Use rolling versions of Kasm images for nightly patches
Many Kasm administrators wish to apply regular security patches to the workspaces in their environment. Updating Kasm typically means updating the following components:
The host servers for Kasm service roles.
Kasm uses one or more of the following servers depending on your deployment architecture.
Kasm Server Roles: single-server host, database role host server, webapp role host servers, agent role host servers, guac / connection proxy host servers, and dedicated proxy host servers.
The Kasm docker services. These services are docker images and containers that Kasm uses to perform the coordinated functions of a Kasm environment. The services are started and stopped by running the Kasm start and stop commands (/opt/kasm/bin/[start | stop]). Each service docker image has a standard image tag, which corresponds to the Kasm version, and a “rolling” image tag, which also corresponds to the Kasm version but is rebuilt nightly.
Instructions
Update Kasm services containers:
Updating the host server often involves running a command similar to apt update or yum update. If possible, it is recommended to stop Kasm services before applying server updates, then restart Kasm when all updates are complete. It is important to note that you should not stop the database service role without first stopping all webapp services. Reference the “Maintenance Mode” how-to guide for the proper method of stopping and restarting Kasm servers.
The act of restarting kasm services will cause docker compose used by kasm to pull the latest docker image for services.
The service images are generally static for the entire duration of a Kasm release version. To get the nightly rebuilt build of a service container, you need to edit Kasm’s docker compose file (/opt/kasm/current/docker/docker-compose.yaml) to use the “-rolling” tag version of the service image. The “-rolling” tag versions can be used by appending “-rolling” at the end of the image tag. After editing the docker compose file, the Kasm services need to be stopped, the existing service containers need to be deleted, and Kasm services restarted. The “-rolling” tag works for the following Kasm services:
kasm_api
kasm_manager
kasm_agent
kasm_share
kasm_guac
New kasm services that can have the “-rolling” tag added in 1.16.0:
kasm_rdp_gateway
kasm_rdp_https_gateway
kasm_proxy
Notice that the following services do not have rolling tag versions:
proxy
(For versions 1.15.0 to 1.11.0) Change the tag to “1.25” instead of “1.25.3” for a version that updates regularly (e.g. image: "kasmweb/nginx:1.25").
db
No rolling version available.
This image receives the latest version from the official postgres image maintainer.
kasm_redis
No rolling version available
This image receives the latest version from the official redis image maintainer.
For example:
kasm_api:
image: "kasmweb/api:1.16.0"
becomes
image: "kasmweb/api:1.16.0-rolling"
The example below shows stopping Kasm services, editing the docker compose file, removing the old kasm service docker containers, then restarting kasm.
#Stop Kasm services
sudo /opt/kasm/bin/stop
#Edit the Docker Compose file
sudo vi /opt/kasm/current/docker/docker-compose.yaml
#Delete the existing kasm service containers
sudo docker rm $(sudo docker ps -aq --filter="name=kasm_")
#Start Kasm services
sudo /opt/kasm/bin/start
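A scripted alternative to the manual edit step above, added here as an example and not taken from Kasm's documentation: it appends “-rolling” only to the services this page lists as having rolling tags and leaves proxy, db and kasm_redis alone. The compose layout it parses, the function names and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Services the page lists as having rolling tags (second line: from 1.16.0).
ROLLING_SERVICES="kasm_api kasm_manager kasm_agent kasm_share kasm_guac"
ROLLING_SERVICES="$ROLLING_SERVICES kasm_rdp_gateway kasm_rdp_https_gateway kasm_proxy"

# Reads compose YAML on stdin, writes the edited YAML to stdout.
# Assumed layout: service keys indented two spaces, one "image:" line per
# service, tag double-quoted or unquoted, no trailing comment on that line.
add_rolling_tags() {
  awk -v list="$ROLLING_SERVICES" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Remember which service block we are in.
    /^  [A-Za-z0-9_-]+:[ \t]*$/ { svc = $1; sub(/:$/, "", svc) }
    # Only listed services, only lines that carry a tag, never twice.
    /^[ \t]+image:/ && (svc in ok) && /:[^:\/" \t]+"?[ \t]*$/ &&
    !/-rolling"?[ \t]*$/ {
      if (/"[ \t]*$/) sub(/"[ \t]*$/, "-rolling\"")
      else sub(/[ \t]*$/, "-rolling")
    }
    { print }
  '
}

# Constructed sample compose fragment (not copied from a real Kasm install).
sample_compose() {
  cat <<'EOF'
services:
  db:
    image: "postgres:example-tag"
  kasm_redis:
    image: "redis:example-tag"
  proxy:
    image: "kasmweb/nginx:1.25"
  kasm_api:
    image: "kasmweb/api:1.16.0"
  kasm_manager:
    image: "example/manager:1.16.0-rolling"
EOF
}

# Show the rewritten sample: only kasm_api changes, kasm_manager is already rolling.
sample_compose | add_rolling_tags
```

With Kasm services stopped, feed the real compose file to add_rolling_tags, write the result to a separate file, and compare the two with diff before replacing the original.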
The example below shows stopping Kasm services, using “apt” to apply system updates, then restarting kasm.
#Stop Kasm services
sudo /opt/kasm/bin/stop
#Apply system updates (apt update only refreshes the package index; apt upgrade installs the updates)
sudo apt update
sudo apt upgrade -y
#Start Kasm services
sudo /opt/kasm/bin/start
Update Kasm workspace images:
If you want to use the latest versions of workspace images provided by Kasm then:
Use the Kasm UI to edit each workspace.
Append “-rolling” to the end of the Docker image tag of each Kasm maintained public workspace.
For a list of Kasm maintained public workspaces and the precise tags available, please reference the page listing all workspaces and their corresponding Docker Hub tags.
Example of Chrome workspace set to use the rolling image:
The Kasm manager background process will ensure the new docker image is pulled to all active Kasm agents.
NOTE: The previous docker image will remain on the Agent if the Agent’s “Automatically Prune Image” dropdown is set to “Off”. Change the automatic pruning value to “Normal” or “Aggressive” to allow Kasm to free disk space by pruning unused docker images.