Product update: Virtuozzo 7.0 Update 9 (7.0.9-534)

Issue date: 2019-03-05

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-013

1. Overview

Update 9 for Virtuozzo 7.0 provides new features as well as security, stability, and usability bug fixes.

2. Security Fixes

  • [Important] An integer overflow flaw was found in create_elf_tables(). An unprivileged local user with access to a SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. (CVE-2018-14634, PSBM-88914)

  • [Important] It was discovered that a race condition between packet_do_bind() and packet_notifier() in the implementation of AF_PACKET could lead to use-after-free. An unprivileged user on the host or in a container could exploit this to crash the kernel or, potentially, to escalate their privileges in the system. (CVE-2018-18559, PSBM-89677)

  • [Moderate] The Linux kernel was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service. (CVE-2018-14646, PSBM-90076)

3. New Features

  • SR-IOV and PCI Passthrough support. Starting from this update, you can assign a host device to a virtual machine so that the device is automatically connected to the VM when you connect the device to the hardware node or start the VM. This method, also known as passthrough, allows host devices to appear and behave as if they were physically attached to the guest operating system. Virtuozzo supports assigning PCI devices (physical NICs) and SR-IOV devices (virtual NICs). (PSBM-61363)

  • Optimized container migration between Virtuozzo 7 hosts. (PSBM-46704, PSBM-66535)

  • Support for hot plugging of VM network interfaces. Network interfaces can now be added to both running and stopped VMs. (PSBM-51854)

  • Ability to configure QCOW2 cache size via libvirt. (PSBM-67894)

  • Support for SUSE Linux Enterprise Server 15 (x64) in containers. (PSBM-87229)

  • Support for Microsoft Windows Server 2019 guest OS in virtual machines. (PSBM-89362)

4. Bug Fixes

  • Containers with an NFS client inside could fail to migrate due to a CRIU issue. (PSBM-68738)

  • A container with an NFS server inside could fail to start due to ploop lockup. (PSBM-80869)

  • CPU limits could be reset by ‘systemctl daemon-reload’. (PSBM-80961)

  • Non-existent Virtuozzo Storage disks could remain in VM config after migration and prevent creating backups of said VM. (PSBM-81638)

  • After updating to Virtuozzo 7.0.7, a VM could fail to start with an error about incompatible CPU features. (PSBM-85513)

  • In rare cases, two virtual machines could get the same MAC addresses. (PSBM-86986)

  • A container could fail to start with the error “order:7 allocation failure in ip_set_net_init()”. (PSBM-87338)

  • journald would crash on start after updating to Virtuozzo 7.0.8. (PSBM-88489)

  • Migration of a container running SLES could fail and hang due to a CRIU issue. (PSBM-88499)

  • Container restore operations could take a very long time due to an nbd client issue. (PSBM-89191)

  • Unable to migrate Windows 2008 VMs with EFI to a Virtuozzo 7 host. (PSBM-89267)

  • After migrating to Virtuozzo 7, nodes could use up swap entirely due to huge usage of tcache which should have been shrunk instead. (PSBM-89403)

  • The default action triggered by stopping of vz.service (e.g., node reboot) was to suspend VEs, which could take a very long time and thus cause problems on nodes with lots of containers. The default action has been changed to stop VEs. (PSBM-89623)

  • Processes in a VM could fail to access a disk on Virtuozzo Storage due to stuck fast path requests. (PSBM-90163)

  • Other fixes. (PSBM-65642, PSBM-73001, PSBM-76790, PSBM-78956, PSBM-80024, PSBM-82512, PSBM-85318, PSBM-85381, PSBM-86637, PSBM-86655, PSBM-87062, PSBM-87099, PSBM-87281, PSBM-87357, PSBM-87360, PSBM-87536, PSBM-87556, PSBM-87593, PSBM-87642, PSBM-87670, PSBM-88142, PSBM-88176, PSBM-88417, PSBM-88558, PSBM-88577, PSBM-88578, PSBM-88724, PSBM-88809, PSBM-88818, PSBM-89055, PSBM-89136, PSBM-89210, PSBM-89215, PSBM-89221, PSBM-89265, PSBM-89290, PSBM-89342, PSBM-89609, PSBM-89651, PSBM-89714, PSBM-89839, PSBM-89866, PSBM-89882, PSBM-89891, PSBM-89931, PSBM-89938, PSBM-89961, PSBM-90055, PSBM-90099, PSBM-90148, PSBM-90150, PSBM-90174, PSBM-90270, PSBM-90317, PSBM-90360, PSBM-90430, PSBM-90471, PSBM-91340)

5. Installing the Update

Install the update by running ‘yum update’. Starting with this update, the fast path feature is enabled by default. If you want to enable fast path, reboot the node to the new kernel delivered in this update. If you want to keep fast path disabled, set ‘kdirect.enable=0’ in ‘/etc/vstorage/vstorage-mount.conf’ and reboot the node to the desired kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-013.json.