FreeNAS 11.1 uses a pre-built rancheros image to implement its "DockerVm" function, but it is not user upgradeable as recognised in bug #27484 report. This is supposedily fixed for release in FreeNAS 11.1-U1, but the fix looks to have hardcoded booting a new rancheros pre-built image with the kernel/initrd for v.1.1.2. So the issue remains, what happens as newer rancheros versions are released?
Why would you deploy a solution for a linux VM which is not user upgradeable and no user action can be taken on the usual security advisories? And just to prove the point along comes "Meltdown".
24 Hrs, before the CRD, rancher labs have released ranchros v.1.1.3 today which bumps the kernel to 4.9.75 in repsonse to CVE-2017-5754 (Meltdown) (see: https://github.com/rancher/os/releases)
I believe the issue stems from the limitations of booting rancheros from grub-bhyve. The rancheros img (or iso) does not use grub, it use syslinux. But grub-bhyve can boot the rancherso image by using a grub.cfg that makes direct referrence to the kernel and initrd used in the rancheros image. The user can upgrade the rancheros from within the vm but this has no affect on re-boot as the grub.cfg is fixed to point to the old version's kernel & initrd.
If rancheros versions < 1.1.3 are now inherently insecure, should anyone be using it at all right now?
Why would you deploy a solution for a linux VM which is not user upgradeable and no user action can be taken on the usual security advisories? And just to prove the point along comes "Meltdown".
24 Hrs, before the CRD, rancher labs have released ranchros v.1.1.3 today which bumps the kernel to 4.9.75 in repsonse to CVE-2017-5754 (Meltdown) (see: https://github.com/rancher/os/releases)
I believe the issue stems from the limitations of booting rancheros from grub-bhyve. The rancheros img (or iso) does not use grub, it use syslinux. But grub-bhyve can boot the rancherso image by using a grub.cfg that makes direct referrence to the kernel and initrd used in the rancheros image. The user can upgrade the rancheros from within the vm but this has no affect on re-boot as the grub.cfg is fixed to point to the old version's kernel & initrd.
If rancheros versions < 1.1.3 are now inherently insecure, should anyone be using it at all right now?