Use Ksplice on Oracle Linux

Introduction

Oracle Ksplice provides a method of patching your Oracle Linux system that has the following advantages:

• Critical security patches for Linux kernels, hypervisors and critical user space libraries are applied immediately.
• Updates are non-intrusive because the process does not require reboots and system downtime.

Objectives

This tutorial describes useful Oracle Ksplice commands for obtaining information related to updating systems with the latest packages from Unbreakable Linux Network (ULN).

Prerequisites

• An Oracle Linux system that has been set up as an Oracle Ksplice client, either as a standard or an enhanced client. The system must also have access to the Internet.

• If the Ksplice client is configured in online mode, it must be registered with the Unbreakable Linux Network .

  Clients can operate either in online or offline mode. This tutorial assumes that you have a Ksplice client that is configured in online mode.

If your system is not yet configured as an Oracle Ksplice client, see https://docs.oracle.com/en/learn/oracle-linux-ksplice-enable .

Note: Oracle Ksplice is automatically installed and enabled on Oracle Linux instances that are running on Oracle Cloud Infrastructure (OCI). You do not need to register these instances with ULN to be able to work with Ksplice.

Useful Ksplice commands for administering Oracle Ksplice

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

This section describes certain Ksplice commands for managing patching and updates on Oracle Ksplice clients.

Note: Some information sources refer to Ksplice uptrack clients and the uptrack command for configuring such clients. The uptrack client, or the standard client, is a subset of the functionality of the enhanced client. Thus, the ksplice command can also be used in place of the uptrack command to manage these clients' updates and patches.

For a comprehensive source of information about Ksplice, refer to the man page by typing:

man ksplice

For a more summarized form of help information, you can also type:

ksplice --help

Listing targets

The following command lists all of the running user space processes that can be patched by the client:

sudo ksplice all list-targets

Note: Ksplice commands can be filtered so that the command action is limited to specific subsystems that the ksplice tool manages. The previous example lists processes on all subsystems. Instead of all, you can specify kernel, user, or xen so that the command acts only on those subsystems, for example:

sudo ksplice user list-targets

Listing patches that have been applied

The following command displays the updates and patches that have been applied to the system:

sudo ksplice all show

The output includes the effective kernel version. If no patches had been applied, then the kernel version would match the output of the uname -r command.

You can limit the output to display only the updates to specific subsystems, as shown in the following examples:

• To display the effective kernel version, type:

  sudo ksplice kernel show

• To display updates to user space processes, type:

  sudo ksplice user show

  You can further filter the information by specifying a PID, for example:

  sudo ksplice user show --pid=705

Listing available updates

The ksplice upgrade command lists or installs available updates that can be applied to the system. Use the -n option to list available updates without installing.

sudo ksplice -n all upgrade

sudo ksplice -n kernel upgrade

sudo ksplice -n user upgrade

Note: An equivalent command for listing available updates is ksplice show --available, for example:

sudo ksplice kernel show --available

Applying updates and patches

To install available updates, use the ksplice upgrade command, but use the -y option. Note that installing patches or upgrades requires user confirmation before the action is executed.

As with previous ksplice commands, you can limit the upgrade only to specific subsystems by specifying the subsystem instead of all, as shown in the following syntax:

ksplice -y all|kernel|user|xen upgrade

For example, the following command applies only kernel patches:

sudo ksplice -y kernel upgrade

Removing all applied patches

The ksplice remove command removes updates that have been applied by Ksplice. Note that removing patches or upgrades requires user confirmation before the action is executed.

sudo ksplice user remove --all

You can remove a specific update by specifying the Ksplice identifier (KID). The KID for an applied patch is displayed inside square brackets if a ksplice show command generates output, for example:

sudo ksplice all show

... Ksplice kernel updates installed: Installed updates: [rfywob9d] Clear garbage data on the kernel stack when handling signals. [625ho5e2] Provide an interface to freeze tasks. ...

Thus, you can type:

sudo ksplice kernel remove 625ho5e2

Note: The ksplice undo <KID> command performs the same action of removing an individual update.

Disabling automatic updates

To prevent Ksplice from applying updates automatically when you perform a system reboot, create a disable file, as follows:

sudo touch /etc/uptrack/disable

To reenable automatic Ksplice updates, delete the disable file.

sudo rm /etc/uptrack/disable

Video Demonstration

The video tutorial Running Oracle Ksplice commands (online mode) on Oracle Linux demonstrates the use of these commands on your Oracle Linux system.

For more information

See other related resources:

• Oracle Ksplice Documentation
• Oracle Linux Documentation
• Oracle Linux Training Station