Ksplice in Action
Install Ksplice Uptrack on Oracle Linux
First, you'll need an Oracle Linux Premier support subscription, and an access key. If you are a Premier customer and don’t have an access key, request one via ULN.
Download the Ksplice Uptrack repository installation RPM package and run the following commands as root:
rpm -i ksplice-uptrack-release.noarch.rpm
yum -y install uptrack
Edit /etc/uptrack/uptrack.conf and insert your access key. Please use the same access key for all of your systems. If you would like Uptrack to automatically install rebootless kernel updates as they become available, set autoinstall = yes.
When you are done with your Uptrack configuration, please run the following command as root to bring your kernel up to date:
[root@linux ~]# uptrack-upgrade -y
Nothing to be done.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-200.19.1.el5uek
Installing Ksplice Uptrack on Ubuntu
Request an access key here, and an access key will be emailed to you. Once you have an access key, you can use that access key on any number of computers that you administer.
Add Ksplice repository in CLI (can be used to automate)
echo "deb http://www.ksplice.com/apt `lsb_release -sc` ksplice" | sudo tee /etc/apt/sources.list.d/ksplice.list
echo "deb-src http://www.ksplice.com/apt `lsb_release -sc` ksplice" | sudo tee -a /etc/apt/sources.list.d/ksplice.list
One-liner
echo -e "deb http://www.ksplice.com/apt `lsb_release -sc` ksplice \ndeb-src http://www.ksplice.com/apt `lsb_release -sc` ksplice" | sudo tee /etc/apt/sources.list.d/ksplice.list
# Better: use $(...) command substitution instead of backticks
echo -e "deb http://www.ksplice.com/apt $(lsb_release -sc) ksplice \ndeb-src http://www.ksplice.com/apt $(lsb_release -sc) ksplice" | sudo tee /etc/apt/sources.list.d/ksplice.list
NOTE: -e enables interpretation of backslash escapes in echo.
Manual way
To enable the Ksplice software repository and install Ksplice Uptrack, create /etc/apt/sources.list.d/ksplice.list with the following contents:
deb http://www.ksplice.com/apt codename ksplice
deb-src http://www.ksplice.com/apt codename ksplice
Then run the following commands as root:
apt-get install ca-certificates
wget -Nq https://www.ksplice.com/apt/ksplice-archive.asc -O- | sudo apt-key add -
echo 'uptrack uptrack/accesskey string INSERT_ACCESS_KEY' | debconf-set-selections
apt-get update
apt-get install uptrack
You will be prompted for your access key.
If you would like Uptrack to automatically install rebootless kernel updates as they become available, edit /etc/uptrack/uptrack.conf and set autoinstall = yes.
When you are done with your Uptrack configuration, please run the following command as root to bring your kernel up to date:
uptrack-upgrade -y
Supported distributions
Add the Access Key in /etc/uptrack/uptrack.conf
[Auth]
accesskey = ad68366bb67507e9391d3e49b33ca134ed81d528654617b632328f3659ffbcf4
Network
Uptrack looks for proxy settings in the system-wide GConf database if https_proxy is not set explicitly.
gconf_proxy_lookup = yes
Manually set proxy
https_proxy = https://proxy.company.com:80
Ksplice uptrack directories
See the list of files installed by Ksplice uptrack
dpkg -L uptrack
A symbolic link under /lib/modules
/lib/modules/$(uname -r).ksplice.updates pointing to -> /var/run/ksplice/modules/$(uname -r)
Uptrack cache directory (holding the downloaded patches) -> /var/cache/uptrack
NOTE: Kernel patch updates are files named -> ksplice-ID.tar.gz.
Command Line Interface
uptrack - Manage Ksplice rebootless kernel updates
NAME
    uptrack - Manage Ksplice rebootless kernel updates

SYNOPSIS
    uptrack-upgrade [OPTION]
    uptrack-install [OPTION] id...
    uptrack-remove [OPTION] id...
    uptrack-show [OPTION] [id...]

DESCRIPTION
    The Uptrack command-line tools manage the set of Ksplice rebootless kernel updates installed on your system. There are four major modes of operation:

    uptrack-upgrade
        Downloads and installs the latest Ksplice updates available for your system.

    uptrack-install
        Takes as arguments the update IDs to install, and installs them, downloading them if necessary.

    uptrack-remove
        Takes as arguments the update IDs to remove, and removes them.

    uptrack-show
        If invoked without additional arguments, shows the list of Ksplice updates currently installed. If update IDs are passed as arguments, displays the status of those updates as well as the detailed information associated with them.
uptrack-upgrade
Sample (Oracle Linux 5.7):
root@fmw11g.vm.oracle.com $ uptrack-upgrade
The following steps will be taken:
Install [8ybqt8fh] Clear garbage data on the kernel stack when handling signals.
Install [t1lp2vb4] CVE-2011-1161: Information leak in transmission logic of TPM driver.
Install [xcqkb9aq] CVE-2011-1162: Information leak in TPM driver.
Install [7h5z00s5] CVE-2011-2494: Information leak in task/process statistics.
Install [pnsg8bsp] CVE-2011-3188: Weak TCP sequence number generation.
Install [ozelxo39] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Install [2ytyt2fr] CVE-2011-3191: Memory corruption in CIFS.
Install [p4lrazac] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Install [2ueimjys] CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.
Install [3vtfb7c4] CVE-2011-3593: Denial of service in VLAN with priority tagged frames.
Install [94vng7lu] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Go ahead [y/N]? y
Installing [8ybqt8fh] Clear garbage data on the kernel stack when handling signals.
Installing [t1lp2vb4] CVE-2011-1161: Information leak in transmission logic of TPM driver.
Installing [xcqkb9aq] CVE-2011-1162: Information leak in TPM driver.
Installing [7h5z00s5] CVE-2011-2494: Information leak in task/process statistics.
Installing [pnsg8bsp] CVE-2011-3188: Weak TCP sequence number generation.
Installing [ozelxo39] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Installing [2ytyt2fr] CVE-2011-3191: Memory corruption in CIFS.
Installing [p4lrazac] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Installing [2ueimjys] CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.
Installing [3vtfb7c4] CVE-2011-3593: Denial of service in VLAN with priority tagged frames.
Installing [94vng7lu] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-200.23.1.el5uek
root@fmw11g.vm.oracle.com $ uname -a
Linux fmw11g.vm.oracle.com 2.6.32-200.20.1.el5uek #1 SMP Fri Oct 7 02:29:42 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
root@fmw11g.vm.oracle.com $ uptrack-uname -a
Linux fmw11g.vm.oracle.com 2.6.32-200.23.1.el5uek #1 SMP Thu Nov 24 08:30:48 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
uptrack-upgrade (Ubuntu 11.10)
root@OptiPlex-790:~# uptrack-upgrade
The following steps will be taken:
Install [ni7t831c] Clear garbage data on the kernel stack when handling signals.
Install [30mab0rd] Improved fix to CVE-2009-4307.
Install [qs1ql2a8] Use after free in UBI driver.
Install [37j4dlef] Denial of service in Video4Linux2 ioctls.
Install [7p0xit4n] Double free on NFS server shutdown.
Install [x462i18j] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Install [jwn1hrm0] NULL dereference in the NCR53C8XX/SYM53C8XX SCSI controller drivers.
Install [i5umx6kn] Denial of service in eCryptfs.
Install [7105481s] Memory corruption in the Direct Rendering Manager.
Install [4otjdhgj] Bad SHA512 calculation under heavy load.
Go ahead [y/N]? y
Installing [ni7t831c] Clear garbage data on the kernel stack when handling signals.
Installing [30mab0rd] Improved fix to CVE-2009-4307.
Installing [qs1ql2a8] Use after free in UBI driver.
Installing [37j4dlef] Denial of service in Video4Linux2 ioctls.
Installing [7p0xit4n] Double free on NFS server shutdown.
Installing [x462i18j] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [jwn1hrm0] NULL dereference in the NCR53C8XX/SYM53C8XX SCSI controller drivers.
Installing [i5umx6kn] Denial of service in eCryptfs.
Installing [7105481s] Memory corruption in the Direct Rendering Manager.
Installing [4otjdhgj] Bad SHA512 calculation under heavy load.
Your kernel is fully up to date.
Effective kernel version is 3.0.0-16.29
uptrack-upgrade (Ubuntu 12.04 LTS default kernel 3.2.0-23-generic to 3.2.0-25-generic)
root@ubuntu:~# uptrack-upgrade
The following steps will be taken:
Install [uvtw2j9z] Clear garbage data on the kernel stack when handling signals.
Install [ifcj5sty] Kernel OOPS when using the NFS client.
Install [e0bl0d3w] Memory corruption in DRM framebuffer allocation.
Install [wirnmknq] Deadlock when using oplocked files on CIFS.
Install [nsny7a5r] Bad access control permissions to dmesg_restrict sysctl.
Install [tjha1599] NULL pointer dereference when closing a bluetooth TTY.
Install [yskly2l3] NULL pointer dereference in USB serial driver.
Install [m4x9z8y7] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
Install [f1b2y86r] CVE-2012-1601: Denial of service in KVM VCPU creation.
Install [td0igkwe] Byte counter overflow in SHA-512.
Install [4dp2c5hp] NULL pointer dereference in USB gadget FunctionFS ioctl.
Install [sc85n8ik] CVE-2012-2121: Memory leak in KVM device assignment.
Install [46fvwq34] Denial of service in PHONET message sending.
Install [l8amwzlh] NULL pointer dereference when firmware name of i2400 driver is not set.
Install [flruujbt] Denial of service in network namespace initialization.
Install [67apq2lk] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Install [amt232ak] Task hang in sync-mounted ext4 filesystems.
Install [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Install [jrlns7a9] Buffer overflow in KS8851 network driver.
Install [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Install [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Go ahead [y/N]? y
Installing [uvtw2j9z] Clear garbage data on the kernel stack when handling signals.
Installing [ifcj5sty] Kernel OOPS when using the NFS client.
Installing [e0bl0d3w] Memory corruption in DRM framebuffer allocation.
Installing [wirnmknq] Deadlock when using oplocked files on CIFS.
Installing [nsny7a5r] Bad access control permissions to dmesg_restrict sysctl.
Installing [tjha1599] NULL pointer dereference when closing a bluetooth TTY.
Installing [yskly2l3] NULL pointer dereference in USB serial driver.
Installing [m4x9z8y7] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
Installing [f1b2y86r] CVE-2012-1601: Denial of service in KVM VCPU creation.
Installing [td0igkwe] Byte counter overflow in SHA-512.
Installing [4dp2c5hp] NULL pointer dereference in USB gadget FunctionFS ioctl.
Installing [sc85n8ik] CVE-2012-2121: Memory leak in KVM device assignment.
Installing [46fvwq34] Denial of service in PHONET message sending.
Installing [l8amwzlh] NULL pointer dereference when firmware name of i2400 driver is not set.
Installing [flruujbt] Denial of service in network namespace initialization.
Installing [67apq2lk] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Installing [amt232ak] Task hang in sync-mounted ext4 filesystems.
Installing [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [jrlns7a9] Buffer overflow in KS8851 network driver.
Installing [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Installing [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Your kernel is fully up to date.
Effective kernel version is 3.2.0-25.40
root@ubuntu:~# uptrack-uname -a
Linux ubuntu 3.2.0-25-generic #40-Ubuntu SMP Wed May 23 20:30:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:~# uname -a
Linux ubuntu 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
uptrack-show
Sample - Ubuntu 11.10
root@OptiPlex-790:~# uptrack-show
Installed updates:
[ni7t831c] Clear garbage data on the kernel stack when handling signals.
[30mab0rd] Improved fix to CVE-2009-4307.
[qs1ql2a8] Use after free in UBI driver.
[37j4dlef] Denial of service in Video4Linux2 ioctls.
[7p0xit4n] Double free on NFS server shutdown.
[x462i18j] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
[jwn1hrm0] NULL dereference in the NCR53C8XX/SYM53C8XX SCSI controller drivers.
[i5umx6kn] Denial of service in eCryptfs.
[7105481s] Memory corruption in the Direct Rendering Manager.
[4otjdhgj] Bad SHA512 calculation under heavy load.
Effective kernel version is 3.0.0-16.29
Ubuntu 12.04 LTS 3.2.0-23-generic (patched to 3.2.0-25-generic)
root@ubuntu:~# uptrack-show
Installed updates:
[uvtw2j9z] Clear garbage data on the kernel stack when handling signals.
[ifcj5sty] Kernel OOPS when using the NFS client.
[e0bl0d3w] Memory corruption in DRM framebuffer allocation.
[wirnmknq] Deadlock when using oplocked files on CIFS.
[nsny7a5r] Bad access control permissions to dmesg_restrict sysctl.
[tjha1599] NULL pointer dereference when closing a bluetooth TTY.
[yskly2l3] NULL pointer dereference in USB serial driver.
[m4x9z8y7] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
[f1b2y86r] CVE-2012-1601: Denial of service in KVM VCPU creation.
[td0igkwe] Byte counter overflow in SHA-512.
[4dp2c5hp] NULL pointer dereference in USB gadget FunctionFS ioctl.
[sc85n8ik] CVE-2012-2121: Memory leak in KVM device assignment.
[46fvwq34] Denial of service in PHONET message sending.
[l8amwzlh] NULL pointer dereference when firmware name of i2400 driver is not set.
[flruujbt] Denial of service in network namespace initialization.
[67apq2lk] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
[amt232ak] Task hang in sync-mounted ext4 filesystems.
[isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
[jrlns7a9] Buffer overflow in KS8851 network driver.
[etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
[9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Effective kernel version is 3.2.0-25.40
uptrack-remove
Ubuntu 12.04 LTS 3.2.0-23-generic patched to 3.2.0-25-generic
Remove patch ID amt232ak ([amt232ak] Task hang in sync-mounted ext4 filesystems). Uptrack removes the dependent updates as well:
root@ubuntu:~# uptrack-remove amt232ak
The following steps will be taken:
Remove [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Remove [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Remove [jrlns7a9] Buffer overflow in KS8851 network driver.
Remove [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Remove [amt232ak] Task hang in sync-mounted ext4 filesystems.
Go ahead [y/N]? y
Removing [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Removing [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Removing [jrlns7a9] Buffer overflow in KS8851 network driver.
Removing [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Removing [amt232ak] Task hang in sync-mounted ext4 filesystems.
uptrack-install
Install patch ID (and all its dependencies automatically)
root@ubuntu:~# uptrack-install amt232ak
The following steps will be taken:
Install [amt232ak] Task hang in sync-mounted ext4 filesystems.
Go ahead [y/N]? y
Installing [amt232ak] Task hang in sync-mounted ext4 filesystems.
root@ubuntu:~# uptrack-uname -a
Linux ubuntu 3.2.0-24-generic #39-Ubuntu SMP Mon May 21 16:52:17 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Uptrack will NOT reinstall the dependent patches that were removed; the effective kernel after the change is 3.2.0-24-generic. Running uptrack-upgrade -y afterwards is recommended:
root@ubuntu:~# uptrack-upgrade -y
The following steps will be taken:
Install [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Install [jrlns7a9] Buffer overflow in KS8851 network driver.
Install [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Install [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Installing [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [jrlns7a9] Buffer overflow in KS8851 network driver.
Installing [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Installing [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Your kernel is fully up to date.
Effective kernel version is 3.2.0-25.40
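The remove/install sequence above leaves four updates, three of them CVE fixes, uninstalled until uptrack-upgrade is run again. The script below is an added example (not from the original page or from Ksplice) that compares two saved uptrack-show listings and reports what dropped out; the function names are hypothetical and the two sample listings are constructed from the output shown above.

```sh
#!/bin/sh
# Added example: compare two saved `uptrack-show` listings and report updates
# that were installed in the baseline but are absent now.
# Function names are hypothetical; sample data is trimmed from the output above.

# Extract update IDs (the bracketed tokens) from uptrack-show output on stdin.
uptrack_ids() {
    sed -n 's/^[[:space:]]*\[\([a-z0-9][a-z0-9]*\)\].*/\1/p'
}

# $1 = baseline listing, $2 = current listing.
# Prints each baseline update line whose ID is missing from the current listing.
uptrack_missing() {
    current_ids=$(printf '%s\n' "$2" | uptrack_ids)
    printf '%s\n' "$1" | while IFS= read -r line; do
        id=$(printf '%s\n' "$line" | uptrack_ids)
        [ -n "$id" ] || continue          # skip header and footer lines
        printf '%s\n' "$current_ids" | grep -qxF -- "$id" || printf '%s\n' "$line"
    done
}

# CVE identifiers whose fixes are missing from the current listing.
uptrack_missing_cves() {
    uptrack_missing "$1" "$2" | grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
}

# Baseline: tail of the fully patched listing (constructed from the page's output).
BASELINE='Installed updates:
[67apq2lk] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
[amt232ak] Task hang in sync-mounted ext4 filesystems.
[isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
[jrlns7a9] Buffer overflow in KS8851 network driver.
[etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
[9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.'

# Current: same host after `uptrack-remove amt232ak` then `uptrack-install amt232ak`.
CURRENT='Installed updates:
[67apq2lk] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
[amt232ak] Task hang in sync-mounted ext4 filesystems.'

echo "Updates missing relative to baseline:"
uptrack_missing "$BASELINE" "$CURRENT"
echo "CVE fixes no longer applied:"
uptrack_missing_cves "$BASELINE" "$CURRENT"
```

On a live host, replace the two sample variables with a stored baseline and the output of uptrack-show captured at audit time.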
uptrack-uname
Ubuntu 12.04 LTS 3.2.0-23-generic patched to 3.2.0-25-generic
root@ubuntu:~# uptrack-uname -a
Linux ubuntu 3.2.0-25-generic #40-Ubuntu SMP Wed May 23 20:30:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:~# uname -a
Linux ubuntu 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux