@piyush-jena piyush-jena commented Oct 3, 2025

Fixes: #290

Description of changes:

  • Remove Go-1.23. Make Go-1.24 default, Add Go-1.25
  • Add Go-1.25
  • Update Rust to v1.90.0 - Done via script
  • Add support for python3-devel

Testing done:

  1. Checking the Rust version, the default Go version, Go-1.25 and python3-devel support

I ran the SDK image with docker run and checked the Rust and Go versions inside it:

[fedora@ip-******* bottlerocket-sdk]$ docker image ls
REPOSITORY                                                       TAG                      IMAGE ID       CREATED        SIZE
bottlerocket-sdk                                                 v0.67.0-6e874fb7-arm64   e7f824869073   2 hours ago    6.33GB
hello-world                                                      latest                   ca9905c726f0   2 months ago   5.2kB
[fedora@ip-******* bottlerocket-sdk]$ docker run -u 0 -it --rm e7f824869073 sh
sh-5.2# rustc --version
rustc 1.90.0 (1159e78c4 2025-09-14) (built from a source tarball)
sh-5.2# go version
go version go1.24.8 linux/arm64
sh-5.2# GO_MAJOR="1.25" go version
go version go1.25.2 linux/arm64
sh-5.2# dnf list installed python3-devel
Updating and loading repositories:
 Fedora 41 - aarch64 - Updates   100% |  17.8 MiB/s |  23.0 MiB |  00m01s
 Fedora 41 - aarch64             100% |  17.2 MiB/s |  34.2 MiB |  00m02s
Repositories loaded.
Installed packages
python3-devel.aarch64 3.13.7-1.fc41 updates

  2. Tested FIPS with Go-1.24 and Go-1.25
    Modified the containerd-1.7 spec file to build it with Go-1.25. The following is the result from an AMI built with that core kit.

Checking Go version

[root@admin]# go version ./.bottlerocket/rootfs/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/containerd
./.bottlerocket/rootfs/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/containerd: go1.25.2 X:boringcrypto
[root@admin]# go version ./.bottlerocket/rootfs/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/host-ctr
./.bottlerocket/rootfs/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/host-ctr: go1.24.8 X:boringcrypto

This is from the bottlerocket-fips instance.

[root@admin]# sheltie ctr images pull ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/test:latest
INFO[0000] trying next host                              error="failed to do request: Head \"https://ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/v2/test/manifests/latest\": remote error: tls: handshake failure" host="ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043"
ctr: failed to resolve reference "ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/test:latest": failed to do request: Head "https://ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/v2/test/manifests/latest": remote error: tls: handshake failure
[root@admin]# sheltie host-ctr pull-image --source ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/test:test
time="2025-10-13T02:58:45Z" level=info msg="Image does not exist, proceeding to pull image from source." ref="ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/test:test"
time="2025-10-13T02:58:45Z" level=info msg="trying next host" error="failed to do request: Head \"https://ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/v2/test/manifests/test\": remote error: tls: handshake failure" host="ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043"
time="2025-10-13T02:58:45Z" level=warning msg="failed to pull image. waiting 4.066s before retrying..." error="failed to resolve reference \"ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/test:test\": failed to do request: Head \"https://ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/v2/test/manifests/test\": remote error: tls: handshake failure"
[root@admin]#

This is from the OpenSSL server, a separate host that accepts connection requests from the bottlerocket-fips host.

[root@nginx-mmbs7 ssl]# openssl s_server -accept 443 -cert server.crt -key server.key -cipher 'ECDHE-RSA-CHACHA20-POLY1305' -ciphersuites 'TLS_CHACHA20_POLY1305_SHA256'
Using default temp DH parameters
ACCEPT
ERROR
40A7D1B3B27F0000:error:0A0000C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1842:
shutting down SSL
CONNECTION CLOSED
ERROR
40A7D1B3B27F0000:error:0A0000C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1842:
shutting down SSL
CONNECTION CLOSED
ERROR
40A7D1B3B27F0000:error:0A0000C1:SSL routines:tls_early_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1842:
shutting down SSL
CONNECTION CLOSED

The handshake failure happens because the FIPS instance does not accept a non-FIPS-compliant cipher.

The second time we reattempt this, but with a FIPS-compliant cipher:

[root@admin]# sheltie ctr images pull ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/test:latest
ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/test:latest: resolving      |--------------------------------------|
elapsed: 24.0s                                                      total:   0.0 B (0.0 B/s)
^C
[root@admin]# sheltie host-ctr pull-image --source ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/test:test
time="2025-10-08T23:04:28Z" level=info msg="Image does not exist, proceeding to pull image from source." ref="ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043/test:test"
^C

This is from the OpenSSL server, a separate host that accepts connection requests from the bottlerocket-fips host.

[root@nginx-mmbs7 ssl]# openssl s_server -accept 443 -cert server.crt -key server.key -cipher 'ECDHE-RSA-AES128-GCM-SHA256' -ciphersuites 'TLS_AES_128_GCM_SHA256'
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MHMCAQECAgMEBAITAQQghk8H5LH6dmkMvuPjniAd8kKIIJloFTy8DHeF/Xn8UTQE
IFMqbrMOs3pb5SHVQ8OBv5ciX3qMXZJ6TMwq04xN5PcNoQYCBGjm7duiBAICHCCk
BgQEAQAAAK4HAgUA/qol8LMDAgEX
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256
Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Shared Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Supported groups: secp256r1:secp384r1:secp521r1
Shared groups: secp256r1:secp384r1:secp521r1
CIPHER is TLS_AES_128_GCM_SHA256
This TLS version forbids renegotiation.
HEAD /v2/test/manifests/latest HTTP/1.1
Host: ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043
User-Agent: containerd/1.7.28+bottlerocket
Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*

ERROR
40E764F4847F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
shutting down SSL
CONNECTION CLOSED
-----BEGIN SSL SESSION PARAMETERS-----
MHMCAQECAgMEBAITAQQg1/iS5uFaDccPa7JxxZ21CzvPlueL1TnBfqy74G8xO0UE
IG3j8huk2Nwg7P2j2yzzInz6FPyw2YvsgYBdtH+dPkB0oQYCBGjm7fyiBAICHCCk
BgQEAQAAAK4HAgUAlTLecrMDAgEX
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256
Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Shared Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Supported groups: secp256r1:secp384r1:secp521r1
Shared groups: secp256r1:secp384r1:secp521r1
CIPHER is TLS_AES_128_GCM_SHA256
This TLS version forbids renegotiation.
HEAD /v2/test/manifests/test HTTP/1.1
Host: ec2-54-149-221-64.us-west-2.compute.amazonaws.com:8043
User-Agent: containerd/1.7.28+unknown
Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*

ERROR
40E764F4847F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
shutting down SSL

  3. python3-devel
    Modified the containerd-1.7 spec file to require python3-devel. The following are the build logs:
[fedora@ip-********** bottlerocket-core-kit]$ PACKAGE="$PACKAGE_NAME" make twoliter build-package -e BUILDSYS_UPSTREAM_SOURCE_FALLBACK=true -e BUILDSYS_ARCH=x86_64
Found Twoliter v0.12.0 installed.
Skipping installation.
******
   Compiling glibc v0.1.0 (/home/fedora/Repositories/bottlerocket-core-kit/packages/glibc)
   Compiling containerd-1_7 v0.1.0 (/home/fedora/Repositories/bottlerocket-core-kit/packages/containerd-1.7)
******
  #10 0.339 Repositories loaded.
  #10 0.351 Package "git-2.51.0-2.fc41.x86_64" is already installed.
  #10 0.351 Package "python3-devel-3.13.7-1.fc41.x86_64" is already installed.
*******

  4. Quick Tests:
 NAME                                                TYPE               STATE                     PASSED           FAILED           SKIPPED   BUILD ID          LAST UPDATE                 
 aarch64-aws-k8s-128-nvidia-quick                    Test               passed                         5                0              7391   a2524ed7          2025-10-13T00:29:45Z      
 aarch64-aws-k8s-128-quick                           Test               passed                         5                0              7391   a2524ed7          2025-10-13T00:29:06Z        
 aarch64-aws-k8s-131-nvidia-quick                    Test               passed                         5                0              6606   a2524ed7          2025-10-13T00:29:27Z       
 aarch64-aws-k8s-131-quick                           Test               passed                         5                0              6606   a2524ed7          2025-10-13T00:30:37Z        
 aarch64-aws-k8s-134-nvidia-quick                    Test               passed                         5                0              7136   a2524ed7          2025-10-13T00:30:52Z     
 aarch64-aws-k8s-134-quick                           Test               passed                         5                0              7136   a2524ed7          2025-10-13T00:29:17Z        
 x86-64-aws-k8s-128-nvidia-quick                     Test               passed                         5                0              7391   a2524ed7          2025-10-13T00:29:40Z        
 x86-64-aws-k8s-131-nvidia-quick                     Test               passed                         5                0              6606   a2524ed7          2025-10-13T00:30:24Z       
 x86-64-aws-k8s-131-quick                            Test               passed                         5                0              6606   a2524ed7          2025-10-13T00:29:29Z        
 x86-64-aws-k8s-134-nvidia-quick                     Test               passed                         5                0              7136   a2524ed7          2025-10-13T00:29:42Z       
 x86-64-aws-k8s-134-quick                            Test               passed                         5                0              7136   a2524ed7          2025-10-13T00:30:20Z 
 aarch64-aws-ecs-2-quick                             Test               passed                         1                0              0      a2524ed7          2025-10-13T01:44:04Z         
 x86-64-aws-ecs-2-quick                              Test               passed                         1                0              0      a2524ed7          2025-10-13T01:42:48Z 

  5. nvidia-tests, tested on both arches
[fedora@ip-******* Repositories]$ kubectl get pods -o wide --kubeconfig test-cluster-128.kubeconfig
NAME                READY   STATUS      RESTARTS   AGE     IP               NODE                                           NOMINATED NODE   READINESS GATES
nvidia-smoke-test     0/1     Completed   0          9m20s   192.168.78.193   ip-192-168-90-13.us-west-2.compute.internal    <none>           <none>
nvidia-smoke-test-1   0/1     Completed   0          3m6s    192.168.27.96    ip-192-168-17-164.us-west-2.compute.internal   <none>           <none>
[fedora@ip-******* Repositories]$ kubectl get pods -o wide --kubeconfig test-cluster-131.kubeconfig
NAME                READY   STATUS      RESTARTS   AGE     IP               NODE                                           NOMINATED NODE   READINESS GATES
nvidia-smoke-test     0/1     Completed   0          9m21s   192.168.7.243    ip-192-168-25-115.us-west-2.compute.internal   <none>           <none>
nvidia-smoke-test-1   0/1     Completed   0          3m5s    192.168.89.167   ip-192-168-92-132.us-west-2.compute.internal   <none>           <none>
[fedora@ip-******* Repositories]$ kubectl get pods -o wide --kubeconfig test-cluster-134.kubeconfig
NAME                READY   STATUS      RESTARTS   AGE   IP               NODE                                           NOMINATED NODE   READINESS GATES
nvidia-smoke-test     0/1     Completed   0          11m   192.168.57.33    ip-192-168-38-242.us-west-2.compute.internal   <none>           <none>
nvidia-smoke-test-1   0/1     Completed   0          45s   192.168.38.226   ip-192-168-54-255.us-west-2.compute.internal   <none>           <none>

  6. Verifying CGO is enabled
[root@admin]# go version ./.bottlerocket/rootfs/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/containerd
./.bottlerocket/rootfs/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/containerd: go1.25.2 X:boringcrypto
[root@admin]# readelf -d ./.bottlerocket/rootfs/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/containerd

Dynamic section at offset 0x3773980 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0xa57000
 0x000000000000000d (FINI)               0x20f9c44
 0x0000000000000019 (INIT_ARRAY)         0x242afe0
 0x000000000000001b (INIT_ARRAYSZ)       16 (bytes)
 0x000000000000001a (FINI_ARRAY)         0x242aff0
 0x000000000000001c (FINI_ARRAYSZ)       16 (bytes)
 0x0000000000000004 (HASH)               0x448
 0x000000006ffffef5 (GNU_HASH)           0xada18
 0x0000000000000005 (STRTAB)             0x4cb068
 0x0000000000000006 (SYMTAB)             0x17ae00
 0x000000000000000a (STRSZ)              5446183 (bytes)
 0x000000000000000b (SYMENT)             24 (bytes)
 0x0000000000000015 (DEBUG)              0x0
 0x0000000000000003 (PLTGOT)             0x3774bb0
 0x0000000000000002 (PLTRELSZ)           2832 (bytes)
 0x0000000000000014 (PLTREL)             RELA
 0x0000000000000017 (JMPREL)             0xa43740
 0x0000000000000007 (RELA)               0xa43650
 0x0000000000000008 (RELASZ)             240 (bytes)
 0x0000000000000009 (RELAENT)            24 (bytes)
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000006ffffffe (VERNEED)            0xa43570
 0x000000006fffffff (VERNEEDNUM)         1
 0x000000006ffffff0 (VERSYM)             0x9fca90
 0x0000000000000024 (<unknown>: 24)      0xa44250
 0x0000000000000023 (<unknown>: 23)      0x12258
 0x0000000000000025 (<unknown>: 25)      0x8
 0x0000000000000000 (NULL)               0x0

The shared library dependency on libc confirms this.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
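The two by-hand checks in the description (`go version <binary>` for the `X:boringcrypto` tag and `readelf -d` for the libc dependency that shows cgo was on) can be scripted from the build info the Go linker embeds. The following is an added example, not code from this PR or the Bottlerocket project: it reads that build info without executing the binary and reports both properties together, because a toolchain tagged boringcrypto falls back to pure-Go crypto when cgo is disabled. The `Report` type, `assess` and `readReport` names are the example's own.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// Report holds what the PR verifies by hand with `go version <binary>` and
// `readelf -d <binary>`. Both matter: without cgo, boringcrypto is not linked.
type Report struct {
	GoVersion    string
	BoringCrypto bool // toolchain built with GOEXPERIMENT=boringcrypto
	CgoEnabled   bool // CGO_ENABLED=1 recorded in the build settings
}
func (r Report) FipsCapable() bool { return r.BoringCrypto && r.CgoEnabled }
// assess parses the embedded version string ("go1.25.2 X:boringcrypto", as
// `go version` prints it; experiments follow "X:" comma-separated) and settings.
func assess(goVersion string, settings map[string]string) Report {
	r := Report{GoVersion: goVersion, CgoEnabled: settings["CGO_ENABLED"] == "1"}
	for _, f := range strings.Fields(goVersion) {
		if strings.HasPrefix(f, "X:") {
			for _, exp := range strings.Split(f[2:], ",") {
				r.BoringCrypto = r.BoringCrypto || exp == "boringcrypto"
			}
		}
	}
	return r
}
// readReport reads the build info the linker embeds (what `go version -m`
// prints) without executing the binary.
func readReport(path string) (Report, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return Report{}, err
	}
	settings := map[string]string{}
	for _, s := range bi.Settings {
		settings[s.Key] = s.Value
	}
	return assess(bi.GoVersion, settings), nil
}
func main() { // usage: fipscheck <go-binary>...  e.g. .../sys-root/usr/bin/containerd
	for _, p := range os.Args[1:] {
		if r, err := readReport(p); err != nil {
			fmt.Fprintln(os.Stderr, p+":", err)
		} else {
			fmt.Printf("%s: %s cgo=%t fips_capable=%t\n", p, r.GoVersion, r.CgoEnabled, r.FipsCapable())
		}
	}
}
```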

@piyush-jena piyush-jena changed the title go: add support for 1.25, drop 1.23 Add support for Go-1.25, python-devel, Rust-1.90 and remove Go-1.23, Oct 9, 2025
@piyush-jena piyush-jena marked this pull request as ready for review October 9, 2025 21:50
@piyush-jena piyush-jena changed the title Add support for Go-1.25, python-devel, Rust-1.90 and remove Go-1.23, Add support for Go-1.25, python-devel, Rust-1.90 and remove Go-1.23 Oct 9, 2025
@piyush-jena piyush-jena changed the title Add support for Go-1.25, python-devel, Rust-1.90 and remove Go-1.23 Add support for Go-1.25, python3-devel, Rust-1.90 and remove Go-1.23 Oct 9, 2025
@piyush-jena (Contributor, Author)

^ Fixes to above comments

@piyush-jena (Contributor, Author)

^ Force push adds new patch for aws-lc.

@piyush-jena piyush-jena merged commit 1553070 into bottlerocket-os:develop Oct 13, 2025
Successfully merging this pull request may close these issues.

Possible to get python3-devel included in sdk?

4 participants