Several public cloud providers have announced they will have to take parts of their infrastructure offline, following the discovery of critical vulnerabilities in the open source Xen hypervisor.

IBM’s SoftLayer has become the latest to publish a maintenance schedule, with server updates taking place until 10 March, when details about the software flaws will be released to the public. It follows similar announcements from AWS, Linode and Rackspace.

All of the major cloud providers relying on Xen are expected to take their servers offline at some point to fix the issue. The situation closely resembles the rush to patch Xen in September 2014 – back then, IBM was criticized for delaying the update process and putting its customers at risk.

Panda - the mascot of the Xen project – Xen Project

Learning process

On Monday, IBM sent an email to its cloud customers, in which it apologized for the upcoming SoftLayer downtime. It said the update will apply to a “portion of services that host portal-provisioned virtual server instances” – but didn’t reveal how many virtual machines will be affected.

Amazon initially said that it would have to restart around 10 percent of all EC2 instances, making each unavailable for a few minutes. It later revised this estimate, saying that 99.9 percent of servers will receive a live update and avoid a reboot.

“We can also now assure you that all newly launched instances will land on updated capacity, which means for the less than 0.1 percent of total EC2 instances that require a reboot, you can proactively re-launch these instances in order to avoid the assigned reboot timing,” added the company.

Rackspace said it will take offline a portion of its First and Next Generation Cloud Servers. However, maintenance will be staggered across multiple regions, so customers have the option to shift their workloads around the world to avoid downtime.

“We understand that any downtime impacts your business and we do not make this decision lightly,” said the company in a statement.

Linode will spread the maintenance across seven days, with each instance unavailable for up to two hours.

There is currently no information on whether patching will affect the Verizon Cloud. In January 2015, the whole service went offline for almost 40 hours, causing outrage among its customers. Verizon later explained that such a long maintenance window was necessary to enable non-disruptive updates in the future.

“Virtually all maintenance and upgrades to Verizon Cloud will now happen in the background with no impact to customers,” it promised at the time.