In this article, we will introduce Ksplice, one of the features of Oracle Linux. Ksplice is a live patching system that allows you to apply patches to the kernel without rebooting the OS. It has a history of more than 10 years, and it is an excellent feature that is unmatched at this time. However, even among people using Oracle Linux, those who use Ksplice may be in the minority. So in this article, we will aim to deepen your understanding of Ksplice.<\/p>\n\n\n\n
Ksplice is a feature that allows you to apply patches to the Linux kernel and some user space libraries without rebooting the OS. For example, if you install a newly released kernel, you still need to reboot the OS to enable it. However, Ksplice allows you to enable the latest update without having to reboot.<\/p>\n\n\n\n
In other words, you can get the following benefits with Ksplice:<\/p>\n\n\n\n
The ability to enable updates without rebooting is a particularly important feature in “externally accessible servers” and “KVM hosts with many virtual machines running”. Externally accessible servers need to respond quickly to security vulnerabilities. In addition, multiple virtual servers run on KVM hosts. Therefore, when an OS reboot is needed, various pre-adjustments are required, and the actual work time is also required.<\/p>\n\n\n\n
In other words, Ksplice is a feature that is particularly effective in enterprise use, helping to reduce operational costs and enhance security.<\/p>\n\n\n\n
In order to help you quickly understand Ksplice, we will give you an overview titled Ksplice FAQ.<\/p>\n\n\n\n
At this time (September 2022), the following Linux OSs are supported. Ksplice also supports both the Red Hat-compatible kernel and the Unbreakable Enterprise kernel for Oracle Linux.<\/p>\n\n\n\n
In addition to Intel\/AMD (x86_64), it also supports 64-bit Arm. However, it only supports Unbreakable Enterprise Kernel for Arm.<\/p>\n<\/div>\n\n\n\n
Ksplice has online and offline modes. Online mode connects to the Unbreakable Linux Network (ULN) provided by Oracle, so you need to be able to connect to the Internet (this may be via an Internet proxy).<\/p>\n\n\n\n
In addition, in offline mode, you can use Ksplice without connecting to the Internet by setting up a Ksplice mirror. However, the server that is used as the Ksplice mirror must be able to connect to the Internet.<\/p>\n<\/div>\n\n\n\n
In addition to the following two kernels, it supports the user space packages glibc and openssl. However, only Oracle Linux supports user space packages.<\/p>\n\n\n\n
To use Ksplice, you need a paid Oracle Linux Premier Support contract. However, Ksplice is available for free on Oracle Linux on Oracle Cloud Infrastructure (set up by default). Exceptionally, you can use it for free on Ubuntu.<\/p>\n<\/div>\n\n\n\n
A 30-day trial program<\/a> is available. In addition, if you want to try Ksplice easily, we recommend Oracle Cloud Infrastructure’s Always Free. The Oracle Linux image is already set up with Ksplice, so you can use it right away.<\/p>\n<\/div>\n\n\n\n Other Linux distributions also have the following live patching systems. However, all of them have just been provided in recent years, and have not yet proven their performance.<\/p>\n\n\n\n In addition, on Windows, there is a feature called Windows hot patch. However, it is limited to Windows Server 2022 Datacenter: Azure Edition.<\/p>\n<\/div>\n\n\n\n To understand Ksplice, it is better to see how it actually works. In this article, we will explain using Oracle Linux 8 of Oracle Cloud Infrastructure, which is easy to try. The setup and details will be explained in the next article.<\/p>\n\n\n\n In addition, Oracle Linux 7 and Oracle Linux 9 are almost the same, but there may be slight differences depending on the image version you are using.<\/p>\n\n\n\n To use Ksplice, you need a Ksplice client. So, check if the Ksplice client is installed. If you search for a package, you will find that the uptrack<\/strong> package (= Ksplice client) is installed.<\/p>\n\n\n\n Next, check the configuration file \/etc\/uptrack\/uptrack.conf. You can use Ksplice if the configuration file exists and the accesskey is configured.<\/p>\n\n\n\n Now that you know that Ksplice is set up, we will actually use Ksplice. Since most operations require root privileges, we will use su<\/strong>. Alternatively, you can add sudo<\/strong> every time.<\/p>\n\n\n\n Check the currently enabled Linux kernel version. UEK6 “5.4.17-2136.306.1.3” <\/strong>is enabled.<\/p>\n\n\n\n If you check the latest version of the repository, it is “5.4.17-2136.310.7.1”<\/strong>. So you can see that a new version has been released.<\/p>\n\n\n\n In the traditional method, the kernel is updated and rebooted as follows:<\/p>\n\n\n\n In Ksplice, use the uptrack-upgrade<\/strong> command. You can view the applicable Ksplice updates by entering “uptrack-upgrade -n” as follows. Each row is a separate update.<\/p>\n\n\n\n Apply all these updates. The time to apply varies depending on the number of updates and machine specifications, and this time it took about 1 minute. The key point to note here is “5.4.17-2136.310.7<\/strong>” in the last line. Due to Ksplice, it has the same kernel version as the latest version.<\/p>\n\n\n\n The effective kernel version enabled by the Ksplice update can be viewed with the uptrack-uname<\/strong> command.<\/p>\n\n\n\n Normal uname<\/strong> displays the installed kernel version.<\/p>\n\n\n\n The list of installed UEKs is as follows. The latest “5.4.17-2136.310.7<\/strong>” is not installed. In other words, only the incremental Ksplice update (patch) is installed.<\/p>\n\n\n\n The Ksplice update you are applying can be viewed with the uptrack-show<\/strong> command.<\/p>\n\n\n\n You can easily delete the applied updates with the uptrack-remove<\/strong> command.<\/p>\n\n\n\n You are now back to the original state of not applying the Ksplice updates. In this case, we’ve applied the updates in bulk, but you can also apply them individually by specifying their IDs.<\/p>\n\n\n\n As a reminder, you won’t see anything when you view the applied Ksplice updates.<\/p>\n\n\n\n Did you understand what Ksplice is? In addition, we believe that when you actually use it, you will see that it is very easy to use. In the next article, we will discuss Ksplice in more detail.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" In this article, we will introduce Ksplice, one of the features of Oracle Linux. Ksplice is a live patching sy […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[7],"class_list":["post-367","post","type-post","status-publish","format-standard","hentry","category-knowledge-base","tag-linux"],"_links":{"self":[{"href":"https:\/\/oracle.human-design.jp\/en\/wp-json\/wp\/v2\/posts\/367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oracle.human-design.jp\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oracle.human-design.jp\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oracle.human-design.jp\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/oracle.human-design.jp\/en\/wp-json\/wp\/v2\/comments?post=367"}],"version-history":[{"count":9,"href":"https:\/\/oracle.human-design.jp\/en\/wp-json\/wp\/v2\/posts\/367\/revisions"}],"predecessor-version":[{"id":560,"href":"https:\/\/oracle.human-design.jp\/en\/wp-json\/wp\/v2\/posts\/367\/revisions\/560"}],"wp:attachment":[{"href":"https:\/\/oracle.human-design.jp\/en\/wp-json\/wp\/v2\/media?parent=367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oracle.human-design.jp\/en\/wp-json\/wp\/v2\/categories?post=367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oracle.human-design.jp\/en\/wp-json\/wp\/v2\/tags?post=367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Are there other live patching systems like Ksplice?<\/h3>\n\n\n\n
\n
Let\u2019s try out Ksplice<\/h2>\n\n\n\n
Check the status of your Ksplice setup<\/h3>\n\n\n\n
$ rpm -qa | grep -e ksplice -e uptrack | sort\nksplice-release-el8-1.0-4.el8.x86_64\nksplice-uptrack-release-1-5.noarch\nuptrack-1.2.75-0.el8.noarch<\/code><\/pre>\n\n\n\n$ grep -v -e '^\\s*#' -e '^\\s*$' \/etc\/uptrack\/uptrack.conf\n[Auth]\naccesskey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\uff08The key for Ksplice Uptrack is retrieved from ULN\uff09\n[Network]\nhttps_proxy =\ngconf_proxy_lookup = no\n[Settings]\ninstall_on_reboot = yes\nautoinstall = no<\/code><\/pre>\n\n\n\nLearn the basics of Ksplice<\/h2>\n\n\n\n
$ sudo su -<\/code><\/pre>\n\n\n\nCheck the kernel version<\/h3>\n\n\n\n
# uname -r\n5.4.17-2136.306.1.3.el8uek.x86_64<\/code><\/pre>\n\n\n\n# yum check-update kernel-uek\nkernel-uek.x86_64 5.4.17-2136.310.7.1.el8uek ol8_UEKR6<\/code><\/pre>\n\n\n\nView updates<\/h3>\n\n\n\n
# yum update kernel-uek -y\n# reboot\n\n<\/code><\/pre>\n\n\n\n# uptrack-upgrade -n\nEffective kernel version is 5.4.17-2136.306.1.3.el8uek\nThe following steps will be taken:\nInstall [n9kprcm6] Known exploit detection.\nInstall [qivpmdlu] Known exploit detection for CVE-2019-9213.\nInstall [50qj7qw1] Known exploit detection for CVE-2017-1000253.\nInstall [3iw8b16t] Known exploit detection for CVE-2016-5195.\nInstall [sgxyx32m] Known exploit detection for CVE-2021-27363.\nInstall [92k7sosn] Known exploit detection for CVE-2021-27364.\n\u2605Omitted below<\/code><\/pre>\n\n\n\nApply the update<\/h3>\n\n\n\n
# uptrack-upgrade -y\nThe following steps will be taken:\nInstall [n9kprcm6] Known exploit detection.\nInstall [qivpmdlu] Known exploit detection for CVE-2019-9213.\nInstall [50qj7qw1] Known exploit detection for CVE-2017-1000253.\nInstall [3iw8b16t] Known exploit detection for CVE-2016-5195.\n\u2605omission\nInstalling [dad581dd] CVE-2022-2588: Use-after-free in IP Route Classifier.\nYour kernel is fully up to date.\nEffective kernel version is 5.4.17-2136.310.7.el8uek<\/code><\/pre>\n\n\n\n# uptrack-uname -r\n5.4.17-2136.310.7.el8uek.x86_64<\/code><\/pre>\n\n\n\n# uname -r\n5.4.17-2136.306.1.3.el8uek.x86_64<\/code><\/pre>\n\n\n\n# rpm -q kernel-uek | sort -n\nkernel-uek-5.4.17-2102.201.3.el8uek.x86_64\nkernel-uek-5.4.17-2136.304.4.1.el8uek.x86_64\nkernel-uek-5.4.17-2136.306.1.3.el8uek.x86_64<\/code><\/pre>\n\n\n\nView updates<\/h3>\n\n\n\n
# uptrack-show\nInstalled updates:\n[n9kprcm6] Known exploit detection.\n[qivpmdlu] Known exploit detection for CVE-2019-9213.\n[50qj7qw1] Known exploit detection for CVE-2017-1000253.\n\u2605omission\n[fza3q2mo] CVE-2022-2153: Denial-of-service in Kernel-based Virtual Machine.\n[4eaq3lov] CVE-2022-21505: Lockdown bypass in Integrity Measurement Architecture.\n[dad581dd] CVE-2022-2588: Use-after-free in IP Route Classifier.\nEffective kernel version is 5.4.17-2136.310.7.el8uek<\/code><\/pre>\n\n\n\nDeleting updates<\/h3>\n\n\n\n
# uptrack-remove --all -y\nThe following steps will be taken:\nRemove [dad581dd] CVE-2022-2588: Use-after-free in IP Route Classifier.\nRemove [4eaq3lov] CVE-2022-21505: Lockdown bypass in Integrity Measurement Architecture.\nRemove [jjafy1ef] CVE-2022-29582: Use-after-free in asynchronous io_uring API.\n\u2605omission\nRemoving [qivpmdlu] Known exploit detection for CVE-2019-9213.\nRemoving [n9kprcm6] Known exploit detection.\nEffective kernel version is 5.4.17-2136.306.1.3.el8uek<\/code><\/pre>\n\n\n\n# uptrack-uname -r\n5.4.17-2136.306.1.3.el8uek.x86_64\n\n# uname -r\n5.4.17-2136.306.1.3.el8uek.x86_64<\/code><\/pre>\n\n\n\n# uptrack-show\nInstalled updates:\nNone\n\nEffective kernel version is 5.4.17-2136.306.1.3.el8uek<\/code><\/pre>\n\n\n\nConclusion<\/h2>\n\n\n\n
\n