On Thursday 23 February 2017, Carlos E. R. wrote:
> On 2017-02-23 13:46, Ruediger Meier wrote:
> > On Thursday 23 February 2017, Carlos E. R. wrote:
> >> El 2017-02-22 a las 11:37 +0100, Ruediger Meier escribi├│:
> >>> ... and it happened again. They upgraded 42.3 to texlive-2016 and
> >>> it breaks again. Evergreen is still needed.
> >>
> >> That will be solved eventually, I hope.
> >>
> >> What worries me is that we got 2 kernel updates in a month.
> >> Several updates this month that require a reboot (systemd,
> >> apparmor...). Not good for server uptime.
> >
> > You DO NOT NEED to reboot after kernel update. Nowadays the old
> > kernel should be still installed in parallel so module loading
> > still works without reboot.
>
> If I do that, then I would simply not apply the update at all. Far
> easier and more stable.


Hm, I never care about updates. I get them automatically everyday and
reboot whenever I want. I think that's more simple. Regarding stability
I don't think it makes any difference whether you install a kernel
update 5 minutes or 5 months before reboot.

BTW very often even the "non-reboot" updates require manually
restarting affected programs. Otherwise you would still use the
old versions too.

For example, below you see all the programs which are still using
vulnerable openssl. The fact that it's still running the old kernel
is my smallest problem ;)

glaukos:~ # uptime
 14:10pm  up 14 days 20:26,  1 user,  load average: 3.34, 3.32, 3.32

glaukos:~ # rpm -qa --last | head
mariadb-10.0.29-18.1.x86_64                   Tue 21 Feb 2017 01:00:13 AM CET
mariadb-errormessages-10.0.29-18.1.x86_64     Tue 21 Feb 2017 01:00:11 AM CET
mariadb-client-10.0.29-18.1.x86_64            Tue 21 Feb 2017 01:00:11 AM CET
openssl-1.0.2j-4.1.x86_64                     Tue 21 Feb 2017 01:00:10 AM CET
libmysqlclient18-10.0.29-18.1.x86_64          Tue 21 Feb 2017 01:00:10 AM CET
expat-2.1.0-19.1.x86_64                       Tue 21 Feb 2017 01:00:10 AM CET
libseccomp2-2.3.1-3.1.x86_64                  Tue 21 Feb 2017 01:00:09 AM CET
libopenssl1_0_0-1.0.2j-4.1.x86_64             Tue 21 Feb 2017 01:00:09 AM CET
libexpat1-2.1.0-19.1.x86_64                   Tue 21 Feb 2017 01:00:09 AM CET
kernel-default-4.4.46-11.1.x86_64             Wed 15 Feb 2017 01:00:13 AM CET

glaukos:~ # uname -r
4.4.36-8-default

glaukos:~ # zypper ps
The following running processes use deleted files:

PID   | PPID | UID  | User       | Command     | Service | Files
------+------+------+------------+-------------+---------+------------------------------------
1     | 0    | 0    | root       | systemd     |         | 
/usr/lib64/libseccomp.so.2.3.0
      |      |      |            |             |         | 
/lib64/libapparmor.so.1.3.0
1077  | 0    | 0    | root       | systemd     |         | 
/usr/lib64/libseccomp.so.2.3.0
      |      |      |            |             |         | 
/lib64/libapparmor.so.1.3.0
1152  | 1    | 499  | messagebus | dbus-daemon | dbus    | 
/usr/lib64/libexpat.so.1.6.0
1635  | 1    | 492  | nagios     | nrpe        | nrpe    | 
/lib64/libssl.so.1.0.0
      |      |      |            |             |         | 
/lib64/libcrypto.so.1.0.0
1636  | 1    | 0    | root       | sshd        | sshd    | 
/lib64/libcrypto.so.1.0.0
1721  | 1    | 44   | named      | named       | named   | 
/lib64/libcrypto.so.1.0.0
      |      |      |            |             |         | 
/usr/lib64/libmysqlclient.so.18.0.0
      |      |      |            |             |         | 
/usr/lib64/libxml2.so.2.9.4
      |      |      |            |             |         | 
/lib64/libssl.so.1.0.0
1743  | 1    | 0    | root       | nmbd        | nmb     | 
/lib64/libssl.so.1.0.0
      |      |      |            |             |         | 
/lib64/libcrypto.so.1.0.0
1807  | 1    | 0    | root       | smbd        | smb     | 
/lib64/libssl.so.1.0.0
      |      |      |            |             |         | 
/lib64/libcrypto.so.1.0.0
1808  | 1807 | 0    | root       | smbd        | smb     | 
/lib64/libssl.so.1.0.0
      |      |      |            |             |         | 
/lib64/libcrypto.so.1.0.0
1809  | 1807 | 0    | root       | smbd        | smb     | 
/lib64/libssl.so.1.0.0
      |      |      |            |             |         | 
/lib64/libcrypto.so.1.0.0
1855  | 1807 | 0    | root       | smbd        | smb     | 
/lib64/libssl.so.1.0.0
      |      |      |            |             |         | 
/lib64/libcrypto.so.1.0.0
2889  | 1    | 1000 | rudi       | systemd     |         | 
/usr/lib64/libseccomp.so.2.3.0
      |      |      |            |             |         | 
/lib64/libapparmor.so.1.3.0
2893  | 0    | 1000 | rudi       | systemd     |         | 
/usr/lib64/libseccomp.so.2.3.0
      |      |      |            |             |         | 
/lib64/libapparmor.so.1.3.0
14248 | 1807 | 0    | root       | smbd        | smb     | 
/lib64/libssl.so.1.0.0
      |      |      |            |             |         | 
/lib64/libcrypto.so.1.0.0



You see I should restart at least named, smb, sshd and nrpe to be safe
against remote attackers.

cu,
Rudi
_______________________________________________
Evergreen mailing list
Evergreen@lists.rosenauer.org
http://lists.rosenauer.org/mailman/listinfo/evergreen

Reply via email to