Fixing Security Issues – Low Stress, the LXD Way

Routine updates – but not really. We got a routine report from the excellent server scanning service at www.scanmyserver.com.
It seems they did not like the Apache2 install on this site:

Scary stuff, given the incredible hacking risks of today.
Updating the primary web server is not always a comfortable journey – you can break more than you fix. At www.exploinsights.com, we don’t like to live dangerously, so we took full advantage of the snapshot capabilities of LXD to update the server. The WordPress instance that operates the public web site (what you are reading now!) runs in an LXD container, so here is today’s server update, exactly as run from the primary Ubuntu server:

lxc snapshot WordPress
lxc exec WordPress bash
add-apt-repository ppa:ondrej/apache2
apt update
apt upgrade
exit
logout

This created a full working copy of the exploinsights web site container (so it can be restored if it breaks during the update), then added the ppa:ondrej/apache2 repository so the instance uses the latest version of apache2, and then upgraded the entire web server, including ‘apache2’.
Note that none of these commands require root access on the main server, so the risk to the actual hardware running the primary Linux OS is very low. Root is needed in the LXD container, but that is separated from the host OS by design. Excellent security management!
After that, we accessed the site to make sure it works (and it does)…and then wrote this article to share the low-risk experience.  So it WORKED!  It took longer to write this article than it took to perform the update – that’s our kind of IT maintenance.
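
The same snapshot, upgrade and check routine with the restore step automated, as an added example that is not part of the original post. It assumes the container name WordPress used above, `curl` on the host, and a placeholder URL; the function names `site_ok` and `update_container` are hypothetical.

```shell
#!/bin/sh
# Added example: snapshot an LXD container, upgrade it, check the site,
# and restore the snapshot automatically if anything fails.
LXC="${LXC:-lxc}"   # lxc client binary; override for a dry run

# Commands run as root inside the container (same steps as in the post,
# made non-interactive with -y).
UPGRADE='add-apt-repository -y ppa:ondrej/apache2 &&
         apt-get update &&
         DEBIAN_FRONTEND=noninteractive apt-get -y upgrade'

# site_ok URL: true only if the site answers with HTTP 200.
site_ok() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 15 "$1") || return 1
    [ "$code" = 200 ]
}

# update_container NAME URL
# Returns 0 = upgraded and healthy, 1 = failed and rolled back,
#         2 = snapshot failed, nothing was changed.
update_container() {
    ct="$1"; url="$2"
    snap="pre-upgrade-$(date +%Y%m%d-%H%M%S)"

    # No snapshot, no upgrade: never touch the container without a way back.
    $LXC snapshot "$ct" "$snap" || return 2

    if $LXC exec "$ct" -- sh -c "$UPGRADE" && site_ok "$url"; then
        echo "upgrade ok, snapshot $snap kept"
        return 0
    fi

    echo "upgrade or health check failed, restoring $snap" >&2
    $LXC restore "$ct" "$snap"
    return 1
}

# Usage: ./update.sh WordPress https://www.example.com/   (URL is a placeholder)
if [ "$#" -ge 2 ]; then
    update_container "$1" "$2"
fi
```

Snapshots kept after a successful run accumulate; remove one with `lxc delete WordPress/<snapshot>` once the upgrade has proven stable.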
The web site should receive a much better security score when scanmyserver.com revisits (in about a week unless we initiate it manually). But here are the results from a similar scan, which was satisfactory:

No high risk issues, but probably still more work to do, so no surprises there.  Since the web site does NOT host sensitive or mission-critical information, we will address additional lower risk issues routinely.  But for our mission-critical assets, we like to fix things immediately or at least ASAP.  Our cloud file server gets a much better score, and hopefully always will:
We love containers for running and updating key IT infrastructure, as they continue to take the stress out of important and potentially system-breaking updates.

UPDATE 14th July:

So we just got a new vulnerability report: 😊

Progress.  And an A+ rating is not as shabby as we have seen elsewhere for even government web servers.  Of course, this does NOT mean that we can relax.  You have to keep looking for vulnerabilities and address them as you find them, and you always find more.  But this is progress.  Thanks LXD!