
Deploying Autonomous Linux in OCI

Intro

Simply explained, Autonomous Linux (AL) is Oracle Linux with Ksplice preconfigured, so the kernel and key user-space packages are patched with zero downtime. This page briefly explains how to deploy AL in OCI and how to configure some additional features.

Create AL instance

Compute - Instances - Create Instance, select Change Image

Platform Images - select Oracle AL 7.7 (the current version as of April 2020).

Complete the installation.

AL instance usage

The AL instance ships with its own usage instructions: from Instance Details, see "View Usage Instructions".

SSH connection into the instance

Most likely you added an SSH public key (for user "opc") during instance creation, so SSH to the instance with:
$ ssh -i </full/path/ssh-private-key> opc@<al-instance-name>.<subnet-dns-label>.<vcn-dns-label>.oraclevcn.com
That FQDN is the VCN-internal DNS name and only resolves from inside the VCN; from outside, use the instance's public IP address instead.

Instance metadata

This can be examined with the oci-metadata command (from the oci-utils package). Ex:
$ oci-metadata
 
Instance details:
  Display Name: AutonomousLinux-zarko
  Region: iad - us-ashburn-1 (Ashburn, VA, USA)
  Canonical Region Name: us-ashburn-1
  Availability Domain: DSdu:US-ASHBURN-AD-1
  Fault domain: FAULT-DOMAIN-1
  OCID: ocid1.instance.oc1.iad.anuw-shortened-hl43vma
  Compartment OCID: ocid1.compartment.oc1..aaaaa-shortened-obgza
  Instance shape: VM.Standard2.1
  Image ID: ocid1.image.oc1..aaaaaa-shortened-zxq
  Created at: 1585713324189
  state: Running
  agentConfig:
    managementDisabled: False
    monitoringDisabled: False
  ociAdName: iad-ad-2
  hostname: autonomouslinux-zarko
  Instance Metadata:
    ssh_authorized_keys: ssh-rsa AAAAB3NzaC_shortened_BK6ZSyCoWosR 
Networking details:
  VNIC OCID: ocid1.vnic.oc1.iad.abuwclj-shortened-vrrxa
  VLAN Tag: 64
  Private IP address: 100.x.x.x
  MAC address: 02:00:17:01:1E:B6
  Subnet CIDR block: 100.x.x.x/24
  Virtual router IP address: 100.x.x.1

Notification

The OCI Notifications service can be configured to receive status messages from an instance when updates have been applied or when a known exploit attempt has been detected by Ksplice.
To set up notifications, the steps below first grant the instance permission to publish to a topic and then register the topic on the instance:

Access to Notification service

The instance can access the Notifications service using either Instance Principals or an API key; either way, the instance must be granted permission to publish messages to the topic. Instance Principals are preferable because no long-lived API key has to be stored on the instance. Here, we'll configure permissions using Instance Principals.

Dynamic group

We'll need a dynamic group whose matching rule makes every instance in the compartment a member. Note that this grants every instance in the compartment, present and future, whatever the policy below allows; to limit membership to this one instance, match on instance.id = '<instance OCID>' instead.

Identity - Dynamic Groups - Dynamic Group Details - Matching Rules
ALL {instance.compartment.id = '<compartment OCID>'}
 
Example:
ALL {instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaa_shortened_ezobgza'}

Policy

Then we need a policy that allows the dynamic group to publish messages.

Identity - Policies - Create Policy, specify a name and description. To allow the dynamic group to publish messages to a topic in a particular compartment, create a policy with this syntax (the where clause narrows the grant to the single publish permission; a bare "use ons-topic" would also cover the other permissions of the use verb on topics in that compartment):
Allow dynamic-group <dynamic group name> to use ons-topic in compartment <compartment name> where request.permission='ONS_TOPIC_PUBLISH'
 
Ex.
Allow dynamic-group labops.dev.dg to use ons-topic in compartment labops.dev where request.permission='ONS_TOPIC_PUBLISH'

Configure instance

Finally, on the instance, register the notification service topic by running:
$ sudo al-config -T <topic OCID>
 
Ex.
$ sudo al-config -T  ocid1.onstopic.oc1.iad.aaaaa_shortened_6lkpq
Configured OCI notification service topic OCID.
Publishing message 'AL: Notification enabled on instance AutonomousLinux-zarko'
Published message 'AL: Notification enabled on instance AutonomousLinux-zarko'
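To tie the metadata and notification steps together, here is an added example script of my own (not from this page, nor part of Oracle's al-config tooling) that can be run on the instance: it reads the instance and compartment OCIDs from oci-metadata output (falling back to a constructed sample modelled on the output above when oci-metadata is absent), renders the matching rule for that compartment, checks whether a given matching rule actually covers this instance (a rule pointing at the wrong compartment OCID is the usual reason the publish fails), and, when the OCI CLI is installed, publishes a test message with instance-principal auth, which is the only ONS operation the policy above permits. The topic OCID placeholder, the presence of the oci CLI, and the sample metadata text are assumptions.

```shell
#!/bin/sh
# Added example, not part of the page or of Oracle's al-config tooling.
# Assumptions: run as opc on the AL instance; 'oci-metadata' (oci-utils) and,
# for publish_test, the 'oci' CLI are installed; the topic OCID is a placeholder.

# Constructed sample of oci-metadata output (OCIDs shortened like the page's),
# used when the script is run somewhere without oci-metadata.
SAMPLE_METADATA='Instance details:
  Display Name: AutonomousLinux-zarko
  OCID: ocid1.instance.oc1.iad.anuw-shortened-hl43vma
  Compartment OCID: ocid1.compartment.oc1..aaaaa-shortened-obgza
  Instance shape: VM.Standard2.1'

# metadata_field TEXT KEY: value of the first "  KEY: value" line in TEXT.
# "OCID" matches only the instance line; "VNIC OCID" / "Compartment OCID" do
# not match because of the anchored "^ *KEY:".
metadata_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | head -n 1
}

# matching_rule COMPARTMENT_OCID: the compartment-wide rule used on this page.
matching_rule() {
    printf "ALL {instance.compartment.id = '%s'}\n" "$1"
}

# rule_covers_instance RULE INSTANCE_OCID COMPARTMENT_OCID
# Returns 0 if the rule makes this instance a member, 1 if it does not,
# 2 if the rule uses a variable this check does not understand.
rule_covers_instance() {
    case $1 in
        *instance.compartment.id*)
            want=$(printf '%s' "$1" | sed -n "s/.*instance\.compartment\.id *= *'\([^']*\)'.*/\1/p")
            [ "$want" = "$3" ] ;;
        *instance.id*)
            want=$(printf '%s' "$1" | sed -n "s/.*instance\.id *= *'\([^']*\)'.*/\1/p")
            [ "$want" = "$2" ] ;;
        *)
            return 2 ;;
    esac
}

# publish_test TOPIC_OCID: publish one message using the instance principal.
# Publish is the only ONS permission the policy grants, so success here proves
# the dynamic group + policy chain; a NotAuthorizedOrNotFound error means the
# instance is not in the group or the policy is attached to the wrong compartment.
publish_test() {
    oci ons message publish --auth instance_principal \
        --topic-id "$1" \
        --title "AL: test message from $(hostname)" \
        --body "instance principal publish check"
}

if command -v oci-metadata >/dev/null 2>&1; then
    META=$(oci-metadata)
else
    META=$SAMPLE_METADATA
fi
INSTANCE=$(metadata_field "$META" "OCID")
COMPARTMENT=$(metadata_field "$META" "Compartment OCID")
RULE=$(matching_rule "$COMPARTMENT")
echo "Matching rule for this instance's compartment: $RULE"
if rule_covers_instance "$RULE" "$INSTANCE" "$COMPARTMENT"; then
    echo "Rule covers this instance."
fi
# On the instance, run the publish check with the real topic OCID from the console:
# publish_test 'ocid1.onstopic.oc1.iad.<topic-ocid>'
```

Run it before al-config -T: if the publish test fails, the problem is in the dynamic group or policy, not in AL itself, and the rule check tells you immediately whether the OCID you pasted into the matching rule is the compartment this instance actually lives in.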

Email

Messages published to the topic are delivered through its subscriptions, so add an email subscription to the topic and confirm it from the link OCI sends before expecting anything to arrive.

Success

The email subject looks like: AL: Updates installed on instance AutonomousLinux-zarko

Failure

The email subject looks like: AL: Upgrade failed on instance AutonomousLinux-zarko
