AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2025-05-01 · Documentation low

File: eks/latest/userguide/hybrid-nodes-troubleshooting.md

Summary

Added troubleshooting sections for Ubuntu and Bottlerocket, including log collection and system service debugging commands

Security assessment

The changes add operational troubleshooting guidance but do not address specific security vulnerabilities or document security features. The Bottlerocket section focuses on debugging tools and log collection without explicit security context.

Diff

diff --git a/eks/latest/userguide/hybrid-nodes-troubleshooting.md b/eks/latest/userguide/hybrid-nodes-troubleshooting.md
index f99a68eea..1becec460 100644
--- a//eks/latest/userguide/hybrid-nodes-troubleshooting.md
+++ b//eks/latest/userguide/hybrid-nodes-troubleshooting.md
@@ -578 +578 @@ In the `kubelet` logs, if you see an access denied issue for setting the `roleSe
-**RHEL**
+### RHEL
@@ -586,0 +587,2 @@ If you are running `nodeadm install` and encounter a failure to install the hybr
+### Ubuntu
+
@@ -600,0 +603,48 @@ Run the following commands to install the dependency:
+### Bottlerocket
+
+If you have the Bottlerocket admin container enabled, you can access it with SSH for advanced debugging and troubleshooting with elevated privileges. The following sections contain commands that need to be run on the context of the Bottlerocket host. Once you are on the admin container, you can run `sheltie` to get a full root shell in the Bottlerocket host.
+    
+    
+    sheltie
+
+You can also run the commands in the following sections from the admin container shell by prefixing each command with `sudo chroot /.bottlerocket/rootfs`.
+    
+    
+    sudo chroot /.bottlerocket/rootfs <command>
+
+**Using logdog for log collection**
+
+Bottlerocket provides the `logdog` utility to efficiently collect logs and system information for troubleshooting purposes.
+    
+    
+    logdog
+
+The `logdog` utility gathers logs from various locations on a Bottlerocket host and combines them into a tarball. By default, the tarball will be created at `/var/log/support/bottlerocket-logs.tar.gz`, and is accessible from host containers at `/.bottlerocket/support/bottlerocket-logs.tar.gz`.
+
+**Accessing system logs with journalctl**
+
+You can check the status of the various system services such as `kubelet`, `containerd`, etc and view their logs with the following commands. The `-f` flag will follow the logs in real time.
+
+For checking `kubelet` service status and retrieving `kubelet` logs, you can run:
+    
+    
+    systemctl status kubelet
+    journalctl -u kubelet -f
+
+For checking `containerd` service status and retrieving the logs for the orchestrated `containerd` instance, you can run:
+    
+    
+    systemctl status containerd
+    journalctl -u containerd -f
+
+For checking `host-containerd` service status and retrieving the logs for the host `containerd` instance, you can run:
+    
+    
+    systemctl status host-containerd
+    journalctl -u host-containerd -f
+
+For retrieving the logs for the bootstrap containers and host containers, you can run:
+    
+    
+    journalctl _COMM=host-ctr -f
+
@@ -607 +657 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Traffic flows
+Hybrid nodes nodeadm