Kernel 6.18

[mgsharm]

Issue number:

Closes #382

Related PRs

• Add SELinux permissions for kernel 6.18 bottlerocket-core-kit#847 — SELinux policy updates for kernel 6.18

Description of changes:

Commit 1: Add kernel-6.18 package

• Add packages/kernel-6.18/ with spec, kernel configs, bootconfig, and GPG key
• Add config-microcode-6-18 for x86_64 microcode support
• Add kernel-6.18 to workspace and kit build dependencies
• Update latest-kernel-full-config.sh to handle kernel 6.18

Commit 2: Add Bottlerocket patches for kernel 6.18

Patches carried forward and regenerated from kernel-6.12:

• 1001: Makefile prepare target for external modules (adjusted context for 6.18)
• 1002: Revert kbuild hide tools from external builds
• 1003: INITRAMFS_FORCE unlink from CMDLINE options
• 1004: af_unix increase default max_dgram_qlen to 512
• 1005: Select DRM prerequisites for GPU drivers (Kconfig moved from drm/tiny to drm/sysfb in 6.18)
• 1006: Disable EFI measurement of kernel command line

Patches dropped (not applicable to 6.18):

• 0001: Wireguard threaded NAPI revert (6.12-specific regression fix)
• 1005: Lustre cast fix (already fixed in the AL2023 6.18 SRPM Lustre sources)
• 1007: strscpy fix (already upstreamed in 6.18)

Commit 3: Add kmod-6.18-nvidia-r580 package

• Add NVIDIA r580 kernel module package for kernel 6.18
• Includes Tesla, Grid, and Open GPU module configurations

Commit 4: Add neuron driver support for kernel 6.18

• Add AWS Neuron driver support for both inf1 (v2.24.13.0) and inf2/trn1 (v2.26.10.0)
• Add driverdog configs, systemd services, and tmpfiles for both driver versions

Commit 5: Add kmod-6.18-efa package

• Add EFA kernel module package for kernel 6.18, modeled after kmod-6.12-efa

Commit 6: Add VMware bootconfig support for kernel 6.18

• Add bootconfig-vmware.conf and bootconfig-vmware subpackage to kernel-6.18 spec
• Add conditional Requires for VMware platform

Testing done:

• K8s conformance tests (IPv4 and IPv6) via kubetest2 + ginkgo on EKS 1.34
• kubetest2 quick tests — io_uring, CPU limits, node topology (IPv4 and IPv6)
• ECS functional tests — task execution, CPU stress, DNS, HTTP, volume mounts, multi-container bridge networking, health checks, env vars, memory/CPU cgroup limits, awsvpc network mode, task placement
• io_uring syscall validation (K8s and ECS)
• Netlink operations (ip route, ip addr, ip link)
• Mount namespace operations (/proc/self/mountinfo)
• cgroup v2 CPU controller (cpu.max, cpu.weight, memory.max)
• TCP networking stress
• File I/O stress (100MB write/read)
• Process/thread stress (20 parallel workers)
• kexec_image_load validation (SELinux enforcing, crash kernel loaded)
• NVIDIA GPU workloads on g4dn.xlarge (device query, unified memory, tensor core GEMM, vector add, atomics, ModernGL, etc.)
• Neuron driver tests on inf2.xlarge (all-reduce, distributed model parallel, MNIST training)
• Neuron driver tests on inf1.xlarge (device detection)
• EFA device validation on c5n.9xlarge (kernel module load, device exposure, ibv_devinfo PORT_ACTIVE)
• FSx for Lustre CSI driver (kernel module load, dynamic provisioning, mount + write)

Details

          Welcome to Bottlerocket's control container!
    ╱╲
   ╱┄┄╲   This container gives you access to the Bottlerocket API,
   │▗▖│   which in turn lets you inspect and configure the system.
  ╱│  │╲  You'll probably want to use the `apiclient` tool for that;
  │╰╮╭╯│  for example, to inspect the system:
    ╹╹
             apiclient -u /settings

You can run `apiclient --help` for usage details, and check the main
Bottlerocket documentation for descriptions of all settings and examples of
changing them.

If you need to debug the system further, you can use the admin container.  The
admin container has more debugging tools installed and allows you to get root
access to the host.  The easiest way to get started is like this, which enables
and enters the admin container using apiclient:

   enter-admin-container

You can also access the admin container through SSH if you have network access.
Just enable the container like this, then SSH to the host:

   enable-admin-container

You can disable the admin container like this:

   disable-admin-container

- Kernel version on booted Bottlerocket instance
[ssm-user@control]$ uname -r
6.18.8
[ssm-user@control]$

• Nvidia SMI

bash-5.2# nvidia-smi
Mon Mar  2 23:57:58 2026
+-----------------------------------------------------------------------------------------+
| NVIDIA-SMI 580.126.09             Driver Version: 580.126.09     CUDA Version: 13.0     |
+-----------------------------------------+------------------------+----------------------+
| GPU  Name                 Persistence-M | Bus-Id          Disp.A | Volatile Uncorr. ECC |
| Fan  Temp   Perf          Pwr:Usage/Cap |           Memory-Usage | GPU-Util  Compute M. |
|                                         |                        |               MIG M. |
|=========================================+========================+======================|
|   0  Tesla T4                       On  |   00000000:00:1E.0 Off |                    0 |
| N/A   28C    P8              9W /   70W |       0MiB /  15360MiB |      0%      Default |
|                                         |                        |                  N/A |
+-----------------------------------------+------------------------+----------------------+

+-----------------------------------------------------------------------------------------+
| Processes:                                                                              |
|  GPU   GI   CI              PID   Type   Process name                        GPU Memory |
|        ID   ID                                                               Usage      |
|=========================================================================================|
|  No running processes found                                                             |
+-----------------------------------------------------------------------------------------+

• Inf1

bash-5.2# lspci -vvv | grep -i neuron -A 20 -B 5
        Capabilities: [b0] MSI-X: Enable+ Count=3 Masked-
                Vector table: BAR=0 offset=00002000
                PBA: BAR=0 offset=00003000
        Kernel driver in use: nvme

00:1f.0 System peripheral: Amazon.com, Inc. NeuronDevice (Inferentia) (rev 01)
        Physical Slot: 31
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0, Cache Line Size: 32 bytes
        Interrupt: pin A routed to IRQ 11
        Region 0: Memory at c0000000 (32-bit, non-prefetchable) [size=8M]
        Region 1: Memory at c1000000 (32-bit, non-prefetchable) [size=64K]
        Region 2: Memory at 100200000000 (64-bit, prefetchable) [size=512M]
        Region 4: Memory at 100000000000 (64-bit, prefetchable) [size=8G]
        Capabilities: [40] Power Management version 3
                Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0-,D1-,D2-,D3hot-,D3cold-)
                Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=0 PME-
        Capabilities: [70] Express (v2) Endpoint, IntMsgNum 0
                DevCap: MaxPayload 256 bytes, PhantFunc 0, Latency L0s unlimited, L1 unlimited
                        ExtTag+ AttnBtn- AttnInd- PwrInd- RBE+ FLReset+ SlotPowerLimit 0W TEE-IO-
                DevCtl: CorrErr+ NonFatalErr+ FatalErr+ UnsupReq-
                        RlxdOrd+ ExtTag+ PhantFunc- AuxPwr- NoSnoop+ FLReset-
                        MaxPayload 256 bytes, MaxReadReq 512 bytes
                DevSta: CorrErr- NonFatalErr- FatalErr- UnsupReq- AuxPwr- TransPend-
                LnkCap: Port #0, Speed 16GT/s, Width x4, ASPM not supported
--
                         EqualizationPhase2+ EqualizationPhase3+ LinkEqualizationRequest-
                         Retimer- 2Retimers- CrosslinkRes: Upstream Port, FltMode-
        Capabilities: [b0] MSI-X: Enable- Count=8 Masked-
                Vector table: BAR=1 offset=00000000
                PBA: BAR=1 offset=00008000
        Kernel driver in use: neuron-driver

• Inf2

bash-5.2# lspci -vvv | grep -i neuron -A 20 -B 5
        Capabilities: [b0] MSI-X: Enable+ Count=3 Masked-
                Vector table: BAR=0 offset=00002000
                PBA: BAR=0 offset=00003000
        Kernel driver in use: nvme

00:1f.0 System peripheral: Amazon.com, Inc. NeuronDevice (Inferentia2)
        Physical Slot: 31
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0
        Interrupt: pin A routed to IRQ 11
        Region 0: Memory at 100800000000 (64-bit, prefetchable) [size=1G]
        Region 2: Memory at c0488000 (32-bit, non-prefetchable) [size=8K]
        Region 4: Memory at 100000000000 (64-bit, prefetchable) [size=32G]
        Capabilities: [40] Power Management version 3
                Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0-,D1-,D2-,D3hot-,D3cold-)
                Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=0 PME-
        Capabilities: [70] Express (v2) Endpoint, IntMsgNum 0
                DevCap: MaxPayload 256 bytes, PhantFunc 0, Latency L0s unlimited, L1 unlimited
                        ExtTag+ AttnBtn- AttnInd- PwrInd- RBE+ FLReset+ SlotPowerLimit 75W TEE-IO-
                DevCtl: CorrErr+ NonFatalErr+ FatalErr+ UnsupReq-
                        RlxdOrd+ ExtTag+ PhantFunc- AuxPwr- NoSnoop+ FLReset-
                        MaxPayload 256 bytes, MaxReadReq 512 bytes
                DevSta: CorrErr- NonFatalErr- FatalErr- UnsupReq- AuxPwr- TransPend-
                LnkCap: Port #0, Speed 32GT/s, Width x8, ASPM not supported
                        ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
--
                         EqualizationPhase2+ EqualizationPhase3+ LinkEqualizationRequest-
                         Retimer+ 2Retimers- CrosslinkRes: Upstream Port, FltMode-
        Capabilities: [b0] MSI-X: Enable- Count=8 Masked-
                Vector table: BAR=2 offset=00000000
                PBA: BAR=2 offset=00001000
        Kernel driver in use: neuron-driver

• EFA

bash-5.2# systemctl status load-efa-modules.service
● load-efa-modules.service - Load EFA modules
     Loaded: loaded (/x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/systemd/system/load-efa-modules.service; enabled; preset: enabled)
    Drop-In: /x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/systemd/system/service.d
             └─00-aws-config.conf
     Active: active (exited) since Thu 2026-03-05 22:22:06 UTC; 5min ago
 Invocation: f7adc04a938349ad87ee9a6433fe9f6e
   Main PID: 13693 (code=exited, status=0/SUCCESS)
   Mem peak: 2.4M
        CPU: 21ms

Mar 05 22:22:06 localhost systemd[1]: Starting Load EFA modules...
Mar 05 22:22:06 localhost systemd[1]: Finished Load EFA modules.

bash-5.2# lspci | grep EFA
10:1b.0 Ethernet controller: Amazon.com, Inc. Elastic Fabric Adapter (EFA)

bash-5.2# modinfo efa
filename:       /lib/modules/6.18.8/updates/drivers/amazon/net/efa/efa.ko
description:    Elastic Fabric Adapter (EFA)
license:        Dual BSD/GPL
author:         Amazon.com, Inc. or its affiliates
softdep:        pre: ib_uverbs
version:        3.0.0g
srcversion:     07789AC73F98EF744EDAD6F
alias:          pci:v00001D0Fd0000EFA3sv*sd*bc*sc*i*
alias:          pci:v00001D0Fd0000EFA2sv*sd*bc*sc*i*
alias:          pci:v00001D0Fd0000EFA1sv*sd*bc*sc*i*
alias:          pci:v00001D0Fd0000EFA0sv*sd*bc*sc*i*
depends:        ib_uverbs,ib_core
name:           efa
retpoline:      Y
vermagic:       6.18.8 SMP preempt mod_unload modversions

bash-5.2# systemctl list-units | grep load-efa-modules.service
  load-efa-modules.service                                                          loaded active     exited       Load EFA modules

• lustre

bash-5.2# lsmod | grep lustre
lustre               1163264  34
mdc                   311296  2 lustre
lov                   376832  25 mdc,lustre
lmv                   233472  2 lustre
ptlrpc               1585152  8 fld,osc,fid,mgc,lov,mdc,lmv,lustre
obdclass             3448832  34 fld,osc,fid,ptlrpc,mgc,lov,mdc,lmv,lustre
lnet                  884736  7 osc,obdclass,ptlrpc,mgc,ksocklnd,lmv,lustre
libcfs                237568  12 fld,lnet,osc,fid,obdclass,ptlrpc,mgc,ksocklnd,lov,mdc,lmv,lustre
bash-5.2# modinfo lustre
filename:       /lib/modules/6.18.8/kernel/fs/lustre/llite/lustre.ko
license:        GPL
version:        2.15.6_723_gfa92cdb_dirty
description:    Lustre Client File System
author:         OpenSFS, Inc. <http://www.lustre.org/>
alias:          fs-lustre
srcversion:     2C355029E0411248C6F6E81
depends:        obdclass,ptlrpc,libcfs,lmv,lnet,lov,mdc
intree:         Y
name:           lustre
retpoline:      Y
vermagic:       6.18.8 SMP preempt mod_unload modversions
sig_id:         PKCS#7
signer:
sig_key:
sig_hashalgo:   unknown
signature:

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[yeazelm]

Do we need to make any other considerations with things like kubelet that will assume it can fall back to iptables legacy?

[mgsharm]

Kernel 6.18 disables CONFIG_NETFILTER_XTABLES_LEGACY (upstream default since 6.17). The Conflicts: iptables-legacy prevents installation of the legacy backend. The iptables-nft backend and NFT_COMPAT module are still available, so kubelet and kube-proxy continue to work iptables commands are transparently translated to nftables. Customers explicitly using iptables-legacy will need to migrate with this kernel. We should note this in the release announcement. I will make a note.