws references that select the image
// by version tag rather than by digest.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.15";
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.16";

/// We bumped the version of the default control container from v0.7.15 to v0.7.16.
///
/// Passes the old and new values of `settings.host-containers.control.source` to
/// `ReplaceStringMigration`; presumably only a value equal to the old default is rewritten, so
/// a user-supplied source stays as set (confirm in migration_helpers).
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.25.0/aws-admin-container-v0-11-13/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-13"
version = "0.1.0"
authors = ["Gavin Inglis "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.25.0/aws-admin-container-v0-11-13/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new schnauzer-v2 command lines. They differ only in the image tag, and both select
// the image by version tag rather than by digest.
const OLD_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.12'";
const NEW_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.13'";

/// We bumped the version of the default admin container from v0.11.12 to v0.11.13.
///
/// Hands both command lines for `settings.host-containers.admin.source` to
/// `ReplaceSchnauzerMigration`; presumably the helper restores the old one on downgrade
/// (its implementation is not in this file).
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.25.0/aws-control-container-v0-7-17/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-17"
version = "0.1.0"
authors = ["Gavin Inglis "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.25.0/aws-control-container-v0-7-17/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new schnauzer-v2 command lines. They differ only in the image tag, and both select
// the image by version tag rather than by digest.
const OLD_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.16'";
const NEW_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.17'";

/// We bumped the version of the default control container from v0.7.16 to v0.7.17.
///
/// Hands both command lines for `settings.host-containers.control.source` to
/// `ReplaceSchnauzerMigration`; presumably the helper restores the old one on downgrade
/// (its implementation is not in this file).
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.25.0/kubelet-device-plugins-time-slicing-settings/Cargo.toml
================================================
[package]
name = "kubelet-device-plugins-time-slicing-settings"
version = "0.1.0"
authors = ["Kyle Sessions "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.25.0/kubelet-device-plugins-time-slicing-settings/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added new settings for configuring the NVIDIA k8s device plugin.
///
/// Lists the four new keys under `settings.kubelet-device-plugins.nvidia` for
/// `AddSettingsMigration`; presumably the helper removes them on downgrade so an older version
/// does not see settings it cannot parse (confirm in migration_helpers).
fn run() -> Result<()> {
    migrate(AddSettingsMigration(&[
        "settings.kubelet-device-plugins.nvidia.device-sharing-strategy",
        "settings.kubelet-device-plugins.nvidia.time-slicing.replicas",
        "settings.kubelet-device-plugins.nvidia.time-slicing.rename-by-default",
        "settings.kubelet-device-plugins.nvidia.time-slicing.fail-requests-greater-than-one",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.25.0/kubernetes-service-config/Cargo.toml
================================================
[package]
name = "kubernetes-service-config"
version = "0.1.0"
authors = ["Sparks Song "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.25.0/kubernetes-service-config/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new values of the `mode` key, kept as strings.
const OLD_MODE: &str = "0600";
const NEW_MODE: &str = "0644";

/// We changed the mode of the `kubelet-exec-start-conf` configuration file from 0600 to 0644.
///
/// Passes both values of `configuration-files.kubelet-exec-start-conf.mode` to
/// `ReplaceStringMigration`; presumably the helper restores 0600 on downgrade.
///
/// NOTE(review): assuming the value is applied as a Unix file mode, 0644 adds read permission
/// for group and others, so the rendered file must not carry anything sensitive - confirm
/// against the template behind `kubelet-exec-start-conf`.
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "configuration-files.kubelet-exec-start-conf.mode",
        old_val: OLD_MODE,
        new_val: NEW_MODE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.25.0/public-admin-container-v0-11-13/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-11-13"
version = "0.1.0"
authors = ["Gavin Inglis "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.25.0/public-admin-container-v0-11-13/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new values of the setting. Both are public.ecr.aws references that select the image
// by version tag rather than by digest.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.12";
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.13";

/// We bumped the version of the default admin container from v0.11.12 to v0.11.13.
///
/// Passes the old and new values of `settings.host-containers.admin.source` to
/// `ReplaceStringMigration`; presumably only a value equal to the old default is rewritten, so
/// a user-supplied source stays as set (confirm in migration_helpers).
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.25.0/public-control-container-v0-7-17/Cargo.toml
================================================
[package]
name = "public-control-container-v0-7-17"
version = "0.1.0"
authors = ["Gavin Inglis "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.25.0/public-control-container-v0-7-17/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new values of the setting. Both are public.ecr.aws references that select the image
// by version tag rather than by digest.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.16";
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.17";

/// We bumped the version of the default control container from v0.7.16 to v0.7.17.
///
/// Passes the old and new values of `settings.host-containers.control.source` to
/// `ReplaceStringMigration`; presumably only a value equal to the old default is rewritten, so
/// a user-supplied source stays as set (confirm in migration_helpers).
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.27.0/aws-config/Cargo.toml
================================================
[package]
name = "aws-config"
version = "0.1.0"
authors = ["Gavin Inglis "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.27.0/aws-config/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// We added new settings metadata, `aws.config.setting-generator`
///
/// Registers the `setting-generator` metadata key of `settings.aws.config` with
/// `AddMetadataMigration`; presumably the helper removes that metadata on downgrade
/// (confirm in migration_helpers).
fn run() -> Result<()> {
    migrate(AddMetadataMigration(&[SettingMetadata {
        metadata: &["setting-generator"],
        setting: "settings.aws.config",
    }]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.28.0/aws-admin-container-v0-11-14/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-14"
version = "0.1.0"
authors = ["Sparks Song "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.28.0/aws-admin-container-v0-11-14/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new schnauzer-v2 command lines. They differ only in the image tag, and both select
// the image by version tag rather than by digest.
const OLD_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.13'";
const NEW_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.14'";

/// We bumped the version of the default admin container from v0.11.13 to v0.11.14.
///
/// Hands both command lines for `settings.host-containers.admin.source` to
/// `ReplaceSchnauzerMigration`; presumably the helper restores the old one on downgrade
/// (its implementation is not in this file).
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.28.0/aws-control-container-v0-7-18/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-18"
version = "0.1.0"
authors = ["Sparks Song "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.28.0/aws-control-container-v0-7-18/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new schnauzer-v2 command lines. They differ only in the image tag, and both select
// the image by version tag rather than by digest.
const OLD_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.17'";
const NEW_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.18'";

/// We bumped the version of the default control container from v0.7.17 to v0.7.18.
///
/// Hands both command lines for `settings.host-containers.control.source` to
/// `ReplaceSchnauzerMigration`; presumably the helper restores the old one on downgrade
/// (its implementation is not in this file).
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.28.0/kernel-sysctl-hugepages/Cargo.toml
================================================
[package]
name = "kernel-sysctl-hugepages"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.28.0/kernel-sysctl-hugepages/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// We added new settings metadata, `metadata.settings.kernel.sysctl.vm/nr_hugepages.setting-generator`
///
/// Registers the `setting-generator` metadata key of `settings.kernel.sysctl.vm/nr_hugepages`
/// with `AddMetadataMigration`; presumably the helper removes that metadata on downgrade
/// (confirm in migration_helpers).
fn run() -> Result<()> {
    migrate(AddMetadataMigration(&[SettingMetadata {
        metadata: &["setting-generator"],
        setting: "settings.kernel.sysctl.vm/nr_hugepages",
    }]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.28.0/public-admin-container-v0-11-14/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-11-14"
version = "0.1.0"
authors = ["Sparks Song "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.28.0/public-admin-container-v0-11-14/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new values of the setting. Both are public.ecr.aws references that select the image
// by version tag rather than by digest.
const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.13";
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.14";

/// We bumped the version of the default admin container from v0.11.13 to v0.11.14.
///
/// Passes the old and new values of `settings.host-containers.admin.source` to
/// `ReplaceStringMigration`; presumably only a value equal to the old default is rewritten, so
/// a user-supplied source stays as set (confirm in migration_helpers).
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.28.0/public-control-container-v0-7-18/Cargo.toml
================================================
[package]
name = "public-control-container-v0-7-18"
version = "0.1.0"
authors = ["Sparks Song "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.28.0/public-control-container-v0-7-18/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new values of the setting. Both are public.ecr.aws references that select the image
// by version tag rather than by digest.
const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.17";
const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.18";

/// We bumped the version of the default control container from v0.7.17 to v0.7.18.
///
/// Passes the old and new values of `settings.host-containers.control.source` to
/// `ReplaceStringMigration`; presumably only a value equal to the old default is rewritten, so
/// a user-supplied source stays as set (confirm in migration_helpers).
fn run() -> Result<()> {
    migrate(ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_CTR_SOURCE_VAL,
        new_val: NEW_CONTROL_CTR_SOURCE_VAL,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.3.0/control-container-v0-5-2/Cargo.toml
================================================
[package]
name = "control-container-v0-5-2"
version = "0.1.0"
authors = ["Patrick J.P. Culp "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

================================================
FILE: sources/settings-migrations/archived/v1.3.0/control-container-v0-5-2/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new source templates. They differ only in the image tag, and both select the image
// by version tag rather than by digest.
const OLD_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.1";
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.2";

/// We bumped the version of the default control container from v0.5.1 to v0.5.2
///
/// Hands both templates for `settings.host-containers.control.source` to
/// `ReplaceTemplateMigration`; presumably the helper restores the old template on downgrade
/// (its implementation is not in this file).
fn run() -> Result<()> {
    migrate(ReplaceTemplateMigration {
        setting: "settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.3.0/etc-hosts-service/Cargo.toml
================================================
[package]
name = "etc-hosts-service"
version = "0.1.0"
authors = ["Zac Mrowicki "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

================================================
FILE: sources/settings-migrations/archived/v1.3.0/etc-hosts-service/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting and generator for configuring hostname
///
/// The migration itself registers two key prefixes, `services.hosts` and
/// `configuration-files.hosts`, with `AddPrefixesMigration`; presumably everything under those
/// prefixes is removed on downgrade (confirm in migration_helpers).
fn run() -> Result<()> {
    migrate(AddPrefixesMigration(vec![
        "services.hosts",
        "configuration-files.hosts",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.3.0/hostname-affects-etc-hosts/Cargo.toml
================================================
[package]
name = "hostname-affects-etc-hosts"
version = "0.1.0"
authors = ["Zac Mrowicki "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

================================================
FILE: sources/settings-migrations/archived/v1.3.0/hostname-affects-etc-hosts/src/main.rs
================================================
use migration_helpers::common_migrations::{
    MetadataListReplacement, ReplaceMetadataListsMigration,
};
use migration_helpers::{migrate, Result};
use std::process;

/// We updated the 'affected-services' list metadata for 'settings.network.hostname' to include the
/// hosts "service" on upgrade, and to remove it on downgrade.
fn run() -> Result<()> {
    migrate(ReplaceMetadataListsMigration(vec![
        MetadataListReplacement {
            setting: "settings.network.hostname",
            metadata: "affected-services",
            // The list before this migration, and the list after it with "hosts" appended.
            old_vals: &["hostname"],
            new_vals: &["hostname", "hosts"],
        },
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.30.0/aws-admin-container-v0-11-15/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-11-15"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.30.0/aws-admin-container-v0-11-15/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new schnauzer-v2 command lines. They differ only in the image tag, and both select
// the image by version tag rather than by digest.
const OLD_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.14'";
const NEW_ADMIN_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.15'";

/// We bumped the version of the default admin container from v0.11.14 to v0.11.15.
///
/// Hands both command lines for `settings.host-containers.admin.source` to
/// `ReplaceSchnauzerMigration`; presumably the helper restores the old one on downgrade
/// (its implementation is not in this file).
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.admin.source",
        old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.30.0/aws-control-container-v0-7-19/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-7-19"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.30.0/aws-control-container-v0-7-19/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceSchnauzerMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Old and new schnauzer-v2 command lines. They differ only in the image tag, and both select
// the image by version tag rather than by digest.
const OLD_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.18'";
const NEW_CONTROL_CTR_CMDLINE: &str =
    "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.19'";

/// We bumped the version of the default control container from v0.7.18 to v0.7.19.
///
/// Hands both command lines for `settings.host-containers.control.source` to
/// `ReplaceSchnauzerMigration`; presumably the helper restores the old one on downgrade
/// (its implementation is not in this file).
fn run() -> Result<()> {
    migrate(ReplaceSchnauzerMigration {
        setting: "settings.host-containers.control.source",
        old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE,
        new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE,
    })
}

// Returning a Result from main makes it print a Debug
// representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.30.0/kubernetes-device-ownership-metadata/Cargo.toml
================================================
[package]
name = "kubernetes-device-ownership-metadata"
version = "0.1.0"
authors = ["Vighnesh Maheshwari "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/archived/v1.30.0/kubernetes-device-ownership-metadata/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting, `settings.kubernetes.device-ownership-from-security-context` to allow containers to gain
/// ownership of the requested device
///
/// NOTE(review): this crate is named `...-metadata` but registers the setting itself through
/// `AddSettingsMigration`, while the sibling crate `kubernetes-device-ownership-settings` adds
/// the metadata; the two names look swapped. Presumably the helper removes the setting on
/// downgrade (confirm in migration_helpers).
fn run() -> Result<()> {
    migrate(AddSettingsMigration(&[
        "settings.kubernetes.device-ownership-from-security-context",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.30.0/kubernetes-device-ownership-settings/Cargo.toml ================================================ [package] name = "kubernetes-device-ownership-settings" version = "0.1.0" authors = ["Vighnesh Maheshwari "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.30.0/kubernetes-device-ownership-settings/src/main.rs ================================================ use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata}; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting, `settings.kubernetes.device-ownership-from-security-context` to allow containers to gain /// ownership of the requested device fn run() -> Result<()> { migrate(AddMetadataMigration(&[SettingMetadata { metadata: &["affected-services"], setting: "settings.kubernetes.device-ownership-from-security-context", }])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.30.0/public-admin-container-v0-11-15/Cargo.toml ================================================ [package] name = "public-admin-container-v0-11-15" version = "0.1.0" authors = ["Yutong Sun "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.30.0/public-admin-container-v0-11-15/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.14"; const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.15"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.admin.source", old_val: OLD_ADMIN_CTR_SOURCE_VAL, new_val: NEW_ADMIN_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.30.0/public-control-container-v0-7-19/Cargo.toml ================================================ [package] name = "public-control-container-v0-7-19" version = "0.1.0" authors = ["Yutong Sun "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.30.0/public-control-container-v0-7-19/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.18"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.19"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.31.0/aws-admin-container-v0-11-16/Cargo.toml ================================================ [package] name = "aws-admin-container-v0-11-16" version = "0.1.0" authors = ["Sparks Song "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.31.0/aws-admin-container-v0-11-16/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceSchnauzerMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.15'"; const NEW_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.16'"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceSchnauzerMigration { setting: "settings.host-containers.admin.source", old_schnauzer_cmdline: OLD_ADMIN_CTR_CMDLINE, new_schnauzer_cmdline: NEW_ADMIN_CTR_CMDLINE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.31.0/aws-control-container-v0-7-20/Cargo.toml ================================================ [package] name = "aws-control-container-v0-7-20" version = "0.1.0" authors = ["Sparks Song "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.31.0/aws-control-container-v0-7-20/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceSchnauzerMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.19'"; const NEW_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.20'"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceSchnauzerMigration { setting: "settings.host-containers.control.source", old_schnauzer_cmdline: OLD_CONTROL_CTR_CMDLINE, new_schnauzer_cmdline: NEW_CONTROL_CTR_CMDLINE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.31.0/public-admin-container-v0-11-16/Cargo.toml ================================================ [package] name = "public-admin-container-v0-11-16" version = "0.1.0" authors = ["Sparks Song "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.31.0/public-admin-container-v0-11-16/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.15"; const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.16"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.admin.source", old_val: OLD_ADMIN_CTR_SOURCE_VAL, new_val: NEW_ADMIN_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.31.0/public-control-container-v0-7-20/Cargo.toml ================================================ [package] name = "public-control-container-v0-7-20" version = "0.1.0" authors = ["Sparks Song "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.31.0/public-control-container-v0-7-20/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.19"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.20"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.33.0/aws-remove-schnauzer-admin/Cargo.toml ================================================ [package] name = "aws-remove-schnauzer-admin" version = "0.1.0" authors = ["Shikha Vyaghra "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.33.0/aws-remove-schnauzer-admin/src/main.rs ================================================ use migration_helpers::common_migrations::RemoveSchnauzerMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.11.16'"; /// We are removing settings.host-containers.admin.source setting /// to populate it from defaults. fn run() -> Result<()> { migrate(RemoveSchnauzerMigration { setting: "settings.host-containers.admin.source", old_cmdline: OLD_ADMIN_CTR_CMDLINE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.33.0/aws-remove-schnauzer-control/Cargo.toml ================================================ [package] name = "aws-remove-schnauzer-control" version = "0.1.0" authors = ["Shikha Vyaghra "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.33.0/aws-remove-schnauzer-control/src/main.rs ================================================ use migration_helpers::common_migrations::RemoveSchnauzerMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_CMDLINE: &str = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.7.20'"; /// We are removing settings.host-containers.control.source setting /// to populate it from defaults. fn run() -> Result<()> { migrate(RemoveSchnauzerMigration { setting: "settings.host-containers.control.source", old_cmdline: OLD_CONTROL_CTR_CMDLINE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.33.0/public-control-container-v0-7-19-update/Cargo.toml ================================================ [package] name = "public-control-container-v0-7-19-update" version = "0.1.0" authors = ["Yutong Sun "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.33.0/public-control-container-v0-7-19-update/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.18"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.19"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.33.0/public-control-container-v0-7-20-update/Cargo.toml ================================================ [package] name = "public-control-container-v0-7-20-update" version = "0.1.0" authors = ["Sparks Song "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.33.0/public-control-container-v0-7-20-update/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.19"; const NEW_CONTROL_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.20"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR_SOURCE_VAL, new_val: NEW_CONTROL_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.33.0/public-remove-source-admin/Cargo.toml ================================================ [package] name = "public-remove-source-admin" version = "0.1.0" authors = ["Shikha Vyaghra "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.33.0/public-remove-source-admin/src/main.rs ================================================ use migration_helpers::common_migrations::RemoveMatchingString; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.11.16"; /// We are removing settings.host-containers.admin.source setting /// to populate it from defaults. fn run() -> Result<()> { migrate(RemoveMatchingString { setting: "settings.host-containers.admin.source", old_val: OLD_ADMIN_CTR, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.33.0/public-remove-source-control/Cargo.toml ================================================ [package] name = "public-remove-source-control" version = "0.1.0" authors = ["Shikha Vyaghra "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.33.0/public-remove-source-control/src/main.rs ================================================ use migration_helpers::common_migrations::RemoveMatchingString; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.7.20"; /// We are removing settings.host-containers.admin.source setting /// to populate it from defaults. fn run() -> Result<()> { migrate(RemoveMatchingString { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_CTR, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.33.0/remove-metadata-and-weak-settings-migration/Cargo.toml ================================================ [package] name = "remove-metadata-and-weak-settings-migration" version = "0.1.0" authors = ["Shikha Vyaghra "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/archived/v1.33.0/remove-metadata-and-weak-settings-migration/src/main.rs ================================================ use migration_helpers::common_migrations::RemoveMetadataAndWeakSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; // Remove the weak settings and metadata on downgrade fn run() -> Result<()> { migrate(RemoveMetadataAndWeakSettingsMigration) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.4.0/registry-mirror-representation/Cargo.toml ================================================ [package] name = "registry-mirror-representation" version = "0.1.0" authors = ["Erikson Tung "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}
serde_json = "1.0"

================================================
FILE: sources/settings-migrations/archived/v1.4.0/registry-mirror-representation/src/main.rs
================================================
use migration_helpers::{migrate, Migration, MigrationData, Result};
use serde_json::{Map, Value};
use std::collections::HashMap;
use std::process;

// Datastore key of the registry-mirrors setting; also the prefix of the per-registry keys used by
// the older representation (`<this key>.<registry>`).
const MIRRORS_SETTING_NAME: &'static str = "settings.container-registry.mirrors";
// Character accepted in registry names by `backward()` in addition to `valid_character`.
const DATASTORE_KEY_SEPARATOR: char = '.';

/// This migration changes the model type of `settings.container-registry.mirrors` from a map
/// keyed by registry name (one datastore key per registry) to a single JSON array of
/// `{ "registry": ..., "endpoint": ... }` objects on upgrade and vice-versa on downgrades.
/// (The generic type parameters originally named here were lost from this copy of the file.)
pub struct ChangeRegistryMirrorsType;

// Snapshot of the `datastore::Key::valid_character` method in Bottlerocket version 1.3.0
//
// Determines whether a character is acceptable within a segment of a key name. This is
// separate from quoting; if a character isn't valid, it isn't valid quoted, either.
//
// Accepts ASCII letters, ASCII digits, '_', '-' and '/'; everything else (including '"', ':'
// and whitespace) is rejected.
fn valid_character(c: char) -> bool {
    match c {
        'a'..='z' | 'A'..='Z' | '0'..='9' | '_' | '-' | '/' => true,
        _ => false,
    }
}

impl Migration for ChangeRegistryMirrorsType {
    /// Newer versions store `settings.container-registry.mirrors` as a single array value.
    /// Need to convert from the per-registry map representation.
    ///
    /// Collects every key that starts with `settings.container-registry.mirrors.`, removes each
    /// from the datastore, and writes one array of `{registry, endpoint}` objects under
    /// `settings.container-registry.mirrors`. The array is written even when no per-registry
    /// key was found, in which case it is empty.
    // NOTE(review): the return type reads `Result` in this copy; given `Ok(input)` below the
    // generic argument (presumably `MigrationData`) appears to have been lost in extraction.
    fn forward(&mut self, mut input: MigrationData) -> Result {
        // Copy the matching entries out first so `input.data` can be mutated inside the loop.
        let mirrors: HashMap<_, _> = input
            .data
            .iter()
            .filter(|&(k, _)| k.starts_with(format!("{}.", MIRRORS_SETTING_NAME).as_str()))
            .map(|(k, v)| (k.to_owned(), v.to_owned()))
            .collect();
        let mut new_mirrors = Vec::new();
        // Iterating a HashMap: the order of entries in the resulting array is unspecified.
        for (setting, endpoint) in mirrors {
            // Get the registry name from the settings name. Trim any quotes the settings name might have.
            let registry = setting
                .strip_prefix(&format!("{}.", MIRRORS_SETTING_NAME))
                .unwrap_or_default()
                .trim_matches('"');
            let mut registry_mirrors = Map::new();
            registry_mirrors.insert("registry".to_string(), Value::String(registry.to_string()));
            // The old value is carried over unchanged as the new "endpoint" field.
            registry_mirrors.insert("endpoint".to_string(), endpoint.to_owned());
            new_mirrors.push(Value::Object(registry_mirrors));
            if let Some(data) = input.data.remove(&setting) {
                println!("Removed setting '{}', which was set to '{}'", setting, data);
            }
        }
        let data = Value::Array(new_mirrors);
        println!(
            "Creating new setting '{}', which is set to '{}'",
            MIRRORS_SETTING_NAME, &data
        );
        input.data.insert(MIRRORS_SETTING_NAME.to_string(), data);
        Ok(input)
    }

    /// Older versions store `settings.container-registry.mirrors` as one key per registry.
    /// Need to convert from the single array value.
    ///
    /// If the setting is an array it is removed, and every element that is an object with a
    /// string `registry` and an `endpoint` is written back as
    /// `settings.container-registry.mirrors."<registry>"`, provided the registry name passes the
    /// key-character check. Anything else is left out of the downgraded datastore:
    /// - a registry name with a character outside the allowed set is reported on stderr and
    ///   skipped (a `host:port` name is one such case, since ':' is not allowed);
    /// - a non-object element is reported on stdout and skipped;
    /// - an object missing `registry` (as a string) or `endpoint` is skipped without any message.
    /// A non-array value is reported and left in place; a missing setting is only reported.
    // NOTE(review): skipped entries mean mirror configuration is silently narrower after a
    // downgrade; operators relying on mirrors should check the migration output.
    // NOTE(review): the return type reads `Result` in this copy; given `Ok(input)` below the
    // generic argument (presumably `MigrationData`) appears to have been lost in extraction.
    fn backward(&mut self, mut input: MigrationData) -> Result {
        // Work on a clone so the entry can be removed from `input.data` while iterating it.
        if let Some(data) = input.data.get_mut(MIRRORS_SETTING_NAME).cloned() {
            match data {
                Value::Array(arr) => {
                    if let Some(data) = input.data.remove(MIRRORS_SETTING_NAME) {
                        println!(
                            "Removed setting '{}', which was set to '{}'",
                            MIRRORS_SETTING_NAME, data
                        );
                    }
                    for obj in arr {
                        if let Some(obj) = obj.as_object() {
                            if let (Some(registry), Some(endpoint)) = (
                                obj.get("registry").and_then(|s| s.as_str()),
                                obj.get("endpoint"),
                            ) {
                                // Ensure the registry contains valid datastore key characters.
                                // If we encounter any invalid key characters, we skip writing out
                                // the setting key to prevent breakage of the datastore.
                                //
                                // The name is a settings value being turned into part of a key:
                                // it is placed between double quotes below, and '"' is not in the
                                // allowed set, so an accepted name cannot end the quoted segment.
                                if registry
                                    .chars()
                                    .all(|c| valid_character(c) || c == DATASTORE_KEY_SEPARATOR)
                                {
                                    let setting_name =
                                        format!(r#"{}."{}""#, MIRRORS_SETTING_NAME, registry);
                                    println!(
                                        "Creating new setting '{}', which is set to '{}'",
                                        setting_name, &endpoint
                                    );
                                    input.data.insert(setting_name, endpoint.to_owned());
                                } else {
                                    eprintln!(
                                        "Container registry '{}' contains invalid datastore key character(s). Skipping to prevent datastore breakage...",
                                        registry
                                    );
                                }
                            }
                        } else {
                            println!(
                                "'{}' contains non-JSON Object value: '{}'.",
                                MIRRORS_SETTING_NAME, obj
                            );
                        }
                    }
                }
                _ => {
                    println!(
                        "'{}' is not a JSON Array value: '{}'.",
                        MIRRORS_SETTING_NAME, data
                    );
                }
            }
        } else {
            println!("Didn't find setting '{}'", MIRRORS_SETTING_NAME);
        }
        Ok(input)
    }
}

/// Hands `migrate` the `ChangeRegistryMirrorsType` migration defined above.
fn run() -> Result<()> {
    migrate(ChangeRegistryMirrorsType)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error's Display text goes to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.4.2/admin-container-v0-7-3/Cargo.toml
================================================
[package]
name = "admin-container-v0-7-3"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.4.2/admin-container-v0-7-3/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Previous and new template for the default admin container source. The registry part comes from
// the `ecr-prefix` helper applied to `settings.aws.region`; the image is selected by tag only
// (no digest).
const OLD_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.7.2";
const NEW_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.7.3";

/// We bumped the version of the default admin container from v0.7.2 to v0.7.3
///
/// Hands `migrate` a `ReplaceTemplateMigration` for `settings.host-containers.admin.source`
/// carrying the two templates above.
// NOTE(review): presumably the helper acts only when the stored template matches the old one,
// leaving an operator-chosen source untouched - confirm in migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceTemplateMigration {
        setting: "settings.host-containers.admin.source",
        old_template: OLD_ADMIN_CTR_TEMPLATE,
        new_template: NEW_ADMIN_CTR_TEMPLATE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error's Display text goes to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.4.2/control-container-v0-5-3/Cargo.toml
================================================
[package]
name = "control-container-v0-5-3"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.4.2/control-container-v0-5-3/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

// Previous and new template for the default control container source. The registry part comes
// from the `ecr-prefix` helper applied to `settings.aws.region`; the image is selected by tag
// only (no digest).
const OLD_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.2";
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.3";

/// We bumped the version of the default control container from v0.5.2 to v0.5.3
///
/// Hands `migrate` a `ReplaceTemplateMigration` for `settings.host-containers.control.source`
/// carrying the two templates above.
// NOTE(review): presumably the helper acts only when the stored template matches the old one,
// leaving an operator-chosen source untouched - confirm in migration-helpers.
fn run() -> Result<()> {
    migrate(ReplaceTemplateMigration {
        setting: "settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    })
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error's Display text goes to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.5.0/oci-hooks-setting/Cargo.toml
================================================
[package]
name = "oci-hooks-setting"
version = "0.1.0"
authors = ["Arnaldo Garcia "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.5.0/oci-hooks-setting/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting and generator for configuring oci hooks
///
/// Hands `migrate` an `AddPrefixesMigration` listing three datastore key prefixes: the
/// `settings`, `services` and `configuration-files` entries for `oci-hooks`.
// NOTE(review): presumably every key under these prefixes is dropped on downgrade so that older
// releases never see entries they do not model - confirm in migration-helpers.
fn run() -> Result<()> {
    migrate(AddPrefixesMigration(vec![
        "settings.oci-hooks",
        "services.oci-hooks",
        "configuration-files.oci-hooks",
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
// On failure the error's Display text goes to stderr and the process exits with status 1.
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.5.0/oci-hooks-setting-metadata/Cargo.toml
================================================
[package]
name = "oci-hooks-setting-metadata"
version = "0.1.0"
authors = ["Arnaldo Garcia "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.5.0/oci-hooks-setting-metadata/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// Registers the `affected-services` metadata of `settings.oci-hooks`, which arrived together
/// with the OCI hooks setting and its generator.
fn run() -> Result<()> {
    // The metadata list stays inline in the call, exactly as the helper is handed it elsewhere.
    migrate(AddMetadataMigration(&[SettingMetadata {
        metadata: &["affected-services"],
        setting: "settings.oci-hooks",
    }]))
}

// `run` does the work so that a failure can be printed through Snafu's Display output; returning
// the Result straight from `main` would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{}", e);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.5.1/control-container-v0-5-4/Cargo.toml
================================================
[package]
name = "control-container-v0-5-4"
version = "0.1.0"
authors = ["Patrick J.P. Culp "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

================================================
FILE: sources/settings-migrations/archived/v1.5.1/control-container-v0-5-4/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

const OLD_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.3";
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.4";

/// Moves the default control container source template from v0.5.3 to v0.5.4.
///
/// NOTE(review): presumably `ReplaceTemplateMigration` leaves the setting alone when it no longer
/// holds the old default; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    let control_bump = ReplaceTemplateMigration {
        setting: "settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    };
    migrate(control_bump)
}

// `run` does the work so that a failure can be printed through Snafu's Display output; returning
// the Result straight from `main` would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{}", e);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.5.3/vmware-host-containers/Cargo.toml
================================================
[package]
name = "vmware-host-containers"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
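exclude = ["README.md"]

[dependencies]
serde_json = "1"
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.5.3/vmware-host-containers/src/main.rs
================================================
use migration_helpers::{migrate, Migration, MigrationData, Result};
use std::process;

const ADMIN_CONTAINER_SOURCE_SETTING_NAME: &str = "settings.host-containers.admin.source";
const ADMIN_CONTAINER_IMAGE_REPOSITORY: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin";
const PREVIOUS_ADMIN_CONTAINER_VERSIONS: &[&str] = &["v0.7.0", "v0.7.1", "v0.7.2"];
const TARGET_ADMIN_CONTAINER_VERSION: &str = "v0.7.3";
const CONTROL_CONTAINER_SOURCE_SETTING_NAME: &str = "settings.host-containers.control.source";
const CONTROL_CONTAINER_IMAGE_REPOSITORY: &str = "public.ecr.aws/bottlerocket/bottlerocket-control";
const PREVIOUS_CONTROL_CONTAINER_VERSIONS: &[&str] = &["v0.5.0", "v0.5.1", "v0.5.2", "v0.5.3"];
const TARGET_CONTROL_CONTAINER_VERSION: &str = "v0.5.4";

/// Moves the admin and control host-container sources to their target versions on upgrade.
pub struct VmwareHostContainerVersions;

/// Rewrites `setting` to `repository:target_version` when its current value is exactly
/// `repository:<version>` for one of `previous_versions`, and prints what it did or found.
///
/// Only an exact match is touched, so a source that was pointed at another registry, repository
/// or tag keeps its value. A non-string or missing setting is reported and left as it is.
fn bump_default_source(
    input: &mut MigrationData,
    setting: &str,
    repository: &str,
    previous_versions: &[&str],
    target_version: &str,
) {
    match input.data.get_mut(setting) {
        Some(serde_json::Value::String(source)) => {
            for ver in previous_versions {
                let prev_source = format!("{}:{}", repository, ver);
                if *source == prev_source {
                    *source = format!("{}:{}", repository, target_version);
                    println!(
                        "Changed value of '{}' from '{}' to '{}' on upgrade",
                        setting, prev_source, source
                    );
                    // At most one previous default can match.
                    break;
                }
            }
        }
        Some(data) => {
            println!("'{}' is set to non-string value '{}'", setting, data);
        }
        None => {
            println!("Found no '{}' to change on upgrade", setting);
        }
    }
}

impl Migration for VmwareHostContainerVersions {
    /// Bumps the admin container source, then the control container source.
    ///
    /// The return type is spelled out as `Result<MigrationData>`: the value returned is
    /// `Ok(input)`, and the `Result` alias takes a type argument (see `run`).
    fn forward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        // For admin container
        bump_default_source(
            &mut input,
            ADMIN_CONTAINER_SOURCE_SETTING_NAME,
            ADMIN_CONTAINER_IMAGE_REPOSITORY,
            PREVIOUS_ADMIN_CONTAINER_VERSIONS,
            TARGET_ADMIN_CONTAINER_VERSION,
        );

        // For control container
        bump_default_source(
            &mut input,
            CONTROL_CONTAINER_SOURCE_SETTING_NAME,
            CONTROL_CONTAINER_IMAGE_REPOSITORY,
            PREVIOUS_CONTROL_CONTAINER_VERSIONS,
            TARGET_CONTROL_CONTAINER_VERSION,
        );

        Ok(input)
    }

    /// Leaves the data untouched on downgrade.
    fn backward(&mut self, input: MigrationData) -> Result<MigrationData> {
        // It's unclear what version of the host-containers we should downgrade to since it could
        // be any of the older host-container versions.
        // We can just stay on the latest host-container version since there are no breaking changes.
        println!("Vmware host-container versions migration has no work to do on downgrade");
        Ok(input)
    }
}

/// Runs the migration through the shared `migrate` entry point.
fn run() -> Result<()> {
    migrate(VmwareHostContainerVersions)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.6.0/aws-admin-container-v0-7-4/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-7-4"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.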
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.6.0/aws-admin-container-v0-7-4/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

const OLD_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.7.3";
const NEW_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.7.4";

/// Moves the default admin container source template from v0.7.3 to v0.7.4.
///
/// NOTE(review): presumably `ReplaceTemplateMigration` leaves the setting alone when it no longer
/// holds the old default; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    let admin_bump = ReplaceTemplateMigration {
        setting: "settings.host-containers.admin.source",
        old_template: OLD_ADMIN_CTR_TEMPLATE,
        new_template: NEW_ADMIN_CTR_TEMPLATE,
    };
    migrate(admin_bump)
}

// `run` does the work so that a failure can be printed through Snafu's Display output; returning
// the Result straight from `main` would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{}", e);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.6.0/aws-control-container-v0-5-5/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-5-5"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

================================================
FILE: sources/settings-migrations/archived/v1.6.0/aws-control-container-v0-5-5/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

const OLD_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.4";
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.5";

/// Moves the default control container source template from v0.5.4 to v0.5.5.
///
/// NOTE(review): presumably `ReplaceTemplateMigration` leaves the setting alone when it no longer
/// holds the old default; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    let control_bump = ReplaceTemplateMigration {
        setting: "settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    };
    migrate(control_bump)
}

// `run` does the work so that a failure can be printed through Snafu's Display output; returning
// the Result straight from `main` would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{}", e);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.6.0/node-taints-representation/Cargo.toml
================================================
[package]
name = "node-taints-representation"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
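exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }
serde_json = "1"
snafu = "0.8"

================================================
FILE: sources/settings-migrations/archived/v1.6.0/node-taints-representation/src/main.rs
================================================
use migration_helpers::{error, migrate, Migration, MigrationData, Result};
use serde_json::Value;
use snafu::OptionExt;
use std::process;

const NODE_TAINTS_SETTING_NAME: &str = "settings.kubernetes.node-taints";

/// This migration changes every value under `settings.kubernetes.node-taints.` from a single
/// JSON string to a JSON array of strings on upgrade, and back to a single string on downgrade.
pub struct ChangeNodeTaintsType;

impl Migration for ChangeNodeTaintsType {
    /// Newer versions store each node taint as an array of strings.
    /// Wraps every string value under the node-taints prefix in a one-element array; values that
    /// are not JSON strings are reported and left unchanged.
    fn forward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        // Built once; the trailing dot keeps the match to keys below the node-taints setting.
        let taints_prefix = format!("{}.", NODE_TAINTS_SETTING_NAME);
        for (taint_key, taint_val) in input
            .data
            .iter_mut()
            .filter(|&(k, _)| k.starts_with(taints_prefix.as_str()))
        {
            match taint_val {
                Value::String(taint_val_string) => {
                    let taint_val_array =
                        Value::Array(vec![Value::String(taint_val_string.to_owned())]);
                    println!(
                        "Changing '{}', from '{}' to '{}' on upgrade",
                        taint_key, &taint_val, taint_val_array
                    );
                    *taint_val = taint_val_array;
                }
                _ => {
                    println!(
                        "'{}' is not a JSON string value: '{}'",
                        taint_key, taint_val
                    );
                }
            }
        }
        Ok(input)
    }

    /// Older versions store each node taint as a single string.
    /// Replaces every array value under the node-taints prefix with its first element.
    ///
    /// Note that this loses data when a taint key carries more than one value/effect: older
    /// versions can only map one value/effect to a key, so only the first entry is kept. Taints
    /// are what keep pods off a node, so every entry that is dropped is written to the migration
    /// output and the node's taints should be re-checked after a downgrade.
    ///
    /// Returns `NonStringSettingDataType` when an array is empty or its first element is not a
    /// string.
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        let taints_prefix = format!("{}.", NODE_TAINTS_SETTING_NAME);
        for (taint_key, taint_val) in input
            .data
            .iter_mut()
            .filter(|&(k, _)| k.starts_with(taints_prefix.as_str()))
        {
            match taint_val {
                Value::Array(taint_val_array) => {
                    // There should always at least be one value in the sequence
                    let kept = taint_val_array
                        .first()
                        .and_then(Value::as_str)
                        .context(error::NonStringSettingDataTypeSnafu {
                            setting: taint_key.to_string(),
                        })?
                        .to_string();
                    let dropped = taint_val_array.len().saturating_sub(1);
                    let first_taint_val = Value::String(kept);
                    println!(
                        "Changing '{}', from '{}' to '{}' on downgrade",
                        taint_key, &taint_val, first_taint_val
                    );
                    if dropped > 0 {
                        println!(
                            "Dropped {} additional value(s) of '{}' on downgrade",
                            dropped, taint_key
                        );
                    }
                    *taint_val = first_taint_val;
                }
                _ => {
                    println!("'{}' is not a JSON Array value: '{}'", taint_key, taint_val);
                }
            }
        }
        Ok(input)
    }
}

/// Runs the migration through the shared `migrate` entry point.
fn run() -> Result<()> {
    migrate(ChangeNodeTaintsType)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.6.0/public-admin-container-v0-7-4/Cargo.toml
================================================
[package]
name = "public-admin-container-v0-7-4"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.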
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.6.0/public-admin-container-v0-7-4/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.7.3";
const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.7.4";

/// Moves the default admin container source from v0.7.3 to v0.7.4 of the public ECR image.
///
/// Both values name the image by tag rather than by digest.
/// NOTE(review): presumably `ReplaceStringMigration` leaves the setting alone when it does not
/// equal the old value; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    let admin_bump = ReplaceStringMigration {
        setting: "settings.host-containers.admin.source",
        old_val: OLD_ADMIN_CTR_SOURCE_VAL,
        new_val: NEW_ADMIN_CTR_SOURCE_VAL,
    };
    migrate(admin_bump)
}

// `run` does the work so that a failure can be printed through Snafu's Display output; returning
// the Result straight from `main` would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{}", e);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.6.0/public-control-container-v0-5-5/Cargo.toml
================================================
[package]
name = "public-control-container-v0-5-5"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.6.0/public-control-container-v0-5-5/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceStringMigration;
use migration_helpers::{migrate, Result};
use std::process;

const OLD_CONTROL_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.5.4";
const NEW_CONTROL_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.5.5";

/// Moves the default control container source from v0.5.4 to v0.5.5 of the public ECR image.
///
/// NOTE(review): presumably `ReplaceStringMigration` leaves the setting alone when it does not
/// equal the old value; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    let control_bump = ReplaceStringMigration {
        setting: "settings.host-containers.control.source",
        old_val: OLD_CONTROL_SOURCE_VAL,
        new_val: NEW_CONTROL_SOURCE_VAL,
    };
    migrate(control_bump)
}

// `run` does the work so that a failure can be printed through Snafu's Display output; returning
// the Result straight from `main` would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{}", e);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.6.2/add-cfsignal/Cargo.toml
================================================
[package]
name = "add-cfsignal"
version = "0.1.0"
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.6.2/add-cfsignal/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Registers the settings, service and configuration file that configure the cfsignal service.
/// On downgrade the whole `settings.cloudformation` prefix is removed.
fn run() -> Result<()> {
    let cfsignal_prefixes = vec![
        "settings.cloudformation",
        "services.cfsignal",
        "configuration-files.cfsignal-toml",
    ];
    migrate(AddPrefixesMigration(cfsignal_prefixes))
}

// `run` does the work so that a failure can be printed through Snafu's Display output; returning
// the Result straight from `main` would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{}", e);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.6.2/container-registry-credentials/Cargo.toml
================================================
[package]
name = "container-registry-credentials"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.6.2/container-registry-credentials/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Registers `settings.container-registry.credentials`, the setting that configures image
/// credentials.
///
/// NOTE(review): if `AddPrefixesMigration` removes the prefix on downgrade, as it presumably
/// does, stored registry credentials go with it and must be supplied again after a later
/// upgrade. Confirm against the helper.
fn run() -> Result<()> {
    let credential_prefixes = vec!["settings.container-registry.credentials"];
    migrate(AddPrefixesMigration(credential_prefixes))
}

// `run` does the work so that a failure can be printed through Snafu's Display output; returning
// the Result straight from `main` would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{}", e);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.6.2/container-registry-credentials-metadata/Cargo.toml
================================================
[package]
name = "container-registry-credentials-metadata"
version = "0.1.0"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.6.2/container-registry-credentials-metadata/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// Registers `affected-services` metadata separately for
/// `settings.container-registry.credentials` and `settings.container-registry.mirrors`, in place
/// of the single entry that covered all of `container-registry`.
/// The split is for the docker variants, where we don't want a change to the credentials
/// settings to restart the docker daemon.
fn run() -> Result<()> {
    // The metadata list stays inline in the call, exactly as the helper is handed it elsewhere.
    migrate(AddMetadataMigration(&[
        SettingMetadata {
            metadata: &["affected-services"],
            setting: "settings.container-registry.credentials",
        },
        SettingMetadata {
            metadata: &["affected-services"],
            setting: "settings.container-registry.mirrors",
        },
    ]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.7.0/aws-admin-container-v0-8-0/Cargo.toml ================================================ [package] name = "aws-admin-container-v0-8-0" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.7.0/aws-admin-container-v0-8-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.7.4"; const NEW_ADMIN_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.8.0"; /// We bumped the version of the default admin container from v0.7.4 to v0.8.0 fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.admin.source", old_template: OLD_ADMIN_CTR_TEMPLATE, new_template: NEW_ADMIN_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.7.0/aws-control-container-v0-6-0/Cargo.toml ================================================ [package] name = "aws-control-container-v0-6-0" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.7.0/aws-control-container-v0-6-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceTemplateMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.5.5"; const NEW_CONTROL_CTR_TEMPLATE: &str = "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.6.0"; /// We bumped the version of the default control container from v0.5.5 to v0.6.0 fn run() -> Result<()> { migrate(ReplaceTemplateMigration { setting: "settings.host-containers.control.source", old_template: OLD_CONTROL_CTR_TEMPLATE, new_template: NEW_CONTROL_CTR_TEMPLATE, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.7.0/public-admin-container-v0-8-0/Cargo.toml ================================================ [package] name = "public-admin-container-v0-8-0" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.7.0/public-admin-container-v0-8-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.7.4"; const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.8.0"; /// We bumped the version of the default admin container from v0.7.4 to v0.8.0 fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.admin.source", old_val: OLD_ADMIN_CTR_SOURCE_VAL, new_val: NEW_ADMIN_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.7.0/public-control-container-v0-6-0/Cargo.toml ================================================ [package] name = "public-control-container-v0-6-0" version = "0.1.0" authors = ["Patrick J.P. Culp "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.7.0/public-control-container-v0-6-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.5.5"; const NEW_CONTROL_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.6.0"; /// We bumped the version of the default control container from v0.5.5 to v0.6.0 fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_SOURCE_VAL, new_val: NEW_CONTROL_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.8.0/add-autoscaling/Cargo.toml ================================================ [package] name = "add-autoscaling" version = "0.1.0" license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.8.0/add-autoscaling/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added a setting prefix for configuring autoscaling. /// Remove the whole `settings.autoscaling` prefix if we downgrade. fn run() -> Result<()> { migrate(AddPrefixesMigration(vec!["settings.autoscaling"])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.8.0/add-pull-behavior/Cargo.toml ================================================ [package] name = "add-pull-behavior" version = "0.1.0" license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/add-pull-behavior/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Registers one new setting for configuring ecs-agent, `settings.ecs.image-pull-behavior`.
///
/// NOTE(review): presumably the helper drops the key on downgrade so an older release does not
/// load a setting it cannot parse; confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    let migration = AddSettingsMigration(&["settings.ecs.image-pull-behavior"]);
    migrate(migration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // Report the failure through its Display form and exit with status 1.
    if let Err(err) = run() {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/aws-admin-container-v0-9-0/Cargo.toml
================================================
[package]
name = "aws-admin-container-v0-9-0"
version = "0.1.0"
authors = ["Richard Kelly "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/aws-admin-container-v0-9-0/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

const OLD_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.8.0";
const NEW_ADMIN_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.9.0";

/// Moves the templated default for `settings.host-containers.admin.source` from the v0.8.0 to
/// the v0.9.0 admin container image.
///
/// The registry part of both templates is produced by `ecr-prefix` from `settings.aws.region`;
/// only the tag differs. NOTE(review): the image is selected by tag, not by digest.
fn run() -> Result<()> {
    let migration = ReplaceTemplateMigration {
        setting: "settings.host-containers.admin.source",
        old_template: OLD_ADMIN_CTR_TEMPLATE,
        new_template: NEW_ADMIN_CTR_TEMPLATE,
    };
    migrate(migration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // Report the failure through its Display form and exit with status 1.
    if let Err(err) = run() {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/aws-control-container-v0-6-1/Cargo.toml
================================================
[package]
name = "aws-control-container-v0-6-1"
version = "0.1.0"
authors = ["Richard Kelly "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

================================================
FILE: sources/settings-migrations/archived/v1.8.0/aws-control-container-v0-6-1/src/main.rs
================================================
use migration_helpers::common_migrations::ReplaceTemplateMigration;
use migration_helpers::{migrate, Result};
use std::process;

const OLD_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.6.0";
const NEW_CONTROL_CTR_TEMPLATE: &str =
    "{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.6.1";

/// Moves the templated default for `settings.host-containers.control.source` from the v0.6.0
/// to the v0.6.1 control container image.
///
/// The registry part of both templates is produced by `ecr-prefix` from `settings.aws.region`;
/// only the tag differs. NOTE(review): the image is selected by tag, not by digest.
fn run() -> Result<()> {
    let migration = ReplaceTemplateMigration {
        setting: "settings.host-containers.control.source",
        old_template: OLD_CONTROL_CTR_TEMPLATE,
        new_template: NEW_CONTROL_CTR_TEMPLATE,
    };
    migrate(migration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // Report the failure through its Display form and exit with status 1.
    if let Err(err) = run() {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/boot-setting/Cargo.toml
================================================
[package]
name = "boot-setting"
version = "0.1.0"
edition = "2018"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/boot-setting/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Registers the prefixes that came with the new kernel boot configuration setting and its
/// generator: `settings.boot` and `services.bootconfig`.
///
/// NOTE(review): presumably both prefixes are removed on downgrade, so boot configuration
/// entered on the newer release would not carry over; confirm in
/// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    let migration = AddPrefixesMigration(vec!["settings.boot", "services.bootconfig"]);
    migrate(migration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // Report the failure through its Display form and exit with status 1.
    if let Err(err) = run() {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/boot-setting-metadata/Cargo.toml
================================================
[package]
name = "boot-setting-metadata"
version = "0.1.0"
edition = "2018"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/boot-setting-metadata/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// Registers the `affected-services` metadata that was added on `settings.boot` together with
/// the new kernel boot configuration setting and generator.
fn run() -> Result<()> {
    let migration = AddMetadataMigration(&[SettingMetadata {
        metadata: &["affected-services"],
        setting: "settings.boot",
    }]);
    migrate(migration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // Report the failure through its Display form and exit with status 1.
    if let Err(err) = run() {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/cluster-dns-ip-list/Cargo.toml
================================================
[package]
name = "cluster-dns-ip-list"
version = "0.1.0"
authors = ["Sean P. Kelly "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

[dev-dependencies]
serde_json = "1"

================================================
FILE: sources/settings-migrations/archived/v1.8.0/cluster-dns-ip-list/src/main.rs
================================================
use migration_helpers::{migrate, Migration, MigrationData, Result};
use std::process;

// Datastore key whose value changed shape in this release.
const CLUSTER_DNS_IP_KEY: &str = "settings.kubernetes.cluster-dns-ip";

/// We changed `settings.kubernetes.cluster-dns-ip` to support being either a string or a list of strings.
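fn run() -> Result<()> {
    migrate(ClusterDNSIPListMigration)
}

/// Migration for `settings.kubernetes.cluster-dns-ip`, which newer versions accept either as a
/// single string or as a list of strings.
struct ClusterDNSIPListMigration;

impl Migration for ClusterDNSIPListMigration {
    /// New versions allow the older string values to be present, so we don't need to do anything.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!("ClusterDNSIPListMigration has no work to do on upgrade.");
        Ok(input)
    }

    /// Older versions don't know about list-style settings, so we need to create a scalar
    /// setting using the first value.
    ///
    /// Outcome per shape of the stored value:
    /// * key absent: data is returned unchanged;
    /// * string: left untouched;
    /// * array whose first element is a string: replaced by that first element, so any
    ///   additional DNS addresses are dropped on downgrade;
    /// * anything else (empty array, non-string first element, object, number, bool): the key
    ///   is removed.
    ///
    /// NOTE(review): the retained string is not checked to be an IP address here; presumably
    /// the older settings model validates it when the datastore is loaded. Confirm.
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        let replacement = match input.data.get(CLUSTER_DNS_IP_KEY) {
            // Nothing stored under the key: avoid reporting an unrecognized value that
            // was never there.
            None => {
                println!(
                    "'{}' is not set, and does not require migration.",
                    CLUSTER_DNS_IP_KEY
                );
                return Ok(input);
            }
            // If the current value is a string, don't touch it.
            Some(prior_value) if prior_value.is_string() => {
                println!(
                    "{} is already a string value ('{}'), and does not require migration.",
                    CLUSTER_DNS_IP_KEY, prior_value
                );
                return Ok(input);
            }
            // If the current value is an array and the first element is a string, that
            // element becomes the new value. Any other case clears the value.
            Some(prior_value) => {
                println!(
                    "Found existing value for '{}': '{}'",
                    CLUSTER_DNS_IP_KEY, prior_value
                );
                prior_value
                    .as_array()
                    .and_then(|ip_array| ip_array.first())
                    .filter(|ip_value| ip_value.is_string())
                    .cloned()
            }
        };

        match replacement {
            Some(ip_value) => {
                println!(
                    "Replaced prior value for '{}' with '{}'",
                    CLUSTER_DNS_IP_KEY, ip_value
                );
                input.data.insert(CLUSTER_DNS_IP_KEY.to_string(), ip_value);
            }
            None => {
                println!(
                    "Prior value for '{}' was not recognized. Removing it.",
                    CLUSTER_DNS_IP_KEY
                );
                input.data.remove(CLUSTER_DNS_IP_KEY);
            }
        };

        Ok(input)
    }
}

#[cfg(test)]
mod test {
    use super::*;
    use std::collections::HashMap;

    #[test]
    fn test_downgrade_string() {
        let input = MigrationData {
            data: serde_json::from_str(r#"{"settings.kubernetes.cluster-dns-ip": "10.0.0.1"}"#)
                .unwrap(),
            metadata: HashMap::new(),
        };
        let expected = MigrationData {
            data: serde_json::from_str(r#"{"settings.kubernetes.cluster-dns-ip": "10.0.0.1"}"#)
                .unwrap(),
            metadata: HashMap::new(),
        };
        assert_eq!(ClusterDNSIPListMigration.backward(input).unwrap(), expected);
    }

    #[test]
    fn test_downgrade_missing() {
        // An absent key must stay absent and must not fail the migration.
        let input = MigrationData {
            data: HashMap::new(),
            metadata: HashMap::new(),
        };
        let expected = MigrationData {
            data: HashMap::new(),
            metadata: HashMap::new(),
        };
        assert_eq!(ClusterDNSIPListMigration.backward(input).unwrap(), expected);
    }

    #[test]
    fn test_downgrade_list() {
        let test_cases = [
            (
                MigrationData {
                    data: serde_json::from_str(
                        r#"{"settings.kubernetes.cluster-dns-ip": ["10.0.0.1"]}"#,
                    )
                    .unwrap(),
                    metadata: HashMap::new(),
                },
                MigrationData {
                    data: serde_json::from_str(
                        r#"{"settings.kubernetes.cluster-dns-ip": "10.0.0.1"}"#,
                    )
                    .unwrap(),
                    metadata: HashMap::new(),
                },
            ),
            (
                MigrationData {
                    data: serde_json::from_str(r#"{"settings.kubernetes.cluster-dns-ip": []}"#)
                        .unwrap(),
                    metadata: HashMap::new(),
                },
                MigrationData {
                    data: HashMap::new(),
                    metadata: HashMap::new(),
                },
            ),
            (
                MigrationData {
                    data: serde_json::from_str(
                        r#"{"settings.kubernetes.cluster-dns-ip": ["10.0.0.2", "10.0.0.1"]}"#,
                    )
                    .unwrap(),
                    metadata: HashMap::new(),
                },
                MigrationData {
                    data: serde_json::from_str(
                        r#"{"settings.kubernetes.cluster-dns-ip": "10.0.0.2"}"#,
                    )
                    .unwrap(),
                    metadata: HashMap::new(),
                },
            ),
        ];

        for (input, expected) in test_cases.iter() {
            assert_eq!(
                ClusterDNSIPListMigration.backward(input.clone()).unwrap(),
                *expected
            );
        }
    }

    #[test]
    fn test_downgrade_other() {
        let test_cases = [
            (
                MigrationData {
                    data: serde_json::from_str(
                        r#"{"settings.kubernetes.cluster-dns-ip": {"1": 2}}"#,
                    )
                    .unwrap(),
                    metadata: HashMap::new(),
                },
                MigrationData {
                    data: HashMap::new(),
                    metadata: HashMap::new(),
                },
            ),
            (
                MigrationData {
                    data: serde_json::from_str(r#"{"settings.kubernetes.cluster-dns-ip": 56}"#)
                        .unwrap(),
                    metadata: HashMap::new(),
                },
                MigrationData {
                    data: HashMap::new(),
                    metadata: HashMap::new(),
                },
            ),
            (
                MigrationData {
                    data: serde_json::from_str(r#"{"settings.kubernetes.cluster-dns-ip": false}"#)
                        .unwrap(),
                    metadata: HashMap::new(),
                },
                MigrationData {
                    data: HashMap::new(),
                    metadata: HashMap::new(),
                },
            ),
        ];

        for (input, expected) in test_cases.iter() {
            assert_eq!(
                ClusterDNSIPListMigration.backward(input.clone()).unwrap(),
                *expected
            );
        }
    }
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{}", e);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/etc-hosts/Cargo.toml
================================================
[package]
name = "etc-hosts"
version = "0.1.0"
authors = ["Sean P. Kelly "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/etc-hosts/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// We added a new setting under `settings.network` for configuring /etc/hosts: `settings.network.hosts`
fn run() -> Result<()> {
    migrate(AddPrefixesMigration(vec!["settings.network.hosts"]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.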
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.8.0/etc-hosts-metadata/Cargo.toml ================================================ [package] name = "etc-hosts-metadata" version = "0.1.0" authors = ["Sean P. Kelly "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.8.0/etc-hosts-metadata/src/main.rs ================================================ use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata}; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting and `affected-services` metadata for `network.hosts` fn run() -> Result<()> { migrate(AddMetadataMigration(&[SettingMetadata { metadata: &["affected-services"], setting: "settings.network.hosts", }])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.8.0/kubelet-pod-pids-limit/Cargo.toml ================================================ [package] name = "kubelet-pod-pids-limit" version = "0.1.0" authors = ["Tianhao Geng "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/kubelet-pod-pids-limit/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Registers the new `settings.kubernetes.pod-pids-limit` setting used to configure
/// pod-pids-limit.
///
/// NOTE(review): presumably the key is removed on downgrade, in which case a configured PID
/// limit would no longer be in the datastore on the older release; confirm in
/// `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    let migration = AddPrefixesMigration(vec!["settings.kubernetes.pod-pids-limit"]);
    migrate(migration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // Report the failure through its Display form and exit with status 1.
    if let Err(err) = run() {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/kubelet-provider-id/Cargo.toml
================================================
[package]
name = "kubelet-provider-id"
version = "0.1.0"
edition = "2018"
authors = ["Erikson Tung "]
license = "Apache-2.0 OR MIT"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/kubelet-provider-id/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// Registers the new `settings.kubernetes.provider-id` setting, which configures kubelet's
/// provider-id option.
fn run() -> Result<()> {
    let migration = AddSettingsMigration(&["settings.kubernetes.provider-id"]);
    migrate(migration)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // Report the failure through its Display form and exit with status 1.
    if let Err(err) = run() {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/pki-affected-services/Cargo.toml
================================================
[package]
name = "pki-affected-services"
version = "0.1.0"
authors = ["Arnaldo Garcia Rincon "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
build = "build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

[build-dependencies]
bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" }

================================================
FILE: sources/settings-migrations/archived/v1.8.0/pki-affected-services/build.rs
================================================
use bottlerocket_variant::Variant;

// Build script: reads the variant from the environment and emits its cfgs. The unwrap makes
// the build fail when the variant cannot be read.
fn main() {
    let detected = Variant::from_env().unwrap();
    detected.emit_cfgs();
}

================================================
FILE: sources/settings-migrations/archived/v1.8.0/pki-affected-services/src/main.rs
================================================
use migration_helpers::common_migrations::{
    MetadataListReplacement, ReplaceMetadataListsMigration,
};
use migration_helpers::{migrate, Result};
use std::process;

/// Replaces the `affected-services` list metadata of `settings.pki`: `["pki"]` gains
/// `containerd` or `docker` on upgrade, and the addition is removed again on downgrade.
///
/// Which runtime is added is fixed when the binary is compiled: `cfg!(variant_runtime = "k8s")`
/// selects `containerd`, every other build gets `docker`. NOTE(review): presumably the
/// `variant_runtime` cfg comes from the build script's `emit_cfgs` call; confirm.
fn run() -> Result<()> {
    let replacements = vec![MetadataListReplacement {
        setting: "settings.pki",
        metadata: "affected-services",
        old_vals: &["pki"],
        new_vals: if cfg!(variant_runtime = "k8s") {
            &["pki", "containerd"]
        } else {
            &["pki", "docker"]
        },
    }];
    migrate(ReplaceMetadataListsMigration(replacements))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.8.0/public-admin-container-v0-9-0/Cargo.toml ================================================ [package] name = "public-admin-container-v0-9-0" version = "0.1.0" authors = ["Richard Kelly "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.8.0/public-admin-container-v0-9-0/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.8.0"; const NEW_ADMIN_CTR_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-admin:v0.9.0"; /// We bumped the version of the default admin container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.admin.source", old_val: OLD_ADMIN_CTR_SOURCE_VAL, new_val: NEW_ADMIN_CTR_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.8.0/public-control-container-v0-6-1/Cargo.toml ================================================ [package] name = "public-control-container-v0-6-1" version = "0.1.0" authors = ["Richard Kelly "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.8.0/public-control-container-v0-6-1/src/main.rs ================================================ use migration_helpers::common_migrations::ReplaceStringMigration; use migration_helpers::{migrate, Result}; use std::process; const OLD_CONTROL_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.6.0"; const NEW_CONTROL_SOURCE_VAL: &str = "public.ecr.aws/bottlerocket/bottlerocket-control:v0.6.1"; /// We bumped the version of the default control container fn run() -> Result<()> { migrate(ReplaceStringMigration { setting: "settings.host-containers.control.source", old_val: OLD_CONTROL_SOURCE_VAL, new_val: NEW_CONTROL_SOURCE_VAL, }) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.9.0/image-gc-thresholds/Cargo.toml ================================================ [package] name = "image-gc-thresholds" version = "0.1.0" edition = "2018" authors = ["Mahdi Chaker "] license = "Apache-2.0 OR MIT" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.9.0/image-gc-thresholds/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting for configuring kubelet's image-gc-high-threshold-percent /// and image-gc-low-threshold-percent options, /// `settings.kubernetes.image-gc-high-threshold-percent` and /// `settings.kubernetes.image-gc-low-threshold-percent` fn run() -> Result<()> { migrate(AddSettingsMigration(&[ "settings.kubernetes.image-gc-high-threshold-percent", "settings.kubernetes.image-gc-low-threshold-percent", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.9.0/kernel-modules-setting/Cargo.toml ================================================ [package] name = "kernel-modules-setting" version = "0.1.0" authors = ["Ben Cressey "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.9.0/kernel-modules-setting/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added new settings under `settings.kernel.modules` for configuring /// /etc/modprobe.d/modprobe.conf. fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "settings.kernel.modules", "services.kernel-modules", "configuration-files.modprobe-conf", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. 
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.9.0/kernel-modules-setting-metadata/Cargo.toml ================================================ [package] name = "kernel-modules-setting-metadata" version = "0.1.0" authors = ["Ben Cressey "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.9.0/kernel-modules-setting-metadata/src/main.rs ================================================ use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata}; use migration_helpers::{migrate, Result}; use std::process; /// We added a new setting and `affected-services` metadata for `settings.kernel.modules` fn run() -> Result<()> { migrate(AddMetadataMigration(&[SettingMetadata { metadata: &["affected-services"], setting: "settings.kernel.modules", }])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.9.0/kubelet-no-daemon-reload/Cargo.toml ================================================ [package] name = "kubelet-no-daemon-reload" version = "0.1.0" authors = ["Ben Cressey "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" }

================================================
FILE: sources/settings-migrations/archived/v1.9.0/kubelet-no-daemon-reload/src/main.rs
================================================
use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration};
use migration_helpers::{migrate, Result};
use std::process;

/// Swaps the kubelet restart commands stored in `services.kubernetes.restart-commands`: the
/// new list drops the unnecessary systemd `daemon-reload`, and the prior two-command list has
/// to be restored on downgrade.
///
/// Both lists are fixed command lines with absolute paths. NOTE(review): presumably the
/// replacement only applies when the stored list matches one of the two lists exactly;
/// confirm in `migration_helpers::common_migrations`.
fn run() -> Result<()> {
    let replacements = vec![ListReplacement {
        setting: "services.kubernetes.restart-commands",
        old_vals: &[
            "/usr/bin/systemctl daemon-reload",
            "/usr/bin/systemctl try-restart kubelet.service",
        ],
        new_vals: &["/usr/bin/systemctl try-restart kubelet.service"],
    }];
    migrate(ReplaceListsMigration(replacements))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    // Report the failure through its Display form and exit with status 1.
    if let Err(err) = run() {
        eprintln!("{}", err);
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.9.0/ntp-affected-services/Cargo.toml
================================================
[package]
name = "ntp-affected-services"
version = "0.1.0"
authors = ["Ben Cressey "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"] [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0" } ================================================ FILE: sources/settings-migrations/archived/v1.9.0/ntp-affected-services/src/main.rs ================================================ use migration_helpers::common_migrations::{ MetadataListReplacement, ReplaceMetadataListsMigration, }; use migration_helpers::{migrate, Result}; use std::process; /// We updated the 'affected-services' list metadata for 'settings.ntp' to refer /// to the correct service name ("ntp") instead of the incorrect one ("chronyd"). fn run() -> Result<()> { migrate(ReplaceMetadataListsMigration(vec![ MetadataListReplacement { setting: "settings.ntp", metadata: "affected-services", old_vals: &["chronyd"], new_vals: &["ntp"], }, ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.9.0/shibaken-admin-userdata-semantics/Cargo.toml ================================================ [package] name = "shibaken-admin-userdata-semantics" version = "0.1.0" authors = ["Sean P. 
Kelly "] license = "Apache-2.0 OR MIT" edition = "2018" publish = false [dependencies] migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} ================================================ FILE: sources/settings-migrations/archived/v1.9.0/shibaken-admin-userdata-semantics/src/main.rs ================================================ use migration_helpers::common_migrations::{MetadataReplacement, ReplaceMetadataMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We modified the setting generator for `settings.host-containers.admin.user-data` to use the /// new interface to shibaken. fn run() -> Result<()> { migrate(ReplaceMetadataMigration(vec![MetadataReplacement { setting: "settings.host-containers.admin.user-data", metadata: "setting-generator", old_val: "shibaken", new_val: "shibaken generate-admin-userdata", }])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{}", e); process::exit(1); } } ================================================ FILE: sources/settings-migrations/archived/v1.9.0/shibaken-send-metrics/Cargo.toml ================================================ [package] name = "shibaken-send-metrics" version = "0.1.0" authors = ["Sean P. 
Kelly "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.9.0/shibaken-send-metrics/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// A `setting-generator` was added for `settings.metrics.send-metrics` on AWS variants.
/// Nothing happens on upgrade; on downgrade the metadata is removed if it is present.
fn run() -> Result<()> {
    const SETTING: &str = "settings.metrics.send-metrics";
    const METADATA_KEYS: &[&str] = &["setting-generator"];

    migrate(AddMetadataMigration(&[SettingMetadata {
        setting: SETTING,
        metadata: METADATA_KEYS,
    }]))
}

// `run` carries the real work so that `main` can print a failure through the error's Display
// implementation (Snafu gives us readable ones); returning the Result straight from `main`
// would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{}", e);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/archived/v1.9.0/updates-targets-base-url/Cargo.toml
================================================
[package]
name = "updates-targets-base-url"
version = "0.1.0"
authors = ["Patrick J.P.
Culp "]
license = "Apache-2.0 OR MIT"
edition = "2018"
publish = false

[dependencies]
migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"}

================================================
FILE: sources/settings-migrations/archived/v1.9.0/updates-targets-base-url/src/main.rs
================================================
use migration_helpers::common_migrations::{AddMetadataMigration, SettingMetadata};
use migration_helpers::{migrate, Result};
use std::process;

/// A `setting-generator` was added for `settings.updates.targets-base-url` on AWS variants.
/// Nothing happens on upgrade; on downgrade the metadata is removed if it is present.
fn run() -> Result<()> {
    const SETTING: &str = "settings.updates.targets-base-url";
    const METADATA_KEYS: &[&str] = &["setting-generator"];

    migrate(AddMetadataMigration(&[SettingMetadata {
        setting: SETTING,
        metadata: METADATA_KEYS,
    }]))
}

// `run` carries the real work so that `main` can print a failure through the error's Display
// implementation (Snafu gives us readable ones); returning the Result straight from `main`
// would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{}", e);
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/v1.34.0/kubelet-device-plugins-mig-settings/Cargo.toml
================================================
[package]
name = "kubelet-device-plugins-mig-settings"
version = "0.1.0"
authors = ["Piyush Jena "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/v1.34.0/kubelet-device-plugins-mig-settings/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// New settings were added for configuring the NVIDIA k8s device plugin; the migration is
/// given the key prefixes those additions live under.
fn run() -> Result<()> {
    let added_prefixes = vec![
        "settings.kubelet-device-plugins.nvidia.device-partitioning-strategy",
        "settings.kubelet-device-plugins.nvidia.mig",
        "configuration-files.nvidia-k8s-device-plugin-mig-conf",
    ];
    migrate(AddPrefixesMigration(added_prefixes))
}

// `run` carries the real work so that `main` can print a failure through the error's Display
// implementation (Snafu gives us readable ones); returning the Result straight from `main`
// would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{e}");
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/v1.36.0/kubernetes-ecr-credential-providers-expansion/Cargo.toml
================================================
[package]
name = "kubernetes-ecr-credential-providers-expansion"
version = "0.1.0"
authors = ["Sean P. Kelly "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/v1.36.0/kubernetes-ecr-credential-providers-expansion/src/main.rs
================================================
use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration};
use migration_helpers::{migrate, Result};
use std::process;

/// New hostname patterns were added to the list matched by the ECR credential provider.
///
/// Compared with the old list, the new one replaces the region-pinned entries
/// (`eu-isoe-west-1`, `us-iso-east-1`, `us-isob-east-1`) with region wildcards and adds the
/// `on.aws`, `on.amazonwebservices.com.cn`, `csp.hci.ic.gov` and `public.ecr.aws` hosts.
/// NOTE(review): these patterns decide which image hosts the ECR credential provider is
/// matched against, so each widening is worth checking against the set of real ECR endpoints.
fn run() -> Result<()> {
    const SETTING: &str =
        "settings.kubernetes.credential-providers.ecr-credential-provider.image-patterns";
    const OLD_PATTERNS: &[&str] = &[
        "*.dkr.ecr.*.amazonaws.com",
        "*.dkr.ecr.*.amazonaws.com.cn",
        "*.dkr.ecr-fips.*.amazonaws.com",
        "*.dkr.ecr.eu-isoe-west-1.cloud.adc-e.uk",
        "*.dkr.ecr-fips.eu-isoe-west-1.cloud.adc-e.uk",
        "*.dkr.ecr.us-iso-east-1.c2s.ic.gov",
        "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov",
    ];
    const NEW_PATTERNS: &[&str] = &[
        "*.dkr.ecr.*.amazonaws.com",
        "*.dkr.ecr.*.amazonaws.com.cn",
        "*.dkr.ecr.*.on.aws",
        "*.dkr.ecr.*.on.amazonwebservices.com.cn",
        "*.dkr.ecr-fips.*.amazonaws.com",
        "*.dkr.ecr.*.cloud.adc-e.uk",
        "*.dkr.ecr-fips.*.cloud.adc-e.uk",
        "*.dkr.ecr.*.c2s.ic.gov",
        "*.dkr.ecr-fips.*.c2s.ic.gov",
        "*.dkr.ecr.*.sc2s.sgov.gov",
        "*.dkr.ecr-fips.*.sc2s.sgov.gov",
        "*.dkr.ecr.*.csp.hci.ic.gov",
        "*.dkr.ecr-fips.*.csp.hci.ic.gov",
        "public.ecr.aws",
    ];

    migrate(ReplaceListsMigration(vec![ListReplacement {
        setting: SETTING,
        old_vals: OLD_PATTERNS,
        new_vals: NEW_PATTERNS,
    }]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
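// https://github.com/shepmaster/snafu/issues/110
fn main() {
    if let Err(e) = run() {
        eprintln!("{e}");
        process::exit(1);
    }
}

================================================
FILE: sources/settings-migrations/v1.37.0/delete-configs-and-services-on-downgrade/Cargo.toml
================================================
[package]
name = "delete-configs-and-services-on-downgrade"
version = "0.1.0"
authors = ["Sean P. Kelly "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true
snafu.workspace = true

[dev-dependencies]
maplit.workspace = true

================================================
FILE: sources/settings-migrations/v1.37.0/delete-configs-and-services-on-downgrade/src/main.rs
================================================
//! In core-kit 6.4.0, we introduced a change to delete all configuration-files and services
//! whenever the migrator runs (https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/456).
//!
//! This migration ensures that nodes downgrading to versions prior to core-kit 6.4.0 will delete
//! and re-populate these keys.

use migration_helpers::{migrate, Migration, MigrationData, Result};

/// Key prefixes whose data entries are removed on downgrade. The trailing dot anchors the match
/// to the top-level `configuration-files` / `services` namespaces, so a key that merely contains
/// one of these words further along (e.g. `settings.something.services`) is kept.
const PREFIXES_TO_DELETE: &[&str] = &["configuration-files.", "services."];

#[snafu::report]
fn main() -> Result<()> {
    migrate(DeleteConfigsAndServicesOnDowngradeMigration)
}

/// Migration that drops the `configuration-files.*` and `services.*` data keys on downgrade.
pub struct DeleteConfigsAndServicesOnDowngradeMigration;

impl Migration for DeleteConfigsAndServicesOnDowngradeMigration {
    /// Upgrade direction: nothing to change, the input is returned as received.
    // The return type carries its `MigrationData` argument; the flattened listing showed a
    // bare `Result`, which cannot be what returns `Ok(input)` next to `Result<()>` on `main`.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!("DeleteConfigsAndServicesOnDowngradeMigration has no work to do on upgrade.");
        Ok(input)
    }

    /// Downgrade direction: removes every data key that starts with one of
    /// `PREFIXES_TO_DELETE`, printing each removed key. Only `input.data` is filtered;
    /// `input.metadata` is passed through unchanged.
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        input.data.retain(|key, _| {
            let to_keep = !(PREFIXES_TO_DELETE
                .iter()
                .any(|prefix| key.starts_with(prefix)));
            if !to_keep {
                println!("Removed '{key}'");
            }
            to_keep
        });
        Ok(input)
    }
}

#[cfg(test)]
mod test {
    use super::*;
    use maplit::hashmap;
    use std::collections::HashMap;

    #[test]
    fn nothing_to_clear() {
        let data = MigrationData {
            data: hashmap! {
                "settings.hello".into() => "there".into(),
                "settings.something.configuration-files".into() => "retain this!".into(),
                "settings.something.services".into() => "and this!".into(),
            },
            metadata: HashMap::new(),
        };
        let result = DeleteConfigsAndServicesOnDowngradeMigration
            .backward(data)
            .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "settings.hello".into() => "there".into(),
                "settings.something.configuration-files".into() => "retain this!".into(),
                "settings.something.services".into() => "and this!".into(),
            }
        );
    }

    #[test]
    fn all_clear() {
        let data = MigrationData {
            data: hashmap! {
                "services.delete-this".into() => "yep".into(),
                "configuration-files.delete-this".into() => "this too".into(),
                "configuration-files.another-one".into() => "bye".into(),
                "services.and-this".into() => "au revoir".into(),
            },
            metadata: HashMap::new(),
        };
        let result = DeleteConfigsAndServicesOnDowngradeMigration
            .backward(data)
            .unwrap();
        assert_eq!(result.data, HashMap::new());
    }

    #[test]
    fn delete_some() {
        let data = MigrationData {
            data: hashmap! {
                "services.delete-this".into() => "deleted".into(),
                "configuration-files.and-this".into() => "deleted".into(),
                "settings.but-not-this".into() => "stays".into(),
                "or-this-either.configuration-files".into() => "also-stays".into(),
            },
            metadata: HashMap::new(),
        };
        let result = DeleteConfigsAndServicesOnDowngradeMigration
            .backward(data)
            .unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                "settings.but-not-this".into() => "stays".into(),
                "or-this-either.configuration-files".into() => "also-stays".into(),
            }
        );
    }

    #[test]
    fn dont_touch_the_metadata() {
        let data = MigrationData {
            data: hashmap! {
                "configuration-files.delete".into() => "delete".into(),
                "services.delete".into() => "delete".into(),
                "settings.keep".into() => "keep".into(),
            },
            metadata: hashmap! {
                "configuration-files.delete".into() => hashmap! {
                    "keep".into() => "yep!".into(),
                },
                "services.delete".into() => hashmap! {
                    "keep".into() => "yep!".into(),
                },
                "settings.keep".into() => hashmap! {
                    "keep".into() => "yep!".into(),
                },
            },
        };
        let result = DeleteConfigsAndServicesOnDowngradeMigration
            .backward(data)
            .unwrap();
        assert_eq!(
            result,
            MigrationData {
                data: hashmap! {
                    "settings.keep".into() => "keep".into(),
                },
                metadata: hashmap! {
                    "configuration-files.delete".into() => hashmap! {
                        "keep".into() => "yep!".into(),
                    },
                    "services.delete".into() => hashmap! {
                        "keep".into() => "yep!".into(),
                    },
                    "settings.keep".into() => hashmap! {
                        "keep".into() => "yep!".into(),
                    },
                },
            },
        );
    }
}

================================================
FILE: sources/settings-migrations/v1.39.0/kubelet-setting-container-log-single-process-oom-kill/Cargo.toml
================================================
[package]
name = "kubelet-setting-container-log-single-process-oom-kill"
version = "0.1.0"
authors = ["Yutong Sun "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.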
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true
snafu.workspace = true

[dev-dependencies]
maplit.workspace = true

================================================
FILE: sources/settings-migrations/v1.39.0/kubelet-setting-container-log-single-process-oom-kill/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// New k8s settings were added for:
/// - singleProcessOOMKill
/// - containerLogMaxWorkers
/// - containerLogMonitorInterval
fn run() -> Result<()> {
    const NEW_SETTINGS: &[&str] = &[
        "settings.kubernetes.container-log-max-workers",
        "settings.kubernetes.container-log-monitor-interval",
        "settings.kubernetes.single-process-oom-kill",
    ];
    migrate(AddSettingsMigration(NEW_SETTINGS))
}

// `run` carries the real work so that `main` can print a failure through the error's Display
// implementation (Snafu gives us readable ones); returning the Result straight from `main`
// would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{e}");
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/v1.40.0/kubelet-device-plugins-cdi-settings/Cargo.toml
================================================
[package]
name = "kubelet-device-plugins-cdi-settings"
version = "0.1.0"
authors = ["Jingwei Wang "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
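exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true
serde_json.workspace = true
snafu.workspace = true

[dev-dependencies]
maplit.workspace = true

================================================
FILE: sources/settings-migrations/v1.40.0/kubelet-device-plugins-cdi-settings/src/main.rs
================================================
use migration_helpers::{error, migrate, Migration, MigrationData, Result};
use snafu::OptionExt;

const DEVICE_LIST_STRATEGY_SETTING: &str =
    "settings.kubelet-device-plugins.nvidia.device-list-strategy";

#[snafu::report]
fn main() -> Result<()> {
    migrate(ReplaceDeviceListStrategy)
}

/// We changed the type of the device-list-strategy in the NVIDIA Kubernetes Device
/// plugin API from a string to a list, and accept "cdi-cri" as a valid value.
pub struct ReplaceDeviceListStrategy;

impl Migration for ReplaceDeviceListStrategy {
    /// New versions must either have a default for the settings or generate them; we don't need to
    /// do anything.
    // The return type carries its `MigrationData` argument; the flattened listing showed a
    // bare `Result`, which cannot be what returns `Ok(input)` next to `Result<()>` on `main`.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!("ReplaceDeviceListStrategy has no work to do on upgrade.");
        Ok(input)
    }

    /// Older versions only understand a single string for this setting and do not know the
    /// "cdi-cri" value, so on downgrade the value is rewritten into a form they can deserialize:
    ///
    /// - a list becomes its first element, or "volume-mounts" when the list is empty or its
    ///   first element is "cdi-cri"; any further elements are dropped;
    /// - the string "cdi-cri" becomes "volume-mounts"; any other string is left as it is;
    /// - a list holding a non-string element fails with `ReplaceListContents`, and a value that
    ///   is neither a list nor a string fails with `InvalidSettingType`;
    /// - when the setting is absent, a message is printed and nothing changes.
    ///
    /// (The settings must be defaulted or generated in new versions, and safe to remove.)
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        let setting = DEVICE_LIST_STRATEGY_SETTING;
        if let Some(data) = input.data.get_mut(setting) {
            match data {
                serde_json::Value::Array(arr) => {
                    // `as_str` yields None for a non-string element, which turns the whole
                    // collect into None and therefore into the error below.
                    let list: Vec<&str> = arr
                        .iter()
                        .map(|v| v.as_str())
                        .collect::<Option<Vec<&str>>>()
                        .context(error::ReplaceListContentsSnafu {
                            setting,
                            data: arr.clone(),
                        })?;
                    // Only the head of the list survives the downgrade.
                    let new_value = match list.first() {
                        None | Some(&"cdi-cri") => "volume-mounts".to_string(),
                        Some(value) => value.to_string(),
                    };
                    *data = serde_json::Value::String(new_value);
                }
                serde_json::Value::String(setting_str) => {
                    // Any other string is already valid for older versions and stays untouched.
                    if setting_str == "cdi-cri" {
                        *data = serde_json::Value::String("volume-mounts".to_string());
                    }
                }
                _ => error::InvalidSettingTypeSnafu {
                    data: setting.to_string(),
                }
                .fail()?,
            }
        } else {
            println!("Found no '{setting}' to change on downgrade");
        }
        Ok(input)
    }
}

#[cfg(test)]
mod test_replace_list {
    use super::*;
    use crate::{Migration, MigrationData};
    use maplit::hashmap;
    use serde_json::Value;
    use std::collections::HashMap;

    #[test]
    fn forward_test() {
        let data = MigrationData {
            data: hashmap! {
                DEVICE_LIST_STRATEGY_SETTING.into() => "volume-mounts".into(),
            },
            metadata: HashMap::new(),
        };
        let result = ReplaceDeviceListStrategy.forward(data).unwrap();
        assert_eq!(
            result.data,
            hashmap! {
                DEVICE_LIST_STRATEGY_SETTING.into() => "volume-mounts".into(),
            }
        );
    }

    #[test]
    fn backward_test() {
        let test_cases: Vec<(MigrationData, HashMap<String, Value>)> = vec![
            (
                MigrationData {
                    data: hashmap! {
                        DEVICE_LIST_STRATEGY_SETTING.into() => vec!["cdi-cri"].into(),
                    },
                    metadata: HashMap::new(),
                },
                hashmap! {
                    DEVICE_LIST_STRATEGY_SETTING.into() => "volume-mounts".into(),
                },
            ),
            (
                MigrationData {
                    data: hashmap! {
                        // The element type was lost when this listing was flattened; any
                        // element type convertible to `Value` gives the same empty array.
                        DEVICE_LIST_STRATEGY_SETTING.into() => Vec::<String>::new().into(),
                    },
                    metadata: HashMap::new(),
                },
                hashmap! {
                    DEVICE_LIST_STRATEGY_SETTING.into() => "volume-mounts".into(),
                },
            ),
            (
                MigrationData {
                    data: hashmap! {
                        DEVICE_LIST_STRATEGY_SETTING.into() => vec!["volume-mounts", "envvar"].into(),
                    },
                    metadata: HashMap::new(),
                },
                hashmap! {
                    DEVICE_LIST_STRATEGY_SETTING.into() => "volume-mounts".into(),
                },
            ),
            (
                MigrationData {
                    data: hashmap! {
                        DEVICE_LIST_STRATEGY_SETTING.into() => vec!["envvar", "volume-mounts"].into(),
                    },
                    metadata: HashMap::new(),
                },
                hashmap! {
                    DEVICE_LIST_STRATEGY_SETTING.into() => "envvar".into(),
                },
            ),
            (
                MigrationData {
                    data: hashmap! {
                        DEVICE_LIST_STRATEGY_SETTING.into() => vec!["cdi-cri", "envvar"].into(),
                    },
                    metadata: HashMap::new(),
                },
                hashmap! {
                    DEVICE_LIST_STRATEGY_SETTING.into() => "volume-mounts".into(),
                },
            ),
            (
                MigrationData {
                    data: hashmap! {
                        DEVICE_LIST_STRATEGY_SETTING.into() => vec!["cdi-cri", "envvar", "volume-mounts"].into(),
                    },
                    metadata: HashMap::new(),
                },
                hashmap! {
                    DEVICE_LIST_STRATEGY_SETTING.into() => "volume-mounts".into(),
                },
            ),
            (
                MigrationData {
                    data: hashmap! {
                        DEVICE_LIST_STRATEGY_SETTING.into() => vec!["envvar", "volume-mounts"].into(),
                    },
                    metadata: HashMap::new(),
                },
                hashmap! {
                    DEVICE_LIST_STRATEGY_SETTING.into() => "envvar".into(),
                },
            ),
            (
                MigrationData {
                    data: hashmap! {
                        DEVICE_LIST_STRATEGY_SETTING.into() => vec!["volume-mounts", "envvar"].into(),
                    },
                    metadata: HashMap::new(),
                },
                hashmap! {
                    DEVICE_LIST_STRATEGY_SETTING.into() => "volume-mounts".into(),
                },
            ),
            (
                MigrationData {
                    data: hashmap! {
                        DEVICE_LIST_STRATEGY_SETTING.into() => "cdi-cri".into(),
                    },
                    metadata: HashMap::new(),
                },
                hashmap! {
                    DEVICE_LIST_STRATEGY_SETTING.into() => "volume-mounts".into(),
                },
            ),
            (
                MigrationData {
                    data: hashmap! {
                        DEVICE_LIST_STRATEGY_SETTING.into() => "envvar".into(),
                    },
                    metadata: HashMap::new(),
                },
                hashmap! {
                    DEVICE_LIST_STRATEGY_SETTING.into() => "envvar".into(),
                },
            ),
        ];

        for (input, expected) in test_cases {
            let result = ReplaceDeviceListStrategy.backward(input).unwrap();
            assert_eq!(result.data, expected);
        }
    }
}

================================================
FILE: sources/settings-migrations/v1.41.0/kubernetes-ecr-credential-providers-correction/Cargo.toml
================================================
[package]
name = "kubernetes-ecr-credential-providers-correction"
version = "0.1.0"
authors = ["Carter McKinnon "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/v1.41.0/kubernetes-ecr-credential-providers-correction/src/main.rs
================================================
use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration};
use migration_helpers::{migrate, Result};
use std::process;

// An earlier migration added incorrect hostname patterns to be matched by the ECR credential
// provider; this migration replaces them with the corrected patterns.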
fn run() -> Result<()> {
    // The two lists differ only in the `on.aws` and `on.amazonwebservices.com.cn` entries:
    // the old list spells the host prefix `dkr.ecr`, the corrected list spells it `dkr-ecr`.
    const SETTING: &str =
        "settings.kubernetes.credential-providers.ecr-credential-provider.image-patterns";
    const OLD_PATTERNS: &[&str] = &[
        "*.dkr.ecr.*.amazonaws.com",
        "*.dkr.ecr.*.amazonaws.com.cn",
        "*.dkr.ecr.*.on.aws",
        "*.dkr.ecr.*.on.amazonwebservices.com.cn",
        "*.dkr.ecr-fips.*.amazonaws.com",
        "*.dkr.ecr.*.cloud.adc-e.uk",
        "*.dkr.ecr-fips.*.cloud.adc-e.uk",
        "*.dkr.ecr.*.c2s.ic.gov",
        "*.dkr.ecr-fips.*.c2s.ic.gov",
        "*.dkr.ecr.*.sc2s.sgov.gov",
        "*.dkr.ecr-fips.*.sc2s.sgov.gov",
        "*.dkr.ecr.*.csp.hci.ic.gov",
        "*.dkr.ecr-fips.*.csp.hci.ic.gov",
        "public.ecr.aws",
    ];
    const NEW_PATTERNS: &[&str] = &[
        "*.dkr.ecr.*.amazonaws.com",
        "*.dkr.ecr.*.amazonaws.com.cn",
        "*.dkr-ecr.*.on.aws",
        "*.dkr-ecr.*.on.amazonwebservices.com.cn",
        "*.dkr.ecr-fips.*.amazonaws.com",
        "*.dkr.ecr.*.cloud.adc-e.uk",
        "*.dkr.ecr-fips.*.cloud.adc-e.uk",
        "*.dkr.ecr.*.c2s.ic.gov",
        "*.dkr.ecr-fips.*.c2s.ic.gov",
        "*.dkr.ecr.*.sc2s.sgov.gov",
        "*.dkr.ecr-fips.*.sc2s.sgov.gov",
        "*.dkr.ecr.*.csp.hci.ic.gov",
        "*.dkr.ecr-fips.*.csp.hci.ic.gov",
        "public.ecr.aws",
    ];

    migrate(ReplaceListsMigration(vec![ListReplacement {
        setting: SETTING,
        old_vals: OLD_PATTERNS,
        new_vals: NEW_PATTERNS,
    }]))
}

// `run` carries the real work so that `main` can print a failure through the error's Display
// implementation (Snafu gives us readable ones); returning the Result straight from `main`
// would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{e}");
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/v1.42.0/kubernetes-memory-swap-behavior-setting/Cargo.toml
================================================
[package]
name = "kubernetes-memory-swap-behavior-setting"
version = "0.1.0"
authors = ["Jan Teske "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/v1.42.0/kubernetes-memory-swap-behavior-setting/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

// A new kubernetes setting that controls the memory swap behavior was added.
fn run() -> Result<()> {
    const NEW_SETTINGS: &[&str] = &["settings.kubernetes.memory-swap-behavior"];
    migrate(AddSettingsMigration(NEW_SETTINGS))
}

// `run` carries the real work so that `main` can print a failure through the error's Display
// implementation (Snafu gives us readable ones); returning the Result straight from `main`
// would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{e}");
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/v1.44.0/container-runtime-plugins-settings/Cargo.toml
================================================
[package]
name = "container-runtime-plugins-settings"
version = "0.1.0"
authors = ["Gavin Inglis "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/v1.44.0/container-runtime-plugins-settings/src/main.rs
================================================
use migration_helpers::common_migrations::AddPrefixesMigration;
use migration_helpers::{migrate, Result};
use std::process;

// New settings were added under the `settings.container-runtime-plugins` prefix.
fn run() -> Result<()> {
    let added_prefixes = vec!["settings.container-runtime-plugins"];
    migrate(AddPrefixesMigration(added_prefixes))
}

// `run` carries the real work so that `main` can print a failure through the error's Display
// implementation (Snafu gives us readable ones); returning the Result straight from `main`
// would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{e}");
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/v1.44.0/container-runtime-snapshotter-setting/Cargo.toml
================================================
[package]
name = "container-runtime-snapshotter-setting"
version = "0.1.0"
authors = ["Gavin Inglis "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/v1.44.0/container-runtime-snapshotter-setting/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

// We added a new container-runtime setting for selecting snapshotter.
fn run() -> Result<()> {
    const NEW_SETTINGS: &[&str] = &["settings.container-runtime.snapshotter"];
    migrate(AddSettingsMigration(NEW_SETTINGS))
}

// `run` carries the real work so that `main` can print a failure through the error's Display
// implementation (Snafu gives us readable ones); returning the Result straight from `main`
// would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{e}");
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/v1.46.0/kubernetes-static-pods-enabled-setting/Cargo.toml
================================================
[package]
name = "kubernetes-static-pods-enabled-setting"
version = "0.1.0"
authors = ["Vighnesh Maheshwari "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true
snafu.workspace = true

[dev-dependencies]
maplit.workspace = true

================================================
FILE: sources/settings-migrations/v1.46.0/kubernetes-static-pods-enabled-setting/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

/// A new k8s setting was added for:
/// - static_pods_enabled
fn run() -> Result<()> {
    const NEW_SETTINGS: &[&str] = &["settings.kubernetes.static-pods-enabled"];
    migrate(AddSettingsMigration(NEW_SETTINGS))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{e}"); process::exit(1); } } ================================================ FILE: sources/settings-migrations/v1.47.0/container-runtime-concurrent-download-chunk-size/Cargo.toml ================================================ [package] name = "container-runtime-concurrent-download-chunk-size" version = "0.1.0" authors = ["Kyle Sessions "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/v1.47.0/container-runtime-concurrent-download-chunk-size/src/main.rs ================================================ use migration_helpers::common_migrations::AddSettingsMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added new container-runtime setting for: /// - concurrent_download_chunk_size fn run() -> Result<()> { migrate(AddSettingsMigration(&[ "settings.container-runtime.concurrent-download-chunk-size", ])) } // Returning a Result from main makes it print a Debug representation of the error, but with Snafu // we have nice Display representations of the error, so we wrap "main" (run) and print any error. // https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{e}"); process::exit(1); } } ================================================ FILE: sources/settings-migrations/v1.47.0/host-bootstrap-containers-command-setting/Cargo.toml ================================================ [package] name = "host-bootstrap-containers-command-setting" version = "0.1.0" authors = ["Yutong Sun "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
migration-helpers.workspace = true
snafu.workspace = true

[dev-dependencies]
maplit.workspace = true

================================================
FILE: sources/settings-migrations/v1.47.0/host-bootstrap-containers-command-setting/src/main.rs
================================================
use migration_helpers::common_migrations::{AddPrefixSuffixMigration, PrefixSuffix};
use migration_helpers::{migrate, Result};
use std::process;

// A `command` setting was added for host containers and for bootstrap containers; each entry
// pairs the container namespace prefix with the `command` suffix.
fn run() -> Result<()> {
    let host_containers_command = PrefixSuffix {
        prefix: "settings.host-containers",
        suffix: "command",
    };
    let bootstrap_containers_command = PrefixSuffix {
        prefix: "settings.bootstrap-containers",
        suffix: "command",
    };
    migrate(AddPrefixSuffixMigration(vec![
        host_containers_command,
        bootstrap_containers_command,
    ]))
}

// `run` carries the real work so that `main` can print a failure through the error's Display
// implementation (Snafu gives us readable ones); returning the Result straight from `main`
// would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{e}");
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/v1.50.0/kubernetes-reserved-pid-settings/Cargo.toml
================================================
[package]
name = "kubernetes-reserved-pid-settings"
version = "0.1.0"
authors = ["Kush Upadhyay "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/v1.50.0/kubernetes-reserved-pid-settings/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

// New kubernetes settings were added to reserve pids for kubernetes and system components.
fn run() -> Result<()> {
    const NEW_SETTINGS: &[&str] = &[
        "settings.kubernetes.kube-reserved.pid",
        "settings.kubernetes.system-reserved.pid",
    ];
    migrate(AddSettingsMigration(NEW_SETTINGS))
}

// `run` carries the real work so that `main` can print a failure through the error's Display
// implementation (Snafu gives us readable ones); returning the Result straight from `main`
// would print the Debug representation instead.
// https://github.com/shepmaster/snafu/issues/110
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{e}");
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/v1.51.0/kubernetes-additional-settings/Cargo.toml
================================================
[package]
name = "kubernetes-additional-settings"
version = "0.1.0"
authors = ["Kush Upadhyay "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
exclude = ["README.md"]

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/v1.51.0/kubernetes-additional-settings/src/main.rs
================================================
use migration_helpers::common_migrations::AddSettingsMigration;
use migration_helpers::{migrate, Result};
use std::process;

// New kubernetes settings were added to configure:
// - min/max duration before an unused image is garbage-collected
// - max number of image pulls in parallel
// - mapping length of UIDs and GIDs
fn run() -> Result<()> {
    const NEW_SETTINGS: &[&str] = &[
        "settings.kubernetes.image-minimum-gc-age",
        "settings.kubernetes.image-maximum-gc-age",
        "settings.kubernetes.max-parallel-image-pulls",
        "settings.kubernetes.ids-per-pod",
    ];
    migrate(AddSettingsMigration(NEW_SETTINGS))
}

// Prints a failure from `run` through the error's Display implementation and exits with
// status 1.
fn main() {
    match run() {
        Ok(()) => {}
        Err(e) => {
            eprintln!("{e}");
            process::exit(1);
        }
    }
}

================================================
FILE: sources/settings-migrations/v1.51.0/kubernetes-beta-cpu-manager-policy-options/Cargo.toml
================================================
[package]
name = "kubernetes-beta-cpu-manager-policy-options"
version = "0.1.0"
authors = ["Kush Upadhyay "]
license = "Apache-2.0 OR MIT"
edition = "2021"
publish = false
exclude = ["README.md"]

[dependencies]
migration-helpers.workspace = true

================================================
FILE: sources/settings-migrations/v1.51.0/kubernetes-beta-cpu-manager-policy-options/src/main.rs
================================================
use migration_helpers::common_migrations::{ListRestriction, RestrictListsMigration};
use migration_helpers::{migrate, Result};
use std::process;

// Beta options for cpu-manager-policy-options became available without feature gates:
// - strict-cpu-reservation: 1.32 or higher
// - distribute-cpus-across-numa: 1.33 or higher
// - prefer-align-cpus-by-uncorecache: 1.34 or higher
//
// On downgrade, we remove these newer options to prevent kubelet from receiving
// incompatible configuration values. We keep full-pcpus-only as it's stable.
fn run() -> Result<()> { migrate(RestrictListsMigration(vec![ListRestriction { setting: "settings.kubernetes.cpu-manager-policy-options", allowed_vals: &["full-pcpus-only"], }])) } fn main() { if let Err(e) = run() { eprintln!("{e}"); process::exit(1); } } ================================================ FILE: sources/settings-migrations/v1.51.0/kubernetes-ecr-credential-provider-patterns/Cargo.toml ================================================ [package] name = "kubernetes-ecr-credential-provider-patterns" version = "0.1.0" authors = ["Sam Berning "] license = "Apache-2.0 OR MIT" edition = "2021" publish = false # Don't rebuild crate just because of changes to README. exclude = ["README.md"] # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/v1.51.0/kubernetes-ecr-credential-provider-patterns/src/main.rs ================================================ use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration}; use migration_helpers::{migrate, Result}; use std::process; /// We added new hostname patterns to be matched by the ECR credential provider. 
/// The upgrade list differs from the downgrade list only by the two `amazonaws.eu` patterns.
///
/// These patterns name the image hosts the ECR credential provider is matched against, so every
/// entry widens or narrows where registry credentials may be requested.
fn run() -> Result<()> {
    // Datastore key holding the credential provider's image host patterns.
    const IMAGE_PATTERNS_SETTING: &str =
        "settings.kubernetes.credential-providers.ecr-credential-provider.image-patterns";

    // Pattern list shipped before this migration (the downgrade target).
    const PATTERNS_BEFORE: &[&str] = &[
        "*.dkr.ecr.*.amazonaws.com",
        "*.dkr.ecr.*.amazonaws.com.cn",
        "*.dkr.ecr.*.on.aws",
        "*.dkr.ecr.*.on.amazonwebservices.com.cn",
        "*.dkr.ecr-fips.*.amazonaws.com",
        "*.dkr.ecr.*.cloud.adc-e.uk",
        "*.dkr.ecr-fips.*.cloud.adc-e.uk",
        "*.dkr.ecr.*.c2s.ic.gov",
        "*.dkr.ecr-fips.*.c2s.ic.gov",
        "*.dkr.ecr.*.sc2s.sgov.gov",
        "*.dkr.ecr-fips.*.sc2s.sgov.gov",
        "*.dkr.ecr.*.csp.hci.ic.gov",
        "*.dkr.ecr-fips.*.csp.hci.ic.gov",
        "public.ecr.aws",
    ];

    // Pattern list after this migration (the upgrade target).
    const PATTERNS_AFTER: &[&str] = &[
        "*.dkr.ecr.*.amazonaws.com",
        "*.dkr.ecr.*.amazonaws.com.cn",
        "*.dkr.ecr.*.amazonaws.eu",
        "*.dkr.ecr.*.on.aws",
        "*.dkr.ecr.*.on.amazonwebservices.com.cn",
        "*.dkr.ecr-fips.*.amazonaws.com",
        "*.dkr.ecr-fips.*.amazonaws.eu",
        "*.dkr.ecr.*.cloud.adc-e.uk",
        "*.dkr.ecr-fips.*.cloud.adc-e.uk",
        "*.dkr.ecr.*.c2s.ic.gov",
        "*.dkr.ecr-fips.*.c2s.ic.gov",
        "*.dkr.ecr.*.sc2s.sgov.gov",
        "*.dkr.ecr-fips.*.sc2s.sgov.gov",
        "*.dkr.ecr.*.csp.hci.ic.gov",
        "*.dkr.ecr-fips.*.csp.hci.ic.gov",
        "public.ecr.aws",
    ];

    // NOTE(review): presumably ReplaceListsMigration swaps the stored list only when it equals
    // one of these lists exactly, leaving operator-customised lists alone; confirm in
    // migration_helpers::common_migrations.
    let pattern_swap = ListReplacement {
        setting: IMAGE_PATTERNS_SETTING,
        old_vals: PATTERNS_BEFORE,
        new_vals: PATTERNS_AFTER,
    };

    migrate(ReplaceListsMigration(vec![pattern_swap]))
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{e}"); process::exit(1); } } ================================================ FILE: sources/settings-migrations/v1.54.0/kubelet-device-plugins-mps-prefix-settings/Cargo.toml ================================================ [package] name = "kubelet-device-plugins-mps-prefix-settings" version = "0.1.0" license = "Apache-2.0 OR MIT" edition = "2021" publish = false exclude = ["README.md"] [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/v1.54.0/kubelet-device-plugins-mps-prefix-settings/src/main.rs ================================================ use migration_helpers::common_migrations::AddPrefixesMigration; use migration_helpers::{migrate, Result}; use std::process; /// We added new settings for configuring NVIDIA MPS (Multi-Process Service) /// GPU sharing in the device plugin. On downgrade, remove the prefix for these settings. fn run() -> Result<()> { migrate(AddPrefixesMigration(vec![ "settings.kubelet-device-plugins.nvidia.mps", ])) } fn main() { if let Err(e) = run() { eprintln!("{e}"); process::exit(1); } } ================================================ FILE: sources/settings-migrations/v1.54.0/kubelet-device-plugins-mps-settings/Cargo.toml ================================================ [package] name = "kubelet-device-plugins-mps-settings" version = "0.1.0" license = "Apache-2.0 OR MIT" edition = "2021" publish = false exclude = ["README.md"] [dependencies] migration-helpers.workspace = true serde_json.workspace = true ================================================ FILE: sources/settings-migrations/v1.54.0/kubelet-device-plugins-mps-settings/src/main.rs ================================================ use migration_helpers::{migrate, Migration, MigrationData, Result}; use std::process; const DEVICE_SHARING_STRATEGY_SETTING: &str = 
"settings.kubelet-device-plugins.nvidia.device-sharing-strategy"; pub struct ReplaceDeviceSharingStrategy; impl Migration for ReplaceDeviceSharingStrategy { fn forward(&mut self, input: MigrationData) -> Result { println!("ReplaceDeviceSharingStrategy has no work to do on upgrade."); Ok(input) } fn backward(&mut self, mut input: MigrationData) -> Result { if let Some(data) = input.data.get_mut(DEVICE_SHARING_STRATEGY_SETTING) { if let serde_json::Value::String(s) = data { if s == "mps" { *data = serde_json::Value::String("none".to_string()); println!("Changed device-sharing-strategy from 'mps' to 'none' on downgrade."); } } } Ok(input) } } /// We added new enum variant for configuring NVIDIA MPS (Multi-Process Service) /// GPU sharing in the device plugin. fn run() -> Result<()> { migrate(ReplaceDeviceSharingStrategy) } fn main() { if let Err(e) = run() { eprintln!("{e}"); process::exit(1); } } ================================================ FILE: sources/settings-migrations/v1.56.0/image-verifier-plugins-extensible/Cargo.toml ================================================ [package] name = "image-verifier-plugins-extensible" version = "0.1.0" license = "Apache-2.0 OR MIT" edition = "2021" publish = false exclude = ["README.md"] [dependencies] migration-helpers.workspace = true ================================================ FILE: sources/settings-migrations/v1.56.0/image-verifier-plugins-extensible/src/main.rs ================================================ use migration_helpers::{migrate, Migration, MigrationData, Result}; use std::process; const PREFIX: &str = "settings.image-verifier-plugins."; /// Keys known to the old model that should be preserved on downgrade. const KNOWN_KEYS: &[&str] = &["enabled", "notation"]; /// Image verifier plugins changed from a fixed `notation` field to an extensible plugin map. /// On downgrade, remove any plugin keys that the old model doesn't recognize. 
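pub struct ImageVerifierPluginsExtensible;

impl Migration for ImageVerifierPluginsExtensible {
    /// Upgrade direction: the new model is a superset of the old, so existing data is passed
    /// through unchanged.
    fn forward(&mut self, input: MigrationData) -> Result<MigrationData> {
        println!("ImageVerifierPluginsExtensible has no work to do on upgrade.");
        Ok(input)
    }

    /// Downgrade direction: remove every key under `PREFIX` that is not one of `KNOWN_KEYS`
    /// (or nested beneath one), because older versions don't understand them.
    ///
    /// NOTE(review): after this runs only the `KNOWN_KEYS` subtrees remain, so any other verifier
    /// plugin is no longer configured on the older release; confirm operators are told this
    /// before a downgrade or rollback.
    /// NOTE(review): each removed value is printed, so it ends up wherever the migration's
    /// stdout is collected; confirm verifier plugin settings never hold secrets.
    fn backward(&mut self, mut input: MigrationData) -> Result<MigrationData> {
        // Collect the keys first; the map cannot be mutated while its keys are being iterated.
        let keys: Vec<String> = input
            .data
            .keys()
            .filter(|k| is_unrecognized_plugin_key(k.as_str()))
            .cloned()
            .collect();

        for key in keys {
            if let Some(data) = input.data.remove(&key) {
                println!("Removed {key}, which was set to '{data}'");
            }
        }
        Ok(input)
    }
}

/// Returns true when `key` lies under `PREFIX` but is neither one of `KNOWN_KEYS` nor nested
/// beneath one of them.
fn is_unrecognized_plugin_key(key: &str) -> bool {
    match key.strip_prefix(PREFIX) {
        // Compare whole key segments: a known name matches only when it is the entire remainder
        // or is followed by '.', so a longer name that merely starts with a known one is
        // still treated as unrecognized.
        Some(rest) => !KNOWN_KEYS.iter().any(|known| {
            matches!(
                rest.strip_prefix(*known),
                Some(tail) if tail.is_empty() || tail.starts_with('.')
            )
        }),
        // Keys outside the image-verifier-plugins subtree are never touched.
        None => false,
    }
}

/// Runs the migration through the shared `migrate` entry point.
fn run() -> Result<()> {
    migrate(ImageVerifierPluginsExtensible)
}

// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
// we have nice Display representations of the error, so we wrap "main" (run) and print any error.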
// https://github.com/shepmaster/snafu/issues/110 fn main() { if let Err(e) = run() { eprintln!("{e}"); process::exit(1); } } ================================================ FILE: sources/settings-plugins/aws-dev/Cargo.toml ================================================ [package] name = "settings-plugin-aws-dev" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false [lib] crate-type = ["cdylib"] name = "settings_aws_dev" [dependencies] abi_stable.workspace = true serde.workspace = true serde_json.workspace = true # settings plugins bottlerocket-settings-models.workspace = true bottlerocket-settings-plugin.workspace = true ================================================ FILE: sources/settings-plugins/aws-dev/src/lib.rs ================================================ use bottlerocket_settings_models::model_derive::model; use bottlerocket_settings_plugin::SettingsPlugin; #[derive(SettingsPlugin)] #[model(rename = "settings", impl_default = true)] struct AwsDevSettings { motd: bottlerocket_settings_models::MotdV1, updates: bottlerocket_settings_models::UpdatesSettingsV1, host_containers: bottlerocket_settings_models::HostContainersSettingsV1, bootstrap_commands: bottlerocket_settings_models::BootstrapCommandsSettingsV1, bootstrap_containers: bottlerocket_settings_models::BootstrapContainersSettingsV1, ntp: bottlerocket_settings_models::NtpSettingsV1, network: bottlerocket_settings_models::NetworkSettingsV1, kernel: bottlerocket_settings_models::KernelSettingsV1, boot: bottlerocket_settings_models::BootSettingsV1, aws: bottlerocket_settings_models::AwsSettingsV1, metrics: bottlerocket_settings_models::MetricsSettingsV1, pki: bottlerocket_settings_models::PkiSettingsV1, container_registry: bottlerocket_settings_models::RegistrySettingsV1, oci_hooks: bottlerocket_settings_models::OciHooksSettingsV1, cloudformation: bottlerocket_settings_models::CloudFormationSettingsV1, dns: bottlerocket_settings_models::DnsSettingsV1, } 
================================================ FILE: sources/settings-plugins/aws-ecs-2/Cargo.toml ================================================ [package] name = "settings-plugin-aws-ecs-2" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false [lib] crate-type = ["cdylib"] name = "settings_aws_ecs_2" [dependencies] abi_stable.workspace = true serde.workspace = true serde_json.workspace = true # settings plugins bottlerocket-settings-models.workspace = true bottlerocket-settings-plugin.workspace = true ================================================ FILE: sources/settings-plugins/aws-ecs-2/src/lib.rs ================================================ use bottlerocket_settings_models::model_derive::model; use bottlerocket_settings_plugin::SettingsPlugin; #[derive(SettingsPlugin)] #[model(rename = "settings", impl_default = true)] struct AwsEcs2Settings { motd: bottlerocket_settings_models::MotdV1, updates: bottlerocket_settings_models::UpdatesSettingsV1, host_containers: bottlerocket_settings_models::HostContainersSettingsV1, bootstrap_commands: bottlerocket_settings_models::BootstrapCommandsSettingsV1, bootstrap_containers: bottlerocket_settings_models::BootstrapContainersSettingsV1, ntp: bottlerocket_settings_models::NtpSettingsV1, network: bottlerocket_settings_models::NetworkSettingsV1, kernel: bottlerocket_settings_models::KernelSettingsV1, boot: bottlerocket_settings_models::BootSettingsV1, aws: bottlerocket_settings_models::AwsSettingsV1, ecs: bottlerocket_settings_models::ECSSettingsV1, metrics: bottlerocket_settings_models::MetricsSettingsV1, pki: bottlerocket_settings_models::PkiSettingsV1, container_registry: bottlerocket_settings_models::RegistrySettingsV1, oci_defaults: bottlerocket_settings_models::OciDefaultsV1, oci_hooks: bottlerocket_settings_models::OciHooksSettingsV1, cloudformation: bottlerocket_settings_models::CloudFormationSettingsV1, autoscaling: bottlerocket_settings_models::AutoScalingSettingsV1, dns: 
bottlerocket_settings_models::DnsSettingsV1, } ================================================ FILE: sources/settings-plugins/aws-ecs-3/Cargo.toml ================================================ [package] name = "settings-plugin-aws-ecs-3" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false [lib] crate-type = ["cdylib"] name = "settings_aws_ecs_3" [dependencies] abi_stable.workspace = true serde.workspace = true serde_json.workspace = true # settings plugins bottlerocket-settings-models.workspace = true bottlerocket-settings-plugin.workspace = true ================================================ FILE: sources/settings-plugins/aws-ecs-3/src/lib.rs ================================================ use bottlerocket_settings_models::model_derive::model; use bottlerocket_settings_plugin::SettingsPlugin; #[derive(SettingsPlugin)] #[model(rename = "settings", impl_default = true)] struct AwsEcs3Settings { motd: bottlerocket_settings_models::MotdV1, updates: bottlerocket_settings_models::UpdatesSettingsV1, host_containers: bottlerocket_settings_models::HostContainersSettingsV1, bootstrap_commands: bottlerocket_settings_models::BootstrapCommandsSettingsV1, bootstrap_containers: bottlerocket_settings_models::BootstrapContainersSettingsV1, ntp: bottlerocket_settings_models::NtpSettingsV1, network: bottlerocket_settings_models::NetworkSettingsV1, kernel: bottlerocket_settings_models::KernelSettingsV1, boot: bottlerocket_settings_models::BootSettingsV1, aws: bottlerocket_settings_models::AwsSettingsV1, ecs: bottlerocket_settings_models::ECSSettingsV1, metrics: bottlerocket_settings_models::MetricsSettingsV1, pki: bottlerocket_settings_models::PkiSettingsV1, container_registry: bottlerocket_settings_models::RegistrySettingsV1, oci_defaults: bottlerocket_settings_models::OciDefaultsV1, oci_hooks: bottlerocket_settings_models::OciHooksSettingsV1, cloudformation: bottlerocket_settings_models::CloudFormationSettingsV1, autoscaling: 
bottlerocket_settings_models::AutoScalingSettingsV1, dns: bottlerocket_settings_models::DnsSettingsV1, image_verifier_plugins: bottlerocket_settings_models::ImageVerifierPluginsSettingsV1, } ================================================ FILE: sources/settings-plugins/aws-k8s/Cargo.toml ================================================ [package] name = "settings-plugin-aws-k8s" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false [lib] crate-type = ["cdylib"] name = "settings_aws_k8s" [dependencies] abi_stable.workspace = true serde.workspace = true serde_json.workspace = true # settings plugins bottlerocket-settings-models.workspace = true bottlerocket-settings-plugin.workspace = true ================================================ FILE: sources/settings-plugins/aws-k8s/src/lib.rs ================================================ use bottlerocket_settings_models::model_derive::model; use bottlerocket_settings_plugin::SettingsPlugin; #[derive(SettingsPlugin)] #[model(rename = "settings", impl_default = true)] struct AwsK8sSettings { motd: bottlerocket_settings_models::MotdV1, kubernetes: bottlerocket_settings_models::KubernetesSettingsV1, updates: bottlerocket_settings_models::UpdatesSettingsV1, host_containers: bottlerocket_settings_models::HostContainersSettingsV1, bootstrap_commands: bottlerocket_settings_models::BootstrapCommandsSettingsV1, bootstrap_containers: bottlerocket_settings_models::BootstrapContainersSettingsV1, ntp: bottlerocket_settings_models::NtpSettingsV1, network: bottlerocket_settings_models::NetworkSettingsV1, kernel: bottlerocket_settings_models::KernelSettingsV1, boot: bottlerocket_settings_models::BootSettingsV1, aws: bottlerocket_settings_models::AwsSettingsV1, metrics: bottlerocket_settings_models::MetricsSettingsV1, pki: bottlerocket_settings_models::PkiSettingsV1, container_registry: bottlerocket_settings_models::RegistrySettingsV1, oci_defaults: bottlerocket_settings_models::OciDefaultsV1, oci_hooks: 
bottlerocket_settings_models::OciHooksSettingsV1, cloudformation: bottlerocket_settings_models::CloudFormationSettingsV1, dns: bottlerocket_settings_models::DnsSettingsV1, container_runtime: bottlerocket_settings_models::ContainerRuntimeSettingsV1, container_runtime_plugins: bottlerocket_settings_models::ContainerRuntimePluginsSettingsV1, autoscaling: bottlerocket_settings_models::AutoScalingSettingsV1, } ================================================ FILE: sources/settings-plugins/aws-k8s-nvidia/Cargo.toml ================================================ [package] name = "settings-plugin-aws-k8s-nvidia" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false [lib] crate-type = ["cdylib"] name = "settings_aws_k8s_nvidia" [dependencies] abi_stable.workspace = true serde.workspace = true serde_json.workspace = true # settings plugins bottlerocket-settings-plugin = { workspace = true } bottlerocket-settings-models = { workspace = true } ================================================ FILE: sources/settings-plugins/aws-k8s-nvidia/src/lib.rs ================================================ use bottlerocket_settings_models::model_derive::model; use bottlerocket_settings_plugin::SettingsPlugin; #[derive(SettingsPlugin)] #[model(rename = "settings", impl_default = true)] struct AwsK8sSettings { motd: bottlerocket_settings_models::MotdV1, kubernetes: bottlerocket_settings_models::KubernetesSettingsV1, updates: bottlerocket_settings_models::UpdatesSettingsV1, host_containers: bottlerocket_settings_models::HostContainersSettingsV1, bootstrap_commands: bottlerocket_settings_models::BootstrapCommandsSettingsV1, bootstrap_containers: bottlerocket_settings_models::BootstrapContainersSettingsV1, ntp: bottlerocket_settings_models::NtpSettingsV1, network: bottlerocket_settings_models::NetworkSettingsV1, kernel: bottlerocket_settings_models::KernelSettingsV1, boot: bottlerocket_settings_models::BootSettingsV1, aws: 
bottlerocket_settings_models::AwsSettingsV1, metrics: bottlerocket_settings_models::MetricsSettingsV1, pki: bottlerocket_settings_models::PkiSettingsV1, container_registry: bottlerocket_settings_models::RegistrySettingsV1, oci_defaults: bottlerocket_settings_models::OciDefaultsV1, oci_hooks: bottlerocket_settings_models::OciHooksSettingsV1, cloudformation: bottlerocket_settings_models::CloudFormationSettingsV1, dns: bottlerocket_settings_models::DnsSettingsV1, container_runtime: bottlerocket_settings_models::ContainerRuntimeSettingsV1, container_runtime_plugins: bottlerocket_settings_models::ContainerRuntimePluginsSettingsV1, autoscaling: bottlerocket_settings_models::AutoScalingSettingsV1, nvidia_container_runtime: bottlerocket_settings_models::NvidiaContainerRuntimeSettingsV1, kubelet_device_plugins: bottlerocket_settings_models::KubeletDevicePluginsV1, } ================================================ FILE: sources/settings-plugins/metal-dev/Cargo.toml ================================================ [package] name = "settings-plugin-metal-dev" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false [lib] crate-type = ["cdylib"] name = "settings_metal_dev" [dependencies] abi_stable.workspace = true serde.workspace = true serde_json.workspace = true # settings plugins bottlerocket-settings-models.workspace = true bottlerocket-settings-plugin.workspace = true ================================================ FILE: sources/settings-plugins/metal-dev/src/lib.rs ================================================ use bottlerocket_settings_models::model_derive::model; use bottlerocket_settings_plugin::SettingsPlugin; #[derive(SettingsPlugin)] #[model(rename = "settings", impl_default = true)] struct MetalDevSettings { motd: bottlerocket_settings_models::MotdV1, updates: bottlerocket_settings_models::UpdatesSettingsV1, host_containers: bottlerocket_settings_models::HostContainersSettingsV1, bootstrap_commands: 
bottlerocket_settings_models::BootstrapCommandsSettingsV1, bootstrap_containers: bottlerocket_settings_models::BootstrapContainersSettingsV1, ntp: bottlerocket_settings_models::NtpSettingsV1, network: bottlerocket_settings_models::NetworkSettingsV1, kernel: bottlerocket_settings_models::KernelSettingsV1, boot: bottlerocket_settings_models::BootSettingsV1, metrics: bottlerocket_settings_models::MetricsSettingsV1, pki: bottlerocket_settings_models::PkiSettingsV1, container_registry: bottlerocket_settings_models::RegistrySettingsV1, oci_hooks: bottlerocket_settings_models::OciHooksSettingsV1, dns: bottlerocket_settings_models::DnsSettingsV1, } ================================================ FILE: sources/settings-plugins/metal-k8s/Cargo.toml ================================================ [package] name = "settings-plugin-metal-k8s" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false [lib] crate-type = ["cdylib"] name = "settings_metal_k8s" [dependencies] abi_stable.workspace = true serde.workspace = true serde_json.workspace = true # settings plugins bottlerocket-settings-models.workspace = true bottlerocket-settings-plugin.workspace = true ================================================ FILE: sources/settings-plugins/metal-k8s/src/lib.rs ================================================ use bottlerocket_settings_models::model_derive::model; use bottlerocket_settings_plugin::SettingsPlugin; #[derive(SettingsPlugin)] #[model(rename = "settings", impl_default = true)] struct MetalK8sSettings { motd: bottlerocket_settings_models::MotdV1, kubernetes: bottlerocket_settings_models::KubernetesSettingsV1, updates: bottlerocket_settings_models::UpdatesSettingsV1, host_containers: bottlerocket_settings_models::HostContainersSettingsV1, bootstrap_commands: bottlerocket_settings_models::BootstrapCommandsSettingsV1, bootstrap_containers: bottlerocket_settings_models::BootstrapContainersSettingsV1, ntp: bottlerocket_settings_models::NtpSettingsV1, 
network: bottlerocket_settings_models::NetworkSettingsV1, kernel: bottlerocket_settings_models::KernelSettingsV1, boot: bottlerocket_settings_models::BootSettingsV1, aws: bottlerocket_settings_models::AwsSettingsV1, metrics: bottlerocket_settings_models::MetricsSettingsV1, pki: bottlerocket_settings_models::PkiSettingsV1, container_registry: bottlerocket_settings_models::RegistrySettingsV1, oci_defaults: bottlerocket_settings_models::OciDefaultsV1, oci_hooks: bottlerocket_settings_models::OciHooksSettingsV1, dns: bottlerocket_settings_models::DnsSettingsV1, container_runtime: bottlerocket_settings_models::ContainerRuntimeSettingsV1, } ================================================ FILE: sources/settings-plugins/vmware-dev/Cargo.toml ================================================ [package] name = "settings-plugin-vmware-dev" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false [lib] crate-type = ["cdylib"] name = "settings_vmware_dev" [dependencies] abi_stable.workspace = true serde.workspace = true serde_json.workspace = true # settings plugins bottlerocket-settings-models.workspace = true bottlerocket-settings-plugin.workspace = true ================================================ FILE: sources/settings-plugins/vmware-dev/src/lib.rs ================================================ use bottlerocket_settings_models::model_derive::model; use bottlerocket_settings_plugin::SettingsPlugin; #[derive(SettingsPlugin)] #[model(rename = "settings", impl_default = true)] struct VmwareDevSettings { motd: bottlerocket_settings_models::MotdV1, updates: bottlerocket_settings_models::UpdatesSettingsV1, host_containers: bottlerocket_settings_models::HostContainersSettingsV1, bootstrap_commands: bottlerocket_settings_models::BootstrapCommandsSettingsV1, bootstrap_containers: bottlerocket_settings_models::BootstrapContainersSettingsV1, ntp: bottlerocket_settings_models::NtpSettingsV1, network: bottlerocket_settings_models::NetworkSettingsV1, kernel: 
bottlerocket_settings_models::KernelSettingsV1, boot: bottlerocket_settings_models::BootSettingsV1, metrics: bottlerocket_settings_models::MetricsSettingsV1, pki: bottlerocket_settings_models::PkiSettingsV1, container_registry: bottlerocket_settings_models::RegistrySettingsV1, oci_hooks: bottlerocket_settings_models::OciHooksSettingsV1, dns: bottlerocket_settings_models::DnsSettingsV1, } ================================================ FILE: sources/settings-plugins/vmware-k8s/Cargo.toml ================================================ [package] name = "settings-plugin-vmware-k8s" version = "0.1.0" edition = "2021" license = "Apache-2.0 OR MIT" publish = false [lib] crate-type = ["cdylib"] name = "settings_vmware_k8s" [dependencies] abi_stable.workspace = true serde.workspace = true serde_json.workspace = true # settings plugins bottlerocket-settings-models.workspace = true bottlerocket-settings-plugin.workspace = true ================================================ FILE: sources/settings-plugins/vmware-k8s/src/lib.rs ================================================ use bottlerocket_settings_models::model_derive::model; use bottlerocket_settings_plugin::SettingsPlugin; #[derive(SettingsPlugin)] #[model(rename = "settings", impl_default = true)] struct VmwareK8sSettings { motd: bottlerocket_settings_models::MotdV1, kubernetes: bottlerocket_settings_models::KubernetesSettingsV1, updates: bottlerocket_settings_models::UpdatesSettingsV1, host_containers: bottlerocket_settings_models::HostContainersSettingsV1, bootstrap_commands: bottlerocket_settings_models::BootstrapCommandsSettingsV1, bootstrap_containers: bottlerocket_settings_models::BootstrapContainersSettingsV1, ntp: bottlerocket_settings_models::NtpSettingsV1, network: bottlerocket_settings_models::NetworkSettingsV1, kernel: bottlerocket_settings_models::KernelSettingsV1, aws: bottlerocket_settings_models::AwsSettingsV1, boot: bottlerocket_settings_models::BootSettingsV1, metrics: 
bottlerocket_settings_models::MetricsSettingsV1, pki: bottlerocket_settings_models::PkiSettingsV1, container_registry: bottlerocket_settings_models::RegistrySettingsV1, oci_defaults: bottlerocket_settings_models::OciDefaultsV1, oci_hooks: bottlerocket_settings_models::OciHooksSettingsV1, dns: bottlerocket_settings_models::DnsSettingsV1, container_runtime: bottlerocket_settings_models::ContainerRuntimeSettingsV1, container_runtime_plugins: bottlerocket_settings_models::ContainerRuntimePluginsSettingsV1, } ================================================ FILE: sources/shared-defaults/aws-autoscaling.toml ================================================ # Autoscaling warm pool support [settings.autoscaling] should-wait = false ================================================ FILE: sources/shared-defaults/aws-bootstrap-container.toml ================================================ [metadata.settings.bootstrap-containers.source.setting-generator] command = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-bootstrap:v0.2.14'" strength = "weak" depth = 1 ================================================ FILE: sources/shared-defaults/aws-creds.toml ================================================ [settings.aws] profile = "default" [metadata.settings.aws.config] setting-generator = "schnauzer-v2 render --requires 'aws@v1(helpers=[aws-config])' --template '{{ aws-config settings.aws.config settings.aws.profile }}'" [services.aws] configuration-files = [ "aws-config", "aws-credentials", ] restart-commands = [] [metadata.settings.aws] affected-services = ["aws"] [configuration-files.aws-config] path = "/root/.aws/config" template-path = "/usr/share/templates/aws-config" [configuration-files.aws-credentials] path = "/root/.aws/credentials" template-path = "/usr/share/templates/aws-credentials" ================================================ FILE: sources/shared-defaults/aws-host-containers.toml 
================================================
# Admin host container: disabled by default. When an operator enables it, it runs with
# superpowered = true.
# NOTE(review): superpowered is the elevated-privilege mode for host containers; treat enabling
# the admin container as widening host access and see SECURITY_GUIDANCE.md in this repository.
[settings.host-containers.admin]
enabled = false
superpowered = true

# The admin image source is rendered from settings.aws.region through the ecr-prefix helper.
# NOTE(review): the image is referenced by tag (v0.20.4), not by digest, so integrity relies on
# the registry keeping that tag immutable; confirm.
[metadata.settings.host-containers.admin.source.setting-generator]
command = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-admin:v0.20.4'"
strength = "weak"

# The admin container's user-data is produced by the shibaken generator rather than set here.
[metadata.settings.host-containers.admin.user-data]
setting-generator = "shibaken generate-admin-userdata"

# Control host container: enabled by default and not superpowered.
[settings.host-containers.control]
enabled = true
superpowered = false

# Same generator pattern and tag-based reference as the admin image above.
[metadata.settings.host-containers.control.source.setting-generator]
command = "schnauzer-v2 render --requires 'aws@v1(helpers=[ecr-prefix])' --template '{{ ecr-prefix settings.aws.region }}/bottlerocket-control:v0.20.4'"
strength = "weak"

================================================
FILE: sources/shared-defaults/aws-tuf.toml
================================================
# Base URL for update targets, rendered from settings.aws.region through the tuf-prefix helper.
[metadata.settings.updates.targets-base-url]
setting-generator = "schnauzer-v2 render --requires 'aws@v1' --requires 'updates@v1(helpers=[tuf-prefix])' --template '{{ tuf-prefix settings.aws.region }}/targets/'"

# Base URL for update metadata: region-derived prefix plus the fixed 2020-07-07 path segment,
# the OS variant id and the architecture.
# NOTE(review): both URLs are derived from settings.aws.region; confirm how an unexpected region
# value is handled by the helpers, since it decides where updates are fetched from.
[metadata.settings.updates.metadata-base-url]
setting-generator = "schnauzer-v2 render --requires 'aws@v1' --requires 'updates@v1(helpers=[metadata-prefix, tuf-prefix])' --template '{{ tuf-prefix settings.aws.region }}{{ metadata-prefix settings.aws.region }}/2020-07-07/{{ os.variant_id }}/{{ os.arch }}/'"

================================================
FILE: sources/shared-defaults/boot.toml
================================================
# Boot related settings
# settings.boot is generated by prairiedog, and a change to it affects the bootconfig service.
[metadata.settings.boot]
affected-services = ["bootconfig"]
setting-generator = "/usr/bin/prairiedog generate-boot-settings"

# bootconfig renders prairiedog-toml and then runs prairiedog to generate the boot config.
[services.bootconfig]
configuration-files = ["prairiedog-toml"]
restart-commands = ["/usr/bin/prairiedog generate-boot-config"]

# Rendered from the template into /etc/prairiedog.toml.
[configuration-files.prairiedog-toml]
path = "/etc/prairiedog.toml"
template-path = "/usr/share/templates/prairiedog-toml"
================================================ FILE: sources/shared-defaults/cf-signal.toml ================================================ [settings.cloudformation] should-signal = false stack-name = "" logical-resource-id = "" [services.cfsignal] configuration-files = ["cfsignal-toml"] restart-commands = ["/bin/systemctl try-restart cfsignal.service"] [configuration-files.cfsignal-toml] path = "/etc/cfsignal.toml" template-path = "/usr/share/templates/cfsignal-toml" [metadata.settings.cloudformation] affected-services = ["cfsignal"] ================================================ FILE: sources/shared-defaults/containerd-cri-pki.toml ================================================ [metadata.settings.pki] affected-services = ["pki", "containerd"] ================================================ FILE: sources/shared-defaults/defaults.toml ================================================ # Here we define a common set of default settings for most variants. # A variant includes these by symlinking this file into its `defaults.d` directory. # It can override these settings in any file listed after that in the directory. # The structures, fields, and types here need to match those of the API model, # as defined in src/VARIANT/mod.rs. [settings] motd = "Welcome to Bottlerocket!" [metadata.settings.motd] affected-services = ["motd"] [services.motd] configuration-files = ["motd"] restart-commands = [] [configuration-files.motd] path = "/etc/motd" template-path = "/usr/share/templates/motd" # Container runtime. [services.containerd] configuration-files = ["containerd-config-toml", "proxy-env"] restart-commands = ["/bin/systemctl try-restart containerd.service"] [configuration-files.containerd-config-toml] path = "/etc/containerd/config.toml" template-path = "/usr/share/templates/containerd-config-toml_basic" # Container runtime settings. 
[metadata.settings.container-runtime]
affected-services = ["containerd"]

# Host-container runtime
[services.host-containerd]
configuration-files = ["proxy-env"]
restart-commands = ["/bin/systemctl try-restart host-containerd.service"]

# Updates.
[settings.updates]
version-lock = "latest"
ignore-waves = false

[services.thar-be-updates]
configuration-files = ["thar-be-updates-toml"]
restart-commands = []

[services.updog]
configuration-files = ["updog-toml"]
restart-commands = []

[configuration-files.thar-be-updates-toml]
path = "/etc/thar-be-updates.toml"
template-path = "/usr/share/templates/thar-be-updates-toml"

[configuration-files.updog-toml]
path = "/etc/updog.toml"
template-path = "/usr/share/templates/updog-toml"

[metadata.settings.updates]
affected-services = ["updog", "thar-be-updates"]
# The seed value has no literal default here; it is produced by a generator command.
seed.setting-generator = "bork seed"

# HostContainers
[services.host-containers]
configuration-files = ["host-ctr-toml", "host-containers-toml"]
restart-commands = ["/usr/bin/host-containers"]

[configuration-files.host-ctr-toml]
path = "/etc/host-containers/host-ctr.toml"
template-path = "/usr/share/templates/host-ctr-toml"

[configuration-files.host-containers-toml]
path = "/etc/host-containers/host-containers.toml"
template-path = "/usr/share/templates/host-containers-toml"

[metadata.settings.host-containers]
affected-services = ["host-containers"]

# Network
[configuration-files.proxy-env]
path = "/etc/network/proxy.env"
template-path = "/usr/share/templates/proxy-env"

# Every service that lists proxy-env above is also listed here, except where a
# variant file replaces this table (ecs.toml, kubernetes-*.toml).
[metadata.settings.network]
affected-services = ["containerd", "host-containerd", "host-containers", "updog"]

[metadata.settings.network.hostname]
affected-services = ["hostname", "hosts"]
setting-generator = "netdog generate-hostname"

[services.hostname]
configuration-files = ["hostname"]
restart-commands = ["/bin/systemctl try-restart set-hostname.service"]

[configuration-files.hostname]
path = "/etc/network/hostname.env"
template-path = "/usr/share/templates/hostname-env"

[metadata.settings.network.hosts]
affected-services = ["hosts"]

[services.hosts]
configuration-files = ["hosts"]
restart-commands = []

[configuration-files.hosts]
path = "/etc/hosts"
template-path = "/usr/share/templates/hosts"

# NTP
# 169.254.169.123 is a link-local address (the Amazon Time Sync Service);
# public-ntp.toml replaces this list for variants that cannot assume a local
# endpoint.
[settings.ntp]
time-servers = ["169.254.169.123", "2.amazon.pool.ntp.org"]
options = ["iburst"]

[services.ntp]
configuration-files = ["chrony-conf"]
restart-commands = ["/bin/systemctl try-reload-or-restart chronyd.service"]

[configuration-files.chrony-conf]
path = "/etc/chrony.conf"
template-path = "/usr/share/templates/chrony-conf"

[metadata.settings.ntp]
affected-services = ["ntp"]

# Kernel
# sysctl and lockdown share one rendered file (corndog-toml) and differ only in
# the corndog subcommand that is run.
[services.sysctl]
configuration-files = ["corndog-toml"]
restart-commands = ["/usr/bin/corndog sysctl"]

[metadata.settings.kernel.sysctl]
affected-services = ["sysctl"]

[services.kernel-modules]
configuration-files = ["modprobe-conf", "modules-load"]
restart-commands = ["/usr/bin/systemctl try-restart systemd-modules-load"]

[configuration-files.modprobe-conf]
path = "/etc/modprobe.d/modprobe.conf"
template-path = "/usr/share/templates/modprobe-conf"

[configuration-files.modules-load]
path = "/etc/modules-load.d/modules-load.conf"
template-path = "/usr/share/templates/modules-load"

[metadata.settings.kernel.modules]
affected-services = ["kernel-modules"]

[services.lockdown]
configuration-files = ["corndog-toml"]
restart-commands = ["/usr/bin/corndog lockdown"]

[metadata.settings.kernel.lockdown]
affected-services = ["lockdown"]

[configuration-files.corndog-toml]
path = "/etc/corndog.toml"
template-path = "/usr/share/templates/corndog-toml"

# Bootstrap Commands
[services.bootstrap-commands]
configuration-files = ["bootstrap-commands-toml"]
restart-commands = []

[metadata.settings.bootstrap-commands]
affected-services = ["bootstrap-commands"]

[configuration-files.bootstrap-commands-toml]
path = "/etc/bootstrap-commands/bootstrap-commands.toml"
template-path = "/usr/share/templates/bootstrap-commands-toml"

# Bootstrap Containers
[services.bootstrap-containers]
configuration-files = ["host-ctr-toml", "bootstrap-containers-toml"]
restart-commands = ["/usr/bin/bootstrap-containers create-containers"]

[metadata.settings.bootstrap-containers]
affected-services = ["bootstrap-containers"]

[configuration-files.bootstrap-containers-toml]
path = "/etc/bootstrap-containers/bootstrap-containers.toml"
template-path = "/usr/share/templates/bootstrap-containers-toml"

# Certdog
[services.pki]
configuration-files = ["certdog-toml"]
restart-commands = ["/usr/bin/certdog"]

# DNS
[metadata.settings.dns]
affected-services = ["dns"]

# NOTE(review): this restart command is a bare name, while the other entries in
# this file use absolute paths; it resolves through the PATH of whatever runs
# restart-commands. Confirm that is intended.
[services.dns]
configuration-files = ["netdog-toml"]
restart-commands = ["netdog write-resolv-conf"]

[configuration-files.netdog-toml]
path = "/etc/netdog.toml"
template-path = "/usr/share/templates/netdog-toml"

[configuration-files.certdog-toml]
path = "/etc/certdog.toml"
template-path = "/usr/share/templates/certdog-toml"

# thar-be-registries - renders hosts.toml files for containerd registry config
[services.thar-be-registries]
configuration-files = ["thar-be-registries-toml"]
restart-commands = ["/usr/bin/thar-be-registries"]

[configuration-files.thar-be-registries-toml]
path = "/etc/containerd/thar-be-registries.toml"
template-path = "/usr/share/templates/thar-be-registries-toml"

================================================
FILE: sources/shared-defaults/docker-daemon-nvidia.toml
================================================
# Same output path as the docker-daemon-config entry in docker-services.toml,
# rendered from the NVIDIA template instead.
[configuration-files.docker-daemon-config]
path = "/etc/docker/daemon.json"
template-path = "/usr/share/templates/docker-daemon-nvidia-json"

================================================
FILE: sources/shared-defaults/docker-pki.toml
================================================
[metadata.settings.pki]
affected-services = ["pki", "docker"]

================================================
FILE: sources/shared-defaults/docker-services.toml
================================================
[services.docker]
restart-commands = ["/bin/systemctl try-restart docker.service"]
configuration-files = ["docker-daemon-config", "proxy-env"]

[configuration-files.docker-daemon-config]
path = "/etc/docker/daemon.json"
template-path = "/usr/share/templates/docker-daemon-json"

# Image registries. Retained for backwards compatibility, but superseded by the
# more specific metadata for mirrors and credentials.
[metadata.settings.container-registry]
affected-services = ["docker", "host-containers", "bootstrap-containers", "thar-be-registries"]

# Image registry mirrors
[metadata.settings.container-registry.mirrors]
affected-services = ["docker", "host-containers", "bootstrap-containers", "thar-be-registries"]

# Image registry credentials
# Unlike mirrors, the credentials list does not include "docker".
[metadata.settings.container-registry.credentials]
affected-services = ["host-containers", "bootstrap-containers", "thar-be-registries"]

================================================
FILE: sources/shared-defaults/ecs.toml
================================================
# ECS
[services.ecs]
restart-commands = ["/bin/systemctl try-reload-or-restart ecs.service"]
configuration-files = ["ecs-config"]

[configuration-files.ecs-config]
path = "/etc/systemd/system/ecs.service.d/10-base.conf"
template-path = "/usr/share/templates/ecs-base-conf"

[metadata.settings.ecs]
affected-services = ["ecs"]

# Privileged containers are off by default.
[settings.ecs]
allow-privileged-containers = false
image-pull-behavior = "default"
logging-drivers = ["json-file", "awslogs", "none"]
loglevel = "info"

# Metrics
[settings.metrics]
service-checks = ["apiserver", "chronyd", "containerd", "host-containerd", "docker", "ecs"]

# Network
[metadata.settings.network]
affected-services = ["containerd", "docker", "ecs", "host-containerd", "host-containers", "updog"]

# Image registry credentials
[metadata.settings.container-registry.credentials]
affected-services = ["ecs", "host-containers", "bootstrap-containers", "thar-be-registries"]

================================================
FILE: sources/shared-defaults/image-verification.toml
================================================
# Container runtime - image verification
[services.image-verification]
configuration-files = [
    "containerd-image-verifiers-toml",
    "thar-be-image-verifiers-toml",
]
restart-commands = ["/usr/bin/thar-be-image-verifiers"]

[metadata.settings.image-verifier-plugins]
affected-services = ["image-verification"]

# Reload the containerd configuration drop-in
[metadata.settings.image-verifier-plugins.enabled]
affected-services = ["containerd", "image-verification"]

[configuration-files.containerd-image-verifiers-toml]
path = "/etc/containerd/config.d/002-image-verification-plugins.toml"
template-path = "/usr/share/templates/containerd-image-verifiers-toml"

[configuration-files.thar-be-image-verifiers-toml]
path = "/etc/thar-be-image-verifiers.toml"
template-path = "/usr/share/templates/thar-be-image-verifiers-toml"

================================================
FILE: sources/shared-defaults/kubernetes-aws-credential-provider.toml
================================================
# The ECR credential provider is enabled by default for the image patterns below.
# NOTE(review): the "*" entries are presumably glob-matched against the image
# registry host by the kubelet; confirm before adding broader patterns, since a
# matching host is one the provider's credentials are offered to.
[settings.kubernetes.credential-providers.ecr-credential-provider]
enabled = true
cache-duration = "12h"
image-patterns = [
    "*.dkr.ecr.*.amazonaws.com",
    "*.dkr.ecr.*.amazonaws.com.cn",
    "*.dkr.ecr.*.amazonaws.eu",
    "*.dkr-ecr.*.on.aws",
    "*.dkr-ecr.*.on.amazonwebservices.com.cn",
    "*.dkr.ecr-fips.*.amazonaws.com",
    "*.dkr.ecr-fips.*.amazonaws.eu",
    "*.dkr.ecr.*.cloud.adc-e.uk",
    "*.dkr.ecr-fips.*.cloud.adc-e.uk",
    "*.dkr.ecr.*.c2s.ic.gov",
    "*.dkr.ecr-fips.*.c2s.ic.gov",
    "*.dkr.ecr.*.sc2s.sgov.gov",
    "*.dkr.ecr-fips.*.sc2s.sgov.gov",
    "*.dkr.ecr.*.csp.hci.ic.gov",
    "*.dkr.ecr-fips.*.csp.hci.ic.gov",
    "public.ecr.aws",
]

================================================
FILE: sources/shared-defaults/kubernetes-aws-external-cloud-provider.toml
================================================
# Sets cloud-provider to "external"; kubernetes-aws.toml sets the same key to "aws".
[settings.kubernetes]
cloud-provider = "external"
hostname-override-source = "private-dns-name"

================================================
FILE: sources/shared-defaults/kubernetes-aws-graceful-shutdown.toml
================================================
[settings.kubernetes]
shutdown-grace-period = "150s"
shutdown-grace-period-for-critical-pods = "30s"

================================================
FILE: sources/shared-defaults/kubernetes-aws.toml
================================================
[settings.kubernetes]
cluster-domain = "cluster.local"
standalone-mode = false
authentication-mode = "aws"
server-tls-bootstrap = true
cloud-provider = "aws"

[metadata.settings.kubernetes]
affected-services = ["kubernetes"]

# The only thing wired to this setting is a deprecation-warning timer and the
# message file it uses.
[metadata.settings.kubernetes.pod-infra-container-image]
affected-services = ["pod-infra-container-image"]

# NOTE(review): bare "systemctl" here, absolute paths elsewhere; see whether the
# PATH used to run restart-commands is fixed.
[services.pod-infra-container-image]
configuration-files = ["pod-infra-container-image-log-message"]
restart-commands = ["systemctl restart deprecation-warning@pod-infra-container-image.timer"]

[configuration-files.pod-infra-container-image-log-message]
path = "/etc/deprecated-settings/pod-infra-container-image"
template-path = "/usr/share/templates/pod-infra-container-image"

[settings.metrics]
service-checks = ["apiserver", "chronyd", "containerd", "host-containerd", "kubelet"]

[metadata.settings.network]
affected-services = ["containerd", "kubernetes", "host-containerd", "host-containers", "updog"]

[services.autoscaling-warm-pool]
configuration-files = ["warm-pool-wait-toml"]
restart-commands = []

[configuration-files.warm-pool-wait-toml]
path = "/etc/warm-pool-wait.toml"
template-path = "/usr/share/templates/warm-pool-wait-toml"

[metadata.settings.autoscaling]
affected-services = ["autoscaling-warm-pool"]

================================================
FILE: sources/shared-defaults/kubernetes-containerd-nvidia.toml
================================================
# Identical to kubernetes-containerd.toml except for the containerd template path.
[configuration-files.containerd-config-toml]
# No override to path
template-path = "/usr/share/templates/containerd-config-toml_k8s_nvidia_containerd_sock"

# Image registries
[metadata.settings.container-registry]
affected-services = ["containerd", "host-containers", "bootstrap-containers", "soci-snapshotter", "thar-be-registries"]

# overwrite-path-if-present = false: judging by the key name, an existing file
# at this path is left alone; confirm in the renderer.
[configuration-files.snapshotter-toml]
path = "/etc/containerd/config.d/001-snapshotter.toml"
template-path = "/usr/share/templates/snapshotter-toml"
overwrite-path-if-present = false

# Container runtime - soci.
[services.soci-snapshotter]
configuration-files = ["soci-config-toml"]
restart-commands = ["/bin/systemctl try-restart soci-snapshotter.service"]

[configuration-files.soci-config-toml]
path = "/etc/soci-snapshotter/config.toml"
template-path = "/usr/share/templates/soci-config-toml"

[configuration-files.selected-snapshotter]
path = "/etc/containerd/selected-snapshotter"
template-path = "/usr/share/templates/selected-snapshotter"

# Container runtime plugins settings.
[metadata.settings.container-runtime-plugins.soci-snapshotter]
affected-services = ["soci-snapshotter"]

================================================
FILE: sources/shared-defaults/kubernetes-device-ownership-default-false.toml
================================================
# Paired with kubernetes-device-ownership-default-true.toml; a variant picks one.
[settings.kubernetes]
device-ownership-from-security-context = false

[metadata.settings.kubernetes.device-ownership-from-security-context]
affected-services = ["containerd"]

================================================
FILE: sources/shared-defaults/kubernetes-device-ownership-default-true.toml
================================================
[settings.kubernetes]
device-ownership-from-security-context = true

[metadata.settings.kubernetes.device-ownership-from-security-context]
affected-services = ["containerd"]

================================================
FILE: sources/shared-defaults/kubernetes-kubelet-env-nvidia.toml
================================================
# Overrides only the template; the path comes from kubernetes-services.toml.
[configuration-files.kubelet-env]
template-path = "/usr/share/templates/kubelet-env-nvidia"

================================================
FILE: sources/shared-defaults/kubernetes-metal.toml
================================================
# NOTE(review): the pause image is referenced by tag, not by digest; what the
# tag resolves to is decided by the registry at pull time.
[settings.kubernetes]
cluster-domain = "cluster.local"
standalone-mode = false
authentication-mode = "tls"
pod-infra-container-image = "public.ecr.aws/eks-distro/kubernetes/pause:3.5"
server-tls-bootstrap = false
cloud-provider = ""

[metadata.settings.kubernetes]
node-ip.setting-generator = "netdog node-ip"
affected-services = ["kubernetes"]

# Metrics
[settings.metrics]
service-checks = ["apiserver", "chronyd", "containerd", "host-containerd", "kubelet"]

# Network
[metadata.settings.network]
affected-services = ["containerd", "kubernetes", "host-containerd", "host-containers", "updog"]

================================================
FILE: sources/shared-defaults/kubernetes-seccomp-default-false.toml
================================================
# Paired with kubernetes-seccomp-default-true.toml; a variant picks one.
[settings.kubernetes]
seccomp-default = false

================================================
FILE: sources/shared-defaults/kubernetes-seccomp-default-true.toml
================================================
[settings.kubernetes]
seccomp-default = true

================================================
FILE: sources/shared-defaults/kubernetes-services.toml
================================================
[services.kubernetes]
configuration-files = [
    "kubelet-env",
    "kubelet-config",
    "kubelet-kubeconfig",
    "kubelet-bootstrap-kubeconfig",
    "kubelet-exec-start-conf",
    "kubernetes-ca-crt",
    "proxy-env",
    "kubelet-server-crt",
    "kubelet-server-key",
    "credential-provider-config-yaml",
    "k8s-snapshotter-conf",
]
restart-commands = [
    "/usr/bin/systemctl try-restart kubelet.service"
]

# File modes: most entries below set mode = "0600". kubelet-env,
# kubelet-server-crt and static-pods-toml set none.
# NOTE(review): the mode applied when the key is absent is not visible here;
# confirm the renderer's default, in particular for static-pods-toml.
[configuration-files.kubelet-env]
path = "/etc/kubernetes/kubelet/env"
template-path = "/usr/share/templates/kubelet-env"

[configuration-files.kubelet-config]
path = "/etc/kubernetes/kubelet/config"
template-path = "/usr/share/templates/kubelet-config"
mode = "0600"

[configuration-files.k8s-snapshotter-conf]
path = "/etc/kubernetes/kubelet/config.d/001-snapshotter.conf"
template-path = "/usr/share/templates/k8s-snapshotter-conf"
mode = "0600"
overwrite-path-if-present = false

[configuration-files.kubelet-kubeconfig]
path = "/etc/kubernetes/kubelet/kubeconfig"
template-path = "/usr/share/templates/kubelet-kubeconfig"
mode = "0600"

[configuration-files.kubelet-bootstrap-kubeconfig]
path = "/etc/kubernetes/kubelet/bootstrap-kubeconfig"
template-path = "/usr/share/templates/kubelet-bootstrap-kubeconfig"
mode = "0600"

[configuration-files.kubernetes-ca-crt]
path = "/etc/kubernetes/pki/ca.crt"
template-path = "/usr/share/templates/kubernetes-ca-crt"
mode = "0600"

[configuration-files.kubelet-server-crt]
path = "/etc/kubernetes/pki/kubelet-server.crt"
template-path = "/usr/share/templates/kubelet-server-crt"

# Private key of the kubelet serving certificate.
[configuration-files.kubelet-server-key]
path = "/etc/kubernetes/pki/private/kubelet-server.key"
template-path = "/usr/share/templates/kubelet-server-key"
mode = "0600"

[configuration-files.kubelet-exec-start-conf]
path = "/etc/systemd/system/kubelet.service.d/exec-start.conf"
template-path = "/usr/share/templates/kubelet-exec-start-conf"
mode = "0600"

[configuration-files.credential-provider-config-yaml]
path = "/etc/kubernetes/kubelet/credential-provider-config.yaml"
template-path = "/usr/share/templates/credential-provider-config-yaml"
mode = "0600"

[configuration-files.static-pods-toml]
path = "/etc/kubernetes/static-pods-manifest.toml"
template-path = "/usr/share/templates/static-pods-toml"

[services.static-pods]
configuration-files = ["static-pods-toml"]
restart-commands = ["/usr/bin/static-pods"]

[metadata.settings.kubernetes.static-pods]
affected-services = ["static-pods"]

[metadata.settings.aws.profile]
affected-services = ["kubernetes"]

================================================
FILE: sources/shared-defaults/kubernetes-vmware.toml
================================================
# NOTE(review): tag-referenced pause image, as in kubernetes-metal.toml, but a
# different tag (3.3 here, 3.5 there); confirm the difference is intended.
[settings.kubernetes]
cluster-domain = "cluster.local"
standalone-mode = false
authentication-mode = "tls"
pod-infra-container-image = "public.ecr.aws/eks-distro/kubernetes/pause:3.3"
server-tls-bootstrap = false
cloud-provider = "external"

[metadata.settings.kubernetes]
node-ip.setting-generator = "netdog node-ip"
affected-services = ["kubernetes"]

# Metrics
[settings.metrics]
service-checks = ["apiserver", "chronyd", "containerd", "host-containerd", "kubelet", "vmtoolsd"]

# Network
[metadata.settings.network]
affected-services = ["containerd", "kubernetes", "host-containerd", "host-containers", "updog"]

================================================
FILE: sources/shared-defaults/lockdown-integrity.toml
================================================
# Kernel
# Paired with lockdown-none.toml; a variant picks one as its default.
[settings.kernel]
lockdown = "integrity"

================================================
FILE: sources/shared-defaults/lockdown-none.toml
================================================
# Kernel
[settings.kernel]
lockdown = "none"

================================================
FILE: sources/shared-defaults/metrics.toml
================================================
[settings.metrics]
# the URL to which anonymous health metrics will be sent
metrics-url = "https://metrics.bottlerocket.aws/v1/metrics"
# the list of services that are checked to determine if a host is healthy,
# overridden in each variant to list services critical to that variant
service-checks = ["apiserver", "chronyd", "containerd", "host-containerd"]

[services.metricdog]
configuration-files = ["metricdog-toml", "proxy-env"]
restart-commands = ["/bin/systemctl try-restart metricdog.service"]

[configuration-files.metricdog-toml]
path = "/etc/metricdog.toml"
template-path = "/usr/share/templates/metricdog-toml"

================================================
FILE: sources/shared-defaults/nvidia-k8s-container-toolkit.toml
================================================
# Visible devices are passed as volume mounts; the environment-variable route is
# off for unprivileged containers.
[settings.nvidia-container-runtime]
visible-devices-as-volume-mounts = true
visible-devices-envvar-when-unprivileged = false

[metadata.settings.nvidia-container-runtime]
affected-services = ["nvidia-container-toolkit"]

[services.nvidia-container-toolkit]
configuration-files = ["nvidia-container-toolkit"]
restart-commands = []

[configuration-files.nvidia-container-toolkit]
path = "/etc/nvidia-container-runtime/config.toml"
template-path = "/usr/share/templates/nvidia-container-runtime/nvidia-container-toolkit-config-k8s"

================================================
FILE: sources/shared-defaults/nvidia-k8s-device-plugin-cdi.toml
================================================
# Paired with nvidia-k8s-device-plugin-legacy.toml; the two differ only in this value.
[settings.kubelet-device-plugins.nvidia]
device-list-strategy="cdi-cri"

================================================
FILE: sources/shared-defaults/nvidia-k8s-device-plugin-legacy.toml
================================================
[settings.kubelet-device-plugins.nvidia]
device-list-strategy="volume-mounts"

================================================
FILE: sources/shared-defaults/nvidia-k8s-device-plugin.toml
================================================
# nvidia device plugin service
[services.nvidia-k8s-device-plugin]
restart-commands = [
    "/bin/systemctl try-reload-or-restart nvidia-k8s-device-plugin.service",
]
configuration-files = [
    "nvidia-k8s-device-plugin-conf",
    "nvidia-k8s-device-plugin-exec-start-conf",
    "nvidia-k8s-device-plugin-mig-conf",
]

# Shares the plugin and MIG configuration files with the device plugin service.
[services.nvidia-mps-control-daemon]
restart-commands = [
    "/bin/systemctl try-reload-or-restart nvidia-mps-control-daemon.service",
]
configuration-files = [
    "nvidia-k8s-device-plugin-conf",
    "nvidia-mps-control-daemon-exec-start-conf",
    "nvidia-k8s-device-plugin-mig-conf",
]

[configuration-files.nvidia-k8s-device-plugin-conf]
path = "/etc/nvidia-k8s-device-plugin/settings.yaml"
template-path = "/usr/share/templates/nvidia-k8s-device-plugin-conf"

[configuration-files.nvidia-k8s-device-plugin-exec-start-conf]
path = "/etc/systemd/system/nvidia-k8s-device-plugin.service.d/exec-start.conf"
template-path = "/usr/share/templates/nvidia-k8s-device-plugin-exec-start-conf"

[configuration-files.nvidia-k8s-device-plugin-mig-conf]
path = "/etc/nvidia-migmanager/nvidia-migmanager.toml"
template-path = "/usr/share/templates/nvidia-k8s-device-plugin-mig-conf"

[configuration-files.nvidia-mps-control-daemon-exec-start-conf]
path = "/etc/systemd/system/nvidia-mps-control-daemon.service.d/exec-start.conf"
template-path = "/usr/share/templates/nvidia-mps-control-daemon-exec-start-conf"
[metadata.settings.kubelet-device-plugins.nvidia]
affected-services = [
    "nvidia-k8s-device-plugin",
    "nvidia-container-toolkit",
    "nvidia-mps-control-daemon",
]

[settings.kubelet-device-plugins.nvidia]
pass-device-specs = true
device-id-strategy = "index"
device-sharing-strategy = "none"
device-partitioning-strategy = "none"

================================================
FILE: sources/shared-defaults/oci-defaults-capabilities.toml
================================================
[settings.oci-defaults.capabilities]
# These values represent the default capabilities for Docker and Containerd.
# NOTE(review): every capability listed is enabled, including net-raw and mknod.
# A deployment that wants a narrower default overrides individual keys under
# settings.oci-defaults.capabilities rather than editing this shared file.
audit-write = true
chown = true
dac-override = true
fowner = true
fsetid = true
kill = true
mknod = true
net-bind-service = true
net-raw = true
setgid = true
setfcap = true
setpcap = true
setuid = true
sys-chroot = true

================================================
FILE: sources/shared-defaults/oci-defaults-containerd-cri-resource-limits.toml
================================================
# Open-file limits for the containerd CRI case; the Docker counterpart in
# oci-defaults-docker-resource-limits.toml uses 4096 / 1024.
[settings.oci-defaults.resource-limits.max-open-files]
hard-limit = 1048576
soft-limit = 65536

================================================
FILE: sources/shared-defaults/oci-defaults-containerd-cri.toml
================================================
[metadata.settings.oci-defaults]
affected-services = ["oci-defaults", "containerd"]

[services.oci-defaults]
configuration-files = ["oci-defaults"]
restart-commands = []

[configuration-files.oci-defaults]
path = "/etc/containerd/cri-base.json"
template-path = "/usr/share/templates/containerd-cri-base-json"

================================================
FILE: sources/shared-defaults/oci-defaults-docker-resource-limits.toml
================================================
[settings.oci-defaults.resource-limits.max-open-files]
hard-limit = 4096
soft-limit = 1024

================================================
FILE: sources/shared-defaults/oci-defaults-docker.toml
================================================
[metadata.settings.oci-defaults]
affected-services = ["docker"]

================================================
FILE: sources/shared-defaults/oci-hooks.toml
================================================
# The setting defaults to false, and the only service tied to it is a
# deprecation-warning timer with its message file under /etc/deprecated-settings.
[settings.oci-hooks]
log4j-hotpatch-enabled = false

[metadata.settings.oci-hooks.log4j-hotpatch-enabled]
affected-services = ["log4j-hotpatch-enabled"]

# NOTE(review): bare "systemctl" rather than an absolute path; it resolves
# through the PATH of whatever runs restart-commands.
[services.log4j-hotpatch-enabled]
configuration-files = ["log4j-hotpatch-enabled-log-message"]
restart-commands = ["systemctl restart deprecation-warning@log4j-hotpatch-enabled.timer"]

[configuration-files.log4j-hotpatch-enabled-log-message]
path = "/etc/deprecated-settings/log4j-hotpatch-enabled"
template-path = "/usr/share/templates/log4j-hotpatch-enabled"

================================================
FILE: sources/shared-defaults/public-bootstrap-containers.toml
================================================
# Generator for the source of bootstrap containers: renders a fixed image
# reference from the public registry.
# NOTE(review): the image is referenced by tag (v0.2.14), not by digest, so the
# content behind it is whatever the registry serves for that tag.
# NOTE(review): strength = "weak" and depth = 1 are generator options whose
# semantics are not visible here; confirm before changing them.
[metadata.settings.bootstrap-containers.source.setting-generator]
command = "schnauzer-v2 render --template 'public.ecr.aws/bottlerocket/bottlerocket-bootstrap:v0.2.14'"
strength = "weak"
depth = 1

================================================
FILE: sources/shared-defaults/public-host-containers.toml
================================================
# Both containers are disabled by default in off-AWS variants because the user
# must supply user data in order to use the containers. The admin container
# isn't useful without SSH keys/CA certs, and the control container can only be
# used with hybrid SSM off of AWS. Users of off-AWS variants might not want to
# use either of those options.
# Admin host container: disabled by default, but marked superpowered, so
# enabling it is the only step needed to run it with that elevated setting.
[settings.host-containers.admin]
enabled = false
superpowered = true

# NOTE(review): image referenced by tag (v0.20.4), not by digest.
[metadata.settings.host-containers.admin.source.setting-generator]
command = "schnauzer-v2 render --template 'public.ecr.aws/bottlerocket/bottlerocket-admin:v0.20.4'"
strength = "weak"

# Control host container: disabled by default and not superpowered.
[settings.host-containers.control]
enabled = false
superpowered = false

[metadata.settings.host-containers.control.source.setting-generator]
command = "schnauzer-v2 render --template 'public.ecr.aws/bottlerocket/bottlerocket-control:v0.20.4'"
strength = "weak"

================================================
FILE: sources/shared-defaults/public-ntp.toml
================================================
# Use a public endpoint, don't assume any local ones.
[settings.ntp]
time-servers = ["2.amazon.pool.ntp.org"]

================================================
FILE: sources/shared-defaults/public-tuf.toml
================================================
# Update repository locations. Both URLs are https; the metadata URL is rendered
# per variant and architecture from the template below.
[settings.updates]
targets-base-url = "https://updates.bottlerocket.aws/targets/"

[metadata.settings.updates.metadata-base-url]
setting-generator = "schnauzer-v2 render --template 'https://updates.bottlerocket.aws/2020-07-07/{{ os.variant_id }}/{{ os.arch }}/'"

================================================
FILE: sources/shared-defaults/send-metrics-aws.toml
================================================
[metadata.settings.metrics.send-metrics]
# only enable metrics in partitions with unhindered access to the metrics endpoint
setting-generator = "shibaken is-partition --partition aws --partition aws-us-gov"

================================================
FILE: sources/shared-defaults/send-metrics-global.toml
================================================
[settings.metrics]
# whether or not health metrics will be sent.
set to false to opt-out send-metrics = true ================================================ FILE: tools/.gitignore ================================================ /bin /twoliter /.crates.toml /.crates2.json ================================================ FILE: tools/diff-kernel-config ================================================ #!/usr/bin/env bash # # Common error handling # exit_trap_cmds=() on_exit() { exit_trap_cmds+=( "$1" ) } run_exit_trap_cmds() { for cmd in "${exit_trap_cmds[@]}"; do eval "${cmd}" done } trap run_exit_trap_cmds EXIT warn() { >&2 echo "Warning: $*" } bail() { if [[ $# -gt 0 ]]; then >&2 echo "Error: $*" fi exit 1 } usage() { cat <&2 usage bail "$1" } # # Parse arguments # kernel_versions=() variants=() while [[ $# -gt 0 ]]; do case $1 in -a|--after) shift; gitrev_after_arg=$1 ;; -b|--before) shift; gitrev_before_arg=$1 ;; -v|--variant) shift; variants+=( "$1" ) ;; -o|--output-dir) shift; output_dir=$1 ;; -r|--resume) shift; resume=1 ;; -h|--help) usage; exit 0 ;; *) usage_error "Invalid option '$1'" ;; esac shift done if [[ ${#variants[@]} -eq 0 ]]; then variants=( aws-k8s-1.23 metal-k8s-1.23 aws-dev metal-dev ) fi for var in "${variants[@]}"; do [[ -d variants/${var} ]] || bail "Unknown variant '${var}'" done readonly variants [[ -n ${output_dir} ]] || usage_error 'require -o|--output-dir' [[ -e ${output_dir} && ! -v resume ]] && bail "Output directory '${output_dir}' exists already, not touching it" readonly output_dir # Validate and resolve the given before and after Git revisions. Resolving # them now prevents relative references from moving around after the first # checkout. 
[[ -n ${gitrev_before_arg} ]] || usage_error 'require -b|--before' [[ -n ${gitrev_after_arg} ]] || usage_error 'require -a|--after' gitrev_before=$(git rev-parse --verify --end-of-options "${gitrev_before_arg}^{commit}") gitrev_after=$(git rev-parse --verify --end-of-options "${gitrev_after_arg}^{commit}") [[ -n ${gitrev_before} ]] || bail "Invalid Git revision '${gitrev_before_arg}'" [[ -n ${gitrev_after} ]] || bail "Invalid Git revision '${gitrev_after_arg}'" readonly gitrev_before readonly gitrev_after # # Prepare working tree # # We'll check out the before and after states to compare. For that the working # tree and the index need to be clean. if [[ -n $(git status --porcelain --untracked-files=no) ]]; then bail 'The working tree or index of the repository are not clean. ' \ 'Consider running "git stash" to temporarily stow away your changes.' fi # Restore current repository state whenever we exit (either a checked out # branch or the current detached head state). gitrev_original=$(git rev-parse --abbrev-ref HEAD) if [[ -z ${gitrev_original} ]]; then gitrev_original=$(git rev-parse HEAD) || bail 'Cannot determine current repository HEAD.' fi readonly gitrev_original on_exit "git checkout --quiet '${gitrev_original}'" # # Iterate over all viable build configurations in before and after states # mkdir -p "${output_dir}" || bail "Failed to create output directory '${output_dir}'" for state in after before; do gitrev_var=gitrev_${state} git checkout --quiet "${!gitrev_var}" || bail "Cannot check out '${!gitrev_var}'." 
for variant in "${variants[@]}"; do arches=() IFS=" " read -r -a arches <<< "$(grep "supported-arches" "variants/${variant}/Cargo.toml" | cut -d ' ' -f 3 | tr -d '"[]')" if [[ ${#arches[@]} -eq 0 ]]; then arches=( aarch64 x86_64 ) fi kver=$(grep "packages/kernel" "variants/${variant}/Cargo.toml" | cut -d ' ' -f 1 | cut -d '-' -f 2 | tr '_' '.') kernel_versions+=( "${kver}" ) for arch in "${arches[@]}"; do config_path=${output_dir}/config-${arch}-${variant}-${state} if [[ -v resume && -e ${config_path} ]]; then echo "${config_path} already exists, skipping" continue fi debug_id="state=${state} arch=${arch} variant=${variant} kernel=${kver}" IFS=- read -ra variant_parts <<<"${variant}" variant_platform="${variant_parts[0]}" variant_runtime="${variant_parts[1]}" variant_family="${variant_platform}-${variant_runtime}" # # Run build # cargo make \ -e BUILDSYS_ARCH="${arch}" \ -e BUILDSYS_VARIANT="${variant}" \ -e BUILDSYS_VARIANT_PLATFORM="${variant_platform}" \ -e BUILDSYS_VARIANT_RUNTIME="${variant_runtime}" \ -e BUILDSYS_VARIANT_FAMILY="${variant_family}" \ -e PACKAGE="kernel-${kver/./_}" \ build-package \ || bail "Build failed for ${debug_id}" # # Find kernel RPM # shopt -s nullglob kernel_rpms=( ./build/rpms/bottlerocket-*kernel-"${kver}"-"${kver}".*."${arch}".rpm ./build/rpms/bottlerocket-"${arch}"-*kernel-"${kver}"-"${kver}".*.rpm ) shopt -u nullglob case ${#kernel_rpms[@]} in 0) bail "No kernel RPM found for ${debug_id}" ;; 1) kernel_rpm=${kernel_rpms[0]} ;; *) # shellcheck disable=SC2012 # find(1) cannot sort by mtime kernel_rpm=$(ls -1t "${kernel_rpms[@]}" | head -n 1) warn "More than one kernel RPM found for ${debug_id}. Choosing '${kernel_rpm}' as the latest build." 
;; esac kver_full=$(rpm --query --queryformat '%{VERSION}-%{RELEASE}' "${kernel_rpm}") # # Extract kernel config # rpm2cpio "${kernel_rpm}" \ | cpio --quiet --extract --to-stdout ./boot/config >"${config_path}" [[ -s "${config_path}" ]] || bail "Failed to extract config for ${debug_id}" echo "config-${arch}-${variant}-${state} -> ${kver_full}" >> "${output_dir}"/kver_mapping done # arch done # variant done # state # # Post-process the collected pairs of "before" and "after" configs (generate diffs, a report, a summary) # # Get the helpful diffconfig script from the kernel source tree. We package it # in the kernel-archive RPM from where it can be extracted. Here we extract the # latest version of the script, but any kernel version and arch will do. latest_kver=$(printf '%s\n' "${kernel_versions[@]}" | sort -V | tail -n1) latest_archive_rpms=( ./build/rpms/bottlerocket-*kernel-"${latest_kver}"-archive-*.rpm ) diffconfig=$(mktemp --suffix -bottlerocket-diffconfig) on_exit "rm '${diffconfig}'" rpm2cpio "${latest_archive_rpms[0]}" \ | cpio --quiet --extract --to-stdout \ | tar --xz --extract --to-stdout kernel-devel/scripts/diffconfig >"${diffconfig}" [[ -s ${diffconfig} ]] || bail "Failed to extract diffconfig tool from '${latest_archive_rpms[0]}'." 
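chmod +x "${diffconfig}"

# Diff the before and after states for each collected pair
for config_before in "${output_dir}"/config-*-before; do
    config_after=${config_before/before/after}
    config_diff=${config_before/before/diff}
    "${diffconfig}" "${config_before}" "${config_after}" >"${config_diff}" \
        || bail "Failed to diff '${config_before}' and '${config_after}'"
done

# Generate diff summary
echo
for config_diff in "${output_dir}"/config-*-diff; do
    config_base=${config_diff##*/}
    awk "
        /^-/ { removed += 1 }
        /^+/ { added += 1 }
        / -> / { changed += 1 }
        END { printf \"${config_base}:\t%3d removed, %3d added, %3d changed\n\", removed, added, changed }
    " "${config_diff}"
done | sort -V | tee "${output_dir}"/diff-summary
echo

# Generate combined report of changes
head -v -n 999999 "${output_dir}"/*-diff >"${output_dir}"/diff-report
echo "A full report has been placed in '${output_dir}/diff-report'"

# Generate combined report in tabular form (csv)
echo "config change" > "${output_dir}"/diff-table
cat "${output_dir}"/*-diff | sort | uniq >> "${output_dir}"/diff-table
for config_diff in "${output_dir}"/config-*-diff; do
    variant_name=$(echo "${config_diff}" | sed -e "s%^${output_dir}/config-%%" -e "s%-diff$%%")
    kver_before=$(grep "${variant_name}-before" "${output_dir}/kver_mapping" | cut -d ' ' -f 3)
    kver_after=$(grep "${variant_name}-after" "${output_dir}/kver_mapping" | cut -d ' ' -f 3)
    col_name="${variant_name} (${kver_before} -> ${kver_after})"
    sed -i "s/$/,/" "${output_dir}"/diff-table
    sed -i "/^config change/ s/$/${col_name}/" "${output_dir}"/diff-table
    mapfile -t diff_lines < "${config_diff}"
    for line in "${diff_lines[@]}"; do
        sed -i "/^${line}/ s/$/x/" "${output_dir}"/diff-table
    done
done
echo "A tabular report in csv-format has been placed in '${output_dir}/diff-table'"

================================================
FILE: tools/install-twoliter.sh
================================================
#!/usr/bin/env bash
#
# Installs the twoliter binary into a target directory, either from a
# pre-built release archive (verified against a caller-supplied SHA-256
# checksum) or by building the requested revision from source with cargo.

#
# Common error handling
#

exit_trap_cmds=()

# Queue a command string to run when the script exits.
on_exit() {
    exit_trap_cmds+=( "$1" )
}

# EXIT handler: runs the queued commands in registration order. Every entry
# goes through eval, so callers have to quote any path they embed in it.
run_exit_trap_cmds() {
    for cmd in "${exit_trap_cmds[@]}"; do
        eval "${cmd}"
    done
}

trap run_exit_trap_cmds EXIT

# Print a warning to stderr.
warn() {
    >&2 echo "Warning: $*"
}

# Print an optional error message to stderr and exit with status 1.
bail() {
    if [[ $# -gt 0 ]]; then
        >&2 echo "Error: $*"
    fi
    exit 1
}

# Print the option summary.
# NOTE(review): the original help text is missing from this copy of the
# script; the summary below is rebuilt from the option parser that follows.
usage() {
    cat <<EOF
Usage: $0 -r REPO -v VERSION -d DIRECTORY [-e] [-k] [-b CHECKSUM] [-s] [-h]

    -r, --repo                    repository to fetch twoliter from
    -v, --version                 release tag / git revision to install
    -d, --directory               directory the twoliter binary is installed into
    -e, --reuse-existing-install  keep an installed binary whose version already matches
    -k, --skip-version-check      with -e, accept an installed binary without checking its version
    -b, --allow-binary-install    allow a pre-built release archive; takes its SHA-256 checksum
    -s, --allow-from-source       allow building from source with cargo
    -h, --help                    show this help text
EOF
}

# Print the option summary to stderr, then fail with the given message.
usage_error() {
    >&2 usage
    bail "$1"
}

#
# Parse arguments
#

while [[ $# -gt 0 ]]; do
    case $1 in
        -r|--repo)
            shift; repo=$1 ;;
        -v|--version)
            shift; version=$1 ;;
        -d|--directory)
            shift; dir=$1 ;;
        -e|--reuse-existing-install)
            reuse_existing="true" ;;
        -b|--allow-binary-install)
            allow_bin="true"; shift; bin_checksum=$1 ;;
        -s|--allow-from-source)
            from_source="true" ;;
        -k|--skip-version-check)
            skip_version_check="true" ;;
        -h|--help)
            usage; exit 0 ;;
        *)
            usage_error "Invalid option '$1'" ;;
    esac
    shift
done

set -e

[[ -n ${dir} ]] || usage_error "An install directory is required (-d)."

workdir="$(mktemp -d)"
# The cleanup string is eval'd at exit, so the path is quoted to survive a
# TMPDIR that contains whitespace.
on_exit "rm -rf '${workdir}'"
mkdir -p "${dir}"
# The binary install below changes into ${workdir} before moving the result,
# so a relative install directory has to be made absolute first.
dir="$(cd "${dir}" && pwd)"

if [ "${reuse_existing}" = "true" ] ; then
    if [ -x "${dir}/twoliter" ] ; then
        if [ "${skip_version_check}" = "true" ]; then
            echo "Twoliter binary found and --skip-version-check is true. Skipping install."
            exit 0
        fi
        version_output="$("${dir}/twoliter" --version)"
        # Second word of the first output line, prefixed with "v" so it can be
        # compared with the requested version.
        found_version=v$(printf '%s\n' "${version_output}" | awk 'NR == 1 { print $2 }')
        echo "Found Twoliter ${found_version} installed."
        if [ "${found_version}" = "${version}" ] ; then
            echo "Skipping installation."
            exit 0
        fi
    fi
fi

if [ "${allow_bin}" = "true" ] ; then
    host_arch="$(uname -m)"
    host_arch="${host_arch,,}"
    host_kernel="$(uname -s)"
    host_kernel="${host_kernel,,}"
    case "${host_kernel}-${host_arch}" in
        linux-x86_64 | linux-aarch64)
            [[ -n ${repo} && -n ${version} ]] \
                || bail "A binary install needs both --repo and --version."
            # The checksum is the only integrity check on the downloaded
            # archive. Reject anything that is not a full SHA-256 digest up
            # front, e.g. when -b swallowed the next option as its value.
            [[ ${bin_checksum} =~ ^[0-9a-fA-F]{64}$ ]] \
                || bail "--allow-binary-install needs the SHA-256 checksum (64 hex digits) of the release archive."
            echo "Installing Twoliter from binary release."
            twoliter_release="${repo}/releases/download/${version}"
            twoliter_target="${host_arch}-unknown-${host_kernel}-musl"
            cd "${workdir}"
            # --fail stops on an HTTP error instead of saving the error page.
            curl --fail -sSL "${twoliter_release}/twoliter-${twoliter_target}.tar.xz" -o "twoliter.tar.xz"
            echo "Checking binary checksum..."
            # Verified before the archive is unpacked; a mismatch aborts under
            # `set -e`. Two spaces: the canonical "<hash>  <file>" line layout.
            sha256sum -c <<< "${bin_checksum}  twoliter.tar.xz"
            tar xf twoliter.tar.xz
            mv "./twoliter-${twoliter_target}/twoliter" "${dir}"
            exit 0
            ;;
        *)
            echo "No pre-built binaries available for twoliter ${version}."
            ;;
    esac
else
    echo "Skipping binary installation of twoliter ${version} because --allow-binary-install was not set."
fi

if [ "${from_source}" = "true" ] ; then
    echo "Installing Twoliter version ${version} from source"
    # NOTE(review): --rev pins the build to ${version}; if that is a tag
    # rather than a commit hash, the pin is only as stable as the tag.
    cargo +nightly install \
        -Z bindeps \
        --locked \
        --root "${workdir}" \
        --git "${repo}" \
        --rev "${version}" \
        --bin twoliter \
        --quiet \
        twoliter
    mv "${workdir}/bin/twoliter" "${dir}/twoliter"
    echo "Installed twoliter ${version} from source."
    exit 0
else
    echo "Skipped installing twoliter ${version} from source."
fi

if [ ! -x "${dir}/twoliter" ] ; then
    echo "Could not install twoliter ${version}" >&2
    exit 1
fi

================================================
FILE: tools/pubsys/Infra.toml.example
================================================
# This is an example infrastructure configuration for pubsys, the tool that
# creates repos when you call `cargo make repo`. Save a copy as `Infra.toml`
# at the root of the repo, then edit the settings below to match your use case.

# You can have any number of repos defined and build a specific one by running like this:
# cargo make -e PUBLISH_REPO=myrepo repo
[repo.default]
# URL to your root role JSON file; can be a file:// URL for local files. If
# you don't specify one here, a file will be generated for you under /roles.
# For production use, you should store them somewhere safer.
root_role_url = "https://example.com/root.json"
# SHA512 checksum of your root role JSON file.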
root_role_sha512 = "0123456789abcdef" # For reference, this is the Bottlerocket root role: #root_role_url = "https://cache.bottlerocket.aws/root.json" #root_role_sha512 = "4fcb272345fd6adb94d4c04834400548178fecb57407ca79bc2c3d20e0428fc9ed3a82cea268d7f9c667b5803524a4f465acd701a86953d5d732bf6ecb064888" # pubsys assumes a single publication key that signs the snapshot, targets, # and timestamp roles. Here you specify where that key lives so we can sign # the created repo. If you don't specify one here, a key will be generated for # you under /keys. For production use, you should use a key stored in a # trusted service like KMS or SSM. # (Need inline table syntax until this is fixed: https://github.com/alexcrichton/toml-rs/issues/225) signing_keys = { file = { path = "/home/user/key.pem" } } #signing_keys = { kms = { key_id = "abc-def-123" } } #signing_keys = { ssm = { parameter = "/my/parameter" } } # If these URLs are uncommented, the repo will be pulled and used as a starting # point, and your images (and related files) will be added as a new update in # the created repo. Otherwise, we build a new repo from scratch. metadata_base_url = "https://example.com/" targets_url = "https://example.com/targets/" [aws] # The list of regions in which you want to publish AMIs. We register an AMI in # the first region and copy it to all other regions. regions = ["us-west-2", "us-east-1", "us-east-2"] # If specified, we use this named profile from ~/.aws/credentials, rather than # the default path of trying credentials from the environment, from a # credential process, from the default profile, and then from an IAM instance # profile. profile = "my-profile" # If specified, we assume this role before making any API calls. role = "arn:aws:iam::012345678901:role/assume-global" # If specified, this string will be prefixed on all parameter names published to SSM. 
ssm_prefix = "/your/prefix/here"

[aws.region.us-west-2]
# If specified, we assume this role before making any API calls in this region.
# (This is assumed after the "global" aws.role, if that is also specified.)
role = "arn:aws:iam::012345678901:role/assume-regional"

[vmware]
# A list of datacenter names to which you would like to upload an OVA. These
# are "friendly" names, and do not need to be the actual name of the
# software-defined datacenter, but can be. For example, you may have
# multiple vSphere instances with datacenters that still carry the default
# "SDDC-Datacenter" name; this field allows you to differentiate them.
datacenters = ["north", "south"]

# ***
# GOVC_* environment variables set in the current environment override any
# configuration set in the sections below!
# ***

# Optional common configuration
# This configuration allows values to be set in a single place if they are common in
# multiple datacenters. They can be overridden in the datacenter's block below.
[vmware.common]
network = "a_network"

# Datacenter specific configuration
# This specifies all of the values necessary to communicate with this
# datacenter via `govc`. Each value maps directly to the GOVC_* environment
# variable in the corresponding comment. If any of these values is missing and
# isn't in the environment, we will look for them in `vmware.common`.
[vmware.datacenter.north] vsphere_url = "https://vcenter.1234.vmwarevmc.com" # GOVC_URL datacenter = "SDDC-Datacenter" # GOVC_DATACENTER datastore = "WorkloadDatastore" # GOVC_DATASTORE network = "sddc-cgw-network-1" # GOVC_NETWORK folder = "my_folder" # GOVC_FOLDER resource_pool = "/SDDC-Datacenter/host/Cluster/Resources/Compute-ResourcePool" # GOVC_RESOURCE_POOL ================================================ FILE: tools/pubsys/policies/repo-expiration/2w-2w-1w.toml ================================================ snapshot_expiration = '2 weeks' targets_expiration = '2 weeks' timestamp_expiration = '1 week' ================================================ FILE: tools/pubsys/policies/ssm/README.md ================================================ # Parameter templates Files in this directory contain template strings that are used to generate SSM parameter names and values. You can pass a different directory to `pubsys` to use a different set of parameters. The directory is expected to contain a file named `defaults.toml` with a table entry per parameter, like this: ```toml [[parameter]] name = "{variant}/{arch}/{image_version}/image_id" value = "{image_id}" ``` The `name` and `value` can contain template variables that will be replaced with information from the current build and from the AMI registered from that build. The available variables include: * `variant`, for example "aws-ecs-2" * `arch`, for example "x86_64" or "arm64". * Note: "amd64" and "aarch64" are mapped to "x86_64" and "arm64", respectively, to match the names used by EC2. * `image_id`, for example "ami-0612c21373a768f20" * `image_name`, for example "bottlerocket-aws-ecs-2-x86_64-v1.42.0-5ed15786" * `image_version`, for example "1.42.0-5ed15786" * `region`, for example "us-west-2" # Conditional parameters You can also list parameters that only apply to specific variants or architectures. To do so, add `variant` or `arch` keys (or both) to your parameter definition. 
The parameter will only be populated if the current `variant` or `arch` matches one of the values in the list.
(If both `variant` and `arch` are listed, the build must match an entry from both lists.)

For example, to add an extra parameter that's only set for "aarch64" builds of the "aws-ecs-2" variant:

```toml
[[parameter]]
arch = ["aarch64"]
variant = ["aws-ecs-2"]
name = "/a/special/aarch64/ecs/parameter"
value = "{image_name}"
```

================================================
FILE: tools/pubsys/policies/ssm/defaults.toml
================================================
[[parameter]]
name = "{variant}/{arch}/{image_version}/image_id"
value = "{image_id}"

[[parameter]]
name = "{variant}/{arch}/{image_version}/image_version"
value = "{image_version}"

================================================
FILE: tools/pubsys/support/vmware/import_spec.template
================================================
\{
  "DiskProvisioning": "flat",
  "IPAllocationPolicy": "dhcpPolicy",
  "IPProtocol": "IPv4",
  "NetworkMapping": [
    \{
      "Name": "VM Network",
      "Network": "{ network }"
    }
  ],
  "MarkAsTemplate": { mark_as_template },
  "PowerOn": false,
  "InjectOvfEnv": false,
  "WaitForIP": false,
  "Name": null
}

================================================
FILE: tools/start-local-vm
================================================
#!/usr/bin/env bash
# shellcheck disable=SC2054 # Arrays are formatted for passing args to other tools
#
# Launches a locally built Bottlerocket image in QEMU: unpacks the lz4 images,
# prepares per-run firmware files, optionally rewrites the private partition
# with injected files, then starts the VM.

#
# Common error handling
#

exit_trap_cmds=()

# Queue a command string to run when the script exits.
on_exit() {
    exit_trap_cmds+=( "$1" )
}

# EXIT handler: runs the queued commands in registration order. Each entry is
# eval'd, which is why the callers below wrap paths in single quotes.
run_exit_trap_cmds() {
    for cmd in "${exit_trap_cmds[@]}"; do
        eval "${cmd}"
    done
}

trap run_exit_trap_cmds exit

# Print the given message to stderr and exit with status 1.
bail() {
    >&2 echo "$@"
    exit 1
}

shopt -s nullglob

arch=${BUILDSYS_ARCH}
variant=${BUILDSYS_VARIANT}
product_name=${BUILDSYS_NAME:-bottlerocket}
# NOTE(review): the host address field of this forward is empty; per QEMU's
# hostfwd syntax that is not limited to loopback - confirm, and pass e.g.
# --host-port-forwards tcp:127.0.0.1:2222-:22 to keep the forward local.
host_port_forwards=tcp::2222-:22
vm_mem=4G
vm_cpus=4
force_extract=
# Maps local file path -> file name on the image's private partition.
declare -A extra_files=()
os_image=
data_image=

if ! git_toplevel=$(git rev-parse --show-toplevel); then
    bail "Failed to get the root of the repo."
else
    readonly repo_root="${git_toplevel}"
fi

# Print the usage text; the defaults shown are the current variable values.
show_usage() {
    echo "\
usage: ${0##*/} [--arch BUILDSYS_ARCH] [--variant BUILDSYS_VARIANT]
       [--host-port-forwards HOST_PORT_FWDS] [--product-name NAME]
       [--vm-memory VM_MEMORY] [--vm-cpus VM_CPUS] [--force-extract]
       [--inject-file LOCAL_PATH[:IMAGE_PATH]]...
       [--firmware-code PATH] [--firmware-vars PATH]
       [--os-image-size SIZE] [--data-image-size SIZE]

Launch a local virtual machine from a Bottlerocket image.

Options:

    --arch                architecture of the Bottlerocket image (must match the
                          host architecture ($(uname -m)); may be omitted if the
                          BUILDSYS_ARCH environment variable is set)
    --variant             Bottlerocket variant to run (may be omitted if the
                          BUILDSYS_VARIANT environment variable is set)
    --product-name        short product name used as prefix for file and directory
                          names (defaults to the BUILDSYS_NAME environment variable
                          or 'bottlerocket' when that is unset)
    --host-port-forwards  list of host ports to forward to the VM; HOST_PORT_FWDS
                          must be a valid QEMU port forwarding specifier (default
                          is ${host_port_forwards})
    --vm-memory           amount of memory to assign to the VM; VM_MEMORY must be
                          a valid QEMU memory specifier (default is ${vm_mem})
    --vm-cpus             number of CPUs to spawn for VM (default is ${vm_cpus})
    --force-extract       force recreation of the extracted Bottlerocket image,
                          e.g. to force first boot behavior
    --inject-file         adds a local file to the private partition of the
                          Bottlerocket image before launching the virtual machine
                          (may be given multiple times); existing data on the
                          private partition will be lost
    --firmware-code       override the default firmware executable file
    --firmware-vars       override the initial firmware variable storage file
    --os-image-size       resize the OS disk image to the given size (e.g. 4096M)
    --data-image-size     resize the data disk image to the given size (e.g. 20G)
    --help                shows this usage text

By default, the virtual machine's port 22 (SSH) will be exposed via the local
port 2222, i.e. if the Bottlerocket admin container has been enabled via
user-data, it can be reached by running

    ssh -p 2222 ec2-user@localhost

from the host.

Usage example:

    ${0##*/} --arch $(uname -m) --variant metal-dev --inject-file net.toml
"
}

# Print an optional error message followed by the usage text to stderr, then
# exit with status 1.
usage_error() {
    local error=$1

    {
        if [[ -n ${error} ]]; then
            printf "%s\n\n" "${error}"
        fi
        show_usage
    } >&2

    exit 1
}

# Parse the command line into the global settings above, then check that an
# architecture and variant are set, that the architecture equals the host's,
# and that every file named by --inject-file exists.
parse_args() {
    while [[ $# -gt 0 ]]; do
        case $1 in
            -h|--help)
                show_usage; exit 0 ;;
            --arch)
                shift; arch=$1 ;;
            --variant)
                shift; variant=$1 ;;
            --product-name)
                shift; product_name=$1 ;;
            --host-port-forwards)
                shift; host_port_forwards=$1 ;;
            --vm-memory)
                shift; vm_mem=$1 ;;
            --vm-cpus)
                shift; vm_cpus=$1 ;;
            --force-extract)
                force_extract=yes ;;
            --inject-file)
                # LOCAL_PATH[:IMAGE_PATH]; without an explicit IMAGE_PATH the
                # base name of the local file is used on the image.
                shift; local file_spec=$1
                if [[ ${file_spec} = *:* ]]; then
                    local local_file=${file_spec%%:*}
                    local image_file=${file_spec#*:}
                else
                    local local_file=${file_spec}
                    local image_file=${file_spec##*/}
                fi
                extra_files[${local_file}]=${image_file}
                ;;
            --firmware-code)
                shift; firmware_code=$1 ;;
            --firmware-vars)
                shift; firmware_vars=$1 ;;
            --os-image-size)
                shift; os_image_size=$1 ;;
            --data-image-size)
                shift; data_image_size=$1 ;;
            *)
                usage_error "unknown option '$1'" ;;
        esac
        shift
    done

    [[ -n ${arch} ]] || usage_error 'Architecture needs to be set via either --arch or BUILDSYS_ARCH.'
    [[ -n ${variant} ]] || usage_error 'Variant needs to be set via either --variant or BUILDSYS_VARIANT.'

    # declare -l lowercases the value on assignment.
    declare -l host_arch
    host_arch=$(uname -m)
    [[ ${arch} == "${host_arch}" ]] || bail "Architecture needs to match host architecture (${host_arch}) for hardware virtualization."

    for path in "${!extra_files[@]}"; do
        [[ -e ${path} ]] || bail "Cannot find local file '${path}' to inject."
    done
}

# Decompress $1 to $2 when --force-extract was given or the compressed image
# is newer than the extracted one.
extract_image() {
    local -r compressed_image=$1
    local -r uncompressed_image=$2

    if [[ ${force_extract} = yes ]] || [[ ${compressed_image} -nt ${uncompressed_image} ]]; then
        lz4 --decompress --force --keep "${compressed_image}" "${uncompressed_image}" \
            || bail "Failed to extract '${compressed_image}'."
    fi
}

# Locate the latest built images for ${arch}/${variant}, extract them, and
# apply the optional --os-image-size / --data-image-size values.
prepare_raw_images() {
    local -r image_dir=build/images/${arch}-${variant}/latest
    local -r compressed_os_image=${image_dir}/${product_name}-${variant}-${arch}.img.lz4
    local -r compressed_data_image=${image_dir}/${product_name}-${variant}-${arch}-data.img.lz4

    if [[ -e ${compressed_os_image} ]]; then
        readonly os_image=${compressed_os_image%*.lz4}
        extract_image "${compressed_os_image}" "${os_image}"
    else
        bail 'Boot image not found. Did the last build fail?'
    fi

    if [[ -e ${compressed_data_image} ]]; then
        readonly data_image=${compressed_data_image%*.lz4}
        extract_image "${compressed_data_image}" "${data_image}"
    else
        # Missing data image is fine. This variant may not be a split build.
        readonly data_image=
    fi

    if [[ -n ${os_image_size} ]]; then
        truncate --no-create --size "${os_image_size}" "${os_image}" \
            || bail "Failed to resize OS image '${os_image}'."
    fi

    if [[ -n ${data_image_size} ]]; then
        if [[ -e ${data_image} ]]; then
            truncate --no-create --size "${data_image_size}" "${data_image}" \
                || bail "Failed to resize data image '${data_image}'."
        else
            >&2 echo "Ignoring option --data-image-size ${data_image_size} since no data image was found."
        fi
    fi
}

# Pick the firmware files for ${arch} and copy the variable store (on aarch64
# also the firmware code) into temp files that are removed on exit.
prepare_firmware() {
    # Create local copies of the edk2 firmware variable storage, to help
    # facilitate Secure Boot testing where custom variables are needed for both
    # architectures, but can't safely be reused across QEMU invocations. Also
    # set reasonable defaults for both firmware files, if nothing more specific
    # was requested.
    local original_vars

    if [[ ${arch} = x86_64 ]]; then
        firmware_code=${firmware_code:-/usr/share/edk2/ovmf/OVMF_CODE.fd}
        original_vars=${firmware_vars:-/usr/share/edk2/ovmf/OVMF_VARS.fd}
        firmware_vars="$(mktemp)"
        on_exit "rm '${firmware_vars}'"
        cp "${original_vars}" "${firmware_vars}"
    fi

    if [[ ${arch} = aarch64 ]]; then
        original_code=${firmware_code:-/usr/share/edk2/aarch64/QEMU_EFI.silent.fd}
        original_vars=${firmware_vars:-/usr/share/edk2/aarch64/QEMU_VARS.fd}
        firmware_code="$(mktemp)"
        firmware_vars="$(mktemp)"
        on_exit "rm '${firmware_code}' '${firmware_vars}'"
        # Each copy is zero-padded (or cut) to exactly 64m by head -c.
        cat "${original_code}" /dev/zero \
            | head -c 64m > "${firmware_code}"
        cat "${original_vars}" /dev/zero \
            | head -c 64m > "${firmware_vars}"
    fi
}

# Add the bootconfig data file that the private partition needs to the set of
# files to inject.
create_extra_files() {
    # Explicitly instruct the kernel to send its output to the serial port on
    # x86 via a bootconfig initrd. Passing in settings via user-data would be
    # too late to get console output of the first boot.
    if [[ ${arch} = x86_64 ]]; then
        extra_files["${repo_root}/tools/bootconfig/qemu-x86-console-bootconfig.data"]=bootconfig.data
    fi

    # If the private partition needs to be recreated, ensure that any bootconfig
    # data file is present, otherwise GRUB will notice the missing file and wait
    # for a key press.
    if [[ ${#extra_files[@]} -gt 0 ]]; then
        local has_bootconfig=no
        for image_file in "${extra_files[@]}"; do
            if [[ ${image_file} = bootconfig.data ]]; then
                has_bootconfig=yes
                break
            fi
        done
        if [[ ${has_bootconfig} = no ]]; then
            extra_files["${repo_root}/tools/bootconfig/empty-bootconfig.data"]=bootconfig.data
        fi
    fi
}

# Build a fresh ext4 file system holding the files in extra_files and write it
# over the private partition of the OS image. Does nothing when no files were
# requested.
inject_files() {
    if [[ ${#extra_files[@]} -eq 0 ]]; then
        return 0
    fi

    # We inject files into the boot image by replacing the private partition
    # entirely. The new partition has to perfectly fit over the original one.
    # Find the first and last sector, then calculate the partition's size. In
    # absence of actual hardware, assume a traditional sector size of 512 bytes.
    local private_first_sector private_last_sector
    read -r private_first_sector private_last_sector < <(
        fdisk --list-details "${os_image}" \
            | awk '/BOTTLEROCKET-PRIVATE/ { print $2, $3 }')
    if [[ -z ${private_first_sector} ]] || [[ -z ${private_last_sector} ]]; then
        bail "Failed to find the private partition in '${os_image}'."
    fi
    local private_size_mib=$(( (private_last_sector - private_first_sector + 1) * 512 / 1024 / 1024 ))

    local private_mount private_image
    private_mount=$(mktemp -d)
    private_image=$(mktemp)
    on_exit "rm -rf '${private_mount}' '${private_image}'"

    for local_file in "${!extra_files[@]}"; do
        local image_file=${extra_files[${local_file}]}
        # NOTE(review): image_file comes straight from --inject-file and is
        # joined onto the staging directory without a check for '..' or
        # subdirectory components.
        cp "${local_file}" "${private_mount}/${image_file}"
    done

    # dd writes the new file system in place, starting at the partition's
    # first sector; conv=notrunc keeps the rest of the image intact.
    if ! mkfs.ext4 -d "${private_mount}" "${private_image}" "${private_size_mib}M" \
        || ! dd if="${private_image}" of="${os_image}" conv=notrunc bs=512 seek="${private_first_sector}"
    then
        rm -f "${private_image}"
        rm -rf "${private_mount}"
        bail "Failed to inject files into '${os_image}'."
    fi
}

# Assemble the QEMU command line from the prepared images, firmware files and
# settings, then run the VM.
launch_vm() {
    # The firmware code drive is attached read-only; the firmware variable
    # drive is the per-run copy made by prepare_firmware.
    local -a qemu_args=(
        -nographic
        -enable-kvm
        -cpu host
        -smp "${vm_cpus}"
        -m "${vm_mem}"
        -drive if=pflash,format=raw,unit=0,file="${firmware_code}",readonly=on
        -drive if=pflash,format=raw,unit=1,file="${firmware_vars}"
        -drive index=0,if=virtio,format=raw,file="${os_image}"
    )

    # Plug the virtual primary NIC in as BDF 00:10.0 so udev will give it a
    # consistent name we can know ahead of time--enp0s16 or ens16.
    qemu_args+=(
        -netdev user,id=net0,hostfwd="${host_port_forwards}"
        -device virtio-net-pci,netdev=net0,addr=10.0
    )

    # Resolve the last bit of uncertainty by disabling ACPI-based PCI hot plug,
    # causing udev to use the bus location when naming the NIC (enp0s16). Since
    # QEMU does not support PCI hot plug via ACPI on Arm, turn it off for the
    # emulated x86_64 chipset only to achieve parity.
    if [[ ${arch} = x86_64 ]]; then
        qemu_args+=( -global PIIX4_PM.acpi-root-pci-hotplug=off )
        qemu_args+=( -machine q35,smm=on )
    fi

    if [[ ${arch} = aarch64 ]]; then
        qemu_args+=( -machine virt )
    fi

    if [[ -n ${data_image} ]]; then
        qemu_args+=( -drive index=1,if=virtio,format=raw,file="${data_image}" )
    fi

    qemu-system-"${arch}" "${qemu_args[@]}"
}

parse_args "$@"
prepare_raw_images
prepare_firmware
create_extra_files
inject_files
launch_vm

================================================
FILE: variants/README.md
================================================
# Bottlerocket Variants

This document describes what Bottlerocket variants are and how they are built.

In the [Background](#background) section, we discuss the motivation for variants.

In the [Variants](#variants) section, we list the variants that exist today.

In the [Development](#development) section, we provide a short guide for adding a new variant.

## Background

Bottlerocket is purpose-built for hosting containers.
It can run one of several container orchestrator agents.
It is also image-based and does not include a package manager for customization at runtime.

Conceptually, each image could include all orchestrator agents, but that would conflict with our design goals.
We want to keep the footprint of Bottlerocket as small as possible for security and performance reasons.
Instead, we make different variants available for use, each with its own set of software and API settings.

A variant is essentially a list of packages to install, plus a model that defines the API.
The documentation for [packages](https://github.com/bottlerocket-os/bottlerocket-core-kit/tree/develop/packages) covers how to create a package.
Information about API settings for variants can be found in the [models](../sources/models/) documentation.

### User data

Bottlerocket variants ingest TOML-formatted [user data](../README.md#using-user-data) from various sources in a predefined order.
All variants first attempt to read user data from `/var/lib/bottlerocket/user-data.toml`. AWS variants then retrieve user data from IMDS. VMware variants will attempt to read user data from a mounted CD-ROM (from a file named "user-data" or from an OVF file), and then from VMware's guestinfo interface. If a setting is defined in more than one source, the value in later sources will override earlier values. For example, in a VMware variant, settings read from the guestinfo interface will override settings from CD-ROM, and settings from CD-ROM will override settings from the file. ## Variants See [_Update Policy_ in the Security Features document](../SECURITY_FEATURES.md#update-policy) for information on when and how Bottlerocket applies security patches to variants. ### aws-k8s-1.29: Kubernetes 1.29 node The [aws-k8s-1.29](aws-k8s-1.29/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.29, 1.30, 1.31, and 1.32 clusters. ### aws-k8s-1.29-nvidia: Kubernetes 1.29 NVIDIA node The [aws-k8s-1.29-nvidia](aws-k8s-1.29-nvidia/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.29, 1.30, 1.31 and 1.32 clusters. ### aws-k8s-1.29-nvidia-fips: Kubernetes 1.29 NVIDIA FIPS node The [aws-k8s-1.29-nvidia-fips](aws-k8s-1.29-nvidia-fips/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs and is FIPS-enabled. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). 
This variant is compatible with Kubernetes 1.29, 1.30, 1.31 and 1.32 clusters. ### aws-k8s-1.30: Kubernetes 1.30 node The [aws-k8s-1.30](aws-k8s-1.30/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.30, 1.31, 1.32, and 1.33 clusters. ### aws-k8s-1.30-nvidia: Kubernetes 1.30 NVIDIA node The [aws-k8s-1.30-nvidia](aws-k8s-1.30-nvidia/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.30, 1.31, 1.32, and 1.33 clusters. ### aws-k8s-1.30-nvidia-fips: Kubernetes 1.30 NVIDIA FIPS node The [aws-k8s-1.30-nvidia-fips](aws-k8s-1.30-nvidia-fips/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs and is FIPS-enabled. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.30, 1.31, 1.32, and 1.33 clusters. ### aws-k8s-1.31: Kubernetes 1.31 node The [aws-k8s-1.31](aws-k8s-1.31/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.31, 1.32, 1.33, and 1.34 clusters. ### aws-k8s-1.31-nvidia: Kubernetes 1.31 NVIDIA node The [aws-k8s-1.31-nvidia](aws-k8s-1.31-nvidia/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs. 
It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.31, 1.32, 1.33, and 1.34 clusters. ### aws-k8s-1.31-nvidia-fips: Kubernetes 1.31 NVIDIA FIPS node The [aws-k8s-1.31-nvidia-fips](aws-k8s-1.31-nvidia-fips/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs and is FIPS-enabled. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.31, 1.32, 1.33, and 1.34 clusters. ### aws-k8s-1.32: Kubernetes 1.32 node The [aws-k8s-1.32](aws-k8s-1.32/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.32, 1.33, 1.34 and 1.35 clusters. ### aws-k8s-1.32-nvidia: Kubernetes 1.32 NVIDIA node The [aws-k8s-1.32-nvidia](aws-k8s-1.32-nvidia/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.32, 1.33, 1.34 and 1.35 clusters. ### aws-k8s-1.32-nvidia-fips: Kubernetes 1.32 NVIDIA FIPS node The [aws-k8s-1.32-nvidia-fips](aws-k8s-1.32-nvidia-fips/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs and is FIPS-enabled. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.32, 1.33, 1.34 and 1.35 clusters. 
### aws-k8s-1.33: Kubernetes 1.33 node The [aws-k8s-1.33](aws-k8s-1.33/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.33, 1.34, 1.35 and 1.36 clusters. ### aws-k8s-1.33-nvidia: Kubernetes 1.33 NVIDIA node The [aws-k8s-1.33-nvidia](aws-k8s-1.33-nvidia/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.33, 1.34, 1.35 and 1.36 clusters. ### aws-k8s-1.33-nvidia-fips: Kubernetes 1.33 NVIDIA FIPS node The [aws-k8s-1.33-nvidia-fips](aws-k8s-1.33-nvidia-fips/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs and is FIPS-enabled. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.33, 1.34, 1.35 and 1.36 clusters. ### aws-k8s-1.34: Kubernetes 1.34 node The [aws-k8s-1.34](aws-k8s-1.34/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.34, 1.35, 1.36 and 1.37 clusters. ### aws-k8s-1.34-nvidia: Kubernetes 1.34 NVIDIA node The [aws-k8s-1.34-nvidia](aws-k8s-1.34-nvidia/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). 
This variant is compatible with Kubernetes 1.34, 1.35, 1.36 and 1.37 clusters. ### aws-k8s-1.34-nvidia-fips: Kubernetes 1.34 NVIDIA FIPS node The [aws-k8s-1.34-nvidia-fips](aws-k8s-1.34-nvidia-fips/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs and is FIPS-enabled. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.34, 1.35, 1.36 and 1.37 clusters. ### aws-k8s-1.35: Kubernetes 1.35 node The [aws-k8s-1.35](aws-k8s-1.35/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.35, 1.36, 1.37 and 1.38 clusters. ### aws-k8s-1.35-nvidia: Kubernetes 1.35 NVIDIA node The [aws-k8s-1.35-nvidia](aws-k8s-1.35-nvidia/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.35, 1.36, 1.37 and 1.38 clusters. ### aws-k8s-1.35-nvidia-fips: Kubernetes 1.35 NVIDIA FIPS node The [aws-k8s-1.35-nvidia-fips](aws-k8s-1.35-nvidia-fips/Cargo.toml) variant includes the packages needed to run a Kubernetes node in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs and is FIPS-enabled. It supports self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant is compatible with Kubernetes 1.35, 1.36, 1.37 and 1.38 clusters. ### aws-ecs-2: Amazon ECS container instance The [aws-ecs-2](aws-ecs-2/Cargo.toml) variant includes the packages needed to run an [Amazon ECS](https://ecs.aws) container instance in AWS. 
### aws-ecs-2-nvidia: Amazon ECS container instance The [aws-ecs-2-nvidia](aws-ecs-2-nvidia/Cargo.toml) variant includes the packages needed to run an [Amazon ECS](https://ecs.aws) container instance in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs. ### aws-ecs-2-nvidia-fips: Amazon ECS container instance The [aws-ecs-2-nvidia-fips](aws-ecs-2-nvidia-fips/Cargo.toml) variant includes the packages needed to run an [Amazon ECS](https://ecs.aws) container instance in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs and is FIPS-enabled. ### aws-ecs-3: Amazon ECS container instance The [aws-ecs-3](aws-ecs-3/Cargo.toml) variant includes the packages needed to run an [Amazon ECS](https://ecs.aws) container instance in AWS. ### aws-ecs-3-fips: Amazon ECS container instance with FIPS The [aws-ecs-3-fips](aws-ecs-3-fips/Cargo.toml) variant includes the packages needed to run an [Amazon ECS](https://ecs.aws) container instance in AWS. It also is FIPS-enabled. ### aws-ecs-3-nvidia: Amazon ECS container instance with NVIDIA The [aws-ecs-3-nvidia](aws-ecs-3-nvidia/Cargo.toml) variant includes the packages needed to run an [Amazon ECS](https://ecs.aws) container instance in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs. ### aws-ecs-3-nvidia-fips: Amazon ECS container instance with NVIDIA and FIPS The [aws-ecs-3-nvidia-fips](aws-ecs-3-nvidia-fips/Cargo.toml) variant includes the packages needed to run an [Amazon ECS](https://ecs.aws) container instance in AWS. It also includes the required packages to configure containers to leverage NVIDIA GPUs and is FIPS-enabled. ### aws-dev: AWS development build The [aws-dev](aws-dev/Cargo.toml) variant has useful packages for local development of the OS. It includes tools for troubleshooting as well as Docker for running containers. User data will be read from IMDS. 
### vmware-dev: VMware development build The [vmware-dev](vmware-dev/Cargo.toml) variant has useful packages for local development of the OS, and is intended to run as a VMware guest. It includes tools for troubleshooting as well as Docker for running containers. ### vmware-k8s-1.29: VMware Kubernetes 1.29 node The [vmware-k8s-1.29](vmware-k8s-1.29/Cargo.toml) variant includes the packages needed to run a Kubernetes worker node as a VMware guest. It supports self-hosted clusters. This variant is compatible with Kubernetes 1.29, 1.30, 1.31, and 1.32 clusters. ### vmware-k8s-1.30: VMware Kubernetes 1.30 node The [vmware-k8s-1.30](vmware-k8s-1.30/Cargo.toml) variant includes the packages needed to run a Kubernetes worker node as a VMware guest. It supports self-hosted clusters. This variant is compatible with Kubernetes 1.30, 1.31, 1.32, and 1.33 clusters. ### vmware-k8s-1.31: VMware Kubernetes 1.31 node The [vmware-k8s-1.31](vmware-k8s-1.31/Cargo.toml) variant includes the packages needed to run a Kubernetes worker node as a VMware guest. It supports self-hosted clusters. This variant is compatible with Kubernetes 1.31, 1.32, 1.33, and 1.34 clusters. ### vmware-k8s-1.32: VMware Kubernetes 1.32 node The [vmware-k8s-1.32](vmware-k8s-1.32/Cargo.toml) variant includes the packages needed to run a Kubernetes worker node as a VMware guest. It supports self-hosted clusters. This variant is compatible with Kubernetes 1.32, 1.33, 1.34, and 1.35 clusters. ### vmware-k8s-1.33: VMware Kubernetes 1.33 node The [vmware-k8s-1.33](vmware-k8s-1.33/Cargo.toml) variant includes the packages needed to run a Kubernetes worker node as a VMware guest. It supports self-hosted clusters. This variant is compatible with Kubernetes 1.33, 1.34, 1.35, and 1.36 clusters. ### vmware-k8s-1.34: VMware Kubernetes 1.34 node The [vmware-k8s-1.34](vmware-k8s-1.34/Cargo.toml) variant includes the packages needed to run a Kubernetes worker node as a VMware guest. It supports self-hosted clusters. 
This variant is compatible with Kubernetes 1.34, 1.35, 1.36, and 1.37 clusters. ### vmware-k8s-1.35: VMware Kubernetes 1.35 node The [vmware-k8s-1.35](vmware-k8s-1.35/Cargo.toml) variant includes the packages needed to run a Kubernetes worker node as a VMware guest. It supports self-hosted clusters. This variant is compatible with Kubernetes 1.35, 1.36, 1.37, and 1.38 clusters. ### metal-dev: Metal development build The [metal-dev](metal-dev/Cargo.toml) variant has useful packages for local development of the OS and is intended to run bare metal. It includes tools for troubleshooting as well as Docker for running containers. ### Deprecated variants #### aws-k8s-1.15: Kubernetes 1.15 node The aws-k8s-1.15 variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.15, 1.16, and 1.17 clusters. It reached end-of-life on May 3, 2021. Upstream support for Kubernetes 1.15 has ended and this variant will no longer be supported in Bottlerocket releases. #### aws-k8s-1.16: Kubernetes 1.16 node The aws-k8s-1.16 variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.16, 1.17, and 1.18 clusters. It reached end-of-life on July 25, 2021. Upstream support for Kubernetes 1.16 has ended and this variant will no longer be supported in Bottlerocket releases. #### aws-k8s-1.17: Kubernetes 1.17 node The aws-k8s-1.17 variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.17, 1.18, and 1.19 clusters. It reached end-of-life on November 2, 2021. 
Upstream support for Kubernetes 1.17 has ended and this variant will no longer be supported in Bottlerocket releases. #### aws-k8s-1.18: Kubernetes 1.18 node The aws-k8s-1.18 variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.18, 1.19, and 1.20 clusters. It reached end-of-life on March 31st, 2022. Upstream support for Kubernetes 1.18 has ended and this variant will no longer be supported in Bottlerocket releases. #### aws-k8s-1.19: Kubernetes 1.19 node The aws-k8s-1.19 variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.19, 1.20, and 1.21 clusters. It reached end-of-life on August 1st, 2022. Upstream support for Kubernetes 1.19 has ended and this variant will no longer be supported in Bottlerocket releases. #### aws-k8s-1.20: Kubernetes 1.20 node The aws-k8s-1.20 variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.20, 1.21, and 1.22 clusters. It reached end-of-life on November 1st, 2022. Upstream support for Kubernetes 1.20 has ended and this variant will no longer be supported in Bottlerocket releases. #### vmware-k8s-1.20: VMware Kubernetes 1.20 node The vmware-k8s-1.20 variant included the packages needed to run a Kubernetes worker node as a VMware guest. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.20, 1.21, and 1.22 clusters. #### aws-k8s-1.21: Kubernetes 1.21 node The aws-k8s-1.21 variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). 
This variant was compatible with Kubernetes 1.21, 1.22, and 1.23 clusters. #### aws-k8s-1.21-nvidia: Kubernetes 1.21 NVIDIA node The aws-k8s-1.21-nvidia variant included the packages needed to run a Kubernetes node in AWS. It also included the required packages to configure containers to leverage NVIDIA GPUs. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.21, 1.22, and 1.23 clusters. #### metal-k8s-1.21: Metal Kubernetes 1.21 node The metal-k8s-1.21 variant included the packages needed to run a Kubernetes node on bare metal. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.21, 1.22, and 1.23 clusters. #### vmware-k8s-1.21: VMware Kubernetes 1.21 node The vmware-k8s-1.21 variant included the packages needed to run a Kubernetes worker node as a VMware guest. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.21, 1.22, and 1.23 clusters. #### aws-k8s-1.22: Kubernetes 1.22 node The aws-k8s-1.22 variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.22, 1.23, and 1.24 clusters. #### aws-k8s-1.22-nvidia: Kubernetes 1.22 NVIDIA node The aws-k8s-1.22-nvidia variant included the packages needed to run a Kubernetes node in AWS. It also included the required packages to configure containers to leverage NVIDIA GPUs. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.22, 1.23, and 1.24 clusters. #### metal-k8s-1.22: Metal Kubernetes 1.22 node The metal-k8s-1.22 variant included the packages needed to run a Kubernetes node on bare metal. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.22, 1.23, and 1.24 clusters. 
#### vmware-k8s-1.22: VMware Kubernetes 1.22 node The vmware-k8s-1.22 variant included the packages needed to run a Kubernetes worker node as a VMware guest. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.22, 1.23, and 1.24 clusters. #### aws-k8s-1.23: Kubernetes 1.23 node The [aws-k8s-1.23](aws-k8s-1.23/Cargo.toml) variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.23, 1.24, and 1.25 clusters. #### aws-k8s-1.23-nvidia: Kubernetes 1.23 NVIDIA node The [aws-k8s-1.23-nvidia](aws-k8s-1.23-nvidia/Cargo.toml) variant included the packages needed to run a Kubernetes node in AWS. It also included the required packages to configure containers to leverage NVIDIA GPUs. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.23, 1.24, and 1.25 clusters. #### metal-k8s-1.23: Metal Kubernetes 1.23 node The metal-k8s-1.23 variant included the packages needed to run a Kubernetes worker node on bare metal. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.23, 1.24, and 1.25 clusters. #### vmware-k8s-1.23: VMware Kubernetes 1.23 node The vmware-k8s-1.23 variant included the packages needed to run a Kubernetes worker node as a VMware guest. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.23, 1.24, and 1.25 clusters. #### vmware-k8s-1.24: VMware Kubernetes 1.24 node The vmware-k8s-1.24 variant included the packages needed to run a Kubernetes worker node as a VMware guest. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.24, 1.25, and 1.26 clusters. #### aws-k8s-1.24: Kubernetes 1.24 node The [aws-k8s-1.24](aws-k8s-1.24/Cargo.toml) variant included the packages needed to run a Kubernetes node in AWS. 
It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.24, 1.25, and 1.26 clusters. #### aws-k8s-1.24-nvidia: Kubernetes 1.24 NVIDIA node The [aws-k8s-1.24-nvidia](aws-k8s-1.24-nvidia/Cargo.toml) variant included the packages needed to run a Kubernetes node in AWS. It also included the required packages to configure containers to leverage NVIDIA GPUs. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.24, 1.25, and 1.26 clusters. #### metal-k8s-1.24: Metal Kubernetes 1.24 node The metal-k8s-1.24 variant included the packages needed to run a Kubernetes node on bare metal. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.24, 1.25, and 1.26 clusters. #### vmware-k8s-1.25: VMware Kubernetes 1.25 node The [vmware-k8s-1.25](vmware-k8s-1.25/Cargo.toml) variant included the packages needed to run a Kubernetes worker node as a VMware guest. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.25, 1.26, 1.27, and 1.28 clusters. #### aws-k8s-1.25: Kubernetes 1.25 node The [aws-k8s-1.25](aws-k8s-1.25/Cargo.toml) variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.25, 1.26, 1.27, and 1.28 clusters. #### aws-k8s-1.25-nvidia: Kubernetes 1.25 NVIDIA node The [aws-k8s-1.25-nvidia](aws-k8s-1.25-nvidia/Cargo.toml) variant included the packages needed to run a Kubernetes node in AWS. It also included the required packages to configure containers to leverage NVIDIA GPUs. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.25, 1.26, 1.27, and 1.28 clusters. 
#### metal-k8s-1.25: Metal Kubernetes 1.25 node The [metal-k8s-1.25](metal-k8s-1.25/Cargo.toml) variant included the packages needed to run a Kubernetes node on bare metal. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.25, 1.26, 1.27, and 1.28 clusters. #### vmware-k8s-1.26: VMware Kubernetes 1.26 node The vmware-k8s-1.26 variant included the packages needed to run a Kubernetes worker node as a VMware guest. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.26, 1.27, 1.28, and 1.29 clusters. #### aws-k8s-1.26: Kubernetes 1.26 node The [aws-k8s-1.26](aws-k8s-1.26/Cargo.toml) variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.26, 1.27, 1.28, and 1.29 clusters. #### aws-k8s-1.26-nvidia: Kubernetes 1.26 NVIDIA node The [aws-k8s-1.26-nvidia](aws-k8s-1.26-nvidia/Cargo.toml) variant included the packages needed to run a Kubernetes node in AWS. It also included the required packages to configure containers to leverage NVIDIA GPUs. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.26, 1.27, 1.28, and 1.29 clusters. #### metal-k8s-1.26: Metal Kubernetes 1.26 node The metal-k8s-1.26 variant included the packages needed to run a Kubernetes node on bare metal. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.26, 1.27, 1.28, and 1.29 clusters. #### vmware-k8s-1.27: VMware Kubernetes 1.27 node The [vmware-k8s-1.27](vmware-k8s-1.27/Cargo.toml) variant included the packages needed to run a Kubernetes worker node as a VMware guest. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.27, 1.28, 1.29, and 1.30 clusters. 
#### aws-k8s-1.27: Kubernetes 1.27 node The [aws-k8s-1.27](aws-k8s-1.27/Cargo.toml) variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.27, 1.28, 1.29, and 1.30 clusters. #### aws-k8s-1.27-nvidia: Kubernetes 1.27 NVIDIA node The [aws-k8s-1.27-nvidia](aws-k8s-1.27-nvidia/Cargo.toml) variant included the packages needed to run a Kubernetes node in AWS. It also included the required packages to configure containers to leverage NVIDIA GPUs. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.27, 1.28, 1.29, and 1.30 clusters. #### metal-k8s-1.27: Metal Kubernetes 1.27 node The [metal-k8s-1.27](metal-k8s-1.27/Cargo.toml) variant included the packages needed to run a Kubernetes node on bare metal. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.27, 1.28, 1.29, and 1.30 clusters. #### metal-k8s-1.28: Metal Kubernetes 1.28 node The [metal-k8s-1.28](metal-k8s-1.28/Cargo.toml) variant included the packages needed to run a Kubernetes node on bare metal. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.28, 1.29, 1.30, and 1.31 clusters. #### metal-k8s-1.29: Metal Kubernetes 1.29 node The [metal-k8s-1.29](metal-k8s-1.29/Cargo.toml) variant included the packages needed to run a Kubernetes node on bare metal. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.29, 1.30, 1.31, and 1.32 clusters. #### aws-ecs-1: Amazon ECS container instance The [aws-ecs-1](aws-ecs-1/Cargo.toml) variant included the packages needed to run an [Amazon ECS](https://ecs.aws) container instance in AWS. 
#### aws-ecs-1-nvidia: Amazon ECS container instance The [aws-ecs-1-nvidia](aws-ecs-1-nvidia/Cargo.toml) variant included the packages needed to run an [Amazon ECS](https://ecs.aws) container instance in AWS. It also included the required packages to configure containers to leverage NVIDIA GPUs. #### aws-k8s-1.28: Kubernetes 1.28 node The aws-k8s-1.28 variant included the packages needed to run a Kubernetes node in AWS. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.28, 1.29, 1.30, and 1.31 clusters. #### aws-k8s-1.28-nvidia: Kubernetes 1.28 NVIDIA node The aws-k8s-1.28-nvidia variant included the packages needed to run a Kubernetes node in AWS. It also included the required packages to configure containers to leverage NVIDIA GPUs. It supported self-hosted clusters and clusters managed by [EKS](https://aws.amazon.com/eks/). This variant was compatible with Kubernetes 1.28, 1.29, 1.30, and 1.31 clusters. #### vmware-k8s-1.28: VMware Kubernetes 1.28 node The vmware-k8s-1.28 variant included the packages needed to run a Kubernetes worker node as a VMware guest. It supported self-hosted clusters. This variant was compatible with Kubernetes 1.28, 1.29, 1.30, and 1.31 clusters. ## Development Say we want to create `my-variant`, a custom build of Bottlerocket that runs `my-agent`. ### Structure This listing shows the directory structure of our sample variant. ``` variants/my-variant └── Cargo.toml ``` Each variant has a `Cargo.toml` file that lists the packages to install. It also refers to a `build.rs` [build script](https://doc.rust-lang.org/cargo/reference/build-scripts.html) which tells Cargo to invoke our [buildsys](../tools/buildsys/) tool. Artifacts for the variant are built as a side effect of Cargo running the script. It points to `/dev/null` for the actual crate, since Cargo expects some Rust code to build, and is happy with an empty file. 
### Cargo.toml Our sample variant has the following manifest. ```toml [package] name = "my-variant" version = "0.1.0" edition = "2018" publish = false build = "../build.rs" [package.metadata.build-variant] included-packages = [ "release", "my-agent", ] [package.metadata.build-variant.image-layout] os-image-size-gib = 8 data-image-size-gib = 20 partition-plan = "unified" [lib] path = "../variants.rs" [build-dependencies] "my-agent" = { path = "../../packages/my-agent" } "release" = { path = "../../packages/release" } ``` The [package.metadata](https://doc.rust-lang.org/cargo/reference/manifest.html#the-metadata-table-optional) table is ignored by Cargo and interpreted by our `buildsys` tool. It contains an `included-packages` list which specifies the packages to install when building the image. In the `[build-dependencies]` section, we specify the packages that need to be built, which is sometimes slightly different than `included-packages`. This populates the Cargo build graph with all of the RPM packages that need to be built before the variant can be constructed. Variants should almost always include the `release` package. This pulls in the other core packages and includes essential configuration and services. This variant includes the (optional) `image-layout` section, which allows the user to customize the layout of the image they are building. `os-image-size-gib` is the size of the "OS" disk image in GiB. `data-image-size-gib` is the size of the "data" disk image in GiB. Though we've done so here for sake of demonstration, resizing the "data" disk image isn't necessary as it expands to fill the disk on boot. `partition-plan` is the strategy used for image partitioning, with the options being "split" (the default) or "unified". The "split" partition strategy has separate volumes for "OS" and "data", while "unified" has "OS" and "data" on a single volume. See [the documentation](../tools/buildsys/src/manifest.rs) for the defaults and additional details. 
Be sure to include `publish = false` for all packages, as these are not standard crates and should never appear on [crates.io](https://crates.io/). ### build.rs We reuse the same build script for all variants. ```rust use std::process::{exit, Command}; fn main() -> Result<(), std::io::Error> { let ret = Command::new("buildsys").arg("build-variant").status()?; if !ret.success() { exit(1); } Ok(()) } ``` If you need a build script with different behavior, the recommended approach is to modify the `buildsys` tool. The `package.metadata` table can be extended with declarative elements that enable the new feature. ### Next Steps To build your variant, run the following command in the top-level Bottlerocket directory. ```shell cargo make -e BUILDSYS_VARIANT=my-variant ``` This will build all packages first, not just the ones needed by your variant. ================================================ FILE: variants/aws-dev/Cargo.toml ================================================ [package] name = "aws-dev" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-features] grub-set-private-var = true xfs-data-partition = true uefi-secure-boot = true systemd-networkd = true erofs-root-partition = true external-kmod-development = false encrypted-storage = true [package.metadata.build-variant] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # docker "docker-cli-29", "docker-engine-29", "docker-init", # tools "login", "iputils", "strace", "chrony-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/aws-ecs-2/Cargo.toml ================================================ [package] name = "aws-ecs-2" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true [package.metadata.build-variant] included-packages = [ # core "release", "kernel-6.1", "whippet", # docker "docker-cli", "docker-engine", "docker-init", # ecs "ecs-agent-config", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/aws-ecs-2-fips/Cargo.toml ================================================ [package] name = "aws-ecs-2-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true fips = true [package.metadata.build-variant] included-packages = [ # core "release", "kernel-6.1", "whippet", # docker "docker-cli", "docker-engine", "docker-init", # ecs "ecs-agent-config", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/aws-ecs-2-nvidia/Cargo.toml ================================================ [package] name = "aws-ecs-2-nvidia" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true [package.metadata.build-variant.image-layout] os-image-size-gib = 4 [package.metadata.build-variant] included-packages = [ # core "release", "kernel-6.1", "whippet", # docker "docker-cli", "docker-engine", "docker-init", # ecs "ecs-agent-nvidia-config", # NVIDIA support "ecs-gpu-init", "nvidia-container-toolkit-ecs", "kmod-6.1-nvidia-r580-tesla", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } 
================================================ FILE: variants/aws-ecs-2-nvidia-fips/Cargo.toml ================================================ [package] name = "aws-ecs-2-nvidia-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true fips = true [package.metadata.build-variant.image-layout] os-image-size-gib = 4 [package.metadata.build-variant] included-packages = [ # core "release", "kernel-6.1", "whippet", # docker "docker-cli", "docker-engine", "docker-init", # ecs "ecs-agent-nvidia-config", # NVIDIA support "ecs-gpu-init", "nvidia-container-toolkit-ecs", "kmod-6.1-nvidia-r580-tesla", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/aws-ecs-3/Cargo.toml ================================================ [package] name = "aws-ecs-3" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true systemd-networkd = true erofs-root-partition = true external-kmod-development = false encrypted-storage = true [package.metadata.build-variant] included-packages = [ # core "release", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # docker "docker-cli-29", "docker-engine-29", "docker-init", # ecs "ecs-agent-config", "aws-signer-notation-plugin", "notation-image-verifier", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/aws-ecs-3/amispec.toml ================================================ description = "This variant is in preview. It contains the newly released Docker v29.0.0 along with features related to image verification and encrypted storage." # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html imds-support = "v2.0" # Override the pubsys "gp2" default [block-device-mappings."/dev/xvda".ebs] volume-type = "gp3" [block-device-mappings."/dev/xvdb".ebs] volume-type = "gp3" ================================================ FILE: variants/aws-ecs-3-fips/Cargo.toml ================================================ [package] name = "aws-ecs-3-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true systemd-networkd = true erofs-root-partition = true external-kmod-development = false encrypted-storage = true fips = true [package.metadata.build-variant] included-packages = [ # core "release", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # docker "docker-cli-29", "docker-engine-29", "docker-init", # ecs "ecs-agent-config", "aws-signer-notation-plugin", "notation-image-verifier", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/aws-ecs-3-fips/amispec.toml ================================================ description = "This variant is in preview. It contains the newly released Docker v29.0.0 along with features related to image verification and encrypted storage." 
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html imds-support = "v2.0" # Override the pubsys "gp2" default [block-device-mappings."/dev/xvda".ebs] volume-type = "gp3" [block-device-mappings."/dev/xvdb".ebs] volume-type = "gp3" ================================================ FILE: variants/aws-ecs-3-nvidia/Cargo.toml ================================================ [package] name = "aws-ecs-3-nvidia" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true systemd-networkd = true erofs-root-partition = true external-kmod-development = false encrypted-storage = true [package.metadata.build-variant.image-layout] os-image-size-gib = 4 [package.metadata.build-variant] included-packages = [ # core "release", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # docker "docker-cli-29", "docker-engine-29", "docker-init", # ecs "ecs-agent-nvidia-config", "aws-signer-notation-plugin", "notation-image-verifier", # NVIDIA support "ecs-gpu-init", "nvidia-container-toolkit-ecs", "kmod-6.12-nvidia-r580-tesla", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/aws-ecs-3-nvidia/amispec.toml ================================================ description = "This variant is in preview. It contains the newly released Docker v29.0.0 along with features related to image verification and encrypted storage." 
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html
# Registers the AMI with IMDSv2 support. Per the EC2 documentation linked above, instances
# launched from an AMI registered as "v2.0" require session tokens for metadata requests by
# default; metadata options given at launch can still override that default.
imds-support = "v2.0"

# Override the pubsys "gp2" default
[block-device-mappings."/dev/xvda".ebs]
volume-type = "gp3"

[block-device-mappings."/dev/xvdb".ebs]
volume-type = "gp3"

================================================
FILE: variants/aws-ecs-3-nvidia-fips/Cargo.toml
================================================
[package]
name = "aws-ecs-3-nvidia-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
systemd-networkd = true
erofs-root-partition = true
external-kmod-development = false
encrypted-storage = true
# FIPS build; the aws-ecs-3-nvidia variant does not set this flag.
fips = true

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.12",
    "containerd-2.1",
    "systemd-257",
    "nftables",
    "whippet",
    # docker
    "docker-cli-29",
    "docker-engine-29",
    "docker-init",
    # ecs
    "ecs-agent-nvidia-config",
    # presumably the "image verification" feature named in this variant's AMI description - TODO confirm
    "aws-signer-notation-plugin",
    "notation-image-verifier",
    # NVIDIA support
    "ecs-gpu-init",
    "nvidia-container-toolkit-ecs",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.12-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-ecs-3-nvidia-fips/amispec.toml
================================================
description = "This variant is in preview. It contains the newly released Docker v29.0.0 along with features related to image verification and encrypted storage."
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html
# Registers the AMI with IMDSv2 support. Per the EC2 documentation linked above, instances
# launched from an AMI registered as "v2.0" require session tokens for metadata requests by
# default; metadata options given at launch can still override that default.
imds-support = "v2.0"

# Override the pubsys "gp2" default
[block-device-mappings."/dev/xvda".ebs]
volume-type = "gp3"

[block-device-mappings."/dev/xvdb".ebs]
volume-type = "gp3"

================================================
FILE: variants/aws-k8s-1.29/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.29 variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_29"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.29",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.29-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.29-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_29-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
# FIPS build; the aws-k8s-1.29 variant does not set this flag.
fips = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.29",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.29-nvidia/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.29-nvidia variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_29-nvidia"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.29",
    "aws-iam-authenticator",
    "soci-snapshotter",
    # nvidia
    "nvidia-container-toolkit-k8s",
    "nvidia-k8s-device-plugin",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.1-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.29-nvidia-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.29-nvidia-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_29-nvidia-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
# FIPS build; the aws-k8s-1.29-nvidia variant does not set this flag.
fips = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    # NOTE(review): "containerd-2.1" is listed here but not in the aws-k8s-1.29-nvidia or
    # aws-k8s-1.29-fips package lists; confirm the difference is intended.
    "containerd-2.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.29",
    "aws-iam-authenticator",
    "soci-snapshotter",
    # nvidia
    "nvidia-container-toolkit-k8s",
    "nvidia-k8s-device-plugin",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.1-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.30/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.30 variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_30"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.30",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.30-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.30-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_30-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
# FIPS build; the aws-k8s-1.30 variant does not set this flag.
fips = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.30",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.30-nvidia/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.30-nvidia variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_30-nvidia"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.30",
    "aws-iam-authenticator",
    "soci-snapshotter",
    # nvidia
    "nvidia-container-toolkit-k8s",
    "nvidia-k8s-device-plugin",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.1-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.30-nvidia-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.30-nvidia-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_30-nvidia-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
# FIPS build; the aws-k8s-1.30-nvidia variant does not set this flag.
fips = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    # NOTE(review): "containerd-2.1" is listed here but not in the aws-k8s-1.30-nvidia or
    # aws-k8s-1.30-fips package lists; confirm the difference is intended.
    "containerd-2.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.30",
    "aws-iam-authenticator",
    "soci-snapshotter",
    # nvidia
    "nvidia-container-toolkit-k8s",
    "nvidia-k8s-device-plugin",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.1-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.31/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.31 variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_31"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.31",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.31-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.31-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_31-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
# FIPS build; the aws-k8s-1.31 variant does not set this flag.
fips = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.31",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.31-nvidia/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.31-nvidia variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_31-nvidia"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.31",
    "aws-iam-authenticator",
    "soci-snapshotter",
    # nvidia
    "nvidia-container-toolkit-k8s",
    "nvidia-k8s-device-plugin",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.1-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.31-nvidia-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.31-nvidia-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_31-nvidia-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
# FIPS build; the aws-k8s-1.31-nvidia variant does not set this flag.
fips = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    # NOTE(review): "containerd-2.1" is listed here but not in the aws-k8s-1.31-nvidia or
    # aws-k8s-1.31-fips package lists; confirm the difference is intended.
    "containerd-2.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.31",
    "aws-iam-authenticator",
    "soci-snapshotter",
    # nvidia
    "nvidia-container-toolkit-k8s",
    "nvidia-k8s-device-plugin",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.1-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.32/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.32 variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_32"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.32",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.32-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.32-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_32-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
# FIPS build; the aws-k8s-1.32 variant does not set this flag.
fips = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.32",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.32-nvidia/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.32-nvidia variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_32-nvidia"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.32",
    "aws-iam-authenticator",
    "soci-snapshotter",
    # nvidia
    "nvidia-container-toolkit-k8s",
    "nvidia-k8s-device-plugin",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.1-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.32-nvidia-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.32-nvidia-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_32-nvidia-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
# FIPS build; the aws-k8s-1.32-nvidia variant does not set this flag.
fips = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.1",
    # NOTE(review): "containerd-2.1" is listed here but not in the aws-k8s-1.32-nvidia or
    # aws-k8s-1.32-fips package lists; confirm the difference is intended.
    "containerd-2.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.32",
    "aws-iam-authenticator",
    "soci-snapshotter",
    # nvidia
    "nvidia-container-toolkit-k8s",
    "nvidia-k8s-device-plugin",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.1-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.33/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.33 variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_33"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
# Explicitly off from this Kubernetes version on; the 1.29-1.32 variants leave the key unset.
external-kmod-development = false

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.12",
    "containerd-2.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.33",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.33-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.33-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_33-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
# FIPS build; the aws-k8s-1.33 variant does not set this flag.
fips = true
external-kmod-development = false

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    # NOTE(review): kernel-6.1 here, while aws-k8s-1.33, aws-k8s-1.33-nvidia and
    # aws-k8s-1.33-nvidia-fips list kernel-6.12; confirm this FIPS variant is meant to
    # stay on the 6.1 kernel.
    "kernel-6.1",
    "containerd-2.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.33",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.33-nvidia/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.33-nvidia variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_33-nvidia"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
external-kmod-development = false

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.12",
    "containerd-2.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.33",
    "aws-iam-authenticator",
    "soci-snapshotter",
    # nvidia
    "nvidia-container-toolkit-k8s",
    "nvidia-k8s-device-plugin",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.12-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.33-nvidia-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.33-nvidia-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_33-nvidia-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
external-kmod-development = false
# FIPS build; the aws-k8s-1.33-nvidia variant does not set this flag.
fips = true

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.12",
    "containerd-2.1",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.33",
    "aws-iam-authenticator",
    "soci-snapshotter",
    # nvidia
    "nvidia-container-toolkit-k8s",
    "nvidia-k8s-device-plugin",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.12-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.34/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.34 variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_34"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
external-kmod-development = false

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.12",
    "containerd-2.1",
    "systemd-257",
    "nftables",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.34",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.34-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.34-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_34-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
# FIPS build; the aws-k8s-1.34 variant does not set this flag.
fips = true
external-kmod-development = false

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.12",
    "containerd-2.1",
    "systemd-257",
    "nftables",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.34",
    "aws-iam-authenticator",
    "soci-snapshotter",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.34-nvidia/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.34-nvidia variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_34-nvidia"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"]

# Set only by the -nvidia variants on this page.
[package.metadata.build-variant.image-layout]
os-image-size-gib = 4

# Image features enabled when building this variant.
[package.metadata.build-variant.image-features]
grub-set-private-var = true
uefi-secure-boot = true
xfs-data-partition = true
erofs-root-partition = true
systemd-networkd = true
external-kmod-development = false

[package.metadata.build-variant]
# Packages built into the image, grouped by role.
included-packages = [
    # core
    "release",
    "kernel-6.12",
    "containerd-2.1",
    "systemd-257",
    "nftables",
    "whippet",
    # k8s
    "cni",
    "cni-plugins",
    "kubelet-1.34",
    "aws-iam-authenticator",
    "soci-snapshotter",
    # nvidia
    "nvidia-container-toolkit-k8s",
    "nvidia-k8s-device-plugin",
    # the driver package name carries the kernel series; keep it in step with the kernel-* entry above
    "kmod-6.12-nvidia-r580-tesla",
]
# Kernel command line: consoles on tty0 and ttyS0, net.ifnames=0 to keep ethN interface
# names, and eth0 as netdog's default interface.
kernel-parameters = [
    "console=tty0",
    "console=ttyS0,115200n8",
    "net.ifnames=0",
    "netdog.default-interface=eth0:dhcp4,dhcp6?",
    "quiet",
]

[lib]
path = "../variants.rs"

# Settings crates, resolved by relative path within the repository.
[build-dependencies]
settings-defaults = { path = "../../packages/settings-defaults" }
settings-plugins = { path = "../../packages/settings-plugins" }
settings-migrations = { path = "../../packages/settings-migrations" }

================================================
FILE: variants/aws-k8s-1.34-nvidia-fips/Cargo.toml
================================================
[package]
# This is the aws-k8s-1.34-nvidia-fips variant. "." is not allowed in crate names, but we
# don't use this crate name anywhere.
name = "aws-k8s-1_34-nvidia-fips"
version = "0.1.0"
edition = "2021"
publish = false
build = "../build.rs"
# Don't rebuild crate just because of changes to README.
exclude = ["README.md"] [package.metadata.build-variant.image-layout] os-image-size-gib = 4 [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true external-kmod-development = false fips = true [package.metadata.build-variant] included-packages = [ # core "release", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.34", "aws-iam-authenticator", "soci-snapshotter", # nvidia "nvidia-container-toolkit-k8s", "nvidia-k8s-device-plugin", "kmod-6.12-nvidia-r580-tesla", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/aws-k8s-1.35/Cargo.toml ================================================ [package] # This is the aws-k8s-1.35 variant. "." is not allowed in crate names, but we # don't use this crate name anywhere. name = "aws-k8s-1_35" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true external-kmod-development = false [package.metadata.build-variant] included-packages = [ # core "release-swap", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.35", "aws-iam-authenticator", "soci-snapshotter", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/aws-k8s-1.35-fips/Cargo.toml ================================================ [package] # This is the aws-k8s-1.35-fips variant. "." is not allowed in crate names, but we # don't use this crate name anywhere. name = "aws-k8s-1_35-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true fips = true external-kmod-development = false [package.metadata.build-variant] included-packages = [ # core "release-swap", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.35", "aws-iam-authenticator", "soci-snapshotter", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/aws-k8s-1.35-nvidia/Cargo.toml ================================================ [package] # This is the aws-k8s-1.35-nvidia variant. "." is not allowed in crate names, but we # don't use this crate name anywhere. name = "aws-k8s-1_35-nvidia" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] os-image-size-gib = 4 [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true external-kmod-development = false [package.metadata.build-variant] included-packages = [ # core "release-swap", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.35", "aws-iam-authenticator", "soci-snapshotter", # nvidia "nvidia-container-toolkit-k8s", "nvidia-k8s-device-plugin", "kmod-6.12-nvidia-r580-tesla", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/aws-k8s-1.35-nvidia-fips/Cargo.toml ================================================ [package] # This is the aws-k8s-1.35-nvidia-fips variant. "." is not allowed in crate names, but we # don't use this crate name anywhere. name = "aws-k8s-1_35-nvidia-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] os-image-size-gib = 4 [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true external-kmod-development = false fips = true [package.metadata.build-variant] included-packages = [ # core "release-swap", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.35", "aws-iam-authenticator", "soci-snapshotter", # nvidia "nvidia-container-toolkit-k8s", "nvidia-k8s-device-plugin", "kmod-6.12-nvidia-r580-tesla", ] kernel-parameters = [ "console=tty0", "console=ttyS0,115200n8", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/build.rs ================================================ use std::process::{exit, Command}; fn main() -> Result<(), std::io::Error> { let ret = Command::new("buildsys").arg("build-variant").status()?; if !ret.success() { exit(1); } Ok(()) } ================================================ FILE: variants/metal-dev/Cargo.toml ================================================ [package] name = "metal-dev" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true xfs-data-partition = true erofs-root-partition = true uefi-secure-boot = true systemd-networkd = true [package.metadata.build-variant] image-format = "raw" kernel-parameters = [ # Only reserve if there are at least 2GB "crashkernel=2G-:256M" ] included-packages = [ # core "release", "kernel-6.1", "linux-firmware", "whippet", # docker "docker-cli", "docker-engine", "docker-init", # tools "login", "iputils", "strace", "chrony-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/shared/amispec-split.toml ================================================ # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html imds-support = "v2.0" # Override the pubsys "gp2" default [block-device-mappings."/dev/xvda".ebs] volume-type = "gp3" [block-device-mappings."/dev/xvdb".ebs] volume-type = "gp3" ================================================ FILE: variants/shared/template-split-secboot.ovf ================================================ List of the virtual disks The list of logical networks The network A Virtual machine The operating system installed Other 4.x or later Linux (64-bit) Virtual hardware requirements Virtual Hardware Family 0 vmx-15 hertz * 10^6 Number of Virtual CPUs 2 virtual CPU(s) 1 3 2 byte * 2^20 Memory Size 8192MB of memory 2 4 8192 0 NVMe Controller NVMe Controller 1 4 vmware.nvme.controller 20 0 Hard Disk 1 ovf:/disk/vmdisk1 6 4 17 1 Hard Disk 2 ovf:/disk/vmdisk2 7 4 17 0 true VM Network Network adapter 1 9 VmxNet3 10 ================================================ FILE: 
variants/shared/template-split.ovf ================================================ List of the virtual disks The list of logical networks The network A Virtual machine The operating system installed Other 4.x or later Linux (64-bit) Virtual hardware requirements Virtual Hardware Family 0 vmx-15 hertz * 10^6 Number of Virtual CPUs 2 virtual CPU(s) 1 3 2 byte * 2^20 Memory Size 8192MB of memory 2 4 8192 0 NVMe Controller NVMe Controller 1 4 vmware.nvme.controller 20 0 Hard Disk 1 ovf:/disk/vmdisk1 6 4 17 1 Hard Disk 2 ovf:/disk/vmdisk2 7 4 17 0 true VM Network Network adapter 1 9 VmxNet3 10 ================================================ FILE: variants/shared/template-unified-secboot-tpm.ovf ================================================ List of the virtual disks The list of logical networks The network A Virtual machine The operating system installed Other 4.x or later Linux (64-bit) Virtual hardware requirements Virtual Hardware Family 0 vmx-15 hertz * 10^6 Number of Virtual CPUs 2 virtual CPU(s) 1 3 2 byte * 2^20 Memory Size 8192MB of memory 2 4 8192 0 NVMe Controller NVMe Controller 1 4 vmware.nvme.controller 20 0 Hard Disk 1 ovf:/disk/vmdisk1 6 4 17 0 true VM Network Network adapter 1 9 VmxNet3 10 true Virtual TPM 13 vmware.vtpm 1 ================================================ FILE: variants/shared/template-unified-secboot.ovf ================================================ List of the virtual disks The list of logical networks The network A Virtual machine The operating system installed Other 4.x or later Linux (64-bit) Virtual hardware requirements Virtual Hardware Family 0 vmx-15 hertz * 10^6 Number of Virtual CPUs 2 virtual CPU(s) 1 3 2 byte * 2^20 Memory Size 8192MB of memory 2 4 8192 0 NVMe Controller NVMe Controller 1 4 vmware.nvme.controller 20 0 Hard Disk 1 ovf:/disk/vmdisk1 6 4 17 0 true VM Network Network adapter 1 9 VmxNet3 10 ================================================ FILE: variants/shared/template-unified.ovf 
================================================ List of the virtual disks The list of logical networks The network A Virtual machine The operating system installed Other 4.x or later Linux (64-bit) Virtual hardware requirements Virtual Hardware Family 0 vmx-15 hertz * 10^6 Number of Virtual CPUs 2 virtual CPU(s) 1 3 2 byte * 2^20 Memory Size 8192MB of memory 2 4 8192 0 NVMe Controller NVMe Controller 1 4 vmware.nvme.controller 20 0 Hard Disk 1 ovf:/disk/vmdisk1 6 4 17 0 true VM Network Network adapter 1 9 VmxNet3 10 ================================================ FILE: variants/variants.rs ================================================ /*! This is an intentionally empty file that all of the variant `Cargo.toml` files can point to as their `lib.rs`. The build system uses `build.rs` to invoke `buildsys` but Cargo needs something to compile so we give it an empty `lib.rs` file. !*/ ================================================ FILE: variants/vmware-dev/Cargo.toml ================================================ [package] name = "vmware-dev" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true xfs-data-partition = true uefi-secure-boot = true systemd-networkd = true erofs-root-partition = true external-kmod-development = false encrypted-storage = true [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", "open-vm-tools", # docker "docker-cli-29", "docker-engine-29", "docker-init", # tools "login", "iputils", "strace", "chrony-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.29/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.29 variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_29" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.1", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.29", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.29-fips/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.29-fips variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_29-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true fips = true [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.1", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.29", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.30/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.30 variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_30" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.1", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.30", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.30-fips/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.30-fips variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_30-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true fips = true [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.1", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.30", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.31/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.31 variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_31" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.1", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.31", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.31-fips/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.31-fips variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_31-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true fips = true [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.1", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.31", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.32/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.32 variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_32" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.1", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.32", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.32-fips/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.32-fips variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_32-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true fips = true [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.1", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.32", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.33/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.33 variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_33" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true external-kmod-development = false [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.12", "containerd-2.1", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.33", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.33-fips/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.33-fips variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_33-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true fips = true external-kmod-development = false [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.1", "containerd-2.1", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.33", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.34/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.34 variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_34" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true external-kmod-development = false [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.34", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.34-fips/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.34-fips variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_34-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true fips = true external-kmod-development = false [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.34", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.35/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.35 variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_35" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true external-kmod-development = false [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release-swap", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.35", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" } ================================================ FILE: variants/vmware-k8s-1.35-fips/Cargo.toml ================================================ [package] # This is the vmware-k8s-1.35-fips variant. "." is not allowed in crate names, but # we don't use this crate name anywhere. name = "vmware-k8s-1_35-fips" version = "0.1.0" edition = "2021" publish = false build = "../build.rs" # Don't rebuild crate just because of changes to README. 
exclude = ["README.md"] [package.metadata.build-variant.image-layout] partition-plan = "unified" [package.metadata.build-variant.image-features] grub-set-private-var = true uefi-secure-boot = true xfs-data-partition = true erofs-root-partition = true systemd-networkd = true fips = true external-kmod-development = false [package.metadata.build-variant] image-format = "vmdk" supported-arches = ["x86_64"] kernel-parameters = [ "console=tty1", # Only reserve if there are at least 2GB "crashkernel=2G-:256M", "net.ifnames=0", "netdog.default-interface=eth0:dhcp4,dhcp6?", "quiet", ] included-packages = [ # core "release-swap", "kernel-6.12", "containerd-2.1", "systemd-257", "nftables", "whippet", # k8s "cni", "cni-plugins", "kubelet-1.35", "soci-snapshotter", # vmware "open-vm-tools", ] [lib] path = "../variants.rs" [build-dependencies] settings-defaults = { path = "../../packages/settings-defaults" } settings-plugins = { path = "../../packages/settings-plugins" } settings-migrations = { path = "../../packages/settings-migrations" }