Merge pull request #2093 from gthao313/1.7.x

bottlerocket-os · Apr 22, 2022 · 28782dc · 28782dc
2 parents 5025d72 + e3f9502
commit 28782dc
Show file tree

Hide file tree

Showing 15 changed files with 175 additions and 41 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,20 @@
+# v1.7.2 (2022-04-22)
+
+## Security Fixes
+
+* Update kernel-5.4 to patch CVE-2022-1015, CVE-2022-1016, CVE-2022-25636, CVE-2022-26490, CVE-2022-27666, CVE-2022-28356 ([a3b4674f7108][a3b4674f7108])
+* Update kernel-5.10 to patch CVE-2022-1015, CVE-2022-1016, CVE-2022-25636, CVE-2022-1048, CVE-2022-26490, CVE-2022-27666, CVE-2022-28356 ([37095415bab6][37095415bab6])
+
+## OS Changes
+
+* Update eni-max-pods with new instance types ([#2079])
+* Add support for AWS region ap-southeast-3: Jakarta ([#2080])
+
+[a3b4674f7108]: https://github.com/bottlerocket-os/bottlerocket/commit/a3b4674f7108a7f69f108a011042be2a5b91e563
+[37095415bab6]: https://github.com/bottlerocket-os/bottlerocket/commit/37095415bab67a24240d95b59c7bf20a112d7ae1
+[#2079]: https://github.com/bottlerocket-os/bottlerocket/pull/2079
+[#2080]: https://github.com/bottlerocket-os/bottlerocket/pull/2080
+
 # v1.7.1 (2022-04-05)
 
 ## Security Fixes

diff --git a/Release.toml b/Release.toml
@@ -1,4 +1,4 @@
-version = "1.7.1"
+version = "1.7.2"
 
 [migrations]
 "(0.3.1, 0.3.2)" = ["migrate_v0.3.2_admin-container-v0-5-0.lz4"]
@@ -113,3 +113,4 @@ version = "1.7.1"
     "migrate_v1.7.0_public-control-container-v0-6-0.lz4",
 ]
 "(1.7.0, 1.7.1)" = []
+"(1.7.1, 1.7.2)" = []
diff --git a/packages/kernel-5.10/Cargo.toml b/packages/kernel-5.10/Cargo.toml
@@ -13,8 +13,8 @@ path = "pkg.rs"
 
 [[package.metadata.build-package.external-files]]
 # Use latest-srpm-url.sh to get this.
-url = "https://cdn.amazonlinux.com/blobstore/abd0b3e08ff7d32abb916b2664e8de68bd7d16dbbfdcfe8e574d832aa19a3b1e/kernel-5.10.102-99.473.amzn2.src.rpm"
-sha512 = "ed17395fed0480d87e59f80899953641169fae7ef2f34eb74bad66ff92b2eec5c72dbff4a08af49de516cde8fe96218a102857e048073dd6d48fb73be4ef19e0"
+url = "https://cdn.amazonlinux.com/blobstore/3479900579a0dbe61cbe7e6d76620774513369246def8bae42ec791865d68df9/kernel-5.10.109-104.500.amzn2.src.rpm"
+sha512 = "66c840eee5333bb77f8661b14ec07b33ea7b6d9db82c89370c8109c0a315c6ad532364d0c879efd45fff0bfe3855876bbf53b11b5107b0dc55f9d2ac1a59cc6d"
 
 [build-dependencies]
 microcode = { path = "../microcode" }
diff --git a/packages/kernel-5.10/kernel-5.10.spec b/packages/kernel-5.10/kernel-5.10.spec
@@ -1,13 +1,13 @@
 %global debug_package %{nil}
 
 Name: %{_cross_os}kernel-5.10
-Version: 5.10.102
+Version: 5.10.109
 Release: 1%{?dist}
 Summary: The Linux kernel
 License: GPL-2.0 WITH Linux-syscall-note
 URL: https://www.kernel.org/
 # Use latest-srpm-url.sh to get this.
-Source0: https://cdn.amazonlinux.com/blobstore/abd0b3e08ff7d32abb916b2664e8de68bd7d16dbbfdcfe8e574d832aa19a3b1e/kernel-5.10.102-99.473.amzn2.src.rpm
+Source0: https://cdn.amazonlinux.com/blobstore/3479900579a0dbe61cbe7e6d76620774513369246def8bae42ec791865d68df9/kernel-5.10.109-104.500.amzn2.src.rpm
 Source100: config-bottlerocket
 
 # Help out-of-tree module builds run `make prepare` automatically.

diff --git a/packages/kernel-5.4/Cargo.toml b/packages/kernel-5.4/Cargo.toml
@@ -13,8 +13,8 @@ path = "pkg.rs"
 
 [[package.metadata.build-package.external-files]]
 # Use latest-srpm-url.sh to get this.
-url = "https://cdn.amazonlinux.com/blobstore/d8a7e800750161a038954b2685ca8c5fb0a0dac22057530c4c0233d60f06c2d3/kernel-5.4.181-99.354.amzn2.src.rpm"
-sha512 = "39903e5164ea966b62ddfa70ffd9a73ba50af363cf87d20011ad8d2f1e471857b79503da75770a1e812058c9cd2a17a88000e6e9a4c44580d3c4210144aa3993"
+url = "https://cdn.amazonlinux.com/blobstore/a120999c2cd538adae1c97c87e6d60f3bcf6f761064204638a5647e06aea1aad/kernel-5.4.188-104.359.amzn2.src.rpm"
+sha512 = "ebb6f8460ddfccc50e89b499563dfa64f1c3228e9fe3cabd20ec1561ca8bf3764a50853b35085742dde3a219ad9314033d8c12cbc2d615f463aab0e062d9a229"
 
 [build-dependencies]
 microcode = { path = "../microcode" }
diff --git a/packages/kernel-5.4/kernel-5.4.spec b/packages/kernel-5.4/kernel-5.4.spec
@@ -1,13 +1,13 @@
 %global debug_package %{nil}
 
 Name: %{_cross_os}kernel-5.4
-Version: 5.4.181
+Version: 5.4.188
 Release: 1%{?dist}
 Summary: The Linux kernel
 License: GPL-2.0 WITH Linux-syscall-note
 URL: https://www.kernel.org/
 # Use latest-srpm-url.sh to get this.
-Source0: https://cdn.amazonlinux.com/blobstore/d8a7e800750161a038954b2685ca8c5fb0a0dac22057530c4c0233d60f06c2d3/kernel-5.4.181-99.354.amzn2.src.rpm
+Source0: https://cdn.amazonlinux.com/blobstore/a120999c2cd538adae1c97c87e6d60f3bcf6f761064204638a5647e06aea1aad/kernel-5.4.188-104.359.amzn2.src.rpm
 Source100: config-bottlerocket
 
 # Help out-of-tree module builds run `make prepare` automatically.

diff --git a/packages/os/eni-max-pods b/packages/os/eni-max-pods
@@ -11,7 +11,26 @@
 # express or implied. See the License for the specific language governing
 # permissions and limitations under the License.
 #
-# This file was generated at 2021-08-31T18:22:52Z
+# This file was generated at 2022-02-15T18:47:49Z
+#
+# The regions queried were:
+# - ap-northeast-1
+# - ap-northeast-2
+# - ap-northeast-3
+# - ap-south-1
+# - ap-southeast-1
+# - ap-southeast-2
+# - ca-central-1
+# - eu-central-1
+# - eu-north-1
+# - eu-west-1
+# - eu-west-2
+# - eu-west-3
+# - sa-east-1
+# - us-east-1
+# - us-east-2
+# - us-west-1
+# - us-west-2
 #
 # Mapping is calculated from AWS EC2 API using the following formula:
 # * First IP on each ENI is not used for pods
@@ -82,6 +101,16 @@ c5n.9xlarge 234
 c5n.large 29
 c5n.metal 737
 c5n.xlarge 58
+c6a.12xlarge 234
+c6a.16xlarge 737
+c6a.24xlarge 737
+c6a.2xlarge 58
+c6a.32xlarge 737
+c6a.48xlarge 737
+c6a.4xlarge 234
+c6a.8xlarge 234
+c6a.large 29
+c6a.xlarge 58
 c6g.12xlarge 234
 c6g.16xlarge 737
 c6g.2xlarge 58
@@ -108,6 +137,16 @@ c6gn.8xlarge 234
 c6gn.large 29
 c6gn.medium 8
 c6gn.xlarge 58
+c6i.12xlarge 234
+c6i.16xlarge 737
+c6i.24xlarge 737
+c6i.2xlarge 58
+c6i.32xlarge 737
+c6i.4xlarge 234
+c6i.8xlarge 234
+c6i.large 29
+c6i.metal 737
+c6i.xlarge 58
 cc2.8xlarge 234
 cr1.8xlarge 234
 d2.2xlarge 58
@@ -124,6 +163,7 @@ d3en.4xlarge 38
 d3en.6xlarge 58
 d3en.8xlarge 78
 d3en.xlarge 10
+dl1.24xlarge 737
 f1.16xlarge 394
 f1.2xlarge 58
 f1.4xlarge 234
@@ -145,10 +185,25 @@ g4dn.4xlarge 29
 g4dn.8xlarge 58
 g4dn.metal 737
 g4dn.xlarge 29
+g5.12xlarge 737
+g5.16xlarge 234
+g5.24xlarge 737
+g5.2xlarge 58
+g5.48xlarge 737
+g5.4xlarge 234
+g5.8xlarge 234
+g5.xlarge 58
+g5g.16xlarge 737
+g5g.2xlarge 58
+g5g.4xlarge 234
+g5g.8xlarge 234
+g5g.metal 737
+g5g.xlarge 58
 h1.16xlarge 737
 h1.2xlarge 58
 h1.4xlarge 234
 h1.8xlarge 234
+hpc6a.48xlarge 100
 hs1.8xlarge 234
 i2.2xlarge 58
 i2.4xlarge 234
@@ -169,10 +224,22 @@ i3en.6xlarge 234
 i3en.large 29
 i3en.metal 737
 i3en.xlarge 58
+im4gn.16xlarge 737
+im4gn.2xlarge 58
+im4gn.4xlarge 234
+im4gn.8xlarge 234
+im4gn.large 29
+im4gn.xlarge 58
 inf1.24xlarge 321
 inf1.2xlarge 38
 inf1.6xlarge 234
 inf1.xlarge 38
+is4gen.2xlarge 58
+is4gen.4xlarge 234
+is4gen.8xlarge 234
+is4gen.large 29
+is4gen.medium 8
+is4gen.xlarge 58
 m1.large 29
 m1.medium 12
 m1.small 8
@@ -249,6 +316,16 @@ m5zn.6xlarge 234
 m5zn.large 29
 m5zn.metal 737
 m5zn.xlarge 58
+m6a.12xlarge 234
+m6a.16xlarge 737
+m6a.24xlarge 737
+m6a.2xlarge 58
+m6a.32xlarge 737
+m6a.48xlarge 737
+m6a.4xlarge 234
+m6a.8xlarge 234
+m6a.large 29
+m6a.xlarge 58
 m6g.12xlarge 234
 m6g.16xlarge 737
 m6g.2xlarge 58
@@ -275,6 +352,7 @@ m6i.32xlarge 737
 m6i.4xlarge 234
 m6i.8xlarge 234
 m6i.large 29
+m6i.metal 737
 m6i.xlarge 58
 mac1.metal 234
 p2.16xlarge 234
@@ -375,6 +453,16 @@ r6gd.large 29
 r6gd.medium 8
 r6gd.metal 737
 r6gd.xlarge 58
+r6i.12xlarge 234
+r6i.16xlarge 737
+r6i.24xlarge 737
+r6i.2xlarge 58
+r6i.32xlarge 737
+r6i.4xlarge 234
+r6i.8xlarge 234
+r6i.large 29
+r6i.metal 737
+r6i.xlarge 58
 t1.micro 4
 t2.2xlarge 44
 t2.large 35
@@ -408,11 +496,15 @@ u-12tb1.112xlarge 737
 u-12tb1.metal 147
 u-18tb1.metal 737
 u-24tb1.metal 737
+u-3tb1.56xlarge 234
 u-6tb1.112xlarge 737
 u-6tb1.56xlarge 737
 u-6tb1.metal 147
 u-9tb1.112xlarge 737
 u-9tb1.metal 147
+vt1.24xlarge 737
+vt1.3xlarge 58
+vt1.6xlarge 234
 x1.16xlarge 234
 x1.32xlarge 234
 x1e.16xlarge 234
@@ -430,6 +522,12 @@ x2gd.large 29
 x2gd.medium 8
 x2gd.metal 737
 x2gd.xlarge 58
+x2iezn.12xlarge 737
+x2iezn.2xlarge 58
+x2iezn.4xlarge 234
+x2iezn.6xlarge 234
+x2iezn.8xlarge 234
+x2iezn.metal 737
 z1d.12xlarge 737
 z1d.2xlarge 58
 z1d.3xlarge 234

diff --git a/sources/Cargo.lock b/sources/Cargo.lock
diff --git a/sources/Cargo.toml b/sources/Cargo.toml
@@ -91,3 +91,11 @@ debug = true
 # webpki-roots-shim/Cargo.toml for more information about using the right version number.
 [patch.crates-io.webpki-roots]
 path = "webpki-roots-shim"
+
+# This patches rusoto with an upstream commit to support ap-southeast-3
+[patch.crates-io]
+rusoto_cloudformation = { git = "https://github.com/rusoto/rusoto", rev = "37bac105a0c16d2259f8390c1aeef068db713911" }
+rusoto_core = { git = "https://github.com/rusoto/rusoto", rev = "37bac105a0c16d2259f8390c1aeef068db713911" }
+rusoto_credential = { git = "https://github.com/rusoto/rusoto", rev = "37bac105a0c16d2259f8390c1aeef068db713911" }
+rusoto_eks = { git = "https://github.com/rusoto/rusoto", rev = "37bac105a0c16d2259f8390c1aeef068db713911" }
+rusoto_signature = { git = "https://github.com/rusoto/rusoto", rev = "37bac105a0c16d2259f8390c1aeef068db713911" }
diff --git a/sources/api/schnauzer/src/helpers.rs b/sources/api/schnauzer/src/helpers.rs
@@ -26,6 +26,7 @@ lazy_static! {
         m.insert("ap-south-1", "328549459982");
         m.insert("ap-southeast-1", "328549459982");
         m.insert("ap-southeast-2", "328549459982");
+        m.insert("ap-southeast-3", "386774335080");
         m.insert("ca-central-1", "328549459982");
         m.insert("eu-central-1", "328549459982");
         m.insert("eu-north-1", "328549459982");
@@ -63,6 +64,7 @@ lazy_static! {
         m.insert("ap-south-1", "602401143452");
         m.insert("ap-southeast-1", "602401143452");
         m.insert("ap-southeast-2", "602401143452");
+        m.insert("ap-southeast-3", "296578399912");
         m.insert("ca-central-1", "602401143452");
         m.insert("cn-north-1", "918309763551");
         m.insert("cn-northwest-1", "961992271922");

diff --git a/sources/deny.toml b/sources/deny.toml
@@ -82,3 +82,8 @@ skip-tree = [
 # Deny crates from unknown registries or git repositories.
 unknown-registry = "deny"
 unknown-git = "deny"
+
+allow-git = [
+    # rusoto is patched with an upstream commit to support ap-southeast-3
+    "https://github.com/rusoto/rusoto.git",
+]
diff --git a/sources/models/shared-defaults/kubernetes-aws.toml b/sources/models/shared-defaults/kubernetes-aws.toml
@@ -13,7 +13,7 @@ affected-services = ["kubernetes"]
 
 [metadata.settings.kubernetes.pod-infra-container-image]
 setting-generator = "schnauzer settings.kubernetes.pod-infra-container-image"
-template = "{{ pause-prefix settings.aws.region }}/eks/pause-{{ goarch os.arch }}:3.1"
+template = "{{ pause-prefix settings.aws.region }}/eks/pause:3.1-eksbuild.1"
 affected-services = ["kubernetes", "containerd"]
 
 [settings.metrics]