Release Notes: Milestone 85

Current Status

Image Family cos-85-lts
Deprecated After Dec 1, 2021
Kernel COS-5.4.109
Kubernetes v1.18.15
Docker v19.03.15
Containerd v1.4.3

Changelog

cos-85-13310-1260-23

Date: Jun 14, 2021
  • Fixed a network regression on single-core systems when using the GVE network interface.

cos-85-13310-1260-22

Date: Jun 09, 2021
  • Fixed a network regression on multi-core systems when using the GVE network interface.
  • Updated runc to v1.0.0_rc95. This resolves CVE-2021-30465.

cos-85-13310-1260-17

Date: Jun 07, 2021
  • Fixed CPU usage for workloads with heavy page cache usage.

cos-85-13310-1260-8

Date: May 03, 2021
  • Upgraded dev-vcs/git to version 2.26.3. This resolves CVE-2021-21300.

cos-85-13310-1260-5

Date: Apr 22, 2021
  • Fixed an out-of-bounds write issue in the Linux kernel.

cos-85-13310-1260-1

Date: Apr 13, 2021
  • Updated the Linux kernel to v5.4.109.
  • Updated glib to v2.66.7. This fixes CVE-2021-27218 and CVE-2021-27219.
  • Updated the built-in kubectl/kubelet to v1.18.15.
  • Fixed CVE-2020-28493 in dev-python/jinja.
  • Fixed the following CVEs in dev-db/sqlite: CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-13871 and CVE-2020-15358.
  • Upgraded docker to v19.03.15.
  • Upgraded net-misc/openssh to version 8.5_p1. This fixes CVE-2021-28041.
  • Added the cos-package-info.json file, which lists the packages installed in the image as well as the packages used while building the COS image.

cos-85-13310-1209-29

Date: Apr 12, 2021
  • Updated openssh to version 8.5_p1. This resolves CVE-2021-28041.
  • Upgraded openssl to version 1.1.1k. This resolves CVE-2021-3449 and CVE-2021-3450.

cos-85-13310-1209-24

Date: Apr 05, 2021
  • Updated openssl to version 1.1.1j. This resolves CVE-2021-23840 and CVE-2021-23841.

cos-85-13310-1209-17

Date: Mar 01, 2021
  • Upgraded libgcrypt to v1.9.1. This addresses CVE-2021-3345.

cos-85-13310-1209-12

Date: Feb 22, 2021
  • Fixed an issue where firewall initialization would fail because ip6tables was not waiting to claim the xtables lock.

cos-85-13310-1209-10

Date: Feb 08, 2021
  • Fixed a 32x truesize under-estimation for tiny skbs in the Linux kernel.

cos-85-13310-1209-7

Date: Feb 01, 2021
  • Upgraded app-admin/sudo to version 1.9.5_p2. This resolves CVE-2021-3156.

cos-85-13310-1209-3

Date: Jan 25, 2021
  • LTS Refresh Release.
  • Updated cos-gpu-installer to v2.0.3 in cos-extensions. This fixes an issue where GPU driver installation failed because the GPU kernel modules were loaded in the wrong order.
  • Fixed an authentication error when using go-dbus to connect to systemd.
  • Updated Docker to v19.03.14.
  • Updated the Linux kernel to upstream/v5.4.89.
  • Updated the built-in kubectl/kubelet to v1.18.13.
  • Added support for the bpf_get_netns_cookie eBPF helper.
  • Updated containerd to v1.4.3.

cos-85-13310-1041-161

Date: Jan 11, 2021
  • Fixed CVE-2020-29661 in the Linux kernel.
  • Fixed CVE-2020-29660 in the Linux kernel.
  • Fixed an issue where sshd was restarted every minute if the metadata server returned no OS Login users.

cos-85-13310-1041-38

Date: Dec 02, 2020
  • Fixed CVE-2020-15257 in containerd.

cos-85-13310-1041-28

Date: Nov 11, 2020
  • cloud-init now starts after network-online.target, since cloud-init does not configure the network for COS on GCP.

cos-85-13310-1041-24

Date: Oct 19, 2020
  • Backported CONFIG_INIT_STACK_ALL_ZERO to replace CONFIG_INIT_STACK_ALL, so that stack variables are zero-initialized instead of filled with the 0xAA pattern.
  • Fixed network packet data corruption in gve v1.1.0.

cos-85-13310-1041-17

Date: Oct 12, 2020
  • Added PPP loadable modules back, which were removed in cos-rc-85-13310-1019-0.
  • Moved Docker's "registry-mirrors" configuration back to the dockerd command line to address Kubernetes cluster provisioning errors.

cos-85-13310-1041-14

Date: Oct 08, 2020
  • Moved the configuration of Docker's "registry-mirrors" option from the dockerd command line to /etc/docker/daemon.json. This lets users configure a custom registry mirror, which can be useful when responding to the recent Docker Hub free-tier changes.
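
The two entries above move the mirror setting between /etc/docker/daemon.json and the dockerd command line. The release notes do not say what the provisioning errors were, but one failure mode a practitioner should know is that dockerd refuses to start when the same option is given both as a flag and in daemon.json. The following script is an added example (not COS's own code) that classifies where the mirror is configured and flags the conflicting case; the sample JSON and command line are constructed, and the live-check paths (/etc/docker/daemon.json, `ps -o args= -C dockerd`) are assumptions about a standard Docker host.

```shell
#!/bin/sh
# Added example, not COS's own code: report whether dockerd's registry mirror
# is set in /etc/docker/daemon.json, on the dockerd command line, in both
# (dockerd rejects an option given in both places), or in neither.
# The helpers take file contents / command line as strings so they can be
# exercised offline; run_live_check reads the live node (paths assumed).

# $1: contents of daemon.json. Returns 0 if it sets "registry-mirrors".
json_sets_mirrors() {
    printf '%s\n' "$1" | grep -q '"registry-mirrors"'
}

# $1: the dockerd command line (e.g. from `ps -o args= -C dockerd` or the
# systemd unit's ExecStart). Returns 0 if it passes --registry-mirror.
cmdline_sets_mirrors() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])--registry-mirror(=|[[:space:]])'
}

# $1: daemon.json contents, $2: dockerd command line.
# Prints one of: none, file, flag, conflict
mirror_source() {
    file=0
    flag=0
    json_sets_mirrors "$1" && file=1
    cmdline_sets_mirrors "$2" && flag=1
    case "$file$flag" in
        00) echo none ;;
        10) echo file ;;
        01) echo flag ;;
        11) echo conflict ;;
    esac
}

# Constructed sample inputs (not taken from a real node).
SAMPLE_JSON='{ "live-restore": true, "registry-mirrors": ["https://mirror.gcr.io"] }'
SAMPLE_CMDLINE='dockerd --registry-mirror=https://mirror.gcr.io --log-level=warn'

run_live_check() {
    # Assumed locations: the default daemon.json path and the running dockerd.
    cfg=$(cat /etc/docker/daemon.json 2>/dev/null || echo '{}')
    cmd=$(ps -o args= -C dockerd 2>/dev/null || echo '')
    mirror_source "$cfg" "$cmd"
}

case "${1:-}" in
    --live) run_live_check ;;
    --demo) mirror_source "$SAMPLE_JSON" "$SAMPLE_CMDLINE" ;;   # prints: conflict
esac
```

Run it with `--demo` to see the constructed conflicting case, or with `--live` on a node to classify its real configuration. A result of `conflict` means dockerd will fail to start until the option is removed from one of the two places.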

cos-85-13310-1041-9 (vs Milestone 81)

Date: Sep 24, 2020

New features

  • Upgraded kernel to upstream 5.4.
  • Improved eBPF debugging and tracing functionality by enabling:
    • Compressed kernel headers.
    • BTF (BPF Type Format) debug info.
  • Improved security by enabling more Kernel Self Protection Project (KSPP) settings:
    • Restricted dmesg access so that unprivileged users cannot read the kernel log.
    • Incorporated the lockdown LSM.
    • Enabled Clang's automatic stack variable initialization.
  • Added XFS in preview mode.
  • Added the NVMe userspace utilities (sys-apps/nvme-cli).
  • Added the file system ACL userspace utilities (sys-apps/acl).
  • Added the FUSE userspace utilities (sys-fs/fuse).
  • Added the cos-extensions userspace utilities (app-admin/extensions-manager).
  • Added the NFS utilities packages.
  • Added ext4 block bitmap prefetching feature.
  • Made chrony the default NTP client.
  • Made Python3 the default Python interpreter.
  • Tightened user home directory permissions to 0750.
  • Disabled hung_on_panic by default.
  • Enforced kernel module signature verification by default.
  • Added the cos-extensions-manager package.
  • Removed the metrics daemon.
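
Several of the hardening items above (dmesg restriction, the lockdown LSM, module signature enforcement, 0750 home directories) can be verified on a running node. The script below is an added audit helper, not part of COS or of these release notes; it reads the standard Linux interfaces for each setting (/proc/sys/kernel/dmesg_restrict, /sys/kernel/security/lockdown, /sys/module/module/parameters/sig_enforce, and `stat -c %a` from GNU coreutils) and applies a pass/fail policy that is this script's own. The check functions take the raw value as an argument so the logic can be exercised offline with constructed values.

```shell
#!/bin/sh
# Added audit helper, not COS code. Checks a node for the Milestone 85
# hardening settings via standard Linux interfaces:
#   kernel.dmesg_restrict        /proc/sys/kernel/dmesg_restrict             expect 1
#   lockdown LSM                 /sys/kernel/security/lockdown               expect [integrity] or [confidentiality]
#   module signature enforcement /sys/module/module/parameters/sig_enforce   expect Y
#   home directory mode          stat -c %a /home/<user>                     expect 750 or tighter
# The pass/fail policy below is this script's own, not a COS-defined one.

check_dmesg_restrict() {
    # $1: "0" or "1" from /proc/sys/kernel/dmesg_restrict
    if [ "$1" = "1" ]; then
        echo "PASS dmesg_restrict=1"
    else
        echo "FAIL dmesg_restrict=$1 (unprivileged users can read dmesg)"
        return 1
    fi
}

check_lockdown() {
    # $1: e.g. "none [integrity] confidentiality"; the bracketed word is the active mode
    case "$1" in
        *"[integrity]"*|*"[confidentiality]"*)
            echo "PASS lockdown=$1" ;;
        *)
            echo "FAIL lockdown=$1 (lockdown LSM not enforcing)"
            return 1 ;;
    esac
}

check_sig_enforce() {
    # $1: "Y" or "N" from /sys/module/module/parameters/sig_enforce
    if [ "$1" = "Y" ]; then
        echo "PASS module sig_enforce=Y"
    else
        echo "FAIL module sig_enforce=$1 (unsigned modules can be loaded)"
        return 1
    fi
}

check_home_mode() {
    # $1: octal mode as printed by `stat -c %a`, e.g. "750" or "4750".
    # Accept any mode whose last three digits deny all access to "other"
    # and deny write to "group" (750, 700, 710, 740, ...).
    prefix=${1%???}
    last3=${1#"$prefix"}
    case "$last3" in
        [0-7][0145]0) echo "PASS home mode $1" ;;
        *) echo "FAIL home mode $1 (group-writable or world-accessible)"; return 1 ;;
    esac
}

# Print a file's contents, or "missing" if it is absent or unreadable.
read_or_missing() { [ -r "$1" ] && cat "$1" || echo missing; }

# Run every check against the live node; exit status 1 if anything failed.
audit_node() {
    rc=0
    check_dmesg_restrict "$(read_or_missing /proc/sys/kernel/dmesg_restrict)" || rc=1
    check_lockdown "$(read_or_missing /sys/kernel/security/lockdown)" || rc=1
    check_sig_enforce "$(read_or_missing /sys/module/module/parameters/sig_enforce)" || rc=1
    for d in /home/*/; do
        [ -d "$d" ] || continue
        check_home_mode "$(stat -c %a "$d")" || rc=1
    done
    return $rc
}

# Run the live audit only when asked, e.g. `sh cos85-audit.sh --live`.
case "${1:-}" in
    --live) audit_node ;;
esac
```

On a node, `sh cos85-audit.sh --live` prints one PASS/FAIL line per check and exits non-zero if any check failed, which makes it easy to run from a DaemonSet or a node-problem-detector custom plugin. The lockdown check treats "none" as a failure even when the LSM is compiled in, since only the integrity and confidentiality modes actually block the unsigned-code paths the hardening item is about.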

Driver and package updates

  • Upgraded KTD to its beta.
  • Upgraded gVNIC driver to v1.1.0.
  • Upgraded Nvidia GPU driver support to 450.51.06.
  • Upgraded containerd to v1.4.1.
  • Upgraded docker to v19.03.9.
  • Upgraded the built-in kubectl/kubelet to v1.18.9.
  • Upgraded docker-credential-gcr to v2.0.2.
  • Upgraded cloud-init to v19.4.
  • Upgraded node-problem-detector to v0.8.1.
  • Upgraded cos-toolbox to 20200715-00.
  • Upgraded oslogin to v20200507.00.
  • Upgraded compute-image-packages to v20191210.
  • Upgraded dump-capture-kernel to 4.19.
  • Upgraded makedumpfile to v1.6.7.
  • Upgraded Konlet to v0.11.0.
  • Upgraded runc to v1.0.0-rc10.
  • Upgraded openssl to 1.1.0l.
  • Upgraded libseccomp to v2.4.2 to address CVE-2019-9893.

Bug fixes

  • Fixed a kernel bug where eBPF programs can cause softlockups.
  • Removed the size limit on /etc/ to fix cluster creation failures caused by a large number of addons.
  • Enabled utmp in systemd to allow creation of utmp files.
  • Made the ext4 dioread_nolock mount option non-default.
  • Updated tcp_keepalive_time to 300 seconds.
  • Updated toolbox base container image to include security patches.
  • Fixed a bug that caused OS Login to use excessive amounts of memory.
  • Increased the kdump memory reservation to 256 MB for instances with 8 to 16 GB of memory.
  • Added rsync back into the image, which was removed in cos-dev-77-12293-0-0.
  • Added the exec mount option to /var/lib/containerd.
  • Disabled CONFIG_PPP to mitigate Linux Kernel CVE-2020-14416.
  • Backported upstream patch 'perf_event: support for LSM and SELinux check'.
  • Updated e2fsprogs to fix partition resize issue.
  • Fixed Linux kernel vulnerability CVE-2020-14386.