Security Updates

[hendr1x]

Hello everyone,
I'm trying to learn about proper security procedure with proxmox. On my current server :

root@server:~# hostnamectl
Operating System: Debian GNU/Linux 12 (bookworm)
          Kernel: Linux 6.2.16-8-pve
    Architecture: x86-64

It seem's 6.2.16 had gone EOL one year ago...which was before I installed/setup the machine using the standard proxmox image install. Did I do something wrong? Is there some sort special way I need to update/upgrade? I have been doing it on occasion and it didn't change anything. Lastly, how am I suppose to know which CVE's are patched on the distro?

Thanks for any help you can provide.

 

[leesteken]

Is there some sort special way I need to update/upgrade? I have been doing it on occasion and it didn't change anything.

Make sure to setup the Proxmox no-subscription repository (instead of the enterprise repository) if you don't have a support subscription: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_package_repositories
And then use the normal upgrade procedure (regularly): https://pve.proxmox.com/pve-docs/pve-admin-guide.html#system_software_updates

 

[LnxBil]

Lastly, how am I suppose to know which CVE's are patched on the distro?

Subscribe to debian-security mailinglist and/or install apt-listchanges.

 

[hendr1x]

I am currently setup running the no-subscription repo. And I do the normal apt update/upgrade. However this doesn't upgrade the kernel right? I'm not sure what is required for that.

Also, 6.2.16 is not getting patched any longer so I'm not clear how that is going to help.

Thanks for your help, I appreciate it.

 

[leesteken]

I am currently setup running the no-subscription repo. And I do the normal apt update/upgrade. However this doesn't upgrade the kernel right? I'm not sure what is required for that.

Did you reboot after and dist-ugprade?

Also, 6.2.16 is not getting patched any longer so I'm not clear how that is going to help.

You should move over to 6.5 as quickly as you can to get security fixes.

What are the outputs of apt update and apt dist-upgrade and pveversion -v ?

 

[hendr1x]

Rebooting is not currently part of my process. I can make it happen but that requires downtime of course and critical things are running on this server. I have never run dist-upgrade...I didn't even know about it honestly.

To answer your questions :

root@server:~# apt update
Hit:1 http://security.debian.org bookworm-security InRelease
Hit:2 http://ftp.us.debian.org/debian bookworm InRelease
Hit:3 http://download.proxmox.com/debian/pve bookworm InRelease
Hit:4 http://download.proxmox.com/debian/ceph-quincy bookworm InRelease
Get:5 http://ftp.us.debian.org/debian bookworm-updates InRelease [55.4 kB]
Fetched 55.4 kB in 1s (97.6 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
169 packages can be upgraded. Run 'apt list --upgradable' to see them.

root@server:~# apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  fonts-font-logos libnet-subnet-perl libpve-network-perl libpve-notify-perl libsocket6-perl proxmox-kernel-6.2.16-20-pve
  proxmox-kernel-6.5 proxmox-kernel-6.5.13-3-pve-signed proxmox-termproxy pve-edk2-firmware-legacy pve-edk2-firmware-ovmf
  pve-esxi-import-tools python3-pyvmomi
The following packages will be upgraded:
  base-files bind9-dnsutils bind9-host bind9-libs bsdextrautils bsdutils ceph-common ceph-fuse curl dbus dbus-bin dbus-daemon
  dbus-session-bus-common dbus-system-bus-common debian-archive-keyring debianutils distro-info-data eject fdisk gnutls-bin grub-common
  grub-efi-amd64-bin grub-pc grub-pc-bin grub2-common gtk-update-icon-cache ifupdown2 inetutils-telnet krb5-locales libblkid1 libc-bin
  libc-dev-bin libc-devtools libc-l10n libc6 libc6-dev libcephfs2 libcryptsetup12 libcups2 libcurl3-gnutls libcurl4 libdbus-1-3
  libde265-0 libfdisk1 libgnutls-dane0 libgnutls30 libgnutlsxx30 libgssapi-krb5-2 libisl23 libk5crypto3 libknet1 libkrb5-3
  libkrb5support0 libldb2 libmariadb3 libmount1 libnftables1 libnghttp2-14 libnozzle1 libnss-systemd libnvpair3linux libpam-modules
  libpam-modules-bin libpam-runtime libpam-systemd libpam0g libperl5.36 libpq5 libproxmox-acme-perl libproxmox-acme-plugins
  libproxmox-backup-qemu0 libproxmox-rs-perl libpve-access-control libpve-apiclient-perl libpve-cluster-api-perl libpve-cluster-perl
  libpve-common-perl libpve-guest-common-perl libpve-http-server-perl libpve-rs-perl libpve-storage-perl librados2 librados2-perl
  libradosstriper1 librbd1 librgw2 librsvg2-2 librsvg2-common libsmartcols1 libsmbclient libssl3 libsystemd-shared libsystemd0 libtiff6
  libudev1 libunbound8 libuuid1 libuutil3linux libuv1 libwbclient0 libwebp7 libx11-6 libx11-data libx11-xcb1 libxpm4 libzfs4linux
  libzpool5linux linux-libc-dev locales lxcfs mariadb-common mount nftables novnc-pve openssh-client openssh-server openssh-sftp-server
  openssl perl perl-base perl-modules-5.36 postfix proxmox-backup-client proxmox-backup-file-restore proxmox-backup-restore-image
  proxmox-default-kernel proxmox-kernel-6.2 proxmox-kernel-helper proxmox-mail-forward proxmox-ve proxmox-widget-toolkit pve-cluster
  pve-container pve-docs pve-edk2-firmware pve-firmware pve-ha-manager pve-i18n pve-manager pve-qemu-kvm pve-xtermjs
  python3-ceph-argparse python3-ceph-common python3-cephfs python3-rados python3-rbd python3-rgw python3-winrm qemu-server samba-common
  samba-libs smbclient spl ssh systemd systemd-boot systemd-boot-efi systemd-sysv systemd-timesyncd tar tzdata udev usbutils usrmerge
  util-linux util-linux-extra zfs-initramfs zfs-zed zfsutils-linux
169 upgraded, 13 newly installed, 0 to remove and 0 not upgraded.
Need to get 528 MB of archives.
After this operation, 924 MB of additional disk space will be used.
Do you want to continue? [Y/n]

root@server:~# pveversion -v
proxmox-ve: 8.0.2 (running kernel: 6.2.16-8-pve)
pve-manager: 8.0.4 (running version: 8.0.4/d258a813cfa6b390)
pve-kernel-6.2: 8.0.5
proxmox-kernel-helper: 8.0.3
proxmox-kernel-6.2.16-8-pve: 6.2.16-8
proxmox-kernel-6.2: 6.2.16-8
proxmox-kernel-6.2.16-6-pve: 6.2.16-7
pve-kernel-6.2.16-3-pve: 6.2.16-3
ceph-fuse: 17.2.6-pve1+3
corosync: 3.1.7-pve3
criu: 3.17.1-2
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-4
libknet1: 1.25-pve1
libproxmox-acme-perl: 1.4.6
libproxmox-backup-qemu0: 1.4.0
libproxmox-rs-perl: 0.3.1
libpve-access-control: 8.0.4
libpve-apiclient-perl: 3.3.1
libpve-common-perl: 8.0.7
libpve-guest-common-perl: 5.0.4
libpve-http-server-perl: 5.0.4
libpve-rs-perl: 0.8.5
libpve-storage-perl: 8.0.2
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 5.0.2-4
lxcfs: 5.0.3-pve3
novnc-pve: 1.4.0-2
proxmox-backup-client: 3.0.2-1
proxmox-backup-file-restore: 3.0.2-1
proxmox-kernel-helper: 8.0.3
proxmox-mail-forward: 0.2.0
proxmox-mini-journalreader: 1.4.0
proxmox-widget-toolkit: 4.0.6
pve-cluster: 8.0.3
pve-container: 5.0.4
pve-docs: 8.0.4
pve-edk2-firmware: 3.20230228-4
pve-firewall: 5.0.3
pve-firmware: 3.7-1
pve-ha-manager: 4.0.2
pve-i18n: 3.0.5
pve-qemu-kvm: 8.0.2-4
pve-xtermjs: 4.16.0-3
qemu-server: 8.0.6
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.1.12-pve1

Thanks again.

 

[Dunuin]

Without rebooting your PVE won't use the new kernels. And you also should shutdown and start your VMs/LXCs from time to time or otherwise they won't use newer LXC/QEMU versions.
If the services are critical you should think about running a cluster so you could live migrate those critical VMs to another node to be able to reboot it without any downtime.

 

[leesteken]

I have never run dist-upgrade...I didn't even know about it honestly.

I did provide a link to this in the manual: https://forum.proxmox.com/threads/security-updates.144659/post-651255

169 packages can be upgraded. Run 'apt list --upgradable' to see them.

Looks like you never updated your Proxmox. The manual tells you how to do it or to use the Proxmox web GUI.

 

[hendr1x]

I haven't updated in a while but I have updated many times. I don't know when I've rebooted last...I know its happened but I never did it unless I had to.

Ok, so it sounds like I need to setup a routine when I update, upgrade, dist-upgrade and reboot. I will also sign up for security notifications from debian. Does this sound like the correct approach?

Thanks for taking your time explaining this.

 

[leesteken]

I haven't updated in a while but I have updated many times. I don't know when I've rebooted last...I know its happened but I never did it unless I had to.

Looks like quite a while. Proxmox 8.1 was released last November. Maybe keep an eye on sticky threads of this sub-forum or the announcements.

Ok, so it sounds like I need to setup a routine when I update, upgrade, dist-upgrade and reboot. I will also sign up for security notifications from debian. Does this sound like the correct approach?

Never run apt upgrade on Proxmox and it is also not needed when you run apt dist-upgrade. Or just use the buttons on the Proxmox web GUI (Refresh and then Upgrade under Updates on each node).

 

[hendr1x]

I prefer to do things via cli. So no need to run apt upgrade..., just apt update and apt dist-upgrade, then reboot. That will take care of proxmox. For the VMs (all are running Debian bookworm)..is the same rules?

 

[Dunuin]

I prefer to do things via cli. So no need to run apt upgrade..., just apt update and apt dist-upgrade, then reboot. That will take care of proxmox. For the VMs (all are running Debian bookworm)..is the same rules?

Yes.
And there is also the unattended-upgrades package so security patches will be installed automatically. Helps to keep the VMs secure but I personally don't like to use that for the PVE host as it is way harder to backup/restore the PVE than a VM in case something might go wrong.

 

[hendr1x]

Ok. So glad I asked I about this important stuff. Thanks again...I've got some work to do

 

[hendr1x]

Ok...so seems like that work flow does not upgrade the kernel? I am inside a VM that has run all commands and rebooted twice yet it is still running an old kernel.

root@server:~# hostnamectl
Virtualization: kvm
Operating System: Debian GNU/Linux 12 (bookworm)
Kernel: Linux 6.1.0-18-amd64
Architecture: x86-64
Hardware Vendor: QEMU
Hardware Model: Standard PC _i440FX + PIIX, 1996_
Firmware Version: rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org

Old data you asked for :

root@server:~# apt update
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Hit:4 https://repo.nordvpn.com//deb/nordvpn/debian stable InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

root@server:~# apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Quick reading @ https://wiki.debian.org/HowToUpgradeKernel

Says I need to run ' apt install linux-image-bookworm'. Is this correct?

 

[hendr1x]

Also...I'm asssuming running apt autoclean, autoremove and purge is a recommended?

 

[leesteken]

Ok...so seems like that work flow does not upgrade the kernel? I am inside a VM that has run all commands and rebooted twice yet it is still running an old kernel.

root@server:~# hostnamectl
Virtualization: kvm
Operating System: Debian GNU/Linux 12 (bookworm)
Kernel: Linux 6.1.0-18-amd64
Architecture: x86-64
Hardware Vendor: QEMU
Hardware Model: Standard PC _i440FX + PIIX, 1996_
Firmware Version: rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org

Old data you asked for :

root@server:~# apt update
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Hit:4 https://repo.nordvpn.com//deb/nordvpn/debian stable InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

root@server:~# apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Quick reading @ https://wiki.debian.org/HowToUpgradeKernel

Says I need to run ' apt install linux-image-bookworm'. Is this correct?

Proxmox is based on Debian but uses they own kernels based on Ubuntu's, so not all Debian systems need to be on the same kernel version.
My Debian 12 (containers) are still on kernel 5.15 and not 6.1. Did you install a newer kernel yourself?
But since there are no updates, I assume everything is fine and you don't need to do anything.

EDIT: Silly me: the Debian containers share the kernel with the Proxmox host (which is still 7.4).

 

[Dunuin]

Kernel: Linux 6.1.0-18-amd64

Thats the latest Debian 12 kernel unless you run some testing repos (same kernel as the Debian 12 VM I installed an hour ago).

 

[hendr1x]

I didn't install any kernel's myself. However I'm not running any containers...only VMs.

Thats the latest Debian 12 kernel unless you run some testing repos (same kernel as the Debian 12 VM I installed an hour ago).

Ah ok...I saw this chart and assumed Debian was running a higher version : https://en.wikipedia.org/wiki/Linux_kernel_version_history

Can I just squeeze in that last question about apt autoclean, autoremove and purge? I assume that is good practice?

Thank you!

 

[Dunuin]

I always run apt autoremove after every upgrade. Otherwise you might run into problems and upgrades might fail because your small ESP is running out of space when old kernels will never be removed.