Chapter 1 About Oracle Ksplice

This chapter provides a high-level overview of Oracle Ksplice, including tasks that you might need to perform in preparation for using Ksplice in Oracle Linux.

Note

Some of the instructions and examples in this document apply to multiple Oracle Linux releases. The examples use the yum command for compatibility with several supported versions of Oracle Linux. If you are running Oracle Linux 8, you may opt to use the dnf command, as appropriate.

1.1 Overview of Oracle Ksplice

Caution

The majority of the installation and configuration instructions in this guide apply only to Oracle Linux releases. If you plan to use Oracle Ksplice to patch the Xen hypervisor on Oracle VM Server 3.4.5, and later releases, refer to the documentation for the Oracle VM release that you are running for step-by-step instructions. For example, if you are running Oracle VM 3.4.5, see Updating Oracle VM Server With Oracle Ksplice in the Oracle VM Administration Guide for Release 3.4.

Linux systems receive regular security updates to core operating system components that necessitate patching and rebooting. Traditionally, applying such updates requires you to obtain and install the updated RPMs, schedule downtime, and reboot the server into the new package version with any critical updates. However, as system setups become more complex, with many interdependencies, access to services and applications must remain as undisrupted as possible, and scheduling such reboots becomes more difficult and costly.

Ksplice provides a way for you to keep your systems secure and highly available by enabling you to update the running systems with the latest kernel and key user-space security and bug fix updates, as well as Xen hypervisor updates on Oracle VM Server 3.4.5, and later.

Note

When using Ksplice to patch the Xen hypervisor on Oracle VM Server 3.4.5 and later, the minimum version that is required is xen-4.4.4-196.el6.x86_64.rpm.

Ksplice updates the running operating system without requiring a reboot. Your systems remain up to date with OS vulnerability patches and downtime is minimized. A Ksplice update takes effect immediately upon application, which differs from an on-disk change that requires a subsequent reboot to take effect. However, note that on-disk updates are still required, even when using Ksplice, to ensure that package binaries are updated to the most recent version and can be used in the event that the system or processes are restarted. On-disk updates are handled by subscribing to Unbreakable Linux Network (ULN) or by using a local ULN mirror.

Oracle creates each Ksplice update from a package update that originates either from Oracle or from the open source community.

1.1.1 Supported Architectures

Oracle Ksplice is supported on the following platforms:

  • Intel 64-bit (x86_64)

  • AMD 64-bit (x86_64)

  • 64-bit Arm (aarch64)

    Note

    Ksplice support on the Arm platform is for the Ksplice Uptrack client only.

    Ksplice support on the 64-bit Arm (aarch64) platform is only available with supported Unbreakable Enterprise Kernel (UEK) releases. For more information, see the release notes for the UEK release that you are running in the Unbreakable Enterprise Kernel Documentation Library.

1.1.2 Supported Kernels

You can use Ksplice to bring the Oracle Linux kernels up to date with the latest important security and bug fix patches. You can also use Ksplice to update and patch kernels from other Linux distributions, provided that they are hosted within Oracle Cloud Infrastructure. The following table shows the distributions and kernel versions that are supported with Ksplice.

Table 1.1 Kernels That Are Supported With Ksplice

| Kernel type | On Premise Support | Oracle Cloud Infrastructure Support |
|---|---|---|
| Unbreakable Enterprise Kernel (UEK) versions for all Oracle Linux releases: UEK R2 starting with 2.6.39-100.5.1 (released Mar 13, 2012); UEK R3 starting with 3.8.13-35 (released May 13, 2014); UEK R4 starting with 4.1.12-32 (released Jan 25, 2016); UEK R5 (x86_64) starting with 4.14.35-1818.0.9 (released Jun 20, 2018); UEK R5 (aarch64) starting with 4.14.35-1902.300.11 (released Mar 18, 2020); UEK R6 (x86_64) starting with 5.4.17-2011.1.2 (released Apr 27, 2020); UEK R6 (aarch64) starting with 5.4.17-2011.0.7 (released Mar 17, 2020) | Yes | Yes |
| Oracle Linux 8 Red Hat Compatible Kernels (RHCK) starting with the official release | Yes | Yes |
| Oracle Linux 7 Red Hat Compatible Kernels (RHCK) starting with the official release | Yes | Yes |
| Oracle Linux 6 Red Hat Compatible Kernels (RHCK) starting with the official release | Yes | Yes |
| Oracle Linux 5.11 RHCK starting with 2.6.18-398 (released Sept, 2014 with an Extended Support agreement) | Yes | Not applicable |
| Oracle Linux 5.11 RHCK starting with 2.6.18-398.0.0.0.1 (released Sept, 2014 with bug fixes added by Oracle and an Extended Support agreement) | Yes | Not applicable |
| CentOS and RHEL 8 kernels starting with the official release | No | Yes |
| CentOS and RHEL 7 kernels starting with the official release | No | Yes |
| CentOS and RHEL 6 kernels starting with the official release | No | Yes |
| Ubuntu 20.04 Focal kernels starting with 5.4.0-37.41 (released Jun 3, 2020) | No | Yes |
| Ubuntu 19.04 Disco kernels starting with 5.0.0-13.14 (released Apr 16, 2019) | No | Yes |
| Ubuntu 18.04 Bionic kernels, starting with the official release | No | Yes |
| Ubuntu 16.04 LTS Xenial kernels starting with the official release | No | Yes |
| Ubuntu kernels starting with 4.15.0-1017.19 with bug fixes or patches already applied by Oracle | No | Yes |


Note

If your system is currently running Red Hat Enterprise Linux (RHEL) and you recently migrated to Oracle Linux Premier Support, you can use Ksplice to update the existing RHEL kernel. You do not need to switch to RHCK to use Ksplice kernel patches. These patches are available on ULN as uptrack-updates-kernel_version packages in the Ksplice for Oracle Linux channels.

For questions about supported kernels, send an email to ksplice-support_ww@oracle.com.

1.1.3 About Ksplice Updates

The following figure illustrates the life cycle of a Ksplice update for the Linux kernel.

Figure 1.1 Life Cycle of a Ksplice Update
The figure illustrates the steps in the life cycle of a Ksplice update and is described in the surrounding text.

Per the previous figure, when a critical bug or security vulnerability is discovered in the Linux kernel, Oracle produces a new kernel release and prepares a rebootless update corresponding to that release. The rebootless update is securely distributed by using the Oracle Ksplice Uptrack server and ULN, and is then applied to your systems by the Ksplice Uptrack client or Ksplice Enhanced client, with zero downtime. Your infrastructure is again up to date and secure.

Note

The Ksplice Uptrack API does not currently support userspace or Xen updates. However, the online version of the Ksplice Enhanced client can patch shared libraries for user-space processes that are running on an Oracle Linux 6, Oracle Linux 7, or Oracle Linux 8 system.

1.1.4 Patching and Updating Your System

Ksplice patches enable you to keep a system up to date while it is running. Note that you must continue to install the regular kernel packages for released errata that are made available from ULN or the Oracle Linux yum server so that the kernel is also updated on disk. Your system is then ready for the next maintenance window or reboot. When you restart the system, you can boot it from the newer kernel version. Ksplice Uptrack uses the new kernel as a baseline for applying patches when they become available.

1.1.5 Using Ksplice With Oracle Enterprise Manager

All Oracle Linux systems on which Enterprise Manager Agent is installed and the Ksplice software is configured can be monitored and managed through Oracle Enterprise Manager, within the Oracle Linux Home Ksplice region of the Enterprise Manager user interface (UI).

To learn more about using Oracle Enterprise Manager to monitor and use Oracle Ksplice patching on Oracle Linux hosts, see the Oracle Enterprise Manager Lifecycle Management Administrator's Guide at https://docs.oracle.com/cd/cloud-control-13.3/EMLCM/GUID-DA483950-9009-4293-BEF2-2F3C9DAACF33.htm#EMLCM-GUID-DA483950-9009-4293-BEF2-2F3C9DAACF33.

1.2 About Ksplice Client Software

The following client software types are available for Oracle Ksplice.

For a quick reference to the level of support that each Ksplice client provides and when to use each client, see Section 1.3.1, “Choosing a Ksplice Client”.

1.2.1 About the Ksplice Enhanced Client

The Ksplice Enhanced client is available as both an online and offline client for Oracle Linux 6, Oracle Linux 7, and Oracle Linux 8, but not Oracle Linux 5. The online version of the Ksplice Enhanced client supports kernel and user-space updates and can also be used to patch the Xen hypervisor on Oracle VM Server Release 3.4.5, and later.

Note

To use Ksplice to patch the Xen hypervisor on Oracle VM, the minimum Xen hypervisor version that is required is xen-4.4.4-196.el6.x86_64.rpm.

The Ksplice Enhanced client can patch in-memory pages of Ksplice-aware shared libraries such as glibc and openssl for user-space processes, in addition to the kernel updates that are applied by the traditional Ksplice Uptrack client. User-space patching enables you to install bug fixes and protect your system against security vulnerabilities, without having to restart processes and services. Both an online and an offline version of the enhanced client are available.

You manage the Ksplice Enhanced client by using the ksplice command rather than uptrack commands. Note that the enhanced client shares the same configuration file as the Uptrack client, which is located at /etc/uptrack/uptrack.conf. For more information about this file, see Section 3.3, “Configuring the Ksplice Uptrack Client”.

Note the following important information about Ksplice limitations:

  • Ksplice reports an error similar to the following if it cannot apply updates to processes that do not have access to the /var/cache/ksplice directory:

    Ksplice was unable to load the update as the target process is in a
    different mount namespace or has changed root.  The service must be
    restarted to apply on-disk updates.
    Extra information: the process has changed root or mount namespace.
      └─ rtkit-daemon (3680)

    This error might typically occur with processes that use chroot or those that run in an LXC or Docker container. In such cases, you must restart the process to apply any available updates. For example, to restart the rtkit-daemon service, you would use the systemctl restart rtkit-daemon command.

    To avoid having to restart a chrooted application that you maintain and compile, ensure that the /var/cache/ksplice directory is bind-mounted in the chrooted environment.

  • Ksplice cannot patch applications that use either setcontext or swapcontext from glibc to perform user-space context switching between process threads.

  • Due to certain kernel limitations, Ksplice does not patch the init process (PID 1).

    On Oracle Linux 7, the init process, which is actually systemd, is automatically re-executed on system updates, so it does not require patching with Ksplice.

    On Oracle Linux 6, Upstart is not capable of re-executing itself, so any updates to glibc that can affect Upstart might require a reboot.
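The first limitation above can be checked ahead of time. The following script is an added example, not part of the Oracle documentation or the Ksplice tooling: it lists processes whose mount namespace or root directory differs from that of PID 1, assuming the Ksplice client runs in PID 1's namespace and root. The function names, the reason labels, and the sample process tree (including myapp and nginx) are constructed for illustration.

```bash
#!/bin/bash
# Added example, not Oracle's code. Lists processes whose mount namespace or
# root directory differs from PID 1's.
# Assumption: the Ksplice client runs in PID 1's mount namespace and root.

# ksplice_unreachable [PROC_DIR] -> prints "PID NAME REASON", one per line.
ksplice_unreachable() {
    local proc ref_ns ref_root d pid ns root name
    proc=${1:-/proc}
    # On a real host, reading other users' links requires root.
    ref_ns=$(readlink "$proc/1/ns/mnt") || return 1
    ref_root=$(readlink "$proc/1/root") || return 1
    for d in "$proc"/[0-9]*; do
        pid=${d##*/}
        # Skip processes that exited mid-scan or that we may not inspect.
        ns=$(readlink "$d/ns/mnt" 2>/dev/null) || continue
        root=$(readlink "$d/root" 2>/dev/null) || continue
        name=$(cat "$d/comm" 2>/dev/null) || name='?'
        if [ "$ns" != "$ref_ns" ]; then
            echo "$pid $name mount-namespace"
        elif [ "$root" != "$ref_root" ]; then
            # /proc/PID/root resolves paths the way the process sees them.
            if [ -d "$d/root/var/cache/ksplice" ]; then
                echo "$pid $name chroot:cache-present"
            else
                echo "$pid $name chroot:cache-missing"
            fi
        fi
    done
}

# mkproc DIR PID NAME MNT_NS_ID ROOT: add one fake process entry.
mkproc() {
    mkdir -p "$1/$2/ns"
    echo "$3" > "$1/$2/comm"
    ln -s "mnt:[$4]" "$1/$2/ns/mnt"
    ln -s "$5" "$1/$2/root"
}

# Constructed sample: a fake /proc tree so the example runs offline.
build_sample_proc() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/jail/var/cache/ksplice" "$t/bare"
    mkproc "$t/proc" 1    systemd      4026531840 /
    mkproc "$t/proc" 2210 sshd         4026531840 /
    mkproc "$t/proc" 3680 rtkit-daemon 4026531840 "$t/bare"   # chroot, no cache dir
    mkproc "$t/proc" 4100 myapp        4026531840 "$t/jail"   # chroot with cache dir
    mkproc "$t/proc" 5200 nginx        4026532567 /           # container
    echo "$t/proc"
}

sample=$(build_sample_proc)
ksplice_unreachable "$sample"
rm -rf "${sample%/proc}"
```

On a real host, call `ksplice_unreachable /proc` as root. The processes it lists are candidates for a restart after on-disk updates; cache-present only means the directory exists in the chroot, not that it is a bind mount of the host directory.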

The offline version of the Ksplice Enhanced client removes the requirement that a server on your intranet have a direct connection to the Oracle Uptrack server or to ULN. All available Ksplice updates for each supported kernel version or user-space package are bundled into an RPM that is specific to that version. This package is updated every time a new Ksplice patch becomes available for the kernel. In this way, you can create a local ULN mirror that acts as a mirror for the Ksplice-aware channels for Oracle Linux on ULN. See Section 2.5, “Configuring the Ksplice Enhanced Client for Offline Mode”.

At regular intervals, you can download the latest Ksplice update packages to this server. After installing the offline Ksplice Enhanced client on your local systems, they can then connect to the local ULN mirror to receive updates. See Section 1.3.4, “Configuring a Local ULN Mirror to Act as a Ksplice Mirror” for more information about configuring a local ULN mirror.

When you have set up a local ULN mirror to act as a Ksplice mirror, you can then configure your other systems to receive yum updates, as well as Ksplice updates. For task-related information, see Chapter 2, Working With the Ksplice Enhanced Client.

1.2.2 About the Ksplice Uptrack Client

The Ksplice Uptrack client is available as both an online and offline client. Ksplice Uptrack enables you to apply the latest kernel security errata for Common Vulnerabilities and Exposures (CVEs) without halting the system or restarting any applications. Ksplice Uptrack applies the updated patches in the background with negligible impact, and usually only requires a pause of a few milliseconds. You can use Ksplice Uptrack and continue to upgrade your kernel through the usual mechanism, such as running the yum command.

Ksplice Uptrack is freely available for Oracle customers who subscribe to Oracle Linux Premier Support, and to Oracle Cloud Infrastructure services. If you are an Oracle Linux Basic, Basic Limited, or Network Support subscriber, contact your sales representatives to discuss a potential upgrade of your subscription to a Premier Support plan.

The Ksplice Offline client removes the requirement that a server on your intranet have a direct connection to the Oracle Uptrack server. All of the available Ksplice updates for each supported kernel version are bundled into an RPM that is specific to that version. This package is updated every time a new Ksplice patch becomes available for the kernel.

A Ksplice Offline client does not require a network connection to be able to apply the update package to the kernel. For example, you could use the yum command to install the update package directly from a memory stick. However, a more typical method would be to create a local ULN mirror that acts as a mirror of the Ksplice for Oracle Linux channels on ULN. At regular intervals, you download the latest Ksplice update packages to this server. After installing the Ksplice Offline client on your local systems, the systems can connect to the local ULN mirror to receive updates without requiring access to the Oracle Uptrack server. See Section 3.7, “Working With the Ksplice Uptrack Client in Offline Mode”.

For information about when you might want to use the Ksplice Offline client, see Section 1.3.1, “Choosing a Ksplice Client”.

Note

You cannot use the web interface or the Ksplice Uptrack API to monitor systems that are running the Ksplice Offline client, as such systems are not registered with https://status-ksplice.oracle.com/static/landing.html.

1.3 Preparing to Use Oracle Ksplice

The following tasks might be required prior to installing and configuring Ksplice, depending on which Ksplice client you plan to use:

For further details on setting up the Ksplice Enhanced client in offline mode, see Section 2.5, “Configuring the Ksplice Enhanced Client for Offline Mode”. For further details on setting up the Ksplice Uptrack client in offline mode, see Section 3.7.1, “Configuring Ksplice Uptrack Clients for Offline Mode”.

1.3.1 Choosing a Ksplice Client

The following table describes feature support, requirements, and limitations for each Ksplice client. Use this information to decide which Ksplice client will best suit your needs.

| Ksplice Client | User-Space Support | x86_64 Support | Arm (aarch64) Support | Xen Hypervisor Patching Support | Legacy Compatibility |
|---|---|---|---|---|---|
| Ksplice Enhanced Client | Supported | Supported | Not supported | Supported | Not supported |
| Ksplice Uptrack Client | Not supported | Supported | Supported | Not supported | Supported |

1.3.2 About Oracle Ksplice and ULN Registration

To use Oracle Ksplice, your system must have access to the Internet, and you must register your system with ULN first, unless the system is configured to use the Oracle Ksplice client as an offline client. If your client is configured to function as an offline client, you must configure a local ULN mirror that the client can access to receive updates. For more information, see Section 1.3.4, “Configuring a Local ULN Mirror to Act as a Ksplice Mirror”.

If you have an Oracle Linux Premier support subscription, a Premier Limited support subscription, or an Oracle Premier Support for Systems and Operating Systems subscription and a Customer Support Identifier (CSI), your account is automatically registered to use the Ksplice Uptrack server. Systems that are registered with ULN can install either the Ksplice Enhanced client software or the Ksplice Uptrack client software from ULN to automatically receive updates from the Ksplice Uptrack server. When the Ksplice client is installed, it is allocated an identification key that associates it with the CSI for your account.

If your account has a valid CSI, you can log in to the Ksplice Uptrack server web interface at https://status-ksplice.oracle.com/status/settings by using your Oracle Account credentials. After logging into the server, you can view the status of your registered systems, the patches that have been applied, and the patches that are available. You can also create access control groups for your registered systems.

1.3.3 Available Ksplice Channels

The following table describes the channels that are available for Ksplice on Oracle Linux.

| Channel Name | Channel Label | Description |
|---|---|---|
| Ksplice for Oracle Linux 5 (i386) | ol5_i386_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 5 on i386 systems. |
| Ksplice for Oracle Linux 5 (x86_64) | ol5_x86_64_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 5 on x86_64 systems. |
| Ksplice for Oracle Linux (i386) | ol6_i386_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 6 on i386 systems. |
| Ksplice for Oracle Linux 6 (x86_64) | ol6_x86_64_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 6 on x86_64 systems. |
| Ksplice for Oracle Linux 7 (x86_64) | ol7_x86_64_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 7 on x86_64 systems. |
| Ksplice for Oracle Linux 7 (aarch64) | ol7_aarch64_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 7 on aarch64 systems. |
| Ksplice for Oracle Linux 8 (x86_64) | ol8_x86_64_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 8 on x86_64 systems. |
| Ksplice for Oracle Linux 8 (aarch64) | ol8_aarch64_ksplice | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 8 on aarch64 systems. |
| Ksplice-aware user-space packages for Oracle Linux 6 (x86_64) | ol6_x86_64_userspace_ksplice | Latest packages for Ksplice-aware user-space packages for Oracle Linux 6 (x86_64). This channel should only be used with the Ksplice Enhanced client. |
| Ksplice-aware user-space packages for Oracle Linux 7 (x86_64) | ol7_x86_64_userspace_ksplice | Latest packages for Ksplice-aware user-space packages for Oracle Linux 7 (x86_64). This channel should only be used with the Ksplice Enhanced client. |
| Ksplice-aware user-space packages for Oracle Linux 8 (x86_64) | ol8_x86_64_userspace_ksplice | Latest packages for Ksplice-aware user-space packages for Oracle Linux 8 (x86_64). This channel should only be used with the Ksplice Enhanced client. |

1.3.4 Configuring a Local ULN Mirror to Act as a Ksplice Mirror

The following procedure describes how to configure a local ULN mirror to act as a Ksplice mirror. Use this procedure if you are planning to install and configure the Ksplice client as an offline client.

For more information about setting up a local ULN mirror, see Creating and Using a Local ULN Mirror in the Oracle Linux Unbreakable Linux Network User's Guide.

  1. Using a browser, log in to https://linux.oracle.com by providing the ULN user name and password that you used to register your system.

  2. On the Systems tab, click the link that is named for your system in the list of registered machines.

  3. On the System Details page, click Edit.

  4. On the Edit System Properties page, select the Yum Server check box and then click Apply Changes.

  5. On the System Details page, click Manage Subscriptions.

  6. On the System Summary page, select channels from the list of available or subscribed channels and click the arrows to move the channels between the lists.

    Modify the list of subscribed channels to include those Ksplice for Oracle Linux channels that you want to make available to local offline clients. See Section 1.3.3, “Available Ksplice Channels”.

  7. When you are finished selecting channels, save the subscription and log out of ULN.

1.3.5 Configuring an Oracle Linux 7 Spacewalk Server to Act as a Ksplice Mirror

Note

The following information applies to the configuration of an Oracle Linux 7 Spacewalk server only.

To configure a Spacewalk server to act as a Ksplice mirror, you configure repositories and the associated software channels for the Oracle Linux releases and architectures of the systems on which you want to run the Ksplice Offline client. Note that each Ksplice channel should be a child of the appropriate base software channel. For information about the channels that are available for Ksplice, see Section 1.3.3, “Available Ksplice Channels”.

You would then specify the URL for the appropriate Ksplice channel. For example, for the Oracle Linux 7 (x86_64) channel on ULN, you would specify the URL as follows:

    uln:///ol7_x86_64_ksplice

See Chapter 12 in the Spacewalk for Oracle® Linux: Client Life Cycle Management Guide for Release 2.10 for further instructions.