da Agency

Amazon Bedrock expands support for Service Quotas

Amazon Bedrock is a fully managed service that provides secure, enterprise-grade access to high-performing foundation models from leading AI companies, enabling you to build and scale generative AI applications. Amazon Bedrock customers can now view inference quotas for the bedrock-mantle endpoint through AWS Service Quotas. This gives customers a familiar, consistent way to track limits for this endpoint, the same way they already do for the bedrock-runtime endpoint and other AWS services, and gives them clear visibility into the limits that apply to their workloads. The bedrock-mantle endpoint supports the OpenAI Responses API, OpenAI Chat Completions API, and the Anthropic Messages API, letting customers run existing OpenAI or Anthropic based applications on Amazon Bedrock with minimal code changes. AWS Service Quotas now exposes per-model input-tokens-per-minute and output-tokens-per-minute quotas for supported models on the endpoint. With this launch, customers gain visibility into how much limits they have on the bedrock-mantle endpoint and can proactively plan for production scale. To get started, open the AWS Service Quotas console, choose Amazon Bedrock, and search for “Bedrock Mantle” to view your current quotas. To request an increase to any of these quotas, follow the standard Amazon Bedrock limit increase process. Service Quotas support for the bedrock-mantle endpoint is available in all AWS Regions where the endpoint is offered: US East (N. Virginia, Ohio), US West (Oregon), Asia Pacific (Mumbai, Tokyo, Sydney, Jakarta), Europe (Frankfurt, Ireland, London, Milan, Stockholm), and South America (São Paulo). To learn more, see Quotas for Amazon Bedrock. 
Quelle: aws.amazon.com

da Agency

Announcing Region Expansion of P6-B200 instances on SageMaker Notebook Instances

We are pleased to announce general availability of Amazon EC2 P6-B200 instances in AWS US East (N. Virginia) on SageMaker notebook instances.
Amazon EC2 P6-B200 instances are powered by 8 NVIDIA Blackwell GPUs with 1440 GB of high-bandwidth GPU memory and 5th Generation Intel Xeon processors (Emerald Rapids). These instances deliver up to 2x better performance compared to P5en instances for AI training. Customers can use P6-B200 instances to interactively develop and fine-tune large foundation models, including LLMs, mixture of experts models, and multi-modal reasoning models. These instances enable efficient experimentation with larger models directly in JupyterLab or CodeEditor environments for generative AI applications such as enterprise copilots and content generation across text, images, and video.
Visit developer guides for instructions on setting up and using JupyterLab and CodeEditor applications on SageMaker Studio and SageMaker notebook instances.
Quelle: aws.amazon.com

da Agency

Mitigating CVE-2026-31431 (“Copy Fail”) in Docker Engine

CVE-2026-31431 is a Linux kernel vulnerability that was recently disclosed. This CVE does not compromise Docker infrastructure.

That said, Docker Engine’s default profiles prior to v29.4.3 allowed containers to create AF_ALG sockets, which is the syscall surface the exploit uses. You are not exposed if you are running Docker Engine v29.4.3 or later, OR a patched host kernel. If either of those is missing, you have exposure on that host, and you should read the rest of this post.

As of writing, the kernel patch is available on Debian (CVE-2026-31431) and RHEL 9 (RHSB-2026-002) but not yet on Ubuntu. For users on distros that haven’t shipped a kernel fix, upgrading Docker Engine is the mitigation you can apply today.

Why you should read about Copy-Fail

This CVE drew a lot of attention because the exploit became public before many Linux distributions had kernel patches available. As a result, most distros were still vulnerable and had no ready fix at the time of disclosure. It was especially notable because the bug affected Linux kernels going back to around 2017, making the potential impact unusually broad.

On the Docker Engine team, I started investigating what we could do from our end to protect users on vulnerable hosts. It turned out the mitigation was more involved than it first looked, and the first attempt broke 32-bit binaries. This post is what we shipped, what broke, what we learned, and where things stand now.

What Copy Fail is

On April 29, researchers disclosed CVE-2026-31431, dubbed “Copy Fail,” a privilege escalation vulnerability in the Linux kernel’s AF_ALG crypto subsystem.

The flaw is in the algif_aead module. It allows any unprivileged user with access to an AF_ALG socket to perform controlled writes to the page cache. Since the page cache backs file reads across the entire system, an attacker can temporarily modify the contents of any readable file as seen by every process on the host. Corrupting a setuid binary is the most direct path to local root, but the primitive itself is more general.

The exploit is trivial and works on every unpatched Linux kernel shipped since 2017.

The correct fix is a kernel update. The mitigations described below reduce exposure for containers running on unpatched kernels, but they do not fix the underlying vulnerability. If your kernel vendor has released a patch, apply it.

What does this mean for containers?

Inside a container running with default security profiles, an attacker with code execution can use Copy Fail to corrupt pages in the page cache. One possible outcome is escalating to root inside the container by corrupting setuid binaries.

But the page cache is shared across the host, so the impact is not confined to the attacker’s container. Modified pages are visible to the host and to every other container that maps the same file, including shared image layers. Other workloads on the same node can be affected.

The attack does not require any special capabilities or privileges beyond what a default container provides. The only requirement is the ability to create an AF_ALG socket, which was previously allowed by Docker’s default security profiles.

First attempt: seccomp (v29.4.2)

We updated Docker Engine’s default seccomp profile to block AF_ALG sockets. The seccomp filter inspects the first argument to socket(2) and denies address families AF_ALG and AF_VSOCK (which was already blocked).

Blocking socket(2) is not enough on its own. There is another way to create sockets on x86_64 Linux: socketcall(2), an older multiplexed syscall that wraps socket, bind, connect, and other socket operations behind a single syscall number.

There is another way to create sockets on Linux: socketcall(2), an older multiplexed syscall that wraps socket, bind, connect, and other socket operations behind a single syscall number.

The problem for seccomp is that socketcall packs the real arguments (including the address family) into a userspace array and passes a pointer, which BPF cannot dereference and inspect. There is no way to selectively block AF_ALG through socketcall with seccomp.

Linux 4.3 already added direct socket syscalls for i386 and s390, so we assumed most modern binaries would already use the new socket syscall and that socketcall would only matter for old binaries. So we blocked it entirely and shipped Docker Engine v29.4.2 (release notes).

What broke

The socketcall deny turned out to be too broad.

Older versions of glibc on i386 route all socket operations through socketcall, the Go runtime uses it unconditionally for GOARCH=386 (independent of glibc), and many legacy and gaming workloads (SteamCMD, Wine) depend on it.

Blocking socketcall broke networking for a lot of 32-bit binaries running inside a container (moby/moby#52506).

And this is not just an i386 problem. On amd64, any process can switch into ia32 compatibility mode with int $0x80 and invoke socketcall directly, bypassing the socket(2) arg filter entirely. You do not need a 32-bit container or a 32-bit binary to reach that path.

Affected containers could work around this by using a custom seccomp profile that re-enables socketcall while keeping AF_ALG blocked for the direct socket(2) path.But that just pokes a hole in the hardening for those containers, since an attacker inside them could still reach AF_ALG through socketcall.

Second attempt: LSM-based enforcement (v29.4.3)

The fundamental problem is that seccomp operates at the syscall boundary, and socketcall multiplexes many operations behind a single syscall number with pointer arguments. You cannot selectively block AF_ALG through socketcall with seccomp alone.

AppArmor and SELinux operate on a different level. Linux Security Modules hook directly into the kernel’s security_socket_create() callback, which fires when the kernel actually creates the socket object, regardless of which syscall entry point was used. An LSM can deny AF_ALG specifically while leaving all other socketcall usage intact.

In v29.4.3 (release notes), we:

Reverted the socketcall seccomp deny to restore 32-bit compatibility.

Added deny network alg, to the default AppArmor profile (moby/profiles#22).On systems with AppArmor enabled (e.g. Ubuntu, Debian), this blocks AF_ALG through both socket(2) and socketcall(2).

Integrated a SELinux CIL policy module for systems running SELinux (Fedora, RHEL, CentOS).The module denies alg_socket creation for all container_domain types and can be loaded via semodule.SELinux enforcement requires the daemon to be running with –selinux-enabled.

Kept the seccomp socket(AF_ALG) arg filter as defense-in-depth for the direct socket(2) syscall path.

What you should do

Patch your kernel.This is the real fix.Check with your distribution for a kernel update that addresses CVE-2026-31431.

Upgrade Docker Engine to v29.4.3 or later. You get the updated seccomp + AppArmor + SELinux defaults. A systemctl restart docker (or equivalent) is enough; no host reboot required.

If you cannot upgrade the kernel or the engine immediately:

Blacklist the kernel modules: add blacklist af_alg and blacklist algif_aead to /etc/modprobe.d/.This only works if the modules are built as loadable modules (CONFIG_CRYPTO_USER_API=m), not compiled into the kernel.

Apply a custom seccomp profile that denies AF_ALG using –security-opt seccomp=/path/to/profile.json or the seccomp-profile option in daemon.json.

Closing thoughts

Security comes in layers, and sometimes no single layer is enough. Seccomp blocks socket(AF_ALG) on every system but is blind to socketcall. AppArmor and SELinux block both paths, but they depend on host configuration. Together, they cover what neither can alone.

On systems without an LSM, the socketcall path remains unblocked from Docker’s side. Ultimately, the kernel bug is what needs to be fixed.

Kernel vulnerabilities will keep coming. When they do, the container runtime is often the fastest place to deploy a mitigation, because updating the engine is one change that protects every container on the host. The Copy Fail timeline made that especially clear: the embargo broke before distros had fixes ready, and for several days the engine was the only place users could mitigate anything without waiting for a kernel rebuild.

Keeping Docker Engine up to date is not just about new features. It is one of the most effective ways to shrink the window between a kernel CVE going public and your workloads being protected against it.

Quelle: https://blog.docker.com/feed/

da Agency

Amazon EC2 X8i instances are now available in additional regions

Starting today, Amazon Elastic Compute Cloud (Amazon EC2) X8i instances are available in the Asia Pacific (Singapore), Asia Pacific (Sydney) and AWS GovCloud (US-West) regions. These instances are powered by custom Intel Xeon 6 processors available only on AWS. X8i instances are SAP-certified and deliver the highest performance and fastest memory bandwidth among comparable Intel processors in the cloud. They deliver up to 43% higher performance, 1.5x more memory capacity (up to 6TB), and 3.3x more memory bandwidth compared to previous generation X2i instances. X8i instances are designed for memory-intensive workloads like SAP HANA, large databases, data analytics, and Electronic Design Automation (EDA). Compared to X2i instances, X8i instances offer up to 50% higher SAPS performance, up to 47% faster PostgreSQL performance, 88% faster Memcached performance, and 46% faster AI inference performance. X8i instances come in 14 sizes, from large to 96xlarge, including two bare metal options. To get started, visit the AWS Management Console. X8i instances can be purchased via Savings Plans, On-Demand instances, and Spot instances. For more information visit X8i instances page
Quelle: aws.amazon.com

da Agency

Amazon SageMaker HyperPod Slurm clusters now support specifying minimum capacity requirements with continuous provisioning

Amazon SageMaker HyperPod now supports minimum capacity requirements (MinCount) for clusters using Slurm orchestration with continuous provisioning. With continuous provisioning, HyperPod provisions clusters with available partial capacity so you can start your AI/ML jobs quickly, while continuing to provision remaining instances asynchronously in the background. While this provides flexibility, some training workloads require a guaranteed minimum number of nodes before they can start effectively. MinCount lets you specify the minimum number of instances that must be successfully provisioned before an instance group transitions to InService status, giving you greater control over when your cluster becomes available for job scheduling. This is particularly useful for distributed training workloads using frameworks such as PyTorch FSDP, Megatron-LM, or NVIDIA NeMo, where training jobs are commonly configured with a fixed number of participating nodes and may not start efficiently or correctly with partial cluster capacity. It also benefits teams that need to guarantee a baseline GPU count to meet SLA or cost-efficiency targets before committing to a training run. You can specify MinInstanceCount in the CreateCluster or UpdateCluster API request to set a minimum capacity threshold for an instance group. The instance group remains in Creating or Updating status until the threshold is met, then transitions to InService and nodes become available for Slurm job scheduling. HyperPod continues launching additional instances beyond MinCount until the target count is reached. If MinCount cannot be satisfied within 3 hours, the system automatically rolls back the instance group to its last known good state. MinCount for Slurm clusters with continuous provisioning is available in all AWS Regions where Amazon SageMaker HyperPod is supported. To get started on specifying minimum capacity requirements for your cluster, see Minimum capacity requirements (MinCount) in the Amazon SageMaker AI documentation.
Quelle: aws.amazon.com