Google Cloud release notes

The following release notes cover the most recent changes over the last 60 days. For a comprehensive list of product-specific release notes, see the individual product release note pages.

You can also see and filter all release notes in the Google Cloud console or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/gcp-release-notes.xml

March 28, 2024

Assured Workloads

The following compliance programs now support the following products. See supported products for more information:

  • Australia Regions with Assured Support:
    • Access Transparency
  • Canada Regions and Support:
    • Access Transparency
  • EU Regions and Support:
    • Access Approval
    • Certificate Authority Service
    • Cloud Monitoring
    • Cloud Run
    • Firestore
    • Sensitive Data Protection
  • FedRAMP Moderate:
    • Artifact Registry
    • Cloud Workstations
  • Israel Regions and Support:
    • Dataflow
    • Memorystore for Redis
  • Japan Regions:
    • Access Approval
    • Access Transparency
  • US Regions and Support:
    • Access Transparency

Capacity Planner

Preview: Capacity planner supports the following for data aggregated by organization ID:

  • View and export the actual and forecasted usage data of the VMs and persistent disks in your organization.

  • Generate gcloud CLI commands to create future reservation requests based on the actual or forecasted usage data of your VMs by organization.

For more information, see the following pages:

Cloud Logging

Pie charts are now available for visualizing data in the Log Analytics page. For more information, see Change chart type.

Cloud Monitoring

Uptime checks now support authentication by using a service account and a generated OpenID Connect (OIDC) token, as an alternative to providing a username and password. For more information, see Create public uptime checks.

Dataflow

The Dataflow right fitting feature is now supported by non-Prime batch pipelines.

Sensitive Data Protection

The SWITZERLAND_SOCIAL_SECURITY_NUMBER infoType detector is available in all regions. For more information about all built-in infoTypes, see InfoType detector reference.

March 27, 2024

BigQuery

An updated version of JDBC driver for BigQuery is now available.

Cloud Database Migration Service

A new migration job status called Running with errors is available for heterogeneous Oracle migrations in Database Migration Service. This status represents migration jobs that encounter errors, but continue replicating data for unaffected objects and attempt to retry faulty operations.

For more information, see Migration job statuses for Oracle to AlloyDB for PostgreSQL and Migration job statuses for Oracle to Cloud SQL for PostgreSQL.

Database Migration Service now supports faster migrations of large PostgreSQL databases to Cloud SQL for PostgreSQL.

For information about creating migration jobs using the high-performance parallelism settings, see Create a migration job to a new destination instance and Create a migration job to an existing destination instance.

Cloud Load Balancing

Typically with HTTPS communication, the authentication works only one way: the client verifies the identity of the server. For applications that require the load balancer to authenticate the identity of clients that connect to it, regional external Application Load Balancer, regional internal Application Load Balancer, and cross-region internal Application Load Balancer support mutual TLS (mTLS).

With mTLS, the load balancer requests that the client send a certificate to authenticate itself during the TLS handshake with the load balancer. You can configure a trust store that the load balancer uses to validate the client certificate's chain of trust.

For details, see the following:

This capability is in Preview.

Global external Application Load Balancer and global external Application Load Balancer (classic) already support frontend mTLS (General Availability).
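The chain-of-trust decision described above can be rehearsed locally with openssl before a trust store is uploaded. This is an added example, not Google Cloud's implementation and not part of the release notes; the CA names, client names and the anchors/intermediates file layout are constructed for the demo.

```shell
#!/bin/sh
# Added example: all CAs, clients and file names below are constructed.
# It models a trust store as root anchors plus optional intermediate CAs and
# shows which client certificates such a store would accept.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so CA certificates carry CA:TRUE regardless of the
# system-wide openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_root NAME: self-signed root certificate (a trust anchor candidate).
make_root() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue ISSUER NAME [ca]: create key + CSR for NAME and sign it with ISSUER.
# With "ca" as third argument the result is an intermediate CA certificate.
issue() {
  ext=""
  if [ "$3" = "ca" ]; then ext="-extfile $WORK/ca.cnf -extensions v3_ca"; fi
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 $ext -out "$WORK/$2.pem" 2>/dev/null
}

# validate_client ANCHORS_PEM INTERMEDIATES_PEM CERT_PEM
# Returns 0 only if CERT_PEM chains to an anchor, using nothing but the
# supplied store (-no-CApath keeps the system CA directory out of the decision).
validate_client() {
  if [ -s "$2" ]; then
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -no-CApath -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

# decide ...: same arguments as validate_client, prints accept or reject.
decide() {
  if validate_client "$@"; then echo accept; else echo reject; fi
}

# Constructed PKI: root -> issuing CA -> trusted client, plus an unrelated
# root that signs a second client certificate.
make_root demo-root
issue demo-root demo-issuing-ca ca
issue demo-issuing-ca trusted-client
make_root rogue-root
issue rogue-root rogue-client

ANCHORS="$WORK/demo-root.pem"
INTERMEDIATES="$WORK/demo-issuing-ca.pem"

echo "client from issuing CA, intermediate in store: $(decide "$ANCHORS" "$INTERMEDIATES" "$WORK/trusted-client.pem")"
echo "client from issuing CA, intermediate missing : $(decide "$ANCHORS" "" "$WORK/trusted-client.pem")"
echo "client from unrelated root                   : $(decide "$ANCHORS" "$INTERMEDIATES" "$WORK/rogue-client.pem")"
```

The second case is the one to watch for in practice: a certificate issued by an intermediate CA does not validate against a store that holds only the root unless the intermediate is also available.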

Cloud SQL for PostgreSQL

The pgvector extension is upgraded from version 0.5.1 to version 0.6.0. Use this extension to store and search for vector embeddings in PostgreSQL databases. For more information, see Configure PostgreSQL extensions.

To use this version of the extension, update your instance to [PostgreSQL version].R20240130.00_07. For more information, see Self-service maintenance.

The rollout of the following items in the February 7 release note is now complete:

  • Extensions
  • Flags
  • Minor versions
  • Extension versions
  • Plugin versions

Container Optimized OS

cos-beta-113-18244-1-31

  • Kernel: COS-6.1.77
  • Docker: v24.0.9
  • Containerd: v1.7.10
  • GPU Drivers: v535.161.07 (default, latest), v470.239.06 (R470 for compatibility with K80 GPUs)

Upgraded app-admin/node-problem-detector to v0.8.17.

Upgraded localtoast to 1.1.7 and opted out of logging-service-running benchmark by default for cis-level2.

Upgraded app-admin/fluent-bit to v1.9.10.

Upgraded app-admin/sosreport to v4.7.0.

Upgraded app-admin/localtoast to v1.1.7.

Added infiniband and mlx5 device drivers.

Fixed bug in google-guest-agent service enablement.

Fixed CVE-2024-26584 in the Linux kernel.

Fixed CVE-2024-26585 in the Linux kernel.

Fixed CVE-2023-52434 in the Linux kernel.

Fixed CVE-2024-26583 in the Linux kernel.

Fixed CVE-2024-26582 in the Linux kernel.

Fixed CVE-2023-52435 in the Linux kernel.

cos-97-16919-450-41

  • Kernel: COS-5.10.208
  • Docker: v20.10.24
  • Containerd: v1.6.21
  • GPU Drivers: v470.239.06 (default), v535.161.07 (latest)

Fixed bug in google-guest-agent service enablement.

Fixed CVE-2024-26589 in the Linux kernel.

Fixed CVE-2024-26585 in the Linux kernel.

Fixed CVE-2023-52439 in the Linux kernel.

Fixed CVE-2023-52434 in the Linux kernel.

Fixed CVE-2023-52435 in the Linux kernel.

Fixed CVE-2023-52443 in the Linux kernel.

cos-109-17800-147-41

  • Kernel: COS-6.1.75
  • Docker: v24.0.9
  • Containerd: v1.7.13
  • GPU Drivers: v535.161.07 (default, latest), v470.239.06 (R470 for compatibility with K80 GPUs)

Fixed CVE-2023-52434 in the Linux kernel.

Fixed CVE-2024-26583 in the Linux kernel.

Fixed CVE-2024-26582 in the Linux kernel.

Fixed CVE-2023-52435 in the Linux kernel.

cos-dev-117-18313-0-0

  • Kernel: COS-6.1.80
  • Docker: v24.0.9
  • Containerd: v1.7.10
  • GPU Drivers: v535.161.07 (default, latest), v470.239.06 (R470 for compatibility with K80 GPUs)

Fixed integrity-fs dm-crypt creation flakiness.

Dataplex

Data insights in Dataplex is now available in Preview. Data insights offers an automated and intuitive way to explore and understand your data. It uses Gemini large language models to generate queries based on the metadata of a table, and lets you uncover patterns, assess data quality, and perform statistical analysis.

Dataproc

New Dataproc Serverless for Spark runtime versions:

  • 1.1.56
  • 1.2.0
  • 2.0.64
  • 2.1.43
  • 2.2.0

Announcing the General Availability (GA) release of Dataproc Serverless for Spark runtime versions 1.2 and 2.2, which include the following components:

  • Spark 3.5.1
  • BigQuery Spark Connector 0.36.1
  • Cloud Storage Connector 3.0.0
  • Conda 24.1
  • Java 17
  • Python 3.12
  • R 4.3
  • Scala 2.12 (1.2 runtime) and Scala 2.13 (2.2 runtime)

Dataproc Serverless for Spark:

  • Upgraded Spark to version 3.5.1 in the latest 1.2 and 2.2 runtimes.
  • Upgraded Conda to version 24.1 in the latest 1.2 and 2.2 runtimes.
  • Upgraded Spark BigQuery connector to version 0.36.1 in the latest 1.2 and 2.2 runtimes.

Firestore

Firestore now supports using range and inequality filters on multiple fields in a single query. This feature is in Preview.

Support for Query Explain. This feature is in Preview.

Query Explain lets you submit queries and receive detailed query plan, billing and performance statistics on query execution in return. It helps you understand how your queries are executed, showing you inefficiencies.

It functions like the EXPLAIN [ANALYZE] operation in many relational database systems.

For more information, see the guide for Query Explain.

Firestore in Datastore mode

Datastore now supports using range and inequality filters on multiple fields in a single query. This feature is in Preview.

Support for Query Explain. This feature is in Preview.

Query Explain lets you submit queries and receive detailed query plan, billing and performance statistics on query execution in return. It helps you understand how your queries are executed, showing you inefficiencies.

It functions like the EXPLAIN [ANALYZE] operation in many relational database systems.

For more information, see the guide for Query Explain.

Google Distributed Cloud Virtual for VMware

GKE on VMware 1.15.10-gke.32 is now available. To upgrade, see Upgrading GKE on VMware. GKE on VMware 1.15.10-gke.32 runs on Kubernetes v1.26.13-gke.1100.

If you are using a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on VMware.

The following issue is fixed in 1.15.10-gke.32:

  • Fixed the known issue where the controlPlaneNodePort field defaults to 30968 when the manualLB spec is empty.

The following vulnerabilities are fixed in 1.15.10-gke.32:

March 26, 2024

Apigee X

On March 26, 2024, we released an updated version of Apigee (1-12-0-apigee-1).

New Apigee API Monitoring Metrics

A new suite of metrics for monitoring Apigee proxies and target endpoints is now available. With improved scalability and accuracy, the new suite can support large workloads and withstand underlying infrastructure changes.

Apigee's API Monitoring tables and dashboards have been updated to include the following new metrics, which can be used to configure alerts and create custom dashboards:

  • proxy/request_count
  • proxy/response_count
  • proxy/latencies
  • target/request_count
  • target/response_count
  • target/latencies

Bug ID: Description

  • 322843888: Fixed issue with incorrect proxy routing when using base paths in proxy chaining.
  • 293933387: KVM list operation now permits entries with null or empty values.
  • 239523766: Removed the "Unable to evaluate jsonVariable, returning null" error string from ExtractVariable Policy logging.
  • 285592278: Fixed issue with deduction of recurring fees from prepaid balances.
  • 237656263: Resolved issue with async mode in the ServiceCallout policy when the <Response> element is removed.
  • 321744310: Added support for caching JSON results retrieved from the ExtractVariables policy.
  • 295341973: Resolved issue causing delay in updating southbound SSL certificates in truststore and keystore references.

App Engine flexible environment Go

Go 1.22 is now generally available.

Starting in Go version 1.22 and later:

  • You can't use go get outside of a module in the legacy GOPATH mode (GO111MODULE=off).
  • Go recommends that you use a go.mod file for managing dependencies.

For more information, see Specify dependencies.

App Engine standard environment Go

Go 1.22 is now generally available.

Starting in Go version 1.22 and later:

  • You can't use go get outside of a module in the legacy GOPATH mode (GO111MODULE=off).
  • Go recommends that you use a go.mod file for managing dependencies.

For more information, see Specify dependencies.

BigQuery

The Help me code tool lets you use natural language to generate a SQL query that can then be run in BigQuery. This feature is now in preview.

The following Generative AI features are now in preview:

Try these features with the Generate text that describes visual content how-to topic.

Duet AI in BigQuery is now Gemini for BigQuery. See our blog post for more information.

Chronicle Security Operations

Gemini in Security Operations

Duet AI in Google Cloud is now Gemini for Google Cloud. See our blog post for more information.

Cloud Composer

Cloud Composer 2.6.6 release started on March 26, 2024. Get ready for upcoming changes and features as we roll out the new release to all regions. This release is in progress at the moment. Listed changes and features might not be available in some regions yet.

The Logs in Cloud Logging only feature is available in all regions.

In new environments with Airflow 2.6.3 and 2.7.3 the default values of the following Airflow configuration options are changed to provide more optimized Cloud Composer environments:

  • [scheduler]job_heartbeat_sec to 30
  • [scheduler]scheduler_health_check_threshold to 60
  • [scheduler]scheduler_heartbeat_sec to 15

If you want to override the [scheduler]scheduler_heartbeat_sec option's value, then also adjust the [scheduler]scheduler_health_check_threshold option, as described in Cloud Composer documentation.

Cloud Composer 2.6.6 images are available:

  • composer-2.6.6-airflow-2.7.3
  • composer-2.6.6-airflow-2.6.3 (default)
  • composer-2.6.6-airflow-2.5.3

Cloud Composer versions 2.1.11 and 1.20.11 have reached their end of full support period.

Cloud Data Fusion

The Amazon Redshift batch source connector version 1.11.1 is available in Preview in Cloud Data Fusion 6.10.0 and later. This source lets you load batch data from your Redshift dataset to a destination, such as BigQuery.

The Amazon Redshift batch source connector version 1.10.6 is available in Preview in Cloud Data Fusion 6.9 versions. This source lets you load batch data from your Redshift dataset to a destination, such as BigQuery.

Cloud Data Fusion is available in the following regions:

  • asia-south2
  • me-central2

For more information, see Pricing.

Cloud Functions

Cloud Functions (2nd gen) now supports the Go 1.22 runtime at the General Availability release level.

Cloud Logging

You can now configure your aggregated sink to be intercepting, which prevents logs from being passed through the Log Router of child resources. For more information, see Collate and route organization-level logs to supported destinations.

Duet AI in Google Cloud is now Gemini for Google Cloud. See our blog post for more information.

Cloud Monitoring

Duet AI in Google Cloud is now Gemini for Google Cloud. See our blog post for more information.

Cloud SQL for PostgreSQL

You can now integrate Cloud SQL and Vertex AI. This integration lets you apply large language models (LLMs), which are hosted in Vertex AI, to a Cloud SQL for PostgreSQL database, version 12 and later. For more information, see Integrate Cloud SQL with Vertex AI.

Colab Enterprise

Duet AI in Google Cloud is now Gemini for Google Cloud. See our blog post for more information.

Contact Center AI Platform

Version 3.13 is released

All release notes published on this date are part of version 3.13.

Agent alias

Agents can use aliases instead of their real names when communicating with end-users. Admins can configure agent aliases manually or with a bulk upload. Agents can also configure their own aliases. The agent alias feature is available when using the mobile and web SDKs. For more information, see Agent alias.

Country code of the outbound phone number is included with the added party's phone number

When an agent adds a party to a call, the country code from the outbound phone number is automatically included with the added party's phone number.

Calls waiting indicator

The call adapter includes a calls waiting indicator that indicates the number of calls in the queue waiting to be answered. You can find the calls waiting indicator in the Calls tab of the call adapter.

Time stamp in the chat adapter displays seconds

The message time stamp in the chat adapter displays seconds.

Virtual task assistant for chats

The virtual task assistant is available for chats. Configuration and use are similar to that of the virtual task assistant for calls. Available for the web SDK only. For more information, see Virtual task assistants.

Configure SSO for your email channel using OAuth credentials from Google Cloud

You can configure single sign-on (SSO) for your Contact Center AI Platform email channel using OAuth 2.0 credentials from Google Cloud. For more information, see Configure your email channel for OAuth with Google Cloud.

Deflections are available for agent-to-agent calls

You can configure agent-to-agent calls to deflect to voicemail after a period of time that you set. You can also include these "voice internal" calls in your call reports. For more information, see Turn on deflections.

Support phone number is included for incoming calls

The incoming call screen shows the support phone number that the end-user used to call your support center. For more information, see Receive an inbound call.

Support for multiple data parameters in API requests to the DAPs for your IVR queues

You can capture data in the headers of incoming Session Initiation Protocol (SIP) calls and pass them in API requests to the Direct Access Points (DAPs) for your Interactive Voice Response (IVR) queues. For more information, see API DAPs.

Fixed an issue that resulted in an error being returned whenever an agent tried to send a blended SMS message, despite preset SMS being disabled.

Fixed an issue where the queue-level call music section was not displayed to users with a custom role.

Fixed an issue where calls sometimes got stuck in a queued state when an agent had a poor network connection.

Fixed an issue where the Copy CRM Link button in the call adapter sometimes copied the CRM ID instead of the URL.

Fixed an issue where the Assign Agents button wasn't working on top-level queues.

Fixed an issue where using keyboard shortcuts or arrow keys to scroll in a window did not allow scrolling beyond a single screen of text.

Fixed an issue where a CRM page did not load in the Call Center AI Platform portal.

Google Cloud Architecture Center

(New guide) Cross-silo and cross-device federated learning on Google Cloud: Provides guidance to help you create a federated learning platform that supports either a cross-silo or cross-device architecture.

Migrate to Virtual Machines

Preview: Migrate to Virtual Machines supports the ARM64 migration journey. This feature lets you migrate ARM virtual machine (VM) instances from AWS and Azure cloud services to ARM VM instances on Compute Engine, and is supported for the following operating systems:

  • Debian 11 and 12
  • RHEL 9
  • Rocky Linux 8 and 9
  • SLES 15 SP5
  • Ubuntu 20.04 and 22.04

Spanner

Duet AI in Google Cloud is now Gemini for Google Cloud. See our blog post for more information.

You can now optimize your writes by setting the maximum delay time of your Spanner write requests between 0 and 500 milliseconds. For more information, see Throughput optimized writes.

March 25, 2024

AlloyDB for PostgreSQL

AlloyDB clusters created using the Google Cloud CLI, the AlloyDB Admin API, or Terraform have PostgreSQL 14 compatibility by default, instead of PostgreSQL 15 compatibility.

To mitigate this issue, take either one of the following steps:

  • Specify PostgreSQL version 15 when creating a cluster, instead of relying on the default value.
  • Use the Google Cloud console to create the cluster.

Artifact Registry

The software bill of materials (SBOM) feature is now Generally Available (GA). To learn more, see SBOM overview.

Artifact Analysis support for Vulnerability Exploitability eXchange (VEX) statements now includes the capability to upload VEX statements for multiple versions of an image. You can specify whether to associate a VEX statement with one image digest, or all versions of an image. This feature is in Preview. To learn more, see Upload VEX statements.

Backup and DR

Backup and DR Service added support to view daily scheduled compliance logs in Cloud Logging.

Backup and DR Service added support to view daily scheduled compliance reports in BigQuery.

BigQuery

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigquery

2.38.2 (2024-03-21)

Dependencies
  • Update actions/checkout action (#3190) (940e4f6)
  • Update arrow.version to v15.0.1 (#3189) (fb6284e)
  • Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.39.0 (#3186) (9e705a1)
  • Update dependency com.google.apis:google-api-services-bigquery to v2-rev20240229-2.0.0 (#3188) (a018424)
  • Update dependency com.google.cloud:google-cloud-datacatalog-bom to v1.43.0 (#3187) (497ff29)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.28.1 (#3196) (61f23a3)
  • Update github/codeql-action action to v2.24.6 (#3178) (8843cae)
  • Update github/codeql-action action to v2.24.7 (#3194) (2e2d730)
  • Update github/codeql-action action to v2.24.8 (#3198) (bd81a56)

Chronicle

Chronicle Applied Threat Intelligence helps you identify and respond to threats. When enabled, it ingests IOCs curated by Mandiant Threat Intelligence with an IC-Score greater than 80 and generates an error when a match is found. The following are some of the features of Applied Threat Intelligence.

  • Event-level enrichment: All telemetry in Chronicle is enriched with Google Threat Intelligence, which is a combination of Mandiant and VirusTotal, including all threat intelligence associations like campaigns and actors.

  • Sophisticated indicator matching: Curated out-of-the-box detections that deliver sophisticated indicator matching using augmented prioritization logic, noise reduction based on customer environment context, and other correlation techniques to maximize signal to noise.

  • Active breach alerting: Uses Mandiant's incident response intelligence to alert on potential active breaches delivering on our no patient 1 vision.

  • Curated behavioral detections for emerging threats: To protect against newly emerging risks and tactics, techniques, and procedures (TTPs), Applied Threat Intelligence uses real-time insights.

  • DIY detection engineering and response automation: Access to Fusion intelligence (formerly known as Mandiant Fusion) for the following.

    • Customer authoring of rules
    • Customer development of response playbooks
  • Curated views for Investigation and triage Insights: Applied Threat Intelligence provides curated views that show valuable associations between an indicator and threat actor, threat campaign, or malware, and statistics about a threat observed in customer environments. These views are invaluable for all security operations workflows.

For more information about Applied Threat Intelligence, see Applied Threat Intelligence overview.

Cloud Asset Inventory

The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.

  • Compute Engine
    • compute.googleapis.com/NetworkEdgeSecurityService
  • Database Migration
    • datamigration.googleapis.com/ConversionWorkspace
  • Redis
    • redis.googleapis.com/Cluster

Cloud Composer

In Cloud Composer versions from 2.1.0 to 2.6.4, task instances that succeeded in the past can be marked as FAILED in some cases. We recommend upgrading to Cloud Composer version 2.6.5 or later, where this issue is fixed. For more information, see the related known issue.

Cloud Logging

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-logging

3.16.2 (2024-03-20)

Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.28.0 (#1560) (d52e623)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.28.1 (#1563) (81aa3e6)

Cloud SQL for MySQL

Private Service Connect now includes support for cross-region read replicas. You can also choose an availability type (REGIONAL or ZONAL) for Private Service Connect-enabled instances. Both features are in GA.

Cloud SQL for PostgreSQL

Private Service Connect now includes support for cross-region read replicas. You can also choose an availability type (REGIONAL or ZONAL) for Private Service Connect-enabled instances. Both features are in GA.

Cloud SQL for SQL Server

You can now use Private Service Connect to connect to a Cloud SQL for SQL Server instance. This solution allows you to connect to the instance from multiple VPC networks that belong to different groups, teams, projects, or organizations.

Private Service Connect includes support for cross-region read replicas. You can also choose an availability type (REGIONAL or ZONAL) for Private Service Connect-enabled instances.

All features are in GA.

Container Optimized OS

cos-beta-113-18244-1-7

  • Kernel: COS-6.1.77
  • Docker: v24.0.9
  • Containerd: v1.7.10
  • GPU Drivers: v535.154.05 (default, latest), v470.223.02 (R470 for compatibility with K80 GPUs)

Updates to Major Packages:

Updated cos-gpu-installer to v2.2.0. Some key features of this update include:

  • Switched precompiled driver and signature location to COS build artifacts for M109.
  • This fixes a permissions issue in the GPU driver install directory with OSS drivers.
  • Added major version specification for GPU driver installation.

Update default and latest NVIDIA GPU drivers to v535.154.05.

Updated sys-apps/systemd to v254.9.

Updated docker-credential-gcr to v2.1.22.

Updated app-containers/docker-cli to v24.0.5.

Updated app-emulation/kubernetes to v1.29.1.

Updated app-containers/containerd to v1.7.10.

Updated app-containers/runc to v1.1.12.

Upgraded app-emulation/cloud-init to v23.4.3.

Upgraded app-admin/oslogin to v20231004.00.

Upgraded app-admin/google-osconfig-agent to v20240126.00.

Upgraded app-admin/google-guest-agent to v20240213.00.

Upgraded app-admin/google-guest-configs to v20240122.00.

Updated app-admin/sosreport to v4.6.1.

Updated latest GPU driver to v535.104.05.

Updated GPU drivers to v535.54.03 (R535 LTSB NVIDIA branch).

Upgraded app-containers/docker-credential-helpers to v0.8.1.

Runtime sysctl changes:

  • Added: net.ipv4.tcp_backlog_ack_defer: 1
  • Changed: fs.epoll.max_user_watches: 1809920 -> 1809474
  • Changed: fs.fanotify.max_user_marks: 67577 -> 67560
  • Changed: fs.file-max: 812606 -> 812400
  • Changed: fs.inotify.max_user_watches: 63456 -> 63441
  • Changed: kernel.threads-max: 63520 -> 63504
  • Changed: net.core.optmem_max: 20480 -> 131072
  • Changed: net.ipv4.tcp_mem: 94092 125456 188184 -> 94068 125424 188136
  • Changed: net.ipv4.udp_mem: 188184 250912 376368 -> 188136 250848 376272
  • Changed: net.ipv6.route.max_size: 4096 -> 2147483647
  • Changed: user.max_cgroup_namespaces: 31760 -> 31752
  • Changed: user.max_fanotify_marks: 67577 -> 67560
  • Changed: user.max_inotify_watches: 63456 -> 63441
  • Changed: user.max_ipc_namespaces: 31760 -> 31752
  • Changed: user.max_mnt_namespaces: 31760 -> 31752
  • Changed: user.max_net_namespaces: 31760 -> 31752
  • Changed: user.max_pid_namespaces: 31760 -> 31752
  • Changed: user.max_time_namespaces: 31760 -> 31752
  • Changed: user.max_user_namespaces: 31760 -> 31752
  • Changed: user.max_uts_namespaces: 31760 -> 31752
  • Changed: vm.lowmem_reserve_ratio: 256 256 32 0 -> 256 256 32 0 0
  • Added: net.netfilter.nf_flowtable_tcp_timeout: 30
  • Added: net.netfilter.nf_flowtable_udp_timeout: 30
  • Changed: fs.file-max: 812608 -> 812606
  • Added: net.ipv4.tcp_shrink_window: 0
  • Added: net.ipv6.conf.all.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.default.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.docker0.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.eth0.accept_ra_min_lft: 0
  • Added: net.ipv6.conf.lo.accept_ra_min_lft: 0
  • Added: kernel.io_uring_disabled: 0
  • Changed: fs.file-max: 812619 -> 812608
  • Changed: kernel.threads-max: 63519 -> 63520
  • Changed: net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd: 0 -> 3
  • Changed: net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent: 0 -> 3
  • Changed: user.max_cgroup_namespaces: 31759 -> 31760
  • Changed: user.max_ipc_namespaces: 31759 -> 31760
  • Changed: user.max_mnt_namespaces: 31759 -> 31760
  • Changed: user.max_net_namespaces: 31759 -> 31760
  • Changed: user.max_pid_namespaces: 31759 -> 31760
  • Changed: user.max_time_namespaces: 31759 -> 31760
  • Changed: user.max_user_namespaces: 31759 -> 31760
  • Changed: user.max_uts_namespaces: 31759 -> 31760
  • Changed: fs.epoll.max_user_watches: 1809474 -> 1809452
  • Changed: fs.file-max: 812400 -> 812392
  • Changed: kernel.threads-max: 63504 -> 63503
  • Changed: net.ipv4.tcp_mem: 94068 125424 188136 -> 94065 125423 188130
  • Changed: net.ipv4.udp_mem: 188136 250848 376272 -> 188133 250847 376266
  • Changed: user.max_cgroup_namespaces: 31752 -> 31751
  • Changed: user.max_ipc_namespaces: 31752 -> 31751
  • Changed: user.max_mnt_namespaces: 31752 -> 31751
  • Changed: user.max_net_namespaces: 31752 -> 31751
  • Changed: user.max_pid_namespaces: 31752 -> 31751
  • Changed: user.max_time_namespaces: 31752 -> 31751
  • Changed: user.max_user_namespaces: 31752 -> 31751
  • Changed: user.max_uts_namespaces: 31752 -> 31751
  • Changed: fs.file-max: 812620 -> 812619
  • Added: fs.overflowgid: 65534
  • Added: fs.overflowuid: 65534

New Features and Changes in the Linux Kernel:

Added additional option to existing kernel cmdline flag that moves protected stateful partition integrity tags to memory.

Fixed a kernel crash that occurred when running Postgres databases.

Enabled TDX Guest support in the Linux Kernel.

Updated the Linux kernel to v6.1.77.

New Features and Changes in the Image:

Changed default umask value for a user to 027.

Removed legacy logging agent (fluentd).

Fragmented nvidia-drivers and nvidia-drivers-open pkg into separate packages per major version.

Enhanced integrity-fs with disk resize and dm-clone.

Removed deprecated R525 NVIDIA GPU drivers.

Added support for dm-zero and dm-clone.

Sosreport now includes GPU Installer logs.

Fixed a performance issue that was observed in Postgres databases.

Fixed a container performance issue that occurred after running systemctl start cloud-audit-setup.

Updated NVIDIA GPU drivers.

Backported support for TCP RTO configuration in networkd.

Enable portmapper registration reporting for lsof. This also fixes an issue where lsof is missing from SOS reports.

Add compiler mitigations to mitigate memory corruption vulnerabilities.

Sequence named before nss-lookup.target.

Restore systemd-logind restart behavior when dbus restarts.

Fixed an issue where symlinks could not be moved.

Fixed an issue where IPv6 networking would fail under high CPU load.

Fixed an issue with NFS reconnects on GKE.

The get_metadata_value script will now retry if it experiences a connection error.

Enabled persistence mode with Nvidia GPU driver installation.

Fixed an issue in ip6tables where the -C option did not work correctly.

Simplified GPU driver installation by remounting driver installation path as executable from cos-extensions.

Added support for user.* xattr on tmpfs.

Added automatic generation of known modules list to image build process.

Include nvidia plugin into sosreport.

Added support for iSCSI targets and RAM block devices.

Fixed a time-to-login slowdown introduced by cloud-init changes.

CVE/Security Fixes:

Fixed CVE-2024-21626 in app-containers/runc.

Upgraded app-editors/vim to v9.0.2167 and app-editors/vim-core to v9.0.2167. This resolves CVE-2023-4733, CVE-2023-4734, CVE-2023-4735, CVE-2023-4736, CVE-2023-4738, CVE-2023-4750, CVE-2023-4752, CVE-2023-4781, CVE-2023-5344, CVE-2023-5441, CVE-2023-5535.

Updated dev-lang/go to v1.21.5. This fixes CVE-2023-45285 and CVE-2023-39326.

Upgraded dev-go/crypto to v0.17.0. This fixes CVE-2023-48795.

Upgraded sys-apps/dbus to v1.12.28. This fixes CVE-2023-34969.

Fixed CVE-2023-49083 in package dev-python/cryptography.

Fixed CVE-2023-6622, CVE-2023-5197, CVE-2023-42753, CVE-2023-4921, CVE-2023-4623, CVE-2023-4194, CVE-2024-23851, CVE-2024-26581 in the Linux kernel.

Updated net-libs/nghttp2 to v1.57.0. This resolves CVE-2023-44487 and CVE-2023-35945.

Updated dev-go/net to v0.17.0. This resolves CVE-2023-44487 and CVE-2023-39325.

Fixed CVE-2023-4911 in sys-libs/glibc.

Fixed CVE-2023-38039 in net-misc/curl.

Fixed CVE-2023-5345 and CVE-2023-42756 in COS kernel.

Fixed CVE-2023-32636, CVE-2023-29499, CVE-2023-32643, CVE-2023-32665, CVE-2023-32611 in glib and glib-utils.

Upgraded sys-fs/mdadm to v4.2. This resolves CVE-2023-28938 and CVE-2023-28736.

Fixed CVE-2023-4016 in sys-process/procps.

Updated dev-go/yaml to v3.0.1. This resolves CVE-2022-28948.

Fixed CVE-2022-40896 in pygments.

Fixed CVE-2023-24329 and CVE-2023-40217 in dev-lang/python.

Fixed ncurses upgrade to 6.4p20220423. This resolves CVE-2023-29491.

Upgraded dev-db/sqlite to v3.45.1-r1. This also fixes CVE-2023-7104.

Fixed CVE-2023-40546, CVE-2023-40548, CVE-2023-40549, CVE-2023-40551, CVE-2023-40547, and CVE-2023-40550 in sys-boot/shim.

Upgrade docker to v24.0.9. This fixes CVE-2024-24557.

Updated dev-libs/openssl to v3.0.13. This resolves CVE-2024-0727 and CVE-2023-6129.

Fixed CVE-2024-0684 in sys-apps/coreutils.

Upgraded net-misc/curl to version 8.6.0. This fixes CVE-2024-0853 and CVE-2023-38545.

Updated dev-libs/libxml2 to 2.11.7. This fixes CVE-2024-25062.

Updated default GPU driver to v470.199.02 and latest GPU driver to v525.125.06. This resolves CVE-2023-25515 and CVE-2023-25516.

Updates for Minor Packages:

Upgraded dev-libs/nss to v3.97.

Upgraded net-libs/gnutls to v3.8.3.

Upgraded dev-python/jinja to v3.1.3.

Upgraded app-admin/node-problem-detector to v0.8.15.

Upgraded app-eselect/eselect-iptables to v20220320.

Upgraded sys-libs/libcap-ng to v0.8.4-r1.

Upgraded net-misc/rsync to v3.2.7-r4.

Upgraded dev-python/netifaces to v0.11.0-r2.

Upgraded net-libs/libtirpc to v1.3.4-r1.

Upgraded app-admin/sudo to v1.9.15_p5.

Upgraded app-misc/jq to v1.7.1.

Upgraded sys-apps/pv to v1.8.5.

Upgraded sys-process/lsof to v4.99.3.

Upgraded dev-util/bsdiff to v4.3.1-r42.

Updated net-misc/openssh to v9.6_p1-r1.

Upgraded sys-apps/less to v643-r1.

Upgraded chromeos-base/mojo_service_manager to v0.0.1-r271.

Upgraded net-misc/socat to v1.8.0.0.

Upgraded dev-python/jsonpatch to v1.33.

Upgraded dev-python/pyyaml to v6.0.1-r1.

Upgraded dev-lang/python-exec to v2.4.10.

Upgraded dev-python/six to v1.16.0-r1.

Upgraded dev-python/configobj to v5.0.8.

Upgraded dev-python/nose to v1.3.7_p20221026.

Upgraded dev-python/mock to v5.1.0.

Upgraded dev-python/pyserial to v3.5-r2.

Upgraded sys-apps/hwdata to v0.376.

Upgraded sys-fs/xfsprogs to v6.5.0.

Upgraded dev-python/pygobject to v3.46.0.

Upgraded sys-devel/libtool to v2.4.6-r7.

Upgraded dev-libs/double-conversion to v3.2.1.

Upgraded net-fs/cifs-utils to v7.0-r1.

Upgraded sys-libs/talloc to v2.4.1.

Upgraded app-arch/unzip to v6.0_p27-r1.

Upgraded sys-apps/dmidecode to v3.5-r3.

Upgraded dev-util/gn to v2121.

Upgraded chromeos-base/chromeos-dbus-bindings to v0.0.1-r2787.

Updated dev-embedded/libftdi to v1.5-r5.

Upgraded sys-apps/coreutils to v9.4.

Upgraded sys-process/procps to v4.0.4.

Updated dev-go/go-tools to v0.11.1_p20230712.

Upgraded app-arch/pigz to v2.8.

Upgraded sys-block/thin-provisioning-tools to v0.9.0-r2.

Upgraded app-arch/tar to v1.35.

Upgraded app-arch/xz-utils to v5.4.6-r1.

Upgraded app-misc/ca-certificates to v20230311.3.97.

Upgraded net-dns/c-ares to v1.26.0.

Upgraded net-dns/libidn2 to v2.3.7.

Upgraded sys-apps/attr to v2.5.2-r1.

Upgraded sys-apps/ethtool to v6.7.

Upgraded sys-apps/file to v5.45-r4.

Upgraded sys-libs/libcap to v2.69-r1.

Upgraded sys-libs/timezone-data to v2024a.

Upgraded sys-libs/zlib to v1.3.1-r1.

Upgraded dev-libs/libusb to v1.0.27.

Upgraded dev-libs/expat to v2.6.0.

Upgraded sys-apps/acl to v2.3.2.

Updated gzip to v1.13.

Upgraded sys-auth/pambase to v20240128.

Upgraded net-misc/chrony to v4.5.

Upgraded app-containers/cni-plugins to v1.4.0.

Upgraded sys-apps/makedumpfile to v1.7.4.

Upgraded chromeos-base/system_api to v0.0.1-r5643.

Upgraded chromeos-base/update_engine-client to v0.0.1-r2385.

Upgraded chromeos-base/hiberman-client to v0.0.1-r455.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2859.

Upgraded chromeos-base/dlcservice-client to v0.0.1-r884.

Upgraded chromeos-base/vm_protos to v0.0.1-r552.

Upgraded chromeos-base/shill-client to v0.0.1-r4325.

Upgraded chromeos-base/minijail to v18-r135.

Upgraded chromeos-base/debugd-client to v0.0.1-r2641.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2722.

Upgraded chromeos-base/chromeos-common-script to v0.0.1-r601.

Upgraded chromeos-base/google-breakpad to v2024.01.16.190249-r226.

Upgraded dev-util/puffin to v1.0.0-r450.

Upgraded sys-fs/squashfs-tools to v4.6.1.

Upgraded sys-apps/sandbox to v2.29-r1.

Dialogflow

Dialogflow CX: The Override request-level speech model has been added to advanced speech settings. This can be used to override the speech model provided in a runtime API request.

Vertex AI Conversation data stores: Gemini-pro 1.0 is now officially in General Availability. The model includes optimized prompting, delivering enhanced results with minimal latency impact. Please note: prompt optimization is currently focused on English, with other languages to follow.

Vertex AI Conversation data stores: The text-bison-001 model and fine-tuned text-bison@001 options will be deprecated by Vertex AI on July 6th. Please transition as soon as possible to the default option or another model available in the settings.

Dialogflow CX: DTMF for telephony integrations is now available for preview.

Firestore in Datastore mode

A weekly digest of client library updates from across the Cloud SDK.

Python

Changes for google-cloud-ndb

2.3.1 (2024-03-16)

Bug Fixes
  • grpc: Fix large payload handling when using the emulator. (#975) (d9162ae)
  • Remove uses of six. #913 (#958) (e17129a)
  • Show a non-None error for core_exception.Unknown errors. (#968) (66e61cc)

Documentation
  • Document how to run system tests against the emulator. (#963) (47db5b9)
  • Note to use functools.wrap instead of utils.wrapping. (#966) (5e9f3d6)
  • Tell users of utils.wrapping to use functools.wraps (#967) (042645b)

Java

Changes for google-cloud-datastore

2.18.6 (2024-03-18)

Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.37.0 (#1355) (bcc5668)

Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.28.0 (#1372) (09db2a7)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.28.1 (#1373) (c6e63e5)
  • Update dependency com.google.errorprone:error_prone_core to v2.26.0 (#1361) (9442766)
  • Update dependency com.google.errorprone:error_prone_core to v2.26.1 (#1363) (05fe5bc)
  • Update dependency com.google.guava:guava-testlib to v33.1.0-jre (#1368) (0195345)

Secret Manager

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for secretmanager/apiv1

1.12.0 (2024-03-19)

Features

Sensitive Data Protection

From February 12 through 27, 2024, a bug caused Sensitive Data Protection to inaccurately set the free-text scores of certain data profiles to 0, where they should have been higher. This bug is now resolved. All affected data profiles have been reprofiled.

For more information about the discovery service, see Data profiles.

March 22, 2024

Artifact Registry

Effective March 22, 2024, Artifact Registry npm repositories reject package names that contain uppercase letters, to match npmjs naming rules. Packages with uppercase letters in their names that were pushed to Artifact Registry before this date aren't affected by this change unless you want to push them to a new repository.

BigQuery

The March 20, 2024 release notes announced the preview for user-defined aggregate functions, but user-defined aggregate functions are not yet supported.

Chronicle

Chronicle has added a new rule set to Cloud Threat Detections, called Serverless Threats, that detects activity associated with potential compromise or abuse of serverless resources in Google Cloud, such as Cloud Run and Cloud Functions.

Chronicle now supports direct ingestion and parsing of reCAPTCHA Enterprise logs from Google Cloud.

Cloud Run

Direct VPC egress (Preview) is now available in the following additional regions:

  • africa-south1
  • asia-south1
  • asia-southeast2
  • australia-southeast2
  • europe-central2
  • europe-west2
  • europe-west6
  • europe-west8
  • europe-west9
  • europe-west10
  • me-central1
  • me-central2
  • southamerica-west1
  • us-east5
  • us-west2
  • us-west3
  • us-west8

Cloud Run services can now connect to a Firestore database using integrations (Preview).

Cloud Run services can now connect to Vertex AI to access generative AI models using integrations (Preview).

Cloud Workstations

Support for GPUs is generally available (GA). For more information, see Available GPUs.

Cloud Workstations supports the following machine type:

  • a2-megagpu-16g

For more information, see Available machine types, REST workstationConfigs, or RPC google.cloud.workstations.v1beta GceInstance.

Compute Engine

Generally available: Disaster recovery with Persistent Disk Async Replication has been expanded to allow you to replicate data on a disk in one region to any other region within the same continent.

Also, the following performance and capacity enhancements are available:

  • Data replication change rate increased to 2 GiB/min from 250 MB/min.
  • Maximum provisioned disk size increased to 32 TB from 5 TB per disk.
  • The number of disks per project increased to 1000 from 100.
  • The number of disks per consistency group increased to 128 from 64.

Container Optimized OS

cos-dev-117-18269-0-0

  • Kernel: COS-6.1.79
  • Docker: v24.0.9
  • Containerd: v1.7.10
  • GPU Drivers: v535.154.05 (default, latest), v470.223.02 (R470 for compatibility with K80 GPUs)

Upgraded app-admin/sosreport to v4.7.0.

Upgraded app-containers/docker-credential-helpers to v0.8.1.

Upgraded app-emulation/cloud-init to v23.4.3.

Upgraded app-admin/google-guest-agent to v20240213.00.

Upgraded app-admin/google-osconfig-agent to v20240126.00.

Upgraded sys-auth/pambase to v20240128.

Upgraded net-misc/chrony to v4.5.

Upgraded app-containers/cni-plugins to v1.4.0.

Updated sys-apps/systemd to v254.9.

Updated app-emulation/kubernetes to v1.29.1.

Updated docker-credential-gcr to v2.1.22.

Upgraded app-admin/google-guest-agent to v20240122.00.

Upgraded app-admin/google-guest-configs to v20240122.00.

Upgraded app-admin/google-osconfig-agent to v20240123.01.

Upgraded sys-apps/makedumpfile to v1.7.4.

Updated app-containers/runc to v1.1.12.

Updated app-emulation/cloud-init to v23.4.2.

Updated app-admin/sosreport to v4.6.1.

Upgraded chromeos-base/chromeos-common-script to v0.0.1-r602.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2723.

Upgraded chromeos-base/shill-client to v0.0.1-r4341.

Upgraded chromeos-base/system_api to v0.0.1-r5653.

Upgraded chromeos-base/dlcservice-client to v0.0.1-r886.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2861.

Upgraded chromeos-base/hiberman-client to v0.0.1-r456.

Upgraded chromeos-base/minijail to v18-r136.

Upgraded chromeos-base/system_api to v0.0.1-r5643.

Upgraded chromeos-base/update_engine-client to v0.0.1-r2385.

Upgraded chromeos-base/hiberman-client to v0.0.1-r455.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2859.

Upgraded chromeos-base/dlcservice-client to v0.0.1-r884.

Upgraded chromeos-base/vm_protos to v0.0.1-r552.

Upgraded chromeos-base/shill-client to v0.0.1-r4325.

Upgraded chromeos-base/minijail to v18-r135.

Upgraded chromeos-base/debugd-client to v0.0.1-r2641.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2722.

Upgraded chromeos-base/chromeos-common-script to v0.0.1-r601.

Upgraded chromeos-base/google-breakpad to v2024.01.16.190249-r226.

Upgraded chromeos-base/debugd-client to v0.0.1-r2634.

Upgraded chromeos-base/session_manager-client to v0.0.1-r2721.

Upgraded chromeos-base/shill-client to v0.0.1-r4308.

Upgraded dev-util/puffin to v1.0.0-r450.

Upgraded chromeos-base/dlcservice-client to v0.0.1-r872.

Upgraded chromeos-base/update_engine-client to v0.0.1-r2369.

Upgraded chromeos-base/hiberman-client to v0.0.1-r446.

Upgraded sys-fs/squashfs-tools to v4.6.1.

Upgraded chromeos-base/power_manager-client to v0.0.1-r2849.

Upgraded sys-apps/sandbox to v2.29-r1.

Upgraded app-arch/xz-utils to v5.4.6-r1.

Upgraded app-misc/ca-certificates to v20230311.3.97.

Upgraded net-dns/c-ares to v1.26.0.

Upgraded net-dns/libidn2 to v2.3.7.

Upgraded sys-apps/attr to v2.5.2-r1.

Upgraded sys-apps/ethtool to v6.7.

Upgraded sys-apps/file to v5.45-r4.

Upgraded sys-libs/libcap to v2.69-r1.

Upgraded sys-libs/timezone-data to v2024a.

Upgraded sys-libs/zlib to v1.3.1-r1.

Upgraded dev-libs/libusb to v1.0.27.

Upgraded dev-libs/expat to v2.6.0.

Upgraded dev-db/sqlite to v3.45.1-r1.

Upgraded net-misc/curl to v8.5.0-r3.

Upgraded sys-apps/acl to v2.3.2.

Updated gzip to v1.13.

Updated cos-gpu-installer to v2.2.0.

Added automatic generation of known modules list to image build process.

Include nvidia plugin into sosreport.

Added support for iSCSI targets and RAM block devices.

Fixed a time-to-login slowdown introduced by cloud-init changes.

Upgrade docker to v24.0.9. This fixes CVE-2024-24557.

Fixed CVE-2023-40546, CVE-2023-40548, CVE-2023-40549 and CVE-2023-40550 in sys-boot/shim.

Fixed CVE-2023-40551 in sys-boot/shim.

Fixed CVE-2023-40547 in sys-boot/shim.

Updated dev-libs/openssl to v3.0.13. This resolves CVE-2024-0727 and CVE-2023-6129.

Fixed CVE-2024-0684 in sys-apps/coreutils.

Upgraded net-misc/curl to version 8.6.0. This fixes CVE-2024-0853.

Updated dev-libs/libxml2 to 2.11.7. This fixes CVE-2024-25062.

Fixed CVE-2024-23851 in the Linux kernel.

Runtime sysctl changes:

  • Changed: fs.epoll.max_user_watches: 1809474 -> 1809452
  • Changed: fs.file-max: 812400 -> 812392
  • Changed: kernel.threads-max: 63504 -> 63503
  • Changed: net.ipv4.tcp_mem: 94068 125424 188136 -> 94065 125423 188130
  • Changed: net.ipv4.udp_mem: 188136 250848 376272 -> 188133 250847 376266
  • Changed: user.max_cgroup_namespaces: 31752 -> 31751
  • Changed: user.max_ipc_namespaces: 31752 -> 31751
  • Changed: user.max_mnt_namespaces: 31752 -> 31751
  • Changed: user.max_net_namespaces: 31752 -> 31751
  • Changed: user.max_pid_namespaces: 31752 -> 31751
  • Changed: user.max_time_namespaces: 31752 -> 31751
  • Changed: user.max_user_namespaces: 31752 -> 31751
  • Changed: user.max_uts_namespaces: 31752 -> 31751

Sensitive Data Protection

The discovery and inspection services, which support BigQuery, now support tables that contain columns with INTERVAL, RANGE<DATE>, RANGE<DATETIME>, and RANGE<TIMESTAMP> data types.

For more information about sensitive data discovery, see Data profiles.

For more information about sensitive data inspection for BigQuery, see Inspect a BigQuery table.

March 21, 2024

Anthos Config Management

The constraint template library includes a new template: K8sPSSRunAsNonRoot. For reference, see the Constraint template library.

Policy Controller bundles have been updated to the following versions: cis-gke-v1.4.0: 202402.0-preview, nist-sp-800-190: 202402.0, nist-sp-800-53-r5: 202402.0, pci-dss-v3.2.1: 202402.0, pss-baseline-v2022: 202402.0, pss-restricted-v2022: 202402.0. For reference, see Policy Controller bundles overview.

Fixed a regression introduced in 1.16.0 that limits the length of the Secret name referenced in the spec.git.secretRef.name field of the RootSync object.

Fixed a regression introduced in 1.17.0 that caused Config Sync to sometimes fail to pull the latest commit from a Git branch by upgrading git-sync (Config Sync dependency for pulling from git) from v4.1.0 to v4.2.1.

Backup and DR

Backup and DR Service 11.0.10.417 is now available to update your backup/recovery appliance. Refer to these instructions to update your appliance.

Backup and DR Service 11.0.10 includes an operating system upgrade from CentOS 7 to Rocky Linux 8. As CentOS 7 will reach its End of Life (EOL) on June 24, 2024, you must upgrade to 11.0.10 before the EOL date to continue receiving security updates.

To upgrade to 11.0.10, you should take a snapshot of the appliance's boot disk. If your backup/recovery appliance is on 11.0.5 or below, you need to upgrade to 11.0.9 before you can upgrade to 11.0.10. See the 11.0.9 release notes to learn how to back up the boot disk.

Backup and DR Service added support to access historical reports. Learn more.

BigQuery

You can now add Salesforce Data Cloud data to BigQuery. This feature is generally available (GA).

Incremental materialized views now support LEFT OUTER JOIN and UNION ALL. This feature is in preview.

Bigtable

You can now view Bigtable cost data with instance granularity in the Google Cloud Billing detailed export to BigQuery. For more information, see Structure of detailed cost data export.

Compute Engine

Generally available: In a managed instance group (MIG), you can set metadata and labels for all VMs in the group without the need to create a new instance template. For more information, see Override instance template properties with an all-instances configuration.

Generally available: In a managed instance group (MIG), you can turn off repairs to inspect failed and unhealthy VMs, to implement your own repair logic, or to monitor the application health without triggering repairs by MIG. For more information, see Turn off repairs in a MIG.

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.96-debian10, 2.0.96-rocky8, 2.0.96-ubuntu18
  • 2.1.44-debian11, 2.1.44-rocky8, 2.1.44-ubuntu20, 2.1.44-ubuntu20-arm
  • 2.2.10-debian12, 2.2.10-rocky9, 2.2.10-ubuntu22

Google Distributed Cloud Virtual for Bare Metal

Release 1.28.300-gke.131

GKE on Bare Metal 1.28.300-gke.131 is now available for download. To upgrade, see Upgrade clusters. GKE on Bare Metal 1.28.300-gke.131 runs on Kubernetes 1.28.

If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.

Functionality changes:

  • Updated preflight checks to add a check for networking kernel modules.

  • Updated preflight checks to remove the check for iptables package availability.

  • Increased the default memory limit for node-exporter.

Fixes:

  • Fixed an issue with configuring a proxy for your cluster that required you to manually set HTTPS_PROXY and NO_PROXY environment variables on the admin workstation.

The following container image security vulnerabilities have been fixed in 1.28.300-gke.131:

Known issues:

For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section.

Release 1.15.11

GKE on Bare Metal 1.15.11 is now available for download. To upgrade, see Upgrade clusters. GKE on Bare Metal 1.15.11 runs on Kubernetes 1.26.

If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.

The following container image security vulnerabilities have been fixed in 1.15.11:

Known issues:

For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section.

Google Distributed Cloud Virtual for VMware

GKE on VMware 1.28.300-gke.123 is now available. To upgrade, see Upgrading GKE on VMware. GKE on VMware 1.28.300-gke.123 runs on Kubernetes v1.28.4-gke.1400.

If you are using a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on VMware.

  • Increased the default memory limit for node-exporter.
  • Updated the AIS version to hybrid_identity_charon_20240228_0730_RC00.

The following issues are fixed in 1.28.300-gke.123:

  • Fixed the issue where the admin cluster backup did a retry on non-idempotent operations.
  • Fixed the known issue where the controlPlaneNodePort field defaulted to 30968 when the manualLB spec was empty.
  • Fixed the known issue that caused the preflight check to fail when the hostname wasn't in the IP block file.
  • Fixed the known issue that caused Kubelet to be flooded with logs stating that "/etc/kubernetes/manifests" does not exist on the worker nodes.

The following vulnerabilities are fixed in 1.28.300-gke.123:

Security Command Center

Security Command Center detectors are now mapped to the following additional compliance frameworks:

  • CIS Critical Security Controls v8
  • Cloud Controls Matrix v 4
  • HIPAA
  • ISO 27001 (2022)
  • NIST 800-53 (rev 5)
  • NIST Cybersecurity Framework (v 1.0)
  • PCI-DSS 4.0
  • SOC 2 (2017)

reCAPTCHA Enterprise

reCAPTCHA Enterprise platform logs are now available in Chronicle. Users can now view their reCAPTCHA assessment and annotation data in a structured and searchable data format in Chronicle. For more information, see Collect reCAPTCHA Enterprise logs.

March 20, 2024

AlloyDB for PostgreSQL

Updated the default major version of PostgreSQL compatibility for new AlloyDB clusters to PostgreSQL 15.

Bare Metal Solution

You can now create and manage VRFs for the networks in your Bare Metal Solution environment. This feature is generally available (GA).

BigQuery

The maximum notebook size has been increased from 10 MB to 20 MB. Notebooks are available in preview.

You can now view lists of all saved queries and all notebooks in your project. These features are available in preview.

Chronicle

There is no longer a limit on the number of feeds you can create for the same log type in Feed Management.

Chronicle SOAR

Release 6.2.52 is currently in Preview.

Case filter and URL now in a reciprocal relationship

In the Cases page, the filter and the URL now directly affect each other. Changing the filter changes the URL, and conversely, changing the URL changes the filter. You can take advantage of this feature by setting a filter for cases and putting the newly created URL in an external dashboard. Clicking on this link would then take you directly to the filtered case queue.

Incident Manager appearing in navigation even though user doesn't have license (ID #49062139)

lastLoginTime returns wrong date for SAML users (ID #00278010)

Wrong error message returned for environment alias duplicates (ID #00271405)

Playbooks with async actions longer than 7 days can't be saved even though time set to 14 days in IDE (ID #00269032)

Clicking on events configuration opens the wrong mapping & modeling rules

Cloud Composer

The Logs in Cloud Logging only feature is gradually rolled out to all regions:

  • New Cloud Composer environments now save Airflow task logs only in Cloud Logging by default.
  • Existing environments are not changed. If you upgrade an existing environment, it keeps saving logs to the environment's bucket.
  • You can enable and disable saving logs to the environment's bucket for an existing environment.

Currently the feature is rolled out to the following regions: africa-south1, asia-east1, asia-east2, asia-northeast2, asia-south2, asia-southeast2, australia-southeast2, europe-central2, europe-southwest1, europe-west10, europe-west12, europe-west2, europe-west3, europe-west4, europe-west6, europe-west8, me-central1, me-central2, me-west1, northamerica-northeast2, southamerica-west1, us-east5, us-east7, us-south1, and us-west4.

Cloud Healthcare API

The Healthcare Natural Language API supports the following entity mention types in Preview:

  • Oncology
  • Social determinants of health (SDOH)
  • Protected health information (PHI)

Cloud Key Management Service

Certificate bundles for verifying attestations for Cloud HSM keys are deprecated. You can no longer download certificate bundles as of March 20, 2024.

Certificate bundles have been replaced by certificate chains. To learn how to use certificate chains to verify attestations for Cloud HSM keys, see Verifying the attestation manually.

Cloud Load Balancing

The Google Cloud Console has launched a new wizard experience to walk you through the process of selecting a new load balancer. The new wizard walks you through all the available options (internal or internet-facing, proxy or passthrough, global or regional) and guides you to the appropriate load balancer for your use-case.

Try out the new wizard in the Google Cloud Console at Create a load balancer.

Container Optimized OS

cos-105-17412-294-46

  • Kernel: COS-5.15.146
  • Docker: v23.0.3
  • Containerd: v1.7.10
  • GPU Drivers: v470.239.06 (default), v535.161.07 (latest)

Upgraded app-editors/vim and app-editors/vim-core to v9.0.2167.

Fixed CVE-2024-0727 in dev-libs/openssl.

Updated app-editors/vim to 9.0.2167. This fixed CVE-2023-48231, CVE-2023-48232, CVE-2023-48233, CVE-2023-48234, CVE-2023-48235, CVE-2023-48236, CVE-2023-48237, CVE-2023-48706, CVE-2024-22667.

Fixed CVE-2023-52447 in the Linux kernel.

cos-101-17162-386-47

  • Kernel: COS-5.15.146
  • Docker: v20.10.24
  • Containerd: v1.6.28
  • GPU Drivers: v470.239.06 (default), v535.161.07 (latest)

Fixed CVE-2024-0727 in dev-libs/openssl.

Updated app-editors/vim to 9.0.2167. This fixed CVE-2023-48231, CVE-2023-48232, CVE-2023-48233, CVE-2023-48234, CVE-2023-48235, CVE-2023-48236, CVE-2023-48237, CVE-2023-48706, CVE-2024-22667.

Fixed CVE-2023-52447 in the Linux kernel.

cos-97-16919-450-34

  • Kernel: COS-5.10.208
  • Docker: v20.10.24
  • Containerd: v1.6.21
  • GPU Drivers: v470.239.06 (default), v535.161.07 (latest)

Fixed CVE-2024-0727 in dev-libs/openssl.

Updated app-editors/vim to 9.0.2167. This fixed CVE-2023-48231, CVE-2023-48232, CVE-2023-48233, CVE-2023-48234, CVE-2023-48235, CVE-2023-48236, CVE-2023-48237, CVE-2023-48706, CVE-2024-22667.

Fixed CVE-2023-52447 in the Linux kernel.

cos-109-17800-147-38

  • Kernel: COS-6.1.75
  • Docker: v24.0.9
  • Containerd: v1.7.13
  • GPU Drivers: v535.161.07 (default, latest), v470.239.06 (R470 for compatibility with K80 GPUs)

Added support for iSCSI targets and RAM block devices.

Updated app-editors/vim to 9.0.2167. This fixed CVE-2023-48231, CVE-2023-48232, CVE-2023-48233, CVE-2023-48234, CVE-2023-48235, CVE-2023-48236, CVE-2023-48237, CVE-2023-48706, CVE-2024-22667.

Dataproc

Announcing the Preview release of Dataproc Serverless for Spark 1.2 runtime:

  • Spark 3.5.0
  • BigQuery Spark Connector 0.35.1
  • Cloud Storage Connector 3.0.0
  • Conda 23.11
  • Java 17
  • Python 3.12
  • R 4.3
  • Scala 2.12

New Dataproc Serverless for Spark runtime versions:

  • 1.1.55
  • 1.2.0-RC1
  • 2.0.63
  • 2.1.42
  • 2.2.0-RC15

Dataproc Serverless for Spark:

  • Upgraded Spark RAPIDS plugin to version 24.2.0 in the latest runtimes.
  • Upgraded Spark to version 3.3.4 in the latest 1.1 and 2.0 runtimes.
  • Backported SPARK-44198 in the latest 1.2 and 2.2 runtimes.

Google Cloud Architecture Center

(New guide) Design storage for AI and ML workloads in Google Cloud: Select the recommended storage options for your AI and ML workloads.

Google Kubernetes Engine

(2024-R08) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • The following versions are now available in the Stable channel:
  • Version 1.26.10-gke.1101000 is no longer available in the Stable channel.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.24 to version 1.25.16-gke.1041000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.25 to version 1.25.16-gke.1041000 with this release.

Regular channel

  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.26.13-gke.1144000
    • 1.27.9-gke.1092000
    • 1.28.5-gke.1217000
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.25 to version 1.26.14-gke.1006000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.26 to version 1.26.14-gke.1006000 with this release.

Rapid channel

  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.25.16-gke.1570000
    • 1.26.14-gke.1044000
    • 1.27.11-gke.1062000
    • 1.28.3-gke.1286000
    • 1.28.7-gke.1100000
    • 1.29.2-gke.1217000
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.24 to version 1.25.16-gke.1596000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.25 to version 1.26.14-gke.1076000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.26 to version 1.27.11-gke.1118000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.27 to version 1.28.7-gke.1026000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.28 to version 1.28.7-gke.1026000 with this release.

Security Command Center

New misconfiguration detectors for AlloyDB for PostgreSQL clusters released to General Availability.

Security Health Analytics, a built-in service of Security Command Center, released new detectors to General Availability. The following detectors, which are available only with the Premium tier of Security Command Center, detect misconfigurations in AlloyDB for PostgreSQL clusters and instances:

  • ALLOYDB_AUTO_BACKUP_DISABLED: Automated backups are not enabled in AlloyDB for PostgreSQL cluster.
  • ALLOYDB_LOG_ERROR_VERBOSITY: Instance database flag log_error_verbosity for AlloyDB for PostgreSQL instance is not set to default or another less restrictive value.
  • ALLOYDB_LOG_MIN_ERROR_STATEMENT_SEVERITY: Instance database flag log_min_error_statement for AlloyDB for PostgreSQL instance is not set to ERROR or lower.
  • ALLOYDB_LOG_MIN_MESSAGES: Instance database flag log_min_messages for AlloyDB for PostgreSQL instance is not set to at minimum warning.

For more information, see SQL vulnerability findings.

Spanner

Leader-aware routing now dynamically routes read-write transactions to the leader region in Spanner multi-region instances, reducing latency and improving performance. For more information, see Leader-aware routing.

reCAPTCHA Enterprise

reCAPTCHA Enterprise Mobile SDK v18.5.0-beta02 is now available for Android and iOS.

This version contains changes to improve the performance and reliability of getClient() and execute().

March 19, 2024

AlloyDB for PostgreSQL

The Quotas documentation is updated to include additional guidance on setting the maximum number of concurrent connections for your database instance size.

App Hub

App Hub is generally available (GA).

Artifact Registry

Fixed the issue causing images copied to Artifact Registry from Container Registry with the automatic migration tool to fail to propagate their creation time to Artifact Registry. Artifact Registry creation time is set to the time the image was uploaded to Container Registry, and update time is set to the time the image is copied to Artifact Registry.

BigQuery

You can now create and run Spark stored procedures that are written in Python, Java, and Scala. You can also use the PySpark editor in BigQuery to create stored Python procedures for Apache Spark. This feature is now generally available (GA).

The minimum duration between scheduled queries has been reduced from 15 minutes to 5 minutes. This feature is generally available.

Bigtable

You can now create daily backups of your Bigtable table by enabling automated backup. This feature is available in Preview. For details, see Automated backup.

Blockchain Node Engine

On March 19, 2024, Blockchain Node Engine upgraded all mainnet Polygon nodes in preparation for the Napoli (PIP-33) Hardfork.

Cloud Asset Inventory

The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.

  • NetApp
    • netapp.googleapis.com/Backup
    • netapp.googleapis.com/BackupPolicy
    • netapp.googleapis.com/BackupVault
Cloud Composer

Airflow 2.7.3 is available in Cloud Composer images.

Fixed an issue where past Airflow task instances could be marked as failed in some cases.

Fixed an issue where Airflow task logs for the first try of a task might not be visible in Airflow UI.

BigQueryInsertJobOperator now correctly handles ephemeral tables created with tableDefinitions.

In BigQueryInsertJobOperator, fixed the handling of parsing errors during Lineage emission when the query is too long or deeply nested.

The apache-airflow-providers-google package is upgraded to version 10.16.0 in images with Airflow 2.6.3, and images with Airflow 2.7.3 have this version. For more information about changes, see the apache-airflow-providers-google changelog from version 10.15.0 to version 10.16.0.

The apache-airflow-providers-cncf-kubernetes package was upgraded to version 8.0.1 in images with Airflow 2.6.3, and images with Airflow 2.7.3 have this version.

Cloud Composer 2.6.5 images are available:

  • composer-2.6.5-airflow-2.7.3
  • composer-2.6.5-airflow-2.6.3 (default)
  • composer-2.6.5-airflow-2.5.3

Cloud Composer versions 2.1.10, 2.1.9, 1.20.10, and 1.20.9 have reached their end of full support period.

Cloud Run

You can now mount an NFS file share as a volume for Cloud Run services and jobs. (In Preview)

Cloud SQL for MySQL

Cloud SQL Enterprise Plus edition now supports the me-central2 (Dammam) region.

Cloud SQL for PostgreSQL

Cloud SQL Enterprise Plus edition now supports the me-central2 (Dammam) region.

Dialogflow

Dialogflow CX now provides the offers and deals prebuilt component.

Vertex AI Conversation data store tools now support filter and userMetadata example parameters.

Dialogflow CX request-scoped parameters now support the $request.user-utterance parameter to reference the end-user utterance.

Eventarc

Eventarc support for creating triggers for direct events from Network Services is generally available (GA).

Google Kubernetes Engine

Cilium cluster-wide network policies are now generally available with the following GKE versions:

  • 1.28.6-gke.1095000 or later
  • 1.29.1-gke.1016000 or later

You can now control your GKE workloads' ingress and egress traffic cluster-wide, without being bound to a namespace for your network policies. This new capability is intended to streamline network policies for GKE platform administrators looking for a uniform way to apply policies across namespaces or application teams.

Cilium cluster-wide network policy is available in all GKE editions.

To learn more, read Control cluster-wide communication using network policies.

Workloads running on GKE clusters with COS-based nodes may experience DNS resolution issues. The likelihood of impact is low and not all clusters are impacted. The issue is resolved on the following minimal GKE node versions:

  • For 1.27: 1.27.11-gke.1118000
  • For 1.28: 1.28.7-gke.1100000
  • For 1.29: 1.29.2-gke.1217000

Clusters with a node version that is lower than 1.27.3-gke.1200 are not affected.

Spanner

Statistics for active partitioned data manipulation language (DML) queries are now generally available. You can get insights on active partitioned DML queries and their progress from statistics tables in your Spanner database. For more information, see Active partitioned DMLs statistics.

VPC Service Controls

Beta stage support for the following integration:

March 18, 2024

BigQuery

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/bigquery

7.5.1 (2024-03-14)

Bug Fixes
  • Add better documentation around usage of BigQueryTimestamp class and .timestamp method. (2b2c3e0)
  • BigQueryTimestamp should keep accepting floats #1339 (2b2c3e0)
  • Restores BigQueryTimestamp behavior to accept a numeric value in the constructor representing epoch-seconds. The affected 7.5.0 version would parse a numeric value as epoch-microseconds. (2b2c3e0)

Python

Changes for google-cloud-bigquery

3.19.0 (2024-03-11)

Features
Bug Fixes
  • Add google-auth as a direct dependency (713ce2c)
  • Augment universe_domain handling (#1837) (53c2cbf)
  • deps: Require google-api-core>=1.34.1, >=2.11.0 (713ce2c)
  • Supplementary fix to env-based universe resolution (#1844) (b818992)
  • Supplementary fix to env-based universe resolution (#1847) (6dff50f)

You can now undelete a dataset that is within your time travel window to recover it to the state that it was in when it was deleted. This feature is in preview.

These BigQuery features are now generally available (GA):

Text analysis configuration options for the following:

The following advanced processing functions:

You can now perform hierarchical forecasts in BigQuery ML time series models, which let you aggregate and roll up values for all time series in the model. This feature is generally available (GA).

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.36.0 (2024-03-13)

Features
Cloud Logging

A weekly digest of client library updates from across the Cloud SDK.

Python

Changes for google-cloud-logging

3.10.0 (2024-03-13)

Features
  • Allow users to explicitly configure universe domain (#846) (e998a21)
Bug Fixes
  • Added placeholder kwargs to StructuredLogHandler (#845) (9bc0a37)
  • Allowed for a partial override of loggers that get excluded from setup_client (#831) (870c940)
  • Remove usage in including_default_value_fields to prepare for protobuf 5.x (#866) (66a534d)
  • Use value of cluster-location in GKE for tagging location (#830) (c15847c)
Documentation
  • Added documentation for Django/Flask integrations and dictConfig (#848) (c65ec92)
Cloud Monitoring

You can now use Duet AI for Developers to help you create a synthetic monitor. This feature is in Public Preview. For more information, see Create a synthetic monitor.

Cloud Storage

You can now use the GCS FUSE file cache feature, a client-based read cache that lets repeat file reads be served from a faster cache storage of your choice. To learn more about caching, see GCS FUSE caching documentation.

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for storage/internal/apiv2

1.39.1 (2024-03-11)

Bug Fixes
  • storage: Add object validation case and test (#9521) (386bef3)

Java

Changes for google-cloud-storage

2.36.0 (2024-03-15)

Features
  • Add Custom Part Metadata Decorator to ParallelCompositeUploadConfig (#2434) (43b8006)
  • Add hierarchical namespace and folders features (#2445) (8074fff)
  • Add soft delete feature (#2403) (989f36f)
Bug Fixes
Dependencies
  • Update dependency com.google.apis:google-api-services-storage to v1-rev20240307-2.0.0 (#2442) (1352203)
  • Update dependency net.jqwik:jqwik to v1.8.4 (#2447) (110b80c)
  • Update gcr.io/cloud-devrel-public-resources/storage-testbench docker tag to v0.42.0 (#2441) (80745d4)
Cloud Tasks

The BufferTask method for creating tasks is now at General Availability (GA).

For tasks that have HTTP targets (as opposed to App Engine targets), the option to set routing for tasks at the queue level is now at General Availability (GA). If you set routing at the queue level, you do not have to set routing for each individual task. To learn more, see Configure routing.

Compute Engine

Generally available: The organization-wide patch status dashboard and organization-wide OS policy compliance reports in VM Manager are now generally available.

Config Controller

Config Controller now uses the following versions of its included products:

Container Registry

Container Registry is scheduled to be shut down and superseded by Artifact Registry on March 18, 2025. For more information and transition options, see Deprecations.

Dataflow

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for dataflow/apiv1beta3

0.9.6 (2024-03-14)

Bug Fixes
  • dataflow: Update protobuf dep to v1.33.0 (30b038d)
Deep Learning Containers

M118 release

  • PyTorch 2.1.0 with CUDA 12.1 and Python 3.10 container images are now available.
  • PyTorch 2.2.0 with CUDA 12.1 and Python 3.10 container images are now available.
Deep Learning VM Images

M118 release

  • Restored legacy GPU image families for TensorFlow 2.12 through 2.14, and for PyTorch 2.0.
  • PyTorch 2.1.0 with CUDA 12.1 and Python 3.10 VM images are now available.
  • PyTorch 2.2.0 with CUDA 12.1 and Python 3.10 VM images are now available.
  • R images (Experimental) updated to R 4.3.3.
  • Updated Nvidia drivers of older Deep Learning VM images to R535.
Dialogflow

The Dialogflow ES and Dialogflow CX us-dialogflow.googleapis.com endpoint and locations/us resource location, which served as aliases for global resources, will be discontinued on April 16, 2024. For more information, see the email announcement.

The following prebuilt components have been added to Dialogflow CX:

Secret Manager

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for secretmanager/apiv1

1.11.6 (2024-03-14)

Bug Fixes
  • secretmanager: Update protobuf dep to v1.33.0 (30b038d)
Vertex AI

Vector Search heuristics-based compaction

Vector Search uses heuristics-based metrics to assess whether to trigger compaction. This prevents unnecessary compaction, and thus reduces cost. For general information about compaction, see Compaction.

Vertex AI Workbench

M118 release

The M118 release of Vertex AI Workbench user-managed notebooks includes the following:

  • PyTorch 2.1.0 with CUDA 12.1 and Python 3.10 user-managed notebooks instances are now available.
  • PyTorch 2.2.0 with CUDA 12.1 and Python 3.10 user-managed notebooks instances are now available.
  • Updated Nvidia drivers of older user-managed notebooks images to R535.

The M118 release of Vertex AI Workbench managed notebooks includes the following:

  • Updated Nvidia drivers to R535, which fixed a bug where the latest PyTorch 2.0 kernel didn't work due to outdated drivers.

M118 release

The M118 release of Vertex AI Workbench instances includes the following:

  • Updated Nvidia drivers to R535.

March 15, 2024

Access Approval

Access Approval supports Google Distributed Cloud Edge in the GA stage.

Access Transparency

Access Transparency supports the following services in the GA stage:

  • Google Distributed Cloud Edge
  • IAM workforce identity pools
AlloyDB for PostgreSQL

The Back up and restore AlloyDB Omni documentation is updated to include pgBackRest, an open-source solution included with the AlloyDB Omni Docker container.

Anthos Service Mesh

The rollout of managed Anthos Service Mesh version 1.17 to the stable channel has completed.

Anti Money Laundering AI

Improved the party de-registration process. You can now remove parties without prediction intent (that is, those parties not included in a create prediction results request) within a 45-day window following registration.

Artifact Registry

Artifact Registry remote repositories support basic authentication to user-defined and preset upstream sources for Docker, Maven, npm, and Python formats.

To create a remote repository using a preset or user-defined upstream source, see Create remote repositories. For more information on remote repository authentication, see Configure authentication to remote repositories.

Images copied to Artifact Registry from Container Registry with the automatic migration tool are failing to propagate their upload time to Artifact Registry, and instead have their upload time value set to zero, resulting in an upload time of early 1970. If you have cleanup policies that delete images based on upload time, this might mean all your copied images are deleted. We are actively working on a fix for this issue.

Carbon Footprint

Emissions reported for Google Kubernetes Engine (GKE) declined starting in February 2024. This change is a result of an update to Google's internal cost allocation, which determines how shared infrastructure costs are attributed to individual services. According to our methodology (Technical details - Electricity use), these internal costs are used to apportion electricity consumption and carbon emissions to services, so changes in cost apportionment result in corresponding changes to carbon apportionment and reporting for that service.

Chronicle

Chronicle has expanded Cloud Threat Detections to create a detection when findings from Security Command Center Event Threat Detections, Cloud Armor, Sensitive Actions Service, and Custom modules for Event Threat Detection are identified. These detections are available through the following rule sets: CDIR SCC Cloud IDS, CDIR SCC Cloud Armor, CDIR SCC Impact, CDIR SCC Enhanced Persistence, CDIR SCC Enhanced Defense Evasion, and CDIR SCC Custom Module.

Chronicle SOAR

Release 6.2.5.0 is now in General Availability.

Dataflow

You can now use worker utilization hints to tune horizontal autoscaling for streaming pipelines.

Added new autoscaling metrics:

  • Autoscaling rationale chart: explains the factors driving autoscaling decisions
  • Worker CPU utilization chart: shows current user worker CPU utilization and customer autoscaling hint value
  • Timer backlog per stage: shows an estimate of time needed to materialize the output for windows whose timer has expired
  • Parallel processing: the number of keys available for parallel processing
Datastream

Datastream now supports SQL Server as a source. The feature is in Preview. For more information, see Streamlining data integration with SQL Server source support in Datastream and the Datastream documentation.

Google Kubernetes Engine

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-1085

For more information, see the GCP-2024-018 security bulletin.

Identity and Access Management

You can use the iam.serviceAccountKeyExposure organization policy constraint to help manage leaked service account credentials.

Vertex AI Search and Conversation

Vertex AI Search: Sync from Google Drive (Preview with allowlist)

Connecting to Google Drive as a data source for Vertex AI Search is available as a Preview with allowlist feature. For more information, see Sync from Google Drive.

March 14, 2024

Apigee UI

On March 14, 2024 we released an updated version of the Apigee UI.

Bug ID | Description
320739232 | An issue was fixed where an incorrect error message was displayed after an API proxy or shared flow was undeployed.
Chronicle

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

  • Akamai WAF (AKAMAI_WAF)
  • Alcatel Switch (ALCATEL_SWITCH)
  • Arcsight CEF (ARCSIGHT_CEF)
  • Auth0 (AUTH_ZERO)
  • AWS Cloudtrail (AWS_CLOUDTRAIL)
  • AWS Config (AWS_CONFIG)
  • AWS GuardDuty (GUARDDUTY)
  • Azure AD (AZURE_AD)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • Azure App Service (AZURE_APP_SERVICE)
  • Azure Key Vault logging (AZURE_KEYVAULT_AUDIT)
  • BIND (BIND_DNS)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Box (BOX)
  • Chrome Management (N/A)
  • Cisco AMP (CISCO_AMP)
  • Cisco Umbrella DNS (UMBRELLA_DNS)
  • Cisco VPN (CISCO_VPN)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • Cloud Audit Logs (N/A)
  • Cloudflare (CLOUDFLARE)
  • Cofense (COFENSE_TRIAGE)
  • Corelight (CORELIGHT)
  • CrowdStrike Falcon (CS_EDR)
  • CSV Custom IOC (CSV_CUSTOM_IOC)
  • Custom Application Access Logs (CUSTOM_APPLICATION_ACCESS)
  • Cybergatekeeper NAC (CYBERGATEKEEPER_NAC)
  • Extreme Wireless (EXTREME_WIRELESS)
  • F5 ASM (F5_ASM)
  • F5 BIGIP LTM (F5_BIGIP_LTM)
  • Falco IDS (FALCO_IDS)
  • FireEye (FIREEYE_ALERT)
  • FireEye ETP (FIREEYE_ETP)
  • ForgeRock Identity Cloud (FORGEROCK_IDENTITY_CLOUD)
  • FortiGate (FORTINET_FIREWALL)
  • GCP_APP_ENGINE (GCP_APP_ENGINE)
  • HP Procurve Switch (HP_PROCURVE)
  • IAM Context (N/A)
  • IBM DB2 (DB2_DB)
  • IBM Mainframe Storage (IBM_MAINFRAME_STORAGE)
  • IBM Security Access Manager (IBM_SAM)
  • Illumio Core (ILLUMIO_CORE)
  • Imperva (IMPERVA_WAF)
  • Infoblox (INFOBLOX)
  • JAMF CMDB (JAMF)
  • KerioControl Firewall (KERIOCONTROL)
  • Microsoft Azure Activity (AZURE_ACTIVITY)
  • Microsoft Azure Resource (AZURE_RESOURCE_LOGS)
  • Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
  • Microsoft Defender for Endpoint (MICROSOFT_DEFENDER_ENDPOINT)
  • Microsoft Exchange (EXCHANGE_MAIL)
  • Microsoft Graph Activity Logs (MICROSOFT_GRAPH_ACTIVITY_LOGS)
  • Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
  • Microsoft IIS (IIS)
  • Microsoft System Center Endpoint Protection (MICROSOFT_SCEP)
  • Mobile Endpoint Security (LOOKOUT_MOBILE_ENDPOINT_SECURITY)
  • Mongo Database (MONGO_DB)
  • Netscout OCI (NETSCOUT_OCI)
  • Netskope (NETSKOPE_ALERT)
  • Netskope Web Proxy (NETSKOPE_WEBPROXY)
  • Network Policy Server (MICROSOFT_NPS)
  • Nutanix Prism (NUTANIX_PRISM)
  • Office 365 (OFFICE_365)
  • Okta (OKTA)
  • OpenCanary (OPENCANARY)
  • Ordr IoT (ORDR_IOT)
  • Palo Alto Cortex XDR Alerts (CORTEX_XDR)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Palo Alto Prisma Cloud (PAN_PRISMA_CLOUD)
  • PerimeterX Bot Protection (PERIMETERX_BOT_PROTECTION)
  • Phishlabs (PHISHLABS)
  • Proofpoint Sendmail Sentrion (PROOFPOINT_SENDMAIL_SENTRION)
  • Pulse Secure (PULSE_SECURE_VPN)
  • RH-ISAC (RH_ISAC_IOC)
  • SailPoint IAM (SAILPOINT_IAM)
  • Salesforce (SALESFORCE)
  • Sap Business Technology Platform (SAP_BTP)
  • Security Command Center Threat (N/A)
  • Sentinelone Alerts (SENTINELONE_ALERT)
  • Shibboleth IDP (SHIBBOLETH_IDP)
  • Sourcefire (SOURCEFIRE_IDS)
  • Splunk Attack Analyzer (SPLUNK_ATTACK_ANALYZER)
  • STIX Threat Intelligence (STIX)
  • Symantec CloudSOC CASB (SYMANTEC_CASB)
  • Symantec DLP (SYMANTEC_DLP)
  • Tanium Asset (TANIUM_ASSET)
  • Thinkst Canary (THINKST_CANARY)
  • Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
  • Vectra Detect (VECTRA_DETECT)
  • Vectra Stream (VECTRA_STREAM)
  • VeridiumID by Veridium (VERIDIUM_ID)
  • Wazuh (WAZUH)
  • Windows Defender ATP (WINDOWS_DEFENDER_ATP)
  • Windows DNS (WINDOWS_DNS)
  • Windows Event (WINEVTLOG)
  • Windows Event (XML) (WINEVTLOG_XML)
  • Windows Local Administrator Password Solution (MICROSOFT_LAPS)
  • wiz.io (WIZ_IO)
  • Workspace Activities (WORKSPACE_ACTIVITY)
  • XAMS by Xiting (XITING_XAMS)
  • Zscaler CASB (ZSCALER_CASB)
  • Zscaler DLP (ZSCALER_DLP)
  • Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)

The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.

  • Aruba Switch (ARUBA_SWITCH)
  • Azure AD Password Protection (AZURE_AD_PASSWORD_PROTECTION)
  • Azure Front Door (AZURE_FRONT_DOOR)
  • Babelforce (BABELFORCE)
  • Cloudaware (CLOUDAWARE)
  • Coalition Control API (COALITION)
  • Crowdstrike Identity Protection Services (CS_IDP)
  • Cymulate (CYMULATE)
  • Dell ECS Enterprise Object Storage (DELL_ECS)
  • Google Cloud NGFW Enterprise (GCP_NGFW_ENTERPRISE)
  • Google Cloud Secure Web Proxy (GCP_SWP)
  • HaveIBeenPwned (HIBP)
  • HPE BladeSystem C7000 (HPE_BLADESYSTEM_C7000)
  • HP OpenView (HP_OPENVIEW)
  • IBM DS8000 Storage (IBM_DS8000)
  • IBM-i Operating System (IBM_I)
  • Multicom Switch (MULTICOM_SWITCH)
  • Nextthink Finder (NEXTTHINK_FINDER)
  • Palo Alto Cortex XDR Management Audit (PAN_XDR_MGMT_AUDIT)
  • PingIdentity Directory Server Logs (PING_DIRECTORY)
  • Prisma SD-WAN (PRISMA_SD_WAN)
  • Redhat Jboss (REDHAT_JBOSS)
  • SafeBreach (SAFEBREACH)
  • Scality Ring Audit (SCALITY_RING_AUDIT)
  • Sendsafely (SENDSAFELY)
  • Solace Pub Sub Cloud (SOLACE_AUDIT)
  • Sonicwall Secure Mobile Access (SONICWALL_SMA)
  • Sonrai Enterprise Cloud Security Solution (SONRAI)
  • Tenemos Journey Manager System Event Publisher (TENEMOS_MANAGER_SYSTEMEVENT)
  • TrueFort Platform (TRUEFORT)
  • Ubiquiti Accesspoint (UBIQUITI_ACCESSPOINT)
  • WithSecure Cloud Protection (WITHSECURE_CLOUD)
  • WithSecure Elements Connector (WITHSECURE_ELEMENTS)
  • YAMAHA ROUTER RTX1200 (YAMAHA_ROUTER)

For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

Cloud Composer

In Airflow 2.6.3 offered in Cloud Composer versions earlier than 2.6.2, task statuses can be deleted as a result of the #31179 Airflow issue. If you use Airflow 2.6.3, we recommend upgrading to Cloud Composer version 2.6.2 or later, where this issue is fixed.

Cloud Data Fusion

Salesforce plugin version 1.6.3 is available in Cloud Data Fusion versions 6.8.0 and later. The release includes the following changes:

  • Fixed an issue in the Salesforce sink plugin causing an unsupported type datetime error for DateTime type fields in the input schema. In this version, the Salesforce sink plugin supports datetime and decimal logical types (PLUGIN-1749).
  • Fixed an issue in all Salesforce plugins causing a pipeline to fail when using an OAuth macro because the OAuth macro value didn't get passed to the plugin as intended. In this version, all Salesforce plugins support an OAuth macro (PLUGIN-1767).
  • At the time of failure on the Salesforce sink side, if the Error handling property is set to the Fail on error option, the Salesforce job is aborted, which stops newer batches from being added to the job due to Spark retry settings in CDAP (PLUGIN-1768).
  • To make debugging easier, additional debug logs and batch results in logs are available.
Cloud Run

Direct VPC egress now supports Cloud NAT with Public NAT IP addresses (in Preview).

Cloud SQL for SQL Server

A new maintenance version rollout is currently underway for all supported SQL Server versions.

If you have configured a maintenance window for your instance, then the updates will occur according to the timeframe that you set in the window. Otherwise, the updates will occur within the next few weeks. The new maintenance version is [SQL Server version].R20240216.01_RC00.

To learn how to check your maintenance version, see Self-service maintenance. To find your maintenance window or to manage maintenance updates, see Find and set maintenance windows.

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.95-debian10, 2.0.95-rocky8, 2.0.95-ubuntu18
  • 2.1.43-debian11, 2.1.43-rocky8, 2.1.43-ubuntu20, 2.1.43-ubuntu20-arm
  • 2.2.9-debian12, 2.2.9-rocky9, 2.2.9-ubuntu22

New Dataproc Serverless for Spark runtime versions:

  • 1.1.54
  • 2.0.62
  • 2.1.41
  • 2.2.0-RC14

Added the bigframes (BigQuery DataFrames) Python package in the Dataproc Serverless for Spark 2.1 runtime.

Google Cloud Architecture Center

Design an optimal storage strategy for your cloud workload: Added guidance about data transfer options.

Google Distributed Cloud Edge

This is a patch release of Google Distributed Cloud Edge (version 1.6.1).

The following new features have been introduced in this release of Distributed Cloud Edge:

  • Multi-rack deployments. Distributed Cloud Edge now supports aggregating the resources of multiple Distributed Cloud Edge Racks into a single zone. You can now create clusters that span nodes across multiple Distributed Cloud Edge Racks. A single multi-rack deployment supports one Distributed Cloud Edge Base Rack and up to 10 Distributed Cloud Edge Standalone Racks. For more information, see How Distributed Cloud Edge works.

  • Distributed Cloud Edge Base Rack. We are now shipping a new form factor of Distributed Cloud Edge Rack hardware, the Distributed Cloud Edge Base Rack. This form factor is a pair of existing Distributed Cloud Edge Standalone Rack hardware with the addition of four network switches that aggregate network traffic from up to 10 Distributed Cloud Edge Standalone Racks.

  • Prometheus integration. You can now use the Prometheus metrics solution to collect Distributed Cloud Edge metrics and workload metrics on local control plane clusters running in survivability mode. For more information, see Collect metrics with Prometheus.

  • Node labels. You can now assign unique labels to individual nodes when creating a node pool. For more information, see Create a node pool.

The following changes have been introduced in this release of Distributed Cloud Edge:

  • Cloud control plane clusters can no longer be created in subsequent releases of Distributed Cloud Edge. Distributed Cloud Edge version 1.6.1 is the last release of Distributed Cloud Edge in which you can create Cloud control plane clusters. Creation of cloud control plane clusters will be disabled in the next minor release of Distributed Cloud Edge. Existing cloud control plane clusters will continue to run workloads.

  • Release channel requirement for specifying cluster software versions. If you want to specify a Distributed Cloud Edge software version when creating a cluster, you must now set the cluster's release channel to NONE. If you do not specify a release channel or explicitly set it to REGULAR, the cluster automatically upgrades to the latest version of Distributed Cloud Edge software and specifying a software version is not possible.

This release of Distributed Cloud Edge contains the following known issues:

  • Nodes can get stuck in Ready,SchedulingDisabled state after applying configuration changes. Applying or deleting the NodeSystemConfigUpdate or SriovNetworkNodePolicy resources can result in a node that's stuck in the Ready,SchedulingDisabled state after it reboots. To resolve this issue, see Troubleshoot Distributed Cloud Edge.

  • Deleting clusters and node pools fails when a node is not ready. If a node in a cluster or node pool that you want to delete is in the NotReady state, the deletion can fail. Contact Google Support to remedy this condition.

  • Nodes using Symcloud Storage report the file system as read-only after reboot. When multiple nodes that use Symcloud Storage reboot at once in a cluster, they can incorrectly mark the file system as read-only. Contact Google Support to remedy this condition.

Google Distributed Cloud Edge management software has been updated.

Google Kubernetes Engine

A previous version of the GKE logging agent that rolled out in GKE version 1.28.7-gke.1100000 contained a security vulnerability. This version has been immediately removed.

VPC Service Controls

Preview stage support for the following integration:

March 13, 2024

AlloyDB for PostgreSQL

AlloyDB now supports continuous backup and recovery, and scheduled backups on secondary clusters. When you create a secondary cluster, any backup plans on the primary cluster are automatically copied to the new secondary cluster. For more information, see About cross-region replication.

Anti Money Laundering AI

Released new v4 engine versions for the commercial line of business, with more reliable tuning performance, in particular for small datasets.

Apigee X

As of March 13, 2024, the conversion of Apigee API Management organizations with Pay-as-you-go pricing provisioned before October 1, 2023, to Pay-as-you-go organizations that use updated attributes for pricing is complete, with the exception of one organization that requires customer action.

The Apigee API Analytics add-on is enabled in converted organizations. The Analytics add-on can be disabled if it is not required. In addition, you can update your Pay-as-you-go environment types using the API.

For more information on the updated pricing and enhanced features now available for these organizations, see Pay-as-you-go (updated attributes) overview.

Updated pricing attributes will be reflected in March invoices. For billing questions related to this change, contact Google Cloud Billing support.

Chronicle SOAR

Release 6.2.51 is currently in Preview.

Jobs Enhancement

When updating an integration, the jobs will now be updated automatically. This does not apply to any legacy jobs that were created before October 2023.

The Marketplace integration will clearly identify the legacy jobs that are affected and provide instructions on how to proceed.

In addition, legacy jobs are now marked as such in the Jobs Scheduler page so that you can take action and resolve issues beforehand.

APIs now documented

The following APIs are not new, but with this release they are now formally documented in Swagger:

AddOrUpdateEnvironmentRecords

RemoveEnvironmentRecords

Searching for cases from the last week doesn't produce results (ID #00269819)

Email HTML Templates > Show Email Template not rendering styles (ID #00249556)

SDK call for create entity failure displays the wrong error message (ID #48950075)

Cloud Billing

You can now view granular Bigtable usage in the Cloud Billing Detailed export to BigQuery

You can now view granular Bigtable instance cost data in the Google Cloud Billing detailed export. Use the resource.global_name field in the export to view and filter your detailed Bigtable instance usage.

Review the schema of the Detailed cost data export.

You can now view granular Memorystore for Redis usage in the Cloud Billing Detailed export to BigQuery

You can now view granular Memorystore for Redis cost data in the Google Cloud Billing detailed export. Use the resource.global_name and resource.name fields in the export to view and filter your detailed Memorystore for Redis usage.

Review the schema of the Detailed cost data export.

Cloud Composer

All preview versions of Cloud Composer 2 are past their security notifications end date and are not supported. If your environment uses a preview version of Cloud Composer 2, then please upgrade this environment to a supported version or re-create it using the latest version of Cloud Composer 2.

If you see frequent scheduler restarts in your Airflow 2.6.3 environment and the [scheduler]job_heartbeat_sec Airflow configuration option is set to a non-default value, you can fix this issue either by upgrading to Cloud Composer version 2.6.4 or by removing this option's override, so that it uses the default value.

Cloud SQL for SQL Server

Cloud SQL now supports SQL Server Reporting Services (SSRS) on your instances. For more information, see Use SSRS for creating reports.

Compute Engine

Generally available: You can use SSH-in-browser to connect to TPU VMs. For more information, see Connecting to a Cloud TPU.

Dataform

The 3.0.0-beta.0 version of the open-source Dataform framework is available. This update introduces significant changes, including, but not limited to, the following:

  • Deprecation of dataform.json in favor of workflow_settings.yaml
  • Stateless package installation by @dataform/cli
  • Warehouse-agnostic compilation output

You don't need to take immediate action to update your Dataform code.

For more information, see the 3.0.0-beta.0 release on GitHub.

Looker

Looker 24.4 includes the following changes, features, and fixes.

Expected Looker (original) deployment start: Monday, March 18, 2024

Expected Looker (original) final deployment and download available: Thursday, March 28, 2024

Expected Looker (Google Cloud core) deployment start: Monday, March 18, 2024

Expected Looker (Google Cloud core) final deployment: Monday, April 1, 2024

Query IDs can no longer be used to fetch queries or create render tasks through the API. The Get All Running Queries API endpoint is now restricted to admins only. Query slugs that are generated by Looker will be 32 characters instead of 7.

Chrome is starting to deprecate third-party cookies as of January 2024. Because of Looker's dependency on third-party cookies to establish embed user sessions, this may impact your embed use case. For more information, see the Chrome is deprecating third-party cookies notice.

Previously, custom visualizations would not call the updateAsync function after the vis config is updated via the custom visualization API. Now, the function will be called. If a custom visualization is set up to update the vis config every time updateAsync is called, it could cause excessive refreshes.

If your custom visualization fails to load after this update, double-check your custom visualization code for unnecessary vis config updates. If you have a Looker (original) instance, you can also enable the Custom Vis Reliable Render Labs feature, which causes Looker to suppress excess refresh behavior in custom visualizations.

The Performant Field Picker feature is now generally available.

When an instance has no projects, Looker will more prominently prompt users to create a model.

In the Create a model wizard, your selections are now saved even if you close steps without having completed the model creation process.

Adding a query slug to source queries in the merge query API response GET merge_queries/<merge_query_id> returns the query slug in addition to the ID.

The save_content permission now has two child permissions, save_dashboards and save_looks. These permissions let Looker admins exert finer control over the kinds of content that users can save.

Only users who have access to dashboard extensions will be shown the Add Extension tile.

Subtotals have been fixed for queries with order_by_field references in query streaming pathways. This feature now performs as expected.

An issue where embed secrets might have been visible to non-admin users has been fixed. This feature now performs as expected.

Looker now ignores all blank filter strings, including IS NOT.

An issue has been fixed that caused small decimals to be displayed in scientific notation even when formatting was disabled. This feature now performs as expected.

An issue has been fixed where the PDT Context Override toggle was improperly reflecting the ON state when it had been cleared prior. This feature now performs as expected.

Performant field picker sorting behavior has been fixed. This feature now performs as expected.

Downloading results from SQL Runner now only downloads the file and does not open the file in a new browser tab.

Filter expressions including user attributes and OR logical conditions were being incorrectly populated when generating SQL. This feature now performs as expected.

A change in the Snowflake dialect was ported to Kotlin to maintain parity. Snowflake column names with mixed cases are now properly quoted.

Filter suggestion requests have been reduced while the user is typing. Because normal typing will invoke fewer requests, the load on the server will be reduced.

An issue that caused single value change indicators to not render in Safari when dashboards scrolled has been fixed. This feature now performs as expected.

The LookML Validator no longer hangs on a connection that references a deleted or malformed user attribute. The Validator also surfaces a detailed error when the user tests the connection.

An issue has been fixed where extension documents would appear when hiding Looker document links was disabled. This feature now performs as expected.

Content Validator has added support for field replacement within custom measure filters (across Looks, dashboard elements, and merge queries).

Queries with order_by_field references and subtotals should render correctly in downloads / run_query APIs.

Looker should now correctly handle cases where the sorts query had an empty string or was entirely empty.

Previously, the All Results option was unavailable for schedules on Looks. This feature now performs as expected.

On the new Admin - Users page, Looker Support users were shown as having never logged in even for currently logged-in users. This issue has been fixed and this feature now performs as expected.

LookML-defined fields that are used in field filters will not be rejected from a set when the field requiring them is rejected from that set. This feature now performs as expected.

Previously, the Errors and Broken Content dashboard appeared twice in the admin panel. This feature now performs as expected.

A data validation message is now returned for waterfall charts when there are multiple measures and a hidden dimension.

Looker now shows a clearer warning message when a user attempts to download a query with dimension fill and All Results enabled.

Looker no longer imposes the Explore row limit of 5,000 on queries that are run using the run inline query API endpoint.

Previously, the lookml_model_explore API endpoint would return a 500 error in certain cases. This feature now performs as expected.

Errors about UI downloads are now more descriptive, similar to descriptive API error messages.

Internal encryption has been migrated from AES-128 to AES-GCM-256 encryption.

The Disallow Numeric Query IDs legacy feature has been added to let users opt in to or out of query API changes.

The Advanced Features for New Schedules Page Labs feature is now available. This lets you sort and filter the list of scheduled plans on the Admin - Schedules page.

Previously, when a dashboard was scheduled using PNG format and one of the tiles contained an empty note, the schedule would fail. This feature now works as expected.

The Export function has been re-enabled, which lets Looker admins export data from a Looker (original) instance for import into a Looker (Google Cloud core) instance.

Incorrect quoting in Snowflake views has been fixed.

IAM checks for ephemeral users were disabled as a result of rendering issues for users who were logged in with SAML in Looker (Google Cloud core).

Resource Manager

You can add tags at the time of creating folders and projects. These tags can be added as key-value pairs. For more information, see Add tags during folder creation and Add tags during project creation. This feature is currently in preview.

Storage Transfer Service

Support for transfers from cloud and on-premises Hadoop Distributed File System (HDFS) sources is now generally available (GA).

HDFS support allows for use cases such as migrating from on-premises storage to Cloud Storage, archiving data to free up on-premises storage space, replicating data to Google Cloud for business continuity, or transferring data to Google Cloud for analysis and processing.

See Transfer from HDFS to Cloud Storage for details.

March 12, 2024

AlloyDB for PostgreSQL

AlloyDB Language Connectors are now generally available (GA). These language connectors are libraries that provide automated mutual TLS connections, IAM-based authorization, and Automated IAM Authentication when connecting to an AlloyDB instance. For more information about language connectors, see AlloyDB Language Connectors overview.

Anti Money Laundering AI

Added a new metric to AML AI, providing insight into the importance of each feature family to an AML AI Model. This metric is available in new v4 engine versions. It allows you to:

  • Act on model monitoring outputs in the context of their importance to a model
  • Check the contribution of your Party Supplementary Data to a model

App Engine standard environment Go

You can't use the latest version of dev_appserver.py to locally run your applications for runtimes that reached end of support. To continue using an archived version of dev_appserver.py, see Use the local development server after runtimes reach the end of support.

App Engine standard environment Java

You can't use the latest version of dev_appserver.py to locally run your applications for runtimes that reached end of support. To continue using an archived version of dev_appserver.py, see Use the local development server after runtimes reach the end of support.

App Engine standard environment PHP

You can't use the latest version of dev_appserver.py to locally run your applications for runtimes that reached end of support. To continue using an archived version of dev_appserver.py, see Use the local development server after runtimes reach the end of support.

App Engine standard environment Python

You can't use the latest version of dev_appserver.py to locally run your applications for runtimes that reached end of support. To continue using an archived version of dev_appserver.py, see Use the local development server after runtimes reach the end of support.

Blockchain Node Engine

On March 12, 2024, Blockchain Node Engine upgraded all mainnet Ethereum nodes in preparation for the Dencun Hardfork.

Certificate Manager

Certificate Manager supports integration with regional external Application Load Balancers and regional internal Application Load Balancers. This feature is generally available (GA). For more information, see Certificate Manager overview.

Chronicle

The Forwarder troubleshooting guide is now available to help you diagnose and resolve common issues that may arise while using the Chronicle Linux forwarder.

Cloud Composer

Fixed creation and upgrades in environments that have environment variables with special symbols.

Cloud Composer 2.6.4 images are available:

  • composer-2.6.4-airflow-2.6.3 (default)
  • composer-2.6.4-airflow-2.5.3

Cloud Composer versions 2.1.8 and 1.20.8 have reached their end of full support period.

Cloud Data Fusion

The Cloud Data Fusion version 6.9.2.3 patch revision is generally available (GA). 6.9.2.3 includes the following fixes:

  • Skipped running MetadataConsumerSubscriberService when Dataplex Data Lineage Integration is disabled (CDAP-20947).

  • Fixed an issue causing runtime arguments of pipeline triggers to not propagate to downstream pipelines (CDAP-20943).

  • Fixed an issue causing pipelines to fail in starting state when the system worker service is intermittently unavailable (CDAP-20956).

  • Fixed an issue causing pipelines to fail in starting state when the Compute Engine metadata server is intermittently unavailable (CDAP-20955).

Cloud Load Balancing

The global external Proxy Network Load Balancer is implemented on globally distributed GFEs and supports advanced traffic management capabilities. This load balancer can be configured to handle either TCP or SSL traffic by using either a target TCP proxy or a target SSL proxy respectively. Global external proxy Network Load Balancers support backends such as instance groups, hybrid NEGs, and Private Service Connect NEGs. For details, see the External proxy Network Load Balancer overview.

To set up a global external Proxy Network Load Balancer, see the following pages:

This capability is in General Availability.

Regional external Application Load Balancers and regional internal Application Load Balancers now support Certificate Manager certificates. For more information, see Certificates and Google Cloud load balancers.

This capability is in General Availability.

Cloud Storage

You can now view granular bucket-level cost data in the Cloud Billing Detailed data export.

Cloud Translation

For AutoML datasets, you can tag segment pairs when importing them through the Google Cloud console.

You can request document translations with multi-regional endpoints.

Compute Engine

Generally available: You can scale a single VM into a managed instance group (MIG), which is a group of VMs that you can manage as a single entity. A MIG can make your workload scalable and highly available using features like autoscaling, autohealing, regional (multiple zones) deployment, and automatic updating.

For more information, see Create a MIG from an existing VM.

Container Registry

New tooling is available to upgrade from Container Registry to Artifact Registry. For more information on the available tools, see Automate migration to Artifact Registry.

Dataform

Granting repository access to all authenticated users is available. For more information, see Grant public access to a repository.

Retail API

Vertex AI Search for retail: Renamed in the console and documentation

The Google Cloud console has been updated to show the current product name for Vertex AI Search for retail.

You might see the old names (Retail or Retail API) in some places—for example, in the documentation. Google is in the process of updating content to reflect the new branding.

Vertex AI Search and Conversation

Vertex AI Search: Vertex AI Search for healthcare (GA)

Vertex AI Search for healthcare is Generally available (GA). Healthcare search lets you query healthcare records stored in FHIR data stores. For more information, see Vertex AI Search. With healthcare search, you can:

Vertex AI Search: Specify a parser for unstructured content (Public preview)

You can control how documents are parsed when they are uploaded to Vertex AI Search. Parser specification is available in Public preview.

Vertex AI Search provides a digital parser (GA), an OCR parser for PDFs (Public preview), and a layout parser (Public Preview). During data store creation for generic search apps with unstructured data, you can set a default parser for the data store and an override parser for specific file types.

For more information, see Parse documents.

Vertex AI Search: Turn on document chunking (Public preview)

To use Vertex AI Search for retrieval-augmented generation (RAG) for LLMs, you can turn on document chunking when creating a data store. Document chunking is available in Public preview.

When document chunking is turned on, your documents are split into chunks when you ingest documents into your data store, and your search app can return chunks of data in search results instead of full documents. Using chunked data for RAG increases relevance for LLM answers and reduces computational load for LLMs. Document chunking is in Public preview. For more information, see Chunk documents for RAG.

Vertex AI Search: Connect ServiceNow as a data source (Private preview)

You can connect ServiceNow as a third-party data source for Vertex AI Search. For more information, see Connect a third-party data source.

March 11, 2024

Anthos Service Mesh

1.20.4-asm.0 is now available for in-cluster Anthos Service Mesh.

You can now download 1.20.4-asm.0 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.20.4 subject to the list of supported features. Anthos Service Mesh 1.20.4-asm.0 uses Envoy v1.28.1.

1.19.8-asm.2 is now available for in-cluster Anthos Service Mesh.

You can now download 1.19.8-asm.2 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.19.8 subject to the list of supported features. Anthos Service Mesh 1.19.8-asm.2 uses Envoy v1.27.3.

1.18.7-asm.11 is now available for in-cluster Anthos Service Mesh.

You can now download 1.18.7-asm.11 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.18.7-asm.11 subject to the list of supported features. Anthos Service Mesh 1.18.7-asm.11 uses Envoy v1.26.7.

There is a known issue where new installations of Managed Anthos Service Mesh in the rapid channel on GKE Autopilot clusters may fail. For affected versions and mitigation, see the GKE release note.

BigQuery

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigquery

2.38.1 (2024-03-07)

Dependencies
  • Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.38.0 (#3159) (d6c65ab)
  • Update dependency com.google.cloud:google-cloud-datacatalog-bom to v1.42.0 (#3160) (e31b5b7)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.27.0 (#3176) (b93e62e)
  • Update dependency org.graalvm.buildtools:junit-platform-native to v0.10.1 (#3153) (436f58c)
  • Update dependency org.graalvm.buildtools:native-maven-plugin to v0.10.1 (#3154) (b68ab42)
  • Update github/codeql-action action to v2.24.5 (#3165) (8ac7722)

Python

Changes for google-cloud-bigquery

3.18.0 (2024-02-29)

Features
  • Support nullable boolean and Int64 dtypes in insert_rows_from_dataframe (#1816) (ab0cf4c)
  • Support slot_ms in QueryPlanEntry (#1831) (d62cabb)

Bug Fixes
  • Keyword rendering and docstring improvements (#1829) (4dfb920)

Documentation
  • samples: Updates to urllib3 constraint for Python 3.7 (#1834) (b099c32)
  • Update client_query_w_named_params.py to use query_and_wait API (#1782) (89dfcb6)

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.35.1 (2024-03-07)

Dependencies

2.35.0 (2024-03-05)

Features
  • Add authorized view bindings to Cloud Bigtable data APIs and messages (#2144) (ae89709)

Bug Fixes
  • Per-connection metrics issue when using a different Bigtable project (#2143) (8dbd680)

Cloud Billing

Tags data for Google Cloud Storage buckets is available in both the Standard usage cost export and the Detailed usage cost export.

To learn more about Tags, see Tags overview. To learn about using Tags in your cost data exported to BigQuery, see more about tags and query examples with tags.

Cloud Logging

You can now use SQL JOIN and UNION operators on the Log Analytics page to combine tables in multiple Google Cloud projects.

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-logging

3.16.1 (2024-03-07)

Bug Fixes
  • deps: Update the Java code generator (gapic-generator-java) to 2.37.0 (#1553) (15b05fc)

Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.27.0 (#1552) (6c5464d)

Cloud TPU

Cloud TPU now supports TensorFlow 2.16.1. For more information see the TensorFlow 2.16.1 release notes.

Compute Engine

Generally available: Hyperdisk Balanced is available with C3 and H3 VMs. Hyperdisk Balanced is a good fit for a wide range of use cases such as LOB applications, web applications, and medium-tier databases that don't require the performance of Hyperdisk Extreme. For more information, see About Hyperdisk.

Container Optimized OS

cos-109-17800-147-33

  • Kernel: COS-6.1.75
  • Docker: v24.0.9
  • Containerd: v1.7.13
  • GPU Drivers: v535.161.07 (default, latest), v470.239.06 (R470 for compatibility with K80 GPUs)

Updated cos-gpu-installer to v2.2.1. Fixed cached driver installation error with network disabled. Added force-fallback flag, major version specification for GPU driver installation and fixed ordering of kernel module loading for nvidia-modeset and nvidia-drm.

Updated NVIDIA GPU drivers to v470.239.06 and v535.161.07. This fixes CVE-2024-0074, CVE-2024-0075 and CVE-2022-42265.

cos-105-17412-294-40

  • Kernel: COS-5.15.146
  • Docker: v23.0.3
  • Containerd: v1.7.10
  • GPU Drivers: v470.239.06 (default), v535.161.07 (latest)

Updated cos-gpu-installer to v2.2.1. Fixed cached driver installation error with network disabled. Added force-fallback flag, major version specification for GPU driver installation and fixed ordering of kernel module loading for nvidia-modeset and nvidia-drm.

Updated NVIDIA GPU drivers to v470.239.06 and v535.161.07. This fixes CVE-2024-0074, CVE-2024-0075 and CVE-2022-42265.

cos-101-17162-386-43

  • Kernel: COS-5.15.146
  • Docker: v20.10.24
  • Containerd: v1.6.28
  • GPU Drivers: v470.239.06 (default), v535.161.07 (latest)

Updated cos-gpu-installer to v2.2.1. Fixed cached driver installation error with network disabled. Added force-fallback flag, major version specification for GPU driver installation and fixed ordering of kernel module loading for nvidia-modeset and nvidia-drm.

Updated NVIDIA GPU drivers to v470.239.06 and v535.161.07. This fixes CVE-2024-0074, CVE-2024-0075 and CVE-2022-42265.

cos-97-16919-450-30

  • Kernel: COS-5.10.208
  • Docker: v20.10.24
  • Containerd: v1.6.21
  • GPU Drivers: v470.239.06 (default), v535.161.07 (latest)

Updated cos-gpu-installer to v2.2.1. Fixed cached driver installation error with network disabled. Added force-fallback flag, major version specification for GPU driver installation and fixed ordering of kernel module loading for nvidia-modeset and nvidia-drm.

Updated NVIDIA GPU drivers to v470.239.06 and v535.161.07. This fixes CVE-2024-0074, CVE-2024-0075 and CVE-2022-42265.

Dataflow

You can now use committed use discounts (CUDs) with Dataflow streaming jobs. Committed use discounts provide discounted prices in exchange for your commitment to continuously use a certain amount of Dataflow compute resources for a year or longer.

Dataform

Dataform is available in the africa-south1 region. For more information, see Locations.

Dialogflow

From March 18 to April 15, 2024 (new dates for the same migration announced earlier), for certain language tag and speech setting combinations, the Dialogflow CX and Dialogflow ES traffic with audio will gradually route away from the classic Speech-to-Text models behind the command_and_search, default, phone_call, and video model identifiers to the new conformer-based speech models.

If your Dialogflow agents have audio traffic and use one of the following language tags: en, en-us, en-au, en-gb, en-in, de, es, es-es, es-us, fr, fr-ca, fr-fr, it, ja, nl, pt-br, read more about Dialogflow CX speech model migration and Dialogflow ES speech model migration.

Error Reporting

Error Reporting can now analyze logs routed by project sinks to different projects than the source project. For more information, see Route logs to supported destinations.

Google Cloud Deploy

Cloud Deploy support for deploy automation is now generally available.

Google Cloud VMware Engine

Google Cloud VMware Engine now leverages Cloud Logging to provide status updates about hardware health and VMware management components. The logs are available in Logs Explorer with the following log name:

  • projects/PROJECT_ID/logs/vmwareengine.googleapis.com%2Falerts

These logs are also available in the Google Cloud VMware Engine UI on the Dashboard in Logs.

Google Kubernetes Engine

Private clusters created on GKE versions 1.29.0-gke.1384000 and later use Private Service Connect (PSC) for nodes to privately communicate with the control plane. There is no price increase for using GKE private clusters running on PSC.

For private clusters created with a different GKE version, the clusters continue to use VPC Peering for node-to-control plane communication.

Secret Manager add-on for GKE is now available. With the add-on, you can access the secrets stored in Secret Manager as volumes mounted in Kubernetes Pods. The add-on is supported on Standard and Autopilot clusters versioned 1.29 and later. For more info, see Use Secret Manager add-on with GKE.

Opportunistic bursting and lower Pod minimums are now available on newly created GKE Autopilot clusters at version 1.29.2-gke.1060000 or later, and on existing clusters created at 1.26 or later that have been fully upgraded (including all nodes) to 1.29.2-gke.1060000 or later. To learn more, see Configure Pod bursting on GKE.

Spanner

Table renaming is now generally available. This feature lets you rename tables in place or safely swap names using synonyms. For more information, see Manage table names.

March 08, 2024

Chronicle SOAR

Release 6.2.49 is now in General Availability.

Dataflow

Streaming jobs created after March 7, 2024 automatically encrypt all user data with customer-managed encryption keys (CMEK). To enable this encryption for jobs created before March 7, 2024, drain or cancel the job, and then restart it.

Dataproc Metastore

Dataproc Metastore now supports scheduled backups. Backups can be scheduled to run at user-specified cron job intervals, including running daily, weekly, or monthly.

Google Kubernetes Engine

For GKE versions later than 1.29.1-gke.1760000, the NEG, Ingress, L4 internal load balancer with subsetting, and L4 RBS controllers will skip processing the nodes missing the topology.kubernetes.io/zone label until the zone information is ready. The load balancer controllers will no longer block sync operations when a node is introduced without the label.

Managed ASM installation and node scaling fails on GKE Autopilot clusters on versions between 1.28.6-gke.1095000 and 1.28.7-gke.1025000 and on versions between 1.29.1-gke.1016000 and 1.29.1-gke.1781000. To mitigate this issue, upgrade the cluster to version 1.28.7-gke.1026000 or later, or 1.29.2-gke.1060000 or later.

With 2024-R07, clusters created in the Rapid channel are defaulting to an affected version. To avoid creating a cluster on an affected version, manually specify version 1.28.7-gke.1026000 or later, or 1.29.2-gke.1060000 or later when creating clusters in the Rapid channel.

Recommender

Recommendation Hub is a centralized page on Google Cloud that helps you view all of your recommendations in one place. We recently made improvements to the page, including enabling organization and folder-view of recommendations, custom sorting and filtering of recommendations, and more. For more information, see the documentation.

Vertex AI

Vertex AI Feature Store

The following features of Vertex AI Feature Store are now available in Preview:

  • Integration of Vertex AI Feature Store with Dataplex: Online store instances, feature views, and feature groups are now automatically registered as data assets in Data Catalog, a Dataplex feature that catalogs metadata from these resources. You can use the metadata search capability of Dataplex to search for and view the metadata of these resources. For more information, see Search for resource metadata in Data Catalog.

  • Service account configuration for feature views: You can configure a feature view to use a dedicated service account. By default, every feature view uses the service account configured for your project. For more information, see Configure the service account for a feature view.

  • Multiple entity IDs for a feature view: While creating or updating a feature view, you can specify multiple entity ID columns. For more information, see Create a feature view.

March 07, 2024

Chronicle SOAR

Release 6.2.50 is currently in Preview.

In the Entity Explorer page, Case Distribution has been renamed to Alert Distribution.

This change makes the information easier to understand. (ID #48941723)

Docker hub login is not needed and as such this instruction has been removed from the platform. (ID #49611790)

Users with a single character in their last name are unable to log in (ID #49008785)

Alerts are being grouped into cases after the time specified in the platform.

Inline CSS with styles and classes are not supported in Insights. Note that Scripts are not supported for security reasons. (ID #00273271)

Custom integration settings: existing script dependencies don't show up (ID #49703871)

Unable to create new playbook blocks (ID #00275270)

Cloud Asset Inventory

The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.

  • Cloud Configuration Manager API
    • config.googleapis.com/Deployment

Cloud Billing

Create your first budget with one click

You can now create your first budget and receive budget alerts in one step using the Create a budget alert panel on the Billing Overview page. The tool shows you recommended budget amounts based on your usage patterns, and you will receive alerts when your actual spend reaches 50%, 75%, 100%, and 150% of your selected budget. You can later edit these settings in the Manage budgets and alerts section.

Learn more about budgets.

Cloud Build

Cloud Build repositories (2nd gen) now supports integration with Bitbucket Cloud and Bitbucket Data Center. These features are generally available.

Cloud Logging

Log buckets in the africa-south1 region can now be upgraded to use Log Analytics. For more information, see Supported regions.

Cloud Monitoring

You can display events, such as the crash of a GKE pod, on your dashboards. This feature is now GA. This feature is available for dashboards managed by Cloud Monitoring, and for the observability dashboards managed by Compute Engine, Google Kubernetes Engine and Cloud Run.

Cloud Run

Charts on the metrics dashboard of Cloud Run services now display deployment events.

Container Optimized OS

cos-97-16919-450-26

  • Kernel: COS-5.10.208
  • Docker: v20.10.24
  • Containerd: v1.6.21
  • GPU Drivers: v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

Upgraded net-misc/curl to version 8.6.0. This fixes CVE-2024-0853.

Updated dev-libs/libxml2 to version 2.11.7. This fixes CVE-2024-25062.

Fixed CVE-2024-23851 in the Linux kernel.

Fixed CVE-2024-26581 in the Linux kernel.

Fixed CVE-2022-3566 in the Linux kernel.

Fixed CVE-2022-3567 in the Linux kernel.

Dataproc

New Dataproc Serverless for Spark runtime versions:

  • 1.1.53
  • 2.0.61
  • 2.1.40
  • 2.2.0-RC13

Dataproc Serverless for Spark: Upgraded Cloud Storage connector to 2.2.20 version in the latest 1.1, 2.0, and 2.1 runtimes.

Google Cloud VMware Engine

Beginning mid-March 2024, the VMware Engine operations team will upgrade VMware components to newer versions. Users affected by this upgrade will receive an email with planned maintenance dates and times.

For details about the upgrade and steps to prepare, see Latest service announcements.

Google Kubernetes Engine

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-3611

For more information, see the GCP-2024-017 security bulletin.

Starting in GKE 1.29.2-gke.1035000, you can configure Identity-Aware Proxy (IAP) with Google Managed OAuth Client for load balancers configured through GKE Ingress. To learn more, see Ingress configuration on Google Cloud.

(2024-R07) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.25 to version 1.26.11-gke.1055000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.26 to version 1.26.11-gke.1055000 with this release.

Regular channel

  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.25.16-gke.1360000
    • 1.26.13-gke.1052000
    • 1.29.0-gke.1381000
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.24 to version 1.25.16-gke.1460000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.25 to version 1.26.13-gke.1144000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.26 to version 1.26.13-gke.1144000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.29 to version 1.29.1-gke.1589017 with this release.

Rapid channel

  • Version 1.29.1-gke.1589017 is now the default version in the Rapid channel.
  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.25.16-gke.1537000
    • 1.26.14-gke.1006000
    • 1.27.11-gke.1018000
    • 1.28.6-gke.1456000
    • 1.29.0-gke.1381000
    • 1.29.1-gke.1589000
    • 1.29.2-gke.1060000
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.24 to version 1.25.16-gke.1570000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.25 to version 1.26.14-gke.1044000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.26 to version 1.27.11-gke.1062000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.27 to version 1.27.11-gke.1062000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.29.1-gke.1589017 with this release.

You can now preload data or container images in new nodes to get fast workload deployment and auto scaling. This feature is available in Preview starting from GKE version 1.28.3-gke.1067000.

Secret Manager

For more information, see Use Secret Manager add-on with Google Kubernetes Engine.

Sensitive Data Protection

The discovery service of Sensitive Data Protection now supports Cloud SQL. You can run discovery at the organization, folder, or project level to generate data profiles of your Cloud SQL tables. Data profiles provide metrics and insights about the sensitivity and risk levels of your data to help you plan your data governance workflows.

To get started on profiling Cloud SQL data, see the following:

For more information about sensitive data discovery, see Data profiles.

VPC Service Controls

General availability support for the following integration:

Virtual Private Cloud

Internal ranges are available in General Availability. Internal ranges let you allocate blocks of private IP addresses in VPC networks and specify how those addresses can be used.

March 06, 2024

Access Approval

Access Approval supports Serverless VPC Access in the Preview stage.

Application Integration

Application Integration now supports config variables. Config variables let you build CI/CD for your integration. This feature is in preview.

BigQuery

The INFORMATION_SCHEMA.WRITE_API_TIMELINE* views, containing per minute aggregated BigQuery Storage Write API ingestion statistics, are now generally available (GA).

Duet AI in BigQuery can now assist with Python code generation and code completion. This feature is in preview.

Channel Services

Partners selling Workspace can now use the BigQuery Export (Rebilling) feature to programmatically access their Workspace billing data. By setting up a BigQuery dataset and enabling the export, you can get billing data pushed to you as it becomes available, including Channel Service-specific identifiers, and any CRM IDs you may have configured for your customers.

You can use BigQuery to programmatically access your billing data, generate customer invoices, and perform Business Intelligence analysis. You can also create a Looker Studio Dashboard to provide cost management dashboards to your customers.

For Partners that sell both Google Cloud and Google Workspace, you can have all your billing data centralized with a unified BigQuery table schema.

Learn more in the following documentation:

Cloud Functions

Cloud Functions (1st gen) now supports custom service accounts for Cloud Build, at the Preview release level.

Container Optimized OS

cos-101-17162-386-37

  • Kernel: COS-5.15.146
  • Docker: v20.10.24
  • Containerd: v1.6.28
  • GPU Drivers: v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

Fixed CVE-2024-24557 in app-emulation/docker.

Fixed CVE-2024-23851 in the Linux kernel.

cos-109-17800-147-28

  • Kernel: COS-6.1.75
  • Docker: v24.0.9
  • Containerd: v1.7.13
  • GPU Drivers: v535.154.05 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

Fixed CVE-2024-23851 in the Linux kernel.

cos-105-17412-294-36

  • Kernel: COS-5.15.146
  • Docker: v23.0.3
  • Containerd: v1.7.10
  • GPU Drivers: v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

Fixed CVE-2024-23851 in the Linux kernel.

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.94-debian10, 2.0.94-rocky8, 2.0.94-ubuntu18
  • 2.1.42-debian11, 2.1.42-rocky8, 2.1.42-ubuntu20, 2.1.42-ubuntu20-arm
  • 2.2.8-debian12, 2.2.8-rocky9, 2.2.8-ubuntu22

Dataproc on Compute Engine: Upgraded Cloud Storage connector version to 2.2.20 for 2.0 and 2.1 images.

Dataproc on Compute Engine: Mounted Java cacerts into containers by default when the Docker-on-YARN feature is enabled.

Dialogflow

Vertex AI Conversation now supports the Dialogflow CX Messenger integration for preview.

Eventarc

Eventarc support for creating triggers for direct Batch events is generally available (GA).

SAP on Google Cloud

Generally available: Guided Deployment Automation in Workload Manager for SAP

The Guided Deployment Automation tool in Workload Manager is generally available (GA). You can use this tool to configure and deploy supported SAP workloads directly from the Google Cloud console, or choose to generate and download the equivalent Terraform and Ansible code.

The GA launch adds support for custom OS images, Shared VPC configurations, and increased deployment customization.

For more information, see About Guided Deployment Automation.

Workload Manager

Generally Available: Workload Manager now supports deploying SAP workloads on Google Cloud. You can configure and deploy a SAP S/4HANA system using the Guided Deployment Automation tool in Workload Manager. For more information, see About Guided Deployment Automation.

reCAPTCHA Enterprise

reCAPTCHA Enterprise for WAF integration with Cloudflare is now available in Preview. For more information, see Integrate reCAPTCHA Enterprise for WAF with Cloudflare.

March 05, 2024

Anthos Attached Clusters

This release includes the following GKE attached clusters platform versions. Click on the following links to see the release notes associated with these patches:

Anthos clusters on AWS

You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:

Anthos clusters on Azure

You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:

Backup for GKE

Backup for GKE is now available in three new regions: africa-south1, europe-west10, and us-west8.

Cloud Composer

Cloud Composer 2.6.3 release was rolled back. If you have an environment that was created with a composer-2.6.3-airflow-* image, you can later upgrade it to a newer version.

Cloud Run

You can now apply minimum instance configuration at the service level (in Preview).

Cloud SQL for MySQL

You can now upgrade network architecture for your HA-enabled instances in a region, even if you have multiple instances in your network and region. For more information, see Upgrade an instance to the new network architecture.

Cloud SQL for PostgreSQL

You can now upgrade network architecture for your HA-enabled instances in a region, even if you have multiple instances in your network and region. For more information, see Upgrade an instance to the new network architecture.

Cloud SQL for SQL Server

You can now upgrade your Cloud SQL instances to use the new network architecture to get additional capabilities not available in the old network architecture. For more information, see Upgrade an instance to the new network architecture.

Dialogflow

Vertex AI Conversation generative agent creation with playbooks is now available for public preview. Try it by following the quickstart.

Firestore in Datastore mode

You can now use the Firestore emulator to test Firestore in Datastore mode behavior. Use gcloud emulators firestore start with --database-mode=datastore-mode.

Identity and Access Management

To improve performance, we've removed the ability to expand abbreviated permissions in the predefined roles table. You can still filter the predefined roles table based on the full list of permissions included in a role.

Vertex AI

Create an empty index with Vector Search

You can create an empty index in Vector Search for batch and for streaming. No embedding data is required at index creation time, which enables faster startup time. To learn more, see Manage indexes.

Vertex AI Search and Conversation

Vertex AI Search: Watch time duration objective for media recommendations apps

When you create a media recommendations app, you can select watch duration per session as a business objective. Optimizing for watch duration per session maximizes the duration of media consumption.

For more information, see Watch duration per session.

March 04, 2024

AlloyDB for PostgreSQL

You can now use Key Access Justifications when working with external CMEK keys. This lets you view and manage external key access requests.

Anthos Service Mesh

Managed Anthos Service Mesh 1.18 has completed its rollout in the rapid channel. See Managed Anthos Service Mesh release channels for more information.

Anti Money Laundering AI

AML AI has improved handling of supplementary risk indicators included in your datasets. This includes:

  • Release of new engine versions within both v003 and v004, improving usability of party supplementary data. You can now use letters, numbers, and underscores for the party supplementary data ID.
  • Addition of new data validations for party supplementary data IDs.

Save time and cost when adopting new EngineVersions:

  • For new engine versions, including versions in v003 and v004, you can now inherit hyperparameters from an existing engine config instead of re-tuning. This leads to quicker creation, and there are no additional costs for tuning.
  • All of your existing engine versions can be used as a source for inheriting hyperparameters.
  • See Configure an Engine to find out more about how this works.

Apigee Advanced API Security

On March 4, 2024 we released an updated version of Advanced API Security.

New conditions for security actions

You can now create security actions based on the following condition types (in addition to the condition types for Detection rules and IP addresses that were already available):

  • API keys
  • API products
  • Access tokens
  • Developers
  • Developer apps
  • User agents

These new conditions are not available with Apigee hybrid at this time.

See Create a security action to learn more.

BigQuery

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/bigquery

7.5.0 (2024-02-21)

Features

You can now selectively refresh the metadata cache for BigLake tables by using the BQ.REFRESH_EXTERNAL_METADATA_CACHE system procedure. This feature is generally available (GA).

Cloud SQL for PostgreSQL

The new maintenance version listed in the February 7th entry for PostgreSQL extensions, flags, minor versions, extension versions, and plugin versions is [PostgreSQL version].R20240130.00_05.

Dataproc

Dataproc Serverless for Spark: Extended Spark metrics collected for a batch now include executor:resultSize, executor:shuffleBytesWritten, and executor:shuffleTotalBytesRead.

Firestore in Datastore mode

A weekly digest of client library updates from across the Cloud SDK.

Python

Changes for google-cloud-ndb

2.3.0 (2024-03-01)

Features
  • Add field information when raising validation errors. (#956) (17caf0b)
  • Add Python 3.12 (#949) (b5c8477)
  • Add support for google.cloud.ndb.version (#929) (42b3f01)
  • Add support for server side NOT_IN filter. (#957) (f0b0724)
  • Allow queries using server side IN. (#954) (2646cef)
  • Introduce compatibility with native namespace packages (#933) (ccae387)
  • Use server side != for queries. (#950) (106772f)
Bug Fixes
  • Compressed repeated to uncompressed property (#772) (dab9edf)
  • Repeated structured property containing blob property with legacy_data (#817) (#946) (455f860)
Documentation

Google Cloud Architecture Center

Google Cloud Deploy

Cloud Deploy support for custom targets is now generally available.

Google Cloud Marketplace Partners

When you create a new private offer, or replace an existing private offer, you select a payment frequency for how your customer is charged. This can be monthly, quarterly, annually, or custom. For more information, visit Payment frequency for private offers.

Google Distributed Cloud Virtual for Bare Metal

Release 1.28.200-gke.118

GKE on Bare Metal 1.28.200-gke.118 is now available for download. To upgrade, see Upgrade clusters. GKE on Bare Metal 1.28.200-gke.118 runs on Kubernetes 1.28.

If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.

Fixes:

  • Fixed an issue where upgrades are blocked because cluster-operator can't delete stale, failing preflight check resources.

Fixes:

The following container image security vulnerabilities have been fixed in 1.28.200-gke.118:

Known issues:

For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section.

Release 1.15.10

GKE on Bare Metal 1.15.10 is now available for download. To upgrade, see Upgrade clusters. GKE on Bare Metal 1.15.10 runs on Kubernetes 1.26.

If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.

GKE on Bare Metal version 1.15.10 and later has been qualified on and supports Red Hat Enterprise Linux (RHEL) version 8.9.

Fixes:

The following container image security vulnerabilities have been fixed in 1.15.10:

Known issues:

For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section.

Google Kubernetes Engine

NVIDIA H100 (80 GB) GPUs are now available in GKE Autopilot mode in versions 1.28.6-gke.1369000 or later, and 1.29.1-gke.1575000 or later.

GPU workloads running in Autopilot mode can now be configured using the Accelerator Compute Class. This configuration supports resource reservations, Compute Engine committed use discounts, and a new pricing model in GKE versions 1.28.6-gke.1095000 and later, and 1.29.1-gke.1143000 and later.

(2024-R06) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

Regular channel

  • There are no new releases in the Regular release channel.

Rapid channel

  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.25.16-gke.1460000
    • 1.26.13-gke.1144000
    • 1.27.10-gke.1207000
    • 1.28.6-gke.1369000
    • 1.29.1-gke.1575000
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.24 to version 1.25.16-gke.1537000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.25 to version 1.26.14-gke.1006000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.26 to version 1.27.11-gke.1018000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.27 to version 1.27.11-gke.1018000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.29.1-gke.1589000 with this release.

Migrate to Virtual Machines

Preview: Migrate to Virtual Machines lets you import a virtual disk image to a Compute Engine image. If you have virtual disk images with software and configurations that you need, you can save time by importing these virtual disk images to Compute Engine images, and use this image to create virtual machine instances or persistent disks.

Generally available: You can now use Customer-Managed Encryption Keys (CMEK) in Migrate to Virtual Machines to do the following:

  • Protect data stored by Migrate to Virtual Machines during the migration process.
  • Protect data of the migrated VMs created by clone and cut-over operations for all sources - AWS, Azure, and VMware.

Network Intelligence Center

Network Analyzer now includes an insight that gives a summary of the IP address utilization of all the Private Service Access ranges. This insight is also available in Recommender API. For more information, see PSA IP address utilization summary.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for pubsub/apiv1

1.36.2 (2024-02-28)

Bug Fixes
  • pubsub: Fix out of order issue when exactly once is enabled (#9472) (e89fd6c)
Documentation
  • pubsub: Small fix in Pub/Sub ingestion comments (a86aa8e)

Java

Changes for google-cloud-pubsub

1.127.0 (2024-02-28)

Features
  • Add an API method for reordering firewall policies (#1868) (2039f7e)
  • Add universe domain support for Java (#1904) (1e316d3)
  • Next release from main branch is 1.126.0 (#1933) (255d8bc)
Dependencies
  • Update dependency com.google.cloud:google-cloud-bigquery to v2.37.2 (#1918) (b8846f9)
  • Update dependency com.google.cloud:google-cloud-storage to v2.34.0 (#1917) (4a7d6b9)
  • Update dependency com.google.protobuf:protobuf-java-util to v3.25.3 (#1919) (4bf13bb)
  • Update dependency org.graalvm.buildtools:native-maven-plugin to v0.10.1 (#1923) (cd704bd)

Python

Changes for google-cloud-pubsub

2.19.7 (2024-02-24)

Bug Fixes
  • deps: Require google-api-core>=1.34.1 (#1080) (1a5a134)

Sensitive Data Protection

A new detection model is available for the LOCATION infoType detector. The new model offers improved detection quality. You can try it out by setting InfoType.version to latest when including the LOCATION infoType in your InspectConfig.

You can still use the old model by setting InfoType.version to stable or leaving it unset when using the LOCATION infoType. In 30 days, the new model will be promoted to stable.

Spanner

Spanner now supports a new client library interface. The new interface leverages auto-generated admin clients instead of hand-written admin clients for improved efficiency and maintainability. While the older client library interface remains supported, all new Spanner admin features released after March 1, 2024 will be available exclusively through the new client library interface. All code samples in the Spanner documentation are updated to use the new client library interface. The older client interface code samples are archived in GitHub for Java, Node.js, Python, and PHP.

Vertex AI

Vertex AI Prediction

You can now use A3 machine types to serve predictions.

Workflows

An issue that allowed jumps in or out of parallel branches, parallel loops, and for loops is resolved. Only these jumps are allowed:

February 29, 2024

AlloyDB for PostgreSQL

AlloyDB AI is now generally available (GA).

AlloyDB Omni version 15.5.0 is now available. This version includes the following features and changes:

  • When installing AlloyDB Omni using its command-line tool, you can now specify the TCP port that the instance accepts connections on.
  • Automated failover for highly available (HA) Kubernetes-based clusters is available in Preview.
  • The following extensions are updated:
    • Updated pg_cron to version 1.6.
    • Updated pg_repack to version 1.5.0.
    • Updated pgfincore to version 1.3.1.
    • Updated pglogical to version 2.4.4.
    • Updated pgvector to version 0.5.1.
  • The following extensions are now included:
    • Added autoinc version 1.0.
    • Added insert_username version 1.0.
    • Added moddatetime version 1.0.
    • Added tcn version 1.0.
  • Updated core PostgreSQL compatibility to version 15.5.
  • Applied security fix CVE-2024-0985 from PostgreSQL.
  • Various bug fixes and performance improvements.

The return value of the embedding() function of google_ml_integration has changed. The embedding() function now returns an array of REAL values, and not a VECTOR value. This allows you to install and use the extension without the requirement of installing pgvector as well.

If you wrote application code that uses embedding() during the Preview of AlloyDB AI, then you might need to update it to add explicit casting from the REAL[] data type to the VECTOR data type. For more information, see Work with vector embeddings.

A revised quickstart helps you install and run AlloyDB Omni on a Debian or Ubuntu system using a handful of commands.

BigQuery

The following BigQuery cross-cloud features are now generally available (GA):

The consolidated SQL translator API combines the interactive and batch translator into a single workflow, improving the efficiency and stability of your translation jobs created using the API. This feature is available in preview.

Data Catalog

Data Catalog is now available in the Frankfurt (aws-eu-central-1), Sydney (aws-ap-southeast-2) and Washington (azure-westus2) regions. For more information on region and feature availability, see regions.

Dataproc

New Dataproc Serverless for Spark runtime versions:

  • 1.1.52
  • 2.0.60
  • 2.1.39
  • 2.2.0-RC12

Document AI

The Custom Extractor supports three levels of nesting so you can easily extract structured data from complex documents and tables (earnings reports, tax forms, invoices, resumes, etc.). Learn how to use three levels of nesting.

The Custom Extractor with generative AI is now available in the asia-southeast1 (Singapore) region. For more information, see Custom processors.

See the model type, generative or custom, powering a Custom Extractor processor version by getting the model type from the processorVersions API.

Google Distributed Cloud Virtual for VMware

GKE on VMware 1.16.6-gke.40 is now available. To upgrade, see Upgrading GKE on VMware. GKE on VMware 1.16.6-gke.40 runs on Kubernetes v1.27.8-gke.1500.

If you are using a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on VMware.

The following issues are fixed in 1.16.6-gke.40:

  • Fixed the known issue that caused kubelet to be flooded with logs stating that /etc/kubernetes/manifests does not exist on the worker nodes.
  • Fixed the known issue that caused a preflight check to fail when the hostname isn't in the IP block file.
  • Fixed the manual load balancer issue where the IngressIP is overwritten with the Spec.LoadBalancerIP even if it is empty.
  • Fixed the known issue where a 1.15 user master machine encountered an unexpected recreation when the user cluster controller was upgraded to 1.16.

The following vulnerabilities are fixed in 1.16.6-gke.40:

Memorystore for Redis

Added support for vector store and vector search capabilities (Preview). For more details, see About vector search.

Security Command Center

Security Command Center API v2 released to Preview

The Security Command Center API v2, which enables data residency control and includes the /locations/LOCATION field in resource names, is released to Preview.

For more information, see the REST reference Security Command Center API Overview.

Data residency for Security Command Center released to Preview

Security Command Center data residency control is released to Preview. Security Command Center supports the following data locations:

  • European Union (eu)
  • United States (us)
  • Global (global)

For more information, see Data residency.

Spanner

Spanner regional endpoint is now available in me-central2. You can use regional endpoints if your data location must be restricted and controlled to comply with regulatory requirements. For more information, see Global and regional service endpoints.

February 2024 Client libraries release note

A monthly digest of client library updates from across the Cloud SDK.

Go

Changes for spanner/admin/database/apiv1

1.56.0 (2024-01-30)

Features
  • spanner/admin/database: Add proto descriptors for proto and enum types in create/update/get database ddl requests (97d62c7)
  • spanner/spansql: Add support for CREATE VIEW with SQL SECURITY DEFINER (#8754) (5f156e8)
  • spanner: Add FLOAT32 enum to TypeCode (97d62c7)
  • spanner: Add max_commit_delay API (af2f8b4)
  • spanner: Add proto and enum types (00b9900)
  • spanner: Add SelectAll method to decode from Spanner iterator.Rows to golang struct (#9206) (802088f)

1.57.0 (2024-02-13)

Features
  • spanner: Add OpenTelemetry implementation (#9254) (fc51cc2)
  • spanner: Support max_commit_delay in Spanner transactions (#9299) (a8078f0)
Bug Fixes
  • spanner: Enable universe domain resolution options (fd1d569)
  • spanner: Internal test package should import local version (#9416) (f377281)
  • spanner: SelectAll struct fields match should be case-insensitive (#9417) (7ff5356)
  • spanner: Support time.Time and other custom types using SelectAll (#9382) (dc21234)
Documentation
  • spanner: Update the comment regarding eligible SQL shapes for PartitionQuery (e60a6ba)

Java

Changes for google-cloud-spanner

6.57.0 (2024-01-29)

Features
  • Add FLOAT32 enum to TypeCode (#2800) (383fea5)
  • Add support for Proto Columns (#2779) (30d37dd)
  • spanner: Add proto descriptors for proto and enum types in create/update/get database ddl requests (#2774) (4a906bf)
Bug Fixes
  • Remove google-cloud-spanner-executor from the BOM (#2844) (655000a)
Dependencies
  • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.22.0 (#2785) (f689f74)
  • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.23.0 (#2801) (95f064f)
Documentation

6.58.0 (2024-02-08)

Features
  • Open telemetry implementation (#2770) (244d6a8)
  • spanner: Support max_commit_delay in Spanner transactions (#2854) (e2b7ae6)
  • Support Directed Read in Connection API (#2855) (ee477c2)
Bug Fixes
Dependencies
  • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.24.0 (#2856) (968877e)

6.59.0 (2024-02-15)

Features
  • Support public methods to use autogenerated admin clients. (#2878) (53bcb3e)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.25.0 (#2888) (8e2da51)
Documentation
  • README for OpenTelemetry metrics and traces (#2880) (c8632f5)
  • Samples and tests for database Admin APIs. (#2775) (14ae01c)

6.60.0 (2024-02-21)

Features
  • Add an API method for reordering firewall policies (62319f0)
  • spanner: Add field for multiplexed session in spanner.proto (62319f0)
  • Update TransactionOptions to include new option exclude_txn_from_change_streams (#2853) (62319f0)
Bug Fixes
  • Add ensureDecoded to proto type (#2897) (e99b78c)
  • spanner: Fix write replace used by dataflow template and import export (#2901) (64b9042)
Dependencies
  • Update dependency com.google.cloud:google-cloud-trace to v2.36.0 (#2749) (51a348a)
Documentation
  • Update comments (62319f0)
  • Update the comment regarding eligible SQL shapes for PartitionQuery (62319f0)

6.60.1 (2024-02-23)

Dependencies
  • Update dependency com.google.cloud:google-cloud-monitoring to v3.37.0 (#2920) (a3441bb)
  • Update dependency org.graalvm.buildtools:native-maven-plugin to v0.10.0 (#2861) (a652c3b)
  • Update dependency org.graalvm.buildtools:native-maven-plugin to v0.10.1 (#2919) (8800a28)
  • Update dependency org.json:json to v20240205 (#2913) (277ed81)
  • Update dependency org.junit.vintage:junit-vintage-engine to v5.10.2 (#2868) (71a65ec)
  • Update opentelemetry.version to v1.35.0 (#2902) (3286eae)

Node.js

Changes for @google-cloud/spanner

7.3.0 (2024-02-08)

Features
Bug Fixes
  • deps: Update dependency google-gax to v4.1.0 (#1981) (2a36150)
  • deps: Update dependency google-gax to v4.2.0 (#1988) (005589a)
  • deps: Update dependency google-gax to v4.2.1 (#1989) (d2ae995)
  • deps: Update dependency google-gax to v4.3.0 (#1990) (e625753)

7.4.0 (2024-02-23)

Features
  • spanner: Add PG.OID support (#1948) (cf9df7a)
  • Untyped param types (#1869) (6ef44c3)
  • Update TransactionOptions to include new option exclude_txn_from_change_streams (#1998) (937a7a1)
Bug Fixes

Python

Changes for google-cloud-spanner

3.42.0 (2024-01-30)

Features
  • Add FLOAT32 enum to TypeCode (5b94dac)
  • Add max_commit_delay API (#1078) (ec87c08)
  • Add proto descriptors for proto and enum types in create/update/get database ddl requests (5b94dac)
  • Fixing and refactoring transaction retry logic in dbapi. Also adding interceptors support for testing (#1056) (6640888)
  • Implementation of run partition query (#1080) (f3b23b2)
Bug Fixes
  • Few fixes in DBAPI (#1085) (1ed5a47)
  • Small fix in description when metadata is not present in cursor's _result_set (#1088) (57643e6)
  • spanner: Add SpannerAsyncClient import to spanner_v1 package (#1086) (2d98b54)
Documentation
  • Samples and tests for auto-generated createDatabase and createInstance APIs. (#1065) (16c510e)

Vertex AI

Vector Search feature launch

Update streaming index metadata: With this launch, you can directly update restricts and numeric restricts of data points inside StreamUpdate indexes without the compaction cost of a full update. To learn more, see Update dynamic metadata.

reCAPTCHA Enterprise

reCAPTCHA Enterprise Mobile SDK v18.5.0-beta01 is now available for iOS.

This version contains the following changes:

  • The new minimum iOS version is iOS 12.
  • A new exception type is added for devices without a network connection: NO_NETWORK_FOUND.

February 28, 2024

AlloyDB for PostgreSQL

AlloyDB now supports the use of Google Cloud tags on cluster and backup resources. Tags are key-value pairs you can apply to your resources for granular IAM permissions. To learn more, see Organize resources using tags. To use tags now, see Attach and manage tags on AlloyDB resources.

Anti Money Laundering AI

Added a new engine version page so you can keep track of the latest engine version releases.

Backup and DR

Backup and DR Service is now integrated with Cloud Monitoring. You can analyze metrics and set custom email alerts. Learn more.

Backup and DR Service has added a new reporting system based on the built-in Google Cloud services: Cloud Monitoring, Cloud Logging, and BigQuery. Learn more.

You can now view prebuilt reports in BigQuery. Learn more.

You can now view comprehensive job-related reporting data through backup and recovery job logs in Cloud Logging. Learn more.

BigQuery

Materialized views can now reference logical views. This feature is in preview.

The ability to perform anomaly detection with BigQuery ML multivariate time series (ARIMA_PLUS_XREG) models is now in preview. This feature enables you to detect anomalies in historical time series data or in new data with multiple feature columns. Try this new feature by using the Perform anomaly detection with a multivariate time-series forecasting model tutorial.

The following statements are now generally available (GA) with billing enabled:

  • CREATE TABLE AS SELECT
  • CREATE TABLE IF NOT EXISTS AS SELECT
  • CREATE OR REPLACE TABLE AS SELECT
  • INSERT INTO SELECT

These statements let you filter data from files in Amazon S3 and Azure Blob Storage before transferring results into BigQuery tables.

Cloud Composer

Cloud Composer 2.6.3 release started on February 28, 2024. Get ready for upcoming changes and features as we roll out the new release to all regions. This release is in progress at the moment. Listed changes and features might not be available in some regions yet.

(Cloud Composer 2 in select regions) Cloud Composer shows the account selection and consent screens when opening Airflow UI for an environment.

If you have the "Don't allow users to access any third-party apps" setting enabled in Google Workspace, then configure access to the "Apache Airflow in Cloud Composer" app in Google Workspace, so that your Google Workspace users can still access Airflow UI in Cloud Composer environments. For more information, see Allow access to Airflow UI in Google Workspace.

(Cloud Composer 2 in select regions) Reduced the propagation time of the revoked Cloud IAM permission that blocks access to Airflow UI.

In new environments with Airflow 2.6.3, the default values of the following Airflow configuration options are changed to provide more optimized Cloud Composer environments:

  • [scheduler]job_heartbeat_sec to 30
  • [scheduler]scheduler_heartbeat_sec to 15

Fixed a problem where the IAM policy of a custom environment's bucket is replaced when an environment is created.

The apache-airflow-providers-google package is upgraded to version 10.15.0 in images with Airflow 2.6.3. For more information about changes, see the apache-airflow-providers-google changelog from version 10.14.0 to version 10.15.0.

Cloud Composer 2.6.3 images are available:

  • composer-2.6.3-airflow-2.6.3 (default)
  • composer-2.6.3-airflow-2.5.3

Confidential Space

Data collaborators can now check if memory monitoring is enabled on a Confidential VM running a Confidential Space workload.

A new Confidential Space image (240200) is now available. This image provides support for data collaborators to add memory monitoring as part of their attestation assertions.

Dataproc

New Dataproc on Compute Engine subminor image versions:

  • 2.0.93-debian10, 2.0.93-rocky8, 2.0.93-ubuntu18
  • 2.1.41-debian11, 2.1.41-rocky8, 2.1.41-ubuntu20, 2.1.41-ubuntu20-arm
  • 2.2.7-debian12, 2.2.7-rocky9, 2.2.7-ubuntu22

Dataproc on Compute Engine: The new Secret Manager credential provider feature is available in the latest 2.1 image versions.

Dataproc on Compute Engine:

  • Upgraded Zookeeper to 3.8.3 for Dataproc 2.2.
  • Upgraded ORC for Hive to 1.15.13 for Dataproc 2.1.
  • Upgraded ORC for Spark to 1.7.10 for Dataproc 2.1.
  • Extended expiry for the internal Knox Gateway certificate from one year to five years from cluster creation for Dataproc images 2.0, 2.1, and 2.2.

Dataproc on Compute Engine: Fixed ZooKeeper startup failures in image 2.2 HA (High Availability) clusters that use fully qualified hostnames.

Deep Learning VM Images

M117 release

  • Added the CUDA version (CUDA 11.8) to the TensorFlow 2.12, 2.13, and 2.14 image names and image family names. For example, tf-2-12-gpu is renamed tf-2-12-cu118.

Google Cloud Architecture Center

(New guide) Configure networks for FedRAMP and DoD in Google Cloud: Provides configuration guidance to help you comply with design requirements for FedRAMP High and DoD IL2, IL4, and IL5 when you deploy Google Cloud networking policies.

(New guide) Infrastructure for a RAG-capable generative AI application using Vertex AI: Design infrastructure to run a generative AI application with retrieval-augmented generation (RAG) to help improve the factual accuracy and contextual relevance of LLM-generated content.

Google Cloud VMware Engine

Beginning on March 12, 2024, the VMware Engine operations team will perform essential maintenance of the network infrastructure to improve equipment robustness and apply security patches. Users affected by this upgrade will receive an email with planned maintenance dates and times.

For details about the upgrade and steps to prepare, see Service announcements.

Google Kubernetes Engine

The Performance Compute Class, designed for running whole-machine CPU workloads, is available in Autopilot mode from versions 1.28.6-gke.1369000 and 1.29.1-gke.1575000 and later.

SAP on Google Cloud

Disk snapshot based backup and recovery for SAP HANA

From version 3.0, you can use the disk snapshot feature of Google Cloud's Agent for SAP to perform backup and recovery operations for SAP HANA systems running on Google Cloud.

For more information, see Disk snapshot based backup and recovery for SAP HANA.

Security Command Center

Virtual Machine Threat Detection, a built-in service of Security Command Center Premium, has launched a new detector, Defense Evasion: Rootkit, in Preview.

The detector monitors virtual machines and generates a finding if a combination of signals matching a known kernel-mode rootkit is present.

For more information, see Virtual Machine Threat Detection overview.

Vertex AI Search and Conversation

Vertex AI Search: Add metadata to your web index (Public preview)

If advanced website indexing is enabled in your data store, you can add metadata to the data store schema to enrich your indexing.

For more information, see Add metadata for advanced site indexing.

Vertex AI Search: Automatic web page refresh (Public preview)

With advanced website indexing, Vertex AI Search performs conditional, automatic refresh.

For more information, see Refresh web pages.

Vertex AI Search: Apply tuned search to some queries (Public preview)

You can specify whether you want a query to use the tuned search model or the non-tuned search model. This is particularly helpful for testing the difference between the two versions of the model.

Previously, the tuned search model was enabled (or disabled) for all queries against the data store.

For more information, see Test tuned search and use it for individual search queries.

Vertex AI Search: Access controlled data sources (Public preview)

Access control for BigQuery, Cloud Storage, and Confluence data is available in Public preview. This feature allows you to limit the data that users can view in your search app's results. Google uses your identity provider to identify the end user performing a search and determine if they have access to the documents that are returned as results. Google Identity and third-party identity provider federation are supported.

For more information, see Use data source access control.

Vertex AI Search: Blended search (Public preview)

Blended search, where multiple data stores can be connected to a single generic search app, is available in Public preview. This feature allows you to use one generic search app to search across multiple sources and types of data.

For more information, see About connecting multiple data stores.

Vertex AI Search: Search analytics (GA)

Search analytics are GA for global data stores. For data stores in US and EU multi-regions, viewing analytics is in Public Preview.

For more information, see View analytics.

Vertex AI Workbench

M117 release

The M117 release of Vertex AI Workbench instances includes the following:

  • Removed the Cloud Storage browser in the left side pane in favor of the existing Mount shared storage button.

February 27, 2024

AlloyDB for PostgreSQL

You can now use Automatic IAM Authentication with the AlloyDB Language Connectors (Preview) to connect to your cluster. For more information, see Connect using the AlloyDB Language Connectors.

BigQuery

You can now use time series and range functions to support time series analysis. This feature is in preview.

You can now use data manipulation language (DML) statements to efficiently delete entire partitions. If a DELETE statement targets all rows in a partition, then the entire partition is deleted without scanning bytes or consuming slots. This feature is now generally available (GA).

Cloud Healthcare API

A new release is available. This release may include some or all of the following: general performance improvements, bug fixes, and updates to the API reference documentation.

Colab Enterprise

VPC Service Controls has general availability support in Colab Enterprise.

For more information, see Use VPC Service Controls.

Container Optimized OS

cos-101-17162-386-33

  • Kernel: COS-5.15.146
  • Docker: v20.10.24
  • Containerd: v1.6.28
  • GPU Drivers: v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

Updated app-emulation/containerd to 1.6.28.

Upgraded net-misc/curl to version 8.6.0. This fixes CVE-2024-0853.

Updated dev-libs/libxml2 to 2.11.7. This fixes CVE-2024-25062.

Fixed CVE-2024-26581 in the Linux kernel.

Fixed CVE-2022-3566 in the Linux kernel.

Fixed CVE-2022-3567 in the Linux kernel.

Fixed CVE-2024-1086 in the Linux kernel.

cos-109-17800-147-22

  • Kernel: COS-6.1.75
  • Docker: v24.0.9
  • Containerd: v1.7.13
  • GPU Drivers: v535.154.05 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

Upgraded Docker to v24.0.9. This fixes CVE-2024-24557.

Fixed CVE-2024-0684 in sys-apps/coreutils.

Fixed CVE-2024-26581 in the Linux kernel.

cos-105-17412-294-34

  • Kernel: COS-5.15.146
  • Docker: v23.0.3
  • Containerd: v1.7.10
  • GPU Drivers: v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

Fixed CVE-2024-26581 in the Linux kernel.

Dataflow

Dataflow now supports at-least-once streaming mode. You can use this mode to achieve lower latency and reduced costs for workloads that can tolerate duplicate records. This feature is generally available (GA). For more information, see Set the pipeline streaming mode.

Google Cloud VMware Engine

Generally available: Purchasing commitments for VMware Engine nodes. For more information, see Purchasing commitments for node types.

Google Distributed Cloud Virtual for VMware

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

GKE on VMware 1.15.9-gke.20 is now available. To upgrade, see Upgrading GKE on VMware. GKE on VMware 1.15.9-gke.20 runs on Kubernetes v1.26.10-gke.2000.

If you are using a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on VMware.

Sensitive Data Protection

An improvement was made in the way Sensitive Data Protection calculates the predicted infoType of the data that it profiles. The service now considers correlations between the detected infoTypes, where one infoType is a subset of another. For more information, see Predicted infoType.

For more information about data profiling, see Data profiles.

VPC Service Controls

General availability support for the following integration:

Preview stage support for the following integration:

February 26, 2024

Anthos clusters on AWS

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-0193

For more information, see the GCP-2024-013 security bulletin.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6932

For more information, see the GCP-2024-011 security bulletin.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6931

For more information, see the GCP-2024-010 security bulletin.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6817

For more information, see the GCP-2024-004 security bulletin.

Anthos clusters on Azure

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-0193

For more information, see the GCP-2024-013 security bulletin.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6932

For more information, see the GCP-2024-011 security bulletin.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6931

For more information, see the GCP-2024-010 security bulletin.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6817

For more information, see the GCP-2024-004 security bulletin.

App Engine flexible environment Go

Go 1.22 is now available in preview.

App Engine flexible environment Java

App Engine flexible environment PHP

App Engine standard environment Go

Go 1.22 is now available in preview.

App Engine standard environment Java

App Engine standard environment PHP

BigQuery

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigquery

2.38.0 (2024-02-22)

Features
  • Add MetadataCacheStatistics to Job QueryStatistics (#3133) (f3f387b)
Dependencies
  • Update dependency com.google.apis:google-api-services-bigquery to v2-rev20240211-2.0.0 (#3152) (e5d6888)
  • Update github/codeql-action action to v2.24.3 (#3148) (a0a7b01)
  • Update github/codeql-action action to v2.24.3 (#3150) (042fcf0)
  • Update github/codeql-action action to v2.24.4 (#3161) (531b1a0)

The BigQuery Data Transfer Service can now transfer data from the following data sources:

Transfers from these data sources are supported in preview.

The following SQL features are now generally available (GA):

The GROUP BY ALL clause, which groups rows by inferring grouping keys from the SELECT items, is now in preview.

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.34.0 (2024-02-21)

Features
  • Add the export logic for per-connection error rate metric (#2121) (d053f2d)
  • Create the backbone of counting errors per connection each minute. (#2094) (7d27816)
Dependencies
  • Update actions/setup-java action to v4 (#2106) (a694296)
  • Update dependency com.google.cloud:gapic-libraries-bom to v1.30.0 (#2126) (f613bd0)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.25.0 (#2113) (ba1973e)
  • Update dependency com.google.truth.extensions:truth-proto-extension to v1.4.1 (#2119) (0a7ad66)
  • Update dependency org.graalvm.buildtools:junit-platform-native to v0.10.1 (#2122) (99ec284)
  • Update dependency org.graalvm.buildtools:native-maven-plugin to v0.10.1 (#2123) (12d961a)

Buildpacks

In Go version 1.22 and later, you can no longer use GOPATH for installing dependencies. To manage dependencies, use a go.mod file. For more information about Go versions, and managing dependencies for vendor directories, see GOPATH and Modules in Go documentation.

Cloud Asset Inventory

The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.

  • GKE Hub
    • gkehub.googleapis.com/Fleet
    • gkehub.googleapis.com/Scope
    • gkehub.googleapis.com/Namespace
    • gkehub.googleapis.com/MembershipBinding
    • gkehub.googleapis.com/RBACRoleBinding
  • AI Platform
    • aiplatform.googleapis.com/NotebookRuntime
    • aiplatform.googleapis.com/NotebookRuntimeTemplate

Cloud Composer

Starting February 27, 2024, in the us-central1, europe-west1, europe-west2, europe-west3, europe-west6, us-east1, and us-east4 regions it is possible to create new Cloud Composer 1 environments only in projects that already have Cloud Composer 1 environments.

In all other existing or newly created projects in these regions, it is possible to create only Cloud Composer 2 environments. This change is a part of the preparation for Cloud Composer 1 end of support, as communicated earlier and described in the Versioning overview.

Cloud Functions

Cloud Functions now supports the PHP 8.3 and Java 21 runtimes at the General Availability release level for 2nd gen functions.

Cloud Functions now supports the Go 1.22 runtime at the Preview release level.

Cloud Logging

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-logging

3.16.0 (2024-02-20)

Features
  • Add an API method for reordering firewall policies (#1538) (9cd6b96)
Dependencies
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.25.0 (#1535) (7fde779)
  • Update dependency org.graalvm.buildtools:junit-platform-native to v0.10.0 (#1528) (b3e4f9b)
  • Update dependency org.graalvm.buildtools:native-maven-plugin to v0.10.0 (#1456) (f27713e)
  • Update dependency org.graalvm.buildtools:native-maven-plugin to v0.10.1 (#1542) (af784bc)
  • Update dependency org.junit.vintage:junit-vintage-engine to v5.10.2 (#1530) (20981dc)

Confidential VM

Live migration is now available on new Confidential VM instances that meet the following configuration criteria:

  • An N2D machine type with AMD EPYC Milan CPU platform

  • AMD SEV Confidential Computing technology

  • An operating system image that supports live migration

Dataform

Dataform is available in the us-south1 region. For more information, see Locations.

Eventarc

Eventarc is available in the us-west8 (Phoenix, Arizona, North America) region.

Google Distributed Cloud Virtual for VMware

GKE on VMware 1.28.200-gke.111 is now available. To upgrade, see Upgrading Anthos clusters on VMware. GKE on VMware 1.28.200-gke.111 runs on Kubernetes v1.28.4-gke.1400.

If you are using a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on VMware.

The following issues are fixed in 1.28.200-gke.111:

  • Fixed the known issue that caused a preflight check to fail when the hostname isn't in the IP block file.
  • Fixed the known issue where the storage policy field is missing in the admin cluster configuration template.
  • Fixed the manual load balancer issue where the IngressIP is overwritten with the Spec.LoadBalancerIP even if it is empty.
  • Fixed the issue where preflight jobs might be stuck in the pending state.
  • Fixed the known issue where nfs-common is missing from the Ubuntu OS image.

The following vulnerabilities are fixed in 1.28.200-gke.111:

Google Kubernetes Engine

This note was updated on March 20, 2024. The links to the security bulletins related to CVE-2024-0193 and CVE-2023-3610 have been updated.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-0193

For more information, see the GCP-2024-012 security bulletin.

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-3610

For more information, see the GCP-2024-013 security bulletin.

GKE now supports Gemma (2B, 7B), Google's new state-of-the-art open models. To learn more, refer to the following guides:

Deployment to GKE is also supported via Vertex AI Model Garden as part of our Hugging Face, Vertex AI, and GKE integration.

Migrate to Virtual Machines

Generally available: Migrate to Virtual Machines lets you migrate virtual machine (VM) disks to Persistent Disk volumes on Google Cloud. The migrated disks can be attached to a new VM during the migration process, or an existing VM after the migration is complete.

Policy Intelligence

The IAM recommender offers role recommendations for BigQuery datasets. Role recommendations help you reduce excess permissions by suggesting role changes based on actual permission usage. This feature is available in Preview.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Python

Changes for google-cloud-pubsub

2.19.6 (2024-02-23)

Bug Fixes

2.19.5 (2024-02-22)

Bug Fixes

Spanner

The following GoogleSQL JSON functions are now generally available (GA):

  • LAX_BOOL: Attempts to convert a JSON value to a SQL BOOL value.
  • LAX_FLOAT64: Attempts to convert a JSON value to a SQL FLOAT64 value.
  • LAX_INT64: Attempts to convert a JSON value to a SQL INT64 value.
  • LAX_STRING: Attempts to convert a JSON value to a SQL STRING value.
  • BOOL: Converts a JSON boolean to a SQL BOOL value.
  • FLOAT64: Converts a JSON number to a SQL FLOAT64 value.
  • INT64: Converts a JSON number to a SQL INT64 value.
  • STRING: Converts a JSON string to a SQL STRING value.
  • JSON_TYPE: Gets the JSON type of the outermost JSON value and converts the name of this type to a SQL STRING value.

Text-to-Speech

Studio voices are now GA.

Casual voices are now in preview.

Vertex AI

Ground Multimodal Models

Model grounding for gemini-pro is available in Preview. Use grounding to connect the gemini-pro model to unstructured text data stores in Vertex AI Search. Grounding lets models access and use the information in the data repositories to generate more enhanced and nuanced responses. For more information, see Ground multimodal models.

Vertex AI Search and Conversation

Vertex AI Search: Use Terraform to create search apps

You can use Terraform to create search apps for your Vertex AI Search.

For information, see Create a search app.

Virtual Private Cloud

The VPC documentation has been updated with a new page that describes which services in Google Cloud include support for IPv6. For more information, see IPv6 support in Google Cloud.

February 24, 2024

Google Distributed Cloud Virtual for VMware

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2024-0193

For more information, see the GCP-2024-013 security bulletin.

February 23, 2024

Application Integration

Application Integration now supports private triggers that enable you to break large flows into various subflows. This feature is in preview.

Chronicle

Chronicle now supports the timestamp.get_date() function. For more information and example usage, see YARA-L 2.0 language syntax.

Cloud Load Balancing

Global external Application Load Balancers now let you customize your own error responses when an HTTP error status code (4xx and 5xx) is generated. You can customize error responses for errors generated by both the load balancer and the backend instances. You can also customize error responses for error response codes that are generated when traffic is denied by Cloud Armor.

For more information, see the following pages:

This feature is available in Preview.

Google Kubernetes Engine

(2024-R05) Version updates

GKE cluster versions have been updated.

New versions available for upgrades and new clusters.

The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

No channel

Stable channel

  • There are no new releases in the Stable release channel.

Regular channel

  • The following versions are now available in the Regular channel:
  • The following versions are no longer available in the Regular channel:
    • 1.25.16-gke.1268000
    • 1.26.12-gke.1111000
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.24 to version 1.25.16-gke.1360000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.25 to version 1.26.13-gke.1052000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.26 to version 1.26.13-gke.1052000 with this release.

Rapid channel

  • The following versions are now available in the Rapid channel:
  • The following versions are no longer available in the Rapid channel:
    • 1.25.16-gke.1497000
    • 1.26.13-gke.1189000
    • 1.27.10-gke.1152000
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.26 to version 1.27.10-gke.1207000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.27 to version 1.27.10-gke.1207000 with this release.
  • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.29.1-gke.1575000 with this release.

Transcoder API

You can now set an exact frame rate on the output video. For more information, see Frame rate conversion strategies.

February 22, 2024

Anthos Config Management

The constraint template library includes a new template: K8sRestrictAdmissionController. For reference, see the Constraint template library.

The constraint template library includes a new template: K8sCronJobAllowedRepos. For reference, see the Constraint template library.

Added the authentication type k8sserviceaccount for syncing from OCI images and Helm charts hosted in Artifact Registry. For more details, see Grant Config Sync read-only access to OCI and Grant Config Sync read-only access to Helm.

Simplified the steps to export metrics to Cloud Monitoring. For more details, see Configure Cloud Monitoring with Workload Identity.

Fixed the unrecognized label error in the otel-collector configuration that caused kustomize metrics to be rejected.

Batch

In the Google Cloud console, the Job list page has been updated to reduce latency. Although the console no longer summarizes the statuses of your jobs, you can filter based on job state when you view a list of your jobs.

Fixed the issue causing latency when listing jobs in projects that contain more than 10,000 jobs.

BigQuery

The following BigQuery text embedding features are now generally available (GA):

Certificate Manager

Certificate Manager supports the management of certificates independently in each project with separate authorization. You can also issue regional managed certificates with Certificate Manager. This is a public preview feature. For more information, see Certificate Manager overview.

Chronicle SOAR

Release 6.2.49 is currently in Preview.

In the IDE, using CrowdStrikeFalcon - Execute command and selecting scope as internal hosts and external hosts does not work (ID #00250316)

The following APIs have been deprecated and will be deleted in 6 months.

  • GET /api/external/v1/connectors/GetConnectorsData
  • POST /api/external/v1/connectors/DeleteConnector
  • POST /api/external/v1/connectors/AddOrUpdateConnector
  • POST /api/external/v1/connectors/UpdateConnectorFromIde
  • POST /api/external/v1/connectors/GetConnectorStatus

For each API above, there are one or more alternative endpoints that you can use as shown below:

Instead of
GET /api/external/v1/connectors/GetConnectorsData

Use one of the following:

  • GET /api/external/v1/connectors/template-cards
    Provides basic information for each accessible connector definition.

  • POST /api/external/v1/connectors/template
    Retrieves detailed information regarding a specific connector definition.

  • GET /api/external/v1/connectors/cards
    Provides basic information for each accessible connector.

  • GET /api/external/v1/connectors/{identifier}
    Retrieves detailed information regarding a specific connector instance.

Instead of
POST /api/external/v1/connectors/DeleteConnector
Use
DELETE /api/external/v1/connectors/{identifier}

Instead of
POST /api/external/v1/connectors/AddOrUpdateConnector
Use
POST /api/external/v1/connectors

Instead of
POST /api/external/v1/connectors/UpdateConnectorFromIde
Use
POST /api/external/v1/connectors/update-from-ide

Instead of
POST /api/external/v1/connectors/GetConnectorStatus
Use
GET /api/external/v1/connectors/{identifier}/statistics

Cloud Billing

Between February 13, 2024 and February 22, 2024, some SKU IDs for your support subscriptions have changed. Use the following table to check whether you're affected by this change. If you have reports or BigQuery queries that depend on these IDs, edit them to use the new SKU IDs.

Legacy SKU IDs and new SKU IDs, by subscription:

  • Premium
    • Legacy SKU IDs: Base Tier 1: F08D-670F-E528; Base Tier 2: 3ADC-4232-8F2F; Base Tier 3: 768B-9B76-8BFA; Variable: E4F5-0256-E0EE
    • New SKU IDs: Base Tier 1: 5D14-41DF-B7BF; Base Tier 2: A73A-2FBD-A226; Base Tier 3: 7EFE-705D-1818; Variable: 5467-9D2D-5B98
  • TAM
    • Legacy SKU IDs: Additional Coverage: Included: 39DA-470F-1873; Additional Coverage: Tier 1: 1D0C-C18F-A3E9; Tier 2: A4ED-26C4-BE0A; Tier 3: 7625-C72D-58B1
    • New SKU IDs: Additional Coverage: Included: FECC-20EE-2595; Additional Coverage: Tier 1: 164C-4F75-934A; Tier 2: C9E4-CC90-085B; Tier 3: 0401-A11E-7A40
  • Enhanced
    • Legacy SKU IDs: Base: D61B-E147-B8A6; Variable: 8D85-10F1-28B3
    • New SKU IDs: Base: 7F2E-344B-FBDD; Variable: 0D7A-4FBF-FA55
  • Gold
    • Legacy SKU IDs: Base: 118A-4BF5-51E1
    • New SKU IDs: Base: 0AD0-476B-879E
  • Silver
    • Legacy SKU IDs: Base: 5D8F-0D17-AAA2
    • New SKU IDs: Base: F5D2-4995-B3D7

Learn about reports that you can use to analyze your costs.

Cloud Composer

Fixed a problem where one DAG run could potentially delete task instances from other DAG runs if run_id was the same (backported #32684 from a later Airflow version).

Cloud Composer 2.6.2 images are available:

  • composer-2.6.2-airflow-2.6.3 (default)
  • composer-2.6.2-airflow-2.5.3

Cloud Workstations

Cloud Workstations supports Image Streaming, which provides faster workstations startup by reducing image pull time.

Dataproc

New Dataproc Serverless for Spark runtime versions:

  • 1.1.51
  • 2.0.59
  • 2.1.38
  • 2.2.0-RC11

Filestore

NFSv4.1 protocol support, integrated with Managed Service for Microsoft Active Directory, is now available in Preview for Filestore enterprise and zonal instances.

Looker Studio

Show field descriptions in table chart headers

You can now let report viewers access field descriptions in tooltips when the Show field descriptions option is enabled for table charts. Show field descriptions is automatically enabled for charts that are connected to a Looker or Search Ads 360 data source. Field descriptions are sourced from the Description column in the data source.

Learn more about table chart header options.

Looker Studio release notes moving to Google Cloud

We're changing how we deliver product release notes. Beginning in a few weeks, Looker Studio release notes will be available solely on the Google Cloud release notes platform.

Cloud release notes offer enhanced features, such as RSS feed support and programmatic access using BigQuery. These features make it easier for customers to stay informed about feature updates. Additionally, Google Cloud customers will have the convenience of accessing updates for related products like Looker and BigQuery in a centralized location.

Release notes prior to this change are preserved in the historical release notes page.

Visit the Cloud Looker Studio release notes now.

Pub/Sub

If you have filtering enabled, the backlog metrics only include data from messages that match the filter. To learn more, see How filters affect backlog metrics.

Storage Transfer Service

Storage Transfer Service has added preview support for transferring managed folders between Cloud Storage buckets. Permissions on managed folders are copied between buckets when using this option.

See Transfer Cloud Storage managed folders for details.

February 21, 2024

Chronicle

Fixed an issue that prevents you from using the list, percentile, and percentile_distinct functions when you create a custom measure in your dashboard.

Chronicle SOAR

Remote Agents Release 1.4.9 is currently in Preview.

The Docker image to pull for this release is 1.4.9.2.

Upgrade agents from 1.3.8 on RHEL not working as expected (ID #00243884)

Publisher memory usage issue (ID #00273756)

Compute Engine

Preview: With managed workload identities for Compute Engine, you can implement mutually authenticated and encrypted communications between any two Compute Engine VMs. Workload applications running on the configured VMs can use the X.509 credentials for per-VM mTLS. These mTLS certificates are automatically rotated and managed for you by Certificate Authority Service.

For more information, see Authenticate workloads to other workloads over mTLS.

Contact Center AI Platform

Version 3.11 is released

All release notes published on this date are part of version 3.11.

Cold chat transfer

Agents can do a "cold transfer" for a chat. With a cold chat transfer, the agent assigns a chat session to a new agent or a queue, and then immediately leaves the chat without waiting for the new agent to join. This helps agents efficiently transfer chats without being bound to them. For more information, see Transfer a Chat.

Support for partial response in Dialogflow

CCAI Platform supports the partial response option in Dialogflow. This is particularly useful when the virtual agent needs to call a webhook that will likely take a while to run. With partial response enabled, Dialogflow can immediately send an initial fulfillment message to the end-user, such as, "One moment while I look that up." This way, while the webhook runs and the final fulfillment message is generated, the end-user expects a short wait instead of assuming that there is a problem. For information about configuring this capability in Dialogflow, see Partial response for streaming API.

Added new response fields for indicating agent availability to the manager/api/v1/agents/current_status and apps/api/v1/wait_times APIs. These indicate the number of assigned agents, logged-in agents, available agents, and breakthrough agents.

Fixed an issue that prevented copying an IVR menu structure.

Fixed an issue where the automatic redirect to a PSTN number used a direct PSTN dial instead of the configured BYOC SIP dial settings.

Fixed an issue where the account ID in search results did not refresh after removing search input.

Fixed an issue preventing the editing of user permissions for Microsoft Teams users.

Updated virtual task assistants to support an unlimited number of data parameters.

Fixed an issue where the Contact Name displayed 'Chat User' instead of the end-user's name.

Fixed an issue where the Agent and Supervisor filters on the Agents page displayed as All undefined.

Fixed an issue where the file name was not visible when the user held the pointer over the compose-email pane.

Fixed the error message that displays when an administrator disables an email queue with an invalid IMAP connection.

Fixed an issue where holiday-hours messages didn't play when the support center or queues were outside of their hours of operation.

Dataflow

You can now use Gemma models in your Apache Beam inference pipelines. For more information, see Use Gemma open models with Dataflow.

Dataform

Support for VPC Service Controls is generally available (GA).

Google Kubernetes Engine

The GKE Stateful HA Operator is now available in GA starting in GKE versions 1.28.5-gke.1113000 and later, or 1.29.0-gke.1272000 and later. The GKE Stateful HA Operator is enabled in new Autopilot clusters and opt-in for new Standard clusters.

Immersive Stream for XR

Upgrade to Unreal Engine 5.3.

  • Cloud builder in ISXR Content now uses Unreal Engine version 5.3.2.
  • Only the latest version of the Template Project (3.0.0) is compatible with the latest builder in the Content.

Optimized the Unreal Template Project.

  • Simplified logic in blueprints.
  • Easier to use events for mode switching.
  • New demos for Session ID and AR Virtual Background.
  • Now you can integrate files from the template directly into your existing Unreal projects to work on Immersive Stream for XR in both 3D and AR modes.

Spanner

The OpenCensus libraries are archived. Spanner now supports OpenTelemetry, and we recommend that all OpenCensus users migrate to OpenTelemetry for their observability needs. For more information, see Examine latency in a Spanner component with OpenTelemetry.

VPC Service Controls

General availability support for the following integration:

Vertex AI

Gemma open models are available

Gemma models, a family of lightweight, open models built from the same research and technology used to create the Gemini models, are available to run on your hardware, mobile devices, or hosted services. To learn more, see Use Gemma open models and the Gemma Model Garden card.

reCAPTCHA Enterprise

reCAPTCHA Enterprise Mobile SDK v18.4.2 is now available for iOS.

This version contains fixes for the following stability issues:

reCAPTCHA Enterprise Mobile SDK v18.5.0-beta01 is now available for Android.

This version contains the following changes:

  • Support for Android API 19 is removed.
  • Dependency on OkHttp 4.11.0 is added.
  • New exception type is added for devices without a network connection: NO_NETWORK_FOUND.

February 20, 2024

AlloyDB for PostgreSQL

You can now configure instances to use 128 vCPUs and 864 GB of RAM per node.

Chronicle

Google has added Tokyo (Japan) as a new region for Chronicle customers. Chronicle can now store customer data in this region. This also adds a new regional endpoint for Chronicle APIs at https://asia-northeast1-backstory.googleapis.com.

Cloud Billing

US-based billing accounts only: In August 2023, Google Cloud Marketplace transitioned to the Agency model for marketplace services for US partners and US customers. As part of this change, the remittance information has changed on your Google Cloud invoices and in the Google Cloud console.

As part of this change, you can see the following information in your Cloud Billing tools:

Cloud Logging

You can now configure and save a Log Analytics chart directly in Monitoring. For more information, see Add charts generated from a Log Analytics query.

For information and recommendations about how to instrument your applications to collect metrics, logs, and traces, see the following documents:

Cloud Monitoring

For information and recommendations about how to instrument your applications to collect metrics, logs, and traces, see the following documents:

Cloud SQL for PostgreSQL

Cloud SQL Enterprise Plus edition now supports versions 12 and 13 of PostgreSQL. For more information, see Introduction to Cloud SQL editions.

Cloud Trace

For information and recommendations about how to instrument your applications to collect metrics, logs, and traces, see the following documents:

Container Optimized OS

cos-105-17412-294-29

  • Kernel: COS-5.15.146
  • Docker: v23.0.3
  • Containerd: v1.7.10
  • GPU Drivers: v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

Fixed CVE-2024-24557 in app-emulation/docker.

Upgraded net-misc/curl to v8.6.0. This fixes CVE-2024-0853.

Updated dev-libs/libxml2 to v2.11.7. This fixes CVE-2024-25062.

Fixed CVE-2022-3566 in the Linux kernel.

Fixed CVE-2022-3567 in the Linux kernel.

cos-109-17800-147-15

  • Kernel: COS-6.1.75
  • Docker: v24.0.5
  • Containerd: v1.7.13
  • GPU Drivers: v535.154.05 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

Updated app-containers/containerd to v1.7.13.

Upgraded net-misc/curl to v8.6.0. This fixes CVE-2024-0853.

Updated dev-libs/libxml2 to v2.11.7. This fixes CVE-2024-25062.

Deep Learning Containers

M117 release

  • Fixed an issue wherein the latest container had a deprecation-public-image tag. In this release and future releases, this tag will only be on the deprecated containers.
  • Fixed a problem wherein the user couldn't access the vulnerabilities result of each container.

Dialogflow

The previously announced migration from Standard NLU to Advanced NLU will no longer occur on March 1, 2024. For more information, see the email announcement.

Dialogflow CX agents now default to advanced NLU.

Dialogflow CX channel-specific response messages are now available for the following integrations: Google Chat, LINE, Messenger from Meta, Workplace from Meta, Slack. See the integration documentation for details.

Google Distributed Cloud Virtual for Bare Metal

Release 1.16.6

GKE on Bare Metal 1.16.6 is now available for download. To upgrade, see Upgrade clusters. GKE on Bare Metal 1.16.6 runs on Kubernetes 1.27.

If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.

Fixes:

  • Fixed an issue where upgrades are blocked because cluster-operator can't delete stale, failing preflight check resources.

  • Cleaned up stale etcd-events membership to enhance control plane initialization reliability in the event of a node join failure.

Fixes:

The following container image security vulnerabilities have been fixed in 1.16.6:

Known issues:

For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section.

Google Kubernetes Engine

You can now use the GKE API to apply Resource Manager tags to your GKE nodes. GKE attaches these tags to the underlying Compute Engine VMs. You can use these tags to selectively enforce Cloud Firewall network firewall policies. This feature is generally available in GKE version 1.28 and later.

Kubernetes Engine best practice observability packages, including control plane logs, control plane metrics, and kube state metrics are now enabled by default for new managed GKE Enterprise clusters to ensure availability of necessary data when it's needed for troubleshooting or optimization. Control plane metrics and kube state metrics are included in GKE Enterprise Edition at no additional charge.

GKE now delivers insights and recommendations if your cluster's Certificate Authority (CA) is expired or will expire in the next 180 days. To learn more, see Find clusters with expiring or expired credentials.

A bug in the image streaming feature might cause containers to fail because of a missing file or files.

Containers running on a node with image streaming enabled on the following versions might fail to start, or might run with errors indicating that certain files don't exist. The following are examples of such errors:

  • No such file or directory
  • Executable file not found in $PATH

The following GKE versions are impacted:

  • For 1.27: 1.27.10-gke.1077000 and later
  • For 1.28: All 1.28 versions
  • For 1.29: All 1.29 versions

GKE is working on fixing the issue. In the meantime, if you are impacted by this issue, please disable image streaming.

Security Command Center

Manual control of finding state deprecated for vulnerabilities and misconfigurations

Starting October 21, 2024, you will no longer be able to manually update the state of vulnerability or misconfiguration findings that are issued by Security Health Analytics or VM Manager. Security Command Center will return an error message on manual attempts to change the values of the state. Security Command Center will also begin preventing the manual creation of findings under the exact same name as a source that is automatically managed by Security Command Center in order to prevent the creation of findings that can never be resolved.

For more information, see Finding states.

Pane on Overview page that supports postures for Vertex AI released to Preview

A pane on the Overview page lets you monitor for vulnerabilities that were found by the Security Health Analytics custom modules that apply to Vertex AI, and lets you view any drift from the Vertex AI organization policies that are defined in a posture.

For more information, see Monitor posture drift.

February 19, 2024

Application Integration

Data masking in logs

You can now prevent sensitive data from appearing in the integration execution logs. For more information, see Mask sensitive data in logs.

BigQuery

A weekly digest of client library updates from across the Cloud SDK.

Go

Changes for bigquery/storage/apiv1beta1

1.59.1 (2024-02-12)

Bug Fixes
  • bigquery: Align return time.Time values to UTC (#9411) (4ac005d)

Java

Changes for google-cloud-bigquery

2.37.2 (2024-02-14)

Dependencies
  • Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.37.0 (#3132) (3a1efc2)
  • Update dependency com.google.apis:google-api-services-bigquery to v2-rev20240203-2.0.0 (#3126) (5e28419)
  • Update dependency com.google.cloud:google-cloud-datacatalog-bom to v1.41.0 (#3135) (9ab79ec)
  • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.25.0 (#3140) (e61a7bc)
  • Update github/codeql-action action to v2.24.1 (#3139) (4b3a429)

Bigtable

A weekly digest of client library updates from across the Cloud SDK.

Java

Changes for google-cloud-bigtable

2.33.0 (2024-02-12)

Features
  • Define the metrics for collecting per connection error count. (#2088) (b212bbf)
Bug Fixes
  • Deflake backup integration tests due to deleteBackup timeouts (#2105) (0948da7)
  • Extend timeouts for deleting snapshots, backups and tables (#2108) (df1d307)
Dependencies
  • Autogen: Set packed = false on field_behavior extension (#2101) (7c438c6)
  • Update actions/setup-java action to v4 (#2099) (a6c7c77)
  • Update dependency com.google.cloud:gapic-libraries-bom to v1.29.0 (#2109) (ef88519)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.24.0 (#2085) (3851a5e)
  • Update dependency org.graalvm.buildtools:junit-platform-native to v0.10.0 (#2091) (2516a09)
  • Update protobuf to 25.2 in WORKSPACE (#2086) (3eafcee)

Chronicle SOAR

The following items have been added to Release Notes 6.2.48.

The AI Investigation widget is now available in Europe. For more information, refer to AI Investigation widget.

Timeout for automatic and manual python-run operations failing after 5 minutes even though it's defined for a longer time in the platform (ID #00243596, #00213817, #45379045, #48348087, #00245583, #00227758, #00250153)

Automatic actions/operations now run for up to the time defined in the platform (maximum of 20 minutes).

The 5 minute timeout still applies for the following manual operations:

  • Run manual action
  • Run connector once
  • IDE - Play Item

Chronicle Security Operations

The AI Investigation widget is now available in Europe. For more information, refer to AI Investigation widget.

Pub/Sub

A weekly digest of client library updates from across the Cloud SDK.

Node.js

Changes for @google-cloud/pubsub

4.3.2 (2024-02-13)

Bug Fixes
  • Update minimum google-gax versions for auth fixes (#1888) (08acade)

Java

Changes for google-cloud-pubsub

1.126.6 (2024-02-14)

Dependencies
  • Update dependency com.google.cloud:google-cloud-core to v2.33.0 (#1912) (9691c6f)
  • Update dependency com.google.cloud:sdk-platform-java-config to v3.25.0 (#1913) (9636c55)

1.126.5 (2024-02-12)

Dependencies
  • Update dependency com.google.cloud:google-cloud-bigquery to v2.37.1 (#1898) (fc0dc96)
  • Update dependency com.google.cloud:google-cloud-storage to v2.33.0 (#1900) (0efceb4)
  • Update dependency org.graalvm.buildtools:junit-platform-native to v0.10.0 (#1887) (2bfa5cc)
  • Update dependency org.graalvm.buildtools:native-maven-plugin to v0.10.0 (#1888) (5017789)
  • Update dependency org.junit.vintage:junit-vintage-engine to v5.10.2 (#1891) (231ba51)

Workflows

The maximum number of concurrent workflow executions has increased from 3,000 to 5,000.

February 16, 2024

Anthos Config Management

Upgraded git-sync (Config Sync dependency for pulling from git) from v3.6.9 to v4.1.0 to pick up enhancements, such as improved efficiency and race condition fixes. This upgrade contains a breaking change: a short commit SHA is no longer accepted in the spec.git.revision field of RootSync and RepoSync. If you want to sync from a Git commit, use a full commit SHA in the spec.git.revision field. For more details, refer to Configuration for the Git repository. This release note was updated February 16, 2024 with a correction to the version number.

Backup and DR

Backup and DR Service 11.0.9.429 is now available to update your backup/recovery appliance. Refer to these instructions to update your appliance.

The upcoming 11.0.10 release includes an important OS change. If your backup appliance was originally installed as version 11.0.5 or older (before July 2023), then the 11.0.9 upgrade includes an additional automated procedure to prepare for the coming upgrade by making some adjustments to the backup appliance's boot disk partitions. This additional procedure takes about 30 minutes.

If the upgrade is disrupted, there is a chance that the backup/recovery appliance might become non-functional. To prepare for this risk, it is highly recommended that you take a snapshot of the backup appliance boot disk before upgrading the appliance to 11.0.9. If the backup appliance is not back online after the upgrade, contact the Backup and DR support team. Here is a brief guide for how to take the snapshot:

  1. In the Backup and DR management console, click Manage > Appliances and write down or screen-capture the appliance names.
  2. In the Google Cloud console of your workload project, click Compute Engine > VM instances.
  3. Identify the backup appliance VM instance with the same name as that shown in the Backup and DR management console.
  4. Take a snapshot of the backup appliance boot disk. If you need assistance taking the snapshot, contact the Backup and DR support team.
  5. Contact the Backup and DR support team if the appliance becomes non-functional after the upgrade. The support team will determine the best way to mitigate the problem.
    Caution: Do NOT try to restore the boot disk from the snapshot without assistance from Support. Doing so may damage the appliance and make it unrecoverable.
  6. Delete the snapshot once you confirm that the appliance is online using version 11.0.9.

SAP HANA databases running in Compute Engine instances can now be backed up as Persistent Disk snapshots of the Compute Engine instance. For more information, see protect and recover an SAP HANA database running in a Compute Engine instance.

Backup and DR Service now supports Google Cloud VMware Engine Storage only nodes. Learn more.

Added basic connector support for the following OSes. See Support matrix.

  • RHEL 8.9
  • RHEL 9.3
  • Rocky Linux 8.9
  • Rocky Linux 9.3
  • Rocky Linux Optimized for Google Cloud 8.9
  • Rocky Linux Optimized for Google Cloud 9.3

Added Change Block Tracking (CBT) support for the following OSes. See Support matrix.

  • SLES 15 SP5
  • SLES for SAP 15 SP5

Chronicle SOAR

Release 6.2.47 is now in General Availability.

Dataproc

Dataproc on Compute Engine: The internalIpOnly cluster configuration setting now defaults to true for clusters created with 2.2 image versions. Also see Create a Dataproc cluster with internal IP addresses only.

Document AI

Enterprise Document OCR version 2.0, pretrained-ocr-v2.0-2023-06-02, is now Generally Available and ready for production workloads.

Please migrate OCR workloads to this new processor version.

Google Cloud VMware Engine

VMware Engine ve2-standard-128 node type is generally available in us-east4 region. For more information on the node type, see Node types. To use the node type in us-east4 region, contact your Google account team.

Google Distributed Cloud Virtual for VMware

The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6932

For more information, see the GCP-2024-011 security bulletin.

Google Kubernetes Engine

The following GKE versions might cause Ubuntu node pools to enter an unhealthy state. Don't create or upgrade your Ubuntu node pools using these versions:

  • 1.25.16-gke.1497000
  • 1.26.13-gke.1189000

The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

  • CVE-2023-6932

For more information, see the GCP-2024-011 security bulletin.

Sensitive Data Protection

The HTTP_USER_AGENT infoType detector is available in all regions. For more information about all built-in infoTypes, see InfoType detector reference.

February 15, 2024

BigQuery

The following Generative AI features are now generally available (GA):

After you run a query in the query editor, in the Chart tab, you can now see a visualization of your query results. This feature is generally available (GA).

Chronicle

The following supported default parsers have changed. Each is listed by product name and log_type value, if applicable.

  • A10 Load Balancer (A10_LOAD_BALANCER)
  • Anomali (ANOMALI_IOC)
  • Apache (APACHE)
  • Arcsight CEF (ARCSIGHT_CEF)
  • AWS CloudWatch (AWS_CLOUDWATCH)
  • AWS EC2 Hosts (AWS_EC2_HOSTS)
  • AWS EC2 Instances (AWS_EC2_INSTANCES)
  • AWS EC2 VPCs (AWS_EC2_VPCS)
  • Azure AD (AZURE_AD)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • Azure DevOps Audit (AZURE_DEVOPS)
  • Azure Firewall (AZURE_FIREWALL)
  • BIND (BIND_DNS)
  • BloxOne Threat Defense (BLOXONE)
  • Blue Coat Proxy (BLUECOAT_WEBPROXY)
  • Carbon Black (CB_EDR)
  • Cato Networks (CATO_NETWORKS)
  • CENSYS (CENSYS)
  • Check Point (CHECKPOINT_FIREWALL)
  • Chrome Management (N/A)
  • Cisco IronPort (CISCO_IRONPORT)
  • Cisco Meraki (CISCO_MERAKI)
  • Cisco Prime (CISCO_PRIME)
  • Cisco Secure Workload (CISCO_SECURE_WORKLOAD)
  • Citrix Netscaler (CITRIX_NETSCALER)
  • Cloud Audit Logs (N/A)
  • Cloud Load Balancing (GCP_LOADBALANCING)
  • Cloud Run (GCP_RUN)
  • Cloudflare (CLOUDFLARE)
  • CommVault Commcell (COMMVAULT_COMMCELL)
  • Compute Context (N/A)
  • Corelight (CORELIGHT)
  • CrowdStrike Detection Monitoring (CS_DETECTS)
  • CSV Custom IOC (CSV_CUSTOM_IOC)
  • Cybereason EDR (CYBEREASON_EDR)
  • Dataminr Alerts (DATAMINR_ALERT)
  • Elastic Windows Event Log Beats (ELASTIC_WINLOGBEAT)
  • F5 BIGIP LTM (F5_BIGIP_LTM)
  • FireEye ETP (FIREEYE_ETP)
  • Forescout NAC (FORESCOUT_NAC)
  • ForgeRock OpenAM (OPENAM)
  • IBM WebSEAL (IBM_WEBSEAL)
  • Imperva (IMPERVA_WAF)
  • Imperva Database (IMPERVA_DB)
  • Infoblox RPZ (INFOBLOX_RPZ)
  • ISC DHCP (ISC_DHCP)
  • Juniper (JUNIPER_FIREWALL)
  • Linux Sysmon (LINUX_SYSMON)
  • LogonBox (LOGONBOX)
  • ManageEngine ADAudit Plus (ADAUDIT_PLUS)
  • Micro Focus iManager (MICROFOCUS_IMANAGER)
  • Microsoft AD (WINDOWS_AD)
  • Microsoft ATA (MICROSOFT_ATA)
  • Microsoft Azure Activity (AZURE_ACTIVITY)
  • Microsoft Defender For Cloud (MICROSOFT_DEFENDER_CLOUD_ALERTS)
  • Microsoft Exchange (EXCHANGE_MAIL)
  • Microsoft IIS (IIS)
  • Netskope (NETSKOPE_ALERT)
  • Netskope CASB (NETSKOPE_CASB)
  • Ntopng (NTOPNG)
  • Office 365 (OFFICE_365)
  • OpenCanary (OPENCANARY)
  • OpenSSH (OPENSSH)
  • OSSEC (OSSEC)
  • Palo Alto Cortex XDR Alerts (CORTEX_XDR)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Palo Alto Panorama (PAN_PANORAMA)
  • Quest Active Directory (QUEST_AD)
  • Recordia (RECORDIA)
  • Sangfor Next Generation Firewall (SANGFOR_NGAF)
  • SAP SM20 (SAP_SM20)
  • Security Command Center Threat (N/A)
  • SEPPmail Secure Email (SEPPMAIL)
  • ServiceNow CMDB (SERVICENOW_CMDB)
  • Snare System Diagnostic Logs (SNARE_SOLUTIONS)
  • Solaris system (SOLARIS_SYSTEM)
  • STIX Threat Intelligence (STIX)
  • Symantec CloudSOC CASB (SYMANTEC_CASB)
  • Symantec Web Security Service (SYMANTEC_WSS)
  • Trend Micro Deep Security (TRENDMICRO_DEEP_SECURITY)
  • Veritas NetBackup (VERITAS_NETBACKUP)
  • VMware ESXi (VMWARE_ESX)
  • Watchguard EDR (WATCHGUARD_EDR)
  • WindChill (WINDCHILL)
  • Windows Defender AV (WINDOWS_DEFENDER_AV)
  • Windows DNS (WINDOWS_DNS)
  • Windows Event (WINEVTLOG)
  • Windows Event (XML) (WINEVTLOG_XML)
  • wiz.io (WIZ_IO)
  • Zeek JSON (BRO_JSON)
  • Zscaler (ZSCALER_WEBPROXY)
  • Zscaler CASB (ZSCALER_CASB)
  • Zscaler Internet Access Audit Logs (ZSCALER_INTERNET_ACCESS)
  • Zscaler Private Access (ZSCALER_ZPA)

    The following log types, without a default parser, were added. Each is listed by product name and log_type value, if applicable.

    • Arista Guardian For Network Identity (ARISTA_AGNI)
    • HPE Aruba Networking Central (ARUBA_CENTRAL)
    • Blackberry Workspaces (BLACKBERRY_WORKSPACES)
    • Barracuda CloudGen Firewall (BARRACUDA_CLOUDGEN_FIREWALL)
    • Cisco EStreamer (CISCO_ESTREAMER)
    • Cyderes IOC (CYDERES_IOC)
    • Dataiku DSS Logging (DATAIKU_DSS_LOGS)
    • Edgecore Networks (EDGECORE_NETWORKS)
    • Fisglobal Quantum (FISGLOBAL_QUANTUM)
    • ForgeRock Identity Cloud (FORGEROCK_IDENTITY_CLOUD)
    • Forgerock OpenIdM (FORGEROCK_OPENIDM)
    • FS-ISAC IOC (FS_ISAC_IOC)
    • Genetec Audit (GENETEC_AUDIT)
    • HiBob (HIBOB)
    • Imperva Audit Trail (IMPERVA_AUDIT_TRAIL)
    • KerioControl Firewall (KERIOCONTROL)
    • Looker Audit (LOOKER_AUDIT)
    • Mobile Endpoint Security (LOOKOUT_MOBILE_ENDPOINT_SECURITY)
    • ManageEngine PAM360 (MANAGE_ENGINE_PAM360)
    • Melissa (MELISSA)
    • Microsoft CASB Files & Entities (MICROSOFT_CASB_CONTEXT)
    • Windows Local Administrator Password Solution (MICROSOFT_LAPS)
    • Network Policy Server (MICROSOFT_NPS)
    • Power BI Activity Log (MICROSOFT_POWERBI_ACTIVITY_LOG)
    • Nxlog Agent (NXLOG_AGENT)
    • Nxlog Fim (NXLOG_FIM)
    • Opus Codec (OPUS)
    • Oracle NetSuite (ORACLE_NETSUITE)
    • Pega Automation (PEGA)
    • Qualys Knowledgebase (QUALYS_KNOWLEDGEBASE)
    • RealiteQ (REALITEQ)
    • SAP Webdispatcher (SAP_WEBDISP)
    • Serpico (SERPICO)
    • Software House Ccure9000 (SOFTWARE_HOUSE_CCURE9000)
    • Spirion (SPIRION)
    • Spur data feeds (SPUR_FEEDS)
    • Swift (SWIFT)
    • Technitium DNS (TECHNITIUM_DNS)
    • Tetragon Ebpf Audit Logs (TETRAGON_EBPF_AUDIT_LOGS)
    • Trend Micro Email Security Advanced (TRENDMICRO_EMAIL_SECURITY)
    • Tridium Niagara Framework (TRIDIUM_NIAGARA_FRAMEWORK)
    • VeridiumID by Veridium (VERIDIUM_ID)
    • Wallarm Webhook Notifications (WALLARM_NOTIFICATIONS)
    • Winscp (WINSCP)
    • XAMS by Xiting (XITING_XAMS)

    For a list of supported log types and details about default parser changes, see Supported log types and default parsers.

    Chronicle SOAR

    Release 6.2.48 is currently in Preview.

    Playbook condition branch name field can now hold up to 150 characters (ID #48159735)

    Just-in-Time User Provisioning configuration not available in Okta configuration. (ID #49263630)

    IDE - creating an integration or manager with the same name as an existing one results in the wrong error message (ID #47233004)

    Save button not showing when adding lots of list items to the List type action parameter (ID #00266458)

    Cloud Composer

    Starting February 16, 2024, in the asia-east2, asia-northeast1, asia-northeast2, asia-northeast3, asia-south1, and australia-southeast1 regions it is possible to create new Cloud Composer 1 environments only in projects that already have Cloud Composer 1 environments.

    In all other existing or newly created projects in these regions, it is possible to create only Cloud Composer 2 environments. This change is a part of the preparation for Cloud Composer 1 end of support, as communicated earlier and described in the Versioning overview.

    The apache-airflow-providers-google package is upgraded to version 10.14.0 in images with Airflow 2.6.3. For more information about changes, see the apache-airflow-providers-google changelog from version 10.13.1 to version 10.14.0.

    Improved the reliability of syncing Airflow tasks logs to the environment bucket. This fix addresses the issue with storing Airflow task log files, which affected environments in some cases.

    Improved the environment component responsible for metrics reporting (composer-monitoring) to minimize the restarts of this component.

    Cloud Composer 2.6.1 images are available:

    • composer-2.6.1-airflow-2.6.3 (default)
    • composer-2.6.1-airflow-2.5.3

    Cloud Composer versions 2.1.6 and 1.20.6 have reached their end of full support period.

    Cloud Healthcare API

    A release was made. Updates may include general performance improvements, bug fixes, and updates to the API reference documentation.

    Cloud Interconnect

    Partner Interconnect supports dual-stack IPv4 and IPv6 in Public Preview. For more information, see IPv6 support.

    Compute Engine

    Preview: You can now use SSH-in-browser to connect to VMs using security keys with OS Login. For more information, see Enable security keys with OS Login.

    Dataflow

    You can now use a turnkey transform to enrich streaming data in your Dataflow pipeline. When you enrich data, you augment the raw data from one source by adding related data from a second source. For more information, see Enrich streaming data.

    Dataform

    Dataform is available in the following regions:

    • asia-east2
    • asia-northeast3
    • asia-southeast2
    • europe-southwest1
    • europe-west12
    • me-central1
    • me-central2
    • northamerica-northeast
    • us-east4
    • us-east5
    • us-west2
    • us-west4

    For more information, see Locations.

    Dataproc

    New Dataproc Serverless for Spark runtime versions:

    • 1.1.50
    • 2.0.58
    • 2.1.37
    • 2.2.0-RC10

    Dataproc Serverless for Spark: Spark Lineage is available for Dataproc Serverless for Spark 1.1 runtime.

    Google Cloud Architecture Center

    Architecting disaster recovery for cloud infrastructure outages: Added information about zonal and regional resilience of Sole Tenant Nodes.

    Google Kubernetes Engine

    HorizontalPodAutoscaler (HPA) and VerticalPodAutoscaler (VPA) may stop autoscaling all workloads in a cluster if it contains misconfigured autoscaling/v2 HPA objects. The issue impacts clusters running earlier patch versions of GKE version 1.27 and 1.28 (for example, 1.27.3-gke.100).

    The fix is available in the following cluster versions:

    • 1.27.5-gke.1300 and later
    • 1.28.1-gke.1400 and later
    • 1.29 and later

    We recommend that affected customers upgrade clusters to these versions to prevent HPA and VPA from misbehaving when there is at least one misconfigured HPA object.

    We recommend that affected customers correct misconfigured autoscaling/v2 HPA objects by making sure the fields in spec.metrics.resource.target match, for example:

    • When spec.metrics.resource.target.type is Utilization then target should be averageUtilization;
    • When spec.metrics.resource.target.type is AverageValue then target should be averageValue.

    For more details on how to configure autoscaling/v2 HPA objects, see the HorizontalPodAutoscaler Kubernetes documentation.
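
    A check for the mismatch described above, as an added example that is not part of the original release note: it reads the JSON that `kubectl get hpa --all-namespaces -o json` produces and reports every Resource metric whose target type lacks its matching value field. The function names and the sample objects are constructed for illustration.

```python
import json
import sys

# Value field that must be set for each target type, per the two rules above.
REQUIRED_FIELD = {
    "Utilization": "averageUtilization",
    "AverageValue": "averageValue",
}
VALUE_FIELDS = ("averageUtilization", "averageValue", "value")


def iter_hpas(doc):
    """Yield HPA objects from a kubectl List document or from a single object."""
    if isinstance(doc.get("items"), list):
        yield from doc["items"]
    else:
        yield doc


def check_hpa(hpa):
    """Return findings for one autoscaling/v2 HorizontalPodAutoscaler object."""
    if hpa.get("kind") != "HorizontalPodAutoscaler":
        return []
    if hpa.get("apiVersion") != "autoscaling/v2":
        return []
    meta = hpa.get("metadata") or {}
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    findings = []
    metrics = (hpa.get("spec") or {}).get("metrics") or []
    for index, metric in enumerate(metrics):
        if metric.get("type") != "Resource":
            continue  # the note only covers spec.metrics.resource.target
        target = (metric.get("resource") or {}).get("target") or {}
        required = REQUIRED_FIELD.get(target.get("type"))
        if required is None or required in target:
            continue  # unknown type, or type and value field match
        found = [f for f in VALUE_FIELDS if f in target] or ["nothing"]
        findings.append(
            f"{ident}: spec.metrics[{index}].resource.target.type is "
            f"{target['type']} but {required} is not set "
            f"(found: {', '.join(found)})"
        )
    return findings


def scan(doc):
    """Check every HPA in a parsed kubectl JSON document."""
    findings = []
    for hpa in iter_hpas(doc):
        findings.extend(check_hpa(hpa))
    return findings


def sample_hpa(name, target):
    """Build a constructed HPA object with one CPU Resource metric."""
    return {
        "apiVersion": "autoscaling/v2",
        "kind": "HorizontalPodAutoscaler",
        "metadata": {"namespace": "shop", "name": name},
        "spec": {
            "scaleTargetRef": {"apiVersion": "apps/v1", "kind": "Deployment", "name": name},
            "minReplicas": 1,
            "maxReplicas": 5,
            "metrics": [{"type": "Resource", "resource": {"name": "cpu", "target": target}}],
        },
    }


# Constructed sample input: two consistent objects and two mismatched ones.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        sample_hpa("web-ok", {"type": "Utilization", "averageUtilization": 60}),
        sample_hpa("api-bad", {"type": "Utilization", "averageValue": "500m"}),
        sample_hpa("worker-bad", {"type": "AverageValue", "averageUtilization": 70}),
        sample_hpa("cache-ok", {"type": "AverageValue", "averageValue": "250m"}),
    ],
}

if __name__ == "__main__":
    # Pass a file holding the kubectl JSON output, or run with no argument
    # to check the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            document = json.load(handle)
    else:
        document = SAMPLE
    for line in scan(document):
        print(line)
```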

    Identity and Access Management

    Managed workload identities let you bind strongly attested identities to your Compute Engine workloads. The feature is in Preview. Google Cloud provisions X.509 credentials, issued from Certificate Authority Service, that can be used to reliably authenticate your workload with other workloads over mutual TLS (mTLS) authentication. For more information, see Managed workload identities overview.

    Sensitive Data Protection

    The BLOOD_TYPE infoType detector is available in all regions. For more information about all built-in infoTypes, see InfoType detector reference.

    Vertex AI

    The Vertex AI Gemini 1.0 Pro and Gemini 1.0 Pro Vision multimodal language models are Generally Available (GA). They have also been made available in the following regions: europe-west1, europe-west2, europe-west3, europe-west4, and europe-west9.

    For more information, see the following topics:

    Vertex AI Search and Conversation

    Vertex AI Search: Stable Gemini Pro answer generation model

    gemini-pro@001/answer_gen/v1 is available as a stable, generally available model for answer generation. For information about all available models for answer generation, see Specify the summarization model.

    February 14, 2024

    Carbon Footprint

    Beginning with the release of January 2024 data, Google Cloud Carbon Footprint will adopt a biannual methodology refresh schedule, with updates planned for January and July data releases each year.

    For the January 2024 data release (in mid-February 2024), we have made the updates below and updated the carbon model to version 10:

    Data accuracy:

    • Improve internal machine-level power readings for storage machines. Update allocation of energy from some machines, improving Bigtable data accuracy.
    • Further improve mapping between Google Cloud services and internal resource use, particularly for a few Networking SKUs.
    • Improve Google Cloud region defaults and coverage. location.location/location.region with former NULL values are defined as global, and we improved data for the europe multiregion.

    Corporate data input refresh:

    Service coverage:

    • Reintroduce App Engine and GKE Enterprise/GDC services (formerly Anthos/GDC-V), as internal data mappings have been improved.
    • Remove Looker, Apigee, Chronicle, and AppSheet from covered services of Carbon Footprint, due to potential mis-attribution of carbon to these services. We are actively investigating and working on the improvements. Once internal data mapping improves for a service, we plan to add it back.

    Cloud Interconnect

    Cloud Interconnect supports VLAN attachments with a maximum transmission unit (MTU) up to 8896 bytes. For more information, see Cloud Interconnect MTU and Maximum transmission unit.

    Cloud Translation

    Adaptive translation is Generally Available and adds Portuguese support, raises the limit for input and output characters, and decreases latency in the API and console.

    Cloud Workstations

    Cloud Workstations is available in the europe-west8 region (Milan, Italy, Europe). For more information, see Locations.

    Config Connector

    Config Connector version 1.113.0 is now available.

    Initial support for status.observedState in ContainerCluster, ContainerNodePool and RedisInstance.

    To encourage use of cnrm.cloud.google.com/state-into-spec: absent, you can now use status.observedState in ContainerCluster, ContainerNodePool and RedisInstance. Some important resource information (such as the certificate for connecting to a GKE cluster) is currently only available in spec, and we recommend instead reading this resource information from observedState if available. More fields may be added to observedState in the future.

    Added support for ComputeNetworkFirewallPolicy (v1beta1) resource.

    Added support for TagsLocationTagBinding (v1alpha1) resource.

    Resource RunJob (CloudRun Job):

    • Added spec.template.vpcAccess.connectorRef field.

    Google Distributed Cloud Virtual for VMware

    The following vulnerability was discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes:

    • CVE-2023-6931

    For more information, see the GCP-2024-010 security bulletin.

    Google Kubernetes Engine

    The following vulnerabilities were discovered in the Linux kernel that can lead to a privilege escalation on Container-Optimized OS and Ubuntu nodes.

    • CVE-2023-6931

    For more information, see the GCP-2024-010 security bulletin.

    Looker

    Looker 24.2 includes the following changes, features, and fixes.

    Expected Looker (original) deployment start: Tuesday, February 20, 2024

    Expected Looker (original) final deployment and download available: Thursday, February 29, 2024

    Expected Looker (Google Cloud core) deployment start: Tuesday, February 20, 2024

    Expected Looker (Google Cloud core) final deployment: Tuesday, March 5, 2024

    Planned for Looker 24.4, the Allow Legacy Maps legacy feature will be disabled by default. When the Allow Legacy Maps legacy feature is disabled, any map visualization that uses the Map (Legacy) chart type will be converted to use the Google Maps chart type. This may be a breaking change for some customers who are still using Legacy Maps.

    Duplicate join names will throw a new model-level LookML error during validation.

    A new LookML warning is returned when the convert_tz parameter is used on a LookML field that is configured as type: date_raw. date_raw fields have never supported timezone conversion, so this LookML warning has been added to alert LookML developers.

    For projects that use the new LookML runtime, the LookML validator will now correctly show a model-level error when a join name is duplicated within an Explore. The error already existed for projects that use the legacy LookML runtime, so this update is just to bring the new LookML runtime behavior in line with the legacy LookML runtime.

    The Signed Embed URL generator can now include themes, current parameters, and external group IDs.

    The following permissions are now generally available to use in permission sets: manage_groups, manage_roles, manage_user_attributes, manage_embed_settings, manage_themes, manage_privatelabel.

    A new Dashboard Diagnostics System Activity dashboard is available for troubleshooting the performance of individual dashboards.

    The looker_internal_email_domain_allowlist user attribute is now generally available. This lets admins configure the Email Domain Allowlist for Scheduled Content feature on a per-group basis.

    Looker now supports self-service migration from Looker (original) instances to Looker (Google Cloud core) instances. Looker (original) instances must meet certain prerequisites, and you must have a Looker (Google Cloud core) instance into which you can import.

    Filters on yesno fields will no longer show the "is not" option.

    An XSS security issue in Grid code has been fixed.

    Size-by field rendering for scatter charts has been fixed. This feature now performs as expected.

    An issue where download and Explore options were showing up on drill modals for merged queries when the user did not have permission has been resolved. This feature now performs as expected.

    Previously, text truncation wasn't working properly on headers on small tiles. This feature now performs as expected.

    Waterfall charts now render all available columns as expected.

    BigQuery: Previously, if OAuth tokens were passed through as query parameters rather than in the authentication header, Looker would return the following error: "OAuth token was passed in the query parameter. Please send it in Authorization header instead."

    The BigQuery driver has been updated, so this error will no longer appear.

    The minimum Git command line version has been increased to 2.36.0+.

    The user interface of the Admin Settings - Schedules page has been updated.

    For instances with offline licenses: When an offline license expiration date is less than 14 days away, Looker admins will see a license expiration banner on all Looker pages.

    The Login Consent Configuration option causes a consent screen with a configurable message to be displayed to all users who attempt to sign in to the Looker instance.

    SAP on Google Cloud

    Google Cloud's Agent for SAP version 3.1

    Version 3.1 of Google Cloud's Agent for SAP is generally available (GA). This version introduces enhancements for discovering SAP system information and for the Backint feature of the agent.

    For more information, see What's new with Google Cloud's Agent for SAP.

    Security Command Center

    Support for VPC Service Controls released to General Availability

    You can now protect Security Command Center using VPC Service Controls perimeters. For more information, see VPC Service Controls supported products.

    February 13, 2024

    Cloud Asset Inventory

    The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.

    • Cloud SQL
      • sqladmin.googleapis.com/Backup
    • Cloud Monitoring
      • monitoring.googleapis.com/NotificationChannel
      • monitoring.googleapis.com/Snooze
    • VPC Service Controls Policy
      • accesscontextmanager.googleapis.com/AuthorizedOrgsDesc

    Cloud Billing

    View granular cost data from Cloud Storage usage in Cloud Billing exports to BigQuery

    You can now view granular Cloud Storage bucket-level cost data in the Cloud Billing Detailed cost export. Use the resource.global_name field in the export to view and filter your detailed Cloud Storage bucket usage.

    Review the schema of the Detailed cost data export.

    Cloud Logging Cloud Run

    You can now set and override the deployment service account for Cloud Run integrations when creating, updating, or deleting integrations using the Google Cloud CLI.

    Cloud SQL for MySQL

    A new maintenance version rollout is currently underway for all supported MySQL versions.

    If you have configured a maintenance window for your instance, then the updates will occur according to the timeframe that you set in the window. Otherwise, the updates will occur within the next few weeks. The new maintenance version is [MySQL version].R20240207.00_00.

    To learn how to check your maintenance version, see Self-service maintenance. To find your maintenance window or to manage maintenance updates, see Find and set maintenance windows.

    In the new maintenance version [MySQL version].R20240207.00_00, the default value of the performance_schema flag for all MySQL 8.0 instances with more than 15 GB of RAM will be set to on. Previously, the default of on for MySQL 8.0 only applied to 8.0.26 and later. This change applies to new and existing MySQL 8.0 instances. For more information about this flag, see supported flags.

    Compute Engine

    Generally available: The following quotas and metrics are now available to help you monitor the usage and limits for Compute Engine concurrent operation quotas:

    • Quotas for global concurrent operations (metric: compute.googleapis.com/global_concurrent_operations):
      • Concurrent global operations per project
      • Concurrent global operations per project operation type
    • Quotas for regional concurrent operations (metric: compute.googleapis.com/regional_concurrent_operations):
      • Concurrent regional operations per project
      • Concurrent regional operations per project operation type

    For more information, see Concurrent operation quotas.

    Dialogflow

    Dialogflow CX text-to-speech settings now have an option for custom voices.

    Google Cloud Armor

    The following new NTI feeds are now available:

    • iplist-vpn-providers
    • iplist-anon-proxies
    • iplist-crypto-miners

    For more information about Network Threat Intelligence, see the overview.

    Google Kubernetes Engine

    (2024-R04) Version updates

    GKE cluster versions have been updated.

    New versions available for upgrades and new clusters.

    The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

    No channel

    Stable channel

    • There are no new releases in the Stable release channel.

    Regular channel

    • The following versions are now available in the Regular channel:
    • The following versions are no longer available in the Regular channel:
      • 1.25.16-gke.1041000
      • 1.26.11-gke.1055000
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.24 to version 1.25.16-gke.1268000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.25 to version 1.26.12-gke.1111000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.26 to version 1.26.12-gke.1111000 with this release.

    Rapid channel

    • The following versions are now available in the Rapid channel:
    • The following versions are no longer available in the Rapid channel:
      • 1.25.16-gke.1360000
      • 1.26.13-gke.1052000
      • 1.27.10-gke.1055000
      • 1.28.6-gke.1095000
      • 1.28.6-gke.1289000
      • 1.29.1-gke.1016000
      • 1.29.1-gke.1425000
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.24 to version 1.25.16-gke.1460000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.25 to version 1.26.13-gke.1144000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.26 to version 1.27.10-gke.1152000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.27 to version 1.27.10-gke.1152000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.29.0-gke.1381000 with this release.

    Memorystore for Memcached

    Added new Memorystore for Memcached region: Johannesburg (africa-south1).

    February 12, 2024

    Apigee X

    On February 12, 2024, we released an updated version of Apigee (1-11-0-apigee-17).

    This release addresses the security concerns in GCP-2024-007 from Google Anthos Service Mesh.

    Bug ID | Description
    322389251 | Security fix for apigee-ingress. This addresses the following vulnerabilities:

    Bug ID | Description
    230082910 | Fixed issue causing null values for system.timestamp and system.time.millisecond proxy variables.
    285592278 | Fixed issue with deduction of recurring fees from prepaid balances.

    This note is incorrect; see entry for March 26, 2024.

    App Engine flexible environment PHP

    PHP 8.3 is now available in preview.

    App Engine standard environment PHP

    PHP 8.3 is now available in preview.

    Application Integration

    You can now also view the integration execution logs in Cloud Logging. For more information, see View logs in Cloud Logging.

    Bare Metal Solution

    You can now select the pod for your Bare Metal Solution resources through the Google Cloud console intake form. This feature is generally available (GA).

    BigQuery

    A weekly digest of client library updates from across the Cloud SDK.

    Node.js

    Changes for @google-cloud/bigquery

    7.4.0 (2024-02-06)

    Features
    Bug Fixes
    • Prefer usage of projectId from the Dataset (#1326) (9e85219)

    Go

    Changes for bigquery/storage/apiv1beta1

    1.59.0 (2024-02-06)

    Features
    • bigquery: Add ExportDataStatstics to QueryStatistics (#9371) (261c8d9)
    • bigquery: Switch all timestamp representations to int64 usec (#9368) (8c1fb7d)
    Bug Fixes
    • bigquery/storage/managedwriter: Resolve data races (#9360) (fa31ec0)
    • bigquery: Enable universe domain resolution options (fd1d569)
    • bigquery: Support more timestamp formats for query param (#9236) (cc98509), refs #9221

    Java

    Changes for google-cloud-bigquery

    2.37.1 (2024-02-06)

    Features
    Dependencies
    • Update actions/upload-artifact action to v4.3.1 (#3121) (3abdc70)
    • Update dependency com.google.apis:google-api-services-bigquery to v2-rev20240124-2.0.0 (#3104) (6eff68e)
    • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.24.0 (#3109) (5ad778c)
    • Update dependency org.graalvm.buildtools:junit-platform-native to v0.10.0 (#3110) (3f8e8d1)
    • Update dependency org.graalvm.buildtools:native-maven-plugin to v0.10.0 (#3111) (2858e96)
    • Update dependency org.junit.vintage:junit-vintage-engine to v5.10.2 (#3119) (4b4fdd8)
    • Update github/codeql-action action to v2.23.2 (#3102) (2cc545e)
    • Update github/codeql-action action to v2.24.0 (#3114) (01f0405)

    Python

    Changes for google-cloud-bigquery

    3.17.2 (2024-01-30)

    Bug Fixes
    • Change load_table_from_json autodetect logic (#1804) (6249032)
    Documentation
    • Update to use API (#1781) (81563b0)
    • Update client_query_destination_table.py sample to use query_and_wait (#1783) (68ebbe1)
    • Update query_external_sheets_permanent_table.py to use query_and_wait API (#1778) (a7be88a)
    • Update sample for query_to_arrow to use query_and_wait API (#1776) (dbf10de)
    • Update the query destination table legacy file to use query_and_wait API (#1775) (ef89f9e)
    • Update to use query_and_wait in client_query_w_positional_params.py (#1786) (410f71e)
    • Update to use query_and_wait in samples/client_query_w_timestamp_params.py (#1785) (ba36948)
    • Update to_geodataframe to use query_and_wait functionality (#1800) (1298594)

    Bigtable

    A weekly digest of client library updates from across the Cloud SDK.

    Python

    Changes for google-cloud-bigtable

    2.23.0 (2024-02-07)

    Features
    • Add async data client preview (7088e39)
    • Adding feature flags for routing cookie and retry info (#905) (1859e67)
    Bug Fixes
    • Fix ValueError in test__validate_universe_domain (#929) (aa76a5a)

    Chronicle

    Risk Analytics

    Google has introduced Risk Analytics to Chronicle. Risk Analytics looks for patterns of risk across your enterprise, assigning risk scores to all entities and activities. These scores are surfaced in the Risk Analytics dashboard which lets you better understand risk in your environment by visualizing entity risk trends. The dashboard helps you to identify unusual behavior and the potential risk that entities pose to your enterprise. You can specify watchlists of entities you suspect of having greater risk. The watchlists let you more easily monitor risk within your environment.

    Risk Analytics also provides both predefined curated detections and YARA-L metric functions for authoring custom rules.

    Risk Analytics is available with Enterprise and Enterprise Plus licenses, or as an add-on to a SIEM standalone license.

    Cloud Functions

    Cloud Functions now supports the PHP 8.3 runtime at the Preview release level for 2nd gen functions.

    Cloud Logging

    A weekly digest of client library updates from across the Cloud SDK.

    Java

    Changes for google-cloud-logging

    3.15.17 (2024-02-07)

    Dependencies
    • Update dependency com.google.cloud:sdk-platform-java-config to v3.24.0 (#1526) (235f1aa)
    Documentation

    You can now display Log Analytics query results as a table in your Monitoring dashboards by selecting Table as the widget type.

    Cloud Monitoring

    You can now create a broken-link checker, which periodically validates the links contained in your website. This feature is GA. For more information, see Create a broken-link checker.

    Config Controller

    Config Controller now uses the following versions of its included products:

    Anthos Config Management v1.17.1, release notes

    Container Optimized OS

    cos-dev-113-18203-0-0

    Kernel | Docker | Containerd | GPU Drivers
    COS-6.1.75 | v24.0.5 | v1.7.10 | v535.154.05 (default, latest), v470.223.02 (R470 for compatibility with K80 GPUs)

    Update default and latest NVIDIA GPU drivers to 535.154.05.

    Upgraded chromeos-base/shill-client to v0.0.1-r4278.

    Upgraded chromeos-base/session_manager-client to v0.0.1-r2712.

    Upgraded chromeos-base/debugd-client to v0.0.1-r2628.

    Upgraded chromeos-base/google-breakpad to v2024.01.16.190249-r225.

    Upgraded chromeos-base/chromeos-common-script to v0.0.1-r597.

    Upgraded chromeos-base/dlcservice-client to v0.0.1-r871.

    Upgraded chromeos-base/hiberman-client to v0.0.1-r437.

    Upgraded chromeos-base/power_manager-client to v0.0.1-r2844.

    Upgraded chromeos-base/update_engine-client to v0.0.1-r2367.

    Upgraded chromeos-base/shill-client to v0.0.1-r4263.

    Upgraded dev-libs/nss to v3.97.

    Upgraded net-libs/gnutls to v3.8.3.

    Upgraded net-dns/c-ares to v1.25.0-r1.

    Upgraded sys-apps/attr to v2.5.2.

    Upgraded dev-python/jinja to v3.1.3.

    Updated the Linux kernel to v6.1.75.

    Changed default umask value for a user to 027.

    Updated cos-gpu-installer to v2.1.11. Added major version specification for GPU driver installation.

    Removed legacy logging agent (fluentd).

    Upgraded app-admin/google-guest-agent to v20240109.00.

    Upgraded app-admin/google-guest-configs to v20240109.00.

    Upgraded app-admin/google-osconfig-agent to v20231219.00.

    Upgraded app-admin/node-problem-detector to v0.8.15.

    Upgraded app-eselect/eselect-iptables to v20220320.

    Upgraded sys-libs/libcap-ng to v0.8.4-r1.

    Upgraded net-misc/rsync to v3.2.7-r4.

    Upgraded net-misc/curl to v8.5.0-r2.

    Upgraded dev-python/netifaces to v0.11.0-r2.

    Fixed CVE-2024-21626 in app-containers/runc.

    Runtime sysctl changes:

    • Added: net.ipv4.tcp_backlog_ack_defer: 1
    • Changed: fs.epoll.max_user_watches: 1809920 -> 1809474
    • Changed: fs.fanotify.max_user_marks: 67577 -> 67560
    • Changed: fs.file-max: 812606 -> 812400
    • Changed: fs.inotify.max_user_watches: 63456 -> 63441
    • Changed: kernel.threads-max: 63520 -> 63504
    • Changed: net.core.optmem_max: 20480 -> 131072
    • Changed: net.ipv4.tcp_mem: 94092 125456 188184 -> 94068 125424 188136
    • Changed: net.ipv4.udp_mem: 188184 250912 376368 -> 188136 250848 376272
    • Changed: net.ipv6.route.max_size: 4096 -> 2147483647
    • Changed: user.max_cgroup_namespaces: 31760 -> 31752
    • Changed: user.max_fanotify_marks: 67577 -> 67560
    • Changed: user.max_inotify_watches: 63456 -> 63441
    • Changed: user.max_ipc_namespaces: 31760 -> 31752
    • Changed: user.max_mnt_namespaces: 31760 -> 31752
    • Changed: user.max_net_namespaces: 31760 -> 31752
    • Changed: user.max_pid_namespaces: 31760 -> 31752
    • Changed: user.max_time_namespaces: 31760 -> 31752
    • Changed: user.max_user_namespaces: 31760 -> 31752
    • Changed: user.max_uts_namespaces: 31760 -> 31752
    • Changed: vm.lowmem_reserve_ratio: 256 256 32 0 -> 256 256 32 0 0

    Fragmented nvidia-drivers and nvidia-drivers-open pkg into separate packages per major version.

    Enhanced integrity-fs with disk resize and dm-clone.

    Removed deprecated R525 NVIDIA GPU drivers.

    Added support for dm-zero and dm-clone.

    cos-109-17800-147-9

    | Kernel | Docker | Containerd | GPU Drivers |
    |---|---|---|---|
    | COS-6.1.75 | v24.0.5 | v1.7.10 | v535.154.05 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs) |

    This is an LTS Refresh Release.

    Updated the default NVIDIA GPU drivers to 535.154.05.

    Updated cos-gpu-installer to v2.1.10.

    Backported support for TCP RTO configuration in networkd.

    Fixed CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550 and CVE-2023-40551 in sys-boot/shim.

    Updated dev-libs/openssl to v3.0.13. This resolves CVE-2024-0727 and CVE-2023-6129.

    Fixed CVE-2024-1086 in the Linux kernel.

    Runtime sysctl changes:

    • Added: net.ipv4.tcp_backlog_ack_defer: 1
    • Added: net.ipv4.tcp_shrink_window: 0
    • Changed: fs.file-max: 812608 -> 812605
    • Changed: net.core.optmem_max: 20480 -> 131072
    • Changed: net.ipv6.route.max_size: 4096 -> 2147483647
    • Changed: vm.lowmem_reserve_ratio: 256 256 32 0 -> 256 256 32 0 0

    Fragmented nvidia-drivers and nvidia-drivers-open pkg into separate packages per major version.

    cos-101-17162-386-22

    | Kernel | Docker | Containerd | GPU Drivers |
    |---|---|---|---|
    | COS-5.15.146 | v20.10.24 | v1.6.24 | v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs) |

    Fixed CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550 and CVE-2023-40551 in sys-boot/shim.

    Fixed CVE-2023-5678 in dev-libs/openssl.

    Fixed CVE-2024-0567 and CVE-2024-0553 in net-libs/gnutls.

    Fixed CVE-2024-1085 and CVE-2023-46838 in the Linux kernel.

    Fragmented nvidia-drivers and nvidia-drivers-open pkg into separate packages per major version.

    cos-97-16919-450-16

    | Kernel | Docker | Containerd | GPU Drivers |
    |---|---|---|---|
    | COS-5.10.208 | v20.10.24 | v1.6.21 | v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs) |

    Fixed CVE-2023-40546, CVE-2023-40547, CVE-2023-40549 and CVE-2023-40551 in sys-boot/shim.

    Fixed CVE-2023-5678 in dev-libs/openssl.

    Fixed CVE-2024-0567 and CVE-2024-0553 in net-libs/gnutls.

    Fixed CVE-2024-1086 and CVE-2023-46838 in the Linux kernel.

    Fragmented nvidia-drivers and nvidia-drivers-open pkg into separate packages per major version.

    cos-105-17412-294-23

    | Kernel | Docker | Containerd | GPU Drivers |
    |---|---|---|---|
    | COS-5.15.146 | v23.0.3 | v1.7.10 | v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs) |

    Fixed CVE-2023-40546, CVE-2023-40548, CVE-2023-40549, CVE-2023-40551, CVE-2023-40547 and CVE-2023-40550 in sys-boot/shim.

    Fixed CVE-2023-5678 in dev-libs/openssl.

    Fixed CVE-2024-1085, CVE-2024-1086 and CVE-2023-46838 in the Linux kernel.

    Fragmented nvidia-drivers and nvidia-drivers-open pkg into separate packages per major version.

    Dataflow

    Dataflow Streaming Engine now supports resource-based billing. When you enable resource-based billing with Streaming Engine, you're billed for the total resources consumed by your job.

    Dialogflow

    Two new Dialogflow CX prebuilt components are available: retail authentication and order status.

    Pub/Sub

    A weekly digest of client library updates from across the Cloud SDK.

    Node.js

    Changes for @google-cloud/pubsub

    4.3.1 (2024-02-08)

    Bug Fixes
    • Add option to disable emulator auth handling (temp fix) (#1861) (761cdc8)

    4.3.0 (2024-02-05)

    Features
    • Trusted Private Cloud support, use the universeDomain parameter (#1878) (d89fd1d)
    Bug Fixes

    Java

    Changes for google-cloud-pubsub

    1.126.4 (2024-02-09)

    Bug Fixes

    1.126.3 (2024-02-08)

    Dependencies
    • Update dependency com.google.cloud:google-cloud-core to v2.32.0 (#1885) (a2063cf)

    Python

    Changes for google-cloud-pubsub

    2.19.4 (2024-02-09)

    Bug Fixes
    • diregapic: S/bazel/bazelisk/ in DIREGAPIC build GitHub action (#1064) (d56ad12)

    2.19.3 (2024-02-08)

    Bug Fixes

    2.19.2 (2024-02-08)

    Bug Fixes
    • Unit test failures in https://github.com/googleapis/python-pubsu… (#1074) (3c6d128)

    Resource Manager

    February 11, 2024

    Security Command Center

    Exports of compliance reports will require new permissions

    On or after March 15, 2024, a new Identity and Access Management (IAM) permission will be required to export a compliance report from the Google Cloud console. If you use custom roles to control access to Google Cloud resources, you will need to add this new permission to your custom roles before that date to continue exporting compliance reports.

    For more information, see Export a compliance report.

    February 09, 2024

    AlloyDB for PostgreSQL

    You can now use public IP with the AlloyDB Language Connectors (Preview) to connect to your cluster. For more information, see Connect using the AlloyDB Language Connectors.

    Apigee hybrid

    hybrid v1.11.1-hotfix.1

    On February 9, 2024 we released an updated version of the Apigee hybrid software, v1.11.1-hotfix.1.

    This release addresses the security concerns in GCP-2024-007 from Google Anthos Service Mesh.

    | Bug ID | Description |
    |---|---|
    | 324460830 | Security fix for apigee-ingress. This addresses the following vulnerabilities: |

    hybrid v1.10.4-hotfix.1

    On February 9, 2024 we released an updated version of the Apigee hybrid software, v1.10.4-hotfix.1.

    This release addresses the security concerns in GCP-2024-007 from Google Anthos Service Mesh.

    | Bug ID | Description |
    |---|---|
    | 324460830 | Security fix for apigee-ingress. This addresses the following vulnerabilities: |

    Chronicle SOAR

    Release 6.2.46 is now in General Availability.

    Cloud Composer

    Starting January 20, 2024, in the asia-southeast1, us-west3, and us-west4 regions it is possible to create new Cloud Composer 1 environments only in projects that already have Cloud Composer 1 environments.

    In all other existing or newly created projects in these regions, it is possible to create only Cloud Composer 2 environments. This change is a part of the preparation for Cloud Composer 1 end of support, as communicated earlier and described in the Versioning overview.

    Cloud SQL for MySQL

    Cloud SQL now automatically updates your read replicas when you perform self-service maintenance on the primary instance. For more information, see Self-service maintenance.

    Cloud SQL for PostgreSQL

    Cloud SQL now automatically updates your read replicas when you perform self-service maintenance on the primary instance. For more information, see Self-service maintenance.

    Cloud SQL for SQL Server

    Cloud SQL now automatically updates your read replicas when you perform self-service maintenance on the primary instance. For more information, see Self-service maintenance.

    Google Cloud Architecture Center

    From edge to mesh: Deploy service mesh applications through GKE Gateway: Switched from Ingress API to the more modern Gateway API. Updated relevant sections to reflect this change.

    Google Kubernetes Engine

    The following GKE versions fix a memory leak issue with the Google Cloud Storage FUSE CSI driver DaemonSet Pod:

    • 1.25.16-gke.1360000 and later
    • 1.26.13-gke.1052000 and later
    • 1.27.10-gke.1055000 and later
    • 1.28.6-gke.1095000 and later
    • 1.29.1-gke.1425000 and later

    Vertex AI

    Multimodal embeddings video support is Generally Available

    Embeddings for video data are now generally available using the multimodal embedding model (multimodalembedding). For more information, see the product documentation.

    This feature incurs pricing based on the mode you use. For more information, see pricing.

    February 08, 2024

    Anthos Service Mesh

    Google has ended support for in-cluster Anthos Service Mesh 1.17 following the official policy. Managed Anthos Service Mesh will continue to support 1.17 until 1.18 is promoted to the regular and stable channels. For more information, see Supported versions.

    1.17.8-asm.20 is now available for in-cluster Anthos Service Mesh.

    This patch release contains the fix for the security vulnerability listed in GCP-2024-007. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.

    While these CVE fixes have been backported to 1.17, you should upgrade to a supported version, 1.18 or later.

    1.20.3-asm.4 is now available for in-cluster Anthos Service Mesh.

    You can now download 1.20.3-asm.4 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.20.3 subject to the list of supported features. Anthos Service Mesh 1.20.3-asm.4 uses Envoy v1.28.1.

    This release contains the fix for the security vulnerability listed in GCP-2024-007.

    After upgrading Anthos Service Mesh to version 1.20.3 for off-Google Cloud clusters, make sure to restart all Pods in order to trigger the re-injection of sidecars. Otherwise, the Anthos Service Mesh metric reports might become inconsistent between the old and new proxies in the cluster.

    Managed Anthos Service Mesh 1.20 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout. See Select a managed Anthos Service Mesh release channel for more information.

    1.19.7-asm.3 is now available for in-cluster Anthos Service Mesh.

    This patch release contains the fix for the security vulnerability listed in GCP-2024-007. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.

    1.18.7-asm.4 is now available for in-cluster Anthos Service Mesh.

    This patch release contains the fix for the security vulnerability listed in GCP-2024-007. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.

    Apigee X

    On February 8, 2024 we released an updated version of the Apigee APIs.

    API support for update operations on KeyValueMap entries

    Starting with this release, the Apigee APIs support update operations for KeyValueMap entries. See the API reference page for REST Resource: organizations.environments.keyvaluemaps.entries for information.

    BigQuery

    Custom data masking is now generally available (GA). You can define custom masking routines for custom masking capabilities such as salt-based hash. The feature is available on the Enterprise Plus edition.

    BigQuery now offers entity resolution. This feature lets users match records across datasets even when a common identifier is missing. It utilizes an identity provider for this process; BigQuery supports LiveRamp and provides a framework for other identity providers to offer similar services. This feature is generally available (GA).

    Chronicle SOAR

    Release 6.2.47 is currently in Preview.

    Email settings: customer configuration change

    In order to help with safe and secure communication, the Trust Certificate checkbox is scheduled to be deleted in April 2024 as it will be enabled automatically by default.

    Customers who currently do not have this checkbox enabled are advised to carry out the following procedure.

    • In the Email Settings > Customer Configuration tab, enable the Trust Certificate checkbox.
    • Save the settings.
    • Click Test to ensure the configuration works.
    • Perform an action which will trigger a test email notification.
    • If errors are shown, follow the instructions in the error message.

    Manual Action Menu - Group and Specific filters when chosen together lead to errors (ID #49013713)

    Custom SAML provider configuration error (ID #49125693)

    The placeholder CurrentUserRole that was removed from Release 6.2.45 is now supported.

    Cloud Composer

    The enabling and disabling functionality for the Logs in Cloud Logging only feature was temporarily rolled back.

    At the moment, it is not possible to enable or disable this feature, and your environment will keep its current configuration. If this feature is enabled, Cloud Composer will keep saving logs to Cloud Logging only. Newly created environments save logs to Cloud Logging only and the environment's bucket.

    We will announce when the issue is resolved.

    Cloud Logging

    You can now create log buckets in the africa-south1 region. For a complete list of supported regions, see Supported regions.

    Cloud SQL for MySQL

    Cloud SQL now supports near-zero downtime planned maintenance on HA-enabled Cloud SQL Enterprise Plus instances with all combinations of public IP connectivity.

    Cloud SQL for PostgreSQL

    Cloud SQL now supports near-zero downtime planned maintenance on HA-enabled Cloud SQL Enterprise Plus instances with all combinations of public IP connectivity.

    Compute Engine

    Generally available: Hyperdisk Throughput is available with the following VMs:

    • A3
    • C3
    • C3D
    • G2
    • H3
    • M3

    Hyperdisk Throughput support for Z3 VMs is also available in Preview.

    Also, the maximum number of Hyperdisk Throughput volumes you can attach to a VM has been increased. See Hyperdisk capacity limits per VM for more information.

    Hyperdisk volumes are durable network storage devices that your VMs can access, similar to Persistent Disk. Hyperdisk Throughput provides cost-effective and throughput-oriented storage with dynamically configurable capacity and throughput. For more information, see About Hyperdisk.

    Dataproc

    New Dataproc on Compute Engine subminor image versions:

    • 2.0.92-debian10, 2.0.92-rocky8, 2.0.92-ubuntu18
    • 2.1.40-debian11, 2.1.40-rocky8, 2.1.40-ubuntu20, 2.1.40-ubuntu20-arm
    • 2.2.6-debian12, 2.2.6-rocky9, 2.2.6-ubuntu22

    Dataproc on Compute Engine Ranger Cloud Storage enhancement:

    • Enabled downscoping
    • Added caching of tokens in local cache

    Both settings are configurable and can be enabled by customers: see Use Ranger with caching and downscoping.

    Dataproc on Compute Engine: The new Secret Manager credential provider feature is available in the latest 2.2 image versions.

    Dataproc on Compute Engine: Backported patch for HADOOP-18652.

    New Dataproc Serverless for Spark runtime versions:

    • 1.1.49
    • 2.0.57
    • 2.1.36
    • 2.2.0-RC9

    Dataproc Serverless for Spark: Backported patch for HADOOP-18652.

    Deep Learning VM Images

    M116 release

    • Added the CUDA version to the TensorFlow 2.15 image family name, for this release and future releases. For example, tf-2-15-gpu is renamed to tf-2-15-cu121.
    • Deprecated the tf-2-15-gpu image family in favor of tf-2-15-cu121.

    Google Cloud Architecture Center

    (New guide) Single-zone deployment on Compute Engine: Provides a reference architecture for a multi-tier application that runs on Compute Engine VMs in a single Google Cloud zone and describes the design factors to consider when you build a single-zone architecture.

    Google Kubernetes Engine

    (2024-R03) Version updates

    GKE cluster versions have been updated.

    New versions available for upgrades and new clusters.

    The following Kubernetes versions are now available for new clusters and for opt-in control plane upgrades and node upgrades for existing clusters. For more information on versioning and upgrades, see GKE versioning and support and Upgrades.

    No channel

    Stable channel

    • Version 1.27.7-gke.1121002 is now the default version in the Stable channel.
    • Version 1.28.3-gke.1286000 is now available in the Stable channel.
    • Version 1.27.3-gke.100 is no longer available in the Stable channel.
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.27 to version 1.28.3-gke.1203001 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Stable channel will be upgraded from version 1.28 to version 1.28.3-gke.1203001 with this release.

    Regular channel

    • Version 1.27.8-gke.1067004 is now the default version in the Regular channel.
    • The following versions are no longer available in the Regular channel:
      • 1.26.6-gke.1700
      • 1.27.3-gke.100
      • 1.28.3-gke.1118000
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.25 to version 1.26.11-gke.1055000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Regular channel will be upgraded from version 1.26 to version 1.26.11-gke.1055000 with this release.

    Rapid channel

    • The following versions are now available in the Rapid channel:
    • The following versions are no longer available in the Rapid channel:
      • 1.25.16-gke.1268000
      • 1.26.12-gke.1111000
      • 1.27.9-gke.1092000
      • 1.28.5-gke.1217000
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.24 to version 1.25.16-gke.1360000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.25 to version 1.26.13-gke.1052000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.26 to version 1.27.10-gke.1055000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.27 to version 1.27.10-gke.1055000 with this release.
    • Control planes and nodes with auto-upgrade enabled in the Rapid channel will be upgraded from version 1.29 to version 1.29.1-gke.1016000 with this release.

    Vertex AI Workbench

    M116 release

    The M116 release of Vertex AI Workbench user-managed notebooks includes the following:

    • Updated custom container user-managed notebooks to use NVIDIA driver version 535.104.05.
    • Fixed bugs in custom container user-managed notebooks where GPUs either wouldn't attach to the container properly, or detached after some time.

    The M116 release of Vertex AI Workbench managed notebooks includes the following:

    • Fixed a bug (present in versions M113 through M115) that prevented new local kernels from being usable.

    February 07, 2024

    Apigee Integrated Portal

    On February 07, 2024 we released an updated version of Apigee integrated portal.

    | Bug ID | Description |
    |---|---|
    | 323278335 | A security issue was fixed. |
    | 192987085 | Fixed an issue where switching API spec pages in the public developer portal resulted in an error. Note, this issue was erroneously mentioned in the 12/7/23 release notes. |

    BigQuery

    You can now view query plans to see details of SQL pushdowns in federated queries. This feature is now generally available.

    Cloud Healthcare API

    A release was made. Updates may include general performance improvements, bug fixes, and updates to the API reference documentation.

    Cloud Logging

    Log buckets in the following regions can now be upgraded to use Log Analytics:

    • europe-west10

    For more information, see Supported regions.

    Cloud SQL for PostgreSQL

    The rollout of the following extensions and flags is underway:

    Extensions

    • autoinc (version 1.0): provides functions for incrementing fields automatically. This trigger stores the next value of a sequence into an integer field.
    • bloom (version 1.0): provides a method to access indexes based on bloom filters. These filters are space-efficient data structures that you can use to test whether an element is a member of a set.
    • insert_username (version 1.0): provides functions for storing the current user's name into a text field. You can use this to track who last modified a row in a database table.
    • moddatetime (version 1.0): provides functions for storing the current time into a timestamp field. You can use this to track the last time that a row in a database table is modified.
    • pg_background (version 1.2): lets you run arbitrary commands in a background worker.
    • pg_squeeze (version 1.5): removes unused space from a table and lets you use an index to sort records or rows (tuples) of the table.
    • tcn (version 1.0): provides a trigger function that notifies listeners of changes to the content of database tables.

    Flags

    • cloudsql.enable_pg_squeeze: enables the pg_squeeze extension for Cloud SQL for PostgreSQL
    • squeeze.max_xlock_time: sets the time (in milliseconds) that the extension uses to finalize the processing for modifying a table
    • squeeze.worker_autostart: starts a background worker automatically
    • squeeze.worker_role: specifies the role for the background worker

    The rollout of the following minor versions, extension versions, and plugin versions is underway:

    Minor versions

    • 11.21 is upgraded to 11.22.
    • 12.16 is upgraded to 12.17.
    • 13.12 is upgraded to 13.13.
    • 14.9 is upgraded to 14.10.
    • 15.4 is upgraded to 15.5.

    Extension and plugin versions

    • ip4r is upgraded from 2.4.1 to 2.4.2.
    • orafce is upgraded, as follows:
      • from 3.25.1 to 4.6.1 (for PostgreSQL versions 9.6 and 10)
      • from 4.6.1 to 4.7.0 (for PostgreSQL versions 11 and later)
    • pg_cron is upgraded from 1.5.2 to 1.6.0.
    • pgfincore is upgraded from 1.2.3 to 1.3.1.
    • pg_partman is upgraded from 4.7.3 to 4.7.4.
    • pg_repack is upgraded from 1.4.8 to 1.5.0.
    • pgTAP is upgraded from 1.2.0 to 1.3.0.
    • pgtt is upgraded from 2.9.0 to 3.0.
    • pg_wait_sampling is upgraded from 1.1.4 to 1.1.5.
    • PL/Proxy is upgraded from 2.10.0 to 2.11.0.
    • plv8 is upgraded from 3.1.4 to 3.2.0.
    • postgresql_hll is upgraded from 2.17 to 2.18.

    If you use a maintenance window, then the updates to the minor, extension, and plugin versions happen according to the timeframe that you set in the window. Otherwise, the updates occur within the next few weeks.

    The new maintenance version is [PostgreSQL version].R20240130.00_00. To learn how to check your maintenance version, see Self service maintenance. To find your maintenance window or to manage maintenance updates, see Find and set maintenance windows.

    Compute Engine

    When you purchase a resource-based commitment for GPUs, Local SSD disks, or both, you can attach any of your existing on-demand or auto-created future reservations to that commitment. By attaching existing reservations, you can reserve resources in advance and minimize resource unavailability issues when you purchase commitments for GPU or Local SSD disk resources.

    For more information, see Purchase commitments with attached reservations.

    Google Cloud Deploy

    Cloud Deploy now uses Skaffold 2.10 as the default Skaffold version for all target types.

    Spanner

    Made changes to the information schema to improve the accuracy of data type reporting.

    The information_schema.columns.spanner_type and information_schema.index_columns.spanner_type columns now include a limit value for the character varying(limit_value) and character varying(limit_value)[] types.

    Vertex AI

    The following models have been added to Model Garden:

    • Stable Diffusion XL LCM: The Latent Consistency Model (LCM) enhances text-to-image generation in Latent Diffusion Models by enabling faster and high-quality image creation with fewer steps.
    • LLaVA 1.5: Deploy LLaVA 1.5 models.
    • PyTorch-ZipNeRF: The Pytorch-ZipNeRF model is a state-of-the-art implementation of the ZipNeRF algorithm in the Pytorch framework, designed for efficient and accurate 3D reconstruction from 2D images.
    • LLaMA 2 (Quantized): A quantized version of Meta's Llama 2 models.
    • WizardLM: WizardLM is a large language model (LLM) developed by Microsoft, fine-tuned on complex instructions by adapting the Evol-Instruct method.
    • WizardCoder: WizardCoder is a large language model (LLM) developed by Microsoft, fine-tuned on complex instructions by adapting the Evol-Instruct method to the domain of code.
    • AutoGluon: With AutoGluon you can train and deploy high-accuracy machine learning and deep learning models for tabular data.
    • Lama (Large mask inpainting): Use Large Mask Inpainting with fast Fourier convolutions (FFCs), a high receptive field perceptual loss, and large training masks for resolution-robust image inpainting.

    The following changes have been made to Model Garden:

    • Added one-click tuning button, and dedicated deployment, tuning, quantization, and evaluation notebooks for Llama 2.
    • Added one-click deployment button for more than 20 models with pre-trained OSS artifacts, including Salesforce/blip-image-captioning-base and timbrooks/instruct-pix2pix.
    • Supported CodeLlaMA70b with notebooks and the one-click deployment button.
    • Added tuning notebooks for Mistral models.
    • Added serving notebooks for Stable Video Diffusion Img2Vid XT. These notebooks are used for research purposes.

    February 06, 2024

    AlloyDB for PostgreSQL

    AlloyDB for PostgreSQL is now available in europe-west10 (Berlin). For more information, see AlloyDB locations.

    Bare Metal Solution

    BigQuery

    Billing for Spark stored procedures begins on March 12, 2024. Until that date, Spark stored procedures are offered at no extra cost.

    Chronicle

    Chronicle requires a minimum Transport Layer Security (TLS) version of 1.2 to maintain security compliance. Ingestion routing connections that use lower TLS versions are automatically blocked. Upgrade any custom ingestion mechanisms to adhere to TLS 1.2 or higher.

    When the data ingestion rate for a tenant reaches a certain threshold, Chronicle controls the rate of ingestion for new data feeds to prevent a source with a high ingestion rate from affecting the ingestion rate of another data source. The ingestion volume and the tenant's usage history determine the threshold. If the rate of ingestion does not deviate greatly, then there is no effect on the ingestion rate.

    Cloud SQL for MySQL

    Cloud SQL for MySQL now supports minor version 8.0.36. To upgrade your existing instance to the new version, see Upgrade the database minor version.

    Google Kubernetes Engine

    Clusters on control plane versions 1.26.6-gke.1900 and later might encounter intermittent connection establishment failures.

    The chance of failure is low, and the issue doesn't affect all clusters. The failures should stop completely within a few days of symptom onset.

    Alternatively, upgrade to the following versions instead, which are not affected by this issue:

    • 1.26.13-gke.1052000 and later.
    • 1.27.10-gke.1055000 and later.
    • 1.28.6-gke.1095000 and later.
    • 1.29.1-gke.1016000 and later.

    Resource Manager

    You can use the Google Cloud console with Policy Simulator for Organization Policy to test organization policies. This feature is available in Preview.

    Security Command Center

    New security posture service released to General Availability

    The new security posture service is released to General Availability. This service lets you create and deploy postures so that you can define the policies for your Google Cloud organization and monitor for drift.

    For more information, see Security posture overview.

    Mandiant analyst CVE ratings added to vulnerability findings

    The addition of CVE information, including ratings of the vulnerability by Mandiant Threat Intelligence analysts, to the details of Security Command Center vulnerability findings is released to Preview. You can now prioritize vulnerabilities based on the exploitability and impact ratings from Mandiant. For more information, see Prioritize vulnerability findings to reduce risk.

    Improvements to compliance standards support now available

    Improvements to the Security Command Center Compliance page in the Google Cloud console are released to General Availability. Your state of compliance with all supported standards is now presented more clearly and a new Compliance details page makes it easier to see failing controls. For more information, see Assess and report compliance.

    Prioritize high-value resources automatically by data sensitivity

    The optional integration of the Sensitive Data Protection discovery feature with the Security Command Center attack path simulation feature is released to Preview. If you use Sensitive Data Protection discovery, you can choose to have the priority value of supported high-value resources set automatically based on whether they contain medium-sensitivity or high-sensitivity data. For more information, see Set resource priority values automatically by data sensitivity.

    Attack exposure scores informed by Mandiant Threat Intelligence

    The inclusion of CVE exploitability ratings in the calculation of attack exposure scores for vulnerability findings is released to Preview. The ratings, which are provided by Mandiant Threat Intelligence analysts, enable Security Command Center attack path simulations to provide more accurate scores for prioritizing vulnerability findings. For more information, see Incorporation of CVE data.

    High-value resources now include attack exposure scores

    The calculation of attack exposure scores for high-value resources by the Security Command Center Attack Path Simulations feature is released to Preview. Use attack exposure scores on resources to proactively secure the resources that are the most valuable to your business. For more information, see Attack exposure scores.

    February 05, 2024

    Anthos clusters on AWS

    You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:

    Anthos clusters on Azure

    You can now launch clusters with the following Kubernetes versions. Click on the following links to see the release notes associated with these patches:

    Cloud Composer

    Data lineage is now generally available (GA) in Cloud Composer 2.

    Data lineage integration is now enabled by default in newly created environments with Cloud Composer version 2.1.2 and later, if Data Lineage API is enabled in the environment's project. Existing and upgraded environments keep their current configuration.

    Python 3.11 is available in environments with Airflow 2.6.3:

    • New environments with Airflow 2.6.3 use Python 3.11. Python 3.8 is no longer available in new environments with Airflow 2.6.3.

    • Existing environments with Airflow 2.6.3 switch to Python 3.11 when upgraded. Before upgrading, make sure that custom PyPI packages in your environment are compatible with Python 3.11.

    • New and upgraded environments with Airflow 2.5.3 keep using Python 3.8.

    • Cloud Composer versions earlier than 2.6.0 keep using Python 3.8.

    Airflow worker memory requirements in Python 3.11 are 10% higher compared to workers in Python 3.8. If you use custom settings for Airflow worker CPU and memory limits, then Airflow workers in your environment might enter the CrashLoopBackOff status and stop executing tasks, if resource consumption goes above the limit.

    If your environment is impacted, see the related known issue for possible solutions: Workers require more memory than in previous Airflow versions.

    The default worker_concurrency formula was adjusted in Airflow 2.6.3 and later versions to accommodate this change.

    (Available without upgrading) The default worker_concurrency in Airflow 2.6.3 and later versions is now calculated using a different formula. For more information, see Change worker concurrency.

    Connections to the Redis environment component are now additionally secured with a password.

    Improved the reliability of the environment component responsible for metrics reporting (airflow-monitoring).

    The apache-airflow-providers-google package is upgraded to version 10.13.1 in images with Airflow 2.6.3. For more information about changes, see the apache-airflow-providers-google changelog from version 10.12.0 to version 10.13.1.

    Cloud Composer 2.6.0 images are available:

    • composer-2.6.0-airflow-2.6.3 (default)
    • composer-2.6.0-airflow-2.5.3

    Cloud Composer versions 2.1.5 and 1.20.5 have reached their end of full support period.

    Cloud Composer 2.6.0 is a version with an extended upgrade timeline.

    Container Optimized OS

    cos-109-17800-66-81

    • Kernel: COS-6.1.58
    • Docker: v24.0.5
    • Containerd: v1.7.10
    • GPU Drivers: v535.129.03 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

    Updated the latest NVIDIA GPU driver to v535.154.05.

    Fixed CVE-2023-6531 in the Linux kernel.

    Fixed CVE-2024-0607 in the Linux kernel.

    cos-105-17412-294-13

    • Kernel: COS-5.15.146
    • Docker: v23.0.3
    • Containerd: v1.7.10
    • GPU Drivers: v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

    Updated the latest NVIDIA GPU driver to v535.154.05.

    Fixed CVE-2023-6915 in the Linux kernel.

    cos-97-16919-450-7

    • Kernel: COS-5.10.208
    • Docker: v20.10.24
    • Containerd: v1.6.21
    • GPU Drivers: v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

    Fixed CVE-2023-6915 in the Linux kernel.

    Updated cos-gpu-installer to v2.1.10.

    cos-101-17162-386-12

    • Kernel: COS-5.15.146
    • Docker: v20.10.24
    • Containerd: v1.6.24
    • GPU Drivers: v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

    Fixed CVE-2023-6915 in the Linux kernel.

    Dataflow

    A weekly digest of client library updates from across the Cloud SDK.

    Go

    Changes for dataflow/apiv1beta3

    0.9.5 (2024-01-30)

    Bug Fixes
    • dataflow: Enable universe domain resolution options (fd1d569)

    Google Cloud Deploy

    Google Cloud Deploy is now available in the following regions:

    • me-central1 (Doha)
    • me-central2 (Dammam)
    • europe-west12 (Turin)
    • europe-west10 (Berlin)

    Pub/Sub

    A weekly digest of client library updates from across the Cloud SDK.

    Node.js

    Changes for @google-cloud/pubsub

    4.2.0 (2024-02-01)

    Features
    • Add enforce_in_transit fields and optional annotations (#1873) (09fc424)
    • Add schema revision samples (#1870) (044e149)
    Bug Fixes
    • deps: Update dependency @opentelemetry/semantic-conventions to ~1.20.0 (#1871) (2ee0dba)
    • deps: Update dependency @opentelemetry/semantic-conventions to ~1.21.0 (#1876) (0fe61a9)

    Go

    Changes for pubsub/apiv1

    1.36.1 (2024-01-30)

    Bug Fixes
    • pubsub: Enable universe domain resolution options (fd1d569)

    Python

    Changes for google-cloud-pubsub

    2.19.1 (2024-02-02)

    Documentation
    • samples: Swap writer and reader schema to correct places (265f410)

    Resource Manager

    With the secure-by-default organization policy enforcements, insecure posture is addressed with a bundle of organization policies that are enforced at the time of creation of an organization resource. Enforcement of these policies will apply to organizations created early in 2024, as the feature is gradually rolled out.

    Secret Manager

    A weekly digest of client library updates from across the Cloud SDK.

    Go

    Changes for secretmanager/apiv1

    1.11.5 (2024-01-30)

    Bug Fixes
    • secretmanager: Enable universe domain resolution options (fd1d569)

    Transcoder API

    You can now convert the input video in a transcoding job to a supported high dynamic range (HDR) format.

    Vertex AI

    Query an index from the Vector Search console

    Vector Search has launched an improved console experience for querying both private and public deployed indexes, now available in Preview. From the console, you can create an index and endpoint, deploy the index to the endpoint, and query the index for nearest neighbors. For more information, see Manage indexes.

    Virtual Private Cloud

    Support for IPv6 extension headers is available in General Availability.

    reCAPTCHA Enterprise

    reCAPTCHA Enterprise Mobile SDK v18.4.1 is now available for iOS.

    This version contains fixes for the following issues:

    February 04, 2024

    Chronicle SOAR

    In Release 6.2.45 we announced new placeholders. The placeholder CurrentUserRole has been removed and is not supported.

    February 02, 2024

    Apigee X

    On February 2, 2024, we released an updated version of Apigee.

    We modified or added these limits:

    • Changed the maximum API proxy endpoints per API proxy from 5 to 10
    • Specified the maximum API base paths per organization as 21,250

    See the Limits page for details.

    Cloud Asset Inventory

    The following resource types are now publicly available through the ExportAssets, ListAssets, BatchGetAssetsHistory, QueryAssets, Feed, and Search (SearchAllResources, SearchAllIamPolicies) APIs.

    • Live Stream API
      • livestream.googleapis.com/Asset
      • livestream.googleapis.com/Channel
      • livestream.googleapis.com/Input
      • livestream.googleapis.com/Pool

    Compute Engine

    Generally available: You can plan ahead for VM maintenance on C3, C3D, and Z3 Preview machine types by viewing their maintenance schedule notifications. For specific machine types within these families, you can also trigger VM maintenance ahead of schedule.

    Data Catalog

    Data Catalog is now available in Johannesburg (africa-south1). For more information on region and feature availability, see regions.

    Dataproc

    Dataproc on Compute Engine: Bucket TTL validation now also runs for buckets created by Dataproc.

    Dataproc on Compute Engine: Added a warning during cluster creation if the cluster Cloud Storage staging bucket is using the legacy fine-grained/ACL IAM configuration instead of the recommended Uniform bucket-level access controls.

    Dataproc Serverless for Spark: When dynamic allocation is enabled, the initial number of executors is the maximum of spark.dynamicAllocation.initialExecutors and spark.executor.instances.

    Google Kubernetes Engine

    FQDN network policies are now generally available with the following GKE versions:

    • 1.26.4-gke.500 and later.
    • 1.27.1-gke.400 and later.
    • 1.28 and later.

    You can further control your GKE workloads' egress traffic to a public or private service or endpoint by using a network policy matching a fully-qualified domain name or a regular expression.

    FQDN Network Policy is only available and supported with GKE Enterprise.

    To learn more, read Control Pod egress traffic using FQDN network policies.

    reCAPTCHA Enterprise

    reCAPTCHA Enterprise mobile SDKs now support 11 levels of scores along with the reason codes. This enhancement requires a security review. To request access, contact our sales team.

    February 01, 2024

    Apigee X

    On February 1, 2024, we released an updated version of Apigee.

    With this release, Apigee API Management organizations with Pay-as-you-go pricing provisioned before October 1, 2023, will be converted to Pay-as-you-go organizations that use updated attributes for pricing.

    Prior to the conversion, these organizations were billed for API runtimes based on Apigee gateway node usage and the total number of API requests processed by Apigee analytics.

    Once converted, these organizations will be billed for the following:

    • Volume of API calls processed by a given proxy type
    • Usage of deployment environments (per hour per region)
    • Usage of additional deployment units (API proxies or shared flows)
    • Any additional add-on capabilities (Advanced API security, Monetization, Analytics)

    The conversion process is expected to last about 5 minutes and traffic will continue to be processed normally during this time. If proxy revision deployments are interrupted during this time frame, revisions can be deployed after conversion completes.

    The Apigee API Analytics add-on will be enabled by default in converted organizations. The Analytics add-on can be disabled after the pricing change if it is not required.

    For more information on the updated pricing and enhanced features now available for these organizations, see Pay-as-you-go (updated attributes) overview.

    Updated pricing attributes will be reflected in March invoices. For billing questions related to this change, contact Google Cloud Billing support.

    Batch

    You can configure custom status events, which describe important events for a job's runnables. By providing additional information about a job's progress, custom status events can help make a job easier to analyze and troubleshoot.

    For more information, see Configure custom status events to describe runnables and View a job's history through status events.

    You can write unstructured and structured task logs:

    • An unstructured task log lets you define a log's message.
    • A structured task log lets you define multiple details for a log such as the message, the severity, custom fields, and a custom status event.

    By allowing you to surface custom information in Cloud Logging, task logs can help make a job easier to analyze and troubleshoot.

    For more information, see Write task logs.

    You can run Batch jobs as a non-root user to meet workload or security requirements. For more information, see Create and run jobs as a non-root user.

    Bigtable

    The Bigtable Studio query builder is generally available (GA). The query builder lets you create and run queries and view the results directly from the Google Cloud console. For details, see Build queries in the console.

    Blockchain Node Engine

    On February 1, 2024, Blockchain Node Engine upgraded all Ethereum Holesky nodes in preparation for the Dencun Hardfork.

    Chronicle

    The following log types were added to the Chronicle feed management API to create AWS data feeds. These feeds can be used to get context on AWS resources such as EC2 instances and users in identity and access management (IAM). Each is listed by product name and log_type value, if applicable.

    • AWS EC2 Hosts (AWS_EC2_HOSTS)
    • AWS EC2 Instances (AWS_EC2_INSTANCES)
    • AWS EC2 VPCs (AWS_EC2_VPCS)
    • AWS Identity and Access Management (AWS_IAM)

    To view a list of log types that Chronicle supports for third-party APIs, see Configuration by log type.

    Chronicle SOAR

    Release 6.2.46 is now in Preview.

    New audit logs

    The platform now captures audit logs when a playbook folder is deleted. (ID 48557086)

    Mentioning users in a case is not working as expected. (ID #00180795)

    Cloud Healthcare API

    You can use the Google Cloud console to view DICOM store metrics.

    You can use the Google Cloud console to view HL7v2 store metrics.

    Cloud SQL for MySQL

    Private Service Connect now includes support for cross-region read replicas. You can also choose an availability type (REGIONAL or ZONAL) for Private Service Connect-enabled instances. Both features are in Preview.

    For more information, see Connect to an instance using Private Service Connect.

    Cloud SQL for PostgreSQL

    Private Service Connect now includes support for cross-region read replicas. You can also choose an availability type (REGIONAL or ZONAL) for Private Service Connect-enabled instances. Both features are in Preview.

    For more information, see Connect to an instance using Private Service Connect.

    Cloud SQL for SQL Server

    You can now use Private Service Connect to connect to a Cloud SQL for SQL Server instance. This solution allows you to connect to the instance from multiple VPC networks that belong to different groups, teams, projects, or organizations.

    You can also choose an availability type (REGIONAL or ZONAL) for Private Service Connect-enabled instances.

    All features are in Preview. For more information, see Connect to an instance using Private Service Connect.

    Dataproc

    New Dataproc on Compute Engine subminor image versions:

    • 2.0.91-debian10, 2.0.91-rocky8, 2.0.91-ubuntu18
    • 2.1.39-debian11, 2.1.39-rocky8, 2.1.39-ubuntu20, 2.1.39-ubuntu20-arm
    • 2.2.5-debian12, 2.2.5-rocky9, 2.2.5-ubuntu22

    New Dataproc Serverless for Spark runtime versions:

    • 1.1.48
    • 2.0.56
    • 2.1.35
    • 2.2.0-RC8

    Dataproc on Compute Engine: Backported patches for HIVE-21214, HIVE-23154, HIVE-23354 and HIVE-23614.

    Google Distributed Cloud Virtual for Bare Metal

    Release 1.15.9

    GKE on Bare Metal 1.15.9 is now available for download. To upgrade, see Upgrade clusters. GKE on Bare Metal 1.15.9 runs on Kubernetes 1.26.

    If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.

    Known issues:

    For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section.

    Google Distributed Cloud Virtual for VMware

    GKE on VMware 1.15.8-gke.41 is now available. To upgrade, see Upgrading Anthos clusters on VMware. GKE on VMware 1.15.8-gke.41 runs on Kubernetes v1.26.10-gke.2000.

    If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on VMware.

    Upgraded etcd to v3.4.27-0-gke.1.

    The following issues are fixed in 1.15.8-gke.41:

    • Fixed Seesaw crashing on duplicated service IP.
    • Fixed a warning in the storage preflight check.

    The following vulnerabilities are fixed in 1.15.8-gke.41:

    Google Kubernetes Engine

    You can now encrypt Pod-to-Pod traffic between nodes in the same cluster or in a multi-cluster environment natively with GKE. Inter-node transparent encryption is now generally available, only with GKE Enterprise, for GKE clusters in the following versions:

    • 1.26.9-gke.1024000 and later.
    • 1.27.6-gke.1506000 and later.
    • 1.28.2-gke.1098000 and later.
    • 1.29 and later.

    To learn more, see Encrypt your data in-transit in GKE with user-managed encryption keys.

    A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node file system.

    For instructions and more details, see the GCP-2024-005 security bulletin.

    Identity-Aware Proxy

    Effective January 12, 2024, a BeyondCorp Enterprise license is no longer required to deploy internal applications with an internal load balancer when securing those applications with Identity-Aware Proxy. This provides a consistent experience when using Identity-Aware Proxy with all load balancers.

    Looker Studio

    Pro feature: Folders in team workspaces

    You can use folders and subfolders to organize assets (reports and data sources) in team workspaces.

    Learn more about using folders to organize assets in team workspaces.

    Sensitive Data Protection

    You can now configure your discovery scans to reprofile data when the inspection template changes. By default, inspection template changes do not cause the affected data to be reprofiled. For more information, see Frequency of data profile generation.

    January 31, 2024

    App Engine standard environment Java

    Java 8 has reached end of support on January 31, 2024. Your existing Java 8 applications will continue to run and receive traffic. However, App Engine might block re-deployments of applications that use runtimes after their end of support date. We recommend that you migrate to the latest supported version of Java.

    App Engine standard environment Python

    Python 2.7 has reached end of support on January 31, 2024. Your existing Python 2.7 applications will continue to run and receive traffic. However, App Engine might block re-deployments of applications that use runtimes after their end of support date. We recommend that you migrate to the latest supported version of Python.

    Artifact Registry

    Artifact Registry is available in the africa-south1 region (Johannesburg, South Africa).

    BigQuery

    The following information schema views display the history of configuration changes to the options of your organization and projects:

    This feature is now in preview.

    BigQuery now supports vector search and vector indexes. These features are in preview.

    You can use the VECTOR_SEARCH function to search embeddings in order to identify semantically similar entities.

    You can use vector indexes to make VECTOR_SEARCH more efficient, with the trade-off of returning more approximate results.

    Try the new vector search and vector index capabilities with the Search embeddings with vector search tutorial.

    Bigtable

    Bigtable is available in the africa-south1 (Johannesburg) region. For more information, see Bigtable locations.

    Chronicle

    The bi-weekly release of Chronicle parsers will change to a more frequent release schedule to allow for more testing before parser changes automatically take effect in Parser Management.

    Beginning on February 1, 2024, new parser updates will be released weekly as pending updates in Parser Management. Every 4 weeks beginning February 15, pending updates will automatically become active when these parser versions are promoted to default.

    Any Chronicle tenants with Parser Management disabled do not use the standard Parser Management release process, so weekly parser updates will automatically take effect.

    Chronicle SOAR

    Release 6.2.45 is scheduled to be in General Availability as of February 4th, 2024.

    Cloud Composer

    In the first half of February, 2024, Cloud Composer 2 environments with Airflow 2.6.3 will start using Python 3.11:

    • New and upgraded environments with Airflow 2.6.3 will switch to Python 3.11.
    • New and upgraded environments with Airflow 2.5.3 will still use Python 3.8.
    • Python 3.8 will no longer be available in new versions of Cloud Composer with Airflow 2.6.3 (and later versions of Airflow).
    • Existing environments with Airflow 2.6.3 will keep using Python 3.8 until they are upgraded.
    • Cloud Composer versions released before this change will keep using Python 3.8.

    Cloud Interconnect

    Dedicated Cloud Interconnect support is available in the following colocation facilities:

    • Teraco Johannesburg Campus, South Africa
    • Africa Data Centres, Johannesburg JHB2

    For more information, see the Locations table.

    Cloud Key Management Service

    Cloud KMS is available in the following region:

    • africa-south1

    For more information, see Cloud KMS locations.

    Cloud Logging

    Fixed a bug that caused the audit log associated with an API that performs both Data Access and Admin Activity operations to be classified as a Data Access log. These logs are now always classified as Admin Activity audit logs.

    Cloud Run

    The following new region is now available: africa-south1.

    Cloud SQL for MySQL

    Support for africa-south1 (Johannesburg) region.

    Cloud SQL for PostgreSQL

    Support for africa-south1 (Johannesburg) region.

    Cloud SQL for SQL Server

    Support for africa-south1 (Johannesburg) region.

    Cloud Storage

    Cloud Storage is now available in Johannesburg, South Africa (africa-south1 region).

    Cloud VPN

    Cloud VPN is now available in region africa-south1 (Johannesburg, South Africa).

    Pricing is available on the Cloud VPN pricing page.

    Compute Engine

    Preview: You can create GPU VMs in a MIG by using resize requests. Resize requests help you create VMs all at once and give you higher chances to obtain highly demanded resources such as GPUs.

    For more information, see About resize requests in a MIG.

    Generally available: Johannesburg, South Africa africa-south1-a,b,c has launched with E2, N2, N2D, and T2D general-purpose VMs in all three zones.

    Container Optimized OS

    cos-101-17162-386-11

    • Kernel: COS-5.15.146
    • Docker: v20.10.24
    • Containerd: v1.6.24
    • GPU Drivers: v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

    Updated latest NVIDIA GPU driver to 535.154.05.

    Updated cos-gpu-installer to v2.1.10.

    Updated app-emulation/containerd to 1.6.24.

    Fixed CVE-2023-3164 in sys-apps/gawk.

    Fixed CVE-2024-22195 in dev-python/jinja.

    Fixed CVE-2024-21626 in app-emulation/runc.

    Fixed CVE-2024-0646 in the Linux kernel.

    Fixed CVE-2023-6040 in the Linux kernel.

    Runtime sysctl changes:

    • Added: net.ipv6.conf.all.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.default.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.docker0.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.eth0.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.lo.accept_ra_min_lft: 0
    • Changed: fs.file-max: 813032 -> 813030

    cos-105-17412-294-10

    • Kernel: COS-5.15.146
    • Docker: v23.0.3
    • Containerd: v1.7.10
    • GPU Drivers: v470.223.02 (default), v535.129.03 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

    Updated cos-gpu-installer to v2.1.10.

    Backported support for TCP RTO configuration in networkd.

    Added kernel compatibility with iptables-nft.

    Fixed CVE-2024-22195 in dev-python/jinja.

    Fixed CVE-2024-21626 in app-emulation/runc.

    Fixed CVE-2024-0646 in the Linux kernel.

    Fixed CVE-2023-6040 in the Linux kernel.

    Runtime sysctl changes:

    • Added: net.ipv6.conf.all.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.default.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.docker0.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.eth0.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.lo.accept_ra_min_lft: 0
    • Added: net.netfilter.nf_flowtable_tcp_timeout: 30
    • Added: net.netfilter.nf_flowtable_udp_timeout: 30
    • Changed: fs.file-max: 813031 -> 813029

    cos-109-17800-66-78

    • Kernel: COS-6.1.58
    • Docker: v24.0.5
    • Containerd: v1.7.10
    • GPU Drivers: v535.129.03 (default, latest), v470.223.02 (R470 for compatibility with K80 GPUs)

    Added kernel compatibility with iptables-nft.

    Upgraded dev-python/jinja to v3.1.3. This resolves CVE-2024-22195.

    Fixed CVE-2024-21626 in app-containers/runc.

    Fixed CVE-2024-0646 in the Linux kernel.

    Fixed CVE-2023-6915 in the Linux kernel.

    Fixed CVE-2024-0565 in the Linux kernel.

    Fixed CVE-2024-0193 in the Linux kernel.

    Runtime sysctl changes:

    • Added: net.netfilter.nf_flowtable_tcp_timeout: 30
    • Added: net.netfilter.nf_flowtable_udp_timeout: 30

    cos-97-16919-450-6

    • Kernel: COS-5.10.208
    • Docker: v20.10.24
    • Containerd: v1.6.21
    • GPU Drivers: v470.223.02 (default), v535.154.05 (latest), v470.223.02 (R470 for compatibility with K80 GPUs)

    Updated latest NVIDIA GPU driver to 535.154.05.

    Fixed CVE-2023-3164 in sys-apps/gawk.

    Fixed CVE-2024-22195 in dev-python/jinja.

    Fixed CVE-2024-21626 in app-emulation/runc.

    Runtime sysctl changes:

    • Added: net.ipv6.conf.all.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.default.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.docker0.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.eth0.accept_ra_min_lft: 0
    • Added: net.ipv6.conf.lo.accept_ra_min_lft: 0
    • Changed: fs.file-max: 813422 -> 813419
    • Changed: net.ipv6.route.max_size: 4096 -> 2147483647

    Updated cos-gpu-installer to v2.1.10.

    Dataflow

    Dataflow is available in Johannesburg, South Africa (africa-south1).

    Dataproc

    Dataproc is now available in the africa-south1 region (Johannesburg, South Africa).

    The GitHub Ops Agent initialization action installs the Ops Agent on a Dataproc cluster, and provides metrics similar to the metrics that were enabled with the --metric-sources=monitoring-agent-defaults setting available for use with Dataproc image versions prior to version 2.2.

    Eventarc

    Eventarc is available in the africa-south1 (Johannesburg, South Africa) region.

    Google Cloud Architecture Center

    (New guide) Regional deployment on Compute Engine: Architect a multi-tier application that runs on Compute Engine VMs in multiple zones within a Google Cloud region.

    Google Distributed Cloud Virtual for Bare Metal

    Release 1.28.100-gke.146

    GKE on Bare Metal 1.28.100-gke.146 is now available for download. To upgrade, see Upgrade clusters. GKE on Bare Metal 1.28.100-gke.146 runs on Kubernetes 1.28.

    If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.

    Fixes:

    Fixed a rootless permission issue on file /var/lib/audit.log in 1.28.100, which might block control plane node upgrades.

    The following container image security vulnerabilities have been fixed in 1.28.100-gke.146:

    Known issues:

    For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section.

    Security bulletin (all minor versions)

    A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods might be able to gain full access to the node filesystem.

    For instructions and more details, see the GCP-2024-005 security bulletin.

    Google Distributed Cloud Virtual for VMware

    A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

    For instructions and more details, see the GCP-2024-005 security bulletin.

    Google Kubernetes Engine

    The africa-south1 region in Johannesburg, South Africa is now available.

    Managed Service for Microsoft Active Directory

    Managed Microsoft AD is available in the africa-south1 (Johannesburg) region. For more information, see Deploy domain controllers in additional regions.

    Memorystore for Redis

    Added new Memorystore for Redis region: Johannesburg (africa-south1).

    Pub/Sub

    Pub/Sub is available in Johannesburg, South Africa (africa-south1).

    Secret Manager

    Secret Manager is now available in the following region:

    • africa-south1

    For more information, see Secret Manager locations.

    Security Command Center

    Virtual Machine Threat Detection, a built-in service of Security Command Center, launched the Malware: Malicious file on disk (YARA) detector to Preview. This detector generates a finding if an executable file in a virtual machine matches known malware signatures.

    Sensitive Data Protection

    Sensitive Data Protection is now available in Johannesburg, South Africa (africa-south1 region).

    For more information, see Sensitive Data Protection locations.

    Spanner

    You can create Spanner regional instances in Johannesburg, South Africa (africa-south1).

    A monthly digest of client library updates from across the Cloud SDK.

    Go

    Changes for spanner/admin/database/apiv1

    1.55.0 (2024-01-08)

    Features

    Java

    Changes for google-cloud-spanner

    6.56.0 (2024-01-05)

    Features
    • Add autoscaling config in the instance to support autoscaling in systests (#2756) (99ae565)
    • Add support for Directed Read options (#2766) (26c6c63)
    • Update OwlBot.yaml file to pull autogenerated executor code (#2754) (20562d4)
    Dependencies
    • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.21.0 (#2772) (173f520)
    Documentation
    • Samples and tests for auto-generated createDatabase and createInstance APIs. (#2764) (74a586f)

    Node.js

    Changes for @google-cloud/spanner

    7.2.0 (2024-01-11)

    Features
    Bug Fixes
    • deps: Update dependency @google-cloud/precise-date to v4 (#1903) (7464c8b)
    • deps: Update dependency @types/stack-trace to v0.0.33 (#1952) (45ab751)
    • deps: Update dependency retry-request to v7 (#1934) (c575c80)

    Python

    Changes for google-cloud-spanner

    3.41.0 (2024-01-10)

    Features
    • Add BatchWrite API (#1011) (d0e4ffc)
    • Add PG.OID type code annotation (#1023) (2d59dd0)
    • Add support for Directed Reads (#1000) (c4210b2)
    • Add support for Python 3.12 (#1040) (b28dc9b)
    • Batch Write API implementation and samples (#1027) (aa36b07)
    • Implementation for batch dml in dbapi (#1055) (7a92315)
    • Implementation for Begin and Rollback clientside statements (#1041) (15623cd)
    • Implementation for partitioned query in dbapi (#1067) (63daa8a)
    • Implementation of client side statements that return (#1046) (bb5fa1f)
    • Implementing client side statements in dbapi (starting with commit) (#1037) (eb41b0d)
    • Introduce compatibility with native namespace packages (#1036) (5d80ab0)
    • Return list of dictionaries for execute streaming sql (#1003) (b534a8a)
    • spanner: Add autoscaling config to the instance proto (#1022) (4d490cf)
    • spanner: Add directed_read_option in spanner.proto (#1030) (84d662b)
    Bug Fixes
    • Executing existing DDL statements on executemany statement execution (#1032) (07fbc45)
    • Fix for flaky test_read_timestamp_client_side_autocommit test (#1071) (0406ded)
    • Require google-cloud-core >= 1.4.4 (#1015) (a2f87b9)
    • Require proto-plus 1.22.2 for python 3.11 (#880) (7debe71)
    • Use retry_async instead of retry in async client (#1044) (1253ae4)
    Documentation

    Vertex AI Search and Conversation

    Vertex AI Search: CMEK for US and EU is GA

    Customer-managed encryption keys (CMEK) are available in the US and the EU as GA with allowlist.

    If you store your data in a US or EU multi-region data store, you can provide your own encryption key to protect your data at rest.

    For information, see Customer-managed encryption keys.

    Vertex AI Search: Check grounding in Preview with allowlist

    The CheckGrounding API determines how grounded a piece of text is in a given set of facts. Perfect grounding requires that every statement in the text can be attributed to one or more of the given facts. The API returns an overall score of 0 to 1, indicating how grounded the text is, along with citations to the appropriate given facts for each statement.

    See Check grounding.

    Vertex AI Search and Conversation: Use Terraform to create data stores

    You can use Terraform to create data stores for your Vertex AI Search and Conversation apps. The data stores are created empty; you then ingest the data through the console or an API call.

    For an example, see Create a search data store.

    Vertex AI Search: Gemini Pro for search summaries

    You can now choose Gemini Pro as a model for generating search summaries.

    For more information, see Specify the summarization model.

    Vertex AI Search: Updates to autocomplete

    • Autocomplete is available for your search apps in the US and EU multi-regions as Public preview.

      See Configure autocomplete.

    • Autocomplete removes unsafe and offensive terms in eight languages in addition to English (en).

      For more information, see Autocomplete features.

    Virtual Private Cloud

    Private Service Connect interfaces are available in General Availability. Private Service Connect interfaces let service producers initiate connections to consumer VPC networks.

    For auto mode VPC networks, added a new subnet 10.218.0.0/20 for the Johannesburg africa-south1 region. For more information, see Auto mode IP ranges.

    Workflows

    Workflows is available in the following additional region: africa-south1 (Johannesburg, South Africa).

    Workload Manager

    Generally available: Workload Manager is now generally available (GA) for evaluating SQL Server workloads. For more information, see About Workload Manager Evaluation.

    January 30, 2024

    App Engine standard environment Go

    Go 1.11 has reached end of support on January 30, 2024. Your existing Go 1.11 applications will continue to run and receive traffic. However, App Engine might block re-deployments of applications that use runtimes after their end of support date. We recommend that you migrate to the latest supported version of Go.

    Go 1.12, 1.13, 1.14, 1.15, 1.16, and 1.18 have reached end of support on January 30, 2024. Your existing applications using these versions will continue to run and receive traffic. However, App Engine might block re-deployments of applications that use runtimes after their end of support date. We recommend that you migrate to the latest supported version of Go.

    App Engine standard environment Node.js

    Node.js 10, 12, 14, and 16 have reached end of support on January 30, 2024. Your existing applications using these versions will continue to run and receive traffic. However, App Engine might block re-deployments of applications that use runtimes after their end of support date. We recommend that you upgrade to the latest supported version of Node.js.

    App Engine standard environment PHP

    PHP 5 has reached end of support on January 30, 2024. Your existing PHP 5 applications will continue to run and receive traffic. However, App Engine might block re-deployments of applications that use runtimes after their end of support date. We recommend that you migrate to the latest supported version of PHP.

    PHP 7.2, 7.3, and 7.4 have reached end of support on January 30, 2024. Your existing applications using these versions will continue to run and receive traffic. However, App Engine might block re-deployments of applications that use runtimes after their end of support date. We recommend that you migrate to the latest supported version of PHP.

    App Engine standard environment Python

    Python 3.7 has reached end of support on January 30, 2024. Your existing Python 3.7 applications will continue to run and receive traffic. However, App Engine might block re-deployments of applications that use runtimes after their end of support date. We recommend that you migrate to the latest supported version of Python.

    App Engine standard environment Ruby

    Ruby 2.5, 2.6, and 2.7 have reached end of support on January 30, 2024. Your existing applications using these versions will continue to run and receive traffic. However, App Engine might block re-deployments of applications that use runtimes after their end of support date. We recommend that you upgrade to the latest supported version of Ruby.

    Blockchain Node Engine

    On January 30, 2024, Blockchain Node Engine upgraded all Ethereum Sepolia nodes in preparation for the Dencun Hardfork.

    Cloud SQL for MySQL

    You can now use the MySQL Shell dumpInstance and loadDump utilities to export and import data for multiple files in parallel. For more information, see Export and import files in parallel.

    Cloud SQL for PostgreSQL

    You can now use the pg_dump and pg_restore utilities to export and import data for multiple files in parallel. For more information, see Export and import files in parallel.

    Cloud VPN

    Cloud VPN support for IPv6-only HA VPN gateways is in Preview. For more information, see IPv6 support.

    Compute Engine

    Generally available: Persistent Disk Asynchronous Replication is available between the following region pairs:

    • europe-west3 (Frankfurt, Germany) and europe-west8 (Milan, Italy)
    • europe-west3 (Frankfurt, Germany) and europe-west10 (Berlin, Germany)
    • us-east1 (Moncks Corner, South Carolina) and northamerica-northeast1 (Montréal, Québec)

    For the full list of available regions, see Supported region pairs.

    Preview: Z3 VMs, which offer the latest compute, networking, and storage innovations in one platform with a particular focus on high-density, high-performing Local SSD, are now in Preview. For more information, see Storage-optimized machine family for Compute Engine.

    Generally available: Snapshot settings are centralized configuration parameters for all snapshots in a project. You can use snapshot settings to customize the default storage location for all future snapshots in your project, which removes the need to manually specify a storage location each time you create a snapshot.

    For information about how to use snapshot settings and set your project's default snapshot storage location, see the snapshot settings documentation.

    Generally available: NVIDIA L4 GPUs are now available in the following additional region and zone:

    • Zurich, Switzerland (europe-west6-b)

    For more information about using GPUs on Compute Engine, see GPU platforms.

    Google Distributed Cloud Virtual for Bare Metal

    Release 1.16.5

    GKE on Bare Metal 1.16.5 is now available for download. To upgrade, see Upgrade clusters. GKE on Bare Metal 1.16.5 runs on Kubernetes 1.27.

    If you use a third-party storage vendor, check the GDCV Ready storage partners document to make sure the storage vendor has already passed the qualification for this release of GKE on Bare Metal.

    Known issues:

    For information about the latest known issues, see GKE on Bare Metal known issues in the Troubleshooting section.

    Spanner

    Cloud Spanner directed reads is now available in Preview. Directed reads provides the flexibility to route read-only transactions and single reads to a specific replica type or region in a multi-region instance configuration. For more information, see Directed reads.

    January 29, 2024

    AlloyDB for PostgreSQL

    AlloyDB Public IP is now available in Preview. You can configure an AlloyDB instance to have a public IP address and accept connections from authorized external IP addresses.

    Fixed the issue causing failed connections to certain AlloyDB instances when using Auth Proxy version 1.5.0.

    Anthos Service Mesh

    In February 2024, Managed Anthos Service Mesh will begin creating new Google Cloud backend resources that relate to upcoming control plane enhancements. These resources will have no impact on your traffic. The resources include but are not limited to the following:

    • HealthChecks
    • Gateways
    • Meshes
    • HTTPRoutes
    • TCPRoutes
    • TLSRoutes
    • TrafficPolicies
    • EndpointPolicies
    • ServerTLSPolicies
    • ClientTLSPolicies
    • HTTPFilters
    • TCPFilters
    • ServiceLbPolicies

    Managed Anthos Service Mesh 1.17 is rolling out in the stable channel. See Managed Anthos Service Mesh release channels for more information.

    BigQuery

    A weekly digest of client library updates from across the Cloud SDK.

    Java

    Changes for google-cloud-bigquery

    2.37.0 (2024-01-25)

    Features
    Dependencies
    • Update actions/upload-artifact action to v4.1.0 (#3071) (3fbb2bb)
    • Update actions/upload-artifact action to v4.2.0 (#3081) (af81354)
    • Update actions/upload-artifact action to v4.3.0 (#3091) (f4411b0)
    • Update arrow.version to v15 (#3084) (4d4cbae)
    • Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.35.0 (#3066) (48cdaa8)
    • Update dependency com.google.api.grpc:proto-google-cloud-bigqueryconnection-v1 to v2.36.0 (#3093) (24456a3)
    • Update dependency com.google.apis:google-api-services-bigquery to v2-rev20240105-2.0.0 (#3073) (f371d67)
    • Update dependency com.google.cloud:google-cloud-datacatalog-bom to v1.39.0 (#3067) (6ff4f04)
    • Update dependency com.google.cloud:google-cloud-datacatalog-bom to v1.40.0 (#3094) (110bcc5)
    • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.22.0 (#3080) (a5b119c)
    • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.23.0 (#3096) (0933b34)
    • Update dependency com.google.oauth-client:google-oauth-client-java6 to v1.35.0 (#3078) (2614df2)
    • Update dependency com.google.oauth-client:google-oauth-client-jetty to v1.35.0 (#3079) (f03c4fc)
    • Update github/codeql-action action to v2.23.0 (#3061) (0fbdfba)
    • Update github/codeql-action action to v2.23.1 (#3077) (e3f417c)

    Python

    Changes for google-cloud-bigquery

    3.17.1 (2024-01-24)

    Bug Fixes
    • Add pyarrow.large_string to the _ARROW_SCALAR_IDS_TO_BQ map (#1796) (b402a6d)
    • Retry 'job exceeded rate limits' for DDL queries (#1794) (39f33b2)

    3.17.0 (2024-01-24)

    Features
    Bug Fixes
    • query_and_wait now retains unknown query configuration _properties (#1793) (4ba4342)
    • Raise ValueError in query_and_wait with wrong job_config type (4ba4342)
    Documentation
    • Remove unused query code sample (#1769) (1f96439)
    • Update snippets.py to use query_and_wait (#1773) (d90602d)
    • Update multiple samples to change query to query_and_wait (#1784) (d1161dd)
    • Update the query with no cache sample to use query_and_wait API (#1770) (955a4cd)
    • Updates query to query and wait in samples/desktopapp/user_credentials.py (#1787) (89f1299)

    You can now use tags on BigQuery tables to conditionally grant or deny access with Identity and Access Management (IAM) policies. This feature is in preview.

    Cloud console updates: You can now sort query results by column. Click Open sort menu next to the column name and select a sort order. This feature is generally available (GA).

    Bigtable

    A weekly digest of client library updates from across the Cloud SDK.

    Java

    Changes for google-cloud-bigtable

    2.32.0 (2024-01-25)

    Features
    • Append version to the client name in client-side metrics. (#2062) (9a0cdc8)
    Bug Fixes
    • Deps: Update the Java code generator (gapic-generator-java) to 2.32.0 (#2060) (c218ac3)
    Dependencies
    • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.23.0 (#2076) (5d1079c)
    • Update dependency com.google.truth.extensions:truth-proto-extension to v1.3.0 (#2058) (1622a9f)
    • Update shared dependencies (#2056) (f73ba40)

    Cloud Logging

    A weekly digest of client library updates from across the Cloud SDK.

    Java

    Changes for google-cloud-logging

    3.15.16 (2024-01-25)

    Bug Fixes
    • deps: Update the Java code generator (gapic-generator-java) to 2.32.0 (#1511) (e2f574c)
    • Enable v2.LogEntry Protobufs converter functions (#1509) (9ef4d90)
    Dependencies
    • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.22.0 (#1510) (b40e846)
    • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.23.0 (#1518) (30ba9ed)

    Cloud Monitoring

    New event types for VM instances and for GKE Pods, Clusters, and Nodes, are now available to display on your dashboards. This feature is in Public Preview.

    Contact Center AI Platform

    All release notes published on this date are part of the 3.10 release.

    OAuth for Email Channel: Email channel authentication now supports Microsoft OAuth.

    Deltacast and Multicast, queue-level configuration: Admins can now designate a cast type (Multicast or Deltacast) at the queue level. The following updates are included:

    • Updated queue and global settings in the CCAP Platform Portal, featuring a dedicated Routing section to configure call or chat routing.
    • A new Deltacast Attempt Count setting that lets you configure how many times to attempt to Deltacast to a single agent before Multicasting.

    Chat translations: CCAI Platform now supports automatic translations in the Agent Chat Adapter. The end-user's message is automatically translated into the Agent Adapter's default language. Incoming messages are translated according to settings on the incoming queue. Responses from the agent are then automatically translated back into the end-user's language.

    Agent Call Adapter, answer button: The answer button has been updated to be more visible to agents.

    Email Chrome notification: CCAI Platform now offers Chrome push notifications to notify agents when they are assigned new emails.

    Pass CCAI Platform metadata to web chat Virtual Agent: You can now pass CCAIP metadata parameters to a Virtual Agent for web queues. For more information on adding a dynamic parameter see Pass Data Parameters.

    Fixed an issue that caused an agent to receive errors if they tried to send messages through the Blended SMS feature when custom messages were disabled.

    Fixed an issue where the Smart Actions menu wouldn't close if the agent was redacting the call.

    Fixed an issue where the displayed time of the participants joining the call was marked as invalid.

    Fixed an issue that caused some screens in the Agent Call Adapter to be displayed with a black background when the agent had dark mode activated in the Kustomer CRM.

    The search field for disposition codes is no longer case sensitive.

    Fixed an issue that prevented the use of the clipboard copy function while using a CRM in custom CRM view.

    Fixed an issue that caused a Dialogflow CX session to not last longer than 30 minutes.

    Fixed an issue where closing the participants' screen did not navigate the agent back to the call screen.

    Dataform Eventarc

    Eventarc support for creating triggers for direct events from Cloud Firestore is generally available (GA).

    Firestore

    Eventarc events and Firestore events for Cloud Functions (2nd gen) are now supported at the General Availability (GA) level.

    Firestore in Datastore mode

    Eventarc events and Firestore events for Cloud Functions (2nd gen) are now supported at the General Availability (GA) level.

    Immersive Stream for XR

    Mode and GPU class selection are available when creating new instances.

    • NVIDIA L4 GPUs are supported in certain regions.
    • 3D-only mode is available.

    Pub/Sub

    A weekly digest of client library updates from across the Cloud SDK.

    Go

    Changes for pubsub/apiv1

    1.36.0 (2024-01-26)

    Features
    • pubsub: Add ingestion_data_source_settings field to Topic (97d62c7)
    • pubsub: Add enforce_in_transit fields and optional annotations (97d62c7)
    Bug Fixes
    • pubsub: Move flow control release to callback completion (#9311) (2b6b0da)

    1.35.0 (2024-01-25)

    Features
    • pubsub: Support message filtering in pstest (#9015) (49231bf)

    Java

    Changes for google-cloud-pubsub

    1.126.2 (2024-01-26)

    Bug Fixes
    • deps: Update the Java code generator (gapic-generator-java) to 2.32.0 (#1875) (0aac3e4)
    Dependencies
    • Update dependency com.google.cloud:google-cloud-bigquery to v2.37.0 (#1878) (16dee8b)

    1.126.1 (2024-01-25)

    Dependencies
    • Update dependency com.google.cloud:google-cloud-bigquery to v2.36.0 (#1840) (8c5117d)
    • Update dependency com.google.cloud:google-cloud-core to v2.30.0 (#1853) (db36def)
    • Update dependency com.google.cloud:google-cloud-core to v2.31.0 (#1872) (06db9a0)
    • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.22.0 (#1865) (f4c6f51)
    • Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.23.0 (#1873) (0d445f1)
    • Update dependency com.google.cloud:google-cloud-storage to v2.32.0 (#1857) (d673e55)
    • Update dependency com.google.cloud:google-cloud-storage to v2.32.1 (#1874) (adae8a4)
    • Update dependency com.google.protobuf:protobuf-java-util to v3.25.2 (#1858) (8fa6354)

    SAP on Google Cloud

    New SAP HANA certification: Hyperdisk Balanced usage with M3 machine types

    For running SAP HANA on Google Cloud, SAP has certified using Hyperdisk Balanced with M3 machine types.

    For more information, see:

    Vertex AI

    Vertex Prediction

    You can now customize more deployment parameters when uploading your models, such as shared memory allocation and custom startup and readiness probes. These parameters may be useful when deploying LLMs.

    For more information, see Deploy generative AI models, Custom container requirements for prediction, and ModelContainerSpec.