Ben Cressey

Results: 40 issues by Ben Cressey

In #1966 support was added for obtaining the process and mount labels on an SELinux-enabled system. This works correctly for labeling the process, and for labeling most mounts. However, the...

**Issue number:** N/A **Description of changes:** Update `shim` to 15.8 which includes recent CVE fixes. Update `grub` to the latest version from AL23, and revert two patches that aren't required...

Bottlerocket’s current approach to bare metal variants does not support the project’s goal of providing a minimal, purpose-built Linux OS optimized for containers. Supporting the diversity of bare metal environments...

area/kubernetes
area/metal
status/icebox

**Image I'm using:** `aws-k8s-1.28`

**What I expected to happen:** I ran a pod with this security context:

```
securityContext:
  privileged: true
  seLinuxOptions:
    type: super_t
```

I expected the pod's process...

type/bug
area/kubernetes
status/needs-proposal
has-workaround

**Image I'm using:** aws-k8s-1.21 1.6.0 **What I expected to happen:** I deployed ["rootless" buildkit](https://github.com/moby/buildkit/blob/master/examples/kubernetes/statefulset.rootless.yaml) and then ran these steps after enabling user namespaces on the node. ``` kubectl exec -it...

type/bug
area/core
status/icebox

**Issue number:** Related: https://github.com/bottlerocket-os/bottlerocket/issues/1667 **Description of changes:** All of the packages in the main repo should now be building binaries for FIPS and non-FIPS. Enable the FIPS check by default...

**Image I'm using:** `v0.11.7` **Issue or Feature Request:** When testing locally in `aws-dev`, I issued an `apiclient reboot` command and hit an error where this pair of messages spammed the...

Currently we follow a circuitous path to get `root.json` into the image:

* When building any package, the [PUBLISH_REPO](https://github.com/bottlerocket-os/twoliter/blob/b836d71c53a7c3905e43c37ce6c817d76ade16a9/tools/buildsys/src/builder.rs#L120) environment variable is passed through.
* The Dockerfile uses this to...

**Issue number:** Related: https://github.com/bottlerocket-os/bottlerocket/pull/3932 **Description of changes:** With conditional compilation being eliminated, it is no longer always the case that all of the modules built by the kernel package will...

Today we use `systemctl try-restart` to attempt a service restart after applying settings. Partly this is because we process settings early in the boot, when the affected services haven't been...

type/bug
area/core
help wanted
status/icebox