you can disable it by adding "pti=off" to grub config..Dear @fabian , what do you think about degradate of performance with new patch? It is critical for db like postgresql... I think we need an choise for enable it.
not many details are known yet. we will provide patched kernels for 4.4 and 5.1 as soon as final patches are available. 3.4 is EOL, there haven't been any updates for quite a while, and there won't be any updates now either.
Well, Debian supports wheezy till May 2018. Ubuntu 12.04 is till April 2017 though. Its a little irrelevant in this topic check https://forum.proxmox.com/threads/understanding-proxmox-3-4-eol-and-4-0.25079 for more detailed info and https://forum.proxmox.com/threads/proxmox-ve-3-4-support-lifecycle.26205/ and https://forum.proxmox.com/threads/proxmox-ve-support-lifecycle.35755/#post-177492
If updates from 3 to 4 and 4 to 5 where flawless i wouldn't keep one cluster still in PVE 3.
PVE 4 is ending soon also...
I dont expect that we will get kernel patch for PVE 3.
Well, would ask to reconsider as RedHat provides updates and OpenVZ is certainly spinning their update-machine, it would be a nice move to repackage this kernel for 3.4 ad those still in need.
well, at least they seem to work on patching https://virtuozzo.com/virtuozzo-addresses-intel-bug-questions/OpenVZ needed a special kernel. So it is not sure it will get patches for this flaw. It is a bit like Xen, where no patches are yet available.
kvm and lxc are maintained inside the standard Linux kernel, so will benefit from vanilla kernel patches.
If I am not wrong, PVE 3.4 is based on the ovz rhel kernel so, when ovz team releases the patched kernel, would be nice and a responsible from the Proxmox team to help us to keep our 3.4 installations secure, even if it is EOL.OpenVZ needed a special kernel. So it is not sure it will get patches for this flaw. It is a bit like Xen, where no patches are yet available.
kvm and lxc are maintained inside the standard Linux kernel, so will benefit from vanilla kernel patches.
dpkg -i pve-kernel-2.6.32-49-pve_2.6.32-188_amd64.deb
I have compiled a kernel for Proxmox 3.x myself as I still have many OpenVZ nodes running.
The kernel has been tested and so far works fine for me.
You can download it at: https://git.vnetso.com/henryspanka/pve-kernel-2.6.32/tags/v2.6.32-49-pve_2.6.32-188
Feel free to check the source code and compile yourself if you don't trust me
Install with and then reboot:
Code:dpkg -i pve-kernel-2.6.32-49-pve_2.6.32-188_amd64.deb
Yes correct, however in a hosting environment (VMs, Webspace, etc.) you can not control what applications users run on their servers and they can exploit this to read memory from other virtual machines or the host.Must a attacker not first have access to your network and has special rights ? Until what level do a firewall protect against Meltdown and Spectre ? What about Snort IDS , OSSEC systems ? Just some thoughts.
Meltdown indeed only has an impact on containers and not Virtual Machines. However with Spectre it's possible to read host memory from within a VM (Type 2) so full virtualisation is not a full workaround and only mitigates the Meltdown bug.Its seems that the problem has impact on containers, not directly full virtualization machines Read this: Source: https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/
many hosting or cloud providers do not have an abstraction layer for virtual memory. In such environments, which typically use containers, such as Docker or OpenVZ, the kernel is shared among all guests. Thus, the isolation between guests can simply be
circumvented with Meltdown, fully exposing the data of all other guests on the same host. For these providers,changing their infrastructure to full virtualization or us- ing software workarounds.
Yes correct, however in a hosting environment (VMs, Webspace, etc.) you can not control what applications users run on their servers and they can exploit this to read memory from other virtual machines or the host.
Yes i see your point here. Something to be aware of.
Meltdown indeed only has an impact on containers and not Virtual Machines. However with Spectre it's possible to read host memory from within a VM (Type 2) so full virtualisation is not a full workaround and only mitigates the Meltdown bug.
For more information for VMs see: https://www.qemu.org/2018/01/04/spectre/
Yes i did see the article:
Patching the host kernel is sufficient to block attacks from guests to the host. On the other hand, in order to protect the guest kernel from a malicious userspace, updates are also needed to the guest kernel and, depending on the processor architecture, to QEMU.
So some thoughts,
You could as a workaround, also update the guests kernel. Later the
host, as it needs a reboot. Just a temporary solution. And also move some containers into that KVM. So you have the host isolated from the treat. And of course always protect the host with a firewall. Just to have some things separated. Just like a submarine has chambers. So in case one get flooded. You can shutdown one unit.