Article ID: 5519, created on Aug 4, 2008, last review on May 10, 2014

Applies to: Virtuozzo containers for Linux


Synopsis:          New Parallels Virtuozzo Containers 4.0 kernel provides
                   security updates, driver updates, and some other important
Issue date:        2008-07-28
Product:           Parallels Virtuozzo Containers 4.0
Keywords:          security updates, driver updates, stability fixes

This document provides information on the new Virtuozzo Containers 4.0 kernel,
version 2.6.18-028stab057.2.

(c) Parallels, 2008. All rights reserved.



1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List



1. About This Release

The current update for the Virtuozzo Containers 4.0 kernel provides a new kernel
based on the Red Hat 5 kernel (2.6.18-92.1.1.el5). The updated kernel includes a
number of security updates, driver updates, and important stability fixes.



2. Updates Description

The updated Virtuozzo Containers 4.0 kernel includes fixes for the following
security vulnerabilities, which were fixed in the Red Hat kernels
2.6.18-53.1.21.el5 through 2.6.18-92.1.1.el5:

  - Race condition in the ptrace and utrace support in the Linux kernel allowed
    local users to cause a denial of service (kernel crash) via a long series of
    PTRACE_ATTACH ptrace calls to another user's process.
    (CVE-2008-2365, Important)

  - On AMD64 architectures, the possibility of a kernel crash was discovered by
    testing the Linux kernel process-trace ability. This could allow a local
    unprivileged user to cause a denial of service (kernel crash).
    (CVE-2008-1615, Important)

  - On 64-bit architectures, the possibility of a timer-expiration value
    overflow was found in the Linux kernel high-resolution timers functionality,
    hrtimer. This could allow a local unprivileged user to set a large interval
    value, forcing the timer expiry value to become negative, causing a denial
    of service (kernel hang). (CVE-2007-6712, Important)

  - The possibility of a kernel crash was found in the Linux kernel IPsec
    protocol implementation, due to an improper handling of fragmented ESP
    packets. When an attacker controlling an intermediate router fragmented
    these packets into very small pieces, it would cause a kernel crash on the
    receiving node during the packets reassembly. (CVE-2007-6282, Important)

  - A potential denial of service attack was discovered in the Linux kernel PWC
    USB video driver. A local unprivileged user could use this flaw to bring the
    kernel USB subsystem into the busy-waiting state, causing a denial of
    service. (CVE-2007-5093, Low)
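To tell whether a Hardware Node is still exposed to the vulnerabilities listed above, a defender has to compare the running kernel release with 2.6.18-028stab057.2. The following Python script is an added example, not part of the original advisory or of Parallels' tooling; it assumes that the 028stabNNN.N release numbering is monotonic (a later release carries every fix of an earlier one) and that `uname -r` on a Virtuozzo node starts with that release string, possibly followed by a flavour suffix. The sample `uname -r` values and host names are constructed.

```python
import re

# Release that ships the fixes described in this advisory (from the page).
FIXED_RELEASE = "2.6.18-028stab057.2"

# CVEs the advisory lists as fixed in this release, with the severity it gives.
FIXED_CVES = {
    "CVE-2008-2365": "Important",  # ptrace/utrace race, local DoS
    "CVE-2008-1615": "Important",  # AMD64 process-trace crash
    "CVE-2007-6712": "Important",  # hrtimer expiry overflow, local hang
    "CVE-2007-6282": "Important",  # fragmented ESP packets, remote crash
    "CVE-2007-5093": "Low",        # PWC USB video driver busy-wait
}

# Assumption: Virtuozzo releases look like <base>-<stab>stab<build>.<rev>,
# optionally followed by a flavour suffix that we ignore.
_RELEASE_RE = re.compile(
    r"^(?P<base>\d+\.\d+\.\d+)-(?P<stab>\d{3})stab(?P<build>\d{3})\.(?P<rev>\d+)"
)


def parse_release(release):
    """Split a Virtuozzo kernel release string into comparable integers.

    '2.6.18-028stab057.2' -> ((2, 6, 18), 28, 57, 2)

    Raises ValueError for strings that are not Virtuozzo kernel releases
    (for example a stock RHEL kernel), so a caller never silently treats an
    unknown kernel as patched.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError("not a Virtuozzo kernel release: %r" % release)
    base = tuple(int(x) for x in m.group("base").split("."))
    return (base, int(m.group("stab")), int(m.group("build")), int(m.group("rev")))


def is_patched(running, fixed=FIXED_RELEASE):
    """True when the running release is the fixed one or a later one.

    Assumption (stated in the lead-in): release numbers are monotonic, so a
    later release contains every fix of an earlier release.
    """
    return parse_release(running) >= parse_release(fixed)


def missing_fixes(running):
    """CVEs from this advisory that the running kernel does not contain."""
    if is_patched(running):
        return {}
    return dict(FIXED_CVES)


def assess_nodes(uname_by_host):
    """Map host -> unfixed CVEs; unparsable releases are flagged, not ignored."""
    report = {}
    for host, uname in uname_by_host.items():
        try:
            report[host] = missing_fixes(uname)
        except ValueError as err:
            report[host] = {"UNKNOWN": str(err)}
    return report


if __name__ == "__main__":
    # Constructed sample inventory; on a real node use the output of `uname -r`.
    sample = {
        "node-a": "2.6.18-028stab053.14",   # older stab release, still exposed
        "node-b": "2.6.18-028stab057.2",    # exactly the advisory release
        "node-c": "2.6.18-92.1.1.el5",      # stock RHEL kernel, not Virtuozzo
    }
    for host, result in sorted(assess_nodes(sample).items()):
        print(host, "OK" if not result else result)
```

Nodes that report `UNKNOWN` are not running a Virtuozzo kernel at all and should be looked at by hand rather than counted as patched.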

The updated Virtuozzo Containers 4.0 kernel includes fixes for the following

  - [ia64]: Suspending a Container could fail due to an incorrect handling of
    the execve() error code on the ia64 architecture.

  - [CPT]: An online migration could fail if a process inside a Container being
    migrated used inotify events on a symlink. The online migration of such a
    Container could terminate numerous processes on the source Node (by means of
    the SIGTERM signal) and fail with the following message:
    "CPT ERR: ffff81004a07a000,1024 :rst_inotify: -22".

  - [CPT]: Requests for opening a socket could be restored incorrectly during
    the online migration.

  - [CPT]: UDP sockets could be bound to a wrong port after the online

  - [CPT]: A kernel crash could happen during an online migration if the
    Container being migrated contained a process that had a big file (>2Gb)
    opened for write only and that file had been already deleted from the

  - The CPU time could be distributed unfairly (not according to the CPUUNITS
    parameters) in case the Hardware Node ran a few Containers only.

  - Modern ccNUMA AMD servers could run with degraded performance due to
    architecture-specific latencies.

  - The modification time of memory mapped files was not updated in time, which
    could lead to skipping such files during an incremental backup. This issue
    concerned particularly the Containers running the IBM DB2 software.

  - The xinetd service failed to start inside a SLES-based Container due to the
    inability to check the status of a /proc/<PID>/exe entry for a zombie
    process. The failure was accompanied with the following message:
    "Starting INET services. (xinetd)startproc: cannot stat /proc/1432/exe:
     Permission denied                                                  failed".

  - An application could fail to allocate memory due to an incorrect heap rlimit
    calculation in case the randomize_va_space sysctl was enabled.

  - [ppc64]: A kernel crash could occur on a Container start due to a missed
    page table entry memory allocation check.

  - The /proc/user_beancounters permissions were shown incorrectly as
    "r--r--r--" for a file that was readable by the root user only.

  - The sys.ipv4.conf.default sysctl did not have any effect inside a Container.

  - A kernel crash could occur if a Container was started before the conntrack
    modules were loaded and 'iptstate' was executed inside the Container.

  - /proc/stat reported the non-virtualized btime (boot time), which sometimes
    confused the tools that used that value to calculate process times.

  - Chkrootkit produced false alerts about "hidden" processes inside a

  - The vzlist utility did not work in case the venet module was not loaded.

  - /var/log/cron inside a Container contained the following audit error
    "crond[18233]: System error
     crond[18233]: CRON (root) ERROR: failed to open PAM security session:
                   Connection refused
     crond[18233]: CRON (root) ERROR: cannot set security context".

  - Writing data in parallel into several memory mapped files located on an NFS
    partition could result in data corruption.

  - An unsuccessful attempt to stop a Container could lead to a socket leakage
    followed by never-ending messages:
    "unregister_netdevice: waiting for lo to become free. Usage count = 3".

  - [SLM]: Locked pages were accounted twice by the SLM code.

  - [SLM]: The "--meminfo=none" vzctl option did not disable the Container's
    memory information virtualization in case the SLM modules were loaded.
    Disabling memory information virtualization is useful for Containers running
    Oracle software as the latter checks for swap presence.

  - I/O priorities did not work well if all the Containers ran each only one
    process that actively used the disk subsystem.

  - Processes consuming 100% of the CPU could appear if the "tcpsndbuf" limit
    was exceeded. Such a process left its busy loop only when a signal was sent
    to it, for example, when there was an attempt to strace the process.

  - The traffic accounting statistics could not be reset without a Hardware Node

  - The kernel.vzprivrange and kernel.ve_allow_kthreads sysctls could be
    invisible in the /proc/sys/kernel/ directory if something accessed
    /proc/sys/kernel before Virtuozzo Containers 4.0 started.

  - The I/O statistics available via /proc/bc/CTID/ioacct could report more
    "read" bytes than were actually read by the Container.

  - The quota tools inside a 32-bit Container based on old templates (e.g.
    redhat-as3) and running on a 64-bit Hardware Node could report incorrect

  - [NFS]: A directory listing on an NFS partition took an extremely long time
    to complete in case there were other processes writing to the same

  - A kernel crash could happen in do_uncharge_dcache() while turning on the
    precise dcache accounting.

  - Some applications could crash inside a Container based on the RedHat 7.3
    template because they were not aware of the kernel address space
    randomization feature. The kernel.randomize_va_space sysctl has been
    virtualized to provide the ability to switch off this feature for affected
Besides, the new Virtuozzo Containers 4.0 kernel includes the following

  - The kernel has been re-based on the 2.6.18-92.1.1.el5 Red Hat kernel.

  - [CPT]: The checkpointing code has been enhanced to support an iterative
    online migration of shared memory.

  - [CPT]: A check for the required iptables modules being loaded on the
    destination Node has been added to the migration code along with a proper
    error message. Before this enhancement, the online migration failed for lack
    of certain iptables modules with the following message:
    "CPT ERR: ffff810020153000,250 :iptables-restore exited with 1".

  - [CPT]: A check for 'slm_dmprst' being loaded on both the source and
    destination Nodes has been added to the migration code along with a proper
    error message. Before this enhancement, the online migration failed for lack
    of this module with the following message:
    "vzctl : Can't undump: Channel number out of range".

  - The binfmt_misc capability has been virtualized, which makes it possible to
    install Sun Java 1.6.0 inside a Container without the postinstall script
    failing to configure the binfmt_misc wrapper.

  - The sysfs 'mem' class and some of its devices (null, zero, full, random,
    urandom) have been virtualized, which makes it possible to run 'udevd'
    inside a Container based on the Ubuntu 8.04 template.

  - An empty /proc/devices file has been added to a Container to avoid
    /sbin/MAKEDEV's warning: "can't read /proc/devices".

  - The NFSv2 support has been disabled in favor of NFSv3.

We highly recommend that all Parallels Virtuozzo Containers 4.0 users update
their kernel to the latest version.



3. Bugs Fixed

The following bugs from the previous release have been fixed in the new
Virtuozzo Containers 4.0 kernel:

- #99018:  [ia64]: execve() returns positive error codes on ia64 arch.

- #96464:  [CPT]: inotify on symlinks should be restored after online migration.

- #95113:  [CPT]: open socket requests are not restored correctly after an
           online migration.

- #99542:  [CPT]: temporary files should be created with O_LARGEFILE flag during
           checkpointing and restore process.

- #93544:  CPUUNITS parameter influence is very weak in case only a few
           Containers are on the Hardware Node.

- #98868:  Modern ccNUMA AMD servers do not perform as expected.

- #82009:  The kernel mistakenly returns -EACCES on accessing a
           /proc/<pid>/<any> symlink for a zombie process instead of -ENOENT.

- #99599:  binfmt_misc capability should be virtualized.

- #114887: /proc/stat reports non-virtualized btime.

- #99897:  'udevd' does not start inside a Container based on Ubuntu 8.04.

- #112588: Asynchronous audit netlink message handling produces errors during
           PAM authorization.

- #114565: Data corruption on mmaped file over NFS filesystem.

- #75822:  Raw sockets leak leads to unregister_netdevice() failure.

- #114720: NFSv2 support should be disabled.

- #114684: [SLM]: locked pages are accounted twice.

- #111516: [SLM]: "--meminfo=none" vzctl option does not work if SLM is enabled.

- #98276:  I/O priorities do not work well for single readers.

- #112103: An endless loop is possible while waiting for TCPSNDBUF memory if
           timeout is not specified.

- #111468: A memory leak in venet_acct_set_base() leads to inability to reset
           traffic network statistics.

- #112482: "kernel.vzprivrange" and "kernel.ve_allow_kthreads" are invisible
           in /proc/sys/kernel/.

- #111808: Value too high for "read" bytes in I/O accounting statistics.

- #95952:  [CPT]: diagnostics in case of iptables-restore failure should be

- #114312: [CPT]: A check if 'slm_dmprst' module is loaded should be added.

- #115752: Quota v2 (old) structures are not 32bit emulation aware.

- #116274: [NFS]: nfs_getattr() hang during heavy write workloads.

- #116095: A kernel crash in do_uncharge_dcache().

- #114847: /sbin/MAKEDEV: warning: can't read /proc/devices.

- #115336: kernel.randomize_va_space sysctl should be virtualized.

The following OpenVZ bugs have been fixed:

- #784: [CPT]: UDP sockets can be restored incorrectly after online migration.

- #491: Incorrect heap rlimit calculation caused by a bug in exec shield code.

- #680: [ppc64]: The return code from do_pte_alloc() is not checked.

- #782: /proc/user_beancounters permissions should be reported as "r--------".

- #826: Sysctl "sys.ipv4.conf.default" does not work inside a Container.

- #788: An oops in netlink conntrack module if conntrack modules were loaded
        after the Container start.

- #828: /proc/stat reports non-virtualized btime.

- #736: getpriority() syscall should not work with 'real' pids if called from
        inside a Container.

- #394: /proc/vz/veinfo should be available even if 'venet' module is not



4. Obtaining New Kernel

You can get this kernel update in one of the following ways:

- You can download and install the update by using the vzup2date utility
  included in the Parallels Virtuozzo Containers 4.0 distribution set.

- You can download the update from



5. Installing New Kernel

To install the update, you should perform the following operations:

I. Use the "rpm -ivh" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-2.6.18-028stab057.2.i686.rpm \
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
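The warning in step I can be verified mechanically: capture the kernel package inventory before and after the install and confirm that the new kernel was added while every previously installed kernel survived (an "rpm -Uvh" by mistake would have removed them). The following Python checker is an added example, not part of the advisory or of the Virtuozzo distribution; it assumes the kernel package is named vzkernel and that the inventory comes from `rpm -q vzkernel` (one name-version-release per line, possibly with an arch suffix). The sample inventories are constructed.

```python
# Name-version-release of the kernel this advisory ships (from the page).
NEW_KERNEL = "vzkernel-2.6.18-028stab057.2"


def parse_rpm_q(output):
    """Turn `rpm -q vzkernel` output into a set of installed package strings.

    rpm prints 'package vzkernel is not installed' when nothing matches; that
    line is not a package and is skipped.
    """
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("package ") and line.endswith("is not installed"):
            continue
        pkgs.add(line)
    return pkgs


def _is_new_kernel(pkg, new_kernel):
    # Exact match, or the same NVR followed by an arch suffix such as '.i686'.
    return pkg == new_kernel or pkg.startswith(new_kernel + ".")


def check_kernel_install(before, after, new_kernel=NEW_KERNEL):
    """Compare inventories captured before and after `rpm -ivh`.

    Returns a list of problems; an empty list means the install behaved as
    the advisory expects: the new kernel is present and no previously
    installed kernel disappeared.
    """
    before_set = parse_rpm_q(before)
    after_set = parse_rpm_q(after)
    problems = []
    if not any(_is_new_kernel(p, new_kernel) for p in after_set):
        problems.append("new kernel %s is not installed" % new_kernel)
    removed = before_set - after_set
    if removed:
        problems.append("previously installed kernels were removed: %s"
                        % ", ".join(sorted(removed)))
    return problems


if __name__ == "__main__":
    # Constructed samples; on a real node run `rpm -q vzkernel` before and
    # after the install and feed the two outputs in.
    before = "vzkernel-2.6.18-028stab053.14\n"
    after_ok = "vzkernel-2.6.18-028stab053.14\nvzkernel-2.6.18-028stab057.2\n"
    after_bad = "vzkernel-2.6.18-028stab057.2\n"   # what an -U install leaves
    print("rpm -ivh:", check_kernel_install(before, after_ok) or "OK")
    print("rpm -Uvh:", check_kernel_install(before, after_bad))
```

Run the check before rebooting: if the previous kernel is gone there is no fallback entry for the boot loader to return to, and that is the moment to reinstall it, not after the reboot in step III.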



6. Required RPMs

Depending on the kind of processor on your Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:

- Enterprise:

- Enterprise with the 4GB split feature disabled:

x86_64 kernels:

- SMP:

ia64 kernel:



7. Reference List

The following references have been used in this document:









