[Users] Openwall Linux (OWL) switches to OpenVZ kernel

Solar Designer solar at openwall.com
Sun Nov 29 02:42:15 EST 2009


On Fri, Nov 27, 2009 at 02:47:34PM +0000, Scott Dowdle wrote:
> I just noticed this:
> 
> http://www.openwall.com/Owl/
> 
> I haven't used Openwall myself but I'm guessing someone from Openwall might be on this mailing list.  If so, please introduce yourself.

Well, yes, someone else from Openwall forwarded your message to me, so I
have joined specifically to provide an "authoritative" response to you.
I am leading the project.  If you'd like a more complete introduction, you
can check out my bio here - http://openwall.info/wiki/people/solar/bio

> What kernel version/branch are you guys using?

We use the "rhel5" branch.  As Thorsten has correctly pointed out
(thanks!), our snapshots released on November 23 use
128.2.1.el5.028stab064.8 with some additional changes by us.  OpenVZ's
164.2.1.el5.028stab066.7 was not yet released on the 23rd, so we could
not use it yet (although we knew it was about to be released).

Speaking of the "additional changes by us", they include some ports of
RHEL security fixes beyond 128.2.1 (July), effectively up to 128.7.1
(August), some more security fixes (that did not get into Red Hat's
128.7.1 yet), as well as non-security stuff such as the default size of
tmpfs fix/change that is now also implemented in 028stab066.7.  Our
changes also include stuff that was neither pulled from anywhere nor
accepted by any of the upstreams yet - this includes a change to allow
us to run klogd as non-root, a change to allow for booting off degraded
software RAID even when the RAID device is configured on the kernel's
command-line, and reversal of Red Hat's change of default for
panic_on_oops (after a brief discussion with them regarding their
rationale).  Overall, our patch is tiny - just a few simple but
important changes.

So, in a sense (especially as it relates to security fixes), the kernel
on our 11/23 ISOs is half way from 128.2.1.el5.028stab064.8 to
164.2.1.el5.028stab066.7.

Indeed, we're planning on updating to 164.2.1.el5.028stab066.7 (again
with additional changes), likely in December.  The 11/23 ISO snapshots
are the very first ones including OpenVZ integration, so we focused on
reaching this major milestone and moving forward rather than on making
sure we include all relevant patches into the kernel right away (which
would result in us duplicating the effort of OpenVZ folks on their
028stab066 release, which they were working on at the time).

I hope this response helps, and I hope I did not make it too detailed. ;-)

Some additional links:

The 11/23 announcement:
http://www.openwall.com/lists/announce/2009/11/23/1

Getting started with Owl's OpenVZ support:
http://openwall.info/wiki/Owl/usage-examples/OpenVZ/getting-started

(probably too basic for this list's members, although our support of
containers even while CD/DVD-booted could be of use for demonstrating
or trying out OpenVZ features)

Some recent Q & A about Owl and the kernel in Russian:

http://www.opennet.ru/opennews/art.shtml?num=24395

(unfortunately, Google translates the above page incorrectly, in some
cases reversing the meaning, so I only recommend it for those who can
read Russian natively)

Thank you for your interest in our stuff.  We'd appreciate feedback.

Alexander

