Container-Optimized OS Release Notes: DEV

cos-dev-97-16778-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Dec 01, 2021  COS-5.10.81  v1.22.4     v20.10.6  v1.5.8      v450.119.04

Upgraded the built-in Kubelet to v1.22.4.

Updated ChromeOS base to ChromeOS version 14283.0.0.

Updated the Linux kernel to v5.10.81.

Enabled cgroup v2.

Enabled IPv4 and IPv6 in sshd.

Updated containerd to v1.5.8. This resolves CVE-2021-41190 in containerd.

Fixed CVE-2021-35942 and CVE-2021-38604 in glibc.

Updated openssl to 1.1.1l. This resolves CVE-2021-3711 and CVE-2021-3712.

Fixed CVE-2020-12403 in nss.

Fixed CVE-2021-41617 in openssh.

Fixed CVE-2020-14387 in rsync.

Upgraded dev-libs/libgcrypt to v1.9.4. This resolves CVE-2021-40528.

Updated vim and vim-core to v8.2.3582. This resolves CVE-2021-3928, CVE-2021-3927, CVE-2021-3872, CVE-2021-3903, and CVE-2021-3875.

cos-dev-97-16748-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Nov 08, 2021  COS-5.10.77  v1.21.3     v20.10.6  v1.5.7      v450.119.04

Updated the Linux kernel to v5.10.77.

Enabled virtual console.

Enabled cos-extensions to fetch artifacts with geo-redundancy when installing GPU driver.

Upgraded openssl to v1.1.1l. This fixes CVE-2021-3711.

Upgraded app-arch/libarchive to v3.5.2. This fixes CVE-2021-36976.

Runtime sysctl changes:

  • Added: dev.cdrom.autoclose: 1
  • Added: dev.cdrom.autoeject: 0
  • Added: dev.cdrom.check_media: 0
  • Added: dev.cdrom.debug: 0
  • Added: dev.cdrom.lock: 1
  • Changed: fs.epoll.max_user_watches: 1667911 -> 1667891
  • Changed: fs.file-max: 814101 -> 814087
  • Changed: net.ipv4.tcp_mem: 94251 125668 188502 -> 94248 125667 188496
  • Changed: net.ipv4.udp_mem: 188502 251336 377004 -> 188499 251335 376998

cos-dev-97-16723-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Oct 18, 2021  COS-5.10.72  v1.21.3     v20.10.6  v1.5.7      v450.119.04

Updated the Linux kernel to v5.10.72.

Upgraded net-dns/c-ares to v1.17.2.

Added LZ4 compression support in the kernel.

Upgraded net-misc/curl to v7.79.1. This resolves CVE-2021-22945.

Fixed CVE-2021-39537 in sys-libs/ncurses.

cos-dev-97-16714-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Oct 11, 2021  COS-5.10.71  v1.21.3     v20.10.6  v1.5.7      v450.119.04

Updated the Linux kernel to v5.10.71.

Enabled the ipip and fou kernel modules.

Added crictl commands to sosreport.

Fixed an issue where GPU drivers wouldn't load due to being incorrectly linked.

Updated containerd to 1.5.7. This resolves CVE-2021-41103.

Updated vim to version 8.2.3428. This resolves CVE-2021-3796, CVE-2021-3778, and CVE-2021-3770.

cos-dev-97-16699-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Oct 04, 2021  COS-5.10.69  v1.21.3     v20.10.6  v1.5.4      v450.119.04

Updated the Linux kernel to v5.10.69.

cos-dev-97-16695-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Sep 27, 2021  COS-5.10.68  v1.21.3     v20.10.6  v1.5.4      v450.119.04

Updated node-problem-detector to v0.8.10.

Updated the Linux kernel to v5.10.68.

Made XFRM statistics available at /proc/net/xfrm_stat.

Created kernel config file under /boot directory.

Fixed CVE-2020-12403 in dev-libs/nss.

Updated glib, glib-utils and gdbus-codegen to v2.68.3. This resolves CVE-2021-28153.

cos-dev-97-16687-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Sep 20, 2021  COS-5.10.65  v1.21.3     v20.10.6  v1.5.4      v450.119.04

Updated the Linux kernel to v5.10.65.

Updated app-emulation/containerd to v1.5.4. This resolves CVE-2021-32760.

cos-dev-97-16678-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Sep 13, 2021  COS-5.10.62  v1.21.3     v20.10.6  v1.5.3      v450.119.04

Updated the Linux kernel to v5.10.62.

cos-dev-97-16669-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Sep 07, 2021  COS-5.10.61  v1.21.3     v20.10.6  v1.5.3      v450.119.04

Upgraded sys-libs/ncurses to v6.2. This resolves CVE-2019-17594 and CVE-2019-17595.

Upgraded net-misc/wget to v1.21.1. This resolves CVE-2021-31879.

Upgraded net-misc/curl to v7.78.0. This resolves CVE-2021-22924 and CVE-2021-22926.

Enabled configuring NTP server using cloud-init.

Updated the Linux kernel to v5.10.61.

Updated nanopb to v0.4.5 in KTD.

cos-dev-93-16594-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Aug 02, 2021  COS-5.10.53  v1.21.3     v20.10.6  v1.5.3      v450.119.04

Updated the built-in kubectl/kubelet to v1.21.3.

Updated containerd to v1.5.3.

Updated sosreport to v4.1.

Updated chronyd to v4.1.

Updated docker-credential-gcr to v2.0.5.

Updated docker-cli to v20.10.6.

Updated ChromeOS base to ChromeOS version 14056.0.0.

Updated the Linux kernel to v5.10.53.

Upgraded Linux Audit (sys-process/audit) to v3.0.2.

Upgraded the openssl package to v1.1.1k. This resolves CVE-2021-3449 and CVE-2021-3450.

Upgraded xfsprogs to v5.10.

Upgraded dev-util/gdbus-codegen to version 2.66.7 on x86.

Upgraded dev-libs/glib and dev-util/glib-utils to v2.66.7.

Removed toolbox's dependency on docker command.

Added sys-block/open-iscsi package.

Renamed 99-virtio.network to 99-default.network to include gve driver support.

Enabled IPv6 configuration by default. This does not disable IPv4 configuration. In addition, fixed an issue where enabling both IPv6 and IPv4 configuration on IPv4-exclusive networks resulted in slow boot times.

Fixed CVE-2021-33910 in sys-apps/systemd.

cos-dev-93-16546-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Jul 12, 2021  COS-5.10.48  v1.20.5     v20.10.6  v1.4.4      v450.119.04

Updated the stackdriver logging agent to v1.8.9.

Updated runc to v1.0.0.

Upgraded cos-gpu-installer-v2 to v2.0.6 in cos-extensions. Users can now specify --version=latest when installing GPU drivers.

Updated app-emulation/docker-proxy to v0.8.0_p20210525.

Updated the Linux kernel to v5.10.48.

Enabled CONFIG_MEMORY_FAILURE and CONFIG_X86_MCE in the Linux kernel.

Upgraded libgcrypt to v1.9.3. This fixes CVE-2021-33560.

Added support for ext4 journal checkpointing in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.epoll.max_user_watches: 1668341 -> 1667911
  • Changed: fs.file-max: 814308 -> 814100
  • Changed: kernel.threads-max: 63641 -> 63625
  • Changed: net.ipv4.tcp_mem: 94275 125700 188550 -> 94251 125668 188502
  • Changed: net.ipv4.udp_mem: 188550 251401 377100 -> 188502 251336 377004
  • Changed: user.max_cgroup_namespaces: 31820 -> 31812
  • Changed: user.max_ipc_namespaces: 31820 -> 31812
  • Changed: user.max_mnt_namespaces: 31820 -> 31812
  • Changed: user.max_net_namespaces: 31820 -> 31812
  • Changed: user.max_pid_namespaces: 31820 -> 31812
  • Changed: user.max_time_namespaces: 31820 -> 31812
  • Changed: user.max_user_namespaces: 31820 -> 31812
  • Changed: user.max_uts_namespaces: 31820 -> 31812

cos-dev-93-16511-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Jun 28, 2021  COS-5.10.44  v1.20.5     v20.10.6  v1.4.4      v450.119.04

Updated app-emulation/docker-credential-helpers to v0.6.4.

cos-dev-93-16509-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Jun 21, 2021  COS-5.10.44  v1.20.5     v20.10.6  v1.4.4      v450.119.04

Updated the Linux kernel to v5.10.44.

Set the kernel config flag to enable the dump capture kernel for ARM64.

Runtime sysctl changes:

  • Changed: fs.epoll.max_user_watches: 1668321 -> 1668341
  • Changed: fs.file-max: 814309 -> 814308

cos-dev-93-16482-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Jun 09, 2021  COS-5.10.42  v1.20.5     v20.10.6  v1.4.4      v450.119.04

Updated runc to v1.0.0_rc95. This resolves CVE-2021-30465.

Upgraded Google OS Config Agent (VMManager) to version 20210607.00.

Upgraded cloud-init to v21.2.

Upgraded the Linux kernel to v5.10.42.

Stackdriver logs now record Docker container names by default.

As a result of the kernel upgrade, the following sysctl changes occurred:

  • Added: kernel.hung_task_all_cpu_backtrace: 0
  • Added: kernel.oops_all_cpu_backtrace: 0
  • Added: kernel.sched_deadline_period_max_us: 4194304
  • Added: kernel.sched_deadline_period_min_us: 100
  • Added: net.ipv4.ip_autobind_reuse: 0
  • Added: net.ipv4.nexthop_compat_mode: 1
  • Added: net.ipv4.tcp_comp_sack_slack_ns: 100000
  • Added: net.ipv4.tcp_no_ssthresh_metrics_save: 1
  • Added: net.ipv4.tcp_reflect_tos: 0
  • Added: net.ipv6.conf.all.rpl_seg_enabled: 0
  • Added: net.ipv6.conf.default.rpl_seg_enabled: 0
  • Added: net.ipv6.conf.docker0.rpl_seg_enabled: 0
  • Added: net.ipv6.conf.eth0.rpl_seg_enabled: 0
  • Added: net.ipv6.conf.lo.rpl_seg_enabled: 0
  • Added: user.max_time_namespaces: 31820
  • Added: vm.compaction_proactiveness: 20
  • Added: vm.page_lock_unfairness: 5
  • Changed: fs.epoll.max_user_watches: 1668751 -> 1668321
  • Changed: fs.file-max: 814576 -> 814309
  • Changed: kernel.cap_last_cap: 37 -> 40
  • Changed: kernel.threads-max: 63658 -> 63641
  • Changed: kernel.usermodehelper.bset: 4294967295 63 -> 4294967295 511
  • Changed: kernel.usermodehelper.inheritable: 4294967295 63 -> 4294967295 511
  • Changed: net.core.bpf_jit_kallsyms: 0 -> 1
  • Changed: net.ipv4.tcp_mem: 94299 125733 188598 -> 94275 125700 188550
  • Changed: net.ipv4.udp_mem: 188598 251466 377196 -> 188550 251401 377100
  • Changed: user.max_cgroup_namespaces: 31829 -> 31820
  • Changed: user.max_ipc_namespaces: 31829 -> 31820
  • Changed: user.max_mnt_namespaces: 31829 -> 31820
  • Changed: user.max_net_namespaces: 31829 -> 31820
  • Changed: user.max_pid_namespaces: 31829 -> 31820
  • Changed: user.max_user_namespaces: 31829 -> 31820
  • Changed: user.max_uts_namespaces: 31829 -> 31820
  • Deleted: kernel.random.read_wakeup_threshold: 64

cos-dev-93-16442-0-0

Date          Kernel       Kubernetes  Docker    Containerd  Default GPU Driver
Jun 01, 2021  COS-5.4.120  v1.20.5     v20.10.6  v1.4.4      v450.119.04

Fixed CPU usage for workloads with heavy page cache usage.

Fixed 32 x truesize under-estimation for tiny skbs in the Linux kernel.

Fixed CVE-2021-3537 in libxml2.

Added automatic mounting of the OEM partition if it is sealed.

Upgraded the default GPU driver version to 450.119.04.

Upgraded Google OS Config Agent to v20210506.00.

Updated docker to v20.10.6.

Updated the Linux kernel to v5.4.120.

Updated makedumpfile package to v1.6.9.

cos-dev-93-16391-0-0

Date          Kernel       Kubernetes  Docker    Containerd
May 10, 2021  COS-5.4.116  v1.20.5     v20.10.3  v1.4.4

Updated the Linux kernel to v5.4.116.

cos-dev-93-16379-0-0

Date          Kernel       Kubernetes  Docker    Containerd
May 03, 2021  COS-5.4.114  v1.20.5     v20.10.3  v1.4.4

Updated the Linux kernel to v5.4.114.

Updated sshd.service to not drop active ssh sessions when sshd is restarted.

Updated google-guest-agent to v20210408.00.

Fixed CVE-2020-24977 in libxml2.

cos-dev-93-16351-0-0

Date          Kernel       Kubernetes  Docker    Containerd
Apr 22, 2021  COS-5.4.113  v1.20.5     v20.10.3  v1.4.4

Updated the Linux kernel to v5.4.113.

Upgraded dev-vcs/git to version 2.31.0. This resolves CVE-2021-21300.

Fixed an out-of-bounds write issue in the Linux kernel.

cos-dev-93-16340-0-0

Date          Kernel       Kubernetes  Docker    Containerd
Apr 19, 2021  COS-5.4.112  v1.20.5     v20.10.3  v1.4.4

Updated the Linux kernel to v5.4.112.

Updated kubernetes to v1.20.5.

Upgraded tar to 1.34.

Enabled ip6table_nat as a module.

cos-dev-93-16331-0-0

Date          Kernel       Kubernetes  Docker    Containerd
Apr 12, 2021  COS-5.4.110  v1.20.2     v20.10.3  v1.4.4

Updated the Linux kernel to v5.4.110.

Upgraded dev-db/sqlite to version 3.34.1. This resolves CVE-2021-20227.

Upgraded Google OS Config Agent to version 20210331.00.

Updated containerd to version 1.4.4.

Configured google-guest-agent to use usermod instead of gpasswd to add users to groups. This fixes an issue where users created through cloud-init sometimes were not added to the appropriate groups.

Enabled CONFIG_IP6_NF_MANGLE to allow ip6table_mangle kernel module.

cos-dev-93-16303-0-0

Date          Kernel       Kubernetes  Docker
Apr 05, 2021  COS-5.4.108  v1.20.2     v20.10.3

Updated openssl to 1.1.1k to resolve CVE-2021-3449 and CVE-2021-3450.

Enabled CONFIG_TLS and CONFIG_TLS_DEVICE in the kernel to support kTLS.

cos-dev-93-16295-0-0

Date          Kernel       Kubernetes  Docker
Mar 29, 2021  COS-5.4.108  v1.20.2     v20.10.3

Upgraded OpenSSH to v8.5_p1. This resolves CVE-2021-28041.

Updated docker-credential-gcr to v2.0.4.

Updated the Linux kernel to v5.4.108.

Fixed an issue in google-guest-agent where the GID of a user's home directory referred to a different user after a reboot.

Enabled CONFIG_TLS in the kernel to support OpenSSL 3.0.

cos-dev-93-16259-0-0

Date          Kernel       Kubernetes  Docker
Mar 22, 2021  COS-5.4.104  v1.20.2     v20.10.3

Updated cos-gpu-installer to v2.0.5 in cos-extensions.

Upgraded e2fsprogs to version 1.46.2.

Updated the Linux kernel to upstream/v5.4.104.

cos-dev-93-16240-0-0

Date          Kernel       Kubernetes  Docker
Mar 15, 2021  COS-5.4.102  v1.20.2     v20.10.3

Updated the Linux kernel to v5.4.102.

cos-dev-93-16234-0-0

Date          Kernel       Kubernetes  Docker
Mar 08, 2021  COS-5.4.101  v1.20.2     v20.10.3

Reverted "Stackdriver logs now record Docker container names by default" due to an incompatibility with Kubernetes.

Upgraded sys-auth/pambase to version 20201103.

Upgraded sys-libs/pam to version 1.5.1.

Upgraded sys-auth/passwdqc to version 1.4.0.

Updated the Linux kernel to upstream/v5.4.101.

Updated Docker to 20.10.3.

Updated chronyd to run as the chrony user instead of the root user.

Updated openssl to version 1.1.1j. This resolves CVE-2021-23840 and CVE-2021-23841.

cos-dev-93-16207-0-0

Date          Kernel       Kubernetes  Docker
Mar 01, 2021  COS-5.4.100  v1.20.2     v20.10.2

Upgraded libgcrypt to v1.9.1. This addresses CVE-2021-3345.

Upgraded dev-python/jinja to v2.11.3. This addresses CVE-2020-28493.

Updated glib to v2.66.7. This addresses CVE-2021-27218 and CVE-2021-27219.

Updated the Linux kernel to v5.4.100.

Updated cos-gpu-installer to v2.0.4 in cos-extensions.

Fixed a warning in docker when the home directory is not present.

Added support for multiple architectures in toolbox.

cos-dev-93-16173-0-0

Date          Kernel       Kubernetes  Docker
Feb 22, 2021  COS-5.4.98   v1.20.2     v20.10.2

Fixed a kernel crash due to fast commit changes.

Updated the Linux kernel to upstream/v5.4.98.

cos-dev-93-16136-0-0

Date          Kernel       Kubernetes  Docker
Feb 08, 2021  COS-5.4.95   v1.20.2     v20.10.2

Removed read/write/execute permissions for group and other users on systemd timer files.

Upgraded e2fsprogs to version 1.46.0.

Upgraded sys-libs/e2fsprogs-libs to version 1.46.0.

Downgraded Google OS Config Agent to v20201229.01.

Updated the Linux kernel to v5.4.95.

Added package net-fs/cifs-utils v6.11.