Question
Is kernel update enough to mitigate security vulnerabilities in OnApp?
Environment
CloudBoot compute resources
Answer
No, a kernel update alone is not enough. Because of the growing number of speculative-execution attacks against Intel processors, we strongly recommend running a CPU microcode update from the Control Panel on every CloudBoot compute resource.
To have the microcode loaded on every boot, perform the following steps on the Control Panel:
1. Install the iucode_tool utility (from the EPEL repository):
# yum install iucode-tool
2. Get the latest microcode:
# git clone https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
3. Prepare the early initrd image (iucode_tool selects the microcode matching the Control Panel's own CPU signature; sample output shown):
# iucode_tool -S --write-earlyfw=/boot/intel-ucode.img ./Intel-Linux-Processor-Microcode-Data-Files/intel-ucode/
iucode_tool: system has processor(s) with signature 0x000106a5
iucode_tool: Writing selected microcodes to: /boot/intel-ucode.img
4. Copy the image into the tftp-boot directory on the Control Panel:
# cp /boot/intel-ucode.img /tftpboot/
5. Edit the pxelinux configuration used to boot the particular host (for example, /tftpboot/pxelinux.cfg/01-00-50-56-9f-0e-3a) so that intel-ucode.img is listed first in initrd= and is therefore loaded ahead of the regular CloudBoot initrd:
default centos6-ramdisk-kvm
label centos6-ramdisk-kvm
kernel images/centos6/ramdisk-kvm/vmlinuz
append initrd=intel-ucode.img,images/centos6/ramdisk-kvm/initrd.img NFSNODEID=00-50-56-9f-0e-3a NFSROOT=10.63.0.20:/tftpboot/export/centos6/kvm CFGROOT=10.63.0.20:/tftpboot/images/centos5/diskless/snapshot ADDTOBRIDGE=mgt pcie_aspm=off selinux=0 cgroup_disable=memory NTPSERVER=10.63.0.20
6. Reboot the CloudBoot compute resource host.
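As an added example that is not part of OnApp's documentation, the shell helpers below automate step 5 idempotently (so re-running them never adds intel-ucode.img twice) and check after step 6 that every core on the rebooted compute resource reports the same microcode revision. The function names and the sample revision 0x1d are assumptions; the file layout is the one from the steps above.

```shell
#!/bin/sh
# Added example, not OnApp's code. Hypothetical helpers for step 5 and for
# checking the result after step 6. Assumes the /tftpboot layout shown above.

# add_early_ucode CFG [IMG]: put IMG first in the "initrd=" list of CFG's
# append line (pxelinux accepts a comma-separated list). Idempotent: a file
# that already loads IMG is left untouched. Returns 1 if CFG has no initrd=.
add_early_ucode() {
    cfg=$1
    img=${2:-intel-ucode.img}
    grep -qF "initrd=$img," "$cfg" && return 0
    grep -q 'initrd=' "$cfg" || return 1
    sed "s#initrd=#initrd=$img,#" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# microcode_revisions [CPUINFO]: distinct "microcode" revisions reported by the
# kernel, one per line. Reads /proc/cpuinfo unless a file is given.
microcode_revisions() {
    awk -F': *' '/^microcode/ { print $2 }' "${1:-/proc/cpuinfo}" | sort -u
}

# check_microcode EXPECTED [CPUINFO]: succeed only when every core reports
# EXPECTED, i.e. the early-load image was applied to all of them at boot.
# EXPECTED is the revision the kernel logs at boot (dmesg | grep microcode).
check_microcode() {
    [ "$(microcode_revisions "${2:-/proc/cpuinfo}")" = "$1" ]
}

# Example use on the Control Panel, after copying intel-ucode.img to /tftpboot:
#   add_early_ucode /tftpboot/pxelinux.cfg/01-00-50-56-9f-0e-3a
# and on the rebooted compute resource (0x1d is a made-up sample revision):
#   check_microcode 0x1d && echo "microcode 0x1d active on all cores"
```

A mismatch between cores after reboot usually means the image was not the first initrd entry, or was built for a CPU signature other than the compute resource's.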