Upgrade to 4.14 Kernel, Meltdown, and Spectre
[Last edited: 28 March 2018, 15:30 CEST]
In response to the Meltdown and Spectre security issues, we decided to bring forward the update of the CernVM Linux kernel, which was originally planned for later this year. We observed that the 4.1 kernel we currently use, although still in maintenance, no longer receives the necessary level of attention. The 4.14 kernel contains all the latest patches and is planned to be supported for the next 5 years. As of CernVM kernel 4.14.18-9, patches against Meltdown and Spectre variant 2 (through "retpoline"), as well as an initial mitigation against Spectre variant 1 ("user pointer sanitization"), are available. The status reported by the running kernel can be checked in /sys/devices/system/cpu/vulnerabilities.
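One way to read that sysfs directory from a CernVM guest and fail when any of the three variants is left unmitigated, as an added example that is not part of this announcement or of CernVM's own tooling. The directory is a parameter so that a copy captured from a guest can be checked too; the default is the path named above.

```shell
#!/bin/sh
# Added example: summarise the kernel's own report on Meltdown and Spectre.
# Prints "<name>: <status>" for each of the three variants and returns 0 only
# if meltdown, spectre_v1 and spectre_v2 all report "Not affected" or a
# "Mitigation: ..." line (e.g. PTI, retpoline, user pointer sanitization).
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            # Older kernels (such as the 4.1 series) do not expose these files
            # at all: absence means "no report", not "patched".
            echo "$name: not reported by this kernel"
            rc=1
            continue
        fi
        status=$(cat "$f")
        echo "$name: $status"
        case "$status" in
            "Not affected"|Mitigation:*) ;;   # kernel considers it handled
            *) rc=1 ;;                        # "Vulnerable" or anything unknown
        esac
    done
    return $rc
}

# Run against the live system when invoked as: ./cpu_vulns.sh --live
if [ "${1:-}" = "--live" ]; then
    check_cpu_vulns
fi
```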
Implications of the 4.14 Kernel
- At this point, the CernVM 4.14 kernel comes without the AFS kernel modules. Given the general fade-out of AFS, we didn't give priority to getting them in. Unless there is a critical case where AFS is needed in CernVM, we plan to remove AFS support from CernVM alongside the kernel upgrade.
- The VMware guest additions in CernVM 3 need to be updated. That requires a lockstep update of the kernel and the user-land (detailed instructions will follow).
- The VirtualBox guest additions in CernVM 3 and in CernVM 4 need to be updated. That requires a lockstep update of the kernel and the user-land (detailed instructions will follow). For CernVM 3, the new VirtualBox guest additions require an update of the X11 server, too. Therefore, for CernVM 3 the update will be a feature update from version 3.6 to version 3.7.
New images are available in CERN OpenStack as of 12 February 2018. Cloud and batch images are available as of 13 February 2018.
Updates for interactive CernVM 4 are available as of 20 February 2018. CernVM 3.7 is available as of 28 March 2018, completing the kernel upgrade campaign for interactive CernVM 3 VMs. Please update in lockstep:
cernvm-update -a
cernvm-update -k
reboot