Do you update kernels sometimes?

September 24, 2012
Hello, the question is in the title. I'm asking this because in the past (this summer) I had a VPS based on OpenVZ technology, and the kernel was terribly old (2.6.18). I had Ubuntu 11.10 but I was unable to upgrade to 12.04 LTS directly because of the kernel. (I was able to bypass this by doing an "apt-add-repository ppa:izx/ovz-libc", but I searched for a couple of hours.) I decided to quit because MySQL server 5.5 never wanted to install (even with 512 MB of RAM, so probably because of the old kernel), and your VPS, even with 256 MB, installs it without problem. Also, is there a kernel per OS, or does the server run its own kernel which the VPS inherits (like OpenVZ)?
I saw that you use KVM, but which linux system do you run on your hypervisors?

We use Ubuntu on the hypervisors and the kernel is run through the hypervisor.

We are in the process of building and testing where we allow customers to run their own hypervisors.

Unlike OpenVZ, we are very up to date on the kernels because it increases stability and performance. With OpenVZ it's more paravirtualization and totally different from KVM or Xen, and how it's often sold is through over-provisioning, which increases the likelihood of problems as well.
Okay, thanks. I saw that my VPS runs 3.2.0-24-virtual. It runs on Ubuntu 12.04, and when I did a dist-upgrade I quickly saw 3.2.0-31-virtual. I said to myself, "the VPS lets me install a custom kernel? Interesting." So I loaded it, it installed without trouble, I updated GRUB to boot on 31, but 24 always loads anyway, even if 31 is set as default. But if you say that the kernel is run through your hypervisor, that's OK, and that's why the kernel will always be the one which is run on the server. Thanks.
We'll be making updates for this in the future but it is currently a small subset of power users that are upgrading systems and running their own kernels.

As that number grows we'll prioritize that higher up the queue, right now we are working on a few other elements that will benefit all users of DigitalOcean.

But you can always up-vote the features that you are most interested in by logging into the Control Panel and clicking on the "Feedback" icon.

Build iPXE with DOWNLOAD_PROTO_HTTPS defined. You can then use dnsmasq or the like on a private interface to allow the user to boot anything.

Having a "virtual machine" implies exactly that--a machine. Your service is stellar overall. Please don't continue to cripple it by not providing this critical feature.
That's an interesting suggestion we'll have to look into that.

It is on our roadmap to give more power to the users but while we are still building things out it makes it easier for us to troubleshoot issues when we provide a few less choices or things that can be configured.

But it is on the roadmap, so it's just a question of when, not if and a lot of that depends on what customers rate as the priority using the feedback voting system because we listen to that as closely as we can to guide our development.
I did exactly what the OP did... and I'm still seeing even if I dist-upgrade(d) to last and edited /boot/grub/menu.lst accordingly. No change after six months?

So, if I understand it correctly, these droplets are sold like KVM but behave like OpenVZ: I have no control over the kernel. This is quite a limitation!! I created the droplet with the default kernel but I thought, "no problem, even if it's quite old, I can upgrade it whenever I deem it feasible". But now I'm stuck to... to what? I mean, if you've not updated images for NEW droplets in six months, I must change how I intended to use DigitalOcean, from "let's see if I can bend this at will and use it in production" to "OK, if I continue using it, remember it must be only for testing".
I agree: I just discovered this, and as a new customer, I'm pretty disappointed.
This is a big deal. For example, there is a local root exploit that became public recently, and affects a HUGE number of kernels - including CentOS 6.4 ( Yet, I can't upgrade my kernel without talking to you?

So if someone finds any flaw in anything running on my droplet, and/or manages to get user-level access - they can immediately get root until the kernel is upgraded. That's really not good.

You can update the kernel on your droplet from the Settings tab so you're always up to date on security patches.
@jshanley: the Settings tab doesn't allow me to update to the latest Ubuntu 12.04 LTS 32-bit kernel (you have 3.2.0-24, apt has 3.2.0-44). I see .44 on the 64-bit version of 12.04; does that mean only the 64-bit version is supported?
@bbulzak we'll be updating the kernels regularly so the 3.2.0-44 kernel should be available soon.
Updated kernels are in the settings selection of the droplet menu and base OS distros have also been updated.

I have updated my Ubuntu 12.04.02 and there is a new kernel --> /boot/vmlinuz-3.2.0-51-virtual

How can I activate it? It doesn't appear in the Settings tab.

Unfortunately you cannot use a kernel that is not present in the Kernels dropdown in the Settings tab. We update the kernels periodically so it should be there in a couple of weeks.
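The situation described in this thread (apt or yum installs a newer kernel under /boot, but the droplet keeps booting the hypervisor-selected one) is easy to miss because the package manager reports success. The following is an added example, not code from the thread or from DigitalOcean: a small POSIX sh check that compares the running kernel version with the newest kernel image present under /boot, for Ubuntu-style (3.2.0-51-virtual) and CentOS-style (2.6.32-358.14.1.el6.i686) version strings. The helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not DigitalOcean tooling): detect a droplet whose package
# manager installed a newer kernel than the one actually running.

# kernel_version_key: turn a kernel release string into a zero-padded,
# lexically sortable key built from its first six numeric components, e.g.
# "3.2.0-51-virtual" -> "0003.0002.0000.0051.0000.0000". Non-numeric
# fields such as "virtual" or "el6" become 0, which is what we want.
kernel_version_key() {
    printf '%s\n' "$1" | awk -F'[.-]' \
        '{ printf "%04d.%04d.%04d.%04d.%04d.%04d\n", $1, $2, $3, $4, $5, $6 }'
}

# newest_installed_kernel VERSION...: print the highest version among the
# arguments (typically the names of /boot/vmlinuz-* with the prefix stripped).
newest_installed_kernel() {
    for v in "$@"; do
        printf '%s %s\n' "$(kernel_version_key "$v")" "$v"
    done | LC_ALL=C sort | tail -n 1 | cut -d' ' -f2-
}

# kernel_is_current RUNNING INSTALLED...: return 0 when the running kernel is
# the newest one installed under /boot, 1 when a newer image is installed but
# not booted (the symptom reported in this thread).
kernel_is_current() {
    running=$1; shift
    newest=$(newest_installed_kernel "$@")
    if [ "$(kernel_version_key "$running")" = "$(kernel_version_key "$newest")" ]; then
        echo "OK: running $running is the newest installed kernel"
        return 0
    fi
    echo "STALE: running $running, but $newest is installed and not booted"
    return 1
}

# Demo on constructed values mirroring the thread (24 booted, 31 installed).
# On a real droplet run instead:
#   kernel_is_current "$(uname -r)" $(ls /boot/vmlinuz-* | sed 's#.*/vmlinuz-##')
kernel_is_current "3.2.0-24-virtual" "3.2.0-24-virtual" "3.2.0-31-virtual" || true
```

A non-zero exit status from kernel_is_current is a convenient hook for a cron job or monitoring check, since on these droplets the fix is selecting the kernel in the control panel rather than rebooting.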
How long until CentOS 6.4 kernels are updated? The latest kernel through yum is kernel-2.6.32-358.14.1.el6.i686, but this is not available in the Kernels dropdown.
Why can't I run my own kernel? I thought that this was one of the advantages of KVM.
@Ian: Unfortunately it is currently not possible due to how our platform works. We have an internal beta that we are working on; it'll hopefully be released for public beta access in the next few months.
Any update on this? Need to trial mptcp and I guess I still have to go elsewhere to install a custom kernel?
I've been hearing "we will update the kernels soon" for 6 months now, and I'm still limited to using an ancient kernel on my CentOS systems.

Please realise that kernels are very much a moving target, and you should be making updated kernels available pretty well as soon as they're released. Not doing so has huge security implications.
I completely agree with Alex... the CentOS kernel has a few critical vulnerabilities.
On Ubuntu 12.04 LTS there are a few pretty serious upgrades out there waiting too.

This is really disappointing and troubling at the same time.
I've just seen this thread after wasting an afternoon trying to work out why I couldn't get our kernels to update from yum :/ I hadn't even realised we couldn't till now, just assumed that as DO run KVM we should be OK.

This is a biggie guys - I entirely agree with the views expressed above. Saying "we're going to do it" for 6 months is pretty poor customer relations - can you at least give an updated ETA and explanation of where the problems are?

I do appreciate that you are at least keeping your Kernel list pretty current, for CentOS anyway - I also use other providers who don't which is a *real* nightmare. However, it is still a pain (and a potential way to expose vulnerabilities) to have to remember, check and manually update all VMs periodically. It would really be good to have direct control for messing with non-standard kernels, and ideally also automatically just through yum's updates - is that the plan?

After making the case to a client to start using DigitalOcean, I'm embarrassed to discover that providing the latest kernels to users isn't much of a priority. Indeed, as Colin stated earlier, 'this is a biggie guys'.

This is mind blowing. We can't update kernels on our own? A patched kernel should be deployed within hours of a vulnerability - not weeks or months.

This is possibly the largest oversight of any vendor I've ever seen. Even no-named web hosts have this capability. Good luck when millions of droplets fall victim to a kernel exploit only to find out DigitalOcean isn't concerned about patching kernels.

Bad news for your lawyers, too. You've documented that you know about this issue and you're not prioritizing it. It's been two years since this has been made public but still no movement.

My business is adding several servers a month - they will no longer be at DigitalOcean. Anyone at least slightly concerned with security should be removing their DigitalOcean servers immediately. With two CentOS kernel exploits just in the past two weeks, it's completely unacceptable to rely on your platform to patch it when there are several already working alternatives provided by CentOS itself.

Again - my mind is blown....

I too tried to follow the procedure at but was unable to upgrade the kernel after going from Debian wheezy to jessie. I don't know if it's something I'm doing wrong, or if it's simply not supported.

I'd like to add my voice to the chorus of disappointment here. I'm concerned, even more generally, at DO's bootloading procedure. And since they have disabled access to iPXE (during the power up) -- which was working about a year ago -- DO users are further hobbled, not helped.

BTW, the disabling of iPXE for pxe boots happened within 3 days of a video hitting youtube which described how to pxe boot a droplet (Shane Spencer, "Digital Ocean: Droplet iPXE install of Debian Linux 7.0 Minimal",

I'm also disappointed at the way DO handles informing users of what is going on related to something they ask about on community or (formerly?) uservoice. It usually goes like this. Someone, like Moisey, will say on a discussion group that they plan to roll out an enhancement/fix for X in N months; N months go by, then someone (or more people) ask what is the status of the enhancement/fix; there is no response from DO; you go out and ask about it on, say, Twitter; no response or an evasive response. It gets tiring.

Any update on this issue? I am trying to install services that require a more recent kernel than the ancient one provided. It also isn't in the dropdown list. Please advise.
