Getting Started: Deploying and Configuring Oracle Autonomous Linux on Oracle Cloud Infrastructure

Introduction

Oracle Autonomous Linux executes automatic patch updates and tuning—without human interaction—improving IT staff productivity, security, and availability. It is available with Oracle Linux Premier Support at no cost to Oracle Cloud customers. Oracle Autonomous Linux is based on Oracle Linux, which is binary-compatible with Red Hat Enterprise Linux, allowing IBM Red Hat customers to immediately start using the service with current applications on Oracle Cloud Infrastructure (OCI).

This document will guide you through the deployment of Oracle Autonomous Linux on Oracle Cloud Infrastructure, including setting up notifications to keep you notified of autonomous actions performed.

Deploying Oracle Autonomous Linux on OCI

Installation Requirements

  • Oracle Autonomous Linux is available for deployment on Oracle Cloud Infrastructure. You will need an Oracle Cloud Infrastructure account.
  • Oracle Autonomous Linux can be deployed on OCI compute resources (bare metal and virtual machine shapes) and on Oracle Cloud Always Free Tier compute (VM.Standard.E2.1.Micro shape).
  • Oracle Autonomous Linux updates leverage Oracle Ksplice for zero-downtime kernel and key user space patching. Ksplice updates require Internet access. For Internet access on OCI, add and configure a NAT Gateway or Internet Gateway in your OCI Virtual Cloud Network (VCN). Note that a NAT Gateway or an Internet Gateway is required in order to allow Ksplice to receive updates, even if a Service Gateway is already configured.

Configuring OCI Notifications

The Oracle Cloud Infrastructure Notifications service can be configured to receive email, PagerDuty, or Slack status messages from your instance when Ksplice and/or yum updates have been applied, or when certain known exploit attempts have been detected by Ksplice. Before you create the new instance, it is recommended to configure notifications for Autonomous Linux. The following outlines how to set up notifications:

In the OCI console main drop-down menu, under Solutions and Platform, select Application Integration -> Notifications.


You will need to create a topic. A topic is a communication channel for sending OCI messages to its subscriptions. A topic can have zero, one, or multiple subscriptions that are notified whenever a message is published to a topic.

In this example we will simply name the topic Autonomous.


Once the topic is created, you will need to subscribe to it. In this example, the subscription PROTOCOL is Email. Choose the topic from the drop-down menu and fill in the email address that should receive notifications for the topic. You can add more than one email address.

After you have created the subscription, the email(s) specified will receive a confirmation email. Follow the instructions in the email(s) to authorize the receipt of notifications for the email address(es).


For later steps when creating the Autonomous Linux instance, you will need the topic OCID that was generated. You can find and copy the topic OCID by going to Application Integration -> Notifications -> Subscriptions, selecting the subscription you created, and clicking on the topic.

Configuring an Instance for Notifications

In order to configure your Autonomous Linux instances for notifications you can either create a dynamic group and have the instance added to the topic automatically, or you can choose to register the instance manually after its creation.

Below are the steps for both approaches.

Automatic Notification Registration with Dynamic Groups and cloud-init

With an OCI dynamic group, you can associate instances with certain policies. You can create a dynamic group by specifying a compartment and a policy for that group that instructs all instances in that compartment to be automatically subscribed to your topic during cloud initialization using cloud-init.

From the main menu, under Governance and Administration, select Identity -> Dynamic Groups to create a new group.


In this example, for the group Autonomous-Group, configure it to match all instances in a particular compartment (autonomous-linux-compartment) by providing the following rule, using the OCID of your compartment:

ALL {instance.compartment.id = 'ocid1.compartment.oc1..xxxaaaaaiydkxepmxy45zu436zvbn7vrcfscwjwe7xekw43upf2qpn4zvlma'}


Once the group is created, specify a policy that connects the dynamic group with your topic. From the main menu, under Governance and Administration, select Identity -> Policies to create a new policy.


Define the policy that allows the dynamic group Autonomous-Group defined earlier to register all instances in the compartment autonomous-linux-compartment with your topic. Specify the rule, providing the name of the dynamic group and the compartment, as follows:

Allow dynamic-group Autonomous-Group to use ons-topics in compartment autonomous-linux-compartment where request.permission='ONS_TOPIC_PUBLISH'


You can now proceed to the next section on Launching an Oracle Autonomous Linux Instance.

Launching an Oracle Autonomous Linux Instance

To launch an Oracle Autonomous Linux instance, navigate from the Main Menu to Compute -> Instances, and click on Create Instance. Alternatively, from the OCI home page, under Quick Actions, click on Create a VM Instance.


On the Create Compute Instance page, click on Change Image Source.


This takes you to the OCI Image Catalog. Select Oracle Autonomous Linux under Platform Images, and click Select Image.


This will take you back to the Create Compute Instance page:

    • Specify the instance configuration parameters including the Availability Domain, Instance Type, Compute Shape, network information, SSH key, and other relevant details.
    • Scroll down and click on Advanced Options.
      • Select the Compartment for your instance.
      • Select Paste cloud-init script and paste the script below, replacing the topic OCID with the one generated earlier. You can find and copy the topic OCID by going to Application Integration -> Notifications -> Subscriptions, selecting the subscription you created, and clicking on the topic.

               #!/bin/bash
               # replace the topic OCID below with your own topic OCID
               al-config -T ocid1.onstopic.oc1.phx.xxxaaaaaxpgwyvuj5javrwvu7sppeingkfh3zhpcmwudhevz7s6ecywesrlq


Click on Create to deploy the image. The Autonomous Linux image will be provisioned and automatically started.

Manually Registering an Instance with a Notification Topic (Optional)

An alternate method to register an instance with a notification topic is to register it manually after its creation by connecting to it with SSH and performing the following tasks.

Obtain an API Key

You can skip this step if you already have an API key registered. Otherwise, generate an API key with the following commands and upload the new API key (the public key file) under User Settings -> API Keys in the OCI Console.

mkdir ~/.oci
# use one of the two genrsa lines: with a passphrase (-aes128) or without
openssl genrsa -out ~/.oci/oci_api_key.pem -aes128 2048
openssl genrsa -out ~/.oci/oci_api_key.pem 2048 # no passphrase
chmod go-rwx ~/.oci/oci_api_key.pem
openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem

Commands to Configure Instance for Notifications

Once the instance is up, copy the API key to your instance and SSH into it.

$ scp ~/.oci/oci_api_key.pem opc@<Public IP of your instance>:

You need to get your Tenancy OCID under Administration -> Tenancy Details and your User OCID under User Settings. Then SSH into the instance and set it up for your tenancy and user by providing the API key. Substitute your own tenancy and user OCIDs for the values shown below.

[opc@autonomous-linux ~]$ sudo al-config \
    -u ocid1.user.oc1..xxxaaaaacawrvomnea7lwgjd56ahne3crjnv4lpwb675dog77q75glac7cta \
    -t ocid1.tenancy.oc1..xxxaaaaaqeq4bzhikdf3brmhqb667jg4xvtcp4t2io5exogs2oupk4x3w2ya \
    -k ./oci_api_key.pem
Configured OCI CLI profile.
Please delete ./oci_api_key.pem

After configuration of the instance for the tenancy, you can register the instance for your topic. Use the topic OCID you copied earlier.

[opc@autonomous-linux ~]$ sudo al-config -T ocid1.onstopic.oc1.phx.xxxaaaaaxpgwyvuj5javrwvu7sppeingkfh3zhpcmwudhevz7s6ecywesrlq
Configured OCI notification service topic OCID.
Publishing message 'AL: Notification enabled on instance autonomous-linux'
Published message 'AL: Notification enabled on instance autonomous-linux'

You will now receive email notifications when the Autonomous Linux instance receives updates. Here is an example of such an e-mail:

+------------------------------------------------------------------------+
|  Summary (Wed Oct 30 20:42:07 GMT 2019)                                |
+------------------------------------------------------------------------+
Ksplice updates installed: no
Yum updates installed: no
Uptime: 20:42:07 up 7 days,  2:11,  0 users,  load average: 0.00, 0.00, 0.00

+------------------------------------------------------------------------+
|  Ksplice upgrade report                                                |
+------------------------------------------------------------------------+
Running 'ksplice -y all upgrade'.
Updating on-disk packages for new processes
Loaded plugins: langpacks, ulninfo
No packages marked for update
Nothing to do.
Nothing to be done.
Your kernel is fully up to date.
Effective kernel version is 4.14.35-1902.6.6.el7uek

+------------------------------------------------------------------------+
|  Yum upgrade report                                                    |
+------------------------------------------------------------------------+
Running 'yum-cron' with update cmd: default.

+------------------------------------------------------------------------+
|  Ksplice updates status                                                |
+------------------------------------------------------------------------+
Running 'ksplice all show'.
Ksplice user-space updates:
No Ksplice user-space updates installed

Ksplice kernel updates:
Installed updates:
[1rw4f14x] Known exploit detection.
[eexuzyat] Known exploit detection for CVE-2017-7308.
[bum1jlug] Known exploit detection for CVE-2018-14634.
[p31wiydb] KPTI enablement for Ksplice.
[oql5q0mj] Known exploit detection for CVE-2018-18445.
[mi2zbfso] Ksplice support for Intel VMX KVM patching.
[ob2ewq0l] NULL pointer dereference during hardware reconfiguration in Cisco VIC Ethernet NIC driver.
[fy1cbq79] Information leak in mlx5 Infiniband driver.
[4e9tjq41] CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.
[cekayf8k] Resource leak when deleting FIB nexthop exception.
[rdeboz7n] CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.
[3mf3ni0u] NULL pointer dereference in Reliable Datagram Socket binding.
[3rn9edej] NULL pointer dereference in Xen network device error handling.
[oe2jk3nj] Guest kernel crash in AMD VM Spectre v4 mitigation.
[lqsoaazr] Information leak in Reliable Datagram Sockets IPv6 message info.
[pm096u5d] CVE-2019-15666: Denial-of-service in network transformation policy removal.
[f4gncqwi] Network device resource leak in Infiniband device destruction.
Effective kernel version is 4.14.35-1902.6.6.el7uek

--
You are receiving notifications as a subscriber to the topic: Autonomous (Topic OCID: ocid1.onstopic.oc1.phx.xxxaaaaaxpgwyvuj5javrwvu7sppeingkfh3zhpcmwudhevz7s6ecywesrlq). To stop receiving notifications from this topic, unsubscribe.

Please do not reply directly to this email. If you have any questions or comments regarding this email, contact your administrator.
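As an added example (not part of the original post), here is a small Python parser for the summary e-mail format shown above, so a team can turn these notifications into structured records, flag runs that actually changed an instance, and compare the Ksplice patch list against a set of CVEs they expect to see. The sample body is constructed and abbreviated from the message above.

```python
import re

# Constructed sample, abbreviated from the notification e-mail format shown above.
SAMPLE_REPORT = """\
|  Summary (Wed Oct 30 20:42:07 GMT 2019)                                |
Ksplice updates installed: no
Yum updates installed: no
|  Ksplice updates status                                                |
Running 'ksplice all show'.
Ksplice kernel updates:
Installed updates:
[1rw4f14x] Known exploit detection.
[eexuzyat] Known exploit detection for CVE-2017-7308.
[4e9tjq41] CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.
Effective kernel version is 4.14.35-1902.6.6.el7uek
"""

UPDATE_RE = re.compile(r"^\[([0-9a-z]{8})\]\s+(.*)$")   # "[id] description" lines
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
KERNEL_PREFIX = "Effective kernel version is "

def parse_al_report(text):
    """Turn one Autonomous Linux notification body into structured fields."""
    report = {"ksplice_installed": None, "yum_installed": None,
              "kernel": None, "updates": [], "cves": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Ksplice updates installed:"):
            report["ksplice_installed"] = line.split(":", 1)[1].strip().lower() == "yes"
        elif line.startswith("Yum updates installed:"):
            report["yum_installed"] = line.split(":", 1)[1].strip().lower() == "yes"
        elif line.startswith(KERNEL_PREFIX):
            report["kernel"] = line[len(KERNEL_PREFIX):]
        else:
            m = UPDATE_RE.match(line)
            if m:   # one installed Ksplice update, possibly naming a CVE
                uid, desc = m.groups()
                report["updates"].append((uid, desc))
                report["cves"].update(CVE_RE.findall(desc))
    return report

def updates_applied(report):
    """True when the run actually changed the instance (Ksplice or yum installed something)."""
    return bool(report["ksplice_installed"] or report["yum_installed"])

def missing_cves(report, required):
    """CVEs from a required set that this instance's Ksplice update list does not mention."""
    return sorted(set(required) - report["cves"])
```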

Connecting to the Instance

Once the instance launches, you can connect to it using SSH. For detailed instructions, please see Accessing Your Instance.

Use the following information to connect to the instance:

    • User: opc
    • IP Address: public IP address of the instance
    • id_rsa:  path to the SSH-2 RSA private key file

For example:

$ ssh -i id_rsa opc@<IP Address>

Running Administrative Commands

You can use sudo to run commands.

For example, to show instance metadata, including region, compartment and IP address run:

$ sudo oci-metadata

Configuring the Auto-Update Time

Oracle Autonomous Linux performs auto-updates on a daily basis, if updates are available. Patches are automatically updated at a specific random time generated by Autonomous Linux within a given update window. The update time window is specified as a 0-24 hour window, where for example, 13 is 1 PM, and 24 is 12 AM.

The default update time window is 4 hours and starts 2 hours from the first boot time of the instance. For example, if the Autonomous Linux instance boot time was 14:10 (2:10 PM) or 14:55 (2:55 PM), the default update window in both cases is 16-20 (4 PM-8 PM). The daily update time is then randomly generated between 4 PM and 8 PM. Auto-updates will then be performed at the same generated time every day.

The al-config utility allows you to configure the daily auto-update window so you can control the time window in which an auto-update is performed daily.

Use the al-config utility as follows:

  • al-config -w [time window]
  • al-config -s
  • Options:
    • -w [time window]  Time window string format: <start_hour>-<end_hour>. <start_hour> and <end_hour> must be integers between 0 and 23. This time window specifies the acceptable time interval in which the daily updates can run. Minimum window is 2 hours, maximum window is 6 hours.
    • -s  Show current auto update time window and update time.

Examples:

  • Configure update time window and update time:

    $ sudo al-config -w 23-4
    Configured daily auto update time window(24-hour): 23-4
    Configured daily auto update time(24-hour): 02:18
    Created cron job file /etc/cron.d/al-update.

  • Show the current update time window and update time:

    $ sudo al-config -s
    Current daily auto update time window(24-hour): 23-4
    Current daily auto update time(24-hour): 02:18

This command can be used to show when an update is scheduled to occur each day. You can check the Autonomous Linux log located at /var/log/al.log, or set up notifications to let you know when an update has occurred.
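An added Python model of the window rules above (my own code, not al-config's): it validates a -w style window string, derives the default window from the first-boot hour, and picks a daily time inside a window that wraps past midnight such as 23-4. Only the limits (0-23, 2 to 6 hours, default of 4 hours starting 2 hours after boot) come from the text; how al-config itself draws the random time is assumed.

```python
import random

# Limits from the al-config usage above; the scheduling is my own model, not al-config's code.
MIN_WINDOW_HOURS, MAX_WINDOW_HOURS = 2, 6
DEFAULT_START_OFFSET, DEFAULT_LENGTH = 2, 4   # default window: boot hour + 2, 4 hours long

def window_length(start_hour, end_hour):
    """Hours in the window, allowing wrap past midnight (23-4 is 5 hours, not -19)."""
    return (end_hour - start_hour) % 24

def validate_window(window):
    """Parse an al-config -w style '<start_hour>-<end_hour>' string; return (start, end)."""
    start_s, end_s = window.split("-")
    start, end = int(start_s), int(end_s)
    if not (0 <= start <= 23 and 0 <= end <= 23):
        raise ValueError("hours must be integers between 0 and 23")
    if not MIN_WINDOW_HOURS <= window_length(start, end) <= MAX_WINDOW_HOURS:
        raise ValueError("window must be between 2 and 6 hours long")
    return start, end

def default_window(first_boot_hour):
    """Default window from the first-boot hour: 14:10 and 14:55 both give 16-20."""
    start = (first_boot_hour + DEFAULT_START_OFFSET) % 24
    return start, (start + DEFAULT_LENGTH) % 24

def in_window(hhmm, start, end):
    """True if an 'HH:MM' time falls inside [start:00, end:00), wrapping at midnight."""
    h, m = map(int, hhmm.split(":"))
    return (h * 60 + m - start * 60) % (24 * 60) < window_length(start, end) * 60

def pick_update_time(start, end, rng=random):
    """Choose the fixed daily HH:MM uniformly inside the window (e.g. 02:18 for 23-4)."""
    offset = rng.randrange(window_length(start, end) * 60)
    return "%02d:%02d" % divmod((start * 60 + offset) % (24 * 60), 60)
```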


Comments

  • Arnoschots-Oracle
    Arnoschots-Oracle Member Posts: 1 Employee
    edited Apr 22, 2020 8:36AM

    Hi,

    The "sudo al-config -s" doesn't work on my Autonomous Linux instance.

    Command output:

    [[email protected] ~]$ sudo al-config -s

    /sbin/al-config: illegal option -- s

    Configure OCI notification service topic OCID:

      Usage:

        al-config -T [topic OCID]

      Options:

        -T [topic OCID] OCI notification service topic OCID

    Configure OCI CLI profile:

      Usage:

        al-config -u [user OCID] -t [tenancy OCID] -k [key file]

      Options:

        -u [user OCID] OCI User OCID

        -t [tenancy OCID] OCI Tenancy OCID

        -k [key file] from which we obtaion the API private key

        -p [key passphrase file] from which we obtain API key passphrase. Provide

           this if API private key is encrypted. If not provided, user will be

           prompted to enter passphrase.