March 5, 2024 [GDC 1.12.1]
- Google Distributed Cloud air-gapped 1.12.1 is now available.
See the product overview to learn about the features of Google Distributed Cloud air-gapped.
Updated Canonical Ubuntu OS image version to 20240214 to apply the latest security patches and important updates. To take advantage of the bug and security vulnerability fixes, you must upgrade all nodes with each release. The following security vulnerabilities are fixed:
- CVE-2017-16516
- CVE-2020-14394
- CVE-2020-19726
- CVE-2020-24165
- CVE-2020-28493
- CVE-2021-3638
- CVE-2021-46174
- CVE-2022-1725
- CVE-2022-1771
- CVE-2022-1897
- CVE-2022-2000
- CVE-2022-24795
- CVE-2022-35205
- CVE-2022-44840
- CVE-2022-45703
- CVE-2022-47007
- CVE-2022-47008
- CVE-2022-47010
- CVE-2022-47011
- CVE-2023-0340
- CVE-2023-1544
- CVE-2023-23931
- CVE-2023-2861
- CVE-2023-2953
- CVE-2023-31085
- CVE-2023-3180
- CVE-2023-33460
- CVE-2023-3354
- CVE-2023-4408
- CVE-2023-4641
- CVE-2023-5517
- CVE-2023-6228
- CVE-2023-6277
- CVE-2023-6516
- CVE-2023-6915
- CVE-2023-22995
- CVE-2023-37453
- CVE-2023-39189
- CVE-2023-39192
- CVE-2023-39193
- CVE-2023-39804
- CVE-2023-42754
- CVE-2023-43040
- CVE-2023-45871
- CVE-2023-46218
- CVE-2023-46246
- CVE-2023-50387
- CVE-2023-4806
- CVE-2023-4813
- CVE-2023-48231
- CVE-2023-48233
- CVE-2023-48234
- CVE-2023-48235
- CVE-2023-48236
- CVE-2023-48237
- CVE-2023-48733
- CVE-2023-48795
- CVE-2023-50782
- CVE-2023-50868
- CVE-2023-51779
- CVE-2023-51781
- CVE-2023-51782
- CVE-2023-52356
- CVE-2023-5088
- CVE-2023-51764
- CVE-2023-5178
- CVE-2023-5717
- CVE-2023-6004
- CVE-2023-6040
- CVE-2023-6606
- CVE-2023-6918
- CVE-2023-6931
- CVE-2023-6932
- CVE-2023-7104
- CVE-2024-0553
- CVE-2024-0565
- CVE-2024-22195
- CVE-2024-22365
- CVE-2024-24806
Updated Rocky Linux image version to 20240131 to apply the latest security patches and important updates. To take advantage of the bug and security vulnerability fixes, you must upgrade all nodes with each release. The following security vulnerabilities are fixed:
The following container image security vulnerabilities are fixed:
- CVE-2022-2586
- CVE-2023-1829
- CVE-2023-1380
- CVE-2023-0286
- CVE-2023-0461
- CVE-2023-32233
- CVE-2022-0492
- CVE-2022-24407
- CVE-2023-1281
- CVE-2022-42703
- CVE-2022-34918
- CVE-2022-29581
- CVE-2022-21499
- CVE-2023-31436
- CVE-2022-3515
- CVE-2023-30456
- CVE-2022-32250
- CVE-2022-0001
- CVE-2022-0002
- CVE-2022-43945
- CVE-2022-2588
- CVE-2022-0778
- CVE-2022-23960
- CVE-2022-42896
- CVE-2022-2509
- CVE-2022-1016
- CVE-2021-3999
- CVE-2022-26373
- CVE-2022-3116
- CVE-2022-47673
- CVE-2022-20421
- CVE-2022-1516
- CVE-2022-3028
- CVE-2022-20423
- CVE-2022-1664
- CVE-2022-2318
- CVE-2022-1204
- CVE-2022-21123
- CVE-2021-4159
- CVE-2022-1353
- CVE-2022-47929
- CVE-2022-3586
- CVE-2022-2964
- CVE-2022-36946
- CVE-2022-32296
- CVE-2022-22942
- CVE-2022-0812
- CVE-2022-3643
- CVE-2022-3239
- CVE-2023-1095
- CVE-2022-3521
- CVE-2022-3564
- CVE-2022-1679
- CVE-2021-4083
- CVE-2022-43750
- CVE-2022-0435
- CVE-2022-24958
- CVE-2022-23039
- CVE-2022-2526
- CVE-2023-2162
- CVE-2022-3567
- CVE-2023-0266
- CVE-2021-28715
- CVE-2023-0215
- CVE-2021-4149
- CVE-2022-3111
- CVE-2021-45469
- CVE-2021-3923
- CVE-2022-3424
- CVE-2022-1304
- CVE-2023-31484
- CVE-2022-4304
- CVE-2022-3821
- CVE-2022-20369
- CVE-2022-25258
- CVE-2022-23040
- CVE-2022-1734
- CVE-2022-20566
- CVE-2022-3524
- CVE-2022-3640
- CVE-2022-2068
- CVE-2021-39685
- CVE-2022-25375
- CVE-2022-1462
- CVE-2023-25585
- CVE-2021-33655
- CVE-2022-2978
- CVE-2022-1199
- CVE-2022-2977
- CVE-2021-39698
- CVE-2022-41916
- CVE-2022-29900
- CVE-2021-4197
- CVE-2022-3646
- CVE-2022-2097
- CVE-2020-36516
- CVE-2022-1012
- CVE-2022-3628
- CVE-2022-2991
- CVE-2022-3061
- CVE-2021-3506
- CVE-2021-39711
- CVE-2022-20154
- CVE-2022-40768
- CVE-2022-21125
- CVE-2022-26966
- CVE-2022-29155
- CVE-2022-1419
- CVE-2022-23038
- CVE-2022-0487
- CVE-2018-16860
- CVE-2022-26365
- CVE-2022-33741
- CVE-2023-2513
- CVE-2023-1073
- CVE-2022-26490
- CVE-2018-25032
- CVE-2022-20572
- CVE-2021-45095
- CVE-2022-1205
- CVE-2021-4202
- CVE-2023-26545
- CVE-2022-40307
- CVE-2022-3545
- CVE-2022-47696
- CVE-2022-45934
- CVE-2022-42898
- CVE-2021-33656
- CVE-2022-48303
- CVE-2023-25588
- CVE-2022-4450
- CVE-2021-22600
- CVE-2022-42329
- CVE-2021-28714
- CVE-2023-2650
- CVE-2022-42895
- CVE-2020-35525
- CVE-2022-28389
- CVE-2023-0394
- CVE-2023-0458
- CVE-2022-20009
- CVE-2021-4155
- CVE-2023-0459
- CVE-2022-2663
- CVE-2022-41858
- CVE-2022-45142
- CVE-2022-3437
- CVE-2022-1011
- CVE-2022-37434
- CVE-2022-47629
- CVE-2022-3566
- CVE-2022-3649
- CVE-2022-2639
- CVE-2022-23036
- CVE-2022-20422
- CVE-2022-2153
- CVE-2022-20368
- CVE-2022-33742
- CVE-2023-1074
- CVE-2022-0330
- CVE-2022-29901
- CVE-2020-16156
- CVE-2021-43975
- CVE-2022-42328
- CVE-2022-35737
- CVE-2022-2503
- CVE-2022-33740
- CVE-2023-23559
- CVE-2022-23491
- CVE-2022-24448
- CVE-2022-30594
- CVE-2022-39188
- CVE-2021-44733
- CVE-2022-36879
- CVE-2023-25584
- CVE-2021-26401
- CVE-2022-4095
- CVE-2022-21166
- CVE-2023-29491
- CVE-2022-38533
- CVE-2022-1652
- CVE-2022-27666
- CVE-2022-28390
- CVE-2023-28328
- CVE-2022-3629
- CVE-2023-23455
- CVE-2022-44640
- CVE-2022-1271
- CVE-2022-33981
- CVE-2022-1292
- CVE-2022-28388
- CVE-2022-1048
- CVE-2022-33744
- CVE-2022-23042
- CVE-2022-36280
- CVE-2022-23037
- CVE-2021-44758
- CVE-2023-32269
- CVE-2022-34903
- CVE-2023-24540
- CVE-2023-24538
- CVE-2023-29405
- CVE-2023-29404
- CVE-2023-29402
- CVE-2023-29403
- CVE-2023-45287
- CVE-2023-29400
- CVE-2023-39323
- CVE-2023-45285
- CVE-2023-24537
- CVE-2022-41724
- CVE-2023-2253
- CVE-2023-44487
- CVE-2023-28840
- CVE-2023-24536
- CVE-2022-41725
- CVE-2023-24539
- CVE-2023-24534
- CVE-2023-39325
- CVE-2022-41723
- CVE-2023-29409
- CVE-2023-48795
- CVE-2023-24532
- CVE-2023-29406
- CVE-2023-39326
- CVE-2023-28842
- CVE-2023-39318
- CVE-2023-3978
- CVE-2023-39319
- CVE-2023-28841
- CVE-2024-20952
- CVE-2024-20918
- CVE-2024-20932
- GHSA-m425-mq94-257g
- GHSA-jq35-85cj-fj4p
Backup and restore:
- An issue prevents volume backups to org buckets.
- The backup route to orgs fails.
Cluster management:
- User clusters with Kubernetes version 1.27.x might have node pools that fail to initialize.
Istio:
- Pods in the ImagePullBackOff state with the Back-off pulling image "auto" event.
File and block storage:
- When upgrading from 1.11.1 to 1.12.1, file-netapp-trident subcomponent rollout might fail.
Hardware security module:
- A rotatable secret for hardware security modules is in an unknown state.
Logging:
- When upgrading from 1.11.1 to 1.12.1, ValidatingWebhookConfigurations, MutatingWebhookConfigurations, and MonitoringRules deployed by the Log component might fail to upgrade.
- The cortex-ingester pod shows an OOMKilled status.
- After enabling logs export to an external SIEM destination, the forwarded logs don't contain any Kubernetes API server logs.
Monitoring:
- Configuring the ServiceNow webhook results in Lifecycle Management (LCM) re-reconciling and reverting the changes made to the ConfigMap object mon-alertmanager-servicenow-webhook-backend and the Secret object mon-alertmanager-servicenow-webhook-backend in the mon-system namespace.
- When upgrading from 1.11.x to 1.12.1, Cortex bucket deletion might fail.
- Audit logs and operational logs are not collected.
- The metrics storage class is incorrectly defined in the configuration.
- The mon-prober-backend-prometheus-config ConfigMap gets reset to include no probe jobs, and alert MON-A0001 is triggered.
Networking:
- GDC experiences issues with VM and container updates, termination, and scheduling.
- The preinstall script fails on several switches.
- Upgrading from 1.11 to 1.12.1 fails due to an unsuccessful generation of the hairpinlink custom resource.
Node platform:
- When upgrading from 1.11.x to 1.12.1, a switch image download pod might get stuck in the ErrImagePull state.
- When upgrading from 1.11.x to 1.12.1, the host firewall blocks the switch image downloading.
NTP server:
- The NTP relay server pod crashes after restarting.
- The NTP relay job pod crashes after restarting.
Physical servers:
- When upgrading from 1.11.x to 1.12.1, NodeUpgrade contains multiple versions for the same hardware model, blocking firmware upgrade verification.
- When installing a server manually, the server installation might get stuck.
- The servers are stuck in the provisioning state.
- A NodePool has a server in unknown state during creation.
System artifact registry:
- Harbor crash loops after an ABM upgrade.
Upgrade:
- When upgrading from 1.11.x to 1.12.1, node upgrade gets stuck with the MaintenanceModeHealthCheckReady undrain error.
- When upgrading from 1.11.x to 1.12.1, a cluster node might not exit the maintenance mode due to a health check failure for registy_mirror.
- OS in-place node upgrade might stop responding.
- When upgrading from HW2.0 and Ubuntu, the node upgrade incorrectly displays RockyLinux.
Vertex AI:
- The MonitoringTarget shows a Not Ready status when user clusters are being created, causing pre-trained APIs to continually show an Enabling state in the user interface.
VM manager:
- When upgrading from 1.11.x to 1.12.x, a VM might not be ready due to too many pods.
- VMRuntime might not be ready due to network-controller-manager installation failure.
Billing:
- Fixed the issue causing the patch upgrade to fail with the upgrade check.
- Fixed the issue causing the creation of multiple billing-storage-init-job objects.
Firewall:
- Fixed the issue with blocked traffic to object storage from the bootstrapper, caused by a deny policy configured on port 8082.
Monitoring:
- Fixed the issue of not collecting metrics from the user clusters, affecting the user VM clusters but not the system cluster.
- Fixed the issue of primary Prometheus sending metrics to Cortex tenant across cluster boundaries.
Operations Suite Infrastructure Core Services (OIC):
- Fixed the issue where Desired State Configuration (DSC) returns incorrect results and fails to update resources.
- Fixed the issue where Microsoft System Center Configuration Manager (SCCM) deployment doesn't finish successfully and requires manual intervention to fix.
VM Backup and Restore:
- Fixed an issue where role-based access control (RBAC) and schema settings in the VM manager were stopping users from starting VM backup and restore processes.
Add-on Manager:
- The Google Distributed Cloud version is updated to 1.28.100-gke.150 to apply the latest security patches and important updates.
Operations Suite Infrastructure Core Services (OIC):
Google Distributed Cloud air-gapped 1.12.1 added instructions for partners to prepare OIC artifacts excluded from the release.
Security Information and Event Management (SIEM):
Splunk Enterprise and Splunk Universal Forwarder are upgraded to version 9.1.3.
Version update:
The Debian-based image version is updated to bookworm-v1.0.1-gke.1.