Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kernel: Update to 5.10.184, 5.15.117, and 6.1.29 #3238

Merged
merged 9 commits into from
Jun 30, 2023
Merged

kernel: Update to 5.10.184, 5.15.117, and 6.1.29 #3238

merged 9 commits into from
Jun 30, 2023

Conversation

foersleo
Copy link
Contributor

@foersleo foersleo commented Jun 28, 2023
edited
Loading

Issue number: -

Description of changes:

Update kernels to latest AL kernels available in the repositories. With those updates we ingest upstream variants for nftables fix from #3126 , so drop the downstream backports.

Through AL we also got some additional config changes that I went ahead and reverted for us. Some of those are enabling quite substantial code changes that AL has backported (newer version of smartpqi driver and bbr2 congestion control algorithm). I do not think we want to enable those mid-series.

Testing done:

  • Compiles
  • Sonobuoy quick test

Sonobuoy quick test results. (No test for the 6.1 kernel update as 6.1 currently is only on *-dev variants):

> kubectl get nodes -o wide
NAME                                             STATUS   ROLES    AGE   VERSION                INTERNAL-IP     EXTERNAL-IP     OS-IMAGE                                KERNEL-VERSION   CONTAINER-RUNTIME
ip-192-168-8-237.eu-central-1.compute.internal   Ready    <none>   32m   v1.27.1-eks-61789d8    192.168.8.237   18.195.80.186   Bottlerocket OS 1.15.0 (aws-k8s-1.27)   5.15.117         containerd://1.6.20+bottlerocket
ip-192-168-93-82.eu-central-1.compute.internal   Ready    <none>   33m   v1.23.17-eks-1c2761d   192.168.93.82   3.64.127.141    Bottlerocket OS 1.15.0 (aws-k8s-1.23)   5.10.184         containerd://1.6.20+bottlerocket

> sonobuoy run --mode=quick --wait
[...]
19:06:34    systemd-logs   ip-192-168-8-237.eu-central-1.compute.internal   complete   passed                                        
19:06:34    systemd-logs   ip-192-168-93-82.eu-central-1.compute.internal   complete   passed                                        
19:06:34             e2e                                           global   complete   passed   Passed:  1, Failed:  0, Remaining:  0

Config diff reports quite some changes:

config-aarch64-aws-dev-diff:              1 removed,  19 added,   5 changed
config-aarch64-aws-k8s-1.23-diff:         2 removed,   3 added,   2 changed
config-aarch64-aws-k8s-1.26-diff:         2 removed,   2 added,   0 changed
config-aarch64-metal-dev-diff:            1 removed,  20 added,   5 changed
config-x86_64-aws-dev-diff:               1 removed,  11 added,   7 changed
config-x86_64-aws-k8s-1.23-diff:          1 removed,   6 added,   2 changed
config-x86_64-aws-k8s-1.26-diff:          2 removed,   1 added,   1 changed
config-x86_64-metal-dev-diff:             1 removed,  12 added,   7 changed
config-x86_64-metal-k8s-1.23-diff:        1 removed,   1 added,   0 changed
config-x86_64-metal-k8s-1.26-diff:        2 removed,   1 added,   1 changed

The full diff report can be found on Gist.

Summary of changes per kernel series:

5.10

  • BLK_DEV_SX8 - Driver has been removed upstream in v5.10.184
  • DRM_RCAR_LVDS and DRM_RCAR_USE_LVDS - clean up of drm rcar config options in v5.10.183
  • INFINIBAND_I40W - removed from aarch64 for consistency with x86_64
  • SCSI_DPT_I2O - unclear why this one comes up now. The functionality is not new and it has been removed upstream, but the removal has not made it to 5.10 tree.
  • IXGBE* and MDIO - Add the ixgbe driver to x86_64 for consistency with aarch64 - MDIO gets selected by IXGBE

5.15

  • BLK_DEV_SX8 - Driver has been removed upstream in v5.15.117
  • DRM_RCAR_LVDS and DRM_RCAR_USE_LVDS - clean up of drm rcar config options in v5.15.116
  • SCSI_DPT_I2O - unclear why this one comes up now. The functionality is not new and it has been removed upstream, but the removal has not made it to 5.10 tree.
  • HP_ACCEL and X86_PLATFORM_DRIVERS_HP - move HP drivers into central location, renaming options in v5.15.113
  • X86_CPUID - enable cpuid interface for consistency between kernel series

6.1

  • GCC12_NO_ARRAY_BOUNDS - option removed to use version agnostic option CC_NO_ARRAY_BOUNDS in v6.1.26
  • CRYPTO_FIPS_NAME - set to be AL specific. I am not quite sure if we want to carry this forward
  • PTP* and PPS* - these are needed for functionality in the newer ENA drivers and a dependency for loading newer ena
  • SFC_SIENA - depends on PTP_1588_CLOCK and is thus now visible
  • RT_GROUP_SCHED - disable, as allocating real CPU bandwidth for task groups can be problematic with systemd (https://github.com/systemd/systemd/blob/main/README#L144-L150)
  • DP83640_PHY - new driver for ultra-low-power Ethernet phy - not needed
  • HAVE_*, LIVEPATCH, OBJTOOL, STACK_VALIDATION, UNWINDER_FRAME_POINTER - port livepatch capabilities to aarch64, we have these available on previous kernel series as well
  • X86_CPUID and X86_MSR - enable cpuid and msr interface for consistency between kernel series

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@markusboehme
Copy link
Member

  • CONFIG_IXGBE*: I think going the opposite direction for achieving consistency makes more sense for Bottlerocket (i.e. disable it for all non-metal variants on both architectures). For Enhanced Networking with the Intel 82599 VF on EC2 there will still be the ixgbevf driver which is independent of the host's ixgbe.
  • CRYPTO_FIPS_NAME: If we want to base FIPS certification off Amazon Linux' eventually, it may make sense to keep it. Not sure whether now is the right time. What do you think, @bcressey?

markusboehme
markusboehme reviewed Jun 29, 2023
View reviewed changes
packages/kernel-5.10/config-bottlerocket Show resolved Hide resolved
packages/kernel-5.10/config-bottlerocket Outdated Show resolved Hide resolved
packages/kernel-5.15/config-bottlerocket Outdated Show resolved Hide resolved
packages/kernel-5.10/config-bottlerocket Outdated Show resolved Hide resolved
@foersleo
kernel-5.10: update to 5.10.184
f2e7e91 
Rebase to Amazon Linux upstream version based on 5.10.184.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
Revert "kernel-5.10: cherry-pick fix for CVE-2023-32233"
cade579 
This reverts commit e2083a2.

The fix was introduced upstream into the 5.10 series starting with
version v5.10.180. We do not need to carry the patch downstream anymore.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
kernel-5.15: update to 5.15.117
97120a6 
Rebase to Amazon Linux upstream version based on 5.15.117.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
Revert "kernel-5.15: cherry-pick fix for CVE-2023-32233"
ed9921a 
This reverts commit a349613.

The fix was introduced into the stable 5.15 series upstream in version
v5.15.111. We do not need to carry the downstream variant anymore.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
kernel-6.1: update to 6.1.29
d0c0b9d 
Rebase to Amazon Linux upstream version based on 6.1.29.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
kernel-5.10: Choose upstream smartpqi driver over backport
75b8572 
In the past we have built-in the upstream smartpqi driver for our metal
platforms and inherited the module build on aws/vmware platforms from
AL. AL recently introduced a newer version of that driver alongside the
in-tree driver. Keep the status quo by only building the in-tree
variant, effectively reducing the amount of code built and shipped.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
kernel-5.10, -5.15: Disable edac driver for Intel 10NM memory controller
9cfaa4e 
We have not used and currently, do not have requests to support edac on
that style of hardware. Keep with our kernels small and at the status
quo.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
kernel-5.10: Remove specialized IPMI drivers
590ad7e 
AL has recently added a bunch of IPMI drivers to their kernels. In
Bottlerocket those do not get used currently. Remove the unneeded
drivers.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
kernel-5.10: Disable Amazon Linux BBR2 port
4ff9396 
Amazon Linux introduced a port of the BBR2 congestion control
algorithm. As this is a comparably large patch set that has not made it
upstream yet and is marked as alpha/preview state.

Disabling it for now to keep our kernel more stable.

Signed-off-by: Leonard Foerster <[email protected]>
@foersleo
Copy link
Contributor Author

Update to latest minor version of AL for 5.10 and 5.15.
Leaving an extra update of 6.1 series out as it incurs a bigger update and 6.1 is currently only in dev variants. Going to do that update independently from this PR.

stmcginnis
stmcginnis approved these changes Jun 30, 2023
View reviewed changes
Copy link
Contributor

@stmcginnis stmcginnis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Things look good to me.

@foersleo foersleo merged commit 931865c into bottlerocket-os:develop Jun 30, 2023
@stmcginnis stmcginnis mentioned this pull request Jun 30, 2023
Closed
6 tasks
@foersleo foersleo mentioned this pull request Jun 30, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markusboehme markusboehme markusboehme approved these changes

@stmcginnis stmcginnis stmcginnis approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@foersleo @markusboehme @stmcginnis