Terry : Using Ksplice

Uptrack command line tools

uptrack-upgrade

Ksplice updates are the same security and bugfix updates you would get from your Linux vendor, packaged in a special rebootless form. To apply Ksplice updates, just run uptrack-upgrade:

root@tux:/etc/apt/sources.list.d# uptrack-upgrade 
The following steps will be taken:
Install [648z62mz] Clear garbage data on the kernel stack when handling signals.
Install [wqhjfgsm] CVE-2011-2494: Information leak in taskstats.
Install [58pp54fj] CVE-2011-2495: Information leak in /proc/PID/io.
Install [jeakcnt6] CVE-2011-2909: Information leak in comedi driver.
Install [do8qkuap] CVE-2011-2517: Buffer overflow in 802.11 netlink interface.
Install [nyvr1mx3] CVE-2011-2183: NULL pointer dereference in ksmd.
Install [gvozbijz] CVE-2011-2491: Local denial of service in NLM subsystem.
Install [ys1dd0rb] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.
Install [ecun0cuj] CVE-2011-4077: Buffer overflow in xfs_readlink.
Install [skvu8u6c] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Install [lck89tpz] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Install [nguw1aoj] CVE-2011-1162: Information leak in TPM driver.
Install [44zvqgzy] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Install [mgmwkorb] CVE-2011-4110: Denial of service in kernel key management facilities.
Install [grijo2hx] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Install [h779xptu] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.
Install [a2w0j6o0] CVE-2012-0038: In-memory corruption in XFS ACL processing.
Install [mwdps6od] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.
Install [hjwlk8nu] CVE-2012-0207: Denial of service bug in IGMP.
Install [kze1qpw3] CVE-2011-2518: NULL pointer dereference in Tomoyo security module.
Install [9m3xq8q8] CVE-2011-4097: Integer overflow of points in oom_badness.
Go ahead [y/N]? 

You can apply all available updates at once, bringing your system up to date without a reboot, by running uptrack-upgrade -y, or you can apply updates individually by specifying a Ksplice ID (the characters in brackets in the output above).

uptrack-show

You can see what updates have been installed by running uptrack-show.

root@tux:/etc/apt/sources.list.d# uptrack-show
Installed updates:
[648z62mz] Clear garbage data on the kernel stack when handling signals.
[wqhjfgsm] CVE-2011-2494: Information leak in taskstats.
[58pp54fj] CVE-2011-2495: Information leak in /proc/PID/io.
[jeakcnt6] CVE-2011-2909: Information leak in comedi driver.
[do8qkuap] CVE-2011-2517: Buffer overflow in 802.11 netlink interface.
[nyvr1mx3] CVE-2011-2183: NULL pointer dereference in ksmd.
[gvozbijz] CVE-2011-2491: Local denial of service in NLM subsystem.
[ys1dd0rb] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.
[ecun0cuj] CVE-2011-4077: Buffer overflow in xfs_readlink.
[skvu8u6c] CVE-2011-4132: Denial of service in Journaling Block Device layer.
[lck89tpz] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
[nguw1aoj] CVE-2011-1162: Information leak in TPM driver.
[44zvqgzy] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
[mgmwkorb] CVE-2011-4110: Denial of service in kernel key management facilities.
[grijo2hx] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
[h779xptu] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.
[a2w0j6o0] CVE-2012-0038: In-memory corruption in XFS ACL processing.
[mwdps6od] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.
[hjwlk8nu] CVE-2012-0207: Denial of service bug in IGMP.
[kze1qpw3] CVE-2011-2518: NULL pointer dereference in Tomoyo security module.
[9m3xq8q8] CVE-2011-4097: Integer overflow of points in oom_badness.
Effective kernel version is 2.6.38-13.56

You can see what updates are available to be installed by running uptrack-show --available.

uptrack-remove

Removing Ksplice updates is easy: just run uptrack-remove. As with uptrack-upgrade, you can uninstall all updates, bringing you back to your original stock kernel, or uninstall individual updates by specifying a Ksplice ID.

root@tux:/etc/apt/sources.list.d# uptrack-remove --all
The following steps will be taken:
Remove [9m3xq8q8] CVE-2011-4097: Integer overflow of points in oom_badness.
Remove [kze1qpw3] CVE-2011-2518: NULL pointer dereference in Tomoyo security module.
Remove [hjwlk8nu] CVE-2012-0207: Denial of service bug in IGMP.
Remove [mwdps6od] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.
Remove [a2w0j6o0] CVE-2012-0038: In-memory corruption in XFS ACL processing.
Remove [h779xptu] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.
Remove [grijo2hx] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Remove [mgmwkorb] CVE-2011-4110: Denial of service in kernel key management facilities.
Remove [44zvqgzy] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Remove [nguw1aoj] CVE-2011-1162: Information leak in TPM driver.
Remove [lck89tpz] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Remove [skvu8u6c] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Remove [ecun0cuj] CVE-2011-4077: Buffer overflow in xfs_readlink.
Remove [ys1dd0rb] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.
Remove [gvozbijz] CVE-2011-2491: Local denial of service in NLM subsystem.
Remove [nyvr1mx3] CVE-2011-2183: NULL pointer dereference in ksmd.
Remove [do8qkuap] CVE-2011-2517: Buffer overflow in 802.11 netlink interface.
Remove [jeakcnt6] CVE-2011-2909: Information leak in comedi driver.
Remove [58pp54fj] CVE-2011-2495: Information leak in /proc/PID/io.
Remove [wqhjfgsm] CVE-2011-2494: Information leak in taskstats.
Remove [648z62mz] Clear garbage data on the kernel stack when handling signals.
Go ahead [y/N]? y
Removing [9m3xq8q8] CVE-2011-4097: Integer overflow of points in oom_badness.
Removing [kze1qpw3] CVE-2011-2518: NULL pointer dereference in Tomoyo security module.
Removing [hjwlk8nu] CVE-2012-0207: Denial of service bug in IGMP.
Removing [mwdps6od] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.
Removing [a2w0j6o0] CVE-2012-0038: In-memory corruption in XFS ACL processing.
Removing [h779xptu] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.
Removing [grijo2hx] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Removing [mgmwkorb] CVE-2011-4110: Denial of service in kernel key management facilities.
Removing [44zvqgzy] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Removing [nguw1aoj] CVE-2011-1162: Information leak in TPM driver.
Removing [lck89tpz] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Removing [skvu8u6c] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Removing [ecun0cuj] CVE-2011-4077: Buffer overflow in xfs_readlink.
Removing [ys1dd0rb] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.
Removing [gvozbijz] CVE-2011-2491: Local denial of service in NLM subsystem.
Removing [nyvr1mx3] CVE-2011-2183: NULL pointer dereference in ksmd.
Removing [do8qkuap] CVE-2011-2517: Buffer overflow in 802.11 netlink interface.
Removing [jeakcnt6] CVE-2011-2909: Information leak in comedi driver.
Removing [58pp54fj] CVE-2011-2495: Information leak in /proc/PID/io.
Removing [wqhjfgsm] CVE-2011-2494: Information leak in taskstats.
Removing [648z62mz] Clear garbage data on the kernel stack when handling signals.
root@tux:/etc/apt/sources.list.d# 
root@tux:/etc/apt/sources.list.d# uptrack-uname -a
Linux tux 2.6.38-12-generic #51-Ubuntu SMP Wed Sep 28 14:27:32 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

uptrack-uname

Ksplice Uptrack does not change the output of uname, and uname will continue to reflect the version of the kernel into which a machine was booted.

Instead, once you install updates, use uptrack-uname to see what effective kernel a machine is running. uptrack-uname has the same format as uname and supports the common uname flags, including -r and -a.

Before installing updates, the original kernel and effective kernel are the same, and uname and uptrack-uname report the same information.

root@tux:/etc/apt/sources.list.d# uptrack-show 
Installed updates:
None
Effective kernel version is 2.6.38-12.51
root@tux:/etc/apt/sources.list.d# uptrack-uname -a
Linux tux 2.6.38-12-generic #51-Ubuntu SMP Wed Sep 28 14:27:32 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

After installing updates, uptrack-uname reflects the updated running kernel.

root@tux:/etc/apt/sources.list.d# uname -a
Linux tux 2.6.38-12-generic #51-Ubuntu SMP Wed Sep 28 14:27:32 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
root@tux:/etc/apt/sources.list.d# uptrack-uname -a
Linux tux 2.6.38-13-generic #56-Ubuntu SMP Tue Feb 14 12:39:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
root@tux:/etc/apt/sources.list.d# uptrack-show
Installed updates:
[648z62mz] Clear garbage data on the kernel stack when handling signals.
[wqhjfgsm] CVE-2011-2494: Information leak in taskstats.
[58pp54fj] CVE-2011-2495: Information leak in /proc/PID/io.
[jeakcnt6] CVE-2011-2909: Information leak in comedi driver.
[do8qkuap] CVE-2011-2517: Buffer overflow in 802.11 netlink interface.
[nyvr1mx3] CVE-2011-2183: NULL pointer dereference in ksmd.
[gvozbijz] CVE-2011-2491: Local denial of service in NLM subsystem.
[ys1dd0rb] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.
[ecun0cuj] CVE-2011-4077: Buffer overflow in xfs_readlink.
[skvu8u6c] CVE-2011-4132: Denial of service in Journaling Block Device layer.
[lck89tpz] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
[nguw1aoj] CVE-2011-1162: Information leak in TPM driver.
[44zvqgzy] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
[mgmwkorb] CVE-2011-4110: Denial of service in kernel key management facilities.
[grijo2hx] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
[h779xptu] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.
[a2w0j6o0] CVE-2012-0038: In-memory corruption in XFS ACL processing.
[mwdps6od] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.
[hjwlk8nu] CVE-2012-0207: Denial of service bug in IGMP.
[kze1qpw3] CVE-2011-2518: NULL pointer dereference in Tomoyo security module.
[9m3xq8q8] CVE-2011-4097: Integer overflow of points in oom_badness.
Effective kernel version is 2.6.38-13.56

You can also see a machine's effective kernel on your web interface or through our API.
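Because uname still reports the booted kernel, inventory and vulnerability scanners that key on uname -r will under-report a Ksplice-patched host. The following POSIX shell script is an added example (not part of the Ksplice documentation) of the check that implies: it extracts the installed CVE fixes and the effective kernel from uptrack-show output, compares the effective kernel with uname -r, and lists required CVEs that are not yet installed. It runs against constructed sample output copied from the sessions above and falls back to the live commands only when uptrack-show is present.

```shell
#!/bin/sh
# Added example: audit Ksplice patch state from uptrack-show / uname output.

# Constructed sample of `uptrack-show` output (subset of the session above).
SAMPLE_SHOW='Installed updates:
[wqhjfgsm] CVE-2011-2494: Information leak in taskstats.
[ecun0cuj] CVE-2011-4077: Buffer overflow in xfs_readlink.
[9m3xq8q8] CVE-2011-4097: Integer overflow of points in oom_badness.
Effective kernel version is 2.6.38-13.56'
# Constructed sample of `uname -r` on the same host (the booted kernel).
SAMPLE_UNAME_R='2.6.38-12-generic'

# installed_cves SHOW_OUTPUT -> space-separated CVE ids listed as installed
installed_cves() {
    printf '%s\n' "$1" | sed -n 's/^\[[a-z0-9]*\] \(CVE-[0-9]*-[0-9]*\):.*/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# missing_cves SHOW_OUTPUT "CVE-... CVE-..." -> required CVEs not installed
missing_cves() {
    have=" $(installed_cves "$1") "
    out=""
    for cve in $2; do
        case "$have" in
            *" $cve "*) ;;                 # fix is installed
            *) out="$out $cve" ;;          # still missing
        esac
    done
    printf '%s' "${out# }"
}

# effective_kernel SHOW_OUTPUT -> value of "Effective kernel version is ..."
effective_kernel() {
    printf '%s\n' "$1" | sed -n 's/^Effective kernel version is \(.*\)$/\1/p'
}

# booted_abi UNAME_R -> version-ABI prefix, e.g. 2.6.38-12-generic -> 2.6.38-12
booted_abi() {
    printf '%s\n' "$1" | sed 's/^\([0-9.]*-[0-9]*\).*/\1/'
}

# kernel_drifted SHOW_OUTPUT UNAME_R -> "yes" when uname -r under-reports
kernel_drifted() {
    case "$(effective_kernel "$1")" in
        "$(booted_abi "$2")".*) printf 'no' ;;
        *) printf 'yes' ;;
    esac
}

# Use the live host when uptrack-show exists, otherwise the constructed sample.
if command -v uptrack-show >/dev/null 2>&1; then
    show=$(uptrack-show); unamer=$(uname -r)
else
    show=$SAMPLE_SHOW; unamer=$SAMPLE_UNAME_R
fi
echo "effective kernel : $(effective_kernel "$show")"
echo "uname -r drifted : $(kernel_drifted "$show" "$unamer")"
echo "missing CVEs     : $(missing_cves "$show" "CVE-2011-4077 CVE-2012-0038")"
```

Replace the CVE list passed to missing_cves with the fixes your own policy requires; a "yes" from kernel_drifted means scanners reading uname -r will report the booted, not the effective, kernel.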

Automatic updates

You can configure your systems to automatically install updates as they become available. To enable autoinstall, set autoinstall = yes in your /etc/uptrack/uptrack.conf, or pass the --autoinstall flag during installation.

Autoinstall is our most popular configuration. It is a scalable way to ensure that updates get installed quickly as they become available, regardless of when they are released.

Please note that enabling autoinstall does not mean the Uptrack client itself is automatically upgraded. You will be notified via e-mail when a new Uptrack client is available, and it can be upgraded through your package manager.

Your Package Manager

Ksplice Uptrack updates your running kernel in memory. We recommend that, in addition to using Ksplice, you continue to use your package manager to update the kernel on disk as new kernels become available. That way, if a reboot becomes necessary (e.g. power loss or a hardware upgrade), you have the option of booting into a newer kernel. Under this plan, you would install all the updates available via both Ksplice Uptrack and your package manager.

Ksplice Uptrack also works great in environments where it is desirable to stay with a particular original kernel version (e.g. because of third party modules that are compiled against that kernel) but you want to stay up to date with all the important security and reliability updates for your kernel.

By default, Ksplice Uptrack will reinstall rebootless updates during the boot process. That way you remain secure even after a reboot. You can configure this behavior with the install_on_reboot option in your /etc/uptrack/uptrack.conf.

Firewall and proxy configuration

The Uptrack client communicates with the Uptrack server by connecting to https://updates.ksplice.com:443. You can either make your firewall allow those connections, or configure the Uptrack client to use a proxy server.

To configure Ksplice Uptrack to use a proxy server, edit your /etc/uptrack/uptrack.conf and set the https_proxy option (in the [Network] section) to a value of the form [protocol://]host[:port].
