Okay, I figured out that dom0 is actually some sort of CentOS, and it
has Yum. The only question remaining is where I can find compatible
packages to install for XCP 1.0.

I'd be interested in stuff like acpid, smartd...

Daniel

2011/9/16 József Dániel <daniel.jozsef@gmail.com>:
> Hello,
>
> I was wondering what is the easiest way to get my XCP box to honor
> ACPI shutdowns. It's a SOHO server, so time to time it'd be super
> handy to just push the power button, and have the system shut down
> cleanly.
> (BTW I wonder what XCP does to VMs on shutdown by default... Sends
> them an ACPI shutdown signal, or just powers them off?)
>
> Is there some sort of package management to install acpid? Or is there
> a config setting somewhere to do the above?
>
> Daniel

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
It is CentOS. The yum cent repos are configured just not enabled.

yum --enablerepo=base install acpid smartd should work.
________________________________________
From: xen-users-bounces@lists.xensource.com [xen-users-bounces@lists.xensource.com] on behalf of József Dániel [daniel.jozsef@gmail.com]
Sent: Saturday, September 17, 2011 11:03 AM
To: xen-users@lists.xensource.com
Subject: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)

Okay, I figured out that dom0 is actually some sort of CentOS, and it
has Yum. The only question remaining is where I can find compatible
packages to install for XCP 1.0.

I'd be interested in stuff like acpid, smartd...

Daniel

2011/9/16 József Dániel <daniel.jozsef@gmail.com>:
> Hello,
>
> I was wondering what is the easiest way to get my XCP box to honor
> ACPI shutdowns. It's a SOHO server, so time to time it'd be super
> handy to just push the power button, and have the system shut down
> cleanly.
> (BTW I wonder what XCP does to VMs on shutdown by default... Sends
> them an ACPI shutdown signal, or just powers them off?)
>
> Is there some sort of package management to install acpid? Or is there
> a config setting somewhere to do the above?
>
> Daniel
József Dániel
2011-Oct-24 21:32 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
Hello,

This did work after deleting the Citrix repo, but now it wants to upgrade more than 100 packages, which does not necessarily sound like a good idea. Should I just go ahead as it's just security updates, or would it throw my installation into chaos?

I am very unfamiliar with CentOS versioning policy. Is it something like Debian (good) or something like Gentoo (bad)? :D

If it's bad, how can I freeze the system version to a known safe point, while being able to install packages?

D

On Sat, Sep 17, 2011 at 8:39 PM, Joseph Hom <jhom@softlayer.com> wrote:
> It is CentOS. The yum cent repos are configured just not enabled.
>
> yum --enablerepo=base install acpid smartd should work.
> ________________________________________
> From: xen-users-bounces@lists.xensource.com [xen-users-bounces@lists.xensource.com] on behalf of József Dániel [daniel.jozsef@gmail.com]
> Sent: Saturday, September 17, 2011 11:03 AM
> To: xen-users@lists.xensource.com
> Subject: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
>
> Okay, I figured out that dom0 is actually some sort of CentOS, and it
> has Yum. The only question remaining is where I can find compatible
> packages to install for XCP 1.0.
>
> I'd be interested in stuff like acpid, smartd...
>
> Daniel
>
> 2011/9/16 József Dániel <daniel.jozsef@gmail.com>:
> > Hello,
> >
> > I was wondering what is the easiest way to get my XCP box to honor
> > ACPI shutdowns. It's a SOHO server, so time to time it'd be super
> > handy to just push the power button, and have the system shut down
> > cleanly.
> > (BTW I wonder what XCP does to VMs on shutdown by default... Sends
> > them an ACPI shutdown signal, or just powers them off?)
> >
> > Is there some sort of package management to install acpid? Or is there
> > a config setting somewhere to do the above?
> >
> > Daniel
George Shuklin
2011-Oct-25 14:45 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
Grant McWilliams
2011-Oct-26 05:33 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Tue, Oct 25, 2011 at 7:45 AM, George Shuklin <george.shuklin@gmail.com> wrote:
> NEVER upgrade XCP by CentOS packages.
>
> You will break it beyond repair level. Reason is simple: XCP shipped with
> patched packages, and replacing them with non-patched will cause grave
> damage. And worst is damage is not instant - you will continue to operate,
> but found 'something got wrong' later.
>
> The most important is lvm2 package, which is patched to allow shared
> storage usage (--master option). Default LVM2 will trash metadata on LVM SR
> (LVM and LVMoISCSI SM) at some moment.
>
> Other (I'm not sure) is udev package, and may be few more.

Why aren't those packages masked in the repo configs like the kernel is?

Having a server OS with no upgrade path is a very bad idea. Zero day exploit? How about zero month or zero year exploit? I'd like to hope that this gets changed at some point.

Grant McWilliams
http://grantmcwilliams.com/

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
Fajar A. Nugraha
2011-Oct-26 05:38 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Wed, Oct 26, 2011 at 12:33 PM, Grant McWilliams <grantmasterflash@gmail.com> wrote:
> On Tue, Oct 25, 2011 at 7:45 AM, George Shuklin <george.shuklin@gmail.com>
> wrote:
>>
>> NEVER upgrade XCP by CentOS packages.

> Why aren't those packages masked in the repo configs like the kernel is?

Probably because the repos are disabled in the first place.

> Having a server OS with no upgrade path is a very bad idea. Zero day
> exploit? How about zero month or zero year exploit? I'd like to hope that
> this gets changed at some point.

How would you "upgrade" (for example) XenServer? Or a vmware vsphere node? IMHO the same methods and policy should also apply to xcp.

--
Fajar
George Shuklin
2011-Oct-26 08:36 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
Grant McWilliams
2011-Oct-26 16:57 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Tue, Oct 25, 2011 at 10:38 PM, Fajar A. Nugraha <list@fajar.net> wrote:
> On Wed, Oct 26, 2011 at 12:33 PM, Grant McWilliams
> <grantmasterflash@gmail.com> wrote:
> > On Tue, Oct 25, 2011 at 7:45 AM, George Shuklin <george.shuklin@gmail.com>
> > wrote:
> >>
> >> NEVER upgrade XCP by CentOS packages.
>
> > Why aren't those packages masked in the repo configs like the kernel is?
>
> Probably because the repos are disabled in the first place.

They're disabled because Citrix doesn't want to support XCP. They provide updates to Xenserver.

> > Having a server OS with no upgrade path is a very bad idea. Zero day
> > exploit? How about zero month or zero year exploit? I'd like to hope that
> > this gets changed at some point.
>
> How would you "upgrade" (for example) XenServer? Or a vmware vsphere
> node? IMHO the same methods and policy should also apply to xcp.

The exact same way you'd upgrade ANY other server on the planet. And yes those same methods should be applied to XCP. You can currently upgrade but you have to pull all your nodes down, put in a CD (my nodes don't even have optical disks, why would they?) and upgrade via a CD. That means the only time you get any security updates is once every 6 months or a year and only when you can physically access the nodes.

> --
> Fajar

Grant McWilliams
http://grantmcwilliams.com/

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
Grant McWilliams
2011-Oct-26 17:04 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Wed, Oct 26, 2011 at 1:36 AM, George Shuklin <george.shuklin@gmail.com> wrote:
> Citrix provides updates for XenServer, but not for XCP.
>
> But in any way, exposing management interface to unprotected network is bad
> idea. If you have no managed interface available from internet, you have
> very few vulnerable for remote attack components: kernel, openvswitch...
> that's all.
>
> Idea behind XCP is well-protected internal network with management
> interface, unencrypted storage traffic, migration traffic, XCP own
> synchronization traffic and separate (by VLAN or by different physical
> interface) network for clients with internet access.

Then why does Citrix provide updates for XenServer?

Let's face it, the real reason is Citrix doesn't want to provide repos for XCP and I understand that but saying it's bad practice to provide updates to XCP and then do it for XenServer is flawed logic.

For those of us who are using XCP in production we need an update system. Perhaps it will be the yum to redhat's RHN but still it's needed.

Grant McWilliams
http://grantmcwilliams.com/

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
Andrew Wells
2011-Oct-26 17:19 UTC
Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
---------- Forwarded message ----------
From: Andrew Wells <agwells0714@gmail.com>
Date: Wed, Oct 26, 2011 at 1:19 PM
Subject: Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
To: Grant McWilliams <grantmasterflash@gmail.com>

People pay for xenserver, maybe the community should set up and provide a xcp update repo, and why not use centos repos for updating packages (exclude kernel updates for sure), they are not using a special ssh package or anything and centos rpms are redhat rpms in reality.

On Wed, Oct 26, 2011 at 1:04 PM, Grant McWilliams <grantmasterflash@gmail.com> wrote:
> On Wed, Oct 26, 2011 at 1:36 AM, George Shuklin <george.shuklin@gmail.com> wrote:
>
>> Citrix provides updates for XenServer, but not for XCP.
>>
>> But in any way, exposing management interface to unprotected network is
>> bad idea. If you have no managed interface available from internet, you have
>> very few vulnerable for remote attack components: kernel, openvswitch...
>> that's all.
>>
>> Idea behind XCP is well-protected internal network with management
>> interface, unencrypted storage traffic, migration traffic, XCP own
>> synchronization traffic and separate (by VLAN or by different physical
>> interface) network for clients with internet access.
>
> Then why does Citrix provide updates for XenServer?
>
> Let's face it, the real reason is Citrix doesn't want to provide repos for
> XCP and I understand that but saying it's bad practice to provide updates to
> XCP and then do it for XenServer is flawed logic.
>
> For those of us who are using XCP in production we need an update system.
> Perhaps it will be the yum to redhat's RHN but still it's needed.
>
> Grant McWilliams
> http://grantmcwilliams.com/
>
> Some people, when confronted with a problem, think "I know, I'll use
> Windows."
> Now they have two problems.
brooks@netgate.net
2011-Oct-27 01:20 UTC
Re: Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
Great points from everyone concerning the topic of XCP security updates.
To summarize:
1. The XCP project currently provides no update repo.
2. Protect your management network via a non-public routable address
space and you greatly reduce your dom0 attack surface to the kernel
and open vSwitch. While that's true, I don't think that hiding
from security problems is the answer.
3. Do not use the CentOS 5 repo to update XCP dom0.
Some packages (lvm2, etc.) have been modified to work with
Xenserver/XCP. The XCP 1.1 source iso lists the following packages
under the "guest-packages-dom0" directory:
biosdevname-0.2.4-1.xs651.src.rpm
device-mapper-multipath-0.4.7-34.xs651.src.rpm
dhcp-3.0.5-23.el5.xs651.src.rpm
directfb-1.0.1-xs651.src.rpm
e2fsprogs-1.39-23.xs651.src.rpm
ethtool-6+20090306-651.src.rpm
fbi-1.31-xs651.src.rpm
firmware-651-1.src.rpm
kexec-tools-2.0.0-651.49.src.rpm
lvm2-2.02.56-8.xs651.src.rpm
md3000-rdac-09.03.0C00.0437-651.src.rpm
md3000-rdac-tools-09.03.0C00.0437-651.src.rpm
mercurial-0.9-0.src.rpm
mkinitrd-5.1.19.6-61.xs651.src.rpm
net-snmp-5.3.2.2-9.xs651.src.rpm
open-iscsi-2.0.871-0.20.3.xs651.src.rpm
pam-0.99.6.2-6.xs651.src.rpm
PyPAM-0.4.2-3.xs651.src.rpm
python-simplejson-2.0.9-3.1.xs651.src.rpm
SDL-1.2.10-8.xs651.src.rpm
splashy-0.3.9-xs651.src.rpm
ssmtp-2.61-8.fc6.src.rpm
stunnel-4.15-2.el5.1.xs651.src.rpm
udhcp-r15050-651.src.rpm
vastsky-2.1-3.src.rpm
vhostmd-0.4-xs651.src.rpm
vncsnapshot-1.2a-xs651.src.rpm
xenserver-logos-1.0-xs651.src.rpm
xenserver-lsb-3.1-12.3.EL.xs.src.rpm
That's not a perfect list. I compared that list with a base
CentOS 5.7 repo and found these to be unique to the above list:
PyPAM
biosdevname
directfb
fbi
firmware
md3000-rdac
md3000-rdac-tools
mercurial
open-iscsi
splashy
ssmtp
udhcp-r15050
vastsky
vhostmd
vncsnapshot
xenserver-logos
xenserver-lsb
For completeness here's the list of packages that appear to have
been modified since they are listed in both the CentOS and XCP lists:
SDL
device-mapper-multipath
dhcp
e2fsprogs
ethtool
kexec-tools
lvm2
mkinitrd
net-snmp
pam
python-simplejson
stunnel
Add in the kernel, hypervisor, vswitch, and assorted utilities and
you should be able to come up with a list of packages unique to XCP
that could be used to build an exclude list if you wanted to pull
updates from a CentOS 5 repo.
It's a great topic and I'd like to keep the discussion alive. I'd also
like to hear from Mike given his insight and understanding of the project.
Ideally I think we would all like to see a Citrix sponsored XCP updates
repository.
Grant McWilliams
2011-Oct-27 02:08 UTC
Re: Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Wed, Oct 26, 2011 at 6:20 PM, <brooks@netgate.net> wrote:
> Great points from everyone concerning the topic of XCP security updates. To
> summarize:
>
> 1. The XCP project currently provides no update repo.
>
> 2. Protect your management network via a non-public routable address
>    space and you greatly reduce your dom0 attack surface to the kernel
>    and open vSwitch. While that's true, I don't think that hiding
>    from security problems is the answer.

Agreed. I don't want an exploited DomU trying to find exploits in openvswitch or the hypervisor.

> 3. Do not use the CentOS 5 repo to update XCP dom0.
>
>    Some packages (lvm2, etc.) have been modified to work with
>    Xenserver/XCP. The XCP 1.1 source iso lists the following packages
>    under the "guest-packages-dom0" directory:
>
>    biosdevname-0.2.4-1.xs651.src.rpm
>    device-mapper-multipath-0.4.7-34.xs651.src.rpm
>    dhcp-3.0.5-23.el5.xs651.src.rpm
>    directfb-1.0.1-xs651.src.rpm
>    e2fsprogs-1.39-23.xs651.src.rpm
>    ethtool-6+20090306-651.src.rpm
>    fbi-1.31-xs651.src.rpm
>    firmware-651-1.src.rpm
>    kexec-tools-2.0.0-651.49.src.rpm
>    lvm2-2.02.56-8.xs651.src.rpm
>    md3000-rdac-09.03.0C00.0437-651.src.rpm
>    md3000-rdac-tools-09.03.0C00.0437-651.src.rpm
>    mercurial-0.9-0.src.rpm
>    mkinitrd-5.1.19.6-61.xs651.src.rpm
>    net-snmp-5.3.2.2-9.xs651.src.rpm
>    open-iscsi-2.0.871-0.20.3.xs651.src.rpm
>    pam-0.99.6.2-6.xs651.src.rpm
>    PyPAM-0.4.2-3.xs651.src.rpm
>    python-simplejson-2.0.9-3.1.xs651.src.rpm
>    SDL-1.2.10-8.xs651.src.rpm
>    splashy-0.3.9-xs651.src.rpm
>    ssmtp-2.61-8.fc6.src.rpm
>    stunnel-4.15-2.el5.1.xs651.src.rpm
>    udhcp-r15050-651.src.rpm
>    vastsky-2.1-3.src.rpm
>    vhostmd-0.4-xs651.src.rpm
>    vncsnapshot-1.2a-xs651.src.rpm
>    xenserver-logos-1.0-xs651.src.rpm
>    xenserver-lsb-3.1-12.3.EL.xs.src.rpm
>
>    That's not a perfect list. I compared that list with a base
>    CentOS 5.7 repo and found these to be unique to the above list:
>
>    PyPAM
>    biosdevname
>    directfb
>    fbi
>    firmware
>    md3000-rdac
>    md3000-rdac-tools
>    mercurial
>    open-iscsi
>    splashy
>    ssmtp
>    udhcp-r15050
>    vastsky
>    vhostmd
>    vncsnapshot
>    xenserver-logos
>    xenserver-lsb
>
>    For completeness here's the list of packages that appear to have
>    been modified since they are listed in both the CentOS and XCP lists:
>
>    SDL
>    device-mapper-multipath
>    dhcp
>    e2fsprogs
>    ethtool
>    kexec-tools
>    lvm2
>    mkinitrd
>    net-snmp
>    pam
>    python-simplejson
>    stunnel
>
>    Add in the kernel, hypervisor, vswitch, and assorted utilities and
>    you should be able to come up with a list of packages unique to XCP
>    that could be used to build an exclude list if you wanted to pull
>    updates from a CentOS 5 repo.
>
> It's a great topic and I'd like to keep the discussion alive. I'd also
> like to hear from Mike given his insight and understanding of the project.
> Ideally I think we would all like to see a Citrix sponsored XCP updates
> repository.

Ideally yes the folks that know the most about it would be the best at putting together a repo. I also think that this shouldn't be a complete CentOS repo since the XCP hosts are not supposed to be complete Linux servers in any way. Keep it small, keep it solid, keep it secure. There are packages that could be considered optional too that won't get installed on every host that could be in the repo in case one needs them.

Grant McWilliams
http://grantmcwilliams.com/

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
Joseph Hom
2011-Oct-28 16:28 UTC
RE: Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On XenServer Citrix does include a repo for updates:
[citrix]
name=XenServer 6.0.0 updates
mirrorlist=http://updates.vmd.citrix.com/XenServer/6.0.0/domain0/mirrorlist
#baseurl=http://updates.vmd.citrix.com/XenServer/6.0.0/domain0/
gpgcheck=1
gpgkey=http://updates.vmd.citrix.com/XenServer/RPM-GPG-KEY-6.0.0
enabled=1
and it’s enabled by default. I’ve never seen any updates posted ever since I was
introduced to XenServer back in 4.1. I think they left this in for legacy
purposes and use service pack/hotfixes for patching.
Maybe take a cue and set up an XCP-specific repo for updates and disable the
CentOS repos by default? Or at least build proper excludes for the CentOS
repos.
From: xen-users-bounces@lists.xensource.com
[mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Grant McWilliams
Sent: Wednesday, October 26, 2011 9:08 PM
To: brooks@netgate.net
Cc: mike.mcclurg@citrix.com; Andrew Wells; xen-users
Subject: Re: Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Wed, Oct 26, 2011 at 6:20 PM, <brooks@netgate.net> wrote:
Great points from everyone concerning the topic of XCP security updates. To
summarize:
1. The XCP project currently provides no update repo.
2. Protect your management network via a non-public routable address
space and you greatly reduce your dom0 attack surface to the kernel
and open vSwitch. While that's true, I don't think that hiding
from security problems is the answer.
Agreed. I don't want an exploited DomU trying to find exploits in
openvswitch or the hypervisor.
3. Do not use the CentOS 5 repo to update XCP dom0.
Some packages (lvm2, etc.) have been modified to work with
Xenserver/XCP. The XCP 1.1 source iso lists the following packages
under the "guest-packages-dom0" directory:
biosdevname-0.2.4-1.xs651.src.rpm
device-mapper-multipath-0.4.7-34.xs651.src.rpm
dhcp-3.0.5-23.el5.xs651.src.rpm
directfb-1.0.1-xs651.src.rpm
e2fsprogs-1.39-23.xs651.src.rpm
ethtool-6+20090306-651.src.rpm
fbi-1.31-xs651.src.rpm
firmware-651-1.src.rpm
kexec-tools-2.0.0-651.49.src.rpm
lvm2-2.02.56-8.xs651.src.rpm
md3000-rdac-09.03.0C00.0437-651.src.rpm
md3000-rdac-tools-09.03.0C00.0437-651.src.rpm
mercurial-0.9-0.src.rpm
mkinitrd-5.1.19.6-61.xs651.src.rpm
net-snmp-5.3.2.2-9.xs651.src.rpm
open-iscsi-2.0.871-0.20.3.xs651.src.rpm
pam-0.99.6.2-6.xs651.src.rpm
PyPAM-0.4.2-3.xs651.src.rpm
python-simplejson-2.0.9-3.1.xs651.src.rpm
SDL-1.2.10-8.xs651.src.rpm
splashy-0.3.9-xs651.src.rpm
ssmtp-2.61-8.fc6.src.rpm
stunnel-4.15-2.el5.1.xs651.src.rpm
udhcp-r15050-651.src.rpm
vastsky-2.1-3.src.rpm
vhostmd-0.4-xs651.src.rpm
vncsnapshot-1.2a-xs651.src.rpm
xenserver-logos-1.0-xs651.src.rpm
xenserver-lsb-3.1-12.3.EL.xs.src.rpm
That's not a perfect list. I compared that list with a base
CentOS 5.7 repo and found these to be unique to the above list:
PyPAM
biosdevname
directfb
fbi
firmware
md3000-rdac
md3000-rdac-tools
mercurial
open-iscsi
splashy
ssmtp
udhcp-r15050
vastsky
vhostmd
vncsnapshot
xenserver-logos
xenserver-lsb
For completeness here's the list of packages that appear to have
been modified since they are listed in both the CentOS and XCP lists:
SDL
device-mapper-multipath
dhcp
e2fsprogs
ethtool
kexec-tools
lvm2
mkinitrd
net-snmp
pam
python-simplejson
stunnel
Add in the kernel, hypervisor, vswitch, and assorted utilities and
you should be able to come up with a list of packages unique to XCP
that could be used to build an exclude list if you wanted to pull
updates from a CentOS 5 repo.
It's a great topic and I'd like to keep the discussion alive. I'd
also like to hear from Mike given his insight and understanding of the project.
Ideally I think we would all like to see a Citrix sponsored XCP updates
repository.
Ideally yes the folks that know the most about it would be the best at putting
together a repo. I also think that this shouldn't be a complete CentOS repo
since the XCP hosts are not supposed to be complete Linux servers in any way.
Keep it small, keep it solid, keep it secure. There are packages that could be
considered optional too that won't get installed on every host that could be
in the repo in case one needs them.
Grant McWilliams
http://grantmcwilliams.com/
Some people, when confronted with a problem, think "I know, I'll use
Windows."
Now they have two problems.
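The exclude list proposed in brooks' summary and again in Joseph Hom's reply, worked through as an added example (not code from the thread or from the XCP project). It matches installed packages on their source RPM rather than their binary name, so sub-packages of a modified source package are protected too; the sample query output and the `EXTRA_GLOBS` value are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: build a yum "exclude=" line for dom0.
# Input on stdin: "NAME SOURCERPM" pairs, one per line, as printed by
#   rpm -qa --qf '%{NAME} %{SOURCERPM}\n'

# Source packages the thread lists as present in both XCP 1.1 and CentOS 5.7.
XCP_MODIFIED="SDL device-mapper-multipath dhcp e2fsprogs ethtool kexec-tools
lvm2 mkinitrd net-snmp pam python-simplejson stunnel"

# Globs for the kernel, hypervisor and vswitch. Only kernel* is filled in
# (assumption); the other package names are host-specific, add them by hand.
EXTRA_GLOBS="kernel*"

# Reduce "name-version-release.src.rpm" to "name".
srpm_name() {
    nvr=${1%.src.rpm}
    nv=${nvr%-*}                 # drop "-release"
    printf '%s\n' "${nv%-*}"     # drop "-version"
}

# Succeed if $1 is one of the modified source packages.
is_modified() {
    for m in $XCP_MODIFIED; do
        if [ "$m" = "$1" ]; then return 0; fi
    done
    return 1
}

# Print each installed binary package built from a modified source package.
# Sub-packages (dhclient from dhcp, kpartx from device-mapper-multipath) are
# caught because the match is on SOURCERPM, not on the binary name.
protected_packages() {
    while read -r name srpm; do
        [ -n "$srpm" ] || continue
        if is_modified "$(srpm_name "$srpm")"; then
            printf '%s\n' "$name"
        fi
    done | sort -u
}

# Join protected names and extra globs into one line for a repo stanza.
exclude_line() {
    set -f                       # keep kernel* literal while word-splitting
    line="exclude="
    for p in $(protected_packages) $EXTRA_GLOBS; do
        line="$line$p "
    done
    set +f
    printf '%s\n' "${line% }"
}

# Constructed sample of the rpm query output (the acpid version is made up).
sample_rpm_query() {
    cat <<'EOF'
lvm2 lvm2-2.02.56-8.xs651.src.rpm
dhclient dhcp-3.0.5-23.el5.xs651.src.rpm
kpartx device-mapper-multipath-0.4.7-34.xs651.src.rpm
e2fsprogs-libs e2fsprogs-1.39-23.xs651.src.rpm
pam pam-0.99.6.2-6.xs651.src.rpm
acpid acpid-1.0-1.el5.src.rpm
gpg-pubkey (none)
EOF
}

sample_rpm_query | exclude_line
```

On a real host, pipe the `rpm -qa` query from the header comment into `exclude_line` and place the resulting line in each CentOS repo stanza before enabling it.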