
OpenVZ vuln

drmike

100% Tier-1 Gogent
Thanks for this... OpenVZ users better get to patching, this is an ugly one.

What a day today...
 

Francisco

Company Lube
Verified Provider
Yup.

Already working on that.

I'm going to likely migrate us to ploop soon.

I have other reasons for wanting to go to ploop but this just adds to them.

Francisco
 

Francisco

Company Lube
Verified Provider
Aldryic's just pushing the files now and reboots will start rolling in a bit. A mass email is coming up after that.

I'm going back to my LXC research, that's for sure.

Francisco
 

Oliver

Member
Verified Provider
One other host and I have found an issue where iptables rules are probably changed after rebooting into the new kernel. As a result, if you have SSHD running and iptables with default policy DROP, even if you have a rule allowing SSH in on whatever port, you won't have this rule after reboot.

The containers will still start up again but you won't have any SSH access to the node.

Keep this in mind and make sure you have KVM access or whatever else handy!
 

Oliver

Member
Verified Provider
Can some other host who has applied the new kernel and rebooted successfully advise if their iptables rules are all gone or changed in any way?
 

willie

Active Member
> Aldryic's just pushing the files now and reboots will start rolling in a bit. A mass email is coming up after that.
>
> I'm going back to my LXC research, that's for sure.
>
> Francisco
Last I knew, LXC doesn't try to isolate containers against deliberate breakout attempts the way OpenVZ does.  It's more intended to run a lot of basically cooperating application instances with separate IP addresses, configurations, etc.  Docker is about the same way and apparently this OpenVZ vulnerability is related to a Docker breakout discovered a few days ago.  One of the Docker guys responded that Docker didn't claim to protect against that sort of exploit.  See:

https://news.ycombinator.com/item?id=7910117
 

Oliver

Member
Verified Provider
OK, not sure if it's iptables-related then. I must have some other issue... Will update again if it's relevant to others.
 

KuJoe

Well-Known Member
Verified Provider
We're having some issues with one of our nodes but it's not related to the kernel. All of the other nodes are working properly after the kernel update and confirmed iptables is looking good (although we can't unload one iptables module on some nodes but better than having a module you can't enable).
 

mtwiscool

New Member
We had 2 issues:

iptables NAT got disabled so I had to re-enable that.

Grub got reset so it was booting into non-OpenVZ, so I had to change that back.

All on my phone as I was not on the computer when it was released.
 
> One other host and I have found an issue where iptables rules are probably changed after rebooting into the new kernel. As a result, if you have SSHD running and iptables with default policy DROP, even if you have a rule allowing SSH in on whatever port, you won't have this rule after reboot.
>
> The containers will still start up again but you won't have any SSH access to the node.
>
> Keep this in mind and make sure you have KVM access or whatever else handy!
Is this in addition to problems people were having with the 4.7 release from April?
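The three failure modes reported in this thread (Oliver's: INPUT policy DROP with the SSH allow rule missing after the reboot; mtwiscool's: grub defaulting back to the non-OpenVZ kernel, and iptables NAT no longer loaded) are all cheap to check before and after booting the new kernel. The script below is an added example written for this page, not code from any of the posters. Each function reads the relevant text on stdin, so the same logic runs against live `iptables-save`, legacy `/boot/grub/grub.conf` and `lsmod` output or against the constructed samples at the bottom; the kernel version strings, module names other than `iptable_nat`, and module sizes in those samples are placeholders, not real identifiers.

```shell
#!/bin/sh
# Pre/post-reboot checks for an OpenVZ node booting a patched kernel.
# Added example for this thread, not code from any poster. It checks that
# (1) the firewall will still admit SSH with the ruleset that comes back,
# (2) grub's default entry is still the OpenVZ kernel, and (3) iptable_nat
# is loaded. Samples at the bottom are constructed; versions are placeholders.

# Usage: iptables-save | ssh_reachable_after_reboot <ssh-port>
# Prints "ok" unless the filter table's INPUT policy is DROP and there is no
# "-A INPUT ... -p tcp ... --dport <port> ... -j ACCEPT" rule.
ssh_reachable_after_reboot() {
    awk -v port="$1" '
        /^\*/ { table = substr($0, 2) }          # *filter, *nat, ... headers
        table == "filter" && $1 == ":INPUT" && $2 == "DROP" { drop = 1 }
        table == "filter" && $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i + 1) == port) allow = 1
        }
        END { if (drop && !allow) print "LOCKOUT"; else print "ok" }'
}

# Usage: grub_default_title < /boot/grub/grub.conf
# Prints the "title" of the entry selected by "default=N" (0-based). Assumes
# legacy GRUB with the default= line before the title lines (RHEL/CentOS 6 layout).
grub_default_title() {
    awk '
        /^[ \t]*default[ \t]*=/ { split($0, kv, "="); def = kv[2] + 0 }
        /^[ \t]*title/ { if (n == def) t = $0; n++ }
        END { sub(/^[ \t]*title[ \t]*/, "", t); print t }'
}

# Usage: grub_default_is_openvz < /boot/grub/grub.conf
# OpenVZ RHEL6-based kernels carry "stab" in their version string.
grub_default_is_openvz() {
    case "$(grub_default_title)" in
        *stab*) echo "ok" ;;
        *)      echo "NOT-OPENVZ" ;;
    esac
}

# Usage: lsmod | nat_module_loaded
nat_module_loaded() {
    awk '$1 == "iptable_nat" { found = 1 } END { if (found) print "ok"; else print "missing" }'
}

# ---- constructed samples (not taken from any real node) ----
# SSH listens on 2222 here; port 22 has no ACCEPT rule, so asking about 22 reports LOCKOUT.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# default=1 models the "grub got reset" case: the stock kernel is selected.
SAMPLE_GRUB='default=1
timeout=5
title OpenVZ (2.6.32-042stab000.0)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-042stab000.0 ro root=/dev/mapper/vg-root
        initrd /initramfs-2.6.32-042stab000.0.img
title CentOS (2.6.32-000.0.0.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-000.0.0.el6.x86_64 ro root=/dev/mapper/vg-root
        initrd /initramfs-2.6.32-000.0.0.el6.x86_64.img'

# iptable_nat is absent here, modelling the "NAT got disabled" case.
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack           12345  2 nf_nat,iptable_nat
iptable_filter          1234  1'

printf 'SSH on 2222 after reboot: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | ssh_reachable_after_reboot 2222)"
printf 'SSH on 22 after reboot:   %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | ssh_reachable_after_reboot 22)"
printf 'grub default entry:       %s\n' "$(printf '%s\n' "$SAMPLE_GRUB" | grub_default_title)"
printf 'grub boots OpenVZ:        %s\n' "$(printf '%s\n' "$SAMPLE_GRUB" | grub_default_is_openvz)"
printf 'iptable_nat loaded:       %s\n' "$(printf '%s\n' "$SAMPLE_LSMOD" | nat_module_loaded)"
```

On a live node, run `iptables-save | ssh_reachable_after_reboot <port>` before the reboot and again right after, and compare: `LOCKOUT` before the reboot means the ruleset that will be reloaded is already missing the rule, while `LOCKOUT` only afterwards means the rules did not survive the new kernel, which is the situation where the out-of-band KVM access Oliver recommends is what gets you back in. Run the grub check before rebooting, since that is the only moment it can still save you a trip to the console.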
 

Oliver

Member
Verified Provider
I think I had some isolated issue unrelated to the actual upgrade. Sorry for the confusion. It occurred on 3 nodes of mine that had been running for a long time where I suspect some other issue just came up after the reboot and I mistakenly linked it to the kernel upgrade...
 