Container-Optimized OS Release Notes: Milestone 93

cos-93-16623-39-6

| Date | Kernel | Kubernetes | Docker | Containerd | Default GPU Driver |
| --- | --- | --- | --- | --- | --- |
| Oct 18, 2021 | COS-5.10.68 | v1.21.3 | v20.10.6 | v1.5.4 | v450.119.04 |

This is a Stable release.

cos-beta-93-16623-39-6

| Date | Kernel | Kubernetes | Docker | Containerd | Default GPU Driver |
| --- | --- | --- | --- | --- | --- |
| Oct 07, 2021 | COS-5.10.68 | v1.21.3 | v20.10.6 | v1.5.4 | v450.119.04 |

Installed the kernel configuration in the /boot directory.

Fixed an issue where GPU drivers wouldn't load due to being incorrectly linked.

Fixed an issue where `docker stats` returned zeroes for some containers.

cos-beta-93-16623-39-1

| Date | Kernel | Kubernetes | Docker | Containerd | Default GPU Driver |
| --- | --- | --- | --- | --- | --- |
| Sep 29, 2021 | COS-5.10.68 | v1.21.3 | v20.10.6 | v1.5.4 | v450.119.04 |

Updated the Linux kernel to v5.10.68.

Fixed CVE-2020-12403 in dev-libs/nss.

Fixed CVE-2019-17594 and CVE-2019-17595 in sys-libs/ncurses.

cos-beta-93-16623-0-23

| Date | Kernel | Kubernetes | Docker | Containerd | Default GPU Driver |
| --- | --- | --- | --- | --- | --- |
| Sep 27, 2021 | COS-5.10.57 | v1.21.3 | v20.10.6 | v1.5.4 | v450.119.04 |

Updated app-emulation/containerd to v1.5.4. This resolves CVE-2021-32760.

Updated glib, glib-utils and gdbus-codegen to v2.68.3. This resolves CVE-2021-28153.

cos-beta-93-16623-0-15

| Date | Kernel | Kubernetes | Docker | Containerd | Default GPU Driver |
| --- | --- | --- | --- | --- | --- |
| Sep 07, 2021 | COS-5.10.57 | v1.21.3 | v20.10.6 | v1.5.3 | v450.119.04 |

Upgraded net-misc/curl to v7.78.0. This resolves CVE-2021-22924 and CVE-2021-22926.

cos-beta-93-16623-0-13

| Date | Kernel | Kubernetes | Docker | Containerd | Default GPU Driver |
| --- | --- | --- | --- | --- | --- |
| Sep 02, 2021 | COS-5.10.57 | v1.21.3 | v20.10.6 | v1.5.3 | v450.119.04 |

Fixed an issue where some NFS clients ran out of memory and crashed.

Runtime sysctl changes:

  • Changed: fs.file-max: 9223372036854775807 -> 814100
  • Changed: fs.nr_open: 1073741816 -> 1048576
  • Changed: net.ipv4.tcp_fastopen_key: 763328f0-eed1e25b-33ba5cd4-36e8e00d -> 11665687-fa208935-2719c70f-e7f2feb2

cos-beta-93-16623-0-5 (vs Milestone 89)

| Date | Kernel | Kubernetes | Docker | Containerd | Default GPU Driver |
| --- | --- | --- | --- | --- | --- |
| Aug 23, 2021 | COS-5.10.57 | v1.21.3 | v20.10.6 | v1.5.3 | v450.119.04 |

Upgraded systemd to v248.6.

Upgraded sys-apps/cloud-disk-resize to commit edbe236.

Updated oslogin to v20210707.00.

Updated google-guest-agent to v20210707.00.

Upgraded the Linux kernel to v5.10.57.

Updated the built-in kubectl/kubelet to v1.21.3.

Upgraded containerd to v1.5.3.

Updated sosreport to v4.1.

Updated chronyd to v4.1.

Updated docker-credential-gcr to v2.0.5.

Updated docker-cli to v20.10.6.

Updated ChromeOS base to ChromeOS version v14056.0.0.

Upgraded Linux Audit (sys-process/audit) to v3.0.2.

Upgraded xfsprogs to v5.10.

Upgraded dev-util/gdbus-codegen to v2.66.7 on x86.

Updated the stackdriver logging agent to v1.8.9.

Updated app-emulation/docker-proxy to v0.8.0_p20210525.

Updated app-emulation/docker-credential-helpers to v0.6.4.

Upgraded cloud-init to v21.2.

Updated docker to v20.10.6.

Updated makedumpfile package to v1.6.9.

Upgraded sys-auth/pambase to v20201103.

Upgraded sys-libs/pam to v1.5.1.

Upgraded sys-auth/passwdqc to v1.4.0.

Updated chronyd to run as the chrony user instead of the root user.

Runtime sysctl changes:

  • Added: kernel.hung_task_all_cpu_backtrace: 0
  • Added: kernel.oops_all_cpu_backtrace: 0
  • Added: kernel.sched_deadline_period_max_us: 4194304
  • Added: kernel.sched_deadline_period_min_us: 100
  • Added: net.ipv4.ip_autobind_reuse: 0
  • Added: net.ipv4.nexthop_compat_mode: 1
  • Added: net.ipv4.tcp_comp_sack_slack_ns: 100000
  • Added: net.ipv4.tcp_no_ssthresh_metrics_save: 1
  • Added: net.ipv4.tcp_reflect_tos: 0
  • Added: net.ipv6.conf.all.rpl_seg_enabled: 0
  • Added: net.ipv6.conf.default.rpl_seg_enabled: 0
  • Added: net.ipv6.conf.docker0.rpl_seg_enabled: 0
  • Added: net.ipv6.conf.eth0.rpl_seg_enabled: 0
  • Added: net.ipv6.conf.lo.rpl_seg_enabled: 0
  • Added: user.max_time_namespaces: 31820
  • Added: vm.compaction_proactiveness: 20
  • Added: vm.page_lock_unfairness: 5
  • Changed: fs.epoll.max_user_watches: 1668751 -> 1668321
  • Changed: fs.file-max: 814576 -> 9223372036854775807
  • Changed: fs.nr_open: 1048576 -> 1073741816
  • Changed: fs.epoll.max_user_watches: 1668321 -> 1667911
  • Changed: kernel.printk_devkmsg: ratelimit -> on
  • Changed: kernel.threads-max: 63658 -> 63625
  • Changed: kernel.cap_last_cap: 37 -> 40
  • Changed: kernel.usermodehelper.bset: 4294967295 63 -> 4294967295 511
  • Changed: kernel.usermodehelper.inheritable: 4294967295 63 -> 4294967295 511
  • Changed: net.ipv4.tcp_fastopen_blackhole_timeout_sec: 3600 -> 0
  • Changed: net.ipv4.tcp_fastopen_key: 00000000-00000000-00000000-00000000 -> 763328f0-eed1e25b-33ba5cd4-36e8e00d
  • Changed: net.ipv4.tcp_mem: 94299 125733 188598 -> 94251 125668 188502
  • Changed: net.ipv4.udp_mem: 188598 251466 377196 -> 188502 251336 377004
  • Changed: net.ipv6.conf.all.forwarding: 0 -> 1
  • Changed: net.ipv6.conf.default.forwarding: 0 -> 1
  • Changed: net.ipv6.conf.docker0.forwarding: 0 -> 1
  • Changed: net.ipv6.conf.eth0.forwarding: 0 -> 1
  • Changed: net.ipv6.conf.lo.forwarding: 0 -> 1
  • Changed: net.core.bpf_jit_kallsyms: 0 -> 1
  • Changed: user.max_cgroup_namespaces: 31829 -> 31812
  • Changed: user.max_ipc_namespaces: 31829 -> 31812
  • Changed: user.max_mnt_namespaces: 31829 -> 31812
  • Changed: user.max_net_namespaces: 31829 -> 31812
  • Changed: user.max_pid_namespaces: 31829 -> 31812
  • Changed: user.max_time_namespaces: 31820 -> 31812
  • Changed: user.max_user_namespaces: 31829 -> 31812
  • Changed: user.max_uts_namespaces: 31829 -> 31812
  • Deleted: kernel.random.read_wakeup_threshold: 64

Removed toolbox's dependency on the docker command.

Added sys-block/open-iscsi package.

Renamed 99-virtio.network to 99-default.network to include gve driver support.

Enabled IPv6 configuration by default. This does not disable IPv4 configuration. In addition, fixed an issue where enabling both IPv6 and IPv4 configuration on IPv4-only networks resulted in slow boot times.

Upgraded cos-gpu-installer-v2 to v2.0.9 in cos-extensions. Users can now specify --version=latest when installing GPU drivers.

Added support for ext4 journal checkpointing in the Linux kernel.

Enabled ip6table_nat as a module.

Enabled CONFIG_TLS and CONFIG_TLS_DEVICE in the kernel to support kTLS.

Enabled CONFIG_MEMORY_FAILURE and CONFIG_X86_MCE in the Linux kernel.

Enabled CONFIG_IP6_NF_MANGLE to allow the ip6table_mangle kernel module.

Enabled CONFIG_TLS in the kernel to support OpenSSL 3.0.

Added support for multiple architectures in toolbox.

Fixed a 32x truesize under-estimation for tiny skbs in the Linux kernel.

Fixed an issue in google-guest-agent where the GID of a user's home directory referred to a different user after a reboot.

Fixed a kernel crash due to fast commit changes.

Configured google-guest-agent to use usermod instead of gpasswd to add users to groups. This fixes an issue where users created through cloud-init sometimes were not added to the appropriate groups.

Upgraded the openssl package to v1.1.1k. This resolves CVE-2021-3449 and CVE-2021-3450.

Upgraded net-misc/wget to v1.21.1. This resolves CVE-2021-31879.

Upgraded libgcrypt to v1.9.3. This fixes CVE-2021-33560.

Upgraded OpenSSH to v8.5_p1. This resolves CVE-2021-28041.

Upgraded libgcrypt to v1.9.1. This addresses CVE-2021-3345.

Upgraded dev-python/jinja to v2.11.3. This addresses CVE-2020-28493.