Is OpenVZ 6 still secure?

Been noticing there are some providers still using OVZ6. Is it still ... safe... to use on production? versus OVZ7

This thread is not for discussing KVM superiority. We all know it is better.


Comments

  • Hxxx said: This thread is not for discussing KVM superiority. We all know it is better.

    In numbers .. I don't think so.

  • yoursunny Member, IPv6 Advocate

    I canceled all my VZ6 boxes because I can't trust its security given there's no patches.

    Thanked by 1Hxxx
  • jackb Member, Host Rep
    edited January 2020

    @Hxxx said:
    Been noticing there are some providers still using OVZ6. Is it still ... safe... to use on production? versus OVZ7

    This thread is not for discussing KVM superiority. We all know it is better.

    Nothing deadly out yet, but when there is there won't be a patch.

    Anyone selling OpenVZ 6 today, or who has not started migrations to KVM or OpenVZ 7, should be avoided.

    Thanked by 1Hxxx
  • Neoon Community Contributor, Veteran

    Well, you can run it, for sure, but if something spawns outside, you better hide.
    Reminds me, when I ran Syncthing on OVZ 6, it crashed the entire node on boot, gg.

  • HostMedia Member, Patron Provider

    Best to avoid any providers offering OVZ6 - if they haven't moved to OVZ7 or KVM/XEN yet then I would question their service (security/updates/support etc).

  • OpenVZ 6 is EOL, and shouldn't be used in production.

    https://wiki.openvz.org/Releases

  • There are still providers who sell vps resource pools that are still on OVZ 6. Should they be avoided?

  • DP Administrator, The Domain Guy

    @geekyhillbilly said:
    There are still providers who sell vps resource pools that are still on OVZ 6. Should they be avoided?

    Yes.

  • @geekyhillbilly said:
    There are still providers who sell vps resource pools that are still on OVZ 6. Should they be avoided?

    Do you want to put your data on an unpatched server?

  • deank Member, Troll
    edited January 2020

    @geekyhillbilly said:
    There are still providers who sell vps resource pools that are still on OVZ 6. Should they be avoided?

    A simple fact that you had to ask this makes me a really sad @Panda(Jord).

  • @deank said:

    @geekyhillbilly said:
    There are still providers who sell vps resource pools that are still on OVZ 6. Should they be avoided?

    A simple fact that you had to ask this makes me a really sad @Panda(Jord).

    I know a stupid question @Panda(Jord). I figured the answer was stay away. Don't know why I asked in the first place. Reckon I'm just having one of those days! Ugh!!!!

    ps. Sorry I made you sad @Panda(Jord)!

  • no it is not secured at all you should try some other host

  • @faizan190 said:
    no it is not secured at all you should try some other host

    Congrats on your first comment

  • I wouldn't use ovz6 for anything other than testing..

  • Daniel15 Veteran
    edited January 2020

    deleted

  • @jackb said:

    @Hxxx said:
    Been noticing there are some providers still using OVZ6. Is it still ... safe... to use on production? versus OVZ7

    This thread is not for discussing KVM superiority. We all know it is better.

    Nothing deadly out yet, but when there is there won't be a patch.

    Anyone selling OpenVZ 6 today, or who has not started migrations to KVM or OpenVZ 7, should be avoided.

    Nonsense.

  • jackb Member, Host Rep
    edited January 2020

    @LosPollosHermanos said:
    Nonsense.

    I'll reword that then.

    "Why would you choose a host using unsupported software for multi tenant virtualization?"

    Hosts selling OpenVZ 6 today are deliberately risking their customers' data. Hosts who haven't started their migration yet are risking a rushed migration or their customers' data - when a major vulnerability comes out.

    It is dangerous. Hosts still on OpenVZ 6 without migrations in progress are doing it for two possible reasons: saving a small amount of $ on shuffling hardware, and time. Skimping on either on something like this isn't a mark of a good host.

    Thanked by 2Daniel15 maverickp
  • edited January 2020

    There are still people using OVZ 5 nodes without problems.

    These security discussions are always kind of cringey to read imo. 99% of the comments are just people saying stuff they have 0 understanding of because anyone can tell you things are not secure. If it's connected to the internet it will never be secure. That doesn't really answer the question.

    Another annoying thing lazy google commandos do is post some security vulnerability they found by spending 5 seconds doing a search without really understanding the implications. Again, it's not based on any sort of expertise or deep understanding.

    And of course you have the reasoning "why even take a chance" as justification. Again, doesn't answer the question of if something is secure and/or how secure and is one of the laziest responses possible, most likely coming from someone who is too lazy to take the time to understand any of it themselves.

    You are ALWAYS taking a chance just by connecting something to the internet. I am not claiming to be an expert but my approach is quite different and based on what I have read from a cross-section of actual security experts who truly understand what 'security' means. I am running old stuff a lot of people will tell you not to run because there are dragons and scary stuff booga booga. The difference is that I took the time to understand the implications, assessed the risk based on my usage profile, and in many cases implemented my own security fixes as needed. So I don't live in fear of the unknown like a lot of people because I took the time and put in the effort to understand.

  • jackb Member, Host Rep
    edited January 2020

    @LosPollosHermanos said:
    There are still people using OVZ 5 nodes without problems.

    These security discussions are always kind of cringey to read imo. 99% of the comments are just people saying stuff they have 0 understanding of because anyone can tell you things are not secure. If it's connected to the internet it will never be secure.

    That doesn't really answer the question. Oh and you will always be able to google and find some security vulnerability. So that's the other thing the google commandos wannabe security experts do to try prove their point. Again, it's not based on any sort of expertise or deep understanding.

    Excluding conjecture, what is your reason to suggest a multi tenant environment using unsupported virtualization is safe enough to sell today?

    We aren't talking about what you run in your lab, we're talking about actual sales to actual customers.

    Thanked by 2maverickp Ouji
  • edited January 2020

    @jackb said:

    @LosPollosHermanos said:
    There are still people using OVZ 5 nodes without problems.

    These security discussions are always kind of cringey to read imo. 99% of the comments are just people saying stuff they have 0 understanding of because anyone can tell you things are not secure. If it's connected to the internet it will never be secure.

    That doesn't really answer the question. Oh and you will always be able to google and find some security vulnerability. So that's the other thing the google commandos wannabe security experts do to try prove their point. Again, it's not based on any sort of expertise or deep understanding.

    Excluding conjecture, what is your reason to suggest a multi tenant environment using unsupported virtualization is safe enough to sell today?

    I don't have to explain anything. Since you want to know perhaps you can explain your particular usage scenario. I didn't even mention anything about selling anything.

  • jackb Member, Host Rep

    @LosPollosHermanos said:
    That is like asking, why did you cross the road. You didn't even bother to ask me my reason for crossing the road which is most likely completely different than your reason to cross the road, which you also did not explain.

    Neither of those matter when the scenario being discussed is selling VPS to customers.

    Thanked by 1Ouji
  • edited January 2020

    @jackb said:

    @LosPollosHermanos said:
    That is like asking, why did you cross the road. You didn't even bother to ask me my reason for crossing the road which is most likely completely different than your reason to cross the road, which you also did not explain.

    Neither of those matter when the scenario being discussed is selling VPS to customers.

    I didn't mention anything about selling anything. What I do and what you do may be completely different things.

  • jackb Member, Host Rep

    @LosPollosHermanos said:
    I don't have to explain anything. Since you want to know perhaps you can explain your particular usage scenario. I didn't even mention anything about selling anything.

    This whole thread is about providers selling VPS using OpenVZ 6. If you didn't pick up on that you might want to go back and re-read the whole thing.

    Thanked by 1Ouji
  • edited January 2020

    @yoursunny said:
    I canceled all my VZ6 boxes because I can't trust its security given there's no patches.

    Specifical

    @jackb said:

    @LosPollosHermanos said:
    I don't have to explain anything. Since you want to know perhaps you can explain your particular usage scenario. I didn't even mention anything about selling anything.

    This whole thread is about providers selling VPS using OpenVZ 6. If you didn't pick up on that you might want to go back and re-read the whole thing.

    I could have sworn the OP said "is it still safe". My bad.

  • jackb Member, Host Rep
    edited January 2020

    @LosPollosHermanos said:
    I could have sworn the OP said "is it still safe". My bad.

    It's ok to be wrong sometimes.

    @Hxxx said:
    Been noticing there are some providers still using OVZ6. Is it still ... safe... to use on production

    To which I replied:

    @jackb said:
    Nothing deadly out yet, but when there is there won't be a patch

  • Daniel15 Veteran
    edited January 2020

    2.6.32 kernel has already been EOL upstream since March 2016: https://lkml.org/lkml/2016/3/12/78. Some fixes have been backported by RedHat but I don't think there's any guarantee that they all have. I think 3.10 (which OpenVZ7 uses) is also EOL now too though, lol. RHEL still backport some fixes, which I guess is what they're relying on.
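
The kernel versions named in the post above (2.6.32 for OpenVZ 6, 3.10 for OpenVZ 7) can be checked from inside a VPS, because an OpenVZ container runs on the node's kernel. This is an added example, not part of the thread; it assumes the usual OpenVZ markers (`/proc/vz` present on nodes and in containers, `/proc/bc` present only on the node), and the kernel release strings in the comments are constructed samples.

```shell
#!/bin/sh
# Classify an OpenVZ environment from the kernel release string and two
# /proc markers. Version-to-generation mapping follows the thread:
# 2.6.32 -> OpenVZ 6, 3.10 -> OpenVZ 7.
#
# classify_ovz RELEASE HAS_PROC_VZ HAS_PROC_BC
#   RELEASE      output of `uname -r` (e.g. constructed "2.6.32-042stab141.3")
#   HAS_PROC_VZ  1 if /proc/vz exists (assumed OpenVZ marker)
#   HAS_PROC_BC  1 if /proc/bc exists (assumed node-only marker)
classify_ovz() {
    release=$1
    has_vz=$2
    has_bc=$3

    # Without /proc/vz this is not an OpenVZ kernel at all, whatever
    # the version number says (plain RHEL 6 also ships 2.6.32).
    if [ "$has_vz" != 1 ]; then
        echo "not-openvz"
        return 0
    fi

    if [ "$has_bc" = 1 ]; then role=host; else role=container; fi

    case $release in
        2.6.32|2.6.32[-.]*) gen=ovz6 ;;     # upstream EOL since March 2016
        3.10|3.10[-.]*)     gen=ovz7 ;;
        *)                  gen=unknown ;;  # some other OpenVZ kernel
    esac
    echo "$gen-$role"
}

# Probe the running system and classify it.
probe_ovz() {
    vz=0
    bc=0
    if [ -d /proc/vz ]; then vz=1; fi
    if [ -d /proc/bc ]; then bc=1; fi
    classify_ovz "$(uname -r)" "$vz" "$bc"
}

probe_ovz
```

A result of `ovz6-container` means the VPS sits on a 2.6.32-based node; whether that node receives backported or live patches cannot be determined from inside the container.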

  • Neoon Community Contributor, Veteran

    @Daniel15 said:
    2.6.32 kernel has already been EOL upstream since March 2016: https://lkml.org/lkml/2016/3/12/78. Some fixes have been backported by RedHat but I don't think there's any guarantee that they all have. I think 3.10 (which OpenVZ7 uses) is also EOL now too though, lol. RHEL still backport some fixes, which I guess is what they're relying on.

    They are most likely using kernelcare, which still keeps them up to date.

  • Neoon said: They are most likely using kernelcare, which still keeps them up to date.

    Interesting... I didn't realise Kernelcare still patches EOL'd kernel versions.

    Still... Linux 2.6 is literally the same age as Windows XP. Even with newer security patches, it's still missing a lot of features of newer kernel versions.

  • raindog308 Administrator, Veteran

    LosPollosHermanos said: There are still people using OVZ 5 nodes without problems.

    Irrelevant.

    These security discussions are always kind of cringey to read imo. 99% of the comments are just people saying stuff they have 0 understanding of because anyone can tell you things are not secure. If it's connected to the internet it will never be secure. That doesn't really answer the question.

    What is the question? Seems to me the question is "what can we do to make things as secure as possible?"

    Another annoying thing lazy google commandos do is post some security vulnerability they found by spending 5 seconds doing a search without really understanding the implications. Again, it's not based on any sort of expertise or deep understanding.

    ...which you possess? Though later you say you don't, so...

    I'm happy to admit that I am not a security pro. But I know enough that using unpatchable, out of date software is a mistake. This is because I don't know the code perfectly. If I knew the code backwards and forward, that would be a different story. But in this case I don't, no one does, and you certainly don't either.

    And of course you have the reasoning "why even take a chance" as justification. Again, doesn't answer the question of if something is secure and/or how secure and is one of the laziest responses possible, most likely coming from someone who is too lazy to take the time to understand any of it themselves.

    Bullshit. You're arguing that unless someone has read all of /usr/src and knows it perfectly to the point that they can guarantee to themselves that there's no security bugs, they're "too lazy to take the time".

    You are ALWAYS taking a chance just by connecting something to the internet. I am not claiming to be an expert but my approach is quite different and based on what I have read from a cross-section of actual security experts who truly understand what 'security' means. I am running old stuff a lot of people will tell you not to run because there are dragons and scary stuff booga booga. The difference is that I took the time to understand the implications, assessed the risk based on my usage profile, and in many cases implemented my own security fixes as needed. So I don't live in fear of the unknown like a lot of people because I took the time and put in the effort to understand.

    LOL...so you are maintaining OVZ 5 or 6 with your own security patches?

    We're not talking about some wordpress theme that you've touched up when there's a timthumb bug.

    Your attitude is nonsensical. You're too studly to upgrade but you're not an expert. But you've implemented your own security fixes and done your own analysis because you're an expert. Booga booga indeed.

    Who are these "actual security experts" who'd advise running out of date, unpatchable software? All the ones I've read advise keeping your shit patched up. Where do you think best practices like that come from? Answer: actual security experts.

    Ironically, doing the work of upgrading systems to OVZ 7 sounds a lot less lazy to me than "assessing the risk based on my usage profile" and saying you don't need to upgrade.

  • edited January 2020

    @Hxxx said:
    Been noticing there are some providers still using OVZ6. Is it still ... safe... to use on production

    @Daniel15 said:
    2.6.32 kernel has already been EOL upstream since March 2016: https://lkml.org/lkml/2016/3/12/78. Some fixes have been backported by RedHat but I don't think there's any guarantee that they all have. I think 3.10 (which OpenVZ7 uses) is also EOL now too though, lol. RHEL still backport some fixes, which I guess is what they're relying on.

    Yes, following similar logic people are using here, OVZ 7 is also already obsolete in a lot of ways and they should all immediately cancel their servers and move to KVM or whatever. This is what I would call perpetual software upgrade rat race logic and how newer versions are supposedly always better because....bigger number.

    I guess there is an Alpha or Beta kernel for OVZ 8 or whatever they decide to call it, which presumably will be based on CE8, but they haven't said anything about a roadmap for that.

    I am really sour on OVZ in general right now because they never created an upgrade path from OVZ 6 to OVZ 7. I am not talking about migration path. I am talking in place upgrade of existing servers. It would have been entirely possible to create an upgrade script for that. By doing so they could have retained a lot of existing users/potential customers, like me, if they did that. I doubt they will have an in-place upgrade path from 7 to 8 either.

    Not sure about KVM on CE6 but pretty sure if you are running KVM on CE7 you will be able to do an in place update to CE8.
