Terry : Ksplice

Ksplice in Action

Install Ksplice Uptrack on Oracle Linux

First, you'll need an Oracle Linux Premier support subscription, and an access key. If you are a Premier customer and don’t have an access key, request one via ULN.

Download the Ksplice Uptrack repository installation RPM package and run the following commands as root:

rpm -i ksplice-uptrack-release.noarch.rpm
yum -y install uptrack

Edit /etc/uptrack/uptrack.conf and insert your access key. Please use the same access key for all of your systems. If you would like Uptrack to automatically install rebootless kernel updates as they become available, set autoinstall = yes.

When you are done with your Uptrack configuration, please run the following command as root to bring your kernel up to date:

[root@linux ~]# uptrack-upgrade -y
Nothing to be done.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-200.19.1.el5uek

Installing Ksplice Uptrack on Ubuntu

Request an access key here, and an access key will be emailed to you. Once you have an access key, you can use that access key on any number of computers that you administer.

Add the Ksplice repository from the command line (can be used to automate)

echo "deb http://www.ksplice.com/apt `lsb_release -sc` ksplice" | sudo tee /etc/apt/sources.list.d/ksplice.list
echo "deb-src http://www.ksplice.com/apt `lsb_release -sc` ksplice" | sudo tee -a /etc/apt/sources.list.d/ksplice.list

One-liner

echo -e "deb http://www.ksplice.com/apt `lsb_release -sc` ksplice \ndeb-src http://www.ksplice.com/apt `lsb_release -sc` ksplice" | sudo tee /etc/apt/sources.list.d/ksplice.list
# better way
echo -e "deb http://www.ksplice.com/apt $(lsb_release -sc) ksplice \ndeb-src http://www.ksplice.com/apt $(lsb_release -sc) ksplice" | sudo tee /etc/apt/sources.list.d/ksplice.list

NOTE: -e is to enable interpretation of backslash escapes for echo.

Manual way

To enable the Ksplice software repository and install Ksplice Uptrack, create /etc/apt/sources.list.d/ksplice.list with the following contents:

deb http://www.ksplice.com/apt codename ksplice
deb-src http://www.ksplice.com/apt codename ksplice

Then run the following commands as root:

apt-get install ca-certificates
wget -Nq https://www.ksplice.com/apt/ksplice-archive.asc -O- | sudo apt-key add -
echo 'uptrack uptrack/accesskey string INSERT_ACCESS_KEY' | debconf-set-selections
apt-get update
apt-get install uptrack

You will be prompted for your access key.

If you would like Uptrack to automatically install rebootless kernel updates as they become available, edit /etc/uptrack/uptrack.conf and set autoinstall = yes.

When you are done with your Uptrack configuration, please run the following command as root to bring your kernel up to date:

uptrack-upgrade -y

Supported distributions

Ksplice supports Ubuntu (including Ubuntu Server) and Fedora.

Ubuntu Server uses the same kernels as Desktop: generic-pae for x86 and generic for x86_64.

Add the Access Key in /etc/uptrack/uptrack.conf

[Auth]
accesskey = ad68366bb67507e9391d3e49b33ca134ed81d528654617b632328f3659ffbcf4

Network

Uptrack looks for proxy settings in the system-wide GConf database if https_proxy is not set explicitly.

gconf_proxy_lookup = yes

Manually set proxy

https_proxy = https://proxy.company.com:80

Ksplice uptrack directories

See the list of files installed by Ksplice uptrack

dpkg -L uptrack

A symbolic link under /lib/modules

 /lib/modules/$(uname -r).ksplice.updates pointing to -> /var/run/ksplice/modules/$(uname -r)

Uptrack cache directory (holding the downloaded patches) -> /var/cache/uptrack

NOTE: Kernel patch updates are files named -> ksplice-ID.tar.gz.

Command Line Interface

uptrack - Manage Ksplice rebootless kernel updates

NAME
       uptrack - Manage Ksplice rebootless kernel updates
SYNOPSIS
       uptrack-upgrade [OPTION]
       uptrack-install [OPTION] id...
       uptrack-remove [OPTION] id...
       uptrack-show [OPTION] [id...]
DESCRIPTION
       The Uptrack command-line tools manage the set of Ksplice rebootless kernel updates installed on your
       system. There are four major modes of operation:
       uptrack-upgrade
           Downloads and installs the latest Ksplice updates available for your system.
       uptrack-install
           Takes as arguments the update IDs to install, and installs them, downloading them if necessary.
       uptrack-remove
           Takes as arguments the update IDs to remove, and removes them.
       uptrack-show
           If invoked without additional arguments, shows the list of Ksplice updates currently installed.  If
           update IDs are passed as arguments, displays the status of those updates as well as the detailed
           information associated with them.

uptrack-upgrade

Sample (Oracle Linux 5.7):

root@fmw11g.vm.oracle.com $ uptrack-upgrade
The following steps will be taken:
Install [8ybqt8fh] Clear garbage data on the kernel stack when handling signals.
Install [t1lp2vb4] CVE-2011-1161: Information leak in transmission logic of TPM driver.
Install [xcqkb9aq] CVE-2011-1162: Information leak in TPM driver.
Install [7h5z00s5] CVE-2011-2494: Information leak in task/process statistics.
Install [pnsg8bsp] CVE-2011-3188: Weak TCP sequence number generation.
Install [ozelxo39] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Install [2ytyt2fr] CVE-2011-3191: Memory corruption in CIFS.
Install [p4lrazac] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Install [2ueimjys] CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.
Install [3vtfb7c4] CVE-2011-3593: Denial of service in VLAN with priority tagged frames.
Install [94vng7lu] CVE-2011-2699: Predictable IPv6 fragment identification numbers.

Go ahead [y/N]? y
Installing [8ybqt8fh] Clear garbage data on the kernel stack when handling signals.
Installing [t1lp2vb4] CVE-2011-1161: Information leak in transmission logic of TPM driver.
Installing [xcqkb9aq] CVE-2011-1162: Information leak in TPM driver.
Installing [7h5z00s5] CVE-2011-2494: Information leak in task/process statistics.
Installing [pnsg8bsp] CVE-2011-3188: Weak TCP sequence number generation.
Installing [ozelxo39] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Installing [2ytyt2fr] CVE-2011-3191: Memory corruption in CIFS.
Installing [p4lrazac] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Installing [2ueimjys] CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.
Installing [3vtfb7c4] CVE-2011-3593: Denial of service in VLAN with priority tagged frames.
Installing [94vng7lu] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-200.23.1.el5uek
root@fmw11g.vm.oracle.com $ uname -a
Linux fmw11g.vm.oracle.com 2.6.32-200.20.1.el5uek #1 SMP Fri Oct 7 02:29:42 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
root@fmw11g.vm.oracle.com $ uptrack-uname -a
Linux fmw11g.vm.oracle.com 2.6.32-200.23.1.el5uek #1 SMP Thu Nov 24 08:30:48 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

uptrack-upgrade (Ubuntu 11.10)

root@OptiPlex-790:~# uptrack-upgrade
The following steps will be taken:
Install [ni7t831c] Clear garbage data on the kernel stack when handling signals.
Install [30mab0rd] Improved fix to CVE-2009-4307.
Install [qs1ql2a8] Use after free in UBI driver.
Install [37j4dlef] Denial of service in Video4Linux2 ioctls.
Install [7p0xit4n] Double free on NFS server shutdown.
Install [x462i18j] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Install [jwn1hrm0] NULL dereference in the NCR53C8XX/SYM53C8XX SCSI controller drivers.
Install [i5umx6kn] Denial of service in eCryptfs.
Install [7105481s] Memory corruption in the Direct Rendering Manager.
Install [4otjdhgj] Bad SHA512 calculation under heavy load.
Go ahead [y/N]? y
Installing [ni7t831c] Clear garbage data on the kernel stack when handling signals.
Installing [30mab0rd] Improved fix to CVE-2009-4307.
Installing [qs1ql2a8] Use after free in UBI driver.
Installing [37j4dlef] Denial of service in Video4Linux2 ioctls.
Installing [7p0xit4n] Double free on NFS server shutdown.
Installing [x462i18j] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [jwn1hrm0] NULL dereference in the NCR53C8XX/SYM53C8XX SCSI controller drivers.
Installing [i5umx6kn] Denial of service in eCryptfs.
Installing [7105481s] Memory corruption in the Direct Rendering Manager.
Installing [4otjdhgj] Bad SHA512 calculation under heavy load.
Your kernel is fully up to date.
Effective kernel version is 3.0.0-16.29

uptrack-upgrade (Ubuntu 12.04 LTS default kernel 3.2.0-23-generic to 3.2.0-25-generic)

root@ubuntu:~# uptrack-upgrade
The following steps will be taken:
Install [uvtw2j9z] Clear garbage data on the kernel stack when handling signals.
Install [ifcj5sty] Kernel OOPS when using the NFS client.
Install [e0bl0d3w] Memory corruption in DRM framebuffer allocation.
Install [wirnmknq] Deadlock when using oplocked files on CIFS.
Install [nsny7a5r] Bad access control permissions to dmesg_restrict sysctl.
Install [tjha1599] NULL pointer dereference when closing a bluetooth TTY.
Install [yskly2l3] NULL pointer dereference in USB serial driver.
Install [m4x9z8y7] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
Install [f1b2y86r] CVE-2012-1601: Denial of service in KVM VCPU creation.
Install [td0igkwe] Byte counter overflow in SHA-512.
Install [4dp2c5hp] NULL pointer dereference in USB gadget FunctionFS ioctl.
Install [sc85n8ik] CVE-2012-2121: Memory leak in KVM device assignment.
Install [46fvwq34] Denial of service in PHONET message sending.
Install [l8amwzlh] NULL pointer dereference when firmware name of i2400 driver is not set.
Install [flruujbt] Denial of service in network namespace initialization.
Install [67apq2lk] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Install [amt232ak] Task hang in sync-mounted ext4 filesystems.
Install [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Install [jrlns7a9] Buffer overflow in KS8851 network driver.
Install [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Install [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Go ahead [y/N]? y
Installing [uvtw2j9z] Clear garbage data on the kernel stack when handling signals.
Installing [ifcj5sty] Kernel OOPS when using the NFS client.
Installing [e0bl0d3w] Memory corruption in DRM framebuffer allocation.
Installing [wirnmknq] Deadlock when using oplocked files on CIFS.
Installing [nsny7a5r] Bad access control permissions to dmesg_restrict sysctl.
Installing [tjha1599] NULL pointer dereference when closing a bluetooth TTY.
Installing [yskly2l3] NULL pointer dereference in USB serial driver.
Installing [m4x9z8y7] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
Installing [f1b2y86r] CVE-2012-1601: Denial of service in KVM VCPU creation.
Installing [td0igkwe] Byte counter overflow in SHA-512.
Installing [4dp2c5hp] NULL pointer dereference in USB gadget FunctionFS ioctl.
Installing [sc85n8ik] CVE-2012-2121: Memory leak in KVM device assignment.
Installing [46fvwq34] Denial of service in PHONET message sending.
Installing [l8amwzlh] NULL pointer dereference when firmware name of i2400 driver is not set.
Installing [flruujbt] Denial of service in network namespace initialization.
Installing [67apq2lk] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Installing [amt232ak] Task hang in sync-mounted ext4 filesystems.
Installing [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [jrlns7a9] Buffer overflow in KS8851 network driver.
Installing [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Installing [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Your kernel is fully up to date.
Effective kernel version is 3.2.0-25.40
root@ubuntu:~# uptrack-uname -a
Linux ubuntu 3.2.0-25-generic #40-Ubuntu SMP Wed May 23 20:30:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:~# uname -a
Linux ubuntu 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

uptrack-show

Sample - Ubuntu 11.10

root@OptiPlex-790:~# uptrack-show
Installed updates:
[ni7t831c] Clear garbage data on the kernel stack when handling signals.
[30mab0rd] Improved fix to CVE-2009-4307.
[qs1ql2a8] Use after free in UBI driver.
[37j4dlef] Denial of service in Video4Linux2 ioctls.
[7p0xit4n] Double free on NFS server shutdown.
[x462i18j] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
[jwn1hrm0] NULL dereference in the NCR53C8XX/SYM53C8XX SCSI controller drivers.
[i5umx6kn] Denial of service in eCryptfs.
[7105481s] Memory corruption in the Direct Rendering Manager.
[4otjdhgj] Bad SHA512 calculation under heavy load.
Effective kernel version is 3.0.0-16.29

Ubuntu 12.04 LTS 3.2.0-23-generic (patched to 3.2.0-25-generic)

root@ubuntu:~# uptrack-show
Installed updates:
[uvtw2j9z] Clear garbage data on the kernel stack when handling signals.
[ifcj5sty] Kernel OOPS when using the NFS client.
[e0bl0d3w] Memory corruption in DRM framebuffer allocation.
[wirnmknq] Deadlock when using oplocked files on CIFS.
[nsny7a5r] Bad access control permissions to dmesg_restrict sysctl.
[tjha1599] NULL pointer dereference when closing a bluetooth TTY.
[yskly2l3] NULL pointer dereference in USB serial driver.
[m4x9z8y7] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
[f1b2y86r] CVE-2012-1601: Denial of service in KVM VCPU creation.
[td0igkwe] Byte counter overflow in SHA-512.
[4dp2c5hp] NULL pointer dereference in USB gadget FunctionFS ioctl.
[sc85n8ik] CVE-2012-2121: Memory leak in KVM device assignment.
[46fvwq34] Denial of service in PHONET message sending.
[l8amwzlh] NULL pointer dereference when firmware name of i2400 driver is not set.
[flruujbt] Denial of service in network namespace initialization.
[67apq2lk] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
[amt232ak] Task hang in sync-mounted ext4 filesystems.
[isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
[jrlns7a9] Buffer overflow in KS8851 network driver.
[etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
[9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Effective kernel version is 3.2.0-25.40
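
The uptrack-show listings above can be checked automatically against a list of CVEs that must be patched. This is an added example, not part of the original page or of Uptrack itself; the function names are hypothetical and the sample input is constructed from the Ubuntu 11.10 output shown above.

```sh
#!/bin/sh
# Added example, not part of the original page: CVE coverage check over
# `uptrack-show` output. Function names are hypothetical.

# Constructed sample: a subset of the Ubuntu 11.10 uptrack-show output above.
sample_show() {
cat <<'EOF'
Installed updates:
[ni7t831c] Clear garbage data on the kernel stack when handling signals.
[30mab0rd] Improved fix to CVE-2009-4307.
[x462i18j] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
[4otjdhgj] Bad SHA512 calculation under heavy load.
Effective kernel version is 3.0.0-16.29
EOF
}

# Print "ID<TAB>CVE" for every installed update whose description names a CVE.
# Updates without a CVE identifier (plain bug fixes) are skipped.
cve_inventory() {
    awk '/^\[[a-z0-9]+\] / {
        id = substr($1, 2, length($1) - 2)
        if (match($0, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/))
            print id "\t" substr($0, RSTART, RLENGTH)
    }'
}

# Print the effective kernel version from the trailing status line.
effective_kernel() {
    sed -n 's/^Effective kernel version is //p'
}

# require_cves CVE-ID...
# Reads uptrack-show output on stdin; prints "MISSING <id>" for each requested
# CVE that no installed update names and returns 1 if any are missing.
require_cves() {
    covered=$(cve_inventory | cut -f2)
    rc=0
    for cve in "$@"; do
        if ! printf '%s\n' "$covered" | grep -qxF "$cve"; then
            echo "MISSING $cve"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed sample; on a real host pipe `uptrack-show` instead.
sample_show | cve_inventory
sample_show | require_cves CVE-2011-4127 CVE-2012-2123 || echo "coverage gap"
```

A CVE reported as missing only means that no installed update names it in its description.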

uptrack-remove

Ubuntu 12.04 LTS 3.2.0-23-generic patched to 3.2.0-25-generic

Remove patch ID amt232ak ([amt232ak] Task hang in sync-mounted ext4 filesystems). Uptrack also removes the updates that depend on it:

root@ubuntu:~# uptrack-remove amt232ak
The following steps will be taken:
Remove [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Remove [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Remove [jrlns7a9] Buffer overflow in KS8851 network driver.
Remove [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Remove [amt232ak] Task hang in sync-mounted ext4 filesystems.
Go ahead [y/N]? y
Removing [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Removing [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Removing [jrlns7a9] Buffer overflow in KS8851 network driver.
Removing [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Removing [amt232ak] Task hang in sync-mounted ext4 filesystems.

uptrack-install

Install patch ID (and all its dependencies automatically)

root@ubuntu:~# uptrack-install amt232ak
The following steps will be taken:
Install [amt232ak] Task hang in sync-mounted ext4 filesystems.
Go ahead [y/N]? y
Installing [amt232ak] Task hang in sync-mounted ext4 filesystems.
root@ubuntu:~# uptrack-uname -a
Linux ubuntu 3.2.0-24-generic #39-Ubuntu SMP Mon May 21 16:52:17 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

Uptrack will NOT reinstall the dependent patches that were removed; the effective kernel is 3.2.0-24-generic after the change. Running uptrack-upgrade -y afterwards is recommended:

root@ubuntu:~# uptrack-upgrade -y
The following steps will be taken:
Install [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Install [jrlns7a9] Buffer overflow in KS8851 network driver.
Install [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Install [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Installing [isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [jrlns7a9] Buffer overflow in KS8851 network driver.
Installing [etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
Installing [9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Your kernel is fully up to date.
Effective kernel version is 3.2.0-25.40
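
Because uptrack-remove also drops dependent updates and uptrack-install does not bring them back, a host can silently lose security fixes. The script below is an added example, not part of the original page or of Uptrack; it compares a saved uptrack-show baseline with the current state. The function names are hypothetical and both samples are constructed from the session above.

```sh
#!/bin/sh
# Added example, not part of the original page: report updates that were
# installed in a saved baseline but are missing now. Names are hypothetical.

# Extract update IDs from uptrack-show output on stdin, one per line, sorted.
update_ids() {
    sed -n 's/^\[\([a-z0-9]*\)] .*/\1/p' | LC_ALL=C sort
}

# missing_updates BASELINE CURRENT
# Both arguments are files holding saved `uptrack-show` output.
# Prints IDs found in BASELINE but not in CURRENT; returns 1 if any are missing.
missing_updates() {
    cur=$(mktemp) || return 2
    update_ids < "$2" > "$cur"
    # grep exits 1 when nothing is missing, so neutralise that for `set -e`.
    lost=$(update_ids < "$1" | grep -vxF -f "$cur" || true)
    rm -f "$cur"
    if [ -n "$lost" ]; then
        printf '%s\n' "$lost"
        return 1
    fi
    return 0
}

# Constructed sample: last five updates after the full uptrack-upgrade above.
sample_baseline() {
cat <<'EOF'
Installed updates:
[amt232ak] Task hang in sync-mounted ext4 filesystems.
[isifwt7t] CVE-2012-2313: Privilege escalation in the dl2k NIC.
[jrlns7a9] Buffer overflow in KS8851 network driver.
[etciqkyh] CVE-2012-2384: Integer overflow in i915 execution buffer.
[9vxgtc97] CVE-2012-2383: Integer overflow in i915 execution buffer management.
Effective kernel version is 3.2.0-25.40
EOF
}

# Constructed sample: state after `uptrack-remove amt232ak` followed by
# `uptrack-install amt232ak` (only the named update came back).
sample_current() {
cat <<'EOF'
Installed updates:
[amt232ak] Task hang in sync-mounted ext4 filesystems.
EOF
}

# Demo on the constructed samples; on a real host save `uptrack-show` output.
tmp=$(mktemp -d)
sample_baseline > "$tmp/baseline"
sample_current > "$tmp/current"
missing_updates "$tmp/baseline" "$tmp/current" || echo "run uptrack-upgrade -y"
rm -rf "$tmp"
```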

uptrack-uname

Ubuntu 12.04 LTS 3.2.0-23-generic patched to 3.2.0-25-generic

root@ubuntu:~# uptrack-uname -a
Linux ubuntu 3.2.0-25-generic #40-Ubuntu SMP Wed May 23 20:30:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:~# uname -a
Linux ubuntu 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
