Ben Cressey
> Just to confirm, the fix you are investigating will work from any container (suitably privileged) and not just need to use the admin container? That fix is specific to...
Suggested by @cmanzi in #987:
> I wonder if the config could even be managed in a ConfigMap that the update-operator watches? Being able to manage node configs from a...
I like the DNS and DHCP options you mention. One idea I've been mulling over is something like an IMDS proxy that would listen on `169.254.169.254` and forward requests to...
There are a few key inputs for the Bottlerocket kernel today:
* upstream LTS kernels (5.10 and 5.15 currently, 6.1 soon)
* Amazon Linux versions of those LTS kernels
* ...
@joebowbeer right!
@arnaldo2792 we will also want to make sure the new variant uses cgroup v2, and update `daemon.json` to use the [systemd driver](https://github.com/sparrc/slides/blob/main/cgroups-v2/slides.md#cgroup-drivers).
Seems like it's still needed and we should expand the `oci-defaults.resource-limits` settings for all the limits in any case.
One fairly widespread example of a container dependency on host crypto is the kernel PRNG, accessible via `/dev/random`, `/dev/urandom`, or the `getrandom()` syscall. Pretty much every standard library or runtime...
I've owed this issue a more substantial update for a while so here goes. In the current plan, FIPS for Bottlerocket requires two modules:
* AWS-LC Cryptographic module ([in "Coordination"...
Some exciting news from last week - [AWS-LC is now FIPS 140-3 certified](https://aws.amazon.com/blogs/security/aws-lc-is-now-fips-140-3-certified/) - so it's just the 6.1 kernel that's left.