KVM Meltdown/Spectre Outage

Resolved Posted by Michael Keller on January 12, 2018
Outage start Wednesday, January 17, 2018 8 a.m.
Expected end Wednesday, January 17, 2018 6 p.m.

Dear Chameleon Users,

2018-01-17 UPDATE: The maintenance has been completed. Thank you again for your patience and understanding, as we not only gave you late notice but also had to reschedule on short notice.

With these updates we have secured the hosts that KVM instances run on against both the Spectre and Meltdown exploits. However, this does not protect your instances themselves from being exploited by either of these. To protect them, you will need to follow the guidelines from the developers of the Linux distribution you are using.

Finally, you will need to restart any previously running containers. If you notice any issues in doing so, please do not hesitate to open a ticket with us so that we can investigate further.

UPDATE: Due to severe weather, the University of Texas is closed today. We are postponing this outage to tomorrow, January 17th, 2018. Thank you.

    As you have most likely heard, two exploits were announced last week that take advantage of vulnerabilities in a host’s processor: Meltdown, which affects Intel and ARM-based CPUs, and Spectre, which affects Intel, AMD, and ARM CPUs.

    Thankfully, even though our KVM-based deployment of OpenStack on Chameleon uses Intel processors, one instance hosted there would not be able to gain access to data on another using either of these exploits. KVM, the hypervisor running your instances on the physical host, has not been named as one of the hypervisors affected by these attacks.

    Our underlying hosts, however, are still exploitable, as are your individual instances, should a bad actor gain access to them. To protect our underlying hosts from attackers who may be using the Meltdown exploit, we will need to take downtime on January 16th, 2018, beginning at 8:00 AM CST, to apply the necessary patches.

    During this downtime your instances will not be available and will need to be restarted once it is completed.  We understand and apologize for the short notice and inconvenience that this will cause.

    Lastly, these patches will not also be applied to your instances. You will need to apply the patches to your instances on your own, and we recommend you do so quickly. They can be applied by updating the Linux kernel running on your instance to the latest version.