Chapter 1 About Oracle Ksplice

This chapter provides an overview of Oracle Ksplice and also includes reference information and tasks that you might need to perform in preparation for using Ksplice in Oracle Linux.

Note

Some of the instructions and examples in this document apply to multiple Oracle Linux releases. The examples use the yum command for compatibility with several supported versions of Oracle Linux. If you are running Oracle Linux 8, you may opt to use the dnf command, as appropriate.

1.1 Overview of Oracle Ksplice

Caution

The majority of the installation and configuration instructions that are described in this guide apply only to Oracle Linux releases. If you plan to use Oracle Ksplice to patch the Xen hypervisor on Oracle VM Server 3.4.5 and later releases, refer to the documentation for the Oracle VM release that you are running for further instructions. For example, if you are running Oracle VM 3.4.5, see Updating Oracle VM Server With Oracle Ksplice in the Oracle VM Administration Guide for Release 3.4.

Linux systems receive regular security updates to core operating system components that necessitate patching and rebooting. Traditionally, applying such updates would require you to manually obtain and install the updated RPMs, schedule downtime, and reboot the server to the new package version with any critical updates. However, as system setups become more complex, with many interdependencies, access to services and applications must remain as undisrupted as possible, and scheduling such reboots becomes more difficult and costly.

Ksplice provides a way for you to keep your systems secure and highly available by enabling you to update the running systems with the latest kernel and key user space security and bug fix updates, as well as Xen hypervisor updates on Oracle VM Server 3.4.5, and later.

Note

When using Ksplice to patch the Xen hypervisor on Oracle VM Server 3.4.5 and later, the minimum version that is required is xen-4.4.4-196.el6.x86_64.rpm.

Ksplice updates the running operating system without requiring a reboot. Your systems remain up to date with OS vulnerability patches and downtime is minimized. A Ksplice update takes effect immediately upon application, which is different than an on-disk change that requires a subsequent reboot to take effect. However, note that on-disk updates are still required, even when using Ksplice, to ensure that package binaries are updated to the most recent version and can be used in the event that the system or processes are restarted. On-disk updates are handled by subscribing to Unbreakable Linux Network (ULN) or by using a local ULN mirror.

Oracle creates each Ksplice update from a package update that originates either from Oracle or from the open source community.

1.1.1 Available Architectures

Oracle Ksplice is available for the following platforms:

  • Intel 64-bit (x86_64)

  • AMD 64-bit (x86_64)

  • 64-bit Arm (aarch64)

    Note

    Ksplice on the 64-bit Arm (aarch64) platform is only available with maintained Unbreakable Enterprise Kernel (UEK) releases. For more information, see the release notes for the UEK release that you are running in Unbreakable Enterprise Kernel Documentation.

1.1.2 Kernels Actively Maintained With Ksplice

With Oracle Linux Premier Support or Premier Limited subscriptions, you can use Ksplice to bring Oracle Linux kernels up to date with the latest, important security and bug fix patches. You can also use Ksplice to update and patch kernels from other Linux distributions, provided that they are hosted within Oracle Cloud Infrastructure. The following table shows the distributions and kernel versions that are automatically maintained with Ksplice.

For more information about maintaining kernels that are out of Premier Support, see Section 1.1.3, “Kernels That Are No Longer Actively Maintained With Ksplice”.

Table 1.1 Kernels That Are Actively Maintained With Ksplice

| Kernel Type | On-Premise Availability | Oracle Cloud Infrastructure Availability | Additional Information |
|---|---|---|---|
| UEK R4 starting with 4.1.12-32 (released Jan 25, 2016). | Yes | Yes | Must be version v4.1.12-124.45.6 or later to be actively maintained with Ksplice on Oracle Linux 6. See Section 1.1.3, “Kernels That Are No Longer Actively Maintained With Ksplice” for more information. |
| UEK R5 (x86_64) starting with 4.14.35-1818.0.9 (released Jun 20, 2018). | Yes | Yes | |
| UEK R5 (aarch64) starting with 4.14.35-1902.300.11 (released Mar 18, 2020). | Yes | Yes | |
| UEK R6 (x86_64) starting with 5.4.17-2011.1.2 (released Apr 27, 2020). | Yes | Yes | |
| UEK R6 (aarch64) starting with 5.4.17-2011.0.7 (released Mar 17, 2020). | Yes | Yes | |
| Oracle Linux 8 Red Hat Compatible Kernels (RHCK) starting with the official release. | Yes | Yes | |
| Oracle Linux 7 Red Hat Compatible Kernels (RHCK) starting with the official release. | Yes | Yes | |
| Oracle Linux 6 Red Hat Compatible Kernels (RHCK) starting with the official release. | Yes | Yes | Must be version 2.6.32-754.35.1 or later to be actively maintained with Ksplice on Oracle Linux 6. See Section 1.1.3, “Kernels That Are No Longer Actively Maintained With Ksplice” for more information. |
| CentOS and RHEL 8 kernels starting with the official release. | Yes | Yes | Support for CentOS Linux 8 kernels is available for online updates only. |
| CentOS and RHEL 7 kernels starting with the official release. | Yes | Yes | Support for CentOS Linux 7 kernels is available for online updates only. |
| Ubuntu 20.04 Focal kernels starting with 5.4.0-37.41 (released Jun 3, 2020). | No | Yes | |
| Ubuntu 19.04 Disco kernels starting with 5.0.0-13.14 (released Apr 16, 2019). | No | Yes | |
| Ubuntu 18.04 Bionic kernels, starting with the official release. | No | Yes | |
| Ubuntu 16.04 LTS Xenial kernels starting with the official release. | No | Yes | |
| Ubuntu kernels starting with 4.15.0-1017.19 with bug fixes or patches already applied by Oracle. | No | Yes | |

Note

If your system is currently running RHEL and you recently migrated to Oracle Linux Premier Support, you can use Ksplice to update the existing RHEL kernel. You do not need to switch to RHCK to use Ksplice kernel patches. These patches are available on ULN as uptrack-updates-kernel_version packages in the Ksplice for Oracle Linux channels.

For questions about supported kernels, send an email to ksplice-support_ww@oracle.com.

1.1.3 Kernels That Are No Longer Actively Maintained With Ksplice

The following kernels are in Extended Support or Sustaining Support. As such, these kernels no longer receive new Ksplice updates on specified Oracle Linux releases. However, note that these kernels continue to be available in Ksplice at the same patch level as they were when Premier Support expired.

If you are an Extended Support customer who is running any of these kernel types on either Oracle Linux 6 or Oracle Linux 7, you should update to the minimum version of UEK R4.

If you wish to maintain any of the following kernels on Oracle Linux 6 or Oracle Linux 7, you will need to manually upgrade them by using the yum update command.

Table 1.2 Kernels No Longer Actively Maintained With Ksplice

| Kernel Type | Kernel Version | Releases No Longer Actively Maintained |
|---|---|---|
| UEK R2 | All versions | Oracle Linux 6 |
| UEK R3 | All Versions | Oracle Linux 6, Oracle Linux 7 |
| UEK R4 | Versions earlier than v4.1.12-124.45.6 | Oracle Linux 6 |
| RHCK | Versions earlier than 2.6.32-754.35.1 | Oracle Linux 6 |
| Kernels shipped in RHEL/CentOS Linux 6 | All versions | RHEL or CentOS Linux 6 |


1.1.4 About Ksplice Updates

The following figure illustrates the life cycle of a Ksplice update for the Linux kernel.

Figure 1.1 Life Cycle of a Ksplice Update

Per the previous figure, when a critical bug or security vulnerability is discovered in the Linux kernel, Oracle produces a new kernel release and prepares a rebootless update corresponding to that release. The rebootless update is securely distributed by using the Oracle Ksplice Uptrack server and ULN, and is then applied to your systems by the Ksplice Uptrack client or Ksplice Enhanced client, with zero downtime. Your infrastructure is again up to date and secure.

Note

The Ksplice Uptrack API does not currently support user space or Xen updates. However, the online version of the Ksplice Enhanced client can patch shared libraries for user space processes that are running on an Oracle Linux 6, Oracle Linux 7, or Oracle Linux 8 system.

1.1.5 Patching and Updating a System

Ksplice patches enable you to keep a system up to date while it is running. Note that you must continue to install the regular kernel packages for released errata that are made available from ULN or the Oracle Linux yum server so that the kernel is also updated on disk. Your system is then ready for the next maintenance window or reboot. When you restart the system, you can boot it from the newer kernel version. Ksplice Uptrack uses the new kernel as a baseline for applying patches when they become available.

1.1.6 Using Ksplice With Oracle Enterprise Manager

All Oracle Linux systems on which Enterprise Manager Agent is installed and the Ksplice software is configured can be monitored and managed through Oracle Enterprise Manager, within the Oracle Linux Home Ksplice region of the Enterprise Manager user interface (UI).

To learn more about using Oracle Enterprise Manager to monitor and use Oracle Ksplice patching on Oracle Linux hosts, see the Oracle Enterprise Manager Lifecycle Management Administrator's Guide at https://docs.oracle.com/cd/cloud-control-13.3/EMLCM/GUID-DA483950-9009-4293-BEF2-2F3C9DAACF33.htm#EMLCM-GUID-DA483950-9009-4293-BEF2-2F3C9DAACF33.

1.2 About the Ksplice Client Software

The following client software types are available for Oracle Ksplice.

For a quick reference to the level of support that each Ksplice client provides and when to use each client, see Section 1.3.1, “Choosing a Ksplice Client”.

1.2.1 About the Ksplice Enhanced Client

The Ksplice Enhanced client is available as both an online and offline client for Oracle Linux 6, Oracle Linux 7, and Oracle Linux 8. The online version of the Ksplice Enhanced client supports kernel and user space updates and can also be used to patch the Xen hypervisor on Oracle VM Server Release 3.4.5, and later.

Note

To use Ksplice to patch the Xen hypervisor on Oracle VM, the minimum Xen hypervisor version that is required is xen-4.4.4-196.el6.x86_64.rpm.

In addition to the kernel updates that are applied by the traditional Ksplice Uptrack client, the Ksplice Enhanced client can patch in-memory pages for the Ksplice-aware glibc and openssl shared libraries for user space processes. User space patching enables you to install bug fixes and protect your system against security vulnerabilities, without having to restart processes and services. Both an online and an offline version of the enhanced client are available.

You manage the Ksplice Enhanced client by using the ksplice command rather than uptrack commands. Note that the Enhanced client shares the same configuration file as the Uptrack client, which is the /etc/uptrack/uptrack.conf file. For more information about this file, see Section 3.3, “Configuring the Ksplice Uptrack Client”.

Be aware of the following important Ksplice limitations:

  • Ksplice reports an error similar to the following if it cannot apply updates to processes that do not have access to the /var/cache/ksplice directory:

    Ksplice was unable to load the update as the target process is in a
    different mount namespace or has changed root.  The service must be
    restarted to apply on-disk updates.
    Extra information: the process has changed root or mount namespace.
      └─ rtkit-daemon (3680)

    This error might typically occur with processes that use chroot or those that run in an LXC or Docker container. In such cases, you must restart the process to apply any available updates. For example, to restart the rtkit-daemon service, you would use the systemctl restart rtkit-daemon command.

    To avoid having to restart a chrooted application that you maintain and compile, ensure that the /var/cache/ksplice directory is bind-mounted in the chrooted environment.

  • Ksplice cannot patch applications that use either setcontext or swapcontext from glibc to perform user space context switching between process threads.

  • Due to certain kernel limitations, Ksplice does not patch the init process (PID 1).

    On Oracle Linux 7, the init process, which is actually systemd, is automatically re-executed on system updates, so it does not require patching with Ksplice.

    On Oracle Linux 6, Upstart is not capable of re-executing itself, so any updates to glibc that can affect Upstart might require a reboot.
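
The first limitation above can be checked before a patch run. The following is an added example, not part of the Oracle documentation or the Ksplice tooling: it compares each process's mount namespace and root with those of a reference process and reports the ones that differ. The function name, the output format, and the use of PID 1 as the reference are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Oracle code. Lists processes that match the condition in
# the Ksplice error above: a different mount namespace, or a changed root.
# Assumption: the reference process (PID 1 by default) shares the namespace and
# root that the ksplice command itself runs in.

# ksplice_unreachable [PROC_DIR] [REF_PID]
# Prints one tab-separated line per flagged process:
#   PID  COMM  REASON  CACHE
# CACHE says whether /var/cache/ksplice exists inside a changed root. That is
# a heuristic: it does not prove the directory is bind-mounted from the host.
ksplice_unreachable() {
    proc=${1:-/proc}
    ref=${2:-1}
    ref_ns=$(readlink "$proc/$ref/ns/mnt") || return 1
    ref_root=$(readlink "$proc/$ref/root") || return 1

    for dir in "$proc"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # Links are unreadable without enough privilege, or if the process
        # exited during the scan; skip those entries.
        ns=$(readlink "$dir/ns/mnt" 2>/dev/null) || continue
        root=$(readlink "$dir/root" 2>/dev/null) || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'

        if [ "$ns" != "$ref_ns" ]; then
            # Containers (LXC, Docker) normally land here.
            printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" mount-namespace n/a
        elif [ "$root" != "$ref_root" ]; then
            # chroot case: look for the cache directory through the
            # process's own root.
            if [ -d "$dir/root/var/cache/ksplice" ]; then
                cache=cache-visible
            else
                cache=cache-missing
            fi
            printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" changed-root "$cache"
        fi
    done
    return 0
}

# Scan the live system only when asked to: sh script.sh --scan (run as root).
if [ "${1:-}" = "--scan" ]; then
    ksplice_unreachable /proc 1
fi
```

Processes reported as mount-namespace or as changed-root with cache-missing are the ones to plan a restart for after on-disk updates are installed.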

The offline version of the Ksplice Enhanced client removes the requirement that a server on your intranet have a direct connection to the Oracle Uptrack server or to ULN. All available Ksplice updates for each supported kernel version or user space package are bundled into an RPM that is specific to that version. This package is updated every time a new Ksplice patch becomes available for the kernel. In this way, you can create a local ULN mirror that acts as a mirror for the Ksplice-aware channels for Oracle Linux on ULN. See Section 2.5, “Configuring the Ksplice Enhanced Client for Offline Mode”.

At regular intervals, you can download the latest Ksplice update packages to this server. After installing the offline Ksplice Enhanced client on your local systems, they can then connect to the local ULN mirror to receive updates. See Section 1.3.4, “Configuring a Local ULN Mirror to Act as a Ksplice Mirror” for more information about configuring a local ULN mirror.

When you have set up a local ULN mirror to act as a Ksplice mirror, you can then configure your other systems to receive yum updates, as well as Ksplice updates. For task-related information, see Chapter 2, Working With the Ksplice Enhanced Client.

1.2.2 About the Ksplice Uptrack Client

The Ksplice Uptrack client is available as both an online and offline client. Ksplice Uptrack enables you to apply the latest kernel security errata for Common Vulnerabilities and Exposures (CVEs) without halting the system or restarting any applications. Ksplice Uptrack applies the updated patches in the background with negligible impact, and usually only requires a pause of a few milliseconds. You can use Ksplice Uptrack and also continue to upgrade your kernel through the usual mechanism, such as running the yum command.

Ksplice Uptrack is freely available for Oracle customers who subscribe to Oracle Linux Premier Support and Oracle Cloud Infrastructure services. If you are an Oracle Linux Basic, Basic Limited, or Network Support subscriber, contact your sales representatives to discuss a potential upgrade of your subscription to a Premier Support plan.

The Ksplice Offline client removes the requirement that a server on your intranet have a direct connection to the Oracle Uptrack server. All of the available Ksplice updates for each supported kernel version are bundled into an RPM that is specific to that version. This package is updated every time a new Ksplice patch becomes available for the kernel.

A Ksplice Offline client does not require a network connection to be able to apply the update package to the kernel. For example, you could use the yum command to install the update package directly from a memory stick. However, a more typical method would be to create a local ULN mirror that acts as a mirror of the Ksplice for Oracle Linux channels on ULN. At regular intervals, you download the latest Ksplice update packages to this server. After installing the Ksplice Offline client on your local systems, the systems can connect to the local ULN mirror to receive updates without requiring access to the Oracle Uptrack server. See Section 3.7, “Working With the Ksplice Uptrack Client in Offline Mode”.

For information about when you might want to use the Ksplice Offline client, see Section 1.3.1, “Choosing a Ksplice Client”.

Note

You cannot use the web interface or the Ksplice Uptrack API to monitor systems that are running Ksplice Offline client, as such systems are not registered with https://status-ksplice.oracle.com/static/landing.html.

1.3 Preparing to Use Oracle Ksplice

The following tasks might be required prior to installing and configuring Ksplice, depending on which Ksplice client you plan to use:

For further details on setting up the Ksplice Enhanced client in offline mode, see Section 2.5, “Configuring the Ksplice Enhanced Client for Offline Mode”. For further details on setting up the Ksplice Uptrack client in offline mode, see Section 3.7.1, “Configuring Ksplice Uptrack Clients for Offline Mode”.

1.3.1 Choosing a Ksplice Client

The following table describes the features that are supported for each Ksplice client type. Refer to this information to determine which Ksplice client best suits your needs.

| Ksplice Client | User Space Support | x86_64 Support | Arm (aarch64) Support | Xen Hypervisor Patching Support | Known Exploit Detection Support | Legacy Compatibility (Pre-acquisition customers) |
|---|---|---|---|---|---|---|
| Ksplice Enhanced Client | Supported | Supported | Supported | Supported on x86_64 platform only | Supported on x86_64 platform only | Not supported |
| Ksplice Uptrack Client | Not supported | Supported | Supported | Not Supported | Not supported | Supported |

Note

For legacy compatibility, Oracle continues to support kernels for various Linux distributions for pre-acquisition customers. For more information, see https://ksplice.oracle.com/legacy#supported-kernels.

1.3.2 About Oracle Ksplice and ULN Registration

To use Oracle Ksplice, your system must have access to the Internet. You must also register your system with ULN prior to using Ksplice, unless the system is configured to use the Oracle Ksplice client as an offline client. If your system is configured to function as an offline client, you will need to configure a local ULN mirror that the client can access to receive updates. For more information, see Section 1.3.4, “Configuring a Local ULN Mirror to Act as a Ksplice Mirror”.

If you have an Oracle Linux Premier support subscription, a Premier Limited support subscription, or an Oracle Premier Support for Systems and Operating Systems subscription and a Customer Support Identifier (CSI), your account is automatically registered to use the Ksplice Uptrack server. Systems that are registered with ULN can install either the Ksplice Enhanced client software or the Ksplice Uptrack client software from ULN to automatically receive updates from the Ksplice Uptrack server. When the Ksplice client is installed, it is allocated an identification key that associates it with the CSI for your account.

If your account has a valid CSI, you can log in to the Ksplice Uptrack server web interface at https://status-ksplice.oracle.com/status/settings by using your Oracle Account credentials. After logging into the server, you can view the status of your registered systems, the patches that have been applied, and the patches that are available. You can also create access control groups for your registered systems.

1.3.3 About Ksplice Channels

The following table describes the channels that are available for Ksplice in Oracle Linux.

| Channel Name | Channel Label | Description |
|---|---|---|
| Ksplice for Oracle Linux 6 (i386) | ol6_i386_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 6 on i386 systems. |
| Ksplice for Oracle Linux 6 (x86_64) | ol6_x86_64_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 6 on x86_64 systems. |
| Ksplice for Oracle Linux 7 (x86_64) | ol7_x86_64_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 7 on x86_64 systems. |
| Ksplice for Oracle Linux 7 (aarch64) | ol7_aarch64_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 7 on aarch64 systems. |
| Ksplice for Oracle Linux 8 (x86_64) | ol8_x86_64_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 8 on x86_64 systems. |
| Ksplice for Oracle Linux 8 (aarch64) | ol8_aarch64_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 8 on aarch64 systems. |
| Ksplice-aware user space packages for Oracle Linux 6 (x86_64) | ol6_x86_64_userspace_ksplice | Latest packages for Ksplice-aware user space packages for Oracle Linux 6 (x86_64). This channel should only be used with the Ksplice Enhanced client. |
| Ksplice-aware user space packages for Oracle Linux 7 (x86_64) | ol7_x86_64_userspace_ksplice | Latest packages for Ksplice-aware user space packages for Oracle Linux 7 (x86_64). This channel should only be used with the Ksplice Enhanced client. |
| Ksplice-aware user space packages for Oracle Linux 7 (aarch64) | ol7_aarch64_userspace_ksplice | Latest packages for Ksplice-aware user space packages for Oracle Linux 7 (aarch64). This channel should only be used with the Ksplice Enhanced client. |
| Ksplice-aware user space packages for Oracle Linux 8 (x86_64) | ol8_x86_64_userspace_ksplice | Latest packages for Ksplice-aware user space packages for Oracle Linux 8 (x86_64). This channel should only be used with the Ksplice Enhanced client. |
| Ksplice-aware user space packages for Oracle Linux 8 (aarch64) | ol8_aarch64_userspace_ksplice | Latest packages for Ksplice-aware user space packages for Oracle Linux 8 (aarch64). This channel should only be used with the Ksplice Enhanced client. |

1.3.4 Configuring a Local ULN Mirror to Act as a Ksplice Mirror

The following procedure describes how to configure a local ULN mirror to act as a Ksplice mirror on an Oracle Linux 7 host. Use this procedure if you are planning to install and configure the Ksplice client as an offline client.

For more information about setting up a local ULN mirror, see Oracle® Linux: Unbreakable Linux Network User's Guide for Oracle Linux 6 and Oracle Linux 7.

Note

If you are setting up a local ULN mirror on an Oracle Linux 8 host, the instructions may vary slightly. Refer to Oracle Linux Software Management Guide for Release 8 for more information.

  1. Using a browser, log in to https://linux.oracle.com, and provide the ULN user name and password that you used to register your system.

  2. On the Systems tab, from the list of registered machines, select the link for your system's name.

  3. On the System Details page, select Edit.

  4. On the Edit System Properties page, select the Yum Server check box, then apply your changes.

  5. On the System Details page, select Manage Subscriptions.

  6. On the System Summary page, select the appropriate channels from the list of available or subscribed channels, then move the channels between the two lists by using the arrows.

  7. Modify the list of subscribed channels to include the Ksplice for Oracle Linux channels that you want to make available to local, offline clients.

    See Section 1.3.3, “About Ksplice Channels”.

  8. When you are finished with the channel selection process, save the subscription and log out of ULN.

1.3.5 Configuring an Oracle Linux Manager Server to Act as a Ksplice Mirror

Note

The following information applies to the configuration of an Oracle Linux Manager server only.

To set up an Oracle Linux Manager server to act as a Ksplice mirror, you must configure the repositories and associated software channels for the Oracle Linux releases and architectures of the systems on which you want to run the Ksplice Offline client. Note that each Ksplice channel should be a child of the appropriate, base software channel. For information about the channels that are available for Ksplice, see Section 1.3.3, “About Ksplice Channels”.

You then need to specify the URL for the appropriate Ksplice channel. For the Oracle Linux 7 (x86_64) channel on ULN, you would specify the URL as follows:

    uln:///ol7_x86_64_ksplice

For more information, see the chapter that describes how to use Ksplice with Oracle Linux Manager in Oracle® Linux Manager: Client Life Cycle Management Guide.