Oracle Autonomous Linux

Oracle Autonomous Linux is a managed service for reducing the complexity and overhead of common operating system management tasks.

Autonomous Linux provides the following features:

  • Automatic daily updates, including zero-downtime Ksplice updates for kernel, OpenSSL, and glibc libraries.
  • Monitoring for critical events, such as a kernel oops or kernel crashes, including collecting and submitting the messages and logs needed to debug and provide a root cause analysis of the event.
Important

Beginning August 31, 2021, Oracle Autonomous Linux is integrated with OS Management in Oracle Cloud Infrastructure. Before creating Oracle Autonomous Linux instances, see the getting started documentation for information about supported images and required IAM policies. Existing instances that were launched before August 31, 2021 remain standalone instances until a migration plan is available. For more information, see Oracle Autonomous Linux.
Legacy Documentation for Autonomous Linux Instances Launched Before August 31, 2021

Autonomous Linux performs automatic patch updates and tuning without human interaction, improving IT staff productivity, security, and availability. Autonomous Linux is available when you use the Oracle Autonomous Linux dedicated platform image and includes Oracle Linux Premier Support at no cost to Oracle Cloud customers. The Oracle Autonomous Linux platform image is based on Oracle Linux, which is binary-compatible with Red Hat Enterprise Linux, allowing IBM Red Hat customers to immediately start using the service with current applications on Oracle Cloud Infrastructure.

This topic guides you through the deployment of the Oracle Autonomous Linux platform image on Oracle Cloud Infrastructure, including setting up notifications to keep you notified of autonomous actions performed.

Prerequisites

  • Autonomous Linux is available for deployment on Oracle Cloud Infrastructure. You need an Oracle Cloud Infrastructure account.
  • Autonomous Linux requires the dedicated Oracle Autonomous Linux platform image.
  • Autonomous Linux can be deployed on Oracle Cloud Infrastructure compute resources (bare metal and virtual machine shapes) and on Oracle Cloud Always Free Tier compute (VM.Standard.E2.1.Micro shape).
  • Autonomous Linux updates use Oracle Ksplice for zero-downtime kernel and key user space patching. Ksplice updates require internet access. For internet access on Oracle Cloud Infrastructure, add and configure a NAT gateway or an internet gateway in your Oracle Cloud Infrastructure Virtual Cloud Network (VCN). A NAT gateway or an internet gateway is required to allow Ksplice to receive updates, even if a service gateway is already configured.

Setting Up IAM Policies for Notifications

With Oracle Cloud Infrastructure dynamic groups, you can associate instances with certain policies. You can create a dynamic group by specifying a compartment, together with a policy for that group, so that all instances in that compartment are automatically subscribed to your topic during cloud initialization using cloud-init.

To configure your Autonomous Linux instances for notifications:

  1. Create a dynamic group that contains the set of instances to be automatically subscribed to your topic. For more information about creating dynamic groups, see Managing Dynamic Groups.
  2. Add a rule for the dynamic group defining the set of instances to be permitted in the policy.

    For example:

    ANY {instance.compartment.id = 'ocid1.compartment.oc1..exampleunique', instance.compartment.id = 'ocid1.compartment.oc1..exampleuniqueid2'}
  3. Create a policy that allows instances to push notifications to topics.
     Allow dynamic-group Autonomous-Group to use ons-topics in compartment autonomous-linux-compartment where request.permission='ONS_TOPIC_PUBLISH' 

Configuring Notifications

The Oracle Cloud Infrastructure Notifications service can be configured to receive email, PagerDuty, or Slack status messages from your instance when the following Autonomous Linux operations are performed:

  • Ksplice or yum updates are applied to the instance.
  • Ksplice detects certain known exploit attempts.

Before you create the instance, we recommend that you configure notifications for Autonomous Linux.

You first need to create a topic. A topic is a communication channel for sending Oracle Cloud Infrastructure messages to its subscriptions. A topic can have zero, one, or multiple subscriptions that are notified whenever a message is published to the topic.

  1. Open the navigation menu and click Developer Services. Under Application Integration, click Notifications.
  2. Click Create Topic at the top of the topic list.
  3. In the Create Topic dialog box, configure your topic.
    • Name: Required. Specify a friendly name for the topic. It must be unique across the tenancy; validation is case-sensitive. Avoid entering confidential information.
    • Description: Optional. Enter a description for the topic. Avoid entering confidential information.
  4. Click Create.

After the topic is created, you must subscribe to the topic to receive notifications.

  1. Open the navigation menu and click Developer Services. Under Application Integration, click Notifications.
  2. Click the name of the topic that you want to add the subscription to.
  3. On the topic detail page, click Create Subscription.
  4. In the Create Subscription dialog box, configure your subscription for the protocol you want. For example, Email.

After creating the subscription, you need to confirm the subscription. For example, if you use the Email protocol, a confirmation email is sent to the email address that you specified. Follow the instructions in the email.

For later steps when creating the Autonomous Linux instance, you need the topic OCID that was generated.

To obtain and copy the topic OCID:

  1. Click Developer Services. Under Application Integration, click Notifications.
  2. Click the topic that you created for Autonomous Linux in the topic list.
  3. On the Topic Information tab, copy the OCID.

Creating an Autonomous Linux Instance

  1. Follow the steps to create an instance, until the advanced options. Ensure that the instance has either a public IP address or a service gateway, as described in the prerequisites.

    Note

    In the Image and shape section, choose the image and shape for the instance. Click Change Image and select the Oracle Autonomous Linux 7.x platform image.

  2. Scroll down and click Show advanced options.
  3. On the Management tab, under Initialization Script, select Paste cloud-init script.
  4. Paste the following script into the provided field, substituting the OCID of the notifications topic that you are using for Autonomous Linux.
    #!/bin/bash
    al-config -T ocid1.onstopic.oc1..exampleunique
  5. Click Create.

Connecting to the Instance

After the instance is created, you can connect to it using SSH. For detailed instructions, see Accessing Your Instance.

Use the following information to connect to the instance:

  • User: opc
  • IP Address: public IP address of the instance
  • id_rsa: path to the SSH-2 RSA private key file

For example:

$ ssh -i id_rsa opc@<IP Address>

Manually Registering an Instance with a Notification Topic (Optional)

An alternate method to register an instance with a notification topic is to manually register an instance after its creation by connecting to it using SSH and performing the following tasks.

  1. Obtain an API key

    If you already have an API key registered, you can skip this step. Otherwise, generate an API key using these instructions and upload the new API key to the Oracle Cloud Infrastructure Console.

    $ mkdir ~/.oci
    # Run only one of the two genrsa commands; the second overwrites the key written by the first.
    $ openssl genrsa -out ~/.oci/oci_api_key.pem -aes128 2048 # key encrypted with a passphrase
    $ openssl genrsa -out ~/.oci/oci_api_key.pem 2048 # no passphrase
    # Remove group and other access to the private key, then derive the public key to upload.
    $ chmod go-rwx ~/.oci/oci_api_key.pem
    $ openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem
  2. After the instance is up, copy the API key to your instance and SSH into it.

    $ scp ~/.oci/oci_api_key.pem opc@<Public IP of your instance>: 
  3. Obtain your tenancy ID.

    You need to get your tenancy OCID and user OCID. Then log in to your instance and set it up for your tenancy and user by providing the API key. Substitute the correct values for your own tenancy and user OCID.

    To obtain your tenancy OCID:

    1. Open the Profile menu and click Tenancy: <your_tenancy_name>.
    2. On the Tenancy Details page, copy your tenancy OCID.
  4. Configure your instance for notifications.

    1. Log in to your instance.
    2. Configure the Autonomous Linux instance with your user and tenancy OCID and provide your API key.
      [opc@autonomous-linux ~]$ sudo al-config \  
      -u ocid1.user.oc1..exampleunique \  
      -t ocid1.tenancy.oc1..exampleunique \  
      -k ./oci_api_key.pem   
      Configured OCI CLI profile.  
      Please delete ./oci_api_key.pem 

      After configuration of the instance for the tenancy, you can register the instance for your topic. Use the topic OCID of the topic that you created.

      [opc@autonomous-linux ~]$ sudo al-config -T ocid1.onstopic.oc1..exampleunique  
      Configured OCI notification service topic OCID.  
      Publishing message 'AL: Notification enabled on instance autonomous-linux'  
      Published message 'AL: Notification enabled on instance autonomous-linux'  

      You are now set up to receive email notifications when the Autonomous Linux instance receives updates.

      +------------------------------------------------------------------------+
      |  Summary (Wed Oct 30 20:42:07 GMT 2019)                                |
      +------------------------------------------------------------------------+
      Ksplice updates installed: no
      Yum updates installed: no
      Uptime: 20:42:07 up 7 days,  2:11,  0 users,  load average: 0.00, 0.00, 0.00
      +------------------------------------------------------------------------+
      |  Ksplice upgrade report                                                |
      +------------------------------------------------------------------------+
      Running 'ksplice -y all upgrade'.
      Updating on-disk packages for new processes
      Loaded plugins: langpacks, ulninfo
      No packages marked for update
      Nothing to do.
      Nothing to be done.
      Your kernel is fully up to date.
      Effective kernel version is 4.14.35-1902.6.6.el7uek
      +------------------------------------------------------------------------+
      |  Yum upgrade report                                                    |
      +------------------------------------------------------------------------+
      Running 'yum-cron' with update cmd: default.
      +------------------------------------------------------------------------+
      |  Ksplice updates status                                                |
      +------------------------------------------------------------------------+
      Running 'ksplice all show'.
      Ksplice user-space updates:
      No Ksplice user-space updates installed
      Ksplice kernel updates:
      Installed updates:
      [1rw4f14x] Known exploit detection.
      [eexuzyat] Known exploit detection for CVE-2017-7308.
      [bum1jlug] Known exploit detection for CVE-2018-14634.
      [p31wiydb] KPTI enablement for Ksplice.
      [oql5q0mj] Known exploit detection for CVE-2018-18445.
      [mi2zbfso] Ksplice support for Intel VMX KVM patching.
      [ob2ewq0l] NULL pointer dereference during hardware reconfiguration in Cisco VIC Ethernet NIC driver.
      [fy1cbq79] Information leak in mlx5 Infiniband driver.
      [4e9tjq41] CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.
      [cekayf8k] Resource leak when deleting FIB nexthop exception.
      [rdeboz7n] CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.
      [3mf3ni0u] NULL pointer dereference in Reliable Datagram Socket binding.
      [3rn9edej] NULL pointer dereference in Xen network device error handling.
      [oe2jk3nj] Guest kernel crash in AMD VM Spectre v4 mitigation.
      [lqsoaazr] Information leak in Reliable Datagram Sockets IPv6 message info.
      [pm096u5d] CVE-2019-15666: Denial-of-service in network transformation policy removal.
      [f4gncqwi] Network device resource leak in Infiniband device destruction.
       
      Effective kernel version is 4.14.35-1902.6.6.el7uek
      --
      You are receiving notifications as a subscriber to the topic: 
      Autonomous (Topic OCID: ocid1.onstopic.oc1..exampleunique). 
      To stop receiving notifications from this topic, unsubscribe.
      Please do not reply directly to this email. If you have any questions or comments regarding this email, contact your administrator.

Configuring the Auto-Update Time

Autonomous Linux performs auto-updates daily when updates are available. Patches are applied automatically at a random time that Autonomous Linux generates within a given update window. The update time window is specified in 24-hour time format, where, for example, 13 is 1 PM, and 24 is 12 AM.

The default update time window is 4 hours and starts 2 hours from the first boot time of the instance. For example, if the Autonomous Linux instance boot time was 14:10 (2:10 PM) or 14:55 (2:55 PM), the default update window in both cases is from 16 to 20, or 4 PM to 8 PM. The daily update time is then randomly generated between 4 PM and 8 PM. Auto-updates are then performed at the same generated time every day.

The al-config utility allows you to configure the daily auto-update window so you can control the time window in which an auto-update is performed daily.

Use the al-config utility as follows:

# al-config -w [time window] 
# al-config -s
Command Options
  • -w [time window] Time window string format: <start_hour>-<end_hour>

    <start_hour> and <end_hour> must be integers from 0 to 23. This time window specifies the acceptable time interval in which the daily updates can run.

    Minimum window is 2 hours; maximum window is 6 hours.

  • -s Show current auto update time window and update time.

Examples
  • Configure update time window and update time:

    $ sudo al-config -w 23-4
    Configured daily auto update time window(24-hour): 23-4
    Configured daily auto update time(24-hour): 02:18
    Created cron job file /etc/cron.d/al-update.
  • Show the current update time window and update time:

    $ sudo al-config -s
    
    Current daily auto update time window(24-hour): 23-4
    Current daily auto update time(24-hour): 02:18

This command can be used to show when an update is scheduled to occur each day.

To see when updates have occurred, you can check the Autonomous Linux logs in /var/log/al.log or set up notifications.
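The window rules above (hours 0 to 23, a span of 2 to 6 hours, windows that may wrap past midnight) can be checked mechanically, for example when auditing a fleet's maintenance schedule. The following shell functions are an added example, not part of Oracle's documentation or the al-config utility; the function names are hypothetical, and counting the end hour as inside the window and wrapping the default window past midnight are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle code): checks an update window against the rules
# stated on this page and confirms the scheduled time falls inside it.

dec() { n=${1#0}; echo "${n:-0}"; }   # strip a leading zero so 08 is not read as octal

# window_hours START END: length in hours, wrapping past midnight (23-4 is 5)
window_hours() { echo $(( ($2 - $1 + 24) % 24 )); }

# valid_window "S-E": hours must be 0-23 and the window 2 to 6 hours long.
# Leaves the parsed start hour in $ws and the length in $len for callers.
valid_window() {
    ws=${1%%-*}; we=${1#*-}
    for v in "$ws" "$we"; do
        case $v in [0-9]|[0-9][0-9]) ;; *) return 1 ;; esac
    done
    ws=$(dec "$ws"); we=$(dec "$we")
    [ "$ws" -le 23 ] && [ "$we" -le 23 ] || return 1
    len=$(window_hours "$ws" "$we")
    [ "$len" -ge 2 ] && [ "$len" -le 6 ]
}

# default_window "HH:MM": 4-hour window starting 2 hours after the first boot hour
# (14:10 and 14:55 both give 16-20; wrapping past midnight is an assumption)
default_window() {
    bh=$(dec "${1%%:*}")
    echo "$(( (bh + 2) % 24 ))-$(( (bh + 6) % 24 ))"
}

# time_in_window "HH:MM" "S-E": exit 0 if the time lies inside the window
# (the end hour itself is counted as inside, which is an assumption)
time_in_window() {
    case $1 in [0-9]:[0-9][0-9]|[0-9][0-9]:[0-9][0-9]) ;; *) return 1 ;; esac
    valid_window "$2" || return 1
    th=$(dec "${1%%:*}"); tm=$(dec "${1#*:}")
    off=$(( (th * 60 + tm - ws * 60 + 1440) % 1440 ))
    [ "$off" -le $(( len * 60 )) ]
}

# check_al_status: reads `al-config -s` output on stdin and reports the result
check_al_status() {
    st=$(cat)
    win=$(printf '%s\n' "$st" | sed -n 's/.*time window(24-hour): *\([0-9]*-[0-9]*\).*/\1/p')
    tim=$(printf '%s\n' "$st" | sed -n 's/.*update time(24-hour): *\([0-9]*:[0-9]*\).*/\1/p')
    valid_window "$win" || { echo "BAD_WINDOW $win"; return 1; }
    time_in_window "$tim" "$win" || { echo "TIME_OUTSIDE_WINDOW $tim"; return 1; }
    echo "OK window=$win time=$tim"
}

# Sample `al-config -s` output, copied from the example on this page
SAMPLE='Current daily auto update time window(24-hour): 23-4
Current daily auto update time(24-hour): 02:18'
printf '%s\n' "$SAMPLE" | check_al_status
```

On an instance, pipe the real output in with `sudo al-config -s | check_al_status`.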

Oracle Autonomous Linux Image Details

The following repositories are enabled by default beginning with the December 2020 Oracle Autonomous Linux platform image:

  • ol7_UEKR6
  • ol7_addons
  • ol7_ksplice
  • ol7_latest
  • ol7_oci_included
  • ol7_optional_latest
  • ol7_software_collections
  • ol7_x86_64_userspace_ksplice

To verify the enabled repositories on the instance, use the following command:

yum repolist

For example:

# yum repolist
Loaded plugins: langpacks, ulninfo
repo id                                           repo name                                                                                          status
ol7_UEKR6/x86_64                                  Latest Unbreakable Enterprise Kernel Release 6 for Oracle Linux 7Server (x86_64)                      197
ol7_addons/x86_64                                 Oracle Linux 7Server Add ons (x86_64)                                                                 473
ol7_ksplice                                       Ksplice for Oracle Linux 7Server (x86_64)                                                           9,655
ol7_latest/x86_64                                 Oracle Linux 7Server Latest (x86_64)                                                               21,367
ol7_oci_included/x86_64                           Oracle Software for OCI users on Oracle Linux 7Server (x86_64)                                        680
ol7_optional_latest/x86_64                        Oracle Linux 7Server Optional Latest (x86_64)                                                      15,491
ol7_software_collections/x86_64                   Software Collection Library release 3.0 packages for Oracle Linux 7 (x86_64)                       15,375
ol7_x86_64_userspace_ksplice                      Ksplice aware userspace packages for Oracle Linux 7Server (x86_64)                                    447
repolist: 63,685

The image includes the release packages for the ol7_developer and ol7_developer_EPEL repositories, but these repositories are disabled by default. If you need packages from these repositories, you can install the appropriate release package to obtain the correct repository configuration before enabling the repository by using the following commands:

sudo yum install oraclelinux-developer-release-el7
sudo yum install oracle-epel-release-el7
Note

Packages found in the ol7_developer and ol7_developer_EPEL repositories are only entitled to basic installation support.
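To detect drift from the default repository set listed above, for example a developer or EPEL repository left enabled, the enabled list can be compared with a baseline. This is an added example, not Oracle code; the function names are hypothetical and the sample yum repolist output is constructed.

```shell
#!/bin/sh
# Added example (not Oracle code): flag drift between the enabled yum
# repositories and the default set this page lists for the platform image.

# Baseline: repositories enabled by default, as listed on this page
EXPECTED="ol7_UEKR6 ol7_addons ol7_ksplice ol7_latest ol7_oci_included \
ol7_optional_latest ol7_software_collections ol7_x86_64_userspace_ksplice"

# enabled_repos: reads `yum repolist` output on stdin, prints one repo id per line
# (drops the /x86_64 suffix and the status marker yum may prefix to an id)
enabled_repos() {
    awk '/^repolist:/ { on = 0 }
         on           { sub(/^[!*]/, "", $1); sub(/\/.*/, "", $1); print $1 }
         /^repo id/   { on = 1 }'
}

# repo_drift: prints UNEXPECTED/MISSING lines; exit status 1 if any drift is found
repo_drift() {
    have=$(enabled_repos | tr '\n' ' ')
    rc=0
    for r in $have; do
        case " $EXPECTED " in *" $r "*) ;; *) echo "UNEXPECTED $r"; rc=1 ;; esac
    done
    for r in $EXPECTED; do
        case " $have " in *" $r "*) ;; *) echo "MISSING $r"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: ol7_optional_latest is disabled, ol7_developer_EPEL enabled
SAMPLE='Loaded plugins: langpacks, ulninfo
repo id                          repo name             status
ol7_UEKR6/x86_64                 constructed sample       197
ol7_addons/x86_64                constructed sample       473
ol7_developer_EPEL/x86_64        constructed sample       100
ol7_ksplice                      constructed sample     9,655
ol7_latest/x86_64                constructed sample    21,367
ol7_oci_included/x86_64          constructed sample       680
ol7_software_collections/x86_64  constructed sample    15,375
ol7_x86_64_userspace_ksplice     constructed sample       447
repolist: 48,094'
printf '%s\n' "$SAMPLE" | repo_drift || echo "drift detected"
```

On an instance, run `yum repolist | repo_drift`; a non-zero exit status means the enabled set differs from the baseline.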

Oracle Instant Client 18.3 basic package cannot be updated to 19.5 on instances that were launched before March 18, 2020 because of changes to packaging. To update Oracle Instant Client, manually remove Oracle Instant Client 18.3, and then install 19.5. Use the following commands:

sudo yum remove oracle-instantclient18.3-basic
sudo yum install oracle-instantclient19.5-basic

On Oracle Autonomous Linux images that were launched after March 18, 2020, Oracle Instant Client is not installed by default. To install Oracle Instant Client 19.5, you must manually install the package. Use the following command:

sudo yum install oracle-instantclient19.5-basic

On Oracle Autonomous Linux images that were launched after December 9, 2020, the Oracle Instant Client repository (ol7_oracle_instantclient) is not available by default. To add the repository, you must first install the oracle-release-el7 release package and then enable the ol7_oracle_instantclient repository. You can then install the appropriate Oracle Instant Client version package. Use the following commands:

sudo yum install oracle-release-el7
sudo yum-config-manager --enable ol7_oracle_instantclient