Video recording and production done by OpenStack Foundation.
Over the past 18 months there have been several security vulnerabilities discovered in the Xen kernel, which powers some of the largest public cloud OpenStack implementations. How do you address a security vulnerability in a timely manner for your customers whilst minimizing the impact as much as possible? What do you do when this happens again 6 months later? On the Rackspace public cloud team we had to tackle this problem. This talk will aim to cover how we handled the first (XSA-108) and what we learned to make subsequent issues (XSA-123, VENOM, etc.) easier to handle, as well as what we are currently working on to make the process even more graceful moving forward.
We used a combination of tools, driven by Ansible, to apply the fixes in a timely manner for our customers. Ultimately this is a simple patch-and-reboot procedure; however, operating at this scale presents unique challenges that have to be accounted for.