Governor-MySQL, MySQL and MariaDB packages moved to stable

Governor-MySQL 1.0-83, MySQL and MariaDB packages moved from Beta to Updates repository.

Changelog:

Governor-MySQL 1.0-83

  • Fixed conflict with compat-MySQL51-shared;
  • Fixed conflict with compat-MySQL50-shared.
To update run:

yum update governor-mysql

To install, follow: http://docs.cloudlinux.com/index.html?installation3.html

Updated MySQL(5.0.96, 5.1.73, 5.5.41, 5.6.22) and MariaDB(5.5.40, 10.0.15, 10.1.2) packages moved from Beta to Updates repository.

Beta: mod_lsapi 0.1-95

mod_lsapi 0.1-95 is available from our updates-testing repository.

Changelog:

mod_lsapi 0.1-95
  • Client get_body enhancements;
  • Backends won't be killed on APACHE2_4 restart;
  • Selfstarter kill detection added;
  • Config merge for VirtualHosts bugfix;
  • lsapi_selfstarter option removed;
  • lsapi_backend_children changed to 80;
  • Starter pid log output added;
  • sulsphp_log location for DA changed;
  • selfstarter mode always enabled;
  • Log request_rec on send_request error;
  • lsapi_do_request redesign;
  • lsphp response code used;
  • PHP error pages displayed;
  • Fatal error log processed correctly;
  • Fix 500 Internal server error on 200 Ok page;
  • 30x codes processing added.
To update
cPanel:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ yum update cpanel-mod-lsapi --enablerepo=cloudlinux-updates-testing

DirectAdmin:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ cd /usr/local/directadmin/custombuild
$ ./build update
$ ./build mod_lsapi

RPM based:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ yum update mod_lsapi --enablerepo=cloudlinux-updates-testing

More info:
http://docs.cloudlinux.com/index.html?installation_mod_lsapi.html

Beta: Governor-MySQL updated

Governor-MySQL 1.0-80 is available from our updates-testing repository.

Changelog:

Governor-MySQL 1.0-80

  • Added fix for MariaDB 10.0-devel package (error appeared on cPanel EasyApache rebuild);
  • Added detection of mysql55w.
To update run:

$ yum update governor-mysql --enablerepo=cloudlinux-updates-testing
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install

To install, follow: http://docs.cloudlinux.com/index.html?installation3.html

Alt-PHP updated

Updates for alt-php are moved to our production channels.

Changelog:
To update run:

yum groupupdate alt-php

Beta: lvemanager updated

New updates for our LVE Manager (version 0.8-1.47.15) are available from our beta repository.

Changelog:

lvemanager 0.8-1.47.15

  • LVEMAN-258: CPU resources were limited for your site message, even when CPU limit was not hit.
To update run:

yum update lvemanager --enablerepo=cloudlinux-updates-testing

Bugfix release: OptimumCache 0.2-16

New version of OptimumCache 0.2-16 with usability improvements is available.

Changelog:

OptimumCache 0.2-16

‘occtl --mark-dir…’ and ‘occtl --check...’ commands are now queued as background jobs via ‘batch’ to minimize workload. This works because atd/batch takes a command from the queue for execution only when the system load average drops below a certain value. To see what has been queued, use the standard atd commands ‘atq -q b’ and ‘at -c <job id>’.

A fix was added to prevent flooding client syslog with 'Csum differ for ...Write collision' message.

To update run:

# yum update optimumcache --enablerepo=cloudlinux-updates-testing

New CL5 kernel with fix for CVE-2014-9322

New kernel 2.6.18-498.el5.lve0.8.80 is available for CloudLinux 5.x

Changelog:
  • Fix for CVE-2014-9322
To update:
$ yum install kernel-2.6.18-498.el5.lve0.8.80

If you use KernelCare - patch will be ready in production by tomorrow morning. If you want to test the patch now, you can do it by running:
$ kcarectl --update --test

CL6 / Hybrid kernel update 2.6.32-531.29.2.lve1.3.11.1 fixes CVE-2014-9322

New kernel for CL6/Hybrid available for stable channel. The kernel fixes local privilege escalation vulnerability CVE-2014-9322. Everyone is recommended to update.

Changelog:
  • Fix for CVE-2014-9322
  • Fix in memory management should improve NFS performance
To update CL6 servers run:
$ yum install kernel-2.6.32-531.29.2.lve1.3.11.1.el6

To update hybrid servers run:
$ yum install kernel-2.6.32-531.29.2.lve1.3.11.1.el5h

The KernelCare patch that fixes the CVE-2014-9322 issue has been released. If you would like to get a KernelCare subscription, you can order it from your cln.cloudlinux.com account.

KernelCare local privilege escalation patch for PCS/OpenVZ/CL6/CL5h/CentOS6/RHEL6 CVE-2014-9322

This update includes a patch for the CVE-2014-9322 vulnerability. I am sorry about the unusual delay with this patch. This patch was the most complex patch we have seen so far. It was in assembler code, while most patches are in C. It was altering how interrupt handlers work. It is highly unusual, and there were no such security patches in the past 3 years. We had to add special handling to our patch generation software to accommodate that, and it took a significant amount of time to get there. While we started more than 24 hours before (4 days ago) any vendors released updated kernels, it is only now that we have a working patch. From now on we should be able to handle such patches with ease.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.



You can manually update the server by running:
# /usr/bin/kcarectl --update


CVEs: CVE-2014-9322, CVE-2014-6410, CVE-2012-6657, CVE-2014-5471, CVE-2014-5472


Details:
  • CVE-2014-9322 x86: local privesc due to bad_iret and paranoid entry incompatibility
    A flaw was found in the way the kernel handled GS segment register base switching when recovering from a #SS (stack segment) fault on an erroneous return to user space. A local, unprivileged user could use this flaw to escalate their privileges on the system.
  • CVE-2012-6657 net: guard tcp_set_keepalive against crash
    It was found that the kernel's networking implementation did not correctly handle the setting of the keepalive socket option on raw sockets. A local user able to create a raw socket could use this flaw to crash the system.
  • CVE-2014-5471 isofs: unbound recursion when processing relocated directories
    It was found that the parse_rock_ridge_inode_internal() function of the kernel's ISOFS implementation did not correctly check relocated directories when processing Rock Ridge child link (CL) tags. An attacker with physical access to the system could use a specially crafted ISO image to crash the system or, potentially, escalate their privileges on the system.
  • CVE-2014-5472 isofs: unbound recursion when processing relocated directories
    It was found that the parse_rock_ridge_inode_internal() function of the kernel's ISOFS implementation did not correctly check relocated directories when processing Rock Ridge child link (CL) tags. An attacker with physical access to the system could use a specially crafted ISO image to crash the system or, potentially, escalate their privileges on the system.

  • CVE-2014-6410 udf: Avoid infinite loop when processing indirect ICBs
    A stack overflow flaw caused by infinite recursion was found in the way the Linux kernel's Universal Disk Format (UDF) file system implementation processed indirect Information Control Blocks (ICBs). An attacker with physical access to the system could use a specially crafted UDF image to crash the system.

KernelCare CVE-2014-9322 patch

Update: The patch has been released on Dec 18, 2014 at 1pm ET. You can read more about it here: http://www.cloudlinux.com/blog/clnews/kernelcare-local-privilege-escalation-patch-for-pcsopenvzcl6cl5hcentos.php

We have received numerous requests for the CVE-2014-9322 patch. Right now we are running burn-in tests that should finish in a few hours. This patch was the most complex patch so far. It was in assembler code, while most patches are in C, and it was altering how interrupt handlers work. It is highly unusual, and there were no such security patches in the past 3 years. We had to add special handling to our patch generation software to accommodate that, and it took a significant amount of time to get there. While we started more than 24 hours before (4 days ago) any vendors released updated kernels, it is only now that we have a working patch. From now on we should be able to handle such patches with ease.

If you want to test the patch now, please run the following (there is a slight chance of a crash, as the burn-in tests are yet to finish):
$ kcarectl --update --test

Or wait -- and within next 2-6 hours your system should get updated.

Bugfix release: OptimumCache 0.2-15

New version of OptimumCache 0.2-15 comes out with performance fixes and usability improvements.

Changelog:

OptimumCache 0.2-15

‘occtl --mark-dir…’ and ‘occtl --check...’ commands are now limited in resource consumption, thanks to LVE. Default limits are: 5MB/s for IO and 50% of one CPU core. To override those, one can edit appropriate settings in /etc/sysconfig/optimumcache:

# occtl --mark-dir or --check operations IO limit, MB/s, default is 5 MB/s
# OCCTL_LVE_IO_LIMIT=5

# occtl --mark-dir or --check operations %cpu limit, default is 50% of one CPU core
# OCCTL_LVE_SPEED_LIMIT=50

# Lve ID to associate limits with
# LVEID=5

To ignore these limits, just supply the command with switch ‘--no-lve-limits’ like:

occtl --mark-dir /home --recursive --no-lve-limits

Due to the limits, the execution time of these commands will scale accordingly. Thus, the best way to start them is via ‘nohup’:

nohup occtl --mark-dir /home --recursive &

To update run:

# yum update optimumcache --enablerepo=cloudlinux-updates-testing

Beta: Alt-PHP updated

New updates for Alt-PHP are available for beta channel.

Changelog:
  • alt-php*-ioncube-loader updated to 4.7.2;
  • alt-php*-phalcon updated to 1.3.4;
  • add PEAR packages: Net_Socket, Auth_SASL, Net_SMTP 44 & alt-php 51.
To update run:
$ yum groupupdate alt-php --enablerepo=cloudlinux-updates-testing

Bugfix release: OptimumCache 0.2-14

New version of OptimumCache 0.2-14 is available from our updates-testing repository. New OptimumCache is a bugfix release to address stability and memory consumption issues that were detected on some deploys.

Changelog:

OptimumCache 0.2-14
  • fixed up excessive memory usage for ‘occtl --check’ and really big ‘/home/’, ‘/home1/’, ‘/home2’... directory. Memory consumption will not grow during the tool invocation;
  • cannot create ploop image on first install problem fixed;
  • crash due to signal SIGBUS caught problem fixed;
  • added skipmask to ignore files under /home2, /home3 etc.
The mask to exclude from cache all hidden files was added:

# occtl --list-skip-mask
id  tag            regex
----------------------------------
1   all_dot_files  /\...*
2   cpanel         ^/home/cPanelInstall
3   cpanel         ^/home/cpeasyapache
4   cpanel         ^/home/aquota
5   cpanel         ^/home/jailshell
6   cpanel         ^/home/[^/]+/mail$
7   cpanel         ^/home/[^/]+/mail/.*
8   cpanel         ^/home/[^/]+/logs$
9   cpanel         ^/home/[^/]+/logs/.*
10  cpanel         ^/home/[^/]+/\.cpanel$
11  cpanel         ^/home/[^/]+/\.cpanel/.*
12  cpanel         ^/home/[^/]+/\.cagefs
13  cpanel         ^/home/[^/]+/\.cagefs/.*
14  cpanel         ^/home/virtfs
15  cpanel         ^/home/virtfs/.*
16  home_special   ^/home/\..+
17  quota          ^/home/quota.user$
To update run:

# yum update optimumcache --enablerepo=cloudlinux-updates-testing

Beta: MySQL-Governor 1.0-78 with MariaDB 10.1.1

New version of MySQL Governor with MariaDB support is available from our beta repository. New version adds new MariaDB 5.5.40 support:

Changelog:
  • added support for MariaDB 10.1;
  • fixed error with iolimit for CL5;
  • added resetting of statistics on restrict;
  • fixed dbuser map file for DA error;
  • updated MariaDB55 up to 5.5.40.
To update

$ yum update governor-mysql --enablerepo=cloudlinux-updates-testing
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install

To install, follow: http://docs.cloudlinux.com/index.html?installation3.html

To switch to MariaDB 10.1
$ /usr/share/lve/dbgovernor/db-select-mysql --mysql-version=mariadb101
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install-beta

MariaDB packages were updated to 5.5.40 with a fix for decreasing LA when huge MyISAM tables are used. To install the new MariaDB 5.5.40, use these commands:

$ /usr/share/lve/dbgovernor/db-select-mysql --mysql-version=mariadb55
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install-beta

KernelCare support for Debian 7 added

Debian 7 (64bit) was added to the list of supported Linux distributions.
We now support:
RHEL/CentOS 5, 6 & 7
CloudLinux 5, 6, 5hybrid
Debian 6, 7

We plan to add Ubuntu support in the next few weeks.

Beta: CL6/Hybrid kernel 2.6.32-531.29.2.lve1.3.11

New beta kernel for CL6/Hybrid is available. This kernel fixes an issue with memory manager that should significantly improve NFS performance on systems with large number of LVEs.

Changelog:
To install new kernel run:

To update CL6 servers:
yum install kernel-2.6.32-531.29.2.lve1.3.11.el6 lve-kmod-1.3-11.el6 --enablerepo=cloudlinux-updates-testing

To update Hybrid servers:
yum install kernel-2.6.32-531.29.2.lve1.3.11.el5h lve-kmod-1.3-11.el5h --enablerepo=cloudlinux-hybrid-testing

Beta: lvemanager updated

New updates for our LVE Manager (version 0.8-1.47.12) are available from our beta repository.

Changelog:

LVE Manager 0.8-1.47.12

  • LVEMAN-278: icon added for "Select PHP Version" option in Paper Lantern theme on new installation of CPanel 11.46;
  • LVEMAN-275: "Select PHP Version" option is available on new installation of CPanel 11.46;
To update run:

yum update lvemanager --enablerepo=cloudlinux-updates-testing

Beta: liblve updated

New update for liblve (version 1.3-1.4) is available from our beta repository. The fix solves the problem of creating unnecessary extra threads on CloudLinux 5.

Changelog:

liblve 1.3-1.4
  • Fix creation of unnecessary threads on CL5.
To update run:
$ yum update lve liblve liblve-devel --enablerepo=cloudlinux-updates-testing

File Cache with OptimumCache


OptimumCache (currently in beta) is a component that handles duplicate files so that they are loaded just once from the filesystem cache. By doing that, the system bypasses disk IO, significantly improving the speed of reading such a file while lowering the load on the hard disk.

OptimumCache can run with or without ploop. Ploop is a disk block device that mounts an image file at /var/cache/optimumcache. Ploop is not available in kernel versions below lve 1.2.55, so on older kernels OptimumCache works without ploop. In this case cache files go directly into /var/cache/optimumcache/.

The ploop image file /var/share/optimumcache/optimumcache.image is mounted in /var/cache/optimumcache/, so the directory structure remains the same. The main advantage of ploop is that you can set its size, which won't be exceeded.

Usually the 'occtl --mark-dir /home --recursive' process takes a long time, as the major task is to go through all the files in the specified directory and its subdirectories, check the sha1sum of each of them and set the necessary attribute.

E.g.:

# sha1sum /home/cltest3/public_html/i.php
3dd4d2639a035a9c311b50bced7b711655360351 /home/cltest3/public_html/i.php

# getfattr -d -m pfcache /home/cltest3/public_html/i.php
trusted.pfcache="3dd4d2639a035a9c311b50bced7b711655360351"

The sha1 hash determines where the file is placed in the cache directory; in the example above it will be placed in
/var/cache/optimumcache/3d/d4d2639a035a9c311b50bced7b711655360351

(where the first two characters name the directory and the rest form the file name).

Files with the same content get the same sha1sum:

# sha1sum i.php
3dd4d2639a035a9c311b50bced7b711655360351 i.php

# cat i.php
<? phpinfo() ?>

# sha1sum m.php
3dd4d2639a035a9c311b50bced7b711655360351 m.php

which means that finally both will lead to the same cached file:

# cat /var/cache/optimumcache/3d/d4d2639a035a9c311b50bced7b711655360351
<? phpinfo() ?>



OptimumCache v0.2 uses automark. The attribute is set on the directory, so when a file is changed or a new file is created, the needed attribute is automatically assigned to it. To check whether automark works in a directory, run:

# getfattr -d -m pfcache /home/cltest3/public_html/
trusted.pfcache="auto"

There is a list of directories that do not work with mark/automark; you can check it via occtl --list-skip-mask. These are quota files, cPanel service files and user mail files.

To check cache use statistics run:

# optimumcache stat /home/
csums:   29576 (38.5%)
         fetched  uncached  cached
inodes:  76907    25416     51491 (67.0%)
size:    4171982  2751344   1420638 (34.1%)
RAM:     701648   85872     615776 (87.8%)

where:

csums - number of unique files (control sums); 38.5% is their percentage of the total file count (in /home);
fetched - number of records marked;
uncached - number of items not cached;
cached - number of items cached (with percentage).

Lower value of csums means higher amount of similar files, which means better performance.

Note: On live systems it is unlikely to reach a percentage lower than 25% due to the different files/CMS used, the amount of content uploaded by customers, the number of emails in mailboxes, etc.
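
The cache layout and the csums percentage described above can be reproduced offline on any directory tree. This Python code is an added example, not part of OptimumCache or the original post; the function names are hypothetical, the sample files are constructed, and it only reads files and never touches the real cache.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

CACHE_ROOT = "/var/cache/optimumcache"  # cache directory named in the post

def sha1_of(path, chunk=1 << 20):
    """Hex SHA-1 of a file's content, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def cache_path(digest, root=CACHE_ROOT):
    """First two hex characters name the directory, the other 38 the file."""
    if len(digest) != 40 or set(digest) - set("0123456789abcdef"):
        raise ValueError("not a lowercase hex SHA-1: %r" % digest)
    return os.path.join(root, digest[:2], digest[2:])

def scan(top):
    """Map each cache path to the regular files under `top` that share it."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets, FIFOs
            groups[cache_path(sha1_of(path))].append(path)
    return dict(groups)

def csums_ratio(groups):
    """(unique checksums, files, unique as % of files), like the csums line."""
    total = sum(len(paths) for paths in groups.values())
    return len(groups), total, (100.0 * len(groups) / total if total else 0.0)

def mark_matches(path):
    """For a regular file: True/False if trusted.pfcache equals the content
    hash; None if the attribute is absent or unreadable (trusted.* needs root)."""
    try:
        mark = os.getxattr(path, "trusted.pfcache").decode()
    except (OSError, AttributeError):
        return None
    return mark == sha1_of(path)

def demo():
    """Constructed sample tree: two identical PHP files and one unique file."""
    samples = {"i.php": b"<? phpinfo() ?>\n", "m.php": b"<? phpinfo() ?>\n",
               "index.html": b"<h1>hello</h1>\n"}
    with tempfile.TemporaryDirectory() as top:
        for name, body in samples.items():
            with open(os.path.join(top, name), "wb") as f:
                f.write(body)
        groups = scan(top)
        named = {k: sorted(os.path.basename(p) for p in v) for k, v in groups.items()}
    return named, csums_ratio(groups)

if __name__ == "__main__":
    print(demo())
```

Running `scan()` on a real home directory and sorting the groups by size shows which duplicated files account for most of the sharing; `mark_matches()` run as root flags files whose stored mark no longer matches their content.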

Find all the necessary information on OptimumCache here: http://docs.cloudlinux.com/index.html?optimumcache.html

Beta: mod_lsapi 0.1-85

New beta version of mod_lsapi (0.1-85) is now available from our updates-testing repository.

Changelog:
  • added creation of after_apache_make_install hook if not exists (cPanel rebuild issue);
  • added mod_lsapi rebuild to after_apache_make_install hook (cPanel rebuild issue);
  • 302 Moved Temporarily instead of 302 Found;
  • chrome 302 issue fix;
  • tmpfile and tmpnam removed (security issue).
To update run:

cPanel:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ yum update cpanel-mod-lsapi --enablerepo=cloudlinux-updates-testing

DirectAdmin:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ cd /usr/local/directadmin/custombuild
$ ./build update
$ ./build mod_lsapi

RPM based:
$ yum update liblsapi liblsapi-devel --enablerepo=cloudlinux-updates-testing
$ yum update mod_lsapi --enablerepo=cloudlinux-updates-testing

More info:
http://docs.cloudlinux.com/index.html?installation_mod_lsapi.html

Alt-php updated

A new release of alt-php has been uploaded to production channels.

Changelog:

To update run:

$ yum groupupdate alt-php

Bugfix release: OptimumCache 0.2-10

New version of OptimumCache 0.2-10 is available from our updates-testing repository. The new OptimumCache is a bugfix release, mainly to address performance issues that were detected on some deployments.

What is included in this release?

Fix for high CPU consumption issue

On some deployments, where the number of inodes on the mount point added for caching reached almost 2M, OptimumCache used to keep one CPU core busy at 100% load from time to time, with a timeout of 5s between usage peaks.

How to check number of inodes:

# df -i /home
Filesystem Inodes IUsed IFree IUse% Mounted on
/dev/mapper/sys3msT-root
52148272 1995531 28089086 7% /

At the very start OptimumCache may once again splash with 100% CPU core consumption for a number of seconds. Though, very soon those splashes will become rare, due to adaptive timeout, which will adjust itself to server load.

High IO fix

Eliminates superfluous fsync() calls in OptimumCache operations. To activate this fix in an existing installation, the flag NOIMMSYNC=1 has to be set manually in /etc/sysconfig/optimumcache.

To ensure that this parameter is set ON in the config, set LOGLEVEL=2 and execute ‘service optimumcache restart’. You will see something like this:

optimumcache[1770]: Hash-size: 100000000 min-size: 0 max-size: 18446744071562067968
optimumcache[1770]: Count: 0 Timeout: 5
optimumcache[1770]: Max Timeout: 160 Adaptive Timeout Mul/Div: 2/4
optimumcache[1770]: Iolimit: 0 iopslimit: 0
optimumcache[1770]: No immediate fsync: Yes
optimumcache[1771]: Starting OptimumCache monitor

To update run:

# yum update optimumcache --enablerepo=cloudlinux-updates-testing

Beta: OptimumCache updated

OptimumCache 0.2-9 released to updates-testing repository.

Changelog:

OptimumCache 0.2-9

  • workaround problem when unable to stop optimumcache on SIGTERM;
  • adaptive timeout to address problem of extensive CPU usage for FS with big inodes count (>2M);
  • fix for crash in 'optimumcache mount', when optimumcache_store line length exceeds 1024 stack buffer limit.
To update run:

# yum update optimumcache --enablerepo=cloudlinux-updates-testing
If IO wait is high on the server, add NOIMMSYNC=1 to /etc/sysconfig/optimumcache and restart optimumcache.

To install run:
# yum update optimumcache --enablerepo=cloudlinux-updates-testing

More information at: http://docs.cloudlinux.com/index.html?optimumcache.html

Beta: Alt-PHP updated

New updates for Alt-PHP are available for beta channel.

Changelog:

alt-php 44 & alt-php 51

  • build with memory-limit option;
alt-php


To update run:
$ yum groupinstall alt-php --enablerepo=cloudlinux-updates-testing

CL6/Hybrid kernel 2.6.32-531.23.3.lve1.3.6

New kernel for CL6/Hybrid available for stable channel. The kernel provides major updates and set of new features over lve-1.2. As such the version was increased to lve 1.3.x.

Changelog:
  • high precision CPU limits (precision of 1% of a core speed is possible);
  • IOPS limit support;
  • LVE/CageFS support by process name;
  • fixes for the issue with off by 1 load average introduced in previous beta kernel.
Put loadavg thread into interruptible sleep

To update CL6 servers run:
$ yum install kernel-2.6.32-531.23.3.lve1.3.6.el6 kmod-lve-1.3-6.el6

To update hybrid servers run:
$ yum install kernel-2.6.32-531.23.3.lve1.3.6.el5h kmod-lve-1.3-6.el5h
