February 16, 2024 [GDC 1.12.0]
- Google Distributed Cloud air-gapped 1.12.0 is now available. See the product overview to learn about the features of Google Distributed Cloud air-gapped.
- Google Distributed Cloud air-gapped 1.12.0 supports two operating systems:
  - Ubuntu 20231205
  - Rocky Linux 20231208
Updated Canonical Ubuntu OS image version to 20231208 to apply the latest security patches and important updates. To take advantage of the bug and security vulnerability fixes, you must upgrade all nodes with each release. The following security vulnerabilities are fixed:
The following container image security vulnerabilities are fixed:
- CVE-2020-24736
- CVE-2020-29509
- CVE-2020-29511
- CVE-2020-29652
- CVE-2021-29923
- CVE-2021-31525
- CVE-2021-33195
- CVE-2021-33196
- CVE-2021-33197
- CVE-2021-33198
- CVE-2021-34558
- CVE-2021-36221
- CVE-2021-38297
- CVE-2021-38561
- CVE-2021-39293
- CVE-2021-41771
- CVE-2021-41772
- CVE-2021-43565
- CVE-2021-44716
- CVE-2022-1705
- CVE-2022-1962
- CVE-2022-2879
- CVE-2022-2880
- CVE-2022-3063
- CVE-2022-21235
- CVE-2022-21698
- CVE-2022-23471
- CVE-2022-23524
- CVE-2022-23525
- CVE-2022-23526
- CVE-2022-23648
- CVE-2022-23772
- CVE-2022-23773
- CVE-2022-23806
- CVE-2022-24675
- CVE-2022-24921
- CVE-2022-27191
- CVE-2022-27664
- CVE-2022-28131
- CVE-2022-28327
- CVE-2022-29526
- CVE-2022-30580
- CVE-2022-30630
- CVE-2022-30631
- CVE-2022-30632
- CVE-2022-30633
- CVE-2022-30635
- CVE-2022-31030
- CVE-2022-32148
- CVE-2022-32149
- CVE-2022-32189
- CVE-2022-41715
- CVE-2022-41717
- CVE-2022-41721
- CVE-2022-41723
- CVE-2022-41724
- CVE-2022-41725
- CVE-2022-41912
- CVE-2022-48174
- CVE-2023-1667
- CVE-2023-2253
- CVE-2023-2283
- CVE-2023-2603
- CVE-2023-2975
- CVE-2023-3446
- CVE-2023-3817
- CVE-2023-3978
- CVE-2023-22036
- CVE-2023-22041
- CVE-2023-22049
- CVE-2023-24532
- CVE-2023-24534
- CVE-2023-24536
- CVE-2023-24537
- CVE-2023-24538
- CVE-2023-24539
- CVE-2023-24540
- CVE-2023-25153
- CVE-2023-25165
- CVE-2023-25173
- CVE-2023-25193
- CVE-2023-26604
- CVE-2023-27533
- CVE-2023-27535
- CVE-2023-27536
- CVE-2023-27538
- CVE-2023-28321
- CVE-2023-28484
- CVE-2023-28840
- CVE-2023-28841
- CVE-2023-28842
- CVE-2023-29400
- CVE-2023-29402
- CVE-2023-29403
- CVE-2023-29404
- CVE-2023-29405
- CVE-2023-29406
- CVE-2023-29409
- CVE-2023-29469
- CVE-2023-29491
- CVE-2023-36054
- CVE-2023-39318
- CVE-2023-39319
- CVE-2023-39323
- CVE-2023-39325
- CVE-2023-39326
- CVE-2023-39417
- CVE-2023-39533
- CVE-2023-45142
- CVE-2023-45285
- CVE-2023-45287
- CVE-2023-48795
- CVE-2023-49568
- CVE-2023-49569
- CVE-2023-51385
Updated the gcr.io/distroless/base base image to digest sha256:eda29d6da91216123f1c1841b7c7a7abe1eece155cfe8d20d2a29e5daf9ad497 to apply the latest security patches and important updates.
Add-on Manager:
The Google Distributed Cloud version is updated to 1.28.0-gke.435 to apply the latest security patches and important updates.
See Google Distributed Cloud 1.28.0-gke.435 release notes for details.
Build and package:
- The Golang version is upgraded to 1.20.
- Google Distributed Cloud air-gapped 1.12.0 adds additional Software Bills Of Materials (SBOMs) to output and updates logic to ensure such SBOMs are published in the future.
- Google Distributed Cloud air-gapped 1.12.0 adds gdch_notice_license_files tar files to upload manifests.
Inventory management:
- Google Distributed Cloud air-gapped 1.12.0 adds validations for hardware version 3.0 connection listings.
- Google Distributed Cloud air-gapped 1.12.0 updates console server management port pattern to allow LAN1A and LAN2A.
- Google Distributed Cloud air-gapped 1.12.0 adds a message to mitigate the confusion of PA850 active and passive modes.
- Google Distributed Cloud air-gapped 1.12.0 supports a breakout cassette in validation.
- Google Distributed Cloud air-gapped 1.12.0 adds validation of the permanent firewall to management firewall connection.
- Google Distributed Cloud air-gapped 1.12.0 adds an OI Classless Inter-Domain Routing (CIDR) prompt to the Customer Intake Questionnaire generator.
- Google Distributed Cloud air-gapped 1.12.0 improves the error message for a missing MAC address failure to mitigate preflight check instability when validating the HSM and mgmtsw connection.
Operations Center IT organization:
The Operations Center IT organization has the following name updates:
Operations Center (OC) has been renamed to Operations Suite Facility (OIF).
OC Core has been renamed to Operations Suite Infrastructure Core Rack (OIR).
Operations Center IT (OCIT) has been renamed to Operations Suite Infrastructure (OI).
For more information, see Terminology.
Google Distributed Cloud air-gapped 1.12.0 updates the Userlock configuration script to permit the use of a failover server.
Google Distributed Cloud air-gapped 1.12.0 pre-creates additional Operations Suite Infrastructure (OI) security groups to allow fine-grained access across OI systems.
System artifact registry:
- Google Distributed Cloud air-gapped 1.12.0 removes the -f (--force) short flag from CLI assets.
Version update:
The Debian-based image version is updated to bookworm-v1.0.0-gke.3.
Certificate manager:
- Introduced configuration of the key size in a web-tls certificate for organizations.
Database Service:
- Support for point-in-time recovery (PITR) for its Oracle databases.
- Support for Postgres advanced migration to migrate on-premises databases to databases managed by the GDC database service.
Logging:
- Added the Log Query gRPC API to programmatically query operational and audit logs from the API endpoints.
- Included the capability to export PA logs to an external SIEM system.
Marketplace:
- MongoDB Enterprise Advanced (BYOL) is now available on the Google Distributed Cloud air-gapped 1.12.0 Marketplace. It is a collection of products and services that drive security and efficiency and put you in control of your MongoDB databases.
Object storage:
- Added new image required to host upgrade files in the object storage software.
- Added an encryption version label to bucket webhooks.
- Added a reconciler for object credential rotation.
Operations Suite Infrastructure Core Services (OIC):
- Google Distributed Cloud air-gapped 1.12.0 collects OIC logs in Grafana.
- Google Distributed Cloud air-gapped 1.12.0 moves the Copy-BareMetalFiles.ps1 script from the installation documentation to scripts in private-cloud/operations/dsc/.
- A web TLS certificate for a root admin cluster is issued by the Google Distributed Cloud air-gapped internal public key infrastructure.
Security compliance:
- Google Distributed Cloud air-gapped 1.12.0 introduces port security required to pass a security assessment.
Ticketing system:
- Updated scheduled jobs in ServiceNow to stagger when they are run to prevent database spikes.
- Infrastructure Operator receives an alert when a meta monitoring incident in ServiceNow is stale.
Upgrade:
- Added the Upgrade Status dashboard for Infrastructure Operators and Platform Administrators.
- Added a command for triggering user cluster upgrade.
Vertex AI:
- Added online predictions preview to serve requests using your own prediction models on a set of supported containers.
- Added Document Vision Service (DVS) preview to translate formatted PDF documents directly and preserve the original formatting and layout in translations.
- Included support for backing up and restoring notebook data in the home directory of Vertex AI Workbench JupyterLab instances.
Virtual machine management:
- Added Windows OS support for virtual machines to create, import, and connect to a Windows VM.
Billing:
- Fixed the issue with the onetimeusage job always failing to update labels on the onetimeusage object, causing failure alerts.
- Fixed the issue causing the aggregate cost for a custom resource (CR) to duplicate when the job restarts after the cost of the CR writes to the database, before the label updates to processed.
Hardware security module:
- Fixed the issue causing the hardware security module to frequently toggle between the ServicesNotStarted and ready states.
Hybrid identity:
- Fixed the issue with network configuration in identity pods.
Inventory management:
- Fixed the issue with the license parser not parsing object storage files whose license JSON text spans multiple lines.
- Fixed the issue with hardware 3.0 CellCfg CableType Validation regular expression.
- Fixed the issue with including bootstrapper node in hardware validation.
- Fixed the issue with the root admin cluster node having SecureBootEnable turned off after server bootstrapping.
Operations Suite Infrastructure Core Services (OIC):
- Fixed the issue with Initialize-BareMetalHost.ps1 not detecting that a reboot is required.
- Fixed the issue with an enterprise CA root not issuing a req file to submit for an offline CA root.
- Fixed the issue where the OIC VM creation process left Hyper-V time synchronization enabled.
Ticketing system:
- Fixed MariaDB Audit issue.
Upgrade:
- Fixed the issue with Identity and Access Management (IAM) alerts by adding IAM postflight upgrade checks.
Virtual machine management:
- Fixed the issue with the VM status previously showing PendingIPAllocation if the VM is not able to be scheduled. After the fix, the VM status shows ErrorUnscheduable.
- Fixed the issue with the incorrect object storage secret being used in VM image import operations.
Backup and restore:
- Alerts for a backup repository may fire even when the repository is healthy.
Cluster management:
- The machine-init job fails during cluster provisioning.
Database Service:
- Database Service workloads operate within the system cluster, which could result in database workloads sharing compute infrastructure with other database instances and various control plane systems.
Harbor as a service (HAAS):
- Being a preview feature of Google Distributed Cloud air-gapped 1.12.0, HaaS is not expected to operate in production environments.
The preinstall job fails by design to prevent the subcomponents from reconciling properly, which prevents users from using HaaS.
It is expected to find HaaS subcomponents in the reconciling state, which does not impact the functionality of other components.
Firewall:
- During customer deployment, the secret.yaml file administrator username must be admin, but instead contains TO-BE-FILLED after the first creation. The admin username must be used to initialize the first configuration onto the firewall.
Hardware security module:
- When deleting a KMS CTMKey, the PA might encounter unexpected behaviors, including the KMS service not starting for the organization.
- A rotatable secret for hardware security modules is in an unknown state.
Logging:
- After enabling logs export to an external SIEM destination, the forwarded logs don't contain any Kubernetes API server logs.
Monitoring:
- Node Exporter certificates might not become ready when creating an organization.
- Some metrics from the user clusters are not collected. This issue affects the user VM clusters but not the system cluster.
- The metrics storage class is incorrectly defined in the configuration.
- The mon-prober-backend-prometheus-config ConfigMap gets reset to include no probe jobs, and alert MON-A0001 is triggered.
Node platform:
- The node upgrade fails due to an outdated lvm.conf file.
Physical servers:
- The root admin cluster update progress is stuck at node upgrade, specifically NodeBIOSFirmwareUpgradeCompleted.
- When installing a server manually, the server installation might get stuck.
Upgrade:
- Node upgrade fails for NodeOSInPlaceUpgradeCompleted.
- Switch upgrade fails to run the command install add bootflash://..
- Several pods in a system cluster might get stuck in the TaintToleration state.
Upper networking:
- A user VM cluster gets stuck in the ContainerCreating state with the FailedCreatePodSandBox warning.
Vertex AI:
- The MonitoringTarget shows a Not Ready status when user clusters are being created, causing pre-trained APIs to continually show an Enabling state in the user interface.
VM Backup and Restore:
- Role-based access control (RBAC) and schema settings in the VM manager are stopping users from starting VM backup and restore processes.
- The VM image import fails at the image translation step due to insufficient disk size and a timeout on the object storage proxy response.
SIEM:
- OCLCM Preinstall jobs repeatedly fail on feature gate check.
Performance:
- Google Distributed Cloud air-gapped 1.12.0 deprecates the ability to execute provision key benchmarks.