[CentOS-devel] Upgrading libvirt and qemu to latest version

Johnny Hughes johnny at centos.org
Sun Jan 20 08:33:58 UTC 2013


On 01/19/2013 08:12 PM, Peter Smith wrote:
> Hi,
> 
> I am considering upgrading the libvirt to v0.10.1 and qemu-kvm to v1.2
> qemu version because they are  recommended by Ceph. I am wondering
> does CentOS kernel support upstream qemu well? And are there rpms for
> theses version somewhere? or I have to build myself?

ceph builds packages specifically for RHEL6/CentOS-6 ... I would think
that if those use libvirt and kvm-qemu then they would also have to be
rebuilt if you upgraded libvirt and kvm-qemu for EL6.

I did not see anything in the ceph documentation that said you should
upgrade those packages on CentOS-6 to use ceph.  Granted, I only spent
10 minutes in the documentation there, but nothing stood out to me.

If you upgrade libvirt/kvm-qemu then you are also going to need to roll
in security patches yourself when they come out.  You would need to
research what branches of libvirt and qemu are going to get security
updates and pick one of those branches.  Remember, Red Hat provides
security support for the branches in EL6 ... but the upstream for
libvirt may not provide security support for the 0.10.1 branch.

Looking at the 0.10.1 branch libvirt.org, it is currently vulnerable to
CVE-2012-4423, it might contain CVE-2012-3411, there are probably more.
 It does not look like the 0.10.1 branch at libvirt.org gets security
updates.  It also seems that 0.9.10 is in Fedora 17 and 0.10.2 is in
Fedora 18 so there are no updates there for the 0.10.1 branch.  This
would mean that you would need to rewrite those 2 patches and any other
CVE that comes out to bring it into 0.10.1 as they are not doing that at
libvirt.org ... at least on here:

ftp://libvirt.org/libvirt/

You would also need to figure out and rebuild any packages in the
distribution that are built against libvirt-devel ... a cursory look
shows these would need to be rebuilt if you rebuild libvirt:

fence-virt-0.2.3-9.el6.src.rpm requires libvirt-devel
libguestfs-1.16.19-1.el6.src.rpm requires libvirt-devel
libvirt-cim-0.6.1-3.el6.src.rpm requires libvirt-devel >= 0.9.0
libvirt-qmf-0.3.0-6.el6.src.rpm requires libvirt-devel >= 0.5.0
libvirt-qpid-0.2.22-6.el6.src.rpm requires libvirt-devel >= 0.5.0
ocaml-libvirt-0.6.1.0-6.2.el6.src.rpm requires libvirt-devel >= 0.2.1
ocaml-libvirt-0.6.1.0-6.4.el6.src.rpm requires libvirt-devel >= 0.9.10-3
perl-Sys-Virt-0.9.10-4.el6.src.rpm requires libvirt-devel >= 0.9.10
virt-top-1.0.4-3.13.el6.src.rpm requires ocaml-libvirt-devel >= 0.6.1.0-6.4
virt-v2v-0.8.7-6.el6.src.rpm requires perl(Sys::Virt)
virt-viewer-0.5.2-9.el6.src.rpm requires libvirt-devel >= 0.9.7

(There may be more, you would have to look at all those SRPMS and see if
anything builds against them and also rebuild those too)

You would also have to rebuild any packages from 3rd party repositories
that were built against libvirt that you use.

So, remember, it is not easy to go outside the distro and stay secure.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
Url : http://lists.centos.org/pipermail/centos-devel/attachments/20130120/a83af7b7/attachment.bin 


More information about the CentOS-devel mailing list