Use Oracle Ksplice on Oracle Linux
Introduction
Oracle Ksplice provides a method of patching your Oracle Linux system that has the following advantages:
- Critical security patches for Linux kernels, hypervisors, and critical user-space libraries are applied immediately.
- Updates are non-intrusive because the process does not require reboots and system downtime.
Objectives
In this tutorial, you'll learn how to:
- Run Oracle Ksplice commands
- Obtain information about updating your system from Unbreakable Linux Network (ULN).
Prerequisites
Minimum of a single Oracle Linux system
Each system should have Oracle Linux installed and configured with:
- A non-root user account with sudo access
- Set up as a standard or enhanced Oracle Ksplice client
- Access to the internet
Clients can operate either online or offline. Online clients must be registered with the Unbreakable Linux Network. This tutorial assumes that you have a Ksplice client configured in online mode.
If your system is not yet configured as an Oracle Ksplice client, see https://docs.oracle.com/en/learn/oracle-linux-ksplice-enable.
Note: Oracle Ksplice is automatically installed and enabled on Oracle Linux instances running on Oracle Cloud Infrastructure (OCI). You do not need to register these instances with ULN to use Ksplice.
Deploy Oracle Linux
Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.
Open a terminal on the Luna Desktop.
Clone the linux-virt-labs GitHub project.
git clone https://github.com/oracle-devrel/linux-virt-labs.git
Change into the working directory.
cd linux-virt-labs/ol
Install the required collections.
ansible-galaxy collection install -r requirements.yml
Deploy the lab environment.
ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6"
The free lab environment requires the extra variable local_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.
Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Linux is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.
Useful Ksplice Commands for Administering Oracle Ksplice
The following Ksplice commands handle patching and updates on Oracle Linux systems running a Ksplice client.
Note: Some information sources refer to Ksplice uptrack clients and the uptrack command for configuring such clients. The uptrack client, or the standard client, is a subset of the functionality of the enhanced client. Thus, you can use the ksplice command instead of the uptrack command to manage these clients' updates and patches.
Open a terminal and connect via SSH to the ol-node-01 instance.
ssh oracle@<ip_address_of_instance>
Refer to the man page for a comprehensive source of information about Ksplice.
man ksplice
Use the --help option for a more summarized form of help information.
ksplice --help
Listing Targets
List all of the running user space processes that the client can patch.
sudo ksplice all list-targets
Note: Ksplice commands can be filtered to limit the command action to specific subsystems that the ksplice tool manages. The previous example lists processes on all subsystems. Instead of all, you can specify kernel, user, or xen so that the command acts only on those subsystems.
sudo ksplice user list-targets
Listing Applied Patches
Display the updates and patches currently applied to the system.
sudo ksplice all show
The output includes the effective kernel version. If you have not applied any patches, the kernel version will match the output of the uname -r command.
Use kernel to display the effective kernel version
By including the subsystem name in the command, you can limit the output to display updates to specific subsystems only.
sudo ksplice kernel show
Use user to display updates to user space processes
sudo ksplice user show
Further filter the information by specifying a PID.
sudo ksplice user show --pid=705
Listing Available Updates
The ksplice upgrade command lists or installs available updates that can be applied to the system.
Use the -n option to list available updates without installing.
sudo ksplice -n all upgrade
sudo ksplice -n kernel upgrade
sudo ksplice -n user upgrade
Note: An equivalent command for listing available updates is ksplice show --available.
sudo ksplice kernel show --available
Applying Updates and Patches
To install available updates, use the ksplice upgrade command, but use the -y option. Note that installing patches or upgrades requires user confirmation before running the action.
As with previous ksplice commands, you can limit the upgrade only to specific subsystems by specifying the subsystem instead of all.
ksplice -y all|kernel|user|xen upgrade
Use the kernel subsystem to only apply kernel patches.
sudo ksplice -y kernel upgrade
Removing All Applied Patches
The ksplice remove command removes updates that Ksplice has applied. Removing patches or upgrades requires user confirmation before running the action.
Remove all user patches.
sudo ksplice user remove --all
Remove a specific update by specifying the Ksplice identifier (KID).
The KID for an applied patch is displayed inside square brackets if a ksplice show command generates output.
sudo ksplice all show
...
Ksplice kernel updates installed:
Installed updates:
[rfywob9d] Clear garbage data on the kernel stack when handling signals.
[625ho5e2] Provide an interface to freeze tasks.
...
sudo ksplice kernel remove 625ho5e2
Note: The ksplice undo <KID> command performs the same action of removing an individual update.
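The bracketed KID lines shown above can be audited with a short script. The following shell functions are an added example, not part of the Oracle tutorial: they parse the KID lines from ksplice show output and report which KIDs from a required baseline are no longer applied, for instance after a ksplice remove. The function names and the KID zzzz0000 are constructed for illustration; the sample text reuses the two update lines shown above.

```shell
#!/bin/sh
# Added example: parse the "[KID] description" lines that `ksplice show` prints.
# SAMPLE_SHOW reuses the two sample update lines shown in this tutorial.
SAMPLE_SHOW='Ksplice kernel updates installed:
Installed updates:
[rfywob9d] Clear garbage data on the kernel stack when handling signals.
[625ho5e2] Provide an interface to freeze tasks.'

# list_kids: read show output on stdin, print one "KID<TAB>description" per update.
list_kids() {
    awk '
        match($0, /^[ \t]*\[[A-Za-z0-9]+\]/) {
            kid = substr($0, RSTART, RLENGTH)
            gsub(/[^A-Za-z0-9]/, "", kid)      # strip brackets and indentation
            desc = substr($0, RSTART + RLENGTH)
            sub(/^[ \t]+/, "", desc)
            printf "%s\t%s\n", kid, desc
        }'
}

# kid_installed KID: succeed only if KID appears in the show output on stdin.
# Useful as a guard before running `ksplice kernel remove KID`.
kid_installed() {
    list_kids | cut -f1 | grep -qxF -- "$1"
}

# missing_kids KID...: print each baseline KID that is absent from the
# show output on stdin (an update that was never applied or was removed).
missing_kids() {
    installed=$(list_kids | cut -f1)
    for kid in "$@"; do
        printf '%s\n' "$installed" | grep -qxF -- "$kid" || printf '%s\n' "$kid"
    done
}

# On a live client, feed the real output instead of the sample:
#   sudo ksplice all show | missing_kids rfywob9d 625ho5e2
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SHOW" | list_kids
    # zzzz0000 is a constructed KID that is not in the sample output.
    printf '%s\n' "$SAMPLE_SHOW" | missing_kids rfywob9d zzzz0000
fi
```

Running the script with --demo prints the parsed sample; any output from missing_kids on a real host means the baseline is not fully applied.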
Disabling Automatic Updates
Create a 'disable' file to prevent Ksplice from automatically applying updates when performing a system reboot.
sudo touch /etc/uptrack/disable
To re-enable automatic Ksplice updates, delete the disable file.
sudo rm /etc/uptrack/disable