Use Oracle Ksplice on Oracle Linux


Introduction

Oracle Ksplice provides a method of patching your Oracle Linux system that has the following advantages:

  • Critical security patches for Linux kernels, hypervisors, and critical user-space libraries are applied immediately.
  • Updates are non-intrusive because the process does not require reboots and system downtime.

Objectives

In this tutorial, you'll learn how to:

  • Run Oracle Ksplice commands
  • Obtain information about updating your system from Unbreakable Linux Network (ULN).

Prerequisites

  • Minimum of a single Oracle Linux system

  • Each system should have Oracle Linux installed and configured with:

    • A non-root user account with sudo access
    • Set up as a standard or enhanced Oracle Ksplice client
    • Access to the internet

Clients can operate either online or offline. Online clients must be registered with the Unbreakable Linux Network. This tutorial assumes that you have a Ksplice client configured in online mode.

If your system is not yet configured as an Oracle Ksplice client, see https://docs.oracle.com/en/learn/oracle-linux-ksplice-enable.

Note: Oracle Ksplice is automatically installed and enabled on Oracle Linux instances running on Oracle Cloud Infrastructure (OCI). You do not need to register these instances with ULN to use Ksplice.

Deploy Oracle Linux

Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.

  1. Open a terminal on the Luna Desktop.

  2. Clone the linux-virt-labs GitHub project.

    git clone https://github.com/oracle-devrel/linux-virt-labs.git

  3. Change into the working directory.

    cd linux-virt-labs/ol

  4. Install the required collections.

    ansible-galaxy collection install -r requirements.yml

  5. Deploy the lab environment.

    ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6"

    The free lab environment requires the extra variable localhost_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.

    Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Cloud Native Environment is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.

Useful Ksplice Commands for Administering Oracle Ksplice

The following Ksplice commands handle patching and updates on Oracle Linux systems running a Ksplice client.

Note: Some information sources refer to Ksplice uptrack clients and the uptrack command for configuring such clients. The uptrack client, or the standard client, is a subset of the functionality of the enhanced client. Thus, you can use the ksplice command instead of the uptrack command to manage these clients' updates and patches.

Refer to the man page for a comprehensive source of information about Ksplice.

man ksplice

You can also use the --help option for a more summarized form of help information.

ksplice --help

Listing Targets

List all of the running user space processes that the client can patch.

sudo ksplice all list-targets

Note: Ksplice commands can be filtered to limit the command action to specific subsystems that the ksplice tool manages. The previous example lists processes on all subsystems. Instead of all, you can specify kernel, user, or xen so that the command acts only on those subsystems.

sudo ksplice user list-targets

Listing Applied Patches

Display the updates and patches currently applied to the system.

sudo ksplice all show

The output includes the effective kernel version. If you have not applied any patches, the kernel version will match the output of the uname -r command.

By including the subsystem name in the command, you can limit the output to display updates to specific subsystems only.

  • Use kernel to display the effective kernel version

    sudo ksplice kernel show

  • Use user to display updates to user space processes

    sudo ksplice user show

You can further filter the information by specifying a PID.

sudo ksplice user show --pid=705

Listing Available Updates

The ksplice upgrade command lists or installs available updates that can be applied to the system. Use the -n option to list available updates without installing.

sudo ksplice -n all upgrade
sudo ksplice -n kernel upgrade
sudo ksplice -n user upgrade

Note: An equivalent command for listing available updates is ksplice show --available.

sudo ksplice kernel show --available

Applying Updates and Patches

To install available updates, use the ksplice upgrade command with the -y option. Note that installing patches or upgrades requires user confirmation before running the action.

As with previous ksplice commands, you can limit the upgrade only to specific subsystems by specifying the subsystem instead of all.

ksplice -y all|kernel|user|xen upgrade

Using the kernel subsystem only applies kernel patches.

sudo ksplice -y kernel upgrade

Removing All Applied Patches

The ksplice remove command removes updates that Ksplice has applied. Removing patches or upgrades requires user confirmation before running the action.

sudo ksplice user remove --all

You can remove a specific update by specifying the Ksplice identifier (KID). The KID for an applied patch is displayed inside square brackets if a ksplice show command generates output.

sudo ksplice all show

...
Ksplice kernel updates installed:
Installed updates:
[rfywob9d] Clear garbage data on the kernel stack when handling signals.
[625ho5e2] Provide an interface to freeze tasks.
...

Thus, you can type:

sudo ksplice kernel remove 625ho5e2

Note: The ksplice undo <KID> command performs the same action of removing an individual update.

Disabling Automatic Updates

Create a 'disable' file to prevent Ksplice from automatically applying updates when performing a system reboot.

sudo touch /etc/uptrack/disable

To reenable automatic Ksplice updates, delete the disable file.

sudo rm /etc/uptrack/disable
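
The KID listing and the disable file described above can be checked together when auditing a host's patch state. The following bash helper is an added example, not part of the Oracle tutorial: the function names are hypothetical, the sample text is constructed from the output excerpt earlier on this page, and it assumes each installed update is printed as `[KID] description` on its own line.

```bash
#!/usr/bin/env bash
# Added example: audit Ksplice patch state from `ksplice ... show` output.

# Constructed sample, modelled on the output excerpt in this tutorial.
SAMPLE_SHOW='Ksplice kernel updates installed:
Installed updates:
[rfywob9d] Clear garbage data on the kernel stack when handling signals.
[625ho5e2] Provide an interface to freeze tasks.'

# Print one KID per line from show output read on stdin.
# Assumption: a KID is the bracketed token at the start of a line.
list_kids() {
    sed -n 's/^[[:space:]]*\[\([a-z0-9]\{1,\}\)][[:space:]].*/\1/p'
}

# missing_kids "<show output>" KID...
# Prints every required KID that is not among the installed updates.
missing_kids() {
    local installed kid
    installed=$(printf '%s\n' "$1" | list_kids)
    shift
    for kid in "$@"; do
        printf '%s\n' "$installed" | grep -qxF -- "$kid" || printf '%s\n' "$kid"
    done
}

# True when the disable file exists, meaning Ksplice will not
# automatically apply updates at the next reboot.
auto_updates_disabled() {
    [ -e "${1:-/etc/uptrack/disable}" ]
}

# audit_host "<show output>" <disable-file> KID...
# Prints one finding per line; returns 0 only when there are none.
audit_host() {
    local show=$1 flag=$2 rc=0 kid
    shift 2
    for kid in $(missing_kids "$show" "$@"); do
        echo "MISSING $kid"; rc=1
    done
    if auto_updates_disabled "$flag"; then
        echo "AUTO-UPDATE-DISABLED $flag"; rc=1
    fi
    return $rc
}

# Live use on a Ksplice client:
#   audit_host "$(sudo ksplice kernel show)" /etc/uptrack/disable 625ho5e2
```

A non-zero return from audit_host means either a required update is no longer applied (for example after ksplice remove) or the disable file is present, so the running kernel may lose its patches at the next reboot.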
