Release Notes: Milestone 69

Current Status

Image Family cos-69-lts
Deprecated After Dec 11, 2019
Kernel 4.14.145
Kubernetes v1.11.8
Docker v17.03.2

Changelog (vs Milestone 68)

cos-69-10895-385-0

Date: Oct 08, 2019
  • Upgraded the Linux kernel to 4.14.145.
  • Backported a kernel patch to ensure the cfs cgroup quota/period ratio always stays the same. This addresses a Kubernetes issue where the pod cgroup could be changed into an inconsistent state.

cos-69-10895-348-0

Date: Aug 30, 2019
  • Backported upstream writeback patches to fix a Docker hung issue.

cos-69-10895-329-0

Date: Aug 08, 2019
  • Upgraded the Linux kernel to v4.14.137. This resolves CVE-2019-1125.

cos-69-10895-299-0

Date: Jul 12, 2019
  • Fixed vulnerability in app-arch/bzip2 (CVE-2019-12900).
  • Updated kernel to version v4.14.132.
  • Fixed an issue introduced by NFLX-2019-001 fixes.

cos-69-10895-277-0

Date: Jun 19, 2019
  • Updated the Linux kernel to version 4.14.127 to resolve the NFLX-2019-001 TCP SACK vulnerabilities.

cos-69-10895-273-0

Date: Jun 17, 2019
  • Updated kernel to version v4.14.124.

cos-69-10895-255-0

Date: May 28, 2019
  • Upgraded curl to v7.64.1 to fix CVE-2018-16890.
  • Cherry-picked upstream patch https://patchwork.kernel.org/patch/10951403/ in kernel to fix a bug in lockd introduced by commit 01b79d20008d "lockd: Show pid of lockd for remote locks" in Linux kernel v4.14.105.
  • Rotated keys used by UEFI Secure Boot for signing and verifying the UEFI boot path.

cos-69-10895-242-0

Date: May 15, 2019
  • Merged Linux Stable Kernel 'v4.14.119' for resolving Microarchitectural Data Sampling (MDS) vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091).
  • Mitigated a mount hang issue in the Linux kernel.

cos-69-10895-211-0

Date: Apr 11, 2019
  • Fixed slow access to /sys/fs/cgroup/memory/memory.stat. This resolves kubelet performance degradation.

cos-69-10895-201-0

Date: Apr 01, 2019
  • Included perf tool in the image.
  • Included sosreport in the image.
  • Updated the built-in kubelet to 1.11.8.
  • Fixed an issue where Shielded VM integrity measurements weren't being logged properly.
  • Merged Linux Stable Kernel 'v4.14.106'.

cos-69-10895-172-0

Date: Feb 28, 2019
  • Enabled kernel.softlockup_all_cpu_backtrace. This was previously disabled to mitigate a kernel deadlock issue, which is now resolved.
  • Configured docker.service by setting RestartSecs=10 to always restart Docker after 10 seconds.

cos-69-10895-138-0

Date: Jan 24, 2019
  • Backported the fix for a deadlock issue in kernel panic.
  • Merged Linux Stable Kernel 'v4.14.91'.

cos-69-10895-123-0

Date: Jan 10, 2019
  • Set CONFIG_BLK_WBT_MQ=y to improve performance isolation on persistent disks. This fixes a bug where writes on a SSD persistent disk can affect performance on the Standard persistent boot disk.
  • Cherry-picked Ext4 commits that address FS inconsistencies caused by disruptions during NFS CREATE operation under certain conditions.
  • Merged Linux Stable Kernel 'v4.14.89'.

cos-69-10895-102-0

Date: Dec 20, 2018
  • Disabled auto update on shielded images. Images in cos-cloud are not impacted by this change.
  • Enabled the "metadata_csum" ext4 feature on the stateful partition. This also improves performance of boot-disk resize operation.
  • Apply IMA Policy only when cloud-audit-setup.service is explicitly run.

cos-69-10895-93-0

Date: Nov 16, 2018
  • Updated kernel to v4.14.79.
  • Fixed the bug that cloud-init can't write gzipped files.

cos-69-10895-91-0

Date: Oct 29, 2018
  • Fixed an issue where an interaction between IMA and NFS could cause deadlock.
  • Fixed a stackdriver-logging.service issue observed in Containers on Compute Engine.
  • PCID is now enabled by default when supported by the CPU platform.

cos-69-10895-85-0

Date: Oct 11, 2018
  • Reset softlockup_all_cpu_backtrace to '0' to avoid kernel deadlock on high CPU machines under certain circumstances.

cos-69-10895-71-0

Date: Oct 1, 2018
  • Removed userspace headers from kernel header artifact.

cos-69-10895-62-0

Date: Sept 18, 2018
  • Promoted to Stable channel.
  • Backport a fix to ensure that SCSI contributes to randomness when running rotational device. This addresses an issue where docker is slow to start because of low entropy on standard PDs since v4.14.63 merge.
  • Enabled CONFIG_RANDOM_TRUST_CPU to address entropy starvation on PD-SSD boot disks.
  • Upgraded OpenSSL to 1.0.2p.
  • Merged Linux stable version v4.14.65.
  • Backported the fix for a bug that write_files could handle for ASCII content, but not other content.
  • Backport fix for a kernel warning "WARNING: fs/overlayfs/readdir.c:393 ovl_iterate+0x25c/0x260 WARN_ON(!cache->refcount)".
  • Fix for Linux Kernel CVE-2018-12232.
  • Backport fixes for L1 Terminal Fault (L1TF) issue (CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646).
  • Fixes for CVE-2018-5391.
  • Fixed a softlockup issue that occurred on single VCPU VMs when using FUSE filesystems.
  • Updated Kubernetes to v1.11.1
  • Fixes for CVE-2018-5390.
  • Increase default kernel.pid_max to 2^22.
  • Merged Linux stable version v4.14.54 into the kernel.
  • Removed SCSI CD-ROM support. This resolves CVE-2018-11506.
  • Upgraded built-in kubelet to v1.11.0
  • Updated docker-credential-gcr to 1.5.0
  • Updated BUG_REPORT_URL in /etc/os-release.
  • Enabled NFS debug configs in the kernel.
  • Enabled tcp_bbr kernel module for TCP congestion control.
  • Upgraded Git to version 2.16.4 to fix CVE 2018-11235.
  • Set --disable-legacy-registry Docker config to true by default.
  • Updated Kubernetes to 1.10.4.
  • Updated sshd_config to drop cbc based Ciphers.
  • Updated root CA certificates to match Mozilla NSS 3.36.1.
  • Updated OpenSSL to 1.0.2o.