Issue date: 2014-10-28
1. What's Included in This Update
This update includes a new Virtuozzo Containers for Linux 4.7 kernel (2.6.32-042stab094.7) based on the Red Hat Enterprise Linux 6.5 kernel (2.6.32-431.29.2.el6). The new kernel introduces stability and security fixes.
2. Bug Fixes
A vulnerability in the RHEL6-based kernel, discovered during an internal security audit, could allow access to the host filesystem from inside a Container. Only the kernels from 2.6.32-042stab057.1 to 2.6.32-042stab093.5 are affected. A kernel update is highly recommended. (#PSBM-29594)
The inactive memory reclaimer algorithm has been corrected to avoid possible process "freezes" of up to several seconds when plenty of free RAM is still available. (#PSBM-28058)
The "xt_string" netfilter kernel module could fail to load automatically if requested from inside a Container. (#PSBM-28358)
Network traffic from Containers with configured traffic shaping could be delayed significantly after massive outgoing traffic from the parent Hardware Node. This could happen if the BANDWIDTH parameter set for Hardware Node's physical interfaces was lower than their actual bandwidth. (#PSBM-28459)
CPU usage could be reported incorrectly inside a Container by "top" if the Container had the CPULIMIT parameter set to less than the number of virtual CPUs assigned to the Container, multiplied by 100. (#PSBM-28500)
Several system controls like "net.ipv4.conf.XXX.disable_policy" were not preserved during Container online migration. (#PSBM-28501, OVZ#2965)
High disk I/O inside Containers could lead to a hard lockup of the Hardware Node. (#PSBM-28680)
The use of locking primitives has been corrected in the code that dumps connection tracking structures in order to avoid possible kernel panics during Container checkpointing operations. (#PSBM-28841)
Under certain circumstances, network connections in a Container could malfunction for several minutes if the Container belonged to a private network and was migrated online to another Hardware Node. (#PSBM-28881)
A memory leak could be triggered by a wrong path in the "fs inotify" code. (#PSBM-28969, OVZ#3068)
The "systemd-212" package failed to work inside a Container due to the absence of the CLOCK_BOOTTIME feature. The "systemd-212" package is used by default in Arch Linux based Containers. (#PSBM-29019, OVZ#2937)
A race between a Container checkpointing operation and entering a Container with "vzctl enter" could lead to a kernel panic. (#PSBM-29067, OVZ#2895)
Under certain conditions, backing up a VZFS-based Container could lead to a freeze of the filesystem hosting the Container private area and blocking of the I/O operations to that filesystem. (#PSBM-29171)
A memory leak in the IPv4 protocol could delay Container restart. (#PSBM-29405, OVZ#2672)
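To check whether a Hardware Node runs a kernel in the range affected by #PSBM-29594, the following sketch classifies a kernel release string against the bounds stated above. It is an added example, not vendor code; the function names are hypothetical, and it assumes the release string has the form 2.6.32-042stabNNN.M as reported by "uname -r".

```shell
#!/bin/sh
# Added example, not vendor code. Classifies a kernel release string against
# the affected range given for #PSBM-29594:
#   2.6.32-042stab057.1 .. 2.6.32-042stab093.5 (inclusive).

# Strip leading zeros so "094" is never treated as an octal number.
strip_zeros() {
    n=${1#"${1%%[!0]*}"}
    printf '%s\n' "${n:-0}"
}

# Print "MAJOR MINOR" for 2.6.32-042stabMAJOR.MINOR; return 1 otherwise.
vz_stab_parse() {
    case $1 in
        2.6.32-042stab*.*) ;;
        *) return 1 ;;
    esac
    rest=${1#2.6.32-042stab}
    major=${rest%%.*}
    tail=${rest#*.}
    minor=${tail%%[!0-9]*}      # drop anything after the minor digits
    case $major in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1
    printf '%s %s\n' "$(strip_zeros "$major")" "$(strip_zeros "$minor")"
}

# Exit status: 0 = inside the affected range, 1 = outside it,
# 2 = not a 2.6.32-042stab kernel (cannot be classified).
vz_kernel_affected() {
    parsed=$(vz_stab_parse "$1") || return 2
    maj=${parsed% *}
    min=${parsed#* }
    { [ "$maj" -gt 57 ] || { [ "$maj" -eq 57 ] && [ "$min" -ge 1 ]; }; } &&
    { [ "$maj" -lt 93 ] || { [ "$maj" -eq 93 ] && [ "$min" -le 5 ]; }; }
}

# Classify the running kernel when the script is executed on a node.
rc=0
vz_kernel_affected "$(uname -r)" || rc=$?
case $rc in
    0) echo "AFFECTED: $(uname -r) is in 042stab057.1..042stab093.5" ;;
    1) echo "not in the affected range: $(uname -r)" ;;
    2) echo "not a 2.6.32-042stab kernel: $(uname -r)" ;;
esac
```

A newly installed kernel only takes effect after the node boots into it, so run the check against "uname -r" again after the reboot.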
3. Obtaining the Update
You can download and install the update using the vzup2date utility included in the Virtuozzo Containers for Linux 4.7 distribution set.
Copyright (c) 1999-2014 Parallels IP Holdings GmbH and its affiliates. All rights reserved.