Wednesday, December 6, 2017

Ksplice configuration in OEL (Oracle Enterprise Linux) for uninterrupted updates

Ksplice is a tool from Oracle that lets you apply patches without downtime. It is very useful where an SLA must be maintained with minimal downtime. One important point: major kernel changes cannot be performed using Ksplice; it pushes patches to the currently active kernel.

First we need to register the server with the Oracle ULN (Unbreakable Linux Network).

  •  Type the command "up2date --register" as root; in the screen below it will prompt you for the ULN credentials you received from Oracle, including the CSI number.



  •  Select the "Next" option one by one in the screens below.



























  • Sometimes you will get a popup saying the system is already registered even though it is not. There is a workaround for this issue, which I will show below.













Type the command below as root and copy the UUID it generates for the system.

[root@unixchips01 ~]#  /usr/bin/uuidgen -r
1ba9f165-9357-451e-ad48-b19d500bf5d1

Edit /etc/sysconfig/rhn/up2date-uuid and set the copied UUID in the format below (comment out the old UUID).

[root@unixchips01 ~]# vi /etc/sysconfig/rhn/up2date-uuid
#rhnuuid=91d0junk-1538-11db-8f59-123bdba2bb0f
rhnuuid=1ba9f165-9357-451e-ad48-b19d500bf5d1

Now run the "up2date --register" command again and it will allow you to register the system with ULN.
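The UUID workaround above as a script, given here as an added example that is not part of the original post. The function name `rotate_rhn_uuid` and its optional second argument are assumptions made for illustration; the file format and the `uuidgen -r` call are the ones shown above.

```bash
# Added example (not from the original post): scripted form of the manual edit.
# Usage on a real host: rotate_rhn_uuid /etc/sysconfig/rhn/up2date-uuid
rotate_rhn_uuid() {
  ru_file=$1
  ru_new=${2:-$(/usr/bin/uuidgen -r)}       # same generator as the post uses

  [ -f "$ru_file" ] || { echo "no such file: $ru_file" >&2; return 1; }
  # Refuse anything that is not a well-formed UUID before touching the file.
  printf '%s\n' "$ru_new" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
    { echo "not a UUID: $ru_new" >&2; return 1; }

  ru_bak="$ru_file.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$ru_file" "$ru_bak" || return 1    # keep the old identity for rollback

  ru_tmp=$(mktemp) || return 1
  sed 's/^rhnuuid=/#rhnuuid=/' "$ru_file" > "$ru_tmp"   # comment out old value
  # If the file lacked a trailing newline, add one so the new entry gets its own line.
  if [ -n "$(tail -c 1 "$ru_tmp")" ]; then echo >> "$ru_tmp"; fi
  printf 'rhnuuid=%s\n' "$ru_new" >> "$ru_tmp"
  cat "$ru_tmp" > "$ru_file"                # overwrite in place: keeps owner and mode
  rm -f "$ru_tmp"
  printf '%s\n' "$ru_new"                   # report the UUID now in effect
}

# Demo on a scratch copy (constructed input, no trailing newline on purpose).
demo=$(mktemp)
printf 'rhnuuid=91d0junk-1538-11db-8f59-123bdba2bb0f' > "$demo"
rotate_rhn_uuid "$demo" 1ba9f165-9357-451e-ad48-b19d500bf5d1 >/dev/null
cat "$demo"
```

The timestamped backup keeps the previous UUID on disk, so the old registration identity can be restored if needed.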















  • Now we need to download Ksplice and install it.

*********************************************************************************
[root@unixchips01 ~]# wget -N https://www.ksplice.com/uptrack/install-uptrack
--2017-12-06 15:35:49--  https://www.ksplice.com/uptrack/install-uptrack
Resolving www.ksplice.com... 137.254.56.32
Connecting to www.ksplice.com|137.254.56.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10218 (10.0K) [text/plain]
Saving to: `install-uptrack'

100%[==============================================================================================================================>] 10,218      --.-K/s   in 0.09s

2017-12-06 15:35:50 (113 KB/s) - `install-uptrack' saved [10218/10218]
*********************************************************************************
  • Once you have downloaded the install-uptrack script, give it execute permission and install using the command below (where the ID is the Ksplice ID received when purchasing support).
[root@unixchips01 ~]# sh install-uptrack 82d8fa9a78789cb865948f246723250a924052b64e7b8364e63991576747dd27
[ Release detected: ol ]
--2017-12-06 15:36:09--  https://www.ksplice.com/yum/uptrack/ol/ksplice-uptrack-release.noarch.rpm
Resolving www.ksplice.com... 137.254.56.32
Connecting to www.ksplice.com|137.254.56.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6876 (6.7K) [application/x-rpm]
Saving to: `ksplice-uptrack-release.noarch.rpm'

100%[==============================================================================================================================>] 6,876       --.-K/s   in 0.09s

2017-12-06 15:36:09 (76.4 KB/s) - `ksplice-uptrack-release.noarch.rpm' saved [6876/6876]

[ Installing Uptrack ]
warning: ksplice-uptrack-release.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 16c083cd
Preparing packages for installation...
ksplice-uptrack-release-1-3
Loaded plugins: rhnplugin, security
This system is receiving updates from ULN.
ksplice-uptrack                                                                                                                                  |  951 B     00:00
ksplice-uptrack/primary                                                                                                                          | 8.6 kB     00:00
ksplice-uptrack                                                                                                                                                   44/44
ol5_x86_64_UEK_latest                                                                                                                            | 1.2 kB     00:00
ol5_x86_64_UEK_latest/primary                                                                                                                    |  32 MB     00:33
ol5_x86_64_UEK_latest                                                                                                                                           686/686
ol5_x86_64_ksplice                                                                                                                               | 1.2 kB     00:00
ol5_x86_64_ksplice/primary                                                                                                                       | 354 kB     00:00
ol5_x86_64_ksplice                                                                                                                                            3543/3543
ol5_x86_64_latest                                                                                                                                | 1.4 kB     00:00
ol5_x86_64_latest/primary                                                                                                                        |  29 MB     00:31
ol5_x86_64_latest: [############################################                                                                                           ] 5181/15734

ol5_x86_64_latest                                                                                                                                           15734/15734
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package uptrack.noarch 0:1.2.47-0.el5 set to be updated
--> Processing Dependency: uptrack-python-pycurl for package: uptrack
--> Processing Dependency: uptrack-PyYAML for package: uptrack
--> Running transaction check
---> Package uptrack-PyYAML.x86_64 0:3.08-4.el5 set to be updated
--> Processing Dependency: uptrack-libyaml >= 0.1.3-1 for package: uptrack-PyYAML
---> Package uptrack-python-pycurl.x86_64 0:7.15.5.1-4.el5 set to be updated
--> Running transaction check
---> Package uptrack-libyaml.x86_64 0:0.1.4-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================
 Package                                       Arch                           Version                                  Repository                                  Size
========================================================================================================================================================================
Installing:
 uptrack                                       noarch                         1.2.47-0.el5                             ksplice-uptrack                            667 k
Installing for dependencies:
 uptrack-PyYAML                                x86_64                         3.08-4.el5                               ol5_x86_64_ksplice                         164 k
 uptrack-libyaml                               x86_64                         0.1.4-1.el5                              ksplice-uptrack                             52 k
 uptrack-python-pycurl                         x86_64                         7.15.5.1-4.el5                           ol5_x86_64_ksplice                          31 k

Transaction Summary
========================================================================================================================================================================
Install       4 Package(s)
Upgrade       0 Package(s)

Total download size: 914 k
Downloading Packages:
(1/4): uptrack-python-pycurl-7.15.5.1-4.el5.x86_64.rpm                                                                                           |  31 kB     00:00
(2/4): uptrack-libyaml-0.1.4-1.el5.x86_64.rpm                                                                                                    |  52 kB     00:00
(3/4): uptrack-PyYAML-3.08-4.el5.x86_64.rpm                                                                                                      | 164 kB     00:00
(4/4): uptrack-1.2.47-0.el5.noarch.rpm                                                                                                           | 667 kB     00:01
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                   308 kB/s | 914 kB     00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : uptrack-python-pycurl                                                                                                                            1/4
  Installing     : uptrack-libyaml                                                                                                                                  2/4
  Installing     : uptrack-PyYAML                                                                                                                                   3/4
  Installing     : uptrack                                                                                                                                          4/4
There are no existing modules on disk that need basename migration.

Installed:
  uptrack.noarch 0:1.2.47-0.el5

Dependency Installed:
  uptrack-PyYAML.x86_64 0:3.08-4.el5                 uptrack-libyaml.x86_64 0:0.1.4-1.el5                 uptrack-python-pycurl.x86_64 0:7.15.5.1-4.el5

Complete!

  • You can also see the updates pending installation, as below.
Effective kernel version is 2.6.39-400.297.3.el5uek
The following steps will be taken:
Install [suh79ofj] Correctly clear garbage data on the kernel stack when handling signals.
Install [1sh67r01] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Install [am4utewl] CVE-2015-2686: Privilege escalation in sendto() and recvfrom() syscalls.
Install [6ex4rf8z] CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.
Install [bid2es5g] CVE-2017-7273: Denial-of-service in Crypress USB HID driver.
Install [houxosz2] CVE-2015-1465: Denial of service in IPv4 packet forwarding.
Install [iwxmcukh] CVE-2014-9710: Privilege escalation in Btrfs when replacing extended attributes.
Install [5kb8dcqi] CVE-2017-9242: Denial-of-service when using send syscall of IPV6 socket.
Install [h6osusrl] CVE-2016-9604: Permission bypass when creating key using keyring subsystem.
Install [bb8dm7ft] CVE-2016-9685: Memory leak in XFS filesystem operations.
Install [dsja5i0v] CVE-2016-10200: Denial-of-service when creating L2TP sockets using concurrent thread.
Install [f4bfciaj] CVE-2017-1000365: Privilege escalation when performing exec.
Install [t7upxzml] CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.
Install [j9s7zjzf] CVE-2017-1000251: Stack overflow in Bluetooth L2CAP config buffer.
Install [4h95f4sm] CVE-2017-1000253: Privilege escalation via stack overflow in PIE binaries.
Install [n5hdfyhm] CVE-2017-1000111: Privilege escalation when setting options on AF_PACKET socket.
Install [c8t1eenj] CVE-2017-7542: Buffer overflow when parsing IPV6 fragments header.
Install [4p5x4q18] CVE-2017-11176: Use-after-free in message queue notify syscall.
Install [7ycabyox] CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.
Install [fpz4et19] CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.
Install [5qajgmai] CVE-2017-9075: Denial-of-service in SCTPv6 sockets.
Install [gczn7k1y] CVE-2017-9077: Denial-of-service in TCPv6 sockets.
Install [qvq8bn89] CVE-2017-9074: Information leak via ipv6 fragment header.
Install [ew4sffpv] CVE-2017-1000380: Information leak when reading timer information from ALSA devices.
Install [36v62nbc] CVE-2017-7308: Memory corruption in AF_PACKET socket options.
Install [56lrpsgc] CVE-2016-10044: Permission bypass when setting up an async io filesystem.
Install [7plhqvh9] CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on IPV6 socket.
Install [clznw6t3] CVE-2017-8831: Denial-of-service when using NXP SAA7164 video driver.


  • We can install the updates for the current kernel using the command "uptrack-upgrade -y".
[root@unixchips01 ~]# uptrack-upgrade -y
The following steps will be taken:
Install [suh79ofj] Correctly clear garbage data on the kernel stack when handling signals.
Install [1sh67r01] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Install [am4utewl] CVE-2015-2686: Privilege escalation in sendto() and recvfrom() syscalls.
Install [6ex4rf8z] CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.
Install [bid2es5g] CVE-2017-7273: Denial-of-service in Crypress USB HID driver.
Install [houxosz2] CVE-2015-1465: Denial of service in IPv4 packet forwarding.
Install [iwxmcukh] CVE-2014-9710: Privilege escalation in Btrfs when replacing extended attributes.
Install [5kb8dcqi] CVE-2017-9242: Denial-of-service when using send syscall of IPV6 socket.
Install [h6osusrl] CVE-2016-9604: Permission bypass when creating key using keyring subsystem.
Install [bb8dm7ft] CVE-2016-9685: Memory leak in XFS filesystem operations.
Install [dsja5i0v] CVE-2016-10200: Denial-of-service when creating L2TP sockets using concurrent thread.
Install [f4bfciaj] CVE-2017-1000365: Privilege escalation when performing exec.
Install [t7upxzml] CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.
Install [j9s7zjzf] CVE-2017-1000251: Stack overflow in Bluetooth L2CAP config buffer.
Install [4h95f4sm] CVE-2017-1000253: Privilege escalation via stack overflow in PIE binaries.
Install [n5hdfyhm] CVE-2017-1000111: Privilege escalation when setting options on AF_PACKET socket.
Install [c8t1eenj] CVE-2017-7542: Buffer overflow when parsing IPV6 fragments header.
Install [4p5x4q18] CVE-2017-11176: Use-after-free in message queue notify syscall.
Install [7ycabyox] CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.
Install [fpz4et19] CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.
Install [5qajgmai] CVE-2017-9075: Denial-of-service in SCTPv6 sockets.
Install [gczn7k1y] CVE-2017-9077: Denial-of-service in TCPv6 sockets.
Install [qvq8bn89] CVE-2017-9074: Information leak via ipv6 fragment header.
Install [ew4sffpv] CVE-2017-1000380: Information leak when reading timer information from ALSA devices.
Install [36v62nbc] CVE-2017-7308: Memory corruption in AF_PACKET socket options.
Install [56lrpsgc] CVE-2016-10044: Permission bypass when setting up an async io filesystem.
Install [7plhqvh9] CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on IPV6 socket.
Install [clznw6t3] CVE-2017-8831: Denial-of-service when using NXP SAA7164 video driver.
Installing [suh79ofj] Correctly clear garbage data on the kernel stack when handling signals.
Installing [1sh67r01] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Installing [am4utewl] CVE-2015-2686: Privilege escalation in sendto() and recvfrom() syscalls.
Installing [6ex4rf8z] CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.
Installing [bid2es5g] CVE-2017-7273: Denial-of-service in Crypress USB HID driver.
Installing [houxosz2] CVE-2015-1465: Denial of service in IPv4 packet forwarding.
Installing [iwxmcukh] CVE-2014-9710: Privilege escalation in Btrfs when replacing extended attributes.
Installing [5kb8dcqi] CVE-2017-9242: Denial-of-service when using send syscall of IPV6 socket.
Installing [h6osusrl] CVE-2016-9604: Permission bypass when creating key using keyring subsystem.
Installing [bb8dm7ft] CVE-2016-9685: Memory leak in XFS filesystem operations.
Installing [dsja5i0v] CVE-2016-10200: Denial-of-service when creating L2TP sockets using concurrent thread.
Installing [f4bfciaj] CVE-2017-1000365: Privilege escalation when performing exec.
Installing [t7upxzml] CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.
Installing [j9s7zjzf] CVE-2017-1000251: Stack overflow in Bluetooth L2CAP config buffer.
Installing [4h95f4sm] CVE-2017-1000253: Privilege escalation via stack overflow in PIE binaries.
Installing [n5hdfyhm] CVE-2017-1000111: Privilege escalation when setting options on AF_PACKET socket.
Installing [c8t1eenj] CVE-2017-7542: Buffer overflow when parsing IPV6 fragments header.
Installing [4p5x4q18] CVE-2017-11176: Use-after-free in message queue notify syscall.
Installing [7ycabyox] CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.
Installing [fpz4et19] CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.
Installing [5qajgmai] CVE-2017-9075: Denial-of-service in SCTPv6 sockets.
Installing [gczn7k1y] CVE-2017-9077: Denial-of-service in TCPv6 sockets.
Installing [qvq8bn89] CVE-2017-9074: Information leak via ipv6 fragment header.
Installing [ew4sffpv] CVE-2017-1000380: Information leak when reading timer information from ALSA devices.
Installing [36v62nbc] CVE-2017-7308: Memory corruption in AF_PACKET socket options.
Installing [56lrpsgc] CVE-2016-10044: Permission bypass when setting up an async io filesystem.
Installing [7plhqvh9] CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on IPV6 socket.
Installing [clznw6t3] CVE-2017-8831: Denial-of-service when using NXP SAA7164 video driver.
Your kernel is fully up to date.
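
To record which advisories a rebootless update run covered, the listing above can be reduced to advisory/update-ID pairs. This is an added example, not part of the original post; the function names are assumptions, and the sample is an excerpt of the listing above, in which one CVE is fixed by two separate Ksplice updates.

```bash
# Added example (not from the original post): map Ksplice update IDs to the
# advisory IDs they fix, from text in the "Install [id] ..." format shown above.

# Excerpt of the listing above, embedded so the example runs offline.
SAMPLE='The following steps will be taken:
Install [suh79ofj] Correctly clear garbage data on the kernel stack when handling signals.
Install [1sh67r01] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Install [t7upxzml] CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.
Install [qvq8bn89] CVE-2017-9074: Information leak via ipv6 fragment header.
Install [7plhqvh9] CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on IPV6 socket.'

# Reads the listing on stdin; prints "ADVISORY<TAB>KSPLICE_ID", one pair per line.
# Updates that carry no CVE/XSA tag are reported as NO-ID so they are not lost.
ksplice_advisory_map() {
  awk '
    /^Install \[[a-z0-9]+\] / {
      id = substr($2, 2, length($2) - 2)          # strip the [ ] around the ID
      rest = $0
      sub(/^Install \[[a-z0-9]+\] /, "", rest)
      cut = index(rest, ": ")                      # advisory tags precede ": "
      head = (cut > 0) ? substr(rest, 1, cut - 1) : ""
      found = 0
      while (match(head, /(CVE-[0-9]+-[0-9]+|XSA-[0-9]+)/)) {
        printf "%s\t%s\n", substr(head, RSTART, RLENGTH), id
        head = substr(head, RSTART + RLENGTH)
        found = 1
      }
      if (!found) printf "NO-ID\t%s\n", id
    }'
}

# Distinct CVEs only; one CVE can be fixed by several Ksplice updates.
ksplice_unique_cves() {
  ksplice_advisory_map | awk -F'\t' '$1 ~ /^CVE-/ { print $1 }' | sort -u
}

printf '%s\n' "$SAMPLE" | ksplice_advisory_map
```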


Now your system is fully updated for the current kernel, and we can also check the changes in the current kernel version.


  • We can check the system status at the link below using your Oracle support credentials.

https://status-ksplice.oracle.com/status/















