Thanks for the information, Johnny.

There is no such information on the Ceph website. I got it from the Ceph mailing list. You can have a look at this thread:
http://www.mail-archive.com/ceph-devel@vger.kernel.org/msg11769.html

It seems there is a lot of work to securely upgrade a package. I probably will not try this at the moment, then.

On Sun, Jan 20, 2013 at 4:33 PM, Johnny Hughes <johnny at centos.org> wrote:
> On 01/19/2013 08:12 PM, Peter Smith wrote:
>> Hi,
>>
>> I am considering upgrading the libvirt to v0.10.1 and qemu-kvm to v1.2
>> qemu version because they are recommended by Ceph. I am wondering
>> does CentOS kernel support upstream qemu well? And are there rpms for
>> these versions somewhere? or I have to build myself?
>
> ceph builds packages specifically for RHEL6/CentOS-6 ... I would think
> that if those use libvirt and kvm-qemu then they would also have to be
> rebuilt if you upgraded libvirt and kvm-qemu for EL6.
>
> I did not see anything in the ceph documentation that said you should
> upgrade those packages on CentOS-6 to use ceph. Granted, I only spent
> 10 minutes in the documentation there, but nothing stood out to me.
>
> If you upgrade libvirt/kvm-qemu then you are also going to need to roll
> in security patches yourself when they come out. You would need to
> research what branches of libvirt and qemu are going to get security
> updates and pick one of those branches. Remember, Red Hat provides
> security support for the branches in EL6 ... but the upstream for
> libvirt may not provide security support for the 0.10.1 branch.
>
> Looking at the 0.10.1 branch libvirt.org, it is currently vulnerable to
> CVE-2012-4423, it might contain CVE-2012-3411, there are probably more.
> It does not look like the 0.10.1 branch at libvirt.org gets security
> updates. It also seems that 0.9.10 is in Fedora 17 and 0.10.2 is in
> Fedora 18 so there are no updates there for the 0.10.1 branch. This
> would mean that you would need to rewrite those 2 patches and any other
> CVE that comes out to bring it into 0.10.1 as they are not doing that at
> libvirt.org ... at least on here:
>
> ftp://libvirt.org/libvirt/
>
> You would also need to figure out and rebuild any packages in the
> distribution that are built against libvirt-devel ... a cursory look
> shows these would need to be rebuilt if you rebuild libvirt:
>
> fence-virt-0.2.3-9.el6.src.rpm requires libvirt-devel
> libguestfs-1.16.19-1.el6.src.rpm requires libvirt-devel
> libvirt-cim-0.6.1-3.el6.src.rpm requires libvirt-devel >= 0.9.0
> libvirt-qmf-0.3.0-6.el6.src.rpm requires libvirt-devel >= 0.5.0
> libvirt-qpid-0.2.22-6.el6.src.rpm requires libvirt-devel >= 0.5.0
> ocaml-libvirt-0.6.1.0-6.2.el6.src.rpm requires libvirt-devel >= 0.2.1
> ocaml-libvirt-0.6.1.0-6.4.el6.src.rpm requires libvirt-devel >= 0.9.10-3
> perl-Sys-Virt-0.9.10-4.el6.src.rpm requires libvirt-devel >= 0.9.10
> virt-top-1.0.4-3.13.el6.src.rpm requires ocaml-libvirt-devel >= 0.6.1.0-6.4
> virt-v2v-0.8.7-6.el6.src.rpm requires perl(Sys::Virt)
> virt-viewer-0.5.2-9.el6.src.rpm requires libvirt-devel >= 0.9.7
>
> (There may be more, you would have to look at all those SRPMS and see if
> anything builds against them and also rebuild those too)
>
> You would also have to rebuild any packages from 3rd party repositories
> that were built against libvirt that you use.
>
> So, remember, it is not easy to go outside the distro and stay secure.
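
The rebuild set described in the quoted mail, worked through as an added example (not part of the original thread): it parses the quoted BuildRequires lines, follows second-level dependencies such as virt-top and virt-v2v, and returns a valid rebuild order. The `PROVIDED_BY` mapping and the function names are assumptions made for this example, and the result covers only the SRPMs listed in the mail.

```python
import re
from graphlib import TopologicalSorter  # Python 3.9+

# BuildRequires lines copied from the list quoted in the mail above.
QUOTED = """\
fence-virt-0.2.3-9.el6.src.rpm requires libvirt-devel
libguestfs-1.16.19-1.el6.src.rpm requires libvirt-devel
libvirt-cim-0.6.1-3.el6.src.rpm requires libvirt-devel >= 0.9.0
libvirt-qmf-0.3.0-6.el6.src.rpm requires libvirt-devel >= 0.5.0
libvirt-qpid-0.2.22-6.el6.src.rpm requires libvirt-devel >= 0.5.0
ocaml-libvirt-0.6.1.0-6.2.el6.src.rpm requires libvirt-devel >= 0.2.1
ocaml-libvirt-0.6.1.0-6.4.el6.src.rpm requires libvirt-devel >= 0.9.10-3
perl-Sys-Virt-0.9.10-4.el6.src.rpm requires libvirt-devel >= 0.9.10
virt-top-1.0.4-3.13.el6.src.rpm requires ocaml-libvirt-devel >= 0.6.1.0-6.4
virt-v2v-0.8.7-6.el6.src.rpm requires perl(Sys::Virt)
virt-viewer-0.5.2-9.el6.src.rpm requires libvirt-devel >= 0.9.7
"""

# Assumption, not stated in the mail: the source package that builds each
# capability named on the right-hand side above.
PROVIDED_BY = {"libvirt-devel": "libvirt",
               "ocaml-libvirt-devel": "ocaml-libvirt",
               "perl(Sys::Virt)": "perl-Sys-Virt"}

def parse_users(text):
    """Map capability -> source package names whose SRPM requires it."""
    users = {}
    for m in re.finditer(r"^(\S+)\.src\.rpm requires (\S+)", text, re.M):
        name = m.group(1).rsplit("-", 2)[0]   # drop -version-release
        users.setdefault(m.group(2), set()).add(name)
    return users

def rebuild_plan(root, users, provided_by):
    """Everything that must be rebuilt after `root`, in a valid build order."""
    builds = {}
    for cap, src in provided_by.items():
        builds.setdefault(src, []).append(cap)
    deps, todo = {root: set()}, [root]        # deps: pkg -> packages built first
    while todo:
        src = todo.pop()
        for cap in builds.get(src, []):
            for user in sorted(users.get(cap, ())):
                if user not in deps:
                    deps[user] = set()
                    todo.append(user)
                deps[user].add(src)
    # static_order() raises CycleError on a build-dependency loop.
    return list(TopologicalSorter(deps).static_order())

if __name__ == "__main__":
    print("\n".join(rebuild_plan("libvirt", parse_users(QUOTED), PROVIDED_BY)))
```

Every package in the returned plan also has to be rebuilt again each time a security fix is backported into the locally built libvirt.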