Ubuntu: Testing the official released kernel patches for Meltdown CVE-2017-5754

ubuntuThe Meltdown vulnerability affects Intel and some ARM (but not AMD) processor chips and can allow unprivileged access to memory in the kernel and other processes.

Canonical has committed to kernel patches to address this issue and they are now available from the both the updates and security official Ubuntu repositories.

In this article, I’ll step through patching an Ubuntu kernel with the candidate kernel fixes.

Continue reading “Ubuntu: Testing the official released kernel patches for Meltdown CVE-2017-5754”

Ubuntu: Testing the first candidate kernel patches for Meltdown CVE-2017-5754

ubuntuThe Meltdown vulnerability affects Intel and some ARM (but not AMD) processor chips and can allow unprivileged access to memory in the kernel and other processes.

Canonical has committed to kernel patches to address this issue by January 9, 2018 and the first candidate kernel patches have now been released for Xenial and Trusty LTS.

UPDATE Jan 11 2018: The main Ubuntu repositories now have the official patches.  Read my article here for more information.

In this article, I’ll step through patching an Ubuntu 16.04 kernel with the candidate kernel fixes.

Continue reading “Ubuntu: Testing the first candidate kernel patches for Meltdown CVE-2017-5754”

Ubuntu: Testing the KAISER kernel patch for Meltdown CVE-2017-5754

ubuntuThe Meltdown vulnerability affects Intel and some ARM (but not AMD) processor chips and can allow unprivileged access to memory in the kernel and other processes.  Canonical has committed to kernel patches to address this issue by January 9, 2018.

A paper coming out of Graz University of Technology in Austria and written by Daniel Gruss, Moritz Lipp, Michael Schwarz, Richard Fellner, Clementine Maurice, and Stefan Mangard provides a patched 4.10.0 kernel that isolates the kernel address space and resolves CVE-2017-5754 (Meltdown).

No one is advocating this as the fix for your production instances, but if you want to play around with this patched kernel in a virtualized environment, I’ll lead you through the steps in this article.

UPDATE Jan 11 2018: The main Ubuntu repositories now have the official patches.  Read my article here for more information.

Continue reading “Ubuntu: Testing the KAISER kernel patch for Meltdown CVE-2017-5754”

Zabbix: Enabling API fetch of Trend data in Zabbix2

Until Zabbix3, trend data was not available via the Zabbix API.  This meant that you could retrieve the  raw values of a key over time, but not the aggregated historical trends of that value (e.g. CPU average over 5 minute intervals).

The only way to monitor trends was to look at the visual graph generated by Zabbix or query the underlying database directly.  Meanwhile, graphs are arguably one of Zabbix’s weak points, especially given newer solutions like Grafana.

This was a major oversight in Zabbix2 functionality, and led to community patches that enabled this functionality in Zabbix 2.x.  With this trend data now exposed, the community was free to write custom alerting, graphing, and capacity planning tools.  For example, the Zabbix plugin for Grafana relies on this patch when the data source is Zabbix 2.x.

Continue reading “Zabbix: Enabling API fetch of Trend data in Zabbix2”

Ubuntu: Unattended Upgrades for security patches

ubuntuIf you are running an Ubuntu server for any extended period of time, security issues will arise that affect the kernel, distribution, or packages installed on that host.

While there are always minimal risks associated with automatically applying security fixes, I feel those are dwarfed by the risks of running hosts that have known security flaws.  For example, a media frenzy over the OpenSSL vulnerability Heartbleed may have forced administrators the world over to go out and manually patch their fleet of Linux hosts, but the truth is there is a constant stream of public vulnerabilities.

Expecting system administrators to manually patch each of these (in addition to their other daily tasks) is unrealistic, and therefore Ubuntu provides a simple way of scheduling unattended security updates.

First, install the unattended-upgrades package:

> sudo apt install unattended-upgrades

Continue reading “Ubuntu: Unattended Upgrades for security patches”

Ubuntu: HWE Hardware Enablement Stacks, LTS, and the Kernel

ubuntuIf you installed (or upgraded to) a later Ubuntu point release:  >= 12.04.2, >=14.04.2, or >=16.04.2, you may now be wondering why the system is warning you upon every login that you will no longer receive security updates.

WARNING: Security updates for your current Hardware Enablement Stack ended on 2016-08-04:
 * http://wiki.ubuntu.com/1404_HWE_EOL

Although the first point releases of an Ubuntu version 12.04.0 and 12.04.1, 14.04.0 and 14.04.1, and 16.04.0 and 16.04.1 maintain support of their kernel version until the standard 5 year End-Of-Life for that long-term release (LTS), subsequent point releases do not hold the same schedule.

14-04-x-ubuntu-kernel-support-scheduleThe reason why is that subsequent point releases ship with an updated kernel and X stack that require upgrade in order to maintain support. Referring to the support schedule above as an example, you can see that 14.04.3 was released with the Wily 15.04 Vivid HWE stack, and only supported for 12 months before requiring an upgrade to 14.04.5 and the Xenial 16.04 HWE.

Continue reading “Ubuntu: HWE Hardware Enablement Stacks, LTS, and the Kernel”