bottlerocket-os / bottlerocket

An operating system designed for hosting containers
https://bottlerocket.dev

Update kernels 5.10 and 5.15 #3976

Closed larvacea closed 5 months ago

larvacea commented 5 months ago

Description of changes:

Update kernels to latest AL kernels available in the repositories.

Testing done:

Validate basic functionality through sonobuoy quick test:

> kubectl get nodes -o wide
NAME                                           STATUS   ROLES    AGE     VERSION                INTERNAL-IP      EXTERNAL-IP    OS-IMAGE                                KERNEL-VERSION   CONTAINER-RUNTIME
ip-192-168-13-112.us-east-2.compute.internal   Ready    <none>   115s    v1.26.14-eks-b063426   192.168.13.112   3.17.153.160   Bottlerocket OS 1.21.0 (aws-k8s-1.26)   5.15.158         containerd://1.6.31+bottlerocket
ip-192-168-90-94.us-east-2.compute.internal    Ready    <none>   5m18s   v1.23.17-eks-ea94ec3   192.168.90.94    3.144.42.106   Bottlerocket OS 1.21.0 (aws-k8s-1.23)   5.10.216         containerd://1.6.31+bottlerocket

> sonobuoy run --mode=quick --wait
[...]

Changes to the configs as reported by tools/diff-kernel-config:

==> configs_HEAD/config-aarch64-aws-k8s-1.23-diff <==
+CPU_MITIGATIONS y

==> configs_HEAD/config-aarch64-aws-k8s-1.26-diff <==
+CPU_MITIGATIONS y
+NF_FLOW_TABLE_PROCFS y

==> configs_HEAD/config-x86_64-aws-k8s-1.23-diff <==
-SPECULATION_MITIGATIONS y
+ARCH_CONFIGURES_CPU_MITIGATIONS y
+CPU_MITIGATIONS y
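
Review bot: the removal of `SPECULATION_MITIGATIONS y` on x86_64 (here and in the x86_64-aws-k8s-1.26 section) is not explained in the description, which only covers NF_FLOW_TABLE_PROCFS. Because this symbol controls speculative-execution mitigations, add a sentence confirming that it is superseded by the added `CPU_MITIGATIONS y` and `ARCH_CONFIGURES_CPU_MITIGATIONS y`, and that mitigations stay enabled in the resulting configs, so the `-` line is not read as a mitigation being switched off.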

==> configs_HEAD/config-x86_64-aws-k8s-1.26-diff <==
-SPECULATION_MITIGATIONS y
+ARCH_CONFIGURES_CPU_MITIGATIONS y
+CPU_MITIGATIONS y
+NF_FLOW_TABLE_PROCFS y

==> configs_HEAD/config-x86_64-metal-k8s-1.26-diff <==

==> configs_HEAD/config-x86_64-vmware-k8s-1.26-diff <==
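
Review bot: the x86_64-metal-k8s-1.26 and x86_64-vmware-k8s-1.26 sections are empty, while x86_64-aws-k8s-1.26 loses one symbol and gains three. If these variants build the same 5.15 kernel, an empty diff is unexpected; state in the description whether it means their configs are truly unchanged or that the tool produced no output for them, and in the latter case attach the diff from a rerun.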

The upstream configuration change to CONFIG_NF_FLOW_TABLE_PROCFS turns on netfilter flow table offload statistics in /proc/net/netfilter/nf_flowtable in the 5.15 kernel.

Kernel 5.15 dropped one patch that is no longer needed. Both kernels added 5 patches in the TLS component in networking.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

larvacea commented 5 months ago

I reran the sonobuoy tests. They still passed, and (even better news) I have the results:

22:30:56             e2e                           global   complete   passed   Passed:  1, Failed:  0, Remaining:  0
22:30:56    systemd-logs     ip-192-168-1-96.ec2.internal   complete   passed                                        
22:30:56    systemd-logs   ip-192-168-43-111.ec2.internal   complete   passed                                        
22:30:56 Sonobuoy has completed. Use `sonobuoy retrieve` to get results.