Ksplice Zero-downtime Patching for User Space Packages

Honglin Su
Sr. Director of Product Management

Oracle has provided thousands of Ksplice kernel patches to address Linux kernel security issues. But many vulnerabilities are in user space.

Heartbleed is a good example: a huge vulnerability in openssl, a user space package, that left thousands of servers at risk and cost companies hundreds of millions of dollars. glibc is another essential user space package. With Ksplice for Oracle Linux, you can install bug fixes and protect your system against security vulnerabilities, in user space or in the kernel, without having to restart your running processes, services, or system.

Installing the Ksplice enhanced client for Oracle Linux 7 and Oracle Linux 6 is straightforward. You manage the enhanced client with the ksplice command, which patches in-memory pages of Ksplice-aware shared libraries such as glibc and openssl for user space processes, in addition to applying kernel updates.

First, subscribe to the Ksplice channels on Unbreakable Linux Network (ULN). For Oracle Linux 7, they are:

  • Ksplice for Oracle Linux 7 (x86_64)
  • Ksplice aware userspace packages for Oracle Linux 7 (x86_64)

Second, install the Ksplice enhanced client.

# yum install -y ksplice
Loaded plugins: langpacks, rhnplugin, ulninfo
This system is receiving updates from ULN.
ol7_x86_64_ksplice                                       | 1.2 kB     00:00
ol7_x86_64_ksplice/updateinfo                            | 2.6 kB     00:00
ol7_x86_64_ksplice/primary                               | 397 kB     00:00
ol7_x86_64_ksplice                                                    3739/3739
Resolving Dependencies
--> Running transaction check
---> Package ksplice.x86_64 0:1.0.25-1.el7 will be installed
--> Processing Dependency: ksplice-tools = 1.0.25-1.el7 for package: ksplice-1.0.25-1.el7.x86_64
--> Processing Dependency: ksplice-core0 = 1.0.25-1.el7 for package: ksplice-1.0.25-1.el7.x86_64
--> Running transaction check
---> Package ksplice-core0.x86_64 0:1.0.25-1.el7 will be installed
--> Processing Dependency: libboost_filesystem-mt.so.1.53.0()(64bit) for package: ksplice-core0-1.0.25-1.el7.x86_64
--> Processing Dependency: libboost_regex-mt.so.1.53.0()(64bit) for package: ksplice-core0-1.0.25-1.el7.x86_64
--> Processing Dependency: libboost_python-mt.so.1.53.0()(64bit) for package: ksplice-core0-1.0.25-1.el7.x86_64
---> Package ksplice-tools.x86_64 0:1.0.25-1.el7 will be installed
--> Running transaction check
---> Package boost-filesystem.x86_64 0:1.53.0-27.el7 will be installed
---> Package boost-python.x86_64 0:1.53.0-27.el7 will be installed
---> Package boost-regex.x86_64 0:1.53.0-27.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch       Version           Repository              Size
================================================================================
Installing:
 ksplice              x86_64     1.0.25-1.el7      ol7_x86_64_ksplice     5.0 k
Installing for dependencies:
 boost-filesystem     x86_64     1.53.0-27.el7     ol7_x86_64_latest       67 k
 boost-python         x86_64     1.53.0-27.el7     ol7_x86_64_latest      128 k
 boost-regex          x86_64     1.53.0-27.el7     ol7_x86_64_latest      300 k
 ksplice-core0        x86_64     1.0.25-1.el7      ol7_x86_64_ksplice     232 k
 ksplice-tools        x86_64     1.0.25-1.el7      ol7_x86_64_ksplice      88 k

Transaction Summary
================================================================================
Install  1 Package (+5 Dependent packages)

Total download size: 820 k
Installed size: 3.8 M
Downloading packages:
(1/6): boost-filesystem-1.53.0-27.el7.x86_64.rpm         |  67 kB     00:00
(2/6): boost-python-1.53.0-27.el7.x86_64.rpm             | 128 kB     00:00
(3/6): boost-regex-1.53.0-27.el7.x86_64.rpm              | 300 kB     00:00
(4/6): ksplice-1.0.25-1.el7.x86_64.rpm                   | 5.0 kB     00:00
(5/6): ksplice-core0-1.0.25-1.el7.x86_64.rpm             | 232 kB     00:00
(6/6): ksplice-tools-1.0.25-1.el7.x86_64.rpm             |  88 kB     00:00
--------------------------------------------------------------------------------
Total                                              490 kB/s | 820 kB  00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : boost-python-1.53.0-27.el7.x86_64                            1/6
  Installing : boost-filesystem-1.53.0-27.el7.x86_64                        2/6
  Installing : boost-regex-1.53.0-27.el7.x86_64                             3/6
  Installing : ksplice-core0-1.0.25-1.el7.x86_64                            4/6
  Installing : ksplice-tools-1.0.25-1.el7.x86_64                            5/6
  Installing : ksplice-1.0.25-1.el7.x86_64                                  6/6
  Verifying  : ksplice-1.0.25-1.el7.x86_64                                  1/6
  Verifying  : ksplice-core0-1.0.25-1.el7.x86_64                            2/6
  Verifying  : boost-regex-1.53.0-27.el7.x86_64                             3/6
  Verifying  : ksplice-tools-1.0.25-1.el7.x86_64                            4/6
  Verifying  : boost-filesystem-1.53.0-27.el7.x86_64                        5/6
  Verifying  : boost-python-1.53.0-27.el7.x86_64                            6/6

Installed:
  ksplice.x86_64 0:1.0.25-1.el7

Dependency Installed:
  boost-filesystem.x86_64 0:1.53.0-27.el7  boost-python.x86_64 0:1.53.0-27.el7
  boost-regex.x86_64 0:1.53.0-27.el7       ksplice-core0.x86_64 0:1.0.25-1.el7
  ksplice-tools.x86_64 0:1.0.25-1.el7

Complete!

Third, update the system to install the Ksplice-aware versions of the user space libraries:

# yum update glibc* openssl*
Loaded plugins: langpacks, rhnplugin, ulninfo
This system is receiving updates from ULN.
ol7_x86_64_userspace_ksplice                                                                       | 1.2 kB  00:00:00
ol7_x86_64_userspace_ksplice/updateinfo                                                            |  19 kB  00:00:00
ol7_x86_64_userspace_ksplice/primary                                                               |  63+ kB  00:00:00
ol7_x86_64_userspace_ksplice                                                                                      261/261
Resolving Dependencies
--> Running transaction check
---> Package glibc.i686 0:2.17-196.el7 will be updated
---> Package glibc.x86_64 0:2.17-196.el7 will be updated
---> Package glibc.i686 2:2.17-196.ksplice1.el7 will be an update
--> Processing Dependency: ksplice-helper for package: 2:glibc-2.17-196.ksplice1.el7.i686
---> Package glibc.x86_64 2:2.17-196.ksplice1.el7 will be an update
---> Package glibc-common.x86_64 0:2.17-196.el7 will be updated
---> Package glibc-common.x86_64 2:2.17-196.ksplice1.el7 will be an update
---> Package glibc-devel.x86_64 0:2.17-196.el7 will be updated
---> Package glibc-devel.x86_64 2:2.17-196.ksplice1.el7 will be an update
---> Package glibc-headers.x86_64 0:2.17-196.el7 will be updated
---> Package glibc-headers.x86_64 2:2.17-196.ksplice1.el7 will be an update
---> Package openssl.x86_64 1:1.0.2k-8.0.1.el7 will be updated
---> Package openssl.x86_64 2:1.0.2k-8.ksplice1.el7 will be an update
---> Package openssl-libs.x86_64 1:1.0.2k-8.0.1.el7 will be updated
---> Package openssl-libs.x86_64 2:1.0.2k-8.ksplice1.el7 will be an update
--> Running transaction check
---> Package ksplice-helper.x86_64 0:1.0.25-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================
 Package                  Arch             Version                           Repository                              Size
==========================================================================================================================
Updating:
 glibc                    i686             2:2.17-196.ksplice1.el7           ol7_x86_64_userspace_ksplice           4.2 M
 glibc                    x86_64           2:2.17-196.ksplice1.el7           ol7_x86_64_userspace_ksplice           3.6 M
 glibc-common             x86_64           2:2.17-196.ksplice1.el7           ol7_x86_64_userspace_ksplice            11 M
 glibc-devel              x86_64           2:2.17-196.ksplice1.el7           ol7_x86_64_userspace_ksplice           1.1 M
 glibc-headers            x86_64           2:2.17-196.ksplice1.el7           ol7_x86_64_userspace_ksplice           675 k
 openssl                  x86_64           2:1.0.2k-8.ksplice1.el7           ol7_x86_64_userspace_ksplice           491 k
 openssl-libs             x86_64           2:1.0.2k-8.ksplice1.el7           ol7_x86_64_userspace_ksplice           1.2 M
Installing for dependencies:
 ksplice-helper           x86_64           1.0.25-1.el7                      ol7_x86_64_userspace_ksplice            17 k

Transaction Summary
==========================================================================================================================
Install             ( 1 Dependent package)
Upgrade  7 Packages

Total download size: 23 M
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for ol7_x86_64_userspace_ksplice
(1/8): glibc-2.17-196.ksplice1.el7.i686.rpm                                                        | 4.2 MB  00:00:02
(2/8): glibc-2.17-196.ksplice1.el7.x86_64.rpm                                                      | 3.6 MB  00:00:02
(3/8): glibc-common-2.17-196.ksplice1.el7.x86_64.rpm                                               |  11 MB  00:00:07
(4/8): glibc-devel-2.17-196.ksplice1.el7.x86_64.rpm                                                | 1.1 MB  00:00:00
(5/8): glibc-headers-2.17-196.ksplice1.el7.x86_64.rpm                                              | 675 kB  00:00:00
(6/8): ksplice-helper-1.0.25-1.el7.x86_64.rpm                                                      |  17 kB  00:00:00
(7/8): openssl-1.0.2k-8.ksplice1.el7.x86_64.rpm                                                    | 491 kB  00:00:00
(8/8): openssl-libs-1.0.2k-8.ksplice1.el7.x86_64.rpm                                               | 1.2 MB  00:00:00
--------------------------------------------------------------------------------------------------------------------------
Total                                                                                     1.4 MB/s |  23 MB  00:00:15
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : ksplice-helper-1.0.25-1.el7.x86_64                                                                    1/15
  Updating   : 2:glibc-common-2.17-196.ksplice1.el7.x86_64                                                           2/15
  Updating   : 2:glibc-2.17-196.ksplice1.el7.x86_64                                                                  3/15
  Updating   : 2:glibc-headers-2.17-196.ksplice1.el7.x86_64                                                          4/15
  Updating   : 2:openssl-libs-1.0.2k-8.ksplice1.el7.x86_64                                                           5/15
  Updating   : 2:openssl-1.0.2k-8.ksplice1.el7.x86_64                                                                6/15
  Updating   : 2:glibc-devel-2.17-196.ksplice1.el7.x86_64                                                            7/15
  Updating   : 2:glibc-2.17-196.ksplice1.el7.i686                                                                    8/15
  Cleanup    : glibc-devel-2.17-196.el7.x86_64                                                                       9/15
  Cleanup    : 1:openssl-1.0.2k-8.0.1.el7.x86_64                                                                    10/15
  Cleanup    : glibc-2.17-196.el7                                                                                   11/15
  Cleanup    : glibc-headers-2.17-196.el7.x86_64                                                                    12/15
  Cleanup    : 1:openssl-libs-1.0.2k-8.0.1.el7.x86_64                                                               13/15
  Cleanup    : glibc-common-2.17-196.el7.x86_64                                                                     14/15
  Cleanup    : glibc-2.17-196.el7                                                                                   15/15
  Verifying  : ksplice-helper-1.0.25-1.el7.x86_64                                                                    1/15
  Verifying  : 2:glibc-headers-2.17-196.ksplice1.el7.x86_64                                                          2/15
  Verifying  : 2:glibc-2.17-196.ksplice1.el7.x86_64                                                                  3/15
  Verifying  : 2:glibc-common-2.17-196.ksplice1.el7.x86_64                                                           4/15
  Verifying  : 2:openssl-libs-1.0.2k-8.ksplice1.el7.x86_64                                                           5/15
  Verifying  : 2:glibc-devel-2.17-196.ksplice1.el7.x86_64                                                            6/15
  Verifying  : 2:openssl-1.0.2k-8.ksplice1.el7.x86_64                                                                7/15
  Verifying  : 2:glibc-2.17-196.ksplice1.el7.i686                                                                    8/15
  Verifying  : 1:openssl-libs-1.0.2k-8.0.1.el7.x86_64                                                                9/15
  Verifying  : glibc-common-2.17-196.el7.x86_64                                                                     10/15
  Verifying  : glibc-2.17-196.el7.i686                                                                              11/15
  Verifying  : glibc-devel-2.17-196.el7.x86_64                                                                      12/15
  Verifying  : glibc-2.17-196.el7.x86_64                                                                            13/15
  Verifying  : 1:openssl-1.0.2k-8.0.1.el7.x86_64                                                                    14/15
  Verifying  : glibc-headers-2.17-196.el7.x86_64                                                                    15/15

Dependency Installed:
  ksplice-helper.x86_64 0:1.0.25-1.el7

Updated:
  glibc.i686 2:2.17-196.ksplice1.el7                           glibc.x86_64 2:2.17-196.ksplice1.el7
  glibc-common.x86_64 2:2.17-196.ksplice1.el7                  glibc-devel.x86_64 2:2.17-196.ksplice1.el7
  glibc-headers.x86_64 2:2.17-196.ksplice1.el7                 openssl.x86_64 2:1.0.2k-8.ksplice1.el7
  openssl-libs.x86_64 2:1.0.2k-8.ksplice1.el7

Complete!

Finally, reboot the system so that it uses the new Ksplice-aware user space libraries glibc and openssl.

You can now use the ksplice command to perform user space patching as well as kernel patching.

To learn more about how to manage the Ksplice enhanced client, how to subscribe to Oracle Linux Unbreakable Linux Network, or how to configure the Ksplice offline enhanced client, visit the resources below:
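A post-update check for the steps above, added here as an example and not part of Oracle's post or tooling: it flags packages whose release lacks the "ksplice" marker visible in the yum output, and processes that still map a pre-update copy of glibc or openssl, which is what the reboot clears. The function names are hypothetical, and treating a "(deleted)" entry in /proc/PID/maps as a stale library is an assumption.

```shell
#!/bin/sh
# Added example (not Oracle's tooling). Function names are hypothetical.

# Succeeds when a version-release string carries the "ksplice" marker seen in
# the yum output above, e.g. 2.17-196.ksplice1.el7.
is_ksplice_aware() {
    case "$1" in
        *.ksplice[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "name version-release" lines on stdin and prints the names of
# packages that are not Ksplice-aware builds.
non_ksplice_packages() {
    while read -r name vr; do
        [ -n "$name" ] || continue
        is_ksplice_aware "$vr" || echo "$name"
    done
}

# Prints PIDs under proc root $1 (default /proc) whose memory map still
# references an unlinked copy of libc, libssl or libcrypto. Assumption: a
# "(deleted)" mapping means the process loaded the library before the update.
stale_library_pids() {
    for maps in "${1:-/proc}"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Reading other users' maps needs root; unreadable files are skipped.
        if grep -Eq '/(libc|libssl|libcrypto)[-.][^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Live check of the packages updated in the third step; non-zero on findings.
check_host() {
    bad=$(rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' glibc openssl-libs | non_ksplice_packages)
    stale=$(stale_library_pids /proc)
    [ -z "$bad" ] || echo "not Ksplice-aware:" $bad
    [ -z "$stale" ] || echo "restart needed, old library still mapped by PIDs:" $stale
    [ -z "$bad$stale" ]
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it as root with --check before and after the reboot: PIDs listed before the reboot should be gone afterwards.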
