OpenVZ Forum
Kernel panic [message #33833] Thu, 13 November 2008 17:06
lorenzo_3
Hi there,

I'm currently working for a webhoster, and we would like to integrate OpenVZ into our networking architecture.

We would also like to offer containers to people who want SSH access.
My problem is that if someone runs a local kernel panic exploit inside a VZ container, the whole box and all containers get knocked out.
If our boxes are located in a D.C., we won't be able to reboot them until the D.C. admin reboots the boxes manually.
This is actually a very big problem for us as a security matter, and I would like to know if there's a way to solve this problem.

Thank you for your time.

Regards
Re: Kernel panic [message #33834 is a reply to message #33833] Thu, 13 November 2008 17:44
khorenko
Hello,

Well, yes, as all Containers are running under one kernel on a Hardware Node, if someone triggers a kernel panic, all the Containers on this node will be affected. This is a "minus".

* But in fact not all exploits will work inside a Container, and this is a "plus". :)
* Next thing: not in all cases will you have to wait for a manual reboot:

- First, and the most useful in the current situation: you can add the "panic=N" kernel option to the bootloader config, and the kernel will reboot the node automatically "N" seconds after it gets a panic. This option really works in 99% of the cases when you get an oops.
- Second: you can ask the D.C. to configure remote power control - the simplest PDU, or a more intelligent separate card inserted into the server if possible - quite a widespread feature nowadays.

BTW, can you please share your experience - how many oopses due to exploits have you had over some period of time? (+ how many nodes there were in total, and how often did you upgrade kernels on them).

Thank you!

--
Konstantin


If your problem is solved - please, report it!
It's even more important than reporting the problem itself...
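A quick way to check and apply the first suggestion above (the "panic=N" boot option), as an added shell example that is not from this thread or the OpenVZ project; the kernel.panic and kernel.panic_on_oops sysctls and the sample kernel lines are my own additions, and the sample lines are constructed:

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a node is set to
# reboot itself after a kernel panic ("panic=N" boot option from the reply
# above, or the equivalent runtime sysctl kernel.panic), and build a
# corrected bootloader kernel line. Sample command lines are constructed.

# Print the N from "panic=N" in a kernel command line, or 0 if absent.
# In the kernel, 0 means "hang forever", N>0 reboot after N seconds,
# and a negative value reboot immediately.
panic_from_cmdline() {
    for tok in $1; do
        case "$tok" in
            panic=*) printf '%s\n' "${tok#panic=}"; return 0 ;;
        esac
    done
    printf '0\n'
}

# Exit 0 if the given command line configures an automatic reboot.
panic_reboot_configured() {
    n=$(panic_from_cmdline "$1")
    [ "$n" -ne 0 ]
}

# Rewrite a bootloader "kernel ..." line so it carries exactly one panic=N,
# replacing any existing value and appending one if none is present.
set_panic_opt() {
    line=$1; n=$2
    stripped=$(printf '%s\n' "$line" | sed -e 's/[[:space:]]panic=-\{0,1\}[0-9]*//g')
    printf '%s panic=%s\n' "$stripped" "$n"
}
# Live check on the running host: /proc/sys/kernel/panic is what the kernel
# actually consults, the boot option only initialises it. kernel.panic_on_oops=1
# additionally turns an oops into a panic so the timeout applies to oopses too.
report_host() {
    if [ -r /proc/sys/kernel/panic ]; then
        echo "kernel.panic = $(cat /proc/sys/kernel/panic)"
        echo "kernel.panic_on_oops = $(cat /proc/sys/kernel/panic_on_oops 2>/dev/null || echo '?')"
    fi
    if [ -r /proc/cmdline ]; then
        if panic_reboot_configured "$(cat /proc/cmdline)"; then
            echo "boot option panic=N present"
        else
            echo "no panic=N on the kernel command line; fix the kernel line, e.g.:"
            set_panic_opt "kernel /vmlinuz root=/dev/sda1 ro" 30   # constructed sample
        fi
    fi
}
```

Run report_host on the node to see the effective setting; a value of 0 for kernel.panic means the box will sit at the panic until someone power-cycles it.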
Re: Kernel panic [message #33836 is a reply to message #33834] Thu, 13 November 2008 18:01
lorenzo_3
finist wrote on Thu, 13 November 2008 12:44

Hello,
BTW, can you please share your experience - how many oopses due to exploits have you got for some period of time? (+ how many nodes there were total and how often did you upgrade kernels on them).

Thank you!


Thank you very much for your fast answer. The exploit is public,
and there's actually no patch for the moment (hxxp://www.securityfocus.com/bid/32154).
This exploit calls a panic instantly, and no logging is done in dmesg/syslog/messages on the container or on the
main box.


Regards
Re: Kernel panic [message #33839 is a reply to message #33836] Thu, 13 November 2008 19:22
kir

So, have you tried running it inside an OpenVZ container? What are your results? Which kernels are affected and which are not?

Kir Kolyshkin
Re: Kernel panic [message #33840 is a reply to message #33839] Thu, 13 November 2008 19:39
lorenzo_3
kir wrote on Thu, 13 November 2008 14:22

So, have you tried running it inside an OpenVZ container? What are your results?


Yes, and the whole box gets smashed in less than a second, plus you need to reboot the box manually.


Quote:

Which kernels are affected and which are not?


For the moment all, according to SecurityFocus; you can see it by clicking the link I've submitted in my previous post.

Also I tried this exploit on 2 OpenVZ kernel versions:
- 2.6.18
- 2.6.24

And on a normal Ubuntu box, fully updated:
2.6.27-7


Regards
Re: Kernel panic [message #33844 is a reply to message #33836] Fri, 14 November 2008 06:29
khorenko
Quote:

Thank you very much for your fast answer. The exploit is public,
and there's actually no patch for the moment


https://bugzilla.redhat.com/show_bug.cgi?id=470201

We're working on fixing that. :)

--
Konstantin


If your problem is solved - please, report it!
It's even more important than reporting the problem itself...