[Users] Need help with hanging servers

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Tue Jul 6 21:02:55 EDT 2010


On 06.07.2010 22:28, Brian Moon wrote:
> Bleh, ok, looks like we installed the new sources but did not reboot
> into the new kernel. So, we are still on 2.6.18. Based on this post
> http://community.livejournal.com/openvz/31703.html we should probably
> go ahead and move to .32.

The optimal way forward is to install the system from scratch with the
latest vendor kernel (to get a secure system before you actually turn on
networking), then move to the 2.6.27 OpenVZ kernel which should be
stable and reasonably secure. An alternative would be to pick a vendor
kernel with OpenVZ patches. I think such kernels are distributed by OpenVZ.
Basically, if we assume the crashes are a security problem, an attacker
might already have partial/full control over your production servers,
and you should consider all passwords, user data and container contents
to be compromised.

> Our dev server is on 2.6.27 for sure. Of course, it is a completely
> different workload and does not have these issues. That could mean
> something and it could not.

If the dev server runs reliably for you, it makes a lot of sense to
clone its configuration for your production servers. If you're lucky,
the production servers will suddenly be stable. I strongly advise you to
make sure you're running the latest available kernel for any given
release. If you watch vendor security updates, and you notice they talk
about a security bug, and the vendor release happened after the last
OpenVZ update for your chosen kernel with the same version, please check
that the OpenVZ kernel you're using is still maintained.

About 2.6.32: I don't know if picking that kernel version is a good
idea. It is still marked as experimental.

Regards,
Carl-Daniel

-- 
http://www.hailfinger.org/
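
A check for the situation described in this thread (new kernel installed, old one still running), as an added example that is not part of the original message. It assumes kernel images are named `vmlinuz-<release>` in `/boot` and uses GNU `sort -V` as an approximation of package version ordering; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag a host that has a newer kernel installed than the one
# it is actually running (installed, but never rebooted into).
# Usage on a real host: reboot_pending "$(uname -r)" /boot

# newest_version: read release strings on stdin (one per line) and print the
# highest one according to GNU sort -V version ordering.
newest_version() {
    sed '/^$/d' | sort -V | tail -n 1
}

# installed_kernels DIR: print the release string of every vmlinuz-* image
# in DIR (assumption: the distribution names its images this way).
installed_kernels() {
    dir=${1:-/boot}
    for img in "$dir"/vmlinuz-*; do
        [ -e "$img" ] || continue
        basename "$img" | sed 's/^vmlinuz-//'
    done
}

# reboot_pending RUNNING DIR
#   returns 0 if a newer kernel than RUNNING is installed in DIR,
#   returns 1 if RUNNING is already the newest one present,
#   returns 2 if DIR contains no kernel images at all.
reboot_pending() {
    running=$1
    newest=$(installed_kernels "$2" | newest_version)
    if [ -z "$newest" ]; then
        echo "no kernel images found in ${2:-/boot}" >&2
        return 2
    fi
    # Highest of the running release and the newest installed release.
    top=$(printf '%s\n%s\n' "$running" "$newest" | newest_version)
    if [ "$running" != "$newest" ] && [ "$top" = "$newest" ]; then
        echo "STALE: running $running, newest installed is $newest"
        return 0
    fi
    echo "OK: running $running, nothing newer installed"
    return 1
}
```

Run it from cron or a monitoring agent after kernel package updates, so a missed reboot shows up as an alert rather than during crash triage.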
