14

I currently use Ubuntu with unattended-upgrades on all my EC2 instances, to keep any nasty holes closed, but when running apps via Elastic Beanstalk I can't see any option on how to handle patches to them. The only alternative is to manually log in to them and run yum.

How can I handle security patches on Elastic Beanstalk-instances?

starball
glance
  • This question is a bit old, but for anyone reading, with Beanstalk you should be using Chef, Puppet, Ansible, Salt or a similar CM so that the instances set themselves up on boot and keep themselves properly configured with fine-grained control. Of course, if you go that route you may as well use OpsWorks or bare EC2+CM. – MV. Oct 26 '15 at 21:45
  • The reason that you would use Beanstalk is to not need to run anything else. – glance Jan 11 '16 at 19:18
  • I agree with you. Yet, in our applications hosted using Beanstalk we set several cron jobs (using ebextensions) to do automated patching, backups, and log processing. However, automatic patching has always made me nervous (if it breaks, it will break all servers) and so for one very critical app I still do the patching manually (on this one the patching is only done on deploy, so I just redeploy). Beanstalk simplified most tasks for us (I like it very much), but it may still require some customization according to your needs. – MV. Jan 12 '16 at 02:40

2 Answers

12

We added the following to our .ebextensions/01run.config file to address this issue:

commands:
  security_updates: 
    command: "yum update -y --security"
Mike Carson
  • That would just deploy the security patches on instance startup, and not deploy patches released while the machines are running. I was hoping for something more like unattended-upgrades for the Amazon RHEL clone. – glance Nov 07 '13 at 13:13
  • Still, it runs when your instance is terminated and comes back up. There is an app called yum crontab that might help, it does nightly updates. – radtek Nov 27 '14 at 04:12
3

You could run the following using a nightly or hourly cron job.

sudo yum update --sec-severity=critical,important

Just think through how you will do rollback and notification in the event that a patch causes your application to fail.

Michael Connor
  • How well does Amazon QA their security patches before pushing them to their Amazon Linux repos? Does yum restart patched services when needed? Does it reboot the instance when needed? It feels to me like the whole security patching aspect of Elastic Beanstalk is just left out of Amazon's picture. – glance Aug 17 '14 at 13:09
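An added example, not taken from either answer or from AWS, that combines the two approaches above into one .ebextensions file: it applies pending security advisories when the instance launches (the first answer), installs a nightly cron job so instances that stay running keep receiving fixes (the second answer), logs every run, and records whether a reboot is pending, which is the part of the comment above that yum itself does not handle. It assumes a yum-based Amazon Linux platform and that the yum-utils package provides the needs-restarting tool; the file paths, log location and schedule are my own choices.

```yaml
# .ebextensions/02security-updates.config  (added example, not from the original answers)
# Assumes Amazon Linux (yum) and yum-utils; paths and schedule are illustrative.
packages:
  yum:
    yum-utils: []          # provides needs-restarting

files:
  "/usr/local/bin/apply-security-updates.sh":
    mode: "000755"
    owner: root
    group: root
    content: |
      #!/bin/bash
      # Apply pending security advisories, keep a log, and note whether a reboot is pending.
      # Usage: apply-security-updates.sh [--no-delay]
      LOG=/var/log/security-updates.log
      if [ "$1" != "--no-delay" ]; then
        # Stagger fleet members by up to 10 minutes so they do not all update at once
        sleep $((RANDOM % 600))
      fi
      {
        echo "=== $(date -u +%Y-%m-%dT%H:%M:%SZ) start"
        # Security advisories only; add --sec-severity=critical,important to narrow further
        yum update -y --security
        echo "yum exit status: $?"
        # needs-restarting -r (yum-utils) exits non-zero when a reboot is required
        if command -v needs-restarting >/dev/null 2>&1 && ! needs-restarting -r; then
          echo "REBOOT REQUIRED"
        fi
        echo "=== end"
      } >> "$LOG" 2>&1

  "/etc/cron.d/security-updates":
    mode: "000644"
    owner: root
    group: root
    content: |
      # Nightly at 03:17 UTC (cron.d format: minute hour dom month dow user command)
      17 3 * * * root /usr/local/bin/apply-security-updates.sh

commands:
  01_initial_security_updates:
    # Runs once at launch, after the files above exist; no stagger needed here
    command: "/usr/local/bin/apply-security-updates.sh --no-delay"
```

For the notification and rollback concerns raised above: ship /var/log/security-updates.log to your log aggregation (for example CloudWatch Logs) and alert on a non-zero "yum exit status" or on "REBOOT REQUIRED", and use yum history (yum history list, then yum history undo with the transaction id) to back out a transaction that breaks the application. Instances that need a reboot are best replaced through a normal deployment or by terminating them so the environment launches a fresh, fully patched one, rather than rebooted in place from cron.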