
I manage some EC2 instances running Amazon Linux (not sure what version), which need security patches.

A lot of software was patched fine, but we are stuck on the kernel upgrade. We are unable to use the latest kernel version as we wanted. Here is what we have done:

  1. Get the latest kernel version from the Amazon repository by executing yum update. The system reports that we have the newest kernel version as expected and there is nothing left to update.
  2. After we got the latest kernel version, we restarted the EC2 instance by clicking Reboot in the EC2 console. After the instance restarted, we checked its kernel version with the command uname -r. It reports that we are still using the same kernel version, not the latest one as we expected.

What have we missed? Please help.

Tim

2 Answers

Kernel live patches are available for Amazon Linux 2 with kernel version 4.14.165-131.185 or later. To check your kernel version, run the following command.

[root@actsupport ~]# yum list kernel

If you already have a supported kernel version, skip this step. If you do not have a supported kernel version, run the following commands to update the kernel to the latest version and to reboot the instance.

[root@actsupport ~]# yum install -y kernel
[root@actsupport ~]# reboot

Install the yum plugin for Kernel Live Patching.

[root@actsupport ~]# yum install -y yum-plugin-kernel-livepatch

Enable the yum plugin for Kernel Live Patching.

[root@actsupport ~]# yum kernel-livepatch enable -y

This command also installs the latest version of the kernel live patch RPM from the configured repositories.

To confirm that the yum plugin for kernel live patching has installed successfully, run the following command.

[root@actsupport ~]# rpm -qa | grep kernel-livepatch

When you enable Kernel Live Patching, an empty kernel live patch RPM is automatically applied. If Kernel Live Patching was successfully enabled, this command returns a list that includes the initial empty kernel live patch RPM.

Update and start the kpatch service. This service loads all of the kernel live patches upon initialization or at boot.

[root@actsupport ~]# yum update kpatch-runtime
[root@actsupport ~]# systemctl enable kpatch.service

Configure the Amazon Linux 2 Kernel Live Patching repository, which contains the kernel live patches.

[root@actsupport ~]# amazon-linux-extras enable livepatch

Ryan

You can use the amazon-linux-extras repository to upgrade the kernel.

First, run this command to get all available kernel versions:

sudo amazon-linux-extras | grep kernel

You will see a response similar to this:

  _  kernel-5.4               available    [ =stable ]
 55  kernel-5.10=latest       enabled      [ =stable ]
 62  kernel-5.15              available    [ =stable ]

The kernel version marked as enabled is the one installed on your machine.

To upgrade to a newer version (for example kernel-5.15), just run this command:

sudo amazon-linux-extras install kernel-5.15 -y

Now you need to reboot the server with sudo reboot.

After rebooting, run the command uname -r to make sure that the newer version was installed successfully.

For more information, please refer to this link.
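A check for the state the question describes (a newer kernel RPM installed, but uname -r still reporting the old one), added here as an example and not taken from either answer. The version strings are constructed samples; the --live mode assumes an Amazon Linux host where rpm and uname are available.

```shell
#!/bin/sh
# Compare the running kernel with the installed kernel packages to tell
# "already on the newest kernel" apart from "newer kernel installed but
# the instance has not actually booted into it".

# kernel_status RUNNING INSTALLED_VERSION...
# Prints one of: up-to-date, reboot-needed, not-installed.
kernel_status() {
    running="$1"; shift
    # Highest installed version by natural version ordering (GNU sort -V).
    newest=$(printf '%s\n' "$@" | sort -V | tail -n 1)
    found=no
    for v in "$@"; do
        [ "$v" = "$running" ] && found=yes
    done
    if [ "$running" = "$newest" ]; then
        echo up-to-date
    elif [ "$found" = yes ]; then
        echo reboot-needed      # the newer package is installed, not booted
    else
        echo not-installed      # running kernel's package is no longer present
    fi
}

# live_kernel_status: query the real host. rpm's VERSION-RELEASE.ARCH for the
# kernel package matches the string uname -r prints on Amazon Linux.
live_kernel_status() {
    running=$(uname -r)
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel)
    # shellcheck disable=SC2086  (word-splitting on newlines is intended)
    kernel_status "$running" $installed
}

if [ "${1:-}" = "--live" ]; then
    live_kernel_status
else
    # Constructed sample values mirroring the question: yum installed a newer
    # kernel, but the instance still runs the old one after the reboot.
    kernel_status "4.14.209-160.339.amzn2.x86_64" \
                  "4.14.209-160.339.amzn2.x86_64" "5.10.135-122.509.amzn2.x86_64"
fi
```

Run it with --live on the instance after a reboot; "reboot-needed" after a reboot means the boot loader is still defaulting to the old kernel entry rather than the newly installed one.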