7022514: Security Vulnerability: “Meltdown” and “Spectre” – Hypervisor Information.

TID 7022512 for additional information on microcode update requirements.)

In addition to an updated kernel, KVM environments require updated QEMU and libvirt packages, which mitigate Spectre by passing the new branch-prediction-related CPU flags to virtual machines. libvirt-managed guests may receive these CPU features automatically (unless overridden by a custom CPU configuration), but they must be added manually on the command line when qemu is invoked directly. (For additional background, see QEMU 2.11.1 and making use of Spectre/Meltdown mitigation for KVM guests.)

Meltdown mitigation in Xen environments is available through updated Xen hypervisor packages, which restrict mappings of hypervisor memory to specific regions while 64-bit PV guests run. This approach (patching the hypervisor) mitigates Meltdown with no changes required within 64-bit PV guests. In-guest Meltdown mitigation for 32-bit PV guests does require an updated kernel within the guest.

Spectre v2 mitigation in Xen environments is available through updated Xen hypervisor packages which both utilize branch prediction control, and pass support for branch prediction control to guests (through CPU flags). Patching the hypervisor is sufficient to restrict guests from exploiting Spectre v2 to attack the host (and other guests). However, guests require an updated kernel to prevent the vulnerability within the virtual machine itself.
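The following shell script is an added example and is not part of the SUSE TID. It shows the two checks a guest administrator would run after applying the host and guest updates described in the KVM and Xen paragraphs above: whether the guest kernel sees the branch-prediction-control CPU flags (spec_ctrl, ibpb, ssbd) that an updated QEMU/libvirt passes through, and what the guest kernel itself reports under /sys/devices/system/cpu/vulnerabilities (this second check applies equally to Xen PV and HVM guests). File paths are parameters so the functions run here against constructed sample data; on a real guest pass /proc/cpuinfo and /sys/devices/system/cpu/vulnerabilities. The qemu_cpu_arg helper only assembles the -cpu string used when qemu is invoked directly with a named CPU model; the host still needs the microcode that provides those features.

```shell
#!/bin/sh
# Added example (not from the SUSE TID): post-patch checks for a KVM or Xen guest.
# Paths are parameters so the functions can run against constructed sample data;
# on a real guest use /proc/cpuinfo and /sys/devices/system/cpu/vulnerabilities.

# Report whether the guest kernel sees the branch-prediction-control CPU flags
# that QEMU >= 2.11.1 / libvirt pass through: spec_ctrl (IBRS/IBPB on Intel),
# ibpb (AMD) and ssbd. A missing flag means the guest kernel cannot use the
# hardware-assisted Spectre v2 mitigation even if the kernel is patched.
check_cpu_flags() {
    flags=$(grep '^flags' "$1" | head -n 1 | cut -d: -f2)
    for f in spec_ctrl ibpb ssbd; do
        case " $flags " in
            *" $f "*) echo "$f present" ;;
            *)        echo "$f missing" ;;
        esac
    done
}

# Print the guest kernel's own verdict for each variant and return 0 only when
# all three read "Mitigation: ..." or "Not affected".
guest_mitigated() {
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        status=$(cat "$1/$v" 2>/dev/null || echo "unknown (kernel without sysfs vulnerability reporting)")
        echo "$v: $status"
        case "$status" in
            "Mitigation:"*|"Not affected") ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Build the -cpu argument for a direct qemu invocation with a named CPU model.
# Example: qemu_cpu_arg Haswell spec-ctrl ssbd  ->  -cpu Haswell,+spec-ctrl,+ssbd
qemu_cpu_arg() {
    model="$1"; shift
    arg="-cpu $model"
    for feat in "$@"; do arg="$arg,+$feat"; done
    echo "$arg"
}

# Constructed sample (not captured from a real system): a guest whose kernel was
# updated but which was started without spec-ctrl on the qemu command line, so
# the kernel falls back to a retpoline it reports as insufficient.
make_sample_guest() {
    dir=$(mktemp -d)
    cat > "$dir/cpuinfo" <<'EOF'
processor       : 0
vendor_id       : GenuineIntel
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep pti ssbd
EOF
    mkdir -p "$dir/vulnerabilities"
    echo "Mitigation: PTI" > "$dir/vulnerabilities/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$dir/vulnerabilities/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$dir/vulnerabilities/spectre_v2"
    echo "$dir"
}

# Stand-alone run against the sample guest.
sample=$(make_sample_guest)
check_cpu_flags "$sample/cpuinfo"
guest_mitigated "$sample/vulnerabilities" || echo "guest is NOT fully mitigated"
echo "direct qemu invocation would need: $(qemu_cpu_arg Haswell spec-ctrl ssbd)"
```

On the sample data the script reports spec_ctrl and ibpb missing and spectre_v2 still vulnerable, which is exactly the state of a guest that received a patched kernel but not the new CPU flags; fixing the qemu command line (or letting libvirt pass the flags) and rebooting the guest changes the spectre_v2 line to a "Mitigation:" entry.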

Spectre v1 is currently a theoretical vulnerability under Xen.

Development efforts are ongoing, and patches will be released as the risks are identified and mitigated.

Additional Note:

SUSE advises upgrading all SLE-based virtual machines, including those deployed on virtualisation platforms other than the Xen/KVM ones detailed here.

Additional Information

Additional steps and reading

Another method of mitigating Meltdown is to convert existing 64-bit Xen PV guests to HVM guests. The steps required for this process are described in the SUSE Virtualization Best Practices Guide.


Windows guests:

Windows guests run in HVM mode and therefore cannot exploit the variant 3 (“Meltdown”) vulnerability to gain access to hypervisor address space. However, KVM hosts must be patched to prevent Windows guests from using variants 1 and 2 (“Spectre”) against the hypervisor.

Windows guests themselves should also be patched to prevent in-guest exploits using any of the possible variants. (Contact Microsoft to obtain patches specific to the version of Windows in use.) SUSE’s Virtual Machine Driver Pack (VMDP) paravirtual drivers do not play a role in either mitigating or contributing to these vulnerabilities.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


Import OS layer fails in App Layering, “Windows is hibernated, refused to mount.”

You get a “hibernated” failure trying to import a Gold VM in Unidesk 4. This likely applies only to Windows 10. Your error looks like this:

Failed to duplicate layer. Please ensure that you have sufficient space remaining in Unidesk local storage and retry this operation. Command = "/usr/sbin/ntfslabel /dev/nbd1279p1 UDiskP8B000CV0R1" StdOut="" StdErr="Windows is hibernated, refused to mount.
Failed to mount '/dev/nbd1279p1': Operation not permitted
The NTFS partition is hibernated. Please resume Windows and turned it
off properly, so mounting could be done safely." ExitCode = 1

Specifically, note that it says “hibernated” even though you shut the VM down properly. Windows 10’s Fast Startup (hybrid shutdown) writes the kernel session to the hibernation file on a normal shutdown, leaving the boot volume in a state that NTFS-3G refuses to mount.

In this case, power on the Gold image again and run the following command to turn off hibernation (Fast Startup depends on it, so this disables it as well):

powercfg -h off

With hibernation disabled, Windows has to shut down fully, which leaves the disk in a state we can import. Shut the Gold VM down and try the import again.


Despite challenges, mainframe use is still central to large enterprises


Mainframes are still vital to many larger businesses and a new report from Syncsort highlights some key trends including the mainframe’s role in strategic projects.

The results show the mainframe remains strategic to businesses, with 57 percent of respondents saying it will continue to be the main hub for business-critical applications this year. It will run revenue-generating services for 43 percent. Cost control is a priority, though: 51 percent say they plan to cut IT costs by optimizing mainframe resources.

Top challenges include reducing general processor CPU usage and related costs (70 percent), meeting security and compliance requirements (63 percent) and meeting SLAs (55 percent). To improve performance and save money, 56 percent of respondents are leveraging their investment in zIIP (IBM z Integrated Information Processor) engines while 44 percent are increasing their DB2 performance.

Integrating mainframe data with modern analytics tools is a top priority for 44 percent of respondents. 23 percent say they already use big data tools (like Splunk and Hadoop) to monitor mainframe and other enterprise data together in a single dashboard.

Security remains a major concern and 54 percent of respondents rank monitoring SMF (System Management Facilities) and log file data as most important for security on the mainframe, followed closely by having an audit trail of SMF data (53 percent) and regularly auditing and reviewing incident response (52 percent).

Mainframe organizations continue to find tracking their data a challenge with 53 percent saying they lack full visibility into their data movement, compared with 61 percent last year. While the downward trend is encouraging, this remains an area of risk that needs to be addressed to ensure security and compliance initiatives are met.

“It’s clear that traditional data environments, including mainframe and IBM i, remain central to large enterprises’ business,” says David Hodgson, chief product officer at Syncsort. “Our annual State of the Mainframe research confirms what we are seeing across our more than 7,000 customers worldwide: while many are turning to big data analytics platforms to meet compliance and security requirements, they continue to successfully use the mainframe and IBM i to run revenue-generating services, requiring them to optimize their data infrastructure to improve performance and control costs.”

It’s clear from the study that mainframe environments continue to get investment. In fact, 32 percent of respondents report increased spending for developing new mainframe applications compared with just 24 percent last year, and another 32 percent report increased investment in mainframe data analytics.

You can find out more in the full 2018 State of the Mainframe report on the Syncsort website.

Photo Credit:Timofeev Vladimir/Shutterstock


Restricted access of NetWorker 9.1 client to server attributes

The session below is run on the NetWorker server against the resource database of the client daemon (nsradmin -p nsrexec). It adds root on the client nwclient to the administrator attribute of the NSRLA resource and of the NSR system port ranges resource; until those entries exist, the client is refused access to the server's attributes. Note that update replaces the whole administrator list, so the existing entries are repeated together with the new ones.

root@nwserver # nsradmin -p nsrexec
NetWorker administration program.
Use the "help" command for help, "visual" for full-screen mode.
nsradmin> . NSRLA
Current query set
nsradmin> show administrator
nsradmin> update administrator: "administrator@nwserver", "root", "root@nwserver", "user=root,host=nwserver", "user=root,host=nwclient", "root@nwclient"
                administrator: administrator@nwserver,
                               root, root@nwserver,
                               "user=root,host=nwserver",
                               "user=root,host=nwclient",
                               root@nwclient;
Update? yes
updated resource id 3.0.33.222.0.0.0.0.92.184.125.90.10.255.83.229(11)
nsradmin> . NSR system port ranges
Current query set
nsradmin> print
                         type: NSR system port ranges;
                service ports: 7937-7938, 8201-8307;
             connection ports: 0-0;
                administrator: "isroot,host=localhost";
nsradmin> update administrator: "isroot,host=localhost", "user=root,host=nwclient", "root@nwclient"
                administrator: "isroot,host=localhost",
                               "user=root,host=nwclient",
                               root@nwclient;
Update? yes
updated resource id 8.0.33.222.0.0.0.0.92.184.125.90.10.255.83.229(6)
nsradmin> exit
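As an added example (not part of the original KB), the following POSIX shell script turns the interactive session above into something repeatable: it parses the administrator attribute out of nsradmin print output (respecting the quoting nsradmin uses for values that contain commas, such as "user=root,host=nwclient"), checks whether root on a given client is already listed, and emits the nsradmin input that adds only the missing entries while preserving the existing ones. That last point matters because update replaces the whole list; re-typing only the new names would silently drop the previous administrators. The sample resource text is constructed from the output shown on this page, the hostnames nwserver and nwclient are the ones used above, and the generated input is intended for nsradmin -p nsrexec -i <file>; nothing here contacts a real NetWorker server.

```shell
#!/bin/sh
# Added example, not from the original KB: drive the nsradmin change above from
# a script. The resource text below is constructed from the session on this
# page; nothing here talks to a real NetWorker server.

# Print the values of the "administrator" attribute from the "print" output of
# one resource, one per line. Values may span several lines and may be quoted
# because they contain commas, so the attribute is joined and split by hand.
admin_entries() {
    awk '
        /^[ \t]*administrator:/ { grab = 1 }
        grab {
            buf = buf " " $0
            if ($0 ~ /;[ \t]*$/) {
                sub(/^[ \t]*administrator:[ \t]*/, "", buf)
                sub(/;[ \t]*$/, "", buf)
                inq = 0; cur = ""
                for (i = 1; i <= length(buf); i++) {
                    c = substr(buf, i, 1)
                    if (c == "\"") { inq = !inq; continue }
                    if (c == "," && !inq) { emit(cur); cur = ""; continue }
                    cur = cur c
                }
                emit(cur)
                exit
            }
        }
        function emit(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); if (s != "") print s }
    ' "$1"
}

# Quote each entry and join with ", " as nsradmin expects on an update line.
quoted_list() {
    awk '{ printf "%s\"%s\"", (NR > 1 ? ", " : ""), $0 } END { print "" }'
}

# Emit nsradmin input that grants root on client $3 access to resource type $2,
# given a file holding that resource's current "print" output in $1. Existing
# administrators are kept; entries already present are not duplicated.
grant_client_root() {
    out="$1"; rtype="$2"; client="$3"
    {
        admin_entries "$out"
        for e in "user=root,host=$client" "root@$client"; do
            admin_entries "$out" | grep -qxF "$e" || echo "$e"
        done
    } | quoted_list | {
        read -r list
        printf '. type: %s\nupdate administrator: %s\n' "$rtype" "$list"
    }
}

# Constructed sample "print" output for the two resources touched on this page:
# the port-ranges resource before the change, and NSRLA after it.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/ports.txt" <<'EOF'
                        type: NSR system port ranges;
               service ports: 7937-7938, 8201-8307;
            connection ports: 0-0;
               administrator: "isroot,host=localhost";
EOF
    cat > "$dir/nsrla.txt" <<'EOF'
                        type: NSRLA;
               administrator: administrator@nwserver, root, root@nwserver,
                              "user=root,host=nwserver",
                              "user=root,host=nwclient",
                              root@nwclient;
EOF
    echo "$dir"
}

# Stand-alone run: the port-ranges resource gets both entries added; the NSRLA
# resource already lists them, so its update line repeats the current list.
samples=$(make_samples)
grant_client_root "$samples/ports.txt" "NSR system port ranges" nwclient
grant_client_root "$samples/nsrla.txt" NSRLA nwclient
```

In practice you would capture the current state with nsradmin -p nsrexec -i <file containing ". type: NSRLA" and "print"> on the server, feed that capture to grant_client_root, and pass the generated lines back to nsradmin -p nsrexec -i; keeping the capture gives you a record of who held administrator access before the change.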


Error: The Citrix Desktop Service was refused a connection to the delivery controller ” (IP Address ‘xxx.xxx.xxx.xxx’)

Try to determine which files are taking up space on the Identity disk.

To access the junction linked to the Identity Disk volume at C:\Program Files\Citrix\PvsVm\Service\PersistedData, you need to run a command prompt in the context of the Local System account via the PsExec tool.

The PsExec tool is available for download at this location

http://docs.microsoft.com/en-us/sysinternals/downloads/psexec

Follow these steps to access the Identity disk volume on the VDA:

1. Open an elevated command prompt <Run as administrator>

2. Start a command prompt under the context of the Local System account via PsExec:

PSEXEC -i -s cmd.exe

This gives access to the junction linked to the Identity Disk volume.

3. Navigate to the root of the junction “PersistedData”, and execute the following command (/O:S sorts each directory by size, /S recurses into subdirectories):

DIR /O:S /S > C:\{location}\Out.txt

4. Open Out.txt using Notepad or another text editor

5. Check which files are taking up the disk space.

6. Move the unwanted files to an alternate location or delete them

Note: You may see .gpf files, which should not be deleted. BrokerAgent.exe writes changed farm policies to %ProgramData%\Citrix\PvsAgent\LocallyPersistedData\BrokerAgentInfo\<GUID>.gpf and then triggers a policy evaluation via CitrixCseClient.dll.


Can’t import Gold VM into App Layering, it says “The virtual machine template cannot have any attached disks.”

When you’re creating a Connector for vSphere, XenServer and Nutanix AHV, there’s an optional field for VM Template. This is not for your gold. This is so we can create temporary machines in the future for layer editing; or create permanent machines if you want to publish an Image straight to the hypervisor. Basically, any time we want to make a machine for any purpose, we’ll clone that template. Because we’ll supply our own disks after the fact, that template needs to have no disks of its own.

It’s optional, but it’s worth doing for consistency’s sake, so you might in fact clone your Gold VM (if it’s configured in the same way you expect your end-user machines will be), delete the disks from the clone, and convert that to be a template for us. Or (in vSphere) you can ignore it for now, and some day in the future, give us a template to use by editing the Connector. If you don’t specify a template in vSphere, we will create a machine when we need one with a default of 8 CPUs and 4GB – or something enormous like that.

The part where you actually import the Gold VM comes well after that. Create the Connector, specifying the VM Template if required, and close that process after you’ve saved. The next tab in the wizard back in the Management Console web page will then use that Connector to talk to your hypervisor and get a list of proper VMs (not templates), which you can use to pick the VM that you want us to import. That VM should indeed have its boot disk still attached, and should not be the Template VM you configured before.


Avamar backup “stuck/hung” on last directory?

Has anyone ever seen an Avamar file system backup get “stuck/hung” on the last directory of the last drive of the client file system?

FWIW, I checked and this is not a “new” directory, and it has backed up successfully before – in fact, this particular group has backed up successfully without issue other than it taking longer than other clients (one, because it has 25 million files, and two, because its performance is half of the other file system clients for some still unknown reason).

All comments/feedback appreciated – thanks.
