Re: [tor-relays] Linux kernel vulnerability
Rebooting also makes sure updates are applied correctly. If a shared library updates, the old version is still in use until whatever program using it stops, and the new version is loaded on the next run.

On Oct 23, 2016 10:07 PM, "Duncan Guthrie" wrote:
> Hi folks,
>
> I think this is a very extreme and unnecessary solution. While it is good to keep relays up, this may be unreliable. It is good to perform maintenance regularly, and reboots are often best.
> Also, it appears to be proprietary technology. I would not advise proprietary technology on a Tor relay as it opens up a whole other can of worms, who controls the software etc.
> Can people really not afford to reboot once a month or similar? Uptime is good but the only reliable way to apply kernel updates has always been reboots. Restarting also can apply updates to certain system services as well, if I am correct.
>
> -- D
>
> On 23 October 2016 09:42:38 BST, Jonathan Baker-Bates <jonat...@bakerbates.com> wrote:
>> I know some people using this for applying kernel updates without rebooting, but don't know how good it is:
>>
>> https://www.cloudlinux.com/all-products/product-overview/kernelcare
>>
>> On 23 October 2016 at 09:16, nusenu wrote:
>>> > Second, you will reduce the uptime and stability of your relay, thus it will lose consensus weight if you reboot the machine once a day.
>>>
>>> Unattended-Upgrade::Automatic-Reboot "true";
>>>
>>> Does not reboot your machine "once a day", it reboots when a new kernel requires a reboot. Which on Debian stable / Ubuntu LTS is far from being a daily event.
>>> And the frequency of reboots actually should not differ compared to manual reboots.

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Linux kernel vulnerability
Hi folks,

I think this is a very extreme and unnecessary solution. While it is good to keep relays up, this may be unreliable. It is good to perform maintenance regularly, and reboots are often best.
Also, it appears to be proprietary technology. I would not advise proprietary technology on a Tor relay as it opens up a whole other can of worms, who controls the software etc.
Can people really not afford to reboot once a month or similar? Uptime is good but the only reliable way to apply kernel updates has always been reboots. Restarting also can apply updates to certain system services as well, if I am correct.

-- D

On 23 October 2016 09:42:38 BST, Jonathan Baker-Bates wrote:
> I know some people using this for applying kernel updates without rebooting, but don't know how good it is:
>
> https://www.cloudlinux.com/all-products/product-overview/kernelcare
>
> On 23 October 2016 at 09:16, nusenu wrote:
>> > Second, you will reduce the uptime and stability of your relay, thus it will lose consensus weight if you reboot the machine once a day.
>>
>> Unattended-Upgrade::Automatic-Reboot "true";
>>
>> Does not reboot your machine "once a day", it reboots when a new kernel requires a reboot. Which on Debian stable / Ubuntu LTS is far from being a daily event.
>> And the frequency of reboots actually should not differ compared to manual reboots.
Re: [tor-relays] Linux kernel vulnerability
> Would it be acceptable to configure unattended-upgrades to automatically reboot the system when required? I already have it configured to check for and install all updates to Ubuntu and Tor once a day, but I still need to manually reboot to apply kernel upgrades.

I think

Unattended-Upgrade::Automatic-Reboot "true";

is a good practice for (lazy) tor server operators to keep running patched kernels automatically, since automation usually reduces the time until the system is patched (and if necessary rebooted) - even if the operator does not follow security announce mailing lists.
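Two checks behind the points made in this thread (a kernel reboot still pending after unattended-upgrades ran, and the earlier remark that an upgraded shared library stays in use until the program using it restarts), as an added shell example that is not from the list thread. It assumes a Debian/Ubuntu host where the reboot marker is /var/run/reboot-required; the sample maps file is constructed.

```shell
#!/bin/sh
# Added example, not from the tor-relays thread. Two post-upgrade checks
# for a Debian/Ubuntu relay: is a kernel reboot pending, and which
# processes still map a shared library that an upgrade replaced on disk.

# Debian/Ubuntu write /var/run/reboot-required when an installed package
# (typically a kernel) needs a reboot; unattended-upgrades with
# Automatic-Reboot "true" acts on the same marker. The path is an argument
# so the check can be pointed at a test file.
kernel_reboot_pending() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# A line in /proc/<pid>/maps ends in "(deleted)" when the mapped file was
# removed or replaced. Only .so mappings count, so deleted temp files and
# unlinked data files are ignored. Returns 0 if a stale library is mapped.
maps_has_stale_lib() {
    grep -Eq '\.so[.0-9]* \(deleted\)$' "$1" 2>/dev/null
}

# Walk every process and print the PIDs that are still running old library
# code; those services need a restart (or the host a reboot) before the
# upgrade is actually in effect. Reading other users' maps needs root.
stale_lib_procs() {
    for maps in /proc/[0-9]*/maps; do
        if maps_has_stale_lib "$maps"; then
            pid=${maps#/proc/}
            echo "${pid%/maps}"
        fi
    done
}

# Constructed sample of a maps file for a daemon that still holds the old
# libssl after the package was upgraded (addresses and inodes are made up).
SAMPLE_MAPS=$(mktemp)
cat >"$SAMPLE_MAPS" <<'EOF'
7f1a2c000000-7f1a2c1b5000 r-xp 00000000 fd:01 131340 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2c3c5000-7f1a2c3e8000 r-xp 00000000 fd:01 131341 /lib/x86_64-linux-gnu/libc-2.19.so
EOF

if maps_has_stale_lib "$SAMPLE_MAPS"; then
    echo "sample: stale library mapped, restart the service"
fi
kernel_reboot_pending && echo "kernel reboot pending" || echo "no reboot pending"
echo "live processes with stale libraries:"
stale_lib_procs
```

Run as root after an upgrade: an empty list from stale_lib_procs and no pending marker means the installed updates are actually in effect without a reboot.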
Re: [tor-relays] Linux kernel vulnerability
I don't know if it's possible to load a new kernel without rebooting... But I think people who don't want to reboot are afraid of a bad reboot, losing SSH or anything else... If the OS teams are updating a system for security, I prefer a bad reboot (backups are done before!) to a system with a lot of security holes, sick of botnets or sending spam every second, a Tor relay controlled by bad hands... :s

On other servers (debian/raspbian) I usually use "apticron", it sends daily mails to root or another ad...@domain.com, with a summary about updates available for the host.

> but I still need to manually reboot to apply kernel upgrades.

--
Petrusko
PubKey EBE23AE5 C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
Re: [tor-relays] CentOS 7 Packages
> I have one relay on CentOS 6 and one on CentOS 7. The one running CentOS 7 hasn't had the 0.2.8.8 update yet and so is still running 0.2.8.7. The one running CentOS 6 has had the latest update.

By "latest update" you mean 0.2.8.9? Where do you get your tor packages from? If you got tor v0.2.8.9 on CentOS 6 before 2016-10-22 20:50:29 (UTC) then your package source is not epel(-testing).

> Is there a problem with getting CentOS 7 packages out?
>
> How much of a problem is this? Both now and in the future?

It usually takes about a week to get a new release into the epel-testing repo and another 2 weeks for the epel (stable) repo. If you want to get the current latest tor release (0.2.8.9) now you can temporarily enable the epel-testing repo - if you don't want to enable it generally:

yum install --enablerepo=epel-testing tor

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-2f6f1435ed
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-f0f6483aa7