[kitchen/e2e] update amazon linux 2023 x86_64 #25707

Merged (3 commits) on May 21, 2024

pducolin
Contributor

@pducolin pducolin commented May 17, 2024

What does this PR do?

  • Update Amazon Linux 2023 x86_64 AMI for kitchen and E2E tests with a copy of AMI ami-0bb84b8ffd87024d8, Amazon Linux 2023 x86_64, targeting runc-1.1.11-1.amzn2023.0.1.src.rpm
  • Update Amazon Linux 2023 arm64 AMI for kitchen and E2E tests with a copy of AMI ami-04b395c05193adbbd from al2023-ami-2023.4.20240513.0-kernel-6.1-arm64 targeting runc-1.1.11-1.amzn2023.0.1.src.rpm

Motivation

Previous hosts are affected by https://nvd.nist.gov/vuln/detail/CVE-2024-21626

Incident-27459
Incident-27490

The previous Amazon Linux 2023 x86_64 in use in our e2e tests had a security vulnerability due to the version of runc, installed at docker install within the agent security kitchen tests.

The CVE mentions that the vulnerability is fixed in runc 1.1.12+, but for Amazon Linux 2023 this is fixed in runc-1.1.11-1.amzn2023.0.1+, as mentioned in https://alas.aws.amazon.com/AL2023/ALAS-2024-501.html

Additional Notes

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

  • cd to ~/dd/test-infra-definitions
  • Create a VM using
      inv create-vm -m ami-0a515c154e76934f7 -o amazonlinux --no-install-agent
  • ssh to the VM
  • Run yum info runc and ensure the target package version is runc-1.1.11-1.amzn2023.0.1.src.rpm
  • Destroy the VM with inv destroy-vm -y
  • Create a VM using
      inv create-vm -m ami-064ed2d3fc01d3ec1 -o amazonlinux --no-install-agent
  • ssh to the VM
  • Run yum info runc and ensure the target package version is runc-1.1.11-1.amzn2023.0.1.src.rpm
  • Destroy the VM with inv destroy-vm -y

@pducolin pducolin added changelog/no-changelog qa/no-code-change No code change in Agent code requiring validation labels May 17, 2024
@pducolin pducolin requested review from a team as code owners May 17, 2024 15:29
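
The Motivation above notes that the CVE entry names runc 1.1.12+ as fixed while ALAS-2024-501 names runc-1.1.11-1.amzn2023.0.1+ for Amazon Linux 2023. The following is an added example (not part of this PR or the project's code) of why a version check on these hosts has to compare against the distribution's fixed build rather than the upstream number. The function names are hypothetical, the comparison is a simplified form of rpm's segment ordering, and the sample package strings are constructed.

```python
import re

# Fixed builds quoted in the PR: upstream per the CVE entry, AL2023 per ALAS-2024-501.
UPSTREAM_FIXED = "1.1.12"
AL2023_FIXED = "1.1.11-1.amzn2023.0.1"
_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpm segment comparison (no epoch, '~' or '^' handling)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win


def compare_vr(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def audit(installed_vr):
    """Contrast the upstream-version rule with the distro-advisory rule."""
    version = installed_vr.partition("-")[0]
    return {
        "upstream_rule": compare_vr(version, UPSTREAM_FIXED) >= 0,
        "al2023_rule": compare_vr(installed_vr, AL2023_FIXED) >= 0,
    }


if __name__ == "__main__":
    # Constructed sample values; on a host, read the real one with
    #   rpm -q --qf '%{VERSION}-%{RELEASE}\n' runc
    for vr in ("1.1.11-1.amzn2023.0.1", "1.1.7-3.amzn2023.0.1", "1.1.12-1.amzn2023.0.1"):
        print(vr, audit(vr))
```

A scanner that applies only the upstream rule reports the patched AL2023 build as vulnerable; the advisory-based rule accepts it and still rejects the older 1.1.7 build, which a plain string comparison would wrongly rank above 1.1.11.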
Member

@amenasria amenasria left a comment

LGTM !

@agent-platform-auto-pr
Contributor

agent-platform-auto-pr bot commented May 17, 2024

[Fast Unit Tests Report]

On pipeline 34710190 (CI Visibility). The following jobs did not run any unit tests:

Jobs:
  • tests_deb-arm64-py3
  • tests_deb-x64-py3
  • tests_flavor_dogstatsd_deb-x64
  • tests_flavor_heroku_deb-x64
  • tests_flavor_iot_deb-x64
  • tests_rpm-arm64-py3
  • tests_rpm-x64-py3
  • tests_windows-x64

If you modified Go files and expected unit tests to run in these jobs, please double check the job logs. If you think tests should have been executed reach out to #agent-developer-experience

@pr-commenter

pr-commenter bot commented May 17, 2024

Regression Detector

Regression Detector Results

Run ID: dc0dec76-b10d-4f19-a045-1bdab1f1a728
Baseline: 1eb7adc
Comparison: 7b31a0c

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Fine details of change detection per experiment

perf | experiment                 | goal               | Δ mean % | Δ mean % CI
     | basic_py_check             | % cpu utilization  | +0.99    | [-1.51, +3.50]
     | tcp_dd_logs_filter_exclude | ingress throughput | +0.01    | [-0.03, +0.05]
     | uds_dogstatsd_to_api       | ingress throughput | +0.01    | [-0.20, +0.21]
     | trace_agent_json           | ingress throughput | -0.00    | [-0.01, +0.01]
     | trace_agent_msgpack        | ingress throughput | -0.00    | [-0.00, +0.00]
     | otel_to_otel_logs          | ingress throughput | -0.21    | [-0.58, +0.15]
     | idle                       | memory utilization | -0.55    | [-0.59, -0.51]
     | pycheck_1000_100byte_tags  | % cpu utilization  | -0.89    | [-5.58, +3.79]
     | file_tree                  | memory utilization | -1.04    | [-1.12, -0.95]
     | uds_dogstatsd_to_api_cpu   | % cpu utilization  | -2.15    | [-4.91, +0.62]
     | tcp_syslog_to_blackhole    | ingress throughput | -14.85   | [-34.26, +4.55]

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

Contributor

@f4usto f4usto left a comment

/lgtm

Can we add the CVE reference to the PR/Commit description? It would be good to later correlate/search if needed.

@pducolin
Contributor Author

/merge

@dd-devflow

dd-devflow bot commented May 21, 2024

🚂 MergeQueue

This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

Use /merge -c to cancel this operation!

@pducolin
Contributor Author

/remove

@dd-devflow

dd-devflow bot commented May 21, 2024

🚂 Devflow: /remove

@dd-devflow

dd-devflow bot commented May 21, 2024

⚠️ MergeQueue

This merge request was unqueued

If you need support, contact us on Slack #devflow!

@pducolin
Contributor Author

/merge

@dd-devflow

dd-devflow bot commented May 21, 2024

🚂 MergeQueue

This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

Use /merge -c to cancel this operation!

@dd-devflow

dd-devflow bot commented May 21, 2024

🚂 MergeQueue

Pull request added to the queue.

There are 3 builds ahead! (estimated merge in less than 2h)

Use /merge -c to cancel this operation!

@dd-mergequeue dd-mergequeue bot merged commit 654e4bf into main May 21, 2024
186 of 188 checks passed
@dd-mergequeue dd-mergequeue bot deleted the pducolin/upgrade-amazonlinux2023-amis branch May 21, 2024 10:19
@github-actions github-actions bot added this to the 7.55.0 milestone May 21, 2024
agent-platform-auto-pr bot pushed a commit that referenced this pull request May 21, 2024
* [kitchen/e2e] update amazon linux 2023 x86_64

* [e2e] bump amazon 2023 amis

* [e2e] bump amazon linux 2023 arm64

(cherry picked from commit 654e4bf)