Do you update kernels sometimes?

September 24, 2012 18.3k views
simonrainville
By:
simonrainville
Hello, the question is in the title. I'm asking this because in past (this summer), I had a VPS, based on openvz technology, and the kernel was terribly old (2.6.18) and I had Ubuntu 11.10 but I was unable to upgrade to 12.04 LTS directly because of the kernel. (I was able to bypass this by doing a "apt-add-repository ppa:izx/ovz-libc" but i searched a couple of hours). I decided to quit because mysql server 5.5 never wanted to install (even with 512 ram, so probably because of the old kernel), and your VPS, even with 256 mb, installs it without problem. Also, is there a kernel by OS or the server runs its own kernel and VPS inherits it (like openvz)?
Log In to Comment
28 Answers
simonrainville September 24, 2012
I saw that you use KVM, but which linux system do you run on your hypervisors?

Thanks
Reply
moisey MOD September 24, 2012
We use Ubuntu on the hypervisors and the kernel is run through the hypervisor.

We are in the process of building and testing where we allow customers to run their own hypervisors.

Unlike OpenVZ we are very up to date on the kernels because it increases stability and performance. With OpenVZ its more paravirtualization and totally different from KVM or Xen and how it's often sold is through over provisioning which increases the likelihood of problem as well.
Reply
simonrainville September 25, 2012
Okay thanks. I saw that my vps runs 3.2.0-24 virtual. It runs on ubuntu 12.04 and when i did a dist-upgrade, i quicly saw 3.2.0-31 virtual. I saw myself "the vps lets me to install a custom kernel? interesting" So I loaded it, it installed without trouble, I updated grub to boot on 31, but 24 loads always anyway, even if 31 is set as default, but if you say that the kernel is run through your hypervisor, thats ok, and thats why the kernel will always be the one which is run on the server. Thanks
Reply
moisey MOD September 25, 2012
We'll be making updates for this in the future but it is currently a small subset of power users that are upgrading systems and running their own kernels.

As that number grows we'll prioritize that higher up the queue, right now we are working on a few other elements that will benefit all users of DigitalOcean.

But you can always up-vote the features that you are most interested in by logging into the Control Panel and clicking on the "Feedback" icon.

Thanks
Reply
blair.sadewitz September 30, 2012
Build iPXE with DOWNLOAD_PROTO_HTTPS defined. You can then use dnsmasq or the like on a private interface to allow the user to boot anything.

Having a "virtual machine" implies exactly that--a machine. Your service is stellar overall. Please don't continue to cripple it by not providing this critical feature.
Reply
moisey MOD October 1, 2012
That's an interesting suggestion we'll have to look into that.

It is on our roadmap to give more power to the users but while we are still building things out it makes it easier for us to troubleshoot issues when we provide a few less choices or things that can be configured.

But it is on the roadmap, so it's just a question of when, not if and a lot of that depends on what customers rate as the priority using the feedback voting system because we listen to that as closely as we can to guide our development.
Reply
AndoWebsit.es April 14, 2013
I did exactly what the OP did... and I'm still seeing 3.2.0.24 even if I dist-upgrade(d) to last 3.2.0.40 and edited /boot/grub/menu.lst accordingly. No change after six months?

So, if I understand it correctly, these droplets are sold like KVM but behave like OpenVPS: I have no control over the kernel. This is quite a limitation !! I created the droplet with the default kernel but I thought, "no problem, even if it's quite old, I can upgrade it whenever I deem it feasible". But now I'm stuck to... to what? I mean, if you've not updated images for NEW droplets in six months, I must change how I intended to use digitalocean, from "let's see if I can bend this at will and use it in production" to "ok, if I continue using it, remember it must be only for testing".
Reply
dd April 24, 2013
I agree: I just discovered this, and as a new customer, I'm pretty disappointed.
Reply
jshanley May 19, 2013
This is a big deal. For example, there is a local root exploit that became public recently, and affects a HUGE number of kernels - including CentOS 6.4 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094). Yet, I can't upgrade my kernel without talking to you?

So if someone finds any flaw in anything running on my droplet, and/or manages to get user-level access - they can immediately get root until the kernel is upgraded. That's really not good.



Reply
kamaln7 MOD May 19, 2013
You can update the kernel on your droplet from the Settings tab so you're always up to date on security patches.
Reply
bbulzak May 27, 2013
@jshanley: the Settings tab doesn't allow me to update to the latest ubuntu 32 12.04 LTS kernel (you have 3.2.0-24, apt has 3.2.0-44). I see .44 on the 64bit version of 12.04, does that mean only the 64bit version is supported?
Reply
kamaln7 MOD May 28, 2013
@bbulzak we'll be updating the kernels regularly so the 3.2.0-44 kernel should be available soon.
Reply
moisey MOD May 29, 2013
Updated kernels are in the settings selection of the droplet menu and base OS distros have also been updated.

Thanks
Reply
serinmo July 30, 2013
I have updated my 12.04.02 ubuntu and there is a new kernel --> /boot/vmlinuz-3.2.0-51-virtual

How can I activate it?, in the settings tab it doesn't appear.

Thanks
Reply
kamaln7 MOD July 30, 2013
Unfortunately you cannot use a kernel that is not present in the Kernels dropdown in the Settings tab. We update the kernels periodically so it should be there in a couple of weeks.
Reply
travis103489 July 31, 2013
How long until CentOS 6.4 kernels are updated? The latest kernel through yum is kernel-2.6.32-358.14.1.el6.i686, but this is not available in the Kernels dropdown.
Reply
digitalocean124297 August 1, 2013
Why can't I run my own kernel? I thought that this was one of the advantages of KVM.
Reply
kamaln7 MOD August 2, 2013
@Ian: Unfortunately it is currently not possible due to how our platform works. We have an internal beta that we are working on, it'll hopefully released for public beta access in the next few months.
Reply
zac.wheeler October 3, 2013
Any update on this? Need to trial mptcp and I guess I still have to go elsewhere to install a custom kernel?
Reply
alepot October 22, 2013
I've been hearing "we will update the kernels soon" for 6 moths now, and I'm still limited to using an ancient kernel on my Centos systems.

Please realise that kernels are very much a moving target, and you should be making updated kernels available pretty well as soon as they're released. Not doing so has huge security implications.
Reply
dkhizhniak October 27, 2013
I'm completely agree with Alex... CentOS Kernel has a few critical vulnerabilities.
Reply
trevorlee.nc December 11, 2013
on ubuntu 12.04LTS there is a few pretty serious upgrades out there waiting too.

this is really disappointing and troubling at the same time.
Reply
system.administrator January 11, 2014
I've just seen this thread after wasting an afternoon trying to work out why I couldn't get our kernels to update from yum :/ I hadn't even realised we couldn't till now, just assumed that as DO run KVM we should be OK.

This is a biggie guys - I entirely agree with the views expressed above. Saying "we're going to do it" for 6 months is pretty poor customer relations - can you at least give an updated ETA and explanation of where the problems are?

I do appreciate that you are at least keeping your Kernel list pretty current, for CentOS anyway - I also use other providers who don't which is a *real* nightmare. However, it is still a pain (and a potential way to expose vulnerabilities) to have to remember, check and manually update all VMs periodically. It would really be good to have direct control for messing with non-standard kernels, and ideally also automatically just through yum's updates - is that the plan?

Reply
jon1 March 31, 2014
After making the case to a client to start using DigitalOcean, I'm embarrassed to discover that providing the latest kernels to users isn't much of a priority. Indeed, as Colin stated earlier, 'this is a biggie guys'.
Reply
info363675 June 29, 2014

This is mind blowing. We can't update kernels on our own? A patched kernel should be deployed within hours of a vulnerability - not weeks or months.

This is possibly the largest oversight of any vendor I've ever seen. Even no-named web hosts have this capability. Good luck when millions of droplets fall victim to a kernel exploit only to find out DigitalOcean isn't concerned about patching kernels.

Bad news for your lawyers, too. You've documented that you know about this issue and you're not prioritizing it. It's been two years since this has been made public but still no movement.

My business is adding several servers a month - they will no longer be at DigitalOcean. Anyone at least slightly concerned with security should be removing their DigitalOcean servers immediately. With two CentOS kernel exploits just in the past two weeks, it's completely unacceptable to rely on your platform to patch it when there are several already working alternatives provided by CentOS itself.

Again - my mind is blown....

Reply
robin482304 August 16, 2014

I too tried to follow to procedure at https://www.digitalocean.com/community/tutorials/how-to-update-a-digitalocean-server-s-kernel-using-the-control-panel but was unable to upgrade the kernel after going from debian wheezy to jessie. I don't know if it's something I'm doing wrong, or if it's simply not supported.

Reply
rick October 4, 2014

I'd like to add my voice to the chorus of disappointment here. I'm concerned, even more generally, at DO's bootloading procedure. And since they have disabled access to iPXE (during the power up) -- which was working about a year ago -- DO users are further hobbled, not helped.

BTW, the disabling of iPXE for pxe boots happened within 3 days of a video hitting youtube which described how to pxe boot a droplet (Shane Spencer, "Digital Ocean: Droplet iPXE install of Debian Linux 7.0 Minimal", https://www.youtube.com/watch?v=hd0Ln2jL8Lo).

I'm also disappointed at the way DO handles informing users of what is going on related to something they ask about on community or (formerly?) uservoice. It usually goes like this. Someone, like Moisey, will say on a discussion group that they plan to roll out an enhancement/fix for X in N months; N months go by, then someone (or more people) ask what is the status of the enhancement/fix; there is no response from DO; you go out and ask about it on, say, Twitter; no response or an evasive response. It gets tiring.

Reply
beanaroo November 7, 2015

Any update on this issue? I am trying to install services that require a more recent kernel than the ancient one provided. It also isn't in the dropdown list. Please advise.

Reply
Have another answer? Share your knowledge.