Comments
In numbers... I don't think so.
I canceled all my VZ6 boxes because I can't trust its security given there's no patches.
Nothing deadly out yet, but when there is there won't be a patch.
Anyone selling OpenVZ 6 today or have not started migrations to KVM or OpenVZ 7 should be avoided.
Well, you can run it, for sure, but if something spawns outside, you better hide.
Reminds me, when I ran Syncthing on OVZ 6, it crashed the entire node on boot, gg.
Best to avoid any providers offering OVZ6 - if they haven't moved to OVZ7 or KVM/XEN yet then I would question their service (security/updates/support etc).
OpenVZ 6 is EOL, and shouldn't be used in production.
https://wiki.openvz.org/Releases
There are still providers who sell vps resource pools that are still on OVZ 6. Should they be avoided?
Yes.
Do you want to put your data on an unpatched server?
A simple fact that you had to ask this makes me a really sad @Panda(Jord).
I know a stupid question @Panda(Jord). I figured the answer was stay away. Don't know why I asked in the first place. Reckon I'm just having one of those days! Ugh!!!!
ps. Sorry I made you sad @Panda(Jord)!
No, it is not secured at all; you should try some other host.
Congrats on your first comment
I wouldn't use ovz6 for anything other than testing..
deleted
Nonsense.
I'll reword that then.
"Why would you choose a host using unsupported software for multi tenant virtualization?"
Hosts selling OpenVZ 6 today are deliberately risking their customers' data. Hosts who haven't started their migration yet are risking a rushed migration or their customers' data - when a major vulnerability comes out.
It is dangerous. Hosts still on OpenVZ 6 without migrations in progress are doing it for two possible reasons: saving a small amount of $ on shuffling hardware, and time. Skimping on either on something like this isn't a mark of a good host.
There are still people using OVZ 5 nodes without problems.
These security discussions are always kind of cringey to read imo. 99% of the comments are just people saying stuff they have 0 understanding of because anyone can tell you things are not secure. If it's connected to the internet it will never be secure. That doesn't really answer the question.
Another annoying thing lazy Google commandos do is post some security vulnerability they found by spending 5 seconds doing a search without really understanding the implications. Again, it's not based on any sort of expertise or deep understanding.
And of course you have the reasoning "why even take a chance" as justification. Again, doesn't answer the question of if something is secure and/or how secure and is one of the laziest responses possible, most likely coming from someone who is too lazy to take the time to understand any of it themselves.
You are ALWAYS taking a chance just by connecting something to the internet. I am not claiming to be an expert but my approach is quite different and based on what I have read from a cross-section of actual security experts who truly understand what 'security' means. I am running old stuff a lot of people will tell you not to run because there are dragons and scary stuff booga booga. The difference is that I took the time to understand the implications, assessed the risk based on my usage profile, and in many cases implemented my own security fixes as needed. So I don't live in fear of the unknown like a lot of people because I took the time and put in the effort to understand.
Excluding conjecture, what is your reason to suggest a multi tenant environment using unsupported virtualization is safe enough to sell today?
We aren't talking about what you run in your lab, we're talking about actual sales to actual customers.
I don't have to explain anything. Since you want to know perhaps you can explain your particular usage scenario. I didn't even mention anything about selling anything.
Neither of those matter when the scenario being discussed is selling VPS to customers.
I didn't mention anything about selling anything. What I do and what you do may be completely different things.
This whole thread is about providers selling VPS using OpenVZ 6. If you didn't pick up on that you might want to go back and re-read the whole thing.
Specifical> @jackb said:
I could have sworn the OP said "is it still safe". My bad.
It's ok to be wrong sometimes.
To which I replied:
2.6.32 kernel has already been EOL upstream since March 2016: https://lkml.org/lkml/2016/3/12/78. Some fixes have been backported by Red Hat but I don't think there's any guarantee that they all have. I think 3.10 (which OpenVZ7 uses) is also EOL now too though, lol. RHEL still backports some fixes, which I guess is what they're relying on.
They are most likely using KernelCare, which still keeps them up to date.
Interesting... I didn't realise KernelCare still patches EOL'd kernel versions.
Still... Linux 2.6 is literally the same age as Windows XP. Even with newer security patches, it's still missing a lot of features of newer kernel versions.
Irrelevant.
What is the question? Seems to me the question is "what can we do to make things as secure as possible?"
...which you possess? Though later you say you don't, so...
I'm happy to admit that I am not a security pro. But I know enough that using unpatchable, out of date software is a mistake. This is because I don't know the code perfectly. If I knew the code backwards and forward, that would be a different story. But in this case I don't, no one does, and you certainly don't either.
Bullshit. You're arguing that unless someone has read all of /usr/src and knows it perfectly to the point that they can guarantee to themselves that there's no security bugs, they're "too lazy to take the time".
LOL...so you are maintaining OVZ 5 or 6 with your own security patches?
We're not talking about some WordPress theme that you've touched up when there's a TimThumb bug.
Your attitude is nonsensical. You're too studly to upgrade but you're not an expert. But you've implemented your own security fixes and done your own analysis because you're an expert. Booga booga indeed.
Who are these "actual security experts" who'd advise running out of date, unpatchable software? All the ones I've read advise keeping your shit patched up. Where do you think best practices like that come from? Answer: actual security experts.
Ironically, doing the work of upgrading systems to OVZ 7 sounds a lot less lazy to me than "assessing the risk based on my usage profile" and saying you don't need to upgrade.
Yes, following similar logic people are using here, OVZ 7 is also already obsolete in a lot of ways and they should all immediately cancel their servers and move to KVM or whatever. This is what I would call perpetual software upgrade rat race logic and how newer versions are supposedly always better because....bigger number.
I guess there is an Alpha or Beta kernel for OVZ 8 or whatever they decide to call it, which presumably will be based on CE8, but they haven't said anything about a roadmap for that.
I am really sour on OVZ in general right now because they never created an upgrade path from OVZ 6 to OVZ 7. I am not talking about a migration path. I am talking about an in-place upgrade of existing servers. It would have been entirely possible to create an upgrade script for that. By doing so they could have retained a lot of existing users/potential customers, like me, if they did that. I doubt they will have an in-place upgrade path from 7 to 8 either.
Not sure about KVM on CE6 but pretty sure if you are running KVM on CE7 you will be able to do an in place update to CE8.