On 5/6/2015 1:18 PM, Leon Fauster wrote:
> On 06.05.2015 at 09:33, Jatin Davey <jashokda at cisco.com> wrote:
>> My guest is a CentOS 5.4 VM:
>
> Best practice: update to the latest OS version:
>
> # cat /etc/redhat-release
> CentOS release 5.11 (Final)
>
>> [root@localhost ~]# uname -a
>> Linux localhost 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
>> [root@localhost ~]# cat /etc/*release
>> CentOS release 5.4 (Final)
>>
>> I wanted to know if the virtio drivers on this guest are stable.
>
> Latest kernel package is stable:
>
> # rpm -q kernel
> kernel-2.6.18-404.el5
>
>> The reason for asking this question is that i found this link:
>>
>> http://wiki.libvirt.org/page/Virtio
>>
>> which states that in order to use the virtio drivers i need to be using the kernel >=2.6.25 ,
>> but i am using the kernel version 2.6.18 in my guest VM. I am actually able to use the virtio
>> drivers in my VM even with this kernel version and hence i wanted to know if they are stable to be used.
>>
>> Did red hat backport these drivers to CentOS 5.4 ? If yes , Can you please point me to any bug to
>> track this backport activity or any announcement of this backport task ? I need that to show to my
>> team so that we can release note this information as part of releasing our product.
>>
>> Appreciate your help in this regard.
>
> # rpm -q kernel --changelog | grep -i virtio | grep -i backp
> - [virtio] console: Backport driver for RHEL 5.6 (Amit Shah) [620037]
>
> --
> LF
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Thanks Leon,

I cannot upgrade the OS in the guest as it is being used in production environments and customers would not be comfortable with the entire OS upgrade.

This is the output that I get when I check about the backporting of the virtio drivers.

***********************
[root@localhost ~]# rpm -q kernel --changelog | grep virtio
- [xen] virtio: do not statically allocate root device (Mark McLoughlin ) [501468]
- [xen] virtio: add PCI device release function (Mark McLoughlin ) [501468]
- [net] virtio_net: mergeable receive buffers (Mark McLoughlin ) [473120]
- [net] virtio_net: jumbo frame support (Mark McLoughlin ) [473114]
- [xen] virtio_net: some relatively minor fixes (Mark McLoughlin ) [468034]
- [xen] virtio: include headers in kernel-headers package (Eduardo Pereira Habkost ) [446214]
- [xen] virtio: add PV network and block drivers for KVM (Mark McLoughlin ) [446214]
*************************

Do you think if I am safe to keep using the virtio drivers within the same kernel ?

Thanks
Jatin
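An added example, not part of any poster's message: the bracketed numbers that end Red Hat kernel changelog entries are Bugzilla bug numbers, so the `rpm -q kernel --changelog` output above can be turned into a per-entry table of bug references for release notes. The function names and the last sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: turn kernel changelog entries of the form
#   - [subsys] summary (author) [bugid]
# into "bugid<TAB>subsys<TAB>summary" rows for a keyword such as "virtio".

# Constructed sample: the seven virtio lines quoted in the thread plus one
# made-up unrelated entry to show the filter.
sample_changelog() {
cat <<'EOF'
- [xen] virtio: do not statically allocate root device (Mark McLoughlin ) [501468]
- [xen] virtio: add PCI device release function (Mark McLoughlin ) [501468]
- [net] virtio_net: mergeable receive buffers (Mark McLoughlin ) [473120]
- [net] virtio_net: jumbo frame support (Mark McLoughlin ) [473114]
- [xen] virtio_net: some relatively minor fixes (Mark McLoughlin ) [468034]
- [xen] virtio: include headers in kernel-headers package (Eduardo Pereira Habkost ) [446214]
- [xen] virtio: add PV network and block drivers for KVM (Mark McLoughlin ) [446214]
- [misc] constructed unrelated entry (Example Author) [100000]
EOF
}

# changelog_bugs KEYWORD: changelog text on stdin, one TSV row per matching entry.
changelog_bugs() {
    awk -v kw="$1" '
        BEGIN { kw = tolower(kw); OFS = "\t" }
        /^- \[/ && index(tolower($0), kw) > 0 {
            close_br = index($0, "]")                      # end of "[subsys]"
            if (!match($0, /\[[0-9]+\][ \t]*$/)) next      # no trailing bug number
            subsys  = substr($0, 4, close_br - 4)
            summary = substr($0, close_br + 2, RSTART - close_br - 2)
            bug     = substr($0, RSTART + 1)
            sub(/\].*$/, "", bug)                          # keep only the digits
            sub(/ *\([^()]*\) *$/, "", summary)            # drop "(author)"
            print bug, subsys, summary
        }'
}

# bug_ids KEYWORD: unique bug numbers, ascending, space separated.
bug_ids() {
    changelog_bugs "$1" | cut -f1 | sort -un | paste -sd ' ' -
}

# On a real guest: rpm -q kernel --changelog | changelog_bugs virtio
sample_changelog | bug_ids virtio
```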
On 05/06/2015 03:04 AM, Jatin Davey wrote:
> On 5/6/2015 1:18 PM, Leon Fauster wrote:
>> On 06.05.2015 at 09:33, Jatin Davey <jashokda at cisco.com> wrote:
>>> My guest is a CentOS 5.4 VM:
>>
>> Best practice: update to the latest OS version:
>>
>> # cat /etc/redhat-release
>> CentOS release 5.11 (Final)
>>
>>> [root@localhost ~]# uname -a
>>> Linux localhost 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009
>>> x86_64 x86_64 x86_64 GNU/Linux
>>> [root@localhost ~]# cat /etc/*release
>>> CentOS release 5.4 (Final)
>>>
>>> I wanted to know if the virtio drivers on this guest are stable.
>>
>> Latest kernel package is stable:
>>
>> # rpm -q kernel
>> kernel-2.6.18-404.el5
>>
>>> The reason for asking this question is that i found this link:
>>>
>>> http://wiki.libvirt.org/page/Virtio
>>>
>>> which states that in order to use the virtio drivers i need to be
>>> using the kernel >=2.6.25 ,
>>> but i am using the kernel version 2.6.18 in my guest VM. I am
>>> actually able to use the virtio
>>> drivers in my VM even with this kernel version and hence i wanted to
>>> know if they are stable to be used.
>>>
>>> Did red hat backport these drivers to CentOS 5.4 ? If yes , Can you
>>> please point me to any bug to
>>> track this backport activity or any announcement of this backport
>>> task ? I need that to show to my
>>> team so that we can release note this information as part of
>>> releasing our product.
>>>
>>> Appreciate your help in this regard.
>>
>> # rpm -q kernel --changelog | grep -i virtio | grep -i backp
>> - [virtio] console: Backport driver for RHEL 5.6 (Amit Shah) [620037]
>>
>> --
>> LF
>>
> Thanks Leon,
>
> I cannot upgrade the OS in the guest as it is being used in production
> environments and customers would not be comfortable with the entire OS
> upgrade.
>
> This is the output that i get when i check about the backporting of the
> virtio drivers.
>
> ***********************
> [root@localhost ~]# rpm -q kernel --changelog | grep virtio
> - [xen] virtio: do not statically allocate root device (Mark McLoughlin
> ) [501468]
> - [xen] virtio: add PCI device release function (Mark McLoughlin ) [501468]
> - [net] virtio_net: mergeable receive buffers (Mark McLoughlin ) [473120]
> - [net] virtio_net: jumbo frame support (Mark McLoughlin ) [473114]
> - [xen] virtio_net: some relatively minor fixes (Mark McLoughlin ) [468034]
> - [xen] virtio: include headers in kernel-headers package (Eduardo
> Pereira Habkost ) [446214]
> - [xen] virtio: add PV network and block drivers for KVM (Mark
> McLoughlin ) [446214]
> *************************
>
> Do you think if i am safe to keep using the virtio drivers within the
> same kernel ?
>
> Thanks
> Jatin

So they are comfortable not maintaining security?

If you look at this page .. that install is susceptible to every issue on that page since page 75 (if the other components are also at the same level as that kernel):

https://rhn.redhat.com/errata/rhel-server-errata.html

There are literally 75 pages of updates at 25 updates per page or about 1875 updates to CentOS-5 that are unapplied. Of those updates, 23 pages (or 575 updates) are security updates.

Just these two alone are worth upgrading for:

https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

https://isc.sans.edu/forums/diary/Samba+vulnerability+Remote+Code+Execution+CVE20150240/19373/

You have several hundred more Critical or Important security updates outstanding. If that box touches the Internet in any way, it is likely compromised. Just in the last 6 months there are 21 Important or Critical updates.

Thanks,
Johnny Hughes
lhecking at users.sourceforge.net
2015-May-06 11:04 UTC
[CentOS] VirtIO drivers and CentOS 5.4(Final)
> You have several hundred more Critical or Important security updates
> outstanding. If that box touches the Internet in any way, it is likely
> compromised. Just in the last 6 months there are 21 Important or
> Critical updates.

That is an important qualifier: *If* that box touches the Internet in any way. Although one might add that attacks on the LAN can be nastier since there usually is local access.

While I'm all for keeping machines current, there are production environments where upgrading is a huge pain or outright impossible. Where any upgrades need to undergo a rigorous QA process. Where an outdated environment including equally outdated production tools needs to be maintained, on the chance e.g. that a customer return requires reworking an old part.

I would consider it part of list etiquette to not second-guess those who for one reason or another make a conscious decision to stick to a particular environment.

I will no doubt be told that CentOS 5.4 = CentOS 5.11 = CentOS 5, i.e. the same OS, but this is not strictly true. For example, it would appear that autofs breakage and performance loss is at a minimum in 5.4.

There :)