Article ID: 8528, created on May 17, 2010, last review on May 2, 2014

  • Applies to:
  • Virtuozzo containers for Linux 4.0

Release notes

Synopsis:         New Parallels Virtuozzo Containers 4.0 kernel provides a
                           number of important stability fixes and security updates
                           and introduces a new feature.
Issue date:       2010-05-12
Product:            Parallels Virtuozzo Containers 4.0
Keywords:        'stability fixes' 'security updates' 'NFSd virtualization'
                           'bridges virtualization' 'IO scheduler'


This document provides information on the new Virtuozzo Containers 4.0 kernel,
version 2.6.18-028stab069.5.

Copyright © 1999-2010 Parallels Holdings, Ltd. and its affiliates. All rights


1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List



The current update for the Virtuozzo Containers 4.0 kernel provides a new kernel
based on the new Red Hat Enterprise (RHEL) 5 kernel (2.6.18-194.3.1.el5). The
updated kernel includes a number of important security and stability fixes from
the RHEL kernel. It also adds support for using NFSd and bridges in Containers
and provides some improvements in the IO scheduler implementation.



The updated Virtuozzo Containers 4.0 kernel includes fixes for the following
security vulnerabilities (including those that were fixed in the
2.6.18-194.3.1.el5 Red Hat kernel):

- A race condition was found in the mac80211 implementation, a framework
  used for writing drivers for wireless devices. An attacker could trigger
  this flaw by sending a Delete Block ACK (DELBA) packet to a target system,
  resulting in a remote denial of service.
  Note: This issue only affected users on 802.11n networks who also use
  the iwlagn driver with Intel wireless hardware. (CVE-2009-4027, Important)

- A flaw was found in the gfs2_lock() implementation. The GFS2 locking code
  could skip the lock operation for files that have the S_ISGID bit
  (set-group-ID on execution) in their mode set. A local, unprivileged user
  on a system that has a GFS2 file system mounted could use this flaw to
  cause a kernel panic. (CVE-2010-0727, Moderate)

- A divide-by-zero flaw was found in the ext4 file system code. A local
  attacker could use this flaw to cause a denial of service by mounting a
  specially-crafted ext4 file system. (CVE-2009-4307, Low)

- A flaw was found in the Unidirectional Lightweight Encapsulation (ULE)
  implementation. A remote attacker could send a specially-crafted ISO
  MPEG-2 Transport Stream (TS) frame to a target system, resulting in an
  infinite loop (denial of service). (CVE-2010-1086, Important)

- On AMD64 systems, it was discovered that the kernel did not ensure the
  ELF interpreter was available before making a call to the SET_PERSONALITY
  macro. A local attacker could use this flaw to cause a denial of service by
  running a 32-bit application that attempts to execute a 64-bit application.
  (CVE-2010-0307, Moderate)

- A flaw was found in the kernel connector implementation. A local,
  unprivileged user could trigger this flaw by sending an arbitrary number
  of notification requests using specially-crafted netlink messages,
  resulting in a denial of service. (CVE-2010-0410, Moderate)

- A divide-by-zero flaw was found in the azx_position_ok() function in the
  driver for Intel High Definition Audio, snd-hda-intel. A local,
  unprivileged user could trigger this flaw to cause a kernel crash (denial
  of service). (CVE-2010-1085, Moderate)

The updated Parallels Virtuozzo Containers 4.0 kernel also includes fixes for
the following issues:

- The fnic driver flushed the Rx queue instead of the Tx queue after fabric
  login. This could cause crashes in some cases. (BZ#580829)

- On some systems, "kernel unaligned access" warnings were logged to the dmesg
  log. (BZ#580832)

- The error "Northbridge Error, node 1, core: -1 K8 ECC error" could occur on
  systems using the amd64_edac driver. (BZ#580836)

- In rare circumstances, when using kdump and booting a kernel with
  "crashkernel=128M@16M", the kdump kernel did not boot after a crash.

- TLB page table entry flushing was done incorrectly on IBM System z,
  possibly causing crashes, subtle data inconsistency, or other issues.

- iSCSI failover times were slower than in Red Hat Enterprise Linux 5.3.

- Fixed the floating point state corruption after a signal. (BZ#580841)

- In certain circumstances, under heavy load, certain network interface
  cards using the bnx2 driver and configured to use MSI-X, could stop
  processing interrupts, and then network connectivity would cease.

- cnic parts resets could cause a deadlock when the bnx2 device was
  enslaved in a bonding device and that device had an associated VLAN.

- AMD Magny-Cours systems panicked when booting a 32-bit kernel.

This update also includes fixes for the following Virtuozzo issues:

- The IO scheduler needed improvement to provide better fairness and
  performance in certain circumstances.

- Posix CPU timers could stop working after migration.

- The IPv6 netfilter ULOG rule could save the information in logs on the
  Hardware Node instead of saving it inside Containers.

The new kernel also introduces the following features:

- The ability to use kernel NFS servers inside Containers. To allow a Container
  to host an NFS server, you need to turn on the "nfsd" feature with the vzctl

- The ability to create and manage bridge devices inside Containers.

We highly recommend that all Parallels Virtuozzo Containers 4.0 users update
their kernel to the latest version.
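
To check whether a Hardware Node already runs the kernel described in this
document or a later build of the same branch, the version string can be compared
against 2.6.18-028stab069.5. The script below is an added example, not part of
the original release notes or of the Virtuozzo tools. It assumes that kernel
versions have the form <base>-<branch>stab<build>.<minor> with an optional
suffix; the names vz_parse and vz_check are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original release notes.
# Assumption: Virtuozzo kernel versions look like
#   <base>-<branch>stab<build>.<minor>[suffix]   e.g. 2.6.18-028stab069.5
FIXED="2.6.18-028stab069.5"   # kernel version named in this document

# Print "<base> <branch> <build> <minor>" with leading zeros stripped so the
# fields compare as decimal numbers, or nothing if the string does not match.
vz_parse() {
    printf '%s\n' "$1" | sed -n \
's/^\([0-9][0-9.]*\)-0*\([0-9][0-9]*\)stab0*\([0-9][0-9]*\)\.0*\([0-9][0-9]*\).*$/\1 \2 \3 \4/p'
}

# Classify a kernel version against FIXED:
#   patched  - same base and branch, build.minor at or above the fixed one
#   outdated - same base and branch, older build
#   unknown  - not a Virtuozzo version, or a different base or branch
vz_check() {
    cur=$(vz_parse "$1")
    ref=$(vz_parse "$FIXED")
    [ -n "$cur" ] || { echo unknown; return 0; }
    set -- $cur $ref          # $1..$4 = current fields, $5..$8 = fixed fields
    if [ "$1" != "$5" ] || [ "$2" -ne "$6" ]; then
        echo unknown
    elif [ "$3" -gt "$7" ] || { [ "$3" -eq "$7" ] && [ "$4" -ge "$8" ]; }; then
        echo patched
    else
        echo outdated
    fi
}

# Check the running kernel, or a version given as the first argument.
vz_check "${1:-$(uname -r)}"
```

A result of "unknown" means the version cannot be compared with this release and
has to be checked against the release notes of its own kernel branch.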


The following bugs from the previous release have been fixed in the new
Virtuozzo Containers 4.0 kernel:

 #469043: Unsynced VZFS inode's mode after updating ACL attributes.

 #469152: Adding veth interfaces screws up udevsettle.

 #469576: ip6tables rule logs are saved at the Hardware Node level.

 #473302: Bonding in 802.3ad mode does not work with kernels > 64.7.

 #474699: ITIMER_VIRTUAL & ITIMER_PROF timers stop work after migration.

 #457443: Errors after changing the CPU affinity for migration threads.

 #465930: Failed backups with ATI may leave Containers in "locked" state.



You can download and install this kernel update using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.



To install the update, do the following:

I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-2.6.18-028stab069.5.i686.rpm \
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new



Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:

- Enterprise:

- Enterprise with the 4GB split feature disabled:

x86_64 kernels:

- SMP:


