Update kernels to 5.10.135 and 5.15.59 #2465

Conversation

markusboehme
Member

Issue number: n/a

Description of changes: This rebases the Bottlerocket kernels in preparation for the 1.10 release. The new kernels are based on 5.10.135 and 5.15.59, respectively.

Note that this picks up the mitigations against retbleed, an attack targeting previous Spectre mitigations. The configuration for these mitigations matches upstream defaults.

Testing done:

Report from tools/diff-kernel-config:

config-aarch64-5.10-aws-k8s-1.23-diff:    0 removed,   0 added,   1 changed
config-aarch64-5.15-aws-dev-diff:         0 removed,   0 added,   0 changed
config-aarch64-5.15-metal-dev-diff:       0 removed,   0 added,   0 changed
config-x86_64-5.10-aws-k8s-1.23-diff:     0 removed,   6 added,   1 changed
config-x86_64-5.10-metal-k8s-1.23-diff:   0 removed,   6 added,   1 changed
config-x86_64-5.15-aws-dev-diff:          0 removed,   6 added,   1 changed
config-x86_64-5.15-metal-dev-diff:        0 removed,   6 added,   1 changed

You can find the full report in this Gist.

The newly added options for x86 builds are related to the retbleed mitigations. The upstream community used this as an opportunity to also restructure the configuration of various hardware vulnerability mitigations, which can be seen in the full report.

The changed option in some kernel builds relates to the Amazon Linux kernel dropping the qlge NIC driver, and me deciding to follow suit for the Bottlerocket kernels. The driver has known deficiencies, which is the reason it lives in the staging tree of the kernel. Given that its hardware was EOL'd more than 8 years ago, there is likely to be little interest in the driver in its current form, let alone in fixing its quality problems.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
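As an added example (not part of this PR and not the Bottlerocket tools/diff-kernel-config script), a small Python config differ that produces the same removed/added/changed summary shape from two kernel .config files and lists mitigation options a reviewer expects to be built in. The function names are mine; the option names are real Kconfig symbols for the upstream retbleed series and the qlge/sch_cake drivers discussed above, but the two fragments are constructed and do not reproduce the counts in the linked Gist.

```python
import re
# Kconfig lines: "CONFIG_FOO=y|m|..." or "# CONFIG_FOO is not set".
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map option -> value ('n' for an explicit 'is not set'). An option absent
    from the file stays out, so one upstream newly builds counts as 'added'."""
    opts = {}
    for line in text.splitlines():
        if m := _SET.match(line.strip()):
            opts[m.group(1)] = m.group(2)
        elif m := _UNSET.match(line.strip()):
            opts[m.group(1)] = "n"
    return opts

def diff_configs(old_text, new_text):
    """Removed/added option names plus {name: (old, new)} for value changes."""
    old, new = parse_config(old_text), parse_config(new_text)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": {k: (old[k], new[k])
                    for k in sorted(set(old) & set(new)) if old[k] != new[k]},
    }

def summary_line(name, diff):
    """One line in the shape of the tools/diff-kernel-config report."""
    return (f"{name}-diff: {len(diff['removed']):3d} removed, "
            f"{len(diff['added']):3d} added, {len(diff['changed']):3d} changed")

def not_built_in(config, required):
    """Options a reviewer expects built in (=y) that are absent or turned off."""
    return [opt for opt in required if config.get(opt) != "y"]

# Constructed fragments, not the real Bottlerocket configs: the new kernel picks
# up the retbleed options and drops the staging qlge driver from =m to unset.
OLD_CONFIG = """CONFIG_RETPOLINE=y
CONFIG_QLGE=m
# CONFIG_NET_SCH_CAKE is not set
"""
NEW_CONFIG = """CONFIG_RETPOLINE=y
CONFIG_RETHUNK=y
CONFIG_CPU_UNRET_ENTRY=y
CONFIG_CPU_IBPB_ENTRY=y
CONFIG_CPU_IBRS_ENTRY=y
# CONFIG_QLGE is not set
# CONFIG_NET_SCH_CAKE is not set
"""
```

Because sch_cake is explicitly written as "is not set" in both fragments, it is neither added nor changed, which is exactly what the commit messages below aim for.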

Rebase to Amazon Linux upstream version based on 5.10.135. Apply two
config changes in the process:

    * Stop building the qlge NIC driver. The hardware has been EOL'd
      more than 8 years ago, and the driver has known quality problems
      which is the reason it lives in the staging tree. The Amazon Linux
      kernel based on 5.15.59 dropped it and I don't see a good reason
      to retain it for Bottlerocket either, so drop it from the 5.10
      builds, too.
    * Continue not building the sch_cake qdisc. CAKE is targeted for
      residential links, and building devices such as routers in
      particular. It is unlikely to be useful for Bottlerocket for the
      time being. Since upstream builds it as a module now, sch_cake
      needs to be explicitly disabled.

Signed-off-by: Markus Boehme <[email protected]>

Rebase to Amazon Linux upstream version based on 5.15.59. Apply a
config change in the process:

    * Continue not building the sch_cake qdisc. CAKE is targeted for
      residential links, and building devices such as routers in
      particular. It is unlikely to be useful for Bottlerocket for the
      time being. Since upstream builds it as a module now, sch_cake
      needs to be explicitly disabled.

Signed-off-by: Markus Boehme <[email protected]>
@markusboehme
Member Author

I forgot to upload the new SRPMs to the look-aside cache, hence the build failures. Odd that some succeeded anyway.

@foersleo
Contributor

Interesting that all the nvidia variants succeeded while all the others did not.

@markusboehme
Member Author

Good call-out! The NVIDIA variants are built with fetch-upstream=true/BUILDSYS_UPSTREAM_SOURCE_FALLBACK=true and fetch the upstream if the look-aside cache is missing a file.

@bcressey
Contributor

bcressey commented Oct 1, 2022

I assume the answer is "no" given the source, but wanted to double check - neither stable kernel update includes a backport of this nvme commit?

@markusboehme
Member Author

@bcressey: No, we're good. The commit in question was not backported from when it was introduced in 5.19.

@markusboehme markusboehme merged commit 6fc96db into bottlerocket-os:develop Oct 4, 2022