March 5, 2024 [GDCH 1.12.1]
- Google Distributed Cloud air-gapped 1.12.1 is now available.
See the product overview to learn about the features of Google Distributed Cloud air-gapped.
Updated Canonical Ubuntu OS image version to 20240212 to apply the latest security patches and important updates. To take advantage of the bug and security vulnerability fixes, you must upgrade all nodes with each release. The following security vulnerabilities are fixed:
- CVE-2017-16516
- CVE-2020-14394
- CVE-2020-19726
- CVE-2020-24165
- CVE-2020-28493
- CVE-2021-3638
- CVE-2021-46174
- CVE-2022-1725
- CVE-2022-1771
- CVE-2022-1897
- CVE-2022-2000
- CVE-2022-24795
- CVE-2022-35205
- CVE-2022-44840
- CVE-2022-45703
- CVE-2022-47007
- CVE-2022-47008
- CVE-2022-47010
- CVE-2022-47011
- CVE-2023-0340
- CVE-2023-1544
- CVE-2023-23931
- CVE-2023-2861
- CVE-2023-2953
- CVE-2023-31085
- CVE-2023-3180
- CVE-2023-33460
- CVE-2023-3354
- CVE-2023-4408
- CVE-2023-4641
- CVE-2023-5517
- CVE-2023-6228
- CVE-2023-6277
- CVE-2023-6516
- CVE-2023-6915
- CVE-2023-22995
- CVE-2023-37453
- CVE-2023-39189
- CVE-2023-39192
- CVE-2023-39193
- CVE-2023-39804
- CVE-2023-42754
- CVE-2023-43040
- CVE-2023-45871
- CVE-2023-46218
- CVE-2023-46246
- CVE-2023-50387
- CVE-2023-4806
- CVE-2023-4813
- CVE-2023-48231
- CVE-2023-48233
- CVE-2023-48234
- CVE-2023-48235
- CVE-2023-48236
- CVE-2023-48237
- CVE-2023-48733
- CVE-2023-48795
- CVE-2023-50782
- CVE-2023-50868
- CVE-2023-51779
- CVE-2023-51781
- CVE-2023-51782
- CVE-2023-52356
- CVE-2023-5088
- CVE-2023-51764
- CVE-2023-5178
- CVE-2023-5717
- CVE-2023-6004
- CVE-2023-6040
- CVE-2023-6606
- CVE-2023-6918
- CVE-2023-6931
- CVE-2023-6932
- CVE-2023-7104
- CVE-2024-0553
- CVE-2024-0565
- CVE-2024-22195
- CVE-2024-22365
- CVE-2024-24806
Updated Rocky Linux image version to 20240131 to apply the latest security patches and important updates. To take advantage of the bug and security vulnerability fixes, you must upgrade all nodes with each release. The following security vulnerabilities are fixed:
The following container image security vulnerabilities are fixed:
- CVE-2022-2586
- CVE-2023-1829
- CVE-2023-1380
- CVE-2023-0286
- CVE-2023-0461
- CVE-2023-32233
- CVE-2022-0492
- CVE-2022-24407
- CVE-2023-1281
- CVE-2022-42703
- CVE-2022-34918
- CVE-2022-29581
- CVE-2022-21499
- CVE-2023-31436
- CVE-2022-3515
- CVE-2023-30456
- CVE-2022-32250
- CVE-2022-0001
- CVE-2022-0002
- CVE-2022-43945
- CVE-2022-2588
- CVE-2022-0778
- CVE-2022-23960
- CVE-2022-42896
- CVE-2022-2509
- CVE-2022-1016
- CVE-2021-3999
- CVE-2022-26373
- CVE-2022-3116
- CVE-2022-47673
- CVE-2022-20421
- CVE-2022-1516
- CVE-2022-3028
- CVE-2022-20423
- CVE-2022-1664
- CVE-2022-2318
- CVE-2022-1204
- CVE-2022-21123
- CVE-2021-4159
- CVE-2022-1353
- CVE-2022-47929
- CVE-2022-3586
- CVE-2022-2964
- CVE-2022-36946
- CVE-2022-32296
- CVE-2022-22942
- CVE-2022-0812
- CVE-2022-3643
- CVE-2022-3239
- CVE-2023-1095
- CVE-2022-3521
- CVE-2022-3564
- CVE-2022-1679
- CVE-2021-4083
- CVE-2022-43750
- CVE-2022-0435
- CVE-2022-24958
- CVE-2022-23039
- CVE-2022-2526
- CVE-2023-2162
- CVE-2022-3567
- CVE-2023-0266
- CVE-2021-28715
- CVE-2023-0215
- CVE-2021-4149
- CVE-2022-3111
- CVE-2021-45469
- CVE-2021-3923
- CVE-2022-3424
- CVE-2022-1304
- CVE-2023-31484
- CVE-2022-4304
- CVE-2022-3821
- CVE-2022-20369
- CVE-2022-25258
- CVE-2022-23040
- CVE-2022-1734
- CVE-2022-20566
- CVE-2022-3524
- CVE-2022-3640
- CVE-2022-2068
- CVE-2021-39685
- CVE-2022-25375
- CVE-2022-1462
- CVE-2023-25585
- CVE-2021-33655
- CVE-2022-2978
- CVE-2022-1199
- CVE-2022-2977
- CVE-2021-39698
- CVE-2022-41916
- CVE-2022-29900
- CVE-2021-4197
- CVE-2022-3646
- CVE-2022-2097
- CVE-2020-36516
- CVE-2022-1012
- CVE-2022-3628
- CVE-2022-2991
- CVE-2022-3061
- CVE-2021-3506
- CVE-2021-39711
- CVE-2022-20154
- CVE-2022-40768
- CVE-2022-21125
- CVE-2022-26966
- CVE-2022-29155
- CVE-2022-1419
- CVE-2022-23038
- CVE-2022-0487
- CVE-2018-16860
- CVE-2022-26365
- CVE-2022-33741
- CVE-2023-2513
- CVE-2023-1073
- CVE-2022-26490
- CVE-2018-25032
- CVE-2022-20572
- CVE-2021-45095
- CVE-2022-1205
- CVE-2021-4202
- CVE-2023-26545
- CVE-2022-40307
- CVE-2022-3545
- CVE-2022-47696
- CVE-2022-45934
- CVE-2022-42898
- CVE-2021-33656
- CVE-2022-48303
- CVE-2023-25588
- CVE-2022-4450
- CVE-2021-22600
- CVE-2022-42329
- CVE-2021-28714
- CVE-2023-2650
- CVE-2022-42895
- CVE-2020-35525
- CVE-2022-28389
- CVE-2023-0394
- CVE-2023-0458
- CVE-2022-20009
- CVE-2021-4155
- CVE-2023-0459
- CVE-2022-2663
- CVE-2022-41858
- CVE-2022-45142
- CVE-2022-3437
- CVE-2022-1011
- CVE-2022-37434
- CVE-2022-47629
- CVE-2022-3566
- CVE-2022-3649
- CVE-2022-2639
- CVE-2022-23036
- CVE-2022-20422
- CVE-2022-2153
- CVE-2022-20368
- CVE-2022-33742
- CVE-2023-1074
- CVE-2022-0330
- CVE-2022-29901
- CVE-2020-16156
- CVE-2021-43975
- CVE-2022-42328
- CVE-2022-35737
- CVE-2022-2503
- CVE-2022-33740
- CVE-2023-23559
- CVE-2022-23491
- CVE-2022-24448
- CVE-2022-30594
- CVE-2022-39188
- CVE-2021-44733
- CVE-2022-36879
- CVE-2023-25584
- CVE-2021-26401
- CVE-2022-4095
- CVE-2022-21166
- CVE-2023-29491
- CVE-2022-38533
- CVE-2022-1652
- CVE-2022-27666
- CVE-2022-28390
- CVE-2023-28328
- CVE-2022-3629
- CVE-2023-23455
- CVE-2022-44640
- CVE-2022-1271
- CVE-2022-33981
- CVE-2022-1292
- CVE-2022-28388
- CVE-2022-1048
- CVE-2022-33744
- CVE-2022-23042
- CVE-2022-36280
- CVE-2022-23037
- CVE-2021-44758
- CVE-2023-32269
- CVE-2022-34903
- CVE-2023-24540
- CVE-2023-24538
- CVE-2023-29405
- CVE-2023-29404
- CVE-2023-29402
- CVE-2023-29403
- CVE-2023-45287
- CVE-2023-29400
- CVE-2023-39323
- CVE-2023-45285
- CVE-2023-24537
- CVE-2022-41724
- CVE-2023-2253
- CVE-2023-44487
- CVE-2023-28840
- CVE-2023-24536
- CVE-2022-41725
- CVE-2023-24539
- CVE-2023-24534
- CVE-2023-39325
- CVE-2022-41723
- CVE-2023-29409
- CVE-2023-48795
- CVE-2023-24532
- CVE-2023-29406
- CVE-2023-39326
- CVE-2023-28842
- CVE-2023-39318
- CVE-2023-3978
- CVE-2023-39319
- CVE-2023-28841
- CVE-2024-20952
- CVE-2024-20918
- CVE-2024-20932
- GHSA-m425-mq94-257g
- GHSA-jq35-85cj-fj4p
Backup and restore:
- An issue prevents volume backups to org buckets.
- The backup route to orgs fails.
Cluster management:
- User clusters with Kubernetes version 1.27.x might have node pools that fail to initialize.
Istio:
-
Pods in the
ImagePullBackOffstate with theBack-off pulling image "auto"event.
File and block storage:
-
When upgrading from 1.11.1 to 1.12.1,
file-netapp-tridentsubcomponent rollout might fail.
Hardware security module:
- A rotatable secret for hardware security modules is in an unknown state.
Logging:
-
When upgrading from 1.11.1 to 1.12.1,
ValidatingWebhookConfigurations,MutatingWebhookConfigurations, andMonitoringRulesdeployed by the Log component might fail to upgrade. -
The
cortex-ingesterpod shows anOOMKilledstatus. - After enabling logs export to an external SIEM destination, the forwarded logs don't contain any Kubernetes API server logs.
Monitoring:
-
Configuring the ServiceNow webhook results in Lifecycle Management (LCM) re-reconciling and reverting the changes made to the
ConfigMapobjectmon-alertmanager-servicenow-webhook-backendand theSecretobjectmon-alertmanager-servicenow-webhook-backendin themon-systemnamespace. - Audit logs and operational logs are not collected.
- When upgrading from 1.11.x to 1.12.1, Cortex bucket deletion might fail.
- The metrics storage class is incorrectly defined in the configuration.
Networking:
- GDC experiences issues with VM and container updates, termination, and scheduling.
- The preinstall script fails on several switches.
- Upgrading from 1.11 to 1.12.1 fails due to an unsuccessful generation of the
hairpinlinkcustom resource.
Node platform:
- When upgrading from 1.11.x to 1.12.1, a switch image download pod might get stuck in the
ErrImagePullstate. - When upgrading from 1.11.x to 1.12.1, the host firewall blocks the switch image downloading.
NTP server:
- The NTP relay server pod crashes after restarting.
- The NTP relay job pod crashes after restarting.
Physical servers:
- When upgrading from 1.11.x to 1.12.1,
NodeUpgradecontains multiple versions for the same hardware model, blocking firmware upgrade verification.
- When installing a server manually, the server installation might get stuck.
- The servers are stuck in the provisioning state.
System artifact registry:
- Harbor crash loops after an ABM upgrade.
- When upgrading from 1.11.x to 1.12.1, the Harbor cluster status might be
unhealthy.
Upgrade:
- When upgrading from 1.11.x to 1.12.1, node upgrade gets stuck with the
MaintenanceModeHealthCheckReadyundrain error. - When upgrading from 1.11.x to 1.12.1, a cluster node might not exit the maintenance mode due to a health check failure for
registy_mirror. - OS in-place node upgrade might stop responding.
VM manager:
- When upgrading from 1.11.x to 1.12.x, a VM might not be ready due to too many pods.
- VMRuntime might not be ready due to network-controller-manager installation failure
Billing:
- Fixed the issue causing the patch upgrade to fail with the upgrade check.
- Fixed the issue causing the creation of multiple
billing-storage-init-jobobjects.
Firewall:
- Fixed the issue with blocked traffic to object storage from the bootstrapper, caused by a
denypolicy configured on port8082.
Monitoring:
- Fixed the issue of not collecting metrics from the user clusters, affecting the user VM clusters but not the system cluster.
- Fixed the issue of primary Prometheus sending metrics to Cortex tenant across cluster boundaries.
Operations Suite Infrastructure Core Services (OIC):
- Fixed the issue with Desired State Configuration (DSC) return incorrect results and fail to update resources.
- Fixed the issue where Microsoft System Center Configuration Manager (SCCM) deployment doesn't finish successfully and requires manual intervention to fix.
VM Backup and Restore:
- Fixed an issue where role-based access control (RBAC) and schema settings in the VM manager was stopping users from starting VM backup and restore processes.
Add-on Manager:
- The GKE on Bare Metal version is updated to 1.28.100-gke.150 to apply the latest security patches and important updates.
Operations Suite Infrastructure Core Services (OIC):
Google Distributed Cloud air-gapped 1.12.1 added instructions for partners to prepare OIC artifacts excluded from the release.
Security Information and Event Management (SIEM):
Splunk Enterprise and Splunk Universal Forwarder are upgraded to version 9.1.3.
Version update:
The Debian-based image version is updated to bookworm-v1.0.1-gke.1.