jon yeargers Posted May 27, 2019

I spent some time today reading about Spectre and how to update my Xen hosts.. and then started wondering about the base OS underneath. Do I still need to run `yum update` on my xen hosts periodically? Probably a dumb question.

Tobias Kreidl Posted May 28, 2019

Installing anything other than official Citrix hotfixes can lead to breaking the terms of support. Yum won't work out-of-the-box to get any CentOS updates, anyway.

-=Tobias

Alan Lantz Posted May 28, 2019

Nope, for the underlying XenServer you upgrade to the next version if a hotfix doesn't address it.

--Alan--

jon yeargers (Author) Posted May 28, 2019

Does that include OEM software like OMSA?

Alan Lantz Posted May 28, 2019

I would think something like OMSA technically breaks the official Citrix support as well. If it came down to it with Dom0 issues they could make you uninstall it before troubleshooting.

--Alan--

Tobias Kreidl Posted May 28, 2019

> 1 hour ago, Alan Lantz said:
>
> I would think something like OMSA technically breaks the official Citrix support as well. If it came down to it with Dom0 issues they could make you uninstall it before troubleshooting.
>
> --Alan--

Yes, you really want to be careful about doing anything that might void your support contract (if you have one) or breaking something, regardless of whether you have support or not.

-=Tobias

jon yeargers (Author) Posted May 29, 2019

Gah. My xen hosts are terribly behind on firmware updates and I was hoping to use OMSA to start catching up. How about snmp? Can I install that?

Olivier Lambert Posted May 29, 2019

This is an interesting question that we also encountered in XCP-ng, which doesn't use "packs" update but `yum` directly.

For Citrix Hypervisor, you are using "Updates", which are basically ISO files containing RPMs signed by Citrix. So you don't have a Yum repo like for a CentOS or Red Hat distro.

Here is what we chose to say for XCP-ng (which is NOT XenServer/CH, but it's reasonable advice anyway):

* If your needed package is available on CentOS, doesn't have any dependency, and doesn't interfere with the kernel, it might work without any issue
* NEVER enable a whole repository, because this will break your install
* If you are pretty sure the package is without any risk, you can enable the repo ONLY during the yum command, e.g. `yum install packagename --enablerepo='epel'`

Again, that's the advice we gave on XCP-ng; in the meantime we are working to embed/put a repo for very low risk packages, like htop and similar ones.

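An added example, not part of the original post or of XCP-ng/Citrix tooling: a check for the "never enable a whole repository" rule, listing repos that are permanently enabled in a yum repo directory. The repo names, the `vendor-base` allow-list entry and the sample files are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: report yum repos that are permanently enabled on a host.
# Repo names and the allow-list below are constructed, not from the thread.

# enabled_repos DIR: print each repo id in DIR/*.repo that yum would use
# by default. A section with no "enabled=" line counts as enabled.
enabled_repos() {
  local f
  for f in "$1"/*.repo; do
    [ -e "$f" ] || continue
    awk '
      function flush() { if (name != "" && on) print name }
      { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
      /^[#;]/ || /^$/ { next }
      /^\[.*\]$/ { flush(); name = substr($0, 2, length($0) - 2); on = 1; next }
      /^enabled[ \t]*=/ {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v)
        on = (tolower(v) !~ /^(0|no|false)$/)
      }
      END { flush() }
    ' "$f"
  done
}

# unexpected_repos DIR ALLOWED...: enabled repos that are not allow-listed.
unexpected_repos() {
  local dir=$1 repo a ok; shift
  enabled_repos "$dir" | while read -r repo; do
    ok=0
    for a in "$@"; do if [ "$repo" = "$a" ]; then ok=1; fi; done
    if [ "$ok" -eq 0 ]; then printf '%s\n' "$repo"; fi
  done
}

# make_sample DIR: write a constructed /etc/yum.repos.d look-alike.
make_sample() {
  printf '[vendor-base]\nenabled=1\n' > "$1/vendor.repo"
  printf '[base]\nenabled=0\n\n[extras]\nbaseurl=http://mirror.invalid/\n' > "$1/CentOS-Base.repo"
  printf '# left on after a one-off install\n[epel]\nenabled = 1\n' > "$1/epel.repo"
}

sample=$(mktemp -d)
make_sample "$sample"
unexpected_repos "$sample" vendor-base   # on a real host: /etc/yum.repos.d
rm -rf "$sample"
```

On the sample it reports `extras` (no `enabled=` line, so on by default) and `epel`; a repo used only through `--enablerepo` on the command line stays `enabled=0` on disk and is not reported.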
Alan Lantz Posted May 29, 2019

SNMP is already a part of the base XenServer so using SNMP shouldn't be an issue. I have 3rd party management software on my XenServers, no issues ever. But I just use it for monitoring, not pushing out firmware.

--Alan--

Tobias Kreidl Posted May 29, 2019

Only issue with SNMP is the need to probably unblock port 161 on the XS firewall side (possibly also 162 if SNMPTRAP is also used). I just query the hosts, and don't put any of the monitoring software on them, so it's just a read-only access from the outside.

-=Tobias

Tobias Kreidl Posted May 29, 2019

> 9 hours ago, Olivier Lambert said:
>
> This is an interesting question that we also encountered in XCP-ng, which doesn't use "packs" update but `yum` directly.
>
> For Citrix Hypervisor, you are using "Updates", which are basically ISO files containing RPMs signed by Citrix. So you don't have a Yum repo like for a CentOS or Red Hat distro.
>
> Here is what we chose to say for XCP-ng (which is NOT XenServer/CH, but it's reasonable advice anyway):
>
> * If your needed package is available on CentOS, doesn't have any dependency, and doesn't interfere with the kernel, it might work without any issue
> * NEVER enable a whole repository, because this will break your install
> * If you are pretty sure the package is without any risk, you can enable the repo ONLY during the yum command, e.g. `yum install packagename --enablerepo='epel'`
>
> Again, that's the advice we gave on XCP-ng; in the meantime we are working to embed/put a repo for very low risk packages, like htop and similar ones.

If you're on a private net or behind various firewalls, it takes a bit more to get around those hurdles. See for example: https://www.mycugc.org/blogs/cugc-blogs/2017/02/21/direct-updating-of-modern-dell-server-and-peripher

-=Tobias

Alan Lantz Posted May 30, 2019

Yep, this should work for allowing SNMP through the firewall.

```
iptables -N SNMP-Input
iptables -I INPUT -j SNMP-Input
iptables -A SNMP-Input -p udp --dport 161 -j ACCEPT
/sbin/service iptables save
```

--Alan--

Tobias Kreidl Posted May 30, 2019

There's also an equivalent TCP service on that same port number for SNMP, but it's not so commonly used. Check what you are running and add accordingly for TCP, should that be necessary.

-=Tobias

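An added example, not from any poster in the thread: the SNMP rule posted above accepts UDP 161 from any source, so this check reads `iptables-save` output and prints ACCEPT rules for ports 161/162 that carry no source restriction. The sample ruleset and the monitoring-station address 192.0.2.10 are constructed.

```shell
#!/usr/bin/env bash
# Added example: find SNMP ACCEPT rules that are open to every source.
# Reads iptables-save format on stdin; the sample rules are constructed.

unrestricted_snmp_rules() {
  awk '
    $1 == "-A" {
      src = ""; ports = ""; target = ""
      for (i = 2; i < NF; i++) {
        if ($i == "-s" || $i == "--source") src = $(i + 1)
        if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      # Only ACCEPT rules with no source (or the any-address source) matter.
      if (target != "ACCEPT" || (src != "" && src != "0.0.0.0/0")) next
      n = split(ports, p, ",")
      for (k = 1; k <= n; k++)
        if (p[k] == "161" || p[k] == "162") { print; next }
    }
  '
}

# Constructed ruleset: the chain from the post plus a TCP rule limited to
# one monitoring station (192.0.2.10 is a documentation address).
sample_rules() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:SNMP-Input - [0:0]
-A INPUT -j SNMP-Input
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A SNMP-Input -p udp -m udp --dport 161 -j ACCEPT
-A SNMP-Input -s 192.0.2.10/32 -p tcp -m tcp --dport 161 -j ACCEPT
COMMIT
EOF
}

sample_rules | unrestricted_snmp_rules   # on a real host: iptables-save | ...
```

Only the UDP rule is printed; adding `-s` with the poller's address to that rule, as the TCP rule in the sample does, limits queries to the monitoring station.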
Archived
This topic is now archived and is closed to further replies.