feat: First steps of V1.28 based on Alpine 3.19

2024-03-12 15:18:42 +00:00 · 2024-03-12 15:18:42 +00:00 · bfba223c17
parent a2acb94732
commit bfba223c17
24 changed files with 273 additions and 121 deletions
--- a/12
+++ b/12
@ -1,13 +1,11 @@
-FROM    alpine:3.18
-ARG     ALPINE="v3.18"
+FROM    alpine:3.19
+ARG     ALPINE="v3.19"
 ARG     BUILDUSER=alpine

 RUN     echo "http://dl-cdn.alpinelinux.org/alpine/${ALPINE}/main" > /etc/apk/repositories && \
        echo "http://dl-cdn.alpinelinux.org/alpine/${ALPINE}/community" >> /etc/apk/repositories && \
        echo "@edge-main http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories && \
-        echo "@edge-community http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories && \
-        echo "@kubezero https://cdn.zero-downtime.net/alpine/${ALPINE}/kubezero" >> /etc/apk/repositories && \
-        wget -q -O /etc/apk/keys/stefan@zero-downtime.net-61bb6bfb.rsa.pub https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub
+        echo "@edge-community http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories

 RUN     apk -U --no-cache upgrade && \
        apk --no-cache add \
@ -24,7 +22,9 @@ RUN     adduser -D $BUILDUSER && \
        install -d -g abuild -m 775 /var/cache/distfiles && \
        install -d -g abuild -m 775 /packages && \
        echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subuid && \
-        echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subgid
+        echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subgid && \
+        echo "@kubezero https://cdn.zero-downtime.net/alpine/${ALPINE}/kubezero" >> /etc/apk/repositories && \
+        wget -q -O /etc/apk/keys/stefan@zero-downtime.net-61bb6bfb.rsa.pub https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub

 COPY    abuilder aarch64-toolchain.sh /usr/bin/

--- a/2
+++ b/2
@ -4,7 +4,7 @@ REGION := us-east-1

 include .ci/podman.mk

-BUILDER := v3.18.4
+BUILDER := v3.19.1
 PKG := '*'
 CF_DIST := E11OFTOA3L8IVY

--- a/2
+++ b/2
@ -11,7 +11,7 @@ if [ "$1" = 'aarch64-toolchain' ]; then
 else
  # Set ENV for cross compile for aarch64
  if [ "$2" = "cross-arm64" ]; then
-    ALPINE="v3.18"
+    ALPINE="v3.19"
    TARGET_ARCH=aarch64
    SUDO_APK=abuild-apk
    APORTS=/home/alpine/aports
--- a/kubezero/aws-iam-authenticator/APKBUILD
+++ b/kubezero/aws-iam-authenticator/APKBUILD
@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=aws-iam-authenticator
-pkgver=0.6.10
+pkgver=0.6.11
 pkgrel=0
 pkgdesc="AWS aws-iam-authenticator"
 url="https://github.com/kubernetes-sigs/aws-iam-authenticator"
@ -20,5 +20,5 @@ package() {
 }

 sha512sums="
-2b5da6dfbec1f5483ead8da280de8dd719b71157a9bfa4751c015dbc77a4f4c01a59486015cd2231ffb4232a0bf4a35ef843007605dd0b9fffd51ca0208f8fda  aws-iam-authenticator-0.6.10.tar.gz
+6d78fbe95d6e36a7a3835b4df257e96fff3ab53fe4abd8ef525c24aebaf8727e2a6016107024bebe031b2e24295172190407ca892d1b3478329c62cdd9fe553f  aws-iam-authenticator-0.6.11.tar.gz
 "
--- a/kubezero/cri-o/APKBUILD
+++ b/kubezero/cri-o/APKBUILD
@ -3,7 +3,7 @@
 # Contributor: TBK <alpine@jjtc.eu>
 # Maintainer: ungleich <foss@ungleich.ch>
 pkgname=cri-o
-pkgver=1.26.4
+pkgver=1.27.1
 pkgrel=0
 pkgdesc="OCI-based implementation of Kubernetes Container Runtime Interface"
 url="https://github.com/cri-o/cri-o/"
@ -14,8 +14,8 @@ license="Apache-2.0"
 options="net chmod-clean !check"
 depends="
 	cni-plugins
-	conntrack-tools
 	conmon
+	conntrack-tools
 	containers-common
 	iproute2
 	iptables
@ -33,6 +33,7 @@ makedepends="
 	libselinux-dev
 	lvm2-dev
 	ostree-dev
+	sqlite-dev
 	tzdata
 	"
 checkdepends="bats cri-tools jq parallel sudo conmon"
@ -40,9 +41,10 @@ subpackages="
 	$pkgname-doc
 	$pkgname-bash-completion
 	$pkgname-zsh-completion
-	$pkgname-fish-completion
 	$pkgname-openrc
 	"
+	#$pkgname-fish-completion
+
 source="
 	$pkgname-$pkgver.tar.gz::https://github.com/cri-o/cri-o/archive/v$pkgver/cri-o-$pkgver.tar.gz
 	crio.conf
@ -70,7 +72,7 @@ export GOBIN="$GOPATH/bin"

 build() {
 	# https://github.com/cri-o/cri-o/blob/master/install.md#build-tags
-	make BUILDTAGS="seccomp selinux apparmor containers_image_openpgp containers_image_ostree_stub"
+	make BUILDTAGS="libsqlite3 seccomp selinux apparmor containers_image_openpgp containers_image_ostree_stub"
 }

 check() {
@ -78,11 +80,17 @@ check() {
 }

 package() {
-	make DESTDIR="$pkgdir" PREFIX=/usr CRICTL_CONFIG_DIR="/etc/crio" OCIUMOUNTINSTALLDIR="/etc/crio" install
+	make \
+		DESTDIR="$pkgdir" \
+		PREFIX=/usr \
+		CRICTL_CONFIG_DIR="/etc/crio" \
+		OCIUMOUNTINSTALLDIR="/etc/crio" \
+		FISHINSTALLDIR=/usr/share/fish/vendor_completions.d \
+		install.bin-nobuild install.man-nobuild install.completions install.config-nobuild

 	# We want it in etc so apk does not overwrite it
 	mkdir -p  "$pkgdir"/usr/share/oci-umount/oci-umount.d/
-	ln -sf /etc/crio/crio-umount.conf "$pkgdir"/usr/share/oci-umount/oci-umount.d/crio-umount.conf
+	ln -sf ../../../../etc/crio/crio-umount.conf "$pkgdir"/usr/share/oci-umount/oci-umount.d/crio-umount.conf

 	# The CNI plugins are recommended to be installed as examples
 	install -Dm644 contrib/cni/*.conflist -t "$pkgdir"/usr/share/doc/cri-o/examples/cni/
@ -95,9 +103,9 @@ package() {
 }

 sha512sums="
-99bf6b438da236491fcc33ddaa28aeb381fc40c04138918be98fca1117132c5616598e4d758a6852071a67e4884895494b091c9206490a964a559723f77b84e7  cri-o-1.26.4.tar.gz
+27fb79141dd60c1744df8761a4d43603256f7f06e32d2f9c76be62b95dcf62924c7501d0461efabb013ae397c16030b6a2b037eeaae7a5daec7c28943f71bc7e  cri-o-1.27.1.tar.gz
 1f60719677295c9c5c615eb25d9159bde0af68a132eee67747f57fe76642d457c98c896c6189f85637d7b4ac24ba55fd9eaeb1699f43c3c5077b645f72a479fb  crio.conf
-cfc4c144931400023e6642fa0b9880f0e3c09c187542905ca56044cedafb5e1f1d49708e4352233abee4e02181155c02fc9688bf93202fc8d80dfc1ffc90699b  crio.initd
+e9149cc2ddd24328c5290d3aea895c01e2798e066897535384f615a556496acdd52a603a0f4ac3c4c70bd5c363592f23c8b4d1987bf738300112fc62e1def555  crio.initd
 1115228546a696eeebeb6d4b3e5c3152af0c99a2559097fc5829d8b416d979c457b4b1789e0120054babf57f585d3f63cbe49949d40417ae7aab613184bf4516  crio.logrotated
 0a567dfa431ab1e53f2a351689be8d588a60cc5fcdbda403ec4f8b6ab9b1c18ad425f6c47f9a5ab1491e3a61a269dc4efa6a59e91e7521fa2b6bb165074aa8e0  cni-plugins-path.patch
 f9577aa7b1c90c6809010e9e406e65092251b6e82f6a0adbc3633290aa35f2a21895e1a8b6ba4b6375dcad3e02629b49a34ab16387e1c36eeb32c8f4dac74706  makefile-fix-install.patch
--- a/kubezero/cri-o/crio.initd
+++ b/kubezero/cri-o/crio.initd
@ -16,6 +16,7 @@ start_stop_daemon_args="-N 1 \

 depend() {
 	need net
+	use dns
 }

 checkconfig() {
--- a/kubezero/cri-tools/APKBUILD
+++ b/kubezero/cri-tools/APKBUILD
@ -1,11 +1,11 @@
 # Contributor: Francesco Colista <fcolista@alpinelinux.org>
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=cri-tools
-pkgver=1.26.1
-pkgrel=1
+pkgver=1.27.1
+pkgrel=0
 pkgdesc="CLI tool for Kubelet Container Runtime Interface (CRI)"
 url="https://github.com/kubernetes-sigs/cri-tools"
-arch="x86_64 aarch64 ppc64le s390x armv7 x86"
+arch="all !armhf"
 license="Apache-2.0"
 makedepends="go"
 options="!check" # no check available
@ -27,5 +27,5 @@ package() {
 }

 sha512sums="
-1900b5d22a20ab1f01c13832be4dcf1e9845b64afb3cdcb6169752bbb20a6e69dcbb6ccc8d31b9d4bf091bf81aa04b9979544586763ea985499f229e7ab2a39d  cri-tools-1.26.1.tar.gz
+7e4349fa9a0a16d27fbde363a26978fe6e65a326d29b344f13cd2b43009f12f8cdf14fd9557ac29beb913d4258160e0fa4108d40378dd1216ff631922e40392e  cri-tools-1.27.1.tar.gz
 "
--- a/kubezero/ecr-credential-provider/APKBUILD
+++ b/kubezero/ecr-credential-provider/APKBUILD
@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=ecr-credential-provider
-pkgver=1.26.1
+pkgver=1.27.1
 pkgrel=0
 pkgdesc="AWS Kubernetes ecr-credential-provider"
 url="https://github.com/kubernetes/cloud-provider-aws"
@ -24,5 +24,5 @@ package() {
 }

 sha512sums="
-59ec934a93b94290b0dce830a53301957842d8d45118471bb6eaa142b06dc37ed7f32e4c4a83f1f5341b0dda6745cfa7d8ebbac6d31378e3288857808f2aef71  ecr-credential-provider-1.26.1.tar.gz
+d7a28f4fb3cb2a1e7ee8d94405e3268608562af0ac509b51c32fcca19353eb68c87b023bd7dae1e84a76d9e856e4951cbc8a2260bab358d1eb492e47caedd29d  ecr-credential-provider-1.27.1.tar.gz
 "
--- a/kubezero/falco-kernel/APKBUILD
+++ b/kubezero/falco-kernel/APKBUILD
@ -1,13 +1,16 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
-pkgname=falco-kernel
-pkgver=0.36.2
+_flavor=lts
+_extra_flavors=virt
+
+pkgver=0.37.1
 pkgrel=0
+pkgname=falco-kernel-$_flavor
 pkgdesc="Falco kernel module"
 url="https://github.com/falcosecurity/falco"
 arch="x86_64 aarch64"
 license="AGPL-3.0"
-makedepends="cmake linux-virt-dev linux-headers"
+makedepends="cmake linux-$_flavor-dev linux-headers"
             # protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev jsoncpp-dev re2-dev"
             # perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev"
 options="!check"
@ -17,34 +20,52 @@ source="
  "
 builddir="$srcdir/falco-$pkgver"

-prepare() {
-  [[ -d build ]] || mkdir build
-}
+for f in $_extra_flavors; do
+        makedepends="$makedepends linux-$f-dev"
+        subpackages="$subpackages falco-kernel-$f:_extra"
+done

 build() {
-  # Hack running the build inside a container other uname -r returns host kernel
-  KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
+  for flavor in $_flavor $_extra_flavors; do
+    mkdir -p $srcdir/falco-$pkgver/build-$flavor

-  cd build
-  cmake .. \
-    -DCMAKE_BUILD_TYPE=Release \
-    -DFALCO_VERSION=$pkgver \
-    -DCMAKE_INSTALL_PREFIX=/usr \
-    -DUSE_BUNDLED_DEPS=On \
-    -DMUSL_OPTIMIZED_BUILD=On
+    # Hack running the build inside a container other uname -r returns host kernel
+    KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-"$flavor"))

-  KERNELDIR=/lib/modules/$KERNEL_VERSION/build make driver
+    cd $srcdir/falco-$pkgver/build-$flavor
+    cmake .. \
+      -DCMAKE_BUILD_TYPE=Release \
+      -DFALCO_VERSION=$pkgver \
+      -DCMAKE_INSTALL_PREFIX=/usr \
+      -DUSE_BUNDLED_DEPS=On \
+      -DMUSL_OPTIMIZED_BUILD=On
+
+    KERNELDIR=/lib/modules/$KERNEL_VERSION/build make driver
+  done
+}
+
+_package() {
+  local flavor=$1
+  local _out=$2
+
+  KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-"$flavor"))
+  depends="linux-$flavor~$(echo $KERNEL_VERSION | sed -e 's/-.*$//')"
+
+  cd $srcdir/falco-$pkgver/build-$flavor
+  mkdir -p "$_out"/lib/modules/$KERNEL_VERSION/kernel
+  gzip -9 -c driver/falco.ko > "$_out"/lib/modules/$KERNEL_VERSION/kernel/falco.ko.gz 
 }

 package() {
-  KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
-  depends="linux-virt~$(echo $KERNEL_VERSION | sed -e 's/-.*$//')"
+  _package $_flavor $pkgdir
+}

-  cd $srcdir/falco-$pkgver/build
-  mkdir -p "$pkgdir"/lib/modules/$KERNEL_VERSION/kernel
-  gzip -9 -c driver/falco.ko > "$pkgdir"/lib/modules/$KERNEL_VERSION/kernel/falco.ko.gz 
+_extra() {
+  flavor=${subpkgname##*-}
+
+  _package $flavor $subpkgdir
 }

 sha512sums="
-dc648d9b0a625a02320ff0235bbf4f4940e7ba40c684a8a1f972d34f0a3447b4a34e665d7fbc0ee1ec9a014f65f81a304dc76b4ec804fc7b4e448f330b9474af  falco-0.35.1.tar.gz
+257d526c4d3eadbe2c79852221fdb8076f94e421aa66753628770ae7384137b4672064cbe1ba0a4d88d14e8a7d08e2521d5bd82a312c4b1442d8ea6fbbbb2f28  falco-0.37.1.tar.gz
 "
--- a/kubezero/falco/APKBUILD
+++ b/kubezero/falco/APKBUILD
@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=falco
-pkgver=0.36.2
+pkgver=0.37.1
 pkgrel=0
 pkgdesc="Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud"
 url="https://github.com/falcosecurity/falco"
@ -11,10 +11,16 @@ makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-st
             musl-fts-dev
             musl-libintl
             musl-legacy-error
-             musl-obstack-dev
-            "
+             musl-obstack-dev "
+#            protobuf-dev
+#            c-ares-dev
+#            openssl-dev
+#            curl-dev
+#            grpc-dev
+#            yaml-cpp-dev
+#           "
 options="!check"
-depends="falco-kernel~$pkgver"
+#depends="falco-kernel~$pkgver"

 # Original config
 # https://raw.githubusercontent.com/falcosecurity/rules/main/rules/falco_rules.yaml
@ -40,13 +46,15 @@ build() {
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DFALCO_ETC_DIR=/etc/falco \
    -DUSE_BUNDLED_DEPS=On \
+    -DMINIMAL_BUILD=On \
+    -DUSE_DYNAMIC_LIBELF=Off \
    -DMUSL_OPTIMIZED_BUILD=On \
    -DBUILD_DRIVER=Off \
    -DBUILD_BPF=Off \
    -DBUILD_LIBSCAP_MODERN_BPF=Off \
    ..

-  make falco
+  make falco || bash
 }

 package() {
@ -65,7 +73,7 @@ package() {
 }

 sha512sums="
-a3fef235ab4f3121bd0400827712652530ec417498c44ada8b6bf565f7631d035673b53dad94ea6ae9c854d45202ed71b2771f19e0c92eea3fc3503e5b75b02e  falco-0.36.2.tar.gz
+257d526c4d3eadbe2c79852221fdb8076f94e421aa66753628770ae7384137b4672064cbe1ba0a4d88d14e8a7d08e2521d5bd82a312c4b1442d8ea6fbbbb2f28  falco-0.37.1.tar.gz
 b152fcf6cd81895efa37797ab7ff1aac7350b5f51f2648aa9e3cce9d5ece55791ddf82c396e9da216293e2379a785a294cc972f28a91162dc5bc88ab09e1ab08  falco.patch
 487b8b64d2399fd7b706be29e3722983bcdfde3ab5cf0f78b2e9fe1055a4ad958976f591e739491e25a06d7cdf6894c1e153e892a87b83c7a962e23c9a104528  rules.patch
 "
--- a/kubezero/fluent-bit/APKBUILD
+++ b/kubezero/fluent-bit/APKBUILD
@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=fluent-bit
-pkgver=2.1.10
+pkgver=2.2.2
 pkgrel=0
 pkgdesc="Fast and Lightweight Log processor and forwarder"
 url="https://fluentbit.io/"
@ -101,9 +101,9 @@ package() {
 }

 sha512sums="
-55caefa81cdeaf293b727829383c6eaa75bc2f8b8c61ebe15e1478c66033921fde6e50c39fc8c39a7d2d93d03892f709daf4d1b6caacf586133de5268de10299  fluent-bit-2.1.10.tar.gz
+681c1db0256d0b50d986194597b700f790726a1394b3ad92c92a26c95d04bf2b65203e94ef2aeb0f0b3403870748ec0ebbec2cd49548857fbadc5c745581452f  fluent-bit-2.2.2.tar.gz
 f6431397c80a036980b5377b51e38aec25dfceeb8dbe4cd54dce1f6e77d669d9f8daf983fcc96d25332385888f1809ced5e8ab0e8ccfcd93d19494036e3dc949  fluent-bit.confd
-e17bad6abd597da620fdb930e3f18612a828dd956abf87ce850e2660b83db4d9ab7d373ab3a9bf1d07f605b5077998234ce4774007c0197cfbfdad465ca6b47a  fluent-bit.initd
+8ba6c8e84dee90176f9b4375fb2c6444fa5d32fa601d9bcf3ea7960fec87f1ef664f175caf08bd0b052843e971efdbf08e2a5cd180ad9a8f23ff2c5cb233814f  fluent-bit.initd
 6bd7d8b4da93a17f29b6ea1e0286ea226d0e376024284741110936779b3229bd8d6cd03ffbdc5d3b4842294e7f32a888de0dd16b0851b65d91b062ca58530ea0  chunkio-static-lib-fts.patch
 e3308a8377fb8ba496415b7a31e9e022e5aa9965d27a0c33ea5166a29049b72cb364bbcdf9d8611ef3407b0968f9bd4adff12cdb39728bbebd382710e5bc75d0  exclude-luajit.patch
 d61f30344af997f126486fa5b34cd3fbfe88bfc9aea394a8c60d0206f4db8db998eadf637a3a581b89512411c1e7980c414e236e455d5e2b889d20a556ee6577  xsi-strerror.patch
--- a/kubezero/fluent-bit/fluent-bit.initd
+++ b/kubezero/fluent-bit/fluent-bit.initd
@ -7,5 +7,5 @@ command_args="$fluentbit_opts"

 depend() {
 	need net
-	after firewall cloudbender
+	after firewall
 }
--- a/kubezero/kubernetes/APKBUILD
+++ b/kubezero/kubernetes/APKBUILD
@ -5,12 +5,11 @@
 # Contributor: Dave <dj.2dixx@gmail.com>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=kubernetes
-pkgver=1.26.8
+pkgver=1.27.8
 pkgrel=0
 pkgdesc="Container Cluster Manager"
 url="https://kubernetes.io/"
-# ppc64le: failed to build
-arch="x86_64 aarch64 armv7 x86"
+arch="all !armhf !riscv64"
 license="Apache-2.0"
 options="!check chmod-clean net" # Tests hang

@ -72,18 +71,16 @@ _services="kube-apiserver kube-controller-manager kube-proxy kube-scheduler"
 export GOCACHE="${GOCACHE:-"$srcdir/go-cache"}"
 export GOTMPDIR="${GOTMPDIR:-"$srcdir"}"
 export GOMODCACHE="${GOMODCACHE:-"$srcdir/go"}"
-export FORCE_HOST_GO="y"

 build() {
-	hack/update-codegen.sh
 	for _pkgs in $_agent $_cli $_services ; do
-		make -j1 GOFLAGS="-buildmode=pie -v -tags=providerless" GOLDFLAGS="-extldflags=-static" WHAT=cmd/$_pkgs
+		make -j1 GOFLAGS="$GOFLAGS -buildmode=pie -v -tags=providerless" GOLDFLAGS="-extldflags=-static" WHAT=cmd/$_pkgs
 	done
 }

 package() {
 	for bin in $_agent $_cli $_services; do
-		install -Dm755 _output/local/bin/linux/*/$bin "$pkgdir"/usr/bin/$bin
+		install -Dm755 _output/local/go/bin/$bin "$pkgdir"/usr/bin/$bin
 	done
 	mkdir -p "$pkgdir"/etc/kubernetes
 }
@ -208,7 +205,7 @@ _do_zshcomp() {
 }

 sha512sums="
-38649d4c8a85e236a8ceffe5bba5146cf1a4eb9191534707dd39443303f99d830e95dc4e9be0febfb2a8bd4d0b57f13b5cb883b51fea57306f1f2ceff2052d69  kubernetes-1.26.8.tar.gz
+ddc14d21ba470d24d115de67cdb801c742f04124101ff0e2741170971fdf6bcf0a75ef82807d63394dd8b06dc186a86cccf93a7aab4f9e49b922b981ce5ed8aa  kubernetes-1.27.8.tar.gz
 5427c2e653504cfd5b0bcaf195d4734ee40947ddfebc9f155cd96dddccfc27692c29d94af4ac99f1018925b52995c593b584c5d7a82df2f185ebce1a9e463c40  make-e2e_node-run-over-distro-bins.patch
 94d07edfe7ca52b12e85dd9e29f4c9edcd144abc8d120fb71e2a0507f064afd4bac5dde30da7673a35bdd842b79a4770a03a1f3946bfae361c01dd4dc4903c64  make-test-cmd-run-over-hyperkube-based-kubectl.patch
 e690daff2adb1013c92124f32e71f8ed9a18c611ae6ae5fcb5ce9674768dbf9d911a05d7e4028488cda886e63b82e8ac0606d14389a05844c1b5538a33dd09d1  kube-apiserver.initd
@ -223,7 +220,7 @@ d7e022ee22da191bda7382f87cb293d9c9d115a3df0c2054bf918279eb866f99c6d5c21e4c98eae8
 561bef5633ba4b9021720624443d9c279a561e5fabea76e5d0fbee2e7ad8999029a2511a45895fbec8448026212a3c5b4c197b248a6afa7f8bd945f705524ea7  kube-scheduler.initd
 af88b382ab75657d0ff13c3f8f6d924cef9f2df7807a9a27daa63495981801bc4b607998f65c0758c11a7e070e43c24f7184ba7720711109c74b1c4d57919e34  kube-scheduler.confd
 3692da349dd6ed0f5acc09d7b95ac562ffecb103e2270bebdfe4a7808d48dada9d2debff262d85b11c47f9ca3f0c20000712d03629ed813ff08a3e02d69267e6  kube-scheduler.logrotated
-7cb03bde52820c3ce8b10df1a16cf0b46b39d185e01b4d312400f70bba5875992ec71166539d3820cf59ddbabeb48dec7ae8185820646fae3f851c4cd144fe69  kubelet.initd
+372cdf2fbb24a229ed7b3450b54197c006928cb8d2fd756f2713e1e6961849c7aaa35b20b14fb75d1a12ef1e35258048738aa22b5f9783af8fa0a31dfd1b5bbd  kubelet.initd
 44eb973de8ee8e0c5a77d76ab0e105fe0ae892be1ff86c238a5449b43f83cab6f844575b6c3218f08c5ff077e9f828f5aef72425c1d77546cce2e0136e8a8da8  kubelet.confd
 941f4a7579dcf78da2d323ac69195e95eba6600e6fcefe9231447f11c9867a7aa57b4189ee1fefb10eab19c89665ea2e7696b539c92e99fbcde905d2ff85be58  kubelet.logrotated
 "
--- a/kubezero/kubernetes/kubelet.initd
+++ b/kubezero/kubernetes/kubelet.initd
@ -24,5 +24,6 @@ pidfile="${KUBELET_PIDFILE:-/run/${RC_SVCNAME}.pid}"

 depend() {
 	after net cloudbender
-	need cgroups crio
+	need cgroups
+	want containerd crio
 }
--- a/kubezero/kubezero/APKBUILD
+++ b/kubezero/kubezero/APKBUILD
@ -1,11 +1,11 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=kubezero
-pkgver=1.26
+pkgver=1.27
 pkgrel=0
 pkgdesc="KubeZero release package"
 url="https://git.zero-downtime.net/ZeroDownTime/alpine-overlay/src/branch/master/kubezero/kubezero"
-arch="noarch"
+arch="x86_64"
 license="AGPL-3.0"
 depends="
        podman
@ -15,7 +15,7 @@ depends="
        kubelet~$pkgver
        kubectl~$pkgver
        ecr-credential-provider~$pkgver
-        aws-iam-authenticator~0.6.10
+        aws-iam-authenticator~0.6.11
        "
 options="!check"
 #install="$pkgname.post-install"
@ -24,20 +24,26 @@ subpackages="
        $pkgname-imagecache
        "

+IMAGES="
+       quay.io/cilium/cilium:v1.14.4
+       ghcr.io/k8snetworkplumbingwg/multus-cni:v3.9.3
+       "
+
+#multus_version="4.0.2"
+
 source="
       shared-sys-fs.start
       evictLocalNode.sh
       credential-provider.yaml
       kubelet.monit
+       crio.monit
       crio.conf
       "
+       #multus-"$multus_version".tar.gz::https://github.com/k8snetworkplumbingwg/multus-cni/releases/download/v"$multus_version"/multus-cni_"$multus_version"_linux_amd64.tar.gz

-IMAGES="
-       quay.io/cilium/cilium:v1.13.5
-       ghcr.io/k8snetworkplumbingwg/multus-cni:v3.9.3
-       "
-
+# get multus and cilium binaries and drop them in /usr/libexec/cni
 build() {
+  # pre loaded images
  for i in $IMAGES; do
    IMAGE_NAME=$(echo $i | sed -e 's/.*\///' -e 's/:.*//')
    podman --storage-driver vfs pull $i
@ -52,10 +58,15 @@ package() {
  mkdir -p $pkgdir/etc/kubernetes/manifests
  install -Dm644 "$srcdir"/credential-provider.yaml "$pkgdir/etc/kubernetes/credential-provider.yaml"

-  install -Dm644 "$srcdir"/kubelet.monit "$pkgdir/etc/monit.d/kubelet.conf"
-
  # crio settings
  install -Dm644 "$srcdir"/crio.conf "$pkgdir/etc/crio/crio.conf.d/01-kubezero.conf"
+
+  # monit
+  install -Dm644 "$srcdir"/kubelet.monit "$pkgdir/etc/monit.d/kubelet.conf"
+  install -Dm644 "$srcdir"/crio.monit "$pkgdir/etc/monit.d/crio.conf"
+
+  # multus
+  #install -Dm755 "$srcdir"/multus-cni_"$multus_version"_linux_amd64/multus $pkgdir/usr/libexec/cni/multus
 }

 # Preload container images all nodes need to speed up boot time and reduce data transfer
@ -71,7 +82,8 @@ imagecache() {
 sha512sums="
 ecb33fc3a0ffc378723624858002f9f5e180e851b55b98ab6611ecc6a73d4719bc7de240f87683fc58de8bf577059e6f19b417655b5301ef8c32deff67a29dff  shared-sys-fs.start
 fce1013f7b1bfa8ee526de62e642a37fda3168889723e873d3fb69e257f4caa1423b5a14b9343b12a87f3b6f93c7d3861b854efda67ef2d6a42a5ca8cf3d1593  evictLocalNode.sh
-716ec3404d7016bce57d663f750a18db3ede07c1ba7a2908f9f01f41c5ca8fe4e7232ded27bc2bccd705b11ae5cd26574322a8eacefcf8c102bba0f8e4995e59  credential-provider.yaml
+92499ec9a8b3634c42b16c01d27f1c1bb650bcc074a2c8d9d16cfe2ea08942948989c6aae79bd2df562ff17df11bbc329e0971f15c4e64f944457825dee7aa79  credential-provider.yaml
 8b81eb0fb66e6a739965db6af6a31c443e8f612c06146bd51107372abd833b527423299ee11b27e011f46cfbee11415234b3fa0dea695dbbb06711e0ad58f08d  kubelet.monit
+e801df9ede6065395db75154735ca9368882d4225452a33f2b54b98cd0c4f3ceb730762d8745c6aea350a3a50a1df0c79ab46f422f94e9a40e621528e9d82055  crio.monit
 064fc245b7ffd67834a2f5fd13cb0bcb5f4a5caf79b8113b3669bf1d0e1a4af2042e69f8f496991de76d621fd01bc7e67de37c59f034584d12622c6af96376ff  crio.conf
 "
--- a/kubezero/kubezero/credential-provider.yaml
+++ b/kubezero/kubezero/credential-provider.yaml
@ -1,4 +1,4 @@
-apiVersion: kubelet.config.k8s.io/v1alpha1
+apiVersion: kubelet.config.k8s.io/v1
 kind: CredentialProviderConfig
 providers:
  - name: ecr-credential-provider
@ -9,4 +9,4 @@ providers:
      - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
      - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
    defaultCacheDuration: "12h"
-    apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1
+    apiVersion: credentialprovider.kubelet.k8s.io/v1
--- a/kubezero/kubezero/crio.monit
+++ b/kubezero/kubezero/crio.monit
@ -0,0 +1,4 @@
+check process crio pidfile /run/crio.pid
+  start program = "/sbin/rc-service crio start"
+  stop program  = "/sbin/rc-service crio stop"
+  restart program = "/sbin/rc-service crio restart"
--- a/kubezero/zdt-base/APKBUILD
+++ b/kubezero/zdt-base/APKBUILD
@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=zdt-base
-pkgver=0.3.18
+pkgver=0.3.19
 pkgrel=0
 pkgdesc="ZeroDownTime Alpine additions and customizations"
 url="https://git.zero-downtime.net/ZeroDownTime/alpine-overlay/src/branch/master/kubezero/zdt-base"
@ -31,6 +31,7 @@ source="
        route53.py
        get_iam_sshkeys.py
        uniq_hostname.py
+        write_parameters.py
        "

 build() {
@ -83,19 +84,20 @@ aws() {
  install -Dm755 "$srcdir"/route53.py "$subpkgdir"/usr/sbin/route53.py
  install -Dm755 "$srcdir"/uniq_hostname.py "$subpkgdir"/usr/sbin/uniq_hostname.py
  install -Dm755 "$srcdir"/get_iam_sshkeys.py "$subpkgdir"/usr/sbin/get_iam_sshkeys.py
+  install -Dm755 "$srcdir"/write_parameters.py "$subpkgdir"/usr/sbin/write_parameters.py

  # Cloudbender SNS integration
  install -Dm755 "$srcdir"/monit_alert.sh.aws "$pkgdir"/usr/bin/monit_alert.sh
 }

 sha512sums="
-a870cc7657757770fb573a0fb5df61887d1b9d2a6a57b3ee8be93a7dfb34df6a1d489cd5572ab273dfe896b97faad7e7479571f993a3e13cfefe24c4720bcbf4  common.sh
+2ddef702aae2783335c8b2836daa00a279d253c33b27170a0979d283d06d7ac666750fa026d2d2eed5759e7d6fd54ea898971fabe1e343ee1d09ffed42cf6355  common.sh
 7f6a69a77d6a4a3c34928609108b7939cd43a892d72fb14bebc1d935cd66eda3bd625d15eebb4d6026715b36b12919fcaf863ed5f65ffdc0e2de9fc1b969cb3e  boot.sh
-ee19dcc0b46bdff8581c2661cda69fd8a3fa2de4dd30d96a4ce438b2536043a9f0bc57a6b0d4056e2715a2663a89bc1b07ec33798d5430a2046a65069a327cda  cloudbender-early.init
-df610d896c6b2821925df8d65ab44a0008b31e5b738172076234ae7645e8ef7e25d710c43f9b3999fb3f0303ccd81b57327c2e7694e1fc3f790abdbc77e0a097  cloudbender.init
-b9479835d8667fa99f8b1b140f969f0464a9bb3c60c7d19b57e306cfe82357d453932791e446caded71fddd379161ae8328367f1ee75ae3afc1b85e12294b621  zdt-sysctl.conf
+eb7d5b6f92f500dbaba04a915cdd8d66e90456ca86bed86b3a9243f0c25577a9aa42c2ba28c3cad9dda6e6f2d14363411d78eff35656c7c60a6a8646f43dcba5  cloudbender-early.init
+336a211e6708432f185c911d0c990209c5af79f289d5cc331e0542e258e0309616e1386efd660d5439928562feaf3559970f66e950f9ce6e5aaf20c334596143  cloudbender.init
+06102e56c847637f705d0b29b05b07fbbb2bda9ba69f0a7fe1d716126d3b1c7922fb0df159199809908fa0dc143209775edb1dd5976faa84244dbcaa45f00364  zdt-sysctl.conf
 76e6a4f309f31bfa07de2d3b1faebe5670722752e18157b69d6e868cbe9e85eda393aed0728b0347a01a810eee442844c78259f86ff71e3136a013f4cbfaaea4  ps_mem.py
-5376f4bf8356ce9249c45e78085073245181e8742c7b4be47c71dcd97a611ae125a7dfd3060502bdd591560af070334f89fe60dbc09c008926149c538ab0560a  syslog-ng.conf
+44b2dcf90709a51e4d804d4bb22eb866aa678089647b33b253a48fe29861e4ae85312b23f8a7ab8a20ed184bd6f341e9b919f3d1586f1c0d9c350b8206b29e04  syslog-ng.conf
 484bdcf001b71ce5feed26935db437c613c059790b99f3f5a3e788b129f3e22ba096843585309993446a88c0ab5d60fd0fa530ef3cfb6de1fd34ffc828172329  syslog-ng.logrotate.conf
 e86eed7dd2f4507b04050b869927b471e8de26bc7d97e7064850478323380a0580a92de302509901ea531d6e3fa79afcbf24997ef13cd0496bb3ee719ad674ee  syslog-ng.apparmor
 f8c052c7ec12c71937c7b8bc05d8374c588f345e303b30eda9c8612dff8f8f34a87a433648a3e9b85b278196ece198533b29680a303ff6478171d43f8e095189  dhcpcd-mtu.hook
@ -107,4 +109,5 @@ c3e72cd92936b03f2b9eab5e97e9a12fcddcdf2c943342e42e7702e2d2407e00859c62dc9b4de337
 816049360aa442f9e9aa4d6525795913cfe3dc7c6c14dc4ccad59c0880500f9d42f198edc442fe036bc84ba2690d9c5bc8ae622341d8276b3f14947db6b879b1  route53.py
 7da28446762a36a6737c5b30becbce78775bd943b4d0c5ef938a50f49b4f51f66708434aa79004c19d16c56c83f54c8d6d68e1502ebc250c73f8aae12bed83c0  get_iam_sshkeys.py
 ae1941fc45e61fa8d211f5ef7eff2dd01510a6d364c4302cab267812321a10e7434ecc8d8c9263d8671ce5604d04d6531601bf42886a55fb6aec7f321651e1dc  uniq_hostname.py
+ee4264337d86ad99ba6cf9ec3017986c804ac208c0beb5fc8651345bd277bb6de03e7c3a8c1b751767647be48f9d45ac47a7d14cf040d9c827780984394e826d  write_parameters.py
 "
--- a/kubezero/zdt-base/cloudbender-early.init
+++ b/kubezero/zdt-base/cloudbender-early.init
@ -1,7 +1,8 @@
 #!/sbin/openrc-run
 # vim:set ts=8 noet ft=sh:

-description="CloudBender early tasks (no network / metadata available yet)"
+# no network / metadata available yet
+description="CloudBender early tasks"

 depend() {
  need fsck root
--- a/kubezero/zdt-base/cloudbender.init
+++ b/kubezero/zdt-base/cloudbender.init
@ -13,6 +13,8 @@ depend() {
 start() {
  source /usr/lib/cloudbender/common.sh

+  ebegin "CloudBender"
+
  get_meta_data
  import_meta_data

@ -34,6 +36,7 @@ start() {

  register_service_dns

+  is_enabled $PROMETHEUS_ENABLED && setup_prometheus $PROMETHEUS_ALLOW
  is_enabled $LOGGING_ENABLED && setup_fluentbit $LOGGING_HOST

  # cleanup previous reboot logs
@ -50,7 +53,7 @@ stop() {

  unmount_volumes "$VOLUMES"

-  [ -n "$DEBUG" ] && [ -r /tmp/shutdown.log ] && SHUTDOWNLOG="$(cat /tmp/shutdown.log)"
+  is_enabled $ZDT_CLOUDBENDER_DEBUG && [ -r /tmp/shutdown.log ] && SHUTDOWNLOG="$(cat /tmp/shutdown.log)"

  [ -n "$RC_REBOOT" ] && ACTION="rebooting" || ACTION="terminated"
  [ -z "$DISABLE_SCALING_EVENTS" ] && /var/lib/cloud/sns_alarm.sh "Instance $ACTION" "" Info "$SHUTDOWNLOG"
--- a/kubezero/zdt-base/common.sh
+++ b/kubezero/zdt-base/common.sh
@ -10,6 +10,17 @@ _imds() {
        "http://$IMDS_ENDPOINT/$IMDS_URI/$1$IMDS_QUERY"
 }

+# boolean flags
+is_enabled() {
+  local flag=$(echo "$1" | tr '[:upper:]' '[:lower:]')
+
+  [ "$flag" == 1 -o "$flag" == "true" ] && return 0
+  [ "$flag" == 0 -o "$flag" == "false" -o "$flag" == "none" -o -z "$flag" ] && return 1
+
+  log -t user-data warn "Unknown value for boolean option: $flag - assuming False"
+  return 1
+}
+
 # Todo: This should go into a yaml file
 query_imds() {
  MAC=$(_imds meta-data/mac)
@ -71,12 +82,8 @@ import_meta_data() {
  export AWS_DEFAULT_REGION=$REGION
  export AWS_DEFAULT_OUTPUT=text

-  # some basic logic
-  if [ "$DEBUG" == "None" -o "$DEBUG" == "False" ]; then
-    unset DEBUG
-
-    LAUNCH_HOOK="CloudBenderLaunchHook"
-  fi
+  # Enabled LaunchHooks if not DEBUG
+  is_enabled $ZDT_CLOUDBENDER_DEBUG || LAUNCH_HOOK="CloudBenderLaunchHook"

  # Workaround for current CFN ASG_<parameter> hack
  _key=$(echo $AWS_CLOUDFORMATION_LOGICAL_ID | tr '[:lower:]' '[:upper:]') 
@ -102,14 +109,14 @@ setup_instance() {

  add_once /etc/hosts "${IP_ADDRESS} ${_META_HOSTNAME} ${HOSTNAME}"

-  # Set system wide default region for boto3
-  echo "export AWS_DEFAULT_REGION=$REGION" > /etc/profile.d/aws.sh
-
  # workaround for dhcpcd / openresolv to omit search domain if equal to domain breaking DNS resolution of shortnames for eg. etcd and kube-apiserver
  add_once /etc/resolv.conf "search $DOMAIN_NAME"

  case "$CLOUD" in
    aws)
+      # Set system wide default region for boto3
+      echo "export AWS_DEFAULT_REGION=$REGION" > /etc/profile.d/aws.sh
+
      setup_sns_alarms
      ;;
    *)
@ -139,7 +146,7 @@ configure_sshd() {
        sed -i -e 's,^[\s#]*AuthorizedKeysCommand\s.*,AuthorizedKeysCommand /usr/sbin/get_iam_sshkeys.py --user %u --group '$group' --iamRole "'$role'",' /etc/ssh/sshd_config
        sed -i -e 's,^[\s#]*AuthorizedKeysCommandUser\s.*,AuthorizedKeysCommandUser nobody,' /etc/ssh/sshd_config

-        ebegin "added $group to SSH admin keys"
+        einfo "added $group to SSH admin keys"
      fi
      ;;
    *)
@ -294,7 +301,7 @@ mount_volumes() {
    mkdir -p $volPath
    mount -t xfs -o noatime $volDevice $volPath

-    ebegin "mounting $volDevice at $volPath"
+    einfo "mounting $volDevice at $volPath"
  done
 }

@ -311,17 +318,6 @@ unmount_volumes() {
 # msg used for sns event, last one wins
 msg() { MSG="$@"; log -t user-data info "$@"; }

-# boolean flags
-is_enabled() {
-  local flag=$(echo "$1" | tr '[:upper:]' '[:lower:]')
-
-  [ "$flag" == 1 -o "$flag" == "true" ] && return 0
-  [ "$flag" == 0 -o "$flag" == "false" -o -z "$flag" ] && return 1
-
-  log -t user-data warn "Unknown value for boolean option: $flag - assuming False"
-  return 1
-}
-
 # Generic retry command wrapper, incl. timeout of 30s
 # $1 = number of tries; 0 = forever
 # $2 = number of seconds to sleep between tries
@ -373,6 +369,29 @@ asg_heartbeat() {
  [ -n "$LAUNCH_HOOK" ] && aws autoscaling record-lifecycle-action-heartbeat --instance-id $INSTANCE_ID --lifecycle-hook-name $LAUNCH_HOOK --auto-scaling-group-name $AWS_AUTOSCALING_GROUPNAME || true
 }

+# upload various useful logs to s3 if configured
+upload_debug_logs(){
+  [ -z $ZDT_CLOUDBENDER_DEBUG_REMOTELOGS ] && return 0
+
+  local s3Url="$ZDT_CLOUDBENDER_DEBUG_REMOTELOGS/$INSTANCE_ID/$(date +'%Y%m%d-%H%M%Z')"
+  local _tmp=$(mktemp -d)
+
+  ps -ef > ${_tmp}/process.list
+  cp /var/log/messages \
+     /var/log/rc.log \
+     /var/log/user-data.log \
+     /etc/cloudbender.conf \
+     /var/lib/cloud/meta-data \
+     /var/log/kubelet/kubelet.log \
+     /var/log/crio/crio.log \
+     $_tmp
+
+  tar cfz /tmp/debuglogs.tgz -C $_tmp .
+  aws s3 cp /tmp/debuglogs.tgz $s3Url/debuglogs.tgz
+
+  return 0
+}
+
 setup_sns_alarms() {
  # store SNS message json template
  cat <<EOF > /var/lib/cloud/sns_alarm.json
@ -434,7 +453,7 @@ exit_trap() {
        MSG="$ERR_CMD"
      fi

-      if [ -n "$DEBUG" ]; then
+      if [ -n "$ZDT_CLOUDBENDER_DEBUG" ]; then
        SUBJECT="$SUBJECT Instance kept running for debug."
      else
        SUBJECT="$SUBJECT Instance terminated by ASG lifecycle hook."
@ -462,8 +481,10 @@ exit_trap() {
  end_uptime=$(awk '{print $1}' < /proc/uptime)
  log -t user-data info "Exiting user-data. Duration: $(echo "$end_uptime-$start_uptime" | bc) seconds"

-  # Shutdown / poweroff if we ran into error and not DEBUG
-  [ $ERR_CODE -ne 0 -a -z "$DEBUG" ] && poweroff
+  # if we ran into error, either upload debug files or poweroff
+  if [ $ERR_CODE -ne 0 ]; then
+    is_enabled $ZDT_CLOUDBENDER_DEBUG && upload_debug_logs || poweroff
+  fi

  exit 0
 }
@ -575,6 +596,8 @@ EOF

    # Short cut our public IP to private one to allow talking to our own service name
    add_once /etc/hosts "${IP_ADDRESS} ${SERVICENAME}.${DNSZONE}"
+
+    log -t user-data info "Registered $_IP with ${SERVICENAME}.$DNSZONE"
  fi
 }

@ -646,17 +669,17 @@ register_routes() {
 }


-setup_nat() {
-  local mode=$1
+setup_prometheus() {
+  rc-update add node-exporter default
+  rc-service node-exporter start

-  # Masquerade all outgoing traffic
-  iptables -t nat -A POSTROUTING -o $DEFAULT_GW_INTERFACE -s ${VPC_CIDR_RANGE} -j MASQUERADE
+  log -t user-data info "Enabled and started Prometheus node-exporter"
 }


 setup_fluentbit() {
  local key="cloudbender"
-  local host="$1"
+  local host="${1:-fluentd}"

  if [[ "$host" =~ "@" ]]; then
    key=${host%%@*}
@ -693,4 +716,9 @@ EOF

  ## TODO:
  # Add parameter parsing for custom logfile tailing
+
+  rc-update add fluent-bit default
+  rc-service fluent-bit start
+
+  log -t user-data info "Enabled and started fluent-bit logging agent sending logs to $host"
 }
--- a/kubezero/zdt-base/syslog-ng.conf
+++ b/kubezero/zdt-base/syslog-ng.conf
@ -1,7 +1,7 @@
 # syslog-ng, format all json into messages
 # https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.23/administration-guide/63#TOPIC-1268643

-@version: 4.1
+@version: 4.5
@include "scl.conf"

 options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
@ -15,8 +15,9 @@ destination d_mesg { file("/var/log/messages" template("$(format-json time=\"$UN

 # filter ipvs loggging each SYN to closed port
 # IPVS: rr: TCP 10.52.82.199:31021 - no destination available
-filter f_drop_ipvs { not (facility(kern) and match("IPVS: rr:.*no destination available" value("MESSAGE"))); };
+# filter f_drop_ipvs { not (facility(kern) and match("IPVS: rr:.*no destination available" value("MESSAGE"))); };
 # "message":"net_ratelimit: 16 callbacks suppressed"
-filter f_drop_ipvs_ratelimit { not (facility(kern) and match("net_ratelimit:.*callbacks suppressed" value("MESSAGE"))); };
+# filter f_drop_ipvs_ratelimit { not (facility(kern) and match("net_ratelimit:.*callbacks suppressed" value("MESSAGE"))); };
+# log { source(s_sys); filter(f_drop_ipvs); filter(f_drop_ipvs_ratelimit); destination(d_mesg); };

-log { source(s_sys); filter(f_drop_ipvs); filter(f_drop_ipvs_ratelimit); destination(d_mesg); };
+log { source(s_sys); destination(d_mesg); };
--- a/kubezero/zdt-base/write_parameters.py
+++ b/kubezero/zdt-base/write_parameters.py
@ -0,0 +1,63 @@
+#!/usr/bin/python3
+import os
+import boto3
+import argparse
+
+parser = argparse.ArgumentParser(
+    description="Get SSM parameters beyond <path> and write to files")
+parser.add_argument(
+    "--path",
+    dest="path",
+    action="store",
+    required=True,
+    help="SSM parameter path")
+parser.add_argument(
+    "--root",
+    dest="root",
+    action="store",
+    required=True,
+    help="root filesystem path to create files")
+
+args = parser.parse_args()
+
+
+session = boto3.Session()
+awsSSMClient = session.client('ssm')
+
+
+def get_parameters_by_path(nextToken=None):
+    params = {
+        'Path': args.path,
+        'Recursive': True,
+        'WithDecryption': True
+    }
+    if nextToken is not None:
+        params['NextToken'] = nextToken
+    return awsSSMClient.get_parameters_by_path(**params)
+
+
+def getParameters():
+    nextToken = None
+    while True:
+        response = get_parameters_by_path(nextToken)
+        parameters = response['Parameters']
+        if len(parameters) == 0:
+            break
+        for parameter in parameters:
+            yield parameter
+        if 'NextToken' not in response:
+            break
+        nextToken = response['NextToken']
+
+
+for parameter in getParameters():
+    file_name = os.path.join(
+        args.root, parameter["Name"].removeprefix(
+            args.path).lstrip("/"))
+
+    os.makedirs(os.path.dirname(file_name), mode=0o755, exist_ok=True)
+
+    #print(f'{file_name}={parameter["Value"]}')
+
+    with open(file_name, "w") as file:
+        file.write(parameter["Value"])
--- a/kubezero/zdt-base/zdt-sysctl.conf
+++ b/kubezero/zdt-base/zdt-sysctl.conf
@ -13,3 +13,4 @@ net.ipv4.ip_forward_use_pmtu = 0
 kernel.panic = 10
 kernel.panic_on_oops = 1
 vm.oom_dump_tasks = 0
+vm.max_map_count=262144