[Triumf-linux-managers] Re: nfs problem in SL5 latest kernels

Kelvin Raywood kray at triumf.ca
Thu Mar 6 17:34:24 PST 2008


For those running SL-5.

RedHat, and hence SL, have released a security update to the kernel for 
RHEL-5 (SL-5).

https://rhn.redhat.com/errata/RHSA-2008-0154.html

This kernel still has the nfs problem described below and the problems 
it fixes are irrelevant to most TRIUMF users.  To be certain, you should 
check the link yourself.  At this stage I request that SL-5 users do not 
boot with this kernel but stick with one of the kernels that does not 
have the nfs client problem (see below).

The CentOS developers have indicated that they will be releasing a 
special patched version of the latest kernel so when it's available I'll 
put it in the TRIUMF rpm repository.

The nfs problem has generated quite a few comments on the RedHat 
bug-tracking site. See

https://bugzilla.redhat.com/show_bug.cgi?id=321111

Note that security problems in the kernel are almost never remotely 
exploitable but are confined to privilege escalation or denial of service.

Kel Raywood
TRIUMF Network and Computing Services

On Feb 22, 2008 I wrote:
> This post refers to SL-5 installations only.  If you are running SL-4 or 
> some other Linux distribution, then you will not have the issue 
> described here.
> 
> RedHat recently introduced some changes into the kernel that 
> seriously degrade the performance of nfs v3 clients and cause them to 
> really hammer an nfs server.
> 
> ScientificLinux and CentOS rebuild the RedHat kernels, so this problem 
> is also present in the latest kernels of those distros; kernels 
> 2.6.18-53.1.6 and 2.6.18-53.1.13.
> 
> See
> http://listserv.fnal.gov/scripts/wa.exe?A2=ind0801&L=scientific-linux-devel&T=0&P=5427 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=431092
> http://lists.centos.org/pipermail/centos/2008-January/093336.html
> 
> Kernel packages based on 2.6.18-53.1.13 but with a patch to fix the nfs 
> problem were built by one of the main CentOS developers.  The patch came 
> from a RH engineer who backported it from their RHEL-5.2 test kernel. 
> These kernels are compatible with SL.
> 
> We normally encourage people to stick with the standard kernels but this 
> case warrants a departure from that position. The standard TRIUMF 
> kickstart-install sets up several nfs mounts including /triumfcs/linux, 
> /triumfcs/mirror and /triumfcs/trshare.  Thus, SL-5 workstations running 
> one of the problem kernels can inadvertently seriously impact the 
> performance of the central servers.  Also, many TRIUMF groups do nfs 
> mounting between their workstations; especially those that are part of 
> NIS clusters.
> 
> Therefore,  I have added the patched kernel packages to the TRIUMF rpm 
> repository so that people who have installed SL-5 from my kickstarts 
> will get them with their next "yum update".
> 
> So if you are running SL-5, please check your kernel version with
> "uname -r".
> 
> 2.6.18-53.1.4 or earlier: you do not have the nfs problem, but those 
> kernels do have the vmsplice privilege-escalation bug.
> 
> 2.6.18-53.1.6:  This kernel has the nfs and vmsplice bugs
> 
> 2.6.18-53.1.13: vmsplice-bug fixed but still has nfs problem.
> 
> 2.6.18-53.1.13.el5.bz321111:  This is that patched kernel that has both 
> problems fixed.
> 
> If you are running a kernel with the nfs problem then **please update 
> and reboot as soon as possible**.  If you are running a kernel with only 
> the vmsplice bug, then your decision to update and reboot should be 
> based upon the risk of one of your users escalating their privileges to 
> root.
> 
> Note also, in a standard SL installation, including those performed with 
> the TRIUMF kickstarts, the kernel is not upgraded by the automatic 
> nightly update procedure.  It requires you to manually run "yum update" 
> and then reboot.
> 
> -- 
> Kel Raywood
> TRIUMF Network & Computing Services
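
The kernel list in the Feb 22 post, as a check that can be run on each SL-5 host (an added example, not part of the original post). It assumes release strings of the form 2.6.18-<build>.el5 with an optional suffix; the status words are labels chosen for this sketch, and any kernel not in the post's list, including the RHSA-2008-0154 kernel whose version the post does not give, is reported as "unlisted".

```shell
#!/bin/sh
# Added example: classify a kernel release string against the list in the
# Feb 22, 2008 post. Status words printed are this sketch's own labels.

# ver_le A B: succeed if dotted numeric version A <= B, field by field.
ver_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0} y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 0
}

classify() {
    rel=$1
    case $rel in
        2.6.18-*bz321111*) echo "patched"; return 0 ;;
        2.6.18-*) ;;
        *) echo "unlisted"; return 0 ;;
    esac
    build=${rel#2.6.18-}     # e.g. 53.1.13.el5
    build=${build%%.el5*}    # e.g. 53.1.13 (drops .el5 and any flavour suffix)
    case $build in
        ''|*[!0-9.]*) echo "unlisted"; return 0 ;;
    esac
    if ver_le "$build" 53.1.4; then echo "vmsplice-bug"
    elif [ "$build" = 53.1.6 ]; then echo "nfs-bug vmsplice-bug"
    elif [ "$build" = 53.1.13 ]; then echo "nfs-bug"
    else echo "unlisted"   # not in the post's list; check the errata by hand
    fi
}

# Stand-alone use: classify the running kernel, or a release given as $1.
classify "${1:-$(uname -r)}"
```
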


