October 2011
by Wim Coekaerts
Oracle Ksplice is an exciting new addition to the Oracle Linux Premier Support subscription. Oracle Ksplice technology allows you to update systems with new kernel security errata (CVE) without the need to reboot, which enables you to remain current with OS vulnerability patches while minimizing downtime. Oracle Ksplice actively applies updates to the running kernel image, instead of making on-disk changes that would take effect only after a subsequent reboot.
As a general rule, the Oracle Linux kernel receives security updates approximately once a month. For any general-purpose OS on the market today, applying updates requires that downtime be scheduled and the server be rebooted into the new kernel that has the security updates. As system setups become more complex, with multisystem interdependencies, scheduling reboots is becoming more difficult and costly.
Oracle Ksplice is available as part of the Oracle Linux Premier and Premier Limited support subscriptions. It is also part of the Oracle Premier Support for Systems and Operating Systems subscriptions offering. Oracle Linux Basic, Basic Limited, and Network Support subscribers can contact their sales representatives to discuss the potential upgrade of their subscription to a Premier support plan.
Another requirement for getting Oracle Ksplice updates is the use of the Unbreakable Enterprise Kernel from Oracle. The lowest Oracle Linux kernel version at the time of this writing is 2.6.32-100.28.9. This kernel (and newer) can be installed on both Oracle Linux 5 and Oracle Linux 6 distribution versions. Customers with Red Hat Enterprise Linux (RHEL) 5 and 6 can do the simple migration to Oracle Linux and apply the packages on their existing installation of RHEL. Oracle does not offer Oracle Ksplice for Red Hat compatible kernels.
Here is a summary of the steps for getting started and becoming current with Oracle Ksplice:
uptrack-upgrade to download and apply the Oracle Ksplice patches to your running system.
Log in to Oracle's Unbreakable Linux Network (http://linux.oracle.com) with your existing user name and password. If you have an active subscription that has Oracle Ksplice privileges, you will see a button labeled KSplice Uptrack Registration, which is highlighted in Figure 1. If you do not already have an Oracle Ksplice access key, click the button.

Figure 1. KSplice Uptrack Registration Button
The Unbreakable Linux Network Web site lists all valid Customer Support Identifiers (CSIs) under your account. Select the CSI you want to use to generate the access key, and then click Register, as shown in Figure 2.

Figure 2. Specifying a Customer Support Identifier
The Unbreakable Linux Network will display an acknowledgement message indicating that an e-mail containing an access key and a URL has been sent to your e-mail address, as shown in Figure 3.

Figure 3. Acknowledgment Message
After a few minutes, you should receive a welcome e-mail that provides you with the generated access key and an embedded link to the ksplice.com Web site, where you can create your Oracle Ksplice Uptrack account. See Figure 4.

Figure 4. Welcome E-mail
Click the embedded link in your welcome e-mail and your browser will open a page that contains a Web form, as shown in Figure 5.

Figure 5. Form for Creating an Account
Complete the form and click Continue to create your account.
To log in, go to https://uptrack.ksplice.com/login and log in with your newly created account's user name and password. See Figure 6.

Figure 6. Login Screen
The Uptrack home page will list your access key and an overview of active and inactive machines, as shown in Figure 7.

Figure 7. Access Key and Machine Status
At the bottom of the Active Installations pane, you will find a link to the installation instructions, as shown in Figure 8.

Figure 8. Link to Installation Instructions
Click the Installation Instructions link to access the instructions. See Figure 9.

Figure 9. Installation Instructions
From this point on, you must be logged in as root on the server on which you want to prepare and install Oracle Ksplice.
Make sure the following prerequisites are met:
uname -a.
export http_proxy=http://proxy.company.com:port
export https_proxy=http://proxy.company.com:port
Download the install-uptrack script:
# wget -N https://www.ksplice.com/uptrack/install-uptrack
--2011-09-01 21:05:52-- https://www.ksplice.com/uptrack/install-uptrack
Resolving proxy.company.com... 10.0.19.20
Connecting to proxy.company.com|10.0.19.20|:80... connected.
Proxy request sent, awaiting response... 200 OK
Length: 8843 (8.6K) [text/plain]
Remote file is newer, retrieving.
--2011-09-01 21:05:53-- https://www.ksplice.com/uptrack/install-uptrack
Connecting to proxy.company.com|10.0.19.20|:80... connected.
Proxy request sent, awaiting response... 200 OK
Length: 8843 (8.6K) [text/plain]
Saving to: `install-uptrack'
100%[--------------------------------------------------->] 8.843 -- -K/s in 0.04s
2001-09-01 21:05:53 (195 KB/s) - 'install-uptrack' saved [8843/8843]
Run the install-uptrack script using your access key as an argument, for example:
# sh install-uptrack 1234567890123456790abcdef123456890123456789012345678901234656544
[ Release detected: ol ]
--2011-09-01 21:10:41-- https://www.ksplice.com/yum/uptrack/ol/ksplice-uptrack-release.noarch.rpm
The Uptrack package will set up a yum repository (/etc/yum.repos.d/ksplice-uptrack.repo) and download the required packages for the uptrack-* utilities to be able to work correctly.
The following packages will be installed:
# rpm -qa|grep uptrack
uptrack-libyaml-0.1.3-1.el5
uptrack-PyYAML-3.08-4.el5
uptrack-1.2.1-0.el5
uptrack-python-pycurl-7.15.5.1-4.el5
ksplice-uptrack-release-1-3
After the installation is complete, the tool will automatically register your system with the Uptrack service and check for any available Oracle Ksplice updates for your running kernel. If new versions are available, the Uptrack tools will provide you with a list of updates.
To download and list updates, run /usr/sbin/uptrack-upgrade. If you want to automatically apply the patches, add -y as an argument. Once updates are applied, you will be running a kernel version that is called an effective kernel version.
The uname -r command will show you the original boot kernel version. You can run uptrack-uname -r to see what kernel you are effectively running with all the Oracle Ksplice updates applied.
# uname -r
2.6.32-100.37.1.el5uek
# uptrack-uname -r
2.6.32-200.19.1.el5uek
Here are a few useful commands:
uptrack-show: List the active Oracle Ksplice updates in your running kernel.
uptrack-upgrade: Connect to the Uptrack update server, and check and download new updates when available. These can be applied immediately as well.
uptrack-remove: Remove applied updates from the running system and return to the original kernel version and state.
uptrack-uname: A modified version of uname that knows how to read the effective kernel version based on active Oracle Ksplice updates.
uptrack-install: Install patches that have been downloaded manually.
Uninstalling Uptrack is very easy. You should consider removing the updates with uptrack-remove --all followed by yum remove uptrack.
You can find instructions on the Uptrack Web site as well, as shown in Figure 10.

Figure 10. Uninstallation Instructions
The Uptrack Web site has an easy-to-use interface that lets you view registered systems, patches installed, available patches, and the status of systems, and create groups with access control.
For each server, it shows available updates that have not yet been applied. For each update, a one-line description is provided, as shown in Figure 11.

Figure 11. Viewing Available Updates
Further down, you can see a list of the updates that are installed on your running kernel, as shown in Figure 12.

Figure 12. Viewing Installed Updates
Oracle Ksplice patches are provided for each individual CVE or bug fix. They typically are downloaded in a specific order and can be applied (and removed) only sequentially. It is not possible to select which individual updates to apply.
Each applied update will be visible as an installed kernel module on the running system. You can execute lsmod on a running system to list each loaded kernel module.
The Uptrack configuration file location is /etc/uptrack/uptrack.conf. Modify this file if you want to configure a proxy server, automatically install updates at boot time, or automatically check for new updates and apply them at the same time.
Oracle Ksplice patches are stored locally on the file system in /var/cache/uptrack and by default they will automatically be re-applied after a reboot (very early in the boot process). It is a good practice to also install the regular kernel RPM packages for released errata, because this allows you to boot into a newer kernel version when you restart the OS. At that point, the Oracle Ksplice patches will be applied starting from this new kernel as a baseline. The regular process of releasing kernel RPM packages for each errata kernel will be continued.
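The difference between uname -r and uptrack-uname -r, and the advice to keep the on-disk kernel RPM current, can be checked together. The following script is an added example, not part of the original article or of the Uptrack tools. The function names and status words are hypothetical, and it assumes the kernel package is named kernel-uek and that uname -r carries no architecture suffix, as in the el5uek sample output above.

```shell
#!/bin/sh
# Added example: classify a host's kernel patch state from three versions.
#   boot      = `uname -r`          (kernel image that was booted from disk)
#   effective = `uptrack-uname -r`  (boot kernel plus live Ksplice updates)
#   ondisk    = newest installed kernel RPM (what the next reboot can load)

# ver_lt A B: succeed when version A sorts strictly before version B.
# sort -V compares numeric fields as numbers, so 99.x sorts before 100.x.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# newest_version: highest version from a newline-separated list on stdin.
newest_version() { sort -V | tail -n 1; }

# kernel_state BOOT EFFECTIVE ONDISK: print one status word.
kernel_state() {
    boot=$1 effective=$2 ondisk=$3
    if ver_lt "$ondisk" "$effective"; then
        # A reboot would load an older image; the fixes then depend on the
        # cached updates in /var/cache/uptrack being re-applied during boot.
        echo "ondisk-behind"
    elif [ "$boot" = "$effective" ]; then
        echo "no-live-updates"
    else
        echo "live-patched"
    fi
}

# Live check: runs only on a host that has the Uptrack tools installed.
if command -v uptrack-uname >/dev/null 2>&1; then
    b=$(uname -r)
    e=$(uptrack-uname -r)
    # kernel-uek is an assumed package name; adjust it to your installation.
    d=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-uek | newest_version)
    echo "boot=$b effective=$e ondisk=$d state=$(kernel_state "$b" "$e" "$d")"
fi
```

A result of ondisk-behind means the errata kernel RPM has not been installed yet. Inventory or scanning tools that read only uname -r will report the boot version even when the state is live-patched.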
This information should be enough to get you started and actively running the latest errata updates on your Unbreakable Enterprise Kernel. Happy ksplicing.
Revision 1.0, 10/18/2011