[CentOS-devel] Upgrading libvirt and qemu to latest version

Sun Jan 20 12:25:39 UTC 2013
Peter Smith <peterfruits at gmail.com>

Thanks for the information, Johnny.

There is no such information on the Ceph website.  I got it from the
Ceph mailing list. You can have a look at this thread:
http://www.mail-archive.com/ceph-devel@vger.kernel.org/msg11769.html

It seems there is a lot of work to securely upgrade a package. I
probably will not try this at the moment, then.


On Sun, Jan 20, 2013 at 4:33 PM, Johnny Hughes <johnny at centos.org> wrote:
> On 01/19/2013 08:12 PM, Peter Smith wrote:
>> Hi,
>>
>> I am considering upgrading the libvirt to v0.10.1 and qemu-kvm to v1.2
>> qemu version because they are recommended by Ceph. I am wondering
>> does CentOS kernel support upstream qemu well? And are there rpms for
>> these versions somewhere? Or do I have to build them myself?
>
> ceph builds packages specifically for RHEL6/CentOS-6 ... I would think
> that if those use libvirt and kvm-qemu then they would also have to be
> rebuilt if you upgraded libvirt and kvm-qemu for EL6.
>
> I did not see anything in the ceph documentation that said you should
> upgrade those packages on CentOS-6 to use ceph.  Granted, I only spent
> 10 minutes in the documentation there, but nothing stood out to me.
>
> If you upgrade libvirt/kvm-qemu then you are also going to need to roll
> in security patches yourself when they come out.  You would need to
> research what branches of libvirt and qemu are going to get security
> updates and pick one of those branches.  Remember, Red Hat provides
> security support for the branches in EL6 ... but the upstream for
> libvirt may not provide security support for the 0.10.1 branch.
>
> Looking at the 0.10.1 branch at libvirt.org, it is currently vulnerable to
> CVE-2012-4423, it might contain CVE-2012-3411, there are probably more.
> It does not look like the 0.10.1 branch at libvirt.org gets security
> updates.  It also seems that 0.9.10 is in Fedora 17 and 0.10.2 is in
> Fedora 18 so there are no updates there for the 0.10.1 branch.  This
> would mean that you would need to rewrite those 2 patches and any other
> CVE that comes out to bring it into 0.10.1 as they are not doing that at
> libvirt.org ... at least on here:
>
> ftp://libvirt.org/libvirt/
>
> You would also need to figure out and rebuild any packages in the
> distribution that are built against libvirt-devel ... a cursory look
> shows these would need to be rebuilt if you rebuild libvirt:
>
> fence-virt-0.2.3-9.el6.src.rpm requires libvirt-devel
> libguestfs-1.16.19-1.el6.src.rpm requires libvirt-devel
> libvirt-cim-0.6.1-3.el6.src.rpm requires libvirt-devel >= 0.9.0
> libvirt-qmf-0.3.0-6.el6.src.rpm requires libvirt-devel >= 0.5.0
> libvirt-qpid-0.2.22-6.el6.src.rpm requires libvirt-devel >= 0.5.0
> ocaml-libvirt-0.6.1.0-6.2.el6.src.rpm requires libvirt-devel >= 0.2.1
> ocaml-libvirt-0.6.1.0-6.4.el6.src.rpm requires libvirt-devel >= 0.9.10-3
> perl-Sys-Virt-0.9.10-4.el6.src.rpm requires libvirt-devel >= 0.9.10
> virt-top-1.0.4-3.13.el6.src.rpm requires ocaml-libvirt-devel >= 0.6.1.0-6.4
> virt-v2v-0.8.7-6.el6.src.rpm requires perl(Sys::Virt)
> virt-viewer-0.5.2-9.el6.src.rpm requires libvirt-devel >= 0.9.7
>
> (There may be more, you would have to look at all those SRPMS and see if
> anything builds against them and also rebuild those too)
>
> You would also have to rebuild any packages from 3rd party repositories
> that were built against libvirt that you use.
>
> So, remember, it is not easy to go outside the distro and stay secure.
>
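
The rebuild list quoted above is transitive (virt-top builds against ocaml-libvirt, virt-v2v against perl-Sys-Virt), so the rebuilds have to happen in order. The following is an added example, not part of the original thread: it parses the dependency lines exactly as quoted and groups the source packages into rebuild waves. The `PROVIDED_BY` mapping and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Dependency lines copied from the message, in its "<srpm> requires <cap>" form.
REQUIRES = """\
fence-virt-0.2.3-9.el6.src.rpm requires libvirt-devel
libguestfs-1.16.19-1.el6.src.rpm requires libvirt-devel
libvirt-cim-0.6.1-3.el6.src.rpm requires libvirt-devel >= 0.9.0
libvirt-qmf-0.3.0-6.el6.src.rpm requires libvirt-devel >= 0.5.0
libvirt-qpid-0.2.22-6.el6.src.rpm requires libvirt-devel >= 0.5.0
ocaml-libvirt-0.6.1.0-6.2.el6.src.rpm requires libvirt-devel >= 0.2.1
ocaml-libvirt-0.6.1.0-6.4.el6.src.rpm requires libvirt-devel >= 0.9.10-3
perl-Sys-Virt-0.9.10-4.el6.src.rpm requires libvirt-devel >= 0.9.10
virt-top-1.0.4-3.13.el6.src.rpm requires ocaml-libvirt-devel >= 0.6.1.0-6.4
virt-v2v-0.8.7-6.el6.src.rpm requires perl(Sys::Virt)
virt-viewer-0.5.2-9.el6.src.rpm requires libvirt-devel >= 0.9.7
"""

# Assumption (not stated in the message): source package providing each capability.
PROVIDED_BY = {"libvirt-devel": "libvirt",
               "ocaml-libvirt-devel": "ocaml-libvirt",
               "perl(Sys::Virt)": "perl-Sys-Virt"}
LINE = re.compile(r"^(\S+)\.src\.rpm requires (\S+)")

def parse(text):
    """Map source package name -> capabilities it builds against."""
    needs = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # name-version-release: drop the last two dash-separated fields
            needs[m.group(1).rsplit("-", 2)[0]].add(m.group(2))
    return needs

def rebuild_waves(root, needs, provided_by=PROVIDED_BY):
    """Group packages into waves; each wave builds against earlier waves."""
    depth = {root: 0}
    for _ in range(len(needs) + 1):
        changed = False
        for pkg, caps in needs.items():
            up = [depth[provided_by[c]] for c in caps if provided_by.get(c) in depth]
            if up and depth.get(pkg, 0) < max(up) + 1:
                depth[pkg], changed = max(up) + 1, True
        if not changed:
            break
    else:  # depths never settled, so the requirements loop back on themselves
        raise ValueError("dependency cycle in build requirements")
    return [sorted(p for p, d in depth.items() if d == n)
            for n in range(1, max(depth.values()) + 1)]
```

Calling `rebuild_waves("libvirt", parse(REQUIRES))` returns two waves for the quoted list: the packages that build directly against libvirt-devel, then virt-top and virt-v2v.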