update/security: Upgrade kernel on scaleway machines

Open luhenry opened this issue 1 year ago • 1 comments

With the recent GhostWrite attack, we need to update the kernels on our RISC-V machines hosted at Scaleway. The steps are documented at https://www.scaleway.com/en/docs/bare-metal/elastic-metal/reference-content/elastic-metal-rv1-guidelines/#update-the-kernel

That kernel update will also allow us to completely disable support for vector on these machines, both for security reasons (as it's the source of the attack in question) and because the vector instructions available on these machines implement an unratified version of the Vector spec (not 1.0.0).

cc @sxa

luhenry avatar Aug 20 '24 15:08 luhenry

To reiterate, in the Scaleway console the Eclipse Adoptium user is not able to access the more info page of the test-rise machines to be able to boot them into rescue mode. Awaiting the required permissions.

Haroon-Khel avatar Aug 27 '24 11:08 Haroon-Khel

Upgrade process has not been successful, so we should look at reprovisioning and re-running ansible on the machines instead of upgrading the existing ones.

sxa avatar Nov 13 '24 17:11 sxa

I've set up https://ci.adoptium.net/computer/test-rise-ubuntu2404-riscv64-1X/ as the first reprovisioned node.

root@test-rise-ubuntu2404-riscv64-1X:~# uname -r
5.10.113-scw1

Old node:

root@test-rise-ubuntu2404-riscv64-7:~# uname -r
5.10.113+

Haroon-Khel avatar Jan 06 '25 11:01 Haroon-Khel

The test-ubuntu2404 machines have been reinstalled. Their kernels have been upgraded to 5.10.113-scw1.

Haroon-Khel avatar Jan 08 '25 17:01 Haroon-Khel

Closing this as the kernel upgrades have been done; all that's left is to update the inventory file: https://github.com/adoptium/infrastructure/pull/3859

Haroon-Khel avatar Jan 13 '25 16:01 Haroon-Khel