Meltdown + Spectre patches?
#1
Thu, 2018-01-04 22:20
iceshaft07
I wanted to know if there are patches required for Meltdown / Spectre for Alpine Linux? How can I get them?
http://money.cnn.com/2018/01/04/technology/spectre-meltdown-cpu-flaws-explainer/index.html
https://pkgs.alpinelinux.org/packages?branch=edge&repo=main&name=linux-hardened
Wait for and install kernel 4.9.75. (https://lkml.org/lkml/2018/1/5/335)
update: Meltdown should be fixed in linux-vanilla 4.9.75 (https://pkgs.alpinelinux.org/package/edge/main/x86_64/linux-vanilla)
Ok.
So my docker container would look something like this?
FROM alpine:3.7
RUN apk add linux-vanilla
Thanks!
Docker runs on top of the host, whose kernel needs to be patched. Docker doesn't run a kernel itself.
So, technically your Docker image is not vulnerable, it's the host that is.
If you run Docker on Ubuntu, you need to patch the Ubuntu host, not the Alpine image. If you run on CoreOS, CentOS etc... same thing: patch the host!
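One way to verify the point above, on the host or from inside a container, as an added example that is not part of any post in this thread; it reads the per-issue status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (a path and file layout the thread does not mention):

```shell
#!/bin/sh
# Added example, not from the thread: report the mitigation status the running
# kernel exposes for Meltdown/Spectre. The kernel publishes one file per issue
# under /sys/devices/system/cpu/vulnerabilities/ (added in 4.15 and backported
# to stable kernels; absent on older ones). Inside a container these files,
# like `uname -r`, describe the HOST kernel: that is why only the host matters.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "<issue>: <status>" for every issue file in directory $1.
report_mitigations() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count issue files whose status still begins with "Vulnerable".
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in Vulnerable*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Exit 0 when no issue file reads "Vulnerable" (each is "Mitigation: ..." or
# "Not affected"), 1 when at least one does, 2 when the directory is absent
# (a kernel too old to report anything, which is itself a warning sign).
all_mitigated() {
    [ -d "$1" ] || return 2
    [ "$(count_vulnerable "$1")" -eq 0 ]
}

# Kernels carrying KPTI list "pti" among the CPU flags in /proc/cpuinfo ($1).
kpti_flag_present() {
    grep '^flags' "$1" | head -n 1 | tr ' ' '\n' | grep -qx pti
}

# Stand-alone run against the live kernel (same result inside a container).
if [ -d "$VULN_DIR" ]; then
    report_mitigations "$VULN_DIR"
    if all_mitigated "$VULN_DIR"; then echo "all reported issues mitigated"
    else echo "$(count_vulnerable "$VULN_DIR") issue(s) still vulnerable"; fi
fi
```

Run it once on the host and once with `docker run` on an Alpine image: both report the same kernel and the same status, since the image carries no kernel of its own.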
Is it true that there will be no hardened kernel?
@templar: Alpine has decided to remove the linux-hardened version and has also switched the "vanilla" type to track the non-LTS upstream version so as to gain the full protection of the KPTI patch.
See this mailing list post for details:
http://lists.alpinelinux.org/alpine-devel/6022.html
The new linux-vanilla version uses most of the recommendations given by the Kernel Self Protection Project[1] and so is relatively "hardened" compared to most other distributions' kernels.
[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
Thank you Head_on_a_Stick, I will have to subscribe to that list too to get recent news. Something like that could be here too (posted already).