Can kernel upgrades be done with configuration management (CM) tools for above-OS software?
I use various Linux distros, mostly Debian-based, usually all default (I change nothing in the kernel/shell or internal utilities, i.e. the utilities that come with the distro). I usually install Apache, MySQL and PHP on these systems and don't change anything there either.
I never did a kernel upgrade on any system, as I don't recall ever having such a need or getting some local mail requiring it.
I know that configuration-management (CM) tools, like Ansible, are used to orchestrate, deploy and maybe also automate basically everything above the OS layer (which includes the kernel, of course), but out of curiosity: can one "dive down" with Ansible to the kernel and automate kernel upgrades with it as well?
Please also share whether you think it's a best practice on a basically all-default system (a system where the distro itself, i.e. its kernel, shell(s) and internal utilities, isn't changed at all).
kernel upgrade ansible distributions stability
edited Dec 19 '18 at 11:43
asked Dec 19 '18 at 0:45
JohnDoea
2 Answers
With most modern Linux distros, the kernel is distributed as a package, just like any other piece of software/library. Therefore, with Ansible as the example, you can have a task such as:
- name: Ensure that latest kernel is installed
  apt:
    name: linux-image-amd64
    state: latest
    update_cache: yes
  notify: reboot_server # You would need a corresponding handler that reboots the system
and this will ensure that each time the play is run, the latest kernel package will be installed.
The kernel is, however, different to most other software packages in that:
- Multiple versions can be installed simultaneously, so you need to manage the removal of older versions. You don't necessarily want to do this automatically because:
- To enable a newly installed kernel, you need to reboot the system, so that needs to be managed, both from a business-process POV and also technically. This is not an entirely risk-free operation, so, depending on the nature of the system architecture, it is often not seen as being an appropriate task to simply automate.
There are methods to activate a newly installed kernel without a reboot, but they are still not really a mainstream approach.
As to whether you should do kernel updates: in general, yes. Given the litany of high-profile security failures as a result of out-of-date software (and the high-profile failures likely being just the tip of the iceberg), all software should be kept up to date. The recent Meltdown and Spectre vulnerabilities underline that the kernel is not special, and needs to be kept up to date like any other package.
Maintaining an effective patching policy needs serious thought, given the trade-off between the failures that can occur during the process versus the failures that can occur if it is not done. Automation can certainly help, but each environment is different, so you have to examine your own requirements to assess to what extent it is appropriate in your own case.
Either way, if when you say:
(a system where the distro itself - its kernel, shell(s) and internal
utilities aren't changed at all)
you mean that once installed, you never revisit and patch/update/upgrade those elements, you are significantly increasing the risk of your system being compromised.
edited Dec 19 '18 at 11:52
answered Dec 19 '18 at 10:48
clockworknet
Hi, I didn't understand the last part of the answer. Please edit it. I should tell you (and will edit the question to clarify) that I usually use my Debian-LAMP environments all-default; I change (customize) basically nothing in the kernel/shell/internal-utilities or in LAMP.
– JohnDoea
Dec 19 '18 at 11:40
I have edited and hopefully that clears up any confusion.
– clockworknet
Dec 19 '18 at 11:53
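The answer's two caveats, that a newly installed kernel only runs after a reboot and that old kernel versions pile up and need removing, are exactly what an operator wants to check around a task like the one above. The following is an added example, not code from the answer: a POSIX shell script that takes the running kernel release (what `uname -r` prints) and `dpkg -l` style output (a constructed sample is embedded so it runs offline) and reports whether a reboot is still pending and which older kernel packages could be purged. It assumes Debian's `linux-image-<release>-<flavour>` package naming.

```shell
#!/bin/sh
# Added example (not from the answer): the two checks around an automated kernel
# upgrade, "does this host still need a reboot?" and "which older kernel packages
# are safe to purge?" (never the running one, never the newest one).
# Assumes Debian's linux-image-<release>-<flavour> naming, where the release
# part equals what `uname -r` prints.

# Print the release string of every installed linux-image package, oldest first.
# $1: "dpkg -l" output. The meta-package (linux-image-amd64) has no digit after
# the prefix and is skipped; lines not in state "ii" (e.g. "rc") are skipped too.
installed_kernels() {
    printf '%s\n' "$1" |
    awk '$1 == "ii" && $2 ~ /^linux-image-[0-9]/ { sub(/^linux-image-/, "", $2); print $2 }' |
    sort -V
}

# Print "yes" when the newest installed kernel is not the running one, else "no".
# $1: running kernel release, $2: "dpkg -l" output.
reboot_needed() {
    newest=$(installed_kernels "$2" | tail -n 1)
    if [ -n "$newest" ] && [ "$newest" != "$1" ]; then echo yes; else echo no; fi
}

# Print the package names that may be purged: every installed kernel except the
# newest and the running one. Keeping both means the host can still boot its
# current kernel if the new one turns out to be broken.
# $1: running kernel release, $2: "dpkg -l" output.
removable_kernels() {
    newest=$(installed_kernels "$2" | tail -n 1)
    installed_kernels "$2" |
    while IFS= read -r rel; do
        [ "$rel" = "$1" ] && continue
        [ "$rel" = "$newest" ] && continue
        echo "linux-image-$rel"
    done
}

# Constructed sample: three real kernels plus the meta-package, as dpkg -l lists them.
SAMPLE_DPKG='ii  linux-image-4.19.0-5-amd64  4.19.37-5  amd64  Linux 4.19 for 64-bit PCs
ii  linux-image-4.19.0-6-amd64  4.19.67-2  amd64  Linux 4.19 for 64-bit PCs
ii  linux-image-4.9.0-9-amd64   4.9.168-1  amd64  Linux 4.9 for 64-bit PCs
ii  linux-image-amd64           4.19+105   amd64  Linux for 64-bit PCs (meta-package)'

# Demo against the sample; on a live host you would pass "$(uname -r)" and
# "$(dpkg -l 'linux-image-*')" instead.
echo "reboot needed: $(reboot_needed 4.19.0-5-amd64 "$SAMPLE_DPKG")"
echo "removable kernel packages:"
removable_kernels 4.19.0-5-amd64 "$SAMPLE_DPKG"
```

The "reboot needed" answer is what an Ansible play would feed into a `when:` condition on its reboot handler, and the removable list is what a separate, manually reviewed cleanup step would act on.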
Yes, given the OS Kernel is software and not firmware (like a BIOS or Boot Loader), it can be changed from the shell, as well as a CM that would change it through implementing the shell in its particular way (like Ansible's YAML dialect).
edited Dec 19 '18 at 8:39
answered Dec 19 '18 at 6:58
JohnDoea