
Managing GENI Custom Images

GENI users can create image snapshots known as "custom images". This feature is provided to facilitate running experiments, but as with any OS image there are associated administrative tasks that must take place, such as:

  • Monitoring security alerts and installing required updates to block security attacks.
  • Cleaning up bad, duplicate, or old images on GENI racks.

This page outlines some guidelines on how image maintainers can find out about new attacks and take appropriate steps. Also covered are maintenance guidelines and procedures for cleaning up obsolete and bad images. See the

Security Alerts

GENI custom image maintainers should subscribe to the appropriate operating system security mailing lists to get alerts for the OS used to create their custom images. The goal is to find out about software vulnerabilities, find a resolution, and apply that resolution to the affected custom image. This administrative function was initially owned by the GPO and is now outlined here for maintainers.

Security Alerts Sources

In GENI, most custom images are CentOS or Ubuntu. Both of these OSes have security notices available at:

Additionally, you may subscribe to or review the Ubuntu and CentOS security mailing lists. These lists are very low traffic and fairly easy to digest:

  • Ubuntu list: ubuntu-security-announce@lists.ubuntu.com
      to subscribe: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
      to review threads: https://lists.ubuntu.com/archives/ubuntu-security-announce/
  • CentOS list: centos-announce@centos.org
      to subscribe: https://lists.centos.org/mailman/listinfo/centos-announce
      to review threads: https://lists.centos.org/pipermail/centos-announce/

As an example vulnerability announcement, here are the emails from the Ubuntu and CentOS security lists regarding the libc vulnerability announced in February 2016. Of note, these emails are only sent after a fix has been posted. How does one know there is a problem in the first place? If it is a big enough deal, Slashdot or other news sites will cover it. In most cases the OS vendors release patches the same day the bug is publicly announced, since they coordinate amongst themselves and with the upstream developers, as was the case with this libc bug in February.

So how do we confirm that our images are affected if no patch is immediately available? There will probably be an article on Slashdot or other news outlets, which may in turn link to a vendor's page.

If you are interested in an ongoing vulnerability that you can reference, see here, where you can click on Diagnose and download a script to check whether you are affected, along with possible mitigation steps.

Once you have identified a package that is affected, you need to check whether you have that package installed and compare its version to the affected versions. Remember that there are various factors to consider depending on the bug: it may be package specific, or it may be OS version specific (for example, CentOS 5 is affected but not 6, or Ubuntu 12.04 is affected but not 14.04). As an example, the libc vulnerability was addressed under different package names. The Ubuntu package is called libc6 and the CentOS package is called glibc, and to check the installed version the following instructions were given:

CentOS: # yum info glibc
Ubuntu: # dpkg -s libc6
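The version check described above, automated: an added example that is not part of the GENI wiki. It looks up the installed version of a package with dpkg-query or rpm (whichever the image has), compares it with the version that carries the fix, and reports whether the image still needs updating. The package names match those the page mentions; the "fixed" versions in the demo calls at the bottom are constructed placeholders, not values taken from an advisory.

```shell
#!/bin/sh
# Added example, not from the GENI wiki: report whether an installed package
# is still older than the release that carries a security fix.
# The caller supplies the package name and the fixed version from the advisory.

# version_lt A B: succeed if version A is older than version B.
# Uses dpkg's comparator where present (authoritative for .deb versions),
# otherwise GNU sort -V, which is a close approximation for rpm versions.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# installed_version PKG: print the installed version (first match), or nothing.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # Only count packages whose status is "install ok installed".
        dpkg-query -W -f '${Status} ${Version}\n' "$1" 2>/dev/null |
            awk '$3 == "installed" { print $4; exit }'
    elif command -v rpm >/dev/null 2>&1; then
        # rpm -q prints "not installed" on stdout, so test the exit code first.
        rpm -q "$1" >/dev/null 2>&1 &&
            rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" | head -n 1
    fi
}

# check_package PKG FIXED: exit 0 if patched, 1 if older than FIXED, 2 if absent.
check_package() {
    inst=$(installed_version "$1")
    if [ -z "$inst" ]; then
        echo "$1: not installed"
        return 2
    elif version_lt "$inst" "$2"; then
        echo "$1: installed $inst is older than fixed $2 - update required"
        return 1
    fi
    echo "$1: installed $inst is at or above fixed $2 - OK"
    return 0
}

# Constructed demo: package names from the page, fixed versions are placeholders.
check_package libc6 2.19-0ubuntu6.7 || true
check_package glibc 2.12-1.166.el6_7.7 || true
```

Run it on each custom image (or inside an instance booted from it) with the package name and fixed version quoted in the vendor's advisory; a non-zero exit code flags an image that needs rebuilding.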

Managing Images

The tools used to identify obsolete images will be listed in this section; this is currently a work in progress.

Last modified on 06/14/16 13:06:52