Microarchitectural Data Sampling (MDS) Advisory: On 14 May 2019, Intel released a statement regarding Microarchitectural Data Sampling (MDS), a significant security vulnerability that affects cloud providers with multi-tenant environments, including DigitalOcean. In addition to the steps we are taking described on our blog, we strongly recommend that you update your internal Droplet kernels to ensure you have the latest available bug fixes and security patches. You can verify that your Droplets are patched with the instructions here.
Before you can upgrade your Droplet’s kernel, you need to make sure your Droplet is using internal kernel management.
All Droplets created after March 2017 use internal kernels by default, and older Droplets can be configured to support internal kernels with the DigitalOcean GrubLoader kernel.
If you’re not sure whether your Droplet manages its kernels internally, visit its detail page in the control panel and click Kernel in the navigation. If the kernel management page has the following message, your Droplet is set to use internal kernels natively:
The kernel for this Droplet is not managed within the control panel. Instead, you can upgrade the kernel from within the Droplet.
If you see a Select a Kernel menu with a Change button and the following description instead, your Droplet is using legacy external kernel management:
This will update your configuration. Then power off the server from the command line and boot it from the control panel and the new kernel will be active. To revert, simply select ‘Original Kernel’ and follow the same process.
If your Droplet is using legacy kernel management, you can switch to the DigitalOcean GrubLoader kernel to support internal kernels.
Once your Droplet is using internal kernel management, you can upgrade its kernel.
Before upgrading your kernel, you can use the command uname -ir to get the version of the kernel that your Droplet is currently using and your system’s architecture (32-bit or 64-bit). The output will look similar to 3.13.0-43-generic x86_64. The first section (3.13.0-43-generic in this example) is your Droplet’s current kernel version and the second is its architecture (x86_64 in this example, i.e., 64-bit).
If you want to upgrade your Droplet to the latest kernel version, there are two ways to do it:
Update all packages. Applying all available package upgrades to your server will pull in the latest stable kernel if available.
Update kernel only. Targeting only the kernel for update will not modify any other packages on your server.
The commands you need to run for either option depend on your Droplet’s operating system:
|OS||Upgrade all packages||Upgrade kernel only|
To ensure data integrity, shut down your Droplet from the command line with this command:
Completely powering off the Droplet rather than just rebooting it ensures the Droplet receives the latest virtualization improvements from the hypervisor. To ensure the Droplet is able to take advantage of all updates after upgrading the kernel, it’s necessary to power off rather than reboot the Droplet.
Locate the Droplet on the Droplet page, click its name, and switch on the Droplet.
After your Droplet boots, you can use uname -ir again to confirm the new kernel version.
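Beyond comparing version strings, a patched Linux kernel reports its own MDS status under /sys/devices/system/cpu/vulnerabilities/mds. The script below is an added example, not DigitalOcean's own tooling: it reads that file and maps the result to the next step in the procedure above. The function names and verdict labels are made up for illustration, and mapping the "no microcode" status to the power-off step is an assumption based on the page's advice about the hypervisor.

```shell
#!/bin/sh
# Added example (not from the original page). Verdict names are hypothetical.
# Assumption: status strings follow the Linux kernel's documented MDS format.
MDS_SYSFS="${MDS_SYSFS:-/sys/devices/system/cpu/vulnerabilities/mds}"

# The kernel version is the first field of `uname -ir` output.
kernel_version() { printf '%s\n' "${1%% *}"; }

# Map one sysfs status line to a short verdict.
classify_mds() {
    case "$1" in
        "")                            echo no-report ;;     # file absent: kernel predates MDS reporting
        "Not affected"*)               echo not-affected ;;
        "Mitigation:"*)                echo mitigated ;;
        "Vulnerable:"*"no microcode"*) echo no-microcode ;;  # guest CPU lacks the buffer-clearing feature
        "Vulnerable"*)                 echo vulnerable ;;    # kernel is patched but mitigation is off
        *)                             echo unknown ;;
    esac
}

# Suggested next step per verdict, following the procedure on this page.
next_step() {
    case "$1" in
        mitigated|not-affected) echo "none" ;;
        # Assumption: on a Droplet the CPU feature is supplied by the hypervisor.
        no-microcode) echo "power off fully, then switch on from the control panel" ;;
        no-report)    echo "upgrade the kernel, then power off and switch on" ;;
        vulnerable)   echo "check the kernel command line for mds=off or mitigations=off" ;;
        *)            echo "inspect $MDS_SYSFS by hand" ;;
    esac
}

mds_report() {
    status=""
    [ -r "$MDS_SYSFS" ] && status=$(cat "$MDS_SYSFS")
    verdict=$(classify_mds "$status")
    echo "kernel:  $(kernel_version "$(uname -ir 2>/dev/null)")"
    echo "mds:     ${status:-<no sysfs entry>}"
    echo "verdict: $verdict"
    echo "next:    $(next_step "$verdict")"
    case "$status" in *"SMT Host state unknown"*)
        echo "note:    a guest cannot see the host's SMT setting" ;;
    esac
}

mds_report
```

Run it once before the upgrade and once after the power cycle; the verdict should move to mitigated or not-affected.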