Security Vulnerabilities: Fortifying Your Netezza Appliances


Netezza systems N2001 and N3001 run on Red Hat Enterprise Linux 6 (RHEL6). Ordinarily, bug fixes and security patches are provided for each version of an operating system. However, RHEL6 reached end of support in November 2020, and IBM has never provided official updates to move Netezza to RHEL7. Even if they did, it wouldn’t be a solution for most customers because RHEL7 reached end of support in July 2024. Bug fixes and security patches are currently only available for RHEL8 and above.

So, now we’re at the stage where vulnerabilities will not be fixed on the Netezza platform. There are workarounds: you can manually compile the code and apply patches. Responsibility for those fixes then falls on whoever compiles and applies them, not IBM.

The Impact of Not Receiving RHEL6 Security Patches

It’s a real problem for security teams not to receive patches for known vulnerabilities, even if the perceived risk is low or there is a workaround. One recent example is CVE-2016-6515 (a problem with the auth_password function in OpenSSH), which is fixed in RHEL7 but not in RHEL6.

As we discussed recently in our Sweating your Netezza Asset blog, the vulnerability issue may be the main impediment to running your Netezza appliances ad infinitum, even if the business continues to get a lot of value from the system.

We’ve been chewing over what to do about this for ages. With a modern Linux operating system, you’re continuously patching vulnerabilities. So, what we needed was a way to break out of this loop that we were stuck in. 

Our Solution to the Problem

Happily, we have found a solution. Because upgrading RedHat on Netezza is not an option, we instead found a way of running NPS code in a Virtual Machine (VM), which lets us hide it behind all possible firewalls. The only port you need to open is the one used by ODBC/JDBC for running SQL queries: 5480. In this way, you effectively fortify your appliance. We can install NPS on any Enterprise Linux flavour up to EL 9.5.
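One way to check, from a client network segment, that only the SQL port answers once the VM sits behind the firewall. This is an added example, not code from the original post or from the vendor; the sample port list and the placeholder host address are assumptions.

```python
import socket

NPS_SQL_PORT = 5480  # ODBC/JDBC port named in the post
# Assumed sample of ports that should NOT answer once the VM is firewalled
# (SSH, HTTP, HTTPS); replace with your own baseline.
SAMPLE_PORTS = [22, 80, 443, NPS_SQL_PORT]


def probe(host, port, timeout=1.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts, unreachable host, name resolution failure
        return "filtered"


def audit_exposure(host, ports, allowed=(NPS_SQL_PORT,), timeout=1.0):
    """Compare the ports that answer on `host` with the allowlist."""
    targets = sorted(set(ports) | set(allowed))
    states = {p: probe(host, p, timeout) for p in targets}
    open_ports = {p for p, state in states.items() if state == "open"}
    return {
        "states": states,
        "unexpected": sorted(open_ports - set(allowed)),  # open, not allowed
        "missing": sorted(set(allowed) - open_ports),     # allowed, not open
        "compliant": open_ports == set(allowed),
    }


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a documentation-range placeholder, not a real appliance.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    report = audit_exposure(host, SAMPLE_PORTS)
    for port, state in report["states"].items():
        print(f"{port:>5}/tcp {state}")
    print("unexpected open:", report["unexpected"])
    print("allowed but unreachable:", report["missing"])
    sys.exit(0 if report["compliant"] else 1)
```

A port reported as `filtered` is being dropped silently and `closed` means the connection was actively refused; either is acceptable for a port outside the allowlist, while anything in `unexpected` is a gap in the firewall rules.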

We have also installed the new OS and VM on new SSD drives, thus preserving the original RAID array, as a rollback option. As you can imagine, we are seeing significant performance gains on host-bound activity because of upgrading to SSD storage. Furthermore, it’s also possible to upgrade the RAM on the Netezza hosts to deploy other VMs, such as nzPortal or our own Smart Management Frameworks Database Replication, Access Control, and/or System Management modules. 

The beauty of this approach is: 

  • It requires no changes to the hardware or OS configurations.
  • It’s fast to deploy with virtually no downtime.
  • The OS does not have to be limited to RedHat anymore and can be any other flavour preferred by your organisation.
  • It’s a reversible solution, with an option to revert to the previous OS, so it carries virtually no risk.

Only two periods of downtime are required: 

  1. To install new SSD drives – 30 mins downtime
  2. To copy OS data from active host into the VM – 2 hours downtime

Virtualising the NPS Host affords us a much smarter way to administer all your Netezza / CP4D appliances and is included with our Netezza Support Plus Managed tier. 

If you’d like to hear more, why not give us a shout?
