How do you keep your EC2's updated? (Amazon Linux 2)
How do I install security updates on an Amazon Linux AMI EC2 instance? - Stack Overflow
Amazon Linux 2 - Yum Update -Y hangs?
For those using Amazon Linux in production, how do you deal with updates?
Hi all, I wonder how you keep your production EC2s updated with minimal downtime.
This is what I get on my EC2:
[ec2-user@ec2 ~]$ yum updateinfo
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Security: kernel-5.10.165-143.735.amzn2.x86_64 is an installed security update
Security: kernel-5.10.130-118.517.amzn2.x86_64 is the currently running version
updateinfo summary done
We used to get lots of information from our Ubuntu EC2s, and I was wondering how we can get the same output with Amazon Linux 2:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.13.0-1031-aws x86_64)
88 updates can be applied immediately.
15 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
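The Ubuntu lines the question asks for can be reproduced on Amazon Linux 2 from yum's own output. The script below is an added example, not code posted in the thread. It assumes (none of this is stated on the page) that `yum -q check-update` prints one "name.arch  version  repo" line per available update, wrapping long names onto a second indented line, and exits 100 when updates exist, and that `yum -q updateinfo list security` prints one "ADVISORY  severity/Sec.  package" line per package. The counting functions take that output as text, so they run against the constructed samples embedded below without yum being present; the live path is only taken when AL2_MOTD_LIVE=1 is set.

```shell
#!/bin/bash
# Added example (not from the thread): Ubuntu-style update summary for AL2.
# Assumed yum output formats are described in the lead-in; samples are constructed.

# Count available updates: unindented lines whose first field ends in an
# architecture. Indented continuation lines (wrapped names) and the obsoleted
# packages listed under "Obsoleting Packages" are skipped.
count_available_updates() {
    printf '%s\n' "$1" | awk '
        /^[^[:space:]]/ && $1 ~ /\.(x86_64|aarch64|noarch|i686)$/ { n++ }
        END { print n + 0 }'
}

# Count distinct packages carrying a security advisory: the second column
# ends in "/Sec."; severity capitalisation varies, so compare lower-cased.
count_security_updates() {
    printf '%s\n' "$1" | awk '
        tolower($2) ~ /\/sec\.$/ && !seen[$3]++ { n++ }
        END { print n + 0 }'
}

# Ubuntu MOTD wording for the two counts.
render_summary() {
    local avail="$1" sec="$2" w=updates
    if [ "$avail" -eq 1 ]; then w=update; fi
    printf '%s %s can be applied immediately.\n' "$avail" "$w"
    printf '%s of these updates are standard security updates.\n' "$sec"
}

# Constructed sample of `yum -q check-update`: four updates (one with a
# wrapped name) plus an obsoletes section that must not be double counted.
SAMPLE_CHECK_UPDATE='kernel.x86_64                      5.10.173-154.642.amzn2        amzn2-core
openssl.x86_64                     1:1.0.2k-24.amzn2.0.7         amzn2-core
a-package-with-a-deliberately-long-name.noarch
                                   2.0.1-1.amzn2                 amzn2-core
Obsoleting Packages
python3-pip.noarch                 20.2.2-1.amzn2.0.3            amzn2-core
    python2-pip.noarch             9.0.3-1.amzn2.0.2             @amzn2-core'

# Constructed sample of `yum -q updateinfo list security`: two advisories
# covering three packages.
SAMPLE_UPDATEINFO='ALAS2-2023-2011 important/Sec. kernel-5.10.173-154.642.amzn2.x86_64
ALAS2-2023-1985 medium/Sec.    openssl-1.0.2k-24.amzn2.0.7.x86_64
ALAS2-2023-1985 medium/Sec.    openssl-libs-1.0.2k-24.amzn2.0.7.x86_64'

# Live run against yum. Exit 100 from check-update means "updates available"
# and is not an error; anything else (stale metadata, no network) is reported.
al2_update_summary() {
    local check info rc=0
    check=$(yum -q check-update 2>/dev/null) || rc=$?
    if [ "$rc" -ne 0 ] && [ "$rc" -ne 100 ]; then
        echo "yum check-update failed (exit $rc)" >&2
        return "$rc"
    fi
    info=$(yum -q updateinfo list security 2>/dev/null) || true
    render_summary "$(count_available_updates "$check")" \
                   "$(count_security_updates "$info")"
}

if [ "${AL2_MOTD_LIVE:-0}" = 1 ]; then
    al2_update_summary
else
    render_summary "$(count_available_updates "$SAMPLE_CHECK_UPDATE")" \
                   "$(count_security_updates "$SAMPLE_UPDATEINFO")"
fi
```

The OP's `yum updateinfo` output lists the update-motd plugin, so the usual place for a script like this on AL2 is the MOTD hook directory (assumed here to be /etc/update-motd.d/, which runs numbered scripts); the counts are computed from advisory metadata, so they only change after yum's repository cache has been refreshed.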
You can use the amazon-linux-extras repository to upgrade the kernel.
First, run this command to get all available kernel versions:
sudo amazon-linux-extras | grep kernel
You will see a response similar to this:
 _  kernel-5.4          available  [ =stable ]
55  kernel-5.10=latest  enabled    [ =stable ]
62  kernel-5.15         available  [ =stable ]
The kernel version marked as enabled is the one installed on your machine.
To upgrade to a newer version (for example kernel-5.15), just run this command:
sudo amazon-linux-extras install kernel-5.15 -y
Now reboot the server with sudo reboot.
After rebooting, run uname -r to make sure that the newer version was installed successfully.
For more information, please refer to this link.
Kernel live patches are available for Amazon Linux 2 with kernel version 4.14.165-131.185 or later. To check your kernel version, run the following command.
[root@actsupport ~]# yum list kernel
If you already have a supported kernel version, skip this step. If not, run the following commands to update the kernel to the latest version and reboot the instance.
[root@actsupport ~]# sudo yum install -y kernel
[root@actsupport ~]# reboot
Install the yum plugin for Kernel Live Patching.
[root@actsupport ~]# yum install -y yum-plugin-kernel-livepatch
Enable the yum plugin for Kernel Live Patching.
[root@actsupport ~]# yum kernel-livepatch enable -y
This command also installs the latest version of the kernel live patch RPM from the configured repositories.
To confirm that the yum plugin for kernel live patching has installed successfully, run the following command.
[root@actsupport ~]# rpm -qa | grep kernel-livepatch
When you enable Kernel Live Patching, an empty kernel live patch RPM is automatically applied. If Kernel Live Patching was successfully enabled, this command returns a list that includes the initial empty kernel live patch RPM.
Update and start the kpatch service. This service loads all of the kernel live patches upon initialization or at boot.
[root@actsupport ~]# yum update kpatch-runtime
[root@actsupport ~]# systemctl enable kpatch.service
Configure the Amazon Linux 2 Kernel Live Patching repository, which contains the kernel live patches.
[root@actsupport ~]# amazon-linux-extras enable livepatch
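The steps above as one re-runnable script, with the kernel version check made explicit rather than left to the reader. This is an added example, not code from the answer or from AWS; it assumes the minimum kernel 4.14.165-131.185 quoted above, that `sort -V` is available (GNU coreutils, as on Amazon Linux 2), and the package name prefixes yum-plugin-kernel-livepatch- and kernel-livepatch- for the rpm check. The yum and systemctl steps only run when RUN_LIVEPATCH_SETUP=1 is set.

```shell
#!/bin/bash
# Added example (not from the answer): Kernel Live Patching setup for AL2
# with an explicit minimum-kernel check. Minimum version taken from the text.

LIVEPATCH_MIN_KERNEL="4.14.165-131.185"

# Return 0 if KERNEL_RELEASE (as printed by `uname -r`, arch suffix included)
# is at least the minimum that supports live patching, 1 otherwise.
# `sort -V` orders the two strings; if the minimum sorts first, we are fine.
kernel_supports_livepatch() {
    local ver="$1" first
    first=$(printf '%s\n' "$LIVEPATCH_MIN_KERNEL" "$ver" | sort -V | head -n1)
    [ "$first" = "$LIVEPATCH_MIN_KERNEL" ]
}

# Return 0 if an `rpm -qa` listing (passed as text) contains both the yum
# plugin and at least one kernel-livepatch RPM, which is what the
# `rpm -qa | grep kernel-livepatch` check above is looking for.
livepatch_rpms_present() {
    printf '%s\n' "$1" | awk '
        /^yum-plugin-kernel-livepatch-/ { plugin = 1 }
        /^kernel-livepatch-/            { patch = 1 }
        END { exit !(plugin && patch) }'
}

# The procedure from the answer, in its order. Returns 2 when a reboot into
# a newer kernel is required before live patching can be enabled.
enable_livepatch() {
    local running
    running=$(uname -r)
    if ! kernel_supports_livepatch "$running"; then
        echo "kernel $running is older than $LIVEPATCH_MIN_KERNEL; installing latest kernel" >&2
        yum install -y kernel
        echo "reboot into the new kernel, then run this script again" >&2
        return 2
    fi
    yum install -y yum-plugin-kernel-livepatch
    yum kernel-livepatch enable -y
    yum update -y kpatch-runtime
    systemctl enable --now kpatch.service
    amazon-linux-extras enable livepatch
    if ! livepatch_rpms_present "$(rpm -qa)"; then
        echo "live patch RPMs not found after enabling; check yum output" >&2
        return 1
    fi
    echo "kernel live patching enabled on $running"
}

if [ "${RUN_LIVEPATCH_SETUP:-0}" = 1 ]; then
    enable_livepatch
fi
```

Live patches cover the running kernel for a limited window, so this does not replace the reboot into a newer kernel described in the amazon-linux-extras answer; it buys time between reboots.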
As outlined in the section Security Updates within Amazon Linux AMI Basics, Amazon Linux AMIs are configured to download and install security updates at launch time, i.e., if you do not need to preserve data or customizations on your running Amazon Linux AMI instances, you can simply relaunch new instances from the latest updated Amazon Linux AMI (see the section Product Life Cycle for details).
This currently includes only Critical or Important security updates, though; see the AWS team's response to Best practices for Amazon Linux image security updates:
The default on Amazon Linux AMI is to install any Critical or Important security updates on launch. This is a function of cloud-init and can be modified in cloud.cfg on the box or by passing in user-data. This is why you see some security updates still available at launch.
Consequently, if you want to install all security updates, or need to preserve data or customizations on your running Amazon Linux AMI instances, you can maintain those instances through the Amazon Linux AMI yum repositories, i.e., use the regular yum update mechanism as outlined for the yum-security plugin:
# yum update --security
Please note: this does not work if only security updates are selected, due to the fact that security updates are not properly flagged in CentOS and Amazon Linux. This may be a matter of Red Hat making security a paid feature which, if I'm being frank, is bullshit. For this to work you must update the yum-cron config file to install all updates. This makes security updates less likely to run reliably, which makes everyone less secure.
update_cmd = default
Amazon Linux runs updates when the host boots for the first time. If you plan to have hosts up long-term, you may also want to enable automatic security updates. I recommend using yum-cron:
sudo yum install yum-cron
The config file is here (you probably want to just run security updates):
/etc/yum/yum-cron.conf
You can then enable yum-cron like so:
sudo service yum-cron start
Edit, from a useful comment below: "If you're creating/destroying instances with an auto-scaling group, etc., the command should be something like sudo yum update -y in user data."
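The two answers above point at the same file but leave the actual settings to the reader, and the stock yum-cron configuration only downloads updates without applying them. The script below, an added example that is not code from either answer, puts the weak default next to the corrected settings and includes a check that the file will really install security updates unattended. It assumes the layout of /etc/yum/yum-cron.conf with a [commands] section holding update_cmd, download_updates and apply_updates (the constructed sample below abbreviates that file), and that the repositories carry security metadata, which the OP's `yum updateinfo` output shows is the case on Amazon Linux 2. The install and service steps only run when RUN_YUM_CRON_SETUP=1 is set.

```shell
#!/bin/bash
# Added example (not from the thread): configure and verify yum-cron for
# unattended security-only updates. Config layout is assumed; sample is constructed.

# Print the value of KEY from yum-cron config FILE; last occurrence wins,
# comment lines ("# security = ...") are not keys. Prints nothing if absent.
yum_cron_get() {
    local key="$1" file="$2"
    awk -F= -v k="$key" '
        $1 ~ ("^[[:space:]]*" k "[[:space:]]*$") {
            v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); val = v
        }
        END { print val }' "$file"
}

# Rewrite the three keys in place so that a run applies security updates
# only; everything else in the file is left untouched.
yum_cron_set_security_only() {
    local file="$1"
    sed -i -E \
        -e 's/^(update_cmd[[:space:]]*=).*/\1 security/' \
        -e 's/^(download_updates[[:space:]]*=).*/\1 yes/' \
        -e 's/^(apply_updates[[:space:]]*=).*/\1 yes/' "$file"
}

# Return 0 only if FILE will actually install security updates unattended:
# apply_updates must be yes and update_cmd a security mode.
yum_cron_applies_security() {
    local file="$1" apply cmd
    apply=$(yum_cron_get apply_updates "$file")
    cmd=$(yum_cron_get update_cmd "$file")
    [ "$apply" = "yes" ] || return 1
    case "$cmd" in
        security|security-severity:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed, abbreviated copy of the stock [commands] section: the weak
# default downloads updates but never applies them.
STOCK_YUM_CRON_CONF='[commands]
#  What kind of update to use:
# default                            = yum upgrade
# security                           = yum --security upgrade
update_cmd = default
update_messages = yes
download_updates = yes
apply_updates = no
random_sleep = 360
'

# Show the before/after on the constructed sample.
demo_yum_cron() {
    local tmp
    tmp=$(mktemp)
    printf '%s' "$STOCK_YUM_CRON_CONF" > "$tmp"
    if yum_cron_applies_security "$tmp"; then echo "stock: applies security updates"
    else echo "stock: apply_updates=$(yum_cron_get apply_updates "$tmp"), update_cmd=$(yum_cron_get update_cmd "$tmp") (download only)"; fi
    yum_cron_set_security_only "$tmp"
    if yum_cron_applies_security "$tmp"; then echo "fixed: apply_updates=yes, update_cmd=security"; fi
    rm -f "$tmp"
}

if [ "${RUN_YUM_CRON_SETUP:-0}" = 1 ]; then
    yum install -y yum-cron
    yum_cron_set_security_only /etc/yum/yum-cron.conf
    yum_cron_applies_security /etc/yum/yum-cron.conf || { echo "yum-cron.conf not in security mode" >&2; exit 1; }
    systemctl enable --now yum-cron
else
    demo_yum_cron
fi
```

A kernel update pulled in this way still needs a reboot (or live patching) before the running kernel changes, which is why the OP's `yum updateinfo` shows an installed security kernel that is not the running one.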
My recipe (/etc/cron.daily/dnf-updates):
#!/bin/bash
# Newest AL2023 release version; the script treats an empty result as "already current".
readonly V=$(/usr/bin/dnf check-release-update --latest-only --version-only 2>&1)
# Apply security upgrades from that release, moving the repo pointer to it.
[ -n "$V" ] && /usr/bin/dnf upgrade --security --assumeyes --releasever=$V
Shortcut:
/usr/bin/dnf upgrade --security --assumeyes --releasever=latest
systemd timers replaced cron in AL2023, so ggrandes' answer did not work for me.
I was able to set up a systemd timer quite easily though.
First create /etc/systemd/system/dnf-security-upgrade.service with the following contents:
[Unit]
Description=Automatic security upgrades for dnf packages
[Service]
Type=oneshot
ExecStart=/usr/bin/dnf upgrade --security --assumeyes --releasever=latest
Then create /etc/systemd/system/dnf-security-upgrade.timer with the following contents:
[Unit]
Description=Timer for automatic security upgrades for dnf packages
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target
Now, reload the systemd daemon with:
systemctl daemon-reload
Finally, run the following command to start the timer:
systemctl enable --now dnf-security-upgrade.timer