1 / 24

Update On Scientific Linux

Connie Sieh csieh@fnal.gov Pat Riehecky riehecky@fnal.gov. Update On Scientific Linux. Hepix Fall 2012 Oct 16, 2012. Scientific Linux. Presentation Overview The last six months What we are currently working on What we see in the future Topics for conversation.

tatiana-blackwell
Télécharger la présentation

Update On Scientific Linux

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Connie Sieh csieh@fnal.gov Pat Riehecky riehecky@fnal.gov Update OnScientific Linux Hepix Fall 2012 Oct 16, 2012

  2. Scientific Linux • Presentation Overview • The last six months • What we are currently working on • What we see in the future • Topics for conversation

  3. Scientific LinuxThe Past Six Months • The following statistics were gathered from ftp.scientificlinux.org log files • These numbers are a minimum. • We know that the real numbers are higher. • The values we have are based on yum downloads of security errata • We currently have 80 public mirrors. • These statistics do not represent any of the mirror sites.

  4. Scientific LinuxThe Past Seven Months

  5. Scientific LinuxThe Past Six Months • S.L. 6.3 released – Aug 2012 • For i386 and x86_64 • Programs changed since SL 6.2 • Openafs, yum-autoupdate • livecd-tools, liveusb-creator • Programs added with SL 6.3 • Repositories: rpmfusion

  6. Scientific LinuxThe Past Six Months • SL Live 6.3 released – Aug 2012 • Web site is at www.livecd.ethz.ch • For i386 and x86_64 • CD, DVD, mini-CD • Uses anaconda to install to a hard drive • Liveusb-creator makes it trivial to create a LiveUSB from the CD/DVD images. • LiveCD-tools makes it easier for people to create their own LiveCD

  7. Scientific LinuxThe Past Six Months • SL 4.9 • End of Life February 2012 • ftp.scientificlinux.org 4.x tree's are in the “obsolete” area as of April 2012 • There are known, un-patched security problems

  8. Scientific LinuxThe Past Six Months • Security updates continually released for all supported versions • Fastbugs updates consistently released weekly for latest versions of SL5 and SL6

  9. Scientific LinuxPresent Challenges • Errata dependencies aren't so simple • Upstream packaging inconsistencies • Xorg security update for SL6 • ABI changed, but the rpm didn't note this! • Out of date packages from previous point releases • libproxy-mozjs • requires firefox-3.6 from 6.2 or earlier • repoclosure found this for 6.3 • libvirt-qpid • requires qpid-0.12 from 6.2 or earlier • repoclosure found this for 6.3 • Complex inter-dependencies • virt-viewer requires qpid-xxx, which requires libvirt-yyy, which requires spice-zzz • repoclosure finds these and problems can be resolved before public release

  10. Scientific LinuxPresent Challenges • More complex problems exist • There is no way repoclosure can help with 'conflicts'. There isn't a predefined solution for most conflicts. • RPM 'provides' sometimes change in unexpected ways. Old packages then prevent the installation of new ones. You have qpid-0.12 and libvirt-qpid-0.2 but there is a new version of qpid with different provides. There is no new version of libvirt-qpid looking for the new provides. What is the right response? Don't patch? Remove libvirt-qpid? qpid-0.12 qpid-0.14 libvirt-qpid-0.2

  11. Scientific LinuxPresent Challenges Surprise for 6.1 and 6.2 But not required for 6.0

  12. Scientific LinuxPresent Challenges • OpenAFS and SL6.3 • There is an issue with the AFS cache • Read/Write may fail, hang, or be very slow. • If your cache is on EXT4 and was in use on a previous kernel (before 2.6.32-279.el6) and your system is 32-bit. If you update to a kernel >= 2.6.32-279.el6 you may be affected.

  13. Scientific LinuxPresent Challenges • OpenAFS and SL6.3 • On SL6 OpenAFS is implemented with a kmod • The goal was to avoid rebuilding OpenAFS with each new kernel (see SL5) • Signatures are generated from the kernel functions to help identify when they have changed • Not so helpful when the internal logic changes but the function call/return values didn't

  14. Scientific LinuxPresent Challenges • OpenAFS and SL6.3 • Current theories • With 6.3, upstream has switched the inodes to 64bit for all arches, rather than just x86_64 • The OpenAFS cache seems to be caching by inode, not filename • This means searches never return a valid inode on the filesystem because the 32bit value is not a 64bit value • Rebuilding the OpenAFS cache in /var/cache/afs always fixes this

  15. Scientific LinuxFuture • OpenAFS and SL6.3 • Current plans: • The SL OpenAFS packager (Stephan Wiesand) is at the European AFS and Kerberos Conference. • One proposal is a more restrictive use of kmods • Having them require >= a specified kernel version might help.

  16. Scientific LinuxWhat we see in the future • SL updateinfo.xml is in ALPHA right now • This provides metadata for yum-plugin-security • Provides for easy CVE search • Provides a description of the update, typically with reasons for applying the update • Allows filtering based on severity • It is currently in 6rolling • Currently only security errata • See example on next slide • Roll out plan still a ways off, testing is not completed

  17. Scientific LinuxWhat we see in the future ]# yum info-sec ============================================== Security ERRATA Important: openjpeg on SL6.x i386/x86_64 ============================================== Update ID : SLSA-2012:1283-01 Release : Scientific Linux Type : security Status : final Issued : 2012-09-17 Bugs : 842918 - openjpeg: heap-based buffer overflow CVEs : CVE-2012-3535 Description : OpenJPEG is an open source library for reading and writing image : files in JPEG 2000 format. It was found that OpenJPEG failed to : sanity-check an image header field before using it. A remote attacker : could provide a specially-crafted image file that could cause an : application linked against OpenJPEG to crash or, possibly, execute : arbitrary code. (CVE-2012-3535). All running applications : using OpenJPEG must be restarted for the update to take effect. Severity : important

  18. Scientific LinuxWhat we see in the future • Continue to have security updates for all releases of SL 5 and 6. • Continue to have fastbug updates for only the latest releases of SL 5 and 6. • Note TUV extension of Lifetime from 7 to 10 years • Scientific Linux plans to follow this too

  19. Scientific LinuxWhat we see in the future • Red Hat Developer Toolset • Newer compilers • Can be installed in parallel with existing compilers • Power users can have the latest gcc/g++ if they want to use it • Existing compilers will function as normal • Invoked via 'scl' (software collections) • Alpha planned for the future. • Watch scientific-linux-devel

  20. Scientific LinuxDiscussion topics • RHEL 5.9 is in Private Beta (Sept 21, 2012) • Should we treat it more like SL6? • Don't automatically integrate fastbugs or security errata into the main tree • Packages would be available as always, but in the security/fastbugs repo where they belong • Original reasoning no longer applies, anaconda can do this for us now.

  21. Scientific LinuxDiscussion topics • SL 5.9 and 6.4 • Should the default repos point to 5x and 6x instead of the point releases? • Pros: • You are much less likely to experience errata install problems. • Cons: • If you expect to remain at a point release you must do something extra.

  22. Scientific LinuxDiscussion topics • SL 7? • Coming perhaps in 2013? • Default to 7x rather than 7.0, 7.1, et al. ? • Point releases? • Yes contains lots of long term maintenance concerns, and possible errata issues • No is different than we've done things before • Discuss on scientific-linux-devel • And not right now so I can have a record of ideas and Connie can see them.

  23. Scientific LinuxDiscussion / Questions • Discussion • Other Questions?

  24. Scientific LinuxReferences • http://www.scientificlinux.org/ • http://www.scientificlinux.org/download/mirrors • http://www.livecd.ethz.ch/ • https://www.redhat.com/licenses/ • https://www.redhat.com/licenses/rhel_us_appendix1.pdf • https://access.redhat.com/knowledge/docs/en-US/ Red_Hat_Developer_Toolset/1/pdf/User_Guide/ Red_Hat_Developer_Toolset-1-User_Guide-en-US.pdf

More Related