Meltdown patches

[dkg]

Any insights on Meltdown patches for containers?  I assume they are vulnerable (Intel Xeon), and that there is nothing I can do to patch it myself.

[Oleg Vinichenko]

yes, there is a new kernel for the containers.

[dkg]

Is there something that I need to do?  I don't seem to have a new kernel.

$ uname -a
Linux dkg 2.6.32-042stab123.3 #1 SMP Sun Jun 4 01:36:20 MDT 2017 x86_64 Intel(R) Xeon(R) CPU X5650 @ 2.67GHz GenuineIntel GNU/Linux

 

[Oleg Vinichenko]

containers are sharing the host node kernel. Update has to be performed on that servers.

[znavko]

Hello! If you search info about how to update/upgrade the kernel, check your kernel info: version and producer

# uname -r
4.14.2-1
# ls /boot
System.map-debian-sources-x86_64-4.14.2-1
System.map-debian-sources-x86_64-4.8.15-1
System.map-genkernel-x86_64-4.14.2-1
early_ucode.cpio
grub
initramfs-debian-sources-x86_64-4.14.2-1
initramfs-debian-sources-x86_64-4.8.15-1
initramfs-genkernel-x86_64-4.14.2-1
kernel-debian-sources-x86_64-4.14.2-1
kernel-debian-sources-x86_64-4.8.15-1
kernel-genkernel-x86_64-4.14.2-1
lost+found
memtest86.bin

# ls -la /usr/src/linux
lrwxrwxrwx 1 root root 27 янв  4 19:39 /usr/src/linux -> linux-debian-sources-4.14.2

The /usr/src/linux  points to /usr/src/linux-debian-sources-4.14.2 and the /boot directory contains debian-sorces archives. This says I use debian-sources.

Run these lines to upgrade the kernel

# eix-sync
# emere -auDN debian-sources

This will download and compile debian-sources that has meltdown&spectre  patch. Now this is linux-debian-sources-4.14.12-2. Directory /usr/src/linux-debian-sources-4.14.12-2 will appears. To check this run

# ls /usr/src
linux  linux-debian-sources-4.14.12  linux-debian-sources-4.14.2  linux-debian-sources-4.8.15

Also need the iniramfs in /boot. To check this

# ls /boot

or
# fdisk -l
# mount /dev/sda1 /boot
# ls /boot

If there is new kernel, update grub and reboot

# boot-update -v
# reboot

During booting grub will show you your new kernel version. But you will need to link /usr/src/linux to your new kernel for using it by default as described here https://www.funtoo.org/Funtoo_Linux_Kernels

# cd /usr/src
# rm linux
# ln -s linux-debian-sources-4.14.12 linux

 

[dkg]

9 hours ago, Oleg Vinichenko said:

containers are sharing the host node kernel. Update has to be performed on that servers.

Hi.  I understand that the containers share the kernel on the host, and that the host kernel needs to be updated.  What I do not now, not being familiar with OpenVZ, is whether something additional needs to happen with the container, like rebooting it.  However, I did reboot my container yesterday, and did not see an updated kernel.  Any timeline on when the host kernels will get patched?  I saw on the OpenVZ support forums that they released a new kernel.

[dkg]

6 hours ago, znavko said:

Hello! If you search info about how to update/upgrade the kernel, check your kernel info: version and producer

Hi.  Perhaps you didn't notice this was posted in the Funtoo Hosting forum.  I configure and compile my own kernels usually, but this is a completely different situation. :)

[pross]

Digital Ocean rolled out patches this week.

I had to update all our servers with a new kernel provided by Debian will the same sort of thing happen here?

[dkg]

2 hours ago, pross said:

Digital Ocean rolled out patches this week.

I had to update all our servers with a new kernel provided by Debian will the same sort of thing happen here?

When I checked my container last week, I found that it was running a patched kernel.

[pross]

On 28/01/2018 at 5:05 PM, dkg said:

When I checked my container last week, I found that it was running a patched kernel.

2.6.32-042stab127.2 you are right!

[drobbins]

We are currently deploying our 2nd-generation compute infrastructure which runs on LXD and debian-sources-4.14.12-2, which provides some mitigation for the recent exploits. We are also running the latest Intel microcode and will continually update as new fixes become available.