Chapter 3 Working With Ksplice Uptrack

This chapter describes how to configure and use Ksplice Uptrack to update packages on a running system. For more information about Ksplice Uptrack, visit http://www.ksplice.com/.

Note

Some of the instructions and examples in this document apply to multiple Oracle Linux releases. The examples use the yum command for compatibility with several supported versions of Oracle Linux. If you are running Oracle Linux 8, you may opt to use the dnf command, as appropriate.

3.1 Installing Ksplice Uptrack From ULN

If you have an Oracle Linux Premier support subscription, a Premier Limited subscription, or an Oracle Premier Support for Systems and Operating Systems support subscription, you are automatically registered to use Oracle Ksplice. You can configure your registered systems to use Ksplice Uptrack through the Ksplice for Oracle Linux channel on ULN by using the yum command. See Section 1.3.2, “About Oracle Ksplice and ULN Registration”.

The system on which you want to install Ksplice Uptrack must also meet the following requirements:

  • Must have access to the Internet.

  • Must be registered with ULN.

  • Must be running a supported Oracle Linux release, with a supported version of either UEK or RHCK installed. You can verify the kernel version by using the uname -a command. See Section 1.1.2, “Supported Kernels”.

  • The kernel that is currently running is also the kernel you want to update, as Ksplice Uptrack applies updates only to the running kernel.

To install Ksplice Uptrack from ULN:

  1. Log in as the root user on the system.

  2. If you use an Internet proxy, configure the HTTP and HTTPS settings for the proxy in the shell.

    • For the sh, ksh, or bash shells, use commands such as the following:

      # http_proxy=http://proxy_URL:http_port
      # https_proxy=http://proxy_URL:https_port
      # export http_proxy https_proxy

    • For the csh shell, use commands such as the following:

      # setenv http_proxy http://proxy_URL:http_port
      # setenv https_proxy http://proxy_URL:https_port

  3. Using a browser, log in at https://linux.oracle.com with your ULN user name and password, then do the following:

    1. On the Systems tab, click the link that is named for your system in the list of registered machines.

    2. On the System Details page, click Manage Subscriptions.

    3. On the System Summary page, from the list of available channels, select the appropriate Ksplice for Oracle Linux channel for your Oracle Linux release and your system's architecture (i386 or x86_64).

    4. Click the right arrow (>) to move your selection to the list of subscribed channels.

    5. Save the subscription and log out of ULN.

  4. On your system, use the yum command to install the uptrack package.

    # yum install -y uptrack

    The access key for Ksplice Uptrack is retrieved from ULN and added to /etc/uptrack/uptrack.conf, for example:

    [Auth]
    accesskey = 0e1859ad8aea14b0b4306349142ce9160353297daee30240dab4d61f4ea4e59b
  5. To enable automatic installation of updates, change the value of the autoinstall entry in the /etc/uptrack/uptrack.conf file from no to yes:

    autoinstall = yes

For information about configuring Ksplice Uptrack, see Section 3.3, “Configuring the Ksplice Uptrack Client”.

For information about managing Ksplice updates, see Section 3.4, “Managing Ksplice Updates by Using the uptrack-upgrade Command”.

3.2 Installing Ksplice Uptrack Within Oracle Cloud Infrastructure

If you are an Oracle Cloud Infrastructure customer, you can use Oracle Ksplice on any of the Oracle Linux, Red Hat Enterprise Linux (RHEL), CentOS, and Ubuntu systems that are hosted in your cloud environment. You do not need to register with ULN to use Ksplice.

Note

The following installation procedure is only required for Oracle Cloud Infrastructure instances that were launched prior to August 25, 2017.

For Oracle Cloud Infrastructure instances launched on or after August 25, 2017, Ksplice is installed by default. For these instances, you only need to run Ksplice to install the available Ksplice patches.

For information about configuring the Ksplice Uptrack client and managing Ksplice updates, see Section 3.3, “Configuring the Ksplice Uptrack Client” and Section 3.4, “Managing Ksplice Updates by Using the uptrack-upgrade Command”.

Also, for Oracle Autonomous Linux images, Ksplice is installed and configured by default to run automatic updates. For more information, see https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/Tasks/installingconfiguringksplice.htm.

To install Ksplice Uptrack on an instance that is running on Oracle Cloud Infrastructure:

  1. Connect to your Linux instance by using Secure Shell (SSH).

    For instructions, see https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/Tasks/accessinginstance.htm.

  2. Access the instance by using the following command:

    $ ssh -l opc public-ip-address

    In the previous command, public-ip-address is the instance IP address that you retrieved from the Console. For more information, see https://docs.cloud.oracle.com/en-us/iaas/Content/GSG/Tasks/launchinginstance.htm#Getting.

  3. Run the following command to sudo to root:

    $ sudo bash

  4. Download the Ksplice installer for Oracle Cloud Infrastructure.

    $ wget -N https://www.ksplice.com/uptrack/install-uptrack-oc

  5. After the script is downloaded, install Ksplice.

    $ sh install-uptrack-oc

3.3 Configuring the Ksplice Uptrack Client

The configuration file for both the Ksplice Uptrack client and the Ksplice Enhanced client is /etc/uptrack/uptrack.conf. You can modify this file to configure a proxy server, install updates automatically at boot time, and check for and apply new updates automatically.

If your system is registered with the Ksplice Uptrack repository, the client communicates with the Uptrack server by connecting to https://updates.ksplice.com:443. You can either configure your firewall to allow the connection through port 443, or you can configure the client to use a proxy server. To configure the client to use a proxy server, set the following entry in the /etc/uptrack/uptrack.conf file:

https_proxy = https://proxy_URL:https_port

You receive an email notification when Ksplice updates are available for your system.

To instruct the client to install all updates automatically, as they become available, set the following entry in the /etc/uptrack/uptrack.conf file:

autoinstall = yes

Note

Enabling the automatic installation of updates does not automatically update the Ksplice client itself. Oracle notifies you by email when you can upgrade the Ksplice software by using the yum command.

Setting the autoinstall entry value to yes also installs updates automatically at boot time. When you boot the system, the /etc/init.d/uptrack script reapplies the installed Ksplice updates.

To install all available updates at boot time, uncomment the following entry in the /etc/uptrack/uptrack.conf file:

upgrade_on_reboot = yes

Note

The upgrade_on_reboot setting is not implemented for user-space updates.

3.4 Managing Ksplice Updates by Using the uptrack-upgrade Command

Ksplice patches are stored in /var/cache/uptrack. Following a reboot, Ksplice automatically re-applies these patches very early in the boot process, before the network is configured, so that the system is hardened before any remote connections can be established.

To list all of the available Ksplice updates, use the uptrack-upgrade command:

# uptrack-upgrade -n

Install all of the available Ksplice updates as follows:

# uptrack-upgrade -y

After Ksplice has applied updates to a running kernel, the kernel has an effective version that is different from the original boot version displayed by the uname -a command.

Use the uptrack-uname command to display the effective version of the kernel:

# uptrack-uname -r

The uptrack-uname command supports commonly used uname flags, including -a and -r, and also provides a way for applications to detect that the kernel has been patched. The effective version is based on the version number of the latest patch that Ksplice has applied to the kernel.

The following examples show ways in which you can view information about Ksplice updates and administer Ksplice updates on a system.

View the updates that Ksplice has made to the running kernel:

# uptrack-show

View the updates that are available for installation:

# uptrack-show --available

Remove all of the updates from the kernel:

# uptrack-remove --all

To prevent Ksplice from reapplying the updates at the next system reboot, create the empty file /etc/uptrack/disable:

# touch /etc/uptrack/disable

Alternatively, you can specify the nouptrack argument as a parameter on the boot command line when you next reboot the system.

3.5 Removing the Ksplice Uptrack Client Software

You can remove the Ksplice Uptrack software from a system by using the following command:

# yum -y remove uptrack

Remove the offline Ksplice Uptrack software from a system as follows:

# yum -y remove uptrack-offline

3.6 Switching Between Online and Offline Ksplice Uptrack Installation Modes

To switch from one Ksplice client software version (or mode) to another Ksplice software version, for example, switch from a Ksplice online installation to a Ksplice offline installation, you must first remove the existing Ksplice client software from the system. You can then install the new version of the Ksplice client software.

Caution

Failure to remove an existing Ksplice client software version prior to installing a new Ksplice client software version results in transaction check errors during the package installation process.

For example, if you have the Ksplice Uptrack client software installed on the system and you want to install the Ksplice Offline Enhanced client software, you would need to first remove the Ksplice Uptrack client software, and then install the Ksplice Offline Enhanced client software as follows:

# yum remove uptrack ksplice-tools
# yum install ksplice-offline

To switch from an offline installation to an online installation, for example, switch from the Ksplice Uptrack Offline client software to the Ksplice Uptrack client software, you would run the following commands:

# yum remove ksplice-offline ksplice-tools
# yum install uptrack

3.7 Working With the Ksplice Uptrack Client in Offline Mode

The Ksplice Offline client eliminates the need for having a server on your intranet that has a direct connection to the Oracle Uptrack server. Also, a Ksplice Offline client does not require a network connection to be able to apply the update package to the kernel. For example, you could use the yum command to install the update package directly from a memory stick. The following tasks describe how to configure systems to use the Ksplice Offline client.

Note

You cannot use the web interface or the Ksplice Uptrack API to monitor systems that are running Ksplice Offline client, as such systems are not registered with https://status-ksplice.oracle.com/static/landing.html.

3.7.1 Configuring Ksplice Uptrack Clients for Offline Mode

Prior to configuring a Ksplice Offline client, you must set up a local ULN mirror that can act as a Ksplice mirror. See Section 1.3.4, “Configuring a Local ULN Mirror to Act as a Ksplice Mirror”. After you set up a local ULN mirror that can act as a Ksplice mirror, you can configure your other systems to receive yum and Ksplice updates.

You can also configure Ksplice Offline Clients by creating software channels in Spacewalk that can act as a Ksplice mirror. For instructions, see Chapter 12 in the Spacewalk for Oracle® Linux: Client Life Cycle Management Guide for Release 2.10.

To configure a system as a Ksplice Offline client by setting up a local ULN mirror, do the following:

  1. Import the GPG key:

    # rpm --import /usr/share/rhn/RPM-GPG-KEY
  2. Set up a local ULN mirror:

    • Disable any existing yum repositories configured in the /etc/yum.repos.d directory. You can either edit any existing repository files and disable all entries by setting enabled=0 or you can use yum-config-manager:

      # yum-config-manager --disable \*

      Alternately, you can rename any of the files in this directory so that they do not use the .repo suffix. This causes yum to ignore these entries. For example:

      # cd /etc/yum.repos.d
      # for i in *.repo; do mv "$i" "$i.disabled"; done

    • In the /etc/yum.repos.d directory, create the file local-yum.repo, which contains entries such as the following for an Oracle Linux 7 yum client:

      [local_ol7_x86_64_ksplice]
      name=Ksplice for Oracle Linux $releasever - $basearch
      baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/ksplice/$basearch/
      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
      gpgcheck=1
      enabled=1
      
      [local_ol7_latest]
      name=Oracle Linux $releasever - $basearch - latest
      baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/latest/$basearch/
      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
      gpgcheck=1
      enabled=1
      
      [local_ol7_UEKR5_latest]
      name=Unbreakable Enterprise Kernel Release 5 for Oracle Linux $releasever - $basearch - latest
      baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/UEKR5/latest/$basearch/
      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
      gpgcheck=1
      enabled=1
      
      [local_ol7_addons]
      name=Oracle Linux $releasever - $basearch - addons
      baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/addons/$basearch/
      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
      gpgcheck=1
      enabled=1

      • To distinguish the local repositories from the ULN repositories, prefix the labels of their entries with a string such as local_.

      • Replace local_uln_mirror with the IP address or resolvable host name of the local ULN mirror.

      • The example configuration enables the local_ol7_x86_64_ksplice, local_ol7_latest, local_ol7_UEKR5_latest, and local_ol7_addons channels. Note that the Ksplice Offline client package is unable to install user-space updates, so you should not enable any *_userspace_ksplice channels unless you intend to use the offline version of the Ksplice Enhanced client.

  3. Install the Ksplice Offline client package:

    # yum -y install uptrack-offline
  4. Test the configuration:

    1. Clear the yum metadata cache.

      # yum clean metadata
    2. Verify the configuration.

      # yum repolist

      Note

      If the yum command cannot connect to the local ULN mirror, check that the firewall settings on the local ULN mirror server allow incoming TCP connections to the HTTP port (usually, port 80).

  5. Install the Ksplice updates that are available for the kernel.

    # yum -y install uptrack-updates-`uname -r`

    For Oracle Linux 5, you would use the following command:

    # yum -y install uptrack-updates-`uname -r`.`uname -m`

    As new Ksplice updates are made available, use the same command to pick up and apply these updates. You should set up an anacron script to perform this task. For example, the following script named uptrack-updates in /etc/cron.daily would run one time daily:

    #!/bin/sh
    yum -y install uptrack-updates-`uname -r`
    exit 0

    Important

    The script must be executable and be owned by root. Also, you must include the -y option with the yum command when using a script; otherwise, the command hangs and waits for user input.

To display information about Ksplice updates, use the rpm -qa | grep uptrack-updates and uptrack-show commands.
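
Because the baseurl entries in local-yum.repo use plain HTTP, gpgcheck=1 is what protects package integrity on the path from the local mirror. The following added example (not Oracle's code; audit_repos is a hypothetical helper, and every sample section except the first is constructed) lists enabled repository sections that do not set it.

```sh
#!/bin/sh
# Added example (not Oracle's code): report enabled yum repository sections
# that do not enforce package signature checking.

# Sample input. The first section is from the page; the other three are
# constructed to show what the audit flags and what it skips.
SAMPLE_REPO='[local_ol7_x86_64_ksplice]
name=Ksplice for Oracle Linux $releasever - $basearch
baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/ksplice/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY
gpgcheck=1
enabled=1

[local_ol7_latest]
baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/latest/$basearch/
gpgcheck=0
enabled=1

[local_ol7_addons]
baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/addons/$basearch/
enabled=1

[local_ol7_UEKR5_latest]
baseurl=http://local_uln_mirror/yum/OracleLinux/OL7/UEKR5/latest/$basearch/
gpgcheck=0
enabled=0'

# audit_repos [FILE...]  (hypothetical helper; reads stdin when no FILE given)
# Prints "section<TAB>finding" for each enabled section whose gpgcheck is not
# explicitly true, and returns 1 if anything was printed. A section with no
# gpgcheck line is flagged as well, because it then depends on the [main]
# setting in /etc/yum.conf rather than on the repository file itself.
audit_repos() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function truthy(v) { return tolower(v) ~ /^(1|yes|true)$/ }
        function report() {
            if (sec == "" || !truthy(enabled) || truthy(gpgcheck)) return
            why = (gpgcheck == "") ? "gpgcheck not set" : "gpgcheck=" gpgcheck
            if (baseurl ~ /^(http|ftp):/)
                why = why ", fetched over " substr(baseurl, 1, index(baseurl, ":") - 1)
            print sec "\t" why
            bad = 1
        }
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[[^]]*\]/ {                   # new [section]: report the last one
            report()
            sec = trim($0); sec = substr(sec, 2, index(sec, "]") - 2)
            enabled = "1"; gpgcheck = ""; baseurl = ""   # enabled defaults to 1
            next
        }
        (eq = index($0, "=")) {                # key=value line
            key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "baseurl") baseurl = val
        }
        END { report(); exit (bad ? 1 : 0) }
    ' "$@"
}

# On a client: audit_repos /etc/yum.repos.d/*.repo
printf '%s\n' "$SAMPLE_REPO" | audit_repos || true
```

Files renamed with the .disabled suffix are not matched by the *.repo glob, so they are skipped in the same way that yum skips them.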

3.8 Updating the Ksplice Uptrack Client to a Specific Effective Kernel Version

Under some circumstances, you might want to limit the set of updates that uptrack-upgrade installs. For example, the security policy at your site might require a senior administrator to approve Ksplice updates before you can install these updates on production systems. In such cases, you can direct uptrack-upgrade to upgrade to a specific effective kernel version instead of the latest available version.

The options for selecting a specific effective version are only available in the Ksplice Offline client for use with the offline update RPM packages.

Note

Oracle Ksplice is intended to provide the latest security and stability fixes, and the goal is to get the effective kernel up-to-date as soon as possible. Choosing a specific effective kernel version is only intended to allow the offline update RPM package to be updated without immediately applying the latest available patches bundled in that package. This enables production systems to remain temporarily at a tested update level, while the latest updates are tested in an integration or UAT environment.

To update a system to a specific effective kernel version:

  1. Install the uptrack-updates package for the current kernel.

    # yum -y install uptrack-updates-`uname -r`

    For an Oracle Linux 5 client, use the following command:

    # yum -y install uptrack-updates-`uname -r`.`uname -m`
  2. Use the uptrack-uname -r command to display the current effective kernel version:

    # uptrack-uname -r
  3. To list all of the effective kernel versions that are available, specify the --list-effective option to the uptrack-upgrade command, for example:

    # uptrack-upgrade --list-effective
    Available effective kernel versions:
    
    3.8.13-44.1.1.el6uek.x86_64/#2 SMP Wed Sep 10 06:10:25 PDT 2014
    3.8.13-44.1.3.el6uek.x86_64/#2 SMP Wed Oct 15 19:53:10 PDT 2014
    3.8.13-44.1.4.el6uek.x86_64/#2 SMP Wed Oct 29 23:58:06 PDT 2014
    3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014
    3.8.13-55.el6uek.x86_64/#2 SMP Mon Dec 1 11:32:40 PST 2014
    3.8.13-55.1.1.el6uek.x86_64/#2 SMP Thu Dec 11 00:20:49 PST 2014
  4. Remove the installed updates to revert the effective kernel version to the earliest that is available, which is 44.1.1 in the following example:

    # uptrack-remove --all
    ...
    # uptrack-uname -r
    3.8.13-44.1.1.el6uek.x86_64
  5. You can set the effective kernel version that you want the system to use by using either of the following methods:

    • Specify the --effective option to the uptrack-upgrade command.

      For example, if you want to update from 44.1.1 to 44.1.5 instead of updating to the latest 55.1.1, use the --effective option to specify 44.1.5:

      # uptrack-upgrade --effective="3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014"
      ...
      Effective kernel version is 3.8.13-44.1.5.el6uek
      # uptrack-uname -r
      3.8.13-44.1.5.el6uek.x86_64

      This method is suitable for setting the effective kernel version on individual systems.

    • Use the effective_version option in the /etc/uptrack/uptrack.conf file to set an effective package version for the uptrack-upgrade command. This method works the same as specifying --effective on the command line.

      Because uptrack-upgrade runs automatically whenever you update the uptrack-updates package on a system, the following entry would limit the effective kernel version to 44.1.5:

      effective_version = 3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014

      This method is convenient for setting the effective version for a package on multiple production systems, where the content of the /etc/uptrack/uptrack.conf file can be obtained from a centrally maintained master copy.
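
The approval workflow in this section can be scripted as follows. This is an added example, not part of the Oracle documentation or the Ksplice client: find_effective, effective_conf_line and pin_state are hypothetical helper names, the list is the sample output from step 3, and the list is assumed to be ordered oldest to newest as it is there.

```sh
#!/bin/sh
# Added example (not Oracle's code): resolve an approved kernel release to the
# full effective-version string and check a host against that approval.

# Sample output copied from step 3 of the procedure.
LIST_OUTPUT='Available effective kernel versions:

3.8.13-44.1.1.el6uek.x86_64/#2 SMP Wed Sep 10 06:10:25 PDT 2014
3.8.13-44.1.3.el6uek.x86_64/#2 SMP Wed Oct 15 19:53:10 PDT 2014
3.8.13-44.1.4.el6uek.x86_64/#2 SMP Wed Oct 29 23:58:06 PDT 2014
3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014
3.8.13-55.el6uek.x86_64/#2 SMP Mon Dec 1 11:32:40 PST 2014
3.8.13-55.1.1.el6uek.x86_64/#2 SMP Thu Dec 11 00:20:49 PST 2014'

# find_effective RELEASE  (hypothetical helper)
# Reads --list-effective output on stdin and prints the single entry whose
# release (the text before "/") equals RELEASE exactly. Exact matching
# matters: a substring match on 3.8.13-55 would also select 3.8.13-55.1.1.
find_effective() {
    awk -v want="$1" '
        { slash = index($0, "/") }
        slash && substr($0, 1, slash - 1) == want { hit = $0; n++ }
        END { if (n == 1) print hit; exit (n == 1 ? 0 : 1) }
    '
}

# effective_conf_line RELEASE  (hypothetical helper)
# Prints the uptrack.conf entry for an approved release, or fails if the
# installed uptrack-updates package does not offer that release.
effective_conf_line() {
    full=$(find_effective "$1") || {
        echo "release $1 is not in the list of effective versions" >&2
        return 1
    }
    printf 'effective_version = %s\n' "$full"
}

# pin_state APPROVED CURRENT  (hypothetical helper)
# Compares CURRENT (the output of uptrack-uname -r) with the approved release
# by position in the list read from stdin. Assumes oldest-to-newest order.
pin_state() {
    awk -v want="$1" -v cur="$2" '
        { slash = index($0, "/") }
        slash {
            n++
            rel = substr($0, 1, slash - 1)
            if (rel == want) w = n
            if (rel == cur) c = n
        }
        END {
            if (!w) print "unavailable"
            else if (!c) print "unknown"
            else if (c < w) print "behind"
            else if (c > w) print "ahead"
            else print "pinned"
        }
    '
}

# On a client: uptrack-upgrade --list-effective | effective_conf_line "$approved"
printf '%s\n' "$LIST_OUTPUT" | effective_conf_line 3.8.13-44.1.5.el6uek.x86_64
printf '%s\n' "$LIST_OUTPUT" |
    pin_state 3.8.13-44.1.5.el6uek.x86_64 3.8.13-44.1.1.el6uek.x86_64
```

A result of ahead means the host is running patches beyond the approved level, which is the condition the approval policy is meant to catch.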

3.9 Using the SNMP Plugin for Ksplice Uptrack

The SNMP plugin for Ksplice enables you to use Oracle Enterprise Manager to monitor the status of Ksplice on your systems. It also works with any monitoring solution that is compatible with SNMP.

3.9.1 Installing and Configuring the SNMP Plugin

The following prerequisites apply to the system that you want to monitor:

  • The net-snmp package must be installed.

  • The net-snmp-utils package must be installed if you want to be able to test the configuration using the snmpwalk command.

  • The snmpd service must be configured to start automatically.

  • SELinux must either be disabled or set to permissive mode on the system.

To install and configure the SNMP plugin on a system that you want to monitor using SNMP, follow these steps:

  1. Subscribe the system to the appropriate Ksplice channel for the installed Oracle Linux distribution and system architecture, for example, ol6_x86_64_ksplice for Oracle Linux 6 on x86_64.

  2. As the root user, install the ksplice-snmp-plugin package on the system:

    # yum -y install ksplice-snmp-plugin
  3. (Optional) If you plan to test the configuration by using the snmpwalk command, install the net-snmp-utils package as follows:

    # yum -y install net-snmp-utils
  4. Configure the system to use the SNMP plugin by editing the /etc/snmp/snmpd.conf file.

    The following example shows how the entries in this file might look on an Oracle Linux 6 system:

    # Setting up permissions
    # ======================
    com2sec local localhost public
    com2sec mynet source public
    
    group local v1 local
    group local v2c local
    group local usm local
    group mynet v1  mynet
    group mynet v2c mynet
    group mynet usm mynet
    
    view all included .1 80
    
    access mynet "" any noauth exact all none none
    access local "" any noauth exact all all none
    
    syslocation Oracle Linux 6
    syscontact sysadmin <root@localhost>
    
    # Load the plugin
    # ===============
    dlmod kspliceUptrack /usr/lib/ksplice-snmp/kspliceUptrack.so

    1. In the com2sec mynet community entry, replace source with the IP address or resolvable host name of the server that hosts the SNMP monitoring software, or with a subnet address represented as IP_address/netmask, for example, com2sec mynet 192.168.10.0/24 private.

      For IPv6 configuration, specify an IPv6 address and netmask to a com2sec6 mynet community entry, for example, com2sec6 mynet fec0::/64 private.

    2. In the syslocation entry, replace the argument with the identifier of the system being monitored.

    3. In the dlmod entry that loads the kspliceUptrack.so plugin, replace the lib path element with lib on a 32-bit system and lib64 on a 64-bit system.

    This sample configuration file is suitable for the purposes of testing.

  5. Restart the SNMP service:

    # systemctl restart snmpd

    For Oracle Linux 5 and Oracle Linux 6 clients, use the following command:

    # service snmpd restart

For information about configuring SNMP, refer to the documentation at http://www.net-snmp.org/docs/readmefiles.html. See also the snmpd(8) and snmpd.conf(5) manual pages.

3.9.2 Testing the SNMP Plugin

You can use the snmpwalk command in the following ways to check information and test the SNMP plugin.

Display the installed version of Ksplice as follows:

$ snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceVersion
KSPLICE-UPTRACK-MIB::kspliceVersion.0 = STRING: 1.2.12

To check whether all of the available updates for a kernel have been installed:

$ snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceStatus
KSPLICE-UPTRACK-MIB::kspliceStatus.0 = STRING: outofdate

In the previous example, the kernel is shown as being out of date.

Display and compare the kernel that is installed on disk with the Ksplice effective version as follows:

$ snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceBaseKernel
KSPLICE-UPTRACK-MIB::kspliceBaseKernel.0 = STRING: 2.6.18-274.3.1.el5
$ snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceEffectiveKernel
KSPLICE-UPTRACK-MIB::kspliceEffectiveKernel.0 = STRING: 2.6.18-274.3.1.el5

In the output of the previous example, the base kernel version and the effective kernel version are the same, which implies that no updates have been applied.

Display a list of all of the updates that have been applied to the kernel as follows:

$ snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::ksplicePatchTable

In the previous example, no updates have been applied, which confirms why the base and effective kernel versions are identical and why the kernel is out of date.

Display a list of updates that can be installed as follows:

$ snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceAvailTable
KSPLICE-UPTRACK-MIB::kspliceavailIndex.0 = INTEGER: 0
KSPLICE-UPTRACK-MIB::kspliceavailIndex.1 = INTEGER: 1
KSPLICE-UPTRACK-MIB::kspliceavailIndex.2 = INTEGER: 2
...
KSPLICE-UPTRACK-MIB::kspliceavailDesc.23 = STRING: CVE-2011-4325: Denial of service in NFS direct-io.
KSPLICE-UPTRACK-MIB::kspliceavailDesc.24 = STRING: CVE-2011-4348: Socking locking race in SCTP.
KSPLICE-UPTRACK-MIB::kspliceavailDesc.25 = STRING: CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.

After fully upgrading your kernel by using Ksplice Uptrack, you can run the following snmpwalk commands to verify that the kernel is up to date and that there are no updates available for installation, and to list the patches that have been applied:

$ snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceStatus
KSPLICE-UPTRACK-MIB::kspliceStatus.0 = STRING: uptodate
$ snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::kspliceAvailTable
$ snmpwalk -v 1 -c public -O e localhost KSPLICE-UPTRACK-MIB::ksplicePatchTable
KSPLICE-UPTRACK-MIB::ksplicepatchIndex.0 = INTEGER: 0
KSPLICE-UPTRACK-MIB::ksplicepatchIndex.1 = INTEGER: 1
KSPLICE-UPTRACK-MIB::ksplicepatchIndex.2 = INTEGER: 2
...
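
The snmpwalk output shown in this section can be reduced to a single monitoring verdict, as in the following added example (not Oracle's code). The helper names snmp_scalar, pending_cves and ksplice_verdict are hypothetical, the sample input is assembled from the output lines shown in this section, and the 0/1/3 exit codes are an assumption of this example.

```sh
#!/bin/sh
# Added example (not Oracle's code): turn snmpwalk output for the Ksplice MIB
# into a one-line verdict plus the CVE ids that are still unpatched.

# Constructed sample: lines taken from the outputs shown in this section,
# concatenated as if kspliceStatus, kspliceBaseKernel, kspliceEffectiveKernel
# and kspliceAvailTable had been walked in turn.
SNMP_SAMPLE='KSPLICE-UPTRACK-MIB::kspliceStatus.0 = STRING: outofdate
KSPLICE-UPTRACK-MIB::kspliceBaseKernel.0 = STRING: 2.6.18-274.3.1.el5
KSPLICE-UPTRACK-MIB::kspliceEffectiveKernel.0 = STRING: 2.6.18-274.3.1.el5
KSPLICE-UPTRACK-MIB::kspliceavailIndex.0 = INTEGER: 0
KSPLICE-UPTRACK-MIB::kspliceavailDesc.23 = STRING: CVE-2011-4325: Denial of service in NFS direct-io.
KSPLICE-UPTRACK-MIB::kspliceavailDesc.24 = STRING: CVE-2011-4348: Socking locking race in SCTP.
KSPLICE-UPTRACK-MIB::kspliceavailDesc.25 = STRING: CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.'

# snmp_scalar NAME: print the STRING value of KSPLICE-UPTRACK-MIB::NAME.0
snmp_scalar() {
    sed -n "s/^KSPLICE-UPTRACK-MIB::$1\\.0 = STRING: //p" | head -n 1
}

# pending_cves: unique CVE ids named in kspliceavailDesc rows, one per line.
# A single row can name several ids, so rows are not counted as CVEs.
pending_cves() {
    grep -F 'KSPLICE-UPTRACK-MIB::kspliceavailDesc.' |
        grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
}

# ksplice_verdict: read walked output on stdin and print a verdict.
# Returns 0 (up to date), 1 (out of date) or 3 (status missing, for example
# because the plugin is not loaded or the community string was rejected).
ksplice_verdict() {
    walked=$(cat)
    status=$(printf '%s\n' "$walked" | snmp_scalar kspliceStatus)
    base=$(printf '%s\n' "$walked" | snmp_scalar kspliceBaseKernel)
    eff=$(printf '%s\n' "$walked" | snmp_scalar kspliceEffectiveKernel)
    cves=$(printf '%s\n' "$walked" | pending_cves | paste -sd' ' -)
    case $status in
        uptodate)
            echo "OK: effective $eff (base $base)"
            return 0 ;;
        outofdate)
            echo "WARNING: effective $eff (base $base); pending: ${cves:-no CVE ids listed}"
            return 1 ;;
        *)
            echo "UNKNOWN: no kspliceStatus value in input"
            return 3 ;;
    esac
}

# On a monitoring host, feed it the combined output of the snmpwalk commands
# shown in this section. Here it runs on the constructed sample.
printf '%s\n' "$SNMP_SAMPLE" | ksplice_verdict || true
```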