4 Using the Ksplice Uptrack Client

Note:

Some examples use the yum command. For Oracle Linux 8 or Oracle Linux 9, use the dnf command, as appropriate.

Installing Ksplice Uptrack from ULN

Note:

If using Oracle Cloud Infrastructure, Ksplice is already installed by default (on all Oracle Linux instances launched after August 25, 2017). For more information, see Oracle Ksplice on Oracle Cloud Infrastructure.

  1. Verify the system meets requirements:

    • Must have access to the internet.

    • Must be registered with ULN.

    • Must be running a supported Oracle Linux release, with a supported version of either UEK or RHCK installed. You can verify the kernel version by using the uname -a command. For more details, see Maintained Kernels.

    • Ensure that the currently running kernel is also the kernel you want to update, as Ksplice Uptrack applies updates to the running kernel only.

  2. Log in as the root user on the system.

  3. If you use an Internet proxy, configure the HTTP and HTTPS settings for the proxy in the shell.

    • For the sh, ksh, or bash shells, use commands such as the following:

      http_proxy=http://proxy_URL:http_port
      https_proxy=http://proxy_URL:https_port
      export http_proxy https_proxy

    • For the csh shell, use commands such as the following:

      setenv http_proxy http://proxy_URL:http_port
      setenv https_proxy http://proxy_URL:https_port

  4. Using a browser, log in at https://linux.oracle.com with your ULN user name and password, then follow these steps:

    1. On the Systems tab, click the link that is named for your system in the list of registered machines.

    2. On the System Details page, click Manage Subscriptions.

    3. On the System Summary page, from the list of available channels, select the appropriate Ksplice for Oracle Linux channel for your Oracle Linux release and system architecture (i386 or x86_64).

    4. Click the right arrow (>) to move your selection to the list of subscribed channels.

    5. Save the subscription and log out of ULN.

  5. On your system, use the yum command to install the uptrack package.

    sudo yum install -y uptrack

    The access key for Ksplice Uptrack is retrieved from ULN and added to /etc/uptrack/uptrack.conf, for example:

    [Auth]
    accesskey = 0e1859ad8aea14b0b4306349142ce9160353297daee30240dab4d61f4ea4e59b

  6. To enable automatic installation of updates, change the value of the autoinstall entry in the /etc/uptrack/uptrack.conf file from no to yes:

    autoinstall = yes

For information about configuring Ksplice Uptrack, see Configuring the Ksplice Uptrack Client.

For information about managing Ksplice updates, see Using the uptrack-upgrade Command to Manage Ksplice Updates.

Configuring the Ksplice Uptrack Client

The configuration file for both the Ksplice Uptrack client and the Ksplice Enhanced client is /etc/uptrack/uptrack.conf. You can modify this file to configure a proxy server, install updates automatically at boot time, and check for and apply new updates automatically.

If your system is registered with the Ksplice Uptrack repository, the client communicates with the Uptrack server by connecting to https://updates.ksplice.com:443. You can either configure your firewall to allow the connection through port 443, or you can configure the client to use a proxy server. To configure the client to use a proxy server, set the following entry in the /etc/uptrack/uptrack.conf file:

https_proxy = https://proxy_URL:https_port

You receive an email notification when Ksplice updates are available for your system.

To instruct the client to install all updates automatically, as they become available, set the following entry in the /etc/uptrack/uptrack.conf file:

autoinstall = yes

Note:

Enabling the automatic installation of updates does not automatically update the Ksplice client itself. Oracle notifies you by email when you can upgrade the Ksplice software by using the yum command.

Setting the autoinstall entry value to yes also installs updates automatically at boot time. When you boot the system, the /etc/init.d/uptrack script reapplies the installed Ksplice updates.

To install all available updates at boot time, uncomment the following entry in the /etc/uptrack/uptrack.conf file:

upgrade_on_reboot = yes

Note:

The upgrade_on_reboot setting is not implemented for user space updates.

Using the uptrack-upgrade Command to Manage Ksplice Updates

Use the uptrack command to manage the Ksplice Uptrack Client. For the Enhanced Client, see Using the ksplice Command to Manage the Ksplice Enhanced Client.

List all available updates

sudo uptrack-upgrade -n

Install all available Ksplice updates

sudo uptrack-upgrade -y

Display the effective version of the kernel

sudo uptrack-uname -r

You can compare this to the original boot version displayed by the uname -a command.

The uptrack-uname command supports commonly used uname flags, including -a and -r, and also provides a way for applications to detect that the kernel has been patched. The effective version is based on the version number of the latest patch that Ksplice has applied to the kernel.

View updates made to running kernel

uptrack-show

View the updates that are available for installation

uptrack-show --available

Remove all of the updates from the kernel

sudo uptrack-remove --all

Prevent Ksplice from reapplying the updates at the next system reboot by creating the empty file /etc/uptrack/disable

sudo touch /etc/uptrack/disable

Alternatively, you can specify the nouptrack argument as a parameter on the boot command line when you next reboot the system.

Updating the Ksplice Uptrack Client to a Specific Effective Kernel Version

You might want to limit the set of updates that uptrack-upgrade installs. For example, the security policy at your site might require a senior administrator to approve Ksplice updates before you can install these updates on production systems. In such cases, you can direct uptrack-upgrade to upgrade to a specific effective kernel version instead of the latest available version.

Note:

You can only select a specific effective version when using the offline Ksplice client and offline update RPM packages. This ability enables production systems to remain at a tested update level temporarily, while the latest updates are tested in an integration or UAT environment.

  1. Install the uptrack-updates package for the current kernel.

    sudo yum -y install uptrack-updates-`uname -r`

    Important:

    If you have booted the most recent available kernel and no Ksplice updates are available, this command may fail or may return an error message notifying you that your kernel version is not yet supported by Ksplice Uptrack. This command only succeeds when Ksplice updates are available for the kernel that you are running.

  2. Use the uptrack-uname -r command to display the current effective kernel version:

    sudo uptrack-uname -r

  3. To list all of the effective kernel versions that are available, specify the --list-effective option to the uptrack-upgrade command, for example:

    sudo uptrack-upgrade --list-effective

    Output similar to the following is displayed:

    Available effective kernel versions:
    
    3.8.13-44.1.1.el6uek.x86_64/#2 SMP Wed Sep 10 06:10:25 PDT 2014
    3.8.13-44.1.3.el6uek.x86_64/#2 SMP Wed Oct 15 19:53:10 PDT 2014
    3.8.13-44.1.4.el6uek.x86_64/#2 SMP Wed Oct 29 23:58:06 PDT 2014
    3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014
    3.8.13-55.el6uek.x86_64/#2 SMP Mon Dec 1 11:32:40 PST 2014
    3.8.13-55.1.1.el6uek.x86_64/#2 SMP Thu Dec 11 00:20:49 PST 2014

  4. Remove the installed updates to revert the effective kernel version to the earliest that is available, which is 44.1.1 in the following example:

    sudo uptrack-remove --all
    sudo uptrack-uname -r

    The current effective kernel version is displayed:

    3.8.13-44.1.1.el6uek.x86_64

  5. You can set the effective kernel version that you want the system to use by using either of the following methods:

    • Specify the --effective option to the uptrack-upgrade command.

      For example, if you want to update from 44.1.1 to 44.1.5 instead of updating to the latest 55.1.1, use the --effective option to specify 44.1.5:

      sudo uptrack-upgrade --effective="3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014"

      The effective kernel version is displayed after the upgrade:

      ...
      Effective kernel version is 3.8.13-44.1.5.el6uek

      You can check that the effective kernel version matches:

      sudo uptrack-uname -r

      Output similar to the following is displayed:

      3.8.13-44.1.5.el6uek.x86_64

      This method is suitable for setting the effective kernel version on individual systems.

    • Use the effective_version option in the /etc/uptrack/uptrack.conf file to set an effective package version for the uptrack-upgrade command. This method works the same as specifying --effective on the command line.

      Because uptrack-upgrade runs automatically whenever you update the uptrack-updates package on a system, the following entry would limit the effective kernel version to 44.1.5:

      effective_version = 3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014

      This method is convenient for setting the effective version for a package on multiple production systems, where the content of the /etc/uptrack/uptrack.conf file can be obtained from a centrally maintained primary copy.
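
The pin described in this procedure can be verified per host. The following shell functions are an added example, not part of the original documentation or of Oracle's tooling: they read the active effective_version entry from uptrack.conf and compare its release part with the value that uptrack-uname -r reports. The function names and the sample file are constructed; that the text before the "/" equals the uptrack-uname -r output is taken from the sample output on this page, and the [Settings] section name is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper names): detect drift from an approved
# effective kernel version pinned in uptrack.conf.

# conf_get FILE KEY: print the value of the last active "KEY = value" line.
# Lines that start with "#" or ";" (such as the commented upgrade_on_reboot
# entry) and section headers such as [Auth] are skipped. Only leading comment
# markers are honoured, because effective_version values contain "#".
conf_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { next }
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1)
            v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# pinned_release FILE: release part of effective_version (text before "/"),
# which is the form uptrack-uname -r prints in the sample output on this page.
pinned_release() {
    conf_get "$1" effective_version | sed 's|/.*$||'
}

# check_pin FILE RUNNING_EFFECTIVE: print unpinned, match or drift.
check_pin() {
    pin=$(pinned_release "$1")
    if [ -z "$pin" ]; then
        echo unpinned   # uptrack-upgrade would move to the latest version
    elif [ "$pin" = "$2" ]; then
        echo match
    else
        echo drift
    fi
}

# Constructed sample file. On a real host, pass /etc/uptrack/uptrack.conf
# and "$(uptrack-uname -r)" instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Auth]
accesskey = CONSTRUCTED_PLACEHOLDER

[Settings]
autoinstall = no
# upgrade_on_reboot = yes
effective_version = 3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014
EOF
echo "autoinstall:    $(conf_get "$sample" autoinstall)"
echo "approved:       $(pinned_release "$sample")"
echo "host at 55.1.1: $(check_pin "$sample" 3.8.13-55.1.1.el6uek.x86_64)"
rm -f "$sample"
```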

Switching Between Online and Offline Ksplice Uptrack Installation Modes

To switch from one Ksplice client software version (or mode) to another Ksplice software version, for example, switch from a Ksplice online installation to a Ksplice offline installation, you must first remove the existing Ksplice client software from the system. You can then install the new version of the Ksplice client software.

Caution:

Failure to remove an existing Ksplice client software version prior to installing a new Ksplice client software version results in transaction check errors during the package installation process.

For example, if you have the Ksplice Uptrack client software installed on the system and you want to install the offline version of the Ksplice Enhanced client software, you would need to first remove the Ksplice Uptrack client software, and then install the Ksplice offline Enhanced client software, for example:

sudo yum remove uptrack ksplice-tools
sudo yum install ksplice-offline

To switch from an offline installation to an online installation, for example, to switch from the offline Ksplice Uptrack client software to the Ksplice Uptrack (online) client software, use the following commands:

sudo yum remove ksplice-offline ksplice-tools
sudo yum install uptrack

Configuring Ksplice Uptrack Clients for Offline Mode

The offline Ksplice client eliminates the need for having a server on your intranet that has a direct connection to the Oracle Uptrack server. Also, a Ksplice offline client does not require a network connection to be able to apply the update package to the kernel. For example, you could use the yum command to install the update package directly from a memory stick.

For more information about running Ksplice offline, see About Ksplice Offline Mode.

  1. Before proceeding, you must configure a local ULN mirror.

  2. Import the GPG key:

    sudo rpm --import /usr/share/rhn/RPM-GPG-KEY

  3. Set up a local ULN mirror:

    • Disable any existing yum repositories configured in the /etc/yum.repos.d directory. You can either edit any existing repository files and disable all entries by setting enabled=0 or you can use yum-config-manager:

      sudo yum-config-manager --disable \*

      Alternately, you can rename any of the files in this directory so that they do not use the .repo suffix. This causes yum to ignore these entries. For example:

      cd /etc/yum.repos.d
      for i in *.repo; do sudo mv "$i" "$i.disabled"; done

    • In the /etc/yum.repos.d directory, create the file local-yum.repo, which contains entries such as the following for an Oracle Linux 7 yum client:

      [local_ol7_x86_64_ksplice]
      name=Ksplice for Oracle Linux $releasever - $basearch
      baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/ksplice/$basearch/
      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
      gpgcheck=1
      enabled=1
      
      [local_ol7_latest]
      name=Oracle Linux $releasever - $basearch - latest
      baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/latest/$basearch/
      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
      gpgcheck=1
      enabled=1
      
      [local_ol7_UEKR5_latest]
      name=Unbreakable Enterprise Kernel Release 5 for Oracle Linux $releasever - $basearch - latest
      baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/UEKR5/latest/$basearch/
      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
      gpgcheck=1
      enabled=1
      
      [local_ol7_addons]
      name=Oracle Linux $releasever - $basearch - addons
      baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/addons/$basearch/
      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
      gpgcheck=1
      enabled=1

      • To distinguish the local repositories from the ULN repositories, prefix the labels of their entries with a string such as local_.

      • Replace local_uln_mirror with the IP address or resolvable host name of the local ULN mirror.

      • The example configuration enables the local_ol7_x86_64_ksplice, local_ol7_latest, local_ol7_UEKR5_latest, and local_ol7_addons channels.

        Note:

        The Ksplice offline client package is unable to install user space updates, so you should not enable any *_userspace_ksplice channels unless you intend to use the offline version of the Ksplice Enhanced client.

  4. Install the Ksplice offline client package:

    sudo yum -y install uptrack-offline

  5. Test the configuration:

    1. Clear the yum metadata cache.

      sudo yum clean metadata

    2. Verify the configuration.

      sudo yum repolist

      Note:

      If the yum command cannot connect to the local ULN mirror, check that the firewall settings on the local ULN mirror server allow incoming TCP connections to the HTTP port (usually, port 80).

  6. Install the Ksplice updates that are available for the kernel.

    sudo yum -y install uptrack-updates-`uname -r`

    As new Ksplice updates are made available, use the same command to pick up and apply these updates. You should set up an anacron script to perform this task. For example, the following script named uptrack-updates in /etc/cron.daily would run one time daily:

    #!/bin/sh
    yum -y install uptrack-updates-`uname -r`
    exit 0

    Important:

    The script must be executable and be owned by root. Also, you must include the -y option with the yum command when using a script; otherwise, the command hangs and waits for user input.

To display information about Ksplice updates, use the rpm -qa | grep uptrack-updates and uptrack-show commands.
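
The sample local-yum.repo entries fetch packages from the local mirror over plain HTTP, so the RPM signature check (gpgcheck=1 together with a gpgkey entry) is what authenticates the packages that the offline client installs. The following shell functions are an added example, not part of the original documentation: they flag enabled repository sections that lack that check. The function names, the constructed_* sections and the policy that each section must set gpgcheck=1 itself are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): flag enabled yum repositories in
# a .repo file that would install packages without a signature check.

# _repo_report: emit a finding for the section collected by repo_audit.
_repo_report() {
    [ -n "$name" ] || return 0
    [ "$enabled" != "0" ] || return 0
    if [ "$gpgcheck" != "1" ]; then
        echo "$name: gpgcheck is not set to 1"
    elif [ -z "$gpgkey" ]; then
        echo "$name: gpgcheck=1 but no gpgkey entry"
    fi
}

# repo_audit FILE: walk the sections of FILE and print one finding per line.
# Policy assumption: every enabled section sets gpgcheck=1 itself rather than
# inheriting the [main] default from yum.conf.
repo_audit() {
    name=""; enabled=1; gpgcheck=""; gpgkey=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d ' \t')   # tolerate "key = value"
        case $line in
            \#*) ;;                                  # comment line
            \[*\])
                _repo_report                         # close previous section
                name=${line#\[}; name=${name%\]}
                enabled=1; gpgcheck=""; gpgkey="" ;;
            enabled=*)  enabled=${line#enabled=} ;;
            gpgcheck=*) gpgcheck=${line#gpgcheck=} ;;
            gpgkey=*)   gpgkey=${line#gpgkey=} ;;
        esac
    done < "$1"
    _repo_report                                     # close last section
}

# Constructed sample: the first section is copied from this page, the two
# constructed_* sections are made up to show a finding and a skipped entry.
repo=$(mktemp)
cat > "$repo" <<'EOF'
[local_ol7_x86_64_ksplice]
name=Ksplice for Oracle Linux $releasever - $basearch
baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/ksplice/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
gpgcheck=1
enabled=1

[constructed_unsigned]
baseurl=http://local_uln_mirror/yum/constructed/
gpgcheck=0
enabled=1

[constructed_disabled]
baseurl=http://local_uln_mirror/yum/constructed2/
gpgcheck=0
enabled=0
EOF
repo_audit "$repo"
rm -f "$repo"
```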

Using the SNMP Plugin for Ksplice Uptrack

The SNMP plugin for Ksplice enables you to use Oracle Enterprise Manager to monitor the status of Ksplice on your systems. It also works with any monitoring solution that is compatible with SNMP.

Installing and Configuring the SNMP Plugin

Install the SNMP plugin on the system that you want to monitor.

  1. Verify the system meets all prerequisites:

    • The net-snmp package must be installed.

    • The net-snmp-utils package must be installed if you want to be able to test the configuration using the snmpwalk command.

    • The snmpd service must be configured to start automatically.

    • SELinux must either be disabled or set to permissive mode on the system.

  2. Subscribe the system to the appropriate Ksplice channel for the installed Oracle Linux distribution and system architecture, for example, ol6_x86_64_ksplice for Oracle Linux 6 on x86_64.

  3. As the root user, install the ksplice-snmp-plugin package on the system:

    sudo yum -y install ksplice-snmp-plugin

  4. (Optional) If you plan to test the configuration by using the snmpwalk command, install the net-snmp-utils package as follows:

    sudo yum -y install net-snmp-utils

  5. Configure the system to use the SNMP plugin by editing the /etc/snmp/snmpd.conf file.

    The following example shows how the entries in this file might look on an Oracle Linux 6 system:

    # Setting up permissions
    # ======================
    com2sec local localhost public
    com2sec mynet source public
    
    group local v1 local
    group local v2c local
    group local usm local
    group mynet v1  mynet
    group mynet v2c mynet
    group mynet usm mynet
    
    view all included .1 80
    
    access mynet "" any noauth exact all none none
    access local "" any noauth exact all all none
    
    syslocation Oracle Linux 6
    syscontact sysadmin <root@localhost>
    
    # Load the plugin
    # ===============
    dlmod kspliceUptrack /usr/lib/ksplice-snmp/kspliceUptrack.so

    1. In the com2sec mynet community entry, replace source with the IP address or resolvable host name of the server that hosts the SNMP monitoring software, or with a subnet address represented as IP_address/netmask, for example, com2sec mynet 192.168.10.0/24 private.

      For IPv6 configuration, specify an IPv6 address and netmask in a com2sec6 mynet community entry, for example, com2sec6 mynet fec0::/64 private.

    2. In the syslocation entry, replace the argument with an identifier for the system being monitored.

    3. In the dlmod entry that loads the kspliceUptrack.so plugin, replace the lib path element with lib on a 32-bit system and lib64 on a 64-bit system.

    This sample configuration file is suitable for the purposes of testing. It grants access with the public community string at the noauth security level, so tighten these entries before using the configuration outside a test environment.

  6. Restart the SNMP service:

    sudo systemctl restart snmpd

    For an Oracle Linux 6 client, use the following command:

    sudo service snmpd restart

For information about configuring SNMP, refer to the documentation at https://www.net-snmp.org/docs/readmefiles.html. See also the snmpd(8) and snmpd.conf(5) manual pages.

Testing the SNMP Plugin

You can use the snmpwalk command to check information and test the SNMP plugin.

  1. Display the installed version of Ksplice.

    snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceVersion

    Sample output:

    KSPLICE-UPTRACK-MIB::kspliceVersion.0 = STRING: 1.2.12

  2. Check if available updates for a kernel have been installed.

    snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceStatus

    Sample output (which shows the kernel is out of date):

    KSPLICE-UPTRACK-MIB::kspliceStatus.0 = STRING: outofdate

  3. Compare the installed kernel with the Ksplice effective version.

    snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceBaseKernel
    snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceEffectiveKernel

    Sample output (which shows the base kernel and effective kernel are the same, implying no updates have been applied):

    KSPLICE-UPTRACK-MIB::kspliceBaseKernel.0 = STRING: 2.6.18-274.3.1.el5
    KSPLICE-UPTRACK-MIB::kspliceEffectiveKernel.0 = STRING: 2.6.18-274.3.1.el5

  4. Display a list of all of the updates that have been applied to the kernel.

    snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::ksplicePatchTable

    In this example, we receive no output, meaning no updates have been applied. This explains why the base and effective kernel versions are identical and why the kernel is out of date.

  5. Display a list of updates that can be installed.

    snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceAvailTable

    Sample output:

    KSPLICE-UPTRACK-MIB::kspliceavailIndex.0 = INTEGER: 0
    KSPLICE-UPTRACK-MIB::kspliceavailIndex.1 = INTEGER: 1
    KSPLICE-UPTRACK-MIB::kspliceavailIndex.2 = INTEGER: 2
    ...
    KSPLICE-UPTRACK-MIB::kspliceavailDesc.23 = STRING: CVE-2011-4325: Denial of service in NFS direct-io.
    KSPLICE-UPTRACK-MIB::kspliceavailDesc.24 = STRING: CVE-2011-4348: Socking locking race in SCTP.
    KSPLICE-UPTRACK-MIB::kspliceavailDesc.25 = STRING: CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.

  6. After fully upgrading your kernel by using Ksplice Uptrack, you can run the following snmpwalk commands to verify that the kernel is up to date.

    snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceStatus

    Sample output:

    KSPLICE-UPTRACK-MIB::kspliceStatus.0 = STRING: uptodate

  7. Check that there are no updates available for installation, and also that the patches have been applied.

    snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceAvailTable
    snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::ksplicePatchTable

    Output similar to the following is displayed:

    KSPLICE-UPTRACK-MIB::ksplicepatchIndex.0 = INTEGER: 0
    KSPLICE-UPTRACK-MIB::ksplicepatchIndex.1 = INTEGER: 1
    KSPLICE-UPTRACK-MIB::ksplicepatchIndex.2 = INTEGER: 2
    ...
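
The checks in this procedure can be folded into one monitoring summary per host. The following shell functions are an added example, not part of the original documentation or of the plugin: they read saved snmpwalk output for the KSPLICE-UPTRACK-MIB objects shown above and report the status, whether any update has been applied, and which CVE identifiers are still pending. The function names are hypothetical and the sample input is constructed from the sample output on this page.

```shell
#!/bin/sh
# Added example (hypothetical helper names): summarise snmpwalk output from
# the KSPLICE-UPTRACK-MIB objects used in the test procedure.

# ksplice_value FILE NAME: value of the scalar KSPLICE-UPTRACK-MIB::NAME.0
ksplice_value() {
    sed -n "s/^KSPLICE-UPTRACK-MIB::$2\.0 = STRING: //p" "$1"
}

# pending_cves FILE: unique CVE ids named in kspliceavailDesc rows, that is,
# fixes that are available but not yet applied to the running kernel.
pending_cves() {
    grep '^KSPLICE-UPTRACK-MIB::kspliceavailDesc\.' "$1" |
        grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
}

# host_state FILE: one line suitable for a monitoring check.
host_state() {
    status=$(ksplice_value "$1" kspliceStatus)
    base=$(ksplice_value "$1" kspliceBaseKernel)
    eff=$(ksplice_value "$1" kspliceEffectiveKernel)
    count=$(pending_cves "$1" | wc -l | tr -d ' ')
    # Equal base and effective versions mean no update has been applied.
    # Missing values (agent unreachable, plugin not loaded) stay "unknown".
    if [ -z "$base" ] || [ -z "$eff" ]; then
        patched=unknown
    elif [ "$base" = "$eff" ]; then
        patched=no
    else
        patched=yes
    fi
    echo "status=${status:-unknown} live_patched=$patched pending_cves=$count"
}

# Constructed input assembled from the sample output on this page. On a real
# host, redirect the snmpwalk commands from the procedure into a file.
walk=$(mktemp)
cat > "$walk" <<'EOF'
KSPLICE-UPTRACK-MIB::kspliceStatus.0 = STRING: outofdate
KSPLICE-UPTRACK-MIB::kspliceBaseKernel.0 = STRING: 2.6.18-274.3.1.el5
KSPLICE-UPTRACK-MIB::kspliceEffectiveKernel.0 = STRING: 2.6.18-274.3.1.el5
KSPLICE-UPTRACK-MIB::kspliceavailIndex.0 = INTEGER: 0
KSPLICE-UPTRACK-MIB::kspliceavailDesc.23 = STRING: CVE-2011-4325: Denial of service in NFS direct-io.
KSPLICE-UPTRACK-MIB::kspliceavailDesc.24 = STRING: CVE-2011-4348: Socking locking race in SCTP.
KSPLICE-UPTRACK-MIB::kspliceavailDesc.25 = STRING: CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
EOF
host_state "$walk"
pending_cves "$walk"
rm -f "$walk"
```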

Removing the Ksplice Uptrack Client Software

To remove the online Ksplice Uptrack software from a system:

sudo yum -y remove uptrack

To remove the offline Ksplice Uptrack software from a system:

sudo yum -y remove uptrack-offline