RulerOf/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Amazon Linux 2 on Lightsail, Bare Minimum Setup

The idea here is to give a set of "common sense" defaults for running Amazon Linux 2 on Lightsail. These defaults include:

Automatic Updates
Live Kernel Patching
Automatic Reboots when Required by Updates

Usage

Either run the setup.sh file directly like this:
curl -fsSL https://gist.githubusercontent.com/RulerOf/5be53075c7d679c961a433ae0c258194/raw/setup.sh | sudo bash
Or copy/paste it directly into your terminal.
Or supply the yaml version as user-data to your instance. (This doesn't appear to work on Lightsail, but it would on EC2)

  
## setup.sh
#!/bin/bash
# Enable Live patching
yum install binutils yum-plugin-kernel-livepatch -y
yum kernel-livepatch enable -y
yum update kpatch-runtime -y
systemctl enable kpatch.service
systemctl start kpatch.service
amazon-linux-extras enable livepatch
# Auto-update software
yum install yum-cron -y; systemctl enable yum-cron
cat << "EOF" > /etc/yum/yum-cron.conf
[commands]
update_cmd = default
# update_cmd = security # Use this for production
update_messages = yes
download_updates = yes
apply_updates = yes
random_sleep = 0
EOF
systemctl start yum-cron
yum update --security -y
# Enable swap
MEMKB=$(egrep 'MemTotal:*' /proc/meminfo | egrep -o '[0-9]*')
MEM2X=$(expr $MEMKB \* 2)
fallocate -l ${MEM2X}K /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
grep swapfile /etc/fstab || echo /swapfile swap swap defaults 0 0 >> /etc/fstab
### Automatic Reboots ###
# Reboot script
cat << "EOF" > /usr/local/bin/reboot-if-necessary.sh
#!/bin/bash
if ! needs-restarting -r; then
  logger -s "updates" "YUM reports restart is required. Rebooting server."
  reboot now
fi
EOF
chmod +x /usr/local/bin/reboot-if-necessary.sh
# Reboot Unit
cat << "EOF" > /etc/systemd/system/reboot-if-necessary.service
[Unit]
Description=reboot-if-necessary

[Service]
Type=oneshot
ExecStart=/usr/local/bin/reboot-if-necessary.sh
WorkingDirectory=/tmp
EOF
# Reboot Timer
cat << "EOF" > /etc/systemd/system/reboot-if-necessary.timer
[Unit]
Description=reboot-if-necessary

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target
EOF
systemctl daemon-reload
systemctl enable reboot-if-necessary.timer
systemctl start reboot-if-necessary.timer

## setup.yml
#cloud-config
package_upgrade: true
runcmd:
  # Enable Live patching
  - yum install binutils yum-plugin-kernel-livepatch -y
  - yum kernel-livepatch enable -y
  - yum update kpatch-runtime -y
  - systemctl enable kpatch.service
  - amazon-linux-extras enable livepatch
  # Auto-update software
  - yum install yum-cron -y; systemctl enable yum-cron; systemctl start yum-cron
  - yum update -y
  # Enable swap
  - /usr/local/bin/enable-swap.sh
  # Automatic Reboots
  - systemctl daemon-reload
  - systemctl enable reboot-if-necessary.timer
  - systemctl start reboot-if-necessary.timer
write_files:
- path: /usr/local/bin/enable-swap.sh
  owner: root:root
  permissions: '0750'
  content: |
    #!/bin/bash
    MEMKB=$(egrep 'MemTotal:*' /proc/meminfo | egrep -o '[0-9]*')
    MEM2X=$(expr $MEMKB \* 2)
    fallocate -l ${MEM2X}K /swapfile
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile
    grep swapfile /etc/fstab || echo /swapfile swap swap defaults 0 0 >> /etc/fstab
- path: /etc/yum/yum-cron.conf
  owner: root:root
  permissions: '0644'
  content: |
    [commands]
    update_cmd = default
    # update_cmd = security # Use this for production
    update_messages = yes
    download_updates = yes
    apply_updates = yes
    random_sleep = 0
- path: /usr/local/bin/reboot-if-necessary.sh
  owner: root:root
  permissions: '0750'
  content: |
    #!/bin/bash
    if ! needs-restarting -r; then
      logger -s "updates" "YUM reports restart is required. Rebooting server."
      reboot now
    fi
- path: /etc/systemd/system/reboot-if-necessary.service
  owner: root:root
  permissions: '0644'
  content: |
    [Unit]
    Description=reboot-if-necessary

    [Service]
    Type=oneshot
    ExecStart=/usr/local/bin/reboot-if-necessary.sh
- path: /etc/systemd/system/reboot-if-necessary.timer
  owner: root:root
  permissions: '0644'
  content: |
    [Unit]
    Description=reboot-if-necessary

    [Timer]
    OnCalendar=daily
    Persistent=true

    [Install]
    WantedBy=timers.target
	#!/bin/bash
	# Enable Live patching
	yum install binutils yum-plugin-kernel-livepatch -y
	yum kernel-livepatch enable -y
	yum update kpatch-runtime -y
	systemctl enable kpatch.service
	systemctl start kpatch.service
	amazon-linux-extras enable livepatch
	# Auto-update software
	yum install yum-cron -y; systemctl enable yum-cron
	cat << "EOF" > /etc/yum/yum-cron.conf
	[commands]
	update_cmd = default
	# update_cmd = security # Use this for production
	update_messages = yes
	download_updates = yes
	apply_updates = yes
	random_sleep = 0
	EOF
	systemctl start yum-cron
	yum update --security -y
	# Enable swap
	MEMKB=$(egrep 'MemTotal:' /proc/meminfo \| egrep -o '[0-9]')
	MEM2X=$(expr $MEMKB \* 2)
	fallocate -l ${MEM2X}K /swapfile
	chmod 600 /swapfile
	mkswap /swapfile
	swapon /swapfile
	grep swapfile /etc/fstab \|\| echo /swapfile swap swap defaults 0 0 >> /etc/fstab
	### Automatic Reboots ###
	# Reboot script
	cat << "EOF" > /usr/local/bin/reboot-if-necessary.sh
	#!/bin/bash
	if ! needs-restarting -r; then
	logger -s "updates" "YUM reports restart is required. Rebooting server."
	reboot now
	fi
	EOF
	chmod +x /usr/local/bin/reboot-if-necessary.sh
	# Reboot Unit
	cat << "EOF" > /etc/systemd/system/reboot-if-necessary.service
	[Unit]
	Description=reboot-if-necessary

	[Service]
	Type=oneshot
	ExecStart=/usr/local/bin/reboot-if-necessary.sh
	WorkingDirectory=/tmp
	EOF
	# Reboot Timer
	cat << "EOF" > /etc/systemd/system/reboot-if-necessary.timer
	[Unit]
	Description=reboot-if-necessary

	[Timer]
	OnCalendar=daily
	Persistent=true

	[Install]
	WantedBy=timers.target
	EOF
	systemctl daemon-reload
	systemctl enable reboot-if-necessary.timer
	systemctl start reboot-if-necessary.timer
	#cloud-config
	package_upgrade: true
	runcmd:
	# Enable Live patching
	- yum install binutils yum-plugin-kernel-livepatch -y
	- yum kernel-livepatch enable -y
	- yum update kpatch-runtime -y
	- systemctl enable kpatch.service
	- amazon-linux-extras enable livepatch
	# Auto-update software
	- yum install yum-cron -y; systemctl enable yum-cron; systemctl start yum-cron
	- yum update -y
	# Enable swap
	- /usr/local/bin/enable-swap.sh
	# Automatic Reboots
	- systemctl daemon-reload
	- systemctl enable reboot-if-necessary.timer
	- systemctl start reboot-if-necessary.timer
	write_files:
	- path: /usr/local/bin/enable-swap.sh
	owner: root:root
	permissions: '0750'
	content: \|
	#!/bin/bash
	MEMKB=$(egrep 'MemTotal:' /proc/meminfo \| egrep -o '[0-9]')
	MEM2X=$(expr $MEMKB \* 2)
	fallocate -l ${MEM2X}K /swapfile
	chmod 600 /swapfile
	mkswap /swapfile
	swapon /swapfile
	grep swapfile /etc/fstab \|\| echo /swapfile swap swap defaults 0 0 >> /etc/fstab
	- path: /etc/yum/yum-cron.conf
	owner: root:root
	permissions: '0644'
	content: \|
	[commands]
	update_cmd = default
	# update_cmd = security # Use this for production
	update_messages = yes
	download_updates = yes
	apply_updates = yes
	random_sleep = 0
	- path: /usr/local/bin/reboot-if-necessary.sh
	owner: root:root
	permissions: '0750'
	content: \|
	#!/bin/bash
	if ! needs-restarting -r; then
	logger -s "updates" "YUM reports restart is required. Rebooting server."
	reboot now
	fi
	- path: /etc/systemd/system/reboot-if-necessary.service
	owner: root:root
	permissions: '0644'
	content: \|
	[Unit]
	Description=reboot-if-necessary

	[Service]
	Type=oneshot
	ExecStart=/usr/local/bin/reboot-if-necessary.sh
	- path: /etc/systemd/system/reboot-if-necessary.timer
	owner: root:root
	permissions: '0644'
	content: \|
	[Unit]
	Description=reboot-if-necessary

	[Timer]
	OnCalendar=daily
	Persistent=true

	[Install]
	WantedBy=timers.target