Current Status
Image Family | cos-81-lts |
Deprecated After | Jun 24, 2021 |
Kernel | 4.19.150 |
Kubernetes | v1.17.6 |
Docker | v19.03.6 |
Changelog
cos-81-12871-1230-3
Date: Jan 11, 2021
- Created /var/lib/chrony for chrony to work accurately.
- Fixed CVE-2020-29660 in the Linux kernel.
- Fixed CVE-2020-29661 in the Linux kernel.
cos-81-12871-1226-0
Date: Dec 02, 2020
- Fixed CVE-2020-15257 in containerd.
cos-81-12871-1218-0
Date: Oct 26, 2020
- Updated the Linux kernel to v4.19.150.
cos-81-12871-1216-0
Date: Oct 19, 2020
- Fixed CVE-2020-14356.
cos-81-12871-1210-0
Date: Oct 12, 2020
- Added PPP loadable modules back, which were removed in cos-81-12871-1185-0.
- Moved Docker's "registry-mirrors" configuration to the dockerd command line to address Kubernetes cluster provisioning errors.
cos-81-12871-1207-0
Date: Oct 08, 2020
- Fixed an issue in containerd that can cause the Kubelet on master VMs to fail to restart containers in static pods.
- Moved the configuration of Docker's "registry-mirrors" option from the dockerd command line to /etc/docker/daemon.json. This should allow users to configure a custom registry mirror, which can be useful when responding to recent Docker Hub free tier changes.
cos-81-12871-1196-0
Date: Sep 05, 2020
- Fixed Linux kernel vulnerability CVE-2020-14386 by fixing an integer overflow issue in tpacket_rcv.
cos-81-12871-1190-0
Date: Aug 20, 2020
- Reverted the change that enforced that kernel modules must be signed.
- Removed cos-extensions utility. Users should use [cos-gpu-installer](https://github.com/GoogleCloudPlatform/cos-gpu-installer) to install GPU drivers on COS milestone 81.
- Enabled utmp in systemd to allow creation of utmp files.
- Upgraded default GPU driver version to 450.51.06.
cos-81-12871-1185-0
Date: Aug 07, 2020
- Fixed CVE-2020-14308, CVE-2020-14311 and CVE-2020-15705 in grub.
- Disabled CONFIG_PPP to mitigate Linux Kernel CVE-2020-14416.
- Added the cos-extensions-manager package.
- Updated docker-credential-gcr to v2.0.2.
cos-81-12871-1174-0
Date: July 30, 2020
- Removed the metrics daemon to address an issue where it would periodically cause CPU usage spikes in some cases.
- Changed the kernel command line to enforce that kernel modules must be signed.
cos-81-12871-1160-0
Date: July 24, 2020
- Updated node problem detector to 0.8.1.
cos-81-12871-181-0
Date: July 13, 2020
- Added rsync back into the image, which was removed in cos-dev-77-12293-0-0.
- Mounted /var/lib/containerd with the exec option.
- Fixed CVE-2019-9169.
- Enabled support for Confidential VMs.
cos-81-12871-148-0
Date: June 17, 2020
- Made dioread_nolock non-default.
cos-81-12871-146-0
Date: June 16, 2020
- Updated toolbox base container image to include security patches.
cos-81-12871-130-0
Date: June 16, 2020
- Updated the built-in kubectl/kubelet to v1.17.6 to fix a bug that could result in the inability to start a cluster.
cos-81-12871-119-0
Date: May 28, 2020
- Fixed a few OS Login CVEs: CVE-2020-8903, CVE-2020-8907, CVE-2020-8933.
cos-81-12871-117-0
Date: May 27, 2020
- Upgraded sys-libs/libseccomp to version 2.4.2-r1 to fix CVE-2019-9893.
cos-81-12871-103-0
Date: May 07, 2020
- Added package sys-apps/acl.
cos-81-12871-96-0
Date: Apr 29, 2020
- Fixed a kernel bug where eBPF programs can cause softlockups.
cos-81-12871-76-0
Date: Apr 29, 2020
- Disabled `accept_ra` on all interfaces by default.
cos-81-12871-69-0
Date: Apr 05, 2020
- Upgraded the Linux kernel to v4.19.112.
- Backported systemd patch ba0d56f55 to address an issue that resulted in leaked mount units.
- Upgraded dev-db/sqlite to 3.31.1.
- Moved kernel repository to cos.googlesource.com/third_party/kernel.
- Backported necessary ext4 patches and made dioread_nolock default.
cos-81-12871-59-0 (vs Milestone 77)
Date: Mar 27, 2020
New features
- Added support for new Google Compute Engine virtual network interface (GVNIC).
- Added support for AMD's Secure Encrypted Virtualization.
- Added support to implement SCSI devices in user space.
- Added support for snapshotting any block device without massive copying.
- Enhanced security by reducing the predictability of the kernel slab allocator against heap overflows and providing lightweight support for detecting buffer overflows.
- Added chrony package for time synchronization.
- Disabled multicast protocol LLMNR and MDNS by default.
Package updates
- Upgraded docker to v19.03.6.
- Upgraded containerd to v1.3.2.
- Upgraded runc to v1.0.0.
- Upgraded docker-credential-gcr to v2.0.0.
- Upgraded the built-in kubectl/kubelet to v1.17.3.
- Upgraded node-problem-detector to v0.8.0.
- Upgraded cos-toolbox to 20191218-00.
- Upgraded openssl to 1.0.2u.
- Upgraded oslogin to v20190315.
- Upgraded compute-image-packages to v20190801.
Bug fixes
- Changed the MTU of the default docker network to 1460 to make it consistent with Google Compute Engine's default MTU value.
- Fixed a regression that prevented user-level statically defined tracing probes (which require a semaphore) from working.
- Fixed vulnerability in glibc (CVE-2019-19126).