Container-Optimized OS Release Notes: Milestone 101

Stay organized with collections Save and categorize content based on your preferences.


Date Kernel Docker Containerd GPU Drivers
Jan 23, 2023 COS-5.15.65 v20.10.12 v1.6.12 v470.161.03(default),v510.108.03

Fixed a use-after-free bug in TCP in the Linux kernel.

Fixed CVE-2022-40897 in dev-python/setuptools.


Date Kernel Docker Containerd GPU Drivers
Jan 09, 2023 COS-5.15.65 v20.10.12 v1.6.12 v470.161.03(default),v510.108.03

Updated app-emulation/containerd to version v1.6.12.

Fixed no CNI info for pod sandbox on restart in app-emulation/containerd.

Fixed proc_skip_spaces in the Linux kernel to follow existing convention instead of acting as a wrapper to skip_spaces.

Updated Nvidia default drivers to v470.161.03 fixing CVE-2022-34670, CVE-2022-34674, CVE-2022-34675, CVE-2022-34677, CVE-2022-34679, CVE-2022-34680, CVE-2022-34682, CVE-2022-42254, CVE-2022-42255, CVE-2022-42256, CVE-2022-42257, CVE-2022-42258, CVE-2022-42259, CVE-2022-42260, CVE-2022-42261, CVE-2022-42262, CVE-2022-42263, CVE-2022-42264 and latest to v510.108.03 fixing CVE-2022-34670, CVE-2022-34674, CVE-2022-34675, CVE-2022-34677, CVE-2022-34679,CVE-2022-34680, CVE-2022-34682, CVE-2022-34684, CVE-2022-42254, CVE-2022-42255,CVE-2022-42256, CVE-2022-42257, CVE-2022-42258, CVE-2022-42259, CVE-2022-42260,CVE-2022-42261, CVE-2022-42262, CVE-2022-42263, CVE-2022-42264.

Fixed CVE-2022-23471 in app-emulation/containerd.

Fixed CVE-2022-35260 and CVE-2022-32221 in net-misc/curl.

Fixed CVE-2022-42328 and CVE-2022-42329 in the Linux kernel.


Date Kernel Docker Containerd GPU Drivers
Dec 12, 2022 COS-5.15.65 v20.10.12 v1.6.6 v470.141.03(default),v510.47.03

Updated dev-go/text to v0.3.8. This fixes CVE-2022-32149.

Updated dev-libs/libxml2 to v2.10.3. This resolves CVE-2022-40304 and CVE-2022-40303.

Fixed CVE-2022-36227 in app-arch/libarchive package.


Date Kernel Docker Containerd GPU Drivers
Dec 05, 2022 COS-5.15.65 v20.10.12 v1.6.6 v470.141.03(default),v510.47.03

Set ManageForeignRoutes and ManageForeignRoutingPolicyRules to no in case cos.disable_systemd_route_mgmt is present in the kernel command line.

Fixed CVE-2022-3821 in sys-apps/systemd.

Fixed CVE-2022-3169 in the Linux kernel.


Date Kernel Docker Containerd GPU Drivers
Nov 10, 2022 COS-5.15.65 v20.10.12 v1.6.6 v470.141.03(default),v510.47.03

Fixed a bug that /etc/pam.d/sudo-i was missing.

Updated cos-gpu-installer to v2.0.29. This addresses CVE-2022-3602 in cos-gpu-installer.

Updated app-editors/vim and app-editors/vim-core to v9.0.0828. This resolves CVE-2022-3234, CVE-2022-3235, CVE-2022-3256, CVE-2022-3278, CVE-2022-3296, CVE-2022-3297, CVE-2022-3324, CVE-2022-3352 and CVE-2022-3705.

Fixed CVE-2022-43945 in the Linux kernel.

Fixed CVE-2022-3543 in the Linux kernel.


Date Kernel Docker Containerd GPU Drivers
Nov 07, 2022 COS-5.15.65 v20.10.12 v1.6.6 v470.141.03(default),v510.47.03

Fixed CVE-2022-42915 in curl.

Updated vim/vim-core to v9.0.0467. This resolves CVE-2022-3153, CVE-2022-3134, CVE-2022-3099, CVE-2022-3037, CVE-2022-3016, CVE-2022-2982, CVE-2022-2980, CVE-2022-2946, CVE-2022-2923, CVE-2022-2889, CVE-2022-2874, CVE-2022-2862, CVE-2022-2849, CVE-2022-2845, CVE-2022-2819, CVE-2022-2817 CVE-2022-2816, CVE-2022-2598, CVE-2022-2581, CVE-2022-2580, CVE-2022-2571.

Fixed CVE-2022-40320 in confuse package.


Date Kernel Docker Containerd GPU Drivers
Oct 31, 2022 COS-5.15.65 v20.10.12 v1.6.6 v470.141.03(default),v510.47.03

Fixed gVNIC support for jumbo frames.

Fixed CVE-2021-46848 in libtasn1.

Fixed CVE-2022-3586 and CVE-2022-3524 in the Linux Kernel.


Date Kernel Docker Containerd GPU Drivers
Oct 24, 2022 COS-5.15.65 v20.10.12 v1.6.6 v470.141.03(default),v510.47.03

Enabled kernel config CONFIG_PVPANIC_MMIO.

Fixed CVE-2022-2602 in the Linux kernel.


Date Kernel Docker Containerd GPU Drivers
Oct 17, 2022 COS-5.15.65 v20.10.12 v1.6.6 v470.141.03(default),v510.47.03

Fixed an issue related to IP leakage in containerd.

Fixed an issue in cloud-init where cloud-init fails when not able to log to /dev/console.

Fixed an out-of-bounds read in libarchive. This resolves CVE-2022-26280.


Date Kernel Docker Containerd GPU Drivers
Sep 19, 2022 COS-5.15.65 v20.10.12 v1.6.6 v470.141.03(default),v510.47.03

Updated cos-gpu-installer to v2.0.27. This resolves the issue where multiple installers can be started in the same VM.

Updated app-arch/gzip to v1.12. This resolves CVE-2022-1271.

Updated net-libs/gnutls to v3.7.7. This resolves CVE-2022-2509.

Updated net-libs/libtirpc to v1.3.3. This resolves CVE-2021-46828.


Date Kernel Docker Containerd GPU Drivers
Sep 15, 2022 COS-5.15.65 v20.10.12 v1.6.6 v470.141.03(default),v510.47.03

COS M101 is stable.


Date Kernel Docker Containerd GPU Drivers
Sep 12, 2022 COS-5.15.65 v20.10.12 v1.6.6 v470.141.03(default),v510.47.03

Upgraded the GPU driver version in the "latest" track to v510.47.03.

Updated the built-in kubectl/kubelet to v1.23.10.

Updated the Linux kernel to v5.15.65.

Updated cos-gpu-installer to v2.0.26. This resolves the compatibility issue with K80 GPU devices. When an incompatible driver version (R510+) is chosen in an instance with K80 GPU, the installer will automatically fall back to an available R470 driver version.

Opting out of a CIS Benchmark will now prevent scripts from adjusting your instance.

Upgraded Google OS Config Agent(aka VMManager) to v20220801.00.

Fixed a scenario of high contention state of the system in case filesystem is almost full and processes is trying to write content.

Fixed memory leak in the seccomp subsystem.

Updated open-vm-tools to v12.1.0 fixing CVE-2022-31676.

Updated app-editors/vim and app-editors/vim-core to 9.0.0099. This resolves CVE-2022-2175,CVE-2022-2182,CVE-2022-2183,CVE-2022-2206,CVE-2022-2207,CVE-2022-2208,CVE-2022-2210,CVE-2022-2231,CVE-2022-2257,CVE-2022-2264,CVE-2022-2284,CVE-2022-2285,CVE-2022-2286,CVE-2022-2287,CVE-2022-2288,CVE-2022-2289,CVE-2022-2304,CVE-2022-2343,CVE-2022-2344,CVE-2022-2345,CVE-2022-2522


Date Kernel Docker Containerd GPU Drivers
Sep 06, 2022 COS-5.15.57 v20.10.12 v1.6.6 v470.141.03(default)

Fixed kdump on NVME disks.

Updated gnutls to v3.7.6. This resolves CVE-2021-4209.


Date Kernel Docker Containerd GPU Drivers
Aug 29, 2022 COS-5.15.57 v20.10.12 v1.6.6 v470.141.03(default)

Fixed issues in cos-gpu-installer where nvidia-peermem.ko was not installed and where driver signatures were included in the cached build tools.

Updated toolbox to v20220722.

Fixed CVE-2022-1158 in Linux Kernel.


Date Kernel Docker Containerd GPU Drivers
Aug 22, 2022 COS-5.15.57 v20.10.12 v1.6.6 v470.141.03(default)

Updated net-misc/rsync to v3.2.5 and fixed CVE-2022-29154.

Updated dev-db/sqlite to v3.39.2 to fix CVE-2022-35737.


Date Kernel Docker Containerd GPU Drivers
Aug 15, 2022 COS-5.15.57 v20.10.12 v1.6.6 v470.141.03(default)

Removed stackdriver-correct-container benchmark for cis-level2 compliance.

Updated default and latest Nvidia drivers to 470.141.03.

Enable IOMMU_SUPPORT and IRQ_REMAP kernel configurations.

Fixed CVE-2022-21505 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.epoll.max_user_watches: 1811300 -> 1810832
  • Changed: fs.fanotify.max_user_marks: 67627 -> 67610
  • Changed: fs.file-max: 813249 -> 813043
  • Changed: fs.inotify.max_user_watches: 63503 -> 63488
  • Changed: kernel.threads-max: 63567 -> 63551
  • Changed: net.ipv4.tcp_mem: 94164 125552 188328 -> 94140 125520 188280
  • Changed: net.ipv4.udp_mem: 188328 251105 376656 -> 188280 251041 376560
  • Changed: user.max_cgroup_namespaces: 31783 -> 31775
  • Changed: user.max_fanotify_marks: 67627 -> 67610
  • Changed: user.max_inotify_watches: 63503 -> 63488
  • Changed: user.max_ipc_namespaces: 31783 -> 31775
  • Changed: user.max_mnt_namespaces: 31783 -> 31775
  • Changed: user.max_net_namespaces: 31783 -> 31775
  • Changed: user.max_pid_namespaces: 31783 -> 31775
  • Changed: user.max_time_namespaces: 31783 -> 31775
  • Changed: user.max_user_namespaces: 31783 -> 31775
  • Changed: user.max_uts_namespaces: 31783 -> 31775

cos-beta-101-17162-0-3 (vs Milestone 97)

Date Kernel Docker Containerd GPU Drivers
Aug 01, 2022 COS-5.15.57 v20.10.12 v1.6.6 v470.82.01(default)

Updated sosreport to v4.3.

Backported support for SEV-SNP in the Linux kernel.

Updated the Linux kernel to v5.15.57.

Updated the built-in kubectl/kubelet to v1.23.9.

Updated stackdriver logging agent to v1.9.8.

Updated the built-in kubelet to be compiled from source instead of using official Kubernetes releases.

Updated sys-apps/irqbalance to v1.8.0-r1.

Moved the toolchain source from gs://chromiumos-sdk to gs://cos-sdk.

Updated default toolbox container to v20220614.

Upgraded Google OS Config Agent(aka VMManager) to v20220606.00.

Updated docker-credential-gcr to v2.1.5.

Updated cos-gpu-installer to fetch the COS toolchain from gs://cos-tools instead of gs://chromiumos-sdk.

Updated net-misc/netplan to v0.104.

Upgraded sys-fs/e2tools to v0.1.0.

Upgraded sys-fs/xfsprogs to v5.18.0 and sys-fs/e2fsprogs to v1.46.5.

Updated google-guest-agent to v20220523.00.

Updated runc to v1.1.2.

Upgraded package sys-boot/shim to version 15.5.

Updated the default toolbox container to v20220429.

Upgraded docker-credential-gcr to v2.1.2.

Upgraded dump-capture-kernel to 5.15.

Added pci=clearmsi option in dump-capture-kernel command line.

Updated net-misc/chrony to v4.2.

Upgraded docker-credential-gcr to v2.1.1.

Updated app-admin/localtoast(cis_scanner) to v1.1.4.3.

Updated google-guest-configs to v20220211.00.

Updated ChromeOS base to ChromeOS version 14542.0.0.

Updated containerd to v1.6.0.

Updated cri-tools to v1.23.0.

Runtime sysctl changes:

  • Added: fs.fanotify.max_queued_events: 16384
  • Added: fs.fanotify.max_user_groups: 128
  • Added: fs.fanotify.max_user_marks: 54813
  • Added: kernel.max_rcu_stall_to_panic: 0
  • Added: kernel.sched_schedstats: 0
  • Added: kernel.task_delayacct: 0
  • Added: net.core.netdev_unregister_timeout_secs: 10
  • Added: net.ipv4.fib_multipath_hash_fields: 7
  • Added: net.ipv4.fib_notify_on_flag_change: 0
  • Added: net.ipv4.icmp_echo_enable_probe: 0
  • Added: net.ipv4.tcp_migrate_req: 0
  • Added: net.ipv6.conf.all.ioam6_enabled: 0
  • Added: net.ipv6.conf.all.ioam6_id: 65535
  • Added: net.ipv6.conf.all.ioam6_id_wide: 4294967295
  • Added: net.ipv6.conf.all.ra_defrtr_metric: 1024
  • Added: net.ipv6.conf.default.ioam6_enabled: 0
  • Added: net.ipv6.conf.default.ioam6_id: 65535
  • Added: net.ipv6.conf.default.ioam6_id_wide: 4294967295
  • Added: net.ipv6.conf.default.ra_defrtr_metric: 1024
  • Added: net.ipv6.conf.docker0.ioam6_enabled: 0
  • Added: net.ipv6.conf.docker0.ioam6_id: 65535
  • Added: net.ipv6.conf.docker0.ioam6_id_wide: 4294967295
  • Added: net.ipv6.conf.docker0.ra_defrtr_metric: 1024
  • Added: net.ipv6.conf.eth0.ioam6_enabled: 0
  • Added: net.ipv6.conf.eth0.ioam6_id: 65535
  • Added: net.ipv6.conf.eth0.ioam6_id_wide: 4294967295
  • Added: net.ipv6.conf.eth0.ra_defrtr_metric: 1024
  • Added: net.ipv6.conf.lo.ioam6_enabled: 0
  • Added: net.ipv6.conf.lo.ioam6_id: 65535
  • Added: net.ipv6.conf.lo.ioam6_id_wide: 4294967295
  • Added: net.ipv6.conf.lo.ra_defrtr_metric: 1024
  • Added: net.ipv6.fib_multipath_hash_fields: 7
  • Added: net.ipv6.fib_notify_on_flag_change: 0
  • Added: net.ipv6.ioam6_id: 16777215
  • Added: net.ipv6.ioam6_id_wide: 72057594037927935
  • Added: net.netfilter.nf_conntrack_tcp_ignore_invalid_rst: 0
  • Added: net.netfilter.nf_hooks_lwtunnel: 0
  • Added: user.max_fanotify_groups: 128
  • Added: user.max_fanotify_marks: 54813
  • Added: vm.percpu_pagelist_high_fraction: 0
  • Changed: fs.epoll.max_user_watches: 1666560 -> 1811300
  • Changed: fs.file-max: 813432 -> 813248
  • Changed: fs.inotify.max_user_watches: 8192 -> 51557
  • Changed: fs.xfs.speculative_cow_prealloc_lifetime: 1800 -> 300
  • Changed: kernel.threads-max: 63574 -> 63567
  • Changed: net.ipv4.tcp_mem: 94173 125565 188346 -> 94164 125552 188328
  • Changed: net.ipv4.udp_mem: 188346 251131 376692 -> 188328 251105 376656
  • Changed: net.netfilter.nf_conntrack_buckets: 65536 -> 262144
  • Changed: net.netfilter.nf_conntrack_expect_max: 1024 -> 4096
  • Changed: user.max_cgroup_namespaces: 31787 -> 31783
  • Changed: user.max_inotify_watches: 8192 -> 51557
  • Changed: user.max_ipc_namespaces: 31787 -> 31783
  • Changed: user.max_mnt_namespaces: 31787 -> 31783
  • Changed: user.max_net_namespaces: 31787 -> 31783
  • Changed: user.max_pid_namespaces: 31787 -> 31783
  • Changed: user.max_time_namespaces: 31787 -> 31783
  • Changed: user.max_user_namespaces: 31787 -> 31783
  • Changed: user.max_uts_namespaces: 31787 -> 31783
  • Changed: fs.file-max: 813250 -> 813249
  • Changed: fs.fanotify.max_user_marks: 54813 -> 67627
  • Changed: fs.inotify.max_user_watches: 51557 -> 63503
  • Changed: user.max_fanotify_marks: 54813 -> 67627
  • Changed: user.max_inotify_watches: 51557 -> 63503
  • Changed: kernel.random.poolsize: 4096 -> 256
  • Changed: kernel.random.write_wakeup_threshold: 896 -> 256
  • Deleted: vm.block_dump: 0
  • Deleted: vm.percpu_pagelist_fraction: 0

Fixed an issue where the "logs", "crictl", and "kdump" sosreport plugins did not work properly.

Added a new systemd unit to group stackdriver logging agents.


Added TPU driver v20220117.

Made CIS-Scanner show results for passing and non-passing benchmarks.

Added option to GPU driver installation script for populating and resetting toolchain cache.

Built cos-gpu-installer using debian:bookworm.

Increased number of vCPUs support from 256 to 512.

Added get_status API in device policy manager.

cos_extensions and toolbox utilities now fetch container images from multi-region Artifact Registry.

Enabled disk_setup module in cloud-init.

Added CLI to change cgroup versions.

Added CIS Scanner (app-admin/localtoast) v1.1.4.1.

Renamed cos-alphabet-compliance to cis-compliance. cis-compliance will only install scripts needed to make the VM Level 2 CIS compliant.

Added the support to export logs of the cis-level1, cis-level2 and cis-compliance-scanner systemd services via stackdriver logging.

Enabled CONFIG_BFQ_GROUP_IOSCHED kernel configuration.

Added command "cos-extensions list -- --gpu-installer" to show the default cos-gpu-installer.

Set NVMe IO timeout to 4294967295.

Fixed an issue in the Linux kernel where I/Os would sometimes fail on SEV-enabled machines due to a full swiotlb buffer.

Added xemu kernel module.

Added support for NFSv4 Kerberos authentication.

Updated oslogin to v20220721.00

Upgrade ice kernel module from v1.3.2 to v1.8.8 due to incompatibility with kernel 5.15.

Add 5.15 vanilla and rt kernel in project-edgeos.

Updated toolbox to v20220630.

Fixed the bug in toolbox where long project name/container image tag can fail to run the toolbox container.

Fixed an issue that prevented large cloud-configs (~256KB) from working properly.

Disabled bracketed paste mode by default in readline.

Backported upstream patch to fix the issue where systemd affects BFQ IO setup.

Added cgroup-driver=systemd flag to kubelet.

Fixed a warning related to IPv4 parsing error in cloud-init.

Fixed an issue in systemd to consider primary network interface configured only after non-link-local IPv4 address is available.

Updated CIS Scanner to v1.1.4.2.

Fixed segmentation fault in ebtables.

Updated stackdriver logging default config to support multiple time formats which fixed bug of dropped logs in some conditions.

Updated toolbox script to use nspawn share system environment variable.

Updated openssl to v1.1.1q. This resolves CVE-2022-2097.

Updated net-misc/curl to v7.84.0. This resolves CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, and CVE-2022-32208.

Upgraded openssl to 1.1.1p to resolve CVE-2022-2068.

Fixed CVE-2022-29217 in dev-python/pyjwt.

Updated app-editors/vim and app-editors/vim-core to v8.2.5066. This resolves CVE-2022-2126,CVE-2022-2125,CVE-2022-2124,CVE-2022-2129,CVE-2022-1720, CVE-2022-1942,CVE-2022-1886,CVE-2022-1851,CVE-2022-1160,CVE-2022-1154, CVE-2022-1381,CVE-2022-1420,CVE-2022-1733,CVE-2022-1796,CVE-2022-1769, CVE-2022-1735,CVE-2022-1674,CVE-2022-1771,CVE-2022-1620,CVE-2022-1785, CVE-2022-1629,CVE-2022-1616,CVE-2022-1621,CVE-2022-1619,CVE-2022-1927, CVE-2022-1898,CVE-2021-4187,CVE-2022-0128,CVE-2022-0156,CVE-2022-0158, CVE-2022-0261,CVE-2022-0318,CVE-2022-0319,CVE-2022-0392,CVE-2022-0368, CVE-2022-0393,CVE-2022-0361,CVE-2022-0359,CVE-2022-0413,CVE-2022-0408, CVE-2022-0407,CVE-2022-0443,CVE-2022-0714,CVE-2022-0696,CVE-2022-0685, CVE-2022-0729,CVE-2022-0572 and CVE-2022-0629.

Fixed CVE-2021-22570 in libprotobuf.

Updated app-emulation/containerd to v1.6.6. This resolves CVE-2022-31030.

Updated net-misc/curl to v7.83.1. This resolves CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776, CVE-2022-27778, CVE-2022-27779, CVE-2022-27780, CVE-2022-27781, CVE-2022-27782, CVE-2022-30115.

Upgraded openssl to v1.1.1o. This resolves CVE-2022-1292.

Upgraded dev-libs/libxml2 to v2.9.14. This resolves CVE-2022-29824.

Upgraded dev-libs/libxslt to v1.1.35. This resolves CVE-2022-29824.

Upgraded sys-libs/ncurses to v6.3_p20220423. This resolves CVE-2022-29458.

Fixed CVE-2022-28893 in the Linux kernel.

Upgraded contanerd to v1.6.2. This resolves CVE-2022-24769.

Upgraded open-vm-tools package to v12.0.0_p19345655. This resolves CVE-2022-22943.

Upgraded openssl package to v1.1.1n. This resolves CVE-2022-0778.

Upgraded dev-libs/libxml2 to v2.9.13. This resolves CVE-2022-23308.

Fixed CVE-2021-25217 in net-misc/dhcp.

Fixed CVE-2022-29581 in the Linux kernel.

Fixed CVE-2022-0847 in the Linux kernel.

Updated containerd to v1.6.1. This resolves CVE-2022-23648.

Fixed CVE-2021-45346 in dev-db/sqlite.