-
Xen security updates pushed to everyone (7.6 yesterday, 7.5 today).
Blog post: https://xcp-ng.org/blog/2019/03/12/xcp-ng-security-bulletin-vulnerabilities-pv-guests/ -
I'm getting an error
Running transaction test Transaction check error: installing package xen-dom0-tools-4.7.6-6.4.1.xcpng.x86_64 needs 1 inodes on the /var/log filesystem
-
@codedmind This is probably related to a bug in the openvswitch package and log rotation. We sent a newsletter about it a few days ago: https://mailchi.mp/7ed52f9a2151/important-noticeopenvswitch-issue
-
Humm ok... but i cannot update... yes i have that version.. but as i cannot up date how can i solve it?
-
@codedmind when it got to the point that you ran out of inodes in
/var/log
, you need to remove some files before you can update.find /var/log -name ovsdb-server.log.*.gz -delete
should work (untested, try without-delete
first). Else look at the other threads that covered the subject. -
Ok thanks!
-
Does the openvswitch bug cause the local storage to fill up, or just the log file?
Would this openvwswitch potential lead our XCP server to crash? -
Local storage is not touched. Only the /var/log partition, or the / partition if you have no /var/log partition. In the latter case, I suppose this could hang or crash the server. In the former case, it prevents some new tasks to be performed, but we haven't had reports of crashing servers at this stage.
-
since this is unlikely the cause of our crash, where would you suggest we look to determine why our xcp servers crashed a few days ago?
-
I suggest opening a dedicated thread with as much information as possible.
-
As a starting point, see https://github.com/xcp-ng/xcp/wiki/Logfiles and look for whatever happened by the time of the crashes, if logging was still operational at that moment.
-
For XCP-ng 7.6 only
New security update for the latest Intel CPU vulnerabilities:
http://xenbits.xen.org/xsa/advisory-297.html
Install it with:
yum update --enablerepo='xcp-ng-updates_testing' microcode_ctl-2.1-26.xs5.x86_64 xen-dom0-libs-4.7.6-6.5.1.xcpng.x86_64 xen-dom0-tools-4.7.6-6.5.1.xcpng.x86_64 xen-hypervisor-4.7.6-6.5.1.xcpng.x86_64 xen-libs-4.7.6-6.5.1.xcpng.x86_64 xen-tools-4.7.6-6.5.1.xcpng.x86_64
There's nothing fancy in the way the updates were built so no breakage is expected, but we still need feedback from early-adopters before we push them to everyone.
Reboot required.
Downgrade if needed with:
yum downgrade microcode_ctl xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools
What to test:
- basic functions of the hypervisor, VMs...
Read the advisory carefully: installing the updates is not enough. There are other steps to be taken for complete protection.
Citrix announcement: https://support.citrix.com/article/CTX251995
-
@stormi said in Updates announcements and testing:
yum update --enablerepo='xcp-ng-updates_testing' microcode_ctl-2.1-26.xs5.x86_64 xen-dom0-libs-4.7.6-6.5.1.xcpng.x86_64 xen-dom0-tools-4.7.6-6.5.1.xcpng.x86_64 xen-hypervisor-4.7.6-6.5.1.xcpng.x86_64 xen-libs-4.7.6-6.5.1.xcpng.x86_64 xen-tools-4.7.6-6.5.1.xcpng.x86_64
Should the pool master be updated first? Or it doesn't matter for there updates?
-
@Ultra2D Yes, always the pool master first.
-
@Ultra2D Technically, some updates could be installed in any order, but it's safer and simpler to consider that master is always updated first.
-
@stormi Sure, but I'd rather test on a pool member first if trying as an early adopter .
-
@Ultra2D For this update, I think you could try with a slave first, since it's only an update of xen (and microcode_ctl), so I don't expect incompatibilities in pool management. But I wouldn't guarantee that cross-host operations such as migrations would work fine.
-
@stormi I'll try it on a master, no worries. But not on a Friday.
-
@stormi installed just now all latest patches from updates testing via
yum
on my testbox at work
--> server bootet fine
--> VMs bootet (Debian 9, Ubuntu 18.04, all PVHVM) -
Upping this thread in the hope for more test results.