このコンテンツは選択した言語では利用できません。
4.79. kexec-tools
An updated kexec-tools package that adds one enhancement is now available for Red Hat Enterprise Linux 5.
The kexec-tools package contains the /sbin/kexec binary and utilities that together form the user-space component of the kernel's kexec feature. The /sbin/kexec binary facilitates a new kernel to boot using the kernel's kexec feature either on a normal or a panic reboot. The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel.
Enhancement
- BZ#772164
- Kdump on Xen HVM guests is now enabled in Red Hat Enterprise Linux 5.7 as a Technology Preview. Performing a local dump to an emulated (IDE) disk using an Intel 64 Hypervisor with an Intel CPU is the only supported implementation. Note that the dump target must be specified in the /etc/kdump.conf file.
All users of kexec-tools are advised to upgrade to this updated package, which adds this enhancement.
An updated kexec-tools package that resolves three security issues, fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kexec-tools package contains the
/sbin/kexec binary and utilities that together form the user-space component of the kernel's kexec feature. The /sbin/kexec binary facilitates a new kernel to boot using the kernel's kexec feature either on a normal or a panic reboot. The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel.
Security Fixes
- CVE-2011-3588
- Kdump used the
SSH(Secure Shell)StrictHostKeyChecking=nooption when dumping to SSH targets, causing the target kdump server's SSH host key not to be checked. This could make it easier for a man-in-the-middle attacker on the local network to impersonate the kdump SSH target server and possibly gain access to sensitive information in thevmcoredumps. - CVE-2011-3589
- The mkdumprd utility created
initrdfiles with world-readable permissions. A local user could possibly use this flaw to gain access to sensitive information, such as the private SSH key used to authenticate to a remote server when kdump was configured to dump to an SSH target. - CVE-2011-3590
- The mkdumprd utility included unneeded sensitive files (such as all files from the
/root/.ssh/directory and the host's private SSH keys) in the resulting initrd. This could lead to an information leak wheninitrdfiles were previously created with world-readable permissions. Note: With this update, only the SSH client configuration, known hosts files, and the SSH key configured via the newly introduced sshkey option in/etc/kdump.confare included in the initrd. The default is the key generated when running theservice kdump propagatecommand,/root/.ssh/kdump_id_rsa.
Red Hat would like to thank Kevan Carstensen for reporting these issues.
Bug Fixes
- BZ#678308
- On certain hardware, the kexec kernel incorrectly attempted to use a reserved memory range, and failed to boot with an error. This update adapts the underlying source code to determine the size of a backup region dynamically. As a result,
kexecno longer attempts to use the reserved memory range, and boots as expected. - BZ#682359
- The
mkdumprdutility lacked proper support for using VLAN devices over a bond interface. Consequently, the network could not be correctly set up in the kexec kernel and Kdump failed to capture a core dump. This update modifiesmkdumprdso it now provides full support for configuring VLAN devices over a bond interface. Kdump now successfully dumps thevmcorefile to a remote machine in such a scenario. - BZ#759006
- A bug in the
mkdumprdcaused Kdump to be unable to bring up a network interface card (NIC) if a NIC configuration file, such as/etc/sysconfig/network-scripts/ifcfg-eth0, did not contain a default gateway. When sending thevmcorefile over a network using theSSHorNFSprotocol, any attempt to bring the NIC up failed with the following error:ifup: option with empty value "gateway"
Consequently, the connection to the remote machine could not be established and Kdump failed to dump thevmcorefile. With this update, mkdumprd performs a check whether the default gateway is specified and thus avoids adding an empty gateway into the/etc/kdump.conffile. Thevmcorefile is now successfully dumped to a remote machine. - BZ#760844
- A bug in
mkdumprdcaused Kdump to be unable to bring up a bridge device when its slave device was renamed in the kexec kernel. When sending thevmcorefile over a bridged network, any attempt to bring the bridge device up failed with a similar error:ifup: Ignoring unknown interface eth2
Consequently, the connection to the remote machine could not be established and Kdump failed to dump thevmcorefile. This update modifiesmkdumprdto search for the correct slave device names in NIC configuration files instead of using the old names. Kdump over a bridged network now works as expected. - BZ#761048
- Certain storage devices, such as HP Smart Array 5i controllers using the
CCISSdriver, are known to be non-resettable in the kexec kernel. Therefore, when such a device was selected as a dump target, any attempt to dump a core file on it caused the kexec kernel to become unresponsive. This update modifiesmkdumprdto check whether the target device is resettable. If the target device is non-resettable, then Kdump will not start and the kexec kernel no longer hangs under these circumstances. - BZ#761336
- The
mkdumprdutility was unable to handle errors returned by themakedumpfilecommand if the command was piped with other commands. Therefore, when sending a core dump file over a network using the SSH protocol andmakedumpfilefailed, the system rebooted immediately instead of dropping to the shell. This update allowsmkdumprdto catch return codes of piped commands so that Kdump now fails right after amakedumpfilefailure and the system drops correctly to the shell. - BZ#765702
- The
mkdumprdutility did not properly handle renaming of NIC devices in the kexec kernel. Therefore, when sending a core dump using a VLAN device over a bond interface, Kdump displayed various error messages related to VLAN device names. This update modifiesmkdumprdso it now works with VLAN device names correctly. - BZ#781907
- The
mkdumprdutility did not handle NFS unmount failures correctly. Therefore, when dumping a core over theNFSprotocol and a test attempt to unmount an NFS export failed,mkdumprdremoved all files from this NFS export. This update correctsmkdumprdso that it only removes empty NFS exports and no data loss occurs under these circumstances.
Enhancements
- BZ#668706
- The
mkdumprdutility lacked support for theXFSfile system, and therefore Kdump failed to capture the vmcore dump file on XFS file systems. This update backports support for theXFSfile system from Red Hat Enterprise Linux 6 so Kdump now creates core dumps onXFSfile systems as expected. - BZ#690678
- This update adds a new option for the
mkdumprdutility,blacklist. This option allowsmkdumprdto prevent specified kernel modules from being loaded into the kexec kernel. - BZ#715531
- With this update, the
mkdumprdutility supports static route configuration so that Kdump is now able to dump thevmcorefile to a remote machine over a network with static routing. - BZ#719384
- The
mkdumprdutility has been modified to recognize and supportiSCSIdevices so that iSCSI devices can now be specified as a dump target. - BZ#743217
- Kdump on Xen HVM guests is now enabled in Red Hat Enterprise Linux 5.8 as a Technology Preview. Performing a local dump to an emulated (IDE) disk using an Intel 64
Hypervisorwith an Intel CPU is the only supported implementation. Note that the dump target must be specified in the/etc/kdump.conffile.
All users of kexec-tools are advised to upgrade to this updated package, which resolves these security issues, fixes these bugs and adds these enhancements.
