dkg, posted January 7, 2018

Any insights on Meltdown patches for containers? I assume they are vulnerable (Intel Xeon), and that there is nothing I can do to patch it myself.
Oleg Vinichenko, posted January 8, 2018

Yes, there is a new kernel for the containers.
dkg (author), posted January 8, 2018

Is there something that I need to do? I don't seem to have a new kernel.

    $ uname -a
    Linux dkg 2.6.32-042stab123.3 #1 SMP Sun Jun 4 01:36:20 MDT 2017 x86_64 Intel(R) Xeon(R) CPU X5650 @ 2.67GHz GenuineIntel GNU/Linux
Oleg Vinichenko, posted January 8, 2018

Containers are sharing the host node kernel. The update has to be performed on those servers.
znavko, posted January 8, 2018

Hello! If you are looking for info on how to update/upgrade the kernel, first check your kernel info: version and producer.

    # uname -r
    4.14.2-1
    # ls /boot
    System.map-debian-sources-x86_64-4.14.2-1
    System.map-debian-sources-x86_64-4.8.15-1
    System.map-genkernel-x86_64-4.14.2-1
    early_ucode.cpio
    grub
    initramfs-debian-sources-x86_64-4.14.2-1
    initramfs-debian-sources-x86_64-4.8.15-1
    initramfs-genkernel-x86_64-4.14.2-1
    kernel-debian-sources-x86_64-4.14.2-1
    kernel-debian-sources-x86_64-4.8.15-1
    kernel-genkernel-x86_64-4.14.2-1
    lost+found
    memtest86.bin
    # ls -la /usr/src/linux
    lrwxrwxrwx 1 root root 27 янв 4 19:39 /usr/src/linux -> linux-debian-sources-4.14.2

/usr/src/linux points to /usr/src/linux-debian-sources-4.14.2 and the /boot directory contains debian-sources images. This says I use debian-sources.

Run these lines to upgrade the kernel:

    # eix-sync
    # emerge -auDN debian-sources

This will download and compile debian-sources, which has the meltdown&spectre patch. Right now this is linux-debian-sources-4.14.12-2. The directory /usr/src/linux-debian-sources-4.14.12-2 will appear. To check this, run:

    # ls /usr/src
    linux  linux-debian-sources-4.14.12  linux-debian-sources-4.14.2  linux-debian-sources-4.8.15

You also need the initramfs in /boot. To check this:

    # ls /boot

or

    # fdisk -l
    # mount /dev/sda1 /boot
    # ls /boot

If there is a new kernel, update grub and reboot:

    # boot-update -v
    # reboot

During booting, grub will show you your new kernel version. But you will need to link /usr/src/linux to your new kernel to use it by default, as described here: https://www.funtoo.org/Funtoo_Linux_Kernels

    # cd /usr/src
    # rm linux
    # ln -s linux-debian-sources-4.14.12 linux
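After an upgrade like the one above, or inside a container that shares its host's kernel as this thread discusses, the practical question is whether the running kernel actually reports a Meltdown/Spectre mitigation. The following script is an added example, not something posted in this thread; it reads the per-issue status files that newer kernels (and distro backports) expose under /sys/devices/system/cpu/vulnerabilities and classifies each one. The script name meltdown_check.sh and the VULN_DIR override are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread): summarise the kernel's own
# Meltdown/Spectre mitigation status from sysfs. Each file under
# /sys/devices/system/cpu/vulnerabilities/ holds one line such as
# "Mitigation: PTI", "Not affected" or "Vulnerable". Inside an OpenVZ or LXD
# container the files describe the shared host kernel, because the container
# has no kernel of its own. Kernels that predate this interface (for example
# the 2.6.32-based OpenVZ kernels seen in this thread) have no such directory
# at all; in that case the only handle is `uname -r` compared against the
# host provider's announcements, which this script cannot do for you.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"   # assumption: overridable for testing

# classify_status "<one status line>" -> prints one word:
#   mitigated | unaffected | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir <dir>: print "<issue> <status>" per file.
# Exit status: 0 = nothing vulnerable, 1 = at least one "Vulnerable" entry,
#              2 = directory missing (kernel too old to report).
report_dir() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel does not report mitigation status; compare uname -r with your host's patch notes" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(classify_status "$(cat "$f")")
        echo "${f##*/} $status"
        if [ "$status" = vulnerable ]; then
            rc=1
        fi
    done
    return $rc
}

# build_sample_dir: constructed sample data standing in for sysfs, so the
# classification logic can be exercised offline. Prints the directory path.
build_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n'            > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n'                 > "$d/spectre_v2"
    echo "$d"
}

# Run the live check only when executed directly as meltdown_check.sh;
# sourcing the file just defines the functions.
if [ "${0##*/}" = "meltdown_check.sh" ]; then
    report_dir "$VULN_DIR"
fi
```

Run it as `sh meltdown_check.sh` on the container; a non-zero exit status means either an unmitigated issue was reported (1) or the kernel is too old to report anything (2), and both cases deserve a follow-up with whoever maintains the host kernel.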
dkg (author), posted January 8, 2018

9 hours ago, Oleg Vinichenko said:
    Containers are sharing the host node kernel. The update has to be performed on those servers.

Hi. I understand that the containers share the kernel on the host, and that the host kernel needs to be updated. What I do not know, not being familiar with OpenVZ, is whether something additional needs to happen with the container, like rebooting it. However, I did reboot my container yesterday, and did not see an updated kernel. Any timeline on when the host kernels will get patched? I saw on the OpenVZ support forums that they released a new kernel.
dkg (author), posted January 8, 2018

6 hours ago, znavko said:
    Hello! If you are looking for info on how to update/upgrade the kernel, first check your kernel info: version and producer.

Hi. Perhaps you didn't notice this was posted in the Funtoo Hosting forum. I configure and compile my own kernels usually, but this is a completely different situation. :)
pross, posted January 28, 2018

Digital Ocean rolled out patches this week. I had to update all our servers with a new kernel provided by Debian. Will the same sort of thing happen here?
dkg (author), posted January 28, 2018

2 hours ago, pross said:
    Digital Ocean rolled out patches this week. I had to update all our servers with a new kernel provided by Debian. Will the same sort of thing happen here?

When I checked my container last week, I found that it was running a patched kernel.
pross, posted January 30, 2018

On 28/01/2018 at 5:05 PM, dkg said:
    When I checked my container last week, I found that it was running a patched kernel.

2.6.32-042stab127.2, you are right!
drobbins (Funtoo Linux BDFL), posted February 5, 2018

We are currently deploying our 2nd-generation compute infrastructure, which runs on LXD and debian-sources-4.14.12-2 and provides some mitigation for the recent exploits. We are also running the latest Intel microcode and will continually update as new fixes become available.