Most likely you have heard about Spectre and Meltdown by now. It’s all over the news. As an IT or DevOps engineer, it’s now your job to patch your EC2 instance operating systems.
This task can be “fun” if you need to SSH/RDP into every EC2 instance and apply patches. Or, it can be truly fun if you decide to use AWS Systems Manager to apply patches to your OS.
AWS Systems Manager, previously known as Amazon System Service Manager (SSM), is a sub-service of AWS where you can manage tasks on your AWS infrastructure, such as executing commands on your EC2 instances. You can use this system to apply patches to your OS and install software.
AWS has provided a detailed document regarding the state of Spectre and Meltdown on AWS. The document includes instructions on how to update various operating systems with the necessary kernel patches.
For example, you can apply the following command to your Amazon Linux EC2 instance to update the kernel:
sudo yum update kernel
If you want to SSH into every EC2 instance you have, be my guest. But it will be much easier to use AWS Systems Manager. Just spin up a shell and execute the following AWS CLI command:
aws ssm send-command \
  --document-name AWS-RunShellScript \
  --instance-ids i-xxxx \
  --parameters commands="yum install -y kernel"
Here, we’re adding the -y parameter to assume “yes” to any prompts because yum will confirm if we want to apply the updates and we won’t have keyboard access to press
After you execute the above command, you’ll need to wait a few minutes for the update to complete on the EC2 instance. Once it completes, you’ll see something like the following in the command log:
Loaded plugins: priorities, update-motd, upgrade-helper
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:4.9.75-25.55.amzn1 will be installed
--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel.x86_64 0:4.9.51-10.52.amzn1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch        Version                  Repository           Size
================================================================================
Installing:
 kernel        x86_64      4.9.75-25.55.amzn1       amzn-updates         18 M
Removing:
 kernel        x86_64      4.9.51-10.52.amzn1       @amzn-main           71 M

Transaction Summary
================================================================================
Install  1 Package
Remove   1 Package

Total download size: 18 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : kernel-4.9.75-25.55.amzn1.x86_64                            1/2
  Cleanup    : kernel-4.9.51-10.52.amzn1.x86_64                            2/2
  Verifying  : kernel-4.9.75-25.55.amzn1.x86_64                            1/2
  Verifying  : kernel-4.9.51-10.52.amzn1.x86_64                            2/2

Removed:
  kernel.x86_64 0:4.9.51-10.52.amzn1

Installed:
  kernel.x86_64 0:4.9.75-25.55.amzn1

Complete!
If you happen to see some “No such file or directory” warnings, don’t worry about them.
You can do this individually for each EC2 instance from the same shell, or you can script it.
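One way to script it, as an added example that is not part of the original post and not Skeddly's code: fan the same send-command out to several instance IDs at once, poll each invocation until it finishes, and then read the yum output back to confirm which kernel package actually landed. It assumes the AWS CLI is configured with SSM permissions, that the instances run Amazon Linux with the SSM agent, and that the instance IDs are supplied by the caller (the `i-xxxx` values are placeholders). The command also echoes `uname -r` at the end, because a newly installed kernel package does not take effect until the instance reboots; the script reports that as "reboot pending" so you know the patch is installed but not yet running. The sample log in the block is constructed, modelled on the post's yum output, and is only used to exercise the parsing functions.

```shell
#!/bin/sh
# Added example (not from the post): kernel update via SSM Run Command
# across several instances, with a check of what was installed vs. running.

# Constructed sample of the combined command output (yum log followed by
# the RUNNING_KERNEL marker the command below appends). Used only to
# exercise the parsing functions; modelled on the post's sample log.
SAMPLE_OUTPUT='Loaded plugins: priorities, update-motd, upgrade-helper
---> Package kernel.x86_64 0:4.9.75-25.55.amzn1 will be installed
Running transaction
  Installing : kernel-4.9.75-25.55.amzn1.x86_64                            1/2

Removed:
  kernel.x86_64 0:4.9.51-10.52.amzn1

Installed:
  kernel.x86_64 0:4.9.75-25.55.amzn1

Complete!
RUNNING_KERNEL=4.9.51-10.52.amzn1.x86_64'

# Version of the kernel package yum lists under "Installed:", or empty
# when the transaction installed nothing (e.g. "Nothing to do").
installed_kernel_version() {
    printf '%s\n' "$1" | awk '
        /^Installed:/ { seen = 1 }
        seen && match($0, /kernel\.x86_64 0:[^ ]+/) {
            print substr($0, RSTART + 16, RLENGTH - 16); exit
        }'
}

# Value of the RUNNING_KERNEL= marker (the instance's "uname -r"), or empty.
running_kernel_version() {
    printf '%s\n' "$1" | sed -n 's/^RUNNING_KERNEL=//p' | tail -n 1
}

# Succeeds when the running kernel ($1, from uname -r) is the installed
# package ($2, yum version). uname -r carries the .x86_64 suffix, yum's
# version string does not, so no reboot is pending when they line up.
patch_is_active() {
    [ -n "$2" ] && [ "$1" = "$2.x86_64" ]
}

# Send one Run Command invocation to every instance ID given (SSM accepts
# up to 50 per call); prints the command ID.
send_kernel_update() {
    aws ssm send-command \
        --document-name AWS-RunShellScript \
        --instance-ids "$@" \
        --comment "Spectre/Meltdown kernel update" \
        --parameters '{"commands":["yum install -y kernel","echo RUNNING_KERNEL=$(uname -r)"]}' \
        --query 'Command.CommandId' --output text
}

# Poll one invocation ($1 command ID, $2 instance ID) until it is no longer
# queued or running; prints the final status (Success, Failed, TimedOut...).
# get-command-invocation can error briefly before the invocation is
# registered, which is treated here as still Pending.
wait_for_invocation() {
    while :; do
        status=$(aws ssm get-command-invocation --command-id "$1" \
                   --instance-id "$2" --query 'Status' --output text 2>/dev/null \
                 || echo Pending)
        case "$status" in
            Pending|InProgress|Delayed) sleep 10 ;;
            *) printf '%s\n' "$status"; return 0 ;;
        esac
    done
}

# Driver: patch every instance ID on the command line and report per instance.
main() {
    cmd_id=$(send_kernel_update "$@") || exit 1
    for inst in "$@"; do
        status=$(wait_for_invocation "$cmd_id" "$inst")
        out=$(aws ssm get-command-invocation --command-id "$cmd_id" \
                --instance-id "$inst" --query 'StandardOutputContent' --output text)
        installed=$(installed_kernel_version "$out")
        running=$(running_kernel_version "$out")
        if [ "$status" != "Success" ]; then
            printf '%s: update FAILED (status %s)\n' "$inst" "$status"
        elif [ -z "$installed" ]; then
            printf '%s: no kernel package changed, running %s\n' "$inst" "$running"
        elif patch_is_active "$running" "$installed"; then
            printf '%s: kernel %s installed and running\n' "$inst" "$installed"
        else
            printf '%s: kernel %s installed, still running %s (reboot pending)\n' \
                "$inst" "$installed" "$running"
        fi
    done
}

# Only talk to AWS when instance IDs were actually passed in.
case "${1:-}" in
    i-*) main "$@" ;;
esac
```

Run it as `sh patch-kernel.sh i-xxxx i-yyyy`. The parsing is deliberately tied to the "Installed:" section of the yum log rather than the "will be installed" resolution lines, so a transaction that resolved but did not complete is not mistaken for a successful patch.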
Other operating systems (Ubuntu, Windows) will require other commands, but using the same send-command CLI command will make it easier.
Using Skeddly, you can automate this even further. Using Skeddly’s “Send SSM Command” action, you can easily send these commands to all your EC2 instances at once (or a subset if needed).
Skeddly is the leading managed scheduling service for your AWS account. Using Skeddly, you can: