Using the ksplice Command For the Ksplice Enhanced Client

Summary

You manage the Ksplice Enhanced client by using the ksplice command. Use this command instead of the uptrack commands that are used with the traditional Ksplice Uptrack client. The ksplice command can perform user space patching, in addition to kernel patching.

Usage

The ksplice command performs actions on the following subsystems:

  • kernel: action is performed on the kernel subsystem only
  • user: action is performed on the user space subsystem only
  • xen: action is performed on the Xen hypervisor subsystem only
  • all: action is performed on all subsystems

Actions, in the form of subcommands, include:

  • list-targets: list the available targets that can be patched by the client
  • show: show updates that have already been applied by the client
  • apply: apply an update to the system specified by an update path
  • undo: undo an update to the system specified by a unique Ksplice identifier
  • upgrade: update the system with all available Ksplice updates
  • remove: remove updates either by specified Ksplice identifiers or by using the --all option to remove all updates

Command syntax is as follows:

ksplice [OPTIONS] SUBSYSTEM SUBCOMMAND

See the ksplice(8) manual page for more information.

Ksplice Subcommands

  • List targets.

    To display all the running user space processes that the client can patch, use the ksplice all list-targets command, for example:

    sudo ksplice all list-targets

    Output might appear as follows:

    User-space targets:
    
    glibc-libm-2.34.100.0.1.ksplice1.el9_4.2:
     - crond (46435)
     - ksplice (51778)
    
    glibc-libc-2.34.100.0.1.ksplice1.el9_4.2:
     - crond (46435)
     - ksplice (51778)
     - less (51781)
    
    openssl-libssl-3.0.7.27.0.3.ksplice1.el9:
     - ksplice (51778)
    
    openssl-libcrypto-3.0.7.27.0.3.ksplice1.el9:
     - ksplice (51778)
    
    
    Kernel version: Linux/x86_64/5.15.0-206.153.7.el9uek.x86_64/#2 SMP Thu May 9 15:59:05 PDT 2024

    To display only the Xen hypervisor targets that the client can patch, use the ksplice xen list-targets command:

    sudo ksplice xen list-targets

    For each Ksplice-aware library, the command reports the running processes that would be affected by an update. The command also reports the effective version of the loaded kernel.

  • Show updates.

    To display the updates that have been applied to the system, use the ksplice all show command:

    sudo ksplice all show

    Output might appear as follows:

    Ksplice user-space updates:
    chronyd (705)
    httpd (1503)
      ├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
      └─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().
    
    Ksplice kernel updates:
    Installed updates:
    [nf9nfyzj] Enablement update for live patching.
    [fe2qyrtu] Denial-of-service when checking if an address is a jump label.
    [bvjiimlr] Enable livepatching of jump labels.
    [id9g0y8c] Known exploit detection.
    [aq4p03vt] Known exploit detection for CVE-2019-9213.
    [pjd4ekqc] Known exploit detection for CVE-2017-1000253.
    [syt1v7t7] Known exploit detection for CVE-2022-0847.
    [rpa4ixvy] Known exploit detection for CVE-2022-27666.
    [hisf1nu9] Known exploit detection for CVE-2016-5195.
    ...
    [gsf5wlo8] CVE-2024-36934: Information leak in QLogic BR-series Ethernet driver.
    [e12zrdy5] CVE-2024-36919: Denial-of-service in QLogic Fiber-Channel-over-Ethernet offload driver.
    [ednh9erf] CVE-2024-36904: Remote code execution in TCP/IP networking stack.
    [8vkhpraf] CVE-2024-27398: Denial-of-service in Bluetooth Classic (BR/EDR) features.
    
    Effective kernel version is 5.15.0-208.159.3.el9uek

    The command reports the updates that have been applied to running processes, and the updates to the kernel. In the example output, Ksplice applied updates for CVE-2014-7817 and CVE-2015-1781 to some user space processes.

    To restrict the scope of the ksplice command to user space updates or kernel updates, specify user or kernel instead of all with the command.

    To restrict the ksplice command to only the Xen hypervisor, specify xen instead of all with the command.

    To display the updates that have been applied to a process specified by its PID, use the --pid=$PID option with the ksplice user show command:

    sudo ksplice user show --pid=705

    Output similar to the following is displayed:

    chronyd (705)
      ├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
      └─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().

  • Remove updates.

    Use the remove subcommand to remove all the updates from a process, for example:

    sudo ksplice user remove --all --pid=705

    To remove a specific update that Ksplice has applied to a process, use the undo subcommand:

    sudo ksplice user undo --pid=705 h73qvumn

    Note:

    You can prevent Ksplice from patching specified executables and libraries. See Preventing the Ksplice Enhanced Client From Patching User Space Processes and Libraries.

    Ksplice patches are stored in the /var/cache/uptrack directory. Following a reboot, Ksplice automatically reapplies these patches early in the boot process before the network is configured so that the system is hardened before any remote connections can be established.

  • List and install available updates.

    To list all the available Ksplice updates, use the upgrade subcommand:

    sudo ksplice -n kernel upgrade

    To install all the available Ksplice updates, use the upgrade subcommand as follows:

    sudo ksplice -y user upgrade

    To list all the available Ksplice updates for the Xen hypervisor, use the upgrade subcommand:

    sudo ksplice -n xen upgrade

  • Show kernel version.

    After Ksplice applies updates to a running kernel, the kernel has an effective version that's different from the original boot version displayed by the uname -a command.

    Use the ksplice kernel uname -r command to display the effective version of the kernel:

    sudo ksplice kernel uname -r
    3.8.13-55.1.1.el6uek.x86_64

    The ksplice kernel uname command supports the commonly used uname flags, including -a and -r, and also provides a way for applications to detect that the kernel has been patched. The effective version is based on the version number of the latest patch that Ksplice Uptrack has applied to the kernel.
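    As an added example (not part of the Oracle documentation or the ksplice tool itself), the following POSIX shell functions parse the ksplice all show output shown above to list the CVEs that have actually been patched, read the effective kernel version, and flag any required CVE that is not yet covered. The sample output embedded in the script is constructed from the example above; in practice you would feed in the live command output.

```shell
#!/bin/sh
# Constructed sample of `ksplice all show` output (abridged from the
# documentation example); replace with "$(sudo ksplice all show)" in use.
SAMPLE_SHOW='Ksplice user-space updates:
chronyd (705)
httpd (1503)
  ├─ [h73qvumn]: CVE-2014-7817: Command execution in wordexp().
  └─ [ml55ngz4]: CVE-2015-1781: Privilege escalation in gethostbyname_r().

Ksplice kernel updates:
Installed updates:
[nf9nfyzj] Enablement update for live patching.
[aq4p03vt] Known exploit detection for CVE-2019-9213.
[ednh9erf] CVE-2024-36904: Remote code execution in TCP/IP networking stack.

Effective kernel version is 5.15.0-208.159.3.el9uek'

# CVE identifiers of applied fixes, one per line, sorted and deduplicated.
# "Known exploit detection" entries are skipped: they detect exploitation
# attempts against a CVE but are not a fix for it.
patched_cves() {
    printf '%s\n' "$1" | LC_ALL=C grep -v 'Known exploit detection' \
        | LC_ALL=C grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Effective kernel version as printed on the last line of the show output.
effective_kernel() {
    printf '%s\n' "$1" | sed -n 's/^Effective kernel version is //p'
}

# $1: show output, $2: space-separated list of CVEs that must be patched.
# Prints each missing CVE; returns 0 only when nothing is missing.
check_cves() {
    _have=$(patched_cves "$1")
    _missing=0
    for cve in $2; do
        if ! printf '%s\n' "$_have" | grep -qx "$cve"; then
            echo "MISSING: $cve"
            _missing=1
        fi
    done
    return $_missing
}

# Demonstration on the constructed sample (CVE-2024-27398 is not in it).
if check_cves "$SAMPLE_SHOW" "CVE-2024-36904 CVE-2015-1781 CVE-2024-27398"; then
    echo "all required CVEs patched on kernel $(effective_kernel "$SAMPLE_SHOW")"
else
    echo "coverage gap on kernel $(effective_kernel "$SAMPLE_SHOW")"
fi
```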

Example 3-1 Example Usage

The following examples show ways in which you can view information about Ksplice updates and administer Ksplice updates on a system.

View the updates that Ksplice Uptrack has made to the running kernel:

sudo ksplice kernel show

View the updates that Ksplice Uptrack has made to the Xen hypervisor:

sudo ksplice xen show

View the updates that are available to be installed:

sudo ksplice kernel show --available

Remove all updates from the kernel:

sudo ksplice kernel remove --all

Remove all updates from the Xen hypervisor:

sudo ksplice xen remove --all

To prevent Ksplice from reapplying the updates at the next system reboot, create the empty file /etc/uptrack/disable:

touch /etc/uptrack/disable

Or, you can specify nouptrack as a parameter on the boot command line when you next restart the system.