Product update: Virtuozzo 7.0 Update 5 (7.0.5-593)

Issue date: 2017-08-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-066

1. Overview

The Update 5 for Virtuozzo 7.0 provides new features, security fixes as well as stability and usability bug fixes.

2. Security Fixes

  • [Moderate] A vulnerability was found in the signal handling in the Linux kernel. A local unprivileged user could cause a kernel crash (general protection fault) in the cleanup_timers() function by using the rt_tgsigqueueinfo() system call with a specially crafted set of arguments. (PSBM-67221)

  • [Moderate] A privileged user inside a container could cause a kernel crash by triggering a GPF in rt6_device_match by executing specially crafted code. (PSBM-66197)

  • [Moderate] If the sctp module was loaded on the host, a privileged user inside a container could cause a kernel crash by triggering a NULL pointer dererefence in the sctp_endpoint_destroy() function with a specially crafted sequence of system calls. (PSBM-65826)

  • [Moderate] A privileged user inside a container could cause a kernel crash by triggering a BUG_ON in the unregister_netdevice_many() function with a specially crafted sequence of system calls. (PSBM-65345)

  • [Moderate] A vulnerability was found in the implementation of setsockopt() operations in the Linux kernel. A privileged user inside a container could cause a DoS attack on the host (kernel deadlock in ip_ra_control() function) using a specially crafted sequence of system calls. (PSBM-64752)

  • [Moderate] If the sctp module was loaded on the host, a privileged user inside a container could make sctp listen on a socket in an inappropriate state, causing a kernel crash (use-after-free in sctp_wait_for_sndbuf()). (PSBM-64050)

  • [Moderate] A privileged user inside a container could cause a kernel crash by triggering a GPF in irq_bypass_unregister_consumer by executing specially crafted code. (PSBM-58996)

3. New Features

  • Online migration of containers with NFS shares inside. Containers with NFS client inside can be migrated if they do not use remote file locking and over-mounted NFS file systems. Note that the migration of local file locks is supported only for the NFS version 3 since it has native support of such locks.

  • Docker Swarm support in containers. Virtuozzo supports running Docker in swarm mode inside containers. Swarm mode is enabled by either creating a swarm or joining an existing swarm.

  • Reboot notifications after automatic guest tools update in Windows guests. Windows virtual machines need to be restarted to complete the update of guest tools. On every such update, administrators inside these VMs receive a reboot notification upon login or immediately if they are logged in.

  • Improved CPU topology configuration for Virtuozzo VMs. Now you can specify both the number of CPU sockets and CPU cores per socket.

  • Up to 50% faster Virtuozzo installation.

  • Ability to set I/O limits for backup and migration operations. Backup and migration of containers and virtual machines can generate a high I/O load on the server, thus reducing the performance of other virtual environments or the server itself. You can avoid such situations by setting I/O limits for these operations.

  • Support for online compacting of virtual machines on Virtuozzo Storage in replication mode (by means of the FALLOC_FL_PUNCH_HOLE flag).

  • Improved container behavior in case of underlying storage (filesystem) errors. Now containers can be forcibly stopped if a filesystem error occurs. This feature can be enabled by setting ‘ON_VE_FSERROR’ to ‘stop’ in ‘/etc/vz/vz.conf’.

  • Improved performance for NFS version 3 servers running on Virtuozzo 7 hosts.

  • Support for the ‘ipt_owner’ module in containers.

  • Alerts in Virtuozzo Storage GUI. It is now possible to get useful notifications about potential issues and misconfigurations (license alerts, cluster nodes alerts, network alerts, and cluster services health). The system monitors cluster configuration, health of cluster services, network links, and disk health. Critical Alerts are exported via SNMP.

  • Audit of actions in Virtuozzo Storage GUI. It is now possible to get a log of all user actions in GUI: (configure, change, create).

  • Virtuozzo Storage S3 geo-replication (beta). Virtuozzo Storage can now store and keep up-to-date replicas of data in multiple geographically distributed datacenters with S3 clusters based on Virtuozzo Storage. Geo-replication works in the Active-Active mode. NOTE: S3 geo-replication requires either HTTP-only setup (evaluation) or HTTPS on both datacenters with real certificates obtained from well-known certificate authorities. Setups with self-signed certificates will require manual configuration.

  • Virtuozzo Storage monitoring via SNMP and integration with ZABBIX. It is now possible to get monitoring counters (space, health, license, IOPS, throughput, disk load, etc.) via SNMP version 2. Management node HA, if enabled, makes this feature highly available as well.

  • Role-based user model in Virtuozzo Storage. Security and control is improved with role-based user access, increasing flexibility without risking cluster security.

  • LDAP and Active Directory support in Virtuozzo Storage. Admins and users can now authenticate in storage clusters using their LDAP/AD credentials.

  • Erasure coding mode 1+2 in Virtuozzo Storage. This new encoding mode is meant for small clusters that have insufficient nodes for other erasure coding modes but will grow in the future. As redundancy type cannot be changed once chosen (from replication to erasure coding or vice versa), this mode allows one to choose erasure coding even if their cluster is smaller than recommended. Once the cluster grows, more beneficial redundancy modes can be chosen.

  • Renewal of Acronis Backup Gateway certificates in Virtuozzo Storage. It is now possible to renew expired backup certificates via GUI.

  • SSL on GUI by default for new Virtuozzo Storage installations.

  • Other improvements in Virtuozzo Storage. Better stability, object storage scalability, security, processing of batch operations (assign/release) for disks.

4. Bug Fixes

  • Container could become unresponsive for minutes at a time if kmem usage was close to container’s limit. (PSBM-68644)

  • Container restore could fail due to CRIU segmentation fault. (PSBM-68062)

  • Container with named in chroot could not be suspended. (PSBM-67723)

  • The prlctl set command did not allow setting shortened IPv6 addresses. (PSBM-67559)

  • VMs could crash during QEMU live update. (PSBM-67322)

  • Creating VLAN interface from installer could produce a non-functional VLAN adapter. (PSBM-67278)

  • VLAN-related options were moved from VLAN ifcfg to ifcfg-br during installation, resulting in broken network. (PSBM-67183)

  • Docker Swarm running in a container could potentially lead to node crash. (PSBM-67086)

  • QCOW2 images leaked space on hosts over Virtuozzo Storage. (PSBM-66545)

  • TCP window scaling was not working in Virtuozzo 7 containers, reducing the maximum network speed. (PSBM-66468)

  • Container .ve.xml not regenerated during migration from Virtuozzo 6 to 7 prevented shaman from relocating such containers correctly in case of node failure. (PSBM-66074)

  • Unsuitable nodes could be chosen for VE relocation during failover. (PSBM-64920)

  • Virtuozzo 7 host could crash due to TCache-related issues. (PSBM-64727)

  • Anaconda installer mistakenly created software RAID from Virtuozzo Storage chunk server drives. (PSBM-61126)

  • The parameter net.ipv4.ip_nonlocal_bind was not available in Virtuozzo 7 containers. (PSBM-60975)

  • Other fixes. (PSBM-68767, PSBM-68756, PSBM-68242, PSBM-68052, PSBM-68015, PSBM-67942, PSBM-67869, PSBM-67377, PSBM-67300, PSBM-67076, PSBM-66545, PSBM-66537, PSBM-65565, PSBM-65225, PSBM-64984, PSBM-63214, PSBM-62635, PSBM-62459, PSBM-62212, PSBM-61558, PSBM-60148, PSBM-58574)

5. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-066.json.