On 06.07.2010 22:28, Brian Moon wrote:
> Bleh, ok, looks like we installed the new sources but did not reboot
> into the new kernel. So, we are still on 2.6.18. Based on this post
> http://community.livejournal.com/openvz/31703.html we should probably
> go ahead and move to .32.

The optimal way forward is to install the system from scratch with the latest vendor kernel (to get a secure system before you actually turn on networking), then move to the 2.6.27 OpenVZ kernel which should be stable and reasonably secure. An alternative would be to pick a vendor kernel with OpenVZ patches. I think such kernels are distributed by OpenVZ.

Basically, if we assume the crashes are a security problem, an attacker might already have partial/full control over your production servers, and you should consider all passwords, user data and container contents to be compromised.

> Our dev server is on 2.6.27 for sure. Of course, it is a completely
> different workload and does not have these issues. That could mean
> something and it could not.

If the dev server runs reliably for you, it makes a lot of sense to clone its configuration for your production servers. If you're lucky, the production servers will suddenly be stable.

I strongly advise you to make sure you're running the latest available kernel for any given release. If you watch vendor security updates, and you notice they talk about a security bug, and the vendor release happened after the last OpenVZ update for your chosen kernel with the same version, please check that the OpenVZ kernel you're using is still maintained.

About 2.6.32: I don't know if picking that kernel version is a good idea. It is still marked as experimental.

Regards,
Carl-Daniel

--
http://www.hailfinger.org/
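
The situation described in this thread (a newer kernel installed, but the host never rebooted into it) can be checked mechanically. The script below is an added example, not part of the original e-mail; it assumes kernel images are named `/boot/vmlinuz-<release>` and that `sort -V` (GNU coreutils) is available, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): detect a kernel that was installed
# but never booted. Assumes images are named /boot/vmlinuz-<release>.

# Print the highest release among the arguments (GNU "sort -V" ordering,
# so 2.6.9 sorts below 2.6.18, unlike a plain lexical sort).
newest_kernel() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# kernel_status RUNNING [INSTALLED...]
# Prints "current" when nothing newer than RUNNING is installed,
# otherwise "reboot-needed <release>". RUNNING itself takes part in the
# comparison, so a host running something newer than /boot holds is "current".
kernel_status() {
    ks_running=$1
    ks_newest=$(newest_kernel "$@")
    if [ "$ks_running" = "$ks_newest" ]; then
        echo "current"
    else
        echo "reboot-needed $ks_newest"
    fi
}

# List installed releases found in a boot directory (default /boot).
installed_kernels() {
    for ik_f in "${1:-/boot}"/vmlinuz-*; do
        if [ -e "$ik_f" ]; then
            echo "${ik_f##*/vmlinuz-}"
        fi
    done
}

# Live check on this host; word splitting of the release list is intended.
# shellcheck disable=SC2046
kernel_status "$(uname -r)" $(installed_kernels)
```

This only compares what is booted with what is on disk; whether the installed release is itself still maintained has to be checked against the vendor and OpenVZ announcements.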
