Skip to content

Rebase to Amazon Linux 2023 and enable FIPS #125

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 5 commits into
base: develop
Choose a base branch
from
Draft

Rebase to Amazon Linux 2023 and enable FIPS #125

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5c48a4b
base: update to Amazon Linux 2023
maherthomsi Nov 13, 2025
3043588
feat: match cgroups between host system and container
maherthomsi Nov 13, 2025
e331812
Update bash to 5.2.15
maherthomsi Nov 13, 2025
b053194
crypto: implement FIPS 140-2 compliance support
maherthomsi Nov 13, 2025
0b10ea1
motd: update to show Amazon Linux 2023
maherthomsi Nov 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 10 additions & 26 deletions start_admin.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,6 +228,15 @@ for key_alg in rsa ecdsa ed25519; do
fi
done

readonly host_cgroup="/.bottlerocket/rootfs/sys/fs/cgroup"

cgroup_fstype=$(findmnt -n -o FSTYPE "${host_cgroup}" || true)
if [[ "${cgroup_fstype}" == tmpfs ]]; then
# Host uses cgroup v1, so use cgroup v1 in container too
ln -sf "${host_cgroup}" /sys/fs/cgroup
log "cgroup v1 enabled in admin container to match host"
fi

install_proxy_profile

enable_systemd_services
Expand All @@ -236,32 +245,7 @@ enable_systemd_services

systemd_options=()

# cgroup v2 compatibility crimes: systemd 219 in the admin container only
# supports cgroup v1.
if [[ $(findmnt -n -o FSTYPE /sys/fs/cgroup) = cgroup2 ]]; then
# Mount an extra cgroup v1 hierarchy for use by systemd in the admin
# container. Vanilla systemd is hard-wired to look for it at /sys/fs/cgroup
# but that path is already taken by the host's proper cgroup hierarchy.
# Mounting a cgroup v1 hierarchy here might confuse the host and the systemd
# documentation advises against manually interfering with anything in that
# path. Therefore, mount the extra hierarchy elsewhere and tell systemd in
# the admin container where to look. Requirements:
#
# 1. The base must be a mount point.
# 2. The base must contain another mounted cgroup file system named "systemd".
#
# In either case there is no need to populate the file systems with any
# actual cgroup controllers, since the host is expected to manage processes.
readonly cgroup_base=/.bottlerocket/admin-container-cgroup
mkdir -p "${cgroup_base}"
mount -t tmpfs -o nosuid,nodev,noexec tmpfs "${cgroup_base}"
mkdir -p "${cgroup_base}"/systemd
mount -o remount,ro "${cgroup_base}"
mount -t cgroup -o none,name=systemd cgroup "${cgroup_base}"/systemd
systemd_options+=( --cgroup-base "${cgroup_base}" )
fi

# Persuade systemd that it's OK to run as a user manager.
export XDG_RUNTIME_DIR="/run/user/${UID}"
mkdir -p /run/systemd/system "${XDG_RUNTIME_DIR}"
exec /usr/lib/systemd/systemd "${systemd_options[@]}" --user --unit=admin.target
exec /usr/lib/systemd/systemd "${systemd_options[@]}" --user --unit=admin.target
Copy link
Contributor

@arnaldo2792 arnaldo2792 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are missing a new line at the end of this file.