From ykohut at onapp.com Mon Jul 1 08:07:02 2019
From: ykohut at onapp.com (Yuriy Kohut)
Date: Mon, 1 Jul 2019 11:07:02 +0300
Subject: [CentOS-virt] Are XSA-289, XSA-274/CVE-2018-14678 fixed ?
In-Reply-To: <7acfb930-71a6-eb7a-8644-31416174b7a4@steadfast.net>
References: <7acfb930-71a6-eb7a-8644-31416174b7a4@steadfast.net>
Message-ID: <65D7AE62-4EF7-42AA-9CEC-A194B6B4A3A0@onapp.com>

Hello Kevin,

Thank you in advance for the reply.
Will mark XSA-274 as fixed for us.

> On Jun 28, 2019, at 6:47 PM, Kevin Stange wrote:
>
> Looks like this never got a response from anyone.
>
> On 6/25/19 10:15 AM, Yuriy Kohut wrote:
>> Hello,
>>
>> Are XSA-289 and XSA-274/CVE-2018-14678 fixed with Xen recent 4.8, 4.10 and kernel 4.9.177 packages ?
>
> XSA-289 is a tricky subject. In the end, it was effectively decided
> that these patches were not recommended until they were reviewed again
> and XSA-289 has no official list of flaws or fixes as a result. The
> main mitigation action suggested is to disable SMT on the CPU if possible.
>
> XSA-274 was patched into Linux 4.9 almost a year ago:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=987156381c5f875d75ef1f7cc29994d82f646dad
>
> That's 4.9.124, so yes, 4.9.177 has it.
>
> --
> Kevin Stange
> Chief Technology Officer
> Steadfast | Managed Infrastructure, Datacenter and Cloud Services
> 800 S Wells, Suite 190 | Chicago, IL 60607
> 312.602.2689 X203 | Fax: 312.602.2688
> kevin at steadfast.net | www.steadfast.net

From oleksandr.panchuk at onapp.com Mon Jul 1 11:37:25 2019
From: oleksandr.panchuk at onapp.com (Oleksandr Panchuk)
Date: Mon, 1 Jul 2019 14:37:25 +0300
Subject: [CentOS-virt] live migration issues after libvirtd restart
Message-ID:

Hi, All

There is the following issue in the latest libvirt-4.5.0-10.el7_6.12 package, which could prevent live VM migrations with web sockets enabled when libvirtd was restarted prior to migration.

Environment:
# uname -a
Linux inv-cp1-hv3-centos7 3.10.0-957.12.2.el7.x86_64 #1 SMP Tue May 14 21:24:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
# rpm -qa | grep libvirt-4
libvirt-4.5.0-10.el7_6.12.x86_64
# rpm -qa | grep qemu-kvm
qemu-kvm-common-ev-2.12.0-18.el7_6.5.1.x86_64
qemu-kvm-ev-2.12.0-18.el7_6.5.1.x86_64
qemu-kvm-tools-ev-2.12.0-18.el7_6.5.1.x86_64

Repro steps:
1. start VM with the following screen configuration:
2. check VM XML (migratable):
#virsh dumpxml 1 > | grep vnc
3. restart libvirtd
# systemctl restart libvirtd.service
4. check VM XML config again
#virsh dumpxml 1 > | grep vnc
5. try to migrate this VM to a hypervisor with an already running VM and you will get the following error
error: internal error: Failed to reserve port 5700

It happens when on the destination hypervisor there is a VM running with web socket port 5700.

This issue has been fixed since the libvirt-4.6.0 release. I've retested it with libvirt-4.9.0 and libvirt-5.0.0 from the http://mirror.centos.org/centos/7/virt/x86_64/libvirt-latest/ repo. And it is actually fixed here.

It would be interesting to know when a newer version of libvirt (at least 4.6.0 or 4.5.0 with the fix) will be available in the official CentOS updates repo.

Thanks a lot,
Oleksandr
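
A pre-migration check for the port clash described in the second message, as an added example that is not part of the original posts: it reads libvirt domain XML and reports each explicit VNC websocket port of the VM to be migrated that a domain on the destination already holds. The function names and the sample XML are constructed for illustration; port 5700 is the one from the error message.

```shell
#!/bin/sh
# Added example: find VNC websocket port clashes before a live migration.

# Read libvirt domain XML on stdin and print each explicit websocket port of
# a <graphics type='vnc'> element. websocket='-1' (auto-allocate) is skipped
# because only plain numbers match.
websocket_ports() {
    grep -o "<graphics[^>]*type=['\"]vnc['\"][^>]*>" |
        sed -n "s/.*[[:space:]]websocket=['\"]\([0-9][0-9]*\)['\"].*/\1/p"
}

# port_conflicts SRC_XML DEST_XML...
# Print each websocket port of the VM to migrate that a domain on the
# destination host already holds.
port_conflicts() {
    [ "$#" -ge 2 ] || { echo "usage: port_conflicts SRC_XML DEST_XML..." >&2; return 2; }
    src=$1
    shift
    dest_ports=$(cat "$@" | websocket_ports | sort -u)
    websocket_ports < "$src" | sort -u | while read -r port; do
        if printf '%s\n' "$dest_ports" | grep -qx "$port"; then
            printf '%s\n' "$port"
        fi
    done
}

# Constructed sample data: the VM to migrate (explicit websocket port 5700)
# and two destination domains, one of which already holds port 5700.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/src.xml" <<'EOF'
<domain type='kvm'><devices>
  <graphics type='vnc' port='5900' autoport='no' websocket='5700' listen='0.0.0.0'/>
</devices></domain>
EOF
    cat > "$dir/dest-a.xml" <<'EOF'
<domain type='kvm'><devices>
  <graphics type='vnc' port='5901' autoport='yes' websocket='5700' listen='0.0.0.0'/>
</devices></domain>
EOF
    cat > "$dir/dest-b.xml" <<'EOF'
<domain type='kvm'><devices>
  <graphics type='vnc' port='5902' autoport='yes' websocket='-1' listen='0.0.0.0'/>
</devices></domain>
EOF
    port_conflicts "$dir/src.xml" "$dir/dest-a.xml" "$dir/dest-b.xml"
    rm -rf "$dir"
}

demo
```

On real hosts the inputs would come from `virsh dumpxml DOMAIN --migratable` on the source and `virsh dumpxml` for each running domain on the destination.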