Use Oracle Ksplice on Oracle Linux
Introduction
Oracle Ksplice provides a method of patching your Oracle Linux system that has the following advantages:
- Critical security patches for Linux kernels, hypervisors, and critical user-space libraries are applied immediately.
- Updates are non-intrusive because the process does not require reboots and system downtime.
Objectives
In this tutorial, you'll learn how to:
- Run Oracle Ksplice commands
- Obtain information about updating your system from Unbreakable Linux Network (ULN).
Prerequisites
Minimum of a single Oracle Linux system
Each system should have Oracle Linux installed and configured with:
- A non-root user account with sudo access
- Set up as a standard or enhanced Oracle Ksplice client
- Access to the internet
Clients can operate either online or offline. Online clients must be registered with the Unbreakable Linux Network. This tutorial assumes that you have a Ksplice client configured in online mode.
If your system is not yet configured as an Oracle Ksplice client, see https://docs.oracle.com/en/learn/oracle-linux-ksplice-enable.
Note: Oracle Ksplice is automatically installed and enabled on Oracle Linux instances running on Oracle Cloud Infrastructure (OCI). You do not need to register these instances with ULN to use Ksplice.
Deploy Oracle Linux
Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.
Open a terminal on the Luna Desktop.
Clone the linux-virt-labs GitHub project.
    git clone https://github.com/oracle-devrel/linux-virt-labs.git
Change into the working directory.
    cd linux-virt-labs/ol
Install the required collections.
    ansible-galaxy collection install -r requirements.yml
Deploy the lab environment.
    ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6"
The free lab environment requires the extra variable localhost_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.
Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Linux is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.
Useful Ksplice Commands for Administering Oracle Ksplice
The following Ksplice commands handle patching and updates on Oracle Linux systems running the Ksplice clients.
Note: Some information sources refer to Ksplice uptrack clients and the uptrack command for configuring such clients. The uptrack client, or the standard client, is a subset of the functionality of the enhanced client. Thus, you can use the ksplice command instead of the uptrack command to manage these clients' updates and patches.
Open a terminal and connect via SSH to the ol-node-01 instance.
    ssh oracle@<ip_address_of_instance>
Refer to the man page for a comprehensive source of information about Ksplice.
    man ksplice
Use the --help option for a more summarized form of help information.
    ksplice --help
Listing Targets
List all of the running user space processes that the client can patch.
    sudo ksplice all list-targets
Note: Ksplice commands can be filtered to limit the command action to specific subsystems that the ksplice tool manages. The previous example lists processes on all subsystems. Instead of all, you can specify kernel, user, or xen so that the command acts only on those subsystems.
    sudo ksplice user list-targets
Listing Applied Patches
Display the updates and patches currently applied to the system.
    sudo ksplice all show
The output includes the effective kernel version. If you have not applied any patches, the kernel version will match the output of the uname -r command.
Use kernel to display the effective kernel version.
By including the subsystem name in the command, you can limit the output to display updates to specific subsystems only.
    sudo ksplice kernel show
Use user to display updates to user space processes.
    sudo ksplice user show
Further filter the information by specifying a PID.
    sudo ksplice user show --pid=705
Listing Available Updates
The ksplice upgrade command lists or installs available updates that can be applied to the system.
Use the -n option to list available updates without installing.
    sudo ksplice -n all upgrade
    sudo ksplice -n kernel upgrade
    sudo ksplice -n user upgrade
Note: An equivalent command for listing available updates is ksplice show --available.
    sudo ksplice kernel show --available
Applying Updates and Patches
To install available updates, use the ksplice upgrade command with the -y option. Note that installing patches or upgrades requires user confirmation before running the action.
As with previous ksplice commands, you can limit the upgrade to specific subsystems by specifying the subsystem instead of all.
    ksplice -y all|kernel|user|xen upgrade
Use the kernel subsystem to apply only kernel patches.
    sudo ksplice -y kernel upgrade
Removing All Applied Patches
The ksplice remove command removes updates that Ksplice has applied. Removing patches or upgrades requires user confirmation before running the action.
Remove all user patches.
    sudo ksplice user remove --all
Remove a specific update by specifying the Ksplice identifier (KID).
The KID for an applied patch is displayed inside square brackets if a ksplice show command generates output.
    sudo ksplice all show

    ...
    Ksplice kernel updates installed:
    Installed updates:
    [rfywob9d] Clear garbage data on the kernel stack when handling signals.
    [625ho5e2] Provide an interface to freeze tasks.
    ...

    sudo ksplice kernel remove 625ho5e2
Note: The ksplice undo <KID> command performs the same action of removing an individual update.
Disabling Automatic Updates
Create a 'disable' file to prevent Ksplice from automatically applying updates when performing a system reboot.
    sudo touch /etc/uptrack/disable
To reenable automatic Ksplice updates, delete the disable file.
    sudo rm /etc/uptrack/disable
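The KID listing under "Removing All Applied Patches" and the disable file above can both feed a patch-compliance check; the script below is an added example, not part of the original tutorial or Oracle's tooling. It assumes a KID is a run of lowercase letters and digits in square brackets at the start of a line, as in the excerpt; the function names are hypothetical and the sample output is constructed from that excerpt.

```shell
#!/bin/sh
# Added example (not Oracle's code). Function names are hypothetical.

# Constructed sample, modelled on the `ksplice all show` excerpt above.
SAMPLE_SHOW_OUTPUT='Ksplice kernel updates installed:

Installed updates:
[rfywob9d] Clear garbage data on the kernel stack when handling signals.
[625ho5e2] Provide an interface to freeze tasks.
'

# Print one KID per line from `ksplice ... show` output on stdin.
# Assumption: a KID is a run of lowercase letters and digits in square
# brackets at the start of a line, as in the excerpt.
list_applied_kids() {
    sed -n 's/^[[:space:]]*\[\([a-z0-9][a-z0-9]*\)\].*$/\1/p'
}

# Print every required KID (arguments) missing from the show output on stdin.
# Returns 0 when all are applied, 1 when at least one is missing.
missing_kids() {
    applied=$(list_applied_kids)
    rc=0
    for kid in "$@"; do
        if ! printf '%s\n' "$applied" | grep -qxF -- "$kid"; then
            printf '%s\n' "$kid"
            rc=1
        fi
    done
    return "$rc"
}

# Succeeds when the disable file exists, i.e. automatic updates are off.
autoupdate_disabled() {
    [ -e "${1:-/etc/uptrack/disable}" ]
}

# Demo on the constructed sample; on a real client, pipe in the output of
# `sudo ksplice all show` instead.
if printf '%s' "$SAMPLE_SHOW_OUTPUT" | missing_kids rfywob9d 625ho5e2; then
    echo "all required updates are applied"
fi
if autoupdate_disabled; then
    echo "warning: /etc/uptrack/disable exists, automatic updates are off"
fi
```

A non-zero status from missing_kids, or a present disable file, marks a host for follow-up in a fleet audit.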