1.2.1 About the Ksplice Enhanced Client

The Ksplice Enhanced client is available for Oracle Linux 6 and Oracle Linux 7, but not for Oracle Linux 5. The enhanced version of the Ksplice online client supports kernel and user-space updates and can also be used to patch the Xen hypervisor on Oracle VM Server Release 3.4.5 and later.

Note

To use Ksplice to patch the Xen hypervisor on Oracle VM 3.4.5 and later, the minimum Xen hypervisor version is xen-4.4.4-196.el6.x86_64.rpm.

For information about when to use the Ksplice Enhanced client, see Section 1.3.1, “Choosing a Ksplice Client”.

The Ksplice Enhanced client can patch in-memory pages of Ksplice-aware shared libraries such as glibc and openssl for user-space processes, in addition to the kernel updates applied by the traditional Ksplice Uptrack client. User-space patching enables you to install bug fixes and protect your system against security vulnerabilities without having to restart processes and services. Both an online and an offline version of the enhanced client are available.

You manage the Ksplice Enhanced client by using the ksplice command rather than uptrack commands. Note that the enhanced client shares the same configuration file as the Uptrack client, which is located at /etc/uptrack/uptrack.conf. For more information about this file, see Section 3.3, “Configuring a Ksplice Uptrack Client”.

Note the following important information about Ksplice limitations:

  • Ksplice reports an error similar to the following if it cannot apply updates to processes that do not have access to /var/cache/ksplice:

    Ksplice was unable to load the update as the target process is in a
    different mount namespace or has changed root.  The service must be
    restarted to apply on-disk updates.
    Extra information: the process has changed root or mount namespace.
      └─ rtkit-daemon (3680)

    This error typically occurs with processes that use chroot or that run in an LXC or Docker container. In such cases, you must restart the process to apply any available updates. For example, to restart the rtkit-daemon service, you would use the systemctl restart rtkit-daemon command.

    To avoid having to restart a chrooted application that you maintain and compile, ensure that /var/cache/ksplice is bind mounted in the chrooted environment.

  • Ksplice cannot patch applications that use either setcontext or swapcontext from glibc to perform user-space context switching between process threads.

  • Due to certain kernel limitations, Ksplice does not patch the init process (PID 1).

    On Oracle Linux 7, the init process, which is actually systemd, is automatically re-executed on system updates, so it does not require patching with Ksplice.

    On Oracle Linux 6, Upstart is not capable of re-executing itself, so any updates to glibc that can affect Upstart might require a reboot.
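
The mount namespace and chroot limitation in the first item can be checked before an update is applied. The following shell function is an added example, not part of the Ksplice client or of this guide; it approximates the condition by comparing each process's /proc/PID/ns/mnt and /proc/PID/root links with those of a reference process, and the name list_unreachable and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not Oracle code): list processes that are likely to need a
# restart after a user-space update because they run in a different mount
# namespace or with a changed root, and so may not see /var/cache/ksplice.
#
# list_unreachable [PROCROOT] [REFPID]
#   PROCROOT  procfs mount point (default /proc)
#   REFPID    process to compare against (default "self", the calling shell)
# Output: one line per process, tab separated: PID, command name, reason.
# Run as root; links that cannot be read are skipped.
list_unreachable() {
    proc=${1:-/proc}
    ref=${2:-self}
    ref_ns=$(readlink "$proc/$ref/ns/mnt") || return 1
    ref_root=$(readlink "$proc/$ref/root") || return 1

    for dir in "$proc"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # A process may exit mid-scan, or be unreadable without privilege.
        ns=$(readlink "$dir/ns/mnt" 2>/dev/null) || continue
        root=$(readlink "$dir/root" 2>/dev/null) || continue

        reason=
        [ "$ns" = "$ref_ns" ] || reason="mount-namespace"
        [ "$root" = "$ref_root" ] || reason="${reason:+$reason,}changed-root"
        [ -n "$reason" ] || continue

        name=$(cat "$dir/comm" 2>/dev/null) || name="?"
        printf '%s\t%s\t%s\n' "$pid" "$name" "$reason"
    done
}

# When the script is run with arguments (for example: sh script.sh /proc self)
# the scan is performed; with no arguments it only defines the function.
[ $# -eq 0 ] || list_unreachable "$@"
```

Processes reported with the reason changed-root are candidates for the /var/cache/ksplice bind mount described above; the others must be restarted after the on-disk update.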

The offline version of the Ksplice Enhanced client removes the requirement that a server on your intranet have a direct connection to the Oracle Uptrack server or to ULN. All available Ksplice updates for each supported kernel version or user-space package are bundled into an RPM that is specific to that version. This package is updated every time a new Ksplice patch becomes available for the kernel. In this way, you can create a local ULN mirror that acts as a mirror for the Ksplice-aware channels for Oracle Linux on ULN. See Section 2.4, “Configuring the Ksplice Enhanced Client for Offline Mode”.

At regular intervals, you can download the latest Ksplice update packages to this server. After you install the offline Ksplice Enhanced client on your local systems, they can connect to the local ULN mirror to receive updates. See Section 1.3.3, “Configuring a Local ULN Mirror to Act as a Ksplice Mirror” for more information about configuring a local ULN mirror.

When you have set up a local ULN mirror to act as a Ksplice mirror, you can then configure your other systems to receive yum updates, as well as Ksplice updates. For task-related information, see Chapter 2, Working With the Ksplice Enhanced Client.