Worked it out - AWS Elastic Beanstalk in all their wisdom append a "-$guid" to the YUM repo list on an instance, which must be stuck in their CDN as it was returning an out-of-date package list. I have resolved via:
sed -i 's/-$guid//g' /etc/yum.repos.d/amzn2-core.repo
Answer from Phil Peters on Stack Overflow
amazon linux 2 yum missing update (AWS Security Center) - Stack Overflow
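The same fix as a reviewable script, added here as an example and not part of Phil Peters's answer: it takes a backup, only rewrites the file when the suffix is actually present, and reports whether anything changed. The repo file content below is a constructed sample resembling amzn2-core.repo, not copied from an instance.

```shell
#!/bin/bash
# Added example (not from the Stack Overflow answer): apply the "-$guid" fix
# the answer describes with a backup and a change check, so the edit can be
# reviewed before refreshing yum metadata.
set -eu

# strip_repo_guid FILE
# Removes every literal "-$guid" suffix from FILE in place, after copying it
# to FILE.bak.<timestamp>. Returns 0 if the file was modified, 1 if no suffix
# was present (nothing is written in that case).
strip_repo_guid() {
    local repo="$1"
    # "$guid" is literal text inside single quotes, not a shell variable; the
    # backslash keeps grep/sed from reading "$" as an end-of-line anchor.
    if ! grep -q -- '-\$guid' "$repo"; then
        return 1
    fi
    cp -p "$repo" "${repo}.bak.$(date +%Y%m%d%H%M%S)"
    sed -i 's/-\$guid//g' "$repo"
}

# Constructed sample resembling /etc/yum.repos.d/amzn2-core.repo. The URL
# variables are yum's own; "-$guid" is the suffix the answer removes.
workdir=$(mktemp -d)
sample="$workdir/amzn2-core.repo"
cat > "$sample" <<'EOF'
[amzn2-core]
name=Amazon Linux 2 core repository
mirrorlist=$awsproto://$amazonlinux.$awsregion.$awsdomain/$releasever/core/latest/$basearch/mirror.list-$guid
priority=10
gpgcheck=1
EOF

if strip_repo_guid "$sample"; then
    echo "removed -\$guid suffix, backup kept beside $sample"
else
    echo "no -\$guid suffix in $sample, nothing changed"
fi
grep '^mirrorlist=' "$sample"
```

On an instance, run strip_repo_guid as root against /etc/yum.repos.d/amzn2-core.repo, then `yum clean metadata` and `yum check-update --security` to confirm the fresh mirror list now reports the missing security updates. Leave gpgcheck=1 in place: it is what stops a stale or tampered mirror list from installing unsigned packages.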
How do you keep your EC2's updated? (Amazon Linux 2)
How do install security updates on an Amazon Linux AMI EC2 instance? - Stack Overflow
EC2 YUM --security check-update
The AWS security advisory link mentions that we have to do "yum update httpd". If it still does not work, I would say we have to update the yum repo.
Hi all, I wonder how you keep your production EC2s updated with minimal downtime.
This is what i get on my ec2:
[ec2-user@ec2 ~]$ yum updateinfo
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Security: kernel-5.10.165-143.735.amzn2.x86_64 is an installed security update
Security: kernel-5.10.130-118.517.amzn2.x86_64 is the currently running version
updateinfo summary done
We used to get lots of information from our Ubuntu EC2s, and I was wondering how we can get the same output with Amazon Linux 2:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.13.0-1031-aws x86_64)

88 updates can be applied immediately.
15 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
As outlined in the section Security Updates within Amazon Linux AMI Basics, Amazon Linux AMIs are configured to download and install security updates at launch time, i.e. if you do not need to preserve data or customizations on your running Amazon Linux AMI instances, you can simply relaunch new instances with the latest updated Amazon Linux AMI (see the section Product Life Cycle for details).
This currently includes only Critical or Important security updates though, see the AWS team's response to Best practices for Amazon Linux image security updates:
The default on Amazon Linux AMI is to install any Critical or Important security updates on launch. This is a function of cloud-init and can be modified in cloud.cfg on the box or by passing in user-data. This is why you see some security updates still available at launch.
Consequently, if you want to install all security updates or indeed need to preserve data or customizations on your running Amazon Linux AMI instances, you can maintain those instances through the Amazon Linux AMI yum repositories, i.e. you need to facilitate the regular Yum update mechanism as outlined for the yum-security plugin:
# yum update --security
Please note: This does not work if only security updates are selected, due to the fact that security updates are not properly flagged in CentOS and Amazon Linux. This may be a matter of Red Hat making security a paid feature which, if I'm being frank, is bullshit. For this to work you must update the yum-cron config file to install all updates. This makes security updates less likely to run reliably, which makes everyone less secure.
update_cmd = default
Amazon Linux runs updates when the host boots for the first time. If you plan to have hosts up long-term you may also want to enable automatic security updates. I recommend using yum-cron:
sudo yum install yum-cron
The config file is here: (you probably want to just run security updates)
/etc/yum/yum-cron.conf
You can then enable yum-cron like so:
sudo service yum-cron start
Edit from a useful comment below: If you're creating/destroying instances with an auto-scaling group, etc., the command should be something like "sudo yum update -y" in user data.
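The yum-cron answer above points at /etc/yum/yum-cron.conf but does not show which keys matter. As shipped, the file has update_cmd = default (every package) and apply_updates = no (download only, never install), so installing yum-cron on its own patches nothing. The script below, an added example that is not part of the answer, rewrites those keys idempotently against a constructed copy of the file and reads them back so the change can be audited. It sets update_cmd = security: on Amazon Linux 2 the repositories publish updateinfo security metadata (the yum updateinfo output quoted earlier on this page lists security updates by name), which is what that setting relies on.

```shell
#!/bin/bash
# Added example (not from the answer above): harden yum-cron so that it
# installs security updates instead of only downloading everything.
set -eu

# set_ini_key FILE KEY VALUE
# Replaces "KEY = anything" on the line where KEY already appears, or appends
# the key if it is missing. The match is anchored to the line start, so a
# commented-out "# apply_updates = yes" in the shipped file is left alone.
set_ini_key() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini_key FILE KEY -> prints the current value of KEY (first occurrence)
get_ini_key() {
    sed -nE "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# enable_security_autoupdate FILE
# Weak shipped defaults:  update_cmd = default   (all packages)
#                         apply_updates = no     (download, never install)
# Hardened:               update_cmd = security  (only updateinfo-flagged fixes)
#                         apply_updates = yes    (actually install them)
enable_security_autoupdate() {
    set_ini_key "$1" update_cmd security
    set_ini_key "$1" download_updates yes
    set_ini_key "$1" apply_updates yes
}

# Constructed sample of the [commands] section as yum-cron ships it.
workdir=$(mktemp -d)
conf="$workdir/yum-cron.conf"
cat > "$conf" <<'EOF'
[commands]
# What kind of update to use:
# default = yum upgrade
# security = yum --security upgrade
update_cmd = default
update_messages = yes
download_updates = yes
apply_updates = no
random_sleep = 360
EOF

enable_security_autoupdate "$conf"
echo "update_cmd=$(get_ini_key "$conf" update_cmd) apply_updates=$(get_ini_key "$conf" apply_updates)"
```

On a real instance, point enable_security_autoupdate at /etc/yum/yum-cron.conf and then run `sudo systemctl enable --now yum-cron` (Amazon Linux 2 is systemd-based; the `service yum-cron start` form in the answer still works). If you only want the highest-severity fixes unattended, yum-cron also accepts update_cmd = security-severity:Critical.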
You can use the amazon-linux-extras repository to upgrade the kernel.
First, run this command to get all available kernel versions:
sudo amazon-linux-extras | grep kernel
You will see a response similar to this:
_ kernel-5.4 available [ =stable ]
55 kernel-5.10=latest enabled [ =stable ]
62 kernel-5.15 available [ =stable ]
The kernel version marked as enabled is the one installed on your machine.
To upgrade to the newer version (for example kernel-5.15), just run this command:
sudo amazon-linux-extras install kernel-5.15 -y
Now, you need to reboot the server with:
sudo reboot
After rebooting, run the command uname -r to make sure that the newer version is successfully installed.
For more information, please refer to this link.
Kernel live patches are available for Amazon Linux 2 with kernel version 4.14.165-131.185 or later. To check your kernel version, run the following command.
[root@actsupport ~]# yum list kernel
If you already have a supported kernel version, skip this step. If you do not have a supported kernel version, run the following commands to update the kernel to the latest version and to reboot the instance.
[root@actsupport ~]# sudo yum install -y kernel
[root@actsupport ~]# reboot
Install the yum plugin for Kernel Live Patching.
[root@actsupport ~]# yum install -y yum-plugin-kernel-livepatch
Enable the yum plugin for Kernel Live Patching.
[root@actsupport ~]# yum kernel-livepatch enable -y
This command also installs the latest version of the kernel live patch RPM from the configured repositories.
To confirm that the yum plugin for kernel live patching has installed successfully, run the following command.
[root@actsupport ~]# rpm -qa | grep kernel-livepatch
When you enable Kernel Live Patching, an empty kernel live patch RPM is automatically applied. If Kernel Live Patching was successfully enabled, this command returns a list that includes the initial empty kernel live patch RPM.
Update and start the kpatch service. This service loads all of the kernel live patches upon initialization or at boot.
[root@actsupport ~]# yum update kpatch-runtime
[root@actsupport ~]# systemctl enable kpatch.service
Configure the Amazon Linux 2 Kernel Live Patching repository, which contains the kernel live patches.
[root@actsupport ~]# amazon-linux-extras enable livepatch
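Two checks that the kernel-upgrade answer and the live-patching walkthrough above both leave to the reader: whether a newer kernel is installed than the one running (the state the Reddit poster's yum updateinfo output shows, 5.10.165 installed and 5.10.130 running, which means the security fix is not in effect until reboot), and whether the running kernel meets the 4.14.165-131.185 minimum for live patching. This is an added example, not code from either post or from AWS; the version strings in the demo are constructed from the output quoted on this page, and the comparison splits Amazon Linux kernel versions on "." and "-" and ignores the ".amzn2.x86_64" tail.

```shell
#!/bin/bash
# Added example: reboot-pending and live-patch eligibility checks for
# Amazon Linux 2 kernel versions. Not part of the posts above.
set -eu

LIVEPATCH_MIN_KERNEL="4.14.165-131.185"

# strip_dist VERSION -> VERSION without the ".amzn2..." tail, so that
# "5.10.165-143.735.amzn2.x86_64" (uname -r) and "5.10.165-143.735.amzn2"
# (rpm -q kernel --qf '%{VERSION}-%{RELEASE}') compare as the same version.
strip_dist() {
    printf '%s\n' "$1" | sed -E 's/\.amzn2.*$//'
}

# version_cmp A B -> prints 1 if A is newer, -1 if older, 0 if equal.
# Fields are compared numerically in order: major.minor.patch-build.sub.
version_cmp() {
    local -a fa fb
    IFS='.-' read -ra fa <<< "$(strip_dist "$1")"
    IFS='.-' read -ra fb <<< "$(strip_dist "$2")"
    local i=0 n=${#fa[@]}
    if [ "${#fb[@]}" -gt "$n" ]; then n=${#fb[@]}; fi
    while [ "$i" -lt "$n" ]; do
        # Missing trailing fields count as 0; 10# forces base 10 so a
        # leading zero is not read as octal.
        local x=${fa[i]:-0} y=${fb[i]:-0}
        if ((10#$x > 10#$y)); then printf '%s\n' 1; return; fi
        if ((10#$x < 10#$y)); then printf '%s\n' -1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# livepatch_supported KERNEL -> 0 if KERNEL >= LIVEPATCH_MIN_KERNEL
livepatch_supported() {
    [ "$(version_cmp "$1" "$LIVEPATCH_MIN_KERNEL")" -ge 0 ]
}

# reboot_pending RUNNING INSTALLED... -> 0 if any installed kernel is newer
# than the running one, i.e. an installed fix is not yet in effect.
reboot_pending() {
    local running="$1" k
    shift
    for k in "$@"; do
        if [ "$(version_cmp "$k" "$running")" -gt 0 ]; then
            return 0
        fi
    done
    return 1
}

# Constructed demo values taken from the updateinfo output quoted above.
# On a live instance use:  reboot_pending "$(uname -r)" $(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n')
running="5.10.130-118.517.amzn2.x86_64"
installed="5.10.130-118.517.amzn2 5.10.165-143.735.amzn2"
if reboot_pending "$running" $installed; then
    echo "reboot pending: running $running but a newer kernel is installed"
fi
if livepatch_supported "$running"; then
    echo "running kernel supports live patching (minimum $LIVEPATCH_MIN_KERNEL)"
fi
```

A kernel that only shows up as "installed security update" in yum updateinfo is the case reboot_pending catches; with live patching enabled, kpatch can close the gap for supported CVEs until the next maintenance window, but it does not make the reboot-pending state go away.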
Hello Reddit.
I'm trying to launch an EC2 instance in Northern Virginia using the following bash script
#!/bin/bash
yum update -y
however it does not update, and it locks the yum process so I cannot do anything after that. This used to work fine in Linux 1. Any ideas? I'm quite new to this so apologies for the noob question!