Recommendations Related to Meltdown and Spectre

At Mesosphere, we take security seriously. In light of the recently announced speculative execution vulnerabilities (commonly referred to as Meltdown and Spectre), we recommend upgrading the operating system on your DC/OS nodes to a version that includes mitigations for these attacks.

A couple things to keep in mind:

  1. As you would in the case of any DC/OS upgrade, start with master nodes before upgrading agent nodes. When upgrading your masters, do so in a rolling fashion, and verify the master health after each upgrade. After master health has been verified, proceed to the next master node.
  2. Tasks running on DC/OS agents will restart after the OS is upgraded and the host rebooted. If your tasks aren't constrained to resources on the specific agent (e.g., persistent volumes), you can ensure those tasks are rescheduled prior to upgrade by shutting down the agent (sudo sh -c 'systemctl kill -s SIGUSR1 dcos-mesos-slave && systemctl kill stop dcos-mesos-slave') before beginning the OS upgrade. You can read more about how to gracefully shut down an agent here, and how unreachable tasks are handled here.

As you may have read, the patch can result in degraded performance in certain applications. We will update this article once we have results specific to DC/OS components and services in the coming days.

Below are links to the patched versions of supported Linux distributions and instructions by the vendors

  • https://access.redhat.com/articles/3307751
  • https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
  • https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
  • https://support.microsoft.com/en-us/help/4073235/cloud-protections-speculative-execution-side-channel-vulnerabilities
Have more questions? Submit a request

Comments

Powered by Zendesk