Kernel panic [message #33833]
Thu, 13 November 2008 17:06
lorenzo_3
Hi there,
I'm currently working for a webhoster, and we would like to integrate OpenVZ into our networking architecture.
We would also like to offer containers to people who want SSH access.
My problem is that if someone exploits a local kernel-panic exploit inside a VZ container, the whole box and all containers get knocked out.
If our boxes are located in a D.C., we won't be able to reboot them until the D.C. admin reboots the boxes manually.
This is actually a very big problem for us as a security matter, and I would like to know if there's a way to solve it.
Thank you for your time.
Regards
Re: Kernel panic [message #33834 is a reply to message #33833]
Thu, 13 November 2008 17:44
khorenko
Hello,
well, yes, as all Containers are running under one kernel on a Hardware Node, if someone triggers a kernel panic, all the Containers on this node will be affected. This is a "minus".
* But in fact not all exploits will work inside a Container, and this is a "plus".
* Next thing - not in all cases will you have to wait for a manual reboot:
  - First, and the most useful in the current situation: you can add the "panic=N" kernel option to the bootloader config and the kernel will reboot the node automatically "N" seconds after it got a panic. This option really works in 99% of cases when you get an oops.
  - Second: you can ask the D.C. to configure remote power control - the simplest PDU or a more intelligent separate card inserted into the server if possible - quite a widespread feature nowadays.
BTW, can you please share your experience - how many oopses due to exploits have you got over some period of time? (+ how many nodes there were in total and how often you upgraded kernels on them.)
Thank you!
--
Konstantin
If your problem is solved - please report it!
It's even more important than reporting the problem itself...
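An added check for the panic=N mitigation described above (example code, not from the thread): it parses the timeout from the kernel command line, compares it with the live kernel.panic sysctl, and flags a node that would still hang after a panic. It assumes a Linux node with /proc mounted, and also reports kernel.panic_on_oops, since an oops only kills the faulting task unless that sysctl is 1; the parsing helpers take their input as arguments so they can be tried on constructed strings.

```shell
# Added example: verify that a Hardware Node will reboot itself after a kernel panic.
# Assumes Linux with /proc mounted; helpers take arguments so they can be tested offline.

# Print the effective "panic=N" value from a kernel command line.
# The last occurrence wins; anything non-numeric, or no option at all, yields 0 (= hang forever).
panic_timeout_from_cmdline() {
    timeout=0
    for word in $1; do
        case "$word" in
            panic=*) timeout="${word#panic=}" ;;
        esac
    done
    case "$timeout" in
        ''|*[!0-9-]*) timeout=0 ;;   # ignore garbage values
    esac
    printf '%s\n' "$timeout"
}

# Return 0 (true) if a panic timeout means the kernel will reboot on its own:
# N > 0 reboots after N seconds, N < 0 reboots immediately, 0 (the default) hangs.
will_auto_reboot() {
    case "$1" in
        0) return 1 ;;
        -[0-9]*|[1-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check of the running node: bootloader setting vs. the sysctl the kernel is actually using.
check_node() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    boot_timeout=$(panic_timeout_from_cmdline "$cmdline")
    live_timeout=$(cat /proc/sys/kernel/panic 2>/dev/null || echo 0)
    panic_on_oops=$(cat /proc/sys/kernel/panic_on_oops 2>/dev/null || echo 0)
    printf 'bootloader panic=      : %s\n' "$boot_timeout"
    printf 'kernel.panic (live)    : %s\n' "$live_timeout"
    printf 'kernel.panic_on_oops   : %s\n' "$panic_on_oops"
    if will_auto_reboot "$live_timeout"; then
        echo "OK: node reboots automatically after a panic"
    else
        echo "WARN: node will hang on panic; add panic=N to the bootloader config (or set kernel.panic)"
    fi
    if [ "$panic_on_oops" != "1" ]; then
        echo "NOTE: an oops only kills the faulting task; set kernel.panic_on_oops=1 to turn oopses into a panic"
    fi
}

check_node
```

Setting kernel.panic at runtime with sysctl covers the node until its next boot; the bootloader option is what makes it survive a reboot.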