CloudLinux OS Blog - CloudLinux 6 kernel updated

Update [Jan 10, 2018 12:30pm PT]

Our team is still fighting the Meltdown/Spectre bugs. Please follow our CEO's blog post for more updates. In that blog post, we previously suggested migrating to the CloudLinux 6 Hybrid kernel for clients on the CloudLinux 6 kernel who were facing issues on Xen PV. However, it looks like none of the CloudLinux kernels start on Xen PV (including the CL6, CL6h and CL7 kernels). It is still not entirely clear what causes the issue, and quite likely the bug might have been introduced with the RHEL patches.
We apologise for the inconvenience. Our team is working tirelessly and putting every effort into delivering the fix ASAP. We encourage you to wait until a solution is found. As an alternative, you can migrate from Xen PV to Xen HVM; we haven’t had any complaints about the latter.

Update [Jan 9, 2018 6:52am PT]

We have released to beta an updated and more stable CL6 kernel, 2.6.32-896.16.1.lve1.4.50, which might help with issues such as unstable disk quotas. However, this kernel will not resolve the issues that affect users of CentOS/RHEL kernels, nor the issue where a VM under the Xen hypervisor is unable to start (which seems to be a problem with the CVE fix itself).

Update command:

yum clean all --enablerepo=cloudlinux-updates-testing && yum install kernel-2.6.32-896.16.1.lve1.4.50.el6 --enablerepo=cloudlinux-updates-testing

 

Original post:

The updated CloudLinux 6 kernel version 2.6.32-896.16.1.lve1.4.49, with patches for the Meltdown and Spectre vulnerabilities, is available for download from our production repository.

Changelog:

  • added patches for Meltdown and Spectre attacks (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754);
  • KMODLVE-142: resync stats before returning IO usage;
  • KMODLVE-140: fix panic with module loading;
  • KMODLVE-139: add ability to set debug level in load time;
  • KMODLVE-138: properly check lve_cgroup_kernel_open return value;
  • KMODLVE-134: code cleanup for better test coverage;
  • KMODLVE-131: improve failure IDs handling;
  • KMODLVE-127: lvp_lve_move implementation.

To update a kernel, please run the following command:

yum clean all && yum update kernel-firmware && yum install kernel-2.6.32-896.16.1.lve1.4.49.el6

Comments 19

Guest - Guest on Saturday, 06 January 2018 18:54

Looks kinda unstable - 6 out of 6 (different) servers had severe problems - needed a hard-reset to be able to boot the previous kernel version.

Guest - Alex on Saturday, 06 January 2018 22:03

Softlayer is reporting servers are not booting back up after this update. Could you look into this please?

Inga Vakulenko on Tuesday, 09 January 2018 15:46

Hi Alex,

we've released a new beta kernel for CloudLinux 6 and we will keep updating this post. Please see if it might be helpful in your case. If not, I'd recommend you contact our Support Team [email protected] with more details. They will have a deeper look at the issue you're facing.

Thank you

Guest - Robin on Sunday, 07 January 2018 01:54

We have read-only filesystems sometimes with this new kernel.

Guest - Guest on Sunday, 07 January 2018 06:28

I have KernelCare - when would my Kernel be updated automatically and how can I confirm it has been updated? Also, will the KernelCare update be subject to the same stability issues being described here by others?

Guest - Alexander Zavhorodnii on Wednesday, 10 January 2018 11:18

Hello, yes, the kernel will be updated automatically when a patch is ready. You can check what patches have been applied with the command:
kcarectl --patch-info

We are providing status updates about patch development in this blog post:
https://www.cloudlinux.com/cloudlinux-os-blog/entry/intel-cpu-bug-kernelcare-and-cloudlinux

We are testing our patches carefully; that's one of the reasons for the patch delay. There should be no issues caused by the patch itself, but there may be some caused by the nature of the fix, like the problems with running JVMs on new kernels.

Guest - Jeff on Sunday, 07 January 2018 11:17

I spun up a test server from an image of my live server and ran: yum update -y

Some warnings in the output about missing files but the upgrade supposedly went OK. Oddly the server reported nothing needed restarting. I tried to reboot. Crash.

Guest - local on Sunday, 07 January 2018 22:09

I tested after the update cl6 ops Spectre Variant 2 is not protected ( > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)



[[email protected] spectre-meltdown-checker-master]# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.08

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: YES (84 opcodes found, which is >= 60)
> STATUS: NOT VULNERABLE

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpolines: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

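Added example, not part of the original comment or of the checker project: a small parser that turns the plain-text report posted above into a per-CVE verdict, so a patched host can be gated on "no CVE left VULNERABLE". It assumes the v0.08 text layout shown in the comment; `parse_report` and `unmitigated` are hypothetical names, and a CVE section with no STATUS line is treated as unmitigated.

```python
import re

# Checker v0.08 output as posted in the comment above (shell prompt line omitted).
SAMPLE = """\
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: YES (84 opcodes found, which is >= 60)
> STATUS: NOT VULNERABLE

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpolines: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d+) \[(.+?)\]")
CHECK_RE = re.compile(r"^\* (.+): (YES|NO)\b")
STATUS_RE = re.compile(r"^> STATUS: (NOT VULNERABLE|VULNERABLE)\b")

def parse_report(text):
    """Return {cve: {"issue", "checks", "status"}} from the checker's text output."""
    report, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        cve, check, status = CVE_RE.match(line), CHECK_RE.match(line), STATUS_RE.match(line)
        if cve:  # a new CVE section starts; later lines attach to it
            current = report.setdefault(
                cve.group(1), {"issue": cve.group(2), "checks": {}, "status": None})
        elif current is None:
            continue  # banner or prompt text before the first CVE header
        elif check:  # "* <description>: YES|NO"; group headers like "* Mitigation 1" do not match
            current["checks"][check.group(1)] = check.group(2) == "YES"
        elif status:
            current["status"] = status.group(1)
    return report

def unmitigated(report):
    """CVEs not explicitly NOT VULNERABLE; a missing STATUS line fails closed."""
    return sorted(c for c, r in report.items() if r["status"] != "NOT VULNERABLE")
```

On the posted report this leaves only CVE-2017-5715 flagged, and the parsed checks keep the individual YES/NO lines (for example the two PTI lines under CVE-2017-5754) available for closer inspection.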
Guest - Mike on Sunday, 07 January 2018 22:23

Can somebody from CL provide further update on this?

Inga Vakulenko on Tuesday, 09 January 2018 15:35

Hello Mike,

We've released a new beta kernel that is supposed to be more stable and might help with the issues like unstable work of disk quotas. We will keep updating this post.

Thank you
