Container-Optimized OS Release Notes: Milestone 113

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/cos-113-release-notes.xml

April 23, 2024

cos-beta-113-18244-1-44

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.15 v535.161.08(default),v550.54.15(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Updated app-containers/containerd to v1.7.15.

Fixed CVE-2024-26642 in the Linux kernel.

Fixed CVE-2024-26642, CVE-2024-26643 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.file-max: 812399 -> 812400
  • Changed: kernel.threads-max: 63503 -> 63504
  • Changed: user.max_cgroup_namespaces: 31751 -> 31752
  • Changed: user.max_ipc_namespaces: 31751 -> 31752
  • Changed: user.max_mnt_namespaces: 31751 -> 31752
  • Changed: user.max_net_namespaces: 31751 -> 31752
  • Changed: user.max_pid_namespaces: 31751 -> 31752
  • Changed: user.max_time_namespaces: 31751 -> 31752
  • Changed: user.max_user_namespaces: 31751 -> 31752
  • Changed: user.max_uts_namespaces: 31751 -> 31752

April 15, 2024

cos-113-18244-1-37

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.10 v535.161.08(default),v550.54.15(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Fixed integrity-fs dm-crypt creation flakiness.

Updated NVIDIA GPU drivers to v550.54.15. Fixed a potential corruption when launching kernels on H100 GPUs, which is more likely to occur when the GPU is shared between multiple processes.

Updated NVIDIA GPU drivers to v535.161.08. Fixed a potential corruption when launching kernels on H100 GPUs.

Runtime sysctl changes:

  • Changed: fs.file-max: 812400 -> 812399
  • Changed: kernel.threads-max: 63504 -> 63503
  • Changed: user.max_cgroup_namespaces: 31752 -> 31751
  • Changed: user.max_ipc_namespaces: 31752 -> 31751
  • Changed: user.max_mnt_namespaces: 31752 -> 31751
  • Changed: user.max_net_namespaces: 31752 -> 31751
  • Changed: user.max_pid_namespaces: 31752 -> 31751
  • Changed: user.max_time_namespaces: 31752 -> 31751
  • Changed: user.max_user_namespaces: 31752 -> 31751
  • Changed: user.max_uts_namespaces: 31752 -> 31751

April 01, 2024

cos-beta-113-18244-1-33

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.10 v535.161.07(default),v550.54.14(latest),v470.239.06(R470 for compatibility with K80 GPUs)

Update app-containers/nvidia-container-toolkit to v1.14.6.

Added NVIDIA GPU drivers R550 branch and update latest to 550.54.14.

March 27, 2024

cos-beta-113-18244-1-31

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.10 v535.161.07(default, latest),v470.239.06(R470 for compatibility with K80 GPUs)

Upgraded app-admin/node-problem-detector to v0.8.17.

Upgraded localtoast to 1.1.7 and opted out of logging-service-running benchmark by default for cis-level2.

Upgraded app-admin/fluent-bit to v1.9.10.

Upgraded app-admin/sosreport to v4.7.0.

Upgraded app-admin/localtoast to v1.1.7.

Added infiniband and mlx5 device drivers.

Fixed bug in google-guest-agent service enablement.

Fixed CVE-2024-26584 in the Linux kernel.

Fixed CVE-2024-26585 in the Linux kernel.

Fixed CVE-2023-52434 in the Linux kernel.

Fixed CVE-2024-26583 in the Linux kernel.

Fixed CVE-2024-26582 in the Linux kernel.

Fixed CVE-2023-52435 in the Linux kernel.

March 25, 2024

cos-beta-113-18244-1-7

Kernel Docker Containerd GPU Drivers
COS-6.1.77 v24.0.9 v1.7.10 v535.154.05(default, latest),v470.223.02(R470 for compatibility with K80 GPUs)

Updates to Major Packages:

Updated cos-gpu-installer to v2.2.0. Some key features of this update include:

  • Switched precompiled driver and signature location to COS build artifacts for M109.
  • This fixes a permissions issue in the GPU driver install directory with OSS drivers.
  • Added major version specification for GPU driver installation.

Update default and latest NVIDIA GPU drivers to v535.154.05.

Updated sys-apps/systemd to v254.9.

Updated docker-credential-gcr to v2.1.22.

Updated app-containers/docker-cli to v24.0.5.

Updated app-emulation/kubernetes to v1.29.1.

Updated app-containers/containerd to v1.7.10.

Updated app-containers/runc to v1.1.12.

Upgraded app-emulation/cloud-init to v23.4.3.

Upgraded app-admin/oslogin to v20231004.00.

Upgraded app-admin/google-osconfig-agent to v20240126.00.

Upgraded app-admin/google-guest-agent to v20240213.00.

Upgraded app-admin/google-guest-configs to v20240122.00.

Updated app-admin/sosreport to v4.6.1.

Updated latest GPU driver to v535.104.05.

Updated GPU drivers to v535.54.03 (R535 LTSB NVIDIA branch).

Upgraded app-containers/docker-credential-helpers to v0.8.1.

Runtime sysctl changes:

  • Added: net.ipv4.tcp_backlog_ack_defer: 1
  • Changed: fs.epoll.max_user_watches: 1809920 -> 1809474
  • Changed: fs.fanotify.max_user_marks: 67577 -> 67560
  • Changed: fs.file-max: 812606 -> 812400
  • Changed: fs.inotify.max_user_watches: 63456 -> 63441
  • Changed: kernel.threads-max: 63520 -> 63504
  • Changed: net.core.optmem_max: 20480 -> 131072
  • Changed: net.ipv4.tcp_mem: 94092 125456 188184 -> 94068 125424 188136
  • Changed: net.ipv4.udp_mem: 188184 250912 376368 -> 188136 250848 376272
  • Changed: net.ipv6.route.max_size: 4096 -> 2147483647
  • Changed: user.max_cgroup_namespaces: 31760 -> 31752
  • Changed: user.max_fanotify_marks: 67577 -> 67560
  • Changed: user.max_inotify_watches: 63456 -> 63441
  • Changed: user.max_ipc_namespaces: 31760 -> 31752
  • Changed: user.max_mnt_namespaces: 31760 -> 31752
  • Changed: user.max_net_namespaces: 31760 -> 31752
  • Changed: user.max_pid_namespaces: 31760 -> 31752
  • Changed: user.max_time_namespaces: 31760 -> 31752
  • Changed: user.max_user_namespaces: 31760 -> 31752
  • Changed: user.max_uts_namespaces: 31760 -> 31752
  • Changed: vm.lowmem_reserve_ratio: 256 256 32 0 -> 256 256 32 0 0

  • Added: net.netfilter.nf_flowtable_tcp_timeout: 30
  • Added: net.netfilter.nf_flowtable_udp_timeout: 30

  • Changed: fs.file-max: 812608 -> 812606

  • Added: net.ipv4.tcp_shrink_window: 0
  • Added: net.ipv6.conf.all.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.default.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.docker0.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.eth0.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.lo.accept_ra_min_lft: 0

  • Added: kernel.io_uring_disabled: 0
  • Changed: fs.file-max: 812619 -> 812608
  • Changed: kernel.threads-max: 63519 -> 63520
  • Changed: net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd: 0 -> 3
  • Changed: net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent: 0 -> 3
  • Changed: user.max_cgroup_namespaces: 31759 -> 31760
  • Changed: user.max_ipc_namespaces: 31759 -> 31760
  • Changed: user.max_mnt_namespaces: 31759 -> 31760
  • Changed: user.max_net_namespaces: 31759 -> 31760
  • Changed: user.max_pid_namespaces: 31759 -> 31760
  • Changed: user.max_time_namespaces: 31759 -> 31760
  • Changed: user.max_user_namespaces: 31759 -> 31760
  • Changed: user.max_uts_namespaces: 31759 -> 31760

  • Changed: fs.epoll.max_user_watches: 1809474 -> 1809452
  • Changed: fs.file-max: 812400 -> 812392
  • Changed: kernel.threads-max: 63504 -> 63503
  • Changed: net.ipv4.tcp_mem: 94068 125424 188136 -> 94065 125423 188130
  • Changed: net.ipv4.udp_mem: 188136 250848 376272 -> 188133 250847 376266
  • Changed: user.max_cgroup_namespaces: 31752 -> 31751
  • Changed: user.max_ipc_namespaces: 31752 -> 31751
  • Changed: user.max_mnt_namespaces: 31752 -> 31751
  • Changed: user.max_net_namespaces: 31752 -> 31751
  • Changed: user.max_pid_namespaces: 31752 -> 31751
  • Changed: user.max_time_namespaces: 31752 -> 31751
  • Changed: user.max_user_namespaces: 31752 -> 31751
  • Changed: user.max_uts_namespaces: 31752 -> 31751

  • Changed: fs.file-max: 812620 -> 812619

  • Added: fs.overflowgid: 65534
  • Added: fs.overflowuid: 65534

New Features and Changes in the Linux Kernel:

Added additional option to existing kernel cmdline flag that moves protected stateful partition integrity tags to memory.

Fixed a kernel crash that occurred when running Postgres databases.

Enabled TDX Guest support in the Linux Kernel.

Updated the Linux kernel to v6.1.77.

New Features and Changes in the Image:

Changed default umask value for a user to 027.

Removed legacy logging agent (fluentd).

Fragmented nvidia-drivers and nvidia-drivers-open pkg into separate packages per major version.

Enhanced integrity-fs with disk resize and dm-clone.

Removed deprecated R525 NVIDIA GPU drivers.

Added support for dm-zero and dm-clone.

Sosreport now includes GPU Installer logs.

Fixed a performance issue that was observed in Postgres databases.

Fixed a container performance issue that occurred after running systemctl start cloud-audit-setup.

Updated NVIDIA GPU drivers.

Backported support for TCP RTO configuration in networkd.

Enable portmapper registration reporting for lsof. This also fixes an issue where lsof is missing from SOS reports.

Add compiler mitigations to mitigate memory corruption vulnerabilities.

Sequence named before nss-lookup.target.

Restore systemd-logind restart behavior when dbus restarts.

Fixed an issue where symlinks could not be moved.

Fixed an issue where IPv6 networking would fail under high CPU load.

Fixed an issue with NFS reconnects on GKE.

The get_metadata_value script will now retry if it experiences a connection error.

Enabled persistence mode with Nvidia GPU driver installation.

Fixed an issue in ip6tables where the -C option did not work correctly.

Simplified GPU driver installation by remounting driver installation path as executable from cos-extensions.

Added support for user.* xattr on tmpfs.

Added automatic generation of known modules list to image build process.

Include nvidia plugin into sosreport.

Added support for iSCSI targets and RAM block devices.

Fixed a time-to-login slowdown introduced by cloud-init changes.

CVE/Security Fixes:

Fixed CVE-2024-21626 in app-containers/runc.

Upgraded app-editors/vim to v9.0.2167 and app-editors/vim-core to v9.0.2167. This resolves CVE-2023-4733, CVE-2023-4734, CVE-2023-4735, CVE-2023-4736, CVE-2023-4738, CVE-2023-4750, CVE-2023-4752, CVE-2023-4781, CVE-2023-5344, CVE-2023-5441, CVE-2023-5535.

Updated dev-lang/go to v1.21.5. This fixes CVE-2023-45285 and CVE-2023-39326.

Upgraded dev-go/crypto to v0.17.0. This fixes CVE-2023-48795.

Upgraded sys-apps/dbus to v1.12.28. This fixes CVE-2023-34969.

Fixed CVE-2023-49083 in package dev-python/cryptography.

Fixed CVE-2023-6622, CVE-2023-5197, CVE-2023-42753, CVE-2023-4921, CVE-2023-4623, CVE-2023-4194, CVE-2024-23851, CVE-2024-26581 in the Linux kernel.

Updated net-libs/nghttp2 to v1.57.0. This resolves CVE-2023-44487 and CVE-2023-35945.

Updated dev-go/net to v0.17.0. This resolves CVE-2023-44487 and CVE-2023-39325.

Fixed CVE-2023-4911 in sys-libs/glibc.

Fixed CVE-2023-38039 in net-misc/curl.

Fixed CVE-2023-5345 and CVE-2023-42756 in COS kernel.

Fixed CVE-2023-32636, CVE-2023-29499, CVE-2023-32643, CVE-2023-32665, CVE-2023-32611 in glib and glib-utils.

Upgraded sys-fs/mdadm to v4.2. This resolves CVE-2023-28938 and CVE-2023-28736.

Fixed CVE-2023-4016 in sys-process/procps.

Updated dev-go/yaml to v3.0.1. This resolves CVE-2022-28948.

Fixed CVE-2022-40896 in pygments.

Fixed CVE-2023-24329 and CVE-2023-40217 in dev-lang/python.

Fixed ncurses upgrade to 6.4p20220423. This resolves CVE-2023-29491.

Upgraded dev-db/sqlite to v3.45.1-r1. This also fixes CVE-2023-7104.

Fixed CVE-2023-40546, CVE-2023-40548, CVE-2023-40549, CVE-2023-40551, CVE-2023-40547, and CVE-2023-40550 in sys-boot/shim.

Upgrade docker to v24.0.9. This fixes CVE-2024-24557.

Updated dev-libs/openssl to v3.0.13. This resolves CVE-2024-0727 and CVE-2023-6129.

Fixed CVE-2024-0684 in sys-apps/coreutils.

Upgraded net-misc/curl to version 8.6.0. This fixes CVE-2024-0853 and CVE-2023-38545.

Updated dev-libs/libxml2 to 2.11.7. This fixes CVE-2024-25062.

Updated default GPU driver to v470.199.02 and latest GPU driver to v525.125.06. This resolves CVE-2023-25515 and CVE-2023-25516.

Updates for Minor Packages:

Upgraded dev-libs/nss to v3.97.

Upgraded net-libs/gnutls to v3.8.3.

Upgraded dev-python/jinja to v3.1.3.

Upgraded app-admin/node-problem-detector to v0.8.15.

Upgraded app-eselect/eselect-iptables to v20220320.

Upgraded sys-libs/libcap-ng to v0.8.4-r1.

Upgraded net-misc/rsync to v3.2.7-r4.

Upgraded dev-python/netifaces to v0.11.0-r2.

Upgraded net-libs/libtirpc to v1.3.4-r1.

Upgraded app-admin/sudo to v1.9.15_p5.

Upgraded app-misc/jq to v1.7.1.

Upgraded sys-apps/pv to v1.8.5.

Upgraded sys-process/lsof to v4.99.3.

Upgraded dev-util/bsdiff to v4.3.1-r42.

Updated net-misc/openssh to v9.6_p1-r1.

Upgraded sys-apps/less to v643-r1.

Upgraded chromeos-base/mojo_service_manager to v0.0.1-r271.

Upgraded net-misc/socat to v1.8.0.0.

Upgraded dev-python/jsonpatch to v1.33.

Upgraded dev-python/pyyaml to v6.0.1-r1.

Upgraded dev-lang/python-exec to v2.4.10.

Upgraded dev-python/six to v1.16.0-r1.

Upgraded dev-python/configobj to v5.0.8.

Upgraded dev-python/nose to v1.3.7_p20221026.

Upgraded dev-python/mock to v5.1.0.

Upgraded dev-python/pyserial to v3.5-r2.

Upgraded sys-apps/hwdata to v0.376.

Upgraded sys-fs/xfsprogs to v6.5.0.

Upgraded dev-python/pygobject to v3.46.0.

Upgraded sys-devel/libtool to v2.4.6-r7.

Upgraded dev-libs/double-conversion to v3.2.1.

Upgraded net-fs/cifs-utils to v7.0-r1, Upgraded sys-libs/talloc to v2.4.1.

Upgraded app-arch/unzip to v6.0_p27-r1.

Upgraded sys-apps/dmidecode to v3.5-r3.

Upgraded dev-util/gn to v2121.

Upgraded chromeos-base/chromeos-dbus-bindings to v0.0.1-r2787.

Updated dev-embedded/libftdi to v1.5-r5.

Upgraded sys-apps/coreutils to v9.4.

Upgraded sys-process/procps to v4.0.4.

Updated dev-go/go-tools to v0.11.1_p20230712.

Upgraded app-arch/pigz to v2.8.

Upgraded sys-block/thin-provisioning-tools to v0.9.0-r2.

Upgraded app-arch/tar to v1.35.

Upgraded app-arch/xz-utils to v5.4.6-r1.

Upgraded app-misc/ca-certificates to v20230311.3.97.

Upgraded net-dns/c-ares to v1.26.0.

Upgraded net-dns/libidn2 to v2.3.7.

Upgraded sys-apps/attr to v2.5.2-r1.

Upgraded sys-apps/ethtool to v6.7.

Upgraded sys-apps/file to v5.45-r4.

Upgraded sys-libs/libcap to v2.69-r1.

Upgraded sys-libs/timezone-data to v2024a.

Upgraded sys-libs/zlib to v1.3.1-r1.

Upgraded dev-libs/libusb to v1.0.27.

Upgraded dev-libs/expat to v2.6.0.

Upgraded sys-apps/acl to v2.3.2.

Updated gzip to v1.13.

Upgraded sys-auth/pambase to v20240128.

Upgraded net-misc/chrony to v4.5.

Upgraded app-containers/cni-plugins to v1.4.0.

Upgraded sys-apps/makedumpfile to v1.7.4.

Upgraded chromeos-base/system_api to v0.0.1-r5643.

Upgraded chromeos-base/update_engine-client to v0.0.1-r2385.

Upgraded chromeos-base/hiberman-client to v0.0.1-r455.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2859.

Upgraded chromeos-base/dlcservice-client to v0.0.1-r884.

Upgraded chromeos-base/vm_protos to v0.0.1-r552.

Upgraded chromeos-base/shill-client to v0.0.1-r4325.

Upgraded chromeos-base/minijail to v18-r135.

Upgraded chromeos-base/debugd-client to v0.0.1-r2641.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2722.

Upgraded chromeos-base/chromeos-common-script to v0.0.1-r601.

Upgraded chromeos-base/google-breakpad to v2024.01.16.190249-r226.

Upgraded dev-util/puffin to v1.0.0-r450.

Upgraded sys-fs/squashfs-tools to v4.6.1.

Upgraded sys-apps/sandbox to v2.29-r1.