OpenVZ / OVZ-7070

Security Problem: No kernel updates in stable repos since Sept. 2018

    Details

    • Type: Dev Task
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Fix Version/s: Vz7.0-Update9
    • Component/s: Containers::Kernel
    • Security Level: Public
    • Environment:
      Virtuozzo Linux release 7.5

      Description

      Stable repos haven't received a kernel update since 3.10.0-862.11.6.vz7.64.7 which was built in August and released in September 2018.

      There have since been multiple security patches applied to the 3.10.0 kernel upstream and you guys have released ReadyKernel live patches, yet no actual kernel updates since September.

      If we were running CentOS 7 we would have these security patches already.

      I get that ReadyKernel is a premium feature, however you're doing the Linux world a disservice by ensuring everyone using Virtuozzo Linux 7 as an open source OS does not receive security patched kernel updates from the repos.

      I can think of two possible solutions to this:

      1. If you guys don't want to be spending time building patched kernels, then you really should just make ReadyKernel patches open to the public, or
      2. Simply release patched kernels to the repos like you have been for OpenVZ 6 on kernel 2.6.32

      7.8.0 (390) is the latest release showing: https://download.openvz.org/virtuozzo/releases/
      And the latest kernel is vzkernel-3.10.0-862.11.6.vz7.64.7.x86_64.rpm which is months behind in security patches: https://download.openvz.org/virtuozzo/releases/

        Activity

        khorenko Konstantin Khorenko added a comment -

        There is just a simple point: we do publish those stable (and fully tested) kernels which we build for Virtuozzo. Yes, now we try to make full kernel releases more rare: don't get us wrong, we don't want to make life of OpenVZ users worse on purpose: the reason is simple - customers do not like to reboot nodes often. Just because of SLA, I guess. Thus ReadyKernel helps us here: having security fixes without the need to reboot. And yes, this convenience is for money.

        And we don't build "last stable kernel" + "fixes handled by ReadyKernel" as a single full kernel and don't test it and correspondingly cannot publish it as "fully tested stable kernel", sorry.

        Nevertheless, nobody prohibits using kernels from the untested factory branch; they are updated nightly and quite stable except for moments of rebasing to a new major RHEL kernel (like from RHEL7.5 to RHEL7.6). Surely it's a good idea to try a new kernel on a limited number of nodes first. Just in case.

        https://download.openvz.org/virtuozzo/factory/x86_64/os/Packages/v/

        Or just build latest stable kernels with additional security patches yourself.
        Sources are available, src rpms (read - spec) are available, dev mailing list is public.
        All in your hands.

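The comment above leaves the operator with the job of telling whether the kernel a node is running is behind what the stable or factory repo offers. The following is an added example (not code from the OpenVZ issue or the Virtuozzo project) of that check: it implements the RPM version-comparison rules (numeric segments compare numerically, alpha segments lexically, a numeric segment beats an alpha one, a tilde sorts below everything) so that vzkernel release strings such as 3.10.0-862.11.6.vz7.64.7 compare the way rpm and yum compare them, and applies it to a `uname -r` value against a directory listing of kernel packages. The listing and the newer version numbers in it are constructed sample data, not real releases; the running-kernel string is the one named in the issue. Caret (^) ordering from newer rpm versions is not handled.

```python
"""Report whether a node's running vzkernel lags the newest vzkernel in a repo listing.

Added example, not part of the OpenVZ issue or project. Implements the rpmvercmp
ordering (tilde, numeric vs alpha segments, leftover segments) in pure Python so
no librpm binding is needed. Caret (^) handling is intentionally omitted.
"""
import re
from functools import cmp_to_key

# Segments rpm compares: runs of digits, runs of letters, or a lone tilde.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as rpm's rpmvercmp() orders a relative to b."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":          # tilde sorts below anything else
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():   # numeric vs numeric: compare as ints
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():  # numeric beats alpha
            return 1 if x.isdigit() else -1
        elif x != y:                      # alpha vs alpha: lexical
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # One side has leftover segments: it is newer unless the leftover starts with ~.
    a_is_longer = len(sa) > len(sb)
    head = (sa if a_is_longer else sb)[min(len(sa), len(sb))]
    if head == "~":
        return -1 if a_is_longer else 1
    return 1 if a_is_longer else -1


def parse_kernel(s: str) -> tuple:
    """Split a `uname -r` string or a vzkernel rpm filename into (version, release)."""
    s = re.sub(r"^vzkernel-", "", s)
    s = re.sub(r"\.rpm$", "", s)
    s = re.sub(r"\.(x86_64|noarch)$", "", s)
    version, release = s.split("-", 1)
    return version, release


def compare_kernels(a: str, b: str) -> int:
    """Order two kernels by version, then release, using rpm's rules."""
    va, ra = parse_kernel(a)
    vb, rb = parse_kernel(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def newest_kernel(listing) -> str:
    """Pick the newest vzkernel-<version> package from a list of filenames."""
    # 'vzkernel-' followed by a digit excludes vzkernel-devel, -debuginfo, etc.
    kernels = [f for f in listing if re.match(r"vzkernel-\d", f)]
    if not kernels:
        raise ValueError("no vzkernel packages in listing")
    return max(kernels, key=cmp_to_key(compare_kernels))


def kernel_lag(running: str, listing) -> dict:
    """Return the running kernel, the newest available, and whether the node is behind."""
    latest = newest_kernel(listing)
    return {"running": running, "latest": latest,
            "behind": compare_kernels(running, latest) < 0}


# Running kernel named in the issue (uname -r form).
RUNNING_KERNEL = "3.10.0-862.11.6.vz7.64.7.x86_64"

# Constructed directory listing; the 957.* entries are placeholders, not real releases.
SAMPLE_LISTING = [
    "vzkernel-3.10.0-862.11.6.vz7.64.7.x86_64.rpm",
    "vzkernel-devel-3.10.0-862.11.6.vz7.64.7.x86_64.rpm",
    "vzkernel-3.10.0-957.1.3.vz7.83.1.x86_64.rpm",
    "vzkernel-debuginfo-3.10.0-957.1.3.vz7.83.1.x86_64.rpm",
]

if __name__ == "__main__":
    report = kernel_lag(RUNNING_KERNEL, SAMPLE_LISTING)
    state = "BEHIND" if report["behind"] else "current"
    print(f"running {report['running']} / latest {report['latest']} -> {state}")
```

On a live node, feed `kernel_lag()` the output of `uname -r` and the filenames scraped from the stable or factory Packages/v/ index; a `behind` result on a stable-repo listing means a reboot into the packaged kernel is pending, while a `behind` result only against factory is the gap the comment describes, to be closed by ReadyKernel, by a canary rollout of the factory kernel, or by rebuilding from the published src rpms.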

    People

    • Assignee: khorenko Konstantin Khorenko
    • Reporter: websavers Websavers Inc
    • Votes: 0
    • Watchers: 2


    Time Tracking

    • Estimated: 1h (Original Estimate - 1 hour)
    • Remaining: 1h (Remaining Estimate - 1 hour)
    • Logged: Not Specified