[gpfsug-discuss] gpfs 4.2.3.6 stops workingwithkernel3.10.0-862.2.3.el7

Stephen Ulmer ulmer at ulmer.org
Wed May 16 03:22:48 BST 2018


There isn’t a flaw in that argument, but where the security experts are concerned there is no argument.

Apparently this time Red Hat just told all of their RHEL 7.4 customers to upgrade to RHEL 7.5, rather than back-porting the security patches. So this time the retirement to upgrade distributions is much worse than normal.

-- 
Stephen



> On May 15, 2018, at 5:46 PM, Marc A Kaplan <makaplan at us.ibm.com> wrote:
> 
> Kevin, that seems to be a good point.  
> 
> IF you have dedicated hardware to acting only as a storage and/or file server, THEN neither meltdown nor spectre should not be a worry.   
> 
> BECAUSE meltdown and spectre are just about an adversarial process spying on another process or kernel memory.  IF we're not letting any potential adversary run her code on our file server, what's the exposure?
>   
> NOW, let the security experts tell us where the flaw is in this argument...
> 
> 
> 
> From:        "Buterbaugh, Kevin L" <Kevin.Buterbaugh at Vanderbilt.Edu>
> To:        gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
> Date:        05/15/2018 06:12 PM
> Subject:        Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working        withkernel        3.10.0-862.2.3.el7
> Sent by:        gpfsug-discuss-bounces at spectrumscale.org
> 
> 
> 
> All, 
> 
> I have to kind of agree with Andrew … it seems that there is a broad range of takes on kernel upgrades … everything from “install the latest kernel the day it comes out” to “stick with this kernel, we know it works.”
> 
> Related to that, let me throw out this question … what about those who haven’t upgraded their kernel in a while at least because they’re concerned with the negative performance impacts of the meltdown / spectre patches???  So let’s just say a customer has upgraded the non-GPFS servers in their cluster, but they’ve left their NSD servers unpatched (I’m talking about the kernel only here; all other updates are applied) due to the aforementioned performance concerns … as long as they restrict access (i.e. who can log in) and use appropriate host-based firewall rules, is their some risk that they should be aware of?
> 
> Discuss.  Thanks!
> 
> Kevin
> 
> On May 15, 2018, at 4:45 PM, Andrew Beattie <abeattie at au1.ibm.com <mailto:abeattie at au1.ibm.com>> wrote:
> 
> this thread is mildly amusing, given we regularly get customers asking why we are dropping support for versions of linux
> that they "just can't move off"
>  
>  
> Andrew Beattie
> Software Defined Storage  - IT Specialist
> Phone: 614-2133-7927
> E-mail: abeattie at au1.ibm.com <mailto:abeattie at au1.ibm.com>
>  
>  
> ----- Original message -----
> From: Stijn De Weirdt <stijn.deweirdt at ugent.be <mailto:stijn.deweirdt at ugent.be>>
> Sent by: gpfsug-discuss-bounces at spectrumscale.org <mailto:gpfsug-discuss-bounces at spectrumscale.org>
> To: gpfsug-discuss at spectrumscale.org <mailto:gpfsug-discuss at spectrumscale.org>
> Cc:
> Subject: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working withkernel 3.10.0-862.2.3.el7
> Date: Wed, May 16, 2018 5:35 AM
>  
> so this means running out-of-date kernels for at least another month? oh
> boy...
> 
> i hope this is not some new trend in gpfs support. othwerwise all RHEL
> based sites will have to start adding EUS as default cost to run gpfs
> with basic security compliance.
> 
> stijn
> 
> 
> On 05/15/2018 09:02 PM, Felipe Knop wrote:
> > All,
> >
> > Validation of RHEL 7.5 on Scale is currently under way, and we are
> > currently targeting mid June to release the PTFs on 4.2.3 and 5.0 which
> > will include the corresponding fix.
> >
> > Regards,
> >
> >   Felipe
> >
> > ----
> > Felipe Knop                                     knop at us.ibm.com <mailto:knop at us.ibm.com>
> > GPFS Development and Security
> > IBM Systems
> > IBM Building 008
> > 2455 South Rd, Poughkeepsie, NY 12601
> > (845) 433-9314  T/L 293-9314
> >
> >
> >
> >
> >
> > From: Ryan Novosielski <novosirj at rutgers.edu <mailto:novosirj at rutgers.edu>>
> > To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org <mailto:gpfsug-discuss at spectrumscale.org>>
> > Date: 05/15/2018 12:56 PM
> > Subject: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working withkernel
> >             3.10.0-862.2.3.el7
> > Sent by: gpfsug-discuss-bounces at spectrumscale.org <mailto:gpfsug-discuss-bounces at spectrumscale.org>
> >
> >
> >
> > I know these dates can move, but any vague idea of a timeframe target for
> > release (this quarter, next quarter, etc.)?
> >
> > Thanks!
> >
> > --
> > ____
> > || \\UTGERS,
> > |---------------------------*O*---------------------------
> > ||_// the State  |         Ryan Novosielski - novosirj at rutgers.edu <mailto:novosirj at rutgers.edu>
> > || \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
> > ||  \\    of NJ  | Office of Advanced Research Computing - MSB
> > C630, Newark
> >      `'
> >
> >> On May 14, 2018, at 9:30 AM, Felipe Knop <knop at us.ibm.com <mailto:knop at us.ibm.com>> wrote:
> >>
> >> All,
> >>
> >> Support for RHEL 7.5 and kernel level 3.10.0-862 in Spectrum Scale is
> > planned for upcoming PTFs on 4.2.3 and 5.0. Since code changes are needed
> > in Scale to support this kernel level, upgrading to one of those upcoming
> > PTFs will be required in order to run with that kernel.
> >>
> >> Regards,
> >>
> >> Felipe
> >>
> >> ----
> >> Felipe Knop  knop at us.ibm.com <mailto:knop at us.ibm.com>
> >> GPFS Development and Security
> >> IBM Systems
> >> IBM Building 008
> >> 2455 South Rd, Poughkeepsie, NY 12601
> >> (845) 433-9314 T/L 293-9314
> >>
> >>
> >>
> >> <graycol.gif>Andi Rhod Christiansen ---05/14/2018 08:15:25 AM---You are
> > welcome. I see your concern but as long as IBM has not released spectrum
> > scale for 7.5 that
> >>
> >> From:  Andi Rhod Christiansen <arc at b4restore.com <mailto:arc at b4restore.com>>
> >> To:  gpfsug main discussion list <gpfsug-discuss at spectrumscale.org <mailto:gpfsug-discuss at spectrumscale.org>>
> >> Date:  05/14/2018 08:15 AM
> >> Subject:  Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel
> > 3.10.0-862.2.3.el7
> >> Sent by:  gpfsug-discuss-bounces at spectrumscale.org <mailto:gpfsug-discuss-bounces at spectrumscale.org>
> >>
> >>
> >>
> >>
> >> You are welcome.
> >>
> >> I see your concern but as long as IBM has not released spectrum scale for
> > 7.5 that is their only solution, in regards to them caring about security I
> > would say yes they do care, but from their point of view either they tell
> > the customer to upgrade as soon as red hat releases new versions and
> > forcing the customer to be down until they have a new release or they tell
> > them to stay on supported level to a new release is ready.
> >>
> >> they should release a version supporting the new kernel soon, IBM told me
> > when I asked that they are "currently testing and have a support date soon"
> >>
> >> Best regards.
> >>
> >>
> >> -----Oprindelig meddelelse-----
> >> Fra: gpfsug-discuss-bounces at spectrumscale.org <mailto:gpfsug-discuss-bounces at spectrumscale.org>
> > <gpfsug-discuss-bounces at spectrumscale.org <mailto:gpfsug-discuss-bounces at spectrumscale.org>> På vegne af z.han at imperial.ac.uk <mailto:z.han at imperial.ac.uk>
> >> Sendt: 14. maj 2018 13:59
> >> Til: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org <mailto:gpfsug-discuss at spectrumscale.org>>
> >> Emne: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel
> > 3.10.0-862.2.3.el7
> >>
> >> Thanks. Does IBM care about security, one would ask? In this case I'd
> > choose to use the new kernel for my virtualization over gpfs ... sigh
> >>
> >>
> >> https://access.redhat.com/errata/RHSA-2018:1318 <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.redhat.com%2Ferrata%2FRHSA-2018%3A1318&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7C9de921b6a0484477f7bd08d5baad3f4e%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C0%7C636620175613513903&sdata=L2H1ME5Wa9iKpMRr%2FbQ8WKiEKVTcikrs7vQRuXBtBOw%3D&reserved=0>
> >>
> >> Kernel: KVM: error in exception handling leads to wrong debug stack value
> > (CVE-2018-1087)
> >>
> >> Kernel: error in exception handling leads to DoS (CVE-2018-8897)
> >> Kernel: ipsec: xfrm: use-after-free leading to potential privilege
> > escalation (CVE-2017-16939)
> >>
> >> kernel: Out-of-bounds write via userland offsets in ebt_entry struct in
> > netfilter/ebtables.c (CVE-2018-1068)
> >>
> >> ...
> >>
> >>
> >> On Mon, 14 May 2018, Andi Rhod Christiansen wrote:
> >>> Date: Mon, 14 May 2018 11:10:18 +0000
> >>> From: Andi Rhod Christiansen <arc at b4restore.com <mailto:arc at b4restore.com>>
> >>> Reply-To: gpfsug main discussion list
> >>> <gpfsug-discuss at spectrumscale.org <mailto:gpfsug-discuss at spectrumscale.org>>
> >>> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org <mailto:gpfsug-discuss at spectrumscale.org>>
> >>> Subject: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel
> >>>     3.10.0-862.2.3.el7
> >>>
> >>> Hi,
> >>>
> >>> Yes, kernel 3.10.0-862.2.3.el7 is not supported yet as it is RHEL 7.5
> >>> and latest support is 7.4. You have to revert back to 3.10.0-693 😊
> >>>
> >>> I just had the same issue
> >>>
> >>> Revert to previous working kernel at redhat 7.4 release which is
> > 3.10.9.693. Make sure kernel-headers and kernel-devel are also at this
> > level.
> >>>
> >>>
> >>> Best regards
> >>> Andi R. Christiansen
> >>>
> >>> -----Oprindelig meddelelse-----
> >>> Fra: gpfsug-discuss-bounces at spectrumscale.org <mailto:gpfsug-discuss-bounces at spectrumscale.org>
> >>> <gpfsug-discuss-bounces at spectrumscale.org <mailto:gpfsug-discuss-bounces at spectrumscale.org>> På vegne af
> >>> z.han at imperial.ac.uk <mailto:z.han at imperial.ac.uk>
> >>> Sendt: 14. maj 2018 12:33
> >>> Til: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org <mailto:gpfsug-discuss at spectrumscale.org>>
> >>> Emne: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel
> >>> 3.10.0-862.2.3.el7
> >>>
> >>> Dear All,
> >>>
> >>> Any one has the same problem?
> >>>
> >>> /usr/bin/make -C /usr/src/kernels/3.10.0-862.2.3.el7.x86_64 ARCH=x86_64
> > M=/usr/lpp/mmfs/src/gpl-linux CONFIGDIR=/usr/lpp/mmfs/src/config  ; \ if
> > [ $? -ne 0 ]; then \
> >>> exit 1;\
> >>> fi
> >>> make[2]: Entering directory
> > `/usr/src/kernels/3.10.0-862.2.3.el7.x86_64'
> >>>   LD      /usr/lpp/mmfs/src/gpl-linux/built-in.o
> >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/tracelin.o
> >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/tracedev-ksyms.o
> >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/ktrccalls.o
> >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/relaytrc.o
> >>>   LD [M]  /usr/lpp/mmfs/src/gpl-linux/tracedev.o
> >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/mmfsmod.o
> >>>   LD [M]  /usr/lpp/mmfs/src/gpl-linux/mmfs26.o
> >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/cfiles_cust.o
> >>> In file included from /usr/lpp/mmfs/src/gpl-linux/dir.c:63:0,
> >>>                  from /usr/lpp/mmfs/src/gpl-linux/cfiles.c:58,
> >>>                  from /usr/lpp/mmfs/src/gpl-linux/cfiles_cust.c:55:
> >>> /usr/lpp/mmfs/src/gpl-linux/inode.c: In function ʽprintInodeʼ:
> >>> /usr/lpp/mmfs/src/gpl-linux/trcid.h:1208:57: error: ʽstruct inodeʼ has
> > no member named ʽi_wb_listʼ
> >>>      _TRACE6D(_HOOKWORD(TRCID_PRINTINODE_8), (Int64)(&(iP->i_wb_list)),
> > (Int64)(iP->i_wb_list.next), (Int64)(iP->i_wb_list.prev), (Int64)(&(iP->
> > i_lru)), (Int64)(iP->i_lru.next), (Int64)(iP->i_lru.prev));
> >>>                                                          ^ ......
> >>> _______________________________________________
> >>> gpfsug-discuss mailing list
> >>> gpfsug-discuss at spectrumscale.org <http://spectrumscale.org/>
> >>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7C9de921b6a0484477f7bd08d5baad3f4e%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C0%7C636620175613513903&sdata=E%2FsurH4Wuw9g9gIWsSWfl1jWqfJCP0GZ4EXfEHfmJ0s%3D&reserved=0>
> >> _______________________________________________
> >> gpfsug-discuss mailing list
> >> gpfsug-discuss at spectrumscale.org <http://spectrumscale.org/>
> >> http://gpfsug.org/mailman/listinfo/gpfsug-discuss <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7C9de921b6a0484477f7bd08d5baad3f4e%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C0%7C636620175613523916&sdata=hVbBltH7eU%2BWm9mrytAGsLRAZLEHCr4ZHQmKT0eHawg%3D&reserved=0>
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> gpfsug-discuss mailing list
> >> gpfsug-discuss at spectrumscale.org <http://spectrumscale.org/>
> >>
> > https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7Cnovosirj%40rutgers.edu%7C78d95c4d4db84a37453408d5b99eeb7d%7Cb92d2b234d35447093ff69aca6632ffe%7C1%7C1%7C636619014583822500&sdata=MDYseJ9NFu1C1UVFKHpQIfcwuhM5qJrVYzpJkB70yCM%3D&reserved=0 <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7Cnovosirj%40rutgers.edu%7C78d95c4d4db84a37453408d5b99eeb7d%7Cb92d2b234d35447093ff69aca6632ffe%7C1%7C1%7C636619014583822500&sdata=MDYseJ9NFu1C1UVFKHpQIfcwuhM5qJrVYzpJkB70yCM%3D&reserved=0>
> >
> >
> > [attachment "signature.asc" deleted by Felipe Knop/Poughkeepsie/IBM]
> > _______________________________________________
> > gpfsug-discuss mailing list
> > gpfsug-discuss at spectrumscale.org <http://spectrumscale.org/>
> > http://gpfsug.org/mailman/listinfo/gpfsug-discuss <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7C9de921b6a0484477f7bd08d5baad3f4e%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C0%7C636620175613533917&sdata=NgBMmxOuTMsbRhtp5OjbkMT%2FWlgnuzNU%2B4ZzJCLlFLg%3D&reserved=0>
> >
> >
> >
> >
> >
> > _______________________________________________
> > gpfsug-discuss mailing list
> > gpfsug-discuss at spectrumscale.org <http://spectrumscale.org/>
> > http://gpfsug.org/mailman/listinfo/gpfsug-discuss <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7C9de921b6a0484477f7bd08d5baad3f4e%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C0%7C636620175613533917&sdata=NgBMmxOuTMsbRhtp5OjbkMT%2FWlgnuzNU%2B4ZzJCLlFLg%3D&reserved=0>
> >
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org <http://spectrumscale.org/>
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7C9de921b6a0484477f7bd08d5baad3f4e%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C0%7C636620175613543921&sdata=P5D0y0AjzsrOubCJ9421OWlg8FKPlr5NceSfhkJ524E%3D&reserved=0>
> 
>  
> 
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org <http://spectrumscale.org/>
> https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7C9de921b6a0484477f7bd08d5baad3f4e%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C0%7C636620175613553935&sdata=qyLoxKzFv5mUr9XEGMcsEZIhqXjyKu0YzlQ6yiDSslw%3D&reserved=0 <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7C9de921b6a0484477f7bd08d5baad3f4e%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C0%7C636620175613553935&sdata=qyLoxKzFv5mUr9XEGMcsEZIhqXjyKu0YzlQ6yiDSslw%3D&reserved=0>
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss <http://gpfsug.org/mailman/listinfo/gpfsug-discuss>
> 
> 
> 
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20180515/b44d906f/attachment-0002.htm>


More information about the gpfsug-discuss mailing list