
I've got a bunch of clients' virtual machines run by various providers who use Xen paravirtualisation. Almost all of these are Debian or Debian-based systems.

I rely on APT pretty heavily to track what security updates need doing, but with a paravirtualised system, the kernel that's actually running is typically not the one that APT installs, even after a reboot. Actually updating the kernel generally involves messing about with a control panel or API. Unfortunately the providers tend not to do very well at informing me when I'm using an old kernel.

Is there a tool that I can use within a VPS to monitor what kernel version is actually running (e.g. uname -a), and some online source of security info, and let me know when there's a security issue I need to address?

I'm not sure quite how this should work, given that a huge proportion of the kernel security issues tend to be in drivers, many of which would not be applicable, but maybe someone has done the thinking here to come up with a good strategy?

mc0e
  • For KVM/Xen/VMware/VirtualBox the kernel running in the container is the one installed by apt. For OpenVZ/LXC/etc it is not. Paravirtualised is when the drivers in the container interface with an optimized software interface instead of emulated real hardware provided by the host. – Brian Dec 08 '15 at 15:18
  • @Brian Depends on Xen version. Originally it was paravirtualized and it's still in use. – Sami Kuhmonen Dec 08 '15 at 15:48
  • @Brian: For Xen as run by DigitalOcean and RimuHosting, the kernel is controlled by control panel or API, and not by APT. Xen supports other modes of virtualisation also. https://en.wikipedia.org/wiki/Xen#Types_of_virtualization – mc0e Dec 09 '15 at 16:53
  • The issue isn't really about the virtualisation, but rather about how to script checking of security issues associated with the running kernel. – mc0e Dec 10 '15 at 19:00
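
The drift the question describes (a running kernel older than the one APT has installed) can be detected from inside the guest. The script below is an added example, not part of the original thread; the function names are hypothetical, and it assumes GNU `sort -V` and Debian's `linux-image-<version>-<flavour>` package naming. The sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): detect a running kernel that is older
# than the newest kernel image APT has installed on a Debian-style guest.

# Reduce "linux-image-3.16.0-4-amd64" or "3.16.0-4-amd64" to "3.16.0-4".
# Names with no numeric version (e.g. linux-image-amd64) yield no output.
kernel_numeric() {
    printf '%s\n' "$1" |
        sed -n 's/^\(linux-image-\)\{0,1\}\([0-9][0-9.]*\(-[0-9][0-9]*\)\{0,1\}\).*/\2/p'
}

# Read package names on stdin, print the highest numeric version among them.
newest_installed() {
    while IFS= read -r pkg; do kernel_numeric "$pkg"; done | sort -V | tail -n 1
}

# kernel_status RUNNING_RELEASE PACKAGE_LIST -> current | stale | ahead | unknown
kernel_status() {
    running=$(kernel_numeric "$1")
    newest=$(printf '%s\n' "$2" | newest_installed)
    if [ -z "$running" ] || [ -z "$newest" ]; then echo unknown; return 2; fi
    if [ "$running" = "$newest" ]; then echo current; return 0; fi
    top=$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)
    if [ "$top" = "$newest" ]; then echo stale; return 1; fi
    echo ahead   # provider-supplied kernel newer than anything APT installed
}

# Live check: compare `uname -r` with the installed linux-image-* packages.
check_host() {
    pkgs=$(dpkg-query -W -f='${Status} ${Package}\n' 'linux-image-*' 2>/dev/null |
        awk '$3 == "installed" { print $4 }')
    kernel_status "$(uname -r)" "$pkgs"
}

# Run the live check only when asked, e.g. from cron: sh kernelcheck.sh --check
if [ "${1:-}" = "--check" ]; then check_host; fi
```

A `current` result means the same ABI series, not necessarily the same patch level, since Debian does not change the name in `uname -r` for every security upload. A `stale` result (exit status 1) is the case where the provider's control panel or API still boots an older kernel than APT has installed.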

0 Answers