Friendly reminder to those purchasing OpenVZ VPS servers

Make sure that your provider stays on top of security updates. I was recently provisioned a VPS with this kernel:

2.6.32-32-pve #1 SMP Thu Aug 21 08:50:19 CEST 2014 x86_64

This kernel is highly exploitable: if the provider uses simfs (most do; this one did), you can very easily break out of the chroot and read/write other users' files with 6 shell commands. This particular exploit was fixed by OpenVZ on June 15, 2015.

OpenVZ has a very very thin layer of isolation between users: providers like it because they can easily over-provision CPU, Disk, and RAM to maximize ROI. All guests on the same host share the same kernel, so each guest's security is very dependent on the security practices (or in this case, the lack thereof) of the host.

Rule of thumb: if the kernel hasn't been updated in over a year, stay away.
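An added example, not code from the original post: a small POSIX shell triage that applies the post's rule of thumb to the kernel string quoted above. It pulls the build date out of a `uname -a` line, compares it with a reference date (30-day months are close enough for a "more than a year old" test), and looks for simfs in a /proc/mounts dump. The kernel string is the one from the post; the /proc/mounts lines are constructed. As the rest of the thread points out, a live-patched host still reports its boot-time version inside the container, so a stale result is a question to put to the provider, not proof of an unpatched node.

```shell
#!/bin/sh
# Added example: triage a VPS kernel string the way the original post suggests.
# Input is the `uname -a` line quoted in the post; the /proc/mounts sample
# below is constructed for the demonstration.

# Approximate day index for a YYYY-MM-DD date (30-day months are good enough
# for a "more than a year old" rule of thumb).
date_day() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                 # strip leading zeros so $(( )) does not read octal
    echo $(( y * 365 + (m - 1) * 30 + d ))
}

# Pull the build date out of a `uname -a` / `uname -v` string such as
# "... #1 SMP Thu Aug 21 08:50:19 CEST 2014 x86_64" and return its day index.
# Returns 1 when no month/year pair can be found.
kernel_build_day() {
    month=0; day=0; year=0; want_day=0
    for tok in $1; do
        if [ "$want_day" -eq 1 ]; then
            day=${tok#0}; want_day=0; continue   # token after the month name is the day
        fi
        case "$tok" in
            Jan) month=1; want_day=1 ;;  Feb) month=2; want_day=1 ;;
            Mar) month=3; want_day=1 ;;  Apr) month=4; want_day=1 ;;
            May) month=5; want_day=1 ;;  Jun) month=6; want_day=1 ;;
            Jul) month=7; want_day=1 ;;  Aug) month=8; want_day=1 ;;
            Sep) month=9; want_day=1 ;;  Oct) month=10; want_day=1 ;;
            Nov) month=11; want_day=1 ;; Dec) month=12; want_day=1 ;;
            [12][0-9][0-9][0-9]) year=$tok ;;   # four-digit year token
        esac
    done
    [ "$month" -ne 0 ] && [ "$year" -ne 0 ] || return 1
    echo $(( year * 365 + (month - 1) * 30 + day ))
}

# Days between the kernel build date and a reference date (YYYY-MM-DD).
kernel_age_days() {
    build=$(kernel_build_day "$1") || return 1
    echo $(( $(date_day "$2") - build ))
}

# The post's rule of thumb: a kernel built more than a year ago is a red flag.
kernel_is_stale() {
    age=$(kernel_age_days "$1" "$2") || return 1
    [ "$age" -gt 365 ]
}

# simfs in /proc/mounts marks the container filesystem layout the post is
# worried about; $1 is the full contents of /proc/mounts.
uses_simfs() {
    printf '%s\n' "$1" | grep -q '[[:space:]]simfs[[:space:]]'
}

# --- demonstration on the kernel string quoted in the post ------------------
KERNEL_FROM_POST='2.6.32-32-pve #1 SMP Thu Aug 21 08:50:19 CEST 2014 x86_64'
SAMPLE_MOUNTS='/dev/simfs / simfs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'   # constructed sample
TODAY=$(date +%Y-%m-%d)

printf 'kernel: %s\n' "$KERNEL_FROM_POST"
printf 'build age: ~%s days\n' "$(kernel_age_days "$KERNEL_FROM_POST" "$TODAY")"
if kernel_is_stale "$KERNEL_FROM_POST" "$TODAY"; then
    echo 'WARNING: kernel build is over a year old; ask the provider whether it is live-patched'
fi
uses_simfs "$SAMPLE_MOUNTS" && echo 'note: container root is on simfs'
```

On a real VPS, feed it `"$(uname -a)"` and `"$(cat /proc/mounts)"` instead of the embedded samples. On the host node itself, /usr/bin/kcare-uname (mentioned later in the thread) reports the effective live-patched version; nothing equivalent is visible from inside a container, which is exactly why the build date alone cannot settle the question.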

Comments

  • Is the provider correcting the issue?

  • jackb Member, Host Rep
    edited April 2017

    Are you sure the provider didn't use live patching (kernelcare/ksplice/etc)? I would be very surprised if a provider is actually using such an old kernel.

  • The provider is correcting the issue. I verified that the system was vulnerable.

  • AnthonySmith Member, Patron Provider

    I don't think kernelcare patches proxmox kernels, which that seems to be, so it is indeed out of date.

    You can't just assume by a version number though; it is fairly standard these days for hosts to use kernelcare on ovz host nodes, and as a client you won't see the actual version, just the version from the last actual reboot of the host node.

  • @AnthonySmith said:
    You can't just assume by a version number though; it is fairly standard these days for hosts to use kernelcare on ovz host nodes, and as a client you won't see the actual version, just the version from the last actual reboot of the host node.

    That's a valid point, which is why I made sure that the system was vulnerable before posting this.

    But that raises a good question: How can you, an OpenVZ VPS Provider, prove to me, a prospective client, that your kernel is up-to-date if you use kernelcare or equivalent? I know that on the host you can use /usr/bin/kcare-uname, but my understanding is that there's no way to tell from within a container.

  • jackb Member, Host Rep

    @lowendizen said:

    @AnthonySmith said:
    You can't just assume by a version number though; it is fairly standard these days for hosts to use kernelcare on ovz host nodes, and as a client you won't see the actual version, just the version from the last actual reboot of the host node.

    That's a valid point, which is why I made sure that the system was vulnerable before posting this.

    But that raises a good question: How can you, an OpenVZ VPS Provider, prove to me, a prospective client, that your kernel is up-to-date if you use kernelcare or equivalent? I know that on the host you can use /usr/bin/kcare-uname, but my understanding is that there's no way to tell from within a container.

    You'll have to use providers that you trust. As you noted, the patched kernel version isn't exposed to containers, so you're relying on your provider's word.

  • Fair enough, I understand that there's a certain level of trust required to allow a provider to host your files on their hardware, regardless of whether it's KVM or OpenVZ.

    As an update to the original post, the provider has responded quickly to update their kernel and my host is now no longer vulnerable to that particular exploit.

  • AnthonySmith Member, Patron Provider

    lowendizen said: How can you, an OpenVZ VPS Provider, prove to me, a prospective client

    I can give you an output from cli but I could fake that, bottom line here being if you don't trust me, pay more and use KVM or get a dedi :)

    Essentially, and I really don't mean for this to offend you, if you ask I will tell you but I don't feel the need to provide proof in advance.

    Thanked by 1: luissousa
  • There should simply be a page, like WHMCS, to check if a server has valid KernelCare so a client can trust the provider.

  • jackb Member, Host Rep
    edited April 2017

    @GalaxyHostPlus said:
    There should simply be a page, like WHMCS, to check if a server has valid KernelCare so a client can trust the provider.

    The host could have a valid licence but might not have applied the latest security patch, so there still isn't a guarantee to the end user that the kernel is secured.

    I'd hope most hosts have automatic kernelcare updates disabled and roll them on a dev/testing box before applying live -- so it would be possible they didn't apply the update. Unattended kernel panics aren't fun for anyone.

  • rm_ IPv6 Advocate, Veteran

    How about you simply don't "purchase OpenVZ servers" if you care about things such as security? Get a KVM or dedi, if you can't afford $2.5 or $5 for a KVM, then stop being such a clown posting "friendly reminders" to forums, and get a job.

    Thanked by 1: Lm85H4gFkh3wk3
  • jar Patron Provider, Top Host, Veteran

    @lowendizen said:
    Fair enough, I understand that there's a certain level of trust required to allow a provider to host your files on their hardware, regardless of whether it's KVM or OpenVZ.

    As an update to the original post, the provider has responded quickly to update their kernel and my host is now no longer vulnerable to that particular exploit.

    I'm not gonna beat around the bush, here's what I heard:

    Host doesn't pay attention to security issues and only fixes them on request, rebooting nodes at the request of users.

    Yeah if that's me buying, I'm out.

    Thanked by 3: AuroraZ vimalware WSS
  • I bet if he named the host nobody would be surprised.

    Thanked by 1: netomx
  • @JoeMerit said:
    I bet if he named the host nobody would be surprised.

    Well, as someone who's pretty new around here (and to hosting in general), it would be nice to get a heads up :)

    Thanked by 2: vimalware luissousa
  • Awmusic12635 Member, Host Rep

    @AnthonySmith said:
    I don't think kernelcare patches proxmox kernels, which that seems to be, so it is indeed out of date.

    You can't just assume by a version number though; it is fairly standard these days for hosts to use kernelcare on ovz host nodes, and as a client you won't see the actual version, just the version from the last actual reboot of the host node.

    Kernelcare does patch proxmox kernels. We use it.

    Thanked by 1: vimalware
  • AnthonySmith Member, Patron Provider

    Awmusic12635 said: Kernelcare does patch proxmox kernels. We use it.

    You learn something every day.

    Thanked by 1: Awmusic12635
  • moonmartin Member
    edited April 2017

    @rm_ said:
    How about you simply don't "purchase OpenVZ servers" if you care about things such as security? Get a KVM or dedi, if you can't afford $2.5 or $5 for a KVM, then stop being such a clown posting "friendly reminders" to forums, and get a job.

    Please explain.

    I have never had a security issue on OVZ physical servers such as jailbreak.

    Do you think KVM automatically makes you more secure? Do you remember the QEMU jailbreak vulnerability a year or two ago? You couldn't just fix it with a patch either. You had to reboot the physical server.

  • sin Member

    What would be even better is... if everyone just moved to KVM :-)

    Thanked by 1: rm_
  • daily Member

    I find it funny someone gives people who might not be aware a tiny little PSA, and someone has the audacity to call him a clown? If you're getting that upset, maybe take a breather outside.

  • raindog308 Administrator, Veteran

    rm_ said: if you can't afford $2.5 or $5 for a KVM, then stop being such a clown posting "friendly reminders" to forums, and get a job.

    That seemed unnecessarily rude. What forum is this? LowEndTalk? Isn't this a forum dedicated to cheap VMs?

    moonmartin said: Do you think KVM automatically makes you more secure?

    I'm going to say Yes to this question. Not that you can't easily make an insecure KVM box, but with KVM I know what kernel is in use and its patching status, plus I can run any OS I desire.

  • moonmartin Member
    edited April 2017

    @raindog308 said:

    rm_ said: if you can't afford $2.5 or $5 for a KVM, then stop being such a clown posting "friendly reminders" to forums, and get a job.

    That seemed unnecessarily rude. What forum is this? LowEndTalk? Isn't this a forum dedicated to cheap VMs?

    moonmartin said: Do you think KVM automatically makes you more secure?

    I'm going to say Yes to this question. Not that you can't easily make an insecure KVM box, but with KVM I know what kernel is in use and its patching status, plus I can run any OS I desire.

    You do not know what kernel is in use on the node so what is your point? Not even sure if you can see what version of qemu-kvm is in use on the node. The whole reason for this thread is that the user can see that on OVZ. So you actually have more information. Just not necessarily accurate because of the possibility they are using kernelcare.

  • jgillich Member
    edited April 2017

    sin said: What would be even better is... if everyone just moved to KVM :-)

    LXD is also a good replacement for OpenVZ built on cgroups and namespaces paired with AppArmor. Unfortunately Canonical sucks at marketing, so industry support is very little as of now.

  • raindog308 Administrator, Veteran

    moonmartin said: You do not know what kernel is in use on the node so what is your point? Not even sure if you can see what version of qemu-kvm is in use on the node. The whole reason for this thread is that the user can see that on OVZ. So you actually have more information. Just not necessarily accurate because of the possibility they are using kernelcare.

    Fair enough - you could argue either way. Neither is "really" secure because the host controls the ultimate kernel, the server, etc.

  • KuJoe Member, Host Rep

    Any provider not using KernelCare at this point should definitely re-evaluate their business plan and budget in the $3/month per node. It's a life saver and worth it, more often than not they'll have a security patch before the kernel maintainers have an official patch for large 0-day exploits.
