Release Notes: Milestone 85

Current Status

Image Family: cos-85-lts
Deprecated After: Dec 1, 2021
Kernel: COS-5.4.49
Kubernetes: v1.18.9
Docker: v19.03.9

Changelog

cos-85-13310-1041-17

Date: Oct 12, 2020
  • Added PPP loadable modules back, which were removed in cos-rc-85-13310-1019-0.
  • Moved Docker's "registry-mirrors" configuration to the dockerd command line to address Kubernetes cluster provisioning errors.

cos-85-13310-1041-14

Date: Oct 08, 2020
  • Moved the configuration of Docker's "registry-mirrors" option from the dockerd command line to /etc/docker/daemon.json. This allows users to configure a custom registry mirror, which can be useful when responding to the recent Docker Hub free tier changes.
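For reference, this is the shape of a user-supplied /etc/docker/daemon.json entry for that option. It is an added illustration, not a file shipped in the image, and the mirror URL is a placeholder to be replaced with the address of a mirror the operator actually trusts:

```json
{
  "registry-mirrors": ["https://mirror.example.invalid"]
}
```

dockerd reads this file at startup, so it must be restarted after the file changes. Docker refuses to start when the same option is given both as a dockerd command-line flag and in daemon.json, which is why the image build that followed this one (cos-85-13310-1041-17, listed above) moved the built-in mirror setting back to the command line; check how the running dockerd is invoked before adding this key yourself.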

cos-85-13310-1041-9 (vs Milestone 81)

Date: Sep 24, 2020

New features

  • Upgraded kernel to upstream 5.4.
  • Improved eBPF debug and tracing functionality by enabling:
    • Compressed kernel headers.
    • BTF (BPF Type Format) debug info.
  • Improved security by enabling more Kernel Self Protection Project (KSPP) settings:
    • Restricted dmesg access so that unprivileged users cannot read the kernel log.
    • Incorporated the lockdown LSM.
    • Enabled Clang's automatic stack variable initialization.
  • Added XFS in preview mode.
  • Added NVMe userspace utilities (sys-apps/nvme-cli).
  • Added file system ACL userspace utilities (sys-apps/acl).
  • Added FUSE userspace utilities (sys-fs/fuse).
  • Added cos-extensions userspace utilities (app-admin/extensions-manager).
  • Added the NFS utilities packages.
  • Added ext4 block bitmap prefetching feature.
  • Made chrony the default NTP client.
  • Made Python3 the default Python interpreter.
  • Reduced user home directory permissions to 750.
  • Disabled hung_on_panic by default.
  • Enforced kernel module signature verification by default.
  • Added the cos-extensions-manager package.
  • Removed the metrics daemon.

Driver and package updates

  • Upgraded KTD to its beta.
  • Upgraded gVNIC driver to v1.1.0.
  • Upgraded Nvidia GPU driver support to 450.51.06.
  • Upgraded containerd to v1.4.1.
  • Upgraded docker to v19.03.9.
  • Upgraded the built-in kubectl/kubelet to v1.18.9.
  • Upgraded docker-credential-gcr to v2.0.2.
  • Upgraded cloud-init to v19.4.
  • Upgraded node-problem-detector to v0.8.1.
  • Upgraded cos-toolbox to 20200715-00.
  • Upgraded oslogin to v20200507.00.
  • Upgraded compute-image-packages to v20191210.
  • Upgraded dump-capture-kernel to 4.19.
  • Upgraded makedumpfile to v1.6.7.
  • Upgraded Konlet to v0.11.0.
  • Upgraded runc to v1.1.0-rc10.
  • Upgraded openssl to 1.1.0l.
  • Upgraded libseccomp to v2.4.2 to address CVE-2019-9893.

Bug fixes

  • Fixed a kernel bug where eBPF programs could cause soft lockups.
  • Removed the size limit on /etc/ to fix cluster creation failures caused by a large number of addons.
  • Enabled utmp in systemd to allow creation of utmp files.
  • Made dioread_nolock non-default.
  • Updated tcp_keepalive_time to 300 seconds.
  • Updated toolbox base container image to include security patches.
  • Fixed a bug that caused OS login to use excessive amounts of memory.
  • Increased kdump memory reservation to 256M for 8G-16G instances.
  • Added rsync back into the image, which was removed in cos-dev-77-12293-0-0.
  • Added the exec mount option to /var/lib/containerd.
  • Disabled CONFIG_PPP to mitigate Linux Kernel CVE-2020-14416.
  • Backported upstream patch 'perf_event: support for LSM and SELinux check'.
  • Updated e2fsprogs to fix a partition resize issue.
  • Fixed Linux kernel vulnerability CVE-2020-14386.