Mike Hanby
2010-Sep-21 18:05 UTC
[Lustre-discuss] Lustre 1.8.4 with new kernel 2.6.18-194.11.4
Are there any plans to build new Lustre 1.8.4 patched kernel packages for EL5 kernel 2.6.18-194.11.4?

This kernel has the patch that prevents the much talked about privilege escalation CVE-2010-3081:
https://rhn.redhat.com/errata/RHSA-2010-0704.html

Regards,

Mike
Brian J. Murrell
2010-Sep-21 19:25 UTC
[Lustre-discuss] Lustre 1.8.4 with new kernel 2.6.18-194.11.4
On Tue, 2010-09-21 at 13:05 -0500, Mike Hanby wrote:
> Are there any plans to build new Lustre 1.8.4 patched kernel packages for EL5 kernel 2.6.18-194.11.4?
>
> This kernel has the patch that prevents the much talked about privilege escalation CVE-2010-3081:
> https://rhn.redhat.com/errata/RHSA-2010-0704.html

Without commenting one way or the other about whether we will produce a 1.8.4.1 to deal with this kernel issue (because I don't know), I'd ask do you have other (i.e. network) services or non-privileged user accounts on your Lustre servers?

b.
Kevin Van Maren
2010-Sep-21 19:35 UTC
[Lustre-discuss] Lustre 1.8.4 with new kernel 2.6.18-194.11.4
https://bugzilla.lustre.org/show_bug.cgi?id=22514

Have you tried the 1.8.4 client on the stock kernel?

Kevin

Mike Hanby wrote:
> Are there any plans to build new Lustre 1.8.4 patched kernel packages for EL5 kernel 2.6.18-194.11.4?
>
> This kernel has the patch that prevents the much talked about privilege escalation CVE-2010-3081:
> https://rhn.redhat.com/errata/RHSA-2010-0704.html
>
> Regards,
>
> Mike
Jason Hill
2010-Sep-21 19:41 UTC
[Lustre-discuss] Lustre 1.8.4 with new kernel 2.6.18-194.11.4
Brian,

While I agree with the question - some of us have user facing machines that we've chosen to use the patched lustre kernel on for clients -- we see a 50-300MB/s bump from using a patched client. Those machines are user facing and while we've put in a workaround, having a patched client + kernel that does not require the workaround is something we'd like to get to. So while I don't think most of the community would have user accounts on their lustre servers - the packages provided by Oracle are not solely used for server purposes.

Yes, we could undertake building kernels ourselves. We're working on an effort to do so - so don't take this as me adding to the list of people who would like this done "real soon now", just another point of view.

Thanks,

--
-Jason
-------------------------------------------------
// Jason J. Hill //
// HPC Systems Administrator //
// National Center for Computational Sciences //
// Oak Ridge National Laboratory //
// e-mail: hilljj at ornl.gov //
// Phone: (865) 576-5867 //
-------------------------------------------------

On Tue, Sep 21, 2010 at 03:25:01PM -0400, Brian J. Murrell wrote:
> On Tue, 2010-09-21 at 13:05 -0500, Mike Hanby wrote:
> > Are there any plans to build new Lustre 1.8.4 patched kernel packages for EL5 kernel 2.6.18-194.11.4?
> >
> > This kernel has the patch that prevents the much talked about privilege escalation CVE-2010-3081:
> > https://rhn.redhat.com/errata/RHSA-2010-0704.html
>
> Without commenting one way or the other about whether we will produce a
> 1.8.4.1 to deal with this kernel issue (because I don't know), I'd ask
> do you have other (i.e. network) services or non-privileged user
> accounts on your Lustre servers?
>
> b.
Mike Hanby
2010-Sep-21 20:04 UTC
[Lustre-discuss] Lustre 1.8.4 with new kernel 2.6.18-194.11.4
Howdy Kevin, Jason, Brian, thanks for the link to bug 22514. We are currently running 1.8.1 and will be upgrading in the next several weeks once new hardware arrives, so I'm just getting an idea of the steps I'll be taking during the install.

Brian, no, we do not allow normal users to log into the Lustre servers.

Good point.

Thanks for the info,

Mike

-----Original Message-----
From: Kevin Van Maren [mailto:kevin.van.maren at oracle.com]
Sent: Tuesday, September 21, 2010 2:36 PM
To: Mike Hanby
Cc: lustre-discuss at lists.lustre.org
Subject: Re: [Lustre-discuss] Lustre 1.8.4 with new kernel 2.6.18-194.11.4

https://bugzilla.lustre.org/show_bug.cgi?id=22514

Have you tried the 1.8.4 client on the stock kernel?

Kevin

Mike Hanby wrote:
> Are there any plans to build new Lustre 1.8.4 patched kernel packages for EL5 kernel 2.6.18-194.11.4?
>
> This kernel has the patch that prevents the much talked about privilege escalation CVE-2010-3081:
> https://rhn.redhat.com/errata/RHSA-2010-0704.html
>
> Regards,
>
> Mike
Brian J. Murrell
2010-Sep-21 20:17 UTC
[Lustre-discuss] Lustre 1.8.4 with new kernel 2.6.18-194.11.4
On Tue, 2010-09-21 at 15:04 -0500, Mike Hanby wrote:
>
> Brian, no, we do not allow normal users to log into the Lustre servers.

Ahhhh. Then your exposure is minimal to nil as the vulnerability is indeed a local escalation only, not a remote one.

> Good point.

Yeah, just wanted to put it into perspective for all concerned.

There is still the case that Jason points out though of running the patched kernel on the clients although in that case, we'd like to discover where the performance discrepancies are and correct those so that the patchless client is suitable for everyone.

> Thanks for the info,

NP.

b.
Jason Hill
2010-Sep-22 00:26 UTC
[Lustre-discuss] Lustre 1.8.4 with new kernel 2.6.18-194.11.4
Brian,

I have not tested scenarios since we rolled out 1.6.5.1 clients to some of our clusters and data transfer nodes. We're in the process of moving clients to 1.8 as we upgrade the OS (and potentially OFED) underneath those resources. Our patchless clients have OFED 1.3.1 with Lustre (1.6.5.1, 1.6.6, 1.6.7.2), on CentOS, or Scientific Linux 5.0, 5.1 or 5.2. Enough variance there for you? We're working to get to a standard, but as you know it can be difficult.

I'll post results to a bugzilla when I test with CentOS 5.5 with OFED 1.5.X using patchless and patched clients...which I hope to do in the next few weeks.

Thanks,
-Jason

On Tue, Sep 21, 2010 at 04:17:17PM -0400, Brian J. Murrell wrote:
> There is still the case that Jason points out though of running the
> patched kernel on the clients although in that case, we'd like to
> discover where the performance discrepancies are and correct those so
> that the patchless client is suitable for everyone.
>
> b.