by Wim Coekaerts
Oracle Ksplice is an exciting new addition to the Oracle Linux Premier Support subscription. Oracle Ksplice technology allows you to update systems with new kernel security errata (CVE) without the need to reboot, which enables you to remain current with OS vulnerability patches while minimizing downtime. Oracle Ksplice actively applies updates to the running kernel image, instead of making on-disk changes that would take effect only after a subsequent reboot.
As a general rule, the Oracle Linux kernel receives security updates approximately once a month. For any general-purpose OS on the market today, applying updates requires that downtime be scheduled and the server be rebooted into the new kernel that has the security updates. As system setups become more and more complex with multisystem interdependencies, the ability to schedule reboots is becoming more and more difficult and costly.
Oracle Ksplice is available as part of the Oracle Linux Premier and Premier Limited support subscriptions. It is also part of the Oracle Premier Support for Systems and Operating Systems subscriptions offering. Oracle Linux Basic, Basic Limited, and Network Support subscribers can contact their sales representatives to discuss the potential upgrade of their subscription to a Premier support plan.
Another requirement for getting Oracle Ksplice updates is the use of the Unbreakable Enterprise Kernel from Oracle. The lowest Oracle Linux kernel version at the time of this writing is 2.6.32-100.28.9. This kernel (and newer) can be installed on both Oracle Linux 5 and Oracle Linux 6 distribution versions. Customers with Red Hat Enterprise Linux (RHEL) 5 and 6 can do the simple migration to Oracle Linux and apply the packages on their existing installation of RHEL. Oracle does not offer Oracle Ksplice for Red Hat compatible kernels.
Here is a summary of the steps for getting started and become current with Oracle Ksplice:
uptrack-upgradeto download and apply the Oracle Ksplice patches to your running system.
Log in to Oracle's Unbreakable Linux Network (http://linux.oracle.com) with your existing user name and password. If you have an active subscription that has Oracle Ksplice privileges, you will see a button labeled KSplice Uptrack Registration, which is highlighted in Figure 1. If you do not already have an Oracle Ksplice access key, click the button.
Figure 1. KSplice Uptrack Registration Button
The Unbreakable Linux Network Web site lists all valid Customer Support Identifiers (CSIs) under your account. Select the CSI you want to use to generate the access key, and then click Register, as shown in Figure 2.
Figure 2. Specifying a Customer Support Identifier
The Unbreakable Linux Network will display an acknowledgement message indicating that an e-mail containing an access key and a URL has been sent to your e-mail address, as shown in Figure 3.
Figure 3. Acknowledgment Message
After a few minutes, you should receive a welcome e-mail that provides you with the generated access key and an embedded link to the ksplice.com Web site, where you can create your Oracle Ksplice Uptrack account. See Figure 4.
Figure 4. Welcome E-mail
Click the embedded link in your welcome e-mail and your browser will open a page that contains a Web form, as shown in Figure 5.
Figure 5. Form for Creating an Account
Complete the form and click Continue to create your account.
To log in, go to https://uptrack.ksplice.com/login and log in with your newly created account's user name and password. See Figure 6.
Figure 6. Login Screen
The Uptrack home page will list your access key and an overview of active and inactive machines, as shown in Figure 7.
Figure 7. Access Key and Machine Status
At the bottom of the Active Installations pane, you will find a link to the installation instructions, as shown in Figure 8.
Figure 8. Link to Installation Instructions
Click the Installation Instructions link to access the instructions. See Figure 9.
Figure 9. Installation Instructions
From this point on, you must be logged in as
root on the server on which you want to prepare and install Oracle Ksplice.
Make sure the following prerequisites are met:
export http_proxy=http://proxy.company.com:port export https_proxy=http://proxy.company.com:port
# wget -N https://www.ksplice.com/uptrack/install-uptrack --2011-09-01 21:05:52-- https://www.ksplice.com/uptrack/install-uptrackl-uptrack Resolving proxy.company.com... 10.0.19.20 Connecting to proxy.company.com|10.0.19.20|:80... connected. Proxy request sent, awaiting response... 200 OK Length: 8843 (8.6K) [text/plain] Remote file is newer, retrieving. --2011-09-01 21:05:53-- https://www.ksplice.com/uptrack/install-uptrack Connecting to proxy.company.com|10.0.19.20|:80... connected. Proxy request sent, awaiting response... 200 OK Length: 8843 (8.6K) [text/plain] Saving to: `install-uptrack' 100%[--------------------------------------------------->] 8.843 -- -K/s in 0.04s 2001-09-01 21:05:53 (195 KB/s) - 'install-uptrack' saved [8843/8843]
install-uptrack script using your access key as an argument, for example:
# sh install-uptrack 1234567890123456790abcdef123456890123456789012345678901234656544 [ Release detected: ol ] --2011-09-01 21:10:41-- https://www.ksplice.com/yum/uptrack/ol/ksplice-uptrack-release.noarch.rpm
The Uptrack package will set up a yum repository (
/etc/yum.repos.d/ksplice-uptrack.repo) and download the required packages for the
uptrack-* utilities to be able to work correctly.
The following packages will be installed:
# rpm -qa|grep uptrack uptrack-libyaml-0.1.3-1.el5 uptrack-PyYAML-3.08-4.el5 uptrack-1.2.1-0.el5 uptrack-python-pycurl-18.104.22.168-4.el5 ksplice-uptrack-release-1-3
After the installation is complete, the tool will automatically register your system with the Uptrack service and check for any available Oracle Ksplice updates for your running kernel. If new versions are available, the Uptrack tools will provide you with a list of updates.
To download and list updates, run
/usr/sbin/uptrack-upgrade. If you want to automatically apply the patches, add
-y as an argument. Once updates are applied, you will be running a kernel version that is called an effective kernel version.
uname -r command will show you the original boot kernel version. You can run
uptrack-uname -r to see what kernel you are effectively running with all the Oracle Ksplice updates applied.
#uname -r 2.6.32-100.37.1.el5uek # uptrack-uname -r 2.6.32-200.19.1.el5uek
Here are a few useful commands:
uptrack-show: List the active Oracle Ksplice updates in your running kernel.
uptrack-upgrade: Connect to the Uptrack update server, and check and download new updates when available. These can be applied immediately as well.
uptrack-remove: Remove applied updates from the running system and return to the original kernel version and state.
uptrack-uname: A modified version of
unamethat knows how to read the effective kernel version based on active Oracle Ksplice updates.
uptrack-install: Install patches that have been downloaded manually.
Uninstalling Uptrack is very easy. You should consider removing the updates with
uptrack-remove --all followed by
yum remove uptrack.
You can find instructions on the Uptrack Web site as well, as shown in Figure 10.
Figure 10. Uninstallation Instructions
The Uptrack Web site has an easy-to-use interface that lets you view registered systems, patches installed, available patches, and the status of systems, and create groups with access control.
For each server, it shows available updates that have not yet been applied. For each update, a one-line description is provided, as shown in Figure 11.
Figure 11. Viewing Available Updates
Further down, you can see a list of the updates that are installed on your running kernel, as shown in Figure 12.
Figure 12. Viewing Installed Updates
Oracle Ksplice patches are provided for each individual CVE or bug fix. They typically are downloaded in a specific order and can be applied (and removed) only sequentially. It is not possible to select which individual updates to apply.
Each applied update will be visible as an installed kernel module on the running system. You can execute
lsmod on a running system to list each loaded kernel module.
The Uptrack configuration file location is
/etc/uptrack/uptrack.conf. Modify this file if you want to configure a proxy server, automatically install updates at boot time, or automatically check for new updates and apply them at the same time.
Oracle Ksplice patches are stored locally on the file system in
/var/cache/uptrack and by default they will automatically be re-applied after a reboot (very early in the boot process). It is a good practice to also install the regular kernel RPM packages for released errata, because this allows you to boot into a newer kernel version when you restart the OS. At that point, the Oracle Ksplice patches will be applied starting from this new kernel as a baseline. The regular process of releasing kernel RPM packages for each errata kernel will be continued.
This information should be enough to get you started and actively running the latest errata updates on your Unbreakable Enterprise Kernel. Happy ksplicing.
|Revision 1.0, 10/18/2011|