Container-Optimized OS Release Notes: Milestone 97

cos-97-16919-29-40

Date          Kernel        Docker     Containerd  GPU Drivers
Jun 03, 2022  COS-5.10.107  v20.10.12  v1.6.2      v470.82.01 (default)

Fixed the toolbox creation issue when a service account is not available.

Fixed a bug in KTD LSM xattr handling.

cos-97-16919-29-36

Date          Kernel        Docker     Containerd  GPU Drivers
May 25, 2022  COS-5.10.107  v20.10.12  v1.6.2      v470.82.01 (default)

Fixed CVE-2022-1729 in the Linux Kernel.

cos-97-16919-29-34

Date          Kernel        Docker     Containerd  GPU Drivers
May 23, 2022  COS-5.10.107  v20.10.12  v1.6.2      v470.82.01 (default)

Fixed an issue that prevented large cloud-configs (~256KB) from working properly.

Upgraded openssl to v1.1.1o. This resolves CVE-2022-1292.

Upgraded dev-libs/libxml2 to v2.9.14. This resolves CVE-2022-29824.

Upgraded dev-libs/libxslt to v1.1.35. This resolves CVE-2022-29824.

Upgraded sys-libs/ncurses to v6.3_p20220423. This resolves CVE-2022-29458.

Fixed CVE-2022-1786, CVE-2022-28893 and CVE-2022-0494 in the Linux kernel.

cos-97-16919-29-21

Date          Kernel        Docker     Containerd  GPU Drivers
Apr 25, 2022  COS-5.10.107  v20.10.12  v1.6.2      v470.82.01 (default)

Made /var/lib/chrony owned by the chrony user.

Fixed CVE-2022-29581 and CVE-2022-29582 in the Linux kernel.

cos-97-16919-29-16

Date          Kernel        Docker     Containerd  GPU Drivers
Apr 18, 2022  COS-5.10.107  v20.10.12  v1.6.2      v470.82.01 (default)

Made CIS Scanner show results for passing benchmarks.

cos-97-16919-29-9

Date          Kernel        Docker     Containerd  GPU Drivers
Apr 11, 2022  COS-5.10.107  v20.10.12  v1.6.2      v470.82.01 (default)

Updated containerd to v1.6.2. This resolves CVE-2022-24769.

Upgraded dev-libs/libxml2 to v2.9.13-r1. This resolves CVE-2022-23308.

cos-97-16919-29-5

Date          Kernel        Docker     Containerd  GPU Drivers
Apr 05, 2022  COS-5.10.107  v20.10.12  v1.6.1      v470.82.01 (default)

Increased the number of supported vCPUs from 256 to 512.

Fixed an issue where kubelet failed on startup by adding the cgroup-driver=systemd flag to kubelet.

cos-97-16919-29-2

Date          Kernel        Docker     Containerd  GPU Drivers
Mar 29, 2022  COS-5.10.107  v20.10.12  v1.6.1      v470.82.01 (default)

Updated app-admin/localtoast (cis_scanner) to v1.1.4.3.

Updated the Linux kernel to v5.10.107.

Added an option to cos-extensions for populating and resetting a cache of GPU driver dependencies.

Updated app-editors/vim and app-editors/vim-core to v8.2.4586. This resolves CVE-2022-0714, CVE-2022-0696, CVE-2022-0685, CVE-2022-0729, CVE-2022-0572 and CVE-2022-0629.

cos-beta-97-16919-0-22

Date          Kernel        Docker     Containerd  GPU Drivers
Mar 25, 2022  COS-5.10.101  v20.10.12  v1.6.1      v470.82.01 (default)

Fixed CVE-2022-27666 in the Linux Kernel.

Upgraded openssl package to v1.1.1n to fix CVE-2022-0778.

cos-beta-97-16919-0-18

Date          Kernel        Docker     Containerd  GPU Drivers
Mar 21, 2022  COS-5.10.101  v20.10.12  v1.6.1      v470.82.01 (default)

Updated google-guest-configs to v20220211.00.

Updated CIS Scanner to v1.1.4.3.

Fixed a warning related to IPv4 parsing error in cloud-init.

Fixed CVE-2021-22570 in libprotobuf.

cos-beta-97-16919-0-14

Date          Kernel        Docker     Containerd  Default GPU Driver
Mar 16, 2022  COS-5.10.101  v20.10.12  v1.6.1      v470.82.01

Added get_status API in device policy manager.

Updated CIS Scanner to v1.1.4.2.

Fixed an issue in systemd so that the primary network interface is considered configured only after a non-link-local IPv4 address is available.

cos-beta-97-16919-0-8

Date          Kernel        Docker     Containerd  Default GPU Driver
Mar 07, 2022  COS-5.10.101  v20.10.12  v1.6.1      v470.82.01

Enabled disk_setup module in cloud-init.

Fixed CVE-2022-0847 in the Linux kernel.

Updated containerd to v1.6.1. This resolves CVE-2022-23648.

cos-beta-97-16919-0-3 (vs Milestone 93)

Date          Kernel        Kubernetes  Docker     Containerd  Default GPU Driver
Feb 28, 2022  COS-5.10.101  v1.23.3     v20.10.12  v1.6.0      v470.82.01

Enabled cgroup v2 and provided command-line interface to change cgroup versions.

Added CIS scanner (app-admin/localtoast) v1.1.4.1.

Renamed cos-alphabet-compliance to cis-compliance. cis-compliance installs only the scripts needed to make the VM CIS Level 2 compliant.

Added support for exporting the logs of the cis-level1, cis-level2 and cis-compliance-scanner systemd services via Stackdriver logging.

Added command "cos-extensions list -- --gpu-installer" to show the default cos-gpu-installer.

Enabled CONFIG_BFQ_GROUP_IOSCHED kernel configuration.

Set the NVMe IO timeout to 4294967295.

Fixed an issue in the Linux Kernel where I/Os would sometimes fail on SEV-enabled machines due to a full swiotlb buffer.

Fixed an issue related to shim exiting during system shutdown.

Enabled XDP support in the Linux Kernel.

Added LZ4 compression support to the kernel.

Enabled the ipip and fou kernel modules.

Made XFRM statistics available at /proc/net/xfrm_stat.

Added SEV live migration support to the Linux kernel.

Added dev-libs/userspace-rcu package.

Auto-updates will now only occur within a single milestone. Upgrading your VMs to a new COS milestone will now require you to recreate your VMs.

Added Google Guest Configs package.

Added lsof package.

Enabled virtual console.

Enabled configuring NTP server using cloud-init.

Added support for NFSv4 Kerberos authentication.

Enabled IBLOCK and FILEIO iSCSI backing stores in the Linux kernel.

Disabled VDSO on ARM by default.

Enabled IPv4 and IPv6 in sshd.

Updated containerd to v1.6.0.

Updated the Linux kernel to v5.10.101.

Upgraded sys-fs/e2fsprogs to v1.46.4.

Upgraded sys-libs/e2fsprogs-libs to v1.46.4.

Upgraded sys-fs/xfsprogs to v5.14.2.

Updated app-admin/sosreport to v4.2.

Upgraded runc to v1.1.0.

Updated the built-in kubectl/kubelet to v1.23.3.

Updated oslogin to v20220113.00.

Updated docker-cli to v20.10.12.

Updated docker to v20.10.12.

Updated Linux Audit (sys-process/audit) to v3.0.6.

Updated sys-apps/shadow to v4.11.1.

Upgraded Google OS Config Agent (aka VMManager) to v20220107.00.

Updated UEFI shim to v15.4.

Updated the makedumpfile package to v1.7.0.

Updated the stackdriver logging agent to v1.9.4.

Updated the default toolbox container to v20211027.

Upgraded app-admin/google-guest-agent to v20220104.00.

Updated cloud-init to v21.4.

Updated systemd to v249.6.

Updated docker-credential-gcr to v2.1.0.

Updated ChromeOS base to ChromeOS version 14283.0.0.

Upgraded net-dns/c-ares to v1.17.2.

Updated node-problem-detector to v0.8.10.

Updated nanopb to v0.4.5 in KTD.

Runtime sysctl changes:

  • Changed: net.ipv6.conf.all.forwarding: 1 -> 0
  • Changed: net.ipv6.conf.default.forwarding: 1 -> 0
  • Changed: net.ipv6.conf.docker0.forwarding: 1 -> 0
  • Changed: net.ipv6.conf.eth0.forwarding: 1 -> 0
  • Changed: net.ipv6.conf.lo.forwarding: 1 -> 0
  • Changed: kernel.bootloader_type: 114 -> 6
  • Changed: kernel.bootloader_version: 2 -> 38
  • Changed: kernel.core_pattern: |/sbin/crash_reporter --user=%P:%s:%u:%g:%f -> |/bin/false
  • Changed: kernel.core_pipe_limit: 4 -> 0
  • Changed: kernel.threads-max: 63623 -> 63574
  • Changed: net.ipv4.conf.all.log_martians: 0 -> 1
  • Changed: net.ipv4.conf.default.log_martians: 0 -> 1
  • Changed: net.ipv4.conf.docker0.log_martians: 0 -> 1
  • Changed: net.ipv4.conf.eth0.log_martians: 0 -> 1
  • Changed: user.max_cgroup_namespaces: 31811 -> 31787
  • Changed: user.max_ipc_namespaces: 31811 -> 31787
  • Changed: user.max_mnt_namespaces: 31811 -> 31787
  • Changed: user.max_net_namespaces: 31811 -> 31787
  • Changed: user.max_pid_namespaces: 31811 -> 31787
  • Changed: user.max_time_namespaces: 31811 -> 31787
  • Changed: user.max_user_namespaces: 31811 -> 31787
  • Changed: user.max_uts_namespaces: 31811 -> 31787
  • Added: dev.cdrom.autoclose: 1
  • Added: dev.cdrom.autoeject: 0
  • Added: dev.cdrom.check_media: 0
  • Added: dev.cdrom.debug: 0
  • Added: dev.cdrom.lock: 1
  • Changed: fs.epoll.max_user_watches: 1667911 -> 1667891
  • Changed: fs.file-max: 814101 -> 814087
  • Changed: net.ipv4.tcp_mem: 94251 125668 188502 -> 94248 125667 188496
  • Changed: net.ipv4.udp_mem: 188502 251336 377004 -> 188499 251335 376998
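The sysctl list above is the kind of thing a node-hardening check should verify after an image roll-out, because a workload or a later boot script can silently flip values such as IPv6 forwarding or the core pattern. The following script is an added example and is not part of the COS release notes or the COS project: it parses a captured `sysctl -a` dump (the sample dump inside the script is constructed) and reports every key whose value differs from the subset of the milestone-97 values listed above. The key names and expected values are taken from that list; everything else (function names, the sample input) is an assumption of this example.

```python
"""Compare a `sysctl -a` dump against the milestone-97 runtime sysctl values.

Added example, not part of the COS release notes or the COS project.
The EXPECTED values come from the 'Runtime sysctl changes' list in the notes;
SAMPLE_DUMP is a constructed input used only to exercise the checker.
"""
import re
from typing import Dict, List, Tuple

# Subset of the post-boot values the release notes list for cos-97.
EXPECTED: Dict[str, str] = {
    "net.ipv6.conf.all.forwarding": "0",
    "net.ipv6.conf.default.forwarding": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.log_martians": "1",
    "kernel.core_pattern": "|/bin/false",
    "kernel.core_pipe_limit": "0",
    "dev.cdrom.autoeject": "0",
}

# `sysctl -a` prints "key = value"; the value may itself contain '=' (core_pattern does).
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl_dump(text: str) -> Dict[str, str]:
    """Parse key/value pairs from a sysctl dump, ignoring error and blank lines."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def find_drift(observed: Dict[str, str],
               expected: Dict[str, str] = EXPECTED) -> List[Tuple[str, str, str]]:
    """Return (key, expected, observed) for each expected key that is missing or differs.

    A key absent from the dump is reported with the observed value '<missing>',
    because on a running node that usually means the module or feature is not loaded.
    """
    drift: List[Tuple[str, str, str]] = []
    for key, want in expected.items():
        got = observed.get(key, "<missing>")
        if got != want:
            drift.append((key, want, got))
    return drift


# Constructed sample: IPv6 forwarding re-enabled, the pre-97 crash_reporter core
# pattern still in place, one cdrom key absent, plus a permission-denied noise line.
SAMPLE_DUMP = """\
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
kernel.core_pattern = |/sbin/crash_reporter --user=%P:%s:%u:%g:%f
kernel.core_pipe_limit = 0
sysctl: permission denied on key 'fs.protected_symlinks'
"""


def main() -> int:
    """Print each drifted key; exit non-zero when any drift is found."""
    drift = find_drift(parse_sysctl_dump(SAMPLE_DUMP))
    for key, want, got in drift:
        print(f"DRIFT {key}: expected {want!r}, found {got!r}")
    return 1 if drift else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

On a real node, replace SAMPLE_DUMP with the output of `sysctl -a` captured from the host (for example redirected to a file from the toolbox) and extend EXPECTED with whichever keys from the list matter to your baseline; the non-zero exit status makes the script usable as a boot-time health check.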

Fixed segmentation fault in ebtables.

Modified the Stackdriver logging default config to support multiple time formats, which fixed a bug where logs were dropped under some conditions.

Updated the toolbox script to use the nspawn share-system environment variable.

Updated cri-tools to v1.23.0.

Fixed a bug that created excessive warning logs when attrs.tag was missing from container logs.

Updated cos-gpu-installer-v2 to v2.0.17 in cos-extensions.

Changed the default file permissions used by the Stackdriver logging agent so that its files are not world-readable.

Fixed CVE-2021-35942 and CVE-2021-38604 in glibc.