Ksplice is a tool from oracle which will help you to configure patches without downtime.This tool is very much usefull where SLA needs to be maintained with less downtime. But one important thing major kernel changes cannot be performed using ksplice and it will pushes the patches to the current active kernels.
rhnuuid=1ba9f165-9357-451e-ad48-b19d500bf5d1
First we need to register the server to oracle ULN network ( Unbreakable Linux)
- Type the command "up2date --register" as root and it will prompt you to enter your ULN credentials which is received from oracle in below screen.including the CSI number
- Select "next" option 1 by 1 in below screens
- Some time you will get the popup as system is already registered if it is not registered already, we have a work around for this issue which i will show you below
type the below command as root and copy the uuid of the system
[root@unixchips01 ~]# /usr/bin/uuidgen -r
1ba9f165-9357-451e-ad48-b19d500bf5d1
edit the etc/sysconfig/rhn/up2date-uuid and update the copied uuid as below format (comment the old uuid)
[root@unixchips01 ~]# vi /etc/sysconfig/rhn/up2date-uuid
#rhnuuid=91d0junk-1538-11db-8f59-123bdba2bb0frhnuuid=1ba9f165-9357-451e-ad48-b19d500bf5d1
Now run the "up2date --register" command again and it will allow you to register the system in ULN network
- Now we need to download the ksplice and install it
*********************************************************************************
[root@unixchips01 ~]# wget -N https://www.ksplice.com/uptrack/install-uptrack
--2017-12-06 15:35:49-- https://www.ksplice.com/uptrack/install-uptrack
Resolving www.ksplice.com... 137.254.56.32
Connecting to www.ksplice.com|137.254.56.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10218 (10.0K) [text/plain]
Saving to: `install-uptrack'
100%[==============================================================================================================================>] 10,218 --.-K/s in 0.09s
2017-12-06 15:35:50 (113 KB/s) - `install-uptrack' saved [10218/10218]
*********************************************************************************
- Once you download the script called install-uptrack provide the executable permission and install using below command (where the id is the ksplice id which is received while purchasing the support)
[root@unixchips01 ~]# sh install-uptrack 82d8fa9a78789cb865948f246723250a924052b64e7b8364e63991576747dd27
[ Release detected: ol ]
--2017-12-06 15:36:09-- https://www.ksplice.com/yum/uptrack/ol/ksplice-uptrack-release.noarch.rpm
Resolving www.ksplice.com... 137.254.56.32
Connecting to www.ksplice.com|137.254.56.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6876 (6.7K) [application/x-rpm]
Saving to: `ksplice-uptrack-release.noarch.rpm'
100%[==============================================================================================================================>] 6,876 --.-K/s in 0.09s
2017-12-06 15:36:09 (76.4 KB/s) - `ksplice-uptrack-release.noarch.rpm' saved [6876/6876]
[ Installing Uptrack ]
warning: ksplice-uptrack-release.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 16c083cd
Preparing packages for installation...
ksplice-uptrack-release-1-3
Loaded plugins: rhnplugin, security
This system is receiving updates from ULN.
ksplice-uptrack | 951 B 00:00
ksplice-uptrack/primary | 8.6 kB 00:00
ksplice-uptrack 44/44
ol5_x86_64_UEK_latest | 1.2 kB 00:00
ol5_x86_64_UEK_latest/primary | 32 MB 00:33
ol5_x86_64_UEK_latest 686/686
ol5_x86_64_ksplice | 1.2 kB 00:00
ol5_x86_64_ksplice/primary | 354 kB 00:00
ol5_x86_64_ksplice 3543/3543
ol5_x86_64_latest | 1.4 kB 00:00
ol5_x86_64_latest/primary | 29 MB 00:31
ol5_x86_64_latest: [############################################ ] 5181/15734
ol5_x86_64_latest 15734/15734
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package uptrack.noarch 0:1.2.47-0.el5 set to be updated
--> Processing Dependency: uptrack-python-pycurl for package: uptrack
--> Processing Dependency: uptrack-PyYAML for package: uptrack
--> Running transaction check
---> Package uptrack-PyYAML.x86_64 0:3.08-4.el5 set to be updated
--> Processing Dependency: uptrack-libyaml >= 0.1.3-1 for package: uptrack-PyYAML
---> Package uptrack-python-pycurl.x86_64 0:7.15.5.1-4.el5 set to be updated
--> Running transaction check
---> Package uptrack-libyaml.x86_64 0:0.1.4-1.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================================
Installing:
uptrack noarch 1.2.47-0.el5 ksplice-uptrack 667 k
Installing for dependencies:
uptrack-PyYAML x86_64 3.08-4.el5 ol5_x86_64_ksplice 164 k
uptrack-libyaml x86_64 0.1.4-1.el5 ksplice-uptrack 52 k
uptrack-python-pycurl x86_64 7.15.5.1-4.el5 ol5_x86_64_ksplice 31 k
Transaction Summary
========================================================================================================================================================================
Install 4 Package(s)
Upgrade 0 Package(s)
Total download size: 914 k
Downloading Packages:
(1/4): uptrack-python-pycurl-7.15.5.1-4.el5.x86_64.rpm | 31 kB 00:00
(2/4): uptrack-libyaml-0.1.4-1.el5.x86_64.rpm | 52 kB 00:00
(3/4): uptrack-PyYAML-3.08-4.el5.x86_64.rpm | 164 kB 00:00
(4/4): uptrack-1.2.47-0.el5.noarch.rpm | 667 kB 00:01
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 308 kB/s | 914 kB 00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : uptrack-python-pycurl 1/4
Installing : uptrack-libyaml 2/4
Installing : uptrack-PyYAML 3/4
Installing : uptrack 4/4
There are no existing modules on disk that need basename migration.
Installed:
uptrack.noarch 0:1.2.47-0.el5
Dependency Installed:
uptrack-PyYAML.x86_64 0:3.08-4.el5 uptrack-libyaml.x86_64 0:0.1.4-1.el5 uptrack-python-pycurl.x86_64 0:7.15.5.1-4.el5
Complete!
- Also you can see the updates pending for installation as below
Effective kernel version is 2.6.39-400.297.3.el5uek
The following steps will be taken:
Install [suh79ofj] Correctly clear garbage data on the kernel stack when handling signals.
Install [1sh67r01] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Install [am4utewl] CVE-2015-2686: Privilege escalation in sendto() and recvfrom() syscalls.
Install [6ex4rf8z] CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.
Install [bid2es5g] CVE-2017-7273: Denial-of-service in Crypress USB HID driver.
Install [houxosz2] CVE-2015-1465: Denial of service in IPv4 packet forwarding.
Install [iwxmcukh] CVE-2014-9710: Privilege escalation in Btrfs when replacing extended attributes.
Install [5kb8dcqi] CVE-2017-9242: Denial-of-service when using send syscall of IPV6 socket.
Install [h6osusrl] CVE-2016-9604: Permission bypass when creating key using keyring subsystem.
Install [bb8dm7ft] CVE-2016-9685: Memory leak in XFS filesystem operations.
Install [dsja5i0v] CVE-2016-10200: Denial-of-service when creating L2TP sockets using concurrent thread.
Install [f4bfciaj] CVE-2017-1000365: Privilege escalation when performing exec.
Install [t7upxzml] CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.
Install [j9s7zjzf] CVE-2017-1000251: Stack overflow in Bluetooth L2CAP config buffer.
Install [4h95f4sm] CVE-2017-1000253: Privilege escalation via stack overflow in PIE binaries.
Install [n5hdfyhm] CVE-2017-1000111: Privilege escalation when setting options on AF_PACKET socket.
Install [c8t1eenj] CVE-2017-7542: Buffer overflow when parsing IPV6 fragments header.
Install [4p5x4q18] CVE-2017-11176: Use-after-free in message queue notify syscall.
Install [7ycabyox] CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.
Install [fpz4et19] CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.
Install [5qajgmai] CVE-2017-9075: Denial-of-service in SCTPv6 sockets.
Install [gczn7k1y] CVE-2017-9077: Denial-of-service in TCPv6 sockets.
Install [qvq8bn89] CVE-2017-9074: Information leak via ipv6 fragment header.
Install [ew4sffpv] CVE-2017-1000380: Information leak when reading timer information from ALSA devices.
Install [36v62nbc] CVE-2017-7308: Memory corruption in AF_PACKET socket options.
Install [56lrpsgc] CVE-2016-10044: Permission bypass when setting up an async io filesystem.
Install [7plhqvh9] CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on IPV6 socket.
Install [clznw6t3] CVE-2017-8831: Denial-of-service when using NXP SAA7164 video driver.
- We can install the updates of the current kernel using the command "uptrack-upgrade -y"
[root@unixchips01 ~]# uptrack-upgrade -y
The following steps will be taken:
Install [suh79ofj] Correctly clear garbage data on the kernel stack when handling signals.
Install [1sh67r01] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Install [am4utewl] CVE-2015-2686: Privilege escalation in sendto() and recvfrom() syscalls.
Install [6ex4rf8z] CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.
Install [bid2es5g] CVE-2017-7273: Denial-of-service in Crypress USB HID driver.
Install [houxosz2] CVE-2015-1465: Denial of service in IPv4 packet forwarding.
Install [iwxmcukh] CVE-2014-9710: Privilege escalation in Btrfs when replacing extended attributes.
Install [5kb8dcqi] CVE-2017-9242: Denial-of-service when using send syscall of IPV6 socket.
Install [h6osusrl] CVE-2016-9604: Permission bypass when creating key using keyring subsystem.
Install [bb8dm7ft] CVE-2016-9685: Memory leak in XFS filesystem operations.
Install [dsja5i0v] CVE-2016-10200: Denial-of-service when creating L2TP sockets using concurrent thread.
Install [f4bfciaj] CVE-2017-1000365: Privilege escalation when performing exec.
Install [t7upxzml] CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.
Install [j9s7zjzf] CVE-2017-1000251: Stack overflow in Bluetooth L2CAP config buffer.
Install [4h95f4sm] CVE-2017-1000253: Privilege escalation via stack overflow in PIE binaries.
Install [n5hdfyhm] CVE-2017-1000111: Privilege escalation when setting options on AF_PACKET socket.
Install [c8t1eenj] CVE-2017-7542: Buffer overflow when parsing IPV6 fragments header.
Install [4p5x4q18] CVE-2017-11176: Use-after-free in message queue notify syscall.
Install [7ycabyox] CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.
Install [fpz4et19] CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.
Install [5qajgmai] CVE-2017-9075: Denial-of-service in SCTPv6 sockets.
Install [gczn7k1y] CVE-2017-9077: Denial-of-service in TCPv6 sockets.
Install [qvq8bn89] CVE-2017-9074: Information leak via ipv6 fragment header.
Install [ew4sffpv] CVE-2017-1000380: Information leak when reading timer information from ALSA devices.
Install [36v62nbc] CVE-2017-7308: Memory corruption in AF_PACKET socket options.
Install [56lrpsgc] CVE-2016-10044: Permission bypass when setting up an async io filesystem.
Install [7plhqvh9] CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on IPV6 socket.
Install [clznw6t3] CVE-2017-8831: Denial-of-service when using NXP SAA7164 video driver.
Installing [suh79ofj] Correctly clear garbage data on the kernel stack when handling signals.
Installing [1sh67r01] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Installing [am4utewl] CVE-2015-2686: Privilege escalation in sendto() and recvfrom() syscalls.
Installing [6ex4rf8z] CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.
Installing [bid2es5g] CVE-2017-7273: Denial-of-service in Crypress USB HID driver.
Installing [houxosz2] CVE-2015-1465: Denial of service in IPv4 packet forwarding.
Installing [iwxmcukh] CVE-2014-9710: Privilege escalation in Btrfs when replacing extended attributes.
Installing [5kb8dcqi] CVE-2017-9242: Denial-of-service when using send syscall of IPV6 socket.
Installing [h6osusrl] CVE-2016-9604: Permission bypass when creating key using keyring subsystem.
Installing [bb8dm7ft] CVE-2016-9685: Memory leak in XFS filesystem operations.
Installing [dsja5i0v] CVE-2016-10200: Denial-of-service when creating L2TP sockets using concurrent thread.
Installing [f4bfciaj] CVE-2017-1000365: Privilege escalation when performing exec.
Installing [t7upxzml] CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.
Installing [j9s7zjzf] CVE-2017-1000251: Stack overflow in Bluetooth L2CAP config buffer.
Installing [4h95f4sm] CVE-2017-1000253: Privilege escalation via stack overflow in PIE binaries.
Installing [n5hdfyhm] CVE-2017-1000111: Privilege escalation when setting options on AF_PACKET socket.
Installing [c8t1eenj] CVE-2017-7542: Buffer overflow when parsing IPV6 fragments header.
Installing [4p5x4q18] CVE-2017-11176: Use-after-free in message queue notify syscall.
Installing [7ycabyox] CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.
Installing [fpz4et19] CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.
Installing [5qajgmai] CVE-2017-9075: Denial-of-service in SCTPv6 sockets.
Installing [gczn7k1y] CVE-2017-9077: Denial-of-service in TCPv6 sockets.
Installing [qvq8bn89] CVE-2017-9074: Information leak via ipv6 fragment header.
Installing [ew4sffpv] CVE-2017-1000380: Information leak when reading timer information from ALSA devices.
Installing [36v62nbc] CVE-2017-7308: Memory corruption in AF_PACKET socket options.
Installing [56lrpsgc] CVE-2016-10044: Permission bypass when setting up an async io filesystem.
Installing [7plhqvh9] CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on IPV6 socket.
Installing [clznw6t3] CVE-2017-8831: Denial-of-service when using NXP SAA7164 video driver.
Your kernel is fully up to date.
Now your system is fully updated with current kernel and we can check the changes in the current kernel version also
https://status-ksplice.oracle.com/status/
- We can check the system status using the below weblink with your oracle support credentials
https://status-ksplice.oracle.com/status/
Useful blog.
ReplyDeleteDevOps institute certification
Such a very useful article. Very interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article. DevOps Training | Certification in Chennai | DevOps Training | Certification in anna nagar | DevOps Training | Certification in omr | DevOps Training | Certification in porur | DevOps Training | Certification in tambaram | DevOps Training | Certification in velachery
ReplyDeleteNice blog. Thanks for sharing it with us.
ReplyDeleteLinux Course in Pune