News, tips, partners, and perspectives for Oracle’s virtualization offerings
-
Perspectives
September 23, 2017
Ksplice Zero-downtime Patching for User Space Packages
Oracle has provided thousands of Ksplice kernel patches to address Linux kernel security issues. But many vulnerabilities are in user space.
Heartbleed is a good example of a huge user space openssl vulnerability that left thousands of servers at risk and cost companies hundreds of millions of dollars. glibc is another essential package in user space. With Ksplice for Oracle Linux, you are able to install bug fixes and protect your system against security vulnerabilities, in the user space or kernel, without having to restart your running process, service, or system.
It's easy and simple to install the Ksplice enhanced client for Oracle Linux 7 and Oracle Linux 6. You manage the enhanced Ksplice client by using the ksplice command to patch in-memory pages of Ksplice-aware shared libraries such as glibc and openssl for user space processes in addition to the kernel updates.
First, subscribe to the Ksplice channels on Unbreakable Linux Network (ULN). For Oracle Linux 7, they are
- Ksplice for Oracle Linux 7 (x86_64)
- Ksplice aware userspace packages for Oracle Linux 7 (x86_64)
Second, install the Ksplice enhanced client.
# yum install -y ksplice Loaded plugins: langpacks, rhnplugin, ulninfo This system is receiving updates from ULN. ol7_x86_64_ksplice | 1.2 kB 00:00 ol7_x86_64_ksplice/updateinfo | 2.6 kB 00:00 ol7_x86_64_ksplice/primary | 397 kB 00:00 ol7_x86_64_ksplice 3739/3739 Resolving Dependencies --> Running transaction check ---> Package ksplice.x86_64 0:1.0.25-1.el7 will be installed --> Processing Dependency: ksplice-tools = 1.0.25-1.el7 for package: ksplice-1.0.25-1.el7.x86_64 --> Processing Dependency: ksplice-core0 = 1.0.25-1.el7 for package: ksplice-1.0.25-1.el7.x86_64 --> Running transaction check ---> Package ksplice-core0.x86_64 0:1.0.25-1.el7 will be installed --> Processing Dependency: libboost_filesystem-mt.so.1.53.0()(64bit) for package: ksplice-core0-1.0.25-1.el7.x86_64 --> Processing Dependency: libboost_regex-mt.so.1.53.0()(64bit) for package: ksplice-core0-1.0.25-1.el7.x86_64 --> Processing Dependency: libboost_python-mt.so.1.53.0()(64bit) for package: ksplice-core0-1.0.25-1.el7.x86_64 ---> Package ksplice-tools.x86_64 0:1.0.25-1.el7 will be installed --> Running transaction check ---> Package boost-filesystem.x86_64 0:1.53.0-27.el7 will be installed ---> Package boost-python.x86_64 0:1.53.0-27.el7 will be installed ---> Package boost-regex.x86_64 0:1.53.0-27.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: ksplice x86_64 1.0.25-1.el7 ol7_x86_64_ksplice 5.0 k Installing for dependencies: boost-filesystem x86_64 1.53.0-27.el7 ol7_x86_64_latest 67 k boost-python x86_64 1.53.0-27.el7 ol7_x86_64_latest 128 k boost-regex x86_64 1.53.0-27.el7 ol7_x86_64_latest 300 k ksplice-core0 x86_64 1.0.25-1.el7 ol7_x86_64_ksplice 232 k ksplice-tools x86_64 1.0.25-1.el7 ol7_x86_64_ksplice 88 k Transaction Summary ================================================================================ Install 1 Package (+5 Dependent packages) Total download size: 820 k Installed size: 3.8 M Downloading packages: (1/6): boost-filesystem-1.53.0-27.el7.x86_64.rpm | 67 kB 00:00 (2/6): boost-python-1.53.0-27.el7.x86_64.rpm | 128 kB 00:00 (3/6): boost-regex-1.53.0-27.el7.x86_64.rpm | 300 kB 00:00 (4/6): ksplice-1.0.25-1.el7.x86_64.rpm | 5.0 kB 00:00 (5/6): ksplice-core0-1.0.25-1.el7.x86_64.rpm | 232 kB 00:00 (6/6): ksplice-tools-1.0.25-1.el7.x86_64.rpm | 88 kB 00:00 -------------------------------------------------------------------------------- Total 490 kB/s | 820 kB 00:01 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : boost-python-1.53.0-27.el7.x86_64 1/6 Installing : boost-filesystem-1.53.0-27.el7.x86_64 2/6 Installing : boost-regex-1.53.0-27.el7.x86_64 3/6 Installing : ksplice-core0-1.0.25-1.el7.x86_64 4/6 Installing : ksplice-tools-1.0.25-1.el7.x86_64 5/6 Installing : ksplice-1.0.25-1.el7.x86_64 6/6 Verifying : ksplice-1.0.25-1.el7.x86_64 1/6 Verifying : ksplice-core0-1.0.25-1.el7.x86_64 2/6 Verifying : boost-regex-1.53.0-27.el7.x86_64 3/6 Verifying : ksplice-tools-1.0.25-1.el7.x86_64 4/6 Verifying : boost-filesystem-1.53.0-27.el7.x86_64 5/6 Verifying : boost-python-1.53.0-27.el7.x86_64 6/6 Installed: ksplice.x86_64 0:1.0.25-1.el7 Dependency Installed: boost-filesystem.x86_64 0:1.53.0-27.el7 boost-python.x86_64 0:1.53.0-27.el7 boost-regex.x86_64 0:1.53.0-27.el7 ksplice-core0.x86_64 0:1.0.25-1.el7 ksplice-tools.x86_64 0:1.0.25-1.el7 Complete!
Third, update the system to install the Ksplice-aware versions of the user space libraries:
# yum update glibc* openssl* Loaded plugins: langpacks, rhnplugin, ulninfo This system is receiving updates from ULN. ol7_x86_64_userspace_ksplice | 1.2 kB 00:00:00 ol7_x86_64_userspace_ksplice/updateinfo | 19 kB 00:00:00 ol7_x86_64_userspace_ksplice/primary | 63+ kB 00:00:00 ol7_x86_64_userspace_ksplice 261/261 Resolving Dependencies --> Running transaction check ---> Package glibc.i686 0:2.17-196.el7 will be updated ---> Package glibc.x86_64 0:2.17-196.el7 will be updated ---> Package glibc.i686 2:2.17-196.ksplice1.el7 will be an update --> Processing Dependency: ksplice-helper for package: 2:glibc-2.17-196.ksplice1.el7.i686 ---> Package glibc.x86_64 2:2.17-196.ksplice1.el7 will be an update ---> Package glibc-common.x86_64 0:2.17-196.el7 will be updated ---> Package glibc-common.x86_64 2:2.17-196.ksplice1.el7 will be an update ---> Package glibc-devel.x86_64 0:2.17-196.el7 will be updated ---> Package glibc-devel.x86_64 2:2.17-196.ksplice1.el7 will be an update ---> Package glibc-headers.x86_64 0:2.17-196.el7 will be updated ---> Package glibc-headers.x86_64 2:2.17-196.ksplice1.el7 will be an update ---> Package openssl.x86_64 1:1.0.2k-8.0.1.el7 will be updated ---> Package openssl.x86_64 2:1.0.2k-8.ksplice1.el7 will be an update ---> Package openssl-libs.x86_64 1:1.0.2k-8.0.1.el7 will be updated ---> Package openssl-libs.x86_64 2:1.0.2k-8.ksplice1.el7 will be an update --> Running transaction check ---> Package ksplice-helper.x86_64 0:1.0.25-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ========================================================================================================================== Package Arch Version Repository Size ========================================================================================================================== Updating: glibc i686 2:2.17-196.ksplice1.el7 ol7_x86_64_userspace_ksplice 4.2 M glibc x86_64 2:2.17-196.ksplice1.el7 ol7_x86_64_userspace_ksplice 3.6 M glibc-common x86_64 2:2.17-196.ksplice1.el7 ol7_x86_64_userspace_ksplice 11 M glibc-devel x86_64 2:2.17-196.ksplice1.el7 ol7_x86_64_userspace_ksplice 1.1 M glibc-headers x86_64 2:2.17-196.ksplice1.el7 ol7_x86_64_userspace_ksplice 675 k openssl x86_64 2:1.0.2k-8.ksplice1.el7 ol7_x86_64_userspace_ksplice 491 k openssl-libs x86_64 2:1.0.2k-8.ksplice1.el7 ol7_x86_64_userspace_ksplice 1.2 M Installing for dependencies: ksplice-helper x86_64 1.0.25-1.el7 ol7_x86_64_userspace_ksplice 17 k Transaction Summary ========================================================================================================================== Install ( 1 Dependent package) Upgrade 7 Packages Total download size: 23 M Is this ok [y/d/N]: y Downloading packages: No Presto metadata available for ol7_x86_64_userspace_ksplice (1/8): glibc-2.17-196.ksplice1.el7.i686.rpm | 4.2 MB 00:00:02 (2/8): glibc-2.17-196.ksplice1.el7.x86_64.rpm | 3.6 MB 00:00:02 (3/8): glibc-common-2.17-196.ksplice1.el7.x86_64.rpm | 11 MB 00:00:07 (4/8): glibc-devel-2.17-196.ksplice1.el7.x86_64.rpm | 1.1 MB 00:00:00 (5/8): glibc-headers-2.17-196.ksplice1.el7.x86_64.rpm | 675 kB 00:00:00 (6/8): ksplice-helper-1.0.25-1.el7.x86_64.rpm | 17 kB 00:00:00 (7/8): openssl-1.0.2k-8.ksplice1.el7.x86_64.rpm | 491 kB 00:00:00 (8/8): openssl-libs-1.0.2k-8.ksplice1.el7.x86_64.rpm | 1.2 MB 00:00:00 -------------------------------------------------------------------------------------------------------------------------- Total 1.4 MB/s | 23 MB 00:00:15 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : ksplice-helper-1.0.25-1.el7.x86_64 1/15 Updating : 2:glibc-common-2.17-196.ksplice1.el7.x86_64 2/15 Updating : 2:glibc-2.17-196.ksplice1.el7.x86_64 3/15 Updating : 2:glibc-headers-2.17-196.ksplice1.el7.x86_64 4/15 Updating : 2:openssl-libs-1.0.2k-8.ksplice1.el7.x86_64 5/15 Updating : 2:openssl-1.0.2k-8.ksplice1.el7.x86_64 6/15 Updating : 2:glibc-devel-2.17-196.ksplice1.el7.x86_64 7/15 Updating : 2:glibc-2.17-196.ksplice1.el7.i686 8/15 Cleanup : glibc-devel-2.17-196.el7.x86_64 9/15 Cleanup : 1:openssl-1.0.2k-8.0.1.el7.x86_64 10/15 Cleanup : glibc-2.17-196.el7 11/15 Cleanup : glibc-headers-2.17-196.el7.x86_64 12/15 Cleanup : 1:openssl-libs-1.0.2k-8.0.1.el7.x86_64 13/15 Cleanup : glibc-common-2.17-196.el7.x86_64 14/15 Cleanup : glibc-2.17-196.el7 15/15 Verifying : ksplice-helper-1.0.25-1.el7.x86_64 1/15 Verifying : 2:glibc-headers-2.17-196.ksplice1.el7.x86_64 2/15 Verifying : 2:glibc-2.17-196.ksplice1.el7.x86_64 3/15 Verifying : 2:glibc-common-2.17-196.ksplice1.el7.x86_64 4/15 Verifying : 2:openssl-libs-1.0.2k-8.ksplice1.el7.x86_64 5/15 Verifying : 2:glibc-devel-2.17-196.ksplice1.el7.x86_64 6/15 Verifying : 2:openssl-1.0.2k-8.ksplice1.el7.x86_64 7/15 Verifying : 2:glibc-2.17-196.ksplice1.el7.i686 8/15 Verifying : 1:openssl-libs-1.0.2k-8.0.1.el7.x86_64 9/15 Verifying : glibc-common-2.17-196.el7.x86_64 10/15 Verifying : glibc-2.17-196.el7.i686 11/15 Verifying : glibc-devel-2.17-196.el7.x86_64 12/15 Verifying : glibc-2.17-196.el7.x86_64 13/15 Verifying : 1:openssl-1.0.2k-8.0.1.el7.x86_64 14/15 Verifying : glibc-headers-2.17-196.el7.x86_64 15/15 Dependency Installed: ksplice-helper.x86_64 0:1.0.25-1.el7 Updated: glibc.i686 2:2.17-196.ksplice1.el7 glibc.x86_64 2:2.17-196.ksplice1.el7 glibc-common.x86_64 2:2.17-196.ksplice1.el7 glibc-devel.x86_64 2:2.17-196.ksplice1.el7 glibc-headers.x86_64 2:2.17-196.ksplice1.el7 openssl.x86_64 2:1.0.2k-8.ksplice1.el7 openssl-libs.x86_64 2:1.0.2k-8.ksplice1.el7 Complete!
And finally, reboot the system so that it uses the new ksplice-aware user space libraries glibc and openssl.
Now you use ksplice command to perform user space patching as well as kernel patching.
To learn more how to manage Ksplice enhanced client, how to subscribe to Oracle Linux Unbreakable Linux Network, or how to configure Ksplice offline enhanced client, visit the resources below:
- Working With the Ksplice Enhanced Client
- Oracle Linux Unbreakable Linux Network User's Guide
- Installing and Configuring the Ksplice Offline Enhanced Client
- Webcast replay "Provide zero-downtime for critical applications, including container deployments"
Be the first to comment
Comments ( 0 )