Questions tagged with Linux Provisioning
Linux aws ec2 and Ubuntu t2.micro instances failed to update and install any software
I launched two Linux EC2 t2.micro instances and one Ubuntu t2.micro instance today in the us-west-2 region. All three failed to either update the software or install java-11-openjdk. I sent the complaint to AWS and they just gave me a link to the AWS re:Post site. It was not my problem. I launched dozens of EC2 instances before and everything was OK. My home network was working fine. I was connected to the instances. The inbound and outbound security rules were set to accept HTTP traffic (TCP port 80 was open). ![I have attached a screenshot of the Ubuntu AWS EC2 instance, which failed to connect to archive.ubuntu.com:80 and cannot connect to security.ubuntu.com:80](/media/postImages/original/IMl_EasOC6QJa2I-sy1-bO5w)
No FreeType support in PHP 8.1 on Amazon Linux 2 / Elastic Beanstalk?
I have an Elastic Beanstalk app running on PHP 8.1. However, there is no FreeType support, even though I have both GD and libfreetype installed on the EC2 instances. All of the instructions I can find on the web say you have to recompile PHP with FreeType (--with-freetype) in order to turn it on. Obviously, I don't want to have an unsupported, hand-built PHP installation on EB if I can avoid it. That's the whole point of Elastic Beanstalk. Can anyone tell me how to add GD with FreeType support on PHP 8.1 on Amazon Linux 2 without having to recompile? Or, can anyone from AWS make sure it gets added to the EB images? This is a major missing feature. Thanks.
Why My EC2 Ubuntu Linux instance status showed "1/2 checks passed"? How to solve this issue?
I am using an EC2 Ubuntu 20.04 Linux instance (t2.micro). After 3/4 days, my instance status showed "1/2 checks passed". I have some small websites running on this instance. When this message appears, I am not able to access those websites. Currently, I reboot my instance each time, and after some time the status check shows "2/2 checks passed". Then I am able to access my websites. Rebooting every 3/4 days at regular intervals is very painful. Please help me to solve my issue.
Amazon Linux 2 - How can I know if a CVE has been patched?
Hi, my question is: how can we see what CVEs are patched? Where is it recorded if Amazon Linux has patched a particular CVE? There is the security centre here: https://alas.aws.amazon.com/alas2.html, however, that only lists the advisories as far as I can tell - it doesn't say what's patched and what isn't. Is it the case that if an item there shows that there are new packages, we can just assume it's patched in AL? Thanks in advance for any help.

**Context**

We've had a pen test conducted in our Elastic Beanstalk / Amazon Linux 2 environment. It flagged some potential common vulnerabilities and exposures (CVEs), a number of which turned out to be false positives as Amazon Linux maintains its own release of packages. We found that Nginx running in our environment was not version 1.20.0 - vulnerable to CVE-2021-23017, but was version 1.20.0, release 2.amzn.2.0.4 - which according to https://github.com/aws/elastic-beanstalk-roadmap/issues/221, has been patched against this vulnerability. Having the same version number for each seems like a recipe for disaster. It certainly cost me a few days' time trying to look into the issue.

```
[ec2-user@ip-x ~]$ yum info nginx
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
207 packages excluded due to repository priority protections
Installed Packages
Name        : nginx
Arch        : aarch64
Epoch       : 1
Version     : 1.20.0
Release     : 2.amzn2.0.4
Size        : 1.7 M
Repo        : installed
From repo   : amzn2extra-nginx1
```

I have a number of other CVEs for which I need to determine whether our Elastic Beanstalk environment is potentially compromised. If I can just look them up, it would be helpful.

```
OpenSSH <= 8.6 Command Injection Vulnerability                             CVE-2021-23017
Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSH, D(HE)ater)   CVE-2002-20001
nginx <= 1.21.1 Information Disclosure Vulnerability                       CVE-2013-0337
OpenSSH 6.2 <= 8.7 Privilege Escalation Vulnerability                      CVE-2021-41617
OpenBSD OpenSSH <= 7.9 Multiple Vulnerabilities                            CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111
OpenBSD OpenSSH Information Disclosure Vulnerability (CVE-2020-14145)      CVE-2020-14145
SSL/TLS: BREACH attack against HTTP compression                            CVE-2013-3587
OpenSSH 'auth2-gss.c' User Enumeration Vulnerability - Linux               CVE-2018-15919
OpenSSH 'sftp-server' Security Bypass Vulnerability (Linux)                CVE-2017-15906
OpenSSH < 7.8 User Enumeration Vulnerability - Linux                       CVE-2018-15473
OpenSSH Information Disclosure Vulnerability (CVE-2016-20012)              CVE-2016-20012
```
getting 502 bad gateway errors every time I turn on ec2 instance
I am currently building a web application on an EC2 instance. All of the code is stored within the server. When I type in the EC2 instance's IP address (184.108.40.206), I get a 502 bad gateway error. Although the server itself may have turned on, I still get a 502 bad gateway error because the code relies on a Python import called flask. To enable flask, I have to manually type in "sudo service nginx restart" and "sudo service gunicorn3 restart" within the /etc/nginx/sites-available directory. Once I type in those commands, the website works. Is there a way that I can enable these commands to run automatically every time I turn on the EC2 instance?
How do I stop credentials from changing every couple of hours?
Working on pushing docker images to an EC2 instance to train up machine learning algorithms and I need to access data on s3 during the training. My current credentials change every couple of hours and that makes it difficult to persist information within the docker containers.
AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys <username> SHA256:<long hex string> failed, status 22
We use Ubuntu 20.04 (`ami-0c8858c090152d291`) as the basis for a production ecommerce stack, and I need to move users around as part of a handover. In order to do this I am trying to ssh in to the instance using the original ami-configured instance user and AWS generated key, so I can move the user I normally log in as. This fails with the subject error in `/var/log/auth.log`. I have reconfirmed keys and user many times obviously.

This appears to be related to [AuthorizedKeysCommand fails on Ubuntu 20.04](https://github.com/widdix/aws-ec2-ssh/issues/157), which blames the package `ec2-instance-connect`. We keep instances up to date, so I suspect this package was installed as part of a post-install security update. The above-linked GitHub thread suggests:

```
# rm /usr/lib/systemd/system/ssh.service.d/ec2-instance-connect.conf
# systemctl daemon-reload
```

I have tried the above unsuccessfully. Even after removing `ec2-instance-connect.conf` and issuing either `systemctl daemon-reload` or `kill -s HUP <sshd pid>` the sshd process is *still* running using the `ec2-instance-connect.conf` settings:

```
sshd: /usr/sbin/sshd -D -o AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %u %f -o AuthorizedKeysCommandUser ec2-instance-connect [listener] 0 of 10-100 startups
```

For obvious reasons I am reluctant to tinker more extensively with the sshd configuration on a production server without hearing from the community. It seems rather questionable (to put it mildly) for a "security update package" to hijack the normal sshd auth process, especially with no well publicized info, only to come to light when I actually have to work on it. The package listing says

> Configures ssh daemon to accept EC2 Instance Connect ssh keys

but what it fails to add is "... and may disable other keys". We surely cannot be the first ones to encounter this problem??
Deregister the SLES15 SP1 Module for On Demand EC2 instance.
For one of our On Demand EC2 "r5.large" instances, which is currently hosting SLES15 SP1, we have activated a couple of SUSE Modules/Extensions which we are not able to deregister, as the error says: "SUSEConnect error: SUSE::Connect::UnsupportedOperation: De-registration is disabled for on-demand instances. Use `registercloudguest --clean` instead." Please guide us on how we can deregister them for an On Demand EC2 instance.