Hello, I am still new to xen, and was just wondering how people handle updating their kernels for xen. More specifically for those that build their kernels from source. Are there patches available or do you have to recompile your kernels whenever an exploit is found?

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On 7/17/06, Matt Ouellette <mfo62786@thecsl.org> wrote:
> Hello,
> I am still new to xen, and was just wondering how people handle
> updating their kernels for xen.

I install a new version and adjust my grub config.

> More specifically for those that build
> their kernels from source. Are there patches available or do you have
> to recompile your kernels whenever an exploit is found?

You mean binary patches? Why do you think it's open _source_?

So yes, you have to use the binary packages, or compile each new version, each new source patch. Additionally, the xen patches are always made against a specific kernel version. That means, if in kernel 2.6.16 an issue is found, you most probably have to wait until the xen developers release a xen patch version for the new, fixed, upstream kernel.

Henning
Henning Sprang wrote:
> On 7/17/06, Matt Ouellette <mfo62786@thecsl.org> wrote:
>> Hello,
>> I am still new to xen, and was just wondering how people handle
>> updating their kernels for xen.
>
> I install a new version and adjust my grub config.
>
>> More specifically for those that build
>> their kernels from source. Are there patches available or do you have
>> to recompile your kernels whenever an exploit is found?
>
> You mean binary patches? Why do you think it's open _source_?
>
> So yes, you have to use the binary packages, or compile each new
> version, each new source patch. Additionally, the xen patches are
> always made against a specific kernel version. That means, if in
> kernel 2.6.16 an issue is found, you most probably have to wait until
> the xen developers release a xen patch version for the new, fixed,
> upstream kernel.
>
> Henning

Thank you for your response. A couple of other questions, maybe I just worry too much, but how long does it usually take the xen developers to release a patch for a fixed kernel when an issue is found? Also, where would a good place to get patches from be? Are there any that are more reliable or quicker with updates than others?
On 7/19/06, Matt Ouellette <mfo62786@thecsl.org> wrote:
> Thank you for your response. A couple of other questions, maybe I just
> worry too much, but how long does it usually take the xen developers to
> release a patch for a fixed kernel when an issue is found? Also, where
> would a good place to get patches from be?

xen and security updates and fixes is an interesting topic, didn't worry about that too much yet because I currently don't run any public services on xen.

New xen versions (which are releases of xen hypervisor, utils, and a patched linux kernel) come to the xensource or the .uk download locations, I guess nearly at the same time.

At least, on dom0 you shouldn't run any services anyway but xen. But there's more to think of, for sure.

Henning
On Wed, Jul 19, 2006 at 11:38:46AM +0200, Henning Sprang wrote:
> So yes, you have to use the binary packages, or compile each new
> version, each new source patch. Additionally, the xen patches are
> always made against a specific kernel version. That means, if in
> kernel 2.6.16 an issue is found, you most probably have to wait until
> the xen developers release a xen patch version for the new, fixed,
> upstream kernel.

I'm using the Xen kernel patch from hg9628 (actually what's in http://svn.debian.org/wsvn/pkg-xen/trunk/patches/linux-2.6.16-xen.patch.gz?op=log&rev=0&sc=0&isdir=0) with 2.6.16.27 and so far haven't had any problems (the patch applies with one or two line offsets but otherwise cleanly).

I suspect that there aren't any guarantees, but that the patches will generally continue to work across new -stable releases. It would be good to have some official word on compatibility and if there is a preferred method of tracking upstream security updates.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
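The situation Dominic describes (a Xen patch made against 2.6.16 applying to 2.6.16.27 with one or two line offsets) is exactly what patch(1)'s "offset", "fuzz" and "FAILED" reporting distinguishes. As an added example for this thread, not part of the original messages and not Xen or kernel code, the script below reimplements that hunk-locating logic in Python on a constructed toy tree and diff, so a build script can tell a harmless offset from a hunk that only applied with fuzz or not at all, rather than trusting "it applied". The file path, the source lines, the hunk and the xen_start_info_init() call are made up for illustration; only the parsing and search logic is general.

```python
"""Does the Xen kernel patch still apply to a newer -stable tree, and how?

Added example for this thread, not Xen or Linux code.  It mimics the part of
patch(1) that reports "succeeded at N (offset M lines)", "with fuzz F" or
"FAILED", so a build script can decide whether a patch made against 2.6.16
is still usable on e.g. 2.6.16.27.  The tree and diff below are constructed
toy data; a real tree is loaded into the same {path: [lines]} shape.
"""
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def parse_unified_diff(text, strip=1):
    """Return {path: [hunk]}; hunk = {'old_start': int, 'lines': [str]}.
    `strip` mirrors patch -pN (path components dropped from the +++ line)."""
    files, hunks, remaining = {}, None, 0
    for line in text.splitlines():
        if remaining > 0:                        # inside a hunk body
            line = line or " "                   # bare "" means empty context line
            tag = line[0]
            if tag == "\\":                      # "\ No newline at end of file"
                continue
            if tag not in " -+":
                raise ValueError("malformed hunk body: %r" % line)
            hunks[-1]["lines"].append(line)
            remaining -= 2 if tag == " " else 1  # context counts on both sides
        elif line.startswith("+++ "):
            path = line[4:].split("\t")[0].split("/", strip)[-1]
            hunks = files.setdefault(path, [])
        elif line.startswith("@@"):
            m = HUNK_RE.match(line)
            old_len, new_len = (int(g) if g is not None else 1 for g in (m.group(2), m.group(4)))
            hunks.append({"old_start": int(m.group(1)), "lines": []})
            remaining = old_len + new_len
    return files

def locate_hunk(file_lines, hunk, max_fuzz=2):
    """Where does the hunk's old side match?  Returns (offset, fuzz) or None.
    Like patch(1): exact match first, nominal position first, then outward;
    fuzz F ignores up to F lines of leading and trailing context."""
    lines = hunk["lines"]
    old = [l[1:] for l in lines if l[0] != "+"]
    lead = next((i for i, l in enumerate(lines) if l[0] != " "), len(lines))
    trail = next((i for i, l in enumerate(reversed(lines)) if l[0] != " "), 0)
    nominal = hunk["old_start"] - 1
    for fuzz in range(max_fuzz + 1):
        cut_lead, cut_trail = min(fuzz, lead), min(fuzz, trail)
        want = old[cut_lead:len(old) - cut_trail]
        if not want:
            break
        target = nominal + cut_lead
        for dist in range(len(file_lines) + 1):
            for pos in (target,) if dist == 0 else (target - dist, target + dist):
                if 0 <= pos <= len(file_lines) - len(want) and \
                        file_lines[pos:pos + len(want)] == want:
                    return pos - target, fuzz
    return None

def check_patch(tree, diff_text, strip=1):
    """tree = {path: [lines]}.  One result dict per hunk."""
    results = []
    for path, hunks in parse_unified_diff(diff_text, strip).items():
        for n, hunk in enumerate(hunks, 1):
            loc = locate_hunk(tree[path], hunk) if path in tree else None
            if loc is None:
                status, offset, fuzz = "FAILED", None, None
            else:
                offset, fuzz = loc
                status = "fuzz" if fuzz else "offset" if offset else "clean"
            results.append({"path": path, "hunk": n, "status": status,
                            "offset": offset, "fuzz": fuzz})
    return results

def safe_to_build(results):
    """Policy: a line offset is fine (patch handles it); fuzz means a human
    checks that hunk; a FAILED hunk means waiting for a rebased Xen patch."""
    return all(r["status"] in ("clean", "offset") for r in results)

# Constructed stand-ins: a 2.6.16 file, the same file after a -stable fix added
# two lines above the region the Xen hunk touches, one where -stable changed a
# context line, and one where it changed a line the hunk itself relies on.
PATH = "arch/i386/kernel/setup.c"
BASE = ["#include <linux/module.h>", "", "static int setup_arch(char **cmdline_p)",
        "{", "\tparse_cmdline(*cmdline_p);", "\tsetup_memory();",
        "\tpaging_init();", "\treturn 0;", "}"]
STABLE_SHIFTED = BASE[:2] + ["#include <linux/init.h>", "#include <linux/sched.h>"] + BASE[2:]
STABLE_FUZZY = [l.replace("static int setup_arch", "static int __init setup_arch") for l in BASE]
STABLE_CONFLICT = [l.replace("setup_memory();", "setup_memory(max_pfn);") for l in BASE]
XEN_DIFF = "\n".join([
    "--- a/" + PATH, "+++ b/" + PATH, "@@ -3,6 +3,7 @@",
    " static int setup_arch(char **cmdline_p)", " {",
    " \tparse_cmdline(*cmdline_p);", "+\txen_start_info_init();",
    " \tsetup_memory();", " \tpaging_init();", " \treturn 0;"])

if __name__ == "__main__":
    for name, tree in [("2.6.16", BASE), ("shifted", STABLE_SHIFTED),
                       ("fuzzy", STABLE_FUZZY), ("conflict", STABLE_CONFLICT)]:
        res = check_patch({PATH: tree}, XEN_DIFF)
        print(name, res[0]["status"], res[0]["offset"], res[0]["fuzz"], safe_to_build(res))
```

On a real tree the equivalent check is `patch -p1 --dry-run < linux-2.6.16-xen.patch` and grepping its output for "fuzz" and "FAILED" before building. The point of the policy in safe_to_build is that an offset is the routine result of a -stable release inserting lines elsewhere in the file, while fuzz means the context the Xen developers relied on has itself changed and that hunk deserves a look before the result is booted as dom0.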
An interesting question about how linux kernel security updates get into xen and how and how fast xen users can expect security problems in linux will also be fixed in the linux kernels from xensource. As it seems nobody from xensource or the xen developer community reads xen-users, so I forward it here:

---------- Forwarded message ----------
From: Dominic Hargreaves <dom@earth.li>
Date: Jul 20, 2006 9:41 AM
Subject: Re: [Xen-users] updating kernel
To: xen-users@lists.xensource.com

On Wed, Jul 19, 2006 at 11:38:46AM +0200, Henning Sprang wrote:
> So yes, you have to use the binary packages, or compile each new
> version, each new source patch. Additionally, the xen patches are
> always made against a specific kernel version. That means, if in
> kernel 2.6.16 an issue is found, you most probably have to wait until
> the xen developers release a xen patch version for the new, fixed,
> upstream kernel.

I'm using the Xen kernel patch from hg9628 (actually what's in http://svn.debian.org/wsvn/pkg-xen/trunk/patches/linux-2.6.16-xen.patch.gz?op=log&rev=0&sc=0&isdir=0) with 2.6.16.27 and so far haven't had any problems (the patch applies with one or two line offsets but otherwise cleanly).

I suspect that there aren't any guarantees, but that the patches will generally continue to work across new -stable releases. It would be good to have some official word on compatibility and if there is a preferred method of tracking upstream security updates.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
On 7/20/06, Dominic Hargreaves <dom@earth.li> wrote:
> [...]
> I suspect that there aren't any guarantees, but that the patches will
> generally continue to work across new -stable releases. It would be good
> to have some official word on compatibility and if there is a preferred
> method of tracking upstream security updates.

Forwarded this question to xen-devel in the hope somebody might read and reply to it..

Henning
Matt Ouellette wrote:
> Henning Sprang wrote:
>
>> On 7/17/06, Matt Ouellette <mfo62786@thecsl.org> wrote:
>>
>>> Hello,
>>> I am still new to xen, and was just wondering how people handle
>>> updating their kernels for xen.
>>>
>> I install a new version and adjust my grub config.
>>
>>
>>> More specifically for those that build
>>> their kernels from source. Are there patches available or do you have
>>> to recompile your kernels whenever an exploit is found?
>>>
>> You mean binary patches? Why do you think it's open _source_?
>>
>> So yes, you have to use the binary packages, or compile each new
>> version, each new source patch. Additionally, the xen patches are
>> always made against a specific kernel version. That means, if in
>> kernel 2.6.16 an issue is found, you most probably have to wait until
>> the xen developers release a xen patch version for the new, fixed,
>> upstream kernel.
>>
>> Henning
>>
> Thank you for your response. A couple of other questions, maybe I just
> worry too much, but how long does it usually take the xen developers to
> release a patch for a fixed kernel when an issue is found? Also, where
> would a good place to get patches from be? Are there any that are more
> reliable or quicker with updates than others?

Sorry to keep asking about the same topic, but I have one more question regarding security updates for xen kernels. Is there a mailing list or anything out there that I can sign up for to be notified when an exploit or other security problem is found in a xen kernel?
On 7/28/06, Matt Ouellette <mfo62786@thecsl.org> wrote:
> [...]
> Sorry to keep asking about the same topic, but I have one more question
> regarding security updates for xen kernels.

Security is quite interesting, isn't it?!

> Is there a mailing list or
> anything out there that I can sign up for to be notified when an exploit
> or other security problem is found in a xen kernel.
>

Not that I know of.

Too sad that the xen developers seem not to feel any need to reply on this question I asked them. They seem too busy counting money from their deals with MS - no time to shed a light on their developing processes and security handling.

Henning
Henning Sprang wrote:
> On 7/28/06, Matt Ouellette <mfo62786@thecsl.org> wrote:
>> [...]
>> Sorry to keep asking about the same topic, but I have one more question
>> regarding security updates for xen kernels.
>
> Security is quite interesting, isn't it?!
>
>> Is there a mailing list or
>> anything out there that I can sign up for to be notified when an exploit
>> or other security problem is found in a xen kernel.
>>
>
> Not that I know of.
>
> Too sad that the xen developers seem not to feel any need to reply on
> this question I asked them. They seem too busy counting money from
> their deals with MS - no time to shed a light on their developing
> processes and security handling.
>
> Henning

(what deal?)

I am too concerned by security. Before moving to production I would like to know how xen developers will handle the update of the xen-kernel patch. Will there be a sort of 'universal' xen patch for the vanilla kernel, so a user may patch himself a known-exploit-free kernel?

thx.
kfx
Binaries never work for weird/obscure machine configurations... so building from source is the norm for using Xen, rather than just for plugging exploits/compatibilities.

Regards,
KK

On 7/18/06, Matt Ouellette <mfo62786@thecsl.org> wrote:
> Hello,
> I am still new to xen, and was just wondering how people handle
> updating their kernels for xen. More specifically for those that build
> their kernels from source. Are there patches available or do you have
> to recompile your kernels whenever an exploit is found?