3p packages update 1.15.0 #3362

vyaghras · 2023-08-24T06:03:58Z

Issue number:

Description of changes:

packages: update xfsprogs to 6.4.0
packages: update util-linux to 2.39.2
packages: update strace to 6.4
packages:update runc to 1.1.8
packages: update pigz to 2.8
packages: update open-vm-tools to  12.2.5
packages: update nvidia-k8s-device-plugin to 0.14.1
packages: update nvidia-container-toolkit to 1.13.5
packages: update libz to 1.3
packages: update libxcrypt to 4.4.36
packages: update libnvidia-container to 1.13.5
packages: update libnftnl to 1.2.6
packages: update liblzma to 5.4.4
packages: update libinih to 57
packages: update libglib to 2.77.0
packages: update libdbus to 1.15.6
packages: update libcap to 2.69
packages: update libaudit to 3.1.2
packages: update iproute to 6.4.0
packages: update ethtool to 6.4
packages: update ecs-agent to 1.75.0
packages: update containerd to 1.6.23
packages: update chrony to 4.4
packages: update cni-plugins to 1.3.0
packages: update ca-certificates to 2023-08-22
packages: update aws-iam-authenticator to 0.6.11 
packages: update amazon-ssm-agent to 3.2.1478.0

Regenerated ecs-agent patches that no longer cleanly apply.

Updates all third party packages except for the following:

binutils 2.38 -> 2.40 - bottlerocket-sdk has to move to 2.40 first.
docker related packages(docker-cli, docker-engine) 20.12.21 -> 20.12.23 - To sync with ECS-optimized AMI packaged docker version listed in its version table.
wicked 0.6.68 -> 0.6.70 - See update wicked to 0.6.70+ #2591

Testing done:

aws-k8s-1.24 x86_64

Every 2.0s: testsys --kubeconfig /home/ec2-user/bottlerocket/testsys.kubeconfig status                                                                 Fri Aug 25 22:12:49 2023

 NAME                               TYPE               STATE                     PASSED          FAILED          SKIPPED   BUILD ID                LAST UPDATE
 x86-64-aws-k8s-124-quick           Test               passed                         1               0             6972   2a501be5-dirty          2023-08-25T22:11:14Z
 x86-64-aws-k8s-124                 Resource           completed                                                           2a501be5-dirty          2023-08-25T22:06:05Z

aws-k8s-1.24 aarch64

NAME                                TYPE              STATE                     PASSED          FAILED          SKIPPED   BUILD ID                LAST UPDATE
 aarch64-aws-k8s-124-quick           Test              passed                         1               0             6972   9767282d-dirty          2023-08-27T21:32:41Z
 aarch64-aws-k8s-124                 Resource          completed                                                           9767282d-dirty          2023-08-27T21:31:08Z

aws-k8s-1.24-nvidia x86_64

NAME                                      TYPE              STATE                     PASSED          FAILED          SKIPPED   BUILD ID          LAST UPDATE
 x86-64-aws-k8s-124-nvidia-quick           Test              passed                         1               0             6972   9767282d          2023-08-26T17:05:04Z
 x86-64-aws-k8s-124-nvidia                 Resource          completed                                                           9767282d          2023-08-26T17:03:00Z

aws-k8s-1.24-nvidia aarch64

NAME                                      TYPE              STATE                   PASSED         FAILED         SKIPPED   BUILD ID               LAST UPDATE
 aarch64-aws-k8s-124-nvidia-quick          Test              passed                       1              0            6972   9767282d-dirty         2023-08-27T22:44:43Z
 aarch64-aws-k8s-124-nvidia                Resource          completed                                                       9767282d-dirty         2023-08-27T22:42:35Z

aws-k8s-1.27 x86_64

Every 2.0s: testsys --kubeconfig /home/ec2-user/bottlerocket/testsys.kubeconfig status                                                                 Fri Aug 25 23:28:12 2023

 NAME                               TYPE               STATE                       PASSED           FAILED           SKIPPED   BUILD ID           LAST UPDATE
 x86-64-aws-k8s-127-quick           Test               passed                           5                0              7206   9767282d           2023-08-25T23:25:52Z
 x86-64-aws-k8s-127                 Resource           completed                                                               9767282d           2023-08-25T23:24:16Z

aws-k8s-1.27 aarch64

NAME                                TYPE              STATE                     PASSED          FAILED          SKIPPED   BUILD ID                LAST UPDATE
 aarch64-aws-k8s-127-quick           Test              passed                         5               0             7206   9767282d-dirty          2023-08-27T22:08:13Z
 aarch64-aws-k8s-127                 Resource          completed                                                           9767282d-dirty          2023-08-27T22:06:44Z

aws-k8s-1.27-nvidia x86_64

Every 2.0s: testsys --kubeconfig /home/ec2-user/bottlerocket/testsys.kubeconfig status                                                                 Sat Aug 26 00:09:02 2023

 NAME                                      TYPE              STATE                     PASSED          FAILED          SKIPPED   BUILD ID          LAST UPDATE
 x86-64-aws-k8s-127-nvidia-quick           Test              passed                         5               0             7206   9767282d          2023-08-26T00:07:23Z
 x86-64-aws-k8s-127-nvidia                 Resource          completed                                                           9767282d          2023-08-26T00:05:19Z

aws-k8s-1.27-nvidia aarch64

 NAME                                      TYPE              STATE                   PASSED         FAILED         SKIPPED   BUILD ID               LAST UPDATE
 aarch64-aws-k8s-127-nvidia-quick          Test              passed                       5              0            7206   9767282d-dirty         2023-08-27T23:16:35Z
 aarch64-aws-k8s-127-nvidia                Resource          completed                                                       9767282d-dirty         2023-08-27T23:14:26Z

aws-ecs-1 - Also MACIS tests passes

NAME                              TYPE            STATE                     PASSED           FAILED           SKIPPED   BUILD ID                 LAST UPDATE
 x86-64-aws-ecs-1-quick            Test            passed                         1                0                 0   9767282d-dirty           2023-08-27T23:31:25Z

aws-ecs-1-nvidia

NAME                                   TYPE              STATE                     PASSED          FAILED         SKIPPED   BUILD ID               LAST UPDATE
 x86-64-aws-ecs-1-nvidia-quick          Test              passed                         1               0               0   9767282d-dirty         2023-08-27T23:47:15Z
 x86-64-aws-ecs-1-nvidia                Resource          completed                                                          9767282d-dirty         2023-08-27T23:46:36Z

aws-ecs-2

NAME                              TYPE            STATE                     PASSED           FAILED           SKIPPED   BUILD ID                 LAST UPDATE
 x86-64-aws-ecs-2-quick            Test            passed                         1                0                 0   9767282d-dirty           2023-08-27T23:59:20Z

aws-ecs-2-nvidia
vmware-k8s-1.24,

$ kubectl --kubeconfig br-eksa-124-eks-a-cluster.kubeconfig get nodes -o wide
NAME                                     STATUS   ROLES           AGE     VERSION                INTERNAL-IP      EXTERNAL-IP      OS-IMAGE                                   KERNEL-VERSION   CONTAINER-RUNTIME
br-eksa-124-md-0-66869c5b6x4scxd-92r7m   Ready    <none>          4m26s   v1.24.16-eks-a483404   198.19.0.126     198.19.0.126     Bottlerocket OS 1.15.0 (vmware-k8s-1.24)   5.15.122         containerd://1.6.23+bottlerocket
br-eksa-124-md-0-66869c5b6x4scxd-wsjnw   Ready    <none>          4m28s   v1.24.16-eks-a483404   198.19.0.62      198.19.0.62      Bottlerocket OS 1.15.0 (vmware-k8s-1.24)   5.15.122         containerd://1.6.23+bottlerocket
br-eksa-124-xnpdw                        Ready    control-plane   6m10s   v1.24.16-eks-a483404   198.19.134.175   198.19.134.175   Bottlerocket OS 1.15.0 (vmware-k8s-1.24)   5.15.122         containerd://1.6.23+bottlerocket
br-eksa-124-zbcjv                        Ready    control-plane   4m40s   v1.24.16-eks-a483404   198.19.16.153    198.19.16.153    Bottlerocket OS 1.15.0 (vmware-k8s-1.24)   5.15.122         containerd://1.6.23+bottlerocket

metal-k8s-1.27,

br@br-admin:~/1.14.3-release/baremetal/eksa-colo/br-127$ kubectl --kubeconfig br-127-eks-a-cluster.kubeconfig get nodes -o wide
NAME                                STATUS   ROLES           AGE     VERSION               INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                                  KERNEL-VERSION   CONTAINER-RUNTIME
br-127-h76ff                        Ready    control-plane   10m     v1.27.4-eks-cedffd4   10.80.50.24   <none>        Bottlerocket OS 1.15.0 (metal-k8s-1.27)   5.15.122         containerd://1.6.23+bottlerocket
br-127-md-0-c6486db87xlw4cp-2pm9g   Ready    <none>          2m50s   v1.27.4-eks-cedffd4   10.80.50.27   <none>        Bottlerocket OS 1.15.0 (metal-k8s-1.27)   5.15.122         containerd://1.6.23+bottlerocket
br-127-md-0-c6486db87xlw4cp-jvnxv   Ready    <none>          2m53s   v1.27.4-eks-cedffd4   10.80.50.22   <none>        Bottlerocket OS 1.15.0 (metal-k8s-1.27)   5.15.122         containerd://1.6.23+bottlerocket
br@br-admin:~/1.14.3-release/baremetal/eksa-colo/br-127$ sonobuoy --kubeconfig br-127-eks-a-cluster.kubeconfig run --mode=quick --plugin=e2e --wait
...
...
18:17:58       e2e   global   complete   passed   Passed:  1, Failed:  0, Remaining:  0

Testing ecs variants for the configuration changes done using config files instead of doing using patch

Third party patch change
bash-5.1# ls /usr/share/licenses/ecs-agent/
LICENSE                         NOTICE           vendor
LICENSE.amazon-ecs-cni-plugins  THIRD_PARTY.md
LICENSE.amazon-vpc-cni-plugins  attribution.txt

On develop
bash-5.1# ls /usr/share/licenses/ecs-agent/
LICENSE                         LICENSE.amazon-vpc-cni-plugins  THIRD-PARTY      vendor
LICENSE.amazon-ecs-cni-plugins  NOTICE                          attribution.txt


/etc/ecs/ecs.config.json
Third party patch change
bash-5.1# cat /etc/ecs/ecs.config.json
{"Cluster":"bottlerocket-ecs","InstanceAttributes":{"bottlerocket.variant":"aws-ecs-1"},"PrivilegedDisabled":true,"AvailableLoggingDrivers":["json-file","awslogs","none"],"WarmPoolsSupport":false,"ImagePullBehavior":0,"TaskIAMRoleEnabled":true,"TaskIAMRoleEnabledForNetworkHost":true,"SELinuxCapable":true,"OverrideAWSLogsExecutionRole":true,"TaskENIEnabled":true,"GPUSupportEnabled":false,"ImageCleanupDisabled":false,"CNIPluginsPath":"/usr/libexec/amazon-ecs-agent","CredentialsAuditLogFile":"/var/log/ecs/audit.log","RuntimeStatsLogFile":"/var/log/ecs/agent-runtime-stats.log"}bash-5.1#

Develop
bash-5.1# cat /etc/ecs/ecs.config.json
{"Cluster":"bottlerocket-ecs","InstanceAttributes":{"bottlerocket.variant":"aws-ecs-1"},"PrivilegedDisabled":true,"AvailableLoggingDrivers":["json-file","awslogs","none"],"WarmPoolsSupport":false,"ImagePullBehavior":0,"TaskIAMRoleEnabled":true,"TaskIAMRoleEnabledForNetworkHost":true,"SELinuxCapable":true,"OverrideAWSLogsExecutionRole":true,"TaskENIEnabled":true,"GPUSupportEnabled":false,"ImageCleanupDisabled":false}bash-5.1#


Develop 
bash-5.1# ls /usr/libexec/amazon-ecs-agent
aws-appmesh  ecs-bridge  ecs-eni  ecs-ipam  managed-agents  vpc-branch-eni

Third party patch change
bash-5.1# ls /usr/libexec/amazon-ecs-agent
aws-appmesh  ecs-bridge  ecs-eni  ecs-ipam  managed-agents  vpc-branch-eni

Develop 
bash-5.1# ls /usr/lib/amazon-ecs-agent/
amazon-ecs-pause.tar

Third party patch change
bash-5.1# ls /usr/lib/amazon-ecs-agent/
amazon-ecs-pause.tar

Third party patch change
bash-5.1# docker exec -it a1bd77837f1c bash
root@ip-172-31-4-216:/# curl http://169.254.170.2/v1/credentials
{"code":"NoIdInRequest","message":"CredentialsV1Request: No Credential ID in the request","HTTPErrorCode":400}root@ip-172-31-4-216:/#
root@ip-172-31-4-216:/#
root@ip-172-31-4-216:/#
root@ip-172-31-4-216:/# exit
exit
bash-5.1# ls /var/log/ecs
audit.log      ecs-agent.log.2023-08-24-19  ecs-cni-bridge-plugin.log  exec
ecs-agent.log  ecs-agent.log.2023-08-24-20  ecs-cni-eni-plugin.log
bash-5.1# cat /var/log/ecs/audit.log
2023-08-24T21:38:04Z 400 169.254.172.2:45808 "/v1/credentials" "curl/7.88.1" -
bash-5.1#  cat /var/log/ecs/audit.log

Develop
docker exec -it b69c1b7da909  bash
root@ip-172-31-6-77:/# curl $ECS_CONTAINER_METADATA_URI_V2
curl: try 'curl --help' or 'curl --manual' for more information
root@ip-172-31-6-77:/# curl $ECS_CONTAINER_METADATA_URI_V4/credentials
404 page not found
root@ip-172-31-6-77:/# echo  $ECS_CONTAINER_METADATA_URI_V4
http://169.254.170.2/v4/e78c9d20-3596-47bc-bec6-9898978d9628
root@ip-172-31-6-77:/# http://169.254.170.2/v1/e78c9d20-3596-47bc-bec6-9898978d9628
bash: http://169.254.170.2/v1/e78c9d20-3596-47bc-bec6-9898978d9628: No such file or directory
root@ip-172-31-6-77:/# curl http://169.254.170.2/v1/e78c9d20-3596-47bc-bec6-9898978d9628
404 page not found
root@ip-172-31-6-77:/# curl http://169.254.170.2/v1/credentials
{"code":"NoIdInRequest","message":"CredentialsV1Request: No Credential ID in the request","HTTPErrorCode":400}root@ip-172-31-6-77:/#
root@ip-172-31-6-77:/#
root@ip-172-31-6-77:/# exit
exit
bash-5.1# ls /var/log/ecs/
audit.log      ecs-agent.log.2023-08-24-20  ecs-cni-eni-plugin.log
ecs-agent.log  ecs-cni-bridge-plugin.log    exec
bash-5.1#  cat /var/log/ecs/audit.log
2023-08-24T21:37:12Z 400 169.254.172.2:40972 "/v1/credentials" "curl/7.88.1" -


Third party patch change
ls /usr/share/licenses/ecs-agent/
LICENSE                         LICENSE.amazon-vpc-cni-plugins  THIRD_PARTY.md   vendor
LICENSE.amazon-ecs-cni-plugins  NOTICE  

Develop 
ls /usr/share/licenses/ecs-agent/
LICENSE                         LICENSE.amazon-vpc-cni-plugins  THIRD-PARTY      vendor
LICENSE.amazon-ecs-cni-plugins  NOTICE                          attribution.txt

xfsprogs update and util-linux update
With 10 GB /dev/xvdb
nvme1n1 259:1 0 10G 0 disk
nvme1n1p1 259:16 0 10G 0 part /.bottlerocket/rootfs/local
With 100 GB /dev/xvdb
nvme1n1 259:1 0 100G 0 disk
nvme1n1p1 259:16 0 10G 0 part /var
Runc test
- Ran a cron job to replicate the issues.
- The kubelet memory usage holds at 2626 MB.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

vyaghras · 2023-08-24T20:44:11Z

Following four commands are newly added in 2.39 version of util_linux( https://github.com/util-linux/util-linux/blob/master/Documentation/releases/v2.39-ReleaseNotes). These have been excluded for now:

fadvise - utility to use the posix_fadvise system call
waitpid - utility to wait for arbitrary processes
pipesz - set or examine pipe and FIFO buffer sizes
blkpr - run persistent reservations command on a device

packages/ecs-agent/0001-bottlerocket-default-filesystem-locations.patch

packages/ecs-agent/0002-bottlerocket-remove-unsupported-capabilities.patch

yeazelm · 2023-08-25T22:15:10Z

packages/ecs-agent/ecs-agent.spec

@@ -296,7 +296,7 @@ mv %{vpccni_gorepo}-%{vpccni_gitrev}/vendor go-vendor/%{vpccni_gorepo}
 # ├── LICENSE.amazon-ecs-cni-plugins
 # ├── LICENSE.amazon-vpc-cni-plugins
 # ├── NOTICE
-# ├── THIRD-PARTY
+# ├── THIRD_PARTY.md


I would like to double check that the contents have not changed meaningfully. I don't expect they have, but when paths and extensions change, its worth confirming nothing has changed under us.

This has been validated, the contents are same as earlier.

packages/libz/libz.spec

packages/util-linux/util-linux.spec

sources/api/ecs-settings-applier/src/ecs.rs

stmcginnis

Good to have some answers to Matt's questions yet, but built an aws-k8s-1.27 node and poked around. Everything happy and no errors seen. Ran a sonobuoy quick test which passed. Functionally, everything looks good to me.

packages/ecs-agent/0001-bottlerocket-default-filesystem-locations.patch

packages/cni-plugins/cni-plugins.spec

packages/libglib/Cargo.toml

packages/strace/Cargo.toml

packages/util-linux/util-linux.spec

packages/ecs-agent/0001-bottlerocket-default-filesystem-locations.patch

packages/ecs-agent/Cargo.toml

As iproute2 is backward compatible to kernel

packages/runc/runc.spec

packages/ecs-agent/0001-bottlerocket-default-filesystem-locations.patch

- Update amazon-ecs-cni-plugins dependency - Update amazon-vpc-cni-plugins dependency - Fix patches that was not applicable - Remove defaultCredentialsAuditLogFile, defaultRuntimeStatsLogFile defaultCredentialsAuditLogFile, defaultRuntimeStatsLogFile settings from 0001-bottlerocket-default-filesystem-locations.patch and do these settings using configuration instead. - Change THIRD-PARTY path form / to ecs-agent/THIRD_PARTY

packages/cni-plugins/cni-plugins.spec

packages/util-linux/util-linux.spec

Remove the excluded *.la files as these files do not exist anymore in version 2.39.2. Also added new added command files fadvise, pipesz, waitpid, blkpr to the excluded files

Exclude cni/bin/*.debug and cni/bin/tap

vyaghras · 2023-08-30T18:43:08Z

Ran quick test for k8s-1.24 and ecs-1 variants again. Test passes.

vyaghras added 2 commits August 24, 2023 05:11

packages: update amazon-ssm-agent to 3.2.1478.0

93da1cb

packages: update aws-iam-authenticator to 0.6.11

6a79bb5

vyaghras marked this pull request as draft August 24, 2023 06:04

vyaghras force-pushed the 3p-packages-update-1.15.0 branch from 105da99 to 2a501be Compare August 25, 2023 17:05

vyaghras marked this pull request as ready for review August 25, 2023 17:05

yeazelm reviewed Aug 25, 2023

View reviewed changes

vyaghras force-pushed the 3p-packages-update-1.15.0 branch 4 times, most recently from 28f013e to 5291c19 Compare August 28, 2023 13:48

yeazelm mentioned this pull request Aug 28, 2023

host-ctr: upgrades Go dependencies #3369

Merged

stmcginnis approved these changes Aug 28, 2023

View reviewed changes

etungsten reviewed Aug 28, 2023

View reviewed changes

packages/ecs-agent/0001-bottlerocket-default-filesystem-locations.patch Show resolved Hide resolved

vyaghras force-pushed the 3p-packages-update-1.15.0 branch 4 times, most recently from 8f861ad to 95a29ae Compare August 29, 2023 13:42

arnaldo2792 reviewed Aug 29, 2023

View reviewed changes

vyaghras added 11 commits August 29, 2023 17:51

packages: update chrony to 4.4

e714e7f

packages: update containerd to 1.6.23

fd1fd35

packages: update ethtool to 6.4

2ec6f1f

packages: update iproute to 6.4.0

02fa6c0

As iproute2 is backward compatible to kernel

packages: update libaudit to 3.1.2

0c2bdea

packages: update libcap to 2.69

b157e7f

packages: update libdbus to 1.15.6

691ff19

packages: update libinih to 57

2c75f05

packages: update liblzma to 5.4.4

855e472

packages: update libnftnl to 1.2.6

74168c4

packages: update libnvidia-container to 1.13.5

e34c7f4

vyaghras added 5 commits August 29, 2023 17:51

packages: update libxcrypt to 4.4.36

f62c33e

packages: update libz to 1.3

dd28a52

packages: update nvidia-container-toolkit to 1.13.5

d04fde9

packages: update nvidia-k8s-device-plugin to 0.14.1

9ea34db

packages: update pigz to 2.8

7d65553

vyaghras force-pushed the 3p-packages-update-1.15.0 branch 2 times, most recently from 95d1bb0 to be9f742 Compare August 29, 2023 22:43

bcressey reviewed Aug 29, 2023

View reviewed changes

packages/runc/runc.spec Outdated Show resolved Hide resolved

packages/ecs-agent/0001-bottlerocket-default-filesystem-locations.patch Show resolved Hide resolved

vyaghras added 6 commits August 29, 2023 23:24

packages: update xfsprogs to 6.4.0

4c0a71c

packages: update ca-certificates to 2023-08-22

176e6f2

packages: update open-vm-tools to 12.2.5

7295f7b

packages: update libglib to 2.77.2

433f833

packages: update strace to 6.4

203a0ca

vyaghras force-pushed the 3p-packages-update-1.15.0 branch from be9f742 to 8d4cd96 Compare August 29, 2023 23:26

yeazelm reviewed Aug 30, 2023

View reviewed changes

packages/cni-plugins/cni-plugins.spec Outdated Show resolved Hide resolved

packages/util-linux/util-linux.spec Show resolved Hide resolved

vyaghras added 3 commits August 30, 2023 14:08

packages: update util-linux to 2.39.2

1589ed4

Remove the excluded *.la files as these files do not exist anymore in version 2.39.2. Also added new added command files fadvise, pipesz, waitpid, blkpr to the excluded files

packages:update runc to 1.1.9

b9dbeb6

packages: update cni-plugins to 1.3.0

1f0e2cc

Exclude cni/bin/*.debug and cni/bin/tap

vyaghras force-pushed the 3p-packages-update-1.15.0 branch from 8d4cd96 to 1f0e2cc Compare August 30, 2023 14:09

bcressey approved these changes Aug 30, 2023

View reviewed changes

yeazelm approved these changes Aug 30, 2023

View reviewed changes

arnaldo2792 approved these changes Aug 30, 2023

View reviewed changes

vyaghras merged commit c9ea4be into bottlerocket-os:develop Aug 30, 2023
42 checks passed

vyaghras deleted the 3p-packages-update-1.15.0 branch August 30, 2023 19:00

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

3p packages update 1.15.0 #3362

3p packages update 1.15.0 #3362

vyaghras commented Aug 24, 2023 •

edited by stmcginnis

Loading

vyaghras commented Aug 24, 2023

yeazelm Aug 25, 2023

vyaghras Aug 30, 2023

stmcginnis left a comment

vyaghras commented Aug 30, 2023

3p packages update 1.15.0 #3362

3p packages update 1.15.0 #3362

Conversation

vyaghras commented Aug 24, 2023 • edited by stmcginnis Loading

vyaghras commented Aug 24, 2023

yeazelm Aug 25, 2023

Choose a reason for hiding this comment

vyaghras Aug 30, 2023

Choose a reason for hiding this comment

stmcginnis left a comment

Choose a reason for hiding this comment

vyaghras commented Aug 30, 2023

vyaghras commented Aug 24, 2023 •

edited by stmcginnis

Loading