10:24 a.m.
Hi,
besides the kernel and microcode updates are there also updates of ovirt-
engine and vdsm nessessary and if so, is there a timeline when the patches can
be expected?
If there are Patches nessessary will there also be updates for ovirt 4.1 or
only 4.2?
Thanks
Marcel
1:31 p.m.
On 4 January 2018 at 09:24, Marcel Hanke <marcel.hanke(a)1und1.de> wrote:
Hi,
besides the kernel and microcode updates are there also updates of ovirt-
engine and vdsm nessessary and if so, is there a timeline when the patches can
be expected?
If there are Patches nessessary will there also be updates for ovirt 4.1 or
only 4.2?
Looking at the relevant Red Hat announcement:
https://access.redhat.com/security/vulnerabilities/speculativeexecution
It seems that no packages that are derived directly from oVirt were updated.
You can see qemu-kvm-rhev there, which is quemu-kvm-ev in CentOS -
that used to be distributed by oVirt, but these days its is shipped as
part of the CentOS VirtSIG repo.
AFAIK none of those components were released on CentOS yet, so if
you're running oVirt on CentOS you'll need to wait.
I suppose oVirt packages and install scripts will be updated over the
next few days to require the newer packages, but you do not need to
wait for those updates to patch your systems, you can probably patch
as soon as the updates are made available.
Once updates are available, a new node and engine-apppliance images
will probably also be built and released.
Please note that the above as mostly a rough estimate based on my
familiarity with the processes involved, I am not directly affiliated
with any of the teams handling the response to these CVEs.
--
Barak Korren
RHV DevOps team , RHCE, RHCi
Red Hat EMEA
redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted
7:21 p.m.
On Thu, Jan 4, 2018 at 12:31 PM, Barak Korren <bkorren(a)redhat.com> wrote:
On 4 January 2018 at 09:24, Marcel Hanke
<marcel.hanke(a)1und1.de> wrote:
> Hi,
> besides the kernel and microcode updates are there also updates of ovirt-
> engine and vdsm nessessary and if so, is there a timeline when the
patches can
> be expected?
> If there are Patches nessessary will there also be updates for ovirt 4.1
or
> only 4.2?
Looking at the relevant Red Hat announcement:
https://access.redhat.com/security/vulnerabilities/speculativeexecution
It seems that no packages that are derived directly from oVirt were
updated.
You can see qemu-kvm-rhev there, which is quemu-kvm-ev in CentOS -
that used to be distributed by oVirt, but these days its is shipped as
part of the CentOS VirtSIG repo.
AFAIK none of those components were released on CentOS yet, so if
you're running oVirt on CentOS you'll need to wait.
CentOS kernel, microcode_ctl and linux-firmware have been released.
See [1] for example. I'm sure others will follow.
Y.
[1]
https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html
I suppose oVirt packages and install scripts will be updated over the
next few days to require the newer packages, but you do not need to
wait for those updates to patch your systems, you can probably patch
as soon as the updates are made available.
Once updates are available, a new node and engine-apppliance images
will probably also be built and released.
Please note that the above as mostly a rough estimate based on my
familiarity with the processes involved, I am not directly affiliated
with any of the teams handling the response to these CVEs.
--
Barak Korren
RHV DevOps team , RHCE, RHCi
Red Hat EMEA
redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
12:16 a.m.
2018-01-04 17:21 GMT+01:00 Yaniv Kaul <ykaul(a)redhat.com>:
On Thu, Jan 4, 2018 at 12:31 PM, Barak Korren <bkorren(a)redhat.com> wrote:
> On 4 January 2018 at 09:24, Marcel Hanke <marcel.hanke(a)1und1.de> wrote:
> > Hi,
> > besides the kernel and microcode updates are there also updates of
> ovirt-
> > engine and vdsm nessessary and if so, is there a timeline when the
> patches can
> > be expected?
> > If there are Patches nessessary will there also be updates for ovirt
> 4.1 or
> > only 4.2?
>
> Looking at the relevant Red Hat announcement:
> https://access.redhat.com/security/vulnerabilities/speculativeexecution
>
> It seems that no packages that are derived directly from oVirt were
> updated.
> You can see qemu-kvm-rhev there, which is quemu-kvm-ev in CentOS -
> that used to be distributed by oVirt, but these days its is shipped as
> part of the CentOS VirtSIG repo.
>
> AFAIK none of those components were released on CentOS yet, so if
> you're running oVirt on CentOS you'll need to wait.
>
CentOS kernel, microcode_ctl and linux-firmware have been released.
See [1] for example. I'm sure others will follow.
Y.
[1] https://lists.centos.org/pipermail/centos-announce/
2018-January/022696.html
qemu-kvm-ev has also been tagged for release, will be in next batch or
earlier if I can find kbsing for manually push it.
> I suppose oVirt packages and install scripts will be updated over the
> next few days to require the newer packages, but you do not need to
> wait for those updates to patch your systems, you can probably patch
> as soon as the updates are made available.
>
> Once updates are available, a new node and engine-apppliance images
> will probably also be built and released.
>
> Please note that the above as mostly a rough estimate based on my
> familiarity with the processes involved, I am not directly affiliated
> with any of the teams handling the response to these CVEs.
>
> --
> Barak Korren
> RHV DevOps team , RHCE, RHCi
> Red Hat EMEA
> redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
SANDRO BONAZZOLA
ASSOCIATE MANAGER, SOFTWARE ENGINEERING, EMEA ENG VIRTUALIZATION R&D
Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
12:28 a.m.
--Apple-Mail=_78F19FC9-4529-459D-8AFF-F81CDA40E6C7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=utf-8
On 4 Jan 2018, at 22:16, Sandro Bonazzola <sbonazzo(a)redhat.com>
wrote:
=20
=20
=20
2018-01-04 17:21 GMT+01:00 Yaniv Kaul <ykaul(a)redhat.com =
<mailto:ykaul@redhat.com>>:
=20
=20
On Thu, Jan 4, 2018 at 12:31 PM, Barak Korren <bkorren(a)redhat.com =
<mailto:bkorren@redhat.com>> wrote:
On 4 January 2018 at 09:24, Marcel Hanke <marcel.hanke(a)1und1.de =
<mailto:marcel.hanke@1und1.de>> wrote:
> Hi,
> besides the kernel and microcode updates are there also updates of =
ovirt-
> engine and vdsm nessessary and if so, is there a timeline when
the =
patches can
> be expected?
yes there are
right after the base OS is completely covered
> If there are Patches nessessary will there also be updates for
ovirt =
4.1 or
> only 4.2?
4.1 will be covered
=20
Looking at the relevant Red Hat announcement:
=
https://access.redhat.com/security/vulnerabilities/speculativeexecution =
<https://access.redhat.com/security/vulnerabilities/speculativeexecution>
=20
It seems that no packages that are derived directly from oVirt were =
updated.
they are, the page is updating as it progresses
You can see qemu-kvm-rhev there, which is quemu-kvm-ev in CentOS -
that used to be distributed by oVirt, but these days its is shipped as
part of the CentOS VirtSIG repo.
=20
AFAIK none of those components were released on CentOS yet, so if
you're running oVirt on CentOS you'll need to wait.
=20
CentOS kernel, microcode_ctl and linux-firmware have been released.
See [1] for example. I'm sure others will follow.
Y.
=20
[1] =
https://lists.centos.org/pipermail/centos-announce/2018-January/022696.htm=
l =
<https://lists.centos.org/pipermail/centos-announce/2018-January/022696.ht=
ml>
=20
=20
qemu-kvm-ev has also been tagged for release, will be in next batch or =
earlier if
I can find kbsing for manually push it.
=20
=20
=20
=20
=20
I suppose oVirt packages and install scripts will be updated over the
next few days to require the newer packages, but you do not need to
wait for those updates to patch your systems, you can probably patch
as soon as the updates are made available.
I suggest to start with the kernel
But please do read up on the various variants and mitigations. You may =
not necessarily need all of them
Also, you may lack the right firmware/microcode updates from your CPU =
vendor at the moment. Red Hat's microcode package only contains those =
which were released by Intel/AMD so far.
Thanks,
michal
=20
Once updates are available, a new node and engine-apppliance images
will probably also be built and released.
=20
Please note that the above as mostly a rough estimate based on my
familiarity with the processes involved, I am not directly affiliated
with any of the teams handling the response to these CVEs.
=20
--
Barak Korren
RHV DevOps team , RHCE, RHCi
Red Hat EMEA
redhat.com <http://redhat.com/> | TRIED. TESTED. TRUSTED. | =
redhat.com/trusted <http://redhat.com/trusted>
_______________________________________________
Users mailing list
Users(a)ovirt.org <mailto:Users@ovirt.org>
http://lists.ovirt.org/mailman/listinfo/users =
<http://lists.ovirt.org/mailman/listinfo/users>
>=20
>=20
_______________________________________________
Users mailing list
Users(a)ovirt.org <mailto:Users@ovirt.org>
http://lists.ovirt.org/mailman/listinfo/users =
<http://lists.ovirt.org/mailman/listinfo/users>
=20
=20
=20
=20
--=20
SANDRO BONAZZOLA
ASSOCIATE MANAGER, SOFTWARE ENGINEERING, EMEA ENG VIRTUALIZATION R&D
Red Hat=C2=A0EMEA <https://www.redhat.com/>
<https://red.ht/sig>=09
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--Apple-Mail=_78F19FC9-4529-459D-8AFF-F81CDA40E6C7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset=us-ascii
<html><head><meta http-equiv=3D"Content-Type"
content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;"
class=3D""><br =
class=3D""><div><br class=3D""><blockquote
type=3D"cite" class=3D""><div =
class=3D"">On 4 Jan 2018, at 22:16, Sandro Bonazzola <<a =
href=3D"mailto:sbonazzo@redhat.com"
class=3D"">sbonazzo(a)redhat.com</a>&gt;=
wrote:</div><br class=3D"Apple-interchange-newline"><div
class=3D""><div =
dir=3D"ltr" class=3D""><br class=3D""><div
class=3D"gmail_extra"><br =
class=3D""><div class=3D"gmail_quote">2018-01-04 17:21
GMT+01:00 Yaniv =
Kaul <span dir=3D"ltr" class=3D""><<a
href=3D"mailto:ykaul@redhat.com" =
target=3D"_blank"
class=3D"">ykaul@redhat.com</a>></span>:<br =
class=3D""><blockquote class=3D"gmail_quote"
style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr" =
class=3D""><br class=3D""><div
class=3D"gmail_extra"><br class=3D""><div =
class=3D"gmail_quote"><span class=3D"">On Thu, Jan 4, 2018 at
12:31 PM, =
Barak Korren <span dir=3D"ltr" class=3D""><<a =
href=3D"mailto:bkorren@redhat.com" target=3D"_blank" =
class=3D"">bkorren(a)redhat.com</a>&gt;</span> wrote:<br =
class=3D""><blockquote class=3D"gmail_quote"
style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span =
class=3D"m_438005550949541432gmail-">On 4 January 2018 at 09:24, Marcel =
Hanke <<a href=3D"mailto:marcel.hanke@1und1.de"
target=3D"_blank" =
class=3D"">marcel.hanke(a)1und1.de</a>&gt; wrote:<br
class=3D"">
> Hi,<br class=3D"">
> besides the kernel and microcode updates are there also updates of =
ovirt-<br class=3D"">
> engine and vdsm nessessary and if so, is there a timeline when the =
patches can<br class=3D"">
> be expected?<br =
class=3D""></span></blockquote></span></div></div></div></blockquote></div=
</div></div></div></blockquote><div><br
class=3D""></div>yes there =
are</div><div>right
after the base OS is completely =
covered</div><div><br class=3D""><blockquote
type=3D"cite" class=3D""><div=
class=3D""><div dir=3D"ltr" class=3D""><div
class=3D"gmail_extra"><div =
class=3D"gmail_quote"><blockquote class=3D"gmail_quote"
style=3D"margin:0 =
0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div
dir=3D"ltr" =
class=3D""><div class=3D"gmail_extra"><div
class=3D"gmail_quote"><span =
class=3D""><blockquote class=3D"gmail_quote"
style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span =
class=3D"m_438005550949541432gmail-">
> If there are Patches nessessary will there also be updates for =
ovirt 4.1 or<br class=3D"">
> only 4.2?<br =
class=3D""></span></blockquote></span></div></div></div></blockquote></div=
</div></div></div></blockquote><div><br
class=3D""></div>4.1 will be =
covered</div><div><br class=3D""><blockquote
type=3D"cite" class=3D""><div=
class=3D""><div dir=3D"ltr" class=3D""><div
class=3D"gmail_extra"><div =
class=3D"gmail_quote"><blockquote class=3D"gmail_quote"
style=3D"margin:0 =
0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div
dir=3D"ltr" =
class=3D""><div class=3D"gmail_extra"><div
class=3D"gmail_quote"><span =
class=3D""><blockquote class=3D"gmail_quote"
style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span =
class=3D"m_438005550949541432gmail-">
<br class=3D"">
</span>Looking at the relevant Red Hat announcement:<br class=3D"">
<a =
href=3D"https://access.redhat.com/security/vulnerabilities/speculati...
ution" rel=3D"noreferrer" target=3D"_blank" =
class=3D"">https://access.redhat.com/secu<wbr =
class=3D"">rity/vulnerabilities/speculati<wbr =
class=3D"">veexecution</a><br class=3D"">
<br class=3D"">
It seems that no packages that are derived directly from oVirt were =
updated.<br =
class=3D""></blockquote></span></div></div></div></blockquote></div></div>=
</div></div></blockquote><div><br
class=3D""></div>they are, the page is =
updating as it progresses</div><div><br
class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D""><div
dir=3D"ltr" class=3D""><div =
class=3D"gmail_extra"><div
class=3D"gmail_quote"><blockquote =
class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc =
solid;padding-left:1ex"><div dir=3D"ltr"
class=3D""><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><span =
class=3D""><blockquote class=3D"gmail_quote"
style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
You can see qemu-kvm-rhev there, which is quemu-kvm-ev in CentOS -<br =
class=3D"">
that used to be distributed by oVirt, but these days its is shipped =
as<br class=3D"">
part of the CentOS VirtSIG repo.<br class=3D"">
<br class=3D"">
AFAIK none of those components were released on CentOS yet, so if<br =
class=3D"">
you're running oVirt on CentOS you'll need to wait.<br =
class=3D""></blockquote><div class=3D""><br
class=3D""></div></span><div =
class=3D"">CentOS kernel, microcode_ctl and linux-firmware have been =
released.</div><div class=3D"">See [1] for example. I'm sure
others will =
follow.</div><div class=3D"">Y.</div><div
class=3D""><br =
class=3D""></div><div class=3D"">[1] <a =
href=3D"https://lists.centos.org/pipermail/centos-announce/2018-Janu...
2696.html" target=3D"_blank"
class=3D"">https://lists.centos.org/<wbr =
class=3D"">pipermail/centos-announce/<wbr =
class=3D"">2018-January/022696.html</a></div><span
class=3D""><div =
class=3D""> </div></span></div></div></div></blockquote><div
=
class=3D""><br class=3D""></div><div
class=3D"">qemu-kvm-ev has also =
been tagged for release, will be in next batch or earlier if I can find =
kbsing for manually push it.</div><div class=3D""><br =
class=3D""></div><div class=3D""><br
class=3D""></div><div class=3D""><br =
class=3D""></div><div
class=3D""> </div><blockquote =
class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc =
solid;padding-left:1ex"><div dir=3D"ltr"
class=3D""><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><span =
class=3D""><blockquote class=3D"gmail_quote"
style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br class=3D"">
I suppose oVirt packages and install scripts will be updated over the<br =
class=3D"">
next few days to require the newer packages, but you do not need to<br =
class=3D"">
wait for those updates to patch your systems, you can probably patch<br =
class=3D"">
as soon as the updates are made available.<br =
class=3D""></blockquote></span></div></div></div></blockquote></div></div>=
</div></div></blockquote><div><br
class=3D""></div>I suggest to start =
with the kernel</div><div>But please do read up on the various variants =
and mitigations. You may not necessarily need all of =
them</div><div>Also, you may lack the right firmware/microcode updates =
from your CPU vendor at the moment. Red Hat's microcode package only =
contains those which were released by Intel/AMD so far.</div><div><br =
class=3D""></div><div>Thanks,</div><div>michal</div><div><br
=
class=3D""><blockquote type=3D"cite"
class=3D""><div class=3D""><div =
dir=3D"ltr" class=3D""><div
class=3D"gmail_extra"><div =
class=3D"gmail_quote"><blockquote class=3D"gmail_quote"
style=3D"margin:0 =
0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div
dir=3D"ltr" =
class=3D""><div class=3D"gmail_extra"><div
class=3D"gmail_quote"><span =
class=3D""><blockquote class=3D"gmail_quote"
style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br class=3D"">
Once updates are available, a new node and engine-apppliance images<br =
class=3D"">
will probably also be built and released.<br class=3D"">
<br class=3D"">
Please note that the above as mostly a rough estimate based on my<br =
class=3D"">
familiarity with the processes involved, I am not directly affiliated<br =
class=3D"">
with any of the teams handling the response to these CVEs.<br class=3D"">
<span class=3D"m_438005550949541432gmail-HOEnZb"><font
color=3D"#888888" =
class=3D""><br class=3D"">
--<br class=3D"">
Barak Korren<br class=3D"">
RHV DevOps team , RHCE, RHCi<br class=3D"">
Red Hat EMEA<br class=3D"">
<a href=3D"http://redhat.com/" rel=3D"noreferrer"
target=3D"_blank" =
class=3D"">redhat.com</a> | TRIED. TESTED. TRUSTED. | <a =
href=3D"http://redhat.com/trusted" rel=3D"noreferrer"
target=3D"_blank" =
class=3D"">redhat.com/trusted</a><br class=3D"">
</font></span><div
class=3D"m_438005550949541432gmail-HOEnZb"><div =
class=3D"m_438005550949541432gmail-h5">______________________________<wbr
=
class=3D"">_________________<br class=3D"">
Users mailing list<br class=3D"">
<a href=3D"mailto:Users@ovirt.org" target=3D"_blank" =
class=3D"">Users(a)ovirt.org</a><br class=3D"">
<a href=3D"http://lists.ovirt.org/mailman/listinfo/users" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">http://lists.ovirt.org/mailman<wbr =
class=3D"">/listinfo/users</a><br class=3D"">
</div></div></blockquote></span></div><br
class=3D""></div></div>
<br class=3D"">______________________________<wbr =
class=3D"">_________________<br class=3D"">
Users mailing list<br class=3D"">
<a href=3D"mailto:Users@ovirt.org"
class=3D"">Users(a)ovirt.org</a><br =
class=3D"">
<a href=3D"http://lists.ovirt.org/mailman/listinfo/users" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">http://lists.ovirt.org/<wbr =
class=3D"">mailman/listinfo/users</a><br class=3D"">
<br class=3D""></blockquote></div><br
class=3D""><br clear=3D"all" =
class=3D""><div class=3D""><br
class=3D""></div>-- <br class=3D""><div =
class=3D"gmail_signature"
data-smartmail=3D"gmail_signature"><div =
dir=3D"ltr" class=3D""><div class=3D""><div
dir=3D"ltr" class=3D""><div =
class=3D""><div dir=3D"ltr" class=3D""><div
class=3D""><div dir=3D"ltr" =
class=3D""><div class=3D""><div dir=3D"ltr"
class=3D""><div dir=3D"ltr" =
class=3D""><div dir=3D"ltr" class=3D""><div
dir=3D"ltr" class=3D""><div =
style=3D"font-family: overpass, sans-serif; font-weight: bold; margin: =
0px; padding: 0px; font-size: 14px; text-transform: uppercase;" =
class=3D""><span
class=3D"">SANDRO</span> <span =
class=3D"">BONAZZOLA</span></div><p style=3D"font-family:
overpass, =
sans-serif; font-size: 10px; margin: 0px 0px 4px; text-transform: =
uppercase;" class=3D""><span class=3D"">ASSOCIATE
MANAGER, SOFTWARE =
ENGINEERING, EMEA ENG VIRTUALIZATION R&D</span></p><div =
style=3D"font-family: overpass, sans-serif; margin: 0px; font-size: =
10px; color: rgb(153, 153, 153);" class=3D""><a =
href=3D"https://www.redhat.com/"
style=3D"color:rgb(0,136,206);margin:0px"=
target=3D"_blank" class=3D"">Red Hat <span =
class=3D"">EMEA</span></a></div><table
border=3D"0" style=3D"font-family: =
overpass, sans-serif; font-size: inherit;" class=3D""><tbody =
class=3D""><tr class=3D""><td width=3D"100px"
class=3D""><a =
href=3D"https://red.ht/sig" target=3D"_blank"
class=3D""><img =
src=3D"https://www.redhat.com/profiles/rh/themes/redhatdotcom/img/lo...
-hat-black.png" width=3D"90" height=3D"auto"
class=3D""></a></td><td =
style=3D"font-size:10px" class=3D""><div
class=3D""><a =
href=3D"https://redhat.com/trusted" =
style=3D"color:rgb(204,0,0);font-weight:bold" target=3D"_blank" =
class=3D"">TRIED. TESTED. =
TRUSTED.</a></div></td></tr></tbody></table><br =
class=3D""></div></div></div></div></div></div></div></div></div></div></d=
iv></div></div>
</div></div>
_______________________________________________<br class=3D"">Users =
mailing list<br class=3D""><a href=3D"mailto:Users@ovirt.org"
=
class=3D"">Users(a)ovirt.org</a><br =
class=3D"">http://lists.ovirt.org/mailman/listinfo/users<br =
class=3D""></div></blockquote></div><br
class=3D""></body></html>=
--Apple-Mail=_78F19FC9-4529-459D-8AFF-F81CDA40E6C7--
8:32 p.m.
Michal Skrivanek <michal.skrivanek(a)redhat.com> writes:
> If there are Patches nessessary will there also be
updates for
ovirt 4.1 or
> only 4.2?
4.1 will be covered
What about 4.0? Or will that not be covered because it depends on 7.3,
which also isn't covered??
Thanks,
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord(a)MIT.EDU PGP key available
9:42 p.m.
On Mon, Jan 8, 2018 at 7:32 PM, Derek Atkins <warlord(a)mit.edu> wrote:
Michal Skrivanek <michal.skrivanek(a)redhat.com> writes:
> > If there are Patches nessessary will there also be updates
for
> ovirt 4.1 or
> > only 4.2?
>
> 4.1 will be covered
What about 4.0? Or will that not be covered because it depends on 7.3,
which also isn't covered??
It will not be covered because we have 4.1 and 4.2 out, both of which we
take care of.
Y.
Thanks,
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord(a)MIT.EDU PGP key available
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
5:33 p.m.
Yaniv Kaul <ykaul(a)redhat.com> writes:
On Mon, Jan 8, 2018 at 7:32 PM, Derek Atkins <warlord(a)mit.edu>
wrote:
Michal Skrivanek <michal.skrivanek(a)redhat.com> writes:
> > If there are Patches nessessary will there also be updates
for
> ovirt 4.1 or
> > only 4.2?
>
> 4.1 will be covered
What about 4.0? Or will that not be covered because it depends on 7.3,
which also isn't covered??
It will not be covered because we have 4.1 and 4.2 out, both of which we take
care of.
I was afraid of that. So I will need to upgrade to at least 7.4/4.1 to
get this fixed. I'll need to find some time to do that. :(
My users don't like having downtime.. and this is a single-host system.
Y.
-derek
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
5:53 p.m.
On Thu, Jan 11, 2018 at 4:33 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
Yaniv Kaul <ykaul(a)redhat.com> writes:
> On Mon, Jan 8, 2018 at 7:32 PM, Derek Atkins <warlord(a)mit.edu> wrote:
>
> Michal Skrivanek <michal.skrivanek(a)redhat.com> writes:
>
> > > If there are Patches nessessary will there also be
updates
> for
> > ovirt 4.1 or
> > > only 4.2?
> >
> > 4.1 will be covered
>
> What about 4.0? Or will that not be covered because it depends on
7.3,
> which also isn't covered??
>
> It will not be covered because we have 4.1 and 4.2 out, both of which we
take
> care of.
I was afraid of that. So I will need to upgrade to at least 7.4/4.1 to
get this fixed. I'll need to find some time to do that. :(
My users don't like having downtime.. and this is a single-host system.
No one likes downtime but I suspect this is one of those serious
vulnerabilities that you really really must be protected against.
That being said, before planning downtime, check your HW vendor for
firmware or Intel for microcode for the host first.
Without it, there's not a lot of protection anyway.
Note that there are 4 steps you need to take to be fully protected: CPU,
hypervisor, guests and guest CPU type - plan ahead!
Y.
> Y.
-derek
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
6:32 p.m.
Hi,
On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
No one likes downtime but I suspect this is one of those serious
vulnerabilities that you really really must be protected against.
That being said, before planning downtime, check your HW vendor for
firmware or Intel for microcode for the host first.
Without it, there's not a lot of protection anyway.
Note that there are 4 steps you need to take to be fully protected: CPU,
hypervisor, guests and guest CPU type - plan ahead!
Y.
Is there a HOW-To written up somewhere on this? ;)
I built the hardware from scratch myself, so I can't go off to Dell or
someone for this. So which do I need, motherboard firmware or Intel
microcode? I suppose I need to go to the motherboard manufacturer
(Supermicro) to look for updated firmware? Do I also need to look at
Intel? Is this either-or or a "both" situation? Of course I have no idea
how to reflash new firmware onto this motherboard -- I don't have DOS.
As you can see, planning I can do. Execution is more challenging ;)
Thanks!
> > Y.
-derek
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
6:49 p.m.
if you have recent supermicro you dont need to update the bios,
Some tests:
Crack test:
https://github.com/IAIK/meltdown
Check test:
https://github.com/speed47/spectre-meltdown-checker
the intel microcodes you can find here:
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode...
good luck.
Arman.
On Thu, Jan 11, 2018 at 4:32 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
Hi,
On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
> No one likes downtime but I suspect this is one of those serious
> vulnerabilities that you really really must be protected against.
> That being said, before planning downtime, check your HW vendor for
> firmware or Intel for microcode for the host first.
> Without it, there's not a lot of protection anyway.
> Note that there are 4 steps you need to take to be fully protected: CPU,
> hypervisor, guests and guest CPU type - plan ahead!
> Y.
Is there a HOW-To written up somewhere on this? ;)
I built the hardware from scratch myself, so I can't go off to Dell or
someone for this. So which do I need, motherboard firmware or Intel
microcode? I suppose I need to go to the motherboard manufacturer
(Supermicro) to look for updated firmware? Do I also need to look at
Intel? Is this either-or or a "both" situation? Of course I have no idea
how to reflash new firmware onto this motherboard -- I don't have DOS.
As you can see, planning I can do. Execution is more challenging ;)
Thanks!
>> > Y.
-derek
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
6:28 p.m.
Arman,
Thanks for the info... And sorry for taking so long to reply. It's
been a busy weekend.
First, thank you for the links. Useful information.
However, could you define "recent"? My system is from Q3 2016. Is that
considered recent enough to not need a bios updte?
My /proc/cpuinfo reports:
model name : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
I downloaded the microcode.tgz file, which is dated Jan 8. I noticed
that the microcode_ctl package in my repo is dated Jan 4, which implies
it probably does NOT contain the Jan 8 tgz from Intel. It LOOKS like I
can just replace the intel-ucode files with those from the tgz, but I'm
not sure what, if anything, I need to do with the microcode.dat file in
the tgz?
Thanks,
-derek
Arman Khalatyan <arm2arm(a)gmail.com> writes:
if you have recent supermicro you dont need to update the bios,
Some tests:
Crack test:
https://github.com/IAIK/meltdown
Check test:
https://github.com/speed47/spectre-meltdown-checker
the intel microcodes you can find here:
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode...
good luck.
Arman.
On Thu, Jan 11, 2018 at 4:32 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
> Hi,
>
> On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
>
>> No one likes downtime but I suspect this is one of those serious
>> vulnerabilities that you really really must be protected against.
>> That being said, before planning downtime, check your HW vendor for
>> firmware or Intel for microcode for the host first.
>> Without it, there's not a lot of protection anyway.
>> Note that there are 4 steps you need to take to be fully protected: CPU,
>> hypervisor, guests and guest CPU type - plan ahead!
>> Y.
>
> Is there a HOW-To written up somewhere on this? ;)
>
> I built the hardware from scratch myself, so I can't go off to Dell or
> someone for this. So which do I need, motherboard firmware or Intel
> microcode? I suppose I need to go to the motherboard manufacturer
> (Supermicro) to look for updated firmware? Do I also need to look at
> Intel? Is this either-or or a "both" situation? Of course I have no idea
> how to reflash new firmware onto this motherboard -- I don't have DOS.
>
> As you can see, planning I can do. Execution is more challenging ;)
>
> Thanks!
>
>>> > Y.
>
> -derek
>
> --
> Derek Atkins 617-623-3745
> derek(a)ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
7:05 p.m.
If you see that after the update of your OS dmesg shows RED alert in
the spectra check script in the second position then you should follow
the intel's read.me.
As in readme described on Centos 7.4:
rsync -Pa intel-ucode /lib/firmware/
On the recent kernels(>2.6.xx) the dd method does not work, dont do that.
To confirm that microcode loaded:
dmesg | grep micro
look for the release dates.
But I beleve that v4 should be already in the microcode_ctl package of
the CentOS7.4 ( in my case 2650v2 was not inside, but the v3 and v4
were there)
I have a script to enable or disable the protection so you can see the
performance impact on your case:
https://arm2armcos.blogspot.de/2018/01/lustrefs-big-performance-hit-on-lf...
On Mon, Jan 15, 2018 at 4:28 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
Arman,
Thanks for the info... And sorry for taking so long to reply. It's
been a busy weekend.
First, thank you for the links. Useful information.
However, could you define "recent"? My system is from Q3 2016. Is that
considered recent enough to not need a bios updte?
My /proc/cpuinfo reports:
model name : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
I downloaded the microcode.tgz file, which is dated Jan 8. I noticed
that the microcode_ctl package in my repo is dated Jan 4, which implies
it probably does NOT contain the Jan 8 tgz from Intel. It LOOKS like I
can just replace the intel-ucode files with those from the tgz, but I'm
not sure what, if anything, I need to do with the microcode.dat file in
the tgz?
Thanks,
-derek
Arman Khalatyan <arm2arm(a)gmail.com> writes:
> if you have recent supermicro you dont need to update the bios,
>
> Some tests:
> Crack test:
> https://github.com/IAIK/meltdown
>
> Check test:
> https://github.com/speed47/spectre-meltdown-checker
>
> the intel microcodes you can find here:
>
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode...
> good luck.
> Arman.
>
>
>
> On Thu, Jan 11, 2018 at 4:32 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
>> Hi,
>>
>> On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
>>
>>> No one likes downtime but I suspect this is one of those serious
>>> vulnerabilities that you really really must be protected against.
>>> That being said, before planning downtime, check your HW vendor for
>>> firmware or Intel for microcode for the host first.
>>> Without it, there's not a lot of protection anyway.
>>> Note that there are 4 steps you need to take to be fully protected: CPU,
>>> hypervisor, guests and guest CPU type - plan ahead!
>>> Y.
>>
>> Is there a HOW-To written up somewhere on this? ;)
>>
>> I built the hardware from scratch myself, so I can't go off to Dell or
>> someone for this. So which do I need, motherboard firmware or Intel
>> microcode? I suppose I need to go to the motherboard manufacturer
>> (Supermicro) to look for updated firmware? Do I also need to look at
>> Intel? Is this either-or or a "both" situation? Of course I have no
idea
>> how to reflash new firmware onto this motherboard -- I don't have DOS.
>>
>> As you can see, planning I can do. Execution is more challenging ;)
>>
>> Thanks!
>>
>>>> > Y.
>>
>> -derek
>>
>> --
>> Derek Atkins 617-623-3745
>> derek(a)ihtfp.com www.ihtfp.com
>> Computer and Internet Security Consultant
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>
>
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
7:28 p.m.
Thanks.
I guess it still boils down to updating to 7.4. :(
In the short term, will Ovirt 4.0 continue to run in 7.4? Or MUST I
upgrade both the OS and ovirt simultaneously? My time is very short over
the next few weeks (I'm moving) so I'd like to get as much bang for the
buck with as little down time as possible. I can't spend 12 hours of my
time working to repair a botched upgrade from 4.0 to 4.1 or 4.2.
Thanks again!
-derek
On Mon, January 15, 2018 11:05 am, Arman Khalatyan wrote:
If you see that after the update of your OS dmesg shows RED alert in
the spectra check script in the second position then you should follow
the intel's read.me.
As in readme described on Centos 7.4:
rsync -Pa intel-ucode /lib/firmware/
On the recent kernels(>2.6.xx) the dd method does not work, dont do that.
To confirm that microcode loaded:
dmesg | grep micro
look for the release dates.
But I beleve that v4 should be already in the microcode_ctl package of
the CentOS7.4 ( in my case 2650v2 was not inside, but the v3 and v4
were there)
I have a script to enable or disable the protection so you can see the
performance impact on your case:
https://arm2armcos.blogspot.de/2018/01/lustrefs-big-performance-hit-on-lf...
On Mon, Jan 15, 2018 at 4:28 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
> Arman,
>
> Thanks for the info... And sorry for taking so long to reply. It's
> been a busy weekend.
>
> First, thank you for the links. Useful information.
>
> However, could you define "recent"? My system is from Q3 2016. Is that
> considered recent enough to not need a bios updte?
>
> My /proc/cpuinfo reports:
> model name : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
>
> I downloaded the microcode.tgz file, which is dated Jan 8. I noticed
> that the microcode_ctl package in my repo is dated Jan 4, which implies
> it probably does NOT contain the Jan 8 tgz from Intel. It LOOKS like I
> can just replace the intel-ucode files with those from the tgz, but I'm
> not sure what, if anything, I need to do with the microcode.dat file in
> the tgz?
>
> Thanks,
>
> -derek
>
> Arman Khalatyan <arm2arm(a)gmail.com> writes:
>
>> if you have recent supermicro you dont need to update the bios,
>>
>> Some tests:
>> Crack test:
>> https://github.com/IAIK/meltdown
>>
>> Check test:
>> https://github.com/speed47/spectre-meltdown-checker
>>
>> the intel microcodes you can find here:
>>
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode...
>> good luck.
>> Arman.
>>
>>
>>
>> On Thu, Jan 11, 2018 at 4:32 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
>>> Hi,
>>>
>>> On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
>>>
>>>> No one likes downtime but I suspect this is one of those serious
>>>> vulnerabilities that you really really must be protected against.
>>>> That being said, before planning downtime, check your HW vendor for
>>>> firmware or Intel for microcode for the host first.
>>>> Without it, there's not a lot of protection anyway.
>>>> Note that there are 4 steps you need to take to be fully protected:
>>>> CPU,
>>>> hypervisor, guests and guest CPU type - plan ahead!
>>>> Y.
>>>
>>> Is there a HOW-To written up somewhere on this? ;)
>>>
>>> I built the hardware from scratch myself, so I can't go off to Dell or
>>> someone for this. So which do I need, motherboard firmware or Intel
>>> microcode? I suppose I need to go to the motherboard manufacturer
>>> (Supermicro) to look for updated firmware? Do I also need to look at
>>> Intel? Is this either-or or a "both" situation? Of course I have
no
>>> idea
>>> how to reflash new firmware onto this motherboard -- I don't have DOS.
>>>
>>> As you can see, planning I can do. Execution is more challenging ;)
>>>
>>> Thanks!
>>>
>>>>> > Y.
>>>
>>> -derek
>>>
>>> --
>>> Derek Atkins 617-623-3745
>>> derek(a)ihtfp.com www.ihtfp.com
>>> Computer and Internet Security Consultant
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>
> --
> Derek Atkins 617-623-3745
> derek(a)ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
9:10 p.m.
On Mon, Jan 15, 2018 at 6:28 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
Thanks.
I guess it still boils down to updating to 7.4. :(
In the short term, will Ovirt 4.0 continue to run in 7.4? Or MUST I
We don't know, but I would assume NO. Every minor release of EL required
some small adjustments to expected and unexpected changes in the platform.
We have worked with 4.1 to support 7.3 and then 7.4, I would not presume
4.0 works with it.
Y.
upgrade both the OS and ovirt simultaneously? My time is very short
over
the next few weeks (I'm moving) so I'd like to get as much bang for the
buck with as little down time as possible. I can't spend 12 hours of my
time working to repair a botched upgrade from 4.0 to 4.1 or 4.2.
Thanks again!
-derek
On Mon, January 15, 2018 11:05 am, Arman Khalatyan wrote:
> If you see that after the update of your OS dmesg shows RED alert in
> the spectra check script in the second position then you should follow
> the intel's read.me.
> As in readme described on Centos 7.4:
> rsync -Pa intel-ucode /lib/firmware/
> On the recent kernels(>2.6.xx) the dd method does not work, dont do that.
> To confirm that microcode loaded:
> dmesg | grep micro
> look for the release dates.
> But I beleve that v4 should be already in the microcode_ctl package of
> the CentOS7.4 ( in my case 2650v2 was not inside, but the v3 and v4
> were there)
> I have a script to enable or disable the protection so you can see the
> performance impact on your case:
> https://arm2armcos.blogspot.de/2018/01/lustrefs-big-
performance-hit-on-lfs.html
>
>
>
> On Mon, Jan 15, 2018 at 4:28 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
>> Arman,
>>
>> Thanks for the info... And sorry for taking so long to reply. It's
>> been a busy weekend.
>>
>> First, thank you for the links. Useful information.
>>
>> However, could you define "recent"? My system is from Q3 2016. Is
that
>> considered recent enough to not need a bios updte?
>>
>> My /proc/cpuinfo reports:
>> model name : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
>>
>> I downloaded the microcode.tgz file, which is dated Jan 8. I noticed
>> that the microcode_ctl package in my repo is dated Jan 4, which implies
>> it probably does NOT contain the Jan 8 tgz from Intel. It LOOKS like I
>> can just replace the intel-ucode files with those from the tgz, but I'm
>> not sure what, if anything, I need to do with the microcode.dat file in
>> the tgz?
>>
>> Thanks,
>>
>> -derek
>>
>> Arman Khalatyan <arm2arm(a)gmail.com> writes:
>>
>>> if you have recent supermicro you dont need to update the bios,
>>>
>>> Some tests:
>>> Crack test:
>>> https://github.com/IAIK/meltdown
>>>
>>> Check test:
>>> https://github.com/speed47/spectre-meltdown-checker
>>>
>>> the intel microcodes you can find here:
>>> https://downloadcenter.intel.com/download/27431/Linux-
Processor-Microcode-Data-File?product=41447
>>> good luck.
>>> Arman.
>>>
>>>
>>>
>>> On Thu, Jan 11, 2018 at 4:32 PM, Derek Atkins <derek(a)ihtfp.com>
wrote:
>>>> Hi,
>>>>
>>>> On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
>>>>
>>>>> No one likes downtime but I suspect this is one of those serious
>>>>> vulnerabilities that you really really must be protected against.
>>>>> That being said, before planning downtime, check your HW vendor for
>>>>> firmware or Intel for microcode for the host first.
>>>>> Without it, there's not a lot of protection anyway.
>>>>> Note that there are 4 steps you need to take to be fully protected:
>>>>> CPU,
>>>>> hypervisor, guests and guest CPU type - plan ahead!
>>>>> Y.
>>>>
>>>> Is there a HOW-To written up somewhere on this? ;)
>>>>
>>>> I built the hardware from scratch myself, so I can't go off to Dell
or
>>>> someone for this. So which do I need, motherboard firmware or Intel
>>>> microcode? I suppose I need to go to the motherboard manufacturer
>>>> (Supermicro) to look for updated firmware? Do I also need to look at
>>>> Intel? Is this either-or or a "both" situation? Of course I
have no
>>>> idea
>>>> how to reflash new firmware onto this motherboard -- I don't have
DOS.
>>>>
>>>> As you can see, planning I can do. Execution is more challenging ;)
>>>>
>>>> Thanks!
>>>>
>>>>>> > Y.
>>>>
>>>> -derek
>>>>
>>>> --
>>>> Derek Atkins 617-623-3745
>>>> derek(a)ihtfp.com www.ihtfp.com
>>>> Computer and Internet Security Consultant
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>>
>>
>> --
>> Derek Atkins 617-623-3745
>> derek(a)ihtfp.com www.ihtfp.com
>> Computer and Internet Security Consultant
>
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
9:31 p.m.
Thanks.
I guess that means I need to upgrade both OS and Ovirt simultaneously.
And if I recall correctly I need to upgrade my hosted engine first and
then upgrade the host? (This is a single-host hosted-engine setup).
I've never actually upgraded an ovirt release beyond point releases (I
started with 4.0, and currently run 4.0.6). I did upgrade from 7.2 to
7.3, which was relatively straightforward. My plan is to follow the
instructions at https://www.ovirt.org/release/4.1.0/ -- will the
engine-setup also wind up pulling in the OS update? I suppose I can run a
yum update after running engine-setup?
Thanks,
-derek
On Mon, January 15, 2018 1:10 pm, Yaniv Kaul wrote:
On Mon, Jan 15, 2018 at 6:28 PM, Derek Atkins <derek(a)ihtfp.com>
wrote:
> Thanks.
>
> I guess it still boils down to updating to 7.4. :(
>
> In the short term, will Ovirt 4.0 continue to run in 7.4? Or MUST I
>
We don't know, but I would assume NO. Every minor release of EL required
some small adjustments to expected and unexpected changes in the platform.
We have worked with 4.1 to support 7.3 and then 7.4, I would not presume
4.0 works with it.
Y.
> upgrade both the OS and ovirt simultaneously? My time is very short
> over
> the next few weeks (I'm moving) so I'd like to get as much bang for the
> buck with as little down time as possible. I can't spend 12 hours of my
> time working to repair a botched upgrade from 4.0 to 4.1 or 4.2.
>
> Thanks again!
>
> -derek
>
> On Mon, January 15, 2018 11:05 am, Arman Khalatyan wrote:
> > If you see that after the update of your OS dmesg shows RED alert in
> > the spectra check script in the second position then you should follow
> > the intel's read.me.
> > As in readme described on Centos 7.4:
> > rsync -Pa intel-ucode /lib/firmware/
> > On the recent kernels(>2.6.xx) the dd method does not work, dont do
> that.
> > To confirm that microcode loaded:
> > dmesg | grep micro
> > look for the release dates.
> > But I beleve that v4 should be already in the microcode_ctl package of
> > the CentOS7.4 ( in my case 2650v2 was not inside, but the v3 and v4
> > were there)
> > I have a script to enable or disable the protection so you can see the
> > performance impact on your case:
> > https://arm2armcos.blogspot.de/2018/01/lustrefs-big-
> performance-hit-on-lfs.html
> >
> >
> >
> > On Mon, Jan 15, 2018 at 4:28 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
> >> Arman,
> >>
> >> Thanks for the info... And sorry for taking so long to reply. It's
> >> been a busy weekend.
> >>
> >> First, thank you for the links. Useful information.
> >>
> >> However, could you define "recent"? My system is from Q3 2016.
Is
> that
> >> considered recent enough to not need a bios updte?
> >>
> >> My /proc/cpuinfo reports:
> >> model name : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
> >>
> >> I downloaded the microcode.tgz file, which is dated Jan 8. I noticed
> >> that the microcode_ctl package in my repo is dated Jan 4, which
> implies
> >> it probably does NOT contain the Jan 8 tgz from Intel. It LOOKS like
> I
> >> can just replace the intel-ucode files with those from the tgz, but
> I'm
> >> not sure what, if anything, I need to do with the microcode.dat file
> in
> >> the tgz?
> >>
> >> Thanks,
> >>
> >> -derek
> >>
> >> Arman Khalatyan <arm2arm(a)gmail.com> writes:
> >>
> >>> if you have recent supermicro you dont need to update the bios,
> >>>
> >>> Some tests:
> >>> Crack test:
> >>> https://github.com/IAIK/meltdown
> >>>
> >>> Check test:
> >>> https://github.com/speed47/spectre-meltdown-checker
> >>>
> >>> the intel microcodes you can find here:
> >>> https://downloadcenter.intel.com/download/27431/Linux-
> Processor-Microcode-Data-File?product=41447
> >>> good luck.
> >>> Arman.
> >>>
> >>>
> >>>
> >>> On Thu, Jan 11, 2018 at 4:32 PM, Derek Atkins <derek(a)ihtfp.com>
> wrote:
> >>>> Hi,
> >>>>
> >>>> On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
> >>>>
> >>>>> No one likes downtime but I suspect this is one of those
serious
> >>>>> vulnerabilities that you really really must be protected
against.
> >>>>> That being said, before planning downtime, check your HW vendor
> for
> >>>>> firmware or Intel for microcode for the host first.
> >>>>> Without it, there's not a lot of protection anyway.
> >>>>> Note that there are 4 steps you need to take to be fully
> protected:
> >>>>> CPU,
> >>>>> hypervisor, guests and guest CPU type - plan ahead!
> >>>>> Y.
> >>>>
> >>>> Is there a HOW-To written up somewhere on this? ;)
> >>>>
> >>>> I built the hardware from scratch myself, so I can't go off to
Dell
> or
> >>>> someone for this. So which do I need, motherboard firmware or
> Intel
> >>>> microcode? I suppose I need to go to the motherboard manufacturer
> >>>> (Supermicro) to look for updated firmware? Do I also need to look
> at
> >>>> Intel? Is this either-or or a "both" situation? Of
course I have
> no
> >>>> idea
> >>>> how to reflash new firmware onto this motherboard -- I don't
have
> DOS.
> >>>>
> >>>> As you can see, planning I can do. Execution is more challenging
> ;)
> >>>>
> >>>> Thanks!
> >>>>
> >>>>>> > Y.
> >>>>
> >>>> -derek
> >>>>
> >>>> --
> >>>> Derek Atkins 617-623-3745
> >>>> derek(a)ihtfp.com www.ihtfp.com
> >>>> Computer and Internet Security Consultant
> >>>>
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> Users(a)ovirt.org
> >>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>
> >>>
> >>
> >> --
> >> Derek Atkins 617-623-3745
> >> derek(a)ihtfp.com www.ihtfp.com
> >> Computer and Internet Security Consultant
> >
>
>
> --
> Derek Atkins 617-623-3745
> derek(a)ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
>
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
6:51 p.m.
Hi,
I upgraded to EL7.4 / oVirt 4.1.8 last night.
I must say it was easier than expected, so kudos to all the devs.
I did have a few hiccups along the way, mostly of my own making.
The one main hiccup is that the ovirt-40-dependencies package links to a
CentOS repo that no longer exists, and that caused lots of pain. I had to
manually disable two repos to get the upgrade to work.
Note: Nowhere in the docs does it say to remove the ovirt-release40
package, either before OR after the upgrade!
Having said that, my ovirt host now reports:
# bash spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31
Checking for vulnerabilities against running kernel Linux
3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES
STATUS: NOT VULNERABLE (106 opcodes found, which is >= 70,
heuristic
to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: YES
* The SPEC_CTRL CPUID feature bit is set: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: YES
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
STATUS: NOT VULNERABLE (IBRS mitigates the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Checking if we're running under Xen PV (64 bits): NO
STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
Do I need to enabke IBRS for User space?
If so, how would that be done?
Thanks!
-derek
On Mon, January 15, 2018 1:10 pm, Yaniv Kaul wrote:
On Mon, Jan 15, 2018 at 6:28 PM, Derek Atkins <derek(a)ihtfp.com>
wrote:
> Thanks.
>
> I guess it still boils down to updating to 7.4. :(
>
> In the short term, will Ovirt 4.0 continue to run in 7.4? Or MUST I
>
We don't know, but I would assume NO. Every minor release of EL required
some small adjustments to expected and unexpected changes in the platform.
We have worked with 4.1 to support 7.3 and then 7.4, I would not presume
4.0 works with it.
Y.
> upgrade both the OS and ovirt simultaneously? My time is very short
> over
> the next few weeks (I'm moving) so I'd like to get as much bang for the
> buck with as little down time as possible. I can't spend 12 hours of my
> time working to repair a botched upgrade from 4.0 to 4.1 or 4.2.
>
> Thanks again!
>
> -derek
>
> On Mon, January 15, 2018 11:05 am, Arman Khalatyan wrote:
> > If you see that after the update of your OS dmesg shows RED alert in
> > the spectra check script in the second position then you should follow
> > the intel's read.me.
> > As in readme described on Centos 7.4:
> > rsync -Pa intel-ucode /lib/firmware/
> > On the recent kernels(>2.6.xx) the dd method does not work, dont do
> that.
> > To confirm that microcode loaded:
> > dmesg | grep micro
> > look for the release dates.
> > But I beleve that v4 should be already in the microcode_ctl package of
> > the CentOS7.4 ( in my case 2650v2 was not inside, but the v3 and v4
> > were there)
> > I have a script to enable or disable the protection so you can see the
> > performance impact on your case:
> > https://arm2armcos.blogspot.de/2018/01/lustrefs-big-
> performance-hit-on-lfs.html
> >
> >
> >
> > On Mon, Jan 15, 2018 at 4:28 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
> >> Arman,
> >>
> >> Thanks for the info... And sorry for taking so long to reply. It's
> >> been a busy weekend.
> >>
> >> First, thank you for the links. Useful information.
> >>
> >> However, could you define "recent"? My system is from Q3 2016.
Is
> that
> >> considered recent enough to not need a bios updte?
> >>
> >> My /proc/cpuinfo reports:
> >> model name : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
> >>
> >> I downloaded the microcode.tgz file, which is dated Jan 8. I noticed
> >> that the microcode_ctl package in my repo is dated Jan 4, which
> implies
> >> it probably does NOT contain the Jan 8 tgz from Intel. It LOOKS like
> I
> >> can just replace the intel-ucode files with those from the tgz, but
> I'm
> >> not sure what, if anything, I need to do with the microcode.dat file
> in
> >> the tgz?
> >>
> >> Thanks,
> >>
> >> -derek
> >>
> >> Arman Khalatyan <arm2arm(a)gmail.com> writes:
> >>
> >>> if you have recent supermicro you dont need to update the bios,
> >>>
> >>> Some tests:
> >>> Crack test:
> >>> https://github.com/IAIK/meltdown
> >>>
> >>> Check test:
> >>> https://github.com/speed47/spectre-meltdown-checker
> >>>
> >>> the intel microcodes you can find here:
> >>> https://downloadcenter.intel.com/download/27431/Linux-
> Processor-Microcode-Data-File?product=41447
> >>> good luck.
> >>> Arman.
> >>>
> >>>
> >>>
> >>> On Thu, Jan 11, 2018 at 4:32 PM, Derek Atkins <derek(a)ihtfp.com>
> wrote:
> >>>> Hi,
> >>>>
> >>>> On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
> >>>>
> >>>>> No one likes downtime but I suspect this is one of those
serious
> >>>>> vulnerabilities that you really really must be protected
against.
> >>>>> That being said, before planning downtime, check your HW vendor
> for
> >>>>> firmware or Intel for microcode for the host first.
> >>>>> Without it, there's not a lot of protection anyway.
> >>>>> Note that there are 4 steps you need to take to be fully
> protected:
> >>>>> CPU,
> >>>>> hypervisor, guests and guest CPU type - plan ahead!
> >>>>> Y.
> >>>>
> >>>> Is there a HOW-To written up somewhere on this? ;)
> >>>>
> >>>> I built the hardware from scratch myself, so I can't go off to
Dell
> or
> >>>> someone for this. So which do I need, motherboard firmware or
> Intel
> >>>> microcode? I suppose I need to go to the motherboard manufacturer
> >>>> (Supermicro) to look for updated firmware? Do I also need to look
> at
> >>>> Intel? Is this either-or or a "both" situation? Of
course I have
> no
> >>>> idea
> >>>> how to reflash new firmware onto this motherboard -- I don't
have
> DOS.
> >>>>
> >>>> As you can see, planning I can do. Execution is more challenging
> ;)
> >>>>
> >>>> Thanks!
> >>>>
> >>>>>> > Y.
> >>>>
> >>>> -derek
> >>>>
> >>>> --
> >>>> Derek Atkins 617-623-3745
> >>>> derek(a)ihtfp.com www.ihtfp.com
> >>>> Computer and Internet Security Consultant
> >>>>
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> Users(a)ovirt.org
> >>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>
> >>>
> >>
> >> --
> >> Derek Atkins 617-623-3745
> >> derek(a)ihtfp.com www.ihtfp.com
> >> Computer and Internet Security Consultant
> >
>
>
> --
> Derek Atkins 617-623-3745
> derek(a)ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
>
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
6:50 p.m.
On Thu, Jan 11, 2018 at 5:32 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
Hi,
On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
> No one likes downtime but I suspect this is one of those serious
> vulnerabilities that you really really must be protected against.
> That being said, before planning downtime, check your HW vendor for
> firmware or Intel for microcode for the host first.
> Without it, there's not a lot of protection anyway.
> Note that there are 4 steps you need to take to be fully protected: CPU,
> hypervisor, guests and guest CPU type - plan ahead!
> Y.
Is there a HOW-To written up somewhere on this? ;)
Not for oVirt specifically right now. We'll blog about it once we release
additional improvements to detect if you are protected - right from oVirt
UI (in 4.2.1).
I built the hardware from scratch myself, so I can't go off to Dell or
someone for this. So which do I need, motherboard firmware or Intel
microcode? I suppose I need to go to the motherboard manufacturer
(Supermicro) to look for updated firmware? Do I also need to look at
Intel? Is this either-or or a "both" situation? Of course I have no idea
how to reflash new firmware onto this motherboard -- I don't have DOS.
You could get it from Intel, via their microcode_ctl package. When they
release for your CPU is a different manner.
See[1] for some good pointers.
Y.
[1]
https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_an...
As you can see, planning I can do. Execution is more challenging ;)
Thanks!
>> > Y.
-derek
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
2502
days inactive
2514
days old
17 comments
8 participants
participants (8)
-
Arman Khalatyan -
Barak Korren -
Derek Atkins -
Derek Atkins -
Marcel Hanke -
Michal Skrivanek -
Sandro Bonazzola -
Yaniv Kaul