Chapter 12 Configuring Ksplice Offline Clients

On average, the Linux kernel receives security updates and bug fixes about once per month. Traditionally, applying such updates would require you to obtain and install the updated kernel RPMs, to schedule downtime, and to reboot the server into the new kernel with the critical updates. As system setups become more complex with many interdependencies, and access to services and applications must remain as undisrupted as possible, scheduling such reboots becomes more difficult and costly.

Oracle Ksplice provides a way for you to keep your systems secure and highly available by enabling you to update them with the latest kernel, Xen hypervisor updates, and key user space security and bug fix updates. Oracle Ksplice updates the running operating system and Xen hypervisor without requiring a reboot. Your systems remain up to date with OS vulnerability patches and downtime is minimized. A Ksplice update takes effect immediately when it is applied. The update is not the same as an on-disk change that only takes effect after a subsequent reboot.

Oracle creates each Ksplice update from a kernel update that originates either from Oracle or from the Linux kernel community.

The Ksplice Offline Client removes the requirement for a server on your intranet to have a direct connection to the Oracle Uptrack server. All available Ksplice updates for each supported kernel version are bundled into an RPM that is specific to that version, and this package is updated every time that a new Ksplice patch becomes available for the kernel.


Ksplice Offline Client is freely available for Oracle Linux customers that subscribe to Oracle Linux Premier Support. If you are an Oracle Linux Basic, Basic Limited, or Network Support subscriber, contact your sales representatives to discuss a potential upgrade of your subscription to a Premier Support plan.

You can configure a Spacewalk server as a mirror of the Ksplice for Oracle Linux channels on ULN. The Spacewalk server does not require access to the Oracle Uptrack server. Instead, you schedule Spacewalk to download the latest Ksplice update packages to a software channel. For older Ksplice updates, an archive channel is available. The _archive suffix is usually added to the channel for which it hosts archive packages. See Section 2.1, “About Software Channel Configuration”

After installing Ksplice Offline Client on your Spacewalk client systems, they can install the Ksplice update packages from the Spacewalk server. The clients also do not require access the Oracle Uptrack server.


You cannot use the web interface or the Ksplice Uptrack API to monitor systems that are running Ksplice Offline Client, as these systems are not registered with

For more information about Ksplice see Oracle® Linux: Ksplice User's Guide.

12.1 Supported Kernels

You can use Ksplice Uptrack to bring the following Oracle Linux kernels up to date with the latest important security and bug fix patches:

  • All Oracle Linux 6 and Oracle Linux 7 kernels starting with the official release.

  • All Oracle Unbreakable Enterprise Kernel versions for Oracle Linux 6, starting with 2.6.32-100.28.9 (released March 16, 2011).

To confirm whether a particular kernel is supported, install the Uptrack client on a system that is running the kernel.

If you have a question about supported kernels, send e-mail to

12.2 Configuring a Spacewalk Server to Act as a Ksplice Mirror

To configure a Spacewalk server to act as a Ksplice mirror, you configure repositories and associated software channels for the Oracle Linux releases and architectures of the clients on which you want to run Ksplice Offline Client. Each Ksplice channel should be a child of the appropriate base software channel. See Section 2.4, “Working With Repositories” and Section 2.5, “Working With Software Channels”.

The following table shows the channels that are available for Ksplice on Oracle Linux.

Channel Name

Channel Label


Ksplice for Oracle Linux 6 (i386)


Oracle Ksplice clients, updates, and dependencies for Oracle Linux 6 on i386 systems.

Ksplice for Oracle Linux 6 (x86_64)


Oracle Ksplice clients, updates, and dependencies for Oracle Linux 6 on x86-64 systems.

Ksplice for Oracle Linux 7 (x86_64)


Oracle Ksplice clients, updates, and dependencies for Oracle Linux 7 on x86_64 systems.

Ksplice aware user space packages for Oracle Linux 6 (x86_64)


Latest packages for Ksplice aware user space packages for Oracle Linux 6 (x86_64). This channel should only be used with the Ksplice Enhanced client.

Ksplice aware user space packages for Oracle Linux 7 (x86_64).


Latest packages for Ksplice aware user space packages for Oracle Linux 7 (x86_64). This channel should only be used with the Ksplice Enhanced client.

For example, you would specify the URL of the Ksplice for Oracle Linux 6 (x86_64) channel on ULN as follows:


To reduce the overall space consumed by Ksplice Offline packages, Oracle strongly recommends using repository filters to limit downloaded packages to only those required by your client systems. You can apply a filter either on the Repository configuration in the Manage Repositories page in the web UI or by providing the -i or --include parameter with the spacewalk-repo-sync command line, for example:

# spacewalk-repo-sync --channel ol6_x86_64_ksplice -t uln \
  -i uptrack-updates-installed kernel base version,...

12.3 Provisioning Client Systems as Ksplice Offline Clients

To provision a client system as a Ksplice offline client, configure its kickstart profile as follows:

  • Under Kickstart Details, select the Operating System tab, ensure that the check box for the Ksplice child software channel is checked, and click Update Kickstart.

  • Under Software, include uptrack-offline in the list of packages to install.

  • Under Scripts, create a post-installation, nochroot shell script that installs the Ksplice update packages.

    For Oracle Linux 6 or Oracle Linux 7:

    yum install uptrack-updates-`uname -r`

Install new Ksplice updates as they become available. You can schedule Spacewalk to update the client system or you can set up an anacron script on the client itself. For example, you could use the following script with an Oracle Linux 6 or Oracle Linux 7 client:

yum install uptrack-updates-`uname -r`

The script must be executable and also must be owned by root. If you place the script in /etc/cron.daily on the client, it runs once every day.

12.4 Installing and Configuring Existing Client Systems as Ksplice Offline Clients

After you have set up Spacewalk to act as a Ksplice mirror, you can configure your other systems to receive yum and Ksplice updates.

To configure a system as a Ksplice offline client, follow these steps:

  1. Subscribe the client system to the Ksplice software channel that corresponds to the Oracle Linux release and architecture.

  2. Install the offline version of the enhanced Ksplice client package:

    # yum install ksplice-offline
  3. Insert a configuration directive into /etc/uptrack/uptrack.conf to provide the enhanced client with the label of the local user-space channel in your local Yum repo configuration. You do not need to do this if you did not use the local_ prefix for the channel label and this label matches the label used on ULN exactly. If you used the local_ prefix or labeled this channel differently, add the following lines and replace local_ol6_x86_64_ksplice_userspace with whatever you used to label the Ksplice user-space channel:

    yum_userspace_ksplice_repo_name = local_ol6_x86_64_ksplice_userspace
  4. To install offline update packages, you must install the relevant packages for your system. For example, you might install the following packages:

    # yum install ksplice-updates-glibc ksplice-updates-openssl

    When these packages have been installed, the offline version of the enhanced Ksplice client behaves exactly the same as the online version.

  5. Update the system to install the Ksplice-aware versions of the user-space libraries:

    # yum update

    To install only the libraries and not update any other packages, limit the update to the ol6_x86_64_userspace_ksplice or ol7_x86_64_userspace_ksplice channel as appropriate, for example:

    # yum --disablerepo=* --enablerepo=ol7_x86_64_userspace_ksplice update

    Alternatively, use the following command:

    # yum update *glibc *openssl*

    You may also use this client to perform kernel updates, in the same way that you are able to use the standard uptrack client:

    # yum install uptrack-updates-`uname -r`
  6. To enable the automatic installation of updates, change the following entry in /etc/uptrack/uptrack.conf:

    autoinstall = no

    so that it reads:

    autoinstall = yes
  7. Reboot the system so that the system uses the new libraries.

    On Oracle Linux 6:

    # reboot

    On Oracle Linux 7:

    # systemctl reboot