Container-Optimized OS Release Notes: Milestone 85

cos-85-13310-1366-9

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Nov 15, 2021  COS-5.4.150  v1.18.20    v19.03.15  v1.4.8      v450.119.04

Fixed UUID parsing in kernel crash dump collection.

Updated vim and vim-core to v8.2.3567. This fixes CVE-2021-3872, CVE-2021-3903 and CVE-2021-3875.

Upgraded app-arch/libarchive to v3.5.2. This fixes CVE-2021-36976.

cos-85-13310-1366-5

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Nov 04, 2021  COS-5.4.150  v1.18.20    v19.03.15  v1.4.8      v450.119.04

Enabled cos-extensions to fetch artifacts with geo-redundancy when installing the GPU driver.

Upgraded openssl to 1.1.1l. This fixes CVE-2021-3711.

cos-85-13310-1366-3

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Nov 01, 2021  COS-5.4.150  v1.18.20    v19.03.15  v1.4.8      v450.119.04

Fixed CVE-2021-41864 in the Linux Kernel.

cos-85-13310-1366-2

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Oct 18, 2021  COS-5.4.150  v1.18.20    v19.03.15  v1.4.8      v450.119.04

Updated the Linux kernel to v5.4.150. This resolves CVE-2021-35477, CVE-2021-34556, CVE-2021-38205, CVE-2021-38198, CVE-2021-38199, CVE-2021-40490 and CVE-2021-3653.

Fixed CVE-2020-10029 in sys-libs/glibc.

Fixed CVE-2021-22945 in net-misc/curl.

Updated vim to v8.2.3428. This resolves CVE-2021-3796, CVE-2021-3778, and CVE-2021-3770.

Fixed CVE-2019-17594, CVE-2019-17595 and CVE-2021-39537 in sys-libs/ncurses.

Added the kernel config file under the /boot directory.

Updated the built-in kubectl/kubelet to v1.18.20.

cos-85-13310-1308-25

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Oct 11, 2021  COS-5.4.129  v1.18.17    v19.03.15  v1.4.8      v450.119.04

Fixed an issue where GPU drivers wouldn't load due to being incorrectly linked.

Fixed CVE-2021-41103 in containerd.

cos-85-13310-1308-23

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Oct 04, 2021  COS-5.4.129  v1.18.17    v19.03.15  v1.4.8      v450.119.04

Fixed CVE-2020-12403 in dev-libs/nss.

cos-85-13310-1308-22

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Sep 27, 2021  COS-5.4.129  v1.18.17    v19.03.15  v1.4.8      v450.119.04

Fixed CVE-2021-28153 in glib and glib-utils.

Upgraded app-arch/libarchive to v3.5.1. This resolves CVE-2021-36976.

cos-85-13310-1308-19

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Sep 20, 2021  COS-5.4.129  v1.18.17    v19.03.15  v1.4.8      v450.119.04

Fixed CVE-2021-3612 in the Linux kernel.

cos-85-13310-1308-18

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Sep 13, 2021  COS-5.4.129  v1.18.17    v19.03.15  v1.4.8      v450.119.04

Upgraded net-misc/curl to v7.78.0. This resolves CVE-2021-22876, CVE-2021-22898, CVE-2021-22897, CVE-2021-22890, CVE-2021-22926 and CVE-2021-22924.

Fixed CVE-2021-32760 in containerd.

Upgraded net-misc/wget to v1.21.1. This resolves CVE-2021-31879.

cos-85-13310-1308-10

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Aug 23, 2021  COS-5.4.129  v1.18.17    v19.03.15  v1.4.6      v450.119.04

Fixed the cleanup context used by teardownPodNetwork.

cos-85-13310-1308-7

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Aug 02, 2021  COS-5.4.129  v1.18.17    v19.03.15  v1.4.6      v450.119.04

Added the cos.enable_ipv6 kernel command line option that enables IPv6 configuration. This option does not disable IPv4 configuration; COS always configures IPv4 by default.

Fixed an issue where enabling both IPv6 and IPv4 configuration on IPv4-exclusive networks resulted in slow boot times.

cos-85-13310-1308-6

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Jul 26, 2021  COS-5.4.129  v1.18.17    v19.03.15  v1.4.6      v450.119.04

Fixed CVE-2021-33910 in systemd.

Fixed CVE-2021-33909 in the Linux kernel.

cos-85-13310-1308-1

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Jul 12, 2021  COS-5.4.129  v1.18.17    v19.03.15  v1.4.6      v450.119.04

Updated containerd to v1.4.6.

Updated the built-in kubelet to v1.18.17.

Updated the Linux kernel to v5.4.129.

Upgraded the default GPU driver version to 450.119.04.

Upgraded tar to 1.34.

Upgraded sqlite to 3.34.1.

Upgraded libgcrypt to 1.9.3. This fixes CVE-2021-33560.

Fixed CVE-2021-3537 in libxml2.

Fixed CVE-2020-24977 in libxml2.

cos-85-13310-1260-26

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Jun 21, 2021  COS-5.4.109  v1.18.15    v19.03.15  v1.4.3      v450.51.06

Fixed a memory leak in the GVE kernel driver.

Fixed a low network bandwidth issue in the Linux kernel.

cos-85-13310-1260-23

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Jun 14, 2021  COS-5.4.109  v1.18.15    v19.03.15  v1.4.3      v450.51.06

Fixed a network regression on single-core systems when using the GVE network interface.

cos-85-13310-1260-22

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Jun 09, 2021  COS-5.4.109  v1.18.15    v19.03.15  v1.4.3      v450.51.06

Fixed a network regression when using the GVE network interface.

Updated runc to v1.0.0_rc95. This resolves CVE-2021-30465.

cos-85-13310-1260-17

Date          Kernel       Kubernetes  Docker     Containerd  Default GPU Driver
Jun 07, 2021  COS-5.4.109  v1.18.15    v19.03.15  v1.4.3      v450.51.06

Fixed excessive CPU usage for workloads with heavy page cache usage.

cos-85-13310-1260-8

Date          Kernel       Kubernetes  Docker     Containerd
May 03, 2021  COS-5.4.109  v1.18.15    v19.03.15  v1.4.3

Upgraded dev-vcs/git to version 2.26.3. This resolves CVE-2021-21300.

cos-85-13310-1260-5

Date          Kernel       Kubernetes  Docker     Containerd
Apr 22, 2021  COS-5.4.109  v1.18.15    v19.03.15  v1.4.3

Fixed an out-of-bounds write issue in the Linux kernel.

cos-85-13310-1260-1

Date          Kernel       Kubernetes  Docker     Containerd
Apr 13, 2021  COS-5.4.109  v1.18.15    v19.03.15  v1.4.3

Updated the Linux kernel to v5.4.109.

Updated the built-in kubectl/kubelet to v1.18.15.

Upgraded docker to v19.03.15.

Updated glib to v2.66.7. This fixes CVE-2021-27218 and CVE-2021-27219.

Fixed CVE-2020-28493 in dev-python/jinja.

Fixed CVE-2020-13630, CVE-2020-9327, CVE-2020-13871, CVE-2020-11656, CVE-2020-11655, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434 and CVE-2020-13435 in dev-db/sqlite.

Upgraded net-misc/openssh to version 8.5_p1. This fixes CVE-2021-28041.

Added the cos-package-info.json file, which lists the installed packages as well as the packages used when building the COS image.

cos-85-13310-1209-29

Date          Kernel       Kubernetes  Docker     Containerd
Apr 12, 2021  COS-5.4.89   v1.18.13    v19.03.14  v1.4.3

Updated openssh to version 8.5_p1. This resolves CVE-2021-28041.

Upgraded openssl to version 1.1.1k. This resolves CVE-2021-3449 and CVE-2021-3450.

cos-85-13310-1209-24

Date          Kernel       Kubernetes  Docker
Apr 05, 2021  COS-5.4.89   v1.18.13    v19.03.14

Updated openssl to version 1.1.1j. This resolves CVE-2021-23840 and CVE-2021-23841.

cos-85-13310-1209-17

Date          Kernel       Kubernetes  Docker
Mar 01, 2021  COS-5.4.89   v1.18.13    v19.03.14

Upgraded libgcrypt to v1.9.1. This addresses CVE-2021-3345.

cos-85-13310-1209-12

Date          Kernel       Kubernetes  Docker
Feb 22, 2021  COS-5.4.89   v1.18.13    v19.03.14

Fixed an issue where firewall initialization would fail because ip6tables was not waiting to claim the xtables lock.

cos-85-13310-1209-10

Date          Kernel       Kubernetes  Docker
Feb 08, 2021  COS-5.4.89   v1.18.13    v19.03.14

Fixed a 32x truesize under-estimation for tiny skbs in the Linux kernel.

cos-85-13310-1209-7

Date          Kernel       Kubernetes  Docker
Feb 01, 2021  COS-5.4.89   v1.18.13    v19.03.14

Upgraded app-admin/sudo to version 1.9.5_p2. This resolves CVE-2021-3156.

cos-85-13310-1209-3

Date          Kernel       Kubernetes  Docker
Jan 25, 2021  COS-5.4.89   v1.18.13    v19.03.14

Updated the Linux kernel to upstream/v5.4.89.

Added support for the bpf_get_netns_cookie eBPF helper.

Updated cos-gpu-installer to v2.0.3 in cos-extensions. Fixed an issue in which installing GPU drivers was failing due to loading GPU kernel modules in incorrect order.

Fixed an authentication error when using go-dbus to connect to systemd.

Updated Docker to v19.03.14.

Updated the built-in kubectl/kubelet to v1.18.13.

Updated containerd to v1.4.3.

cos-85-13310-1041-161

Date          Kernel       Kubernetes  Docker
Jan 11, 2021  COS-5.4.49   v1.18.9     v19.03.9

Fixed CVE-2020-29661 in the Linux kernel.

Fixed CVE-2020-29660 in the Linux kernel.

Fixed an issue where sshd was restarted every minute if no OS Login users were returned by the metadata server.

cos-85-13310-1041-38

Date          Kernel       Kubernetes  Docker
Dec 02, 2020  COS-5.4.49   v1.18.9     v19.03.9

Fixed CVE-2020-15257 in containerd.

cos-85-13310-1041-28

Date          Kernel       Kubernetes  Docker
Nov 11, 2020  COS-5.4.49   v1.18.9     v19.03.9

cloud-init now starts after network-online, because cloud-init does not configure the network for COS on GCP.

cos-85-13310-1041-24

Date          Kernel       Kubernetes  Docker
Oct 19, 2020  COS-5.4.49   v1.18.9     v19.03.9

Backported INIT_STACK_ALL_ZERO to replace INIT_STACK_ALL.

cos-85-13310-1041-17

Date          Kernel       Kubernetes  Docker
Oct 12, 2020  COS-5.4.49   v1.18.9     v19.03.9

Added PPP loadable modules back, which were removed in cos-rc-85-13310-1019-0.

Moved Docker's "registry-mirrors" configuration to the dockerd command line to address Kubernetes cluster provisioning errors.

cos-85-13310-1041-14

Date          Kernel       Kubernetes  Docker
Oct 08, 2020  COS-5.4.49   v1.18.9     v19.03.9

Moved the configuration of Docker's "registry-mirrors" option from the dockerd command line to /etc/docker/daemon.json. This should allow users to configure a custom registry mirror, which can be useful when responding to recent Docker Hub free tier changes.

cos-85-13310-1041-9 (vs Milestone 81)

Date          Kernel       Kubernetes  Docker
Sep 24, 2020  COS-5.4.49   v1.18.9     v19.03.9

Upgraded kernel to upstream 5.4.

Improved eBPF debug and tracing functionality by enabling:
  Compressed kernel headers.
  BTF (BPF Type Format) debug info.

Improved security by enabling more Kernel Self Protection Project (KSPP) settings:
  Incorporated the lockdown LSM.
  Enabled Clang's stack initialization.

Added XFS in preview mode.

Added NVMe userspace utilities support (sys-apps/nvme-cli).

Added file system ACL userspace utilities (sys-apps/acl).

Added FUSE userspace utilities support (sys-fs/fuse).

Added cos-extensions userspace utilities support (app-admin/extensions-manager).

Added the nfs-utils packages.

Added ext4 block bitmap prefetching feature.

Made chrony the default NTP client.

Made Python3 the default Python interpreter.

Reduced user home directory permissions to 750.

Disabled hung_on_panic by default.

Enforced kernel module signature verification by default.

Added the cos-extensions-manager package.

Removed the metrics daemon.

Backported upstream patch 'perf_event: support for LSM and SELinux check'.

Enabled utmp in systemd to allow creation of utmp files.

Upgraded KTD to its beta.

Upgraded gVNIC driver to v1.1.0.

Upgraded Nvidia GPU driver support to 450.51.06.

Upgraded containerd to v1.4.1.

Upgraded docker to v19.03.9.

Upgraded the built-in kubectl/kubelet to v1.18.9.

Upgraded docker-credential-gcr to v2.0.2.

Upgraded cloud-init to v19.4.

Upgraded node-problem-detector to v0.8.1.

Upgraded cos-toolbox to 20200715-00.

Upgraded oslogin to v20200507.00.

Upgraded compute-image-packages to v20191210.

Upgraded dump-capture-kernel to 4.19.

Upgraded makedumpfile to v1.6.7.

Upgraded Konlet to v0.11.0.

Upgraded runc to v1.1.0-rc10.

Upgraded openssl to 1.1.0l.

Updated toolbox base container image to include security patches.

Upgraded libseccomp to v2.4.2 to address CVE-2019-9893.

Disabled CONFIG_PPP to mitigate Linux Kernel CVE-2020-14416.

Fixed Linux kernel vulnerability CVE-2020-14386.

Fixed a kernel bug where eBPF programs can cause softlockups.

Removed the size limit on /etc/ to fix cluster creation failures caused by a large number of addons.

Fixed a bug that caused OS login to use excessive amounts of memory.

Updated e2fsprogs to fix a partition resize issue.

Made dioread_nolock non-default.

Increased kdump memory reservation to 256M for 8G-16G instances.

Added rsync back into the image, which was removed in cos-dev-77-12293-0-0.

Added the exec mount option to /var/lib/containerd.