Release Notes: Milestone 81

Current Status

Image Family: cos-81-lts
Deprecated After: Jun 24, 2021
Kernel: 4.19.112
Kubernetes: v1.17.6
Docker: v19.03.6

Changelog

cos-81-12871-1216-0

Date: Oct 19, 2020
  • Fixed CVE-2020-14356.

cos-81-12871-1210-0

Date: Oct 12, 2020
  • Added PPP loadable modules back, which were removed in cos-81-12871-1185-0.
  • Moved Docker's "registry-mirrors" configuration to the dockerd command line to address Kubernetes cluster provisioning errors.

cos-81-12871-1207-0

Date: Oct 08, 2020
  • Fixed an issue in containerd that can cause the Kubelet on master VMs to fail to restart containers in static pods.
  • Moved the configuration of Docker's "registry-mirrors" option from the dockerd command line to /etc/docker/daemon.json. This should allow users to configure a custom registry mirror, which can be useful when responding to recent Docker Hub free tier changes.

cos-81-12871-1196-0

Date: Sep 05, 2020
  • Fixed Linux kernel vulnerability CVE-2020-14386 by fixing an integer overflow issue in tpacket_rcv.

cos-81-12871-1190-0

Date: Aug 20, 2020
  • Reverted the change that enforced that kernel modules must be signed.
  • Removed cos-extensions utility. Users should use [cos-gpu-installer](https://github.com/GoogleCloudPlatform/cos-gpu-installer) to install GPU drivers on COS milestone 81.
  • Enabled utmp in systemd to allow creation of utmp files.
  • Upgraded default GPU driver version to 450.51.06.

cos-81-12871-1185-0

Date: Aug 07, 2020
  • Fixed CVE-2020-14308, CVE-2020-14311 and CVE-2020-15705 in grub.
  • Disabled CONFIG_PPP to mitigate Linux Kernel CVE-2020-14416.
  • Added the cos-extensions-manager package.
  • Updated docker-credential-gcr to v2.0.2.

cos-81-12871-1174-0

Date: July 30, 2020
  • Removed the metrics daemon to address an issue where it would periodically cause CPU usage spikes in some cases.
  • Changed the kernel command line to enforce that kernel modules must be signed.

cos-81-12871-1160-0

Date: July 24, 2020
  • Updated node problem detector to 0.8.1.

cos-81-12871-181-0

Date: July 13, 2020
  • Added rsync back into the image, which was removed in cos-dev-77-12293-0-0.
  • Mounted /var/lib/containerd with the exec option.
  • Fixed CVE-2019-9169.
  • Enabled support for Confidential VMs.

cos-81-12871-148-0

Date: June 17, 2020
  • Made dioread_nolock non-default.

cos-81-12871-146-0

Date: June 16, 2020
  • Updated toolbox base container image to include security patches.

cos-81-12871-130-0

Date: June 16, 2020
  • Updated the built-in kubectl/kubelet to v1.17.6 to fix a bug that could result in the inability to start a cluster.

cos-81-12871-119-0

Date: May 28, 2020
  • Fixed a few OS Login CVEs: CVE-2020-8903, CVE-2020-8907, CVE-2020-8933.

cos-81-12871-117-0

Date: May 27, 2020
  • Upgraded sys-libs/libseccomp to version 2.4.2-r1 to fix CVE-2019-9893.

cos-81-12871-103-0

Date: May 07, 2020
  • Added package sys-apps/acl.

cos-81-12871-96-0

Date: Apr 29, 2020
  • Fixed a kernel bug where eBPF programs can cause softlockups.

cos-81-12871-76-0

Date: Apr 29, 2020
  • Disabled `accept_ra` on all interfaces by default.

cos-81-12871-69-0

Date: Apr 05, 2020
  • Upgraded the Linux kernel to v4.19.112.
  • Backported systemd patch ba0d56f55 to address an issue that resulted in leaked mount units.
  • Upgraded dev-db/sqlite to 3.31.1.
  • Moved kernel repository to cos.googlesource.com/third_party/kernel.
  • Backported necessary ext4 patches and made dioread_nolock default.

cos-81-12871-59-0 (vs Milestone 77)

Date: Mar 27, 2020

New features

  • Added support for new Google Compute Engine virtual network interface (GVNIC).
  • Added support for AMD's Secure Encrypted Virtualization.
  • Added support for implementing SCSI devices in user space.
  • Added support for snapshotting any block device without massive copying.
  • Enhanced security by reducing the predictability of the kernel slab allocator against heap overflows and providing lightweight support for detecting buffer overflows.
  • Added chrony package for time synchronization.
  • Disabled multicast protocol LLMNR and MDNS by default.

Package updates

  • Upgraded docker to v19.03.6.
  • Upgraded containerd to v1.3.2.
  • Upgraded runc to v1.0.0.
  • Upgraded docker-credential-gcr to v2.0.0.
  • Upgraded the built-in kubectl/kubelet to v1.17.3.
  • Upgraded node-problem-detector to v0.8.0.
  • Upgraded cos-toolbox to 20191218-00.
  • Upgraded openssl to 1.0.2u.
  • Upgraded oslogin to v20190315.
  • Upgraded compute-image-packages to v20190801.

Bug fixes

  • Changed the MTU of the default docker network to 1460 to make it consistent with Google Compute Engine's default MTU value.
  • Fixed a regression that prevented user-level statically defined tracing probes (which require a semaphore) from working.
  • Fixed vulnerability in glibc (CVE-2019-19126).