<div dir="ltr">Privet Igor<div><br></div><div>This will be the upgrade logic. Let me know if you find any flaw in it.</div><div><br></div><div><div><span class="" style="white-space:pre">        </span>TMPCFG=$(mktemp)</div>
<div><span class="" style="white-space:pre">        </span># Take VE_PRIVATE from the global config, or the vzctl default if it is not set there</div>
<div><span class="" style="white-space:pre">        </span>if ! grep '^VE_PRIVATE=' /etc/vz/vz.conf > "$TMPCFG" ; then</div>
<div><span class="" style="white-space:pre">        </span> echo "#Missing VE_PRIVATE assuming default" > "$TMPCFG"</div>
<div><span class="" style="white-space:pre">        </span> echo 'VE_PRIVATE=/vz/private/$VEID' >> "$TMPCFG"</div>
<div><span class="" style="white-space:pre">        </span>fi</div>
<div><span class="" style="white-space:pre">        </span>#cat $TMPCFG</div>
<div><span class="" style="white-space:pre">        </span>for CF in /etc/vz/conf/*.conf ; do</div>
<div><span class="" style="white-space:pre">        </span> # Only an uncommented VE_LAYOUT= line counts as already set</div>
<div><span class="" style="white-space:pre">        </span> if ! grep -q '^VE_LAYOUT=' "$CF" ; then</div>
<div><span class="" style="white-space:pre">                </span>VEID=$(basename "$CF" | sed 's/\.conf$//;')</div>
<div><span class="" style="white-space:pre">                </span># Source only after VEID is set, so $VEID in VE_PRIVATE expands for this CT</div>
<div><span class="" style="white-space:pre">                </span>. "$TMPCFG"</div>
<div><span class="" style="white-space:pre">                </span># A CT config may carry its own VE_PRIVATE (vzctl set --private); use that one</div>
<div><span class="" style="white-space:pre">                </span>if grep -q '^VE_PRIVATE=' "$CF" ; then</div>
<div><span class="" style="white-space:pre">                </span> eval "$(grep '^VE_PRIVATE=' "$CF")"</div>
<div><span class="" style="white-space:pre">                </span>fi</div>
<div><span class="" style="white-space:pre">                </span>X=simfs</div>
<div><span class="" style="white-space:pre">                </span>if [ -e "${VE_PRIVATE}/root.hdd/DiskDescriptor.xml" ] ; then</div>
<div><span class="" style="white-space:pre">                </span> X=ploop</div>
<div><span class="" style="white-space:pre">                </span>fi</div>
<div><span class="" style="white-space:pre">                </span>echo "Securing CT configuration $CF by adding VE_LAYOUT=$X"</div>
<div><span class="" style="white-space:pre">                </span>echo "" >> "$CF"</div>
<div><span class="" style="white-space:pre">                </span>echo "# Upgrade `date`: Securing CT config by adding VE_LAYOUT=$X" >> "$CF"</div>
<div><span class="" style="white-space:pre">                </span>echo "VE_LAYOUT=$X" >> "$CF"</div>
<div><span class="" style="white-space:pre">        </span> fi</div>
<div><span class="" style="white-space:pre">        </span>done</div>
<div><span class="" style="white-space:pre">        </span>rm -f "$TMPCFG"</div>
<div><span class="" style="white-space:pre">        </span></div></div><div><span style="white-space:pre">Best regards,</span></div><div><span style="white-space:pre"><br></span></div><div><span style="white-space:pre">// Ola</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 4, 2015 at 9:36 AM, Igor Bazhitov <span dir="ltr"><<a href="mailto:ibazhitov@odin.com" target="_blank">ibazhitov@odin.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, Ola.<br>
<span class=""><br>
> It does not matter really. Both ways will do.<br>
<br>
</span>All 4 patches for vzctl-4.8 are attached.<br>
<span class=""><br>
> However I have a question. As I understand the config is changed at<br>
> creation or start.<br>
<br>
</span>Yes.<br>
<span class=""><br>
> Should it be changed at upgrade time too to make sure<br>
> the next start is safe? Or is it changed before it is a security hazard?<br>
<br>
</span>Well, it definitely would be better to add correct VE_LAYOUT values to<br>
all CT configs during vzctl upgrade, since there could be a large time<br>
gap between vzctl upgrade and existing CTs (re)start. But in this case<br>
you'll need to implement the CT layout detection logic inside the<br>
upgrade script. The logic is simple: if there is a<br>
"root.hdd/DiskDescriptor.xml" file inside the CT's private directory<br>
(e.g. /vz/private/100) then we have "ploop" layout, otherwise - "simfs"<br>
layout.<br>
<br>
WBR, Igor Bazhitov.<br>
<span class=""><br>
03.09.2015 21:31, Ola Lundqvist writes:<br>
> Hi Igor<br>
><br>
> It does not matter really. Both ways will do.<br>
><br>
> However I have a question. As I understand the config is changed at<br>
> creation or start. Should it be changed at upgrade time too to make sure<br>
> the next start is safe? Or is it changed before it is a security hazard?<br>
><br>
> /Ola<br>
><br>
> Sent from a phone<br>
><br>
> Den 3 sep 2015 12:37 skrev "Igor Bazhitov" <<a href="mailto:ibazhitov@odin.com">ibazhitov@odin.com</a><br>
</span>> <mailto:<a href="mailto:ibazhitov@odin.com">ibazhitov@odin.com</a>>>:<br>
<span class="">><br>
> Hi, Ola.<br>
><br>
> There are 4 patches in the original fix - 2 of them making various<br>
> preparations and the other 2 do the actual fix. Do you need them ported<br>
> to vzctl-4.8 as is, or as one big cumulative patch?<br>
><br>
> WBR, Igor Bazhitov.<br>
><br>
> 01.09.2015 00:22, Ola Lundqvist writes:<br>
> > Privet Kir and Igor<br>
> ><br>
> > Sources and patches here:<br>
> > <a href="ftp://ftp.debian.org/debian/pool/main/v/vzctl/" rel="noreferrer" target="_blank">ftp://ftp.debian.org/debian/pool/main/v/vzctl/</a><br>
> ><br>
> > Source is named .orig.tar.gz<br>
> > and the patches are either in .diff.gz or packaged in .debian.tar.gz<br>
> ><br>
> > I think we should at least backport 4.8 (current stable) and then<br>
> maybe<br>
> > oldstable 3.0.30. 3.0.24 is oldold stable so I guess you can skip<br>
> that.<br>
> ><br>
> > Thanks in advance<br>
> ><br>
> > // Ola<br>
> ><br>
> > On Mon, Aug 31, 2015 at 11:17 PM, Kir Kolyshkin <<a href="mailto:kir@odin.com">kir@odin.com</a><br>
> <mailto:<a href="mailto:kir@odin.com">kir@odin.com</a>><br>
</span><span class="">> > <mailto:<a href="mailto:kir@odin.com">kir@odin.com</a> <mailto:<a href="mailto:kir@odin.com">kir@odin.com</a>>>> wrote:<br>
> ><br>
> ><br>
> ><br>
> > On 08/31/2015 12:15 PM, Ola Lundqvist wrote:<br>
> >> I was. :-) Thanks!<br>
> >><br>
> >> Will look into this shortly. Will also look into backporting<br>
> the fix.<br>
> ><br>
> > Ola,<br>
> ><br>
> > I think Igor (in Cc) will be able to provide the fix backported,<br>
> > just let us know which version do you have in Debian (and a link<br>
> > to sources, as I guess you have some patches in there, too).<br>
> ><br>
> > Kir.<br>
> ><br>
> ><br>
> >><br>
> >> // Ola<br>
> >><br>
> >> On Mon, Aug 31, 2015 at 8:47 PM, Kir Kolyshkin<br>
> <<a href="mailto:kir@openvz.org">kir@openvz.org</a> <mailto:<a href="mailto:kir@openvz.org">kir@openvz.org</a>><br>
</span><span class="">> >> <mailto:<a href="mailto:kir@openvz.org">kir@openvz.org</a> <mailto:<a href="mailto:kir@openvz.org">kir@openvz.org</a>>>> wrote:<br>
> >><br>
> >><br>
> >><br>
> >> On 08/26/2015 01:26 AM, Sergey Bronnikov wrote:<br>
> >><br>
> >> Hi<br>
> >><br>
> >> On 23:19 Tue 25 Aug , Ola Lundqvist wrote:<br>
> >><br>
> >> Hi again<br>
> >><br>
> >> Also I can not find where to download the software<br>
> >> (neither binaries nor<br>
> >> sources). Is it only available in git?<br>
> >><br>
> >> It is not so difficult to find sources.<br>
> >> We have one git repo for openvz sources -<br>
> >> <a href="http://src.openvz.org" rel="noreferrer" target="_blank">src.openvz.org</a> <<a href="http://src.openvz.org" rel="noreferrer" target="_blank">http://src.openvz.org</a>><br>
> <<a href="http://src.openvz.org" rel="noreferrer" target="_blank">http://src.openvz.org</a>>.<br>
> >> vzctl sources are here<br>
> >> <a href="https://src.openvz.org/projects/OVZL/repos/vzctl/browse" rel="noreferrer" target="_blank">https://src.openvz.org/projects/OVZL/repos/vzctl/browse</a><br>
> >><br>
> >><br>
> >> Ola is probably asking about the source tarball. It's here:<br>
> >><br>
> <a href="http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2" rel="noreferrer" target="_blank">http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2</a><br>
> >><br>
> >><br>
> >><br>
> >><br>
> >><br>
> >> Cheers<br>
> >><br>
> >> // Ola<br>
> >><br>
> >> On Tue, Aug 25, 2015 at 11:15 PM, Ola Lundqvist<br>
> >> <<mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a><br>
> <mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a>>><a href="mailto:ola@inguza.com">ola@inguza.com</a> <mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a>><br>
</span>> >> <mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a> <mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a>>>><br>
<span class="">> wrote:<br>
> >><br>
> >> Hi Sergey<br>
> >><br>
> >> How serious should we consider this problem?<br>
> >> Should I ask the Debian<br>
> >> security team (Debian do not accept new<br>
> revisions,<br>
> >> just backports for<br>
> >> security fixes to their stable releases) to<br>
> >> backport this correction to the<br>
> >> current vzctl stable package?<br>
> >><br>
> >> In the meantime I'll build this 4.9.4 for debian<br>
> >> unstable and also upload<br>
> >> to the openvz download directory. First testing<br>
> >> and then after a few days<br>
> >> to the wheezy and jessie stable targets.<br>
> >><br>
> >> Regards,<br>
> >><br>
> >> // Ola<br>
> >><br>
> >><br>
> >><br>
> >> On Tue, Aug 25, 2015 at 2:32 PM, Sergey Bronnikov<br>
> >> <<a href="mailto:sergeyb@openvz.org">sergeyb@openvz.org</a><br>
</span>> <mailto:<a href="mailto:sergeyb@openvz.org">sergeyb@openvz.org</a>> <mailto:<a href="mailto:sergeyb@openvz.org">sergeyb@openvz.org</a><br>
<div><div class="h5">> <mailto:<a href="mailto:sergeyb@openvz.org">sergeyb@openvz.org</a>>>><br>
> >> wrote:<br>
> >><br>
> >> OpenVZ project has released a new vzctl<br>
> update<br>
> >> for legacy OpenVZ.<br>
> >> Read below for more information. Everybody is<br>
> >> advised to upgrade.<br>
> >><br>
> >> Changes<br>
> >> =======<br>
> >> * store VE layout to VE config on start<br>
> >> * store VE layout in VE config during create<br>
> >> and convert<br>
> >><br>
> >> See full changelog here:<br>
> >><br>
> <a href="https://src.openvz.org/projects/OVZL/repos/vzctl/commits" rel="noreferrer" target="_blank">https://src.openvz.org/projects/OVZL/repos/vzctl/commits</a><br>
> >><br>
> >> Download<br>
> >> ========<br>
> >> <a href="http://wiki.openvz.org/Download/vzctl/4.9.4" rel="noreferrer" target="_blank">http://wiki.openvz.org/Download/vzctl/4.9.4</a><br>
> >><br>
> >><br>
> >> Thanks<br>
> >> ======<br>
> >> OpenVZ project would like to thank the<br>
> >> RACK911LABS for discovering this<br>
> >> bug and<br>
> >> providing the attack scenario.<br>
> >><br>
> >><br>
> >> Bug reporting<br>
> >> =============<br>
> >> Please report all bugs found to<br>
> >><br>
> <<a href="https://bugs.openvz.org/" rel="noreferrer" target="_blank">https://bugs.openvz.org/</a>><a href="https://bugs.openvz.org/" rel="noreferrer" target="_blank">https://bugs.openvz.org/</a><br>
> >><br>
> >><br>
> >> Other sources of info on updates<br>
> >> ================================<br>
> >> See <a href="http://planet.openvz.org/" rel="noreferrer" target="_blank">http://planet.openvz.org/</a> to view all the<br>
> >> news (including updates)<br>
> >> online.<br>
> >> There you can also find RSS/Atom feed links.<br>
> >><br>
> >><br>
> >> Regards,<br>
> >> OpenVZ team<br>
> >><br>
> _______________________________________________<br>
> >> Announce mailing list<br>
> >> <a href="mailto:Announce@openvz.org">Announce@openvz.org</a><br>
</div></div>> <mailto:<a href="mailto:Announce@openvz.org">Announce@openvz.org</a>> <mailto:<a href="mailto:Announce@openvz.org">Announce@openvz.org</a><br>
<span class="">> <mailto:<a href="mailto:Announce@openvz.org">Announce@openvz.org</a>>><br>
> >><br>
> <a href="https://lists.openvz.org/mailman/listinfo/announce" rel="noreferrer" target="_blank">https://lists.openvz.org/mailman/listinfo/announce</a><br>
> >><br>
> >><br>
> >><br>
> >> --<br>
> >> --- Inguza Technology AB --- MSc in Information<br>
> >> Technology ----<br>
> >> / <a href="mailto:ola@inguza.com">ola@inguza.com</a> <mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a>><br>
</span>> <mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a> <mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a>>><br>
<span class="">> >> Annebergsslingan 37 \<br>
> >> | <a href="mailto:opal@debian.org">opal@debian.org</a> <mailto:<a href="mailto:opal@debian.org">opal@debian.org</a>><br>
</span>> <mailto:<a href="mailto:opal@debian.org">opal@debian.org</a> <mailto:<a href="mailto:opal@debian.org">opal@debian.org</a>>><br>
<span class="">> >> 654 65 KARLSTAD |<br>
> >> | <a href="http://inguza.com/" rel="noreferrer" target="_blank">http://inguza.com/</a> Mobile: +46<br>
> >> (0)70-332 1551<br>
> <tel:%2B46%20%280%2970-332%201551> |<br>
> >> \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1<br>
> >> B1CF 0FE5 3DD9 /<br>
> >><br>
> >><br>
> ---------------------------------------------------------------<br>
> >><br>
> >><br>
> >><br>
</span><span class="">
> >><br>
> >><br>
> >><br>
> >><br>
> >><br>
</span><span class="">
> >><br>
> ><br>
> ><br>
> ><br>
> ><br>
</span><div class="HOEnZb"><div class="h5">
> ><br>
><br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div><font face="courier new, monospace" size="1"> --- Inguza Technology AB --- MSc in Information Technology ----</font></div><div><font face="courier new, monospace" size="1">/ <a href="mailto:ola@inguza.com" target="_blank">ola@inguza.com</a> Annebergsslingan 37 \</font></div><div><font face="courier new, monospace" size="1">| <a href="mailto:opal@debian.org" target="_blank">opal@debian.org</a> 654 65 KARLSTAD |</font></div><div><font face="courier new, monospace" size="1">| <a href="http://inguza.com/" target="_blank">http://inguza.com/</a> Mobile: +46 (0)70-332 1551 |</font></div><div><font face="courier new, monospace" size="1">\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /</font></div><div><font face="courier new, monospace" size="1"> ---------------------------------------------------------------</font></div></div><div><br></div></div></div>
</div>
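An added example, not Ola's script and not vzctl's own code: Igor's detection rule written as shell functions, plus the two details an upgrade loop has to get right, expanding $VEID in VE_PRIVATE for each CT and treating only an uncommented VE_LAYOUT= line as already set. The config directory, private tree and CT ids are constructed under mktemp so it runs offline; on a real node CONFDIR would be /etc/vz/conf and TEMPLATE the VE_PRIVATE value from /etc/vz/vz.conf.

```shell
# Added example (not Ola's script and not vzctl's own code): Igor's detection
# rule as small functions, run against a constructed temp tree so it works
# offline. vzctl's default VE_PRIVATE template is /vz/private/$VEID.

# ct_layout PRIVATE_DIR -> "ploop" if root.hdd/DiskDescriptor.xml exists, else "simfs"
ct_layout() {
    if [ -e "$1/root.hdd/DiskDescriptor.xml" ]; then
        echo ploop
    else
        echo simfs
    fi
}

# ct_private VEID TEMPLATE -> TEMPLATE with $VEID or ${VEID} replaced by VEID
ct_private() {
    printf '%s\n' "$2" | sed -e "s/\${VEID}/$1/g" -e "s/\$VEID/$1/g"
}

# ensure_ve_layout CONF PRIVATE_DIR -> appends VE_LAYOUT unless CONF already has
# an uncommented VE_LAYOUT= line; prints "added <layout>" or "kept"
ensure_ve_layout() {
    conf=$1; priv=$2
    if grep -q '^VE_LAYOUT=' "$conf"; then
        echo kept
        return 0
    fi
    layout=$(ct_layout "$priv")
    {
        echo ""
        echo "# Upgrade $(date +%Y-%m-%d): recorded VE_LAYOUT=$layout"
        echo "VE_LAYOUT=$layout"
    } >> "$conf"
    echo "added $layout"
}

# upgrade_confs CONFDIR TEMPLATE -> one "<veid>: <result>" line per CT config
upgrade_confs() {
    for cf in "$1"/*.conf; do
        [ -e "$cf" ] || continue
        veid=$(basename "$cf" .conf)
        echo "$veid: $(ensure_ve_layout "$cf" "$(ct_private "$veid" "$2")")"
    done
}

# setup_fixture -> constructed tree with a ploop CT (100), a simfs CT whose
# config only has a commented-out VE_LAYOUT (101), and one already set (102)
setup_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/conf" "$root/private/100/root.hdd" "$root/private/101" "$root/private/102"
    : > "$root/private/100/root.hdd/DiskDescriptor.xml"
    printf 'VE_ROOT=/vz/root/$VEID\n' > "$root/conf/100.conf"
    printf '#VE_LAYOUT=ploop\n' > "$root/conf/101.conf"
    printf 'VE_LAYOUT=simfs\n' > "$root/conf/102.conf"
    echo "$root"
}
```

Run `upgrade_confs "$(setup_fixture)/conf" '<tree>/private/$VEID'` to see CT 100 recorded as ploop, 101 as simfs, and 102 left untouched.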