Patching a Xen PV environment

Patching a Xen PV environment

Christopher Myers

Hi everyone,


Just to make sure, when installing OS patches on a PV Xen environment, do you basically patch the Dom0 first and then patch the DomU's?


I've googled this on and off occasionally, but all I can really find are threads related to patching the Xen software itself, not the proper way to install OS patches to the environment and guest VMs.


Just for giggles, last night I did an "apt-get upgrade" on a DomU before running it on the Dom0 (without actually installing the patches on the DomU) to compare the patch list before and after installing them on the Dom0. Before installing patches on the Dom0, there were a number of updates listed for the DomU, and after patching the Dom0, there weren't any. So my assumption is that in that particular case, patching the Dom0 pushed patches to the DomU as well.


I guess to that end -- are the only patches that would be needed on a DomU for software that's not installed on the Dom0? Or is there a line drawn in the sand somewhere that says "these patches will be pushed to the DomU's, but these won't?"


I'm perfectly capable of reading the proverbial manual too, if anyone can point me in the right direction on where to find it 😉


(If it makes any difference, my environment is Debian Stretch.)


Chris


_______________________________________________
Xen-users mailing list
[hidden email]
https://lists.xenproject.org/mailman/listinfo/xen-users

Re: Patching a Xen PV environment

Simon Hobson-3
Bear in mind that I'm only a user, I really don't follow all the deeply technical details. Stands ready to be corrected ...


Christopher Myers <[hidden email]> wrote:

> Just to make sure, when installing OS patches on a PV Xen environment, do you basically patch the Dom0 first and then patch the DomU's?

To a large extent, it doesn't matter. Dom0 and the DomUs are separate systems - and need to be patched separately. One thing you DO need to do is to make sure that each DomU boots from the correct images, more about this below ...

> Just for giggles, last night I did an "apt-get upgrade" on a DomU before running it on the Dom0 (without actually installing the patches on the DomU) to compare the patch list before and after installing them on the Dom0. Before installing patches on the Dom0, there were a number of updates listed for the DomU, and after patching the Dom0, there weren't any. So my assumption is that in that particular case, patching the Dom0 pushed patches to the DomU as well.

Ordinarily patching Dom0 should not have affected DomU. However there are ways of having stuff in Dom0 affect a DomU - for example, by sharing a kernel and initrd image in Dom0's /boot. Another would be if you had some sort of shared root filesystem - eg "/" on NFS ?

So I've always just treated Dom0 and each DomU as a separate system - updating them separately as downtime has permitted. With the proviso that for those DomUs where I could not get pygrub to work, I needed to copy any upgraded/updated kernel image and initrd to the Dom0 (and update the config accordingly if the names had changed, eg DomU kernel update.)


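An added example, not part of either post and not Xen project code: the reply above distinguishes guests that boot through pygrub from guests whose kernel and initrd are files held on Dom0, and this sketch reads each guest config to tell which case applies and whether the referenced files exist. The config contents, file names and kernel versions are constructed; `kernel`, `ramdisk` and `bootloader` are the xl.cfg keys it assumes, and it treats a `bootloader` line as deciding the case.

```python
import os
import re

# Simple xl.cfg string assignments, e.g.  kernel = "/boot/vmlinuz-guest"
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*["\']([^"\']*)["\']')

def parse_cfg(text):
    """Return the quoted string settings of an xl guest config as a dict."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def boot_source(settings, exists=os.path.exists):
    """Classify where the guest kernel is read from.

    guest-disk: a bootloader (pygrub) reads it from the guest's own disk,
                so a kernel update inside the DomU is picked up on reboot.
    dom0-files: kernel/ramdisk are files on Dom0, so a DomU kernel update
                must be copied to Dom0 and the config adjusted.
    Returns (source, list of referenced files missing on Dom0).
    """
    if settings.get("bootloader"):
        return ("guest-disk", [])
    files = [settings[k] for k in ("kernel", "ramdisk") if k in settings]
    if not files:
        return ("unknown", [])
    return ("dom0-files", [f for f in files if not exists(f)])

def audit(configs, exists=os.path.exists):
    """Map each config name to its boot_source() result."""
    return {n: boot_source(parse_cfg(t), exists) for n, t in configs.items()}

# Constructed sample configs (names, paths and versions are made up).
SAMPLE_CONFIGS = {
    "web1.cfg": 'name = "web1"\nbootloader = "pygrub"\nmemory = 1024\n',
    "db1.cfg": ('name = "db1"\n'
                'kernel = "/boot/vmlinuz-4.9.0-8-amd64"  # copied from DomU\n'
                'ramdisk = "/boot/initrd.img-4.9.0-8-amd64"\n'),
}

if __name__ == "__main__":
    for name, (source, missing) in audit(SAMPLE_CONFIGS).items():
        print(f"{name}: {source}, missing on Dom0: {missing or 'none'}")
```

A guest reported as `dom0-files` keeps booting the old kernel after an in-guest kernel update until the new image and initrd are copied to Dom0, which is the case where a security fix can appear installed but not be running.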