If you had `unattended-upgrades` running and had the "automatic reboot" option enabled, then all your Ubuntu 20.04 servers running Docker would reboot themselves and not come back up.
First, the bug shipped in a security update. Second, it wasn't just the containers that crashed: if Docker started containers at boot, the host OS kernel-panicked and crashed during boot, since containers share the kernel with the host.
At that point, you can't SSH in and have to follow the procedure for restoring from backup or re-mounting the root volume on an alternate host to revert the kernel version being run.
And then of course if you revert the kernel upgrade, you were once again vulnerable to whatever problem the security update was fixing...
Not to mention we’ve also had our fair share of production triple faults from bugs in the Intel firmware patches for Spectre, which took weeks to investigate & fix between ourselves struggling to keep our exchange up & running, Intel, and AWS.
And that is why there's value in the CoreOS/Container Linux-like solutions we designed & implemented nearly a decade ago now. Being able to promptly roll back any kernel/system/package upgrade at once, either manually or automatically once a few panics in quick succession are detected, is actually quite awesome. Not to mention the slow update rollout strategy baked into the Omaha controller.
But the reality is that the what-ifs are always the hardest to market: they're nearly always afterthoughts, with fast-spiking/fast-decaying traction after major events.
Elemental is pretty close to CoreOS: https://github.com/rancher/elemental/
They even have a way to build arbitrary os images: https://github.com/rancher/elemental-toolkit
It's pretty great
Build your images in a CI job and have your deploy version be (code version, image version), so patching runs through all the same tests your code does and you have a trivial roll-forward to undo any mess you find yourself in.
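A minimal sketch of that versioning scheme (registry name and CI variables hypothetical):

  # build an image per CI run; the deploy artifact is the (code, image) pair
  CODE_VERSION="$(git rev-parse --short HEAD)"
  IMAGE_VERSION="$(date +%Y%m%d)-${CI_PIPELINE_ID:-local}"
  docker build -t "registry.example.com/base:${IMAGE_VERSION}" .
  docker push "registry.example.com/base:${IMAGE_VERSION}"
  # record the pair; rolling forward (or back) is just redeploying an earlier pair
  echo "${CODE_VERSION} ${IMAGE_VERSION}" >> deploys.log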
> Build your images in a CI job
I know container images should generally be immutable, but I would expect unattended upgrades to be mostly used on the host, not in a container, in which case that management system doesn't really work (unless you're running VMs, where you can deploy immutable root images to the VMs as well, or some fun bare metal + PXE combination).
Let things be automatic to the maximum degree possible but give yourself a single hard human checkpoint and some minimum level of validation in a dummy environment first.
This is actually what I implemented for our hypervisor tier, it’s not as scary as it sounds. I could legit completely rebuild our entire stack down to the metal in about 3 hours.
Kick off a new hypervisor version, the inactive side PXE boots all the nodes, installs and configures a Proxmox cluster, slaves itself to our Ceph cluster, and then either does a hot migration of all the VMs or kicks off a full deploy which rebuilds all the infra (Consul, Rabbit, Redis, LDAP, Elastic, PowerDNS, etc) along with the app servers. The hardest part (which really isn’t) is maintaining the clusters across the blue/green sides.
With this setup our only mutable infrastructure was our Ceph cluster (because replacing OSDs takes unacceptably long) and our DB (for performance the writers lived on dedicated servers; the read replicas lived on the VMs).
My experience has been that by the time I notice some serious vulnerability is in the news, my servers have already patched themselves. I have never "hated life" or had a "hard to find and undo bug" due to automatic security patching. I pretty quickly found what caused this and had a clear path to resolution.
This is the first security update that caused a boot failure in about a decade. It was bad, but it didn't change my mind about unattended-upgrades. My takeaway is that maybe I should have upgraded my 20.04 servers to 22.04 sooner.
I bet when you update your software dependencies you run those changes through your tests, but your OS is a giant pile of code that usually gets updated differently and independently, mostly for historical reasons.
Close. We are moving towards defining our server states through Ansible, but the project is not close to completion. Perhaps once that's further along, we could use Ansible Molecule + CI to test a new server state when there's a new patch available, but that's not an option on the table today.
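If we get there, the CI step might look something like this (role name hypothetical; assumes Molecule's Docker driver):

  # exercise the role against a fresh image whenever a new patch lands
  pip install "molecule[docker]"   # driver packaging varies by Molecule version
  cd roles/baseline
  molecule test                    # create -> converge -> verify -> destroy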
The system we had in place for /today/ worked: lower-priority or redundant servers were set to auto-reboot after applying security updates, while other, critical servers required a manual reboot at low-risk times. By then, the patch had already been tested on the lower-risk servers.
As a result, this issue caused no user-visible downtime for us, and due to the staggered runs of unattended-upgrades affected a minimal number of servers.
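For anyone wanting the same split, the relevant knobs live in /etc/apt/apt.conf.d/50unattended-upgrades; on the auto-reboot tier it's something like this (time illustrative):

  Unattended-Upgrade::Automatic-Reboot "true";
  Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
  Unattended-Upgrade::Automatic-Reboot-Time "03:00";

The critical tier simply leaves Automatic-Reboot at "false" and waits for a human.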
And this was the first time in 10+ years that something like this happened; we have to prioritize our process-improvement time based on likelihood and impact.
Some years ago everyone said the same about Windows servers ;)
Or add `systemd.mask=docker.service` to your boot parameters to prevent Docker from starting.
Failing that, you could try the "single" directive and poke at other configurations once booted in that mode.
A faff to be sure, but hopefully viable options (assuming the interactive menu hasn't been disabled to save a few seconds off boot time!).
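Concretely (kernel path and root device are whatever your entry already shows): press 'e' on the GRUB menu entry, find the line starting with "linux", and append one of:

  systemd.mask=docker.service    # boot normally, but never start Docker
  systemd.unit=rescue.target     # the modern spelling of "single"

then Ctrl-x to boot.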
There are options even without out-of-band management. You can configure your systems with PXE -- if the installation ever fails, they can boot into a recovery environment over the network.
Alternatively, you unmount the drive, attach it to another machine, chroot into it, fix GRUB or whatever, reverse the process, and boot again. It's a few steps, but can be done in a few minutes with practice.
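Roughly (device names and kernel version hypothetical):

  # on the rescue machine, with the broken root volume attached as /dev/sdb
  mount /dev/sdb1 /mnt
  for d in dev proc sys; do mount --bind /$d /mnt/$d; done
  chroot /mnt
  apt-get remove linux-image-5.13.0-1029-aws   # drop the bad kernel build
  update-grub
  exit
  umount -R /mnt   # then reattach the volume and boot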
  # race the boot: rename containerd before Docker can start it and panic the kernel
  while true; do ssh <servername> sudo mv /usr/bin/containerd /usr/bin/containerd.backup; sleep 1; done

while rebooting the system.
It's pretty standard for all distros to have that choice.
Exceptions tend to be white boxes built with desktop components, at which point, yeah: the proverbial "you asked for this" problem.
This wasn't just limited to Linux either. It was a common UNIX trick :)
This is a bit of a lost art these days though. iLO and IPMI have replaced the need for serial. Then virtualisation and, to a lesser extent, containerisation have lowered the bar even further, while also moving the industry towards more ephemeral systems that can be destroyed and rebuilt automatically rather than the old habit of nursing failed hosts back to health.
https://www.kernel.org/doc/html/v5.3/admin-guide/serial-cons... (a lot of distros at the time shipped a kernel with this support compiled in; I don't know how common it is now).
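For reference, the classic kernel command line for it looks like this (device and baud are the usual choices, not mandated):

  console=ttyS0,115200n8 console=tty0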
Console servers from the likes of OpenGear and Lantronix are still heavily used for that.
Most smaller teams don't prioritize physical access; they usually only need it for one-off events. And while this would be a one-off event, it would be one that affects many servers.
I'm not sure I've ever worked with any (2008-present) that don't in any case.
Oh well, I guess experiences differ.
I don't think the issue is so much cost; it's more that this kind of systems administration is becoming a forgotten art, because 99% of the time modern tooling removes the need for it. So younger sysadmins are never taught how to do these kinds of things. When I started out, though, I worked in a few small companies that had their physical hosts connected to a console server (a Cisco device like a network switch) via serial cables, and you'd then connect to that console server remotely.
If you can afford to have something down for an extended period then fine. But even with a small team some services are built such that certain device outages cannot be tolerated, at least for an extended period.
So out-of-band/console servers or whatever still make a lot of sense and are a relatively high priority.
It requires access to the serial console or baseboard management controller or whatever terms have emerged.
I have never rented a physical server without this.
Isn't the common wisdom that you should have them enabled, but staggered across hours/days?
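For reference, on stock Ubuntu that stagger can be done per tier by overriding the upgrade timer (schedule values illustrative):

  # systemctl edit apt-daily-upgrade.timer
  [Timer]
  OnCalendar=
  OnCalendar=Tue 04:00
  RandomizedDelaySec=4h

Each tier then picks up the same patch on a different day.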
This is mostly an in-place upgrade issue?
Security patches matter, but I'm no one important, so I should be fine to wait a week or month...
Anyone else who is important though... servers for example...
It's nice to see LWN on HN ... but please remember: it is only LWN subscribers that make this kind of writing possible. If you are enjoying it, please consider becoming a subscriber yourself — or, even better, getting your employer to subscribe.
If you're interested in detailed commentary on and investigations of the FOSS space, I can't recommend a subscription to LWN enough!
It is possible to ssh in for about 2 seconds before the kernel panic, so I solved it with the while/ssh/mv loop above, run while the system was rebooting.
On the next reboot I was able to ssh in and change to the kernel (released within the past hour at that point) that doesn't have this stupid bug. After another reboot you can move containerd back and it should be working again.
Not affected: anything newer than linux-image-5.13.0-1029.
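In case it helps anyone, the fix-up once you're in is roughly this (build name hypothetical; use whatever >1029 build matches your flavour):

  sudo apt-get update
  sudo apt-get install linux-image-5.13.0-1030-kvm   # hypothetical fixed build
  sudo update-grub && sudo reboot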
For example, looking at the package for postgresql-14, an update still hasn't been released for the unscheduled mid-June release, version 14.4, which fixed possible index corruption.
I would have thought this would have been packaged earlier, as I would expect Ubuntu + PostgreSQL to be a common combination.
It makes me wonder exactly how many resources are behind creating Ubuntu distributions.
I don’t really have any sources to back this up, but my impression is that Canonical is kinda trying to punch above their weight.
A sysadmin friend of mine is totally against docker and his reason is that he wants as little complexity as is needed on his systems. Complexity, he says, leads to emergent behavior.
- If you throw the box out, you know you did no harm to other boxes.
- If you change your floor, you know you didn't wipe out something useful.
- Aaand you can `git switch` to a well known state
Of course it's not 100% like that; in reality you still have to have some kind of consistency about where you put your docker-compose file and the Dockerfiles for all the boxes, where you mount your volumes (in some folder, or scattered all over the system), maybe dealing with the host firewall, not committing secrets into git, etc.
But overall it's very positive: the docker-compose file is (almost) the one-stop place to see all your references to volumes, Dockerfiles, network configuration, and environment files with secrets.
It seems less complex to manage a bunch of systemd services than one pile of systemd services that are managed and logged one way plus a bunch of Docker services that are managed and logged another way.
If your standard is dealing with systemd units, it may make sense to make your containers conform to that (thereby deviating from the most common way of managing containers). Maybe it's what I'd do in a larger operation. For my personal use I find it the most pragmatic to just use Docker since it's reasonably well documented, has reasonably low friction in usage and is very easy to set up.
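For what it's worth, a minimal unit for that pattern might look like this (names hypothetical):

  [Unit]
  Description=myapp container
  After=docker.service
  Requires=docker.service

  [Service]
  ExecStartPre=-/usr/bin/docker rm -f myapp
  ExecStart=/usr/bin/docker run --rm --name myapp myimage:1.0
  ExecStop=/usr/bin/docker stop myapp
  Restart=on-failure

  [Install]
  WantedBy=multi-user.target

That at least gets you journald logging and systemctl management for free.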
However, looking at the whole chain of the process:
I can deploy a service/app on my local machine, including dependencies, alongside other independent services/apps.
So I can reuse what I have for production. But of course, local development stuff will have different env variables, its own docker-compose file, etc.
But it is a joy, when you can:
1. git clone something
2. set some env variables
3. docker-compose up -d
And your app, along with its database, Elasticsearch, whatnot, is running.
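A minimal sketch of such a docker-compose.yml (images and names hypothetical):

  version: "3.8"
  services:
    app:
      build: .
      env_file: .env            # step 2's variables live here, out of git
      depends_on: [db, search]
    db:
      image: postgres:14
      volumes:
        - pgdata:/var/lib/postgresql/data
    search:
      image: docker.elastic.co/elasticsearch/elasticsearch:7.17.0
      environment:
        - discovery.type=single-node
  volumes:
    pgdata: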
So for development purposes it really helps. For deployment purposes, if the box is dedicated to something, then yeah, many of the good use cases aren't necessary.
(just not from the system perspective, but from the "reasoning about it" perspective)
Even container security and compliance around it is a measurable loss on its own which is trivially solved if you have bare EC2 instances and a patch cycle.
The emergent behavior of containerization has had an overall positive effect, even if it has annoying costs.
They were also better organized. Ebay and Amazon were leaner and more pleasant to use.
Citation needed. There were a lot fewer sites, maintenance windows measured in hours weren't uncommon, there was no security to speak of (SQL injections, no SSL/TLS, etc.), and sites could do maybe 1% of what today's sites can (not saying that all of it is good or necessary, but I quite like a non-insignificant number of those new features: native video, audio, graphics, dynamism, etc.).
When was the last time you saw a weekly "Our website is down for maintenance for the next 2 days" message, other than for some government website still running COBOL on a mainframe? When was the last time you saw 500 errors? Used to be a daily thing.
Source? Sounds like bullshit.
It could be triggered by other complex applications that use kernel container features.
This is when I introduce them to something called VirtualBox, and then their eyes go bright with wonder at how simply it works.
Well, even if I had a workhorse with loads of RAM... I'd still choose Docker, because of how FAST it starts/restarts. And because it is easy to recreate everything with Docker; a VM may get messy when installing stuff for app #1, #2, #x, "works on my machine!", etc.
Not to mention, if you want to "natively" pack something for Windows and macOS, containers won't even solve that problem, as they only run on Linux. The only reason you can use Docker on macOS is virtualization.
Mac .app files are not just a binary (Mach-O); they can include libraries, "frameworks", etc. that will override what's loaded from the system. AppImage is even worse*. .exe files are usually set up with an installer that triggers the side-by-side assembly mechanism, pretending that the system is using the version of the libraries that you included (and growing your WinSxS folder forever). JAR files usually include all their required transitive dependencies rather than "dynamic linking" against other JARs.
*: AppImage official documentation: "Do not depend on system-provided resources" https://docs.appimage.org/introduction/concepts.html#do-not-...
I don't think the fact that it uses virtualisation on Windows or Mac is very bad. I think it's an advantage for simplicity that everything is Linux (I pretend that Windows containers do not exist).
I have a couple of bits running via LXC but otherwise use VMs to split services out.
One large VM running many containers, or sometimes a couple of VMs, perhaps separating them performance-wise across drives or with CPU core affinity where that was (or seemed) easier, or just so that in case of disaster they could concentrate on getting the higher-priority VM+containers restored and back up first.
Obviously one VM per container would defeat the container benefits, though I've seen this done where Docker was the only officially supported install option and they wanted to run the service in a VM.
Either way, I don't think they understand what Docker is, what it's for, and why it makes things less complicated.
I've recently migrated to Ubuntu 22.04 and ran into this on HP ProLiant servers.
I actually rolled out Ubuntu 22.04 to a few servers a few weeks ago. Pretty uneventful update; all my Ansible scripts for 20.04 worked without modification against these new servers. So, I guess I dodged this bug for now. One reason I've always preferred Ubuntu over Red Hat for servers is that with Red Hat/CentOS essentially everything I care about is perpetually and hopelessly out of date and obsolete, so it creates a lot of hassle to work around that and get reasonably current versions of the things I actually need my servers to run. With Ubuntu that was always a lot more straightforward.
I currently write this on a laptop with Manjaro and Linux 5.18. I'm glad I don't have to deal with about a year of long-fixed issues with hardware, bluetooth, GPUs, performance, etc. IMHO there's very little value in sticking with older kernels on desktop machines, especially when that involves a convoluted process of back-porting and integrating lots of complicated patches.

I recently put Ubuntu on an old iMac (secure boot prevents booting Manjaro) and promptly ran into hardware issues that I recall having with Manjaro a few months ago, which were fixed by simply upgrading the kernel. Bluetooth especially seems way more flaky, and that's not exactly flawless on 5.18 either.

I get the "if it ain't broke don't fix it" thing; my point is that with modern desktop Linux, things being broken is a constant. The least broken version of Linux is usually the kernel that was just released, with all the cumulative fixes for the issues addressed in previous releases. Opting out of a few years of those fixes seems misguided.
Even on servers, I suspect simply updating the kernel more regularly would not be the end of the world for most users, with an incubation period to catch bugs and blocking issues of course; the more people use a kernel version, the more stable it gets. I doubt many users would experience any regressions, and it's a lot cheaper to support. Given the choice, I don't think I would opt to run 2-3 year old kernels on any of my servers. I don't see the value of opting out of 2-3 years' worth of known & fixed stability, performance, and other issues.
This is exactly why you choose it. Lesser chance of insanity.
There's no "Fedora Server" product and never has been. Do you mean the rolling release CentOS?
My 3 year old server is running fine. What am I missing out on exactly? My 6 year old router is also running perfectly. Don't fix what isn't broken. Updates often break things without providing me any value.
I'm running a 5 year old Android. Upgrading to a newer version would make my phone sluggish. I don't need a newer Android (yet). My phone works perfectly for me.
Now, if you are going to tell me my security is at risk. Please be specific and provide an example :)
The number of tickets in Launchpad such as https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1970957 makes me question the value of my org looking into an Ubuntu Advantage subscription. When there are tickets with lots of "me too" replies that result in unusable laptops, one should at least triage them, consolidate them into a single ticket, and then be able to mark when it's fixed.
What if you're in bed with the flu?
But if you're a team, then maybe.
Still, that could delay the response by a whole day (checking HN once a day).
After all, they've reinvented everything from the DE to the init system at least once in the past.
(They also have their own containers, LXD. I actually really like that one; please keep working on it, Canonical.)
But I assume that, since Ubuntu follows an April release schedule, it doesn't always line up with an appropriate LTS kernel.
That being said, I rate Canonical's practices as rather poor.