Applying an XSA, reboot of guests required?

Applying an XSA, reboot of guests required?

John Naggets
Hi,

I was wondering when a new XSA (such as the recent Xen Security
Advisory 267) and newer OS packages are available for Linux, what is
the process?

In my case I am using Debian 9, so is an apt-get update followed by an
apt-get upgrade enough or do I need to restart xen? and do I need to
restart my Xen guests (all Debian 9 PV guests)?

Regards,
John

_______________________________________________
Xen-users mailing list
[hidden email]
https://lists.xenproject.org/mailman/listinfo/xen-users

Re: Applying an XSA, reboot of guests required?

andy smith-10
Hello,

On Wed, Jun 20, 2018 at 09:57:07AM +0200, John Naggets wrote:
> In my case I am using Debian 9, so is an apt-get update followed by an
> apt-get upgrade enough or do I need to restart xen? and do I need to
> restart my Xen guests (all Debian 9 PV guests)?

Generally code in the hypervisor has changed so you need to reboot
into the new hypervisor. Unless you have used live patching.

Rebooting the hypervisor will obviously reboot dom0 and all other
domains, although you could suspend+restore them, or migrate them
away first.

If there are fixes in the guest kernels then those will come as
updated kernel packages and will obviously require a reboot of the
guest into the new kernel, unless they too have been live patched.

Note that a bunch of other XSAs come out of embargo on the 27th
June.

    https://xenbits.xen.org/xsa/

Cheers,
Andy
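
The reply above as a dom0 check, added here as an example and not part of the thread: it tests whether a hypervisor image was installed after the host last booted and, if so, prints a save/restore plan for the running guests. It assumes a Debian dom0 with the `xl` toolstack, the image at `/boot/xen-*.gz`, `xl save`/`xl restore` as the suspend+restore step, and a hypothetical `SAVE_DIR`.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run: prints a plan, changes nothing.
# Assumptions: Debian dom0 using the xl toolstack, hypervisor image installed as
# /boot/xen-*.gz, and SAVE_DIR as a hypothetical directory for checkpoint files.
SAVE_DIR=${SAVE_DIR:-/var/lib/xen/save}

# Host boot time in epoch seconds (btime line of /proc/stat).
boot_epoch() { awk '$1 == "btime" { print $2 }' /proc/stat; }

# Newest inode-change time (ctime) among installed hypervisor images. ctime is
# used because dpkg keeps the package's build-time mtime on unpacked files,
# while ctime moves when the file is actually installed.
newest_image_epoch() {
    newest=0
    for f in /boot/xen-*.gz; do
        [ -e "$f" ] || continue
        t=$(stat -c %Z "$f")
        if [ "$t" -gt "$newest" ]; then newest=$t; fi
    done
    echo "$newest"
}

# Succeeds when an image was installed after boot. $1 = boot, $2 = image epoch.
reboot_pending() { [ "$2" -gt "$1" ]; }

# Guest names from `xl list` output on stdin: skip the header row and dom0.
guest_names() { awk 'NR > 1 && $1 != "Domain-0" { print $1 }'; }

# Guest names on stdin -> save commands, then the matching restores.
save_plan() {
    names=$(cat)
    for n in $names; do echo "xl save $n $SAVE_DIR/$n.save"; done
    echo "# reboot the host into the new hypervisor, then:"
    for n in $names; do echo "xl restore $SAVE_DIR/$n.save"; done
}

# Runs only on a host that has xl; elsewhere the functions are just defined.
if command -v xl >/dev/null 2>&1; then
    if reboot_pending "$(boot_epoch)" "$(newest_image_epoch)"; then
        echo "Hypervisor image installed since boot: still running the old one."
        xl list | guest_names | save_plan
    else
        echo "No hypervisor image newer than the current boot."
    fi
fi
```

A host that was live patched is still flagged, since the check only compares install time with boot time.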


Re: Applying an XSA, reboot of guests required?

John Naggets
Thank you Andy for your answer, that makes sense. I will wait next week
for the three other XSAs and reboot then...

Regards,
J.

On Wed, Jun 20, 2018 at 10:45 PM, Andy Smith <[hidden email]> wrote:

> Hello,
>
> On Wed, Jun 20, 2018 at 09:57:07AM +0200, John Naggets wrote:
>> In my case I am using Debian 9, so is an apt-get update followed by an
>> apt-get upgrade enough or do I need to restart xen? and do I need to
>> restart my Xen guests (all Debian 9 PV guests)?
>
> Generally code in the hypervisor has changed so you need to reboot
> into the new hypervisor. Unless you have used live patching.
>
> Rebooting the hypervisor will obviously reboot dom0 and all other
> domains, although you could suspend+restore them, or migrate them
> away first.
>
> If there are fixes in the guest kernels then those will come as
> updated kernel packages and will obviously require a reboot of the
> guest into the new kernel, unless they too have been live patched.
>
> Note that a bunch of other XSAs come out of embargo on the 27th
> June.
>
>     https://xenbits.xen.org/xsa/
>
> Cheers,
> Andy
