Re: [tor-relays] Linux kernel vulnerability

2016-10-23 Thread Tristan
Rebooting also makes sure updates are applied correctly. If a shared
library updates, the old version is still in use until whatever program
using it stops, and the new version is loaded on the next run.

On Oct 23, 2016 10:07 PM, "Duncan Guthrie"  wrote:

> Hi folks,
>
> I think this is a very extreme and unnecessary solution. While it is good
> to keep relays up, this may be unreliable. It is good to perform
> maintenance regularly, and reboots are often best.
> Also, it appears to be proprietary technology. I would not advise
> proprietary technology on a Tor relay as it opens up a whole other can of
> worms, who controls the software etc.
> Can people really not afford to reboot once a month or similar? Uptime is
> good but the only reliable way to apply kernel updates has always been
> reboots. Restarting also can apply updates to certain system services as
> well, if I am correct.
>
> -- D
>
> On 23 October 2016 09:42:38 BST, Jonathan Baker-Bates <
> jonat...@bakerbates.com> wrote:
>>
>> I know some people using this for applying kernel updates without
>> rebooting, but don't know how good it is:
>>
>> https://www.cloudlinux.com/all-products/product-overview/kernelcare
>>
>>
>>
>> On 23 October 2016 at 09:16, nusenu  wrote:
>>
>>> > Second, you will reduce the uptime and stability of
>>> > your relay, thus it will lose consensus weight if you reboot the
>>> machine
>>> > once a day.
>>>
>>>
>>> Unattended-Upgrade::Automatic-Reboot "true";
>>>
>>> Does not reboot your machine "once a day", it reboots when a new kernel
>>> requires a reboot. Which on Debian stable / Ubuntu LTS is far from being
>>> a daily event.
>>> And the frequency of reboots actually should not differ compared to
>>> manual reboots.
>>>
>>>
>>> ___
>>> tor-relays mailing list
>>> tor-relays@lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
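The point Tristan makes above (a replaced shared library stays in use until the process that loaded it restarts) is visible from the kernel's own bookkeeping: when the file backing a mapping has been unlinked or replaced, `/proc/<pid>/maps` marks that mapping `(deleted)`. The following script is an added example for this thread, not something posted by any participant; it parses that format and, with `--scan`, walks every process on a host to report which ones still hold old library versions. The sample maps content it ships with is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the tor-relays thread): list shared libraries that a
# process still has mapped although the file on disk has been replaced by an
# update. The kernel tags such mappings "(deleted)" in /proc/<pid>/maps.

# Print the unique paths of deleted .so mappings found in one maps file.
# Argument: path to a /proc/<pid>/maps file (or any file in that format).
# Field 6 is the path; the trailing field is "(deleted)" for replaced files.
# Non-library entries such as "/dev/zero (deleted)" or memfd mappings are
# filtered out by requiring ".so" in the path.
deleted_libs_from_maps() {
    awk '$NF == "(deleted)" && $6 ~ /\.so/ { print $6 }' "$1" | sort -u
}

# Walk every process on the host and report those holding replaced libraries.
# Returns 1 if at least one such process exists (so a cron job can flag the
# host as needing service restarts), 0 otherwise. Needs root to read the
# maps of processes owned by other users.
scan_running_processes() {
    found=0
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$(deleted_libs_from_maps "$maps")
        [ -n "$libs" ] || continue
        found=1
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf 'pid %s (%s) still maps replaced libraries:\n' "$pid" "$comm"
        printf '  %s\n' $libs
    done
    return $found
}

# Constructed sample in /proc/<pid>/maps format: a tor binary whose libc was
# replaced by an update while it kept running. Written to the file named by $1.
write_sample_maps() {
    cat > "$1" <<'EOF'
55d2c3a00000-55d2c3a1d000 r-xp 00000000 fd:01 131073   /usr/bin/tor
7f1c8a000000-7f1c8a1c5000 r-xp 00000000 fd:01 262145   /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f1c8a1c5000-7f1c8a3c4000 ---p 001c5000 fd:01 262145   /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f1c8a400000-7f1c8a600000 r-xp 00000000 fd:01 262200   /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f1c8a700000-7f1c8a701000 rw-s 00000000 00:05 4096     /dev/zero (deleted)
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0        [stack]
EOF
}

# With --scan, inspect the real host; otherwise demonstrate on the sample.
if [ "${1:-}" = "--scan" ]; then
    scan_running_processes
else
    sample=$(mktemp)
    write_sample_maps "$sample"
    deleted_libs_from_maps "$sample"
    rm -f "$sample"
fi
```

Run it as root with `--scan` after an `apt` or `yum` run; any process it lists is still executing pre-update library code, which is the case where a service restart (or the reboot discussed in the thread) is what actually applies the fix. Tools such as Debian's `needrestart` do the same analysis with more polish.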


Re: [tor-relays] Linux kernel vulnerability

2016-10-23 Thread Duncan Guthrie
Hi folks,

I think this is a very extreme and unnecessary solution. While it is good to 
keep relays up, this may be unreliable. It is good to perform maintenance 
regularly, and reboots are often best.
Also, it appears to be proprietary technology. I would not advise proprietary 
technology on a Tor relay as it opens up a whole other can of worms, who 
controls the software etc.
Can people really not afford to reboot once a month or similar? Uptime is good 
but the only reliable way to apply kernel updates has always been reboots. 
Restarting also can apply updates to certain system services as well, if I am 
correct.

-- D

On 23 October 2016 09:42:38 BST, Jonathan Baker-Bates  
wrote:
>I know some people using this for applying kernel updates without
>rebooting, but don't know how good it is:
>
>https://www.cloudlinux.com/all-products/product-overview/kernelcare
>
>
>
>On 23 October 2016 at 09:16, nusenu  wrote:
>
>> > Second, you will reduce the uptime and stability of
>> > your relay, thus it will lose consensus weight if you reboot the
>machine
>> > once a day.
>>
>>
>> Unattended-Upgrade::Automatic-Reboot "true";
>>
>> Does not reboot your machine "once a day", it reboots when a new
>kernel
>> requires a reboot. Which on Debian stable / Ubuntu LTS is far from
>being
>> a daily event.
>> And the frequency of reboots actually should not differ compared to
>> manual reboots.
>>
>>


Re: [tor-relays] Linux kernel vulnerability

2016-10-23 Thread nusenu
> Would it be acceptable to configure unattended-upgrades to automatically
> reboot the system when required? I already have it configured to check for
> and install all updates to Ubuntu and Tor once a day, but I still need to
> manually reboot to apply kernel upgrades.

I think

Unattended-Upgrade::Automatic-Reboot "true";

is a good practice for (lazy) tor server operators to keep running
patched kernels automatically, since automation usually reduces the time
until the system is patched (and if necessary rebooted) - even if the
operator does not follow security announce mailing lists.

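To make concrete what `Unattended-Upgrade::Automatic-Reboot "true"` does and does not do, here is an added example (mine, not posted by nusenu or anyone else in the thread). On Debian and Ubuntu, kernel packages create the flag file `/var/run/reboot-required` when a reboot is needed, and unattended-upgrades reboots only when that file exists, which is why, as nusenu says, the reboot frequency tracks kernel updates rather than the daily run. The script prints the configuration stanza (the `Automatic-Reboot-Time` line is an assumption added for illustration, not something the thread mentions) and checks whether a kernel reboot is currently outstanding; the version strings in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the tor-relays thread. Shows the apt.conf.d stanza
# that makes unattended-upgrades reboot only when a package has asked for it,
# and a check an operator can run (or cron) to see whether such a reboot is
# outstanding on a Debian/Ubuntu host.

# Configuration fragment as unattended-upgrades reads it, for a file under
# /etc/apt/apt.conf.d/. The reboot time is an illustrative assumption.
print_autoreboot_config() {
    cat <<'EOF'
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF
}

# Kernel (and some library) packages create this flag file when a reboot is
# needed; unattended-upgrades reboots when it is present.
reboot_flag_present() {
    [ -e /var/run/reboot-required ]
}

# Compare the running kernel with the newest installed one.
# Args: running version, then one or more installed versions.
# Returns 0 (true) when the newest installed version is not the running one.
# Versions are ordered with sort -V, which handles Debian ABI numbering such
# as 4.4.0-45-generic; compare only kernels of the same flavour.
newer_kernel_installed() {
    running=$1; shift
    newest=$(printf '%s\n' "$@" | sort -V | tail -n 1)
    [ "$newest" != "$running" ]
}

# Installed kernel versions as seen in /boot (vmlinuz-<version> files).
installed_kernels() {
    for f in /boot/vmlinuz-*; do
        [ -e "$f" ] && printf '%s\n' "${f#/boot/vmlinuz-}"
    done
}

# Operator-facing summary; returns 1 when a reboot is outstanding.
check_host() {
    running=$(uname -r)
    set -- $(installed_kernels)
    if reboot_flag_present; then
        echo "reboot-required flag set"; return 1
    elif [ $# -gt 0 ] && newer_kernel_installed "$running" "$@"; then
        echo "running $running but a newer kernel is installed"; return 1
    fi
    echo "no kernel reboot pending (running $running)"
}

case "${1:-}" in
    --check) check_host ;;
    *)       print_autoreboot_config ;;
esac
```

`--check` is the manual equivalent of the decision unattended-upgrades makes for you; running it before and after a package update shows that the flag, not the calendar, drives the reboot. The kernel-version comparison is a second, independent signal for hosts where the flag file was removed or never written.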


Re: [tor-relays] Linux kernel vulnerability

2016-10-23 Thread Petrusko
I don't know if it's possible to load a new kernel without rebooting...

But I think people who don't want to reboot because they fear a bad
reboot, losing SSH or anything else... If the OS teams are updating a
system for security, I prefer a bad reboot (backups are done before!)
to a system with a lot of security holes, sick of botnets or sending
spam every second, a Tor relay controlled by bad hands... :s

On other servers (debian/raspbian) I usually use "apticron", it sends
daily mails to root or another ad...@domain.com, with a summary about
updates available for the host.

> but I still need to manually reboot to apply kernel upgrades.

-- 
Petrusko
PubKey EBE23AE5
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5


Re: [tor-relays] CentOS 7 Packages

2016-10-23 Thread nusenu
> I have one relay on CentOS 6 and one on CentOS 7.  The one running CentOS 7
> hasn't had the 0.2.8.8 update yet and so is still running 0.2.8.7.  The one
> running CentOS 6 has had the latest update.

by "latest update" you mean 0.2.8.9?

Where do you get your tor packages from?

If you got tor v0.2.8.9 on CentOS 6 before
2016-10-22 20:50:29 (UTC)
then your package source is not epel(-testing).


> Is there a problem with getting CentOS 7 packages out?
> 
> How much of a problem is this?  Both now and in the future?


It usually takes about a week to get a new release into the epel-testing
repo and another 2 weeks for the epel (stable) repo.

If you want to get the current latest tor release (0.2.8.9) now you can
temporarily enable the epel-testing repo - if you don't want to enable
it generally:

yum install --enablerepo=epel-testing tor



https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-2f6f1435ed
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-f0f6483aa7