Hi Wei,

Sounds good.
Maybe we should add the first option to ssvm and csvm too.

Option #1
Disable selective acknowledgments system wide for all newly established TCP connections.

# echo 0 > /proc/sys/net/ipv4/tcp_sack
or
# sysctl -w net.ipv4.tcp_sack=0

...
Sven

__
Sven Vogel
Teamlead Platform
EWERK RZ GmbH

On 18.06.2019 at 20:33, Wei ZHOU <ustcweiz...@gmail.com> wrote:

Hi Rohit,

Do we need to change default iptable tables for cpvm and ssvm?

# iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
# ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP

(see https://access.redhat.com/security/vulnerabilities/tcpsack)

-Wei

Rohit Yadav <rohit.ya...@shapeblue.com> wrote on Tue, 18 June 2019 at 11:57 AM:

All,

Due to recently disclosed and fixed tcp/SACK vulnerability and other security issues (refer https://www.debian.org/security/2019/dsa-4465), I've rebuilt and synced new 4.11.3.0 systemvmtemplates which has linux 4.9.168-1+deb9u3 (2019-06-16):

http://download.cloudstack.org/systemvm/testing/4.11.3-rc
http://packages.shapeblue.com/testing/systemvm/41130rc1

Kindly continue testing 4.11.3.0 RC1 using above systemvmtemplates. Thanks.

Build log for reference:
http://download.cloudstack.org/systemvm/testing/4.11.3-rc/build.log

Regards,
Rohit Yadav
Software Architect, ShapeBlue
https://www.shapeblue.com

________________________________
From: Riepl, Gregor (SWISS TXT) <gregor.ri...@swisstxt.ch>
Sent: Friday, June 14, 2019 7:45:58 PM
To: dev@cloudstack.apache.org; us...@cloudstack.apache.org
Subject: Re: [VOTE] 4.11.3.0 RC1

+1

Based on:
- Packages from http://packages.shapeblue.com/testing/41130rc1/ and http://packages.shapeblue.com/testing/systemvm/41130rc1/
- Upgrade of our test cloud from 4.11.2 to 4.11.3 worked without problems (aside from the mentioned template issue)
- Our internal smoke test stack ran successfully

The only thing I'm a bit unhappy about is the backported ostype API fix:
https://github.com/apache/cloudstack/pull/3066

Since this is a breaking API change, I don't think it should be included in a minor release, even if it fixes an API bug. It triggers an error in Packer, which we use to create templates.
However, a fix was already committed and will be in the next Packer release, so I'm ok'ing it:
https://github.com/hashicorp/packer/pull/7694
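
Added example, not part of the original thread and not CloudStack code: a shell check that reports whether the two settings discussed above (tcp_sack=0 and the low-MSS SYN drop rules for IPv4 and IPv6) are present on a system VM. The function names, the --live flag and the sample rule listing are constructed for illustration.

```sh
#!/bin/sh
# Audit helper for the settings quoted in the thread. The functions take
# text as arguments so they can be checked offline against saved output.

# sack_disabled VALUE: true when the net.ipv4.tcp_sack value is 0.
sack_disabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "0" ]
}

# low_mss_drop RULES: true when the listing (iptables -S INPUT format)
# has an INPUT rule dropping SYN packets with MSS 1:500, as in the thread.
low_mss_drop() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" &&
        /--tcp-flags SYN SYN/ && /-m tcpmss --mss 1:500/ && /-j DROP/ {
            found = 1
        }
        END { exit !found }'
}

# mitigation_report SACK_VALUE V4_RULES V6_RULES: one summary line.
# It reports each setting separately and makes no overall verdict.
mitigation_report() {
    sack=on; v4=no; v6=no
    if sack_disabled "$1"; then sack=off; fi
    if low_mss_drop "$2"; then v4=yes; fi
    if low_mss_drop "$3"; then v6=yes; fi
    echo "tcp_sack=$sack ipv4_mss_drop=$v4 ipv6_mss_drop=$v6"
}

# Constructed sample listing, not captured from a real system VM.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
-A INPUT -i lo -j ACCEPT'

# With --live (needs root), read the running system instead of the sample.
if [ "${1:-}" = "--live" ]; then
    mitigation_report "$(cat /proc/sys/net/ipv4/tcp_sack)" \
        "$(iptables -S INPUT)" "$(ip6tables -S INPUT)"
fi
```

An ipv6_mss_drop=no result alongside ipv4_mss_drop=yes means only one of the two rules from the thread was applied.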