Hi Chris,

Thanks for starting the discussion here.

We're pretty much in the same boat (no changes made yet), as:

1. we're still running some RHEL 6.x based clusters, with x < 9, meaning no patches for either the kernel or glibc,
2. those kernel+glibc patches seem to just be "mitigations" and don't solve the underlying problem anyway (cf. https://access.redhat.com/security/vulnerabilities/stackguard#magicdomid15)

As far as I understand this, the real fix will be to recompile all of your binaries using a properly working implementation of -fstack-check in gcc (which doesn't exist yet). So in terms of timeline, that means GCC needs to be fixed, system applications need to be recompiled, distributions need to repackage and distribute them, and then all the userland applications need to be recompiled. It's a multi-year process.

So we're not really sure how to approach this, as recompiling everything seems really like the utopian dream of somebody who never managed any shared system. Plus, as you mentioned, even the mitigations are not innocuous, and may change applications' behavior.

That sounds like a big bowl of mess right now.

Oh, and containers...

Cheers,
--
Kilian
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf