[Beowulf] RHEL7 kernel update for L1TF vulnerability breaks RDMA

John Hearns hearnsj at googlemail.com
Sat Aug 18 22:11:16 PDT 2018


Rather more seriously, this is a topic which is well worth discussing.
What are best practices on patching HPC systems?
Perhaps we need a separate thread here.

I will throw in one thought, which I honestly do not want to see happening.
I recently took a trip to Bletchley Park in the UK. On display there was an
IBM punch card machine and sample punch cards. Back in the day one prepared
a 'job deck' which was collected by an operator in a metal hopper then
wheeled off to the mainframe. You did not ever touch the mainframe. So
effectively an air gapped system. A system like that would in these days
kill productivity.
However, should there be 'virus checking' of executables before they are
run on compute nodes?
One of the advantages lauded for Linux systems is of course that anti-virus
programs are not needed.

Also I should ask - in the jargon of anti-virus is there a 'signature' for
any of these exploit codes? One would guess that bad actors copy the
example codes already published and use these almost in a cut and paste
fashion. So the signature would be tight loops repeatedly reading or
writing to the same memory locations. Can that be distinguished from
innocent code?










On Sun, 19 Aug 2018 at 05:59, John Hearns <hearnsj at googlemail.com> wrote:

>
> *To patch, or not to patch, that is the question:*
> Whether 'tis nobler in the mind to suffer
> The loops and branches of speculative execution,
> Or to take arms against a sea of exploits
> And by opposing end them. To die—to sleep,
> No more; and by a sleep to say we end
> The heart-ache and the thousand natural shocks
> That HPC is heir to: 'tis a consummation
> Devoutly to be wish'd. To die, to sleep
>
> On Sun, 19 Aug 2018 at 02:31, Chris Samuel <chris at csamuel.org> wrote:
>
>> On Sunday, 19 August 2018 5:19:07 AM AEST Jeff Johnson wrote:
>>
>> > With the spate of security flaws over the past year and the impacts their
>> > fixes have on performance and functionality it might be worthwhile to just
>> > run airgapped.
>>
>> For me none of the HPC systems I've been involved with here in Australia would
>> have had that option.  Virtually all have external users and/or reliance on
>> external data for some of the work they are used for (and the sysadmins don't
>> usually have control over the projects & people who get to use them).
>>
>> All the best,
>> Chris
>> --
>>  Chris Samuel  :  http://www.csamuel.org/  :  Melbourne, VIC
>>
>>
>>
>> _______________________________________________
>> Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
>> To change your subscription (digest mode or unsubscribe) visit
>> http://www.beowulf.org/mailman/listinfo/beowulf
>>
>