Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)

To: Grant McWilliams <grantmasterflash@xxxxxxxxx>
Subject: Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)
From: George Shuklin <george.shuklin@xxxxxxxxx>
Date: Wed, 26 Oct 2011 12:36:09 +0400
Cc: xen-users@xxxxxxxxxxxxxxxxxxx

Citrix provides updates for XenServer, but not for XCP.

But in any case, exposing the management interface to an unprotected network is a bad idea. If you have no managed interface available from the internet, you have very few components vulnerable to remote attack: kernel, openvswitch... that's all.

The idea behind XCP is a well-protected internal network with the management interface, unencrypted storage traffic, migration traffic and XCP's own synchronization traffic, and a separate (by VLAN or by a different physical interface) network for clients with internet access.


On 26.10.2011 09:33, Grant McWilliams wrote:
On Tue, Oct 25, 2011 at 7:45 AM, George Shuklin <george.shuklin@xxxxxxxxx> wrote:
NEVER upgrade XCP by CentOS packages.

You will break it beyond repair. The reason is simple: XCP is shipped with patched packages, and replacing them with non-patched ones will cause grave damage. And the worst is that the damage is not instant - you will continue to operate, but find 'something got wrong' later.

The most important is the lvm2 package, which is patched to allow shared storage usage (--master option). The default LVM2 will trash metadata on an LVM SR (LVM and LVMoISCSI SM) at some moment.

Another (I'm not sure) is the udev package, and maybe a few more.


Why aren't those packages masked in the repo configs like the kernel is?

Having a server OS with no upgrade path is a very bad idea. Zero day exploit? How about zero month or zero year exploit? I'd like to hope that this gets changed at some point.


Grant McWilliams
http://grantmcwilliams.com/

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
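
An added example, not part of the original thread or of XCP: one way to check the masking asked about above, listing for each enabled yum repository which of the named packages its `exclude=` globs would still let it replace. The package set, the sample repo text and all function and parameter names are assumptions; `global_globs` stands for any `exclude=` set under `[main]` in yum.conf, and matching is done on the bare package name only.

```python
import configparser
import fnmatch
import glob
import os

# Assumed set: lvm2 (named in the thread), udev (a maybe), kernel (already masked).
PROTECTED = ("lvm2", "udev", "kernel")

# Constructed sample .repo content (not taken from a real XCP host).
SAMPLE = """\
[base]
name=constructed sample: masks kernel and lvm2, forgets udev
exclude=kernel* lvm2*
[updates]
name=constructed sample: masks only the kernel
exclude=kernel*
[extras]
enabled=0
"""


def audit_repo_text(text, global_globs=(), protected=PROTECTED):
    """Map each enabled repo id to the protected packages it could replace."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        if cp.get(repo, "enabled", fallback="1").strip() == "0":
            continue  # disabled repos are skipped by a plain `yum update`
        # exclude= is a space-separated list of shell globs; commas tolerated
        raw = cp.get(repo, "exclude", fallback="")
        globs = list(global_globs) + raw.replace(",", " ").split()
        missing = [p for p in protected
                   if not any(fnmatch.fnmatchcase(p, g) for g in globs)]
        if missing:
            findings[repo] = missing
    return findings


def audit_repo_dir(repo_dir="/etc/yum.repos.d", global_globs=()):
    """Run the audit over every *.repo file in a directory."""
    findings = {}
    for path in sorted(glob.glob(os.path.join(repo_dir, "*.repo"))):
        with open(path) as handle:
            findings.update(audit_repo_text(handle.read(), global_globs))
    return findings

if __name__ == "__main__":
    print(audit_repo_text(SAMPLE))
```

An empty result means every enabled repository masks all listed packages.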
 
