Kernels 2024 04 02 #3865

Merged
merged 3 commits into from
Apr 5, 2024

@larvacea larvacea commented Apr 3, 2024

Description of changes:

Update kernels to latest AL kernels available in the repositories.

  • 5.10.213-201.855.amzn2
  • 5.15.152-100.162.amzn2
  • 6.1.82-99.168.amzn2023

Testing done:

Validate basic functionality through sonobuoy quick test:

> kubectl get nodes -o wide
NAME                                           STATUS   ROLES    AGE     VERSION                INTERNAL-IP      EXTERNAL-IP      OS-IMAGE                                KERNEL-VERSION   CONTAINER-RUNTIME
ip-192-168-34-176.us-west-2.compute.internal   Ready    <none>   4m55s   v1.26.14-eks-b063426   192.168.34.176   34.217.144.177   Bottlerocket OS 1.20.0 (aws-k8s-1.26)   5.15.152         containerd://1.6.30+bottlerocket
ip-192-168-37-19.us-west-2.compute.internal    Ready    <none>   96s     v1.28.7-eks-c5c5da4    192.168.37.19    35.85.222.82     Bottlerocket OS 1.20.0 (aws-k8s-1.28)   6.1.82           containerd://1.6.30+bottlerocket
ip-192-168-76-173.us-west-2.compute.internal   Ready    <none>   7m53s   v1.23.17-eks-ea94ec3   192.168.76.173   35.86.240.231    Bottlerocket OS 1.20.0 (aws-k8s-1.23)   5.10.213         containerd://1.6.30+bottlerocket

> sonobuoy run --mode=quick --wait
[...]

Changes to the configs as reported by tools/diff-kernel-config:

config-aarch64-aws-k8s-1.23-diff:         2 removed,   0 added,   0 changed
config-aarch64-aws-k8s-1.26-diff:         2 removed,   0 added,   0 changed
config-aarch64-aws-k8s-1.28-diff:         3 removed,   1 added,   0 changed
config-x86_64-aws-k8s-1.23-diff:          2 removed,   0 added,   0 changed
config-x86_64-aws-k8s-1.26-diff:          2 removed,   0 added,   0 changed
config-x86_64-aws-k8s-1.28-diff:          3 removed,   3 added,   0 changed
config-x86_64-metal-k8s-1.26-diff:        2 removed,   0 added,   0 changed
config-x86_64-metal-k8s-1.28-diff:        3 removed,   3 added,   0 changed
config-x86_64-vmware-k8s-1.26-diff:       2 removed,   0 added,   0 changed
config-x86_64-vmware-k8s-1.28-diff:       3 removed,   3 added,   0 changed

Summary:

  • All kernels: remove network scheduling "Class Based Queuing" and "Differentiated Services Marker," formerly loadable kmods.
  • 6.1: Add mitigation for Intel Atom® vulnerability where kernel data could be visible in register files (floating-point, vector, or integer).
  • 6.1: Support EFI Handover Protocol.
  • 6.1: Turn off NFS v2 support (for nfsd). NFS v2 was 32-bit-only. NFS v3 was introduced in 1995.

Patches:

  • All kernels: Update ENA driver to 2.12.0g
  • 5.10, 5.15: Dropped SMB client patch accepted upstream (out of bounds access)

Terms of contribution

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

Rebase to Amazon Linux upstream version 5.10.213-201.855.amzn2.

Signed-off-by: Martin Harriman <larvacea@mac.com>

Rebase to Amazon Linux upstream version 5.15.152-100.162.amzn2.

Signed-off-by: Martin Harriman <larvacea@mac.com>

Rebase to Amazon Linux upstream version 6.1.82-99.168.amzn2023.

Signed-off-by: Martin Harriman <larvacea@mac.com>

bcressey commented Apr 3, 2024

> 6.1: Turn off NFS v2 support (for nfsd). NFS v2 was 32-bit-only. NFS v3 was introduced in 1995.

This should have already been turned off via `# CONFIG_NFS_V2 is not set` in config-bottlerocket. Can you post the full config diff?


larvacea commented Apr 4, 2024

Here's what the diff has to say:

configs_kernels-2024-04-02-a/config-x86_64-aws-k8s-1.28-after:# CONFIG_NFSD_V2 is not set
configs_kernels-2024-04-02-a/config-x86_64-aws-k8s-1.28-before:CONFIG_NFSD_V2_ACL=y
configs_kernels-2024-04-02-a/config-x86_64-aws-k8s-1.28-diff:-NFSD_V2_ACL y
configs_kernels-2024-04-02-a/config-x86_64-aws-k8s-1.28-diff:+NFSD_V2 n

It appears that AL2023 had set CONFIG_NFSD_V2_ACL. That depends on (implies) NFSD_V2. My summary misrepresented the change. A more accurate bullet point:

  • 6.1: Turn off NFS V2 ACL support and NFS V2 support in the NFS daemon.

I remember NFS V2. It was lovely, 40 years ago.
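
How a before/after kernel config comparison yields the `-NFSD_V2_ACL y` and `+NFSD_V2 n` lines quoted in the comment above, as an added example that is not part of this pull request and is not the project's tools/diff-kernel-config script. The function names, the format of the "changed" line and the sample fragments are assumptions; only the two NFSD_V2 config lines come from the thread.

```python
import re

# "CONFIG_FOO=value", or the "# CONFIG_FOO is not set" line kconfig writes
# for a symbol that is visible but disabled.
_SET = re.compile(r"^CONFIG_(\w+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_(\w+) is not set$")


def parse_config(text):
    """Return {symbol: value}; an explicit 'is not set' is recorded as 'n'."""
    symbols = {}
    for line in map(str.strip, text.splitlines()):
        if m := _SET.match(line):
            symbols[m.group(1)] = m.group(2)
        elif m := _UNSET.match(line):
            symbols[m.group(1)] = "n"
    return symbols


def diff_configs(before_text, after_text):
    """Return (lines, counts) for symbols removed, added or changed."""
    before, after = parse_config(before_text), parse_config(after_text)
    lines, counts = [], {"removed": 0, "added": 0, "changed": 0}
    for sym in sorted(before.keys() | after.keys()):
        old, new = before.get(sym), after.get(sym)
        if old == new:
            continue
        if new is None:        # symbol no longer appears in the config at all
            kind, line = "removed", f"-{sym} {old}"
        elif old is None:      # symbol is new, possibly as an explicit 'n'
            kind, line = "added", f"+{sym} {new}"
        else:                  # output format for this case is an assumption
            kind, line = "changed", f" {sym} {old} -> {new}"
        counts[kind] += 1
        lines.append(line)
    return lines, counts


# Constructed fragments; only the two NFSD_V2 lines are taken from the thread.
BEFORE = "CONFIG_NFSD=m\nCONFIG_NFSD_V2_ACL=y\nCONFIG_NFSD_V3_ACL=y\n"
AFTER = "CONFIG_NFSD=m\n# CONFIG_NFSD_V2 is not set\nCONFIG_NFSD_V3_ACL=y\n"

if __name__ == "__main__":
    lines, counts = diff_configs(BEFORE, AFTER)
    print("\n".join(lines), counts, sep="\n")
```

A symbol that vanishes from the file is reported as removed, while one that first appears as "is not set" is reported as added with value `n`, so both lines can describe a feature being turned off.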

@bcressey bcressey merged commit 7622c9f into bottlerocket-os:develop Apr 5, 2024
55 checks passed
@larvacea larvacea deleted the kernels-2024-04-02-a branch April 5, 2024 16:51