Rebooting ThousandEyes Appliances for Spectre and Meltdown mitigation

Last updated: Sat Sep 08 22:19:42 GMT 2018

Normally, ThousandEyes Appliances automatically download and install required Ubuntu Linux software updates without requiring user interaction. However, remediation of the Meltdown and Spectre Version 1 and 2 vulnerabilities requires the installation of a new Linux kernel. To install a new kernel, a reboot must be performed by the user. Rebooting should install the latest kernel that has been downloaded by the automatic package update process run periodically by all Enterprise Agents.

This article provides instructions to check an Appliance's kernel version, and to reboot the Appliance if the kernel version is below the kernel version with mitigations for Meltdown and Spectre. Both the Virtual Appliance and the Physical Appliance can be rebooted from their web console or from a command line. Additionally, the Virtual Appliance can be rebooted by the hypervisor which runs the virtual machine.

Verification

Linux kernel versions are numbered, and the information below indicates the version numbers of kernels which contain mitigations for the Meltdown and Spectre vulnerabilities. Users may check their kernel version prior to rebooting, or simply reboot, and then check the kernel version to ensure that the correct kernel is running.

Determining the version of an Appliance's kernel must be done via the command line. The following Knowledge Base articles provide instructions for SSH logins from Windows and from Mac or Linux clients:

Once logged in via SSH, run the command lsb_release -c to identify which release of Ubuntu Linux the Appliance is running (codename "trusty" or "xenial"):

thousandeyes@teva-meltdown:~$ lsb_release -c
Codename:    xenial

For the given release of Ubuntu Linux, run uname -r to check the version of the running kernel:

thousandeyes@teva-meltdown:~$ uname -r
4.4.0-109-generic

For the Ubuntu codename of your Appliance, compare the running kernel's version to the mitigated kernel version using the table below. Appliances with a kernel version below the mitigated version will require a reboot:

Ubuntu Codename (from lsb_release -c)    Mitigated Kernel Version
Trusty                                   3.13.0-143-generic
Xenial                                   4.4.0-116-generic

For the example output above, the Xenial-based Virtual Appliance has a running kernel with version 4.4.0-109, which is less than version 4.4.0-116. This Appliance requires a reboot.

If the running kernel version is at or above the mitigated kernel version, then a reboot has already occurred, or the Appliance was installed with a mitigated kernel.

Rebooting

To reboot your Virtual or Physical Appliance from a Web Console, command line or via hypervisor (Virtual Appliance only), select the instructions in the appropriate section below. After rebooting, use the steps in the Verification section above to confirm that the running kernel version is a mitigated kernel.

Web Console

To reboot via the Web Console:

  1. In a browser such as Chrome, navigate to http://<Agent IP>
  2. Provide the username and password, and click the Log In button. Consult the Knowledge Base article Password reset on the Virtual Appliance if needed.
  3. Click the Reboot button at the top of the page
     

Command line

To reboot via the command line, log in to the Appliance via SSH. The following Knowledge Base articles provide instructions for SSH logins from Windows and from Mac or Linux clients:

Once logged in via SSH, run the command sudo reboot:

thousandeyes@teva-meltdown:~$ sudo reboot

Hypervisor

To reboot via the hypervisor running the Appliance in a virtual machine, consult your hypervisor administrator or the hypervisor documentation on restarting virtual machines.

Troubleshooting

After rebooting, if the verification steps show that a mitigated kernel is not running, then run the command below to determine whether a mitigated kernel has been downloaded to the system:
 
thousandeyes@teva-meltdown:~$ apt list --installed 2> /dev/null | grep -E 'linux-image-[0-9]+'

linux-image-4.4.0-112-generic/xenial-updates,xenial-security,now 4.4.0-112.135 amd64 [installed,automatic]
linux-image-4.4.0-116-generic/xenial-updates,xenial-security,now 4.4.0-116.140 amd64 [installed,automatic]

 
Security updates are managed by the unattended-upgrades program, which is run periodically as a "cron" job. unattended-upgrades will load kernels that include security patches. If you do not have the correct kernel version downloaded, please reach out to Customer Success at support@thousandeyes.com or use the Live Chat feature of the ThousandEyes app.
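
The comparison in the Verification section and the installed-kernel check in the Troubleshooting section can be scripted together. The following is an added example, not ThousandEyes code: the function names and status strings are assumptions, and the mitigated versions are the two listed in the table in this article.

```shell
#!/bin/sh
# Added example, not ThousandEyes code. Function names and status strings
# are illustrative; mitigated versions come from the article's table.
mitigated_for() {
    case "$1" in
        trusty) echo "3.13.0-143-generic" ;;
        xenial) echo "4.4.0-116-generic" ;;
        *) return 1 ;;
    esac
}

# kernel_ge A B: status 0 if release A >= B, 1 if lower, 2 if unparsable.
# Fields are compared as numbers, so 4.13.0 ranks above 4.4.0.
kernel_ge() {
    a=${1%%-[a-z]*}; b=${2%%-[a-z]*}      # drop flavour: 4.4.0-109
    case "$a$b" in *[!0-9.-]*) return 2 ;; esac
    old_ifs=$IFS; IFS='.-'; set -- $a $b; IFS=$old_ifs
    [ $# -eq 8 ] || return 2
    if [ "$1" -ne "$5" ]; then [ "$1" -gt "$5" ]; return; fi
    if [ "$2" -ne "$6" ]; then [ "$2" -gt "$6" ]; return; fi
    if [ "$3" -ne "$7" ]; then [ "$3" -gt "$7" ]; return; fi
    [ "$4" -ge "$8" ]
}

# appliance_status CODENAME RUNNING_KERNEL, with `apt list --installed`
# output on stdin. Prints one of:
#   mitigated        running kernel is at or above the mitigated version
#   reboot-pending   a mitigated kernel is installed but not yet booted
#   update-missing   no mitigated kernel has been downloaded
#   unknown-release  codename is not in the article's table
appliance_status() {
    want=$(mitigated_for "$1") || { echo unknown-release; return; }
    if kernel_ge "$2" "$want"; then echo mitigated; return; fi
    # Package lines look like: linux-image-4.4.0-116-generic/xenial-... [installed,...]
    for rel in $(sed -n 's|^linux-image-\([0-9][^/]*\)/.*\[installed.*|\1|p'); do
        if kernel_ge "$rel" "$want"; then echo reboot-pending; return; fi
    done
    echo update-missing
}

# On an Appliance:
#   apt list --installed 2>/dev/null |
#       appliance_status "$(lsb_release -cs)" "$(uname -r)"
```

A result of reboot-pending corresponds to the article's example (running 4.4.0-109 with 4.4.0-116 installed); update-missing is the case in which the article directs you to contact support.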