[gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel 3.10.0-862.2.3.el7

Aaron Knister aaron.s.knister at nasa.gov
Wed May 16 02:03:36 BST 2018


The one thing that comes to mind is if you're able to affect some 
unprivileged process on the NSD servers. Let's say there's a daemon that 
listens on a port but runs as an unprivileged user in which a 
vulnerability appears (let's say a 0-day remote code execution bug). One
might be tempted to ignore that vulnerability for one reason or another
but you couple that with something like meltdown/spectre and in *theory*
you could do something like sniff ssh key material and get yourself on
the box. In principle I agree with your argument but I've found that when
one accepts and justifies a particular risk it can become easy to 
remember which vulnerability risks you've accepted and end up more 
exposed than one may realize.

Still, the above scenario is low risk (but potentially very high 
impact), though :)

-Aaron

On 5/15/18 6:46 PM, Marc A Kaplan wrote:
> Kevin, that seems to be a good point.
> 
> IF you have dedicated hardware to acting only as a storage and/or file 
> server, THEN neither meltdown nor spectre should not be a worry.
> 
> BECAUSE meltdown and spectre are just about an adversarial process 
> spying on another process or kernel memory.  IF we're not letting any 
> potential adversary run her code on our file server, what's the exposure?
> 
> NOW, let the security experts tell us where the flaw is in this argument...
> 
> 
> 
> From: "Buterbaugh, Kevin L" <Kevin.Buterbaugh at Vanderbilt.Edu>
> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
> Date: 05/15/2018 06:12 PM
> Subject: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel 3.10.0-862.2.3.el7
> Sent by: gpfsug-discuss-bounces at spectrumscale.org
> ------------------------------------------------------------------------
> 
> 
> 
> All,
> 
> I have to kind of agree with Andrew … it seems that there is a broad 
> range of takes on kernel upgrades … everything from “install the latest 
> kernel the day it comes out” to “stick with this kernel, we know it works.”
> 
> Related to that, let me throw out this question … what about those who 
> haven’t upgraded their kernel in a while at least because they’re 
> concerned with the negative performance impacts of the meltdown / 
> spectre patches???  So let’s just say a customer has upgraded the 
> non-GPFS servers in their cluster, but they’ve left their NSD servers 
> unpatched (I’m talking about the kernel only here; all other updates are 
> applied) due to the aforementioned performance concerns … as long as 
> they restrict access (i.e. who can log in) and use appropriate 
> host-based firewall rules, is there some risk that they should be aware of?
> 
> Discuss.  Thanks!
> 
> Kevin
> 
> On May 15, 2018, at 4:45 PM, Andrew Beattie <abeattie at au1.ibm.com> wrote:
> 
> this thread is mildly amusing, given we regularly get customers asking 
> why we are dropping support for versions of linux
> that they "just can't move off"
> 
> 
> *Andrew Beattie*
> *Software Defined Storage  - IT Specialist*
> *Phone: *614-2133-7927
> *E-mail: *abeattie at au1.ibm.com
> 
> 
> ----- Original message -----
> From: Stijn De Weirdt <stijn.deweirdt at ugent.be>
> Sent by: gpfsug-discuss-bounces at spectrumscale.org
> To: gpfsug-discuss at spectrumscale.org
> Cc:
> Subject: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel 3.10.0-862.2.3.el7
> Date: Wed, May 16, 2018 5:35 AM
> 
> so this means running out-of-date kernels for at least another month? oh
> boy...
> 
> i hope this is not some new trend in gpfs support. otherwise all RHEL
> based sites will have to start adding EUS as default cost to run gpfs
> with basic security compliance.
> 
> stijn
> 
> 
> On 05/15/2018 09:02 PM, Felipe Knop wrote:
>  > All,
>  >
>  > Validation of RHEL 7.5 on Scale is currently under way, and we are
>  > currently targeting mid June to release the PTFs on 4.2.3 and 5.0 which
>  > will include the corresponding fix.
>  >
>  > Regards,
>  >
>  >   Felipe
>  >
>  > ----
>  > Felipe Knop knop at us.ibm.com
>  > GPFS Development and Security
>  > IBM Systems
>  > IBM Building 008
>  > 2455 South Rd, Poughkeepsie, NY 12601
>  > (845) 433-9314  T/L 293-9314
>  >
>  >
>  >
>  >
>  >
>  > From: Ryan Novosielski <novosirj at rutgers.edu>
>  > To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
>  > Date: 05/15/2018 12:56 PM
>  > Subject: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel 3.10.0-862.2.3.el7
>  > Sent by: gpfsug-discuss-bounces at spectrumscale.org
>  >
>  >
>  >
>  > I know these dates can move, but any vague idea of a timeframe target for
>  > release (this quarter, next quarter, etc.)?
>  >
>  > Thanks!
>  >
>  > --
>  > ____
>  > || \\UTGERS,
>  > |---------------------------*O*---------------------------
>  > ||_// the State  |         Ryan Novosielski - novosirj at rutgers.edu
>  > || \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
>  > ||  \\    of NJ  | Office of Advanced Research Computing - MSB C630, Newark
>  >      `'
>  >
>  >> On May 14, 2018, at 9:30 AM, Felipe Knop <knop at us.ibm.com> wrote:
>  >>
>  >> All,
>  >>
>  >> Support for RHEL 7.5 and kernel level 3.10.0-862 in Spectrum Scale is
>  >> planned for upcoming PTFs on 4.2.3 and 5.0. Since code changes are needed
>  >> in Scale to support this kernel level, upgrading to one of those upcoming
>  >> PTFs will be required in order to run with that kernel.
>  >>
>  >> Regards,
>  >>
>  >> Felipe
>  >>
>  >> ----
>  >> Felipe Knop knop at us.ibm.com
>  >> GPFS Development and Security
>  >> IBM Systems
>  >> IBM Building 008
>  >> 2455 South Rd, Poughkeepsie, NY 12601
>  >> (845) 433-9314 T/L 293-9314
>  >>
>  >>
>  >>
>  >> From:  Andi Rhod Christiansen <arc at b4restore.com>
>  >> To:  gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
>  >> Date:  05/14/2018 08:15 AM
>  >> Subject:  Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel 3.10.0-862.2.3.el7
>  >> Sent by: gpfsug-discuss-bounces at spectrumscale.org
>  >>
>  >>
>  >>
>  >>
>  >> You are welcome.
>  >>
>  >> I see your concern but as long as IBM has not released spectrum scale for
>  >> 7.5 that is their only solution, in regards to them caring about security I
>  >> would say yes they do care, but from their point of view either they tell
>  >> the customer to upgrade as soon as red hat releases new versions and
>  >> forcing the customer to be down until they have a new release or they tell
>  >> them to stay on supported level to a new release is ready.
>  >>
>  >> they should release a version supporting the new kernel soon, IBM told me
>  >> when I asked that they are "currently testing and have a support date soon"
>  >>
>  >> Best regards.
>  >>
>  >>
>  >> -----Original message-----
>  >> From: gpfsug-discuss-bounces at spectrumscale.org
>  >> <gpfsug-discuss-bounces at spectrumscale.org> On behalf of z.han at imperial.ac.uk
>  >> Sent: 14 May 2018 13:59
>  >> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
>  >> Subject: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel 3.10.0-862.2.3.el7
>  >>
>  >> Thanks. Does IBM care about security, one would ask? In this case I'd
>  >> choose to use the new kernel for my virtualization over gpfs ... sigh
>  >>
>  >>
>  >> https://access.redhat.com/errata/RHSA-2018:1318
>  >>
>  >> Kernel: KVM: error in exception handling leads to wrong debug stack value
>  >> (CVE-2018-1087)
>  >>
>  >> Kernel: error in exception handling leads to DoS (CVE-2018-8897)
>  >> Kernel: ipsec: xfrm: use-after-free leading to potential privilege
>  >> escalation (CVE-2017-16939)
>  >>
>  >> kernel: Out-of-bounds write via userland offsets in ebt_entry struct in
>  >> netfilter/ebtables.c (CVE-2018-1068)
>  >>
>  >> ...
>  >>
>  >>
>  >> On Mon, 14 May 2018, Andi Rhod Christiansen wrote:
>  >>> Date: Mon, 14 May 2018 11:10:18 +0000
>  >>> From: Andi Rhod Christiansen <arc at b4restore.com>
>  >>> Reply-To: gpfsug main discussion list
>  >>> <gpfsug-discuss at spectrumscale.org>
>  >>> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
>  >>> Subject: Re: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel
>  >>>     3.10.0-862.2.3.el7
>  >>>
>  >>> Hi,
>  >>>
>  >>> Yes, kernel 3.10.0-862.2.3.el7 is not supported yet as it is RHEL 7.5
>  >>> and latest support is 7.4. You have to revert back to 3.10.0-693 😊
>  >>>
>  >>> I just had the same issue
>  >>>
>  >>> Revert to previous working kernel at redhat 7.4 release which is
>  >>> 3.10.9.693. Make sure kernel-headers and kernel-devel are also at this
>  >>> level.
>  >>>
>  >>>
>  >>> Best regards
>  >>> Andi R. Christiansen
>  >>>
>  >>> -----Original message-----
>  >>> From: gpfsug-discuss-bounces at spectrumscale.org
>  >>> <gpfsug-discuss-bounces at spectrumscale.org> On behalf of
>  >>> z.han at imperial.ac.uk
>  >>> Sent: 14 May 2018 12:33
>  >>> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
>  >>> Subject: [gpfsug-discuss] gpfs 4.2.3.6 stops working with kernel
>  >>> 3.10.0-862.2.3.el7
>  >>>
>  >>> Dear All,
>  >>>
>  >>> Any one has the same problem?
>  >>>
>  >>> /usr/bin/make -C /usr/src/kernels/3.10.0-862.2.3.el7.x86_64 ARCH=x86_64 M=/usr/lpp/mmfs/src/gpl-linux CONFIGDIR=/usr/lpp/mmfs/src/config  ; \
>  >>> if [ $? -ne 0 ]; then \
>  >>> exit 1;\
>  >>> fi
>  >>> make[2]: Entering directory `/usr/src/kernels/3.10.0-862.2.3.el7.x86_64'
>  >>>   LD      /usr/lpp/mmfs/src/gpl-linux/built-in.o
>  >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/tracelin.o
>  >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/tracedev-ksyms.o
>  >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/ktrccalls.o
>  >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/relaytrc.o
>  >>>   LD [M]  /usr/lpp/mmfs/src/gpl-linux/tracedev.o
>  >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/mmfsmod.o
>  >>>   LD [M]  /usr/lpp/mmfs/src/gpl-linux/mmfs26.o
>  >>>   CC [M]  /usr/lpp/mmfs/src/gpl-linux/cfiles_cust.o
>  >>> In file included from /usr/lpp/mmfs/src/gpl-linux/dir.c:63:0,
>  >>>                  from /usr/lpp/mmfs/src/gpl-linux/cfiles.c:58,
>  >>>                  from /usr/lpp/mmfs/src/gpl-linux/cfiles_cust.c:55:
>  >>> /usr/lpp/mmfs/src/gpl-linux/inode.c: In function ‘printInode’:
>  >>> /usr/lpp/mmfs/src/gpl-linux/trcid.h:1208:57: error: ‘struct inode’ has no member named ‘i_wb_list’
>  >>>      _TRACE6D(_HOOKWORD(TRCID_PRINTINODE_8), (Int64)(&(iP->i_wb_list)), (Int64)(iP->i_wb_list.next), (Int64)(iP->i_wb_list.prev), (Int64)(&(iP->i_lru)), (Int64)(iP->i_lru.next), (Int64)(iP->i_lru.prev));
>  >>>                  ^ ......
>  >>> _______________________________________________
>  >>> gpfsug-discuss mailing list
>  >>> gpfsug-discuss at spectrumscale.org
>  >>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss

-- 
Aaron Knister
NASA Center for Climate Simulation (Code 606.2)
Goddard Space Flight Center
(301) 286-2776
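
Added example, not part of the original thread: a small audit for the scenario described at the top of this message, listing daemons that listen on a non-loopback address as a non-root user on a host whose kernel still reports Meltdown/Spectre as unmitigated. It assumes the kernel exposes /sys/devices/system/cpu/vulnerabilities and covers IPv4 TCP only; the sysfs strings and /proc/net/tcp rows below are constructed samples, and host firewall rules are not considered.

```python
import ipaddress

LISTEN = "0A"  # state code for a listening socket in /proc/net/tcp

# Constructed sample of /sys/devices/system/cpu/vulnerabilities/* contents.
SAMPLE_STATUS = {"meltdown": "Vulnerable\n",
                 "spectre_v1": "Mitigation: Load fences\n",
                 "spectre_v2": "Vulnerable\n"}

# Constructed sample of /proc/net/tcp: sshd as root, a daemon as uid 991 on
# 0.0.0.0:8080, a loopback-only service, and one established connection.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   991        0 20002
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000    89        0 20003
   3: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 20004
"""

def unmitigated(status):
    """Names of CPU flaws whose sysfs status text starts with 'Vulnerable'."""
    return sorted(n for n, s in status.items() if s.strip().startswith("Vulnerable"))

def listeners(proc_net_tcp):
    """Yield (ip, port, uid) for every LISTEN socket in /proc/net/tcp text."""
    for line in proc_net_tcp.splitlines()[1:]:        # skip the header row
        f = line.split()
        if len(f) < 8 or f[3] != LISTEN:
            continue
        addr_hex, port_hex = f[1].split(":")
        # The address is printed in host byte order; x86 is little-endian.
        ip = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
        yield ip, int(port_hex, 16), int(f[7])

def exposure(status, proc_net_tcp):
    """Network-reachable non-root listeners on a host with unmitigated flaws."""
    flaws = unmitigated(status)
    if not flaws:
        return []
    return [(str(ip), port, uid, flaws)
            for ip, port, uid in listeners(proc_net_tcp)
            if uid != 0 and not ip.is_loopback]

if __name__ == "__main__":
    for ip, port, uid, flaws in exposure(SAMPLE_STATUS, SAMPLE_TCP):
        print(f"uid {uid} listens on {ip}:{port}; kernel reports {', '.join(flaws)} unmitigated")
```

On a real NSD server, pass the contents of the sysfs files and of /proc/net/tcp to `exposure()` in place of the samples.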


