[gpfsug-discuss] gpfs 4.2.3.6 stops workingwithkernel3.10.0-862.2.3.el7

Marc A Kaplan makaplan at us.ibm.com
Tue May 15 23:46:18 BST 2018


Kevin, that seems to be a good point. 

IF you have dedicated hardware to acting only as a storage and/or file 
server, THEN neither meltdown nor spectre should not be a worry. 

BECAUSE meltdown and spectre are just about an adversarial process spying 
on another process or kernel memory.  IF we're not letting any potential 
adversary run her code on our file server, what's the exposure?
 
NOW, let the security experts tell us where the flaw is in this 
argument...



From:   "Buterbaugh, Kevin L" <Kevin.Buterbaugh at Vanderbilt.Edu>
To:     gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:   05/15/2018 06:12 PM
Subject:        Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working withkernel 
3.10.0-862.2.3.el7
Sent by:        gpfsug-discuss-bounces at spectrumscale.org



All, 

I have to kind of agree with Andrew … it seems that there is a broad range 
of takes on kernel upgrades … everything from “install the latest kernel 
the day it comes out” to “stick with this kernel, we know it works.”

Related to that, let me throw out this question … what about those who 
haven’t upgraded their kernel in a while at least because they’re 
concerned with the negative performance impacts of the meltdown / spectre 
patches???  So let’s just say a customer has upgraded the non-GPFS servers 
in their cluster, but they’ve left their NSD servers unpatched (I’m 
talking about the kernel only here; all other updates are applied) due to 
the aforementioned performance concerns … as long as they restrict access 
(i.e. who can log in) and use appropriate host-based firewall rules, is 
their some risk that they should be aware of?

Discuss.  Thanks!

Kevin

On May 15, 2018, at 4:45 PM, Andrew Beattie <abeattie at au1.ibm.com> wrote:

this thread is mildly amusing, given we regularly get customers asking why 
we are dropping support for versions of linux
that they "just can't move off"
 
 
Andrew Beattie
Software Defined Storage  - IT Specialist
Phone: 614-2133-7927
E-mail: abeattie at au1.ibm.com
 
 
----- Original message -----
From: Stijn De Weirdt <stijn.deweirdt at ugent.be>
Sent by: gpfsug-discuss-bounces at spectrumscale.org
To: gpfsug-discuss at spectrumscale.org
Cc:
Subject: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working withkernel 
3.10.0-862.2.3.el7
Date: Wed, May 16, 2018 5:35 AM
 
so this means running out-of-date kernels for at least another month? oh
boy...

i hope this is not some new trend in gpfs support. othwerwise all RHEL
based sites will have to start adding EUS as default cost to run gpfs
with basic security compliance.

stijn


On 05/15/2018 09:02 PM, Felipe Knop wrote:
> All,
>
> Validation of RHEL 7.5 on Scale is currently under way, and we are
> currently targeting mid June to release the PTFs on 4.2.3 and 5.0 which
> will include the corresponding fix.
>
> Regards,
>
>   Felipe
>
> ----
> Felipe Knop                                     knop at us.ibm.com
> GPFS Development and Security
> IBM Systems
> IBM Building 008
> 2455 South Rd, Poughkeepsie, NY 12601
> (845) 433-9314  T/L 293-9314
>
>
>
>
>
> From: Ryan Novosielski <novosirj at rutgers.edu>
> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
> Date: 05/15/2018 12:56 PM
> Subject: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working withkernel
>             3.10.0-862.2.3.el7
> Sent by: gpfsug-discuss-bounces at spectrumscale.org
>
>
>
> I know these dates can move, but any vague idea of a timeframe target 
for
> release (this quarter, next quarter, etc.)?
>
> Thanks!
>
> --
> ____
> || \\UTGERS,
> |---------------------------*O*---------------------------
> ||_// the State  |         Ryan Novosielski - novosirj at rutgers.edu
> || \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS 
Campus
> ||  \\    of NJ  | Office of Advanced Research Computing - MSB
> C630, Newark
>      `'
>
>> On May 14, 2018, at 9:30 AM, Felipe Knop <knop at us.ibm.com> wrote:
>>
>> All,
>>
>> Support for RHEL 7.5 and kernel level 3.10.0-862 in Spectrum Scale is
> planned for upcoming PTFs on 4.2.3 and 5.0. Since code changes are 
needed
> in Scale to support this kernel level, upgrading to one of those 
upcoming
> PTFs will be required in order to run with that kernel.
>>
>> Regards,
>>
>> Felipe
>>
>> ----
>> Felipe Knop  knop at us.ibm.com
>> GPFS Development and Security
>> IBM Systems
>> IBM Building 008
>> 2455 South Rd, Poughkeepsie, NY 12601
>> (845) 433-9314 T/L 293-9314
>>
>>
>>
>> <graycol.gif>Andi Rhod Christiansen ---05/14/2018 08:15:25 AM---You are
> welcome. I see your concern but as long as IBM has not released spectrum
> scale for 7.5 that
>>
>> From:  Andi Rhod Christiansen <arc at b4restore.com>
>> To:  gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
>> Date:  05/14/2018 08:15 AM
>> Subject:  Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel
> 3.10.0-862.2.3.el7
>> Sent by:  gpfsug-discuss-bounces at spectrumscale.org
>>
>>
>>
>>
>> You are welcome.
>>
>> I see your concern but as long as IBM has not released spectrum scale 
for
> 7.5 that is their only solution, in regards to them caring about 
security I
> would say yes they do care, but from their point of view either they 
tell
> the customer to upgrade as soon as red hat releases new versions and
> forcing the customer to be down until they have a new release or they 
tell
> them to stay on supported level to a new release is ready.
>>
>> they should release a version supporting the new kernel soon, IBM told 
me
> when I asked that they are "currently testing and have a support date 
soon"
>>
>> Best regards.
>>
>>
>> -----Oprindelig meddelelse-----
>> Fra: gpfsug-discuss-bounces at spectrumscale.org
> <gpfsug-discuss-bounces at spectrumscale.org> På vegne af 
z.han at imperial.ac.uk
>> Sendt: 14. maj 2018 13:59
>> Til: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
>> Emne: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel
> 3.10.0-862.2.3.el7
>>
>> Thanks. Does IBM care about security, one would ask? In this case I'd
> choose to use the new kernel for my virtualization over gpfs ... sigh
>>
>>
>> https://access.redhat.com/errata/RHSA-2018:1318
>>
>> Kernel: KVM: error in exception handling leads to wrong debug stack 
value
> (CVE-2018-1087)
>>
>> Kernel: error in exception handling leads to DoS (CVE-2018-8897)
>> Kernel: ipsec: xfrm: use-after-free leading to potential privilege
> escalation (CVE-2017-16939)
>>
>> kernel: Out-of-bounds write via userland offsets in ebt_entry struct in
> netfilter/ebtables.c (CVE-2018-1068)
>>
>> ...
>>
>>
>> On Mon, 14 May 2018, Andi Rhod Christiansen wrote:
>>> Date: Mon, 14 May 2018 11:10:18 +0000
>>> From: Andi Rhod Christiansen <arc at b4restore.com>
>>> Reply-To: gpfsug main discussion list
>>> <gpfsug-discuss at spectrumscale.org>
>>> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
>>> Subject: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel
>>>     3.10.0-862.2.3.el7
>>>
>>> Hi,
>>>
>>> Yes, kernel 3.10.0-862.2.3.el7 is not supported yet as it is RHEL 7.5
>>> and latest support is 7.4. You have to revert back to 3.10.0-693 😊
>>>
>>> I just had the same issue
>>>
>>> Revert to previous working kernel at redhat 7.4 release which is
> 3.10.9.693. Make sure kernel-headers and kernel-devel are also at this
> level.
>>>
>>>
>>> Best regards
>>> Andi R. Christiansen
>>>
>>> -----Oprindelig meddelelse-----
>>> Fra: gpfsug-discuss-bounces at spectrumscale.org
>>> <gpfsug-discuss-bounces at spectrumscale.org> På vegne af
>>> z.han at imperial.ac.uk
>>> Sendt: 14. maj 2018 12:33
>>> Til: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
>>> Emne: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel
>>> 3.10.0-862.2.3.el7
>>>
>>> Dear All,
>>>
>>> Any one has the same problem?
>>>
>>> /usr/bin/make -C /usr/src/kernels/3.10.0-862.2.3.el7.x86_64 
ARCH=x86_64
> M=/usr/lpp/mmfs/src/gpl-linux CONFIGDIR=/usr/lpp/mmfs/src/config  ; \ if
> [ $? -ne 0 ]; then \
>>> exit 1;\
>>> fi
>>> make[2]: Entering directory
> `/usr/src/kernels/3.10.0-862.2.3.el7.x86_64'
>>>   LD      /usr/lpp/mmfs/src/gpl-linux/built-in.o
>>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/tracelin.o
>>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/tracedev-ksyms.o
>>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/ktrccalls.o
>>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/relaytrc.o
>>>   LD [M]  /usr/lpp/mmfs/src/gpl-linux/tracedev.o
>>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/mmfsmod.o
>>>   LD [M]  /usr/lpp/mmfs/src/gpl-linux/mmfs26.o
>>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/cfiles_cust.o
>>> In file included from /usr/lpp/mmfs/src/gpl-linux/dir.c:63:0,
>>>                  from /usr/lpp/mmfs/src/gpl-linux/cfiles.c:58,
>>>                  from /usr/lpp/mmfs/src/gpl-linux/cfiles_cust.c:55:
>>> /usr/lpp/mmfs/src/gpl-linux/inode.c: In function ʽprintInodeʼ:
>>> /usr/lpp/mmfs/src/gpl-linux/trcid.h:1208:57: error: ʽstruct inodeʼ has
> no member named ʽi_wb_listʼ
>>>      _TRACE6D(_HOOKWORD(TRCID_PRINTINODE_8), 
(Int64)(&(iP->i_wb_list)),
> (Int64)(iP->i_wb_list.next), (Int64)(iP->i_wb_list.prev), (Int64)(&(iP->
> i_lru)), (Int64)(iP->i_lru.next), (Int64)(iP->i_lru.prev));
>>>                                                          ^ ......
>>> _______________________________________________
>>> gpfsug-discuss mailing list
>>> gpfsug-discuss at spectrumscale.org
>>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>> _______________________________________________
>> gpfsug-discuss mailing list
>> gpfsug-discuss at spectrumscale.org
>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>>
>>
>>
>>
>> _______________________________________________
>> gpfsug-discuss mailing list
>> gpfsug-discuss at spectrumscale.org
>>
> 
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7Cnovosirj%40rutgers.edu%7C78d95c4d4db84a37453408d5b99eeb7d%7Cb92d2b234d35447093ff69aca6632ffe%7C1%7C1%7C636619014583822500&sdata=MDYseJ9NFu1C1UVFKHpQIfcwuhM5qJrVYzpJkB70yCM%3D&reserved=0

>
>
> [attachment "signature.asc" deleted by Felipe Knop/Poughkeepsie/IBM]
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>
>
>
>
>
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
 
 

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgpfsug.org%2Fmailman%2Flistinfo%2Fgpfsug-discuss&data=02%7C01%7CKevin.Buterbaugh%40vanderbilt.edu%7C9de921b6a0484477f7bd08d5baad3f4e%7Cba5a7f39e3be4ab3b45067fa80faecad%7C0%7C0%7C636620175613553935&sdata=qyLoxKzFv5mUr9XEGMcsEZIhqXjyKu0YzlQ6yiDSslw%3D&reserved=0
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20180515/0e9d9368/attachment.htm>


More information about the gpfsug-discuss mailing list