vicidial.org

[simonc]

Hi Gardo,

Any way to update the kernel without affecting the vicidal , asterisk functionallity?

I have been able to update all centos outdated packages except the kernel. I tried it on a test server and it brakes dahdi , and extensions do not work.

Any help would be appreciated.

[williamconley]

After kernel updates, you must recompile the asterisk packages. Look at the "scratch install" instructions which download, compile, and install these packages ... you can skip the download, but you must recompile and reinstall them. There have also been several posts during which gardo has posted explicit instructions on this process.

However: continually updating your system is (IMHO) a bureaucratic time-wasting exercise. Once your Vicidial system is online and working, the only thing that should be upgraded is the Vicidial application (to gain new features or fix bugs). You'll not "gain" anything by updating/upgrading the OS upon which Vicidial runs. The purpose of the Vicidial system is to make calls according to the applications/scripts/data in Vicidial. Updating the OS has Zero impact on this mission. The only exception is if you are experiencing problems with said OS that require fixing. If you aren't, then you can expect that upgrading will eventually CAUSE problems that have to be fixed. LOL

[simonc]

Thank you for your input. Since everything is stable at the moment, i will leave it under the goautodial pre-compiled kernel.
Other than that, everything is working perfectly.

[gers55]

I have been running on a custom kernel with no major issues. Did you try

Code: Select all

depmod -a

and restart after loading kernel or alternatively do a start/stop on the server after loading kernel.

[williamconley]

running on a custom kernel isn't a problem. but it generally requires recompiling dahdi, among other things. so "chancing it" to get the new kernel (or see if it'll work) ... accomplishes what, exactly? LOL (Vicidial does not "run better" on a new kernel, the old one isn't rusty or anything ...).

I generally recommend kernel updates and other OS updates for those with nothing better to do than continually update their operating systems ... but that's just me.

[gardo]

You can safely update to the latest kernel. You just need to recompile DAHDI with 3 simple steps:

# cd /usr/src/dahdi
# make
# make install

Restart or reboot your server to make sure everything is working. Alternately you can just stop Asterisk and reload DAHDI then start Asterisk again.

No need to recompile anything else.

[williamconley]

And what is gained by this again? (latest kernel sounds cool, but ... why?)

[gardo]

Mostly security updates and other fixes.

[williamconley]

I'd love to hear what "security updates" are involved. LOL

IPtables supplies security, and the iptables schema is set by a restore command.

Apache is the other basic vulnerability, and the websites are generally what is vulnerable. And updating the kernel generally does not update apache.

If iptables is set to whitelist mode, I sincerely doubt a kernel update will have ANY impact on security. I can't speak to "other fixes", but security ... not likely.

But it will take time, and create a headache if recompiling fails or if one of the installed packages is not compatible with the new kernel (which has happened, if you update the kernel often enough).

[DomeDan]

http://lwn.net/Alerts/openSUSE/

openSUSE security alerts
Recent openSUSE security alerts
(596 alerts total)
ID Package Date
openSUSE-SU-2012:0845-1 accountservice 2012-07-06
openSUSE-SU-2012:0826-1 php5 2012-07-04
openSUSE-SU-2012:0827-1 opera 2012-07-04
openSUSE-SU-2012:0828-1 java 2012-07-04
openSUSE-SU-2012:0829-1 tiff 2012-07-04
openSUSE-SU-2012:0830-1 python-crypto 2012-07-04
openSUSE-SU-2012:0831-1 viewvc 2012-07-04
openSUSE-SU-2012:0832-1 kvm 2012-07-04
openSUSE-SU-2012:0833-1 clamav 2012-07-04
openSUSE-SU-2012:0834-1 krb5 2012-07-04
openSUSE-SU-2012:0835-1 puppet 2012-07-04
openSUSE-SU-2012:0812-1 kernel 2012-07-03
openSUSE-SU-2012:0813-1 chromium, v8 2012-07-03
openSUSE-SU-2012:0809-1 socat 2012-07-02
openSUSE-SU-2012:0799-1 kernel 2012-06-28
openSUSE-SU-2012:0787-1 python-httplib2 2012-06-25
openSUSE-SU-2012:0781-1 kernel 2012-06-22
openSUSE-SU-2012:0759-1 libvpx 2012-06-19
openSUSE-SU-2012:0760-1 mozilla 2012-06-19
openSUSE-SU-2012:0755-1 python-tornado 2012-06-18

3 of the latest 20 security updates is to the kernel.

we can check http://lwn.net/Search/DoSearch and search for "opensuse kernel"

openSUSE security update to kernel
([Security] Posted Jul 3, 2012 17:22 UTC (Tue) by ris)
openSUSE has released a security update to kernel

openSUSE security update to kernel
([Security] Posted Jun 28, 2012 19:11 UTC (Thu) by n8willis)
openSUSE has released a security update to kernel

SUSE security update to Linux kernel
([Security] Posted Jun 26, 2012 16:37 UTC (Tue) by ris)
SUSE has released a security update to Linux kernel

openSUSE security update to kernel
([Security] Posted Jun 22, 2012 18:22 UTC (Fri) by n8willis)
openSUSE has released a security update to kernel

SUSE security update to Linux kernel
([Security] Posted Jun 20, 2012 16:54 UTC (Wed) by ris)
SUSE has released a security update to Linux kernel

SUSE security update to Xen
([Security] Posted Jun 13, 2012 16:20 UTC (Wed) by ris)
SUSE has released a security update to Xen

SUSE security update to kernel
([Security] Posted Jun 4, 2012 15:32 UTC (Mon) by ris)
SUSE has released a security update to kernel

SUSE security update to Linux kernel
([Security] Posted May 14, 2012 16:35 UTC (Mon) by ris)
SUSE has released a security update to Linux kernel

SUSE security update to kernel
([Security] Posted Apr 26, 2012 18:42 UTC (Thu) by jake)
SUSE has released a security update to kernel

SUSE security update to Linux kernel
([Security] Posted Apr 24, 2012 16:11 UTC (Tue) by ris)
SUSE has released a security update to Linux kernel

openSUSE security update to kernel
([Security] Posted Apr 20, 2012 16:39 UTC (Fri) by ris)
openSUSE has released a security update to kernel

SUSE security update to Real Time Linux Kernel
([Security] Posted Mar 14, 2012 17:31 UTC (Wed) by corbet)
SUSE has released a security update to Real Time Linux Kernel

kernel: memory corruption
([Security] Posted Feb 9, 2012 20:35 UTC (Thu) by jake)
From the openSUSE advisory: CVE-2011-4604: If root does read() on a specific socket, it's possible to corrupt (kernel) memory over network, with an ICMP packet, if the B.A.T.M.A.N. mesh protocol is used.

kernel: denial of service
([Security] Posted Feb 9, 2012 20:34 UTC (Thu) by jake)
From the openSUSE advisory: CVE-2011-4087: A local denial of service when using bridged networking via a flood ping was fixed.

openSUSE security update to kernel
([Security] Posted Feb 9, 2012 20:33 UTC (Thu) by jake)
openSUSE has released a security update to kernel

openSUSE security update to kernel
([Security] Posted Feb 9, 2012 20:31 UTC (Thu) by jake)
openSUSE has released a security update to kernel

SUSE security update to Linux kernel
([Security] Posted Feb 7, 2012 18:21 UTC (Tue) by ris)
SUSE has released a security update to Linux kernel

SUSE security update to kernel
([Security] Posted Feb 6, 2012 18:44 UTC (Mon) by ris)
SUSE has released a security update to kernel

Oracle security update to kernel
([Security] Posted Jan 26, 2012 19:53 UTC (Thu) by jake)
Oracle has released a security update to kernel

SUSE security update to Linux kernel
([Security] Posted Dec 14, 2011 18:32 UTC (Wed) by corbet)
SUSE has released a security update to Linux kernel

Edit: oh yeah we're on the GoAutoDial forum, but this can be applied to centOS too just look at http://lwn.net/Alerts/CentOS/ instead

[williamconley]

Interesting. Two "local network" security flaws fixed. Necessary if you have bad guys on your local network. Both avoided by NOT having a bad guy on your local network and using IPTables whitelist security. The rest are "just updates" that do not mention what they do.

Hopefully none of them introduce a flaw or update a package to something incompatible with any php/perl/asterisk dependencies.

I still like "lock it down, and leave it alone".

[simonc]

I will try to replicate my current setup on a new Goautodial server and test from there.

Last time i tried that i had to recompile dahdi as gardo mentionned. However, the conferences were screwed up , and the server would kernel panic after thousands of lines of meetme. something( forgot the line exactly )

[williamconley]

the vicidial backup system is very helpful for porting your configuration from one server to the next.

it is actually quite normal to back up just the database, install a "fresh" system (vicibox,goautodial, either will do regardless of which you had previous). then restore the database and upgrade the database. then you'll have the newest system and your data will match it.