Well it works with Ceph Giant here, I did not upgrade to CentOS7.1 though,
and I had ceph client installed before updating qemu.
I did that, installed qemu from 7.1 and it didnt break my conf. I was able
to restart old VMs and deploy new ones.
No need to re-compile qemu-kvm anymore \o/
Yeh, I can't find anything to prove the hosts are not vulnerable anymore, I
think I'll just give it sometime for now...
Rgards,
Cynthia
2015-06-04 17:50 GMT+02:00 Fox, Kevin M <kevin....@pnnl.gov>:
> I was curious because we're running giant and built a custom qemu too. I
> just rebuilt a patched one to cover Venom, but want to switch to stock 7.1
> qemu at some point if it supports Ceph Giant.
>
> I'm not aware of any check that actually tests the vulnerability. Just
> checks package versions.
>
> Thanks,
> Kevin
>
> ------------------------------
> *From:* Cynthia Lopes [clsacrame...@gmail.com]
> *Sent:* Thursday, June 04, 2015 8:05 AM
> *To:* Fox, Kevin M
> *Cc:* Steve Gordon; OpenStack Operations Mailing List
>
> *Subject:* Re: [Openstack-operators] Venom vulnerability
>
> Hi,
>
> I dit not update my ceph client. The version before and after is:
>
> # ceph -v
> ceph version 0.87 (c51c8f9d80fa4e0168aa52685b8de40e42758578)
>
>
> Apart from checking my qemu-kvm version and having shutdown/up my
> instances, any ideas on how to validate that my host is no longer
> vulnerable?
>
> Regards,
> Cynthia
>
>
> 2015-06-04 16:59 GMT+02:00 Fox, Kevin M <kevin....@pnnl.gov>:
>
>> For the record, what version of ceph are you using before and after?
>>
>> Thanks,
>> Kevin
>>
>> ------------------------------
>> *From:* Cynthia Lopes
>> *Sent:* Thursday, June 04, 2015 1:27:53 AM
>> *To:* Steve Gordon
>> *Cc:* OpenStack Operations Mailing List
>> *Subject:* Re: [Openstack-operators] Venom vulnerability
>>
>> Hi guys,
>>
>> Just for feedback and if somebody else has compute nodes on CentOS 7.0,
>> IceHouse and uses Ceph.
>>
>>
>>
>> ----------------------------------------------------------
>> What I did that worked for me:
>> ----------------------------------------------------------
>>
>>
>>
>> #Remove all QEMU and Livirt related RPMs. I had recompiled QEMU for RBD
>> and Libvirt that I had was not compatible with the patched QEMU.
>> #This removes openstack-nova-compute and so on, be careful...
>> yum remove -y `rpm -qa | grep qemu`
>> yum remove -y `rpm -qa | grep libvirt`
>>
>> #I updated base and update centos repositories to gether from most up
>> to date versions. I have local repositories, so the commands should be
>> adapted...
>> sed -i "s|/centos7|/centos7.1|g" CentOS-Base7.repo
>> sed -i "s|/centos7update|/centos7.1update|g" CentOS-Base7.repo
>>
>> #I had to do an update...
>> yum clean all
>> yum -y update #check problem only with ceph... I had some dependencies
>> problems with the ceph packages. But just Ceph
>>
>> yum -y update --skip-broken #but ignoring them worked just fine
>>
>> cd /etc/yum.repos.d/
>> #The update added all these repos on my yum.repos.d so I deleted
>> (because I use local repositories)
>> rm -f CentOS-Base.repo CentOS-Debuginfo.repo CentOS-fasttrack.repo
>> CentOS-Sources.repo CentOS-Vault.repo
>>
>> #Then I re-installed QEMU and Libvirt with CentOS7.1 repositories (base
>> and update)
>> yum -y install kvm qemu-kvm python-virtinst libvirt libvirt-python
>> virt-manager libguestfs-tools
>> service libvirtd start
>>
>> #I use puppet to configure my host, so I just re-run it to re-install
>> nova-compute and re-configure
>> puppet agent -t #so replace this with your procedure for configure your
>> compute node
>>
>> service openstack-nova-compute status #chek nova-compute is running...
>>
>> #I had a console.log file in the instances directory that became owned
>> by root. So be sure to have everything owned by nova
>> chown -R nova:nova /var/lib/nova/
>>
>> #Of course, at this moment all my instances were shutoff, so just
>> restart them...
>>
>>
>> source keystonerc* #credentials
>>
>> vms=`nova list --all-tenants --minimal --host $host | grep -v ID | grep
>> -v "+-" | awk '{print $2}'` #guest vms ids on the host...
>>
>> for vm in $vms ; do nova start $vm; done #start vms...
>>
>>
>>
>>
>> --------------------------------------------------------
>> Hope this might be useful for someone...
>>
>> Regards,
>> Cynthia Lopes do Sacramento
>>
>> 2015-06-03 2:35 GMT+02:00 Steve Gordon <sgor...@redhat.com>:
>>
>>> ----- Original Message -----
>>> > From: "Erik McCormick" <emccorm...@cirrusseven.com>
>>> > To: "Tim Bell" <tim.b...@cern.ch>
>>> >
>>> > On Tue, Jun 2, 2015 at 5:34 AM, Tim Bell <tim.b...@cern.ch> wrote:
>>> >
>>> > > I had understood that CentOS 7.1 qemu-kvm has RBD support built-in.
>>> It
>>> > > was not there on 7.0 but http://tracker.ceph.com/issues/10480
>>> implies it
>>> > > is in 7.1.
>>> > >
>>> > >
>>> > >
>>> > > You could check on the centos mailing lists to be sure.
>>> > >
>>> > >
>>> > >
>>> > > Tim
>>> > >
>>> > >
>>> > It's about time! Thanks for the pointer Tim.
>>> >
>>> > Cynthia, If for some reason it's not in the Centos ones yet, I've been
>>> > using the RHEV SRPMs and building the packages. You don't have to mess
>>> with
>>> > the spec or anything. Just run them through rpmbuild and push them out.
>>> >
>>> >
>>> http://ftp.redhat.com/pub/redhat/linux/enterprise/7Server/en/RHEV/SRPMS/
>>> >
>>> > -Erik
>>>
>>> FWIW equivalents builds for use with oVirt, RDO, etc. are being created
>>> under the auspices of the CentOS Virt SIG:
>>>
>>>
>>> http://cbs.centos.org/repos/virt7-kvm-common-testing/x86_64/os/Packages/
>>>
>>> Thanks,
>>>
>>> Steve
>>>
>>> _______________________________________________
>>> OpenStack-operators mailing list
>>> OpenStack-operators@lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>
>>
>>
>
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
