Handling the CVE-2018-3646 warning after updating ESXi to 6.7 – 安安

Symptom

After updating ESXi to 6.7, the vCenter console shows the following alarm by default

esx.problem.hyperthreading.unmitigated

Opening the ESXi host console shows:

This host is potentially vulnerable to issues described in CVE-2018-3646, please refer to https://kb.vmware.com/s/article/55636 for details and VMware recommendations

Cause

With VMSA-2018-0020, VMware added a check that reports the mitigation status of CVE-2018-3646; when the vulnerability is not mitigated on the host, the alarm above is raised.

About CVE-2018-3646

CVE-2018-3646 is a chip-level vulnerability in Intel processors (the L1 Terminal Fault variant that affects virtual machines) that can leak information across the virtualization boundary; see Intel's advisory for details:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

VMware's documentation:

https://kb.vmware.com/s/article/55806

https://kb.vmware.com/s/article/57374

How to suppress the warning

Because the flaw is in the CPU itself, the full mitigation (VMware's patched ESXi build together with the side-channel-aware scheduler from KB 55806, which stops the two hyperthreads of one core from serving different VMs) costs a noticeable amount of capacity. In a private cloud where every VM on a host belongs to the same trust domain, the exposure is controllable, so we can choose to suppress the warning and defer the fix. Be clear about what that does: the setting below only silences the alarm, the host stays unmitigated, and vCenter stops reminding you, so record the decision and revisit it before any untrusted workload is placed on the host.

Steps to suppress the warning:

  • In vCenter select the ESXi host and open Configure > Advanced System Settings
  • Click Edit and filter for UserVars.SuppressHyperthreadWarning
  • Change the value of UserVars.SuppressHyperthreadWarning from 0 to 1

The change takes effect immediately; no reboot or other action is needed
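The setting above silences the alarm without changing the host's exposure, so it helps to be able to tell the states apart from the command line. The script below is an added example and not part of the original post: it reads the saved output of two esxcli queries (the suppression variable, and the hyperthreadingMitigation kernel option that KB 55806 uses for the real mitigation) and prints one of four states, so an inventory run over all hosts shows which ones are merely muted. The sample outputs embedded in it are constructed in the esxcli list layout; the description wording and the exact column spacing are assumptions, the parsing does not depend on them.

```shell
#!/bin/sh
# Added example, not part of the original post: classify an ESXi host's
# CVE-2018-3646 state from the two settings involved, so that "warning
# suppressed" is never mistaken for "vulnerability mitigated".
#
# Capture on the host (ESXi Shell or SSH), then hand the saved files to l1tf_state:
#   esxcli system settings advanced list -o /UserVars/SuppressHyperthreadWarning > adv.txt
#   esxcli system settings kernel list -o hyperthreadingMitigation > kern.txt
# Apply either the post's suppression (immediate) or the KB 55806 mitigation (needs a reboot):
#   esxcli system settings advanced set -o /UserVars/SuppressHyperthreadWarning -i 1
#   esxcli system settings kernel set -s hyperthreadingMitigation -v TRUE

l1tf_state() {
    adv="$1"; kern="$2"
    # "   Int Value: 1" -> 1 ; the "Default Int Value" line does not match ^ *Int
    suppress=$(awk -F': *' '/^ *Int Value:/ { print $2 }' "$adv")
    # kernel list columns: Name Type Configured Runtime Default Description
    set -- $(awk '$1 == "hyperthreadingMitigation" { print toupper($3), toupper($4) }' "$kern")
    configured="${1:-FALSE}"; runtime="${2:-FALSE}"
    case "$runtime:$configured:$suppress" in
        TRUE:*:*) echo "mitigated" ;;                 # scheduler mitigation active now
        *:TRUE:*) echo "mitigation-pending-reboot" ;; # set, takes effect after reboot
        *:*:1)    echo "suppressed-unmitigated" ;;    # the post's state: alarm off, still vulnerable
        *)        echo "unmitigated" ;;               # alarm on, still vulnerable
    esac
}

# Constructed samples in the esxcli output layout (abbreviated; wording assumed).
SAMPLE_ADV_SUPPRESSED='   Path: /UserVars/SuppressHyperthreadWarning
   Type: integer
   Int Value: 1
   Default Int Value: 0'
SAMPLE_KERN_OFF='Name                      Type  Configured  Runtime  Default  Description
------------------------  ----  ----------  -------  -------  -----------
hyperthreadingMitigation  Bool  FALSE       FALSE    FALSE    Restrict use of sibling hyperthreads'

demo() {
    a=$(mktemp); k=$(mktemp)
    printf '%s\n' "$SAMPLE_ADV_SUPPRESSED" > "$a"
    printf '%s\n' "$SAMPLE_KERN_OFF" > "$k"
    l1tf_state "$a" "$k"    # suppressed-unmitigated
    rm -f "$a" "$k"
}
demo
```

Run the two capture commands on each host (for example over SSH in a loop) and feed the saved files to l1tf_state; anything that reports suppressed-unmitigated is a host where the alarm has been turned off but the scheduler mitigation was never enabled.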

Last updated 2019-01-08 02:40:20, tagged 「esxi CVE-2018-3646 esx.problem.hyperthreading.unmitigated」; 2010 readers so far.

This site is licensed under Creative Commons Attribution 4.0 International: free to repost and quote, with attribution to the author and a link to the source.


Environment

  • OS: CentOS 7 1810
  • Install method: YUM
  • EPEL YUM repository configured

Install cobbler

yum install cobbler cobbler-web pykickstart httpd dhcp tftp-server

Start httpd, tftp and cobblerd, and enable them at boot

systemctl start cobblerd
systemctl start httpd
systemctl start tftp
# enable the services at boot
systemctl enable cobblerd
systemctl enable httpd
systemctl enable tftp
systemctl enable rsyncd

Configure cobbler

Run cobbler check to check the cobbler configuration

It may report the following error

httpd does not appear to be running and proxying cobbler, or SELinux is in the way. Original traceback:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cobbler/cli.py", line 251, in check_setup
    s.ping()
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1233, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1591, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1321, in single_request
    response.msg,
ProtocolError: <ProtocolError for 127.0.0.1:80/cobbler_api: 503 Service Unavailable>

As the message says, SELinux is blocking httpd from proxying to cobblerd. Either disable SELinux or allow the connection with:

setsebool -P httpd_can_network_connect true

Disabling SELinux is the quickest route, but it removes confinement for every service on the host; the boolean above is all this particular error needs, and if you keep SELinux enforcing, the remaining settings cobbler needs are covered at:

https://github.com/cobbler/cobbler/wiki/Selinux

Run cobbler check again; it now reports:

The following are potential configuration items that you may want to fix:

1 : The 'server' field in /etc/cobbler/settings must be set to something other than localhost, or kickstarting features will not work.  This should be a resolvable hostname or IP for the boot server as reachable by all machines that will use it.
2 : For PXE to be functional, the 'next_server' field in /etc/cobbler/settings must be set to something other than 127.0.0.1, and should match the IP of the boot server on the PXE network.
3 : SELinux is enabled. Please review the following wiki page for details on ensuring cobbler works correctly in your SELinux environment:
    https://github.com/cobbler/cobbler/wiki/Selinux
4 : change 'disable' to 'no' in /etc/xinetd.d/tftp
5 : Some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely.  Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
6 : debmirror package is not installed, it will be required to manage debian deployments and repositories
7 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
8 : fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them

Restart cobblerd and then run 'cobbler sync' to apply changes.

We now fix and configure each reported item in turn

  1. Edit the configuration file /etc/cobbler/settings (items 1 and 2)

    # change the listen address to the boot server's IP
    sed -i 's/server: 127.0.0.1/server: 172.25.68.8/' /etc/cobbler/settings
    # next_server: must be changed when cobbler manages DHCP
    sed -i 's/next_server: 127.0.0.1/next_server: 172.25.68.8/' /etc/cobbler/settings
    # let cobbler manage DHCP
    sed -i 's/manage_dhcp: 0/manage_dhcp: 1/' /etc/cobbler/settings
    # prevent hosts from re-installing in a loop
    sed -i 's/pxe_just_once: 0/pxe_just_once: 1/' /etc/cobbler/settings

  2. Disable or configure SELinux (item 3; skip this if you set the boolean above and keep SELinux enforcing)

    # disable SELinux for the running system
    setenforce 0
    # disable SELinux permanently
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

  3. Fix the tftp settings (item 4)
    Edit /etc/xinetd.d/tftp; if it contains disable = yes, change it to disable = no

  4. Fetch the boot loaders (item 5)
    Run the following to download the boot loader files cobbler needs

    cobbler get-loaders

  5. Install Debian deployment support (item 6)

    yum -y install debmirror

  6. Change the default password (item 7)
    This is the root password of systems installed through cobbler's default templates. Generate the hash with the command below, where random-phrase-here is the salt (pick your own) and your-password-here is the password, then replace the value of default_password_crypted in /etc/cobbler/settings with the output. Note that -1 produces an MD5-crypt hash and a memorable phrase is a poor salt: kickstart also accepts SHA-512 crypt ($6$) with a random salt, which is the better choice.

    openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'

  7. Install fencing support (item 8)

    yum -y install fence-agents

Restart cobblerd and run cobbler check again

The check still reports:

The following are potential configuration items that you may want to fix:

1 : comment out 'dists' on /etc/debmirror.conf for proper debian support
2 : comment out 'arches' on /etc/debmirror.conf for proper debian support

Restart cobblerd and then run 'cobbler sync' to apply changes.

Fix: comment out the two lines in /etc/debmirror.conf that contain @dists and @arches.
Running the check again shows no more errors.
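The settings edits from the fix list above (items 1 and 6), gathered into one idempotent script, as an added example that is not from the original post. It matches whole lines rather than the literal 127.0.0.1, so it also works on a settings file that was edited before; it checks that none of the defaults cobbler check flags are left; and it writes the crypted password in the double-quoted form the settings file uses, with the sed metacharacters a hash can contain escaped. The IP, the file path and the sample settings text are assumptions, and the hash is whatever you generated separately.

```shell
#!/bin/sh
# Added example, not from the original post: apply the /etc/cobbler/settings
# changes from the steps above to a settings file in one idempotent pass, then
# verify that nothing 'cobbler check' would still flag remains.
# The path, the IP 172.25.68.8 and the sample settings text are assumptions.

configure_cobbler_settings() {
    # $1 = settings file, $2 = boot server IP on the PXE network.
    # Anchored whole-line matches, so re-running on an already edited file is harmless.
    f="$1"; ip="$2"
    sed -i \
        -e "s/^server: .*/server: $ip/" \
        -e "s/^next_server: .*/next_server: $ip/" \
        -e 's/^manage_dhcp: .*/manage_dhcp: 1/' \
        -e 's/^pxe_just_once: .*/pxe_just_once: 1/' \
        "$f"
}

set_default_password() {
    # $1 = settings file, $2 = crypt(3) hash for the installed systems' root password.
    # Escape the sed metacharacters a hash can contain (& / \) before substituting;
    # the settings file keeps the value double-quoted.
    f="$1"
    esc=$(printf '%s' "$2" | sed 's#[&/\\]#\\&#g')
    sed -i "s/^default_password_crypted: .*/default_password_crypted: \"$esc\"/" "$f"
}

check_cobbler_settings() {
    # Returns 0 when none of the defaults behind 'cobbler check' items 1 and 2
    # (and the two flags set above) are left; prints the offending lines otherwise.
    ! grep -E '^(server|next_server): 127\.0\.0\.1$|^manage_dhcp: 0$|^pxe_just_once: 0$' "$1"
}

password_hash_is_sha512() {
    # 0 if default_password_crypted is a SHA-512 crypt ($6$...), which kickstart's
    # 'rootpw --iscrypted' accepts; 'openssl passwd -1' yields the weaker MD5 form ($1$).
    grep -Eq '^default_password_crypted: "\$6\$' "$1"
}

# Constructed sample of a fresh settings file (the hash value is a placeholder).
SAMPLE_SETTINGS='server: 127.0.0.1
next_server: 127.0.0.1
manage_dhcp: 0
pxe_just_once: 0
default_password_crypted: "$1$saltsalt$placeholderhash"'

demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SETTINGS" > "$f"
    configure_cobbler_settings "$f" 172.25.68.8
    set_default_password "$f" "$1"
    check_cobbler_settings "$f" && password_hash_is_sha512 "$f" && echo "settings OK"
    cat "$f"
    rm -f "$f"
}
demo '$6$constructedsalt$constructedhash'
```

Generate the hash outside the script: openssl passwd -6 'your-password' on OpenSSL 1.1.1 or later; CentOS 7's OpenSSL 1.0.2 only offers -1 (MD5), so there use the Python 2 crypt module with a random SHA-512 salt, for example python -c 'import crypt,os,binascii; print(crypt.crypt("your-password", "$6$" + binascii.hexlify(os.urandom(8))))'. Restart cobblerd and run cobbler sync afterwards, as cobbler check says.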

DHCP configuration

Since cobbler was configured above to manage DHCP, the DHCP configuration has to be generated from cobbler's template: edit /etc/cobbler/dhcp.template directly (cobbler sync writes dhcpd.conf from it). One thing to watch: the configuration must contain a subnet declaration for the subnet the server itself is on, otherwise dhcpd fails with an error.

To add a network segment, copy the existing subnet block and adjust it.
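The subnet requirement just described can be checked before running cobbler sync instead of discovering it from a dhcpd start failure. The script below is an added example, not from the original post: it scans the subnet declarations in a dhcp.template and reports which one, if any, contains a given address. The template excerpt it carries is constructed in dhcp.template syntax with the post's 172.25.68.x addresses, and the file path is an assumption; it only handles contiguous netmasks, which is all a subnet declaration uses.

```shell
#!/bin/sh
# Added example, not from the original post: verify that dhcp.template declares a
# subnet containing the boot server's own address before running 'cobbler sync',
# since dhcpd refuses to start otherwise. Path and template text are assumptions.

subnet_covers() {
    # $1 = server IP, $2 = dhcp.template path. Prints "network/netmask" of the
    # matching declaration and returns 0, or prints nothing and returns 1.
    awk -v ip="$1" '
        # o AND m for a contiguous mask octet, without relying on awk bitwise ops
        function masked(o, m,    h) { h = 256 - m; return int(o / h) * h }
        $1 == "subnet" && $3 == "netmask" {
            split(ip, i, "."); split($2, n, "."); split($4, m, ".")
            ok = 1
            for (k = 1; k <= 4; k++)
                if (masked(i[k], m[k]) != n[k]) ok = 0
            if (ok) { print $2 "/" $4; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$2"
}

# Constructed dhcp.template excerpt (two subnets; $next_server is cobbler's template variable).
SAMPLE_DHCP_TEMPLATE='ddns-update-style interim;
allow booting;
allow bootp;
subnet 172.25.68.0 netmask 255.255.255.0 {
     option routers             172.25.68.1;
     option subnet-mask         255.255.255.0;
     range dynamic-bootp        172.25.68.100 172.25.68.200;
     next-server                $next_server;
}
subnet 192.168.10.0 netmask 255.255.255.0 {
     option routers             192.168.10.1;
     range dynamic-bootp        192.168.10.100 192.168.10.200;
     next-server                $next_server;
}'

demo() {
    t=$(mktemp)
    printf '%s\n' "$SAMPLE_DHCP_TEMPLATE" > "$t"
    for host in 172.25.68.8 10.0.0.5; do
        if net=$(subnet_covers "$host" "$t"); then
            echo "$host: declared in $net"
        else
            echo "$host: no matching subnet in dhcp.template, dhcpd will fail"
        fi
    done
    rm -f "$t"
}
demo
```

On the real host call subnet_covers with the server value from /etc/cobbler/settings and /etc/cobbler/dhcp.template; a non-zero exit means the template needs a subnet block for the server's own network before cobbler sync is run.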

Using the cobbler command line

Using cobbler web

cobbler-web was installed above, so once the httpd service is running the cobbler web interface is available.

Newer cobbler web versions must be accessed over HTTPS, at https://ip/cobbler_web
On this host the server returned a 500 error; the httpd error log showed:

[Thu Jan 24 16:01:25.739471 2019] [:error] [pid 5466] [remote 172.25.120.32:96] mod_wsgi (pid=5466): Exception occurred processing WSGI script '/usr/share/cobbler/web/cobbler.wsgi'.
[Thu Jan 24 16:01:25.739567 2019] [:error] [pid 5466] [remote 172.25.120.32:96] Traceback (most recent call last):
[Thu Jan 24 16:01:25.739618 2019] [:error] [pid 5466] [remote 172.25.120.32:96]   File "/usr/share/cobbler/web/cobbler.wsgi", line 26, in application
[Thu Jan 24 16:01:25.739687 2019] [:error] [pid 5466] [remote 172.25.120.32:96]     _application = get_wsgi_application()
[Thu Jan 24 16:01:25.739719 2019] [:error] [pid 5466] [remote 172.25.120.32:96]   File "/usr/lib/python2.7/site-packages/django/core/wsgi.py", line 13, in get_wsgi_application
[Thu Jan 24 16:01:25.739753 2019] [:error] [pid 5466] [remote 172.25.120.32:96]     django.setup(set_prefix=False)
[Thu Jan 24 16:01:25.739768 2019] [:error] [pid 5466] [remote 172.25.120.32:96]   File "/usr/lib/python2.7/site-packages/django/__init__.py", line 22, in setup
[Thu Jan 24 16:01:25.739791 2019] [:error] [pid 5466] [remote 172.25.120.32:96]     configure_logging(settings.LOGGING_CONFIG, settings.LOGGING)
[Thu Jan 24 16:01:25.739804 2019] [:error] [pid 5466] [remote 172.25.120.32:96]   File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 56, in __getattr__
[Thu Jan 24 16:01:25.739826 2019] [:error] [pid 5466] [remote 172.25.120.32:96]     self._setup(name)
[Thu Jan 24 16:01:25.739843 2019] [:error] [pid 5466] [remote 172.25.120.32:96]   File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 41, in _setup
[Thu Jan 24 16:01:25.739907 2019] [:error] [pid 5466] [remote 172.25.120.32:96]     self._wrapped = Settings(settings_module)
[Thu Jan 24 16:01:25.739933 2019] [:error] [pid 5466] [remote 172.25.120.32:96]   File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 110, in __init__
[Thu Jan 24 16:01:25.739955 2019] [:error] [pid 5466] [remote 172.25.120.32:96]     mod = importlib.import_module(self.SETTINGS_MODULE)
[Thu Jan 24 16:01:25.739968 2019] [:error] [pid 5466] [remote 172.25.120.32:96]   File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
[Thu Jan 24 16:01:25.739990 2019] [:error] [pid 5466] [remote 172.25.120.32:96]     __import__(name)
[Thu Jan 24 16:01:25.740032 2019] [:error] [pid 5466] [remote 172.25.120.32:96]   File "/usr/share/cobbler/web/settings.py", line 89, in <module>
[Thu Jan 24 16:01:25.740062 2019] [:error] [pid 5466] [remote 172.25.120.32:96]     from django.conf.global_settings import TEMPLATE_CONTEXT_PROCESSORS
[Thu Jan 24 16:01:25.740298 2019] [:error] [pid 5466] [remote 172.25.120.32:96] ImportError: cannot import name TEMPLATE_CONTEXT_PROCESSORS

The error comes from the python-django version CentOS 7 installs by default being newer than what cobbler supports (cobbler still has unfixed bugs against it), so we downgrade Django to an older release. Bear in mind that Django 1.6 has been out of support since 2015 and receives no security fixes, so treat cobbler_web as an admin-only interface and restrict access to it (firewall or httpd access control) to the management network.

First, find the installed Django version

rpm -qa |grep django

Then remove it (the package name below is the version that was installed on this host)

rpm -e python2-django-1.11.18-1.el7.noarch --nodeps

Install the older Django

yum -y install python2-django16

Restart httpd

systemctl restart httpd

Custom kickstart files

Last updated 2019-01-24 08:35:05, tagged 「openssl var set localhost selinux server network host cobbler etc settings the」; 342 readers so far.



Symptom

When an application writes logs through rsyslog at a high rate, some lines go missing, and /var/log/messages contains:

Feb 26 10:03:55 mirrors rsyslogd-2177: imuxsock begins to drop messages from pid 85417 due to rate-limiting
Feb 26 10:03:57 mirrors rsyslogd-2177: imuxsock lost 82 messages from pid 85417 due to rate-limiting

Cause

Starting with rsyslog 5.7.1, imuxsock rate-limits each sender: by default, once one PID has emitted 200 messages within a 5-second interval, everything further from that PID in the interval is discarded.

Solutions

  • Raise the rate limit
    Add the following lines to the rsyslog configuration and restart rsyslog

    $SystemLogRateLimitInterval 10
    $SystemLogRateLimitBurst 500

    The settings above mean

  • Disable rate limiting

    $IMUXSockRateLimitInterval 0
    $SystemLogRateLimitInterval 0

    $SystemLogRateLimitInterval covers the system log socket (/dev/log); $IMUXSockRateLimitInterval covers additional sockets added with $AddUnixListenSocket. With the limit off, a single runaway or malicious process can flood the log and crowd out every other source, so raising the burst to what the application actually needs is usually the safer choice.
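Before choosing between the two options it helps to know how much was actually lost and by which process, since every dropped line is evidence that will be missing from a later investigation. The script below is an added example, not from the original post: it tallies imuxsock's "lost N messages from pid P" lines per PID, sums them, and reports whether a given rsyslog configuration leaves the limit at the default, raises it, or disables it. The sample log lines are constructed (the first two are the ones quoted above, the rest add a second process); the defaults it prints are rsyslog's documented 5 seconds / 200 messages.

```shell
#!/bin/sh
# Added example, not from the original post: tally the messages imuxsock dropped
# per process, and report what a given rsyslog configuration does about rate
# limiting. Sample lines are constructed; the first two are the ones quoted above.

SAMPLE_LOG='Feb 26 10:03:55 mirrors rsyslogd-2177: imuxsock begins to drop messages from pid 85417 due to rate-limiting
Feb 26 10:03:57 mirrors rsyslogd-2177: imuxsock lost 82 messages from pid 85417 due to rate-limiting
Feb 26 10:04:10 mirrors rsyslogd-2177: imuxsock lost 15 messages from pid 85417 due to rate-limiting
Feb 26 10:05:01 mirrors rsyslogd-2177: imuxsock lost 300 messages from pid 9001 due to rate-limiting'

lost_by_pid() {
    # stdin: syslog lines (e.g. grep imuxsock /var/log/messages)
    # stdout: "<pid> <messages lost>" per process, largest loss first
    awk '/imuxsock lost [0-9]+ messages from pid [0-9]+/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "lost") n = $(i + 1)
                if ($i == "pid")  p = $(i + 1)
            }
            lost[p] += n
         }
         END { for (p in lost) print p, lost[p] }' | sort -k2,2nr
}

total_lost() {
    # stdin: syslog lines; stdout: total dropped messages (0 if none)
    lost_by_pid | awk '{ s += $2 } END { print s + 0 }'
}

ratelimit_state() {
    # stdin: rsyslog.conf (legacy $-directive syntax, as in the post)
    # stdout: "disabled", "default" (5 s / 200 msgs), or "interval=<s> burst=<n>"
    awk '/^[ \t]*[$]SystemLogRateLimitInterval[ \t]+[0-9]+/ { i = $2 }
         /^[ \t]*[$]SystemLogRateLimitBurst[ \t]+[0-9]+/    { b = $2 }
         END {
             if (i == "0")                print "disabled"
             else if (i == "" && b == "") print "default"
             else print "interval=" (i == "" ? 5 : i) " burst=" (b == "" ? 200 : b)
         }'
}

# Demo on the constructed sample: which PID lost how much, and the total.
printf '%s\n' "$SAMPLE_LOG" | lost_by_pid
printf '%s\n' "$SAMPLE_LOG" | total_lost
```

Feed it the real file (grep imuxsock /var/log/messages | lost_by_pid) and the real configuration (cat /etc/rsyslog.conf | ratelimit_state); a PID that loses hundreds of messages per interval needs a higher burst, while a configuration that reports "disabled" deserves a second look, because nothing then stops one process from drowning out the rest.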

Last updated 2019-02-26 08:16:41, tagged 「pid rsyslog mirrors due imuxsock」; 320 readers so far.
