Why We Do This

The default image provided as the RHEL7 image from Azure Marketplace is woefully out of date. The kernel is 3.x and has some critical CIFS bugs which will cause issues with Azure Files. A number of critical sub-systems are out of date and need to be upgraded.

What Could Go BANG!

The kernel is NOT RedHat and so you may get push back from RedHat on support for this kernel if you start hitting edge cases. However, we use the cloud. If you’re tickling kernel bugs and no one else on the Internet is – you’re doing something horribly wrong. Rebuild.

3rd party software support may also push back on non-standard kernel. Push back on the push back!

Safety First

If in doubt, please backup your VM before you do this. If this fails it’s VERY hard to get the machine back into a production state.

How we do this

Update the base platform from the RedHat Repo

  • Log in and sudo su to root.
  • Change to the / directory
  • Update the installed packages with yum update && yum upgrade
  • Accept the defaults and allow the update to happen – this may take some time, do something else in the meantime.
  • Install yum-utils with yum install yum-utils and then run package-cleanup --oldkernels to remove old kernels

Upgrade the kernel from elrepo

  • Import the ELRepo public key with rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
  • Install the ELRepo repository package for RHEL7 with rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
  • Install the new kernel with yum --enablerepo=elrepo-kernel install kernel-ml
  • Check which menuentry is the new kernel with awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg and make a note of that number
  • Set that number as the default kernel with grub2-set-default <<NUMBER>>
  • Regenerate grub with grub2-mkconfig -o /boot/grub2/grub.cfg

Update any encryption patches and dracut

  • Create a file called yumupdatefix.sh in /root with the following contents
#!/usr/bin/env bash

# get and test path to source of most recent install
unset -v ADE_SOURCE
ADE_SEARCH=/var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux*
for i in $ADE_SEARCH; do
  if [[ -d "$i" ]]; then
    # keep the most recently modified extension directory
    [[ "$i" -nt "${ADE_SOURCE:-}" ]] && ADE_SOURCE=$i
  fi
done

if [[ ! -d "${ADE_SOURCE:-}" ]]; then
  echo "patch failed - no source directory found matching ${ADE_SEARCH}"
  exit 1
fi

# get and test path to patch file
ADE_PATCH=${ADE_SOURCE}/main/oscrypto/rhel_72/encryptpatches/rhel_72_dracut.patch
if [[ ! -f "${ADE_PATCH}" ]]; then
  echo "patch failed - no patch file found matching ${ADE_PATCH}"
  exit 1
fi

# replace the placeholder ENCRYPTED_DISK_PARTITION with the partition number (=2 in RHEL Azure gallery images)
sed -i.bak s/ENCRYPTED_DISK_PARTITION/2/ "${ADE_PATCH}"

# patch the dracut crypt module, then rebuild the initramfs for the default (new) kernel
bash -c "set -e; patch -b -d /usr/lib/dracut/modules.d/90crypt -p1 < ${ADE_PATCH}"
/usr/sbin/dracut -I ntfs-3g -f -v --kver "$(grubby --default-kernel | sed 's|/boot/vmlinuz-||g')"

The above script generates a new initramfs image for the new kernel version using the patched Dracut modules – getting warnings is FINE. Really.

  • Enable execution of this script with chmod a+x yumupdatefix.sh
  • Execute this script with ./yumupdatefix.sh
  • Ensure that the initramfs image it builds is for the same kernel-ml version that was installed.
  • Reboot with reboot
  • Pray or even Prey
  • When the machine comes back up (it may take a few minutes), check the new kernel with uname -msr
  • Profit.
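As an added example (not code from the original post, nor from ELRepo or Microsoft), here is a small set of bash helpers that turn the eyeball checks in the steps above into something you can script: it reproduces the menuentry listing, resolves the menuentry index for a specific kernel version and refuses to guess when zero or several entries match (so a wrong number never reaches grub2-set-default), derives the --kver argument dracut needs from the grubby path, and confirms that an initramfs for that exact kernel exists beside it before you reboot. The function names, the sample grub.cfg and its kernel versions are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of the ELRepo / Azure tooling.
# Helper checks for the kernel-ml upgrade steps above. All functions take
# paths/strings as arguments, so they can be exercised on a constructed
# grub.cfg without touching a live machine. Function names are assumptions.

# Same output as the awk one-liner in the post: "index : title" for every
# top-level menuentry (submenu entries are indented and therefore skipped,
# exactly as in the original one-liner).
list_menuentries() {
  awk -F\' 'BEGIN { i = 0 } $1 == "menuentry " { print i++ " : " $2 }' "$1"
}

# Print the 0-based menuentry index whose title contains the given kernel
# version. Returns 1 when no entry matches or when several do, so a script
# never feeds a wrong number to grub2-set-default.
menuentry_index_for_kernel() {
  local cfg=$1 kver=$2 matches
  matches=$(awk -F\' -v k="$kver" \
    'BEGIN { i = 0 } $1 == "menuentry " { if (index($2, k) > 0) print i; i++ }' "$cfg")
  # shellcheck disable=SC2086  # indices are whitespace-free integers
  set -- $matches
  case $# in
    0) echo "no menuentry for kernel ${kver} in ${cfg}" >&2; return 1 ;;
    1) printf '%s\n' "$1" ;;
    *) echo "ambiguous: ${#} menuentries match ${kver} in ${cfg}" >&2; return 1 ;;
  esac
}

# Turn a "grubby --default-kernel" style path (/boot/vmlinuz-<kver>) into the
# <kver> string dracut --kver expects; same transform as the sed in the post.
kver_from_vmlinuz_path() {
  printf '%s\n' "${1##*/vmlinuz-}"
}

# The "ensure the image matches the installed kernel-ml" step: both the kernel
# and the initramfs dracut wrote must exist for the same kver in the boot dir.
initramfs_matches_kernel() {
  local bootdir=$1 kver=$2
  [ -f "${bootdir}/vmlinuz-${kver}" ] && [ -f "${bootdir}/initramfs-${kver}.img" ]
}

# Constructed sample grub.cfg (titles and versions are made up) so the helpers
# can be tried offline; prints the temp file path.
write_sample_grub_cfg() {
  local f
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
menuentry 'Sample Linux (4.14.0-1.el7.elrepo.x86_64) 7.4 (Maipo)' --class red --class gnu-linux {
    linux16 /vmlinuz-4.14.0-1.el7.elrepo.x86_64 root=/dev/mapper/rootvg-rootlv ro
}
menuentry 'Sample Linux (3.10.0-693.el7.x86_64) 7.4 (Maipo)' --class red --class gnu-linux {
    linux16 /vmlinuz-3.10.0-693.el7.x86_64 root=/dev/mapper/rootvg-rootlv ro
}
menuentry 'Sample Linux (0-rescue-0123456789abcdef) 7.4 (Maipo)' --class red {
    linux16 /vmlinuz-0-rescue-0123456789abcdef root=/dev/mapper/rootvg-rootlv ro
}
EOF
  printf '%s\n' "$f"
}

# Stand-alone demo against the sample config: ./kernelcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
  cfg=$(write_sample_grub_cfg)
  list_menuentries "$cfg"
  echo "kernel-ml entry: $(menuentry_index_for_kernel "$cfg" 4.14.0-1.el7.elrepo.x86_64)"
  rm -f "$cfg"
fi
```

Run it with --demo to see the helpers against the constructed config. On a real host you would point menuentry_index_for_kernel at /etc/grub2.cfg with the version string that rpm -q kernel-ml reports, pass the result to grub2-set-default, and only reboot once initramfs_matches_kernel /boot <that version> succeeds.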

References

http://elrepo.org/tiki/tiki-index.php
http://elrepo.org/tiki/kernel-ml
https://blogs.msdn.microsoft.com/azuresecurity/2017/07/13/applying-updates-to-a-encrypted-azure-iaas-red-hat-vm-using-yum-update/
https://gist.github.com/mayank88mahajan/38faf934c86b89ad766c4c16dcd5f4aa
