Hi,
I am considering upgrading the libvirt to v0.10.1 and qemu-kvm to v1.2 qemu version because they are recommended by Ceph. I am wondering does CentOS kernel support upstream qemu well? And are there rpms for theses version somewhere? or I have to build myself?
Thanks. Peter
On 01/19/2013 08:12 PM, Peter Smith wrote:
Hi,
I am considering upgrading the libvirt to v0.10.1 and qemu-kvm to v1.2 qemu version because they are recommended by Ceph. I am wondering does CentOS kernel support upstream qemu well? And are there rpms for theses version somewhere? or I have to build myself?
ceph builds packages specifically for RHEL6/CentOS-6 ... I would think that if those use libvirt and kvm-qemu then they would also have to be rebuilt if you upgraded libvirt and kvm-qemu for EL6.
I did not see anything in the ceph documentation that said you should upgrade those packages on CentOS-6 to use ceph. Granted, I only spent 10 minutes in the documentation there, but nothing stood out to me.
If you upgrade libvirt/kvm-qemu then you are also going to need to roll in security patches yourself when they come out. You would need to research what branches of libvirt and qemu are going to get security updates and pick one of those branches. Remember, Red Hat provides security support for the branches in EL6 ... but the upstream for libvirt may not provide security support for the 0.10.1 branch.
Looking at the 0.10.1 branch libvirt.org, it is currently vulnerable to CVE-2012-4423, it might contain CVE-2012-3411, there are probably more. It does not look like the 0.10.1 branch at libvirt.org gets security updates. It also seems that 0.9.10 is in Fedora 17 and 0.10.2 is in Fedora 18 so there are no updates there for the 0.10.1 branch. This would mean that you would need to rewrite those 2 patches and any other CVE that comes out to bring it into 0.10.1 as they are not doing that at libvirt.org ... at least on here:
ftp://libvirt.org/libvirt/
You would also need to figure out and rebuild any packages in the distribution that are built against libvirt-devel ... a cursory look shows these would need to be rebuilt if you rebuild libvirt:
fence-virt-0.2.3-9.el6.src.rpm requires libvirt-devel libguestfs-1.16.19-1.el6.src.rpm requires libvirt-devel libvirt-cim-0.6.1-3.el6.src.rpm requires libvirt-devel >= 0.9.0 libvirt-qmf-0.3.0-6.el6.src.rpm requires libvirt-devel >= 0.5.0 libvirt-qpid-0.2.22-6.el6.src.rpm requires libvirt-devel >= 0.5.0 ocaml-libvirt-0.6.1.0-6.2.el6.src.rpm requires libvirt-devel >= 0.2.1 ocaml-libvirt-0.6.1.0-6.4.el6.src.rpm requires libvirt-devel >= 0.9.10-3 perl-Sys-Virt-0.9.10-4.el6.src.rpm requires libvirt-devel >= 0.9.10 virt-top-1.0.4-3.13.el6.src.rpm requires ocaml-libvirt-devel >= 0.6.1.0-6.4 virt-v2v-0.8.7-6.el6.src.rpm requires perl(Sys::Virt) virt-viewer-0.5.2-9.el6.src.rpm requires libvirt-devel >= 0.9.7
(There may be more, you would have to look at all those SRPMS and see if anything builds against them and also rebuild those too)
You would also have to rebuild any packages from 3rd party repositories that were built against libvirt that you use.
So, remember, it is not easy to go outside the distro and stay secure.
Thanks for the information, Johnny.
There is no such information on the Ceph website. I got it from the Ceph mailing list. You can have a look at this thread: http://www.mail-archive.com/ceph-devel@vger.kernel.org/msg11769.html
It seems there are lots of work to securely upgrade a package. I probably will not try this at the moment, then.
On Sun, Jan 20, 2013 at 4:33 PM, Johnny Hughes johnny@centos.org wrote:
On 01/19/2013 08:12 PM, Peter Smith wrote:
Hi,
I am considering upgrading the libvirt to v0.10.1 and qemu-kvm to v1.2 qemu version because they are recommended by Ceph. I am wondering does CentOS kernel support upstream qemu well? And are there rpms for theses version somewhere? or I have to build myself?
ceph builds packages specifically for RHEL6/CentOS-6 ... I would think that if those use libvirt and kvm-qemu then they would also have to be rebuilt if you upgraded libvirt and kvm-qemu for EL6.
I did not see anything in the ceph documentation that said you should upgrade those packages on CentOS-6 to use ceph. Granted, I only spent 10 minutes in the documentation there, but nothing stood out to me.
If you upgrade libvirt/kvm-qemu then you are also going to need to roll in security patches yourself when they come out. You would need to research what branches of libvirt and qemu are going to get security updates and pick one of those branches. Remember, Red Hat provides security support for the branches in EL6 ... but the upstream for libvirt may not provide security support for the 0.10.1 branch.
Looking at the 0.10.1 branch libvirt.org, it is currently vulnerable to CVE-2012-4423, it might contain CVE-2012-3411, there are probably more. It does not look like the 0.10.1 branch at libvirt.org gets security updates. It also seems that 0.9.10 is in Fedora 17 and 0.10.2 is in Fedora 18 so there are no updates there for the 0.10.1 branch. This would mean that you would need to rewrite those 2 patches and any other CVE that comes out to bring it into 0.10.1 as they are not doing that at libvirt.org ... at least on here:
ftp://libvirt.org/libvirt/
You would also need to figure out and rebuild any packages in the distribution that are built against libvirt-devel ... a cursory look shows these would need to be rebuilt if you rebuild libvirt:
fence-virt-0.2.3-9.el6.src.rpm requires libvirt-devel libguestfs-1.16.19-1.el6.src.rpm requires libvirt-devel libvirt-cim-0.6.1-3.el6.src.rpm requires libvirt-devel >= 0.9.0 libvirt-qmf-0.3.0-6.el6.src.rpm requires libvirt-devel >= 0.5.0 libvirt-qpid-0.2.22-6.el6.src.rpm requires libvirt-devel >= 0.5.0 ocaml-libvirt-0.6.1.0-6.2.el6.src.rpm requires libvirt-devel >= 0.2.1 ocaml-libvirt-0.6.1.0-6.4.el6.src.rpm requires libvirt-devel >= 0.9.10-3 perl-Sys-Virt-0.9.10-4.el6.src.rpm requires libvirt-devel >= 0.9.10 virt-top-1.0.4-3.13.el6.src.rpm requires ocaml-libvirt-devel >= 0.6.1.0-6.4 virt-v2v-0.8.7-6.el6.src.rpm requires perl(Sys::Virt) virt-viewer-0.5.2-9.el6.src.rpm requires libvirt-devel >= 0.9.7
(There may be more, you would have to look at all those SRPMS and see if anything builds against them and also rebuild those too)
You would also have to rebuild any packages from 3rd party repositories that were built against libvirt that you use.
So, remember, it is not easy to go outside the distro and stay secure.
CentOS-devel mailing list CentOS-devel@centos.org http://lists.centos.org/mailman/listinfo/centos-devel
On 20.01.2013 12:25, Peter Smith wrote:
Thanks for the information, Johnny.
There is no such information on the Ceph website. I got it from the Ceph mailing list. You can have a look at this thread: http://www.mail-archive.com/ceph-devel@vger.kernel.org/msg11769.html
It seems there are lots of work to securely upgrade a package. I probably will not try this at the moment, then.
Besides all the security issues, I have found the EL6 libvirt+qemu-kvm combo the most stable and arguably the most performant, I would not want to change it.