
Re: [Xen-users] Yum repo for XCP (ex: XCP acpi shutdown)

Citrix provides updates for XenServer, but not for XCP.

But in any case, exposing the management interface to an unprotected network is a bad idea. If you have no managed interface available from the internet, you have very few components vulnerable to remote attack: kernel, openvswitch... that's all.

The idea behind XCP is a well-protected internal network with the management interface, unencrypted storage traffic, migration traffic, XCP's own synchronization traffic, and a separate (by VLAN or by different physical interface) network for clients with internet access.

On 26.10.2011 09:33, Grant McWilliams wrote:
On Tue, Oct 25, 2011 at 7:45 AM, George Shuklin <george.shuklin@xxxxxxxxx> wrote:
NEVER upgrade XCP by CentOS packages.

You will break it beyond repair. The reason is simple: XCP is shipped with patched packages, and replacing them with non-patched ones will cause grave damage. And worst of all, the damage is not instant - you will continue to operate, but find 'something went wrong' later.

The most important is the lvm2 package, which is patched to allow shared storage usage (--master option). The default LVM2 will trash metadata on an LVM SR (LVM and LVMoISCSI SM) at some point.

Another (I'm not sure) is the udev package, and maybe a few more.

Why aren't those packages masked in the repo configs like the kernel is?

Having a server OS with no upgrade path is a very bad idea. Zero day exploit? How about zero month or zero year exploit? I'd like to hope that this gets changed at some point.

Grant McWilliams

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
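
An added example, not part of the original thread and not XCP's own tooling: a Python check for the masking asked about above, assuming it would be done with yum's `exclude=` option in the `.repo` files. The sample repo file, its mirror URL and the function name `unmasked_packages` are constructed for illustration.

```python
import configparser
import fnmatch

# Packages the thread names as patched in XCP (udev was mentioned with uncertainty).
PROTECTED = ["lvm2", "udev"]

# Constructed sample .repo content, not copied from a real XCP host.
SAMPLE_REPO = """\
[base]
name=CentOS-$releasever - Base
baseurl=http://mirror.example.invalid/centos/$releasever/os/$basearch/
enabled=1
exclude=kernel kernel-xen*

[updates]
name=CentOS-$releasever - Updates
baseurl=http://mirror.example.invalid/centos/$releasever/updates/$basearch/
enabled=1
exclude=kernel* lvm2* udev*

[extras]
name=CentOS-$releasever - Extras
enabled=0
"""


def unmasked_packages(repo_text, protected=PROTECTED):
    """Map each enabled repo to the protected packages it could still replace.

    Only per-repo exclude= lines are checked, and globs are matched against the
    bare package name; a global exclude in yum.conf [main] is out of scope here.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(repo_text)
    findings = {}
    for repo in cp.sections():
        # yum treats a repo as enabled unless enabled=0 is set explicitly.
        if cp.get(repo, "enabled", fallback="1").strip() == "0":
            continue
        # exclude= is a space-separated list (commas tolerated) of shell globs.
        patterns = cp.get(repo, "exclude", fallback="").replace(",", " ").split()
        exposed = [pkg for pkg in protected
                   if not any(fnmatch.fnmatch(pkg, pat) for pat in patterns)]
        if exposed:
            findings[repo] = exposed
    return findings


if __name__ == "__main__":
    for repo, pkgs in unmasked_packages(SAMPLE_REPO).items():
        print("%s: not masked: %s" % (repo, ", ".join(pkgs)))
```
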
