# alinux-instance

Part of **ALINUX**

# Alibaba Cloud Linux Instance Management CLI Reference

## Command Overview

| Command | Purpose | Syntax |
|--------|---------|--------|
| `yum updateinfo` | List or inspect available security advisories | `yum updateinfo [list\|info <ID>]` |
| `yum check-update --security` | Check for pending security updates | `yum check-update --security [--sec-severity=<SEVS>]` |
| `yum upgrade --security` | Install security updates | `yum upgrade --security [--sec-severity=<SEVS>] [--cve=<CVEs>]` |
| `livepatch-mgr` | Manage kernel live patches | `livepatch-mgr [update\|list\|load\|unload\|sync\|remind] [flags]` |
| `docker pull` | Pull Alibaba Cloud Linux container images | `docker pull <registry>/<image>:<tag>` |
| `cat /proc/diskstats` | View raw disk I/O statistics | `cat /proc/diskstats` |
| `/usr/share/bcc/tools/alibiolatency` | Analyze block I/O latency | `alibiolatency [options]` |
| `echo > /sys/fs/cgroup/...` | Configure cgroup v1 resource controls | `echo <value> > /sys/fs/cgroup/<subsys>/<cgroup>/<file>` |

## Command Details

### yum updateinfo

**Purpose**: Query available security advisories and view details of specific updates.

**Syntax**:
```bash
yum updateinfo [list | info <update_id>] [--sec-severity=<SEVS>] [--cve=<CVEs>]
```

| Parameter | Short | Type | Required | Description |
|----------|-------|------|----------|-------------|
| `list` | — | string | Yes (mutually exclusive with `info`) | List all available security advisories |
| `info <update_id>` | — | string | Yes (mutually exclusive with `list`) | Show detailed information for a specific advisory ID |
| `--sec-severity` | — | string | No | Filter by severity levels: Critical, Important, Moderate, Low (comma-separated in braces) |
| `--cve` | — | string | No | Filter by one or more CVE IDs (comma-separated) |

```bash
# List all security advisories
yum updateinfo list

# Show details for a specific advisory
yum updateinfo info ALINUX3-SA-2021:0008

# List only Critical and Important advisories
yum updateinfo list --sec-severity={Critical,Important}
```

**Output Example**:
```text
===============================================================================
  ALINUX2-SA-2020:0005: nss, nss-softokn, nss-util security update (Important)
===============================================================================
  Update ID : ALINUX2-SA-2020:0005
    Release : Alibaba Cloud Linux 2.1903
       Type : security
     Status : stable
     Issued : 2020-01-03
       CVEs : CVE-2019-11729
            : CVE-2019-11745
   Severity : Important
updateinfo info done
```
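As an added example (not part of the original reference or of Alibaba Cloud's tooling), the shell functions below parse the `info` output format shown above into one pipe-delimited line per advisory, so the result can be filtered by severity or CVE. The function names and the second advisory in the sample are constructed for illustration.

```bash
# Flatten `yum updateinfo info` output to one line per advisory:
#   <update_id>|<severity>|<issued>|<cve,cve,...>
parse_updateinfo() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function flush() {
      if (id != "") print id "|" sev "|" issued "|" cves
      id = sev = issued = cves = last = ""
    }
    {
      # Split on the first colon only: advisory IDs contain a colon too.
      p = index($0, ":")
      if (p == 0) next
      key = trim(substr($0, 1, p - 1)); val = trim(substr($0, p + 1))
      # An empty label directly after "CVEs" continues the CVE list.
      if (key == "Update ID")     { flush(); id = val }
      else if (key == "Severity") sev = val
      else if (key == "Issued")   issued = val
      else if (key == "CVEs")     cves = val
      else if (key == "" && last == "CVEs") { cves = cves "," val; key = "CVEs" }
      last = key
    }
    END { flush() }
  '
}

# Keep only advisories rated Critical or Important.
urgent_only() { awk -F"|" '$2 == "Critical" || $2 == "Important"'; }

# Constructed sample: the first record is the output example above, the second
# is a made-up placeholder advisory (not a real ID or CVE).
sample_updateinfo() {
  cat <<'EOF'
  ALINUX2-SA-2020:0005: nss, nss-softokn, nss-util security update (Important)
  Update ID : ALINUX2-SA-2020:0005
    Release : Alibaba Cloud Linux 2.1903
     Issued : 2020-01-03
       CVEs : CVE-2019-11729
            : CVE-2019-11745
   Severity : Important
  Update ID : EXAMPLE-SA-0000:0001
     Issued : 2000-01-01
       CVEs : CVE-0000-0001
   Severity : Low
updateinfo info done
EOF
}

sample_updateinfo | parse_updateinfo | urgent_only
```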

### yum check-update --security

**Purpose**: Check for available security updates without installing them.

**Syntax**:
```bash
yum check-update --security [--sec-severity=<SEVS>]
```

| Parameter | Short | Type | Required | Description |
|----------|-------|------|----------|-------------|
| `--security` | — | boolean | Yes | Restrict to security-related updates |
| `--sec-severity` | — | string | No | Filter by severity (e.g., {Critical,Important}) |

```bash
# Check all security updates
yum check-update --security

# Check only Critical and Important updates
yum check-update --security --sec-severity={Critical,Important}
```

**Output Example**:
```text
49 package(s) needed for security, out of 183 available
```

### yum upgrade --security

**Purpose**: Install security updates matching specified criteria.

**Syntax**:
```bash
yum upgrade --security [--sec-severity=<SEVS>] [--cve=<CVEs>]
```

| Parameter | Short | Type | Required | Description |
|----------|-------|------|----------|-------------|
| `--security` | — | boolean | Yes | Apply only security updates |
| `--sec-severity` | — | string | No | Limit to specific severity levels |
| `--cve` | — | string | No | Install updates for specific CVEs |

```bash
# Install all security updates
sudo yum upgrade --security

# Install only Critical/Important updates
sudo yum upgrade --security --sec-severity={Critical,Important}

# Install updates for specific CVEs
sudo yum upgrade --cve=CVE-2020-24659,CVE-2019-11729
```

**Output Example**:
```text
Upgrade  30 Packages (+1 Dependent package)
Total download size: 91 M
Is this ok [y/d/N]:
```

### livepatch-mgr

**Purpose**: Manage kernel live patches without rebooting the system.

**Syntax**:
```bash
livepatch-mgr [update|list|load|unload|sync|remind] [flags]
```

| Parameter | Short | Type | Required | Description |
|----------|-------|------|----------|-------------|
| `update` | — | string | No | Install and load applicable patches |
| `--bugfix` | — | boolean | No | Apply only bugfix patches |
| `--security` | — | boolean | No | Apply only CVE-related patches |
| `--cves` | — | string | No | Apply patches for specific CVEs (comma-separated) |
| `--ids` | — | string | No | Apply patches by advisory ID (comma-separated) |
| `list` | — | string | No | List available patches |
| `--installed` | — | boolean | No | Show only installed patches |
| `--running` | — | boolean | No | Show only active (loaded) patches |
| `load` | — | string | No | Manually load installed patches |
| `unload` | — | string | No | Unload active patches |
| `sync` | — | string | No | Refresh patch metadata cache |
| `remind` | — | string | No | Show patch status reminder |
| `--enable` | — | boolean | No | Enable login-time reminders |
| `--disable` | — | boolean | No | Disable login-time reminders |

```bash
# Install all applicable security patches
sudo livepatch-mgr update --security

# List running patches
sudo livepatch-mgr list --running

# Enable login reminders
sudo livepatch-mgr remind --enable
```

**Output Example**:
```text
Loaded patch modules:
Update ID            CVE ID(s)       Hotfix ID       Description
HOTFIX-SA-2023:0001  CVE-2022-4378   11169823        Package updates are available...
```

### docker pull

**Purpose**: Download official Alibaba Cloud Linux container images from Alibaba Cloud Container Registry.

**Syntax**:
```bash
docker pull <registry>/<namespace>/<image>:<tag>
```

| Parameter | Short | Type | Required | Description |
|----------|-------|------|----------|-------------|
| registry | — | string | Yes | Container registry endpoint (e.g., `alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com`) |
| namespace/image | — | string | Yes | Image path (e.g., `alinux3/alinux3`) |
| tag | — | string | No | Image version tag (e.g., `220901.1`) |

```bash
# Pull Alibaba Cloud Linux 3 image
sudo docker pull alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:220901.1

# Pull latest Alibaba Cloud Linux 2 image
sudo docker pull alibaba-cloud-linux-2-registry.cn-hangzhou.cr.aliyuncs.com/alinux2/alinux2
```

### cat /proc/diskstats

**Purpose**: Display low-level disk I/O statistics for latency analysis.

**Syntax**:
```bash
cat /proc/diskstats
```

**Parameters**: None

```bash
# View raw disk statistics
cat /proc/diskstats
```

**Output Example**:
```text
 254       0 vda 12345 0 67890 123 4567 0 89012 345 0 456 789
```

### /usr/share/bcc/tools/alibiolatency

**Purpose**: Track and analyze block I/O latency using BCC toolset.

**Syntax**:
```bash
/usr/share/bcc/tools/alibiolatency [options]
```

| Parameter | Short | Type | Required | Description |
|----------|-------|------|----------|-------------|
| `-h` | — | boolean | No | Show help message |

```bash
# Install the BCC toolset first
sudo yum install -y bcc-tools

# Show help
/usr/share/bcc/tools/alibiolatency -h

# Run with default settings (BPF tracing requires root)
sudo /usr/share/bcc/tools/alibiolatency
```

### cgroup v1 Resource Control Interfaces

**Purpose**: Configure advanced resource controls via cgroup v1 virtual filesystem.

**Syntax**:
```bash
echo <value> > /sys/fs/cgroup/<subsystem>/<cgroup_name>/<control_file>
```

| File | Subsystem | Purpose |
|------|-----------|---------|
| `memory.thp_reclaim` | memory | Enable THP reclaim (`reclaim` or `disable`) |
| `memory.thp_reclaim_ctrl` | memory | Set THP reclaim parameters (e.g., `threshold 32`) |
| `memory.min` | memory | Guarantee minimum memory (bytes) |
| `memory.low` | memory | Soft memory limit (bytes) |
| `memory.high` | memory | Hard memory limit (bytes) |
| `cpu.cfs_burst_us` | cpu | Set CPU burst allowance (microseconds) |
| `blkio.throttle.write_bps_device` | blkio | Set write bandwidth limit (device major:minor value) |

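```bash
# The redirection must run as root, so each write is wrapped in `sudo sh -c`
# (a plain `sudo echo ... > file` would open the file as the calling user).

# Create memory cgroup and set QoS
sudo mkdir /sys/fs/cgroup/memory/test_memcg
sudo sh -c 'echo 209715200 > /sys/fs/cgroup/memory/test_memcg/memory.min'
sudo sh -c 'echo 1073741824 > /sys/fs/cgroup/memory/test_memcg/memory.high'

# Enable THP reclaim for a cgroup
sudo mkdir /sys/fs/cgroup/memory/test/
sudo sh -c 'echo reclaim > /sys/fs/cgroup/memory/test/memory.thp_reclaim'

# Enable CPU Burst globally, then set the burst allowance for a cpu cgroup
sudo sh -c 'echo 1 > /proc/sys/kernel/sched_cfs_bw_burst_enabled'
sudo mkdir /sys/fs/cgroup/cpu/test
sudo sh -c 'echo 600000 > /sys/fs/cgroup/cpu/test/cpu.cfs_burst_us'
```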

## Common Scenarios

### Scenario 1: Apply Critical Security Updates
```bash
# Step 1: Check for Critical/Important security updates
yum check-update --security --sec-severity={Critical,Important}

# Step 2: Install the identified updates
sudo yum upgrade --security --sec-severity={Critical,Important}

# Step 3: Verify no further security updates are pending
yum check-update --security
```
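An added example, not from the original reference: a gate for step 3 that reads `yum check-update --security` output and fails closed when it cannot find a summary line. The function names are hypothetical, and the zero-pending wording it matches is an assumption, since this page shows only the non-zero summary line.

```bash
# Gate for step 3: decide from `yum check-update --security` output whether
# security updates are still pending, and fail closed when that is unclear.

# Print "<needed> <available>" from the summary line; exit 2 if none is found.
security_summary() {
  awk '
    # Format shown in the output example on this page.
    !found && $1 ~ /^[0-9]+$/ && /package\(s\) needed for security, out of [0-9]+ available/ {
      print $1, $(NF - 1); found = 1
    }
    # Assumed wording for the zero-pending case (not shown on this page).
    !found && /^No packages needed for security; [0-9]+ packages available/ {
      print 0, $(NF - 2); found = 1
    }
    END { exit (found ? 0 : 2) }
  '
}

# Return 0 = nothing pending, 1 = updates pending, 2 = could not tell.
patch_gate() {
  summary=$(security_summary) || { echo "UNKNOWN: no summary line in output"; return 2; }
  needed=${summary%% *}
  available=${summary##* }
  if [ "$needed" -eq 0 ]; then
    echo "OK: no security updates pending ($available other updates available)"
    return 0
  fi
  echo "PENDING: $needed of $available available updates are security updates"
  return 1
}

# Constructed input: the summary line from the output example on this page.
printf '%s\n' '49 package(s) needed for security, out of 183 available' | patch_gate || true
```

Typical use is `yum check-update --security 2>&1 | patch_gate`, treating any non-zero return as not yet compliant.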

### Scenario 2: Manage Kernel Live Patches
```bash
# Step 1: Install livepatch-mgr if not present
sudo yum install livepatch-mgr -y

# Step 2: Update patch metadata cache
sudo livepatch-mgr sync

# Step 3: Apply all security-related live patches
sudo livepatch-mgr update --security

# Step 4: Verify active patches
sudo livepatch-mgr list --running
```

### Scenario 3: Configure Memory QoS for a Service
```bash
# Step 1: Create a dedicated memory cgroup
sudo mkdir /sys/fs/cgroup/memory/webapp

# Step 2: Set memory guarantees and limits (writes must run as root)
sudo sh -c 'echo 536870912 > /sys/fs/cgroup/memory/webapp/memory.min'    # 512 MB guaranteed
sudo sh -c 'echo 2147483648 > /sys/fs/cgroup/memory/webapp/memory.high'  # 2 GB hard limit

# Step 3: Move application process into the cgroup
echo "$APP_PID" | sudo tee /sys/fs/cgroup/memory/webapp/cgroup.procs > /dev/null
```

## Environment Setup

### Installation
Most tools are pre-installed on Alibaba Cloud Linux:
- `yum` is included by default
- `livepatch-mgr` can be installed via: `sudo yum install livepatch-mgr -y`
- BCC tools require: `sudo yum install -y bcc-tools`
- Docker must be installed separately per standard procedures

### Configuration
- **YUM repositories**: Pre-configured for Alibaba Cloud Linux; no additional setup needed for security updates
- **Kernel live patches**: Require compatible kernel versions (check documentation for minimum versions)
- **cgroup controls**: Require root privileges; ensure cgroup v1 is mounted at `/sys/fs/cgroup`
- **Docker images**: Use official registry endpoints from Container Registry console

## FAQ

Q: How do I configure credentials for accessing private container registries?
A: Use `docker login <registry>` with your Alibaba Cloud account credentials. For public Alibaba Cloud Linux images, no authentication is required.

Q: What is the difference between `--sec-severity` and `--secseverity` in YUM commands?
A: They are aliases; both accept the same values (Critical, Important, etc.). Use either based on your YUM version—newer versions prefer `--sec-severity`.

Q: How can I verify that CPU Burst is working for my cgroup?
A: After setting `cpu.cfs_burst_us`, monitor `cpu.stat` in the cgroup directory. Look for non-zero `burst_time` and `nr_bursts` fields indicating burst usage.

Q: Why do I get "Permission denied" when writing to cgroup files?
A: You must have root privileges. Use `sudo` or run as root. Also ensure the cgroup directory exists before writing control files.

Q: How do I disable the security update login reminder?
A: Stop and disable the `update-motd` service:  
```bash
sudo systemctl stop update-motd
sudo systemctl disable update-motd
```