I was working on the Chef AMI on AWS, there is a problem in that the version of OpenSSL that comes embedded is vulnerable to CVE-2016-2107. Even though this CVE is quite hard to exploit (accroding to others), its still not ideal to be running a machine that will be orchestrating your network, vulnerable to any known exploits. Luckily though, there is an online test that can check this for you CVE Test.
The Chef AMI on AWS is actually out of date. There has been releases of Chef since this machine image was made which include a patched version of OpenSSL. So the obvious way for me to get around this CVE issue was to update Chef, which really should have been simple. It should have just been a case of running
chef-marketplace-ctl upgrade -y. Sadly, it wasnt that easy. The Chef AMI is only 10GB in size. No matter what you set the EBS volume size to be, the root (/dev/xvda1) will always be 10GB. The upgrade will always run out of space.
Extending the EBS Volume Size
The first thing to check is the available size of the entire EBS volume. You can do this with
lsblk. You will get an output similar to this:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT xvda 202:0 0 50G 0 disk └─xvda1 202:1 0 10G 0 part /
You can see here the disk itself (/dev/xvda) is 50G but the root partition (/dev/xvda1) is only using 10G. So how do we go about actually using all that extra space?
First we need to install the Extended Packages for Enterprise Linux repo. This is simple though, just run
sudo yum install epel-release. This is a tiny file as its just the epel.repo that sits in /etc/yum.repos.d/.
Once that is complete we can install the software which will grow the
partition which is aptly named “growpart”. To install growpart, run
sudo yum install cloud-utils-growpart. Once that is complete we are ready to actually resize the partition. Again, this is simple. Run the following
/usr/bin/growpart /dev/xdva 1. This command should be pretty self explanatory. Run growpart on disk /dev/xvda and grow partition 1. Simple.
Once that is complete, you can confirm it has worked with
lsblk which should now give an output similar to the following:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT xvda 202:0 0 50G 0 disk └─xvda1 202:1 0 50G 0 part /
You can clearly see the partition is now taking the entire disk.
All you need to do now is give it a reboot. Once it comes back up, run
df -h and you should see your root partition now matches the output of
We are now good to go ahead and run
chef-marketplace-ctl upgrade -y as root to upgrade Chef. Once that is complete, dont forget to confirm you are no longer vulnerable to CVE-2015-2107 using the online test linked above.