Problem with latest kernel?
Re: Problem with latest kernel?
The "nopti" flag doesn't appear to make any difference, I can't believe RH isn't going to fix it until the next point release.
For the time being I've built a 4.9.75 kernel which seems to work fine on CentOS 6 and CentOS 7 Xen PV guests. I would share it but it's not RPM packaged. Hopefully Johnny will soon build this officially for CentOS-Virt then you have the option of running that kernel inside guests.
I did notice this on boot, which is something that needs fixing in Xen itself..
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:226 note_page+0x328/0x330
x86/mm: Found insecure W+X mapping at address ffff880000000000/0xffff880000000000
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.75 #1
0000000000000000 ffffffff8171f04c 0000000000000000 ffffc9000038fda8
0000000000000000 ffffc9000038fda8 ffffc9000038fd98 ffffffff810dbc9e
ffffc9000038fdc8 000000e281125abc 0000000000000023 ffffc9000038fec8
Call Trace:
[<ffffffff8171f04c>] ? dump_stack+0x60/0x94
[<ffffffff810dbc9e>] ? __warn+0xfe/0x120
[<ffffffff810dbd79>] ? warn_slowpath_fmt+0x49/0x50
[<ffffffff81065e98>] ? note_page+0x328/0x330
[<ffffffff81065fea>] ? walk_pmd_level+0x14a/0x1d0
[<ffffffff810662b4>] ? ptdump_walk_pgd_level_core+0x244/0x2a0
[<ffffffff81c81190>] ? rest_init+0x80/0x80
[<ffffffff81c811ba>] ? kernel_init+0x2a/0x100
[<ffffffff81c87751>] ? ret_from_fork+0x41/0x50
---[ end trace 9e7031a081fed20d ]---
Re: Problem with latest kernel?
I just updated 2 Atom systems.
One of them went funky after yum update ran fine. (I was able to request a reboot -- but then had to hard power cycle. That machine is ok)
The other system seems to lock up on step 7/8 of the update doing cleanup -- I had to power cycle...
The system came back up complaining about an unclean shutdown and /dev/sdc needing FSCK (the /boot).
So I ran FSCK which seemed to not need a lot.
Rebooted -- grub.conf is gone putting me into the grub shell. Now I need help. EDIT: I fixed by hand booting a rescue disk. Crisis averted.
I'll post in another thread -- but thought I'd mention it happening here..
-Ben
Last edited by bkamen on 2018/01/11 09:53:40, edited 1 time in total.
Re: Problem with latest kernel?
According to the Xen Project Spectre/Meltdown FAQ:
"Interestingly, guest kernels running in 64-bit PV mode are not vulnerable to attack using SP3, because 64-bit PV guests already run in a KPTI-like mode."
So it seems as if there is no additional security risk (at least for the guest) to not run the new fixed kernel with kpti on xen 64-bit PV.
Re: Problem with latest kernel?
Frankly, this is very bad.
This will put people off using CentOS and Red Hat. How can one recommend Red Hat/CentOS over other distributions after this debacle?
I realize that CentOS relies on volunteers, but someone at Red Hat should be wondering how secure their job is right now.
Some time ago, I vowed to use KVM or XEN when buying a virtual private server, because the update between versions of CentOS 6.x broke it when using OpenVZ (the network scripts did not work). Perhaps Ubuntu is the answer?
Re: Problem with latest kernel?
Can someone post the grub menu kernel line after the update?
Along with it, the mode of virtualisation you used on your host will also help.
I think I have a fix for this. Need those details to confirm the fix.
Keep trying with Open Eyes & Mind. Every problem has a solution for sure!!!
Re: Problem with latest kernel?
Grub entry:
title CentOS (2.6.32-696.18.7.el6.x86_64)
root (hd0)
kernel /boot/vmlinuz-2.6.32-696.18.7.el6.x86_64 root=LABEL=centos_root ro crashkernel=auto LANG=en_US.UTF-8 KEYTABLE=us
initrd /boot/initramfs-2.6.32-696.18.7.el6.x86_64.img
This is on a 64-bit PV guest (CentOS 6.9) running in AWS.
Re: Problem with latest kernel?
Similar here:
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-696.18.7.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-696.18.7.el6.x86_64 ro root=UUID=xxxxxxxxxxx rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=it_IT.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc console=hvc0 KEYTABLE=it crashkernel=auto rhgb quiet
initrd /initramfs-2.6.32-696.18.7.el6.x86_64.img
CentOS 6.9 PV, XenServer 7.1, on-premises infrastructure.
Re: Problem with latest kernel?
The problem should be fixed in the latest kernel update 2.6.32-696.20.1.el6.
Changelog entry [2.6.32-696.20.1.el6]:
[x86] pti/mm: Fix XEN PV boot failure (Waiman Long) [1519799 1519802] {CVE-2017-5754}
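A pre-reboot check built from the grub.conf entries and the changelog line posted in this thread, as an added example that is not from any poster or from CentOS: it reads a legacy GRUB config, finds the kernel of the default entry and compares it with the two versions named above. The function names and the sample grub.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): which kernel will legacy GRUB boot next,
# and does it match a version this thread names?
KNOWN_BAD="2.6.32-696.18.7.el6"   # reported above as failing to boot on Xen PV
FIXED="2.6.32-696.20.1.el6"       # changelog above lists the Xen PV boot fix

# Read a legacy GRUB grub.conf on stdin; print the default entry's kernel version.
default_kernel() {
    awk '
        BEGIN { def = 0; idx = -1 }              # GRUB defaults to entry 0
        /^[ \t]*default[ \t=]/ { sub(/^[ \t]*default[ \t=]+/, ""); def = $0 + 0; next }
        /^[ \t]*title[ \t]/    { idx++; next }   # each title starts a new entry
        /^[ \t]*kernel[ \t]/   { if (idx >= 0 && !(idx in k)) k[idx] = $2 }
        END {
            v = k[def]
            sub(/^.*vmlinuz-/, "", v)            # drop path and file prefix
            sub(/\.(x86_64|i686)$/, "", v)       # drop architecture suffix
            print v
        }'
}

# Map a kernel version to the status this thread gives it.
classify() {
    case "$1" in
        "$KNOWN_BAD") echo "known-bad-on-xen-pv" ;;
        "$FIXED")     echo "has-xen-pv-fix" ;;
        "")           echo "no-default-kernel-found" ;;
        *)            echo "not-named-in-thread" ;;
    esac
}

# True if changelog text on stdin carries the fix line quoted in the thread,
# e.g.  rpm -q --changelog kernel-<version> | has_pv_fix
has_pv_fix() {
    grep -q 'pti/mm: Fix XEN PV boot failure'
}

# Constructed sample: two entries, default pointing at the second one.
sample_grub_conf() {
    cat <<'EOF'
default=1
timeout=5
title CentOS (2.6.32-696.20.1.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-696.20.1.el6.x86_64 ro root=LABEL=centos_root console=hvc0
title CentOS (2.6.32-696.18.7.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-696.18.7.el6.x86_64 ro root=LABEL=centos_root console=hvc0
EOF
}

classify "$(sample_grub_conf | default_kernel)"
```

On a guest, run `default_kernel < /boot/grub/grub.conf` before rebooting; a result of `not-named-in-thread` says nothing either way, so check that kernel package's changelog with `has_pv_fix`.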