Chapter 12 Configuring Ksplice Offline Clients
On average, the Linux kernel receives security updates and bug fixes about once per month. Traditionally, applying such updates would require you to obtain and install the updated kernel RPMs, to schedule downtime, and to reboot the server into the new kernel with the critical updates. As system setups become more complex with many interdependencies, and access to services and applications must remain as undisrupted as possible, scheduling such reboots becomes more difficult and costly.
Oracle Ksplice provides a way for you to keep your systems secure and highly available by enabling you to update them with the latest kernel, Xen hypervisor updates, and key user space security and bug fix updates. Oracle Ksplice updates the running operating system and Xen hypervisor without requiring a reboot. Your systems remain up to date with OS vulnerability patches and downtime is minimized. A Ksplice update takes effect immediately when it is applied. The update is not the same as an on-disk change that only takes effect after a subsequent reboot.
Oracle creates each Ksplice update from a kernel update that originates either from Oracle or from the Linux kernel community.
The Ksplice Offline Client removes the requirement for a server on your intranet to have a direct connection to the Oracle Uptrack server. All available Ksplice updates for each supported kernel version are bundled into an RPM that is specific to that version, and this package is updated every time that a new Ksplice patch becomes available for the kernel.
Ksplice Offline Client is freely available for Oracle Linux customers that subscribe to Oracle Linux Premier Support. If you are an Oracle Linux Basic, Basic Limited, or Network Support subscriber, contact your sales representatives to discuss a potential upgrade of your subscription to a Premier Support plan.
You can configure a Spacewalk server as a mirror of the Ksplice for Oracle Linux channels on ULN. The Spacewalk server does not require access to the Oracle Uptrack server. Instead, you schedule Spacewalk to download the latest Ksplice update packages to a software channel. For older Ksplice updates, an archive channel is available. The _archive suffix is usually added to the channel for which it hosts archive packages. See Section 2.1, “About Software Channel Configuration”.
After you install Ksplice Offline Client on your Spacewalk client systems, they can install the Ksplice update packages from the Spacewalk server. The clients also do not require access to the Oracle Uptrack server.
You cannot use the web interface or the Ksplice Uptrack API to monitor systems that are running Ksplice Offline Client, as these systems are not registered with https://status-ksplice.oracle.com/.
For more information about Ksplice, see Oracle® Linux: Ksplice User's Guide.
12.1 Supported Kernels
You can use Ksplice Uptrack to bring the following Oracle Linux kernels up to date with the latest important security and bug fix patches:
- All Oracle Linux 6 and Oracle Linux 7 kernels starting with the official release.
- All Oracle Unbreakable Enterprise Kernel versions for Oracle Linux 6, starting with 2.6.32-100.28.9 (released March 16, 2011).
To confirm whether a particular kernel is supported, install the Uptrack client on a system that is running the kernel.
If you have a question about supported kernels, send e-mail to ksplice-support_ww@oracle.com.
12.2 Configuring a Spacewalk Server to Act as a Ksplice Mirror
To configure a Spacewalk server to act as a Ksplice mirror, you configure repositories and associated software channels for the Oracle Linux releases and architectures of the clients on which you want to run Ksplice Offline Client. Each Ksplice channel should be a child of the appropriate base software channel. See Section 2.4, “Working With Repositories” and Section 2.5, “Working With Software Channels”.
The following table shows the channels that are available for Ksplice on Oracle Linux.
Channel Name | Channel Label | Description |
---|---|---|
Ksplice for Oracle Linux 6 (i386) | | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 6 on i386 systems. |
Ksplice for Oracle Linux 6 (x86_64) | | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 6 on x86-64 systems. |
Ksplice for Oracle Linux 7 (x86_64) | | Oracle Ksplice clients, updates, and dependencies for Oracle Linux 7 on x86_64 systems. |
Ksplice aware user space packages for Oracle Linux 6 (x86_64) | | Latest packages for Ksplice aware user space packages for Oracle Linux 6 (x86_64). This channel should only be used with the Ksplice Enhanced client. |
Ksplice aware user space packages for Oracle Linux 7 (x86_64) | | Latest packages for Ksplice aware user space packages for Oracle Linux 7 (x86_64). This channel should only be used with the Ksplice Enhanced client. |
For example, you would specify the URL of the Ksplice for Oracle Linux 6 (x86_64) channel on ULN as follows:
uln:///ol6_x86_64_ksplice
To reduce the overall space consumed by Ksplice Offline packages, Oracle strongly recommends using repository filters to limit downloaded packages to only those required by your client systems. You can apply a filter either on the Repository configuration in the Manage Repositories page in the web UI or by providing the -i or --include parameter with the spacewalk-repo-sync command line, for example:
# spacewalk-repo-sync --channel ol6_x86_64_ksplice -t uln \
    -i uptrack-updates-<installed kernel base version>,...
12.3 Provisioning Client Systems as Ksplice Offline Clients
To provision a client system as a Ksplice offline client, configure its kickstart profile as follows:
- Under Kickstart Details, select the Operating System tab, ensure that the check box for the Ksplice child software channel is checked, and click Update Kickstart.
- Under Software, include uptrack-offline in the list of packages to install.
- Under Scripts, create a post-installation, nochroot shell script that installs the Ksplice update packages. For Oracle Linux 6 or Oracle Linux 7:
  yum install -y uptrack-updates-`uname -r`
Install new Ksplice updates as they become available. You can schedule Spacewalk to update the client system or you can set up an anacron script on the client itself. For example, you could use the following script with an Oracle Linux 6 or Oracle Linux 7 client:
#!/bin/sh
yum install -y uptrack-updates-`uname -r`
The script must be executable and also must be owned by root. If you place the script in /etc/cron.daily on the client, it runs once every day.
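A check for the two requirements above (executable, owned by root), added here as an example and not taken from the Oracle documentation. Refusing symlinks and group- or world-writable files goes beyond what the page states, and the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# check_cron_script FILE [OWNER_UID]
# Returns 0 only if FILE is a regular, executable file owned by OWNER_UID
# (default 0, that is root) and not writable by group or others.
# Usage (hypothetical file name): check_cron_script /etc/cron.daily/ksplice-updates
check_cron_script() {
    f=$1
    want_uid=${2:-0}

    # Refuse symlinks: the target could be replaced by a less privileged user.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2
        return 1
    fi

    # "ls -ln" prints the mode string first and the numeric owner uid third.
    read -r mode _links uid _rest <<EOF
$(ls -ln "$f")
EOF

    if [ "$uid" != "$want_uid" ]; then
        echo "$f: owner uid $uid, expected $want_uid" >&2
        return 1
    fi

    # Mode string layout is -rwxrwxrwx: character 4 is the owner execute bit,
    # characters 6 and 9 are the group and other write bits.
    case $mode in
        ???[xs]*) ;;
        *) echo "$f: not executable by its owner ($mode)" >&2; return 1 ;;
    esac
    case $mode in
        ?????w*|????????w*)
            echo "$f: writable by group or others ($mode)" >&2
            return 1 ;;
    esac
    return 0
}
```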
12.4 Installing and Configuring Existing Client Systems as Ksplice Offline Clients
After you have set up Spacewalk to act as a Ksplice mirror, you can configure your other systems to receive yum and Ksplice updates.
To configure a system as a Ksplice offline client, follow these steps:
- Subscribe the client system to the Ksplice software channel that corresponds to the Oracle Linux release and architecture.
- Install the offline version of the enhanced Ksplice client package:
  # yum install ksplice-offline
- Insert a configuration directive into /etc/uptrack/uptrack.conf to provide the enhanced client with the label of the local user-space channel in your local Yum repo configuration. You do not need to do this if you did not use the local_ prefix for the channel label and this label matches the label used on ULN exactly. If you used the local_ prefix or labeled this channel differently, add the following lines and replace local_ol6_x86_64_ksplice_userspace with whatever you used to label the Ksplice user-space channel:
  [User]
  yum_userspace_ksplice_repo_name = local_ol6_x86_64_ksplice_userspace
- To install offline update packages, you must install the relevant packages for your system. For example, you might install the following packages:
  # yum install ksplice-updates-glibc ksplice-updates-openssl
  When these packages have been installed, the offline version of the enhanced Ksplice client behaves exactly the same as the online version.
- Update the system to install the Ksplice-aware versions of the user-space libraries:
  # yum update
  To install only the libraries and not update any other packages, limit the update to the ol6_x86_64_userspace_ksplice or ol7_x86_64_userspace_ksplice channel as appropriate, for example:
  # yum --disablerepo=* --enablerepo=ol7_x86_64_userspace_ksplice update
  Alternatively, use the following command:
  # yum update *glibc *openssl*
  You may also use this client to perform kernel updates, in the same way that you are able to use the standard uptrack client:
  # yum install uptrack-updates-`uname -r`
- To enable the automatic installation of updates, change the following entry in /etc/uptrack/uptrack.conf:
  autoinstall = no
  so that it reads:
  autoinstall = yes
- Reboot the system so that the system uses the new libraries.
  On Oracle Linux 6:
  # reboot
  On Oracle Linux 7:
  # systemctl reboot
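
The two /etc/uptrack/uptrack.conf edits from the steps above as one idempotent shell function, added here as an example and not part of the Oracle documentation. The function name, the label character check and the [Settings] line in the sample are assumptions; the demo runs on a constructed temporary file.

```shell
#!/bin/sh
# Usage: set_uptrack_options FILE USERSPACE_REPO_LABEL
# Sets "autoinstall = yes" and places the repo-name directive under [User].
set_uptrack_options() {
    conf=$1
    label=$2

    # Accept only characters plausible in a channel label (assumption).
    case $label in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid channel label: $label" >&2; return 1 ;;
    esac
    grep -Eq '^[[:space:]]*autoinstall[[:space:]]*=' "$conf" || {
        echo "$conf: no autoinstall entry to change" >&2; return 1; }

    tmp=$(mktemp) || return 1
    awk -v label="$label" '
        # Rewrite the autoinstall entry whatever its current value.
        /^[ \t]*autoinstall[ \t]*=/ { print "autoinstall = yes"; next }
        # Drop an existing directive; it is written again under [User].
        /^[ \t]*yum_userspace_ksplice_repo_name[ \t]*=/ { next }
        /^\[User\][ \t]*$/ {
            print; print "yum_userspace_ksplice_repo_name = " label
            seen = 1; next
        }
        { print }
        END {
            # No [User] section yet: append one.
            if (!seen) printf "\n[User]\nyum_userspace_ksplice_repo_name = %s\n", label
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed sample, not a real /etc/uptrack/uptrack.conf.
demo=$(mktemp)
printf '[Settings]\nautoinstall = no\n' > "$demo"
set_uptrack_options "$demo" local_ol6_x86_64_ksplice_userspace && cat "$demo"
rm -f "$demo"
```

Running the function a second time with the same label leaves the file byte-for-byte unchanged, so it can be applied repeatedly from configuration management.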