Re: [Openstack-operators] Venom vulnerability

2015-06-04 Thread Tristan Cacqueray
On 06/04/2015 08:50 AM, Fox, Kevin M wrote: > I'm not aware of any check that actually tests the vulnerability. Just checks > package versions. Hi, On the compute host you can check the process age using "ps aux". The START column for every qemu-system-* process should be more recent than the d

Re: [Openstack-operators] Venom vulnerability

2015-06-04 Thread Cynthia Lopes
ynthia Lopes [clsacrame...@gmail.com] > *Sent:* Thursday, June 04, 2015 8:05 AM > *To:* Fox, Kevin M > *Cc:* Steve Gordon; OpenStack Operations Mailing List > > *Subject:* Re: [Openstack-operators] Venom vulnerability > > Hi, > > I did not update

Re: [Openstack-operators] Venom vulnerability

2015-06-04 Thread Fox, Kevin M
a Lopes [clsacrame...@gmail.com] Sent: Thursday, June 04, 2015 8:05 AM To: Fox, Kevin M Cc: Steve Gordon; OpenStack Operations Mailing List Subject: Re: [Openstack-operators] Venom vulnerability Hi, I did not update my ceph client. The version before and a

Re: [Openstack-operators] Venom vulnerability

2015-06-04 Thread Fox, Kevin M
e versions. Thanks, Kevin From: Cynthia Lopes [clsacrame...@gmail.com] Sent: Thursday, June 04, 2015 8:05 AM To: Fox, Kevin M Cc: Steve Gordon; OpenStack Operations Mailing List Subject: Re: [Openstack-operators] Venom vulnerability Hi, I did not update my ceph c

Re: [Openstack-operators] Venom vulnerability

2015-06-04 Thread Cynthia Lopes
> *Cc:* OpenStack Operations Mailing List > *Subject:* Re: [Openstack-operators] Venom vulnerability > > Hi guys, > > Just for feedback and if somebody else has compute nodes on CentOS 7.0, > IceHouse and uses Ceph. > > > > --

Re: [Openstack-operators] Venom vulnerability

2015-06-04 Thread Fox, Kevin M
For the record, what version of ceph are you using before and after? Thanks, Kevin From: Cynthia Lopes Sent: Thursday, June 04, 2015 1:27:53 AM To: Steve Gordon Cc: OpenStack Operations Mailing List Subject: Re: [Openstack-operators] Venom vulnerability Hi guys

Re: [Openstack-operators] Venom vulnerability

2015-06-04 Thread Cynthia Lopes
Hi guys, Just for feedback and if somebody else has compute nodes on CentOS 7.0, IceHouse and uses Ceph. -- What I did that worked for me: -- #Remove all QEMU and Libvirt related RP

Re: [Openstack-operators] Venom vulnerability

2015-06-02 Thread Steve Gordon
- Original Message - > From: "Erik McCormick" > To: "Tim Bell" > > On Tue, Jun 2, 2015 at 5:34 AM, Tim Bell wrote: > > > I had understood that CentOS 7.1 qemu-kvm has RBD support built-in. It > > was not there on 7.0 but http://tracker.ceph.com/issues/10480 implies it > > is in 7.1. >

Re: [Openstack-operators] Venom vulnerability

2015-06-02 Thread Cynthia Lopes
//ftp.redhat.com/pub/redhat/linux/enterprise/7Server/en/RHEV/SRPMS/ > > -Erik > >> >> >> *From:* Cynthia Lopes [mailto:clsacrame...@gmail.com] >> *Sent:* 02 June 2015 10:57 >> *To:* Sławek Kapłoński >> *Cc:* openstack-operators@lists.openstack.org >>

Re: [Openstack-operators] Venom vulnerability

2015-06-02 Thread Tim Bell
names are different). Tim From: Cynthia Lopes [mailto:clsacrame...@gmail.com] Sent: 02 June 2015 18:30 To: Erik McCormick Cc: Tim Bell; Sławek Kapłoński; openstack-operators@lists.openstack.org Subject: Re: [Openstack-operators] Venom vulnerability Hi, Tim and Erik, thanks for the links! I saw the

Re: [Openstack-operators] Venom vulnerability

2015-06-02 Thread Erik McCormick
and push them out. http://ftp.redhat.com/pub/redhat/linux/enterprise/7Server/en/RHEV/SRPMS/ -Erik > > > *From:* Cynthia Lopes [mailto:clsacrame...@gmail.com] > *Sent:* 02 June 2015 10:57 > *To:* Sławek Kapłoński > *Cc:* openstack-operators@lists.openstack.org > *Subject:*

Re: [Openstack-operators] Venom vulnerability

2015-06-02 Thread Tim Bell
: Sławek Kapłoński Cc: openstack-operators@lists.openstack.org Subject: Re: [Openstack-operators] Venom vulnerability Hi guys, I had to recompile qemu-kvm on CentOS7 to enable RBD and be able to use CEPH. Now, what is the best to update for venom vulnerability? Has anyone already recompiled the

Re: [Openstack-operators] Venom vulnerability

2015-06-02 Thread Cynthia Lopes
Hi guys, I had to recompile qemu-kvm on CentOS7 to enable RBD and be able to use CEPH. Now, what is the best to update for venom vulnerability? Has anyone already recompiled the patched sources and put it in a repository, or the only way is to get the new sources and recompile again? In http://v

Re: [Openstack-operators] Venom vulnerability

2015-05-14 Thread Sławek Kapłoński
Hello, Ok, thx for explanations :) Yep, I know that best is to restart qemu process but this makes that I can now sleep little bit more peacefully :) -- Best regards / Pozdrawiam Sławek Kapłoński sla...@kaplonski.pl On Thu, May 14, 2015 at 05:38:56PM -0400, Favyen Bastani wrote: > On 05/14/2015

Re: [Openstack-operators] Venom vulnerability

2015-05-14 Thread Favyen Bastani
On 05/14/2015 05:23 PM, Sławek Kapłoński wrote: > Hello, > > So if I understand You correct, it is not so dangerous if I'm using > libvirt with apparmor and this libvirt is adding apparmor rules for > every qemu process, yes? > > You should certainly verify that apparmor rules are enabled for th

Re: [Openstack-operators] Venom vulnerability

2015-05-14 Thread Sławek Kapłoński
Hello, So if I understand You correct, it is not so dangerous if I'm using libvirt with apparmor and this libvirt is adding apparmor rules for every qemu process, yes? -- Best regards / Pozdrawiam Sławek Kapłoński sla...@kaplonski.pl On Wed, May 13, 2015 at 04:01:05PM +0100, Daniel P. Berrange w

Re: [Openstack-operators] Venom vulnerability

2015-05-14 Thread David Medberry
;> >> To: "Daniel P. Berrange" >> >>mailto:berra...@redhat.com>> >> >> Cc: Matt Van Winkle >> >>mailto:mvanw...@rackspace.com>>, >> >>"openstack-operators@lists.openstack.org> openstack-operators@lists >>

Re: [Openstack-operators] Venom vulnerability

2015-05-14 Thread James Page
Hi Basil On 14/05/15 16:04, Basil Baby wrote: > I can see the patch for CVE-2015-3456 updated to qemu-kvm package > on Precise - Icehouse branch. > https://launchpad.net/~ubuntu-cloud-archive/+archive/ubuntu/icehouse-staging/+build/7425816 > >

Re: [Openstack-operators] Venom vulnerability

2015-05-14 Thread Basil Baby
t; >> Cc: Matt Van Winkle > >>mailto:mvanw...@rackspace.com>>, > >>"openstack-operators@lists.openstack.org openstack-operators@lists > >>.openstack.org>" > >> openstack-operators@lists > >>.openstack.org>> > >

Re: [Openstack-operators] Venom vulnerability

2015-05-13 Thread Matt Van Winkle
anw...@rackspace.com>>, >>"openstack-operators@lists.openstack.org<mailto:openstack-operators@lists >>.openstack.org>" >>mailto:openstack-operators@lists >>.openstack.org>> >> Subject: Re: [Openstack-operators] Venom vulnerability >> >&g

Re: [Openstack-operators] Venom vulnerability

2015-05-13 Thread Favyen Bastani
13, 2015 10:29 AM > To: "Daniel P. Berrange" mailto:berra...@redhat.com>> > Cc: Matt Van Winkle mailto:mvanw...@rackspace.com>>, > "openstack-operators@lists.openstack.org<mailto:openstack-operators@lists.openstack.org>" > > mailto:openst

Re: [Openstack-operators] Venom vulnerability

2015-05-13 Thread Joe Topjian
errange" > Cc: Matt Van Winkle , " > openstack-operators@lists.openstack.org" < > openstack-operators@lists.openstack.org> > Subject: Re: [Openstack-operators] Venom vulnerability > >honestly that seems like a very useful feature to ask for... > specifica

Re: [Openstack-operators] Venom vulnerability

2015-05-13 Thread Matt Van Winkle
ck.org" <openstack-operators@lists.openstack.org> Subject: Re: [Openstack-operators] Venom vulnerability honestly that seems like a very useful feature to ask for... specifically for upgrading qemu. -matt On Wed, May 13,

Re: [Openstack-operators] Venom vulnerability

2015-05-13 Thread David Medberry
Hi Tim, et al, We (Time Warner Cable) will be doing a live-migration (L-M) of all instances once the QEMU package is upgraded. That will start new QEMU instances on the target host allowing us to vacate the source host. We may roll in a kernel upgrade due to another security vulnerability at the sa

Re: [Openstack-operators] Venom vulnerability

2015-05-13 Thread matt
honestly that seems like a very useful feature to ask for... specifically for upgrading qemu. -matt On Wed, May 13, 2015 at 11:19 AM, Daniel P. Berrange wrote: > On Wed, May 13, 2015 at 03:08:47PM +, Matt Van Winkle wrote: > > So far, your assessment is spot on from what we've seen. A migr

Re: [Openstack-operators] Venom vulnerability

2015-05-13 Thread Daniel P. Berrange
On Wed, May 13, 2015 at 03:08:47PM +, Matt Van Winkle wrote: > So far, your assessment is spot on from what we've seen. A migration > (if you have live migrate that's even better) should net the same result > for QEMU. Some have floated the idea of live migrate within the same > host. I don'

Re: [Openstack-operators] Venom vulnerability

2015-05-13 Thread Matt Van Winkle
thing. Thanks! Matt From: Tim Bell <tim.b...@cern.ch> Date: Wednesday, May 13, 2015 9:31 AM To: "openstack-operators@lists.openstack.org" <openstack-operators@lists.openstack.org> Subject: [Openstack-opera

Re: [Openstack-operators] Venom vulnerability

2015-05-13 Thread Daniel P. Berrange
On Wed, May 13, 2015 at 02:31:26PM +, Tim Bell wrote: > > Looking through the details of the Venom vulnerability, > https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/, it > would appear that the QEMU processes need to be restarted. > > Our understanding is thus that a soft rebo

Re: [Openstack-operators] Venom vulnerability

2015-05-13 Thread Joe Topjian
Hello, Looking through the details of the Venom vulnerability, > https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/, it > would appear that the QEMU processes need to be restarted. > > > > Our understanding is thus that a soft reboot of the VM is not sufficient > but a hard one wo

[Openstack-operators] Venom vulnerability

2015-05-13 Thread Tim Bell
Looking through the details of the Venom vulnerability, https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/, it would appear that the QEMU processes need to be restarted. Our understanding is thus that a soft reboot of the VM is not sufficient but a hard one would be OK. Some qu