Linux-Noob Forums
How to securely update the kernel via SSH. - Printable Version




How to securely update the kernel via SSH. - z0ny - 2004-08-18


Nowadays many private individuals have a dedicated server somewhere. Of course there is sometimes the urge to upgrade the kernel to a newer version in order to fix holes or even add new features (like grsec). And here comes the problem for many people: if you misconfigure something, your server might hang after the reboot stating "Kernel panic.". Now you have to call support ($$$) and wait until they fix the machine (in most cases by rebooting with the old kernel). But here comes the trick: this doesn't have to happen!


So here is a howto for a kernel of the 2.4 branch; the steps for the 2.6 branch are pretty much the same (except for the installation stuff, of course). I also won't go into detail about how to compile the kernel, as we already have tutorials about this in the forums.


1. Download and extract the latest kernel sources from www.kernel.org to '/usr/src' and enter the freshly created directory '/usr/src/linux-<release>'.


2. Open 'kernel/panic.c' with the editor of your choice.


3. Scroll a bit down until you see a line stating 'int panic_timeout;'.


4. Change that line from 'int panic_timeout;' to 'int panic_timeout = <seconds>;' (for example 'int panic_timeout = 5;'; this causes the kernel to reboot after the number of seconds you specify when a kernel panic occurs).


5. Compile the kernel and its modules like the other howtos here tell you ('make mrproper', 'make menuconfig', 'make dep && make bzImage modules modules_install') and copy the kernel ('cp arch/i386/boot/bzImage /boot/vmlinuz-<release>'), the System.map ('cp System.map /boot/System.map-<release>') and the current configuration ('cp .config /boot/config-<release>') to '/boot'.


6. Some of you may need an initrd image, so create it with 'mkinitrd /boot/initrd-<release>.img <release>' (for example: 'mkinitrd /boot/initrd-2.4.27.img 2.4.27'). See the manpage for more information.


7. Install the LILO boot manager. This is important, as GRUB does not have the feature we will rely on soon!


8. Edit LILO's configuration file ('/etc/lilo.conf'). An example below:



Code:
prompt
timeout=50
default="oldkern"
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
message=/boot/message
linear

image=/boot/vmlinuz-oldkern
       label="oldkern"
       initrd=/boot/initrd-oldkern.img
       read-only

image=/boot/vmlinuz-newkern
       label="newkern"
       initrd=/boot/initrd-newkern.img
       read-only




Make sure you DO NOT add the new kernel as the default kernel!!!
Run 'lilo' on the console to apply the changes.


9. Finally run 'lilo -R newkern' ("newkern" has to be the label of your new kernel, of course; in my example above it was "newkern", as you can see) to boot this kernel on the next reboot and only on the next reboot. If you keep it this way and boot twice, LILO will boot "newkern" first and "oldkern" afterwards.
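As an added sanity check before step 9 (example code written for this page, not part of z0ny's howto), the script below parses a lilo.conf and the edited kernel/panic.c and refuses to go ahead unless the label you are about to pass to 'lilo -R' exists, 'default=' still points at the old kernel, and panic_timeout is non-zero. The function names are hypothetical and the sample files it writes are constructed here to mirror the example configuration above.

```shell
#!/bin/sh
# Pre-flight check for the fallback setup above (hypothetical helper, not part of the howto).
# Before running 'lilo -R <newlabel>' it verifies that:
#   1. <newlabel> actually exists as a 'label=' entry in lilo.conf,
#   2. 'default=' names a different (known-good) label, so a panic falls back to it,
#   3. kernel/panic.c carries a non-zero 'int panic_timeout = N;', so a panic reboots.

lilo_labels() {          # every label= value in the config, quotes stripped
    sed -n 's/^[[:space:]]*label=\(.*\)$/\1/p' "$1" | tr -d '"'
}

lilo_default() {         # the default= value, quotes stripped
    sed -n 's/^[[:space:]]*default=\(.*\)$/\1/p' "$1" | tr -d '"'
}

panic_timeout_value() {  # N from 'int panic_timeout = N;', empty if still unset
    sed -n 's/^int panic_timeout *= *\([0-9][0-9]*\);.*/\1/p' "$1"
}

# usage: preflight <lilo.conf> <kernel/panic.c> <newlabel>; returns 0 if safe, 1 if not
preflight() {
    conf=$1; panic_c=$2; new=$3
    if ! lilo_labels "$conf" | grep -qx -- "$new"; then
        echo "label '$new' not found in $conf" >&2; return 1
    fi
    def=$(lilo_default "$conf")
    if [ -z "$def" ] || [ "$def" = "$new" ]; then
        echo "default= must be the old, known-good kernel, not '$new'" >&2; return 1
    fi
    t=$(panic_timeout_value "$panic_c")
    if [ -z "$t" ] || [ "$t" -eq 0 ]; then
        echo "panic_timeout is not set in $panic_c; a panic would hang the box" >&2; return 1
    fi
    echo "ok: default=$def, one-shot=$new, panic reboots after ${t}s"
}
# Constructed sample inputs mirroring the howto's lilo.conf and the edited panic.c line.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/lilo.conf" <<'EOF'
prompt
default="oldkern"
image=/boot/vmlinuz-oldkern
       label="oldkern"
image=/boot/vmlinuz-newkern
       label="newkern"
EOF
printf 'int panic_timeout = 5;\n' > "$TMP/panic.c"
printf 'int panic_timeout;\n'     > "$TMP/panic_unset.c"
preflight "$TMP/lilo.conf" "$TMP/panic.c" newkern      # prints the "ok: ..." line
```

Run it against your real '/etc/lilo.conf' and '/usr/src/linux-<release>/kernel/panic.c' instead of the sample files; only proceed to 'lilo -R' when it prints the "ok" line.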


Now you're done. As already said, LILO will now boot "newkern" on the next reboot. If you misconfigured the kernel and get a kernel panic, the kernel will initiate a reboot after the number of seconds you specified in panic.c, and LILO will then select the old and working kernel "oldkern" (as it's the default kernel). So you either get the new kernel running or you return to the old kernel. If the new kernel is running, change your bootloader's configuration (you may now switch back to GRUB if you don't like LILO) to default to that one. Much more secure and yet pretty simple, eh? :)


Another hint: it's also a good idea to install a crontab entry that does a reboot after a certain amount of time, just in case your kernel works but your network card doesn't (run 'crontab -e' and add '0,30 * * * * /sbin/shutdown -r now' to reboot on every half and full hour). Hope you enjoyed it. :)


z0ny