Microarchitectural Data Sampling (MDS) Advisory: On 14 May 2019, Intel released a statement regarding Microarchitectural Data Sampling (MDS), a significant security vulnerability that affects cloud providers with multi-tenant environments, including DigitalOcean. In addition to the steps we are taking, which are described on our blog, we strongly recommend that you update your internal Droplet kernels to ensure you have the latest available bug fixes and security patches.
Your Droplet may use one of two different kernel management methods, depending on when you created it and what operating system it’s running: modern internally-managed kernels or legacy externally-managed kernels.
Modern, internally-managed kernels. DigitalOcean’s current backend infrastructure supports internal (i.e. inside the Droplet) kernel management. This allows for a simplified kernel upgrade process and integration with the server’s regular software management processes, so you can manage your kernel the same way you manage other packages.
Legacy kernels managed in the control panel. In the past, kernels were managed externally (i.e. outside of the Droplet, using the DigitalOcean Control Panel instead). Droplets with this legacy management system can use the special DigitalOcean GrubLoader kernel to allow them to boot into internally-installed kernels.
All Droplets created after March 2017 use internal kernels by default, and older Droplets can be configured to support internal kernels with the DigitalOcean GrubLoader kernel.
If you’re not sure whether your Droplet manages its kernels internally, visit its detail page in the control panel and click Kernel in the navigation. If the kernel management page has the following message, your Droplet is set to use internal kernels natively:
The kernel for this Droplet is not managed within the control panel. Instead, you can upgrade the kernel from within the Droplet.
If you see a Select a Kernel menu with a Change button and the following description instead, your Droplet is using legacy external kernel management:
This will update your configuration. Then power off the server from the command line and boot it from the control panel and the new kernel will be active. To revert, simply select ‘Original Kernel’ and follow the same process.
If your Droplet is using legacy kernel management, you can switch to the DigitalOcean GrubLoader kernel to support internal kernels.
If your Droplet uses external kernel management, switch to the GrubLoader by searching for “grub” in the search box. Select one of the resulting kernels and click the Change button.
Next, log in to your Droplet and power it off.
You must completely power off your Droplet to change to the GrubLoader kernel. Rebooting your Droplet will not change the kernel.
When the Droplet is powered down, return to the control panel. On the Droplet’s page, slide the Off button to On to power your Droplet back up.
Your Droplet will boot using the new GrubLoader kernel, and you will be able to use kernels installed from within the operating system itself.
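Once the Droplet is back up on an internally-managed kernel and you have installed updates, you can confirm from inside the Droplet that the running kernel is the newest installed one and what it reports about MDS. The script below is an added example, not part of DigitalOcean's instructions; it assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/mds, kernel images named /boot/vmlinuz-<version>, and a sort that supports -V (GNU coreutils).

```shell
#!/bin/sh
# Added example: post-upgrade check for the MDS advisory.
# Assumption: kernels carrying the MDS patches report their state here.
MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds

# Classify the kernel's one-line MDS status text.
classify_mds() {
    case "$1" in
        "Not affected"*)                            echo not-affected ;;
        "Mitigation:"*"SMT vulnerable"*)            echo mitigated-smt-exposed ;;
        "Mitigation:"*"SMT Host state unknown"*)    echo mitigated-smt-unknown ;;
        "Mitigation:"*)                             echo mitigated ;;
        "Vulnerable: Clear CPU buffers attempted"*) echo partial ;;  # no microcode
        "Vulnerable"*)                              echo vulnerable ;;
        *)                                          echo unknown ;;
    esac
}

# Print the highest kernel version that has an image in directory $1.
newest_installed_kernel() {
    for img in "$1"/vmlinuz-*; do
        if [ -e "$img" ]; then echo "${img##*/vmlinuz-}"; fi
    done | sort -V | tail -n 1
}

# Compare the running release ($1, from uname -r) with the images in $2.
# "mismatch" after an upgrade usually means the Droplet has not yet been
# booted into the new kernel.
kernel_state() {
    newest=$(newest_installed_kernel "$2")
    if [ -z "$newest" ]; then echo no-images
    elif [ "$1" = "$newest" ]; then echo current
    else echo "mismatch:$newest"
    fi
}

report() {
    status=""
    if [ -r "$MDS_FILE" ]; then status=$(cat "$MDS_FILE"); fi
    echo "mds:    $(classify_mds "$status") (${status:-no sysfs entry})"
    echo "kernel: $(kernel_state "$(uname -r)" /boot)"
}

report
```

A result of unknown with "no sysfs entry" means the running kernel does not report MDS state at all, which is what a kernel without the MDS patches looks like.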