Okay, I figured out that dom0 is actually some sort of CentOS, and it has Yum. The only question remaining is where I can find compatible packages to install for XCP 1.0.

I'd be interested in stuff like acpid, smartd...

Daniel

2011/9/16 József Dániel <daniel.jozsef@gmail.com>:
> Hello,
>
> I was wondering what is the easiest way to get my XCP box to honor
> ACPI shutdowns. It's a SOHO server, so time to time it'd be super
> handy to just push the power button, and have the system shut down
> cleanly.
> (BTW I wonder what XCP does to VMs on shutdown by default... Sends
> them an ACPI shutdown signal, or just powers them off?)
>
> Is there some sort of package management to install acpid? Or is there
> a config setting somewhere to do the above?
>
> Daniel
It is CentOS. The yum cent repos are configured, just not enabled.

yum --enablerepo=base install acpid smartd should work.
József Dániel
2011-Oct-24 21:32 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
Hello,

This did work after deleting the Citrix repo, but now it wants to upgrade more than 100 packages, which does not necessarily sound like a good idea.

Should I just go ahead as it's just security updates, or would it throw my installation into chaos? I am very unfamiliar with CentOS versioning policy. Is it something like Debian (good) or something like Gentoo (bad)? :D

If it's bad, how can I freeze the system version to a known safe point, while being able to install packages?

D
George Shuklin
2011-Oct-25 14:45 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
Grant McWilliams
2011-Oct-26 05:33 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Tue, Oct 25, 2011 at 7:45 AM, George Shuklin <george.shuklin@gmail.com> wrote:
> NEVER upgrade XCP by CentOS packages.
>
> You will break it beyond repair level. Reason is simple: XCP shipped with
> patched packages, and replacing them with non-patched will cause grave
> damage. And worst is damage is not instant - you will continue to operate,
> but found 'something got wrong' later.
>
> The most important is lvm2 package, which is patched to allow shared
> storage usage (--master option). Default LVM2 will trash metadata on LVM SR
> (LVM and LVMoISCSI SM) at some moment.
>
> Other (i'm not sure) is udev package, and may be few more.

Why aren't those packages masked in the repo configs like the kernel is?

Having a server OS with no upgrade path is a very bad idea. Zero day exploit? How about zero month or zero year exploit? I'd like to hope that this gets changed at some point.

Grant McWilliams
http://grantmcwilliams.com/

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
Fajar A. Nugraha
2011-Oct-26 05:38 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Wed, Oct 26, 2011 at 12:33 PM, Grant McWilliams <grantmasterflash@gmail.com> wrote:
> On Tue, Oct 25, 2011 at 7:45 AM, George Shuklin <george.shuklin@gmail.com> wrote:
>>
>> NEVER upgrade XCP by CentOS packages.
>
> Why aren't those packages masked in the repo configs like the kernel is?

Probably because the repos are disabled in the first place.

> Having a server OS with no upgrade path is a very bad idea. Zero day
> exploit? How about zero month or zero year exploit? I'd like to hope that
> this gets changed at some point.

How would you "upgrade" (for example) XenServer? Or a vmware vsphere node? IMHO the same methods and policy should also apply to xcp.

--
Fajar
George Shuklin
2011-Oct-26 08:36 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
Grant McWilliams
2011-Oct-26 16:57 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Tue, Oct 25, 2011 at 10:38 PM, Fajar A. Nugraha <list@fajar.net> wrote:
> On Wed, Oct 26, 2011 at 12:33 PM, Grant McWilliams <grantmasterflash@gmail.com> wrote:
> > On Tue, Oct 25, 2011 at 7:45 AM, George Shuklin <george.shuklin@gmail.com> wrote:
> >>
> >> NEVER upgrade XCP by CentOS packages.
> >
> > Why aren't those packages masked in the repo configs like the kernel is?
>
> Probably because the repos are disabled in the first place.

They're disabled because Citrix doesn't want to support XCP. They provide updates to Xenserver.

> > Having a server OS with no upgrade path is a very bad idea. Zero day
> > exploit? How about zero month or zero year exploit? I'd like to hope that
> > this gets changed at some point.
>
> How would you "upgrade" (for example) XenServer? Or a vmware vsphere
> node? IMHO the same methods and policy should also apply to xcp.

The exact same way you'd upgrade ANY other server on the planet. And yes those same methods should be applied to XCP. You can currently upgrade but you have to pull all your nodes down, put in a CD (my nodes don't even have optical disks, why would they?) and upgrade via a CD. That means the only time you get any security updates is once every 6 months or a year and only when you can physically access the nodes.

Grant McWilliams
http://grantmcwilliams.com/
Grant McWilliams
2011-Oct-26 17:04 UTC
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Wed, Oct 26, 2011 at 1:36 AM, George Shuklin <george.shuklin@gmail.com> wrote:
> Citrix provides updates for XenServer, but not for XCP.
>
> But in any way, exposing management interface to unprotected network is bad
> idea. If you have no managed interface available from internet, you have
> very few vulnerable for remote attack components: kernel, openvswitch...
> thats all.
>
> Idea behind XCP is well-protected internal network with management
> interface, unencrypted storage traffic, migration traffic, XCP own
> synchronization traffic and separate (by VLAN or by different physical
> interface) network for clients with internet access.

Then why does Citrix provide updates for XenServer?

Let's face it, the real reason is Citrix doesn't want to provide repos for XCP and I understand that but saying it's bad practice to provide updates to XCP and then do it for XenServer is flawed logic.

For those of us who are using XCP in production we need an update system. Perhaps it will be the yum to redhat's RHN but still it's needed.

Grant McWilliams
http://grantmcwilliams.com/
Andrew Wells
2011-Oct-26 17:19 UTC
Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
---------- Forwarded message ----------
From: Andrew Wells <agwells0714@gmail.com>
Date: Wed, Oct 26, 2011 at 1:19 PM
Subject: Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
To: Grant McWilliams <grantmasterflash@gmail.com>

People pay for xenserver, maybe the community should set up and provide a xcp update repo, and why not use centos repos for updating packages (exclude kernel updates for sure), they are not using a special ssh package or anything and centos rpms are redhat rpms in reality.
brooks@netgate.net
2011-Oct-27 01:20 UTC
Re: Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
Great points from everyone concerning the topic of XCP security updates. To summarize:

1. The XCP project currently provides no update repo.

2. Protect your management network via a non-public routable address space and you greatly reduce your dom0 attack surface to the kernel and open vSwitch. While that's true, I don't think that hiding from security problems is the answer.

3. Do not use the CentOS 5 repo to update XCP dom0.

   Some packages (lvm2, etc.) have been modified to work with Xenserver/XCP. The XCP 1.1 source iso lists the following packages under the "guest-packages-dom0" directory:

   biosdevname-0.2.4-1.xs651.src.rpm
   device-mapper-multipath-0.4.7-34.xs651.src.rpm
   dhcp-3.0.5-23.el5.xs651.src.rpm
   directfb-1.0.1-xs651.src.rpm
   e2fsprogs-1.39-23.xs651.src.rpm
   ethtool-6+20090306-651.src.rpm
   fbi-1.31-xs651.src.rpm
   firmware-651-1.src.rpm
   kexec-tools-2.0.0-651.49.src.rpm
   lvm2-2.02.56-8.xs651.src.rpm
   md3000-rdac-09.03.0C00.0437-651.src.rpm
   md3000-rdac-tools-09.03.0C00.0437-651.src.rpm
   mercurial-0.9-0.src.rpm
   mkinitrd-5.1.19.6-61.xs651.src.rpm
   net-snmp-5.3.2.2-9.xs651.src.rpm
   open-iscsi-2.0.871-0.20.3.xs651.src.rpm
   pam-0.99.6.2-6.xs651.src.rpm
   PyPAM-0.4.2-3.xs651.src.rpm
   python-simplejson-2.0.9-3.1.xs651.src.rpm
   SDL-1.2.10-8.xs651.src.rpm
   splashy-0.3.9-xs651.src.rpm
   ssmtp-2.61-8.fc6.src.rpm
   stunnel-4.15-2.el5.1.xs651.src.rpm
   udhcp-r15050-651.src.rpm
   vastsky-2.1-3.src.rpm
   vhostmd-0.4-xs651.src.rpm
   vncsnapshot-1.2a-xs651.src.rpm
   xenserver-logos-1.0-xs651.src.rpm
   xenserver-lsb-3.1-12.3.EL.xs.src.rpm

   That's not a perfect list. I compared that list with a base CentOS 5.7 repo and found these to be unique to the above list:

   PyPAM
   biosdevname
   directfb
   fbi
   firmware
   md3000-rdac
   md3000-rdac-tools
   mercurial
   open-iscsi
   splashy
   ssmtp
   udhcp-r15050
   vastsky
   vhostmd
   vncsnapshot
   xenserver-logos
   xenserver-lsb

   For completeness here's the list of packages that appear to have been modified since they are listed in both the CentOS and XCP lists:

   SDL
   device-mapper-multipath
   dhcp
   e2fsprogs
   ethtool
   kexec-tools
   lvm2
   mkinitrd
   net-snmp
   pam
   python-simplejson
   stunnel

   Add in the kernel, hypervisor, vswitch, and assorted utilities and you should be able to come up with a list of packages unique to XCP that could be used to build an exclude list if you wanted to pull updates from a CentOS 5 repo.

It's a great topic and I'd like to keep the discussion alive. I'd also like to hear from Mike given his insight and understanding of the project. Ideally I think we would all like to see a Citrix sponsored XCP updates repository.
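The comparison described in the message above, as an added example that is not part of the thread or of XCP: it reduces source RPM file names to package names, splits them into "rebuilt by XCP" and "XCP only" against a CentOS package-name list, and prints a yum `exclude=` line. The function names are hypothetical, the CentOS name list is a constructed stand-in, and `kernel*` is passed as an extra pattern because the message says to add the kernel.

```shell
#!/bin/sh
# Added example (not from the thread): derive a yum exclude list from the
# XCP source RPM file names, following the comparison described above.
LC_ALL=C; export LC_ALL            # byte-order sort, same result everywhere

# name-version-release.src.rpm -> name. Neither version nor release may
# contain '-', so the last two dash-separated fields are always V and R.
srpm_name() {
    printf '%s\n' "$1" | sed -e 's/\.src\.rpm$//' -e 's/-[^-]*-[^-]*$//'
}

# stdin: one src.rpm file name per line; stdout: sorted unique names.
xcp_names() {
    while read -r f; do
        if [ -n "$f" ]; then srpm_name "$f"; fi
    done | sort -u
}

# $1: file of XCP src.rpm names, $2: file of CentOS package names.
# Names in both lists: XCP rebuilt them, a CentOS update would replace them.
modified_names() { xcp_names < "$1" | grep -Fx -f "$2" || true; }

# Names only XCP ships; the CentOS repo has nothing that overwrites them.
xcp_only_names() { xcp_names < "$1" | grep -Fxv -f "$2" || true; }

# $1, $2 as above; further arguments are extra patterns such as "kernel*".
# Prints the line to place in each CentOS repo section.
yum_exclude_line() {
    srpms=$1; centos=$2; shift 2
    list=$(modified_names "$srpms" "$centos" | tr '\n' ' ')
    printf 'exclude=%s%s\n' "$list" "$*"
}

# Sample input: src.rpm names quoted in the thread, plus a constructed
# stand-in for a CentOS 5 package-name listing.
write_samples() {
    cat > "$1/xcp-srpms.txt" <<'EOF'
lvm2-2.02.56-8.xs651.src.rpm
device-mapper-multipath-0.4.7-34.xs651.src.rpm
pam-0.99.6.2-6.xs651.src.rpm
SDL-1.2.10-8.xs651.src.rpm
open-iscsi-2.0.871-0.20.3.xs651.src.rpm
md3000-rdac-tools-09.03.0C00.0437-651.src.rpm
xenserver-lsb-3.1-12.3.EL.xs.src.rpm
ethtool-6+20090306-651.src.rpm
EOF
    cat > "$1/centos-names.txt" <<'EOF'
SDL
bash
device-mapper-multipath
ethtool
lvm2
openssh
pam
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "modified by XCP:"; modified_names "$tmp/xcp-srpms.txt" "$tmp/centos-names.txt"
echo "XCP only:";        xcp_only_names "$tmp/xcp-srpms.txt" "$tmp/centos-names.txt"
yum_exclude_line "$tmp/xcp-srpms.txt" "$tmp/centos-names.txt" 'kernel*'
rm -rf "$tmp"
```

Source RPM names do not cover every binary subpackage built from them; on the host, `rpm -qa --qf '%{NAME} %{SOURCERPM}\n'` shows which installed packages come from which source RPM.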
Grant McWilliams
2011-Oct-27 02:08 UTC
Re: Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On Wed, Oct 26, 2011 at 6:20 PM, <brooks@netgate.net> wrote:
> Great points from everyone concerning the topic of XCP security updates. To
> summarize:
>
> 1. The XCP project currently provides no update repo.
>
> 2. Protect your management network via an non-public routable address
>    space and you greatly reduce your dom0 attack surface to the kernel
>    and open vSwitch. While that's true, I don't think that hiding
>    from security problems is the answer.

Agreed. I don't want an exploited DomU trying to find exploits in openvswitch or the hypervisor.

> It's a great topic and I'd like to keep the discussion alive. I'd also
> like to hear from Mike given his insight and understanding of the project.
> Ideally I think we would all like to see a Citrix sponsored XCP updates
> repository.

Ideally yes the folks that know the most about it would be the best at putting together a repo. I also think that this shouldn't be a complete CentOS repo since the XCP hosts are not supposed to be complete Linux servers in any way. Keep it small, keep it solid, keep it secure. There are packages that could be considered optional too that won't get installed on every host that could be in the repo in case one needs them.

Grant McWilliams
http://grantmcwilliams.com/
Joseph Hom
2011-Oct-28 16:28 UTC
RE: Fwd: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
On XenServer Citrix does include a repo for updates:

[citrix]
name=XenServer 6.0.0 updates
mirrorlist=http://updates.vmd.citrix.com/XenServer/6.0.0/domain0/mirrorlist
#baseurl=http://updates.vmd.citrix.com/XenServer/6.0.0/domain0/
gpgcheck=1
gpgkey=http://updates.vmd.citrix.com/XenServer/RPM-GPG-KEY-6.0.0
enabled=1

and it’s enabled by default. I’ve never seen any updates posted ever since I was introduced to XenServer back in 4.1. I think they left this in for legacy purposes and use service pack/hotfixes for patching.

Maybe take a cue and set up XCP specific repo for updates and disable the CentOS repos by default? Or at least build a proper excludes for the CentOS repos.