CloudLinux OS Blog

CloudLinux 6 kernel updated

Update [Jan 10, 2018 12:30pm PT]

Our team is still working on the Meltdown/Spectre fixes. Please follow our CEO's blog post for further updates. In that post we previously suggested that clients running the CloudLinux 6 kernel who were facing issues on Xen PV migrate to the CloudLinux 6 Hybrid kernel. However, it now appears that none of the CloudLinux kernels (CL6, CL6h and CL7) start on Xen PV. It is still not entirely clear what causes the issue; quite likely the bug was introduced with the RHEL patches.
We apologise for the inconvenience. Our team is working without pause and putting all its effort into delivering the fix as soon as possible. We encourage you to wait until a solution is found. As an alternative you can migrate from Xen PV to Xen HVM; we have had no complaints about the latter.

Update [Jan 9, 2018 6:52am PT]

We have released to beta an updated and more stable CL6 kernel, 2.6.32-896.16.1.lve1.4.50, which might help with issues such as unstable disk quotas. However, this kernel will resolve neither the issues that affect users of CentOS/RHEL kernels nor the issue of a VM under the Xen hypervisor being unable to start (which appears to be a problem with the CVE fix itself).

Update command:

yum clean all --enablerepo=cloudlinux-updates-testing && yum install kernel-2.6.32-896.16.1.lve1.4.50.el6 --enablerepo=cloudlinux-updates-testing


Original post:

The new CloudLinux 6 kernel, version 2.6.32-896.16.1.lve1.4.49, with patches for the Meltdown and Spectre vulnerabilities, is available for download from our production repository.

Changelog:

  • added patches for Meltdown and Spectre attacks (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754);
  • KMODLVE-142: resync stats before returning IO usage;
  • KMODLVE-140: fix panic with module loading;
  • KMODLVE-139: add ability to set debug level in load time;
  • KMODLVE-138: properly check lve_cgroup_kernel_open return value;
  • KMODLVE-134: code cleanup for better test coverage;
  • KMODLVE-131: improve failure IDs handling;
  • KMODLVE-127: lvp_lve_move implementation.

To update a kernel, please run the following command:

yum clean all && yum update kernel-firmware && yum install kernel-2.6.32-896.16.1.lve1.4.49.el6

Topic: CloudLinux OS Blog , Tags: #hybrid, #CVE, #spectre, #meltdown, #kernel-cl6,

Comments (19)

by Guest - Guest / Saturday, 06 January 2018 18:54

Looks kinda unstable - 6 out of 6 (different) servers had severe problems - needed a hard-reset to be able to boot the previous kernel version.

by Guest - Alex / Saturday, 06 January 2018 22:03

Softlayer is reporting servers are not booting back up after this update. Could you look into this please?

by Inga Vakulenko / Tuesday, 09 January 2018 15:46

Hi Alex,

we've released a new beta kernel for CloudLinux 6 and we will keep updating this post. Please see if it might be helpful in your case. If not, I'd recommend you contact our Support Team at [email protected] with more details. They will have a deeper look at the issue you're facing.

Thank you

by Guest - Robin / Sunday, 07 January 2018 01:54

We have read-only filesystems sometimes with this new kernel.

by Guest - Guest / Sunday, 07 January 2018 06:28

I have KernelCare - when would my Kernel be updated automatically and how can I confirm it has been updated? Also, will the KernelCare update be subject to the same stability issues being described here by others?

by Guest - Alexander Zavhorodnii / Wednesday, 10 January 2018 11:18

Hello, yes, the kernel will be updated automatically when a patch is ready. You can check what patches have been applied with the command:
kcarectl --patch-info

We are providing status updates about patch development in this blog post:
https://www.cloudlinux.com/cloudlinux-os-blog/entry/intel-cpu-bug-kernelcare-and-cloudlinux

We are testing our patches carefully; that's one of the reasons for the patch delay. There should be no issues caused by the patch itself, but there may be some caused by the nature of the fix, like the problems with running JVMs on new kernels.

by Guest - Jeff / Sunday, 07 January 2018 11:17

I span up a test server from an image of my live server and ran: yum update -y

Some warnings in the output about missing files but the upgrade supposedly went OK. Oddly the server reported nothing needed restarting. I tried to reboot. Crash.

by Guest - local / Sunday, 07 January 2018 22:09

I tested after the update cl6 ops Spectre Variant 2 is not protected ( > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

[[email protected] spectre-meltdown-checker-master]# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.08

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: YES (84 opcodes found, which is >= 60)
> STATUS: NOT VULNERABLE

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpolines: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

by Guest - Mike / Sunday, 07 January 2018 22:23

Can somebody from CL provide further update on this?

by Inga Vakulenko / Tuesday, 09 January 2018 15:35

Hello Mike,

We've released a new beta kernel that is supposed to be more stable and might help with the issues like unstable work of disk quotas. We will keep updating this post.

Thank you

by Guest - chris / Monday, 08 January 2018 05:32

yes, CL pls update? we have servers that show PTI is not enabled.

# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.09

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: YES (84 opcodes found, which is >= 60)
> STATUS: NOT VULNERABLE

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpolines: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)

by Guest - Lucas Rolff / Monday, 08 January 2018 08:34

> yes, CL pls update? we have servers that shows PTI is not enabled.

The detection script is wrong for PTI, it is enabled:

/sys/kernel/debug/x86/pti_enabled

by Inga Vakulenko / Tuesday, 09 January 2018 15:25

Hi Chris,

we've released a new beta kernel that is supposed to be more stable. We will keep updating this post. Regarding your case, is the kernel running with the 'nopti' option? Could you please also provide the output of cat /sys/kernel/debug/x86/pti_enabled

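The exchange above turns on whether PTI (the Meltdown mitigation) is really active: the checker script reports "Kernel supports Page Table Isolation (PTI): NO" on a kernel where it is in fact on, one commenter points to /sys/kernel/debug/x86/pti_enabled as the authoritative source, and the vendor asks whether the kernel was booted with 'nopti'. The script below is an added example, not CloudLinux's, KernelCare's or the checker's code. It reads the two sources the thread names: the debugfs flag and the kernel command line. /proc/cmdline is assumed as the source of the command line, and the 'pti=off' spelling is included as an assumption alongside the 'nopti' option the comments mention. The functions take the inputs as arguments so the same logic can be run against a captured command line and a copied pti_enabled value from another host.

```shell
#!/bin/sh
# Added example (not CloudLinux's own tooling): decide Meltdown/PTI status from the
# kernel's own sources rather than from the checker script's heuristic.
# Signals used:
#   - /sys/kernel/debug/x86/pti_enabled  (1 = PTI active, 0 = not; requires debugfs mounted)
#   - /proc/cmdline                      ("nopti", and on newer kernels "pti=off", disable PTI)

# Return 0 when the given kernel command line disables PTI, 1 otherwise.
# Surrounding spaces are added so that a token match never hits inside another word.
cmdline_disables_pti() {
    case " $1 " in
        *" nopti "*|*" pti=off "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print enabled / disabled / unknown for the pti_enabled file at path $1.
# An unreadable file (debugfs not mounted, or not root) is "unknown", never "disabled".
pti_state_from_file() {
    if [ ! -r "$1" ]; then
        echo unknown
        return 0
    fi
    v=$(tr -d '[:space:]' < "$1")
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Combine both signals into one verdict line.
# $1 = kernel command line, $2 = path to the pti_enabled file
pti_verdict() {
    state=$(pti_state_from_file "$2")
    if cmdline_disables_pti "$1"; then
        echo "VULNERABLE (PTI disabled on kernel command line)"
    elif [ "$state" = enabled ]; then
        echo "NOT VULNERABLE (PTI active)"
    elif [ "$state" = disabled ]; then
        echo "VULNERABLE (PTI not active in running kernel)"
    else
        echo "UNKNOWN ($2 not readable; as root: mount -t debugfs none /sys/kernel/debug)"
    fi
}

# Live check of this host. On a host where debugfs is not mounted the result is
# UNKNOWN rather than a false VULNERABLE, which is the failure mode the thread hit.
pti_verdict "$(cat /proc/cmdline 2>/dev/null)" /sys/kernel/debug/x86/pti_enabled
```

Run it as root on the updated kernel; if it prints UNKNOWN, mount debugfs as the message says and run it again. A command line carrying 'nopti' is reported as vulnerable even when the file is missing, since the boot option alone is enough to know PTI is off.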
by Guest - Lucas R / Monday, 08 January 2018 08:35

Everyone that faces kernel issues, please create a ticket at [email protected] - this way they can actually see the amount of people that might face issues with kernels - thus a fix will be out faster.

Leaving a comment on a blog, might not always be the best idea ;)

by Guest - Alexandre / Monday, 08 January 2018 19:32

We are aware of the issues with CL 6 kernels and are working on the solution. You can find the current progress in the following blog post: https://cloudlinux.com/cloudlinux-os-blog/entry/intel-cpu-bug-kernelcare-and-cloudlinux
(we keep updating it)

Thank you for your patience and understanding.

by Guest - Mike / Tuesday, 09 January 2018 11:16

I have now updated all my CloudLinux 7 servers and did not face any problems. But after I read the comments here, I decided to wait for my CloudLinux 6 servers. Is it a good idea to install the hybrid kernel when we use r1soft? I was reading somewhere that r1soft is not working with the hybrid kernel.

by Guest - edie etoile / Tuesday, 09 January 2018 18:05

We are running 6 hybrid with r1soft just fine. Though, you'll need to make sure kernel-devel

# yum install kernel-devel-`uname -r` --enablerepo=cloudlinux-updates-testing,cloudlinux-hybrid-testing

and as normal:

# r1soft-setup --get-module

# service cdp-agent restart

by Guest - Brandon / Wednesday, 17 January 2018 09:56

Do you consider the patch stable enough to proceed with applying it now? The comments seem rather worrying

by Guest - Alexandre / Monday, 22 January 2018 08:21

Brandon,

Please find the update on CL6 kernels at https://www.cloudlinux.com/cloudlinux-os-blog/entry/cloudlinux-6-kernel-updated-1-6

