                          * * * READ ME * * *
              * * * Veritas Cluster Server 6.0 RP1 * * *
                         * * * P-patch 2 * * *
                         Patch Date: 2012-05-15


This document provides the following information:

   * PATCH NAME
   * PACKAGES AFFECTED BY THE PATCH
   * BASE PRODUCT VERSIONS FOR THE PATCH
   * OPERATING SYSTEMS SUPPORTED BY THE PATCH
   * INCIDENTS FIXED BY THE PATCH
   * INSTALLATION PRE-REQUISITES
   * INSTALLING THE PATCH
   * REMOVING THE PATCH


PATCH NAME
----------
Veritas Cluster Server 6.0 RP1 P-patch 2


PACKAGES AFFECTED BY THE PATCH
------------------------------
VRTSvxfen


BASE PRODUCT VERSIONS FOR THE PATCH
-----------------------------------
   * Veritas Cluster Server 6.0
   * Veritas Storage Foundation for Oracle RAC 6.0
   * Veritas Storage Foundation Cluster File System 6.0
   * Veritas Storage Foundation High Availability 6.0
   * Symantec VirtualStore 6.0
   * Veritas Storage Foundation for Sybase ASE CE 6.0


OPERATING SYSTEMS SUPPORTED BY THE PATCH
----------------------------------------
RHEL6 x86-64


INCIDENTS FIXED BY THE PATCH
----------------------------
This patch fixes the following Symantec incidents:

Patch ID: 6.0.001.200

* 2708639 (Tracking ID: 2708619)

SYMPTOM:
If you set the scsi3_disk_policy attribute to dmp, you cannot enable the
Veritas fencing module (VxFEN).

DESCRIPTION:
When you set the scsi3_disk_policy attribute to dmp, the VxFEN module tries to
use the dmp device path to access the coordination disks. The dmp device path
refers to a disk partition. A recent kernel security fix prohibits the SCSI
ioctl system call to disk partitions. As a result the VxFEN configuration
fails. The recent kernel security fix that prohibits system calls to disk
partitions is:

   752375 - CVE-2011-4127 kernel: possible privilege escalation via SG_IO ioctl

RESOLUTION:
Symantec has updated the VxFEN source code to pick up the dmp device path that
contains the full disk name instead of a partition/slice.

* 2768874 (Tracking ID: 2768871)

SYMPTOM:
In some RHEL5 and RHEL6 setups, the fencing utility vxfentsthdw(1M) incorrectly
reports the status of a SCSI disk as SCSI-3 PR non-compliant over the dmp path.
If you specify the raw path of the disk, vxfentsthdw(1M) reports the disk
status as SCSI-3 compliant.

DESCRIPTION:
This issue is caused by the following kernel security fix that prohibits the
SCSI ioctl system call to disk partitions:

   752375 - CVE-2011-4127 kernel: possible privilege escalation via SG_IO ioctl

Red Hat distributes the kernel security fix with the following kernel versions:

   o For RHEL5: Kernel version 2.6.18-274.18.1.el5 and above
   o For RHEL6: Kernel version 2.6.32-220.2.1.el6 and above

The vxfentsthdw(1M) utility issues an IOCTL call to a partition/slice of the
disk over a dmp path. The call fails due to the kernel security fix and the
utility therefore reports SCSI-3 PR non-compliance. When you specify the raw
path of the disk, the IOCTL call goes through, and the utility reports the
correct compliance status of the SCSI disk.

RESOLUTION:
Symantec has updated the VxFEN source code to fix this issue. The code fix
ensures that the vxfentsthdw(1M) utility, by default, uses the dmp device path
that contains the full disk name, instead of the name of the partition/slice.


INSTALLING THE PATCH
--------------------
Perform the following steps on each cluster node, one node at a time:

1. Stop VCS:
   # hastop -local

2. Stop vxfen:
   # /etc/init.d/vxfen stop

3. Apply the patch:
   # rpm -Uvh VRTSvxfen-6.0.001.200-RP1P2_RHEL6.x86_64.rpm

   Verify that the correct VRTSvxfen package is installed:
   # rpm -qi VRTSvxfen
   Name        : VRTSvxfen                    Relocations: (not relocatable)
   Version     : 6.0.001.200                       Vendor: Symantec Corporation
   Release     : RP1P2_RHEL6                   Build Date: Mon 30 Apr 2012 05:30:09 AM PDT
   Install Date: (not installed)               Build Host: vcsbuildrhel6x8664
   Group       : Applications/System           Source RPM: VRTSvxfen-6.0.001.200-RP1P2_RHEL6.src.rpm
   Size        : 5433256                          License: Symantec Proprietary
   Signature   : (none)
   Packager    : Enterprise_Support@symantec.com
   URL         : http://www.symantec.com/business/support
   Summary     : Veritas I/O Fencing by Symantec
   Description :
   Supported kernel(s): 2.6.32-71.el6.x86_64
   Build Stamp : Veritas-6.0.001.200-RP1P2-2012-04-30_04.56.20

4. Start vxfen:
   # /etc/init.d/vxfen start

5. Start VCS:
   # hastart

Alternatively, a patch installer can be used to install this patch
automatically. Perform the following steps on each cluster node, one node at a
time:

1. Run ./installVCS60RP1P2


REMOVING THE PATCH
------------------
Perform the following steps on each node, one at a time:

1. Stop VCS:
   # hastop -local

2. Stop vxfen:
   # /etc/init.d/vxfen stop

3. Uninstall the VRTSvxfen package:
   # rpm -ev VRTSvxfen

4. Install the previous version of the VRTSvxfen package.

5. Start vxfen:
   # /etc/init.d/vxfen start

6. Start VCS:
   # hastart


SPECIAL INSTRUCTIONS
--------------------
NONE


OTHERS
------
NONE
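
The kernel versions and the patch version given under INCIDENTS FIXED BY THE PATCH can be combined into a per-node check for the fencing failure described there. The script below is an added example, not part of the Symantec README or patch; the function names, state labels and the sample package version 6.0.000.000 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Symantec code). Thresholds are the ones quoted in this README.
RHEL5_FIXED="2.6.18-274.18.1.el5"   # first RHEL5 kernel with the CVE-2011-4127 fix
RHEL6_FIXED="2.6.32-220.2.1.el6"    # first RHEL6 kernel with the CVE-2011-4127 fix
VXFEN_FIXED="6.0.001.200"           # VRTSvxfen version delivered by this patch

# version_ge A B: succeed if A >= B, comparing numeric fields left to right.
# Everything from ".elN" onward (dist tag, architecture) is ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/\.el[0-9].*$/, "", a); sub(/\.el[0-9].*$/, "", b)
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi != yi) exit ((xi > yi) ? 0 : 1)
        }
        exit 0
    }'
}

# assess_node KERNEL_RELEASE VXFEN_VERSION: print the node's state (labels are hypothetical).
assess_node() {
    case "$1" in
        *.el5*) fixed=$RHEL5_FIXED ;;
        *.el6*) fixed=$RHEL6_FIXED ;;
        *) echo "unknown-kernel"; return 0 ;;   # README gives no threshold for this kernel
    esac
    if ! version_ge "$1" "$fixed"; then
        echo "kernel-allows-partition-ioctl"    # pre-fix kernel: CVE-2011-4127 still open
    elif version_ge "$2" "$VXFEN_FIXED"; then
        echo "ok"                               # fixed kernel and patched VRTSvxfen
    else
        echo "fencing-at-risk"                  # fixed kernel rejects the partition ioctl
    fi
}

# Constructed sample inputs (kernel release, VRTSvxfen version). On a live node use:
#   assess_node "$(uname -r)" "$(rpm -q --qf '%{VERSION}' VRTSvxfen)"
for pair in "2.6.32-71.el6.x86_64 6.0.000.000" \
            "2.6.32-220.2.1.el6.x86_64 6.0.000.000" \
            "2.6.32-220.4.2.el6.x86_64 6.0.001.200"; do
    set -- $pair
    printf '%-28s %-12s %s\n' "$1" "$2" "$(assess_node "$1" "$2")"
done
```

A node reported as fencing-at-risk runs a kernel that blocks SCSI ioctls to partitions while VRTSvxfen still predates this patch, which is the combination both incidents describe.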