12 Configuring Ksplice Offline Clients

On average, the Linux kernel receives security updates and bug fixes about once per month. Traditionally, applying such updates would require you to obtain and install the updated kernel RPMs, to schedule downtime, and to reboot the server into the new kernel with the critical updates. As system setups become more complex with many interdependencies, and access to services and applications must remain as undisrupted as possible, scheduling such reboots becomes more difficult and costly.

Oracle Ksplice provides a way for you to keep your systems secure and highly available by enabling you to update them with the latest kernel, Xen hypervisor updates, and key user-space security and bug fix updates. Oracle Ksplice updates the running operating system and Xen hypervisor without requiring a reboot. Your systems remain up to date with OS vulnerability patches and downtime is minimized. A Ksplice update takes effect immediately when it is applied. The update is not the same as an on-disk change that only takes effect after a subsequent reboot.

Oracle creates each Ksplice update from a kernel update that originates either from Oracle or from the Linux kernel community.

The Ksplice Offline client removes the requirement for a server on your intranet to have a direct connection to the Oracle Uptrack server. All available Ksplice updates for each supported kernel version are bundled into an RPM that is specific to that version, and this package is updated every time that a new Ksplice patch becomes available for the kernel.

Note:

Ksplice Offline client is freely available for Oracle Linux customers that subscribe to Oracle Linux Premier Support. If you are an Oracle Linux Basic, Basic Limited, or Network Support subscriber, contact your sales representatives to discuss a potential upgrade of your subscription to a Premier Support plan.

You can configure an Oracle Linux Manager server as a mirror of the Ksplice for Oracle Linux channels on ULN. The Oracle Linux Manager server does not require access to the Oracle Uptrack server. Instead, you schedule Oracle Linux Manager to download the latest Ksplice update packages to a software channel. For older Ksplice updates, an archive channel is available. The _archive suffix is usually added to the channel for which it hosts archive packages. See About Software Channel Configuration.

After you install Ksplice Offline client on your Oracle Linux Manager client systems, they can install the Ksplice update packages from the Oracle Linux Manager server. The clients also do not require access to the Oracle Uptrack server.

Note:

You cannot use the web interface or the Ksplice Uptrack API to monitor systems that are running Ksplice Offline client, as these systems are not registered with https://status-ksplice.oracle.com.

For more information about Ksplice, see Oracle Linux: Ksplice User's Guide.

Supported Kernels

You can use Ksplice Uptrack to keep Oracle Linux kernels up to date with the latest important security and bug fix patches. To confirm whether a particular kernel is supported, install the Uptrack client on a system that is running that kernel.

For up-to-date information about supported kernels, see Oracle Linux: Ksplice User's Guide.

For additional questions, send an email to ksplice-support_ww@oracle.com.

Configuring an Oracle Linux Manager Server to Act as a Ksplice Mirror

Note:

The following information applies to the configuration of an Oracle Linux Manager server only.

To configure an Oracle Linux Manager server to act as a Ksplice mirror, you configure repositories and associated software channels for the Oracle Linux releases and architectures of the clients on which you want to run Ksplice Offline client. Each Ksplice channel should be a child of the appropriate base software channel. See Configuring Oracle Linux Manager Repositories and Configuring Software Channels.

Note:

For a list of channels that are available for Ksplice on Oracle Linux, see Available Ksplice Channels in Oracle Linux: Ksplice User's Guide.

For example, you would specify the URL of the Ksplice for Oracle Linux 7 (x86_64) channel on ULN as follows:

uln:///ol7_x86_64_ksplice

Provisioning Client Systems as Ksplice Offline Clients

To provision a client system as a Ksplice Offline client, configure its kickstart profile as follows:

  • Under Kickstart Details, select the Operating System tab, ensure that the check box for the Ksplice child software channel is checked, and click Update Kickstart.

  • Under Software, include uptrack-offline in the list of packages to install.

  • Under Scripts, create a post-installation, nochroot shell script that installs the Ksplice update packages.

    sudo yum install -y uptrack-updates-`uname -r`

Install new Ksplice updates as they become available. You can schedule Oracle Linux Manager to update the client system or you can set up an anacron script on the client itself. For example, you could use the following script with an Oracle Linux 6 or Oracle Linux 7 client:

#!/bin/sh
yum install -y uptrack-updates-`uname -r`

The script must be executable and also must be owned by root. If you place the script in /etc/cron.daily on the client, it runs once every day.

Installing and Configuring Existing Client Systems as Ksplice Offline Clients

After you have set up Oracle Linux Manager to act as a Ksplice mirror, you can configure your other systems to receive yum and Ksplice updates.

To configure a system as a Ksplice Offline client, follow these steps:

  1. Subscribe the client system to the Ksplice software channel that corresponds to the Oracle Linux release and architecture.

  2. Install the offline version of the enhanced Ksplice client package:

    sudo yum install -y ksplice-offline

  3. Insert a configuration directive into /etc/uptrack/uptrack.conf to provide the enhanced client with the label of the local user-space channel in your local Yum repository configuration. You do not need to do this if you did not use the local_ prefix for the channel label and this label matches the label used on ULN exactly. If you used the local_ prefix or labeled this channel differently, add the following lines and replace local_ol6_x86_64_ksplice_userspace with whatever you used to label the Ksplice user-space channel:

    [User]
    yum_userspace_ksplice_repo_name = local_ol6_x86_64_ksplice_userspace

  4. To install offline update packages, you must install the relevant packages for your system. For example, you might install the following packages:

    sudo yum install ksplice-updates-glibc ksplice-updates-openssl

    When these packages have been installed, the offline version of the enhanced Ksplice client behaves exactly the same as the online version.

  5. Update the system to install the Ksplice-aware versions of the user-space libraries:

    sudo yum update -y

    To install only the libraries and not update any other packages, limit the update to the ol_arch_userspace_ksplice channel as appropriate, for example:

    sudo yum --disablerepo=* --enablerepo=ol7_x86_64_userspace_ksplice update

    Alternatively, use the following command:

    sudo yum update -y '*glibc' '*openssl*'

    You may also use this client to perform kernel updates, in the same way that you are able to use the standard uptrack client:

    sudo yum install -y uptrack-updates-`uname -r`

  6. To enable the automatic installation of updates, ensure that /etc/uptrack/uptrack.conf has the following entry for autoinstall:

    autoinstall = yes

  7. Reboot the system so that the system uses the new libraries.

    On Oracle Linux 6:

    sudo reboot

    On Oracle Linux 7 or Oracle Linux 8:

    sudo systemctl reboot
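
Because Ksplice Offline clients do not report to the Uptrack web interface, the settings from steps 3 and 6 have to be checked on the client itself. The following script is an added example, not part of the Oracle documentation; the function names conf_get and check_offline_client_conf are hypothetical, and because this page does not say which section of uptrack.conf holds autoinstall, the check accepts it in any section.

```shell
#!/bin/sh
# Added example: audit /etc/uptrack/uptrack.conf on a Ksplice Offline client.

# conf_get FILE KEY [SECTION]: print the last value assigned to KEY, limited to
# [SECTION] when one is given. Comment lines (# or ;) are ignored.
conf_get() {
    awk -v key="$2" -v want="${3:-}" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; gsub(/^[ \t]*\[|\][ \t\r]*$/, "", sec); next }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key && (want == "" || sec == want)) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_offline_client_conf FILE [LOCAL_LABEL]: return 0 only if autoinstall is
# "yes" and, when LOCAL_LABEL is given, [User] names that user-space channel.
# A misspelled key or a key under the wrong section is reported as unset.
check_offline_client_conf() {
    rc=0
    auto=$(conf_get "$1" autoinstall)
    if [ "$auto" != yes ]; then
        echo "autoinstall is '${auto:-unset}', expected 'yes'" >&2
        rc=1
    fi
    if [ -n "${2:-}" ]; then
        repo=$(conf_get "$1" yum_userspace_ksplice_repo_name User)
        if [ "$repo" != "$2" ]; then
            echo "[User] yum_userspace_ksplice_repo_name is '${repo:-unset}', expected '$2'" >&2
            rc=1
        fi
    fi
    return "$rc"
}

# Usage on a client that uses a local_ channel label:
#   check_offline_client_conf /etc/uptrack/uptrack.conf local_ol6_x86_64_ksplice_userspace
```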

Implementing Ksplice Synchronization Filters on Oracle Linux Manager Server

The Ksplice Offline repositories are massive in size and synchronizing Oracle Linux Manager server with the entire repositories would be inefficient. To reduce the overall space consumed by Ksplice Offline packages, Oracle strongly recommends using repository filters to limit downloaded packages to only those that apply to your client systems. You can apply a filter either on the Repository configuration in the Manage Repositories page in the web UI or by using the spacewalk-repo-sync -i command syntax.

The following command line example shows how to limit package synchronization only to Ksplice patches that are applicable to Unbreakable Enterprise Kernel Release 6:

sudo spacewalk-repo-sync -c channel_label -n -i ksplice-*,python-ksplice-*,uptrack-offline-*,uptrack-updates-version*

In the example, the ksplice-*, python-ksplice-*, and uptrack-offline-* packages must be permanently included in any Ksplice synchronization because these packages contain Ksplice tools. For the uptrack-updates-version* packages, specify the versions that are required by the client systems, such as uptrack-updates-5.4.17*. The more specific the RPM versions in the filter, the faster the synchronization and the more disk space is saved on the server.
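
One way to keep the filter specific is to generate it from the kernel releases that the client systems report with uname -r. The following script is an added example, not part of the Oracle documentation; the function name build_ksplice_filter and the input file kernels.txt are hypothetical.

```shell
#!/bin/sh
# Added example: build the -i include filter for spacewalk-repo-sync from a
# list of client kernel releases (one `uname -r` value or version prefix per line).

# Tool packages that every Ksplice synchronization must include.
KSPLICE_TOOLS='ksplice-*,python-ksplice-*,uptrack-offline-*'

# Reads releases on stdin and prints the filter string. Blank lines and
# '#' comments are skipped and duplicates collapse to one pattern. Input that
# does not look like a kernel release (wildcards, commas, shell characters)
# is rejected so that stray text cannot widen the filter.
build_ksplice_filter() {
    filter=$KSPLICE_TOOLS
    releases=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | LC_ALL=C sort -u)
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        case $rel in
            *[!A-Za-z0-9._+-]* | [!0-9]*)
                echo "rejected kernel release: $rel" >&2
                return 1 ;;
        esac
        filter="$filter,uptrack-updates-$rel*"
    done <<EOF
$releases
EOF
    printf '%s\n' "$filter"
}

# Usage on the Oracle Linux Manager server:
#   sudo spacewalk-repo-sync -c channel_label -n -i "$(build_ksplice_filter < kernels.txt)"
```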

For the best synchronization performance, have all Oracle Linux Manager servers run an identical base kernel version at each upgrade point on the disks.