In this post, we will describe the steps you must take before you apply the updates (patch) to an already encrypted Azure IaaS RHEL VM using yum update or newly encrypted IaaS RHEL VM. Lets take a look at the below two scenarios:
A. Deploying new encrypted IaaS Red Hat VM in Azure and applying updates using yum updates
- Create a RHEL 7.3 VM from Azure gallery image
- Attach/mount data disks
- Encrypt all disks using the Azure disk encryption (ADE) supported scenarios and interfaces from ADE located here
- Reboot when ADE PS cmdlet Get-AzureRmVmDiskEncryptionStatus returns “VMRestartPending” (for OS disk encryption)
- Run the command “Yum update” on the VM (this should update both kernel and Dracut modules)
- Run the following 2 additional commands:
1. bash -c “set -e; patch -b -d /usr/lib/dracut/modules.d/90crypt -p1
</var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux-0.1.0.999297/main/oscrypto/rhel_72/encryptstates/../encryptpatches/rhel_72_dracut.patch”
2. /usr/sbin/dracut -I ntfs-3g -f -v –kver `grubby –default-kernel | sed ‘s|/boot/vmlinuz-||g’`
Step 6.2 will generate a new initramfs image corresponding to the new kernel version with the patched up version of Dracut module
7. Reboot the VM.
B. Applying updates using yum updates to existing (running) encrypted IaaS Red Hat VM in Azure
- Run the command “Yum update” on the VM (this should update both kernel and Dracut modules)
- Run the following 2 additional commands:
- bash -c “set -e; patch -b -d /usr/lib/dracut/modules.d/90crypt -p1 </var/lib/waagent/Microsoft.Azure.Security.AzureDiskEncryptionForLinux-0.1.0.999297/main/oscrypto/rhel_72/encryptstates/../encryptpatches/rhel_72_dracut.patch”
- /usr/sbin/dracut -I ntfs-3g -f -v –kver `grubby –default-kernel | sed ‘s|/boot/vmlinuz-||g’`
Step 2.2 will generate a new initramfs image corresponding to the new kernel version with the patched up version of Dracut modules
3. Reboot the VM.