Why We Do This
The default image provided as the RHEL7 image from Azure Marketplace is woefully out of date. The kernel is 3.x and has some critical CIFS bugs which will cause issues with Azure Files. A number of critical sub-systems are out of date and need to be upgraded.
What Could Go BANG!
The kernel is NOT a Red Hat kernel, so you may get push back from Red Hat support if you start hitting edge cases. However, we use the cloud. If you’re tickling kernel bugs and no one else on the Internet is – you’re doing something horribly wrong. Rebuild.
Third-party software vendors may also push back on a non-standard kernel. Push back on the push back!
Safety First
If in doubt, please back up your VM before you do this. If this fails it’s VERY hard to get the machine back into a production state.
How we do this
Update the base platform from the RedHat Repo
- Log in and `sudo su` to root.
- Change to the root (`/`) directory.
- Update yum with `yum update && yum upgrade`.
- Accept the defaults and allow the update to happen – this may take some time, do something else in the meantime.
- Install yum-utils with `yum install yum-utils` and then run `package-cleanup --oldkernels` to remove the old kernels that are no longer needed.
Upgrade the kernel from elrepo
- Import the ELRepo public key with `rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org`. Do this first: the release package in the next step is fetched over plain http, and rpm can only verify its signature once the key is in the keyring.
- Install the RHEL7 repo with `rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm`.
- Install the new kernel with `yum --enablerepo=elrepo-kernel install kernel-ml`.
- Check which `menuentry` is the new kernel with `awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg` and make a note of that number (the entries are numbered from 0).
- Set that number as the default kernel with `grub2-set-default <<NUMBER>>`.
- Regenerate grub with `grub2-mkconfig -o /boot/grub2/grub.cfg`.
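The "make a note of that number" step is where a typo boots the wrong kernel. As an added example (not from the original post), the shell snippet below derives the menuentry index from grub2.cfg by matching the kernel-ml version string in the entry title, so the number passed to `grub2-set-default` is computed rather than copied by hand. It assumes the RHEL7 one-line `menuentry '...'` form and is demonstrated against a constructed grub2.cfg fragment; the `set_default_kernel` helper, which touches the real system, is only defined, not run.

```bash
#!/usr/bin/env bash
# Added example: locate the grub2 menuentry for a given kernel version.
# Assumptions: RHEL7-style one-line "menuentry '<title>' ..." lines, with
# the kernel version string (e.g. 4.14.12-1.el7.elrepo.x86_64) in the title.

# Print the zero-based menuentry index whose title contains $2, or fail.
menuentry_index() {
  local cfg="$1" kver="$2" idx
  idx=$(awk -F\' -v want="$kver" '
    BEGIN { n = 0 }
    $1 == "menuentry " { if (index($2, want)) { print n; exit } n++ }
  ' "$cfg")
  [ -n "$idx" ] || { echo "no menuentry for kernel $kver in $cfg" >&2; return 1; }
  printf '%s\n' "$idx"
}

# Set the computed index as default and regenerate grub.cfg (needs root).
# Not executed here; call it on a real box as: set_default_kernel <kver>
set_default_kernel() {
  local kver="$1" idx
  idx=$(menuentry_index /etc/grub2.cfg "$kver") || return 1
  grub2-set-default "$idx" && grub2-mkconfig -o /boot/grub2/grub.cfg
}

# Constructed stand-in for /etc/grub2.cfg (three entries, kernel-ml first).
write_sample_cfg() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Red Hat Enterprise Linux Server (4.14.12-1.el7.elrepo.x86_64) 7.4 (Maipo)' --class red --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-4.14.12-1.el7.elrepo.x86_64-advanced-sample' {
menuentry 'Red Hat Enterprise Linux Server (3.10.0-693.11.6.el7.x86_64) 7.4 (Maipo)' --class red --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-693.11.6.el7.x86_64-advanced-sample' {
menuentry 'Red Hat Enterprise Linux Server (0-rescue-sample) 7.4 (Maipo)' --class red --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-sample-advanced-sample' {
### END /etc/grub.d/10_linux ###
EOF
  printf '%s\n' "$f"
}

# Demonstration on the constructed config: kernel-ml is entry 0 here.
demo_cfg=$(write_sample_cfg)
menuentry_index "$demo_cfg" 4.14.12-1.el7.elrepo.x86_64
rm -f "$demo_cfg"
```

Substituting `/etc/grub2.cfg` and the version reported by `rpm -q kernel-ml` turns this into the real check; if the function fails, the kernel-ml install did not produce a grub entry and there is nothing safe to set as default.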
Update any encryption patches and dracut
- Create a file called `yumupdatefix.sh` in `/root` with the following contents:

```bash
#!/usr/bin/env bash
# Find the most recently installed Azure Disk Encryption (ADE) extension
# directory; the newest one carries the dracut patch we need.
unset -v ADE_SOURCE
ADE_SEARCH=/var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux*
for i in $ADE_SEARCH; do
    if [[ -d "$i" ]]; then
        [[ "$i" -nt "$ADE_SOURCE" ]] && ADE_SOURCE=$i
    fi
done
if [[ ! -d "${ADE_SOURCE}" ]]; then
    echo "patch failed - no source directory found matching ${ADE_SEARCH}"
    exit 1
fi
# Get and test the path to the patch file shipped with the extension.
ADE_PATCH=${ADE_SOURCE}/main/oscrypto/rhel_72/encryptpatches/rhel_72_dracut.patch
if [[ ! -f "${ADE_PATCH}" ]]; then
    echo "patch failed - no patch file found matching ${ADE_PATCH}"
    exit 1
fi
# Replace the placeholder ENCRYPTED_DISK_PARTITION with the partition number
# of the encrypted root (=2 in the RHEL Azure gallery images).
sed -i.bak s/ENCRYPTED_DISK_PARTITION/2/ "${ADE_PATCH}"
# Apply the patch to the dracut crypt module (keeping .orig backups), then
# rebuild the initramfs for the kernel grub currently boots by default.
bash -c "set -e; patch -b -d /usr/lib/dracut/modules.d/90crypt -p1 < ${ADE_PATCH}"
/usr/sbin/dracut -I ntfs-3g -f -v --kver "$(grubby --default-kernel | sed 's|/boot/vmlinuz-||g')"
```
The above script generates a new initramfs image for the new kernel version (it picks the kernel up from `grubby --default-kernel`, which is why the default must already be set in the previous section) with the patched-up version of the dracut modules – getting warnings is FINE. Really.
- Enable execution of this script with `chmod a+x yumupdatefix.sh`.
- Execute this script with `./yumupdatefix.sh`.
- Ensure that the image it builds is for the same version of kernel-ml that was installed.
- Reboot with `reboot`.
- Pray or even Prey.
- When the machine comes back up (this should take a few minutes), check the new kernel with `uname -msr`.
- Profit.
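The "ensure the image it builds matches the installed kernel-ml" step is the one that saves a reboot into an unbootable encrypted VM, and the post leaves it to the eye. As an added example (not from the original post), the shell snippet below turns it into a pre-reboot check: it confirms that both `vmlinuz-<kver>` and `initramfs-<kver>.img` exist for the kernel, that the initramfs is not older than the kernel (a stale image from before dracut ran is the usual failure), and that `patch -b` left its `.orig` backups in the 90crypt module directory. It assumes RHEL7-style file names under `/boot` and is demonstrated against a constructed directory so it runs offline; the paths default to the real ones when the directory arguments are omitted.

```bash
#!/usr/bin/env bash
# Added example: pre-reboot consistency check between the default kernel and
# the initramfs dracut built for it. Assumes /boot holds vmlinuz-<kver> and
# initramfs-<kver>.img (RHEL7 naming); directory arguments are optional and
# default to the real system paths.

# Reduce a "grubby --default-kernel" path to the bare kernel version string.
kver_from_grubby_path() {
  printf '%s\n' "${1#*/vmlinuz-}"
}

# Succeed only if kernel and matching initramfs exist and the initramfs is
# not older than the kernel it is supposed to boot.
initramfs_matches() {
  local kver="$1" bootdir="${2:-/boot}"
  local vmlinuz="$bootdir/vmlinuz-$kver" img="$bootdir/initramfs-$kver.img"
  if [ ! -f "$vmlinuz" ]; then
    echo "missing kernel image: $vmlinuz" >&2; return 1
  fi
  if [ ! -f "$img" ]; then
    echo "missing initramfs for $kver (was dracut run with --kver $kver?)" >&2; return 1
  fi
  if [ "$vmlinuz" -nt "$img" ]; then
    echo "$img is older than $vmlinuz; rebuild it with dracut --kver $kver" >&2; return 1
  fi
  return 0
}

# patch -b (as run by yumupdatefix.sh) leaves <file>.orig beside every file
# it changed, so .orig files in 90crypt show the ADE patch was applied.
crypt_module_patched() {
  local dir="${1:-/usr/lib/dracut/modules.d/90crypt}"
  set -- "$dir"/*.orig
  [ -e "$1" ]
}

# Constructed stand-in for /boot plus a 90crypt module directory: the new
# kernel-ml has a fresh initramfs, the old kernel has none, and the crypt
# module carries one .orig backup as patch -b would leave it.
make_sample_boot() {
  local d; d=$(mktemp -d)
  touch "$d/vmlinuz-4.14.12-1.el7.elrepo.x86_64"
  touch "$d/initramfs-4.14.12-1.el7.elrepo.x86_64.img"
  touch "$d/vmlinuz-3.10.0-693.el7.x86_64"
  mkdir "$d/90crypt"
  touch "$d/90crypt/module-setup.sh" "$d/90crypt/module-setup.sh.orig"
  printf '%s\n' "$d"
}

# Demonstration on the constructed directory; on a real box run instead:
#   initramfs_matches "$(kver_from_grubby_path "$(grubby --default-kernel)")"
demo=$(make_sample_boot)
initramfs_matches 4.14.12-1.el7.elrepo.x86_64 "$demo" && echo "initramfs matches kernel-ml"
crypt_module_patched "$demo/90crypt" && echo "90crypt carries patch backups"
rm -rf "$demo"
```

Wire the real-system call into the step before `reboot`: if `initramfs_matches` fails, rerun `yumupdatefix.sh` (or `dracut -f --kver <kver>`) instead of rebooting, because an encrypted root with an initramfs built for another kernel will not come back up on its own.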
References
- http://elrepo.org/tiki/tiki-index.php
- http://elrepo.org/tiki/kernel-ml
- https://blogs.msdn.microsoft.com/azuresecurity/2017/07/13/applying-updates-to-a-encrypted-azure-iaas-red-hat-vm-using-yum-update/
- https://gist.github.com/mayank88mahajan/38faf934c86b89ad766c4c16dcd5f4aa