Unixchips : ksplice configuration in OEL ( Oracle Enterprise Linux) for uninterrupted updates

Ksplice is a tool from oracle which will help you to configure patches without downtime.This tool is very much usefull where SLA needs to be maintained with less downtime. But one important thing major kernel changes cannot be performed using ksplice and it will pushes the patches to the current active kernels.

First we need to register the server to oracle ULN network ( Unbreakable Linux)

Type the command "up2date --register" as root and it will prompt you to enter your ULN credentials which is received from oracle in below screen.including the CSI number

Select "next" option 1 by 1 in below screens

Some time you will get the popup as system is already registered if it is not registered already, we have a work around for this issue which i will show you below

type the below command as root and copy the uuid of the system

[root@unixchips01 ~]# /usr/bin/uuidgen -r

1ba9f165-9357-451e-ad48-b19d500bf5d1

edit the etc/sysconfig/rhn/up2date-uuid and update the copied uuid as below format (comment the old uuid)

[root@unixchips01 ~]# vi /etc/sysconfig/rhn/up2date-uuid

#rhnuuid=91d0junk-1538-11db-8f59-123bdba2bb0f
rhnuuid=1ba9f165-9357-451e-ad48-b19d500bf5d1

Now run the "up2date --register" command again and it will allow you to register the system in ULN network

Now we need to download the ksplice and install it

*********************************************************************************

[root@unixchips01 ~]# wget -N https://www.ksplice.com/uptrack/install-uptrack

--2017-12-06 15:35:49-- https://www.ksplice.com/uptrack/install-uptrack

Resolving www.ksplice.com... 137.254.56.32

Connecting to www.ksplice.com|137.254.56.32|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 10218 (10.0K) [text/plain]

Saving to: `install-uptrack'

100%[==============================================================================================================================>] 10,218 --.-K/s in 0.09s

2017-12-06 15:35:50 (113 KB/s) - `install-uptrack' saved [10218/10218]

*********************************************************************************

Once you download the script called install-uptrack provide the executable permission and install using below command (where the id is the ksplice id which is received while purchasing the support)

[root@unixchips01 ~]# sh install-uptrack 82d8fa9a78789cb865948f246723250a924052b64e7b8364e63991576747dd27

[ Release detected: ol ]

--2017-12-06 15:36:09-- https://www.ksplice.com/yum/uptrack/ol/ksplice-uptrack-release.noarch.rpm

Resolving www.ksplice.com... 137.254.56.32

Connecting to www.ksplice.com|137.254.56.32|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 6876 (6.7K) [application/x-rpm]

Saving to: `ksplice-uptrack-release.noarch.rpm'

100%[==============================================================================================================================>] 6,876 --.-K/s in 0.09s

2017-12-06 15:36:09 (76.4 KB/s) - `ksplice-uptrack-release.noarch.rpm' saved [6876/6876]

[ Installing Uptrack ]

warning: ksplice-uptrack-release.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 16c083cd

Preparing packages for installation...

ksplice-uptrack-release-1-3

Loaded plugins: rhnplugin, security

This system is receiving updates from ULN.

ksplice-uptrack | 951 B 00:00

ksplice-uptrack/primary | 8.6 kB 00:00

ksplice-uptrack 44/44

ol5_x86_64_UEK_latest | 1.2 kB 00:00

ol5_x86_64_UEK_latest/primary | 32 MB 00:33

ol5_x86_64_UEK_latest 686/686

ol5_x86_64_ksplice | 1.2 kB 00:00

ol5_x86_64_ksplice/primary | 354 kB 00:00

ol5_x86_64_ksplice 3543/3543

ol5_x86_64_latest | 1.4 kB 00:00

ol5_x86_64_latest/primary | 29 MB 00:31

ol5_x86_64_latest: [############################################ ] 5181/15734

ol5_x86_64_latest 15734/15734

Setting up Install Process

Resolving Dependencies

--> Running transaction check

---> Package uptrack.noarch 0:1.2.47-0.el5 set to be updated

--> Processing Dependency: uptrack-python-pycurl for package: uptrack

--> Processing Dependency: uptrack-PyYAML for package: uptrack

--> Running transaction check

---> Package uptrack-PyYAML.x86_64 0:3.08-4.el5 set to be updated

--> Processing Dependency: uptrack-libyaml >= 0.1.3-1 for package: uptrack-PyYAML

---> Package uptrack-python-pycurl.x86_64 0:7.15.5.1-4.el5 set to be updated

--> Running transaction check

---> Package uptrack-libyaml.x86_64 0:0.1.4-1.el5 set to be updated

--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================

Package Arch Version Repository Size

========================================================================================================================================================================

Installing:

uptrack noarch 1.2.47-0.el5 ksplice-uptrack 667 k

Installing for dependencies:

uptrack-PyYAML x86_64 3.08-4.el5 ol5_x86_64_ksplice 164 k

uptrack-libyaml x86_64 0.1.4-1.el5 ksplice-uptrack 52 k

uptrack-python-pycurl x86_64 7.15.5.1-4.el5 ol5_x86_64_ksplice 31 k

Transaction Summary

========================================================================================================================================================================

Install 4 Package(s)

Upgrade 0 Package(s)

Total download size: 914 k

Downloading Packages:

(1/4): uptrack-python-pycurl-7.15.5.1-4.el5.x86_64.rpm | 31 kB 00:00

(2/4): uptrack-libyaml-0.1.4-1.el5.x86_64.rpm | 52 kB 00:00

(3/4): uptrack-PyYAML-3.08-4.el5.x86_64.rpm | 164 kB 00:00

(4/4): uptrack-1.2.47-0.el5.noarch.rpm | 667 kB 00:01

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Total 308 kB/s | 914 kB 00:02

Running rpm_check_debug

Running Transaction Test

Finished Transaction Test

Transaction Test Succeeded

Running Transaction

Installing : uptrack-python-pycurl 1/4

Installing : uptrack-libyaml 2/4

Installing : uptrack-PyYAML 3/4

Installing : uptrack 4/4

There are no existing modules on disk that need basename migration.

Installed:

uptrack.noarch 0:1.2.47-0.el5

Dependency Installed:

uptrack-PyYAML.x86_64 0:3.08-4.el5 uptrack-libyaml.x86_64 0:0.1.4-1.el5 uptrack-python-pycurl.x86_64 0:7.15.5.1-4.el5

Complete!

Also you can see the updates pending for installation as below

Effective kernel version is 2.6.39-400.297.3.el5uek

The following steps will be taken:

Install [suh79ofj] Correctly clear garbage data on the kernel stack when handling signals.

Install [1sh67r01] CVE-2017-1000364: Increase stack guard size to 1 MiB.

Install [am4utewl] CVE-2015-2686: Privilege escalation in sendto() and recvfrom() syscalls.

Install [6ex4rf8z] CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.

Install [bid2es5g] CVE-2017-7273: Denial-of-service in Crypress USB HID driver.

Install [houxosz2] CVE-2015-1465: Denial of service in IPv4 packet forwarding.

Install [iwxmcukh] CVE-2014-9710: Privilege escalation in Btrfs when replacing extended attributes.

Install [5kb8dcqi] CVE-2017-9242: Denial-of-service when using send syscall of IPV6 socket.

Install [h6osusrl] CVE-2016-9604: Permission bypass when creating key using keyring subsystem.

Install [bb8dm7ft] CVE-2016-9685: Memory leak in XFS filesystem operations.

Install [dsja5i0v] CVE-2016-10200: Denial-of-service when creating L2TP sockets using concurrent thread.

Install [f4bfciaj] CVE-2017-1000365: Privilege escalation when performing exec.

Install [t7upxzml] CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.

Install [j9s7zjzf] CVE-2017-1000251: Stack overflow in Bluetooth L2CAP config buffer.

Install [4h95f4sm] CVE-2017-1000253: Privilege escalation via stack overflow in PIE binaries.

Install [n5hdfyhm] CVE-2017-1000111: Privilege escalation when setting options on AF_PACKET socket.

Install [c8t1eenj] CVE-2017-7542: Buffer overflow when parsing IPV6 fragments header.

Install [4p5x4q18] CVE-2017-11176: Use-after-free in message queue notify syscall.

Install [7ycabyox] CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.

Install [fpz4et19] CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.

Install [5qajgmai] CVE-2017-9075: Denial-of-service in SCTPv6 sockets.

Install [gczn7k1y] CVE-2017-9077: Denial-of-service in TCPv6 sockets.

Install [qvq8bn89] CVE-2017-9074: Information leak via ipv6 fragment header.

Install [ew4sffpv] CVE-2017-1000380: Information leak when reading timer information from ALSA devices.

Install [36v62nbc] CVE-2017-7308: Memory corruption in AF_PACKET socket options.

Install [56lrpsgc] CVE-2016-10044: Permission bypass when setting up an async io filesystem.

Install [7plhqvh9] CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on IPV6 socket.

Install [clznw6t3] CVE-2017-8831: Denial-of-service when using NXP SAA7164 video driver.

We can install the updates of the current kernel using the command "uptrack-upgrade -y"

[root@unixchips01 ~]# uptrack-upgrade -y