Container-Optimized OS Release Notes: Milestone 85

Updated the default Nvidia driver version to v450.203.03.

Moved the toolchain source from gs://chromiumos-sdk to gs://cos-sdk.

Updated toolbox to v20220722.

This is an LTS Refresh Release.

Updated cos-gpu-installer to fetch the COS toolchain from gs://cos-tools instead of gs://chromiumos-sdk.

Added pci=clearmsi option for kdump stackdriver.

Updated the Linux kernel to v5.4.203.

Updated toolbox to v20220630.

Runtime sysctl changes:

• Changed: kernel.random.poolsize: 4096 -> 256
• Changed: kernel.random.write_wakeup_threshold: 896 -> 256
• Deleted: kernel.random.read_wakeup_threshold: 64

Fixed a bug in KTD LSM xattr handling.

Fixed an issue that prevented large cloud-configs (~256KB) from working properly.

This is an LTS Refresh Release.

Updated default GPU driver version to v450.172.01.

Updated containerd to v1.4.13.

Updated the Linux kernel to v5.4.188.

Added command cos-extensions list -- --gpu-installer to show the default cos-gpu-installer.

Upgraded cos-gpu-installer-v2 to v2.0.17 in cos-extensions. Refined error message for installing latest driver. Preinstalled dependencies are now detected separately.

Increased number of vCPUs support from 256 to 512.

Fixed get_status API in device policy manager.

Fixed an issue in containerd where layer hashes were sometimes computed incorrectly for large self-hosted containers.

This is an LTS Refresh Release.

Runtime sysctl changes:

• Changed: fs.epoll.max_user_watches: 1669181 -> 1669140
• Changed: fs.file-max: 814782 -> 814766
• Changed: kernel.threads-max: 63674 -> 63672
• Changed: net.ipv4.tcp_mem: 94323 125765 188646 -> 94320 125762 188640
• Changed: net.ipv4.udp_mem: 188646 251530 377292 -> 188643 251525 377286
• Changed: user.max_cgroup_namespaces: 31837 -> 31836
• Changed: user.max_ipc_namespaces: 31837 -> 31836
• Changed: user.max_mnt_namespaces: 31837 -> 31836
• Changed: user.max_net_namespaces: 31837 -> 31836
• Changed: user.max_pid_namespaces: 31837 -> 31836
• Changed: user.max_user_namespaces: 31837 -> 31836
• Changed: user.max_uts_namespaces: 31837 -> 31836

Fixed a kernel crash issue in Container Threat Detection.

Fixed UUID parsing in kernel crash dump collection.

Enabled cos-extensions to fetch artifacts with geo-redundancy when installing GPU driver.

This is an LTS Refresh Release.

Created kernel config file under /boot directory.

Updated the built-in kubectl/kubelet to v1.18.20.

Fixed an issue where GPU drivers wouldn't load due to being incorrectly linked.

Fixed cleanup context of teardownPodNetwork.

Added the cos.enable_ipv6 kernel command line option that enables IPv6 configuration. This option does not disable IPv4 configuration; COS always configures IPv4 by default.

Fixed an issue where enabling both IPv6 and IPv4 configuration on IPv4-exclusive networks resulted in slow boot times.

This is an LTS Refresh Release.

Updated containerd to v1.4.6.

Updated the built-in kubelet to v1.18.17.

Updated the Linux kernel to v5.4.129.

Upgraded the default GPU driver version to 450.119.04.

Upgraded tar to 1.34.

Upgraded sqlite to 3.34.1.

Fixed a memory leak in the GVE kernel driver.

Fixed a low network bandwidth issue in the Linux kernel.

Fixed a network regression on single-core systems when using the GVE network interface.

Fixed a network regression when using the GVE network interface.

Fixed CPU usage for workloads with heavy page cache usage.

Fixed an out-of-bounds write issue in the Linux kernel.

This is LTS Refresh Release.

Updated the Linux kernel to v5.4.109.

Updated the built-in kubectl/kubelet to v1.18.15.

Upgraded docker to v19.03.15

Added cos-package-info.json file containing the installed packages as well as packages used during build time of COS image.

Fixed an issue where firewall initialization would fail because ip6tables was not waiting to claim the xtables lock.

Fixed 32 x truesize under-estimation for tiny skbs in the Linux kernel.

This is LTS Refresh Release.

Updated the Linux kernel to upstream/v5.4.89.

Added support for the bpf_get_netns_cookie eBPF helper.

Updated cos-gpu-installer to v2.0.3 in cos-extensions. Fixed an issue in which installing GPU drivers was failing due to loading GPU kernel modules in incorrect order.

Fixed an authenication error when using go-dbus to connect systemd.

Updated Docker to v19.03.14.

Updated the built-in kubectl/kubelet to v1.18.13.

Updated containerd to v1.4.3.

Fixed an issue where sshd is restarted every minute if no oslogin users are returned by the metadata server.

cloud-init starts after network-online because cloud-init does not configure network for COS on GCP.

Backported INIT_STACK_ALL_ZERO to replace INIT_STACK_ALL.

Added PPP loadable modules back, which were removed in cos-rc-85-13310-1019-0.

Moved Docker's "registry-mirrors" configuration to the dockerd command line to address Kubernetes cluster provisioning errors.

Moved the configuration of Docker's "registry-mirrors" option from the dockerd command line to /etc/docker/daemon.json. This should allow users to configure a custom registry mirror, which can be useful when responding to recent Docker Hub free tier changes.

Upgraded kernel to upstream 5.4.

Improved eBPF debug and tracing functionality by enabling:
Compressed kernel headers
BTF (BPF Type Format) debug info.

Improved security by enabling more Kernel Self Protection Project (KSPP) settings:
Incorporate lockdown LSM.
Enable Clang's stack initialization.

Added XFS in preview mode.

Added NVMe userspace utilities support sys-apps/nvm-cli.

Added file system ACL userspace utilities sys-apps/acl.

Added FUSE userspace utilities support sys-fs/fuse.

Added cos-extensions userspace utilities support app-admin/extensions-manager.

Added nfs utils packages.

Added ext4 block bitmap prefetching feature.

Made chrony the default NTP client.

Made Python3 the default Python interpreter.

Reduced user home directory permissions to 750.

Disabled hung_on_panic by default.

Enforced kernel module signature verification by default.

Added the cos-extensions-manager package.

Removed the metrics daemon.

Backported upstream patch 'perf_event: support for LSM and SELinux check'.

Enabled utmp in systemd to allow creation of utmp files.

Upgraded KTD to its beta.

Upgraded gVNIC driver to v1.1.0.

Upgraded Nvidia GPU driver support to 450.51.06.

Upgraded containerd to v1.4.1.

Upgraded docker to v19.03.9.

Upgraded the built-in kubectl/kubelet to v1.18.9.

Upgraded docker-credential-gcr to v2.0.2.

Upgraded cloud-init to v19.4.

Upgraded node-problem-detector to v0.8.1.

Upgraded cos-toolbox to 20200715-00.

Upgraded oslogin to v20200507.00.

Upgraded compute-image-packages to v20191210.

Upgraded dump-capture-kernel to 4.19.

Upgraded makedumpfile to v1.6.7.

Upgraded Konlet to v0.11.0.

Upgraded runc to v1.1.0-rc10.

Upgraded openssl to 1.1.0l.

Updated toolbox base container image to include security patches.

Fixed a kernel bug where eBPF programs can cause softlockups.

Removed size limit on /etc/ to fix cluster creation failure because of large number of addons.

Fixed a bug that caused OS login to use excessive amounts of memory.

Updated e2fsprogs to fix partition resize issue.

Enabled utmp in systemd to allow creation of utmp files.

Made dioread_nolock non-default.

Increased kdump memory reservation to 256M for 8G-16G instances.

Added rsync back into the image, which was removed in cos-dev-77-12293-0-0.

Added mount exec option to /var/lib/containerd.