virtualisation and amd and intel speculative execution security bugs
if you want to use the amd and intel microcode updates that mitigate the “branch target injection” (aka meltdown and spectre) defects in their CPUs, you may want to patch your host and enable hypervisor-assisted guest mitigation so virtual machine guests can use them too
- Hypervisor-Specific Mitigation
- Hypervisor-Assisted Guest Mitigation
- Operating System-Specific Mitigations
vmware player 3.x just does not work with a linux 3.2 kernel (such as that used by xubuntu 12.x) so try virtualbox 4.1 instead
# aptitude install virtualbox
The TurnKey Linux Hub (AWS console replacement) lets you bypass most of the security features of AWS, enabling you to get up and running on Amazon AWS much quicker.
Which HyperVisor do OVH VPS Cloud VMs use ? KVM, VMware or Xen ?
I don't know ! But the output of lspci suggests it's VMware (Server) !
00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge (rev 01)
00:01.0 PCI bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge (rev 01)
00:07.0 ISA bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev 08)
00:07.1 IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01)
00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 08)
00:07.7 System peripheral: VMware Virtual Machine Communication Interface (rev 10)
00:0f.0 VGA compatible controller: VMware SVGA II Adapter
00:10.0 SCSI storage controller: LSI Logic / Symbios Logic 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI (rev 01)
00:11.0 PCI bridge: VMware PCI bridge (rev 02)
00:15.0 PCI bridge: VMware PCI Express Root Port (rev 01)
00:18.7 PCI bridge: VMware PCI Express Root Port (rev 01)
02:00.0 Ethernet controller: Intel Corporation 82545EM Gigabit Ethernet Controller (Copper) (rev 01)
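One way to make that reading of the lspci output repeatable, as an added example that is not part of the original post: count the devices that carry a hypervisor vendor's name and report the best match. The helper names guess_hypervisor and sample_lspci are hypothetical, and the Virtio/QEMU/Qumranet and Xen patterns are assumptions about how KVM and Xen guests usually label their devices; the result is a hint, since the hypervisor controls what the guest sees.

```shell
#!/bin/sh
# Added example, not from the original post. guess_hypervisor and
# sample_lspci are hypothetical helper names.

# Read `lspci` text on stdin and print "<guess> <matching device count>".
# Only vendor-branded virtual devices count as evidence. The Intel
# 440BX/PIIX4 lines describe an emulated chipset and name no hypervisor
# vendor, so on their own they give "unknown 0".
guess_hypervisor() {
    awk '
        /VMware/               { vmware++ }
        /Virtio|QEMU|Qumranet/ { kvm++ }
        /Xen/                  { xen++ }
        END {
            best = "unknown"; n = 0
            if (vmware > n) { best = "vmware"; n = vmware }
            if (kvm > n)    { best = "kvm";    n = kvm }
            if (xen > n)    { best = "xen";    n = xen }
            print best, n
        }'
}

# The lspci lines quoted in the post, embedded so the check runs offline.
sample_lspci() {
    cat <<'EOF'
00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge (rev 01)
00:01.0 PCI bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge (rev 01)
00:07.0 ISA bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev 08)
00:07.1 IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01)
00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 08)
00:07.7 System peripheral: VMware Virtual Machine Communication Interface (rev 10)
00:0f.0 VGA compatible controller: VMware SVGA II Adapter
00:10.0 SCSI storage controller: LSI Logic / Symbios Logic 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI (rev 01)
00:11.0 PCI bridge: VMware PCI bridge (rev 02)
00:15.0 PCI bridge: VMware PCI Express Root Port (rev 01)
00:18.7 PCI bridge: VMware PCI Express Root Port (rev 01)
02:00.0 Ethernet controller: Intel Corporation 82545EM Gigabit Ethernet Controller (Copper) (rev 01)
EOF
}

# On a live guest, run: lspci | guess_hypervisor
sample_lspci | guess_hypervisor
```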
Just in the process of moving all my web hosting to OVH VPS cloud VMs and thought it’d be useful to document how to turn a vanilla OVH VPS into a personal multi-site webhost !
- use OVH control panel to replace debian with centos
- add a user
- disable root ssh login
- restart sshd
- disable/uninstall unnecessary services such as smartmontools yum-updatesd
- yum check-update
- run system-config-security
- yum install redhat-lsb
- rpm install rpmforge-release
- yum install fail2ban
- replace sendmail with postfix (unless you like sendmail)
- install LAMP (inc httpd,mod_ssl and PHP 5.3.3)
- secure mysql (change root pwd and delete guest accounts & dbs)
- chkconfig httpd and mysqld on
- yum install perl-Crypt-SSLeay perl-Net-SSLeay
- yum install webalizer
- install webmin
- secure webmin (change user & port)
- install virtualmin
- enable https
- disable virtualhost mail handling (unless you're not using goog apps)
- install rrdtools
- install webmin systemstats
- create virtual hosts
- scp public_html tgz and mysql sql dumps from old webhost
- untar tgz and mysql < sql
- change DNS ip addresses from old webhost to new webhost
- wait 1 min !
- check new site is running !
How can i ever tell ?
Q. is there a changelog for the microcode?
A. No, if Intel change their minds and release it we’ll post it here.
Q. what errata are fixed with microcode version X?
A. see the first question….
just started to try bytemark kvm web hosting and it's looking good so far
the bytemark kvm lets me reboot and choose between centos or ubuntu distros and the single core virtual cpu seems to be quicker than my old physical dual core atom !
if it keeps going well i might even finally replace vmware server with kvm on all my servers