Getting Started: Deploying and Configuring Oracle Autonomous Linux on Oracle Cloud Infrastructure

Version 11

    Introduction

     

    Oracle Autonomous Linux executes automatic patch updates and tuning—without human interaction—improving IT staff productivity, security, and availability. It is available with Oracle Linux Premier Support at no cost to Oracle Cloud customers. Oracle Autonomous Linux is based on Oracle Linux, which is binary-compatible with Red Hat Enterprise Linux, allowing IBM Red Hat customers to immediately start using the service with current applications on Oracle Cloud Infrastructure (OCI).

     

    This document will guide you through the deployment of Oracle Autonomous Linux on Oracle Cloud Infrastructure, including setting up notifications to keep you notified of autonomous actions performed.

     

    Deploying Oracle Autonomous Linux on OCI

     

    Installation Requirements

     

    • Oracle Autonomous Linux is available for deployment on Oracle Cloud Infrastructure. You will need an Oracle Cloud Infrastructure account.
    • Oracle Autonomous Linux can be deployed on OCI compute resources (bare metal and virtual machine shapes) and on Oracle Cloud Always Free Tier compute (VM.Standard.E2.1.Micro shape).
    • Oracle Autonomous Linux updates leverage Oracle Ksplice for zero-downtime kernel and key user space patching. Ksplice updates require Internet access. For Internet access on OCI, add and configure a NAT Gateway or Internet Gateway in your OCI Virtual Cloud Network (VCN). Note that a NAT Gateway or an Internet Gateway is required in order to allow Ksplice to receive updates, even if a Service Gateway is already configured.

     

    Configuring OCI Notifications

     

    The Oracle Cloud Infrastructure Notifications service can be configured to receive email, PagerDuty, or Slack status messages from your instance when Ksplice and/or yum updates have been applied or when certain known exploit attempts have been detected by Ksplice. Before you create the new instance, it is recommended to configure notifications for Autonomous Linux. The following outlines how to set up notifications:

     

    In the OCI console main drop-down menu, under Solutions and Platform, select Application Integration -> Notifications.

    You will need to create a topic. A topic is a communication channel for sending OCI messages to its subscriptions. A topic can have zero, one, or multiple subscriptions that are notified whenever a message is published to a topic.

     

    In this example we will simply name the topic Autonomous.


    Once the topic is created, you will need to subscribe to it. In this example, the subscription PROTOCOL is Email. Choose the topic from the drop-down menu and fill in the email address that should receive notifications for the topic. You can add more than one email address.

     

    After you have created the subscription, the email(s) specified will receive a confirmation email. Follow the instructions in the email(s) to authorize the receipt of notifications for the email address(es).


    For later steps when creating the Autonomous Linux instance, you will need the topic OCID that was generated. You can find and copy the topic OCID by going to Application Integration -> Notifications -> Subscriptions, selecting the subscription you created, and clicking on the topic.

     

    Configuring an Instance for Notifications

     

    In order to configure your Autonomous Linux instances for notifications you can either create a dynamic group and have the instance added to the topic automatically, or you can choose to register the instance manually after its creation.

     

    Below are the steps for both approaches.

     

    Automatic Notification Registration with Dynamic Groups and cloud-init

     

    With an OCI dynamic group, you can associate instances with certain policies. You can create a dynamic group by specifying a compartment and a policy for that group that instructs all instances in that compartment to be automatically subscribed to your topic during cloud initialization using cloud-init.

     

    From the main menu, under Governance and Administration, select Identity -> Dynamic Groups to create a new group.

    In this example, the group Autonomous-Group is configured to match all instances in a particular compartment (autonomous-linux-compartment) with the following rule, using the OCID of your compartment:

     

    ALL {instance.compartment.id = 'ocid1.compartment.oc1..xxxaaaaaiydkxepmxy45zu436zvbn7vrcfscwjwe7xekw43upf2qpn4zvlma'}


     

    Once the group is created, specify a policy that connects the dynamic group with your topic. From the main menu, under Governance and Administration, select Identity -> Policies to create a new policy.

     

    Define a policy that allows the dynamic group Autonomous-Group defined earlier to publish to notification topics in the compartment autonomous-linux-compartment, which is what registering an instance requires. Specify the statement, providing the name of the dynamic group and the compartment, as follows:

     

    Allow dynamic-group Autonomous-Group to use ons-topics in compartment autonomous-linux-compartment where request.permission='ONS_TOPIC_PUBLISH'


    You can now proceed to the next section on Launching an Oracle Autonomous Linux Instance.

     

    Launching an Oracle Autonomous Linux Instance

     

    To launch an Oracle Autonomous Linux instance, navigate from the Main Menu to Compute -> Instances, and click on Create Instance. Alternatively, from the OCI home page, under Quick Actions, click on Create a VM Instance.

    On the Create Compute Instance page, click on Change Image Source.

     


     

    This takes you to the OCI Image Catalog. Select Oracle Autonomous Linux under Platform Images, and click Select Image.

     

     

    This will take you back to the Create Compute Instance page:

      • Specify the instance configuration parameters including the Availability Domain, Instance Type, Compute Shape, network information, SSH key, and other relevant details.
      • Scroll down and click on Advanced Options.
        • Select the Compartment for your instance.
        • Select Paste cloud-init script. You will need the topic OCID generated earlier. You can find and copy the topic OCID by going to Application Integration -> Notifications -> Subscriptions, selecting the subscription you created, and clicking on the topic. Paste the following script, replacing the topic OCID with your own:

                   #!/bin/bash
                   # Register this instance with the notification topic.
                   # Replace the OCID below with your own topic OCID.
                   al-config -T ocid1.onstopic.oc1.phx.xxxaaaaaxpgwyvuj5javrwvu7sppeingkfh3zhpcmwudhevz7s6ecywesrlq

    Click on Create to deploy the image. The Autonomous Linux image will be provisioned and automatically started.

     

    Manually Registering an Instance with a Notification Topic (Optional)

     

    An alternate method to register an instance with a notification topic is to manually register the instance after its creation by connecting to it with SSH and performing the following tasks.

     

    Obtain an API Key

     

    You can skip this step if you already have an API key registered. Otherwise, generate an API key pair with the following commands and upload the public key (oci_api_key_public.pem) under User Settings -> API Keys in the OCI Console.

     

    mkdir ~/.oci
    # Generate the private key. Use ONE of the next two lines:
    openssl genrsa -out ~/.oci/oci_api_key.pem -aes128 2048   # passphrase-protected
    openssl genrsa -out ~/.oci/oci_api_key.pem 2048           # no passphrase
    # Restrict the private key to your own user
    chmod go-rwx ~/.oci/oci_api_key.pem
    # Derive the public key; this is the file you upload under User Settings -> API Keys
    openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem

     

    Commands to Configure Instance for Notifications

     

    Once the instance is up, copy the API key to your instance and SSH into it.

     

    $ scp ~/.oci/oci_api_key.pem opc@<Public IP of your instance>:
    

     

    You need to get your Tenancy OCID under Administration -> Tenancy Details and your User OCID under User Settings. Then SSH into the instance and configure it for your tenancy and user by providing the API key. Substitute your own tenancy and user OCIDs for the values shown below.

     

    [opc@autonomous-linux ~]$ sudo al-config \
         -u ocid1.user.oc1..xxxaaaaacawrvomnea7lwgjd56ahne3crjnv4lpwb675dog77q75glac7cta \
         -t ocid1.tenancy.oc1..xxxaaaaaqeq4bzhikdf3brmhqb667jg4xvtcp4t2io5exogs2oupk4x3w2ya \
         -k ./oci_api_key.pem 
    Configured OCI CLI profile.
    Please delete ./oci_api_key.pem
    

     

    After configuration of the instance for the tenancy, you can register the instance for your topic. Use the topic OCID you copied earlier.

     

    [opc@autonomous-linux ~]$ sudo al-config -T ocid1.onstopic.oc1.phx.xxxaaaaaxpgwyvuj5javrwvu7sppeingkfh3zhpcmwudhevz7s6ecywesrlq
    Configured OCI notification service topic OCID.
    Publishing message 'AL: Notification enabled on instance autonomous-linux'
    Published message 'AL: Notification enabled on instance autonomous-linux'
    

     

    You will now receive email notifications when the Autonomous Linux instance receives updates. Here is an example of such an e-mail:

     

    +------------------------------------------------------------------------+
    |  Summary (Wed Oct 30 20:42:07 GMT 2019)                                |
    +------------------------------------------------------------------------+
    Ksplice updates installed: no
    Yum updates installed: no
    Uptime: 20:42:07 up 7 days,  2:11,  0 users,  load average: 0.00, 0.00, 0.00
    +------------------------------------------------------------------------+
    |  Ksplice upgrade report                                                |
    +------------------------------------------------------------------------+
    Running 'ksplice -y all upgrade'.
    Updating on-disk packages for new processes
    Loaded plugins: langpacks, ulninfo
    No packages marked for update
    Nothing to do.
    Nothing to be done.
    Your kernel is fully up to date.
    Effective kernel version is 4.14.35-1902.6.6.el7uek
    +------------------------------------------------------------------------+
    |  Yum upgrade report                                                    |
    +------------------------------------------------------------------------+
    Running 'yum-cron' with update cmd: default.
    +------------------------------------------------------------------------+
    |  Ksplice updates status                                                |
    +------------------------------------------------------------------------+
    Running 'ksplice all show'.
    Ksplice user-space updates:
    No Ksplice user-space updates installed

    Ksplice kernel updates:
    Installed updates:
    [1rw4f14x] Known exploit detection.
    [eexuzyat] Known exploit detection for CVE-2017-7308.
    [bum1jlug] Known exploit detection for CVE-2018-14634.
    [p31wiydb] KPTI enablement for Ksplice.
    [oql5q0mj] Known exploit detection for CVE-2018-18445.
    [mi2zbfso] Ksplice support for Intel VMX KVM patching.
    [ob2ewq0l] NULL pointer dereference during hardware reconfiguration in Cisco VIC Ethernet NIC driver.
    [fy1cbq79] Information leak in mlx5 Infiniband driver.
    [4e9tjq41] CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.
    [cekayf8k] Resource leak when deleting FIB nexthop exception.
    [rdeboz7n] CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.
    [3mf3ni0u] NULL pointer dereference in Reliable Datagram Socket binding.
    [3rn9edej] NULL pointer dereference in Xen network device error handling.
    [oe2jk3nj] Guest kernel crash in AMD VM Spectre v4 mitigation.
    [lqsoaazr] Information leak in Reliable Datagram Sockets IPv6 message info.
    [pm096u5d] CVE-2019-15666: Denial-of-service in network transformation policy removal.
    [f4gncqwi] Network device resource leak in Infiniband device destruction.

    Effective kernel version is 4.14.35-1902.6.6.el7uek
    --
    You are receiving notifications as a subscriber to the topic: Autonomous (Topic OCID: ocid1.onstopic.oc1.phx.xxxaaaaaxpgwyvuj5javrwvu7sppeingkfh3zhpcmwudhevz7s6ecywesrlq). To stop receiving notifications from this topic, unsubscribe.
    Please do not reply directly to this email. If you have any questions or comments regarding this email, contact your administrator.
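    The notification above is plain text, so it is easy to turn into structured events (for a SIEM, a change ticket, or a simple "did this host change today?" check). The following parser is an added example, not part of the Oracle document or of the al-config tooling; it works on a constructed, abbreviated copy of the report above and assumes the box-banner and "[id] description" layout shown there.

```python
import re
# Constructed, abbreviated copy of the notification shown above (not a real message).
SAMPLE_REPORT = """\
+------------------------------------------------------------------------+
|  Summary (Wed Oct 30 20:42:07 GMT 2019)                                |
+------------------------------------------------------------------------+
Ksplice updates installed: no
Yum updates installed: no
+------------------------------------------------------------------------+
|  Ksplice updates status                                                |
+------------------------------------------------------------------------+
Installed updates:
[1rw4f14x] Known exploit detection.
[4e9tjq41] CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.
[pm096u5d] CVE-2019-15666: Denial-of-service in network transformation policy removal.

Effective kernel version is 4.14.35-1902.6.6.el7uek
"""

SECTION_RE = re.compile(r"^\|\s*(.+?)\s*\|$")   # "|  Summary (...)  |" banner rows
UPDATE_RE = re.compile(r"^\[(\w+)\]\s+(.*)$")   # "[id] description" rows
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
KERNEL_RE = re.compile(r"^Effective kernel version is (\S+)$")


def parse_report(text: str) -> dict:
    """Turn the notification body into a dict a SIEM or ticketing hook can consume."""
    report = {"summary": {}, "updates": [], "cves": [], "kernel": None}
    section = None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line.startswith("+---"):
            continue                                   # box borders carry no data
        if banner := SECTION_RE.match(line):
            section = banner.group(1)                  # e.g. "Summary (Wed Oct 30 ...)"
            continue
        if section and section.startswith("Summary") and ": " in line:
            key, value = line.split(": ", 1)           # split once: values may contain ": "
            report["summary"][key] = value
        elif update := UPDATE_RE.match(line):
            report["updates"].append({"id": update.group(1), "description": update.group(2)})
            report["cves"].extend(CVE_RE.findall(update.group(2)))
        elif kernel := KERNEL_RE.match(line):
            report["kernel"] = kernel.group(1)
    return report


def applied_changes(report: dict) -> bool:
    """True when the run installed something, i.e. the host changed and deserves a look."""
    return any(report["summary"].get(k) == "yes" for k in ("Ksplice updates installed", "Yum updates installed"))
```

    Feeding the parsed "cves" list and "kernel" value into your inventory gives you a per-host record of which Ksplice patches are live without logging in to each instance.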

     

    Connecting to the Instance

     

    Once the instance launches, you can connect to it using SSH. For detailed instructions, please see Accessing Your Instance.

    Use the following information to connect to the instance:

      • User: opc
      • IP Address: public IP address of the instance
      • id_rsa: path to the SSH-2 RSA private key file

    For example:

    $ ssh -i id_rsa opc@<IP Address>

    Running Administrative Commands

    You can use sudo to run commands.

    For example, to show instance metadata, including region, compartment and IP address run:

    $ sudo oci-metadata

    Configuring the Auto-Update Time

     

    Oracle Autonomous Linux performs auto-updates on a daily basis, if updates are available. Patches are automatically updated at a specific random time generated by Autonomous Linux within a given update window. The update time window is specified as a 0-24 hour window, where for example, 13 is 1 PM, and 24 is 12 AM.

     

    The default update time window is 4 hours and starts 2 hours from the first boot time of the instance. For example, if the Autonomous Linux instance first booted at 14:10 (2:10 PM) or at 14:55 (2:55 PM), the default update window in both cases is 16-20 (4 PM-8 PM). The daily update time is then randomly generated between 4 PM and 8 PM. Auto-updates will then be performed at the same generated time every day.

     

    The al-config utility allows you to configure the daily auto-update window so you can control the time window in which an auto-update is performed daily.

     

    Use the al-config utility as follows:

     

    •   al-config -w [time window]
    •   al-config -s

    Options:

      •   -w [time window]   Time window string in the format <start_hour>-<end_hour>. <start_hour> and <end_hour> must be integers between 0 and 23. This time window specifies the acceptable time interval in which the daily updates can run. Minimum window is 2 hours, maximum window is 6 hours.
      •   -s                 Show the current auto-update time window and update time.

     

    Examples:

     

    • Configure update time window and update time:

     

    $ sudo al-config -w 23-4
    Configured daily auto update time window(24-hour): 23-4
    Configured daily auto update time(24-hour): 02:18
    Created cron job file /etc/cron.d/al-update.

     

    • Show the current update time window and update time:

     

    $ sudo al-config -s
    Current daily auto update time window(24-hour): 23-4
    Current daily auto update time(24-hour): 02:18

     

    This command can be used to show when an update is scheduled to occur each day. You can check the Autonomous Linux log located at /var/log/al.log, or set up notifications to let you know when an update has occurred.
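    The window rules above (integers 0-23, 2 to 6 hours wide, windows such as 23-4 that wrap past midnight, and the default of boot hour + 2 for 4 hours) are easy to get wrong when you script instance builds. The following helper is an added example, not Oracle's al-config code; it validates a -w string the way the documentation describes it, derives the default window from a first-boot time, and checks a scheduled HH:MM against a window. Treating the end hour as exclusive when picking a time is an assumption.

```python
import random
from datetime import datetime

MIN_WINDOW_HOURS, MAX_WINDOW_HOURS = 2, 6          # limits stated for al-config -w
DEFAULT_OFFSET_HOURS, DEFAULT_WINDOW_HOURS = 2, 4  # default window: boot hour + 2, lasting 4 hours


def window_length(start_hour: int, end_hour: int) -> int:
    """Hours in a window that may wrap past midnight (23-4 is 5 hours, 16-20 is 4)."""
    return (end_hour - start_hour) % 24


def parse_window(window: str) -> tuple[int, int]:
    """Validate a '<start_hour>-<end_hour>' string the way al-config -w describes it."""
    try:
        start_text, end_text = window.split("-")
        start_hour, end_hour = int(start_text), int(end_text)
    except ValueError:
        raise ValueError(f"expected <start_hour>-<end_hour>, got {window!r}") from None
    if not all(0 <= hour <= 23 for hour in (start_hour, end_hour)):
        raise ValueError(f"hours in {window!r} must be integers between 0 and 23")
    length = window_length(start_hour, end_hour)
    if not MIN_WINDOW_HOURS <= length <= MAX_WINDOW_HOURS:
        raise ValueError(f"{window!r} spans {length} hours; allowed {MIN_WINDOW_HOURS}-{MAX_WINDOW_HOURS}")
    return start_hour, end_hour


def default_window(first_boot: datetime) -> tuple[int, int]:
    """Default window from first boot: whole boot hour + 2, so 14:10 and 14:55 both give 16-20."""
    start_hour = (first_boot.hour + DEFAULT_OFFSET_HOURS) % 24
    return start_hour, (start_hour + DEFAULT_WINDOW_HOURS) % 24


def pick_update_time(start_hour: int, end_hour: int, rng=random) -> str:
    """Random HH:MM inside the window; the end hour is treated as exclusive (an assumption)."""
    minutes = (start_hour * 60 + rng.randrange(window_length(start_hour, end_hour) * 60)) % (24 * 60)
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def in_window(hhmm: str, start_hour: int, end_hour: int) -> bool:
    """Check an HH:MM time (e.g. the one al-config -s reports) against a possibly wrapping window."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return ((hour - start_hour) % 24) * 60 + minute < window_length(start_hour, end_hour) * 60


if __name__ == "__main__":
    start, end = parse_window("23-4")
    print(f"23-4 spans {window_length(start, end)} h; example update time {pick_update_time(start, end)}")
```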

     

    More Information