Current kernel version [message #33902]
Wed, 19 November 2008 10:49
goik
We are using CentOS 5.2 (aka RHEL 5.2) and are currently evaluating Virtuozzo.
The problem is that the current ovzkernel-2.6.18-92.1.13.el5.028stab059.3 is based on kernel-2.6.18-92.1.13.el5.src.rpm.
In the meantime Centos has released two newer kernel versions namely 2.6.18-92.1.17 and 2.6.18-92.1.18.
My problem is: these updated kernel packages may contain security-relevant fixes, and using OpenVZ may result in compromising all guest systems by running an outdated kernel.
Now I tried to apply the OpenVZ patches myself. But even patching kernel-2.6.18-92.1.18's spec file itself with the context diff from kernel-2.6.18-92.1.13 to ovzkernel-2.6.18-92.1.13... yields 3 failed hunks. And I'm quite pessimistic regarding patching the kernel sources themselves.
So my questions are:
1. Are there security considerations?
2. Do more recent kernel packages exist or is there a well defined path to create recent Centos/Rhel openvz kernel packages myself?
Regards, Martin
[Updated on: Wed, 19 November 2008 11:52] by Moderator
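A small check that matches Martin's concern, added here as an example and not code from the thread or from the OpenVZ project: it parses version strings in the two forms quoted above (package name or `uname -r` output), recovers the RHEL base an OpenVZ kernel was built from, and lists which CentOS kernels are newer than that base. The regular expression is an assumption about the naming scheme shown in the thread, and the version list is a constructed sample.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Names as they appear in the thread (prefix optional, so `uname -r` output works too):
#   kernel-2.6.18-92.1.13.el5                  CentOS/RHEL base kernel
#   ovzkernel-2.6.18-92.1.13.el5.028stab059.3  OpenVZ build on that base
_VERSION_RE = re.compile(
    r"^(?:(?:ovz)?kernel-)?"
    r"(?P<upstream>\d+(?:\.\d+)+)-"             # 2.6.18
    r"(?P<release>\d+(?:\.\d+)*)"               # 92.1.13  (RHEL errata release)
    r"\.el(?P<el>\d+)"                          # el5
    r"(?:\.(?P<stab>\d+stab\d+(?:\.\d+)*))?$"   # 028stab059.3 (OpenVZ-only suffix)
)


class KernelVersion(NamedTuple):
    upstream: Tuple[int, ...]
    release: Tuple[int, ...]
    el: int
    stab: Optional[str]

    @property
    def base(self) -> str:
        """The RHEL/CentOS kernel this build is based on, stab suffix dropped."""
        return "%s-%s.el%d" % (".".join(map(str, self.upstream)),
                               ".".join(map(str, self.release)), self.el)

    @property
    def base_key(self):
        # Segment-wise numeric order, which is what rpmvercmp yields for all-digit segments.
        return (self.upstream, self.release, self.el)


def parse(name: str) -> KernelVersion:
    m = _VERSION_RE.match(name.strip())
    if not m:
        raise ValueError("unrecognised kernel version: %r" % name)
    def nums(s): return tuple(int(x) for x in s.split("."))
    return KernelVersion(nums(m["upstream"]), nums(m["release"]), int(m["el"]), m["stab"])


def newer_bases(running: str, available: List[str]) -> List[str]:
    """CentOS base kernels in `available` that are newer than the base `running`
    was built from, oldest first. A non-empty result means the OVZ kernel lags
    upstream errata; whether a particular fix is actually missing still needs the
    OVZ changelog, since important patches may be backported without a full rebase."""
    cur = parse(running).base_key
    newer = [v for v in map(parse, available) if v.base_key > cur]
    return [v.base for v in sorted(newer, key=lambda v: v.base_key)]
```

Feeding it the running kernel's `uname -r` and the `kernel-*` package names from the CentOS updates repository gives the list of errata releases the OpenVZ kernel has not yet been rebased onto.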
Re: Current kernel version [message #33903 is a reply to message #33902]
Wed, 19 November 2008 11:38
khorenko
Hi Martin,
first of all
Quote: We are using CentOS 5.2 (aka RHEL 5.2) and are currently evaluating Virtuozzo.
As you are talking about OVZ kernels, I assume that you evaluate OVZ, not the Parallels Virtuozzo Containers (PVC). Just note - they are not the same, in particular in kernel update priorities - you can guess which of them has higher priority.
But this does not mean that things are so bad. Yes, sometimes we delay or even skip RHEL kernel updates and do not migrate PVC and OVZ kernels onto them. You've seen yourself that migration across RHEL kernels is not an easy task, and after each migration serious testing has to be done to make sure the new kernel works fine. This takes a lot of resources, and thus if we consider an update not so important from the OVZ point of view, we may delay/skip it.
One more note - sometimes we just take important patches from the next RHEL kernel update and backport them into our existing OVZ kernel based on the previous RHEL kernel. This allows us to have all important fixes in the current OVZ kernel but not to spend too much time on a complete migration.
Btw, recently there was a thread here about a publicly available exploit - this is a REAL security problem, and the kernel immune to it will be released soon, but again it will be based on the same 2.6.18-92.1.13 RHEL kernel.
So,
Quote: 1. Are there security considerations?
Surely we attentively track security issues and keep them fixed in our kernels.
Quote: 2. Do more recent kernel packages exist
No, but one more kernel will be released soon, again based on the 2.6.18-92.1.13 RHEL kernel.
Quote: or is there a well defined path to create recent Centos/Rhel openvz kernel packages myself?
Maybe for an OVZ user it would be easier to take the OVZ kernel and try to apply the RHEL patches that appeared in the next kernel update. But in any case it is a very non-trivial task.
--
Konstantin
If your problem is solved - please, report it!
It's even more important than reporting the problem itself...