Container-Optimized OS Release Notes: Milestone 97

cos-97-16919-450-41

Fixed bug in google-guest-agent service enablement.

Fixed CVE-2023-52439 in the Linux kernel.

Fixed CVE-2023-52434 in the Linux kernel.

Fixed CVE-2023-52435 in the Linux kernel.

Fixed CVE-2024-26589 in the Linux kernel.

Fixed CVE-2024-26585 in the Linux kernel.

Fixed CVE-2023-52443 in the Linux kernel.

cos-97-16919-450-34

Fixed CVE-2023-52447 in the Linux kernel.

Fixed CVE-2024-0727 in dev-libs/openssl.

Updated app-editors/vim to 9.0.2167. This fixed CVE-2023-48231, CVE-2023-48232, CVE-2023-48233, CVE-2023-48234, CVE-2023-48235, CVE-2023-48236, CVE-2023-48237, CVE-2023-48706, CVE-2024-22667.

cos-97-16919-450-30

Updated NVIDIA GPU drivers to v470.239.06 and v535.161.07. This fixes CVE-2024-0074, CVE-2024-0075 and CVE-2022-42265.

Updated cos-gpu-installer to v2.2.1. Fixed cached driver installation error with network disabled. Added force-fallback flag, major version specification for GPU driver installation and fixed ordering of kernel module loading for nvidia-modeset and nvidia-drm

cos-97-16919-450-26

Upgraded net-misc/curl to version 8.6.0. This fixes CVE-2024-0853.

Fixed CVE-2024-26581 in the Linux kernel.

Fixed CVE-2024-23851 in the Linux kernel.

Updated dev-libs/libxml2 to version 2.11.7. This fixes CVE-2024-25062.

Fixed CVE-2022-3566 in the Linux kernel.

Fixed CVE-2022-3567 in the Linux kernel.

cos-97-16919-450-16

Fixed CVE-2023-40546, CVE-2023-40547, CVE-2023-40549 and CVE-2023-40551 in sys-boot/shim.

Fixed CVE-2024-0567 and CVE-2024-0553 in net-libs/gnutls.

Fixed CVE-2024-1086 and CVE-2023-46838 in the linux kernel.

Fixed CVE-2023-5678 in dev-libs/openssl.

Fragmented nvidia-drivers and nvidia-drivers-open pkg into separate packages per major version.

cos-97-16919-450-7

Updated cos-gpu-installer to v2.1.10.

Fixed CVE-2023-6915 in the Linux kernel.

cos-97-16919-450-6

This is an LTS Refresh release.

Runtime sysctl changes:

• Added: net.ipv6.conf.all.accept_ra_min_lft: 0
• Added: net.ipv6.conf.default.accept_ra_min_lft: 0
• Added: net.ipv6.conf.docker0.accept_ra_min_lft: 0
• Added: net.ipv6.conf.eth0.accept_ra_min_lft: 0
• Added: net.ipv6.conf.lo.accept_ra_min_lft: 0
• Changed: fs.file-max: 813422 -> 813419
• Changed: net.ipv6.route.max_size: 4096 -> 2147483647

Updated latest NVIDIA GPU driver to 535.154.05.

Fixed CVE-2024-21626 in app-emulation/runc.

Fixed CVE-2023-3164 in sys-apps/gawk.

Fixed CVE-2024-22195 in dev-python/jinja.

Updated cos-gpu-installer to v2.1.10.

cos-97-16919-404-34

Upgraded dev-db/sqlite to v3.44.2-r2. This fixes CVE-2023-7104.

Fixed CVE-2023-48795 in net-misc/openssh.

cos-97-16919-404-33

Upgraded sys-apps/dbus to v1.12.28. This fixes CVE-2023-34969, CVE-2022-42012, CVE-2022-42011 and CVE-2022-42010.

Fixed CVE-2023-51385 in net-misc/openssh.

cos-97-16919-404-31

Updated net-misc/curl to v8.5.0. This resolves CVE-2023-46218.

Fixed CVE-2023-6932 in the Linux kernel.

Updated docker-credential-gcr to v2.1.21.

Fixed CVE-2023-6931 in the Linux kernel.

cos-97-16919-404-26

Fixed a container performance issue that occurred after running systemctl start cloud-audit-setup.

cos-97-16919-404-21

Fixed CVE-2023-46862 in the Linux kernel.

cos-97-16919-404-19

Updated NVIDIA GPU drivers. This resolves CVE-2023-31022.

Updated dev-libs/libxml2 to v2.11.5. This resolves CVE-2023-45322.

cos-97-16919-404-17

Fixed CVE-2023-46813 in the Linux kernel.

Updated app-editors/vim,app-editors/vim-core to v9.0.2092. This resolves CVE-2023-4733, CVE-2023-4734, CVE-2023-4735, CVE-2023-4736, CVE-2023-4738, CVE-2023-4750, CVE-2023-4752, CVE-2023-4781, CVE-2023-5344, CVE-2023-5441, CVE-2023-5535.

Updated net-libs/nghttp2 to v1.57.0. This resolves CVE-2023-44487 and CVE-2023-35945.

cos-97-16919-404-17

Fixed CVE-2023-46813 in the Linux kernel.

Updated net-libs/nghttp2 to v1.57.0. This resolves CVE-2023-44487 and CVE-2023-35945.

Updated app-editors/vim,app-editors/vim-core to v9.0.2092. This resolves CVE-2023-4733, CVE-2023-4734, CVE-2023-4735, CVE-2023-4736 CVE-2023-4738, CVE-2023-4750, CVE-2023-4752, CVE-2023-4781 CVE-2023-5344, CVE-2023-5441, CVE-2023-5535.

cos-97-16919-404-13

Fixed CVE-2023-5717 in the Linux kernel.

Fixed CVE-2023-42754 in the Linux kernel.

Updated google-guest-configs to 20230929.00.

Fixed CVE-2023-45863 in the Linux kernel.

cos-97-16919-404-9

Updated latest NVIDIA GPU drivers to v535.104.12.

Enable portmapper registration reporting for lsof. This also fixes an issue where lsof is missing from SOS reports.

cos-97-16919-404-4

This is an LTS Refresh Release.

Fix CVE-2023-42756 in COS kernel.

Upgraded net-misc/curl to version 8.4.0. This resolves CVE-2023-38545.

Runtime sysctl changes:

• Added: net.ipv4.tcp_migrate_req: 0
• Changed: fs.file-max: 813432 -> 813422
• Changed: net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd: 0 -> 3
• Changed: net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent: 0 -> 3

cos-97-16919-353-53

Fixed CVE-2023-38039 in net-misc/curl.

Updated cos-gpu-installer to v2.1.9.

Fixed CVE-2023-42753 in the Linux Kernel.

cos-97-16919-353-53

Upgraded cos-gpu-installer to v2.1.9.

Fixed CVE-2023-42753 in the Linux Kernel.

Fixed CVE-2023-38039 in net-misc/curl.

cos-97-16919-353-50

Fixed CVE-2023-4921 in the Linux kernel.

Fixed CVE-2023-4623 in the Linux kernel.

Fixed an issue where IPv6 networking would fail under high CPU load.

cos-97-16919-353-46

Fixed CVE-2023-4622 in the linux kernel.

cos-97-16919-353-44

Fixed problem with NFS reconnects when using DPv2 in kube-proxy-free mode.

Updated latest GPU driver to v535.104.05.

Changed error handling in get_metadata_value script to retry if connection error happens during instance metadata check.

Fixed the following CVEs in sys-libs/binutils-libs: CVE-2022-47007 CVE-2022-47008, CVE-2022-47010, CVE-2022-47011, CVE-2022-48063, CVE-2022-48064, CVE-2022-48065.

Updated cos-gpu-installer to v2.1.7. Switched precompiled driver and signature location to COS build artifacts.

cos-97-16919-353-31

Runtime sysctl changes:

• Added: kernel.io_uring_disabled: 0

Updated xz-utils to 5.2.9. This resolves CVE-2020-22916.

Enabled trusted IMA certificate loading from /etc/ima/pubkey.x509.

Enabled persistence mode with Nvidia GPU driver installation.

Fixed CVE-2023-4128 in the Linux kernel.

Upgraded sys-fs/mdadm to v4.2. This resolves CVE-2023-28938 and CVE-2023-28736.

Upgraded sys-process/procps to 3.3.17. This fixed CVE-2018-1121 and CVE-2023-4016.

cos-97-16919-353-23

Updated dev-libs/openssl to v1.1.1v. This resolves CVE-2023-3817.

Simplified GPU driver installation by remounting the driver installation path as executable from cos-extensions.

Upgrade app-misc/jq to v1.7_pre20201109-r1. This fixes CVE-2016-4074.

Fixed CVE-2023-4147 in the Linux kernel.

Fixed CVE-2023-4194 in the Linux kernel.

cos-97-16919-353-15

Fixed CVE-2022-40896 in dev-python/pygments.

Fixed CVE-2023-4004, CVE-2023-3777, CVE-2023-3776, CVE-2023-1206 and CVE-2023-3611 in the Linux kernel.

Fixed CVE-2022-28737 in sys-boot/shim.

Fixed CVE-2023-38408 in net-misc/openssh.

Fixed CVE-2023-32001 in net-misc/curl.

cos-97-16919-353-4

Fixed CVE-2023-35001 in the Linux kernel.

Fixed CVE-2023-31248 in the Linux kernel.

This is an LTS Refresh Release.

cos-97-16919-353-1

Runtime sysctl changes:

• Changed: net.core.bpf_jit_limit: 264241152 -> 528482304

Updated open-vm-tools to v12.2.5. This resolves CVE-2023-20867.

Updated containerd to v1.6.21

Updated default GPU driver to v470.199.02 and latest GPU driver to v525.125.06. This resolves CVE-2023-25515 and CVE-2023-25516.

Fixed CVE-2023-3609 in the Linux kernel.

Updated app-admin/google-osconfig-agent to v20230222.00.

Updated app-emulation/docker and app-emulation/docker-cli to v20.10.24.

cos-97-16919-294-51

Fixed CVE-2023-3090 in the Linux kernel.

Fixed CVE-2023-31486 in perl.

cos-97-16919-294-48

Upgraded sys-apps/file to v5.43-r1 to fix CVE-2019-18218.

Fixed CVE-2023-3268 in the Linux kernel.

cos-97-16919-294-44

Updated google-guest-configs to v20230526.00.

Fixed CVE-2023-34256 in the Linux kernel.

Updated toolbox to v20230615.

Fix CVE-2023-1972 in binutils.

cos-97-16919-294-35

Updated dev-libs/openssl to v1.1.1u. This resolves CVE-2023-2650.

Fixed CVE-2023-2124 in the Linux kernel.

Fixed CVE-2022-4269 in the Linux kernel.

Updated net-misc/curl to v8.1.0-r1. This resolves CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, and CVE-2023-28322.

cos-97-16919-294-28

Updated ncurses to v6.4p20220423. This resolves CVE-2023-29491.

cos-97-16919-294-27

Fixed CVE-2023-28842 in docker.

cos-97-16919-294-23

Updated app-emulation/cloud-init to 23.1.2 which fixes CVE-2023-1786.

Updated app-editors/vim, app-editors/vim-core to v9.0.1562. This resolves CVE-2023-2609, CVE-2023-2610, CVE-2023-2426.

Fixed CVE-2022-36109 in app-emulation/docker.

cos-97-16919-294-15

Updated app-emulation/docker to v20.10.14. This resolves CVE-2023-28840, CVE-2023-28841, CVE-2023-28842, CVE-2022-36109, CVE-2022-27652.

Updated dev-libs/libxml2 to v2.10.4. This resolves CVE-2023-28484.

cos-97-16919-294-12

Updated ncurses to v6.4p20220423. This resolves CVE-2023-29491.

Fixed an issue where chronyd does not restart after failure, resulting in the system time being out of sync.

Fallback to installing compatible drivers when installer is invoked for certain GPU devices and incompatible drivers.

Upgraded net-misc/curl to v8.0.1. This resolves CVE-2023-27534.

Fixed an issue where pstore is not cleaned at boot time if COS metrics are disabled.

This is an LTS Refresh Release.

Updated google-guest-agent to v20230330.00.

Updated containerd to v1.6.20.

Updated the Linux kernel to v5.10.176.

Added support for L4 GPU in cos-gpu-installer and fixed cached driver installation for prebuilt driver modules.

Enabled INET_DIAG_DESTROY kernel configuration.

Runtime sysctl changes:

• Added: kernel.oops_limit: 10000
• Added: kernel.warn_limit: 0
• Changed: net.netfilter.nf_conntrack_sctp_timeout_established: 432000 -> 210
• Deleted: net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked: 210

Removed CONFIG_NET_CLS_TCINDEX kernel config entry.

Fixed a use-after-free issue in net/sched in the Linux kernel.

Updated app-emulation/containerd to v1.6.18. This resolves CVE-2023-25173 and CVE-2023-25153.

Update containerd to v1.6.15

Updated cos-gpu-installer to v2.0.31. This adds support for gsp_tu10x.bin and gsp_ad10x.bin gsp firmware files and removes the container dependency on python2.

Upgraded Nvidia latest drivers from v510.108.03 to v525.60.13.

This is an LTS Refresh Release.

Updated containerd to v1.6.9.

Updated lvm2 to v2.03.14.

Updated the Linux kernel to v5.10.161.

Fixed no CNI info for pod sandbox on restart in app-emulation/containerd.

Updated curl to v7.86.0.

Set ManageForeignRoutes and ManageForeignRoutingPolicyRules to no in case cos.disable_systemd_route_mgmt is present in the kernel command line.

Runtime sysctl changes:

• Changed: fs.file-max: 813432 -> 813431

This is an LTS Refresh Release.

Enabled FANOTIFY_ACCESS_PERMISSIONS configuration in kernel.

Upgraded docker-credential-gcr to v2.1.5.

Updated the built-in kubectl/kubelet to v1.23.10.

Updated the Linux kernel to v5.10.147.

Updated stackdriver logging agent to v1.9.8.

Updated toolbox to v20220630.

Do not configure VM when opting out of a particular CIS benchmark.

Fixed an issue related to IP leakage in containerd.

Fixed an issue where the image may fail to boot boot due to mok out of resources error in the shim.

Updated Google OS Config Agent(aka VMManager) to v20220801.00.

Updated cos-gpu-installer to v2.0.27. This resolves the issue where multiple installers can be started in the same VM.

Upgraded the GPU driver version in the "latest" track to v510.47.03.

Updated cos-gpu-installer to v2.0.26. This resolves the compatibility issue with K80 GPU devices. When an incompatible driver version (R510+) is chosen in an instance with K80 GPU, the installer will automatically fall back to an available R470 driver version.

Fixed an issue causing zero verifier for FILE_SYNC and DATA_SYNC WRITEs.

Fixed a scenario of high contention state of the system in case filesystem is almost full and processes is trying to write content.

Fixed memory leak in the seccomp subsystem.

Fixed kdump on NVME disks.

Fixed issues in cos-gpu-installer where nvidia-peermem.ko was not installed and where driver signatures were included in the cached build tools.

Enable IOMMU_SUPPORT and IRQ_REMAP kernel configurations.

Updated default and latest Nvidia drivers to v470.141.03.

Updated toolbox to v20220722.

Moved the toolchain source from gs://chromiumos-sdk to gs://cos-sdk.

Fixed the bug in toolbox where long project name/container image tag can fail to run the toolbox container.

This is an LTS Refresh Release.

Updated cos-gpu-installer to fetch the COS toolchain from gs://cos-tools instead of gs://chromiumos-sdk.

Added pci=clearmsi option for kdump stackdriver.

Updated the Linux Kernel to v5.10.123.

Backported upstream patch to fix the issue where systemd affects BFQ IO setup.

Runtime sysctl changes:

• Changed: kernel.random.poolsize: 4096 -> 256
• Changed: kernel.random.write_wakeup_threshold: 896 -> 256

Fixed a Linux kernel write IOPS regression with nfsd.

Fixed the toolbox creation issue when service account is not available.

Fixed a bug in KTD LSM xattr handling.

Fixed an issue that prevented large cloud-configs (~256KB) from working properly.

Made /var/lib/chrony owned by chrony user.

Make CIS-Scanner show results for passing benchmarks.

Increased number of vCPUs support from 256 to 512.

Fixed the issue where kubelet fails on startup by adding cgroup-driver=systemd flag to kubelet.

This is an LTS Refresh release.

Updated app-admin/localtoast(cis_scanner) to v1.1.4.3.

Updated the Linux kernel to v5.10.107.

Added an option to cos-extensions for populating and resetting a cache of GPU driver dependencies.

Updated google-guest-configs to v20220211.00.

Updated CIS Scanner to v1.1.4.3.

Fixed a warning related to IPv4 parsing error in cloud-init.

Added get_status API in device policy manager.

Updated CIS Scanner to v1.1.4.2.

Fixed an issue in systemd to consider primary network interface configured only after non-link-local IPv4 address is available.

Enabled disk_setup module in cloud-init.

Enabled cgroup v2 and provided command-line interface to change cgroup versions.

Added CIS scanner (app-admin/localtoast) v1.1.4.1.

Renamed cos-alphabet-compliance to cis-compliance. cis-compliance will only install scripts needed to make the VM Level 2 CIS compliant.

Added the support to export logs of the cis-level1, cis-level2 and cis-compliance-scanner systemd services via stackdriver logging.

Added command "cos-extensions list -- --gpu-installer" to show the default cos-gpu-installer.

Enabled CONFIG_BFQ_GROUP_IOSCHED kernel configuration.

Set NVMe IO timeout to 4294967295

Fixed an issue in the Linux Kernel where I/Os would sometimes fail on SEV-enabled machines due to a full swiotlb buffer.

Fixed an issue related to shim exiting during system shutdown.

Enabled XDP support in the Linux Kernel.

Add LZ4 compression support in kernel.

Enable ipip and fou kernel modules.

Made XFRM statistics available at /proc/net/xfrm_stat.

Added SEV live migration support to the Linux kernel.

Added dev-libs/userspace-rcu package.

Auto-updates will now only occur within a single milestone. Upgrading your VMs to a new COS milestone will now require you to recreate your VMs.

Added Google Guest Configs package.

Added lsof package.

Enabled virtual console.

Enabled configuring NTP server using cloud-init.

Added support for NFSv4 Kerberos authentication.

Enabled IBLOCK and FILEIO iSCSI backing stores in the Linux kernel.

Disabled VDSO on ARM by default.

Enabled ipv4 and ipv6 in sshd.

Updated containerd to v1.6.0.

Updated the Linux kernel to v5.10.101.

Upgraded sys-fs/e2fsprogs to v1.46.4.

Upgraded sys-libs/e2fsprogs-libs to v1.46.4.

Upgraded sys-fs/xfsprogs to v5.14.2.

Updated app-admin/sosreport to v4.2.

Upgraded runc to v1.1.0.

Updated the built-in kubectl/kubelet to v1.23.3.

Updated oslogin to v20220113.00.

Updated docker-cli to v20.10.12.

Updated docker to v20.10.12.

Updated Linux Audit (sys-process/audit) to v3.0.6.

Updated sys-apps/shadow to v4.11.1.

Upgraded Google OS Config Agent(aka VMManager) to v20220107.00.

Updated UEFI shim to v15.4.

Updated the makedumpfile package to v1.7.0.

Updated the stackdriver logging agent to v1.9.4.

Updated the default toolbox container to v20211027.

Upgraded app-admin/google-guest-agent to v20220104.00.

Updated cloud-init to v21.4.

Updated systemd to v249.6.

Updated docker-credential-gcr to v2.1.0.

Updated ChromeOS base to ChromeOS version 14283.0.0.

Upgraded net-dns/c-ares to v1.17.2.

Updated node-problem-detector to v0.8.10.

Updated nanopb to v0.4.5 in KTD.

Runtime sysctl changes:

• Changed: net.ipv6.conf.all.forwarding: 1 -> 0
• Changed: net.ipv6.conf.default.forwarding: 1 -> 0
• Changed: net.ipv6.conf.docker0.forwarding: 1 -> 0
• Changed: net.ipv6.conf.eth0.forwarding: 1 -> 0
• Changed: net.ipv6.conf.lo.forwarding: 1 -> 0
• Changed: kernel.bootloader_type: 114 -> 6
• Changed: kernel.bootloader_version: 2 -> 38
• Changed: kernel.core_pattern: |/sbin/crash_reporter --user=%P:%s:%u:%g:%f -> |/bin/false
• Changed: kernel.core_pipe_limit: 4 -> 0
• Changed: kernel.threads-max: 63623 -> 63574
• Changed: net.ipv4.conf.all.log_martians: 0 -> 1
• Changed: net.ipv4.conf.default.log_martians: 0 -> 1
• Changed: net.ipv4.conf.docker0.log_martians: 0 -> 1
• Changed: net.ipv4.conf.eth0.log_martians: 0 -> 1
• Changed: user.max_cgroup_namespaces: 31811 -> 31787
• Changed: user.max_ipc_namespaces: 31811 -> 31787
• Changed: user.max_mnt_namespaces: 31811 -> 31787
• Changed: user.max_net_namespaces: 31811 -> 31787
• Changed: user.max_pid_namespaces: 31811 -> 31787
• Changed: user.max_time_namespaces: 31811 -> 31787
• Changed: user.max_user_namespaces: 31811 -> 31787
• Changed: user.max_uts_namespaces: 31811 -> 31787
• Added: dev.cdrom.autoclose: 1
• Added: dev.cdrom.autoeject: 0
• Added: dev.cdrom.check_media: 0
• Added: dev.cdrom.debug: 0
• Added: dev.cdrom.lock: 1
• Changed: fs.epoll.max_user_watches: 1667911 -> 1667891
• Changed: fs.file-max: 814101 -> 814087
• Changed: net.ipv4.tcp_mem: 94251 125668 188502 -> 94248 125667 188496
• Changed: net.ipv4.udp_mem: 188502 251336 377004 -> 188499 251335 376998

Fixed segmentation fault in ebtables.

Modified stackdriver logging default config to support multiple time formats which fixed bug of dropped logs in some conditions.

Updated toolbox script to use nspawn share system env var.

update cri-tools to v1.23.0.

Fixed a bug that created excessive warning logs on missing attrs.tag from container logs.

Updated cos-gpu-installer-v2 to v2.0.17 in cos-extensions.

Changed default file permissions used by stackdriver logging agent to not be world readable.