In this article, we will introduce Ksplice, one of the features of Oracle Linux. Ksplice is a live patching system that lets you apply patches to the kernel without rebooting the OS. It has a history of more than 10 years and is an excellent feature that is unmatched at this time. However, even among people using Oracle Linux, those who actually use Ksplice may be in the minority. So in this article, we aim to deepen your understanding of Ksplice.
What is Ksplice?
Ksplice is a feature that allows you to apply patches to the Linux kernel and some user space libraries without rebooting the OS. Normally, even after you install a newly released kernel, you still need to reboot the OS for it to take effect. With Ksplice, however, you can enable the latest update without rebooting.
In other words, you can get the following benefits with Ksplice:
- Minimize system downtime
- Respond quickly to security vulnerabilities
- Minimize patch application time
The ability to enable updates without rebooting is a particularly important feature for “externally accessible servers” and “KVM hosts with many virtual machines running”. Externally accessible servers need to respond quickly to security vulnerabilities, and KVM hosts run multiple virtual servers at once. Therefore, when an OS reboot is needed, a good deal of advance coordination is required, in addition to the time for the work itself.
In other words, Ksplice is a feature that is particularly effective in enterprise use, helping to reduce operational costs and enhance security.
Ksplice FAQ
To help you understand Ksplice quickly, here is an overview in the form of a Ksplice FAQ.
What OSs can I use with Ksplice?
At this time (September 2022), the following Linux OSs are supported. On Oracle Linux, Ksplice supports both the Red Hat-compatible kernel and the Unbreakable Enterprise Kernel (UEK).
- Oracle Linux 6
- Oracle Linux 7
- Oracle Linux 8
- Oracle Linux 9
- CentOS and RHEL 7
- CentOS and RHEL 8
- Ubuntu 18.04
- Ubuntu 20.04
In addition to Intel/AMD (x86_64), 64-bit Arm is also supported. However, on Arm only the Unbreakable Enterprise Kernel is supported.
Do I need an Internet connection to use Ksplice?
Ksplice has online and offline modes. Online mode connects to the Unbreakable Linux Network (ULN) provided by Oracle, so you need to be able to connect to the Internet (this may be via an Internet proxy).
In offline mode, you can use Ksplice without connecting to the Internet by setting up a Ksplice mirror. However, the server used as the Ksplice mirror must itself be able to connect to the Internet.
What components are covered by Ksplice’s live patch?
In addition to the following two kernels, Ksplice supports the user space packages glibc and openssl. However, user space patching is only supported on Oracle Linux.
- Red Hat compatible kernel
- Unbreakable Enterprise Kernel
- glibc
- openssl
Is there a fee for using Ksplice?
To use Ksplice, you need a paid Oracle Linux Premier Support contract. However, Ksplice is available for free on Oracle Linux on Oracle Cloud Infrastructure (where it is set up by default). As an exception, it can also be used for free on Ubuntu.
Is there a trial program for Ksplice?
A 30-day trial program is available. If you want to try Ksplice easily, we recommend Oracle Cloud Infrastructure’s Always Free tier: the Oracle Linux image already has Ksplice set up, so you can use it right away.
Are there other live patching systems like Ksplice?
Other Linux distributions also have the following live patching systems. However, all of them were introduced only in recent years and have not yet built up a comparable track record.
- RHEL-based Linux kpatch
- SUSE KLP
- Ubuntu Livepatch Service
On Windows, there is also a feature called Windows hot patch. However, it is limited to Windows Server 2022 Datacenter: Azure Edition.
Let’s try out Ksplice
To understand Ksplice, it is best to see how it actually works. In this article, we will walk through it on Oracle Linux 8 on Oracle Cloud Infrastructure, which is easy to try. The setup and further details will be explained in the next article.
Oracle Linux 7 and Oracle Linux 9 behave almost the same, but there may be slight differences depending on the image version you are using.
Check the status of your Ksplice setup
To use Ksplice, you need the Ksplice client. So first, check whether the Ksplice client is installed. Searching the installed packages shows that the uptrack package (the Ksplice client) is present.
$ rpm -qa | grep -e ksplice -e uptrack | sort
ksplice-release-el8-1.0-4.el8.x86_64
ksplice-uptrack-release-1-5.noarch
uptrack-1.2.75-0.el8.noarch
Next, check the configuration file /etc/uptrack/uptrack.conf. You can use Ksplice if the configuration file exists and the accesskey is configured (the Ksplice Uptrack key is obtained from ULN; it is masked with x’s below).
$ grep -v -e '^\s*#' -e '^\s*$' /etc/uptrack/uptrack.conf
[Auth]
accesskey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[Network]
https_proxy =
gconf_proxy_lookup = no
[Settings]
install_on_reboot = yes
autoinstall = no
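As an added example that is not part of the original article, the following POSIX shell script automates the two checks above: that the uptrack configuration file exists and that an accesskey is actually set. It runs entirely offline on a constructed sample uptrack.conf; the function names, the sample key value and the temporary file path are our own assumptions, not anything from the Ksplice client.

```shell
# Constructed sample of /etc/uptrack/uptrack.conf (not a real key); written to a
# temporary file so the checks below can run without touching a live system.
UPTRACK_CONF_SAMPLE=$(mktemp)
cat > "$UPTRACK_CONF_SAMPLE" <<'EOF'
# Ksplice Uptrack configuration (constructed sample)
[Auth]
accesskey = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

[Network]
https_proxy =
gconf_proxy_lookup = no

[Settings]
install_on_reboot = yes
autoinstall = no
EOF

# uptrack_conf_get FILE KEY
# Prints the value of KEY from an INI-style uptrack.conf, ignoring comments and
# blank lines. Prints an empty string when the key is present but has no value.
uptrack_conf_get() {
    sed -n -e 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# uptrack_conf_check FILE
# Returns 0 when the client looks usable (file readable, accesskey non-empty),
# 1 otherwise. The key itself is never printed in full, only its length and
# last four characters, so the output is safe to paste into a ticket.
uptrack_conf_check() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "MISSING: $conf not found or unreadable; Ksplice client is not configured"
        return 1
    fi
    key=$(uptrack_conf_get "$conf" accesskey)
    if [ -z "$key" ]; then
        echo "FAIL: accesskey is empty; register the client with ULN first"
        return 1
    fi
    last4=${key#"${key%????}"}
    echo "OK: accesskey configured (${#key} characters, ends with ...$last4)"

    autoinstall=$(uptrack_conf_get "$conf" autoinstall)
    case "$autoinstall" in
        yes) echo "INFO: autoinstall = yes; updates are applied automatically" ;;
        *)   echo "INFO: autoinstall = ${autoinstall:-no}; run uptrack-upgrade manually" ;;
    esac
    proxy=$(uptrack_conf_get "$conf" https_proxy)
    [ -n "$proxy" ] && echo "INFO: https_proxy = $proxy"
    return 0
}

# Demonstration on the constructed sample and on a path that does not exist.
uptrack_conf_check "$UPTRACK_CONF_SAMPLE"
uptrack_conf_check /nonexistent/uptrack.conf || echo "(expected failure for a missing file)"
```

On a real host you would call uptrack_conf_check /etc/uptrack/uptrack.conf as root; the script only reads the file and reports, it does not change anything.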
Learn the basics of Ksplice
Now that you know Ksplice is set up, let’s actually use it. Since most operations require root privileges, we switch to root with su; alternatively, you can prefix each command with sudo.
$ sudo su -
Check the kernel version
Check the currently running Linux kernel version. Here UEK6 “5.4.17-2136.306.1.3” is running.
# uname -r
5.4.17-2136.306.1.3.el8uek.x86_64
If you check the latest version in the repository, it is “5.4.17-2136.310.7.1”, so a newer version has been released.
# yum check-update kernel-uek
kernel-uek.x86_64 5.4.17-2136.310.7.1.el8uek ol8_UEKR6
View updates
With the traditional method, you would update the kernel and reboot as follows:
# yum update kernel-uek -y
# reboot
With Ksplice, you use the uptrack-upgrade command instead. You can list the applicable Ksplice updates without installing them by running “uptrack-upgrade -n”, as follows. Each row is a separate update.
# uptrack-upgrade -n
Effective kernel version is 5.4.17-2136.306.1.3.el8uek
The following steps will be taken:
Install [n9kprcm6] Known exploit detection.
Install [qivpmdlu] Known exploit detection for CVE-2019-9213.
Install [50qj7qw1] Known exploit detection for CVE-2017-1000253.
Install [3iw8b16t] Known exploit detection for CVE-2016-5195.
Install [sgxyx32m] Known exploit detection for CVE-2021-27363.
Install [92k7sosn] Known exploit detection for CVE-2021-27364.
★(remaining output omitted)
Apply the update
Now apply all of these updates. The time this takes depends on the number of updates and the machine specifications; in this case it took about 1 minute. The key point to note is “5.4.17-2136.310.7” in the last line: thanks to Ksplice, the effective kernel version now matches the latest version.
# uptrack-upgrade -y
The following steps will be taken:
Install [n9kprcm6] Known exploit detection.
Install [qivpmdlu] Known exploit detection for CVE-2019-9213.
Install [50qj7qw1] Known exploit detection for CVE-2017-1000253.
Install [3iw8b16t] Known exploit detection for CVE-2016-5195.
★(output omitted)
Installing [dad581dd] CVE-2022-2588: Use-after-free in IP Route Classifier.
Your kernel is fully up to date.
Effective kernel version is 5.4.17-2136.310.7.el8uek
The effective kernel version enabled by the Ksplice update can be viewed with the uptrack-uname command.
# uptrack-uname -r
5.4.17-2136.310.7.el8uek.x86_64
The normal uname command still displays the installed kernel version, i.e. the kernel that was actually booted.
# uname -r
5.4.17-2136.306.1.3.el8uek.x86_64
The list of installed UEK packages is as follows. The latest “5.4.17-2136.310.7” is not among them. In other words, only the incremental Ksplice updates (patches) have been applied, not a new kernel package.
# rpm -q kernel-uek | sort -n
kernel-uek-5.4.17-2102.201.3.el8uek.x86_64
kernel-uek-5.4.17-2136.304.4.1.el8uek.x86_64
kernel-uek-5.4.17-2136.306.1.3.el8uek.x86_64
View applied updates
The Ksplice updates that have been applied can be viewed with the uptrack-show command.
# uptrack-show
Installed updates:
[n9kprcm6] Known exploit detection.
[qivpmdlu] Known exploit detection for CVE-2019-9213.
[50qj7qw1] Known exploit detection for CVE-2017-1000253.
★(output omitted)
[fza3q2mo] CVE-2022-2153: Denial-of-service in Kernel-based Virtual Machine.
[4eaq3lov] CVE-2022-21505: Lockdown bypass in Integrity Measurement Architecture.
[dad581dd] CVE-2022-2588: Use-after-free in IP Route Classifier.
Effective kernel version is 5.4.17-2136.310.7.el8uek
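The sessions above (uptrack-upgrade, uptrack-uname versus uname, and uptrack-show) are what an operator reads by eye; for fleet monitoring the same information is worth parsing. The following POSIX shell script is an added example, not code from the original article or from Oracle: it extracts the effective kernel version, the number of applied updates and the CVE identifiers from uptrack-show output, and reports whether live patches are actually in effect by comparing the installed and effective kernel versions. To run offline it works on constructed sample output modelled on the listing above; the function names are our own.

```shell
# Constructed sample of `uptrack-show` output with patches applied (modelled on
# the article's listing, not captured from a real host).
UPTRACK_SHOW_SAMPLE='Installed updates:
[n9kprcm6] Known exploit detection.
[qivpmdlu] Known exploit detection for CVE-2019-9213.
[fza3q2mo] CVE-2022-2153: Denial-of-service in Kernel-based Virtual Machine.
[4eaq3lov] CVE-2022-21505: Lockdown bypass in Integrity Measurement Architecture.
[dad581dd] CVE-2022-2588: Use-after-free in IP Route Classifier.
Effective kernel version is 5.4.17-2136.310.7.el8uek'

# Constructed sample of `uptrack-show` output with no patches applied.
UPTRACK_SHOW_EMPTY='Installed updates:
None
Effective kernel version is 5.4.17-2136.306.1.3.el8uek'

# effective_version OUTPUT
# Prints the version from the "Effective kernel version is ..." line.
effective_version() {
    printf '%s\n' "$1" | sed -n 's/^Effective kernel version is //p'
}

# count_updates OUTPUT
# Number of applied updates, i.e. lines that start with an 8-character Ksplice
# update ID in brackets. grep -c exits 1 when the count is 0, so "|| :" keeps
# the function's status clean while the printed "0" is still returned.
count_updates() {
    printf '%s\n' "$1" | grep -c '^\[[0-9a-z]\{8\}\] ' || :
}

# cve_ids OUTPUT
# Unique CVE identifiers named by the applied updates, one per line. Useful for
# answering "is CVE-X mitigated on this host?" from inventory data.
cve_ids() {
    printf '%s\n' "$1" | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# ksplice_status INSTALLED_VERSION EFFECTIVE_VERSION
# INSTALLED comes from `uname -r`, EFFECTIVE from `uptrack-uname -r`.
# Returns 0 when Ksplice has moved the effective version past the booted
# kernel, 1 when the two are identical (nothing applied).
ksplice_status() {
    installed=$1
    effective=$2
    if [ "$installed" = "$effective" ]; then
        echo "no Ksplice updates applied: running $installed"
        return 1
    fi
    echo "Ksplice active: booted kernel $installed, effective kernel $effective"
    return 0
}

# Demonstration on the constructed samples. On a real host replace the samples
# with: uname -r, uptrack-uname -r and "$(uptrack-show)".
booted="5.4.17-2136.306.1.3.el8uek.x86_64"
ksplice_status "$booted" "$(effective_version "$UPTRACK_SHOW_SAMPLE").x86_64"
echo "applied updates: $(count_updates "$UPTRACK_SHOW_SAMPLE")"
echo "CVEs covered:"
cve_ids "$UPTRACK_SHOW_SAMPLE"
ksplice_status "$booted" "$(effective_version "$UPTRACK_SHOW_EMPTY").x86_64" || true
```

The comparison in ksplice_status is the check worth alerting on: a host whose uptrack-uname output equals its uname output has no live patches in effect, regardless of what uptrack-upgrade -n says is available.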
Removing updates
You can easily remove the applied updates with the uptrack-remove command.
# uptrack-remove --all -y
The following steps will be taken:
Remove [dad581dd] CVE-2022-2588: Use-after-free in IP Route Classifier.
Remove [4eaq3lov] CVE-2022-21505: Lockdown bypass in Integrity Measurement Architecture.
Remove [jjafy1ef] CVE-2022-29582: Use-after-free in asynchronous io_uring API.
★(output omitted)
Removing [qivpmdlu] Known exploit detection for CVE-2019-9213.
Removing [n9kprcm6] Known exploit detection.
Effective kernel version is 5.4.17-2136.306.1.3.el8uek
You are now back to the original state with no Ksplice updates applied. In this case we applied and removed the updates in bulk, but you can also handle them individually by specifying their IDs.
# uptrack-uname -r
5.4.17-2136.306.1.3.el8uek.x86_64
# uname -r
5.4.17-2136.306.1.3.el8uek.x86_64
Accordingly, listing the applied Ksplice updates now shows none.
# uptrack-show
Installed updates:
None
Effective kernel version is 5.4.17-2136.306.1.3.el8uek
Conclusion
Has this given you a clear picture of what Ksplice is? We believe that once you actually use it, you will find it very easy to work with. In the next article, we will discuss Ksplice in more detail.