OpenVZ Forum


vzkernel-3.10.0-x releases stopped since Sept? [message #53463] Fri, 30 November 2018 19:22
websavers
Messages: 15
Registered: March 2018
Location: Halifax, NS
Junior Member
From: 170.10.225*
Hey OpenVZ devs... where are the security patched kernels for OpenVZ 7?

We get regular email alerts about security patches to both OpenVZ 6 and 7, yet only the OpenVZ 6 kernels have been released in the repos since September, despite multiple patches having been developed for the OpenVZ 7 kernel.

It's one thing to block the open source community's access to the ReadyKernel patches (even though many of us would surely pay for a KernelCare-like licensing structure for this feature), but a whole other, much more serious, thing to not even release security-patched kernel versions...

What's going on here?

And while we're on the topic, shouldn't these OpenVZ 7 kernel updates that never actually get compiled and released to the repos be set up with an RSS feed on openvz.org like the OpenVZ 6 kernel updates are?
Re: vzkernel-3.10.0-x releases stopped since Sept? [message #53464 is a reply to message #53463] Mon, 03 December 2018 15:03
khorenko
Messages: 493
Registered: January 2006
Location: Moscow, Russia
Senior Member
From: *virtuozzo.com
I answered the part about rare stable kernel updates at https://bugs.openvz.org/browse/OVZ-7070

websavers wrote on Fri, 30 November 2018 22:22
And while we're on the topic, shouldn't these OpenVZ 7 kernel updates that never actually get compiled and released to the repos be set up with an RSS feed on openvz.org like the OpenVZ 6 kernel updates are?


Those tags are compiled and put into the factory repo (nightly)
https://download.openvz.org/virtuozzo/factory/x86_64/os/Packages/v/
but they are not fully tested - there could be several builds a day, and surely they don't pass a full QA cycle - thus they are not marked stable and not put into the stable repo.


If your problem is solved - please, report it!
It's even more important than reporting the problem itself...
Re: vzkernel-3.10.0-x releases stopped since Sept? [message #53465 is a reply to message #53464] Mon, 03 December 2018 15:13
websavers
Messages: 15
Registered: March 2018
Location: Halifax, NS
Junior Member
From: 170.10.225*
So you're essentially saying:

1. The Virtuozzo devs only care about the security of OpenVZ 6 because you're stuck patching it still, and
2. The Virtuozzo devs think it's acceptable to leave their kernel vulnerable on countless OpenVZ 7 systems because the people that are using it should be paying you for a full Virtuozzo license if they want security.

That's pretty absurd. If I were running KVM on a CentOS 7 box, I would receive kernel patches as they are released by the CentOS 7 development team. At bare minimum Virtuozzo 7 should get a similar kernel patch/release cycle as CentOS 7 to apply the upstream kernel patches, even if that doesn't include OpenVZ 7 specific patches.

All that this policy does is serve to push people away from OpenVZ 7 to alternate platforms that don't treat security so poorly, which means your team's possibility of upgrading OpenVZ 7 users to a full Virtuozzo 7 license gets even slimmer. Why would you want to encourage that?

[Updated on: Mon, 03 December 2018 15:14]


Re: vzkernel-3.10.0-x releases stopped since Sept? [message #53466 is a reply to message #53465] Mon, 03 December 2018 16:10
khorenko
Messages: 493
Registered: January 2006
Location: Moscow, Russia
Senior Member
From: *virtuozzo.com
I'm essentially saying that Virtuozzo devs work on Virtuozzo - the paid version - and do as much as they can to make OpenVZ users happy, but with no additional devs/QA efforts (which are unpaid, sorry).
And building stable kernels + readykernel patches is an effort; it cannot be automated.
And TESTING them is a BIG effort, because tests do fail and QA (humans!) have to investigate issues.

Quote:
2. The Virtuozzo devs think it's acceptable to leave their kernel vulnerable on countless OpenVZ 7 systems because the people that are using it should be paying you for a full Virtuozzo license if they want security.

Surely not. I personally just think that people who use OpenVZ (and want to save their money) are quite experienced (otherwise how do they run a business without support?).
And if so, they can build kernels with security fixes themselves. This is a payment for saving money.

And again - this is my personal opinion only,
and people who make business decisions might have different ones.


Re: vzkernel-3.10.0-x releases stopped since Sept? [message #53467 is a reply to message #53466] Mon, 03 December 2018 19:58
TomvB
Messages: 26
Registered: July 2017
Location: -Root-
Junior Member
From: *worldstream.nl
There are also community users who use this technology for different projects..

Virtuozzo only gets positive name recognition by tackling this and publishing stable releases, including security updates. The use of OpenVZ and therefore also Virtuozzo will only decrease, while the product is good and powerful!
Compare it with the competitors. OpenVZ integration/support has been removed from many products.

I think that more priority should be given to OVZ7. Still the best solution for containers and I do not intend to use LXC or Proxmox.
Re: vzkernel-3.10.0-x releases stopped since Sept? [message #53468 is a reply to message #53466] Wed, 05 December 2018 22:55
devnull
Messages: 9
Registered: May 2012
Junior Member
From: 178.162.204*
Hello.

Please forgive my bad English, I am French...

Quote:
And if so, they can build kernels with security fixes themselves. This is a payment for saving money.


Seems legit! (and fair IMHO)

Just one question, is there somewhere a guide (even a short note would be fine) to build a kernel - marked as stable - plus security fixes?

Have a nice day!