Introduction

Oracle Autonomous Linux executes automatic patch updates and tuning without human interaction, improving IT staff productivity, security, and availability. It is available with Oracle Linux Premier Support at no cost to Oracle Cloud customers. Oracle Autonomous Linux is based on Oracle Linux, which is binary-compatible with Red Hat Enterprise Linux, allowing IBM Red Hat customers to immediately start using the service with current applications on Oracle Cloud Infrastructure (OCI).

This document guides you through the deployment of Oracle Autonomous Linux on Oracle Cloud Infrastructure, including setting up notifications to keep you notified of autonomous actions performed.

Deploying Oracle Autonomous Linux on Oracle Cloud Infrastructure

Installation Requirements

  • Oracle Autonomous Linux is available for deployment on Oracle Cloud Infrastructure. You need an Oracle Cloud Infrastructure account.
  • Oracle Autonomous Linux can be deployed on Oracle Cloud Infrastructure compute resources (bare metal and virtual machine shapes) and on Oracle Cloud Always Free Tier compute (VM.Standard.E2.1.Micro shape).
  • Oracle Autonomous Linux updates leverage Oracle Ksplice for zero-downtime kernel and key user space patching. Ksplice updates require Internet access. For Internet access on Oracle Cloud Infrastructure, add and configure a NAT Gateway or Internet Gateway in your Oracle Cloud Infrastructure Virtual Cloud Network (VCN). Note that a NAT Gateway or an Internet Gateway is required in order to allow Ksplice to receive updates, even if a Service Gateway is already configured.

Configuring Notifications

The Oracle Cloud Infrastructure Notifications service can be configured to receive email, PagerDuty, or Slack status messages from your instance when Ksplice and/or yum updates have been applied or when certain known exploit attempts have been detected by Ksplice. Before you create the new instance, it is recommended to configure notifications for Autonomous Linux. The following outlines how to set up notifications:

In the Oracle Cloud Infrastructure console main drop-down menu, under Solutions and Platform, select Application Integration -> Notifications.

The Notifications option is found in the Oracle Cloud Infrastructure console main window navigation, under the Solutions and Platform heading in the Application Integration menu.

You will need to create a topic. A topic is a communication channel for sending Oracle Cloud Infrastructure messages to its subscriptions. A topic can have zero, one, or multiple subscriptions that are notified whenever a message is published to a topic.

In this example we will simply name the topic Autonomous.

The Create Topic dialog allows you to set the Name and Description for the topic in this compartment.

Once the topic is created, you will need to subscribe to it. In this example, the subscription PROTOCOL is Email. Choose the topic from the drop-down menu and fill in the email address that should receive notifications for the topic. You can add more than one email address.

After you have created the subscription, the email(s) specified will receive a confirmation email. Follow the instructions in the email(s) to authorize the receipt of notifications for the email address(es).

The Create Subscription dialog allows you to select the Topic for the subscription and the Protocol to use for the notification. In this example the Email protocol is selected and an email address is entered into the Email field.

For later steps when creating the Autonomous Linux instance, you will need the topic OCID that was generated. You can find and copy the topic OCID by going to Application Integration -> Notifications -> Subscriptions, selecting the subscription you created, and clicking on the topic.

Configuring an Instance for Notifications

In order to configure your Autonomous Linux instances for notifications you can either create a dynamic group and have the instance added to the topic automatically, or you can choose to register the instance manually after its creation.

Below are the steps for both approaches.

Automatic Notification Registration with Dynamic Groups and cloud-init

With an Oracle Cloud Infrastructure dynamic group, you can associate instances with certain policies. You can create a dynamic group by specifying a compartment and a policy for that group that instructs all instances in that compartment to be automatically subscribed to your topic during cloud initialization using cloud-init.

From the main menu, under Governance and Administration, select Identity -> Dynamic Groups to create a new group.

To create a new group access the Identity menu in the Governance and Administration section of the navigation and select Dynamic Groups.

In this example, the group Autonomous-Group is configured to match all instances in a particular compartment (autonomous-linux-compartment) by providing the following rule, using the OCID of your compartment:

ALL {instance.compartment.id = 'ocid1.compartment.oc1..xxxaaaaaiydkxepmxy45zu436zvbn7vrcfscwjwe7xekw43upf2qpn4zvlma'}

The Create Dynamic Group dialog allows you to set the group name and description and to create a matching rule for your group. In the example a rule is created to match all instances in a compartment.

Once the group is created, specify a policy that connects the dynamic group with your topic. From the main menu, under Governance and Administration, select Identity -> Policies to create a new policy.

To create a new policy access the Identity menu in the Governance and Administration section of the navigation and select Policies.

Define a policy that allows the dynamic group Autonomous-Group defined earlier to publish to notification topics in the compartment autonomous-linux-compartment, so that every instance in that compartment can register itself with your topic. Specify the rule, providing the name of the dynamic group and the compartment, as follows:

Allow dynamic-group Autonomous-Group to use ons-topics in compartment autonomous-linux-compartment where request.permission='ONS_TOPIC_PUBLISH'

The Create Policy dialog allows you to set a Name and Description for the policy. The Policy statement is updated to display a policy for the dynamic group and compartment.

You can now proceed to the next section on Launching an Oracle Autonomous Linux Instance.

Launching an Oracle Autonomous Linux Instance

To launch an Oracle Autonomous Linux instance, navigate from the Main Menu to Compute -> Instances, and click on Create Instance. Alternatively, from the Oracle Cloud Infrastructure home page, under Quick Actions, click on Create a VM Instance.

Navigate to the Instances page by clicking on the Compute navigation item under Core Infrastructure and select Instances.

On the Create Compute Instance page, click on Change Image Source.

The Create Compute Instance dialog includes a button to Change Image Source to allow you to select an alternate image.

This takes you to the Oracle Cloud Infrastructure Image Catalog. Select Oracle Autonomous Linux under Platform Images, and click Select Image.

Browse All Images to select the Oracle Autonomous Linux image under the Platform Images tab.

This will take you back to the Create Compute Instance page:

  • Specify the instance configuration parameters including the Availability Domain, Instance Type, Compute Shape, network information, SSH key, and other relevant details.
  • Scroll down and click on Advanced Options.
    • Select the Compartment for your instance.
    • Select Paste cloud-init script. You will need the topic OCID generated earlier. You can find and copy the topic OCID by going to Application Integration -> Notifications -> Subscriptions, selecting the subscription you created, and clicking on the topic.
    • Paste the following script into the provided field, taking care to substitute your own topic OCID.
#!/bin/bash
al-config -T ocid1.onstopic.oc1.phx.xxxaaaaaxpgwyvuj5javrwvu7sppeingkfh4zhpcmwudhevz7s6ecywesrlq   # <- replace with your topic OCID
In the Advanced Options you can select a compartment for your instance and paste a cloud-init script.

Click on Create to deploy the image. The Autonomous Linux image will be provisioned and automatically started.

Manually Registering an Instance with a Notification Topic (Optional)

An alternate method to register an instance with a notification topic is to manually register the instance after its creation by connecting to it with SSH and performing the following tasks.

Obtain an API Key

You can skip this step if you already have an API key registered. Otherwise, generate an API key with the following commands and upload the new public key (oci_api_key_public.pem) to User Settings -> API Keys in the Oracle Cloud Infrastructure Console.

$ mkdir ~/.oci
$ openssl genrsa -out ~/.oci/oci_api_key.pem -aes128 2048    # private key protected by a passphrase
$ openssl genrsa -out ~/.oci/oci_api_key.pem 2048            # or: private key with no passphrase
$ chmod go-rwx ~/.oci/oci_api_key.pem
$ openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem

Commands to Configure Instance for Notifications

Once the instance is up, copy the API key to your instance and SSH into it.

$ scp ~/.oci/oci_api_key.pem opc@<Public IP of your instance>:

You need to get your Tenancy OCID under Administration -> Tenancy Details and your User OCID under User Settings. Then SSH into the instance and set it up for your tenancy and user by providing the API key, replacing the values below with your own tenancy and user OCIDs:

[opc@autonomous-linux ~]$ sudo al-config \
     -u ocid1.user.oc1..xxxaaaaacawrvomnea7lwgjd56ahne3crjnv4lpwb675dog77q75glac7cta \
     -t ocid1.tenancy.oc1..xxxaaaaaqeq4bzhikdf3brmhqb667jg4xvtcp4t2io5exogs2oupk4x3w2ya \
     -k ./oci_api_key.pem
Configured OCI CLI profile.
Please delete ./oci_api_key.pem

After configuration of the instance for the tenancy, you can register the instance for your topic. Use the topic OCID you copied earlier.

[opc@autonomous-linux ~]$ sudo al-config -T ocid1.onstopic.oc1.phx.xxxaaaaaxpgwyvuj5javrwvu7sppeingkfh3zhpcmwudhevz7s6ecywesrlq
Configured OCI notification service topic OCID.
Publishing message 'AL: Notification enabled on instance autonomous-linux'
Published message 'AL: Notification enabled on instance autonomous-linux'

You will now receive email notifications when the Autonomous Linux instance receives updates. Here is an example of such an e-mail:

+------------------------------------------------------------------------+
|  Summary (Wed Oct 30 20:42:07 GMT 2019)                                |
+------------------------------------------------------------------------+
Ksplice updates installed: no
Yum updates installed: no
Uptime: 20:42:07 up 7 days,  2:11,  0 users,  load average: 0.00, 0.00, 0.00
+------------------------------------------------------------------------+
|  Ksplice upgrade report                                                |
+------------------------------------------------------------------------+
Running 'ksplice -y all upgrade'.
Updating on-disk packages for new processes
Loaded plugins: langpacks, ulninfo
No packages marked for update
Nothing to do.
Nothing to be done.
Your kernel is fully up to date.
Effective kernel version is 4.14.35-1902.6.6.el7uek
+------------------------------------------------------------------------+
|  Yum upgrade report                                                    |
+------------------------------------------------------------------------+
Running 'yum-cron' with update cmd: default.
+------------------------------------------------------------------------+
|  Ksplice updates status                                                |
+------------------------------------------------------------------------+
Running 'ksplice all show'.
Ksplice user-space updates:
No Ksplice user-space updates installed
Ksplice kernel updates:
Installed updates:
[1rw4f14x] Known exploit detection.
[eexuzyat] Known exploit detection for CVE-2017-7308.
[bum1jlug] Known exploit detection for CVE-2018-14634.
[p31wiydb] KPTI enablement for Ksplice.
[oql5q0mj] Known exploit detection for CVE-2018-18445.
[mi2zbfso] Ksplice support for Intel VMX KVM patching.
[ob2ewq0l] NULL pointer dereference during hardware reconfiguration in Cisco VIC Ethernet NIC driver.
[fy1cbq79] Information leak in mlx5 Infiniband driver.
[4e9tjq41] CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.
[cekayf8k] Resource leak when deleting FIB nexthop exception.
[rdeboz7n] CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.
[3mf3ni0u] NULL pointer dereference in Reliable Datagram Socket binding.
[3rn9edej] NULL pointer dereference in Xen network device error handling.
[oe2jk3nj] Guest kernel crash in AMD VM Spectre v4 mitigation.
[lqsoaazr] Information leak in Reliable Datagram Sockets IPv6 message info.
[pm096u5d] CVE-2019-15666: Denial-of-service in network transformation policy removal.
[f4gncqwi] Network device resource leak in Infiniband device destruction.
 
Effective kernel version is 4.14.35-1902.6.6.el7uek
--
You are receiving notifications as a subscriber to the topic: 
Autonomous (Topic OCID: ocid1.onstopic.oc1.phx.xxxaaaaaxpgwyvuj5javrwvu7sppeingkfh3zhpcmwudhevz7s6ecywesrlq). 
To stop receiving notifications from this topic, unsubscribe.
Please do not reply directly to this email. If you have any questions or comments regarding this email, contact your administrator.
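The report above has a regular shape, so a subscriber other than a mailbox (for example a script behind the PagerDuty or Slack protocol) can turn it into structured data for ticketing or dashboards. The parser below is an added example, not part of the original page or of al-config; it reads a constructed, abridged copy of the report and extracts the summary flags, the installed Ksplice updates with any CVE they name, the known-exploit-detection entries, and the effective kernel version.

```python
import re

# Constructed sample, abridged from the notification format shown above.
SAMPLE_NOTIFICATION = """\
+------------------------------------------------------------------------+
|  Summary (Wed Oct 30 20:42:07 GMT 2019)                                |
+------------------------------------------------------------------------+
Ksplice updates installed: no
Yum updates installed: no
Uptime: 20:42:07 up 7 days,  2:11,  0 users,  load average: 0.00, 0.00, 0.00
+------------------------------------------------------------------------+
|  Ksplice updates status                                                |
+------------------------------------------------------------------------+
Running 'ksplice all show'.
Ksplice kernel updates:
Installed updates:
[1rw4f14x] Known exploit detection.
[eexuzyat] Known exploit detection for CVE-2017-7308.
[4e9tjq41] CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.
Effective kernel version is 4.14.35-1902.6.6.el7uek
"""

# One installed update: an 8-character Ksplice id in brackets, then a description.
UPDATE_RE = re.compile(r"^\[(?P<id>[0-9a-z]{8})\] (?P<desc>.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_notification(text):
    """Return the summary flags, installed Ksplice updates, referenced CVEs,
    known-exploit-detection update ids and the effective kernel version."""
    result = {"ksplice_updates_installed": None, "yum_updates_installed": None,
              "updates": [], "cves": set(), "exploit_detection": [],
              "effective_kernel": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Ksplice updates installed:"):
            result["ksplice_updates_installed"] = line.split(":", 1)[1].strip() == "yes"
        elif line.startswith("Yum updates installed:"):
            result["yum_updates_installed"] = line.split(":", 1)[1].strip() == "yes"
        elif line.startswith("Effective kernel version is "):
            result["effective_kernel"] = line[len("Effective kernel version is "):]
        m = UPDATE_RE.match(line)
        if m:
            result["updates"].append((m.group("id"), m.group("desc")))
            result["cves"].update(CVE_RE.findall(m.group("desc")))
            if "Known exploit detection" in m.group("desc"):
                result["exploit_detection"].append(m.group("id"))
    return result
```

The flags tell you whether the daily run changed anything, and the set of CVEs gives a quick cross-reference against your own vulnerability tracking.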

Connecting to the Instance

Once the instance launches, you can connect to it using SSH. For detailed instructions, please see Accessing Your Instance.

Use the following information to connect to the instance:

  • User: opc
  • IP Address: public IP address of the instance
  • id_rsa: path to the SSH-2 RSA private key file

For example:

$ ssh -i id_rsa opc@<IP Address>

Running Administrative Commands

You can use sudo to run commands.

For example, to show instance metadata, including region, compartment and IP address run:

$ sudo oci-metadata

Configuring the Auto-Update Time

Oracle Autonomous Linux performs auto-updates on a daily basis, if updates are available. Patches are applied at a specific random time generated by Autonomous Linux within a given update window. The update time window is specified in 24-hour clock hours (a 0-24 hour window), where, for example, 13 is 1 PM and 24 is 12 AM.

The default update time window is 4 hours long and starts 2 hours after the first boot time of the instance. For example, if the Autonomous Linux instance first booted at 14:10 (2:10 PM) or at 14:55 (2:55 PM), the default update window in both cases is 16-20 (4 PM to 8 PM). The daily update time is then randomly generated between 4 PM and 8 PM. Auto-updates will then be performed at the same generated time every day.

The al-config utility allows you to configure the daily auto-update window so you can control the time window in which an auto-update is performed daily.

Use the al-config utility as follows:

# al-config -w [time window]
# al-config -s

Command Options:

  • -w [time window] Time window string format: <start_hour>-<end_hour>

    <start_hour> and <end_hour> must be integers between 0 and 23. This time window specifies the acceptable time interval in which the daily updates can run.

    Minimum window is 2 hours, maximum window is 6 hours.

  • -s Show current auto update time window and update time.

Examples:

  • Configure update time window and update time:

    $ sudo al-config -w 23-4
    Configured daily auto update time window(24-hour): 23-4
    Configured daily auto update time(24-hour): 02:18
    Created cron job file /etc/cron.d/al-update.
  • Show the current update time window and update time:

    $ sudo al-config -s
    Current daily auto update time window(24-hour): 23-4
    Current daily auto update time(24-hour): 02:18

This command can be used to show when an update is scheduled to occur each day.
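The window rules above (hours 0 to 23, a span of 2 to 6 hours, wrapping past midnight as in 23-4) and the default window derived from first boot can be checked before a window is handed to al-config, for instance in automation that rolls a fleet onto staggered windows. This is an added example, not al-config's own code; pick_update_time uses a seeded choice so its result is repeatable here, whereas the utility's own random choice is its own, and treating the end hour as exclusive is an assumption.

```python
import random
import re

WINDOW_RE = re.compile(r"^(\d{1,2})-(\d{1,2})$")


def window_length(start, end):
    """Hours covered by start-end on a 24-hour clock, wrapping past
    midnight: 23-4 is 5 hours, 16-20 is 4 hours."""
    return (end - start) % 24


def parse_window(spec):
    """Validate an al-config -w style window (<start_hour>-<end_hour>, each an
    integer 0-23, spanning 2 to 6 hours) and return (start, end)."""
    m = WINDOW_RE.match(spec.strip())
    if not m:
        raise ValueError("window must look like <start_hour>-<end_hour>: %r" % spec)
    start, end = int(m.group(1)), int(m.group(2))
    if not (0 <= start <= 23 and 0 <= end <= 23):
        raise ValueError("hours must be integers between 0 and 23: %r" % spec)
    length = window_length(start, end)
    if not 2 <= length <= 6:
        raise ValueError("window must span 2 to 6 hours, got %d: %r" % (length, spec))
    return start, end


def is_valid_window(spec):
    try:
        parse_window(spec)
        return True
    except ValueError:
        return False


def default_window(boot_hour):
    """Default window: 4 hours starting 2 hours after the first-boot hour
    (a boot at 14:10 or 14:55 gives 16-20)."""
    start = (boot_hour + 2) % 24
    return start, (start + 4) % 24


def pick_update_time(start, end, seed):
    """Pick a HH:MM inside the window; seeded here so the choice is repeatable
    (assumption: the end hour is exclusive)."""
    offset = random.Random(seed).randrange(window_length(start, end) * 60)
    return "%02d:%02d" % divmod((start * 60 + offset) % (24 * 60), 60)


def in_window(hhmm, start, end):
    """True if HH:MM falls inside start-end, handling the midnight wrap."""
    h, m = map(int, hhmm.split(":"))
    return ((h - start) % 24) * 60 + m < window_length(start, end) * 60
```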

You can check the Autonomous Linux log located at /var/log/al.log, or set up notifications to let you know when an update has occurred.

More Information