Description of problem:
Today, yet another rowhammer style attack paper went out, explaining
https://arxiv.org/pdf/1710.00551.pdf (there is a link to the various papers)
While this is not a new attack, and I guess a rather complex one to mount, we should mitigate the risk by moving the download server and the ansible deployment in the cage. I heard about people using rowhammer to flip some bits to bypass pam verification (no paper or conference have been published yet afaik, so i wasn't able to evaluate the praticality).
While rackspace is using ECC (or so do I hope, that's what lshw report) and that's mitigating the attack to be a denial of service only, I would sleep better at night if we moved the 2 servers out of rackspace and in the cage in case improvements to the attack do get published.
The rest of the VM are not as critical as theses 2, even if the freeipa server should also be moved.
I am already in the process of moving salt-master since some weeks, I just need to finish the move.
The website redirect issues need to take higher priority than this. That's causing an existing user impact, this can come after that ticket's resolved.
https://bugzilla.redhat.com/show_bug.cgi?id=1490994 is the ticket.
I think these can be worked in parallel. Let's test Michael's solution for the redirect issue. For who and how, unfortunately we don't yet have in place rules of engagement around the WordPress instance.
I'll start an email to discuss admin on the WP instance.
In the other ticket we can resolve who tests what, where, and get that whole thing taken care of.
For security concerns, it seems prudent to take care of them ASAP, also considering that Michael's involvement in the other bug is lightweight in providing us regexp solutions to test. Would you be OK with working these in parallel?
From what I see from the initial comments, I think this is something that could be looked at later this week.
Let's get the current redirects sorted out first, and then we can move to moving the download server.
So the move of salt-master is done, I am fixing the last stuffs and will then take the old VM offline. (and open bug for the issue I did see)
So, the article I mention in 1st comment is out now:
I also asked to Rackspace about KSM usage.
So Rackspace do not use KSM according to support, and according to ex-rackspace folk I reached, they did tested and it was not good enough in practice.
So I just need to move the download server now, but that's less urgent (until the next rowhammer-like issue)
Updating the bug so it's just the download server. What's the plan here? We need to move off Rackspace before shutdown (That's when the free tier ends).
Do we plan to move download server into the cage or do we want to put it on another cloud vendor?
During which shutdown, you mean "christmas shutdown", and I thought we did already ended the free tier a while ago ?
Correct on 'Christmas Shutdown'.
We've been in a grace period with Rackspace, but we need to turn everything off from that space by December 21st. The grace period expires at the end of December.
This is now complete.