
Oracle Linux, virtualization, Enterprise and Cloud Management. Cloud technology musings.


Oracle Linux on Arm (aarch64) update

Nothing new to announce, but I wanted to take a few minutes to give a little update on where we are with Oracle Linux for Arm. Just a quick summary:

- We have a full version of Oracle Linux 7 (update 5) for Arm. This is freely downloadable from edelivery. The ISO is a free download, you can freely use it, you can redistribute it. Just like Oracle Linux x86. No authorization codes, no activation keys. Just download, install and use. Of course, this includes all source code.
- OL7 on Arm uses UEKR5 (4.14.x Linux) including DTrace support. (Sometimes I hear people say that UEK is a proprietary kernel. It is not! It is fully open. All the changes are there, so you actually get to see every single commit of every single change we or others made, not a tar file. It's OPEN.)
- There are a ton of packages built for OL/Arm:

    ol7_MySQL80/aarch64                MySQL 8.0 for Oracle Linux 7 (aarch64)         32
    ol7_developer/aarch64              Oracle Linux 7Server Packages for Develo       15
    ol7_developer_EPEL/aarch64         Oracle Linux 7Server EPEL Packages for D   12,410
    ol7_developer_UEKR5/aarch64        Oracle Linux 7Server Unbreakable Enterpr      183
    ol7_latest/aarch64                 Oracle Linux 7Server Latest (aarch64)       8,881
    ol7_optional_latest/aarch64        Oracle Linux 7Server Optional Latest (aa    7,246
    ol7_software_collections/aarch64   Software Collection Library for Oracle L      136
    repolist: 28,903

This includes a ton of EPEL stuff, as you can see above. We have a devtoolset containing gcc 7.3.1, and we have support for other languages: golang 1.10, nodejs, python, php,... docker is there... lots of goodies to have a good, easy, full-fledged development environment.

As a reminder: if you have an Arm box and you want to use docker, we have images on Docker Hub for Arm as well. You can simply do:

    # docker pull oraclelinux:latest

and it pulls in the Arm docker image for Oracle Linux.

    # docker pull oraclelinux:latest
    latest: Pulling from library/oraclelinux
    cd165b3abf95: Download complete
    [6329822.343702] XFS (dm-3): Mounting V4 Filesystem
    cd165b3abf95: Extracting 86.45MB/86.45MB
    cd165b3abf95: Pull complete
    Digest: sha256:d60084c2aea5fa6cb8ed20c04ea5a8cd39c176c82a9015cc59ad6e860855c27f
    Status: Downloaded newer image for oraclelinux:latest


Oracle Ksplice patch for CVE-2018-3620 and CVE-2018-3646 for Oracle Linux UEK r4

There was an Intel disclosure yesterday of a set of vulnerabilities around L1TF. You can read a summary here. We released, as you can see from the blog, a number of kernel updates for Oracle Linux and a Ksplice patch for the same. I wanted to take the opportunity again to show off how awesome Oracle Ksplice is.

The kernel patch we have for L1TF was about 106 different patches together: 54 files changed, 2079 insertions(+), 501 deletions(-). About 1.2Mb binary size of the Ksplice kernel module for this patch. All this went into a single Ksplice patch! Applied in a few microseconds.

On one server I have in Oracle Cloud, I always run # uptrack-upgrade manually; on another server I have autoinstall=yes.

    # uptrack-upgrade
    The following steps will be taken:
    Install [1vao34m9] CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.
    Go ahead [y/N]? y
    Installing [1vao34m9] CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.
    Your kernel is fully up to date.
    Effective kernel version is 4.1.12-124.18.1.el7uek

My other machine was up to date automatically and I didn't even know it. I had to run # uptrack-show and it already had it applied. No reboot, no impact on my stuff I run here. Just autonomously done. Patched. Current.

Folks sometimes ask me about other live patch abilities from some other vendors. Well, we have the above for every errata kernel released since the Spectre/Meltdown CVEs (as this is a layer on top of that code), at the same time as the kernel RPMs were released, as an integrated service. 'nuf said.

Oh, and everyone in Oracle Cloud, remember: the Oracle Ksplice tools (uptrack) are installed in every OL image by default and you can run this without any additional configuration (or additional charges).


Oracle Ksplice for Oracle Linux in Oracle Cloud

My favorite topic.. Ksplice! Just a friendly reminder that every Oracle Linux instance in Oracle Cloud comes with Oracle Ksplice installed/enabled by default at no additional cost beyond basic compute. When you run an OL instance, the uptrack tools are on the base image (uptrack-upgrade, uptrack-uname, etc..). The config file (/etc/uptrack/uptrack.conf) contains an access key that enables any cloud instance to talk to our Ksplice service without registration. So as soon as you log into your system you can run # uptrack-upgrade or # uptrack-show.

uptrack doesn't run automatically by default. You are expected to manually type # uptrack-upgrade. What this does is the following: it goes to our service, looks at which Ksplice patches are available for your running kernel and asks if you want to install them. If you add -y then it will just go ahead and install whatever is available without prompting you. uptrack-show lists the patches that are already applied on your running kernel/system. uptrack-uname shows the 'effective' kernel version. What this means is which kernel version you are effectively updated to with relevant CVEs and critical issues.

Here's a concrete example of my OCI instance:

    # uname -a
    Linux devel 4.1.12-124.14.5.el7uek.x86_64 #2 SMP Fri May 4 15:26:53 PDT 2018 x86_64 x86_64 x86_64 GNU/Linux

My instance runs UEK R4 (4.1.12-124.14.5). That's the actual RPM that's installed and the actual kernel that I booted the instance with.

    # uptrack-uname -a
    Linux devel 4.1.12-124.15.1.el7uek.x86_64 #2 SMP Tue May 8 16:27:00 PDT 2018 x86_64 x86_64 x86_64 GNU/Linux

I already ran uptrack-upgrade before, so a number of patches are already applied and installed up to the same level as 4.1.12-124.15.1. So instead of installing the 4.1.12-124.15.1 kernel-uek RPM and rebooting, when I ran uptrack-upgrade a while back, it got me right to that level without affecting my availability one bit.

I did not enable auto-install, so since I ran that command a while back I have not done it again. A good number of (some serious) CVEs have been fixed and released since, so it's time to update... but I so hate reboots! Luckily.. no need. What's already installed? Let's see...

    # uptrack-show
    Installed updates:
    [1zkgpvff] KAISER/KPTI enablement for Ksplice.
    [1ozdguag] Improve the interface to freeze tasks.
    [nw9iml90] CVE-2017-15129: Use-after-free in network namespace when getting namespace ids.
    [i9x5u5uf] CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets.
    [dwwke2ym] CVE-2017-7294: Denial-of-service when creating surface using DRM driver for VMware Virtual GPU.
    [cxke2gao] CVE-2017-15299: Denial-of-service in uninstantiated key configuration.
    [nwtwa8b3] CVE-2017-16994: Information leak when using mincore system call.
    [hfehp9m0] CVE-2017-17449: Missing permission check in netlink monitoring.
    [7x9spq2j] CVE-2017-17448: Unprivileged access to netlink namespace creation.
    [lvyij5z2] NULL pointer dereference when rebuilding caches in Reliable Datagram Sockets protocol.
    [s31vmh6q] CVE-2017-17741: Denial-of-service in kvm_mmio tracepoint.
    [3x6jix1s] Denial-of-service of KVM L1 nested hypervisor when exiting L2 guest.
    [d22dawa6] Improved CPU feature detection on microcode updates.
    [fszq2l5k] CVE-2018-3639: Speculative Store Bypass information leak.
    [58rtgwo2] Device Mapper encrypted target Support big-endian plain64 IV.
    [oita8o1p] CVE-2017-16939: Denial-of-service in IPSEC transform policy netlink dump.
    [qenhqrfo] CVE-2017-1000410: Information leak in Bluetooth L2CAP messages.
    [965vypan] CVE-2018-10323: NULL pointer dereference when converting extents-format to B+tree in XFS filesystem.
    [drgt70ax] CVE-2018-8781: Integer overflow when mapping memory in USB Display Link video driver.
    [fa0wqzlw] CVE-2018-10675: Use-after-free in get_mempolicy due to incorrect reference counting.
    [bghp5z31] Denial-of-service in NFS dentry invalidation.
    [7n6p7i4h] CVE-2017-18203: Denial-of-service during device mapper destruction.
    [okbvjnaf] CVE-2018-6927: Integer overflow when re queuing a futex.
    [pzuay984] CVE-2018-5750: Information leak when registering ACPI Smart Battery System driver.
    [j5pxwei9] CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable Datagram Sockets driver.
    Effective kernel version is 4.1.12-124.15.1.el7uek

So the above patches were installed last time. Quite a few! All applied, without affecting availability. Ok, what else is available... a whole bunch, best apply them!

    # uptrack-upgrade
    The following steps will be taken:
    Install [f9c8g2hm] CVE-2018-3665: Information leak in floating point registers.
    Install [eeqhvdh8] Repeated IBRS/IBPB noise in kernel log on Xen Dom0 or old microcode.
    Install [s3g55ums] DMA memory exhaustion in Xen software IO TLB.
    Install [nne9ju4x] CVE-2018-10087: Denial-of-service when using wait() syscall with a too big pid.
    Install [3xsxgabo] CVE-2017-18017: Use-after-free when processing TCP packets in netfliter TCPMSS target.
    Install [rt4hra3j] CVE-2018-5803: Denial-of-service when receiving forged packet over SCTP socket.
    Install [2ycvrhs6] Improved fix to CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.
    Install [rjklau8v] Incorrect sequence numbers in RDS/TCP.
    Install [qc163oh5] CVE-2018-10124: Denial-of-service when using kill() syscall with a too big pid.
    Install [5g4kpl3f] Denial-of-service when removing USB3 device.
    Install [lhr4t7eg] CVE-2017-7616: Information leak when setting memory policy.
    Install [mpc40pom] CVE-2017-11600: Denial-of-service in IP transformation configuration.
    Install [s77tq4wi] CVE-2018-1130: Denial-of-service in DCCP message send.
    Install [fli7048b] Incorrect failover group parsing in RDS/IP.
    Install [lu9ofhmo] Kernel crash in OCFS2 Distributed Lock Manager lock resource initialization.
    Install [dbhfmo13] Fail-over delay in Reliable Datagram Sockets.
    Install [7ag5j1qq] Device mapper path setup failure on queue limit change.
    Install [8l28npgh] Performance loss with incorrect IBRS usage when retpoline enabled.
    Install [sbq777bi] Improved fix to Performance loss with incorrect IBRS usage when retpoline enabled.
    Install [ls429any] Denial-of-service in RDS user copying error.
    Install [u79kngd9] Denial of service in RDS TCP socket shutdown.
    Go ahead [y/N]? y
    Installing [f9c8g2hm] CVE-2018-3665: Information leak in floating point registers.
    Installing [eeqhvdh8] Repeated IBRS/IBPB noise in kernel log on Xen Dom0 or old microcode.
    Installing [s3g55ums] DMA memory exhaustion in Xen software IO TLB.
    Installing [nne9ju4x] CVE-2018-10087: Denial-of-service when using wait() syscall with a too big pid.
    Installing [3xsxgabo] CVE-2017-18017: Use-after-free when processing TCP packets in netfliter TCPMSS target.
    Installing [rt4hra3j] CVE-2018-5803: Denial-of-service when receiving forged packet over SCTP socket.
    Installing [2ycvrhs6] Improved fix to CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.
    Installing [rjklau8v] Incorrect sequence numbers in RDS/TCP.
    Installing [qc163oh5] CVE-2018-10124: Denial-of-service when using kill() syscall with a too big pid.
    Installing [5g4kpl3f] Denial-of-service when removing USB3 device.
    Installing [lhr4t7eg] CVE-2017-7616: Information leak when setting memory policy.
    Installing [mpc40pom] CVE-2017-11600: Denial-of-service in IP transformation configuration.
    Installing [s77tq4wi] CVE-2018-1130: Denial-of-service in DCCP message send.
    Installing [fli7048b] Incorrect failover group parsing in RDS/IP.
    Installing [lu9ofhmo] Kernel crash in OCFS2 Distributed Lock Manager lock resource initialization.
    Installing [dbhfmo13] Fail-over delay in Reliable Datagram Sockets.
    Installing [7ag5j1qq] Device mapper path setup failure on queue limit change.
    Installing [8l28npgh] Performance loss with incorrect IBRS usage when retpoline enabled.
    Installing [sbq777bi] Improved fix to Performance loss with incorrect IBRS usage when retpoline enabled.
    Installing [ls429any] Denial-of-service in RDS user copying error.
    Installing [u79kngd9] Denial of service in RDS TCP socket shutdown.
    Your kernel is fully up to date.
    Effective kernel version is 4.1.12-124.17.2.el7uek

Done! I now have a total of 46 Ksplice updates applied on this running kernel.

    # uptrack-uname -a
    Linux devel 4.1.12-124.17.2.el7uek.x86_64 #2 SMP Tue Jul 17 20:28:07 PDT 2018 x86_64 x86_64 x86_64 GNU/Linux

Current to the 'latest' UEKR4 version in terms of CVEs. Now, we don't provide driver 'updates' or so in these patches, only critical fixes and security fixes. So the kernel is not -identical- to the 4.1.12-17.2 in every sense. But it certainly is on your current system as far as bad things that could happen are concerned!

Since I don't want to forget running the update, I am going to just enable Ksplice to run through a cron job. Just edit /etc/uptrack/uptrack.conf and change autoinstall = no to autoinstall = yes.

A few other things: when Ksplice patches are installed and you do end up doing a reboot, the installed patches will be automatically applied again right at boot time if you reboot into the same original kernel. Note: it will not automatically go look for new patches. If you want it to also check for new updates, uncomment the #upgrade_on_reboot = yes line; this will make that happen.

I removed all installed Ksplice updates (online, using # uptrack-remove --all) and now will time reapplying all 46:

    # time uptrack-upgrade -y
    ...
    real 0m11.705s
    user 0m4.273s
    sys 0m4.807s

So 11.7 seconds to apply all 46. Each patch gets applied one after the other; there is no system halt for that long at all. For each individual patch it just halts for a few us (not noticeable) and then has a short pause before continuing to the next, but this pause is just the uptrack tool, not your server instance.

So enable autoinstall, enable upgrade_on_reboot = yes, and you have an Oracle Linux system that you can just leave running, and you automatically are current with CVEs/critical fixes without having to worry... Autonomous Oracle Linux patching. Pretty cool! Some vendors are trying to offer 'live patching' but those things don't come even close. It validates the importance of this technology and feature set, but it's not anywhere near a viable alternative. Have fun!
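A small check script for the uptrack workflow shown in this post and in the L1TF post above, added here as an example (it is not Oracle's tooling): it compares the booted kernel release with the Ksplice effective release, and reads autoinstall and upgrade_on_reboot from an uptrack.conf-style file so you can see at a glance whether an instance still needs a manual # uptrack-upgrade. The live wrapper assumes uptrack-uname accepts uname's -r flag; everything else runs offline on constructed strings and a constructed config.

```shell
#!/bin/sh
# Added example, not Oracle's tooling: report the gap between the booted
# kernel and the Ksplice "effective" kernel, and whether uptrack.conf has
# the two settings discussed in the post (autoinstall, upgrade_on_reboot)
# enabled. Parsers take their input as arguments so they run offline.

# conf_value FILE KEY: print the value of "KEY = value" in an uptrack.conf
# style file, or "unset" when the key is missing or commented out with '#'.
conf_value() {
    _key=$2
    _val=$(sed -n "s/^[[:space:]]*${_key}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${_val:-unset}"
}

# ksplice_state BOOTED EFFECTIVE: classify the two release strings.
#   current  - effective version equals the booted RPM version
#   patched  - same base kernel, Ksplice has moved the errata level ahead
#   mismatch - different base kernel or distro suffix; something other than
#              Ksplice is going on (wrong host, stale tooling), worth a look
ksplice_state() {
    _booted=$1; _effective=$2
    if [ "$_booted" = "$_effective" ]; then
        echo current; return 0
    fi
    # 4.1.12-124.14.5.el7uek.x86_64 -> base "4.1.12", suffix "7uek.x86_64"
    _bbase=${_booted%%-*};  _ebase=${_effective%%-*}
    _bsuf=${_booted##*.el}; _esuf=${_effective##*.el}
    if [ "$_bbase" = "$_ebase" ] && [ "$_bsuf" = "$_esuf" ]; then
        echo patched; return 0
    fi
    echo mismatch; return 1
}

# ksplice_report BOOTED EFFECTIVE CONF: print one line per finding.
# Returns 0 when the instance keeps itself current without operator action
# (autoinstall = yes), 1 when someone still has to run uptrack-upgrade.
ksplice_report() {
    _state=$(ksplice_state "$1" "$2") || true
    _auto=$(conf_value "$3" autoinstall)
    _onboot=$(conf_value "$3" upgrade_on_reboot)
    echo "booted kernel:     $1"
    echo "effective kernel:  $2 ($_state)"
    echo "autoinstall:       $_auto"
    echo "upgrade_on_reboot: $_onboot"
    [ "$_auto" = yes ]
}

# Constructed sample config mirroring the defaults described in the post:
# autoinstall off, upgrade_on_reboot present but commented out.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Settings]
autoinstall = no
#upgrade_on_reboot = yes
EOF
}

# Live use on an Oracle Linux host (assumption: uptrack-uname supports -r
# the way uname does).
ksplice_report_live() {
    ksplice_report "$(uname -r)" "$(uptrack-uname -r)" /etc/uptrack/uptrack.conf
}
```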


Oracle Linux containers security

I recently did a short webcast that talked about Oracle Linux & Containers and some suggestions around best practices and some security considerations. The webcast had just a few slides, and some of the feedback I received was that there could have been more textual assist to the talking, so I promised I would write up a few things that came up during the webcast. Here it is:

We have been providing Oracle Linux along with great support for nearly 12 years. During those years, we have added many features and enhancements. Through upstream contributions, picked up by the various open source projects that are distributed as part of Oracle Linux (in particular UEK), or additional features/services such as Oracle Ksplice or DTrace (released under GPL), etc... we have been helping make Linux better.

In terms of virtualization, we've been contributing to Xen since 2005+. Xen is the hypervisor used in Oracle VM. A bit more recently, we are also heavily focused on kvm and qemu in Linux. Of course, we have Oracle VM VirtualBox. So a lot of virtualization work has been going on for a very long time and will continue to be the case for a very long time. We have many developers working on this full time (and upstream).

Container work: We were early adopters of lxc and were one of the first, if not the first, to certify lxc with enterprise applications such as our database or applications. This was before Docker existed. Lxc was the initial push to mainstream container support in Linux. It helped push a lot of projects in the Linux kernel around resource management, namespace support, all the cgroups work,... lots of isolation support really got a big start around this time. Many developers contributed to it, and certainly a bunch of openvz concepts got proposed to get merged into the mainline kernel.

A few years after lxc, Docker came to the forefront and really made containers popular (talk about mainstream...), and again we ended up providing Docker from the very beginning and saw a lot of potential in the concept of lightweight small images on Linux for our product set. Today everyone talks about Kubernetes, Docker or Docker alternatives such as Rkt, and microservices. We provide Oracle Container Services for use with Kubernetes and Oracle Container Runtime for Docker support to our customers as part of Oracle Linux subscriptions. Oracle also has various Oracle Cloud services that provide Kubernetes and Docker orchestration and automation. And, of course, we do a lot of testing and support many Oracle products running in these isolation environments.

The word isolation is very important. For many years I have been using the word isolation when it comes to containers, not virtualization. There is a big distinction. Running containers in a Linux environment is very different from running Solaris Zones, or running VMs with kvm or Xen. Kvm or Xen, that's "real" virtualization. You create a virtual compute environment and boot an entire operating system inside (it has a virtual BIOS, boots a kernel from a virtual disk, etc). Sure, there are some optimizations and tricks around paravirtualization, but for the most part it's a Virtual Machine on a real machine.

The way Solaris Zones is implemented is also not virtualization, since you share the same host kernel amongst all zones etc. But the Solaris Zones implementation is done as a full-fledged feature. It's a full-on isolation layer inside Oracle Solaris, top to bottom. You create a zone and the kernel does it all for you right then and there: it creates a completely separate OS container for you, with all the isolation provided across the board. It's great. It has been around for a very long time, is used widely by almost every Oracle Solaris user and it works great. It provides a very good level of isolation for a complete operating system environment. Just like a VM provides a full virtual hardware platform for a complete operating system environment.

Linux containers, on the other hand, are implemented very differently. A container is created by using a number of different Linux kernel features, and you can provide isolation at different layers. So you can create a Linux container that acts very, very similar to a Solaris zone, but you can also create a Linux container that has a tremendous amount of sharing amongst other containers or just other processes. The Linux resource manager and various namespace implementations let you pick and choose. You can share what you want, and you can isolate what you want. You have a PID namespace, IPC namespace, User namespace, Net namespace,... each of these can be used in different ways or combined in different ways. So there's no CONTAINER config option in Linux, no container feature, but there are tools, libraries, programs that use these namespaces and cgroups to create something that looks like a complete isolated environment akin to zones. Tools like Docker and lxc do all the "dirty work" for you, so to speak. They also provide you with options to change that isolation level up and down. Heck, you can create a container environment using bash! Just echo some values to a bunch of cgroups files and off you go. It's incredibly flexible.

Having this flexibility is great as it allows for things like Docker (just isolate a process, not a whole operating environment). You don't have to start with /bin/init or /bin/systemd and bring up all the services. You can literally just start httpd and it sees nothing but itself in its process namespace. Or... sure... you can start /bin/init and you get a whole environment, like what you get by default with lxc. I think Docker (and things like Docker: Rkt,..) is the best user of all these namespace enhancements in the Linux kernel.

I also think that, because the Linux kernel developers implemented resource and namespace management the way they did, it allowed for a project like Docker to take shape. Otherwise, this would have been very difficult to conceive. It allowed us to really enter a new world of... just start an app, just distribute the app with the libraries it needs, isolate an app from everything else, package things as small as possible as a complete standalone unit... This, in turn, really helped the microservices concept because it makes micro really... micro... Docker-like images give a lot more flexibility to application developers because now you can have different applications running on the same host that have different library needs, or different versions of the same application, without having to mess with PATH settings and carving out directories and seeing one big mess of things... Sure, you can do that with VMs... but the drawback of a VM is (typically) that you bring in an entire OS (kernel, operating environment) to then start an app. This can cause a lot of overhead. Process isolation along with small portable images gives you an incredible amount of flexibility and... sharing...

With that flexibility also comes responsibility. Whereas one would have in the order of 10-20 VMs on a given server, you can run maybe 30-40-50 containerized OS environments (using lxc), but you could run literally 1000s of application containers using Docker. They are, after all, just a bunch of OS processes with some namespaces and isolation. And if all they run is the application itself, without the surrounding OS supported services, you have much less overhead per app than traditional containers.

If you run very big applications that need 100% performance and power and the best 'isolation'... you run a single app on a single physical server. If you have a lot of smaller apps, and you're not worried about isolation, you can just run those apps on a single physical server. Best performance, harder to manage. If you have a lot of smaller environments that you need to host with different OSs or different OS levels,.. you typically just run tons of VMs on a physical server. Each VM boots its own kernel, has its own virtual disk, memory etc. and you can scale.. 4-16 typical. If you want to have the best performance where you don't need that high isolation of separate kernels and independent OS releases down to the kernel version (or even something like Windows and Linux, or Oracle Linux and Ubuntu etc)... then you can consider containers. Super lightweight, super scalable and portable. The image can range from an OS image (all binaries installed, all libraries, like a VM or physical OS install) or... just an app binary, or an app binary + the libraries it needs. If you create a binary that is statically linked, you can have a container that's exactly 1 file. Isn't that awesome?

Working on Operating Systems at a company that is also a major cloud provider is really great. It gives us direct access to scale. Very, very large scale... and also a direct requirement around security. As a cloud provider we have to work very, very hard towards ensuring security in a multi-tenant environment. Protect customers' data from one another. Deploying systems in isolation in an enterprise can be at a reasonable scale, and of course security is very important, or should be, but the single tenancy aspect reduces the complexity to a certain extent. Oracle Linux is used throughout Oracle Cloud as the host for running VMs, as the host for running container services or other services, in our PaaS, SaaS stacks, etc. We work very closely with the cloud development teams to provide the fastest, most scalable solutions without compromising security. We want VMs to run as fast as possible, we want to provide container services, but we also make sure that a container running for tenant A doesn't, in any way, expose any data to a container running for tenant B.
So let's talk a little bit about security around all this. Security breaches are up. A significant increase of data breaches every month, hacking attempts... just start a server or a VM with a public IP on the internet and watch your log files: within a few minutes you see login attempts and probes. It's really frightening. Enterprises used to have 100s, maybe 1000s of servers; you have to keep the OS and applications current with security fixes. While reasonably large, still manageable... then add in virtualization and you increase by a factor the number of instances (10000+)... so you drastically increase your exposure... and then you go another factor or couple of factors up to microservices and containers, deployed across huge numbers of servers... security becomes increasingly more important and more difficult. 100000+... Do you even know where they run, what they run, who owns them?

On top of all that, in the last 8 or so months: Spectre and Meltdown. Removing years of assumptions and optimizations everyone has relied upon. We suddenly couldn't trust VMs on the same host being isolated well enough, or processes not snooping on other processes, without applying code changes on the OS side or even in some cases in the applications to prevent exposure. Patches get introduced. Performance drops.. And it's not always clear to everyone what the potential exposure is and where you have to really worry and where you might not have to worry too much.

When it comes to container security, there are different layers:

Getting images / content from external (or even internal) sites

There are various places where developers can download 3rd party container images. Whereas in the past one would download source code for some project or download a specific application... these container images (let's call them docker images) are now somewhat magical black boxes: you download a filesystem layer, or a set of layers. There are tons of files inside, but you don't typically look around; you pull an image and start it... not quite knowing what's inside... these things get downloaded onto a laptop.. executed... and... do you know what's inside? Do you know what it's doing? Have these been validated? Scanned? Never trust what you just download from random sites. Make sure you download things that are signed, or have been checksummed, and come from reputable places. Good companies will run vulnerability scanners such as Clair or Qualys as part of the process, and make sure developers have good security coding practices in place. When you download an image published on Oracle Container Registry, it contains code that we built, compiled, tested, scanned, put together. When you download something from a random site, that might not be the case.

One problem: it is very easy to get things from the outside world.. # docker pull, by default, goes to Docker Hub.. Companies can't easily put development environments in place that prevent you from doing that. One thing we are working on with Oracle Container Runtime for Docker is adding support for access control to Docker image repos. You can lock down which repos are accessible and which aren't. For instance: your Docker repo list can be an internal site only, not Docker Hub. When building container images you should always run some form of image scanner. We are experimenting with Notary: use Notary to digitally sign content so that you can verify images that are pulled down. We are looking at providing a Notary service and the tools for you to build your own.

Building images

Aside from using Clair or Qualys in your own CI/CD environment, you also have to make sure that you update the various layers (OS, library layer, application layer(s)) with the latest patches. Security errata are released on a regular basis.
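A pull-side gate in the spirit of the "lock down which repos are accessible" point above, added here as an example (it is not from the original post and not part of Oracle Container Runtime for Docker). A reference is accepted only when its registry is on a constructed allow list (registry.example.internal is made up) and it is pinned to a sha256 digest, so the image you start is the one that was scanned and not whatever :latest resolves to today; registry and digest parsing follow Docker's reference grammar.

```shell
#!/bin/sh
# Added example, not the post's or Oracle's code: refuse docker pulls that
# do not come from an allowed registry or are not pinned to a digest.

# Constructed policy: only the internal mirror may be pulled from.
ALLOWED_REGISTRIES="registry.example.internal"

# image_registry REF: print the registry host Docker would contact.
# Docker treats the first path component as a registry only if it contains
# a '.' or ':' or is exactly "localhost"; everything else means docker.io.
image_registry() {
    case "$1" in
        */*)
            _first=${1%%/*}
            case "$_first" in
                *.*|*:*|localhost) printf '%s\n' "$_first"; return 0 ;;
            esac
            ;;
    esac
    echo docker.io
}

# image_digest REF: print the sha256 hex digest the reference is pinned to,
# or return 1 when the reference floats on a tag (or the digest is malformed).
image_digest() {
    case "$1" in
        *@sha256:*) _d=${1##*@sha256:} ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$_d" | grep -Eq '^[0-9a-f]{64}$' || return 1
    printf '%s\n' "$_d"
}

# image_allowed REF: 0 when REF satisfies the policy, 1 (with the reason on
# stderr) otherwise.
image_allowed() {
    _reg=$(image_registry "$1")
    _ok=1
    for _a in $ALLOWED_REGISTRIES; do
        [ "$_a" = "$_reg" ] && _ok=0
    done
    if [ "$_ok" -ne 0 ]; then
        echo "denied: $1 comes from $_reg, not an allowed registry" >&2
        return 1
    fi
    if ! image_digest "$1" >/dev/null; then
        echo "denied: $1 is not pinned to a sha256 digest" >&2
        return 1
    fi
    return 0
}

# pull_checked REF: the gate in front of docker pull. Pulling by digest makes
# the daemon verify the manifest against that digest, so a replaced layer
# set is refused at pull time rather than discovered later.
pull_checked() {
    image_allowed "$1" || return 1
    docker pull "$1"
}
```

The digest used in the checks is the one from the docker pull output in the Arm post above; in practice the allow list and the pinned digests come from your own build pipeline.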
With normal OSs, whether bare metal or VMs, sysadmins run management software that easily updates packages on a regular basis and keeps things up to date. It's relatively easy to do so and it is easy to see what is installed on a given server. There might be an availability impact when it comes to kernel updates, but for the most part it is a known problem... Updating containers, while technically, you can argue, it's easy... just rebuild your images... does mean that you have to go to all servers running these containers and bring them down and back up. You can't just update a running image. The ability to do anything at runtime is much more limited than when you run an OS instance with an application. From a security point of view, you have to consider that. Before you start deploying containers at scale, you have to decide on your patch strategy. How often do you update your images, how do you distribute these images, how do you know all the containers that are running and which versions they run, which layers are they running, etc.. Sorting this out after a critical vulnerability hits will introduce delays and have a negative impact and potentially create large exposure. So have a strategy in place to update your OS and application layers with security fixes, and have a strategy in place on how to distribute these new image updates and refresh your container farm.

Lock down

If you are a sophisticated user/developer, you have the ability to really add very fine-grained controls. With Docker you have options like privileged containers: giving extra access to devices and resources. Always verify that anything that is started privileged has been reviewed by a few people. Docker also provides Linux capabilities control such as mknod or setgid or chroot or nice etc.. Look at the default capabilities that are defined and, where possible, remove any and all that are not absolutely needed. Look into the use of SELinux policies. While SELinux operates at the host level only, it provides you with an additional security blanket. Create policies to restrict access to files or operations. There is no SELinux namespace support yet. This is an important project to work on; we started investigating this, so that you can use SELinux within a container in its own namespace, with its own local container policies.

Something we use a lot as well inside Oracle: seccomp. Seccomp lets you filter syscalls (white list). Now, when you really lock down your syscalls and have a large list, there can be a bit of a performance penalty... We're doing development work to help improve seccomp's filter handling in the kernel. This will show up in future versions of upstream Linux and also in our UEK kernel. What's nice with seccomp is that if you have an app and you know exactly which few syscalls are required, you can enforce that it will only ever be allowed to access / execute those system calls, and nothing else will get through in case a rogue library would magically get loaded and try to do something.

So if you are really in need of the highest level of lockdown, a combination of these 3 is ideal. Use seccomp to restrict the system calls exposed to your container, use SELinux policies to control access to processes that are running and what they can do with labels, and use capabilities alongside / on top of seccomp to prevent privileged commands from running, and run everything non-privileged.

The third major part is the host OS. You can lock down your container images and such, but remember that these instances all run (typically) on a Linux server. This server runs an OS kernel, OS libraries (glibc)... and security vulnerability fixes need to be applied.
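Before moving on to the host, here is the container-side "combination of these 3" from the Lock down section above as working shell, added as an example (not code from the original post): a generator for a Docker seccomp allow-list profile, an audit that rejects profiles which do not deny by default or which allow syscalls a review policy flags, and the docker run flags that pair the profile with dropped capabilities and no-new-privileges. The syscall lists are constructed for illustration; a real profile has to come from what the application actually calls.

```shell
#!/bin/sh
# Added example, not from the original post: seccomp allow-list profile,
# profile audit, and hardened docker run arguments.

# write_seccomp_profile PATH SYSCALL...: emit a Docker-format seccomp profile
# (the JSON shape docker run --security-opt seccomp=FILE consumes). Every
# syscall not listed fails with EPERM instead of running.
write_seccomp_profile() {
    _path=$1; shift
    _names=""
    for _s in "$@"; do
        _names="${_names}${_names:+, }\"$_s\""
    done
    cat > "$_path" <<EOF
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    { "names": [$_names], "action": "SCMP_ACT_ALLOW" }
  ]
}
EOF
}

# Syscalls this example's review policy never wants on an unprivileged
# container's allow list (constructed list; the point is the check).
REVIEW_SYSCALLS="mount umount2 ptrace reboot init_module finit_module kexec_load"

# audit_seccomp_profile PATH: 0 when the profile denies by default and allows
# none of REVIEW_SYSCALLS; 1 otherwise, with each finding printed.
audit_seccomp_profile() {
    _rc=0
    if ! grep -q '"defaultAction": *"SCMP_ACT_ERRNO"' "$1" \
       && ! grep -q '"defaultAction": *"SCMP_ACT_KILL' "$1"; then
        echo "finding: default action is not deny"; _rc=1
    fi
    for _s in $REVIEW_SYSCALLS; do
        if grep -q "\"$_s\"" "$1"; then
            echo "finding: $_s is allowed"; _rc=1
        fi
    done
    return $_rc
}

# hardened_run_args PROFILE IMAGE [CAP...]: docker run flags that pair the
# profile with the other controls from the post: drop every capability and
# re-add only those passed in, forbid privilege gains through setuid
# binaries, keep the root filesystem read-only, cap the process count.
hardened_run_args() {
    _profile=$1; _image=$2; shift 2
    _args="--cap-drop=ALL"
    for _c in "$@"; do
        _args="$_args --cap-add=$_c"
    done
    printf '%s --security-opt no-new-privileges --security-opt seccomp=%s --read-only --pids-limit 256 %s\n' \
        "$_args" "$_profile" "$_image"
}

# run_hardened PROFILE IMAGE [CAP...]: audit first, then start the container.
# The argument string is split by the shell on purpose; none of the pieces
# contain whitespace.
run_hardened() {
    audit_seccomp_profile "$1" || return 1
    # shellcheck disable=SC2046
    docker run --rm -d $(hardened_run_args "$@")
}
```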
Always ensure that you apply errata on the host OS. I would always recommend customers use Oracle Ksplice with Oracle Linux. Oracle Ksplice is a service that lets users apply critical fixes (whether bugs or vulnerabilities) while the system is up and running, with no impact to the applications (or containers). While not every update can be provided as an online patch, we've had a very, very high success rate; even very complex code changes have been handled with Ksplice. We address two areas: the kernel, which is the original functionality, since 2009, and for a number of years now a handful of userspace libraries, in particular those in the critical path: glibc being the most obvious one, along with openssl.

Some aspects of security are the ability to lock down systems and reduce the attack surface, implement best practices, protect the source of truth, prevent unauthorized access as much as possible, and so on. But if applying security fixes is difficult and has a high impact on availability, most companies/admins will take their time to apply them, potentially waiting weeks or months or even longer to schedule downtime. Keep in mind that with Ksplice the host OS (whether running kvm or just containers) can be patched while all your VMs and/or containers continue to run, without any impact. That is a unique ability to significantly reduce the service impact of staying current with security fixes.

Some people will be quick to say that live migration can help with upgrading VM hosts: migrate the guests off to another server and reboot the host that was freed up. While that is definitely a possibility, it is not always possible to offer live migration at scale, and it is certainly difficult in a huge cloud infrastructure.

In the world of containers, where we are talking about 10 to 100 times (or more) the number of instances running per server, this is even more critical. Also, there is no live migration yet for containers; there is some experimental work, but nothing of production quality to migrate a container/Docker instance/Kubernetes pod from one server to another.

As we look further into the future with Ksplice, we are looking at more userspace library patching and at how to make that scale at the container level: the ability to apply, for instance, glibc fixes within container instances directly, without downtime. This is a very difficult problem to solve because there can be hundreds of different versions of glibc running, and we also have to ensure images are updated on the fly so that a new instance is 'patched' at startup. It is a very dynamic environment.

This brings me to a final project we are working on in the container world. Kata Containers (Project Kata) is a hybrid model of deploying applications with the flexibility and ease of use (small, low overhead) of containers and the isolation level of VMs. The scalability of Kata containers is somewhere in between VMs and native containers: on the order of the low thousands, not the high thousands, per host. Startup time is very fast: starting a VM typically takes 20-30 seconds and starting a Docker instance takes on the order of a few milliseconds; starting a Kata container takes between half a second and 3 seconds depending on the task you run. A Kata container effectively creates a hardware virtualization context (like kvm uses) and boots a very, very optimized Linux kernel that starts in a fraction of a second, with a tiny ramdisk image that can execute the binaries in your container image. It provides enough sharing on the host to scale, but it also provides a clean virtualization boundary that strengthens isolation between processes. Most, if not all, cloud vendors run container services inside VMs for a given tenant.

So the containers are isolated from other tenants through a VM context, but that adds a bit more overhead than is ideal. We would like to provide containers that run as native and low-overhead as possible. We are looking into providing a preview for developers and users to play with this on Oracle Linux with UEKR5. We have a Kata container kernel built that boots in a fraction of a second, and we created a tiny package that executes a Docker instance on an Oracle Linux host. It is experimental; we are evaluating the advantages and disadvantages (how secure is the kernel memory sharing, how good is performance at scale, how transparent is it to run normal Docker images in these Kata containers, are they fully compatible, and so on). Lots of exciting technology work happening.

I recently did a short webcast that talked about Oracle Linux & Containers and some suggestions around best practices and some security considerations. The webcast had just a few slides and some of the...

bbcp and rclone for Oracle Linux

Last week we packaged up a few more RPMs for Oracle Linux 7 that will help make life easier for Cloud users.

bbcp 15.02.03.01.1-3 in ol7_developer:

# yum install bbcp

bbcp is what I would call ssh on steroids. If you want to copy files from a local node to a remote node (say in Oracle Cloud), this is a great tool. It might require some tuning, but the idea is that you can open up parallel TCP streams. When you do large file transfers this should give you a bit of a performance boost. I would also recommend using UEK5 and enabling BBR as the congestion control algorithm (see an old blog entry). The combination of enabling BBR (which only has to be done on one of the two nodes, source or destination) and using bbcp to copy large files over parallel streams should give you the best throughput. Making this an RPM for OL makes it easily available for everyone to use.

rclone 1.42 in ol7_developer:

# yum install rclone

rclone is a very cool command line tool to move files between local storage and cloud object storage. It works very well with Oracle Cloud Infrastructure's Object Storage. Now that it's packaged as an RPM for OL you can install it directly from the command line instead of downloading a file from a website. rclone works like scp. An example could be:

# rclone copy localdir ocistorage:remotedir

To configure rclone for Oracle Cloud Infrastructure's Object Storage, you have to create an "Amazon S3 Compatible API Key". This generates a secret key that you use during rclone config, along with the access key (which looks like an OCID: ocid1.credential.oc1.<string>).

Configuration example:

# sudo yum install -y rclone

-> In the OCI console go to Identity -> Users -> User Details -> Amazon S3 Compatible API Key and generate a new Secret Key.
-> Copy the secret key, because you need it to configure rclone; you will also need the Access Key (which is an OCID).
-> Configure rclone on your OL7 client.
Example:

# rclone config

-> type n (new remote) and give it a name: name> ocistorage
-> Type of storage to configure: type 3 (Amazon S3 Compliant Storage Providers (AWS, Ceph, Dreamhost, IBM COS, Minio))
-> Choose your S3 provider: type 8 (Any other S3 compatible provider)
-> Next type 1 (1 / Enter AWS credentials in the next step)
-> For the access key provide the OCID: access_key_id> ocid1.credential.....
-> For the secret access key use the secret key that was just generated: secret_access_key> tyjXhM7eUuB2v........
-> Region to connect to: hit enter
-> For the endpoint (example: Phoenix) enter an https URL, for example https://orclwim.compat.objectstorage.us-phoenix-1.oraclecloud.com. My tenant name is orclwim, so replace it with your tenant name. The endpoint URLs are:
https://<tenantname>.compat.objectstorage.us-phoenix-1.oraclecloud.com
https://<tenantname>.compat.objectstorage.us-ashburn-1.oraclecloud.com
https://<tenantname>.compat.objectstorage.eu-frankfurt-1.oraclecloud.com
https://<tenantname>.compat.objectstorage.uk-london-1.oraclecloud.com
-> Location Constraint: hit enter
-> ACL: hit enter
-> type y (OK to store the settings)

You should get something like:

Current remotes:

Name                 Type
====                 ====
ocistorage           s3

That's it. We have some code changes pending that will add Oracle and the endpoints to rclone, but those are still being reviewed.
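As an added example (not part of the original post, and not rclone's own code), here is the same remote produced non-interactively: the script builds the section that `rclone config` writes into rclone.conf, derives the endpoint from the tenant name and one of the regions listed above, and writes the file with mode 0600, because the S3 compatible secret key is stored in clear text in that file. The remote name, tenant name and credential values are placeholders.

```python
"""Generate an rclone remote for OCI Object Storage's S3 compatible endpoint.

Added example; not part of the original post or of rclone. The credential
values used in demo() are placeholders, not real keys.
"""
import configparser
import os
import stat
import tempfile

# Regions listed in the post; the endpoint pattern is
# https://<tenant>.compat.objectstorage.<region>.oraclecloud.com
OCI_S3_REGIONS = ("us-phoenix-1", "us-ashburn-1", "eu-frankfurt-1", "uk-london-1")


def oci_s3_endpoint(tenant, region):
    """Build the per-tenant S3 compatible endpoint URL, refusing unknown regions."""
    if region not in OCI_S3_REGIONS:
        raise ValueError("unknown region %r; expected one of %s" % (region, ", ".join(OCI_S3_REGIONS)))
    if not tenant or "." in tenant or "/" in tenant:
        raise ValueError("tenant must be a bare tenancy name, not a URL")
    return "https://%s.compat.objectstorage.%s.oraclecloud.com" % (tenant, region)


def rclone_remote(name, tenant, region, access_key, secret_key):
    """Return a ConfigParser holding the [name] section with the keys `rclone config` writes."""
    if not access_key.startswith("ocid1.credential."):
        raise ValueError("the access key for OCI's S3 compatible API is an ocid1.credential OCID")
    cfg = configparser.ConfigParser()
    cfg[name] = {
        "type": "s3",
        "provider": "Other",
        "env_auth": "false",
        "access_key_id": access_key,
        "secret_access_key": secret_key,
        "endpoint": oci_s3_endpoint(tenant, region),
    }
    return cfg


def write_rclone_conf(path, cfg):
    """Write the config owner-read/write only: the secret key is stored in clear text."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # tighten the mode if the file already existed
    return stat.S_IMODE(os.stat(path).st_mode)


def conf_has_loose_perms(path):
    """True if anyone other than the owner can read or write the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO))


def demo(directory=None):
    """Build the remote from placeholder values and write it to a throwaway file."""
    directory = directory or tempfile.mkdtemp()
    target = os.path.join(directory, "rclone.conf")
    cfg = rclone_remote("ocistorage", "mytenant", "us-phoenix-1",
                        "ocid1.credential.oc1..placeholder", "placeholder-secret")
    return target, write_rclone_conf(target, cfg)


if __name__ == "__main__":
    path, mode = demo()
    print("wrote %s with mode %o, loose perms: %s" % (path, mode, conf_has_loose_perms(path)))
```

rclone 1.42 reads its configuration from ~/.config/rclone/rclone.conf by default, so write the generated section there (or pass --config). The secret key is a long-lived credential; treat the file like an SSH private key and regenerate the key in the OCI console if the file is ever exposed.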


Oracle Linux 7 for Arm is now Generally Available

We released Oracle Linux 7 for Arm a few days ago: General Availability. We have been making previews available for a few months now, but the time has come to put support behind it and make clear to customers and partners that this is a real product, not just a preview. A few specific things:

- This is a 64-bit only version. We do not intend to support ILP32. Our focus is on providing a high quality server product to run serious applications now and in the future, and I think it's fair to say that ILP32 would just be more work with little added value towards that goal. So OL7 is a very clean 64-bit only distribution.
- Oracle Linux 7 update 5 is the base level of OL7 for Arm. We have done a lot of work to ensure that it's very close to x86(x64). Our Arm packages are built from the same source RPMs as the x86 version, which allows us to have as little deviation between the two architectures as possible. We want it to be as seamless as possible to go from one architecture to the other. We will make the same errata available across the architectures and, where it makes sense, have the same repo names and structure.
- Our Arm port uses UEK5 only. The other distribution kernels are still a bit in flux on Arm because their x86 kernel is a bit older and Arm is still undergoing a decent amount of churn. For us, with the UEK model, it was a lot easier to align the two architectures, and it worked out perfectly fine timing-wise. UEK5 is based on 4.14.x mainline Linux, so we have the same kernel and the same source base on x86 as well as Arm. That means DTrace is there, Ksplice support is there, etc. Errata for one architecture, when relevant to the other, will be released at the same time. Again, streamline it as much as possible so that customers and partners that have both x86 and Arm won't really notice any difference at all. Also, UEK5 on x86 is built with the default gcc version that comes with OL7 (gcc 4.8). On Arm, however, we decided to build with gcc 7.3, and UEK5 on Arm is built with a 64k page size.
- As with x86, Oracle Linux for Arm is freely downloadable. We have installable ISO images. Errata will also be freely available. It can be used in test, dev or production; we have no restrictions on that. If you want support, you get a support subscription, just like on x86; otherwise you can use it as much as you want. No auth keys, no private repos, just the public https://yum.oracle.com for errata. And of course the source code as well.
- Since a lot of enhancements have gone into the toolchain (compiler, glibc, ...), we decided to provide a gcc 7.3 environment with OL7/Arm. The Software Collection 3.0 repo on Arm contains the 'Oracle Arm toolset', which is basically gcc 7.3 and related items. The toolchain team is doing a lot of work on Arm optimizations (as is the kernel team, for that matter).
- Hardware partners: right now we have validated and work closely with our partners Ampere Computing and Cavium. The majority of our testing and validation happens on these platforms and chips.
- ISVs: in order to build out a viable server/cloud platform for Arm we (as everyone else) need our ISV partner ecosystem to follow. This is one reason we decided to go GA: we want to show that we are serious about this platform, and that helps partners move forward as well. Internally we have already worked with the MySQL team to provide MySQL 8.0 for Arm. We are also doing work on Java optimizations and looking at other products.
- Cloud-'native': Docker for Oracle Linux/Arm is there, and we have Oracle Linux images on Docker Hub (in case you didn't know). You will see k8s show up, etc.
- Basics/beginnings of EPEL. A lot of our users on x86 use a lot of EPEL packages. As many of you already know, we started rebuilding (not modifying) the EPEL packages so that they are (1) signed by us, (2) come from the same repo source as the base OL (a single download location) and (3) can easily be made available to Oracle Cloud users on the 'internal' cloud network. We are going to expand this to Arm as well, slowly growing the Arm/EPEL repo. This will take some time.
- We have a Raspberry Pi 3B and 3B+ image that is still pre-GA, with UEK5 and grub. Expect to see an update to the GA code base in the near future. RPi3 is more of a 'fun' and easy way to play with OL7/Arm; we don't see it (sorry) as a production target.

Go download it, play with it, have fun... and thanks to my team at Oracle for making this happen, and a shout out to our partners for their contributions (Ampere Computing folks! and Cavium folks!)


Unbreakable Enterprise Kernel Release 5 for Oracle Linux 7

Yesterday we released the 5th version of our "UEK" package for Oracle Linux 7 (UEKR5). This kernel version is based on a 4.14.x mainline Linux kernel. One of the nice things is that 4.14 is an upstream Long Term Stable kernel version, maintained by gregkh. UEKR5 is a 64-bit only kernel. We released it on x86(-64) and ARM64 (aarch64), and it is supported starting with Oracle Linux 7. Updating to UEK5 is easy: just add the UEKR5 yum repo and update. We have release notes posted here and a more detailed blog here.

A lot of new stuff in UEKR5. We also put a few extra tools in the yum repo that let you make use of the newer features where tool updates are needed: xfsprogs, btrfsprogs, ixpdimm libraries, pmemsdk, updated dtrace utils, updated bcache, updated iproute, etc.

For those that don't remember, we launched the first version of our kernel for Oracle Linux back in 2010 when we launched the 8 socket Exadata system. We have been releasing a new Linux kernel for Oracle Linux on a regular basis ever since. Every Exadata system, in fact every Oracle Engineered System that runs Linux, uses Oracle Linux with one of the versions of UEK inside. So for customers it's the most tested kernel out there: you can run the exact same OS software stack as we run on our biggest and fastest database servers, on-premises or in the cloud, and in fact the exact same OS software stack we run inside Oracle Cloud in general. That's pretty unique compared to other vendors, where the underlying stack is a black box. Not here.

10/2010 - 2.6.32 [UEK] OL5/OL6
03/2012 - 2.6.39 [UEKR2] OL5/OL6
10/2013 - 3.8 [UEKR3] OL6/OL7
01/2016 - 4.1 [UEKR4] OL6/OL7
06/2018 - 4.14 [UEKR5] OL7

The source code for UEKR5 (as has been the case since day 0) is fully available publicly: the entire git repo is there with changelog, all the patches are there with all the changelog history, not just some tar file with patch files on top of tar files to obfuscate things. It's all just -right there-. In fact we recently even moved our kernel git repo to GitHub. Have at it.


oci-utils-0.6-34.el7

I will write up some examples on this later, but for now, here's the changelog:

The oci-utils package is used to manage block volumes and VNICs and is available for use with Oracle Linux 7 images in Oracle Cloud (excludes support for OCI-C). The latest release (oci-utils-0.6-34.el7) is available in the Oracle Linux 7 developer channel on YUM. The following changes/additions have been made in this release (0.6):

- Support added for API access through Instance Principals
- Support added for root using a designated user's OCI config files and keys
- oci_utils API automatically detects the authentication method to be used
- ocid can discover secondary IP addresses and CHAP user/password using OCI API calls, if the Python SDK is configured or if Instance Principals is used
- Network proxy support for making SDK calls
- Configuration files for ocid: /etc/oci-utils.d/*
- Support for configuring the various functions of ocid individually, including refresh frequency or turning them off completely
- ocid saves state and restores all volumes and VNIC configuration after reboot
- oci-network-config: new option: --detach-vnic
- oci-iscsi-config: new option: --destroy-volume
- oci-utils APIs are now thread safe
- NEW tool: oci-image-cleanup, a script that runs a set of cleanup steps to prepare the instance for a custom image
- oci-kvm utility rejects attempts to create guests if the required virtualization support is not enabled in the image it is being executed on


Some tips for using Oracle Linux in Oracle Cloud

Creating an Oracle Linux instance in Oracle Cloud Infrastructure is easy. For the most part it is the same as creating your own image from the install media, but we have done a few extra things that are very useful and you should know about :)

- With recent images, the yum repo file points to a local OCI mirror of yum.oracle.com (plus a few repos that are only available on linux.oracle.com for subscribers; all OCI instances are technically subscribers. Remember, Oracle Linux support is included with OCI instances at no additional cost, with no extra button to click). So downloading RPMs or using yum on an OCI instance is very, very fast and does not incur any network traffic to the outside world.
- A number of repos are enabled by default: ol7_UEKR4, _developer, _developer_EPEL, _ksplice, _latest, _optional_latest, _addons, _software_collections. This gives you direct access to a ton of Oracle Linux related packages out of the box. But consider looking at a number of other repos that we have not enabled by default. All you have to do is change enabled=0 to enabled=1 in /etc/yum.repos.d/public-yum-ol7.repo. Example: ol7_preview. Alternatively you can enable a repo from the yum command line:

yum --enablerepo=ol7_preview <option>

The reason we don't enable these by default is that some of the packages in these channels are newer but, in some cases, pre-releases or developer versions, and we want to default to the "GA" versions. You are more than welcome to add these other packages of course. For instance, by default docker-engine gets you 17.06, but if you want 17.12, that's in the ol7_preview channel. So if you're looking for something new, don't forget to look there before manually downloading stuff from a random third-party site; we might already have it available, signed and from the same repo. Other channels include nodejs8, gluster312, php72, MySQL8, developer_UEKR5, etc. Take a look at the repo file. You can always browse the repo content on https://yum.oracle.com, and if you want to see what's added on a regular basis, check out the yum.oracle.com what's new page. Having EPEL and software collections gives you quick access to a very wide range of packages. Again, no need to download a yum repo RPM or fetch packages with wget. Easy to create a development environment and a deployment environment.
- Some tools are installed by default. For instance, an OCI OL instance comes with oci-utils pre-installed. oci-utils contains a number of command line tools that make it very easy to work with attached block volumes, handle instance metadata, find your public IP easily, and configure your secondary VNICs. I wrote a blog entry about this a few months ago.
- Easy access to OCI toolkits. Want to use Terraform? No problem, no need to download stuff, just get it from our yum repo:

# yum install terraform terraform-provider-oci

We are typically just a few days behind the tagged releases of both Terraform and the OCI provider. Want to use the OCI SDK and OCI CLI?

# yum install python-oci-cli python-oci-sdk

Done. As with Terraform, these packages are updated at most a few days after the GitHub projects have release tags. No need to mess with updates or adding dependency RPMs. We take care of it and update them for you.


Oracle Ksplice and Oracle Linux reminder

For those of you that keep up with my blog and Twitter musings... you know how much I love Ksplice. This morning I was connecting to one of my cloud VMs and did an uptrack-upgrade, as it had been a while and I hadn't turned on automatic Ksplice updates on this node. I was pleasantly reminded of the awesomeness that is Ksplice. Here's the output: a kernel from 2-MAR-2018, no reboot, just a quick # uptrack-upgrade, and look at all the stuff that I am now protected against. A few seconds, no impact on apps, done.

Now I know that there are some other projects out there that talk about being able to patch something here or there. But nothing comes even close to this. Not in terms of service, not in terms of patch complexity, not in terms of ease of use, etc. Remember, everyone using Oracle Linux in Oracle Cloud has full use of Ksplice included at no extra cost and with no extra configuration; every Oracle Linux instance is configured out of the box to use this. No other cloud provider has this service for their OSs. No other OS vendor provides this as a service for their own product at this level of sophistication, and certainly not in any cloud environment. Best place to run Linux, best place to run Oracle Linux, all integrated, inclusive... in Oracle Cloud Infrastructure. Yes, this is/sounds like marketing, but the fact is it works and it's there.

[root@vm1-phx opc]# uname -a
Linux vm1-phx 4.1.12-112.16.4.el7uek.x86_64 #2 SMP Mon Mar 12 23:57:12 PDT 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@vm1-phx opc]# uptrack-upgrade
The following steps will be taken:
Install [q0j0yb6c] KAISER/KPTI enablement for Ksplice.
Install [afoeymft] Improve the interface to freeze tasks.
Install [bohqh05m] CVE-2017-17052: Denial-of-service due to incorrect reference counting in fork.
Install [eo2kqthd] Weakness when checking the keys in the XTS crypto algorithm.
Install [nq1xhhj5] CVE-2018-7492: Denial-of-service when setting options for RDS over Infiniband socket.
Install [b1gg8wsq] CVE-2017-7518: Privilege escalation in KVM emulation subsystem.
Install [lzckru19] Information leak when setting crypto key using RNG algorithm.
Install [npbx6wcr] Deadlock while queuing messages before remote node is up using RDS protocol.
Install [4fmvm11y] NULL pointer dereference when using bind system call on RDS over Infiniband socket.
Install [3eilpxc9] CVE-2017-14051: Denial-of-service in qla2xxx sysfs handler.
Install [385b9ve0] Denial-of-service in SCSI Lower Level Drivers (LLD) infrastructure.
Install [aaaqchtz] Denial-of-service when creating session in QLogic HBA Driver.
Install [d0apeo6x] CVE-2017-16646: Denial-of-service when using DiBcom DiB0700 USB DVB devices.
Install [5vzbq8ct] CVE-2017-15537: Information disclosure in FPU restoration after signal.
Install [6qv3bfyi] Kernel panic in HyperV guest-to-host transport.
Install [35rms9ga] Memory leak when closing VMware VMXNET3 ethernet device.
Install [5gdk22so] Memory corruption in IP packet redirection.
Install [6m4jnrwq] NULL pointer dereference in Hyper-V transport driver on allocation failure.
Install [owihyva9] CVE-2018-1068: Privilege escalation in bridging interface.
Install [buc7tc4q] Data-loss when writing to XFS filesystem.
Install [kef372kx] Denial-of-service when following symlink in ext4 filesystem.
Install [hb1vibbw] Denial-of-service during NFS server migration.
Install [4cqic4y6] Denial-of-service during RDS socket operation.
Install [4av6l7rd] Denial-of-service when querying ethernet statistics.
Install [8irqvffd] Denial-of-service in Hyper-V utilities driver.
Install [5ey3jcat] Denial-of-service in Broadcom NetXtreme-C/E network adapter.
Install [npapntll] Denial-of-service when configuring SR-IOV virtual function.
Install [s9mkcqwb] NULL pointer dereference during hardware reconfiguration in Cisco VIC Ethernet NIC driver.
Install [470l2f6x] Kernel panic during asynchronous event registration in LSI Logic MegaRAID SAS driver.
Install [cb7q8ihy] Kernel crash during PCI hotplug of Emulex LightPulse FibreChannel driver.
Install [tztxs6wf] Kernel crash during Emulex LightPulse FibreChannel I/O.
Install [o7drldhw] NULL pointer dereference during Emulex LightPulse FibreChannel removal.
Install [t8a1epky] Hard lockup in Emulex LightPulse FibreChannel driver.
Install [8du7f5q4] Deadlock during abort command in QLogic QLA2XXX driver.
Install [rghn5nkz] Kernel crash when creating RDS-over-IPv6 sockets.
Install [taix4vnz] CVE-2017-12146: Privilege escalation using a sysfs entry from platform driver.
Install [60u6sewd] CVE-2017-17558: Buffer overrun in USB core via integer overflow.
Install [2a1t0wfk] CVE-2017-16643: Out-of-bounds access in GTCO CalComp/InterWrite USB tablet HID parsing.
Install [tcxwzxmf] CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.
Install [3qhfzsex] CVE-2018-1000199: Denial-of-service in hardware breakpoints.
Go ahead [y/N]? y
Installing [q0j0yb6c] KAISER/KPTI enablement for Ksplice.
Installing [afoeymft] Improve the interface to freeze tasks.
Installing [bohqh05m] CVE-2017-17052: Denial-of-service due to incorrect reference counting in fork.
Installing [eo2kqthd] Weakness when checking the keys in the XTS crypto algorithm.
Installing [nq1xhhj5] CVE-2018-7492: Denial-of-service when setting options for RDS over Infiniband socket.
Installing [b1gg8wsq] CVE-2017-7518: Privilege escalation in KVM emulation subsystem.
Installing [lzckru19] Information leak when setting crypto key using RNG algorithm.
Installing [npbx6wcr] Deadlock while queuing messages before remote node is up using RDS protocol.
Installing [4fmvm11y] NULL pointer dereference when using bind system call on RDS over Infiniband socket.
Installing [3eilpxc9] CVE-2017-14051: Denial-of-service in qla2xxx sysfs handler.
Installing [385b9ve0] Denial-of-service in SCSI Lower Level Drivers (LLD) infrastructure.
Installing [aaaqchtz] Denial-of-service when creating session in QLogic HBA Driver.
Installing [d0apeo6x] CVE-2017-16646: Denial-of-service when using DiBcom DiB0700 USB DVB devices.
Installing [5vzbq8ct] CVE-2017-15537: Information disclosure in FPU restoration after signal.
Installing [6qv3bfyi] Kernel panic in HyperV guest-to-host transport.
Installing [35rms9ga] Memory leak when closing VMware VMXNET3 ethernet device.
Installing [5gdk22so] Memory corruption in IP packet redirection.
Installing [6m4jnrwq] NULL pointer dereference in Hyper-V transport driver on allocation failure.
Installing [owihyva9] CVE-2018-1068: Privilege escalation in bridging interface.
Installing [buc7tc4q] Data-loss when writing to XFS filesystem.
Installing [kef372kx] Denial-of-service when following symlink in ext4 filesystem.
Installing [hb1vibbw] Denial-of-service during NFS server migration.
Installing [4cqic4y6] Denial-of-service during RDS socket operation.
Installing [4av6l7rd] Denial-of-service when querying ethernet statistics.
Installing [8irqvffd] Denial-of-service in Hyper-V utilities driver.
Installing [5ey3jcat] Denial-of-service in Broadcom NetXtreme-C/E network adapter.
Installing [npapntll] Denial-of-service when configuring SR-IOV virtual function.
Installing [s9mkcqwb] NULL pointer dereference during hardware reconfiguration in Cisco VIC Ethernet NIC driver.
Installing [470l2f6x] Kernel panic during asynchronous event registration in LSI Logic MegaRAID SAS driver.
Installing [cb7q8ihy] Kernel crash during PCI hotplug of Emulex LightPulse FibreChannel driver.
Installing [tztxs6wf] Kernel crash during Emulex LightPulse FibreChannel I/O.
Installing [o7drldhw] NULL pointer dereference during Emulex LightPulse FibreChannel removal.
Installing [t8a1epky] Hard lockup in Emulex LightPulse FibreChannel driver.
Installing [8du7f5q4] Deadlock during abort command in QLogic QLA2XXX driver.
Installing [rghn5nkz] Kernel crash when creating RDS-over-IPv6 sockets.
Installing [taix4vnz] CVE-2017-12146: Privilege escalation using a sysfs entry from platform driver.
Installing [60u6sewd] CVE-2017-17558: Buffer overrun in USB core via integer overflow.
Installing [2a1t0wfk] CVE-2017-16643: Out-of-bounds access in GTCO CalComp/InterWrite USB tablet HID parsing.
Installing [tcxwzxmf] CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.
Installing [3qhfzsex] CVE-2018-1000199: Denial-of-service in hardware breakpoints.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-124.14.3.el7uek
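One practical consequence of the output above: after the live update, `uname -r` still reports the kernel that was booted (4.1.12-112.16.4), while the patch level is the "Effective kernel version" (4.1.12-124.14.3, also available from `uptrack-uname -r`). A vulnerability scanner or inventory that keys only on `uname` will therefore flag CVEs that are already closed. The script below, added here and not part of the original post or of Ksplice, parses uptrack-upgrade output in the format shown, extracts the CVE IDs that were applied, and flags a stale `uname`. The sample text is a constructed excerpt in that format.

```python
"""Reconcile Ksplice state with what a uname-based scanner sees.

Added example; not part of the original post or of Ksplice. SAMPLE is a
constructed excerpt in the format of the uptrack-upgrade output in the post.
"""
import re

# "Install [q0j0yb6c] CVE-2017-17052: ..." (plan) / "Installing [...] ..." (applied)
_UPDATE_RE = re.compile(r"^(?P<phase>Install|Installing) \[(?P<id>[0-9a-z]{8})\] (?P<summary>.+)$")
_CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
_EFFECTIVE_RE = re.compile(r"Effective kernel version is (?P<rel>\S+)")
_ARCH_SUFFIXES = (".x86_64", ".aarch64")


def parse_uptrack(text):
    """One record per applied update (the 'Installing' lines), keyed by Ksplice ID."""
    updates = {}
    for line in text.splitlines():
        m = _UPDATE_RE.match(line.strip())
        if not m or m.group("phase") != "Installing":
            continue
        summary = m.group("summary")
        updates[m.group("id")] = {"summary": summary, "cves": _CVE_RE.findall(summary)}
    return updates


def cves_applied(text):
    """Sorted CVE IDs covered by the applied updates (fixes without a CVE are not listed)."""
    return sorted({cve for rec in parse_uptrack(text).values() for cve in rec["cves"]})


def effective_kernel(text):
    """The release string Ksplice reports, or None if the run did not finish."""
    m = _EFFECTIVE_RE.search(text)
    return m.group("rel") if m else None


def _strip_arch(release):
    for suffix in _ARCH_SUFFIXES:
        if release.endswith(suffix):
            return release[: -len(suffix)]
    return release


def uname_is_stale(uname_release, text):
    """True when `uname -r` no longer matches the effective patch level."""
    eff = effective_kernel(text)
    return eff is not None and _strip_arch(uname_release) != eff


# Constructed excerpt following the post's output format (not a full run).
SAMPLE = """\
The following steps will be taken:
Install [bohqh05m] CVE-2017-17052: Denial-of-service due to incorrect reference counting in fork.
Install [eo2kqthd] Weakness when checking the keys in the XTS crypto algorithm.
Go ahead [y/N]? y
Installing [bohqh05m] CVE-2017-17052: Denial-of-service due to incorrect reference counting in fork.
Installing [eo2kqthd] Weakness when checking the keys in the XTS crypto algorithm.
Installing [owihyva9] CVE-2018-1068: Privilege escalation in bridging interface.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-124.14.3.el7uek
"""

if __name__ == "__main__":
    print("CVEs applied:", cves_applied(SAMPLE))
    print("effective kernel:", effective_kernel(SAMPLE))
    print("uname stale:", uname_is_stale("4.1.12-112.16.4.el7uek.x86_64", SAMPLE))
```

Feed it the saved output of `uptrack-upgrade -y` (or `uptrack-show`, whose lines use the same `[id] summary` form) and compare `cves_applied` against the scanner's findings before opening tickets.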


Congestion Control algorithms in UEK5 preview - try out BBR

One of the new features in UEK5 is a new TCP congestion control algorithm called BBR (bottleneck bandwidth and round-trip propagation time). You can find very good papers here and here. Linux supports a large variety of congestion control algorithms: bic, cubic, westwood, hybla, vegas, h-tcp, veno, etc. Wikipedia has some good information on them: https://en.wikipedia.org/wiki/TCP_congestion_control. Here is a good overview of the important ones, including BBR: https://blog.apnic.net/2017/05/09/bbr-new-kid-tcp-block/

The default algorithm, for quite some time now, has been cubic (and this remains the default in UEK5), but we now also include support for BBR. BBR was added in mainline Linux 4.9; UEK5 picked it up because the UEK5 tree is based on mainline 4.14. Remember that we have our kernels on GitHub for easy access and reading. We don't do tar files; you get the whole thing with changelog, standard upstream kernel git with backports, fixes, etc.

We have seen very promising performance improvements using BBR when downloading or uploading large files over the WAN. So for cloud computing usage and moving data from on-premises to cloud or the other way around, this might (in some situations) provide a bit of a performance boost. I've measured 10% in some tests. Your mileage may vary. It certainly should help when you have packet loss. One advantage is that you don't need both source and target systems to run this kernel: congestion control is a sender-side mechanism, so enabling BBR on a host affects the data that host sends, regardless of what the peer runs. To test BBR you can run OL7 on either side, install UEK5 on it (see here) and enable it on that system. Try ssh or netperf or wget of a large(ish) file.

All you have to do is:
- use an Oracle Linux 7 install on one of the two servers.
- install the UEK5 preview kernel and boot into it.
- use sysctl (as root) to modify the settings and enable BBR. You can do this online; no reboot is required. You should also set the queue discipline to fq instead of pfifo_fast (the default).
# sysctl -w net.ipv4.tcp_congestion_control=bbr
# sysctl -w net.core.default_qdisc=fq

If you want to go back to the defaults:

# sysctl -w net.ipv4.tcp_congestion_control=cubic
# sysctl -w net.core.default_qdisc=pfifo_fast

(Feel free to experiment with switching pfifo_fast vs fq as well.) Note that net.core.default_qdisc only applies to qdiscs created after the change, so interfaces that are already up keep pfifo_fast until they are re-created or changed with tc; to keep both settings across reboots, put them in a file under /etc/sysctl.d/.

If need be, this can be set at the individual socket level in Linux. If you have a specific application (like a web server or a data transfer program), use setsockopt() with TCP_CONGESTION. Something like:

    /* needs <sys/socket.h>, <netinet/tcp.h>, <string.h> and <stdio.h> */
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    /* ... bind() and listen() ... */
    int sockfd = accept(sock, NULL, NULL);
    const char *optval = "bbr";
    socklen_t optlen = strlen(optval);
    if (setsockopt(sockfd, IPPROTO_TCP, TCP_CONGESTION, optval, optlen) < 0)
        perror("setsockopt(TCP_CONGESTION)");

In Python (3.6+, which added socket.TCP_CONGESTION) the same is:

    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_CONGESTION, b"bbr")

The option lives at the TCP level (IPPROTO_TCP); setting it at IPPROTO_IP fails. Have fun playing with it. Let me know if/when you see advantages as well.
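The one-liner above assumes the call succeeds. As an added example (not part of the original post), the script below asks for BBR on a socket, falls back to cubic if that fails, and reads back with getsockopt which algorithm the kernel actually applied. That readback matters because setsockopt(TCP_CONGESTION) fails with ENOENT when the tcp_bbr module is not loaded and with EPERM when an unprivileged process asks for an algorithm that is not listed in net.ipv4.tcp_allowed_congestion_control; the function names and the ("bbr", "cubic") preference order are this example's own.

```python
"""Request BBR on a socket and verify what the kernel actually chose.

Added example; not part of the original post. On a kernel without TCP_CONGESTION
support (or a non-Linux platform) the functions return None instead of failing.
"""
import errno
import socket

ALLOWED_FILE = "/proc/sys/net/ipv4/tcp_allowed_congestion_control"


def allowed_congestion_controls(path=ALLOWED_FILE):
    """Algorithms an unprivileged process may select (root may pick any loaded one)."""
    try:
        with open(path) as fh:
            return fh.read().split()
    except OSError:
        return []


def current_congestion_control(sock):
    """Read back the algorithm in effect for this socket, or None if unsupported."""
    if not hasattr(socket, "TCP_CONGESTION"):
        return None
    raw = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_CONGESTION, 16)  # TCP_CA_NAME_MAX
    return raw.split(b"\0", 1)[0].decode("ascii")


def select_congestion_control(sock, preferred=("bbr", "cubic")):
    """Try each algorithm in order; return (name_in_effect, {name: errno_name} for failures)."""
    errors = {}
    if not hasattr(socket, "TCP_CONGESTION"):
        return None, errors
    for name in preferred:
        try:
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_CONGESTION, name.encode("ascii"))
            return current_congestion_control(sock), errors
        except OSError as exc:
            errors[name] = errno.errorcode.get(exc.errno, str(exc.errno))
    # Nothing we asked for was accepted; report what the kernel left in place.
    return current_congestion_control(sock), errors


def demo(preferred=("bbr", "cubic")):
    """Open a TCP socket, request the algorithms, and return what was chosen."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError as exc:
        return None, {"socket": errno.errorcode.get(exc.errno, str(exc.errno))}
    try:
        return select_congestion_control(sock, preferred)
    finally:
        sock.close()


if __name__ == "__main__":
    chosen, failed = demo()
    print("allowed for unprivileged users:", allowed_congestion_controls())
    print("in effect:", chosen, "failed attempts:", failed)
```

If "bbr" shows up under failed attempts with ENOENT, load the module first (`modprobe tcp_bbr`); with EPERM, either run as root or add bbr to net.ipv4.tcp_allowed_congestion_control.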


Running VirtualBox inside a VM instance in Oracle Cloud Infrastructure

OK - So don't ask "Why?"... Because... I can! :) would be the answer for the most part.

Oracle Cloud Infrastructure supports nested virtualization. When you create a VM instance in OCI and run Oracle Linux 7 with our kernel, you can create KVM or (soon you'll see how...) VirtualBox VMs inside it. If you create a BM instance, you can install VirtualBox or use KVM as you normally would on a local server, since, well, it's a bare metal server with full access to the hardware and its features.

VirtualBox has some very interesting built-in features which might make it useful to run remotely (even when virtualized). One example would be the embedded vRDP server. It can do great remote audio and video (enable/tune the video channel), it makes it easy to take your local VirtualBox images and run them unmodified remotely, it lets you create smaller VMs that you constantly start/stop... you can use vagrant boxes, and it opens up the whole vagrant VirtualBox environment to a remote cloud. So aside from "Because I can"... there are actual good use cases for this!

How do you go about doing this? For the most part it's pretty trivial: installing VirtualBox in a VM in OCI is no different from installing it on your local desktop or server. Configuring a guest VM in VirtualBox should be done using the command line (vboxmanage) instead of installing a full remote desktop and running vnc and such; it's a lot faster from the command line. And if you want to run VirtualBox in bridged mode so that you have full access to the OCI native cloud network facilities (VCN/subnet/IP addresses, even public IPs, without NAT), there are a few minor things you need to do.

Here are the steps to get going. I'm not a big screenshot guy, so bear with me in text for the most part.

Step 1: Create an OCI VM and create/assign an extra VNIC to pass through to your VirtualBox VM.

If you don't already have an OCI account, you can sign up for a $300 credit trial account here. That should give you enough to get started. Set up your account, create a Virtual Cloud Network (VCN) with its subnets, and create a VM instance in one of the availability domains/regions. To test this out I created a VM.Standard2.2 shape instance with Oracle Linux 7. Once the instance is created, you can log in as user opc and get going.

When you log into your VM instance, and in the OCI web console, you will see that you have a primary VNIC attached. This might show up as ens3 or so inside your VM. In the OCI web console the VNIC has a name (typically the primary VNIC's name is the same as your instance name), a private IP and, if you decided to put it on a public network, a public IP address as well. All of this is configured out of the box for you as part of instance creation.

Since I want to show how to use a bridged network in VirtualBox, you will need a second VNIC. You can create it now, or come back later and do it once you are ready to start your VirtualBox VM. Just go to Attached VNICs in the web console (or use the OCI CLI) and create a VNIC on a given VCN/subnet. The important information to jot down is the MAC address and the private IP address of this newly created VNIC: in the example, 10.0.0.2 and 00:00:17:02:EB:EA. This info is needed later.

Step 2: Install and configure VirtualBox

With Oracle Linux 7 this is a very easy process. Use yum to install VirtualBox and the dependencies for building the VirtualBox kernel modules, then download and install the Extension Pack and you're done:

# yum install -y kernel-uek-devel-`uname -r` gcc
# yum install -y VirtualBox-5.2
# wget https://download.virtualbox.org/virtualbox/5.2.8/Oracle_VM_VirtualBox_Extension_Pack-5.2.8.vbox-extpack
# vboxmanage extpack install Oracle_VM_VirtualBox_Extension_Pack-5.2.8.vbox-extpack

That's it. You now have a fully functioning VirtualBox hypervisor installed on top of Oracle Linux 7 in an OCI VM instance.

Step 3: Create your first VirtualBox guest VM

The following instructions show you how to create a VM from the command line. The nice thing about the command line is that you can clearly see what it takes to configure a VM and you can easily tweak the values (memory, disk, ...).

First, you likely want to create a new VM from an install ISO, so upload your installation media to your OCI VM. I uploaded my Oracle Linux 7.5 preview image, which you can get here.

Create your VirtualBox VM:

# vboxmanage createvm --name oci-test --ostype oracle_64 --register
# vboxmanage modifyvm oci-test --memory 4096 --vram 128 --ioapic on
# vboxmanage modifyvm oci-test --boot1 dvd --boot2 disk --boot3 none --boot4 none
# vboxmanage modifyvm oci-test --vrde on

Configure the virtual disk and storage controllers (feel free to attach an OCI Block Volume to your VM and put the VirtualBox virtual disks on that volume, of course). The example below creates a 40G virtual disk image and attaches the OL7.5 ISO as a DVD image.

# vboxmanage createhd --filename oci-test.vdi --size 40960
# vboxmanage storagectl oci-test --name "SATA Controller" --add sata --controller IntelAHCI
# vboxmanage storageattach oci-test --storagectl "SATA Controller" --port 0 --device 0 --type hdd --medium oci-test.vdi
# vboxmanage storagectl oci-test --name "IDE Controller" --add ide
# vboxmanage storageattach oci-test --storagectl "IDE Controller" --port 0 --device 0 --type dvddrive --medium /home/opc/OracleLinux-R7-U5-BETA-Server-x86_64-dvd.iso

Configure the bridged network adapter to connect directly to the OCI VNIC

This is a little more involved. You have to find out which network device was created on the VM host for the secondary VNIC:

# ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens3: mtu 9000 qdisc mq state UP qlen 1000
    link/ether 00:00:17:02:3a:29 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.8/24 brd 192.168.1.255 scope global dynamic ens3
       valid_lft 73962sec preferred_lft 73962sec
3: ens4: mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:00:17:02:eb:ea brd ff:ff:ff:ff:ff:ff

Bring up this network adapter without an IP address and configure the MTU to 9000 (the default MTU for VNICs in OCI):

# ip link set dev ens4 up
# ip link set ens4 mtu 9000

Almost there... Now create the NIC in VirtualBox and assign the MAC address you recorded earlier to it. It is very important to use that MAC address, otherwise the network will not allow traffic through. Note: don't use : in the MAC address on the command line.

# vboxmanage modifyvm oci-test --nic1 bridged --bridgeadapter1 ens4 --macaddress1 00001702ebea

That's it. You now have a VirtualBox VM that can be started, will boot from the install media, and is directly connected to the host's network in OCI.

There is no DHCP running on this network, so when you install your VirtualBox VM you have to assign a static IP (use the one that was assigned as the private IP address of the VNIC, 10.0.0.2 in the example above).

Before you start your VM, open up the firewall on the host for remote RDP connections, and do the same in the OCI console: modify the security list for your host's primary VNIC to allow port 3389 (RDP) traffic ingress.

# firewall-cmd --permanent --add-port=3389/tcp
# firewall-cmd --reload

Start your VM in headless mode and use your favorite RDP client on your desktop or laptop to connect to the remote VirtualBox console:

# vboxmanage startvm oci-test --type headless

If you want to experiment with remote video/audio (for instance, play a youtube video inside your VM or play a movie file), enable the VRDE video channel. Use the quality parameter to modify the compression/lossy ratio (improves performance) of the MJPEG stream:

# vboxmanage modifyvm oci-test --vrdevideochannel on
# vboxmanage modifyvm oci-test --vrdevideochannelquality 70
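An added helper for the bridged-NIC step (example code, not from the post): it parses `ip addr` output to find the host device that carries a given OCI VNIC MAC, converts the MAC to the colon-less form vboxmanage expects, and emits the ip/vboxmanage commands used above. The sample output is constructed from the listing in the post; the function names and the --apply flag are mine.

```python
"""Map an OCI VNIC MAC to its host interface and build the bridged-NIC commands."""
import re
import shlex
import subprocess
import sys

# Constructed sample, modelled on the `ip addr` listing in the post (the <...> flag
# fields are absent there as well). For real use the script runs `ip addr` itself.
SAMPLE_IP_ADDR = """\
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: ens3: mtu 9000 qdisc mq state UP qlen 1000
    link/ether 00:00:17:02:3a:29 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.8/24 brd 192.168.1.255 scope global dynamic ens3
3: ens4: mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:00:17:02:eb:ea brd ff:ff:ff:ff:ff:ff
"""

OCI_VNIC_MTU = "9000"  # default MTU for VNICs in OCI, per the post


def vbox_mac(mac):
    """MAC as vboxmanage --macaddressN wants it: 12 lowercase hex digits, no separators.

    The OCI console shows 00:00:17:02:EB:EA; VirtualBox expects 00001702ebea.
    Anything that is not a 48-bit MAC is rejected rather than passed along.
    """
    raw = re.sub(r"[:-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", raw):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return raw


def is_valid_mac(mac):
    try:
        vbox_mac(mac)
        return True
    except ValueError:
        return False


def find_iface_by_mac(ip_addr_output, mac):
    """Host interface whose link/ether equals `mac` (case/separator-insensitive), or None."""
    wanted = vbox_mac(mac)
    current = None
    for line in ip_addr_output.splitlines():
        head = re.match(r"^\d+:\s+([^\s:@]+)[@:]", line)  # "3: ens4: ..." or "5: veth0@if6: ..."
        if head:
            current = head.group(1)
            continue
        link = re.match(r"^\s+link/ether\s+(\S+)", line)
        if link and current and is_valid_mac(link.group(1)) and vbox_mac(link.group(1)) == wanted:
            return current
    return None


def bridged_nic_commands(vm, iface, mac, nic=1):
    """The host-side commands from the post for one passthrough VNIC.

    Bring the device up with no IP, set the OCI MTU, then attach it to `vm` as a
    bridged adapter carrying the VNIC's own MAC: the OCI network will not pass
    traffic for any other source MAC, so the guest must present exactly this one.
    """
    m = vbox_mac(mac)
    n = str(nic)
    return [
        ["ip", "link", "set", "dev", iface, "up"],
        ["ip", "link", "set", iface, "mtu", OCI_VNIC_MTU],
        ["vboxmanage", "modifyvm", vm, "--nic" + n, "bridged",
         "--bridgeadapter" + n, iface, "--macaddress" + n, m],
    ]


def main(argv):
    """Usage: script VM MAC [--apply]. Without --apply it only prints the commands."""
    vm, mac = argv[1], argv[2]
    apply_changes = "--apply" in argv[3:]
    output = SAMPLE_IP_ADDR
    if apply_changes:  # real host: ask the kernel instead of using the sample
        output = subprocess.run(["ip", "addr"], check=True, capture_output=True, text=True).stdout
    iface = find_iface_by_mac(output, mac)
    if iface is None:
        print("no host interface carries MAC %s; is the VNIC attached?" % mac)
        return 1
    for cmd in bridged_nic_commands(vm, iface, mac):
        print(" ".join(shlex.quote(a) for a in cmd))
        if apply_changes:
            subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    args = sys.argv if len(sys.argv) >= 3 else [sys.argv[0], "oci-test", "00:00:17:02:EB:EA"]
    sys.exit(main(args))
```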


Raspberry Pi 3 B Oracle Linux 7.4 ARM64 with UEK5 preview image available for download

A few weeks ago we released an Oracle Linux 7 Update 4 for ARM64 preview update on OTN. This updated ISO installs on Ampere X-Gene 3 (emag) and Cavium ThunderX / ThunderX2 based systems (and it's also known to work on Qualcomm Centriq 2400 based servers). Today we added the RPI3 (Raspberry Pi 3 Model B) disk image as well.

The previous RPI3 image was still using Oracle Linux 7.3 as a base along with a 4.9 Linux kernel. The newly released image makes it current: it is the same Oracle Linux 7.4 package set as we released on the ISO and it uses the same UEK5 preview kernel (based on 4.14.30 right now). The current image uses uboot and boots the kernel directly. We will do another update in the near future where we switch to uboot+efi and grub2, so that updating kernels will work the same way as on the regular ARM server installs (where we boot with EFI -> grub2).

A few things to point out:
- OL7/ARM64 is a 64-bit only build. That makes binaries pretty large, and the RPI3 only has 1GB of RAM, so it's a bit of a stretch.
- X/gnome-shell doesn't work in this release. This is a known issue; when we move to 7.5 this will be resolved, but our focus is mostly server and, per the above, running a heavy GUI stack is hard on a 1GB system.
- We do not yet support the latest RPI3 Model B+, only the RPI3 Model B. We don't have a device tree/dtb file yet for the RPI3 Model B+.

Since it has all the same packages as the server one, you can run docker on the RPI3:

# cat /etc/oracle-release
Oracle Linux Server release 7.4
# uname -a
Linux rpi3 4.14.30-1.el7uek.aarch64 #1 SMP Mon Mar 26 23:11:30 PDT 2018 aarch64 aarch64 aarch64 GNU/Linux
# yum install docker-engine
# systemctl enable docker
# systemctl start docker
# docker pull oraclelinux:7-slim

And there you go: a small Oracle Linux 7 for ARM image right on your rpi, directly from docker hub.

# docker pull oraclelinux:7-slim
7-slim: Pulling from library/oraclelinux
eefac02db809: Pull complete
Digest: sha256:fc684f5bbd1e46cfa28f56a0340026bca640d6188ee79ef36ab2d58d41636131
Status: Downloaded newer image for oraclelinux:7-slim


yum-builddep and rpmbuild

I sometimes try to build an RPM from source (to patch something or try a patch). Since I only do these things every now and then, I tend to forget stuff easily and it takes me a while to get back into it.

Anyway - I was trying to build lxc (as an example) earlier today and I wanted to patch the lxc-oracle template. So I log into my OL7 box and use yumdownloader to download the lxc source:

# yumdownloader --source lxc

Install the src rpm:

# rpm -ivh lxc-1.1.5-2.0.9.el7.src.rpm

So I now have ~/rpmbuild/SPECS/lxc.spec and ~/rpmbuild/SOURCES/<bunch of patch files and the lxc-1.1.5.tar.gz>.

Install rpmbuild (wasn't installed yet):

# yum install rpm-build

(I know - the rpm is called rpm-build but the binary is rpmbuild... odd. Never figured out why in the world it couldn't just be the same - anyway.)

Ok. So... my usual step is:

# rpmbuild -bp SPECS/lxc.spec

I don't want to build binaries, just create the whole BUILD tree with the patches applied. Here is where I always waste time. There are a bunch of build dependencies that are not yet installed, and in the past I would (pretty stupid of me, thinking back) just go down the list one by one doing yum install <rpm needed> until rpmbuild stops complaining. Turns out that yum-utils includes a tool called yum-builddep! Aha.

# yum-builddep SPECS/lxc.spec

Look at that! It goes and pulls in all the build dependency packages for you. Ok, back to:

# rpmbuild -bp SPECS/lxc.spec

and all is happy! This is one I won't forget.


Updated Oracle Linux 7 update 4 ARM64/aarch64 with uek5 4.14.26-2

We refreshed the installation media for OL7/ARM64 with the latest uek5 preview build, based on upstream stable 4.14.26, and added perf and tuned. You can download it from the OTN OL ARM webpage. Ignore the 4.14-14 in the text; that will get updated. We're also working on updating the Raspberry Pi 3 image to match the same version, hopefully using grub2 there as well to make it easier to have a single image repo. The arm64 yum repo on http://yum.oracle.com has also been updated.

A few things to point out:
- Oracle Linux 7 for ARM64 is going to be a 64-bit only distribution (aarch64). All binaries are built 64-bit and we have no support in user space libraries nor in the kernel for 32-bit.
- Our ARM port shares the same source code base as x64. There are minor architecture changes where required to build, but we have a single source code repository from which we build both architectures. This is important because it keeps things easy and clean and allows us to synchronize the two architectures without problems.
- Our kernel on ARM64 is built using GCC 7.3:
  Linux version 4.14.26-2.el7uek.aarch64 gcc version 7.3.0 20180125
- We currently test on Ampere Computing and Cavium ThunderX® systems. We plan to add more processor types over time.


Oracle Linux in Oracle Cloud Infrastructure and on-premises.

Oracle Cloud Infrastructure is a really great platform to run many types of operating systems on the many compute instance shapes available, with large amounts of NVMe storage, lots of threads or cores and super fast networking. OCI lets you run pretty much any operating system (Windows, Ubuntu, CentOS, pretty much any Linux... and of course Oracle Linux). With the Emulation Mode VMs you can go way back with old versions, and someone even showed OS2 running!

One really nice thing about OCI is the fact that Oracle Linux support is included at no additional cost. I wrote about this before. You can file SRs, you get OL5 extended support, you can use Oracle Enterprise Manager Cloud Control instances to manage the OS, you can use spacewalk, you can use kubernetes, docker; it's all included. We have local yum repository mirrors inside OCI regions for fast downloads of packages, which also makes sure you get them without incurring external network traffic. And of course we do very frequent updates of the Oracle Linux images so that you can always create instances with the latest and greatest updates. We have scripts to make life easier (such as oci-utils), and we create RPMs for the OCI CLI, python SDK, terraform provider etc., so you don't have to manually download scripts or tools and compile or install them; it's all there.

Another reason is that we all work very closely together to support you. The Oracle Cloud Infrastructure development team and the Oracle Linux development team work hand in hand to figure out what went wrong, in the rare case something happens. We're one team towards our customers and partners.

Another nice thing with Oracle Linux in OCI is the on-premises angle. When you run Oracle Linux on your servers on-prem, you have access to the exact same code and packages; with a support subscription you have full Oracle support, and even without a support subscription you have access to the errata updates and all the packages I mentioned here, without a need for authorization keys or access codes. It's all right there. If you are an ISV that wants to package an application and embed an OS, OL is perfect: you can distribute it for free, you can decide to get support subscriptions when you need them without being forced to change the OS underneath, and you can then take that exact same code and run it in a cloud environment, in OCI in particular, at no additional cost, including full support. Create a VM image and distribute the entire image; no contract needed. You can provide that VM image on-premises or in the cloud. You can install it on bare-metal servers; it's not limited to VMs.

And of course customers have the flexibility of moving between on-premises and Oracle Cloud without having to worry. Same code, predictable cost. Full support in both places. Whether you are a developer, a customer with test and development systems, production systems, an ISV that creates solution bundles with an embedded OS... no difference. You don't have to worry about taking an RPM from your developer platform and installing it on your production system. Want to play with docker images? They're on docker hub, they're on the Oracle Container Registry, free to use by anyone and everyone, both in our cloud (and any cloud) and on-premises. Regularly updated images, for the exact same OS you can run in production, in test/dev, for developers, ISVs, anywhere. No distinction. And we have an OCI mirror of our Container Registry, again for fast access and to ensure you don't create external network usage.

Sure, there are other Linux distributions out there. Free ones, great, but if you need help, support, service levels for production, it's not offered. Commercial ones, well, no such flexibility, not even close. And if something goes wrong, you deal with at least 2 companies to figure out what happened. 1 call, 1 SR, on-prem, in cloud. Same code everywhere.

- Public Oracle Linux yum server
- Source code: https://oss.oracle.com/sources/
- Vagrant boxes
- docker hub
- ISO images
- full public git repo with mainline and our commits, transparent (not tar balls to actually try and obfuscate)
- public service patch breakout for those that don't want to go through patch files for that other kernel


Oracle Linux 7 UEK5 - preview updated from 4.14.20 to 4.14.23 for both x64 and arm64

The latest update of the uek5 preview is on https://yum.oracle.com:

Oracle Linux 7 Server - Developer preview Unbreakable Enterprise Kernel Release 5
kernel-uek-4.14.23-1.el7uek - The Linux kernel (Update)

# rpm -q --changelog kernel-uek-4.14.23-1.el7uek | more

Remember - go check http://yum.oracle.com/whatsnew.html on a regular basis; it's a good source to see what's been updated or added.

x86_64:
- kernel-uek-4.14.23-1.el7uek.x86_64.rpm
- kernel-uek-debug-4.14.23-1.el7uek.x86_64.rpm
- kernel-uek-debug-devel-4.14.23-1.el7uek.x86_64.rpm
- kernel-uek-devel-4.14.23-1.el7uek.x86_64.rpm

aarch64:
- kernel-uek-4.14.23-1.el7uek.aarch64.rpm
- kernel-uek-debug-4.14.23-1.el7uek.aarch64.rpm
- kernel-uek-debug-devel-4.14.23-1.el7uek.aarch64.rpm
- kernel-uek-devel-4.14.23-1.el7uek.aarch64.rpm
- kernel-uek-headers-4.14.23-1.el7uek.aarch64.rpm

Description of changes since last released kernel (4.14.20-1):

[4.14.23-1.el7uek]
- Xen: Rename cpu_data.x86_mask to cpu_data.x86_stepping (Somasundaram Krishnasamy) [Orabug: 27602172]
- dtrace: prefetch of arguments from stack breaks NOFAULT protection (Tomas Jedlicka) [Orabug: 27593504]
- dtrace: remove use of flag SLAB_NOTRACK (Tomas Jedlicka) [Orabug: 27415846]
- dtrace: update assembly routines to match 4.14.21 kernels (Tomas Jedlicka) [Orabug: 27591318]
- uek-rpm: Set base_sublevel to 23 (Somasundaram Krishnasamy) [Orabug: 27601642]
- Linux 4.14.23 (Greg Kroah-Hartman)
- microblaze: fix endian handling (Arnd Bergmann)
- m32r: fix endianness constraints (Geert Uytterhoeven)
- drm/i915/breadcrumbs: Ignore unsubmitted signalers (Chris Wilson)
- drm/amdgpu: add new device to use atpx quirk (Kai-Heng Feng)
- drm/amdgpu: Avoid leaking PM domain on driver unbind (v2) (Alex Deucher)
- drm/amdgpu: add atpx quirk handling (v2) (Alex Deucher)
- drm/amdgpu: only check mmBIF_IOV_FUNC_IDENTIFIER on tonga/fiji (Alex Deucher)
- drm/amdgpu: Add dpm quirk for Jet PRO (v2) (Alex Deucher)
- drm/amdgpu: disable MMHUB power gating on raven (Huang Rui)
- drm: Handle unexpected holes in color-eviction (Chris Wilson)
- drm/cirrus: Load lut in crtc_commit (Daniel Vetter)
- usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path (Yoshihiro Shimoda)
- usb: gadget: f_fs: Use config_ep_by_speed() (Jack Pham)
- usb: gadget: f_fs: Process all descriptors during bind (Jack Pham)
- Revert "usb: musb: host: don't start next rx urb if current one failed" (Bin Liu)
- usb: ldusb: add PIDs for new CASSY devices supported by this driver (Karsten Koop)
- usb: dwc3: ep0: Reset TRB counter for ep0 IN (Thinh Nguyen)
- usb: dwc3: gadget: Set maxpacket size for ep0 IN (Thinh Nguyen)
- usb: host: ehci: use correct device pointer for dma ops (Peter Chen)
- drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA (Kai-Heng Feng)
- Add delay-init quirk for Corsair K70 RGB keyboards (Jack Stocker)
- arm64: cpufeature: Fix CTR_EL0 field definitions (Will Deacon)
- arm64: Disable unhandled signal log messages by default (Michael Weiser)
- arm64: Remove unimplemented syscall log message (Michael Weiser)
- usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks() (AMAN DEEP)
- ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and io_watchdog_func() (Shigeru Yoshida)
- PCI/cxgb4: Extend T3 PCI quirk to T4+ devices (Casey Leedom)
- irqchip/mips-gic: Avoid spuriously handling masked interrupts (Matt Redfearn)
- irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq() (Shanker Donthineni)
- mm, swap, frontswap: fix THP swap if frontswap enabled (Huang Ying)
- x86/oprofile: Fix bogus GCC-8 warning in nmi_setup() (Arnd Bergmann)
- Kbuild: always define endianess in kconfig.h (Arnd Bergmann)
- iio: adis_lib: Initialize trigger before requesting interrupt (Lars-Peter Clausen)
- iio: buffer: check if a buffer has been set up when poll is called (Stefan Windfeldt-Prytz)
- iio: srf08: fix link error "devm_iio_triggered_buffer_setup" undefined (Andreas Klinger)
- iio: adc: stm32: fix stm32h7_adc_enable error handling (Fabrice Gasnier)
- RDMA/uverbs: Sanitize user entered port numbers prior to access it (Leon Romanovsky)
- RDMA/uverbs: Fix circular locking dependency (Leon Romanovsky)
- RDMA/uverbs: Fix bad unlock balance in ib_uverbs_close_xrcd (Leon Romanovsky)
- RDMA/uverbs: Protect from command mask overflow (Leon Romanovsky)
- RDMA/uverbs: Protect from races between lookup and destroy of uobjects (Leon Romanovsky)
- extcon: int3496: process id-pin first so that we start with the right status (Hans de Goede)
- PKCS#7: fix certificate blacklisting (Eric Biggers)
- PKCS#7: fix certificate chain verification (Eric Biggers)
- X.509: fix NULL dereference when restricting key with unsupported_sig (Eric Biggers)
- X.509: fix BUG_ON() when hash algorithm is unsupported (Eric Biggers)
- i2c: bcm2835: Set up the rising/falling edge delays (Eric Anholt)
- i2c: designware: must wait for enable (Ben Gardner)
- cfg80211: fix cfg80211_beacon_dup (Arnd Bergmann)
- MIPS: Drop spurious __unused in struct compat_flock (James Hogan)
- scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info (Tyrel Datwyler)
- xtensa: fix high memory/reserved memory collision (Max Filippov)
- MIPS: boot: Define __ASSEMBLY__ for its.S build (Kees Cook)
- kconfig.h: Include compiler types to avoid missed struct attributes (Kees Cook)
- arm64: mm: don't write garbage into TTBR1_EL1 register (Ard Biesheuvel)
- netfilter: drop outermost socket lock in getsockopt() (Paolo Abeni)
- Linux 4.14.22 (Greg Kroah-Hartman)
- vmalloc: fix __GFP_HIGHMEM usage for vmalloc_32 on 32b systems (Michal Hocko)
- mei: me: add cannon point device ids for 4th device (Tomas Winkler)
- mei: me: add cannon point device ids (Alexander Usyskin)
- crypto: s5p-sss - Fix kernel Oops in AES-ECB mode (Kamil Konieczny)
- drm/i915: fix intel_backlight_device_register declaration (Arnd Bergmann)
- crypto: talitos - fix Kernel Oops on hashing an empty file (LEROY Christophe)
- hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close (Jia-Ju Bai)
- powerpc/perf/imc: Fix nest-imc cpuhotplug callback failure (Anju T Sudhakar)
- PCI: rcar: Fix use-after-free in probe error path (Geert Uytterhoeven)
- xen: XEN_ACPI_PROCESSOR is Dom0-only (Jan Beulich)
- platform/x86: dell-laptop: Fix keyboard max lighting for Dell Latitude E6410 (Pali Rohár)
- x86/mm/kmmio: Fix mmiotrace for page unaligned addresses (Karol Herbst)
- mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep (Dave Young)
- usb: dwc3: of-simple: fix missing clk_disable_unprepare (Andreas Platschek)
- usb: dwc3: gadget: Wait longer for controller to end command processing (Vincent Pelletier)
- dmaengine: jz4740: disable/unprepare clk if probe fails (Tobias Jordan)
- drm/vc4: Release fence after signalling (Stefan Schake)
- ASoC: rsnd: ssi: fix race condition in rsnd_ssi_pointer_update (Jiada Wang)
- drm/armada: fix leak of crtc structure (Russell King)
- xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies. (Steffen Klassert)
- IB/mlx4: Fix RSS hash fields restrictions (Guy Levi)
- spi: sun4i: disable clocks in the remove function (Takuo Koguchi)
- ASoC: rockchip: disable clock on error (Stefan Potyra)
- staging: ccree: Uninitialized return in ssi_ahash_import() (Dan Carpenter)
- clk: fix a panic error caused by accessing NULL pointer (Cai Li)
- netfilter: xt_bpf: add overflow checks (Jann Horn)
- xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0) (Aviv Heller)
- dmaengine: at_hdmac: fix potential NULL pointer dereference in atc_prep_dma_interleaved (Gustavo A. R. Silva)
- dmaengine: ioat: Fix error handling path (Christophe JAILLET)
- scsi: bfa: fix type conversion warning (Arnd Bergmann)
- scsi: bfa: fix access to bfad_im_port_s (Johannes Thumshirn)
- scsi: lpfc: Use after free in lpfc_rq_buf_free() (Dan Carpenter)
- gianfar: Disable EEE autoneg by default (Claudiu Manoil)
- 509: fix printing uninitialized stack memory when OID is empty (Eric Biggers)
- net: dsa: mv88e6xxx: Unregister MDIO bus on error path (Andrew Lunn)
- net: dsa: mv88e6xxx: Fix interrupt masking on removal (Andrew Lunn)
- net: ethernet: arc: fix error handling in emac_rockchip_probe (Branislav Radocaj)
- virtio_net: fix return value check in receive_mergeable() (Yunjian Wang)
- brcmfmac: Avoid build error with make W=1 (Andy Shevchenko)
- btrfs: Fix possible off-by-one in btrfs_search_path_in_tree (Nikolay Borisov)
- Btrfs: disable FUA if mounted with nobarrier (Omar Sandoval)
- btrfs: Fix quota reservation leak on preallocated files (Justin Maggard)
- locking/lockdep: Fix possible NULL deref (Peter Zijlstra)
- net: qualcomm: rmnet: Fix leak on transmit failure (Subash Abhinov Kasiviswanathan)
- KVM: VMX: fix page leak in hardware_setup() (Jim Mattson)
- VSOCK: fix outdated sk_state value in hvs_release() (Stefan Hajnoczi)
- net_sched: red: Avoid illegal values (Nogah Frankel)
- net_sched: red: Avoid devision by zero (Nogah Frankel)
- gianfar: fix a flooded alignment reports because of padding issue. (Zumeng Chen)
- nfp: fix port stats for mac representors (Pieter Jansen van Vuuren)
- ARM: dts: Fix elm interrupt compiler warning (Tony Lindgren)
- s390/dasd: prevent prefix I/O error (Stefan Haberland)
- s390/virtio: add BSD license to virtio-ccw (Michael S. Tsirkin)
- PM / runtime: Fix handling of suppliers with disabled runtime PM (Rafael J. Wysocki)
- powerpc/perf: Fix oops when grouping different pmu events (Ravi Bangoria)
- m68k: add missing SOFTIRQENTRY_TEXT linker section (Greg Ungerer)
- ipvlan: Add the skb->mark as flow4's member to lookup route (Gao Feng)
- bnxt_en: Need to unconditionally shut down RoCE in bnxt_shutdown (Ray Jui)
- scripts/kernel-doc: Don't fail with status != 0 if error encountered with -none (Will Deacon)
- iio: fix kernel-doc build errors (Randy Dunlap)
- iio: proximity: sx9500: Assign interrupt from GpioIo() (Andy Shevchenko)
- md/raid1/10: add missed blk plug (Shaohua Li)
- phylink: ensure we take the link down when phylink_stop() is called (Russell King)
- sfp: fix RX_LOS signal handling (Russell King)
- sctp: only update outstanding_bytes for transmitted queue when doing prsctp_prune (Xin Long)
- md/raid5: correct degraded calculation in raid5_error (bingjingc)
- IB/core: Init subsys if compiled to vmlinuz-core (Dmitry Monakhov)
- RDMA/cma: Make sure that PSN is not over max allowed (Moni Shoua)
- i40iw: Correct ARP index mask (Mustafa Ismail)
- i40iw: Do not free sqbuf when event is I40IW_TIMER_TYPE_CLOSE (Mustafa Ismail)
- i40iw: Allocate a sdbuf per CQP WQE (Chien Tin Tung)
- KVM: arm/arm64: Fix spinlock acquisition in vgic_set_owner (Marc Zyngier)
- meson-gx-socinfo: Fix package id parsing (Arnaud Patard)
- IB/hfi1: Initialize bth1 in 16B rc ack builder (Dennis Dalessandro)
- pinctrl: sunxi: Fix A64 UART mux value (Andre Przywara)
- pinctrl: sunxi: Fix A80 interrupt pin bank (Andre Przywara)
- gpio: davinci: Assign first bank regs for unbanked case (Keerthy)
- gpio: 74x164: Fix crash during .remove() (Geert Uytterhoeven)
- net: mvpp2: allocate zeroed tx descriptors (Yan Markman)
- media: ov13858: Select V4L2_FWNODE (Sakari Ailus)
- media: s5k6aa: describe some function parameters (Mauro Carvalho Chehab)
- trace/xdp: fix compile warning: 'struct bpf_map' declared inside parameter list (Xie XiuQi)
- kvm: arm: don't treat unavailable HYP mode as an error (Ard Biesheuvel)
- pinctrl: denverton: Fix UART2 RTS pin mode (Andy Shevchenko)
- perf test: Fix test 21 for s390x (Thomas Richter)
- perf bench numa: Fixup discontiguous/sparse numa nodes (Satheesh Rajendran)
- perf top: Fix window dimensions change handling (Jiri Olsa)
- perf: Fix header.size for namespace events (Jiri Olsa)
- perf test shell: Fix check open filename arg using 'perf trace' on s390x (Thomas Richter)
- perf annotate: Do not truncate instruction names at 6 chars (Ravi Bangoria)
- perf help: Fix a bug during strstart() conversion (Namhyung Kim)
- perf record: Fix -c/-F options for cpu event aliases (Andi Kleen)
- ARM: dts: am437x-cm-t43: Correct the dmas property of spi0 (Peter Ujfalusi)
- ARM: dts: am4372: Correct the interrupts_properties of McASP (Peter Ujfalusi)
- ARM: dts: logicpd-somlv: Fix wl127x pinmux (Adam Ford)
- ARM: dts: logicpd-som-lv: Fix gpmc addresses for NAND and enet (Adam Ford)
- ARM: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen (Tony Lindgren)
- ARM: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function (Keerthy)
- ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context (Tony Lindgren)
- serdev: fix receive_buf return value when no callback (Johan Hovold)
- usb: build drivers/usb/common/ when USB_SUPPORT is set (Randy Dunlap)
- usbip: keep usbip_device sockfd state in sync with tcp_socket (Shuah Khan)
- staging: iio: ad5933: switch buffer mode to software (Alexandru Ardelean)
- staging: iio: adc: ad7192: fix external frequency setting (Alexandru Ardelean)
- staging: fsl-mc: fix build testing on x86 (Arnd Bergmann)
- binder: replace "%p" with "%pK" (Todd Kjos)
- binder: check for binder_thread allocation failure in binder_poll() (Eric Biggers)
- staging: android: ashmem: Fix a race condition in pin ioctls (Ben Hutchings)
- ANDROID: binder: synchronize_rcu() when using POLLFREE. (Martijn Coenen)
- ANDROID: binder: remove WARN() for redundant txn error (Todd Kjos)
- dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock (Paolo Abeni)
- arm64: dts: add #cooling-cells to CPU nodes (Arnd Bergmann)
- ARM: 8743/1: bL_switcher: add MODULE_LICENSE tag (Arnd Bergmann)
- video: fbdev/mmp: add MODULE_LICENSE (Arnd Bergmann)
- ASoC: ux500: add MODULE_LICENSE tag (Arnd Bergmann)
- net_sched: gen_estimator: fix lockdep splat (Eric Dumazet)
- net: avoid skb_warn_bad_offload on IS_ERR (Willem de Bruijn)
- rds: tcp: atomically purge entries from rds_tcp_conn_list during netns delete (Sowmini Varadhan)
- rds: tcp: correctly sequence cleanup on netns deletion. (Sowmini Varadhan)
- netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert (Cong Wang)
- netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1() (Cong Wang)
- netfilter: on sockopt() acquire sock lock only in the required scope (Paolo Abeni)
- netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() (Dmitry Vyukov)
- netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} (Eric Dumazet)
- netfilter: x_tables: fix int overflow in xt_alloc_table_info() (Dmitry Vyukov)
- kcov: detect double association with a single task (Dmitry Vyukov)
- KVM: x86: fix escape of guest dr6 to the host (Wanpeng Li)
- blk_rq_map_user_iov: fix error override (Douglas Gilbert)
- staging: android: ion: Switch from WARN to pr_warn (Laura Abbott)
- staging: android: ion: Add __GFP_NOWARN for system contig heap (Laura Abbott)
- crypto: x86/twofish-3way - Fix %rbp usage (Eric Biggers)
- media: pvrusb2: properly check endpoint types (Andrey Konovalov)
- selinux: skip bounded transition processing if the policy isn't loaded (Paul Moore)
- selinux: ensure the context is NUL terminated in security_context_to_sid_core() (Paul Moore)
- ptr_ring: try vmalloc() when kmalloc() fails (Jason Wang)
- ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE (Jason Wang)
- ALSA: bcd2000: Add a sanity check for invalid EPs (Takashi Iwai)
- ALSA: caiaq: Add a sanity check for invalid EPs (Takashi Iwai)
- ALSA: line6: Add a sanity check for invalid EPs (Takashi Iwai)
- drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all (Chris Wilson)
- dnotify: Handle errors from fsnotify_add_mark_locked() in fcntl_dirnotify() (Jan Kara)
- blktrace: fix unlocked registration of tracepoints (Jens Axboe)
- sctp: set frag_point in sctp_setsockopt_maxseg correctly (Xin Long)
- xfrm: check id proto in validate_tmpl() (Cong Wang)
- xfrm: Fix stack-out-of-bounds read on socket policy lookup. (Steffen Klassert)
- RDMA/netlink: Fix general protection fault (Leon Romanovsky)
- KVM/x86: Check input paging mode when cs.l is set (Lan Tianyu)
- mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed. (Tetsuo Handa)
- xfrm: skip policies marked as dead while rehashing (Florian Westphal)
- xfrm: fix rcu usage in xfrm_get_type_offload (Sabrina Dubroca)
- xfrm: don't call xfrm_policy_cache_flush while holding spinlock (Florian Westphal)
- esp: Fix GRO when the headers not fully in the linear part of the skb. (Steffen Klassert)
- mac80211_hwsim: validate number of different channels (Johannes Berg)
- cfg80211: check dev_set_name() return value (Johannes Berg)
- bpf: mark dst unknown on inconsistent {s, u}bounds adjustments (Daniel Borkmann)
- kcm: Only allow TCP sockets to be attached to a KCM mux (Tom Herbert)
- kcm: Check if sk_user_data already set in kcm_attach (Tom Herbert)
- vhost: use mutex_lock_nested() in vhost_dev_lock_vqs() (Jason Wang)
- usb: core: Add a helper function to check the validity of EP type in URB (Takashi Iwai)
- Linux 4.14.21 (Greg Kroah-Hartman)
- ovl: hash directory inodes for fsnotify (Amir Goldstein)
- ASoC: acpi: fix machine driver selection based on quirk (Pierre-Louis Bossart)
- mmc: sdhci-of-esdhc: fix the mmc error after sleep on ls1046ardb (yinbo.zhu)
- mmc: sdhci-of-esdhc: fix eMMC couldn't work after kexec (yinbo.zhu)
- mmc: sdhci-of-esdhc: disable SD clock for clock value 0 (yangbo lu)
- media: r820t: fix r820t_write_reg for KASAN (Arnd Bergmann)
- ARM: dts: Delete bogus reference to the charlcd (Linus Walleij)
- arm: dts: mt2701: Add reset-cells (Matthias Brugger)
- arm: dts: mt7623: Update ethsys binding (Matthias Brugger)
- ARM: dts: s5pv210: add interrupt-parent for ohci (Arnd Bergmann)
- arm64: dts: msm8916: Add missing #phy-cells (Bjorn Andersson)
- ARM: pxa/tosa-bt: add MODULE_LICENSE tag (Arnd Bergmann)
- ARM: dts: exynos: fix RTC interrupt for exynos5410 (Arnd Bergmann)
- Bluetooth: BT_HCIUART now depends on SERIAL_DEV_BUS (Arnd Bergmann)
- scsi: core: check for device state in __scsi_remove_target() (Hannes Reinecke)
- x86/mm, mm/hwpoison: Don't unconditionally unmap kernel 1:1 pages (Tony Luck)
- usb: Move USB_UHCI_BIG_ENDIAN_* out of USB_SUPPORT (James Hogan)
- mvpp2: fix multicast address filter (Mikulas Patocka)
- ALSA: seq: Fix racy pool initializations (Takashi Iwai)
- ALSA: usb: add more device quirks for USB DSD devices (Daniel Mack)
- ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204 (Lassi Ylikojola)
- ALSA: hda/realtek: PCI quirk for Fujitsu U7x7 (Jan-Marek Glogowski) - ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform (Kailang Yang) - ALSA: hda/realtek - Add headset mode support for Dell laptop (Kailang Yang) - ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute (Kirill Marinushkin) - ALSA: hda - Fix headset mic detection problem for two Dell machines (Hui Wang) - mtd: nand: vf610: set correct ooblayout (Stefan Agner) - 9p/trans_virtio: discard zero-length reply (Greg Kurz) - Btrfs: fix unexpected -EEXIST when creating new inode (Liu Bo) - Btrfs: fix use-after-free on root->orphan_block_rsv (Liu Bo) - Btrfs: fix btrfs_evict_inode to handle abnormal inodes correctly (Liu Bo) - Btrfs: fix extent state leak from tree log (Liu Bo) - Btrfs: fix crash due to not cleaning up tree log block's dirty bits (Liu Bo) - Btrfs: fix deadlock in run_delalloc_nocow (Liu Bo) - dm: correctly handle chained bios in dec_pending() (NeilBrown) - iscsi-target: make sure to wake up sleeping login worker (Florian Westphal) - target/iscsi: avoid NULL dereference in CHAP auth error path (David Disseldorp) - blk-wbt: account flush requests correctly (Jens Axboe) - xprtrdma: Fix BUG after a device removal (Chuck Lever) - xprtrdma: Fix calculation of ri_max_send_sges (Chuck Lever) - drm/qxl: reapply cursor after resetting primary (Ray Strode) - qxl: alloc & use shadow for dumb buffers (Gerd Hoffmann) - arm64: proc: Set PTE_NG for table entries to avoid traversing them twice (Will Deacon) - rtlwifi: rtl8821ae: Fix connection lost problem correctly (Larry Finger) - mpls, nospec: Sanitize array index in mpls_label_ok() (Dan Williams) - tracing: Fix parsing of globs with a wildcard at the beginning (Steven Rostedt (VMware)) - seq_file: fix incomplete reset on read from zero offset (Miklos Szeredi) - xenbus: track caller request id (Joao Martins) - xen: Fix {set,clear}_foreign_p2m_mapping on autotranslating guests (Simon Gaiser) - rbd: whitelist 
RBD_FEATURE_OPERATIONS feature bit (Ilya Dryomov) - console/dummy: leave .con_font_get set to NULL (Nicolas Pitre) - video: fbdev: atmel_lcdfb: fix display-timings lookup (Johan Hovold) - PCI: keystone: Fix interrupt-controller-node lookup (Johan Hovold) - PCI: iproc: Fix NULL pointer dereference for BCMA (Ray Jui) - PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode (Dongdong Liu) - MIPS: Fix incorrect mem=X@Y handling (Marcin Nowakowski) - MIPS: Fix typo BIG_ENDIAN to CPU_BIG_ENDIAN (Corentin Labbe) - mm: Fix memory size alignment in devm_memremap_pages_release() (Jan H. Schönherr) - mm: hide a #warning for COMPILE_TEST (Arnd Bergmann) - ext4: correct documentation for grpid mount option (Ernesto A. Fernández) - ext4: save error to disk in __ext4_grp_locked_error() (Zhouyi Zhou) - ext4: fix a race in the ext4 shutdown path (Harshad Shirwadkar) - jbd2: fix sphinx kernel-doc build warnings (Tobin C. Harding) - Revert "apple-gmux: lock iGP IO to protect from vgaarb changes" (Lukas Wunner) - mlx5: fix mlx5_get_vector_affinity to start from completion vector 0 (Sagi Grimberg) - Revert "mmc: meson-gx: include tx phase in the tuning process" (Jerome Brunet) - mmc: bcm2835: Don't overwrite max frequency unconditionally (Phil Elwell) - mmc: sdhci: Implement an SDHCI-specific bounce buffer (Linus Walleij) - mbcache: initialize entry->e_referenced in mb_cache_entry_create() (Alexander Potapenko) - rtc-opal: Fix handling of firmware error codes, prevent busy loops (Stewart Smith) - drm/radeon: adjust tested variable (Julia Lawall) - drm/radeon: Add dpm quirk for Jet PRO (v2) (Alex Deucher) - arm64: Add missing Falkor part number for branch predictor hardening (Shanker Donthineni) - drm/ast: Load lut in crtc_commit (Daniel Vetter) - drm/amd/powerplay: Fix smu_table_entry.handle type (Andrey Grodzovsky) - drm/qxl: unref cursor bo when finished with it (Ray Strode) - drm/ttm: Fix 'buf' pointer update in ttm_bo_vm_access_kmap() (v2) (Tom St Denis) - drm/ttm: Don't 
add swapped BOs to swap-LRU list (Felix Kuehling) - x86/entry/64: Fix CR3 restore in paranoid_exit() (Ingo Molnar) - x86/cpu: Change type of x86_cache_size variable to unsigned int (Gustavo A. R. Silva) - x86/spectre: Fix an error message (Dan Carpenter) - x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping (Jia Zhang) - selftests/x86/mpx: Fix incorrect bounds with old _sigfault (Rui Wang) - x86/mm: Rename flush_tlb_single() and flush_tlb_one() to __flush_tlb_one_[user|kernel]() (Andy Lutomirski) - kmemcheck: rip it out for real (Michal Hocko) - kmemcheck: rip it out (Levin, Alexander (Sasha Levin)) - kmemcheck: remove whats left of NOTRACK flags (Levin, Alexander (Sasha Levin)) - kmemcheck: stop using GFP_NOTRACK and SLAB_NOTRACK (Levin, Alexander (Sasha Levin)) - kmemcheck: remove annotations (Levin, Alexander (Sasha Levin)) dependency (Peter Zijlstra) - nospec: Move array_index_nospec() parameter checking into separate macro (Will Deacon) - x86/speculation: Fix up array_index_nospec_mask() asm constraint (Dan Williams) - x86/debug: Use UD2 for WARN() (Peter Zijlstra) - x86/debug, objtool: Annotate WARN()-related UD2 as reachable (Josh Poimboeuf) - objtool: Fix segfault in ignore_unreachable_insn() (Josh Poimboeuf) - selftests/x86: Disable tests requiring 32-bit support on pure 64-bit systems (Dominik Brodowski) - selftests/x86: Do not rely on "int $0x80" in single_step_syscall.c (Dominik Brodowski) - selftests/x86: Do not rely on "int $0x80" in test_mremap_vdso.c (Dominik Brodowski) - selftests/x86/pkeys: Remove unused functions (Ingo Molnar) - selftests/x86: Clean up and document sscanf() usage (Dominik Brodowski) - selftests/x86: Fix vDSO selftest segfault for vsyscall=none (Dominik Brodowski) - x86/entry/64: Remove the unused 'icebp' macro (Borislav Petkov) - x86/entry/64: Fix paranoid_entry() frame pointer warning (Josh Poimboeuf) - x86/entry/64: Indent PUSH_AND_CLEAR_REGS and POP_REGS properly (Dominik Brodowski) - x86/entry/64: Get rid of the 
ALLOC_PT_GPREGS_ON_STACK and SAVE_AND_CLEAR_REGS macros (Dominik Brodowski) - x86/entry/64: Use PUSH_AND_CLEAN_REGS in more cases (Dominik Brodowski) - x86/entry/64: Introduce the PUSH_AND_CLEAN_REGS macro (Dominik Brodowski) - x86/entry/64: Interleave XOR register clearing with PUSH instructions (Dominik Brodowski) - x86/entry/64: Merge the POP_C_REGS and POP_EXTRA_REGS macros into a single POP_REGS macro (Dominik Brodowski) - x86/entry/64: Merge SAVE_C_REGS and SAVE_EXTRA_REGS, remove unused extensions (Dominik Brodowski) - x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface (Dan Williams) - PM: cpuidle: Fix cpuidle_poll_state_init() prototype (Rafael J. Wysocki) - PM / runtime: Update links_count also if !CONFIG_SRCU (Lukas Wunner) - x86/speculation: Clean up various Spectre related details (Ingo Molnar) - KVM/nVMX: Set the CPU_BASED_USE_MSR_BITMAPS if we have a valid L02 MSR bitmap (KarimAllah Ahmed) - X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs (KarimAllah Ahmed) - KVM/x86: Reduce retpoline performance impact in slot_handle_level_range(), by always inlining iterator helper methods (David Woodhouse) - Revert "x86/speculation: Simplify indirect_branch_prediction_barrier()" (David Woodhouse) - x86/speculation: Correct Speculation Control microcode blacklist again (David Woodhouse) - x86/speculation: Update Speculation Control microcode blacklist (David Woodhouse) - x86/mm/pti: Fix PTI comment in entry_SYSCALL_64() (Nadav Amit) - powerpc/mm/radix: Split linear mapping on hot-unplug (Balbir Singh) - crypto: sun4i_ss_prng - convert lock to _bh in sun4i_ss_prng_generate (Artem Savkov) - crypto: sun4i_ss_prng - fix return value of sun4i_ss_prng_generate (Artem Savkov) - compiler-gcc.h: __nostackprotector needs gcc-4.4 and up (Geert Uytterhoeven) - compiler-gcc.h: Introduce __optimize function attribute (Geert Uytterhoeven) - x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation 
attack surface (Dan Williams) - x86/entry/64: Clear extra registers beyond syscall arguments, to reduce speculation attack surface (Dan Williams) - x86: PM: Make APM idle driver initialize polling state (Rafael J. Wysocki) - x86/xen: init %gs very early to avoid page faults with stack protector (Juergen Gross) - x86/kexec: Make kexec (mostly) work in 5-level paging mode (Kirill A. Shutemov) - x86/gpu: add CFL to early quirks (Lucas De Marchi) - drm/i915/kbl: Change a KBL pci id to GT2 from GT1.5 (Anuj Phogat) - drm/i915: add GT number to intel_device_info (Lionel Landwerlin) - arm: spear13xx: Fix spics gpio controller's warning (Viresh Kumar) - arm: spear13xx: Fix dmas cells (Viresh Kumar) - arm: spear600: Add missing interrupt-parent of rtc (Viresh Kumar) - arm: dts: mt7623: fix card detection issue on bananapi-r2 (Sean Wang) - ARM: dts: nomadik: add interrupt-parent for clcd (Arnd Bergmann) - ARM: dts: STi: Add gpio polarity for "hdmi,hpd-gpio" property (Patrice Chotard) - ARM: lpc3250: fix uda1380 gpio numbers (Arnd Bergmann) - arm64: dts: msm8916: Correct ipc references for smsm (Bjorn Andersson) - s390: fix handling of -1 in set{,fs}[gu]id16 syscalls (Eugene Syromiatnikov) - dma-buf: fix reservation_object_wait_timeout_rcu once more v2 (Christian König) - powerpc: Fix DABR match on hash based systems (Benjamin Herrenschmidt) - powerpc/xive: Use hw CPU ids when configuring the CPU queues (Cédric Le Goater) - powerpc/mm: Flush radix process translations when setting MMU type (Alexey Kardashevskiy) - powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove (Nathan Fontenot) - powerpc/radix: Remove trace_tlbie call from radix__flush_tlb_all (Mahesh Salgaonkar) - ocfs2: try a blocking lock before return AOP_TRUNCATED_PAGE (Gang He) - mwifiex: resolve reset vs. 
remove()/shutdown() deadlocks (Brian Norris) - PM / devfreq: Propagate error from devfreq_add_device() (Bjorn Andersson) - swiotlb: suppress warning when __GFP_NOWARN is set (Christian König) - cpufreq: powernv: Dont assume distinct pstate values for nominal and pmin (Shilpasri G Bhat) - RDMA/rxe: Fix rxe_qp_cleanup() (Bart Van Assche) - RDMA/rxe: Fix a race condition in rxe_requester() (Bart Van Assche) - RDMA/rxe: Fix a race condition related to the QP error state (Bart Van Assche) - kselftest: fix OOM in memory compaction test (Arnd Bergmann) - selftests: seccomp: fix compile error seccomp_bpf (Anders Roxell) - IB/core: Avoid a potential OOPs for an unused optional parameter (Michael J. Ruhl) - IB/core: Fix ib_wc structure size to remain in 64 bytes boundary (Bodong Wang) - IB/core: Fix two kernel warnings triggered by rxe registration (Bart Van Assche) - IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports (Jack Morgenstein) - IB/qib: Fix comparison error with qperf compare/swap test (Mike Marciniszyn) - IB/umad: Fix use of unprotected device pointer (Jack Morgenstein) - scsi: smartpqi: allow static build ("built-in") (Steffen Weber) - tracing: Prevent PROFILE_ALL_BRANCHES when FORTIFY_SOURCE=y (Randy Dunlap)


Oracle Linux 7 UEK5 (Linux kernel 4.14) sneak preview

We just published an initial preview version of our next kernel-uek. This is based on upstream Linux 4.14 (latest stable -14). UEK4 is/was based on a 4.1 upstream Linux kernel. If you want to try it out, you can just add the yum repo below on your Oracle Linux 7-based system. If you don't have a quick OL7 environment, remember you can sign up for a free account on Oracle Cloud and quickly create an Oracle Linux 7 instance and do exactly the same. There will be very regular updates of this preview kernel going forward so you can remain up to date with our development efforts. The source code is there as well and we are going to push the git repos onto github/oracle soon(ish).

All you have to do is add the following to your /etc/yum.repos.d/public-yum-ol7.repo file:

[ol7_developer_UEKR5]
name=Oracle Linux $releasever UEK5 Development Packages ($basearch)
baseurl=http://yum.oracle.com/repo/OracleLinux/OL7/developer_UEKR5/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

and then upgrade your kernel:

# yum upgrade kernel-uek
reboot

and you are all set. If you want the latest dtrace along with it, it's in the same repo, you can just do

# yum install dtrace-utils

Do a dtrace -l and you can see there are over 5000 probes now!


oci-utils (oracle cloud infrastructure) for Oracle Linux package

We recently added another little utilities RPM for Oracle Linux 7 to our collection: oci-utils is an Oracle Linux RPM that contains a set of scripts to make managing an OCI instance easier, from within the instance. The current version provides tools that help with managing block volumes (attach, remove, automatic discovery), secondary vnic configuration, a script to query the public IP of an instance and a script that lets you query instance metadata key/value pairs without having to parse or read json.

# yum install oci-utils

Package content:

Binaries:
/usr/bin/oci-iscsi-config
/usr/bin/oci-metadata
/usr/bin/oci-network-config
/usr/bin/oci-public-ip

System service:
/etc/systemd/ocid.service
/usr/libexec/ocid

MAN pages:
oci-iscsi-config(1)
oci-metadata(1)
oci-network-config(1)
oci-public-ip(1)
ocid(8)

Ideally you start the ocid service; it will monitor for any changes in block devices or vnics being attached or removed. Today, when you add a block device, you have to run a number of iscsiadm commands to actually discover it and attach it to your instance. When ocid is running, it will, on a regular basis, probe to see if these devices have been created through the OCI web console, CLI or SDK. It will then automatically discover them for you.

oci-iscsi-config is a simple wrapper around iscsiadm that provides you with a single command to list and attach/detach devices without having to know the iscsiadm command syntax. For example:

# oci-iscsi-config -s
For full functionality of this utility the ocid service must be running
The administrator can start it using this command:
sudo systemctl start ocid.service
ocid already running.
Currently attached iSCSI devices:
Target iqn.2015-02.oracle.boot:uefi
Persistent portal: 169.254.0.2:3260
Current portal: 169.254.0.2:3260
State: running
Attached device: sda
Size: 46.6G
Partitions:
Device Size Filesystem Mountpoint
sda1 544M vfat /boot/efi
sda2 8G swap [SWAP]
sda3 38G xfs /

<attach a 50G block volume in the OCI web console>

# oci-iscsi-config -s
Currently attached iSCSI devices:
Target iqn.2015-12.com.oracleiaas:31b78e27-0c73-43ff-98b9-0ced1722a08c
Persistent portal: 169.254.2.2:3260
Current portal: 169.254.2.2:3260
State: running
Attached device: sdb
Size: 50G
File system type: Unknown
Mountpoint: Not mounted
Target iqn.2015-02.oracle.boot:uefi
Persistent portal: 169.254.0.2:3260
Current portal: 169.254.0.2:3260
State: running
Attached device: sda
Size: 46.6G
Partitions:
Device Size Filesystem Mountpoint
sda1 544M vfat /boot/efi
sda2 8G swap [SWAP]
sda3 38G xfs /

You can see /dev/sdb now show up after a few seconds, without having to run any commands.

oci-network-config is similar:

# oci-network-config -s
CONFIG ADDR SPREFIX SBITS VIRTRT NS IND IFACE VLTAG VLAN STATE MAC VNIC
- 10.0.0.2 10.0.0.0 24 10.0.0.1 - 0 ens3 - - UP 02:00:17:01:ed:6b ocid1.vnic.oc1.iad.abuwcljs4ik52qrq7itbb32rwajjqddt7utla64t47fkkq7tebw5gknt5csa

<add a secondary interface>

# oci-network-config -s
CONFIG ADDR SPREFIX SBITS VIRTRT NS IND IFACE VLTAG VLAN STATE MAC VNIC
- 10.0.0.2 10.0.0.0 24 10.0.0.1 - 0 ens3 - - UP 02:00:17:01:ed:6b ocid1.vnic.oc1.iad.abuwcljs4ik52qrq7itbb32rwajjqddt7utla64t47fkkq7tebw5gknt5csa
ADD 10.0.0.3 10.0.0.0 24 10.0.0.1 - 1 ens4 - - UP 02:00:17:01:eb:53 ocid1.vnic.oc1.iad.abuwcljsxek2mqaotafcohdmvghzrzx3jiiwq3zo45fh65dvlkpinndfjvma

oci-public-ip just contacts an internet facing server to return the public IP of your instance.

# oci-public-ip
Public IP address: 129.213.44.98

oci-metadata lets you pretty-print the instance metadata and query for a given key:

# oci-metadata -g region
Instance details:
Region: iad (Ashburn, VA, USA)

# oci-metadata -g state
Instance details:
Instance state: Running

An updated version in the near future will also use the SDK (if installed along with your pem key) to go and create a block device and attach it from within your instance and/or create a secondary vnic and automatically create and attach it. One roadmap item is the ability to use dynamic groups and principals to allow an instance with the right privileges to do the block volume create/secondary vnic create without a pem key. Give it a try.


Using a BareMetal GPU shape in Oracle Cloud Infrastructure with Oracle Linux 7 and TensorFlow

A lot of developers are using TensorFlow for Machine Learning these days. In Oracle Cloud Infrastructure we provide some great GPU options. One of them is the BM.GPU2.2 shape, which is an X7-based GPU system (contains 2 P100 Nvidia GPUs). When you create an OCI instance using this shape with Oracle Linux 7, it comes pre-installed with the kernel modules to enable the GPUs. Ready to use.

Getting TensorFlow installed is very easy. Install some prerequisite RPMs; some come from the EPEL yum repo which we provide as part of Oracle Linux and is enabled by default in your yum.repos file.

# sudo yum -y install python-pip python-devel atlas atlas-devel gcc-gfortran openssl-devel libffi-devel
# sudo pip install --upgrade virtualenv
# virtualenv --system-site-packages ~/venvs/tensorflow
# source ~/venvs/tensorflow/bin/activate

Now you can install TensorFlow using pip. Use tensorflow-gpu if you want the GPU enabled version, otherwise just use tensorflow.

(tensorflow) # pip install --upgrade tensorflow-gpu
or
(tensorflow) # pip install --upgrade tensorflow

To use tensorflow-gpu you have to install the Nvidia CUDA packages. This version of tensorflow depends on version 9.0.

(tensorflow) # sudo yum -y install cuda-9-0

Run a TF example:

(tensorflow) # pip install pandas
(tensorflow) # sudo yum -y install git
(tensorflow) # mkdir git
(tensorflow) # cd git
(tensorflow) # git clone https://github.com/tensorflow/models
(tensorflow) # cd models/samples/core/get_started/
(tensorflow) # python premade_estimator.py

And that's it. Super easy without any manual downloads.


RPMs for VirtualBox guest addition drivers for Oracle Linux now available

This has been a long time coming... but finally... for those that don't regularly check our 'What's new' page on yum.oracle.com... We started building the kernel modules and guest additions for VirtualBox guests for Oracle Linux 6 and 7 (UEK4):

Packages Released on Fri Dec 22 2017
VirtualBox-5.2-5.2.4_119785_el7-1 - Oracle VM VirtualBox (Update)
vboxguest-tools-5.2.4-1.el7 - VirtualBox guest utilities (New)
kmod-vboxguest-uek4-5.2.4-1.el7 - vboxguest kernel modules (New)
VirtualBox-5.2-5.2.4_119785_el6-1 - Oracle VM VirtualBox (Update)
vboxguest-tools-5.2.4-1.el6 - VirtualBox guest utilities (New)
kmod-vboxguest-uek4-5.2.4-1.el6 - vboxguest kernel modules (New)

The main reason for doing this is to make it easy to have a guest with the additions installed. No need to install gcc and kernel-devel etc... it makes the image smaller, and even if you remove gcc etc. afterwards you have to compact the filesystem again and so on. Anyway... I hope people like this. I think it's pretty cool and I will use it a lot when building VirtualBox guest images.

On a side note, on my previous blog post about yum in OCI... someone asked if we plan to do https as well as http. Yes, we plan to do that; it's being worked on.


New packages added to Oracle Linux (OCI SDK/CLI, more EPEL packages, GlusterFS server, Terraform,...

For the folks that don't check our awesomely cool what's new page :-) on yum.oracle.com, here's a bit of a summary of some of the cool packages we just added in the last week or 2:

- latest version of terraform (0.11.1-1) and soon a new terraform-provider-oci
- VirtualBox-5.2-5.2.2 updates in the developer repo so you can just yum install it instead of downloading it manually
- a TON, and I mean a TON more packages in our EPEL clone (again, no forking or modifying; we just want to make sure it comes from the same place and is signed by us and built by us, and we also clone our yum repo inside Oracle Cloud so customers don't get charged for network bandwidth when they download packages for the OS. By having our EPEL clone it counts for all those packages as well of course). Last time I checked we had about 7500 RPMs in the EPEL repo.
- the latest tagged version of the OCI python SDK and CLI (1.3.11 and 2.4.13) - we had a bit of a delay in the past but that's resolved and we're caught up
- GlusterFS server is now in the developer repository for both OL6 and OL7
- we now have an em agent 13cr2 preinstall rpm for OL7 (in add ons) to make it easy to install em agent
- UEK4 update 6 was released yesterday.

More stuff coming soon...


Wim Coekaerts

Installing Visual Studio Code on Oracle Linux 7

Visual Studio Code is a popular editor. There is an RPM available for "el7" from the Microsoft yum repo. This RPM can be manually downloaded on Oracle Linux 7 and installed with # yum localinstall code... or # rpm -ivh code... but it's easier to just create a yum repo file so that you can just do # yum install code and # yum update code. Here's an example.

On Oracle Linux 7 (not 6), as user root:

# cd /etc/yum.repos.d

Create a file, let's say vscode.repo, with the following content:

[vscode]
name=vscode
baseurl=https://packages.microsoft.com/yumrepos/vscode/
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc

and now you can just do

# yum install code
Loaded plugins: langpacks, ulninfo
vscode                                                   | 2.9 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package code.x86_64 0:1.18.1-1510857496.el7 will be installed
y
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch           Version                       Repository      Size
================================================================================
Installing:
 code         x86_64         1.18.1-1510857496.el7         vscode          63 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 63 M
Installed size: 186 M
Is this ok [y/d/N]:
Downloading packages:
code-1.18.1-1510857496.el7.x86_64.rpm                      |  63 MB   00:41
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : code-1.18.1-1510857496.el7.x86_64                            1/1
  Verifying  : code-1.18.1-1510857496.el7.x86_64                            1/1

Installed:
  code.x86_64 0:1.18.1-1510857496.el7

Complete!

That's it.
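Both repo stanzas on this page (the ol7_developer_UEKR5 stanza in the UEK5 preview post and the vscode.repo file above) depend on gpgcheck=1 for package integrity, and the UEK5 one fetches packages over plain http. The script below is an added example, not part of yum, oci-utils or any Oracle tooling: it parses .repo stanzas with the standard-library configparser and reports any stanza with gpgcheck off, no gpgkey, or packages/keys fetched over plain http; the two stanzas are embedded as constructed input copied from the posts.

```python
"""Audit yum .repo stanzas for the settings that decide whether a package
can be trusted: gpgcheck, a gpgkey source, and transport of packages/keys.
Added example; not part of yum, oci-utils or Oracle Linux."""
import configparser
import sys

# Constructed input: the two repo stanzas quoted in the posts, verbatim.
OL7_UEKR5_REPO = """\
[ol7_developer_UEKR5]
name=Oracle Linux $releasever UEK5 Development Packages ($basearch)
baseurl=http://yum.oracle.com/repo/OracleLinux/OL7/developer_UEKR5/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1
"""

VSCODE_REPO = """\
[vscode]
name=vscode
baseurl=https://packages.microsoft.com/yumrepos/vscode/
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc
"""

# Spellings yum accepts as "on" for boolean options such as gpgcheck.
_TRUE = {"1", "true", "yes", "on"}


def audit_repo_text(text):
    """Parse .repo content and return {repo_id: [finding, ...]}.

    An empty finding list means the stanza passed every check made here.
    """
    # interpolation=None: yum variables such as $basearch must stay literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for repo_id in cp.sections():
        opts = cp[repo_id]
        findings = []
        if opts.get("gpgcheck", "0").strip().lower() not in _TRUE:
            findings.append("gpgcheck is off: unsigned packages would install")
        baseurl = opts.get("baseurl", "").strip()
        gpgkey = opts.get("gpgkey", "").strip()
        if not baseurl and not (opts.get("mirrorlist") or opts.get("metalink")):
            findings.append("no baseurl/mirrorlist/metalink")
        elif baseurl.startswith("http://"):
            findings.append("baseurl is plain http: integrity rests on gpgcheck alone")
        if not gpgkey:
            findings.append("no gpgkey: yum can only verify against keys already imported")
        elif gpgkey.startswith("http://"):
            findings.append("gpgkey fetched over plain http: key could be swapped in transit")
        report[repo_id] = findings
    return report


def audit_repo_file(path):
    """Convenience wrapper for a real file, e.g. /etc/yum.repos.d/vscode.repo."""
    with open(path, encoding="utf-8") as fh:
        return audit_repo_text(fh.read())


def main(argv):
    # Audit the two embedded stanzas, then any .repo files given on the command line.
    sources = [("<ol7_developer_UEKR5 stanza>", OL7_UEKR5_REPO), ("<vscode.repo>", VSCODE_REPO)]
    for path in argv[1:]:
        with open(path, encoding="utf-8") as fh:
            sources.append((path, fh.read()))
    for label, text in sources:
        for repo_id, findings in audit_repo_text(text).items():
            status = "OK" if not findings else "; ".join(findings)
            print(f"{label} [{repo_id}]: {status}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with one or more paths under /etc/yum.repos.d to audit a live system; the vscode stanza passes cleanly, the UEK5 stanza is flagged only for its plain-http baseurl.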


ARM, YUM, Cloud, containers,...

It's been a while since my last post so a lot of stuff has been going on! This one will be a random collection of things that I want to point out. I will have to use a lot of tags to keep search engines happy here :-) Where to start...

Preview release: Oracle Linux 7 for ARM64 (aarch64)

Given the growing interest in ARM64, we created a publicly available, free download, no registration keys, no access codes, no authentication codes version of OL7 for ARM64. You can go download it here: http://www.oracle.com/technetwork/server-storage/linux/downloads/oracle-linux-arm-4072846.html

We have an ISO you can install on a few available ARM64 servers; more servers will be tested and added over time (see release notes), and we also created a little runtime image for the RPI3. That way you can easily try it out in minutes on a cheap, readily available platform. Tons of RPMs have been built and are on http://yum.oracle.com (specifically: http://yum.oracle.com/repo/OracleLinux/OL7/latest/aarch64/index.html ). We currently use a 4.13 kernel but that will soon move to 4.14 (basis for the next version of UEK).

One of the reasons we do a preview release right now and not GA is because it's still a fast moving target. Lots of kernel changes coming, we're looking at providing the latest toolchain, gcc7, creating a good public developer program around Oracle Linux for ARM64, and the introduction of new platforms over the next several months that might require adding new drivers, compiling the binaries with better optimizations etc... so right now I would not want to call this Generally Available. It's certainly in a good state for developers to start using and get their feet wet, and for partners that are interested in ARM to start porting apps and work with us as we improve performance and build out the developer ecosystem. It's certainly an exciting development.

We're working on all the usual things: ksplice, dtrace, lots of server side enhancements that are still missing, testing of kvm, seeing if we can build even the kernel with gcc7.2, picking the right chip to target for optimizations...

New packages for Oracle Linux

Over the last several months we started adding a ton of new RPMs on yum to make it easier for admins and developers that want newer stuff that's just not typically available directly from the Enterprise Linux vendor side. We track the latest versions of terraform (and the OCI-provider for terraform), we released dotnet2.0, powershell updates, over 1000 RPMs added from the EPEL repository, docker 17.06. We packaged the OCI SDK and CLI into RPMs to make it easy (no need to run pip install). For the nitpickers - as I mentioned previously, we are just replicating EPEL, we are not 'forking' it, we are not modifying source; the intent is to have it available from the same 'location', signed by us, built by us, tested together in terms of dependencies. It's still EPEL. If we were to find bugs or whatever we'd get that fixed on the EPEL source side. No other intent... just to re-iterate that.

"What's new" on yum

Since we do a lot of package updates on yum.oracle.com, we added a what's new page. It lists new RPMs that are published every day and we keep 6 months of history. This way you can easily see if something got updated without having to run yum commands on a server.

Kernel Blog

In order to be more public about the type of development projects we have going on, we are finally back to writing regular articles about various kernel projects. You can find that here. It's a random collection of things developers will write up, stuff they worked on in the past or something like that. It gives a bit more context than just seeing commit messages. We started this way back when, then it went dormant but we picked it up again. Some good stuff can be found there.

Linux NFS appliance image for Oracle Cloud Infrastructure

Regular updates continue on our Linux NFS appliance image that can be found here. An easy way to create a Linux-based NFS server in your own tenancy. It's not an NFS service, it's just a standard Oracle Linux image that creates an NFS server setup.

Oracle Container Registry

A reminder that we have replicas of the Oracle Container registry in each of the Oracle Cloud Infrastructure regions for fast, internal to the region access to our docker images.

container-registry-ash.oracle.com (Ashburn datacenter)
container-registry-phx.oracle.com (Phoenix datacenter)
container-registry-fra.oracle.com (Frankfurt datacenter)

These registries are also externally accessible so you can use them from wherever you are. Pick the one that's fastest for you. We will introduce yum replicas soon as well.

Oracle Container Registry mirrors in Oracle Cloud Infrastructure

Just in time for Oracle OpenWorld 2017! For quite some time now, we have had a Container Registry available for users with an Oracle Single Sign-On account. This registry contains a large number of Docker images to make it really easy to get started with Oracle products such as the Oracle Database, MySQL, Oracle Linux, Java, WebLogic etc. No need to create or register a new account: many of you already have an Oracle SSO account for use with OTN, My Oracle Support or Oracle Software Delivery Cloud.

The first time, you have to log in to the website hosted at http://container-registry.oracle.com (use your SSO account) and accept the licenses for the products you want to download/pull with the Docker client. Once you have accepted the licenses, unless a license changes, or you want to access a product for which you have not yet accepted the license, you do not have to log in to the website any more. From here on, you can use

    docker pull container-registry.oracle.com/<repository>/<product>

to pull down the images you are interested in.

Well, the above is not new, really, but I wanted to give a very quick overview of what we have on our container registry. What IS new: lots of our customers are using Oracle Cloud Infrastructure and there is a big interest in using Docker images for new projects. Since we want our customers/developers to have the best experience, we created / will create local mirrors of the central Container Registry in each OCI region. As of right now, the Ashburn and Phoenix OCI region mirrors are online; Frankfurt will follow shortly.

Why does this help? Well, first of all, performance. A few examples: timing a pull (and extract) of an Oracle Linux 7-slim image is just over 3 seconds, MySQL Community Server 8 seconds, Oracle Database Standard or Enterprise Edition 3 minutes (fully downloaded and extracted in your local OCI instance).

And secondly, all network traffic stays within the Oracle datacenters, so you are not consuming Internet bandwidth. The process remains the same: the main website to accept licenses is still http://container-registry.oracle.com. When you use docker on the command line in your instance, use either container-registry-phx.oracle.com or container-registry-ash.oracle.com. In the near future we will enable container-registry-fra.oracle.com.

First you have to log in on the command line:

    # docker login container-registry-ash.oracle.com
    Username: wim.coekaerts@oracle.com
    Password:
    Login Succeeded

Next you can pull one of the many images:

    # docker pull container-registry-ash.oracle.com/os/oraclelinux:7-slim
    7-slim: Pulling from os/oraclelinux
    d9ca67fed2e2: Pull complete
    Digest: sha256:2c4be3230da36933e1e9961909ed40c7fc3cc36107f86c2ed6c1775ea1c884fc
    Status: Downloaded newer image for container-registry-ash.oracle.com/os/oraclelinux:7-slim

These registries are also accessible from outside of the OCI regions over the internet, so if you experience slow access to container-registry.oracle.com, try one of these new ones. We have a number of product categories available. You can find all the details on how to use them, and which tags (versions of images such as 7.1, 7.4, latest, ...) are available, on the registry website.

We are working on providing a mirror for http://yum.oracle.com inside OCI as well. Stay tuned for more Oracle Linux goodies in Oracle Cloud Infrastructure.

Quickly create a high performance NFS server in Oracle Cloud Infrastructure using Oracle Linux

To make it easy for customers that rely heavily on an NFS server for their on-premises applications, we created an Oracle Linux Storage Appliance image for Oracle Cloud Infrastructure. There are times where you want to be able to provide a really fast shared filesystem to multiple instances, e.g. a shared 'Oracle Home' or, in the applications world, a shared APPLTOP. It is really easy to set up a Linux NFS server, but we decided to go beyond DIY and created one for you.

The Linux Storage Appliance image available in Oracle Cloud Infrastructure uses Oracle Linux 7 on your choice of either a BM Dense IO (28.8TB NVMe/512G) node or a BM High IO (12.8TB NVMe/512G) node. When you deploy the LSA image, at first boot it automatically detects the NVMe volumes, creates a big RAID with filesystems on top, and starts a simple webserver that lets you create new shares, see log files, see the status of the server, etc. We have a roadmap of items that we are working on, such as auto-restart, backup to object storage, iSCSI volume support as an alternative to NVMe to create smaller setups, etc.

The Linux Storage Appliance image is provided for everyone to use; it runs within your own tenancy and with your own resource quota for the servers it is deployed on. You can find more details here. Here are a few screenshots to give you an idea:

Running Oracle Linux 5 applications in Oracle Cloud Infrastructure using lxc.

Oracle Cloud Infrastructure bare-metal servers and virtual machines require an EFI-capable OS, and as such we offer Oracle Linux 6 and Oracle Linux 7 images for customers to deploy their instances. Most applications are certified and supported with these OS versions; however, in some rare cases a customer has an older application that requires something like Oracle Linux 4 or 5. While we currently cannot run these versions as native instances, it is possible to run Linux Containers on Oracle Linux with an OL4 or OL5 environment.

We have, for many years, supported lxc (https://blogs.oracle.com/wim/oracle-linux-containers) with Oracle Linux. lxc is great for system containers, if you want to call it that: an entire OS environment (basically "start /bin/init"), whereas docker is more of an application container: start your app. Sure, you can run /bin/init as your 'app', but lxc is a bit more tuned towards this model, I think. The generic lxc documentation can be found here. lxc is fully supported on Oracle Linux 6 and Oracle Linux 7, and Oracle Linux 5 is fully supported as a container OS on top. So for customers that have a need to run older applications on older versions of Linux in OCI, this is a great option.

To get started with lxc in Oracle Cloud Infrastructure, you first need to create a bare-metal server or VM instance using Oracle Linux 7 as the OS image, create your virtual cloud network, create a block volume, attach the block volume, etc. I will assume that you are familiar with these steps. I make one additional assumption around VNICs. The easiest way to set up the networking is by allocating a separate secondary VNIC for each container and passing this VNIC into the container. A quick tutorial is here.

In summary:

- Create a compartment, virtual cloud network and subnet
- Create an instance (BM or VM)
- Create and attach a block volume that will host the containers
- Create a number of VNICs (1 per container)
- Install lxc
- Create and mount a filesystem on the block volume that holds the containers
- Create a container

To install lxc, simply use yum on your Oracle Linux instance:

    # yum install lxc
    ...
    Dependencies Resolved
    ================================================================================
     Package         Arch          Version                  Repository         Size
    ================================================================================
    Updating:
     lxc             x86_64        1.1.5-2.0.9.el7          ol7_latest        231 k
    Updating for dependencies:
     lxc-libs        x86_64        1.1.5-2.0.9.el7          ol7_latest        219 k
    Transaction Summary
    ================================================================================
    Upgrade  1 Package (+1 Dependent package)
    Total download size: 450 k
    Is this ok [y/d/N]:

Make sure you use the latest version of lxc (1.1.5-2.0.9 or newer).

I suggest using btrfs as the container filesystem. Assuming you created a block volume, it should show up as /dev/sdb:

    $ cat /proc/partitions
    major minor  #blocks  name
       8        0   48838656 sda
       8        1     556988 sda1
       8        2    8420348 sda2
       8        3   39808260 sda3
       8       16  134217728 sdb

Create a partition using fdisk; simply create 1 partition that uses the entire volume:

    $ fdisk /dev/sdb

Enter n (new partition), p (primary partition), 1 (first partition on new volume) and hit enter twice if you want to use the entire Block Volume. Enter w to write the partition table out to disk.

This should now show up:

    $ cat /proc/partitions
    major minor  #blocks  name
       8        0   48838656 sda
       8        1     556988 sda1
       8        2    8420348 sda2
       8        3   39808260 sda3
       8       16  134217728 sdb
       8       17  134216704 sdb1

Next, create your btrfs volume and mount it under /container. Note that the fstab entry is appended with >>; a single > would replace your existing /etc/fstab:

    $ mkfs.btrfs /dev/sdb1
    $ echo "/dev/sdb1 /container btrfs defaults,noatime,_netdev 0 2" >> /etc/fstab
    $ mount -a

The installation of lxc already created the /container directory on your server.

Next up, configure your secondary VNICs using the scripts referenced here. It is slightly different in a VM instance versus a BM instance.

Create your first lxc container. The syntax is as follows:

    lxc-create -n <container name> -t <template> -- -R <release>

- Specify a container name that you want to use, for instance "ol5".
- To create Oracle Linux containers, use the "oracle" template.
- Release specifies which release of the container OS you want to use. We are creating an Oracle Linux 5 container, so we use -R 5.latest.
- For Oracle Linux 4, 6 or 7, use the same "oracle" template and change <release> to 4.latest, 6.latest or 7.latest.

    $ lxc-create -n ol5 -t oracle -- -R 5.latest
    Host is OracleServer 7.3
    Create configuration file /container/ol5/config
    Yum installing release 5.latest for x86_64
    ...
    Added container user:oracle password:oracle
    Added container user:root password:root
    Container : /container/ol5/rootfs
    Config    : /container/ol5/config
    Network   : eth0 (veth) on lxcbr0

There is an additional configuration step required: the network configuration of the newly created container needs to be modified.

Modify the container configuration file:

    $ vi /container/ol5/config

Change the following lines:

    lxc.network.type = veth
    lxc.network.link = lxcbr0
    lxc.network.hwaddr = 00:16:3e:xx:xx:xx    <- where xx:xx:xx has assigned values

to:

    lxc.network.type = phys
    lxc.network.link = ens2f0.vlan.1    (or ens4, or whatever the secondary VNIC interface created earlier was called)

and comment out or remove the lxc.network.hwaddr line:

    #lxc.network.hwaddr =

It is important to comment out the hwaddr line because we want to use the MAC address of the interface created by the scripts. veth gets changed to phys because we are effectively passing the network interface directly through to the container.

Start the container:

    $ lxc-start -n ol5

Connect to the console:

    $ lxc-console -n ol5

The default root password is root. Please modify this after creating your container. To exit the console, type ctrl-a q.

Configure the network inside the container. To find the IP configuration for your VNICs from inside your instance, you can view this URL:

    $ wget http://169.254.169.254/opc/v1/vnics/

Manually:

    $ ifconfig eth0 10.0.2.3 netmask 255.255.255.0
    $ route add default gw 10.0.2.1

Or configure the network at start time by creating a new ifcfg script, /etc/sysconfig/network-scripts/ifcfg-eth0, for example:

    DEVICE="eth0"
    BOOTPROTO=none
    ONBOOT=yes
    TYPE="Ethernet"
    IPADDR=10.0.2.3
    PREFIX=24
    GATEWAY=10.0.2.1
    DEFROUTE=yes

To see which lxc containers are actively running, type:

    $ lxc-ls --active

This container would be a supported Oracle Linux 5 environment running on Oracle Linux 7.

NOTE: Oracle Linux 5 has entered extended support. See here. Keep in mind that for Oracle Cloud subscription customers, Extended Support is included with your subscription without any additional cost/fees.
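The config edit above, as an added example that is not part of the original post or of lxc itself: a small C tool that applies exactly that rewrite (veth to phys, the lxcbr0 bridge replaced by the VNIC's interface name, the hwaddr line commented out) and refuses to emit a partial result rather than a half-edited config. The interface name ens4 used in the usage comment is an assumption; the real name comes from the VNIC scripts.

```c
#include <stdio.h>
#include <string.h>

/*
 * Rewrite an lxc container config so the container takes over a secondary
 * VNIC directly, the manual edit described above:
 *   lxc.network.type = veth     -> lxc.network.type = phys
 *   lxc.network.link = lxcbr0   -> lxc.network.link = <iface>
 *   lxc.network.hwaddr = ...    -> #lxc.network.hwaddr = ...  (commented out
 *                                  so the VNIC keeps its own MAC address)
 * Every other line is copied through unchanged.  Returns the number of lines
 * rewritten, or -1 if a line is too long or the output buffer is too small,
 * in which case the output must not be used.
 */

/* True if line starts with key, optional blanks, then '='. */
static int is_key(const char *line, const char *key)
{
    size_t n = strlen(key);
    if (strncmp(line, key, n) != 0)
        return 0;
    line += n;
    while (*line == ' ' || *line == '\t')
        line++;
    return *line == '=';
}

/* Append s (plus its NUL) to out without overflowing outlen. */
static int append(char *out, size_t outlen, size_t *used, const char *s)
{
    size_t n = strlen(s);
    if (*used + n + 1 > outlen)
        return -1;
    memcpy(out + *used, s, n + 1);
    *used += n;
    return 0;
}

int rewrite_lxc_config(const char *in, const char *iface, char *out, size_t outlen)
{
    char line[512], repl[600];
    size_t used = 0;
    int changed = 0;

    if (outlen == 0 || strlen(iface) > 64)  /* kernel IFNAMSIZ is 16; 64 is generous */
        return -1;
    out[0] = '\0';
    while (*in) {
        const char *nl = strchr(in, '\n');
        size_t len = nl ? (size_t)(nl - in) : strlen(in);
        const char *emit = line;

        if (len >= sizeof line)
            return -1;
        memcpy(line, in, len);
        line[len] = '\0';
        in += len + (nl ? 1 : 0);

        if (is_key(line, "lxc.network.type")) {
            snprintf(repl, sizeof repl, "lxc.network.type = phys");
            emit = repl;
            changed++;
        } else if (is_key(line, "lxc.network.link")) {
            snprintf(repl, sizeof repl, "lxc.network.link = %s", iface);
            emit = repl;
            changed++;
        } else if (is_key(line, "lxc.network.hwaddr")) {
            snprintf(repl, sizeof repl, "#%s", line);   /* keep the old value visible */
            emit = repl;
            changed++;
        }
        if (append(out, outlen, &used, emit) < 0 || append(out, outlen, &used, "\n") < 0)
            return -1;
    }
    return changed;
}

/* Stand-alone use (ens4 assumed): ./rewrite /container/ol5/config ens4 > config.new */
int main(int argc, char **argv)
{
    static char in[65536], out[65536];
    FILE *f;
    size_t n;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <lxc config> <vnic interface>\n", argv[0]);
        return 2;
    }
    if (!(f = fopen(argv[1], "r"))) {
        perror(argv[1]);
        return 1;
    }
    n = fread(in, 1, sizeof in - 1, f);
    fclose(f);
    in[n] = '\0';
    if (rewrite_lxc_config(in, argv[2], out, sizeof out) < 0) {
        fprintf(stderr, "%s: line too long or config too large\n", argv[1]);
        return 1;
    }
    fputs(out, stdout);
    return 0;
}
```

Review the generated file before replacing /container/ol5/config; the tool writes to stdout precisely so the original stays untouched until you are satisfied.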

More packages for Oracle Linux to make life easier.

A lot of development work we do for Oracle Linux is focused around Oracle Cloud: work with the infrastructure team to provide the best OS for them, work on new features that can help in various areas (NVMe, kvm, GPU, security, containers...) and so on. But we also put a lot of effort into making Oracle Linux run extremely well for customers on Oracle Cloud: pre-built images which we try to make as efficient as possible and configured out of the box to just work seamlessly. For instance, a few weeks ago we added the Oracle Ksplice package to the base image and pre-configured it so that Ksplice works without any additional steps. Want to use it? Just type uptrack-upgrade. The latest kernel version is typically installed, with the latest fixes for drivers. Anything that every customer would have to do themselves, we try to pre-emptively take care of.

Another aspect of running Oracle Linux in Oracle Cloud is providing the right packages and making it easy to get to them. We are working on a mirror of yum.oracle.com and the Oracle Container Registry inside the Oracle Cloud regions for super high-speed access to packages without having to go outside of the datacenters. And we are building packages that are not part of the base Oracle Linux but are certainly very useful and frequently asked for by customers. For instance, we released RPMs for Terraform with the Oracle Bare Metal cloud provider so that you don't have to manually download binaries, but can just use a local pre-configured yum repo. We also released fluentd and collectd packages, here and here. Oracle Managed Cloud works with collectd, for instance, for its data collection to do analytics. While customers or developers can certainly go and download these packages elsewhere, it would require extra steps. We're just doing it to ensure that they're all in the same place.

They're mirrored inside the datacenters, they're signed by our key, they come with preconfigured yum .repo files, and all the dependencies have been verified to ensure we don't break anything when they are published. Of course all the source code is also available in the usual place. As we get more requests to add more packages, these _developer, _preview and _developer_epel channels will get more content. The biggest focus area here will be developers, container services and providing all the packages to easily get going. And remember, all this is included with every instance of Oracle Linux you run in Oracle Cloud, no additional charges. Oracle Ksplice, full support, everything we have is out of the box, included.

Oracle Ksplice for Oracle Linux in Bare Metal Cloud Services

A few weeks ago I wrote a blog post that talked about setting up Oracle Ksplice in Oracle Cloud (specifically Bare Metal Cloud Services). At the time, the instructions included editing the uptrack.conf file and adding a specific auth key. We have since automated that part as well. For existing instances or newly created instances (any VM.* and BM.* shapes with Oracle Linux) you can simply download a new installation script that takes care of it all for you. As mentioned in the previous post, we are going to include the uptrack tools by default as well in a future image version of Oracle Linux, but that's not completed yet.

The simple steps to follow now:

Connect to your BMCS instance:

    # ssh -l opc <public ip address of your instance>

sudo to root:

    # sudo bash
    # cd

Download the ksplice installation script:

    # wget -N https://www.ksplice.com/uptrack/install-uptrack-oc
    --2017-07-30 17:27:59--  https://www.ksplice.com/uptrack/install-uptrack-oc
    Resolving www.ksplice.com (www.ksplice.com)... 137.254.56.32
    Connecting to www.ksplice.com (www.ksplice.com)|137.254.56.32|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 10154 (9.9K) [text/plain]
    Saving to: ‘install-uptrack-oc’

    100%[======================================>] 10,154      --.-K/s   in 0.06s

    2017-07-30 17:28:00 (179 KB/s) - ‘install-uptrack-oc’ saved [10154/10154]

Run the installation script:

    # sh install-uptrack-oc
    [ Release detected: ol ]
    --2017-07-30 17:30:36--  https://www.ksplice.com/yum/uptrack/ol/ksplice-uptrack-release.noarch.rpm
    Resolving www.ksplice.com (www.ksplice.com)... 137.254.56.32
    Connecting to www.ksplice.com (www.ksplice.com)|137.254.56.32|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 6876 (6.7K) [application/x-rpm]
    Saving to: ‘ksplice-uptrack-release.noarch.rpm’

    100%[======================================>] 6,876       --.-K/s   in 0s

    2017-07-30 17:30:36 (46.5 MB/s) - ‘ksplice-uptrack-release.noarch.rpm’ saved [6876/6876]

    [ Installing Uptrack ]
    warning: ksplice-uptrack-release.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 16c083cd: NOKEY
    Preparing packages...
    ksplice-uptrack-release-1-3.noarch
    Loaded plugins: langpacks, ulninfo
    ksplice-uptrack                                          |  951 B     00:00
    ol7_UEKR4                                                | 1.2 kB     00:00
    ol7_addons                                               | 1.2 kB     00:00
    ol7_latest                                               | 1.4 kB     00:00
    ol7_optional_latest                                      | 1.2 kB     00:00
    (1/7): ol7_UEKR4/x86_64/updateinfo                         |  83 kB   00:00
    (2/7): ol7_latest/x86_64/updateinfo                        | 1.3 MB   00:00
    (3/7): ksplice-uptrack/7Server/x86_64/primary              | 2.0 kB   00:00
    (4/7): ol7_optional_latest/x86_64/primary                  | 4.0 MB   00:00
    (5/7): ol7_optional_latest/x86_64/updateinfo               | 940 kB   00:00
    (6/7): ol7_latest/x86_64/primary                           |  26 MB   00:00
    (7/7): ol7_UEKR4/x86_64/primary                            |  19 MB   00:00
    ksplice-uptrack                                                             7/7
    ol7_UEKR4                                                               396/396
    ol7_latest                                                          19362/19362
    ol7_optional_latest                                                 13397/13397
    Resolving Dependencies
    --> Running transaction check
    ---> Package uptrack.noarch 0:1.2.41-0.el7 will be installed
    --> Processing Dependency: perl(Fatal) for package: uptrack-1.2.41-0.el7.noarch
    --> Processing Dependency: perl-autodie for package: uptrack-1.2.41-0.el7.noarch
    --> Running transaction check
    ---> Package perl-autodie.noarch 0:2.16-2.el7 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package            Arch         Version            Repository             Size
    ================================================================================
    Installing:
     uptrack            noarch       1.2.41-0.el7       ksplice-uptrack       298 k
    Installing for dependencies:
     perl-autodie       noarch       2.16-2.el7         ol7_latest             77 k

    Transaction Summary
    ================================================================================
    Install  1 Package (+1 Dependent package)

    Total download size: 375 k
    Installed size: 996 k
    Downloading packages:
    (1/2): perl-autodie-2.16-2.el7.noarch.rpm                  |  77 kB   00:00
    (2/2): uptrack-1.2.41-0.el7.noarch.rpm                     | 298 kB   00:00
    --------------------------------------------------------------------------------
    Total                                              689 kB/s | 375 kB  00:00
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    Warning: RPMDB altered outside of yum.
      Installing : perl-autodie-2.16-2.el7.noarch                               1/2
      Installing : uptrack-1.2.41-0.el7.noarch                                  2/2
    There are no existing modules on disk that need basename migration.
      Verifying  : perl-autodie-2.16-2.el7.noarch                               1/2
      Verifying  : uptrack-1.2.41-0.el7.noarch                                  2/2

    Installed:
      uptrack.noarch 0:1.2.41-0.el7

    Dependency Installed:
      perl-autodie.noarch 0:2.16-2.el7

    Complete!
    Effective kernel version is 4.1.12-94.3.6.el7uek
    The following steps will be taken:
    Install [nq2lixsa] Improve the interface to freeze tasks.
    Install [4g8860bp] CVE-2017-1000364: Increase stack guard size to 1 MiB.
    Install [iw78w90p] CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.
    Install [5ct5a8wv] CVE-2017-7477: Remote Denial-of-service in 802.1AE implementation.
    Install [5v18x54y] Denial-of-service when bonding multiple IPOIB devices.
    [ Installation Complete! ]
    [ Please run '/usr/sbin/uptrack-upgrade -y' to bring your system up to date ]

To install the available Ksplice patches on your running kernel, just run the uptrack-upgrade tool (as root):

    # uptrack-upgrade
    The following steps will be taken:
    Install [nq2lixsa] Improve the interface to freeze tasks.
    Install [4g8860bp] CVE-2017-1000364: Increase stack guard size to 1 MiB.
    Install [iw78w90p] CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.
    Install [5ct5a8wv] CVE-2017-7477: Remote Denial-of-service in 802.1AE implementation.
    Install [5v18x54y] Denial-of-service when bonding multiple IPOIB devices.
    Go ahead [y/N]? y
    Installing [nq2lixsa] Improve the interface to freeze tasks.
    Installing [4g8860bp] CVE-2017-1000364: Increase stack guard size to 1 MiB.
    Installing [iw78w90p] CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.
    Installing [5ct5a8wv] CVE-2017-7477: Remote Denial-of-service in 802.1AE implementation.
    Installing [5v18x54y] Denial-of-service when bonding multiple IPOIB devices.
    Your kernel is fully up to date.
    Effective kernel version is 4.1.12-94.3.9.el7uek

CVE-2017-1000364

As I am sure many of you have heard/read about CVE-2017-1000364. If not, you can find some information here:

https://blog.qualys.com/tag/cve-2017-1000364
https://nvd.nist.gov/vuln/detail/CVE-2017-1000364
http://www.securityfocus.com/bid/99130

An issue was discovered in the size of the stack guard page on Linux: specifically, a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed). This affects Linux kernel versions 4.11.5 and earlier (the stack guard page was introduced in 2010). This CVE has a very high CVSS score of 9.8.

There are a number of packages released for Oracle Linux to deal with this CVE.

An updated glibc: https://linux.oracle.com/cve/CVE-2017-1000366.html
An updated kernel: https://linux.oracle.com/cve/CVE-2017-1000364.html

A very important additional detail is that we also have an online fix available through Ksplice. So for Oracle Linux users/customers with a support subscription, you can simply run uptrack-upgrade on a running kernel. No reboot required.

    # uptrack-upgrade
    The following steps will be taken:
    Install [8cpcuyra] CVE-2017-1000364: Increase stack guard size to 1 MiB.
    Go ahead [y/N]? y
    Installing [8cpcuyra] CVE-2017-1000364: Increase stack guard size to 1 MiB.
    Your kernel is fully up to date.
    Effective kernel version is 4.1.12-94.3.7.el7uek

Oracle Ksplice on Oracle Linux in Bare Metal Cloud

One of the great advantages of using Oracle Cloud is the fact that it includes full Oracle Linux support. All the services that you get with Oracle Linux Premier Support are included without additional cost when you use Oracle Cloud. Oracle Ksplice is such a service (see http://www.ksplice.com/). In order to use Oracle Ksplice outside of Oracle Cloud, you configure it at install time when registering your Oracle Linux server with ULN (http://linux.oracle.com) and you then use the generated access key to configure the uptrack tools. With Oracle Cloud, both Oracle Public Cloud and Oracle Bare Metal Cloud Services (http://cloud.oracle.com), we have made it very easy. Any instance that runs inside our infrastructure has immediate access to the ksplice servers.

For customers or users with existing Oracle Linux instances in BMCS, you have to do a few simple steps to enable Ksplice. We are in the process of adding the uptrack tools to the image by default so, soon, you won't have to do any configuration at all.

Enable Ksplice today:

Log into your Oracle Linux instance as user opc (or as root):

    # sudo bash

Download the uptrack client:

    # wget -N https://www.ksplice.com/uptrack/install-uptrack

or, if you prefer to use curl:

    # curl -O https://www.ksplice.com/uptrack/install-uptrack

Install the client. Make sure you use this exact key; it will only work inside BMCS and is a generic identifier.

    # sh install-uptrack dfc21b3ced9af52f6a8760c1b1860f928ba240970a3612bb354c84bb0ce5903e --autoinstall

This command unpacks the downloaded script and installs the uptrack utilities (Ksplice client tools). Ignore the connect error; you need the step below.

One more step. In order for the above key to work, you have to point the uptrack tools to a specific update server. Edit /etc/uptrack/uptrack.conf:

    # The location of the Uptrack updates repository.
    update_repo_url=https://oraclecloud-updates-ksplice.oracle.com/update-repository

And that's it.

    # uptrack-upgrade
    Nothing to be done.
    Your kernel is fully up to date.
    Effective kernel version is 4.1.12-94.3.6.el6uek

For instances that are Bring Your Own, we will automate the above steps as well. But at least this gets you going right away.

Wim Coekaerts

Introducing UEK4 and DTrace on Oracle Linux for SPARC

About 2 months ago we released the first version of Oracle Linux 6 Update 7 for SPARC. That was the same version of Oracle Linux used in Exadata SL6. OL6 installed on T4, T5 and T7 systems but it did not yet support the S7 processors/systems. It contained support for the various M7 processor features (DAX, ADI, crypto, ...), gcc optimizations to support better code generation for SPARC, important optimizations in functions like memcpy(), etc. We also introduced support for Linux as the control domain (guest domain worked before). So this was the first time one could use Linux as the control domain with a vdiskserver, vswitch and virtual console driver. For this release we based the kernel on UEK2 (2.6.39).

The development team has been hard at work doing a number of things:

- continue to work with upstream Linux and gcc/glibc/binutils development to submit all the code changes for inclusion. Many SPARC features have already been committed upstream and many are pending/work in progress.
- part of the work is to forward port, so to speak, a lot of the uek2/sparc/exadata features into uek4, alongside upstream/mainline development.
- performance work, both in kernel and userspace (glibc and gcc in particular)

Today, we released an updated version of the ISO image that contains UEK4 QU4 (4.1.12-94.3.2). The main reason for updating the ISO is to introduce support for the S7 processor and S7-based servers. It contains a ton of improvements over UEK2, and we also added support for DTrace.

You can download the latest version of the ISO here: http://www.oracle.com/technetwork/server-storage/linux/downloads/oracle-linux-sparc-3665558.html

The DTrace utilities can be downloaded here: http://www.oracle.com/technetwork/server-storage/linux/downloads/linux-dtrace-2800968.html

As we add more features we will update the kernel, and we will also publish a new version of the software collections for Oracle Linux for SPARC with newer versions of gcc (6.x etc.), so more coming!

We are working on things like gccgo, valgrind, node..., and the yum repo on http://yum.oracle.com/ contains about 5000 RPMs. Download it, play with it, have fun.

Oracle Linux 6 for SPARC

Oracle Linux 6 for SPARC is now available for download from OTN and the release notes can be found here. This version of Oracle Linux 6 uses UEK2 (there is no RHCK here of course, as there is no corresponding release on SPARC) and this OS release can be installed on T4, T5 and T7 (M7, M5) but not yet on the S7 platform.

OL6 for SPARC contains all the packages (binary and -devel) for DAX, ADI (SSM), and an updated version of openssl with support for the on-chip crypto features. We also provide the SPARC LDOM Manager code (both source and binary). With LDOM Manager installed you can run Oracle Linux as a control domain for both Linux and Solaris guests. You can of course also install Linux as a guest domain on top of Solaris. The kernel supports vswitch and vdiskserver etc. A native (Linux only) installation is also supported.

Our yum repo will have the OL6/sparc channels later today. The repo also contains -devel packages and the toolchains for gcc etc. BTW, of course, gcc supports M7 (cpu) optimizations. We have optimized memcpy and tons of other stuff.

Lots of SPARC Linux kernel code is already in upstream Linux, but a bunch of stuff is in the process of going in. The same goes for user space code. glibc and gcc patches have for the most part been submitted upstream and committed; some are pending. A newer ISO with UEK(4) is on its way (we have builds and are testing). This update will also support the S7 systems/chip.

OL6 for SPARC doesn't yet contain -all- the RPMs that are part of Oracle Linux on x86. Right now, it is just a subset; however, we will be expanding it over time. I will blog about some DAX and ADI/SSM samples in a few days :) some ldom control domain tips etc... have fun

Oracle Linux 6 update 9

We just released Oracle Linux 6 update 9. The channels are on ULN and on our yum repo. The ISOs are available for download through MOS and, in the next few days, also on the software delivery cloud page, as customary. The release notes with changes are published and so on.

One thing we discovered during testing of OL6.9 was that a recent change in "upstream" glibc can cause memory corruption, resulting in a database start-up failure every now and then. Since we caught this prior to release, we have, of course, fixed the bug.

The following code change introduced the bug (glibc-rh1012343.patch):

      char newmode[modelen + 2];
    - memcpy (mempcpy (newmode, mode, modelen), "c", 2);
    + memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
      FILE *result = fopen (file, newmode);

As you can see, someone added e to newmode (c to ce) but forgot to increase the size of newmode (2 to 3), so there is no null character at the end.

The correct patch that we have in glibc as part of OL6.9 is:

    - char newmode[modelen + 2];
    - memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
    + char newmode[modelen + 3];
    + memcpy (mempcpy (newmode, mode, modelen), "ce", 3);

The Oracle bug id is 25609196. The patch for this is in the glibc src rpm. The customer symptom would be a failed start of the database because of fopen() failing. Something like this:

    Wed Mar 22 17:19:51 2017
    ORA-00210: cannot open the specified control file
    ORA-00202: control file: '/opt/oracle/oltest/.srchome/single-database/nas/12.1.0.2.0-8192-72G/control_001'
    ORA-27054: NFS file system where the file is created or resides is not mounted with correct options
    Linux-x86_64 Error: 13: Permission denied
    Additional information: 2
    ORA-205 signalled during: ALTER DATABASE MOUNT...
    Shutting down instance (abort)
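The same mode-building step with the size arithmetic the faulty patch skipped, as an added example (this is not the glibc code or Oracle's patch): the helper checks that the buffer can hold mode + suffix + the terminating NUL and refuses the undersized buffer instead of overflowing it, and copies the suffix with its NUL so that growing "c" to "ce" cannot silently drop the terminator again.

```c
#include <stdio.h>
#include <string.h>

/*
 * The glibc change above appends a fixed suffix ("c", later "ce") to the
 * caller's fopen() mode in a stack buffer sized modelen + 2.  The buggy line
 * copies exactly 2 bytes of "ce", so the terminating NUL never lands in the
 * buffer and fopen() keeps reading whatever follows on the stack.
 *
 * build_mode() performs the same copy but validates the size first.
 * Returns 0 on success, -1 (leaving out untouched) when outlen cannot hold
 * mode + suffix + NUL.
 */
int build_mode(const char *mode, const char *suffix, char *out, size_t outlen)
{
    size_t modelen = strlen(mode);
    size_t suflen = strlen(suffix);

    if (outlen < modelen + suflen + 1)       /* the +1 is the NUL the patch forgot */
        return -1;
    memcpy(out, mode, modelen);
    memcpy(out + modelen, suffix, suflen + 1);  /* suflen + 1 copies the NUL too */
    return 0;
}

/* The buffer size the patch should have declared for a given mode and suffix. */
size_t mode_buffer_size(const char *mode, const char *suffix)
{
    return strlen(mode) + strlen(suffix) + 1;
}

/* Stand-alone demonstration with the two buffer sizes from the patch. */
int main(void)
{
    const char *mode = "r";
    size_t modelen = strlen(mode);
    char buggy[modelen + 2];   /* the size from the faulty patch */
    char fixed[modelen + 3];   /* the size from the corrected patch */

    if (build_mode(mode, "ce", buggy, sizeof buggy) < 0)
        printf("modelen + 2 cannot hold \"%sce\" plus its NUL: refused\n", mode);
    if (build_mode(mode, "ce", fixed, sizeof fixed) == 0)
        printf("modelen + 3 holds \"%s\" (%zu bytes needed)\n",
               fixed, mode_buffer_size(mode, "ce"));
    return 0;
}
```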

Oracle Linux and Software Collections make it a great 'current' developer platform

Oracle Linux major releases happen every few years. Oracle Linux 7 is the current version and this was released back in 2014, Oracle Linux 6 is from 2011, etc... When a major release goes out the door, it sort of freezes the various packages at a point in time as well. It locks down which major version of glibc, etc.

Now, that doesn't mean that there won't be anything new added over time. Of course security fixes and critical bugfixes get backported from new versions into these various packages, and a good number of enhancements/features also get backported over the years. Very much so on the kernel side, but in some cases, or in a number of cases, also in the various userspace packages. However, for the most part the focus is on stability and consistency. This is also the case with the different tools and compilers/languages. A concrete example: OL7 provides Python 2.7.5. This base release of Python will not change in OL7 in newer updates; doing a big change would break compatibility etc, so it's kept stable at 2.7.5.

A very important thing to keep reminding people of, however, again, is the fact that CVEs do get backported into these versions. I often hear someone ask if we ship a newer version of, say, openssl, because some CVE or other is fixed in that newer version, but typically that CVE would also be fixed in the versions we ship with OL. There is a difference between openssl the open source project and CVEs fixed 'upstream', and openssl shipped as part of Oracle Linux versions and maintained and bug fixed over time with backports from upstream. We take care of critical bugs and security fixes in the current shipping versions.

Anyway, there are other Linux distributions out there that 'evolve' much more frequently and by doing so, out of the box tend to come with newer versions of libraries and tools and packages, and that makes them very attractive for developers that are not bound to longer term stability and compatibility.

So the developer goes off and installs the latest version of everything and writes their apps using that. That's a fine model in some cases, but when you have enterprise apps that might be deployed for many years and have a dependency on certain versions of scripting languages or libraries or what have you, you can't just replace those with something that's much newer, in particular much newer major versions. I am sure many people will agree that if you have an application written in Python using 2.7.5 and run that in production, you're not going to let the sysadmin or so just go rip that out and replace it with Python 3.5 and assume it all just works and is transparently compatible....

So does that mean we are stuck? No... there is a yum repository called Software Collections Library which we make available to everyone on our freely accessible yum server. That Library gets updated on a regular basis, we are at version 2.3 right now, and it contains newer versions of many popular packages, typically newer compilers, toolkits etc. (such as GCC, Python, PHP, Ruby...): things that developers want to use and are looking for more recent versions of.

The channel is not enabled by default; you have to go in and edit /etc/yum.repos.d/public-yum-ol7.repo and set the ol7_software_collections repo to enabled=1. When you do that, you can then go and install the different versions that are offered. You can just browse the repo using yum or just look online. (Similar channels exist for Oracle Linux 6.) When you go and install these different versions, they get installed in /opt and they won't replace the existing versions. So if you have Python installed by default with OL7 (2.7.5) and install Python 3.5 from the software collections, this new version goes into /opt/rh/rh-python35.

You can then use the scl utility to selectively enable which application uses which version. An example:

scl enable rh-python35 -- bash

One little caveat to keep in mind: if you have an early version of OL7 or OL6 installed, we do not modify the /etc/yum.repos.d/public-yum-ol7.repo file after initial installation (because we might overwrite changes you made), so it is always a good idea to get the latest version from our yum server. (You can find them here.) The channel/repo name might have changed or a new one could have been added or so...

As you can see, Oracle Linux is/can be a very current developer platform. The packages are there, they are just provided in a model that keeps stability and consistency. There is no need to go download upstream package source code, compile it yourself and replace system toolkits/compilers, which can cause incompatibilities.
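Editing the repo file by hand, as described above, is easy to get wrong across many hosts (a stray edit can enable the wrong channel), so here is an added shell example, mine rather than Oracle's tooling, that flips enabled=0 to enabled=1 for a single named section and reads the value back for verification. The repo file it writes is a constructed stand-in for /etc/yum.repos.d/public-yum-ol7.repo with placeholder baseurl values; the section names are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the post: enable one repo section in a yum .repo
# file without touching the others, and read a section's enabled= value
# back so the change can be verified. Runs here on a constructed copy; on a
# real host the file would be /etc/yum.repos.d/public-yum-ol7.repo.

# enable_repo FILE SECTION: rewrite enabled=... to enabled=1 inside [SECTION] only.
enable_repo() {
    repo_file=$1
    section=$2
    tmp="$repo_file.tmp.$$"
    awk -v want="[$section]" '
        /^\[/ { in_section = ($0 == want) }   # a header line starts a new section
        in_section && /^enabled=/ { print "enabled=1"; next }
        { print }
    ' "$repo_file" > "$tmp" && mv "$tmp" "$repo_file"
}

# repo_enabled FILE SECTION: print the enabled= value of [SECTION] (empty if none).
repo_enabled() {
    awk -v want="[$2]" '
        /^\[/ { in_section = ($0 == want) }
        in_section && /^enabled=/ { sub(/^enabled=/, ""); print; exit }
    ' "$1"
}

# Constructed sample in the layout of public-yum-ol7.repo; the baseurl
# values are placeholders, not Oracle's real repository URLs.
write_sample_repo() {
    cat > "$1" <<'EOF'
[ol7_latest]
name=Oracle Linux $releasever Latest ($basearch)
baseurl=https://yum.example.invalid/OL7/latest/$basearch/
gpgcheck=1
enabled=1

[ol7_software_collections]
name=Software Collection Library release 2.3 packages for Oracle Linux 7 ($basearch)
baseurl=https://yum.example.invalid/OL7/SoftwareCollections/$basearch/
gpgcheck=1
enabled=0

[ol7_optional_latest]
name=Oracle Linux $releasever Optional Latest ($basearch)
baseurl=https://yum.example.invalid/OL7/optional/latest/$basearch/
gpgcheck=1
enabled=0
EOF
}

# Stand-alone run: enable the collections repo in a scratch copy and show the result.
demo=$(mktemp -d)
write_sample_repo "$demo/public-yum-ol7.repo"
enable_repo "$demo/public-yum-ol7.repo" ol7_software_collections
echo "ol7_software_collections enabled=$(repo_enabled "$demo/public-yum-ol7.repo" ol7_software_collections)"
rm -rf "$demo"
```

The section match is an exact comparison of the whole header line, so ol7_software_collections cannot accidentally match a longer name, and every other section (including ol7_optional_latest, which stays disabled) is copied through unchanged. After the edit, the scl enable step from the post is unchanged.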

ksplice

As many of you probably know by now, a few days ago there was a report of an old, long-standing Linux bug that got fixed, going back to kernels even down to 2.6.18 and possibly earlier. This bug was recently fixed, see here.

Now, distribution vendors, including us, have released kernel updates that customers/users can download and install, but as always a regular kernel upgrade requires a reboot. We have had ksplice as a service for Oracle Linux support customers for quite a few years now and we also support Ubuntu and Fedora for free for anyone (see here).

One thing that is not often talked about but, I believe, is very powerful and I wanted to point out here, is the following: typically the distribution vendors (including us) will release an update kernel that's the 'latest' version with these CVEs fixed, but many customers run older versions of both the distribution and kernels. We now see some other vendors trying to provide the basics for some online patching, but by and large it's based on one-offs and for specific kernels. A big part of the ksplice service is the backend infrastructure to easily build updates for literally a few thousand kernels. This gives customers great flexibility. You can be on one of many dot-releases of the OS and you can use ksplice. Here is a list of example kernel versions for Oracle Linux that you could be running today and that we provide updates for with ksplice, for instance for this DCCP bug. That's a big difference with what other folks have been trying to mimic now that online patching has become more and more important for availability.

Here is an example kernel:

2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 08:34:17 PDT 2015

So that's a kernel built back in September of 2015, a random 'dot release' I run on one of my machines, and there's a ksplice patch available for these recent CVEs. I don't have to worry about having to install the 'latest' kernel, nor doing a reboot.

# uptrack-upgrade
The following steps will be taken:
Install [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Install [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
Go ahead [y/N]? y
Installing [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Installing [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-642.15.1.el6

And done. That easy. My old 2.6.32-573.7.1 kernel looks like 2.6.32-642.15.1 in terms of critical fixes and CVEs.

# uptrack-show
Installed updates:
[cct5dnbf] Clear garbage data on the kernel stack when handling signals.
[ektd95cj] Reduce usage of reserved percpu memory.
[uuhgbl3e] Remote denial-of-service in Brocade Ethernet driver.
[kg3f16ii] CVE-2015-7872: Denial-of-service when garbage collecting uninstantiated keyring.
[36ng2h1l] CVE-2015-7613: Privilege escalation in IPC object initialization.
[33jwvtbb] CVE-2015-5307: KVM host denial-of-service in alignment check.
[38gzh9gl] CVE-2015-8104: KVM host denial-of-service in debug exception.
[6wvrdj93] CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.
[1l4i9dfh] CVE-2016-0774: Information leak in the pipe system call on failed atomic read.
[xu4auj49] CVE-2015-5157: Disable modification of LDT by userspace processes.
[554ck5nl] CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.
[adgeye5p] CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.
[5ojkw9lv] CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.
[gfr93o7j] CVE-2015-8324: NULL pointer dereference in ext4 on mount error.
[ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
[87lw5yyy] CVE-2015-8215: Remote denial-of-service of network traffic when changing the MTU.
[2bby9cuy] CVE-2010-5313, CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.
[orjsp65y] CVE-2015-5156: Denial-of-service in Virtio network device.
[5j4hp0ot] Device Mapper logic error when reloading the block multi-queue.
[a1e5kxp6] CVE-2016-4565: Privilege escalation in Infiniband ioctl.
[gfpg64bh] CVE-2016-5696: Session hijacking in TCP connections.
[b4ljcwin] Message corruption in pseudo terminal output.
[prijjgt5] CVE-2016-4470: Denial-of-service in the keyring subsystem.
[4y2f30ch] CVE-2016-5829: Memory corruption in unknown USB HID devices.
[j1mivn4f] Denial-of-service when resetting a Fibre Channel over Ethernet interface.
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[97fe0h7s] CVE-2016-1583: Privilege escalation in eCryptfs.
[fdztfgcv] Denial-of-service when sending a TCP reset from the netfilter.
[gm4ldjjf] CVE-2016-6828: Use after free during TCP transmission.
[s8pymcf8] CVE-2016-7117: Denial-of-service in recvmmsg() error handling.
[1ktf7029] CVE-2016-4997, CVE-2016-4998: Privilege escalation in the Netfilter driver.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
[5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
Effective kernel version is 2.6.32-642.15.1.el6

Here is the list of kernels we build modules for as part of Oracle Linux customers' kernel choices:

oracle-2.6.18-238.0.0.0.1.el5 oracle-2.6.18-238.1.1.0.1.el5 oracle-2.6.18-238.5.1.0.1.el5 oracle-2.6.18-238.9.1.0.1.el5 oracle-2.6.18-238.12.1.0.1.el5 oracle-2.6.18-238.19.1.0.1.el5
oracle-2.6.18-274.0.0.0.1.el5 oracle-2.6.18-274.3.1.0.1.el5 oracle-2.6.18-274.7.1.0.1.el5 oracle-2.6.18-274.12.1.0.1.el5 oracle-2.6.18-274.17.1.0.1.el5 oracle-2.6.18-274.18.1.0.1.el5
oracle-2.6.18-308.0.0.0.1.el5 oracle-2.6.18-308.1.1.0.1.el5 oracle-2.6.18-308.4.1.0.1.el5 oracle-2.6.18-308.8.1.0.1.el5 oracle-2.6.18-308.8.2.0.1.el5 oracle-2.6.18-308.11.1.0.1.el5 oracle-2.6.18-308.13.1.0.1.el5 oracle-2.6.18-308.16.1.0.1.el5 oracle-2.6.18-308.20.1.0.1.el5 oracle-2.6.18-308.24.1.0.1.el5
oracle-2.6.18-348.0.0.0.1.el5 oracle-2.6.18-348.1.1.0.1.el5 oracle-2.6.18-348.2.1.0.1.el5 oracle-2.6.18-348.3.1.0.1.el5 oracle-2.6.18-348.4.1.0.1.el5 oracle-2.6.18-348.6.1.0.1.el5 oracle-2.6.18-348.12.1.0.1.el5 oracle-2.6.18-348.16.1.0.1.el5 oracle-2.6.18-348.18.1.0.1.el5
oracle-2.6.18-371.0.0.0.1.el5 oracle-2.6.18-371.1.2.0.1.el5 oracle-2.6.18-371.3.1.0.1.el5 oracle-2.6.18-371.4.1.0.1.el5 oracle-2.6.18-371.6.1.0.1.el5 oracle-2.6.18-371.8.1.0.1.el5 oracle-2.6.18-371.9.1.0.1.el5 oracle-2.6.18-371.11.1.0.1.el5 oracle-2.6.18-371.12.1.0.1.el5
oracle-2.6.18-398.0.0.0.1.el5 oracle-2.6.18-400.0.0.0.1.el5 oracle-2.6.18-400.1.1.0.1.el5 oracle-2.6.18-402.0.0.0.1.el5 oracle-2.6.18-404.0.0.0.1.el5 oracle-2.6.18-406.0.0.0.1.el5 oracle-2.6.18-407.0.0.0.1.el5 oracle-2.6.18-408.0.0.0.1.el5 oracle-2.6.18-409.0.0.0.1.el5 oracle-2.6.18-410.0.0.0.1.el5 oracle-2.6.18-411.0.0.0.1.el5 oracle-2.6.18-412.0.0.0.1.el5 oracle-2.6.18-416.0.0.0.1.el5 oracle-2.6.18-417.0.0.0.1.el5 oracle-2.6.18-418.0.0.0.1.el5
oracle-2.6.32-642.0.0.0.1.el6
oracle-3.10.0-514.6.1.0.1.el7 oracle-3.10.0-514.6.2.0.1.el7
oracle-uek-2.6.39-100.5.1 oracle-uek-2.6.39-100.6.1 oracle-uek-2.6.39-100.7.1 oracle-uek-2.6.39-100.10.1
oracle-uek-2.6.39-200.24.1 oracle-uek-2.6.39-200.29.1 oracle-uek-2.6.39-200.29.2 oracle-uek-2.6.39-200.29.3 oracle-uek-2.6.39-200.31.1 oracle-uek-2.6.39-200.32.1 oracle-uek-2.6.39-200.33.1 oracle-uek-2.6.39-200.34.1
oracle-uek-2.6.39-300.17.1 oracle-uek-2.6.39-300.17.2 oracle-uek-2.6.39-300.17.3 oracle-uek-2.6.39-300.26.1 oracle-uek-2.6.39-300.28.1 oracle-uek-2.6.39-300.32.4
oracle-uek-2.6.39-400.17.1 oracle-uek-2.6.39-400.17.2 oracle-uek-2.6.39-400.21.1 oracle-uek-2.6.39-400.21.2 oracle-uek-2.6.39-400.23.1 oracle-uek-2.6.39-400.24.1
oracle-uek-2.6.39-400.109.1 oracle-uek-2.6.39-400.109.3 oracle-uek-2.6.39-400.109.4 oracle-uek-2.6.39-400.109.5 oracle-uek-2.6.39-400.109.6
oracle-uek-2.6.39-400.209.1 oracle-uek-2.6.39-400.209.2 oracle-uek-2.6.39-400.210.2 oracle-uek-2.6.39-400.211.1 oracle-uek-2.6.39-400.211.2 oracle-uek-2.6.39-400.211.3 oracle-uek-2.6.39-400.212.1
oracle-uek-2.6.39-400.214.1 oracle-uek-2.6.39-400.214.3 oracle-uek-2.6.39-400.214.4 oracle-uek-2.6.39-400.214.5 oracle-uek-2.6.39-400.214.6
oracle-uek-2.6.39-400.215.1 oracle-uek-2.6.39-400.215.2 oracle-uek-2.6.39-400.215.3 oracle-uek-2.6.39-400.215.4 oracle-uek-2.6.39-400.215.6 oracle-uek-2.6.39-400.215.7 oracle-uek-2.6.39-400.215.10 oracle-uek-2.6.39-400.215.11 oracle-uek-2.6.39-400.215.12 oracle-uek-2.6.39-400.215.13 oracle-uek-2.6.39-400.215.14 oracle-uek-2.6.39-400.215.15
oracle-uek-2.6.39-400.243.1 oracle-uek-2.6.39-400.245.1 oracle-uek-2.6.39-400.246.2 oracle-uek-2.6.39-400.247.1 oracle-uek-2.6.39-400.248.3 oracle-uek-2.6.39-400.249.1 oracle-uek-2.6.39-400.249.3 oracle-uek-2.6.39-400.249.4
oracle-uek-2.6.39-400.250.2 oracle-uek-2.6.39-400.250.4 oracle-uek-2.6.39-400.250.5 oracle-uek-2.6.39-400.250.6 oracle-uek-2.6.39-400.250.7 oracle-uek-2.6.39-400.250.9 oracle-uek-2.6.39-400.250.10 oracle-uek-2.6.39-400.250.11
oracle-uek-2.6.39-400.264.1 oracle-uek-2.6.39-400.264.4 oracle-uek-2.6.39-400.264.5 oracle-uek-2.6.39-400.264.6 oracle-uek-2.6.39-400.264.13
oracle-uek-2.6.39-400.276.1 oracle-uek-2.6.39-400.277.1 oracle-uek-2.6.39-400.278.1 oracle-uek-2.6.39-400.278.2 oracle-uek-2.6.39-400.278.3 oracle-uek-2.6.39-400.280.1 oracle-uek-2.6.39-400.281.1 oracle-uek-2.6.39-400.282.1 oracle-uek-2.6.39-400.283.1 oracle-uek-2.6.39-400.283.2 oracle-uek-2.6.39-400.284.1 oracle-uek-2.6.39-400.284.2
oracle-uek-2.6.39-400.286.2 oracle-uek-2.6.39-400.286.3 oracle-uek-2.6.39-400.290.1 oracle-uek-2.6.39-400.290.2 oracle-uek-2.6.39-400.293.1 oracle-uek-2.6.39-400.293.2 oracle-uek-2.6.39-400.294.1 oracle-uek-2.6.39-400.294.2 oracle-uek-2.6.39-400.128.21
oracle-uek-3.8.13-16 oracle-uek-3.8.13-16.1.1 oracle-uek-3.8.13-16.2.1 oracle-uek-3.8.13-16.2.2 oracle-uek-3.8.13-16.2.3 oracle-uek-3.8.13-16.3.1
oracle-uek-3.8.13-26 oracle-uek-3.8.13-26.1.1 oracle-uek-3.8.13-26.2.1 oracle-uek-3.8.13-26.2.2 oracle-uek-3.8.13-26.2.3 oracle-uek-3.8.13-26.2.4
oracle-uek-3.8.13-35 oracle-uek-3.8.13-35.1.1 oracle-uek-3.8.13-35.1.2 oracle-uek-3.8.13-35.1.3 oracle-uek-3.8.13-35.3.1 oracle-uek-3.8.13-35.3.2 oracle-uek-3.8.13-35.3.3 oracle-uek-3.8.13-35.3.4 oracle-uek-3.8.13-35.3.5
oracle-uek-3.8.13-44 oracle-uek-3.8.13-44.1.1 oracle-uek-3.8.13-44.1.3 oracle-uek-3.8.13-44.1.4 oracle-uek-3.8.13-44.1.5
oracle-uek-3.8.13-55 oracle-uek-3.8.13-55.1.1 oracle-uek-3.8.13-55.1.2 oracle-uek-3.8.13-55.1.5 oracle-uek-3.8.13-55.1.6 oracle-uek-3.8.13-55.1.8 oracle-uek-3.8.13-55.2.1
oracle-uek-3.8.13-68 oracle-uek-3.8.13-68.1.2 oracle-uek-3.8.13-68.1.3 oracle-uek-3.8.13-68.2.2 oracle-uek-3.8.13-68.2.2.1 oracle-uek-3.8.13-68.2.2.2 oracle-uek-3.8.13-68.3.1 oracle-uek-3.8.13-68.3.2 oracle-uek-3.8.13-68.3.3 oracle-uek-3.8.13-68.3.4 oracle-uek-3.8.13-68.3.5
oracle-uek-3.8.13-98 oracle-uek-3.8.13-98.1.1 oracle-uek-3.8.13-98.1.2 oracle-uek-3.8.13-98.2.1 oracle-uek-3.8.13-98.2.2 oracle-uek-3.8.13-98.4.1 oracle-uek-3.8.13-98.5.2 oracle-uek-3.8.13-98.6.1 oracle-uek-3.8.13-98.7.1 oracle-uek-3.8.13-98.8.1
oracle-uek-3.8.13-118 oracle-uek-3.8.13-118.2.1 oracle-uek-3.8.13-118.2.2 oracle-uek-3.8.13-118.2.4 oracle-uek-3.8.13-118.2.5 oracle-uek-3.8.13-118.3.1 oracle-uek-3.8.13-118.3.2 oracle-uek-3.8.13-118.4.1 oracle-uek-3.8.13-118.4.2 oracle-uek-3.8.13-118.6.1 oracle-uek-3.8.13-118.6.2 oracle-uek-3.8.13-118.7.1 oracle-uek-3.8.13-118.8.1 oracle-uek-3.8.13-118.9.1 oracle-uek-3.8.13-118.9.2 oracle-uek-3.8.13-118.10.2 oracle-uek-3.8.13-118.11.2 oracle-uek-3.8.13-118.13.2 oracle-uek-3.8.13-118.13.3 oracle-uek-3.8.13-118.14.1 oracle-uek-3.8.13-118.14.2 oracle-uek-3.8.13-118.15.1 oracle-uek-3.8.13-118.15.2 oracle-uek-3.8.13-118.15.3 oracle-uek-3.8.13-118.16.2 oracle-uek-3.8.13-118.16.3
oracle-uek-4.1.12-32 oracle-uek-4.1.12-32.1.2 oracle-uek-4.1.12-32.1.3 oracle-uek-4.1.12-32.2.1 oracle-uek-4.1.12-32.2.3
oracle-uek-4.1.12-37.2.1 oracle-uek-4.1.12-37.2.2 oracle-uek-4.1.12-37.3.1 oracle-uek-4.1.12-37.4.1 oracle-uek-4.1.12-37.5.1 oracle-uek-4.1.12-37.6.1 oracle-uek-4.1.12-37.6.2 oracle-uek-4.1.12-37.6.3
oracle-uek-4.1.12-61.1.6 oracle-uek-4.1.12-61.1.9 oracle-uek-4.1.12-61.1.10 oracle-uek-4.1.12-61.1.13 oracle-uek-4.1.12-61.1.14 oracle-uek-4.1.12-61.1.16 oracle-uek-4.1.12-61.1.17 oracle-uek-4.1.12-61.1.18 oracle-uek-4.1.12-61.1.19 oracle-uek-4.1.12-61.1.21 oracle-uek-4.1.12-61.1.22 oracle-uek-4.1.12-61.1.23 oracle-uek-4.1.12-61.1.24 oracle-uek-4.1.12-61.1.25 oracle-uek-4.1.12-61.1.27
rhel-2.6.32-71.el6 rhel-2.6.32-71.7.1.el6 rhel-2.6.32-71.14.1.el6 rhel-2.6.32-71.18.1.el6 rhel-2.6.32-71.18.2.el6 rhel-2.6.32-71.24.1.el6 rhel-2.6.32-71.29.1.el6
rhel-2.6.32-131.0.15.el6 rhel-2.6.32-131.2.1.el6 rhel-2.6.32-131.4.1.el6 rhel-2.6.32-131.6.1.el6 rhel-2.6.32-131.12.1.el6 rhel-2.6.32-131.17.1.el6 rhel-2.6.32-131.21.1.el6
rhel-2.6.32-220.el6 rhel-2.6.32-220.2.1.el6 rhel-2.6.32-220.4.1.el6 rhel-2.6.32-220.4.2.el6 rhel-2.6.32-220.7.1.el6 rhel-2.6.32-220.13.1.el6 rhel-2.6.32-220.17.1.el6 rhel-2.6.32-220.23.1.el6
rhel-2.6.32-279.el6 rhel-2.6.32-279.1.1.el6 rhel-2.6.32-279.2.1.el6 rhel-2.6.32-279.5.1.el6 rhel-2.6.32-279.5.2.el6 rhel-2.6.32-279.9.1.el6 rhel-2.6.32-279.11.1.el6 rhel-2.6.32-279.14.1.el6 rhel-2.6.32-279.19.1.el6 rhel-2.6.32-279.22.1.el6
rhel-2.6.32-358.el6 rhel-2.6.32-358.0.1.el6 rhel-2.6.32-358.2.1.el6 rhel-2.6.32-358.6.1.el6 rhel-2.6.32-358.6.2.el6 rhel-2.6.32-358.6.2.el6.x86_64.crt1 rhel-2.6.32-358.11.1.el6 rhel-2.6.32-358.14.1.el6 rhel-2.6.32-358.18.1.el6 rhel-2.6.32-358.23.2.el6
rhel-2.6.32-431.el6 rhel-2.6.32-431.1.2.el6 rhel-2.6.32-431.3.1.el6 rhel-2.6.32-431.5.1.el6 rhel-2.6.32-431.11.2.el6 rhel-2.6.32-431.17.1.el6 rhel-2.6.32-431.20.3.el6 rhel-2.6.32-431.20.5.el6 rhel-2.6.32-431.23.3.el6 rhel-2.6.32-431.29.2.el6
rhel-2.6.32-504.el6 rhel-2.6.32-504.1.3.el6 rhel-2.6.32-504.3.3.el6 rhel-2.6.32-504.8.1.el6 rhel-2.6.32-504.12.2.el6 rhel-2.6.32-504.16.2.el6 rhel-2.6.32-504.23.4.el6 rhel-2.6.32-504.30.3.el6
rhel-2.6.32-573.el6 rhel-2.6.32-573.1.1.el6 rhel-2.6.32-573.3.1.el6 rhel-2.6.32-573.7.1.el6 rhel-2.6.32-573.8.1.el6 rhel-2.6.32-573.12.1.el6 rhel-2.6.32-573.18.1.el6 rhel-2.6.32-573.22.1.el6 rhel-2.6.32-573.26.1.el6
rhel-2.6.32-642.el6 rhel-2.6.32-642.1.1.el6 rhel-2.6.32-642.3.1.el6 rhel-2.6.32-642.4.2.el6 rhel-2.6.32-642.6.1.el6 rhel-2.6.32-642.6.2.el6 rhel-2.6.32-642.11.1.el6 rhel-2.6.32-642.13.1.el6 rhel-2.6.32-642.13.2.el6
rhel-3.10.0-123.el7 rhel-3.10.0-123.1.2.el7 rhel-3.10.0-123.4.2.el7 rhel-3.10.0-123.4.4.el7 rhel-3.10.0-123.6.3.el7 rhel-3.10.0-123.8.1.el7 rhel-3.10.0-123.9.2.el7 rhel-3.10.0-123.9.3.el7 rhel-3.10.0-123.13.1.el7 rhel-3.10.0-123.13.2.el7 rhel-3.10.0-123.20.1.el7
rhel-3.10.0-229.el7 rhel-3.10.0-229.1.2.el7 rhel-3.10.0-229.4.2.el7 rhel-3.10.0-229.7.2.el7 rhel-3.10.0-229.11.1.el7 rhel-3.10.0-229.14.1.el7 rhel-3.10.0-229.20.1.el6.x86_64.knl2 rhel-3.10.0-229.20.1.el7
rhel-3.10.0-327.el7 rhel-3.10.0-327.3.1.el7 rhel-3.10.0-327.4.4.el7 rhel-3.10.0-327.4.5.el7 rhel-3.10.0-327.10.1.el7 rhel-3.10.0-327.13.1.el7 rhel-3.10.0-327.18.2.el7 rhel-3.10.0-327.22.2.el7 rhel-3.10.0-327.28.2.el7 rhel-3.10.0-327.28.3.el7 rhel-3.10.0-327.36.1.el7 rhel-3.10.0-327.36.2.el7 rhel-3.10.0-327.36.3.el7
rhel-3.10.0-514.el7 rhel-3.10.0-514.2.2.el7 rhel-3.10.0-514.6.1.el7 rhel-3.10.0-514.6.2.el7
rhel-2.6.18-92.1.10.el5 rhel-2.6.18-92.1.13.el5 rhel-2.6.18-92.1.17.el5 rhel-2.6.18-92.1.18.el5 rhel-2.6.18-92.1.22.el5
rhel-2.6.18-128.el5 rhel-2.6.18-128.1.1.el5 rhel-2.6.18-128.1.6.el5 rhel-2.6.18-128.1.10.el5 rhel-2.6.18-128.1.14.el5 rhel-2.6.18-128.1.16.el5 rhel-2.6.18-128.2.1.el5 rhel-2.6.18-128.4.1.el5 rhel-2.6.18-128.7.1.el5
rhel-2.6.18-149.el5
rhel-2.6.18-164.el5 rhel-2.6.18-164.2.1.el5 rhel-2.6.18-164.6.1.el5 rhel-2.6.18-164.9.1.el5 rhel-2.6.18-164.10.1.el5 rhel-2.6.18-164.11.1.el5 rhel-2.6.18-164.15.1.el5
rhel-2.6.18-194.el5 rhel-2.6.18-194.3.1.el5 rhel-2.6.18-194.8.1.el5 rhel-2.6.18-194.11.1.el5 rhel-2.6.18-194.11.3.el5 rhel-2.6.18-194.11.4.el5 rhel-2.6.18-194.17.1.el5 rhel-2.6.18-194.17.4.el5 rhel-2.6.18-194.26.1.el5 rhel-2.6.18-194.32.1.el5
rhel-2.6.18-238.el5 rhel-2.6.18-238.1.1.el5 rhel-2.6.18-238.5.1.el5 rhel-2.6.18-238.9.1.el5 rhel-2.6.18-238.12.1.el5 rhel-2.6.18-238.19.1.el5
rhel-2.6.18-274.el5 rhel-2.6.18-274.3.1.el5 rhel-2.6.18-274.7.1.el5 rhel-2.6.18-274.12.1.el5 rhel-2.6.18-274.17.1.el5 rhel-2.6.18-274.18.1.el5
rhel-2.6.18-308.el5 rhel-2.6.18-308.1.1.el5 rhel-2.6.18-308.4.1.el5 rhel-2.6.18-308.8.1.el5 rhel-2.6.18-308.8.2.el5 rhel-2.6.18-308.11.1.el5 rhel-2.6.18-308.13.1.el5 rhel-2.6.18-308.16.1.el5 rhel-2.6.18-308.20.1.el5 rhel-2.6.18-308.24.1.el5
rhel-2.6.18-348.el5 rhel-2.6.18-348.1.1.el5 rhel-2.6.18-348.2.1.el5 rhel-2.6.18-348.3.1.el5 rhel-2.6.18-348.4.1.el5 rhel-2.6.18-348.6.1.el5 rhel-2.6.18-348.12.1.el5 rhel-2.6.18-348.16.1.el5 rhel-2.6.18-348.18.1.el5
rhel-2.6.18-371.el5 rhel-2.6.18-371.1.2.el5 rhel-2.6.18-371.3.1.el5 rhel-2.6.18-371.4.1.el5 rhel-2.6.18-371.6.1.el5 rhel-2.6.18-371.8.1.el5 rhel-2.6.18-371.9.1.el5 rhel-2.6.18-371.11.1.el5 rhel-2.6.18-371.12.1.el5
rhel-2.6.18-398.el5 rhel-2.6.18-400.el5 rhel-2.6.18-400.1.1.el5 rhel-2.6.18-402.el5 rhel-2.6.18-404.el5 rhel-2.6.18-406.el5 rhel-2.6.18-407.el5 rhel-2.6.18-408.el5 rhel-2.6.18-409.el5 rhel-2.6.18-410.el5 rhel-2.6.18-411.el5 rhel-2.6.18-412.el5 rhel-2.6.18-416.el5 rhel-2.6.18-417.el5 rhel-2.6.18-418.el5

Compare that to kpatch or kgraft or so.
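Because uname -r keeps reporting the booted kernel (2.6.32-573.7.1 in the post) after Ksplice has applied updates, the uptrack-show listing and its "Effective kernel version" line are what an audit should look at rather than the version string. The following is an added shell example, not from the post or from the Ksplice tools: it reads a saved listing, pulls out the CVE identifiers and the effective kernel version, and reports any CVE a site requires that is not present. The sample listing is constructed from lines quoted above.

```shell
#!/bin/sh
# Added example, not from the post or the Ksplice tools: audit a saved
# "uptrack-show" listing against the CVE identifiers a site requires, and
# pull out the effective kernel version, so patch state can be checked
# without relying on "uname -r" (which still names the booted kernel after
# Ksplice updates). The sample listing is constructed from lines in the post.

# applied_cves FILE: every CVE id in the listing, one per line, deduplicated.
# A single update line may name several CVEs, so match ids rather than lines.
applied_cves() {
    grep -o 'CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*' "$1" | sort -u
}

# effective_kernel FILE: the value after "Effective kernel version is".
effective_kernel() {
    sed -n 's/^Effective kernel version is \(.*\)$/\1/p' "$1"
}

# missing_cves FILE CVE...: print required ids that are absent; exit 1 if any.
missing_cves() {
    listing=$1; shift
    missing=""
    for cve in "$@"; do
        if ! applied_cves "$listing" | grep -qx "$cve"; then
            missing="$missing $cve"
        fi
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed sample, abbreviated from the post's uptrack-show output.
write_sample_listing() {
    cat > "$1" <<'EOF'
Installed updates:
[kg3f16ii] CVE-2015-7872: Denial-of-service when garbage collecting uninstantiated keyring.
[ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
[5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
Effective kernel version is 2.6.32-642.15.1.el6
EOF
}

# Stand-alone run; on a live host replace the sample with "uptrack-show > listing".
demo=$(mktemp -d)
write_sample_listing "$demo/listing"
echo "effective kernel: $(effective_kernel "$demo/listing")"
if missing_cves "$demo/listing" CVE-2017-6074 CVE-2016-5195 CVE-2016-1583 > "$demo/missing"; then
    echo "all required CVEs applied"
else
    echo "missing: $(cat "$demo/missing")"
fi
rm -rf "$demo"
```

The required-CVE list is the thing to keep under version control: feed it the identifiers from your own advisories, run the check from cron or a configuration-management run, and alert on a non-zero exit. Lines such as the ft01zrkg entry carry two CVEs, which is why the check matches identifiers anywhere in the line instead of assuming one per update.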

Secure Boot support with Oracle Linux 7.1

Update: as my PM team pointed out to me, it's listed as Tech Preview for OL7.1, not GA/production, in the release notes. Just making sure I add this disclaimer ;)

Another feature introduced with Oracle Linux 7.1 is support for Secure Boot. If Secure Boot is enabled on a system (typically desktop, but in some cases also servers), the system can have an embedded certificate (in firmware). This certificate can be one that's uploaded to the system by the admin or it could be one provided by the OEM/OS vendor. In many cases, in particular newer desktops, the system already contains the Microsoft key. (There can be more than one certificate uploaded...) When the firmware loads the boot loader, it verifies/checks the signature of this bootloader with the key stored in firmware before continuing. This signed bootloader (at this point trusted to continue) will then load a signed kernel, or a signed second stage boot loader, and verify it before starting and continuing the boot process. This creates what is called a chain of trust through the boot process.

We ship a 1st stage bootloader with Oracle Linux 7.1 which is a tiny "shim" layer that is signed by both Microsoft and Oracle. So if a system comes with Secure Boot support, and already ships the Microsoft PK, then the shim layer will be started, verified, and if it passes verification, it will then load grub2 (the real bootloader). grub2 is signed by us (Oracle). The signed/verified shim layer contains the Oracle key and will validate that grub2 is ours (signed); if verification passes, grub2 will load the Oracle Linux kernel, and the same process takes place: our kernel is signed by us (Oracle) and grub2 will validate the signature prior to allowing execution of the kernel.

Once the kernel is running, all kernel modules that we ship as part of Oracle Linux, whether it's standard included kernel modules as part of the kernel RPM or external kernel modules used with Oracle Ksplice, are also signed by Oracle and the kernel will validate the signature prior to loading these kernel modules. Enabling loading and verification of signed kernel modules is done by adding enforcemodulesig=1 to the grub kernel option line. In enforcing mode, any kernel module that is attempted to be loaded that's not signed by Oracle will fail to load.

If a system has Secure Boot support but a sysadmin wants to use the Oracle signature instead, we will make our certificate available to be downloaded securely from Oracle and then this can be uploaded into the firmware key database.
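An added shell example (mine, not Oracle's) for checking the two settings the post describes from an audit script: the SecureBoot EFI variable and enforcemodulesig=1 on the kernel command line. Paths are parameters so it runs here on constructed sample files; on a live OL7 host the inputs would be /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c (the GUID is the EFI global variable namespace) and /proc/cmdline. The efivarfs layout of four attribute bytes followed by the one-byte value is assumed from the efivarfs format, and the sample attribute bytes and kernel version are constructed.

```shell
#!/bin/sh
# Added example, not from the post: audit helpers for Secure Boot state in
# firmware and enforcemodulesig=1 on the kernel command line. Paths are
# parameters so the checks run on constructed sample files here; on a
# live system pass the efivars SecureBoot-<guid> file and /proc/cmdline.

# secure_boot_state EFIVAR_FILE: efivarfs stores 4 attribute bytes then the
# 1-byte variable value. Prints enabled, disabled, or unavailable (no
# variable, e.g. a BIOS-booted host where Secure Boot cannot apply).
secure_boot_state() {
    var=$1
    [ -r "$var" ] || { echo unavailable; return; }
    value=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    case $value in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unavailable ;;
    esac
}

# modsig_enforced CMDLINE_FILE: exit 0 when enforcemodulesig=1 appears as a
# whole word on the kernel command line, 1 otherwise.
modsig_enforced() {
    tr ' ' '\n' < "$1" | grep -qx 'enforcemodulesig=1'
}

# boot_trust_summary EFIVAR_FILE CMDLINE_FILE: one-line verdict combining both.
boot_trust_summary() {
    sb=$(secure_boot_state "$1")
    if modsig_enforced "$2"; then ms=enforced; else ms=not-enforced; fi
    echo "secureboot=$sb modulesig=$ms"
}

# Constructed samples: two EFI variable images (attributes 0x06 = BS+RT,
# assumed for the sample, then value 1 or 0) and two kernel command lines.
write_samples() {
    dir=$1
    printf '\006\000\000\000\001' > "$dir/SecureBoot-on"
    printf '\006\000\000\000\000' > "$dir/SecureBoot-off"
    echo 'BOOT_IMAGE=/vmlinuz-3.10.0-229.el7.x86_64 root=/dev/mapper/ol-root ro enforcemodulesig=1 quiet' > "$dir/cmdline-enforcing"
    echo 'BOOT_IMAGE=/vmlinuz-3.10.0-229.el7.x86_64 root=/dev/mapper/ol-root ro quiet' > "$dir/cmdline-plain"
}

# Stand-alone run on the constructed samples.
demo=$(mktemp -d)
write_samples "$demo"
boot_trust_summary "$demo/SecureBoot-on" "$demo/cmdline-enforcing"
rm -rf "$demo"
```

The two checks answer different questions and should be reported separately: Secure Boot on without enforcemodulesig=1 means the chain of trust stops at the kernel image and unsigned modules still load, while enforcing module signatures on a host with Secure Boot off protects modules but not the bootloader path the post describes.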

Oracle Linux 7.1 and MySQL 5.6

Yesterday we released Oracle Linux 7 update 1. The individual RPM updates are available from both public-yum (our free, open, public yum repo site) and Oracle Linux Network. The install ISOs can be downloaded from My Oracle Support right away and the public downloadable ISOs will be made available in the next few days from the usual e-delivery site. The ISOs will also, as usual, be mirrored to other mirror sites that also make Oracle Linux freely available.

One update in Oracle Linux 7 update 1 that I wanted to point out is the convenience of upgrading to MySQL 5.6 at install time. Oracle Linux 7 GA includes MariaDB 5.5 (due to our compatibility commitment in terms of exact packages and the same packages) and we added MySQL 5.6 RPMs on the ISO image (and in the yum repo channels online). So while it was easy for someone to download and upgrade from MariaDB 5.5 to MySQL 5.6, there was no install option. Now with 7.1 we included an installation option for MySQL. So you can decide which database to install in the installer or through kickstart with @mariadb or @mysql as a group. Again, MariaDB 5.5 is also part of Oracle Linux 7.1 and any users that are looking for strict package compatibility will see that we are very much that. All we have done is make it easy to have a better alternative option (1) conveniently available and integrated, (2) without any compatibility risks whatsoever, so you can easily run the real standard that is MySQL. A bug fix if you will. I have a little screenshot available here.

Enjoy.

Oracle Linux and Database Smart Flash Cache

One, sometimes overlooked, cool feature of the Oracle Database running on Oracle Linux is called Database Smart Flash Cache. You can find an overview of the feature in the Oracle Database Administrator's Guide.

Basically, if you have flash devices attached to your server, you can use this flash memory to increase the size of the buffer cache. So instead of aging blocks out of the buffer cache and having to go back to reading them from disk, they move to the much, much faster flash storage as a secondary fast buffer cache (for reads, not writes).

Some scenarios where this is very useful: you have huge tables and huge amounts of data, a very, very large database with tons of query activity (let's say many TB) and your server is limited to a relatively small amount of main RAM (let's say 128 or 256G). In this case, if you were to purchase and add a flash storage device of 256G or 512G (example), you can attach this device to the database with the Database Smart Flash Cache feature and increase the buffer cache of your database from like 100G or 200G to 300-700G on that same server. In a good number of cases this will give you a significant performance improvement without having to purchase a new server that handles more memory, or purchase flash storage that can handle your many TB of storage to live in flash instead of rotational storage.

It is also incredibly easy to configure:

1. install Oracle Linux (I installed Oracle Linux 6 with UEK3)
2. install Oracle Database 12c (this would also work with 11g; I installed 12.1.0.2.0 EE)
3. add a flash device to your system (for the example I just added a 1GB device showing up as /dev/sdb)
4. attach the storage to the database in sqlplus

Done.

$ ls /dev/sdb
/dev/sdb
$ sqlplus '/ as sysdba'

SQL*Plus: Release 12.1.0.2.0 Production on Tue Feb 24 05:46:08 2015

Copyright (c) 1982, 2014, Oracle. All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> alter system set db_flash_cache_file='/dev/sdb' scope=spfile;
System altered.
SQL> alter system set db_flash_cache_size=1G scope=spfile;
System altered.
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 4932501504 bytes
Fixed Size                  2934456 bytes
Variable Size            1023412552 bytes
Database Buffers         3892314112 bytes
Redo Buffers               13840384 bytes
Database mounted.
Database opened.
SQL> show parameters flash
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_flash_cache_file                  string      /dev/sdb
db_flash_cache_size                  big integer 1G
db_flashback_retention_target        integer     1440
SQL> select * from v$flashfilestat;
FLASHFILE# NAME       BYTES      ENABLED SINGLEBLKRDS SINGLEBLKRDTIM_MICRO CON_ID
---------- ---------- ---------- ------- ------------ -------------------- ------
         1 /dev/sdb   1073741824       1            0                    0      0

You can get more information on configuration and guidelines/tuning here.

If you want selective control of which tables can use or will use the Database Smart Flash Cache, you can use the ALTER TABLE command. See here, specifically the STORAGE clause. By default, tables are aged out into the flash cache, but if you don't want certain tables to be cached you can use the NONE option:

alter table foo storage (flash_cache none);

This feature can really make a big difference in a number of database environments and I highly recommend taking a look at how Oracle Linux and Oracle Database 12c can help you enhance your setup. It's included with the database running on Oracle Linux. Here is a link to a white paper that gives a bit of a performance overview.

New features in ksplice uptrack-upgrade tools for Oracle Linux

We have many, many happy Oracle Linux customers that use and rely on the Oracle Ksplice service to keep their kernels up to date with all the critical CVEs/bugfixes that we release as zero downtime patches. There are 2 ways to use the Ksplice service :Online edition/clientThe uptrack tools (the Ksplice utilities you install on an Oracle Linux server to start applying ksplice updates) connect directly with the Oracle server to download updates. This model gives the most flexibility in terms of providing information of patches and detail of what is installed because we have a website on which you can find your servers and detailed patch status.Offline edition/clientMany companies cannot or do not register all servers remotely with our system so they can rely on the offline client to apply updates. In this mode, the ksplice patches are packaged in RPMs for convenience. For each kernel that is shipped by Oracle for Oracle Linux, we provide a corresponding uptrack-update RPM for that specific kernel version. This RPM contains all the updates that have been released since that version was released. The RPM is updated whenever a new ksplice patch becomes available. So you always have 1 RPM installed for a given kernel, and this RPM gets updated. This was standard yum / rpm commands can be used to update your server(s) with ksplice patches as well and everything is nicely integrated.The standard model is that an uptrack-upgrade command will apply all updates to current/latest on your server. This is of course the preferred way of applying security fixes on your running system, it's best to be on the latest version. However, in some cases, customers want more fine-grained control than latest.We just did an update of the ksplice offline tools to add support for updating to a specific "kernel version". 
This way, if you are on kernel version x and you would like to go to kernel version y (in terms of effective patches/security fixes) while latest is kernel version z, you can tell uptrack-upgrade to go to kernel version y. Let me give a quick and simple example below. I hope this is a useful addition to the tools. Happy holidays and happy ksplicing!

To install the tools, make sure that your server(s) has access to the ol6_x86_64_ksplice channel (if it's OL6):

$ yum install uptrack-offline

Now, in my example, I have Oracle Linux 6 installed with the following version of UEK3:

$ uname -r
3.8.13-44.1.1.el6uek.x86_64

Let's check if updates are available:

$ yum search uptrack-updates-3.8.13-44.1.1
Loaded plugins: rhnplugin, security
This system is receiving updates from ULN.
=========== N/S Matched: uptrack-updates-3.8.13-44.1.1.el6uek.x86_64 ===========
uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch : Rebootless updates for the
                                                 ...: Ksplice Uptrack rebootless kernel update service

As I mentioned earlier, for each kernel there's a corresponding ksplice update RPM. Just install that. In this case, I run 3.8.13-44.1.1.
$ yum install uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch
Loaded plugins: rhnplugin, security
This system is receiving updates from ULN.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch 0:20141216-0 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                                      Arch    Version     Repository          Size
================================================================================
Installing:
 uptrack-updates-3.8.13-44.1.1.el6uek.x86_64  noarch  20141216-0  ol6_x86_64_ksplice  39 M

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 39 M
Installed size: 40 M
Is this ok [y/N]: y
Downloading Packages:
uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.n | 39 MB     00:29
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.noa   1/1
The following steps will be taken:
Install [b9hqohyk] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.
...
Installing [vtujkei9] CVE-2014-6410: Denial of service in UDF filesystem parsing.
Your kernel is fully up to date.
Effective kernel version is 3.8.13-55.1.1.el6uek
  Verifying  : uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.noa   1/1

Installed:
  uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch 0:20141216-0

Complete!

There have been a ton of updates released since 44.1.1, and the above update gets me to effectively running 3.8.13-55.1.1. Of course, without a reboot.

$ uptrack-uname -r
3.8.13-55.1.1.el6uek.x86_64

Keep in mind that plain uname -r keeps reporting the kernel you booted (3.8.13-44.1.1 here); uptrack-uname -r is the command that reports the effective version, so anything that judges patch level from uname -r alone will show this box as unpatched.

Now we get to the new feature. There's a new option in uptrack-upgrade that lists all the effective kernel versions available, from the installed kernel up to the latest, based on the ksplice RPM installed.
$ uptrack-upgrade --list-effective
Available effective kernel versions:
3.8.13-44.1.1.el6uek.x86_64/#2 SMP Wed Sep 10 06:10:25 PDT 2014
3.8.13-44.1.3.el6uek.x86_64/#2 SMP Wed Oct 15 19:53:10 PDT 2014
3.8.13-44.1.4.el6uek.x86_64/#2 SMP Wed Oct 29 23:58:06 PDT 2014
3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014
3.8.13-55.el6uek.x86_64/#2 SMP Mon Dec 1 11:32:40 PST 2014
3.8.13-55.1.1.el6uek.x86_64/#2 SMP Thu Dec 11 00:20:49 PST 2014

So as an example, let's say I want to update from 44.1.1 to 44.1.5 instead of to 55.1.1 (for whatever reason I might have). All I have to do is run uptrack-upgrade with that effective kernel version. Let's start by removing the installed updates to go back from 55.1.1 to 44.1.1, and then upgrade again to 44.1.5:

$ uptrack-remove --all
...
$ uptrack-upgrade --effective="3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014"
...
...
Effective kernel version is 3.8.13-44.1.5.el6uek

The value passed to --effective is the full entry as --list-effective printed it, build stamp included, which is why it is quoted. And that's it.
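As an added example (my own code, not part of the post and not part of the Ksplice tools), here is a small Python helper that turns the output of uptrack-upgrade --list-effective into the exact value --effective= takes, so a change ticket can say "go to 44.1.5" without someone retyping the build stamp by hand, and a typo cannot silently fall through to latest. The listing is the sample from the post, embedded as constructed input; the script name ksplice_effective.py and the fallback to that sample when the uptrack tools are absent are my assumptions.

```python
"""Resolve the argument for `uptrack-upgrade --effective=` from the output of
`uptrack-upgrade --list-effective`.  (Added example; assumes the output format
shown in the post: one 'release/#N SMP <build date>' entry per line.)"""
import shlex
import subprocess
import sys

# Constructed sample: the --list-effective output quoted in the post.
SAMPLE_LIST_EFFECTIVE = """\
Available effective kernel versions:
3.8.13-44.1.1.el6uek.x86_64/#2 SMP Wed Sep 10 06:10:25 PDT 2014
3.8.13-44.1.3.el6uek.x86_64/#2 SMP Wed Oct 15 19:53:10 PDT 2014
3.8.13-44.1.4.el6uek.x86_64/#2 SMP Wed Oct 29 23:58:06 PDT 2014
3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014
3.8.13-55.el6uek.x86_64/#2 SMP Mon Dec 1 11:32:40 PST 2014
3.8.13-55.1.1.el6uek.x86_64/#2 SMP Thu Dec 11 00:20:49 PST 2014
"""


def parse_list_effective(text):
    """Return [(release, full_entry), ...] oldest first, skipping the header.

    release is the part before '/', e.g. '3.8.13-44.1.5.el6uek.x86_64';
    full_entry is the whole line, which is what --effective= expects.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        release, slash, _build = line.partition("/")
        if slash and release:
            entries.append((release, line))
    return entries


def short_version(release):
    """'3.8.13-44.1.5.el6uek.x86_64' -> '3.8.13-44.1.5' (drop the dist/arch tag)."""
    return release.split(".el", 1)[0]


def resolve_effective(text, wanted):
    """Map a version given in short form ('3.8.13-44.1.5') or as the full
    release ('3.8.13-44.1.5.el6uek.x86_64') to the exact listed entry.
    Raises LookupError if the installed uptrack-updates RPM does not offer it.
    """
    for release, entry in parse_list_effective(text):
        if wanted in (release, short_version(release)):
            return entry
    raise LookupError("effective kernel version %r is not available" % wanted)


def has_effective(text, wanted):
    """True if `wanted` is one of the listed effective kernel versions."""
    try:
        resolve_effective(text, wanted)
        return True
    except LookupError:
        return False


def latest_effective(text):
    """The last entry in the list: what a plain `uptrack-upgrade` would reach."""
    entries = parse_list_effective(text)
    return entries[-1][1] if entries else None


def build_command(text, wanted):
    """Shell-safe invocation; the entry contains spaces and a '#'."""
    return "uptrack-upgrade --effective=" + shlex.quote(resolve_effective(text, wanted))


if __name__ == "__main__":
    # Usage: python ksplice_effective.py 3.8.13-44.1.5
    # On an Oracle Linux host with the offline client installed this reads the
    # real listing; elsewhere it falls back to the sample above (assumption).
    try:
        listing = subprocess.check_output(
            ["uptrack-upgrade", "--list-effective"], text=True)
    except (OSError, subprocess.CalledProcessError):
        listing = SAMPLE_LIST_EFFECTIVE
    wanted = sys.argv[1] if len(sys.argv) > 1 else "3.8.13-44.1.5"
    print(build_command(listing, wanted))
```

The match is exact on either the short version or the full release rather than a prefix, because "3.8.13-55" would otherwise also match "3.8.13-55.1.1" and pick the wrong target.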


Oracle Linux Containers and docker and the magic of ksplice becomes even more exciting

So, in my previous blogs I talked about the value of ksplice for applying updates and keeping your system current. The typical use case has been physical servers running some application, or VMs running some application, where every system stays pretty isolated. Downtime on a single server is often seen by a system admin as no big deal; downtime of a bunch of servers, because a multi-tier application goes down, is a pretty big deal to the application owner and can take some scheduling (and cost) to agree on downtime for reboots. If you have to patch a database server and reboot it, then you first have to bring down your application servers, then bring down the database, then reboot the server. So that 'single reboot' from a sysadmin point of view is a nightmare, long downtime and potential risk for the application owner who has an application spread across many servers. Do keep that complexity in mind...

Anyway, we introduced support for Linux containers a year ago, back with Oracle Linux 6 and the release of UEKr3. No need to wait for OL7 (or rhel7...): we've been doing this for almost a year, and it was possible without having to reinstall servers, go from 6 to 7, move to systemd and take on major changes. Simply update an OL6 environment and reboot into UEK3 and you were good to go, a year ago.

So... with containers (and docker is very similar here) you run one kernel. This is as opposed to running VMs, where each VM is a completely isolated virtual environment with its own kernel, and you can live migrate the VMs to another host if you need to update/patch the host. So you run an OS that supports containers, you deploy your apps and isolate them nicely in a container each... and now you need to apply kernel security updates. Well... that means the host kernel on which all these container environments are running. Oops: my reboot now brings down a ton of containers.

Well, not with ksplice. You run uptrack-upgrade in the main environment and it nicely, online, without affecting the running apps in their containers or docker environments, updates to the latest fixes and CVEs. Done. No downtime, no scheduling issues with your application users... all set. Supported since a year ago. Stable.


The magic of ksplice continues...

My previous blog talked about some cool use cases of ksplice, and I used Oracle Linux 5 as the example. In this blog entry I just wanted to add Oracle Linux 6 to it. For Oracle Linux 6, we go all the way back to the GA date of OL6: 2.6.32-71.el6, build date Wed Dec 15 12:36:54 EST 2010. And we support ksplice online updates from that point on, up to today. Same model: you can be on any Oracle Linux 6 kernel, an errata update, a specific kernel from an update release like 6.1,... 6.5,... and get current with CVEs and critical fixes from then on. After running uptrack-upgrade, I get to be current: 2.6.32-431.29.2.el6

I ran out of xterm buffer space ;-) so starting with the Installing part of the output of uptrack-upgrade -y:

Installing [1y0hqxq7] Invalid memory access in dynamic debug entry listing.
Installing [1f9nec9b] Clear garbage data on the kernel stack when handling signals.
Installing [lrh0cfph] Reduce usage of reserved percpu memory.
Installing [uo1fmxxr] CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.
Installing [11ofaaud] CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.
Installing [8u4favcu] CVE-2010-3301: Privilege escalation in 32-bit syscall entry via ptrace.
Installing [ayk01zir] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Installing [p1o8wy3o] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Installing [r1mlwooa] CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.
Installing [584zm6x2] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Installing [vt03uggp] CVE-2010-2955: Information leak in wireless extensions.
Installing [7rzgltfi] CVE-2010-3079: NULL pointer dereference in ftrace.
Installing [oyaovezn] CVE-2010-3437: Information leak in pktcdvd driver.
Installing [70cjk1y6] CVE-2010-3698: Denial of service vulnerability in KVM host.
Installing [9dm5foy9] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Installing [mhsn7n2j] Memory corruption during KSM swapping.
Installing [kn5l6sh5] KVM guest crashes due to unsupported model-specific registers.
Installing [xmx98rz9] Erroneous merge of block write with block discard request.
Installing [23nlxpse] CVE-2010-2803: Information leak in drm subsystem.
Installing [mo9lbpsi] Memory leak in DRM buffer object LRU list handling.
Installing [91hrmhbr] Memory leak in GEM drm_vma_entry handling.
Installing [apryc0uo] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Installing [ur02tbrc] CVE-2010-4160: Privilege escalation in PPP over L2TP.
Installing [5o3hvdgy] CVE-2010-4263: NULL pointer dereference in igb network driver.
Installing [a3z3nda1] CVE-2010-3477: Information leak in tcf_act_police_dump.
Installing [lsd1hzvx] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Installing [z92iokkb] CVE-2010-3080: Privilege escalation in ALSA sound system OSS emulation.
Installing [23yh7u1i] CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL ioctl.
Installing [jxtltpyu] CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.
Installing [5fuyrpx3] CVE-2010-4162: Integer overflow in block I/O subsystem.
Installing [ylkgl75m] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Installing [ppawlabm] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Installing [q4n7w8t6] CVE-2010-3067: Information leak in sys_io_submit.
Installing [0w2s15ix] CVE-2010-3298: Information leak in hso_get_count().
Installing [dfi8ncbj] CVE-2010-3876: Kernel information leak in packet subsystem.
Installing [ahrdouix] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Installing [wvbjfli8] CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.
Installing [pkhcqtro] CVE-2010-4075: Kernel information leak in serial subsystem.
Installing [cwksn40u] CVE-2010-4077: Kernel information leak in nozomi driver.
Installing [q4d3smds] CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
Installing [z4duwd7q] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [eajqjo74] CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.
Installing [6hrf2a3e] CVE-2010-4083: Information leak in System V IPC.
Installing [3xm2ly3f] CVE-2010-4158: Kernel information leak in socket filters.
Installing [5y2oasdw] CVE-2010-4525: Information leak in KVM VCPU events ioctl.
Installing [35e4qfr6] CVE-2010-2492: Privilege escalation in eCryptfs.
Installing [rr12rtq3] Data corruption due to bad flags in break_lease and may_open.
Installing [20cz9gp7] Kernel oops in network neighbour update.
Installing [m650djkx] Deadlock on fsync during dm device resize.
Installing [c19gus65] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Installing [3e86rex1] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Installing [cxb3m3ae] CVE-2010-4165: Denial of service in TCP from user MSS.
Installing [dii4wm64] CVE-2010-4169: Use-after-free bug in mprotect system call.
Installing [e465fr49] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Installing [5s3fe1cn] Mitigate denial of service attacks with large argument lists.
Installing [j8jwyth1] Memory corruption in multipath deactivation queueing.
Installing [5qkkyd5m] Kernel panic in network bonding on ARP receipt.
Installing [f9j8s6u6] Failure to recover NFSv4 client state on server reboot.
Installing [qa379ag5] CVE-2011-0714: Remote denial of service in RPC server sockets.
Installing [12q8wuvd] CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.
Installing [tm68xsph] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Installing [fk2zg5ec] CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.
Installing [bcfvwcux] CVE-2011-0716: Memory corruption in IGMP bridge snooping.
Installing [smkv0oja] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Installing [3eu2kr7i] CVE-2010-3296: Kernel information leak in cxgb driver.
Installing [3skmaxct] CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.
Installing [xuxi8p7r] CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.
Installing [7npiqvil] CVE-2010-4655: Information leak in ETHTOOL_GREGS ioctl.
Installing [en0luyx8] Denial of service on empty virtio_console write.
Installing [yv0cumoa] Denial of service in r8169 receive queue handling.
Installing [j6vlp89e] Failure of virtio_net device on guest low-memory condition.
Installing [q53j90kj] KVM guest crash due to stale memory on migration.
Installing [ri498cnm] KVM guest crash due to unblocked NMIs on STI instruction.
Installing [tlrgiz2i] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Installing [9eta98wf] Use-after-free in CIFS session management.
Installing [19wu4xr4] CVE-2011-0712: Buffer overflows in caiaq driver.
Installing [3cxo6wrf] CVE-2011-1079: Denial of service in Bluetooth BNEP.
Installing [kzieu2je] CVE-2011-1080: Information leak in netfilter.
Installing [ekzp14u9] CVE-2010-4258: Failure to revert address limit override after oops.
Installing [jd3cmfll] CVE-2011-0006: Unhandled error condition when adding security rules.
Installing [jk52g3fx] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [z2ne1xi4] CVE-2011-1013: Signedness error in drm.
Installing [gb4ntots] Cache allocation bug in DCCP.
Installing [pe4f00pm] CVE-2011-1093: NULL pointer dereference in DCCP.
Installing [yypibd1k] CVE-2011-1573: Denial of service in SCTP.
Installing [02al7nxj] CVE-2011-0726: Address space leakage through /proc/pid/stat.
Installing [00ahpz3z] CVE-2011-0711: Information leak in XFS filesystem.
Installing [iczdh30p] CVE-2010-4250: Reference count leak in inotify failure path.
Installing [ea8bohrp] Infinite loop in tty auditing.
Installing [85iuyyyj] Buffer overflow in iptables CLUSTERIP target.
Installing [8o0892h3] CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.
Installing [p3ck0dr6] CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.
Installing [w8sa7qie] CVE-2011-1016: Privilege escalation in radeon GPU driver.
Installing [aqnhua0z] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Installing [mla0f8wz] CVE-2011-1082: Denial of service in epoll.
Installing [5dbkxjue] CVE-2011-1090: Denial of service in NFSv4 client.
Installing [4qj7c7qc] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Installing [3vf1zjzf] CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [a03rwxbz] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Installing [7z04dctw] Incorrect interrupt handling on down e1000 interface.
Installing [ep319ryq] CVE-2011-1770: Remote denial of service in DCCP options parsing.
Installing [qp7al6tc] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Installing [85n0mc4q] CVE-2011-1598: Denial of service in CAN/BCM protocol.
Installing [z8t1hsjb] CVE-2011-1748: Denial of service in CAN raw sockets.
Installing [pvtdn3yd] CVE-2011-1767: Incorrect initialization order in ip_gre.
Installing [xughs2jb] CVE-2011-1768: Incorrect initialization order in IP tunnel protocols.
Installing [k6a6bqyr] CVE-2011-2479: Denial of service with transparent hugepages and /dev/zero.
Installing [pmkvbrcc] CVE-2011-1776: Missing boundary checks in EFI partition table parsing.
Installing [pb9pjnnn] CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.
Installing [mnpd8mip] CVE-2011-1593: Missing bounds check in proc filesystem.
Installing [d6vuea6w] CVE-2011-2213: Arbitrary code injection bug in IPv4 subsystem.
Installing [zmfowuqn] CVE-2011-2491: Local denial of service in NLM subsystem.
Installing [402w3brr] CVE-2011-2492: Information leak in bluetooth implementation.
Installing [vi7qxs20] CVE-2011-2497: Buffer overflow in the Bluetooth subsystem.
Installing [ql0oxrhk] CVE-2011-2517: Buffer overflow in nl80211 driver.
Installing [0xcbigxp] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Installing [127f4d1u] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Installing [w72wz6f4] CVE-2011-2495: Information leak in /proc/PID/io.
Installing [c8v0sk8t] CVE-2011-1160: Information leak in tpm driver.
Installing [1nt1dahj] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [bxqvqvef] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Installing [d4m9k310] CVE-2011-2484: Denial of service in taskstats subsystem.
Installing [3vlbyy24] CVE-2011-2496: Local denial of service in mremap().
Installing [e0lkqz3i] CVE-2011-2723: Remote denial of service vulnerability in gro.
Installing [99r3sbjg] CVE-2011-2898: Information leak in packet subsystem
Installing [3ev4sw2b] CVE-2011-2918: Denial of service in event overflows in perf.
Installing [ll9j5877] CVE-2011-1833: Information disclosure in eCryptfs.
Installing [ww2gv7iv] CVE-2011-3359: Denial of service in Broadcom 43xx wireless driver.
Installing [9x0ub4l1] CVE-2011-3363: Denial of service in CIFS via malicious DFS referrals.
Installing [ggvpdbug] CVE-2011-3188: Weak TCP sequence number generation.
Installing [z4pt0sai] CVE-2011-1577: Denial of service in GPT partition handling.
Installing [omnzxxxr] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Installing [o4xkg2el] CVE-2011-3191: Privilege escalation in CIFS directory reading.
Installing [e2eyyaf9] CVE-2011-1162: Information leak in TPM driver.
Installing [1fmgtd1b] CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.
Installing [ldjwxwd5] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Installing [tnhvync5] CVE-2011-2494: Information leak in task/process statistics.
Installing [gi4te905] CVE-2011-3593: Denial of service in VLAN with priority tagged frames.
Installing [h1wiua6s] CVE-2011-4110: Denial of service in kernel key management facilities.
Installing [4yrxpwih] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Installing [gz5jfzi3] CVE-2011-1020: Missing access restrictions in /proc subsystem.
Installing [o31erbbr] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [yqaa1zsp] Arithmetic overflow in clock source calculations.
Installing [vxfxrncu] CVE-2011-4077: Buffer overflow in xfs_readlink.
Installing [rnvy1bow] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.
Installing [5bokjzmm] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Installing [q7t7hls4] CVE-2011-4347: Denial of service in KVM device assignment.
Installing [wmeoffm9] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.
Installing [gu3picnz] CVE-2012-0038: In-memory corruption in XFS ACL processing.
Installing [v2td9qse] CVE-2012-0045: Denial of service in KVM system call emulation.
Installing [n2xairv0] CVE-2012-0879: Denial of service in CLONE_IO.
Installing [2k2kq44h] Fix crash on discard in the software RAID driver.
Installing [i244mlk5] CVE-2012-1097: NULL pointer dereference in the ptrace subsystem.
Installing [2anjx00z] CVE-2012-1090: Denial of service in the CIFS filesystem reference counting.
Installing [3ujb9j7q] Inode corruption in XFS inode lookup.
Installing [01x2k6jv] Denial of service due to race condition in the scheduler subsystem.
Installing [hfh1ug4u] CVE-2011-4086: Denial of service in journaling block device.
Installing [4wb0i9tz] CVE-2012-1601: Denial of service in KVM VCPU creation.
Installing [aqut3qai] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.
Installing [0zkt2e47] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
Installing [pe6u1nwx] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Installing [jqtlake1] CVE-2012-2121: Memory leak in KVM device assignment.
Installing [u6ys5804] CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.
Installing [lr9cjz2p] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Installing [nscqru85] CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.
Installing [j01o1nco] ext4 filesystem corruption on fallocate.
Installing [p37lmn34] CVE-2012-2745: Denial-of-service in kernel key management.
Installing [alprvnsv] CVE-2012-2744: Remote denial-of-service in IPv6 connection tracking.
Installing [m06ws6vc] Unreliable futexes with read-only shared mappings.
Installing [b7mpy2k1] CVE-2011-1078: Information leak in Bluetooth SCO link driver.
Installing [pywfzhvz] CVE-2012-2384: Integer overflow in i915 execution buffer.
Installing [2ibdnvmo] Livelock due to invalid locking strategy when adding a leap-second.
Installing [oixf5hkj] CVE-2012-2384: Additional fix for integer overflow in i915 execution buffer.
Installing [m4x7vdnl] CVE-2012-2390: Memory leak in hugetlbfs mmap() failure.
Installing [o2a3jmox] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [u3qpyl86] CVE-2012-3430: kernel information leak in RDS sockets.
Installing [wr1of5oe] CVE-2012-3552: Denial-of-service in IP options handling.
Installing [y40wlmcw] CVE-2012-3412: Remote denial of service through TCP MSS option in SFC NIC.
Installing [dxshabnc] Use-after-free in USB.
Installing [aovf4isj] Race condition in SUNRPC.
Installing [trz9wa6p] CVE-2012-3400: Buffer overflow in UDF parsing.
Installing [062ge0uf] CVE-2012-3511: Use-after-free due to race condition in madvise.
Installing [tu585kp5] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Installing [fky5li3t] CVE-2012-2133: Use-after-free in hugetlbfs quota handling.
Installing [xtpg99y6] CVE-2012-5517: NULL pointer dereference in memory hotplug.
Installing [ffehzdo8] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Installing [u0d6ztl3] CVE-2012-4565: Divide by zero in TCP congestion control Algorithm.
Installing [7au7wp12] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Installing [80vrmgyk] CVE-2012-4530: Kernel information leak in binfmt execution.
Installing [uytq1dk0] CVE-2012-4398: Denial-of-service in kernel module loading.
Installing [3c5erej0] CVE-2013-0310: NULL pointer dereference in CIPSO socket options.
Installing [j8x8j89y] CVE-2013-0311: Privilege escalation in vhost descriptor management.
Installing [mkibg12j] CVE-2012-4508: Stale data exposure in ext4.
Installing [daw7s3mo] CVE-2012-4542: SCSI command filter does not restrict access to read-only devices.
Installing [nqlo7yy2] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [l6zf9mec] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Installing [r88p6prz] CVE-2013-1798: Information leak in KVM APIC driver.
Installing [tquaqo7o] CVE-2013-1792: Denial-of-service in user keyring management.
Installing [ao71x17l] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Installing [875umolk] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Installing [4dr93r2j] CVE-2013-1827: Denial-of-service in DCCP socket options.
Installing [cdrfdlrt] CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.
Installing [9j8xk8dz] CVE-2012-6546: Information leak in ATM sockets.
Installing [4oeurjvw] CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.
Installing [yhprsmoc] CVE-2013-1773: Heap buffer overflow in VFAT Unicode handling.
Installing [amh400jp] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Installing [532069fc] CVE-2013-1774: NULL pointer dereference in USB Inside Out Edgeport serial driver.
Installing [uaslykxk] CVE-2013-2017: Double free in Virtual Ethernet Tunnel driver (veth).
Installing [1vegmzxj] CVE-2013-1943: Local privilege escalation in KVM memory mappings.
Installing [wddz9qxt] CVE-2012-6548: Information leak in UDF export.
Installing [d51dm2vs] CVE-2013-0914: Information leak in signal handlers.
Installing [sxb5x0pd] CVE-2013-2852: Invalid format string usage in Broadcom B43 wireless driver.
Installing [vzlh2p9r] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Installing [l1wlz1f1] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Installing [m0y7j4ra] CVE-2013-3225: Kernel stack information leak in Bluetooth rfcomm.
Installing [3m5ckvvm] CVE-2013-3301: NULL pointer dereference in tracing sysfs files.
Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [0m3a5xq8] CVE-2013-2128: Denial of service in TCP splice.
Installing [2fg4nowt] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Installing [m4a0xb93] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Installing [pqfoprcp] CVE-2013-2237: Information leak on IPSec key socket.
Installing [i1ha5yp7] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Installing [aqfegdn1] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Installing [oojymn3l] CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.
Installing [kb7zovzd] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Installing [7ew8svwd] Off-by-one error causes reduced entropy in kernel PRNG.
Installing [v3hs5diu] CVE-2013-2888: Memory corruption in Human Input Device processing.
Installing [aew2tmdl] CVE-2013-2889: Memory corruption in Zeroplus HID driver.
Installing [ox2wqeva] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Installing [w9rhkfub] CVE-2013-1928: Kernel information leak in compat_ioctl/VIDEO_SET_SPU_PALETTE.
Installing [r55nqyci] CVE-2013-2164: Kernel information leak in the CDROM driver.
Installing [1vgf62zi] CVE-2013-2234: Information leak in IPsec key management.
Installing [hc532irb] CVE-2013-2851: Format string vulnerability is software RAID device names.
Installing [e129vh8h] CVE-2013-4592: Denial-of-service in KVM IOMMU mappings.
Installing [9wzwcaep] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Installing [ufm8ladu] CVE-2013-4470: Memory corruption in IPv4 and IPv6 networking corking with UFO.
Installing [5rh9jkmi] CVE-2013-6367: Divide-by-zero in KVM LAPIC.
Installing [ur8700aj] CVE-2013-6368: Memory corruption in KVM virtual APIC accesses.
Installing [nyg2e0m1] Error in the tag insertion logic of the bonding network device.
Installing [1ekik21n] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Installing [m8de4fmg] CVE-2013-7263, CVE-2013-7265: Information leak in IPv4, IPv6 and PhoNet socket recvmsg.
Installing [p4ufjdr0] CVE-2014-0101: NULL pointer dereference in SCTP protocol.
Installing [o86dh6ww] Use-after-free in EDAC Intel E752X driver.
Installing [b2h8hej4] Deadlock in XFS filesystem when removing a inode from namespace.
Installing [nvhmnvp6] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [7brqevk0] CVE-2013-1860: Buffer overflow in Wireless Device Management driver.
Installing [4nh0vuhi] Missing check in selinux for IPSec TCP SYN-ACK packets.
Installing [zvvk1k2q] Logic error in selinux when checking permissions on recv socket.
Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
Installing [1r5tw9sm] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Installing [z4k7xryp] CVE-2014-2523: Remote crash via DCCP conntrack.
Installing [pi89wa2j] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [b4x8o44g] CVE-2014-0196: Pseudo TTY device write buffer handling race.
Installing [s8s7tfsm] CVE-2014-3153: Local privilege escalation in futex requeueing.
Installing [bqk9mi1j] CVE-2013-6378: Denial-of-service in Marvell 8xxx Libertas WLAN driver.
Installing [rokmr7ey] CVE-2014-1874: Denial-of-service in SELinux on empty security context.
Installing [hxq9cdju] CVE-2014-0203: Memory corruption on listing procfs symbolic links.
Installing [n6kpf53d] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [pbab6ibn] CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.
Installing [8n932y6h] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.
Installing [yfh1rar2] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Installing [5z4hhyp3] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Installing [1vpc7i76] CVE-2012-6647: NULL pointer dereference in non-pi futexes.
Installing [ruu6bc4r] CVE-2014-3144, CVE-2014-3145: Multiple local denial of service vulnerabilities in netlink.
Installing [hgeqfh2x] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Installing [345v5a2z] CVE-2014-4667: Denial-of-service in SCTP stack when unpacking a COOKIE_ECHO chunk.
Installing [92st5y9o] CVE-2014-0205: Use-after-free in futex refcounting.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6

real    1m26.960s
user    0m39.562s
sys     0m34.806s

And now, 1 min 27 seconds for 267 patches, both CVEs and critical fixes...
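The Installing lines above are the only record of what this live-patched kernel actually carries, since uname -r keeps reporting the boot kernel, so an auditor wants them in machine-readable form. As an added example (my own code, not Oracle's and not part of the post), the Python below parses this run's format, expands Ksplice's abbreviated references such as CVE-2013-(726[6789], ...) and CVE-2013-2634, 2635, counts CVEs per year the way the OL5 post that follows suggests, and diffs the result against a required set. The sample is a constructed excerpt of the output above; the script name ksplice_audit.py and the required set are illustrative assumptions. The same parser handles the Install [...] lines of the OL5 run in the next post.

```python
"""Turn uptrack-upgrade output into an auditable CVE inventory.
(Added example; assumes the 'Install[ing] [id] description' line format
shown in the posts, with CVE ids written in any of the spellings seen there.)
"""
import re
import sys
from collections import Counter

STEP_RE = re.compile(r"^Install(?:ing)?\s+\[([0-9a-z]+)\]\s+(.*)$")
# CVE-2013-(726[6789], 727[01], 322[89], 3231): one year, a bracketed set
GROUP_RE = re.compile(r"CVE-(\d{4})-\(([^)]*)\)")
# CVE-2010-4163 and CVE-2010-4668 / CVE-2013-2634, 2635 (bare trailing numbers)
SINGLE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})((?:,\s*\d{4,}\b)*)")
EFFECTIVE_RE = re.compile(r"Effective kernel version is (\S+)")

# Constructed sample: a few lines of the output above, chosen to cover every
# spelling Ksplice uses for CVE references plus a fix with no CVE.
SAMPLE_OUTPUT = """\
Installing [uo1fmxxr] CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.
Installing [mhsn7n2j] Memory corruption during KSM swapping.
Installing [jxtltpyu] CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.
Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
Installing [s8s7tfsm] CVE-2014-3153: Local privilege escalation in futex requeueing.
Installing [92st5y9o] CVE-2014-0205: Use-after-free in futex refcounting.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6
"""


def parse_steps(text):
    """[(ksplice_id, description), ...] for every Install/Installing line."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def _expand(item):
    """'726[6789]' -> ['7266', '7267', '7268', '7269']; '3231' -> ['3231']."""
    item = item.strip()
    m = re.fullmatch(r"(\d*)\[(\d+)\](\d*)", item)
    if m:
        prefix, digits, suffix = m.groups()
        return [prefix + d + suffix for d in digits]
    return [item] if item.isdigit() else []


def cves_in(description):
    """All CVE ids named by one step description, abbreviations expanded."""
    found = []
    for year, body in GROUP_RE.findall(description):
        for item in body.split(","):
            found.extend("CVE-%s-%s" % (year, n) for n in _expand(item))
    for year, first, tail in SINGLE_RE.findall(GROUP_RE.sub("", description)):
        found.append("CVE-%s-%s" % (year, first))
        found.extend("CVE-%s-%s" % (year, n) for n in re.findall(r"\d{4,}", tail))
    return found


def all_cves(text):
    """Sorted, de-duplicated CVE ids applied by the run."""
    return sorted({cve for _, desc in parse_steps(text) for cve in cves_in(desc)})


def cves_by_year(text):
    """{'2010': 3, ...}: the timeline the post points at (the year after 'CVE-')."""
    return Counter(cve.split("-")[1] for cve in all_cves(text))


def missing_cves(text, required):
    """Which of a required set (e.g. an internal advisory list) the run did not apply."""
    return set(required) - set(all_cves(text))


def effective_kernel(text):
    """The 'Effective kernel version is ...' value, or None if not printed."""
    m = EFFECTIVE_RE.search(text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Usage: uptrack-upgrade -y 2>&1 | tee ksplice.log | python ksplice_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print("effective kernel:", effective_kernel(text))
    print("steps: %d, distinct CVEs: %d" % (len(parse_steps(text)), len(all_cves(text))))
    for year, n in sorted(cves_by_year(text).items()):
        print("  %s: %d" % (year, n))
    # Required set is an illustrative assumption, taken from ids in the output above.
    print("missing:", sorted(missing_cves(text, {"CVE-2014-3153", "CVE-2014-0196"})))
```

Running it over the real log is the check that turns "Your kernel is fully up to date" into something a vulnerability tracker can consume; keep the log, because the listing only exists at upgrade time.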


The magic of ksplice

I love talking about Oracle Ksplice and how cool a technology and feature it is. Whenever I explain to customers how much they can do with it, they often just can't believe the capabilities until I show them, in a matter of literally 5 seconds, that it actually really -just works-.

During Oracle OpenWorld we talked about it a lot, of course, and I wanted to show you how far back these ksplice updates can go, how much flexibility it gives a system administrator in terms of which kernel to use, how easy and fast it is, etc...

One of the main advantages of the ksplice technology is the ability for us to build these updates for many, many, yes many,... kernels, with a highly automated and scalable build infrastructure. When we publish a ksplice update, we build the update for -every kernel errata- released since the first kernel for that given major distribution release we started to support. What does this mean? Well, in the case of Oracle Linux 5, we currently support ksplice updates starting with Oracle Linux 5 update 4's kernel. The base kernel is the Red Hat Compatible Kernel: 2.6.18-164.el5, built Thu Sep 3 04:15:13 EDT 2009. Yes, you read that right, September 2009. So during the lifetime of Oracle Linux 5, starting with that kernel, we publish ksplice updates for every kernel since then to today (and forward, of course). So no matter what errata kernel you are on since -164, or which Oracle Linux 5 update release, ksplice updates released after that date will be available for all those kernels. A simple uptrack-upgrade will take that running version up to the latest updates. While the main focus of the ksplice online updates is around CVEs, we also add critical fixes, so it's a combination of both.

So back to OL5.4: running uname -r shows 2.6.18-164.el5. After uptrack-upgrade -y, the effective kernel version reported is 2.6.18-398.el5 (which by the way is the latest 2.6.18 kernel for OL5).

You can see the output below. You can also see how many 'minutes' it took, without reboot, all current and active right away, and you can follow the timeframe by looking at the year right behind CVE. You will see CVEs from 2009, 2010, 2011, 2012, 2013 and 2014. Completely current.

Now, this can be done on a running system: to install ksplice and start using it, you don't need to reboot, just install the uptrack tools and you're good to go. You can be current with CVEs and critical bugs without rebooting for years. You can be current even though you run an older update release of Oracle Linux, and you are not required to take new kernels which potentially (in the RHCK case) have new features backported, introducing new code beyond just bugfixes and new device drivers, which on a system that's stable you don't necessarily want or need. So it's always good to update to newer kernels when you get new hardware and you need new device drivers, but for existing stable production systems you don't really want or need that, nor do you necessarily need to get stuff from new kernels backported into older versions (again, in particular in the RHCK case), which introduces a lot of change; I will show you the lines-of-code change in another blog entry. Ksplice lets you stick with an older version, yet anything critical and CVE related will be there for you, and this for any errata kernel you start with since, in the OL5 case, update 4... Not just one update earlier, but any kernel at any point in time. If you do have periodic scheduled reboots, fine, install the kernel rpms so that the next time you reboot it boots into the latest kernel, if you want, but you don't have to. You have complete flexibility if and when you need it.

I hope that the output of this, and a follow-up blog I will do on OL6 as a similar example, shows how scalable this is, how much use this has had, how many updates we have done and can do, how complex these updates are (not just a one-liner change in some file), not just a one-off for one customer case but scalable. Also, with tons of checks in place so that it works for kernel modules, so that it won't lock up your box: we validate that it's the right kernel, that these updates are safe to apply, etc., etc. Proven, 7+ year old technology. And completely supported by us. You can run your database or middleware software and run uptrack-upgrade while it's up and running and humming along... perfectly OK.

time uptrack-upgrade -y
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Install [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Install [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Install [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Install [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Install [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Install [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Install [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Install [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Install [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Install [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Install [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Install [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Install [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Install [kyibbr3e] CVE-2009-4141: Local privilege 
escalation in fasync_helper().Install [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.Install [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.Install [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.Install [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.Install [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.Install [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.Install [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.Install [qdlkztzx] Kernel crash forwarding network traffic.Install [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.Install [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.Install [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pagesInstall [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.Install [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.Install [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.Install [xem0m4sg] Floating point state corruption after signal.Install [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.Install [3ulklysv] CVE-2010-0307: Denial of service on amd64Install [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 serverInstall [trws48lp] CVE-2010-1087: Oops when truncating a file in NFSInstall [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinksInstall [gmqqylxv] CVE-2010-1187: Denial of service in TIPCInstall [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremapInstall [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTPInstall [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruptionInstall [l5qljcxc] CVE-2010-1437: Privilege escalation in key managementInstall [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2Install [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth 
subsystem.Install [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.Install [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.Install [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.Install [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.Install [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.Install [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.Install [59car2zc] CVE-2010-2798: Denial of service in GFS2.Install [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.Install [5mgd1si0] Improved fix to CVE-2010-1173.Install [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.Install [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.Install [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.Install [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.Install [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.Install [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.Install [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.Install [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.Install [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.Install [ff1wrijq] Buffer overflow in icmpmsg_put.Install [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.Install [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.Install [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.Install [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.Install [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.Install [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.Install [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.Install [cggc9uy2] 
CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.Install [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.Install [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.Install [usukkznh] Mitigate denial of service attacks with large argument lists.Install [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.Install [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.Install [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.Install [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.Install [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.Install [hnbz3ppf] Integer overflow in sys_remap_file_pages.Install [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.Install [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.Install [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.Install [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.Install [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.Install [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.Install [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.Install [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.Install [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.Install [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.Install [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.Install [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.Install [ifgdet83] Use-after-free in MPT driver.Install [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.Install [cy964b8w] CVE-2011-1090: Denial of 
Service in NFSv4 client.Install [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.Install [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.Install [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.Install [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.Install [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.Install [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.Install [jz43fdgc] Denial of service in NFS server via reference count leak.Install [h860edrq] Fix a packet flood when initializing a bridge device without STP.Install [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.Install [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.Install [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.Install [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.Install [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.Install [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.Install [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.Install [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.Install [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.Install [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.Install [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.Install [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.Install [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.Install [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.Install [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.Install [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler APIInstall 
[djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.Install [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.Install [ofrder8l] Hangs using direct I/O with XFS filesystem.Install [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.Install [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.Install [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.Install [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.Install [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().Install [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.Install [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.Install [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.Install [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.Install [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.Install [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.Install [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.Install [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.Install [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.Install [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.Install [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.Install [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.Install [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.Install [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.Install [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.Install [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.Install [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.Install [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.Install [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.Install [yvevd42a] CVE-2011-1020, 
CVE-2011-3637: Information leak, DoS in /proc.Install [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.Install [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.Install [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.Install [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.Install [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.Install [uknrp2eo] Denial of service in filesystem unmounting.Install [97u6urvt] Soft lockup in USB ACM driver.Install [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.Install [loizuvxu] Kernel crash in Ethernet bridging netfilter module.Install [yc146ytc] Unresponsive I/O using QLA2XXX driver.Install [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.Install [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.Install [bvoz27gv] Arithmetic overflow in clock source calculations.Install [lzwurn1u] ext4 filesystem corruption on fallocate.Install [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.Install [9do532u6] Kernel panic when overcommiting memory with NFSd.Install [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.Install [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.Install [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.Install [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.Install [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.Install [l093jvcl] Kernel panic in SMB extended attributes.Install [qlzoyvty] Kernel panic in ext3 indirect blocks.Install [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.Install [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.Install [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.Install [n2dqx9n3] 
CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.Install [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.Install [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.Install [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.Install [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.Install [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.Install [2zzz6cqb] Data corruption on NFSv3/v2 short reads.Install [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.Install [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.Install [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.Install [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.Install [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.Install [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.Install [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.Install [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.Install [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.Install [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.Install [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.Install [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.Install [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.Install [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.Install [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.Install [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.Install [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.Install [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.Install [pl4pqen7] CVE-2013-0343: Denial of 
service in IPv6 privacy extensions.Install [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.Install [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.Install [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.Install [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.Install [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.Install [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.Install [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.Install [pz65qqpk] Panic in GFS2 filesystem locking code.Install [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.Install [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.Install [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.Install [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.Install [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.Install [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.Installing [v5267zuo] Clear garbage data on the kernel stack when handling signals.Installing [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.Installing [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.Installing [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.Installing [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.Installing [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.Installing [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.Installing [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.Installing [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.Installing [bjdsctfo] CVE-2009-3620: NULL pointer 
dereference in ATI Rage 128 driver.Installing [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.Installing [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.Installing [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6Installing [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.Installing [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.Installing [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.Installing [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().Installing [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.Installing [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.Installing [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.Installing [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.Installing [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.Installing [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.Installing [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.Installing [qdlkztzx] Kernel crash forwarding network traffic.Installing [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.Installing [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.Installing [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pagesInstalling [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.Installing [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.Installing [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.Installing [xem0m4sg] Floating point state corruption after signal.Installing [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.Installing [3ulklysv] CVE-2010-0307: Denial of service on amd64Installing [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 serverInstalling [trws48lp] CVE-2010-1087: Oops when truncating a file in 
NFSInstalling [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinksInstalling [gmqqylxv] CVE-2010-1187: Denial of service in TIPCInstalling [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremapInstalling [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTPInstalling [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruptionInstalling [l5qljcxc] CVE-2010-1437: Privilege escalation in key managementInstalling [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2Installing [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.Installing [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.Installing [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.Installing [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.Installing [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.Installing [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.Installing [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.Installing [59car2zc] CVE-2010-2798: Denial of service in GFS2.Installing [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.Installing [5mgd1si0] Improved fix to CVE-2010-1173.Installing [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.Installing [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.Installing [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.Installing [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.Installing [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.Installing [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.Installing [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.Installing [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.Installing [x8q709jt] CVE-2010-2963: Kernel memory overwrite in 
VIDIOCSMICROCODE.Installing [ff1wrijq] Buffer overflow in icmpmsg_put.Installing [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.Installing [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.Installing [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.Installing [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.Installing [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.Installing [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.Installing [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.Installing [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.Installing [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.Installing [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.Installing [usukkznh] Mitigate denial of service attacks with large argument lists.Installing [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.Installing [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.Installing [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.Installing [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.Installing [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.Installing [hnbz3ppf] Integer overflow in sys_remap_file_pages.Installing [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.Installing [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.Installing [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.Installing [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.Installing [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.Installing [mscc8dnf] CVE-2010-4655: 
Information leak in ethtool_get_regs.Installing [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.Installing [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.Installing [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.Installing [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.Installing [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.Installing [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.Installing [ifgdet83] Use-after-free in MPT driver.Installing [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.Installing [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.Installing [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.Installing [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.Installing [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.Installing [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.Installing [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.Installing [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.Installing [jz43fdgc] Denial of service in NFS server via reference count leak.Installing [h860edrq] Fix a packet flood when initializing a bridge device without STP.Installing [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.Installing [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.Installing [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.Installing [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.Installing [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.Installing [m1egxmrj] CVE-2011-1573: Remote denial of service in 
SCTP.Installing [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.Installing [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.Installing [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.Installing [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.Installing [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.Installing [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.Installing [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.Installing [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.Installing [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.Installing [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler APIInstalling [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.Installing [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.Installing [ofrder8l] Hangs using direct I/O with XFS filesystem.Installing [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.Installing [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.Installing [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.Installing [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.Installing [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().Installing [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.Installing [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.Installing [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.Installing [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.Installing [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.Installing [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.Installing [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.Installing [2zawfk0b] CVE-2011-3188: Weak TCP 
sequence number generation.Installing [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.Installing [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.Installing [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.Installing [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.Installing [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.Installing [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.Installing [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.Installing [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.Installing [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.Installing [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.Installing [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.Installing [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.Installing [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.Installing [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.Installing [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.Installing [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.Installing [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.Installing [uknrp2eo] Denial of service in filesystem unmounting.Installing [97u6urvt] Soft lockup in USB ACM driver.Installing [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.Installing [loizuvxu] Kernel crash in Ethernet bridging netfilter module.Installing [yc146ytc] Unresponsive I/O using QLA2XXX driver.Installing [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.Installing [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.Installing [bvoz27gv] Arithmetic overflow in clock source calculations.Installing [lzwurn1u] ext4 filesystem 
corruption on fallocate.Installing [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.Installing [9do532u6] Kernel panic when overcommiting memory with NFSd.Installing [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.Installing [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.Installing [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.Installing [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.Installing [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.Installing [l093jvcl] Kernel panic in SMB extended attributes.Installing [qlzoyvty] Kernel panic in ext3 indirect blocks.Installing [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.Installing [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.Installing [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.Installing [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.Installing [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.Installing [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.Installing [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.Installing [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.Installing [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.Installing [2zzz6cqb] Data corruption on NFSv3/v2 short reads.Installing [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.Installing [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.Installing [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.Installing [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.Installing [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.Installing [0xjd0c1r] CVE-2013-0914: Information leak in signal 
handlers.Installing [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.Installing [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.Installing [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.Installing [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.Installing [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.Installing [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.Installing [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.Installing [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.Installing [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.Installing [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.Installing [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.Installing [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.Installing [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.Installing [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.Installing [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.Installing [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.Installing [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.Installing [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.Installing [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.Installing [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.Installing [pz65qqpk] Panic in GFS2 filesystem locking code.Installing [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.Installing [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.Installing [xqpvy7zh] 
CVE-2014-4699: Privilege escalation in ptrace() RIP modification.Installing [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.Installing [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.Installing [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.Your kernel is fully up to date.Effective kernel version is 2.6.18-398.el5real0m59.447suser0m22.640ssys0m22.611s1 minute for 215 updates. And this isn't one minute of hang, it applies each patch and just takes a few microseconds to apply. So your applications or users won't experience hangs or hickups at all.


MySQL 5.6.20-4 and Oracle Linux DTrace

The MySQL team just released MySQL 5.6.20. One of the cool new things for Oracle Linux users is the addition of MySQL DTrace probes. When you use Oracle Linux 6 or 7 with UEKr3 (3.8.x) and the latest DTrace utils/tools, you can make use of this. MySQL 5.6 is available for install through ULN or from public-yum. You can just install it using yum.

# yum install mysql-community-server

Then install dtrace utils from ULN.

# yum install dtrace-utils

As root, enable DTrace and allow normal users to record trace information:

# modprobe fasttrap
# chmod 666 /dev/dtrace/helper

Start MySQL server.

# /etc/init.d/mysqld start

Now you can try out various dtrace scripts. You can find the reference manual for MySQL DTrace support here.

Example 1

Save the script below as query.d.

#!/usr/sbin/dtrace -qws
#pragma D option strsize=1024

mysql*:::query-start /* using the mysql provider */
{
    self->query = copyinstr(arg0);   /* Get the query */
    self->connid = arg1;             /* Get the connection ID */
    self->db = copyinstr(arg2);      /* Get the DB name */
    self->who = strjoin(copyinstr(arg3), strjoin("@", copyinstr(arg4))); /* Get the username */
    printf("%Y\t %20s\t Connection ID: %d \t Database: %s \t Query: %s\n",
           walltimestamp, self->who, self->connid, self->db, self->query);
}

Run it; then, in another terminal, connect to the MySQL server and run a few queries.

# dtrace -s query.d
dtrace: script 'query.d' matched 22 probes
CPU     ID                    FUNCTION:NAME
  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 Jul 29 12:32:21  root@localhost  Connection ID: 5  Database:  Query: select @@version_comment limit 1
  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 Jul 29 12:32:28  root@localhost  Connection ID: 5  Database:  Query: SELECT DATABASE()
  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 Jul 29 12:32:28  root@localhost  Connection ID: 5  Database: database  Query: show databases
  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 Jul 29 12:32:28  root@localhost  Connection ID: 5  Database: database  Query: show tables
  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 Jul 29 12:32:31  root@localhost  Connection ID: 5  Database: database  Query: select * from foo

Example 2

Save the script below as statement.d.

#!/usr/sbin/dtrace -s
#pragma D option quiet

dtrace:::BEGIN
{
    printf("%-60s %-8s %-8s %-8s\n", "Query", "RowsU", "RowsM", "Dur (ms)");
}

mysql*:::update-start, mysql*:::insert-start,
mysql*:::delete-start, mysql*:::multi-delete-start,
mysql*:::multi-delete-done, mysql*:::select-start,
mysql*:::insert-select-start, mysql*:::multi-update-start
{
    self->query = copyinstr(arg0);
    self->querystart = timestamp;
}

mysql*:::insert-done, mysql*:::select-done,
mysql*:::delete-done, mysql*:::multi-delete-done, mysql*:::insert-select-done
/ self->querystart /
{
    this->elapsed = ((timestamp - self->querystart)/1000000);
    printf("%-60s %-8d %-8d %d\n", self->query, 0, arg1, this->elapsed);
    self->querystart = 0;
}

mysql*:::update-done, mysql*:::multi-update-done
/ self->querystart /
{
    this->elapsed = ((timestamp - self->querystart)/1000000);
    printf("%-60s %-8d %-8d %d\n", self->query, arg1, arg2, this->elapsed);
    self->querystart = 0;
}

Run it and do a few queries.

# dtrace -s statement.d
Query                                                        RowsU    RowsM    Dur (ms)
select @@version_comment limit 1                             0        1        0
SELECT DATABASE()                                            0        1        0
show databases                                               0        6        0
show tables                                                  0        2        0
select * from foo                                            0        1        0


Openstack with Oracle Linux and Oracle VM

The OpenStack Summit has been an exciting event. We announced the Oracle OpenStack Distribution with support for Oracle Linux and Oracle VM, and support included with Oracle Linux and Oracle VM Premier Support at no additional cost. The announcement was well received by our customers and partners. We’re pleased to continue the Oracle tradition of translating our enterprise experience into community contributions as we’ve done with Linux and Xen. Oracle is committed to ensuring choice for both our partners and customers.

A preview of OpenStack distribution (Havana) is now available on oracle.com for Oracle Linux (controller + compute) and Oracle VM (compute). We will follow this up with the production (GA) release in the next several months, including an update to IceHouse and later Juno. (whitepaper)

An OpenStack distribution contains several components that can be grouped into 2 major buckets: (a) controller components, such as keystone, horizon, glance, cinder, ...; (b) compute components such as nova and neutron. We provide support for the controller components on top of Oracle Linux and as part of Oracle Linux Premier Support. We provide support for the compute components on top of either Oracle Linux or Oracle VM (as part of Premier Support for both products).

By adding the Oracle OpenStack Distribution to Oracle Linux and Oracle VM, we can provide integrated support for all components in the stack including applications, database, middleware, guest OS, host OS, virtualization, and OpenStack – plus servers and storage. Our experience attacking the world’s toughest enterprise workloads means we focus on OpenStack stability, availability, performance, debugging and diagnostics. Oracle OpenStack customers and partners can immediately benefit from advanced features like Ksplice and DTrace from Oracle Linux and the hardening, testing, performance and stability of Oracle VM.

If you have chosen an OpenStack distribution other than Oracle’s, rest assured. Oracle will not attempt to force you to choose our OpenStack distribution by withholding support; we will provide the same high quality Oracle Linux and Oracle VM support no matter which OpenStack distribution you choose.

Furthermore, Oracle will continue to collaborate with Oracle’s OpenStack partners validating with Oracle Linux and Oracle VM. Our goal remains the same: jointly deliver great solutions and support experience for our mutual customers. We also look forward to working with other vendors to certify networking, storage, hypervisor and other plugins into the Oracle OpenStack Distribution.

Finally, we plan to follow a development model similar to the approach we use with Linux and the Unbreakable Enterprise Kernel. Our development work is focused on contributing upstream to the OpenStack community and we will pick up new releases of OpenStack after testing and validation.

It is an exciting time for OpenStack developers and users. We are thrilled that Oracle and our customers are part of it!


A good use-case for Oracle Ksplice

One of the advantages of Oracle Ksplice is that you can stick to a given version of a kernel for a very long time. We provide you with the security updates through our Ksplice technology for all the various kernels released, so there's no need for a reboot and also no need to install a newer kernel version that typically also contains new drivers or even new features. Zero downtime, yet you are current. Ksplice updates are always based on critical bugfixes or security fixes, things you really want to apply. We do not use Ksplice to provide new driver updates or new features; it's purely focused on those patches that you really want to apply to your environment without downtime and risk of change.

The typical model for providing kernel errata (security/critical fixes) is to provide a newer version of the latest kernel in a "dot dot" release. For instance, for Oracle Linux 6, if the current latest "Red Hat Compatible Kernel" is 2.6.32-431.1.2 and a security issue gets fixed, there will be a 2.6.32-431.3.1 (or so). The sysadmin then has to install the new kernel and reboot the server(s) in order for that fix to become active. These "dot dot" release versions typically only contain security fixes or critical bugfixes, so while a reboot is annoying and can have a significant time impact, the actual updates are very specific.

When updated versions of the OS are released (such as OL6 update 1, OL6 update 2, ...), however, the change in the kernel can be more significant. For instance, look at the lifecycle of Oracle Linux 6 with the "RHCK" versions: OL6 GA shipped with kernel 2.6.32-71, update 1 with 2.6.32-131, update 2 with 2.6.32-220, update 3 with 2.6.32-279, update 4 with 2.6.32-358, update 5 with 2.6.32-431. Each of these kernels has pretty significant changes. Aside from carrying forward the security fixes and critical bugfixes, they typically also contain new device drivers and new features backported into older kernels. In fact, if you look at the changelog of the RHCKs you will see features from kernels as current as 3.x backported into 2.6.32.

In this case, going from one version to another is a bigger deal for some customers that have a very conservative upgrade policy. However, to be current with security updates one typically has to go to a newer version in order to get the errata. Security fixes are not backported to all older versions by default; while some vendors have a support option where they will support one or two other kernel versions, it's relatively selective.

With Ksplice, however, we make the security/critical fix errata available for all the various kernels, not just one or two selected versions. So you can be on any of these kernels and, without the need for a reboot, have the fixes available. That's choice and flexibility. It reduces the risk of upgrading to newer kernels to get a fix, it reduces downtime to zero and it increases the security of your servers.

By the way, 2.6.32-71 was released 03-Jan-2011. Since then there were 45 kernels released (RHCK) with vulnerability fixes and critical fixes, so if you wanted to remain current, that would have resulted in 44 reboots for each server since 2011 (so 3.5 years). With Oracle Ksplice, you could still be running that 2.6.32-71 kernel from January 2011, without any reboot, and be current with your CVEs. Imagine having hundreds, if not thousands, of servers... time saved, cost saved...

To give you a concrete example, here is a list of all the different kernel versions (RHCK) for Oracle Linux 6:

kernel-2.6.32-71
kernel-2.6.32-71.14.1
kernel-2.6.32-71.18.1
kernel-2.6.32-71.18.2
kernel-2.6.32-71.24.1
kernel-2.6.32-71.29.1
kernel-2.6.32-131.0.15
kernel-2.6.32-131.2.1
kernel-2.6.32-131.4.1
kernel-2.6.32-131.6.1
kernel-2.6.32-131.12.1
kernel-2.6.32-131.17.1
kernel-2.6.32-131.21.1
kernel-2.6.32-220.2.1
kernel-2.6.32-220.4.1
kernel-2.6.32-220.4.2
kernel-2.6.32-220.7.1
kernel-2.6.32-220.13.1
kernel-2.6.32-220.17.1
kernel-2.6.32-220.23.1
kernel-2.6.32-220
kernel-2.6.32-279.1.1
kernel-2.6.32-279.2.1
kernel-2.6.32-279.5.1
kernel-2.6.32-279.5.2
kernel-2.6.32-279.9.1
kernel-2.6.32-279.11.1
kernel-2.6.32-279.14.1
kernel-2.6.32-279.19.1
kernel-2.6.32-279.22.1
kernel-2.6.32-279
kernel-2.6.32-358.0.1
kernel-2.6.32-358.2.1
kernel-2.6.32-358.6.1
kernel-2.6.32-358.6.2
kernel-2.6.32-358.11.1
kernel-2.6.32-358.14.1
kernel-2.6.32-358.18.1
kernel-2.6.32-358.23.2
kernel-2.6.32-358
kernel-2.6.32-431.1.2
kernel-2.6.32-431.3.1
kernel-2.6.32-431.5.1
kernel-2.6.32-431.11.2
kernel-2.6.32-431.17.1
kernel-2.6.32-431

With Oracle Linux and Ksplice you could be running -any- of the above kernel versions in your production environments; when a security vulnerability gets fixed, we will make a fix available for all of the above.

Here is a list of the latest Ksplice update packages for Oracle Linux 6 with RHCK. As you can see, all the kernels are there:

uptrack-updates-2.6.32-131.0.15.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.12.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.17.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.21.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.4.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.6.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.13.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.17.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.23.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.4.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.4.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.7.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.11.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.1.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.14.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.19.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.22.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.5.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.5.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.9.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.0.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.11.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.14.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.18.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.23.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.6.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.6.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.11.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.1.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.3.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.5.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.14.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.18.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.18.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.24.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.29.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.el6.x86_64.20140331-0
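
The claim above, that any of the listed kernels can stay in production and still receive fixes, is only true for a host if an uptrack-updates package actually exists for the exact build it runs. The following Python script is an added example (not code from the original post) that checks a fleet inventory of `uname -r` values against the available uptrack-updates package names using the two naming formats shown above; the inventory and the package subset in the script are constructed sample data, and the db03 build is a made-up placeholder to show what an uncovered host looks like.

```python
"""Added example, not code from the original post: check whether every
kernel build in a server inventory has a matching Ksplice uptrack-updates
package.  Name formats follow the two lists in the post
(kernel-2.6.32-431.17.1 and uptrack-updates-2.6.32-431.17.1.el6.x86_64.20140331-0);
the inventory and package list below are constructed sample data."""
import re
from typing import Dict, Iterable, Tuple

# "kernel-2.6.32-431.17.1" or "2.6.32-431.17.1.el6.x86_64" (uname -r) -> "2.6.32-431.17.1"
_KERNEL_RE = re.compile(r"^(?:kernel-)?(\d+\.\d+\.\d+-\d+(?:\.\d+)*)")
# "uptrack-updates-2.6.32-431.17.1.el6.x86_64.20140331-0" -> "2.6.32-431.17.1"
_UPTRACK_RE = re.compile(r"^uptrack-updates-(\d+\.\d+\.\d+-\d+(?:\.\d+)*)\.el\d+\.")


def kernel_version(name: str) -> str:
    """Strip the package prefix and the distro/arch suffix from a kernel name."""
    m = _KERNEL_RE.match(name.strip())
    if not m:
        raise ValueError("unrecognised kernel name: %r" % name)
    return m.group(1)


def uptrack_kernel(package: str) -> str:
    """Return the kernel build that an uptrack-updates package applies to."""
    m = _UPTRACK_RE.match(package.strip())
    if not m:
        raise ValueError("unrecognised uptrack-updates package: %r" % package)
    return m.group(1)


def version_key(version: str) -> Tuple[int, ...]:
    """Sort key that orders 2.6.32-71.29.1 before 2.6.32-131 numerically, not lexically."""
    return tuple(int(part) for part in re.split(r"[.-]", version))


def uncovered_kernels(inventory: Dict[str, str], uptrack_packages: Iterable[str]) -> Dict[str, str]:
    """Map host -> kernel for every host whose running kernel has no uptrack-updates package."""
    covered = {uptrack_kernel(p) for p in uptrack_packages}
    return {
        host: kernel_version(uname)
        for host, uname in inventory.items()
        if kernel_version(uname) not in covered
    }


# Constructed sample data: three hosts reporting `uname -r`, and a subset of the
# 20140331 uptrack-updates package list from the post.  The db03 build is a
# made-up placeholder, not a real kernel, so that one host shows up as uncovered.
SAMPLE_INVENTORY = {
    "web01": "2.6.32-71.el6.x86_64",
    "web02": "2.6.32-431.5.1.el6.x86_64",
    "db03": "2.6.32-999.0.1.el6.x86_64",   # placeholder build, constructed
}
SAMPLE_UPTRACK = [
    "uptrack-updates-2.6.32-71.el6.x86_64.20140331-0",
    "uptrack-updates-2.6.32-131.0.15.el6.x86_64.20140331-0",
    "uptrack-updates-2.6.32-431.5.1.el6.x86_64.20140331-0",
]

if __name__ == "__main__":
    gaps = uncovered_kernels(SAMPLE_INVENTORY, SAMPLE_UPTRACK)
    for host, kernel in sorted(gaps.items(), key=lambda hk: version_key(hk[1])):
        print("%s: kernel %s has no Ksplice update package" % (host, kernel))
```

In practice the inventory comes from your configuration management or monitoring system and the package list from the ksplice channel on ULN; the point of keeping the two parsers separate is that `uname -r` carries the `.el6.x86_64` suffix while the kernel list in the post does not, and a naive string comparison between the two would report every host as uncovered.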


Unbreakable Linux Network APIs example

I posted a short blog entry about the recently released ULN APIs the other day with a sample of how to call the different APIs. Here is a concrete example of using the API to find a package in a channel and download it.

$ ./ulnget.py kernel-headers.2.6.32-71.29 ol6_x86_64_latest
Searching for 'kernel-headers.2.6.32-71.29' in channel 'ol6_x86_64_latest'
Logging in...
Logged in...
Retrieving all packages...
Found kernel-headers.2.6.32-71.29.1.el6
Getting package details...
Downloading https://uln.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/kernel-headers-2.6.32-71.29.1.el6.x86_64.rpm...
Logged out...

The code for the above is pasted below; this is just a very simplistic example...

#!/usr/bin/python
# Python 2 (xmlrpclib, urllib2, print statement), as shipped with Oracle Linux 6.
try:
    import os
    import sys
    import getpass
    import datetime
    import xmlrpclib
    import urllib2
except ImportError, e:
    raise ImportError(str(e) + ': Module not found')

if len(sys.argv) != 3:
    print "Usage : ulnget.py [packagename] [channelname]"
    exit(1)

search = str(sys.argv[1])
channelLabel = str(sys.argv[2])
print "Searching for '%s' in channel '%s'" % (search, channelLabel)

SERVER_URL = 'https://linux-update.oracle.com/rpc/api'
USERNAME = 'username'
PASSWORD = 'password'
# channelLabel = 'ol6_x86_64_latest'

client = xmlrpclib.Server(SERVER_URL)
print ""

# login
print "Logging in..."
sessionKey = client.auth.login(USERNAME, PASSWORD)
if len(sessionKey) != 43:
    # both format arguments must be supplied; formatting with the bare string raised TypeError
    print "Invalid %d-character sessionKey : '%s'" % (len(sessionKey), sessionKey)
    exit(1)
print "Logged in..."

print "Retrieving all packages..."
packageList = client.channel.software.listAllPackages(sessionKey, channelLabel)
for package in packageList:
    # name.version-release, e.g. kernel-headers.2.6.32-71.29.1.el6
    packageName = '%s.%s-%s' % (package['package_name'], package['package_version'], package['package_release'])
    if search in packageName:
        print "Found %s" % packageName
        pid = package['package_id']
        print "Getting package details..."
        packageDetail = client.packages.getDetails(sessionKey, pid)
        url = packageDetail['download_urls'][0]
        # the session key authorizes the download via the X-ULN-API-User-Key header
        req = urllib2.Request(url, headers={'X-ULN-API-User-Key': sessionKey})
        try:
            print "Downloading %s..." % url
            response = urllib2.urlopen(req)
            contents = response.read()
            # write the RPM next to the script under its own file name
            with open(os.path.basename(url), 'wb') as rpmfile:
                rpmfile.write(contents)
        except urllib2.HTTPError, e:
            print
            print "HTTP error code : %d" % e.code
        except Exception, e:
            print
            print str(e)

print ""
retval = client.auth.logout(sessionKey)
if retval == 1:
    print "Logged out..."
else:
    print "Failed to log out..."


Unbreakable Linux Network APIs available

Aside from the uln_channel tool that we recently released, we are now also supporting a number of web services on ULN. A handful of useful APIs are available. Below is a simple Python example that works out of the box on Oracle Linux 6 (when you have an account on ULN) and a description of the currently available APIs. Note that the Python code is very simplistic... I know, no exception handling, that wasn't the point ;)... Additionally, the ULN integration with Spacewalk uses these APIs as well. See here.

APIs:

client.auth.login(username,password) returns sessionKey
client.errata.listCves(sessionKey, advisory) returns cveList
client.errata.applicableToChannels(sessionKey, advisory) returns channelList
client.channel.software.listLatestPackages(sessionKey, channelLabel) returns packageList
client.channel.software.listErrata(sessionKey, channelLabel) returns errataList
client.packages.listProvidingErrata(sessionKey, pid) returns errataList
client.channel.listSoftwareChannels(sessionKey) returns channelList
client.channel.software.listAllPackages(sessionKey, channelLabel) returns packageList
client.errata.listPackages(sessionKey, advisory) returns packageList
client.errata.getDetails(sessionKey, advisory) returns errataDetail
client.channel.software.getDetails(sessionKey, channelLabel) returns channelDetail
client.packages.getDetails(sessionKey, pid) returns packageDetail
client.auth.logout(sessionKey) returns retval

Sample output of the code:

$ ./sample.py
Login : client.auth.login(username,password) returns sessionKey
Logged in...

List CVEs for a particular advisory : client.errata.listCves(sessionKey, advisory) returns cveList
Example : CVEs for advisory 'ELSA-2013-1100' : ['CVE-2013-2231']

List channels applicable to advisory : client.errata.applicableToChannels(sessionKey, advisory) returns channelList
Example : Channels applicable to advisory 'ELSA-2013-1100' : [{'channel_name': 'Oracle Linux 6 Latest (i386)', 'channel_label': 'ol6_i386_latest', 'parent_channel_id': ' ', 'channel_id': 941}, {'channel_name': 'Oracle Linux 6 Latest (x86_64)', 'channel_label': 'ol6_x86_64_latest', 'parent_channel_id': ' ', 'channel_id': 944}, {'channel_name': 'Oracle Linux 6 Update 4 Patch (i386)', 'channel_label': 'ol6_u4_i386_patch', 'parent_channel_id': ' ', 'channel_id': 1642}, {'channel_name': 'Oracle Linux 6 Update 4 Patch (x86_64)', 'channel_label': 'ol6_u4_x86_64_patch', 'parent_channel_id': ' ', 'channel_id': 1644}]

List latest packages in a given channel : client.channel.software.listLatestPackages(sessionKey, channelLabel) returns packageList
Example : Packages for channel 'ol6_x86_64_latest' returns 6801 packages

List errata in a given channel : client.channel.software.listErrata(sessionKey, channelLabel) returns errataList
Example : Errata in channel 'ol6_x86_64_latest' returns 1403 errata

List errata for a given package : client.packages.listProvidingErrata(sessionKey, pid) returns errataList
Example : [{'errata_update_date': '2011-06-08 00:00:00', 'errata_advisory_type': 'Security Advisory', 'errata_synopsis': 'subversion security update', 'errata_advisory': 'ELSA-2011-0862', 'errata_last_modified_date': '2011-06-08 00:00:00', 'errata_issue_date': '2011-06-08 00:00:00'}]

List software channels available : client.channel.listSoftwareChannels(sessionKey) returns channelList
Example : List of channels returns '253' channels

List all packages for a given channel : client.channel.software.listAllPackages(sessionKey, channelLabel) returns packageList
Example : All packages for channel 'ol6_x86_64_latest' returns 25310 packages

List packages for a given advisory : client.errata.listPackages(sessionKey, advisory) returns packageList
Example : Packages for advisory 'ELSA-2013-1100' returns 12 packages

Details for a specific advisory : client.errata.getDetails(sessionKey, advisory) returns errataDetail
Example : {'errata_update_date': '7/22/13', 'errata_topic': ' ', 'errata_type': 'Security Advisory', 'errata_severity': 'Important', 'errata_notes': ' ', 'errata_synopsis': 'qemu-kvm security update', 'errata_references': ' ', 'errata_last_modified_date': '2013-07-22 00:00:00', 'errata_issue_date': '7/22/13', 'errata_description': '[qemu-kvm-0.12.1.2-2.355.el6_4.6]\n- kvm-qga-cast-to-int-for-DWORD-type.patch [bz#980758]\n- kvm-qga-remove-undefined-behavior-in-ga_install_service.patch [bz#980758]\n- kvm-qga-diagnostic-output-should-go-to-stderr.patch [bz#980758]\n- kvm-qa_install_service-nest-error-paths-more-idiomatically.patch [bz#980758]\n- kvm-qga-escape-cmdline-args-when-registering-win32-service.patch [bz#980758]\n- Resolves: bz#980758\n (qemu-kvm: CVE-2013-2231 qemu: qemu-ga win32 service unquoted search path [rhel-6.4.z])'}

Details for a given channel : client.channel.software.getDetails(sessionKey, channelLabel) returns channelDetail
Example : {'channel_description': 'All packages released for Oracle Linux 6 (x86_64), including the very latest updated packages', 'channel_summary': 'Oracle Linux 6 Latest (x86_64)', 'channel_arch_name': 'x86_64', 'metadata_urls': {'group': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/comps.xml', 'checksum': '08ec74da7552f56814bc7f94d60e6d1c3d8d9ff9', 'checksum_type': 'sha', 'file_name': 'repodata/comps.xml'}], 'filelists': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/filelists.xml.gz', 'checksum': '2fb7fe60c7ee4dc948bbc083c18ab065384e990f', 'checksum_type': 'sha', 'file_name': 'repodata/filelists.xml.gz'}], 'updateinfo': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/updateinfo.xml.gz', 'checksum': '15b889640ad35067d99b15973bb71aa1dc33ab00', 'checksum_type': 'sha', 'file_name': 'repodata/updateinfo.xml.gz'}], 'primary': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/primary.xml.gz', 'checksum': '21f7115120c03a9dbaf25c6e1e9e3d6288bf664f', 'checksum_type': 'sha', 'file_name': 'repodata/primary.xml.gz'}], 'repomd': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/repomd.xml', 'file_name': 'repodata/repomd.xml'}], 'other': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/other.xml.gz', 'checksum': '30a176c8509677b588863bf21d7b196941e866af', 'checksum_type': 'sha', 'file_name': 'repodata/other.xml.gz'}]}}

Details for a given package : client.packages.getDetails(sessionKey, pid) returns packageDetail
Example : {'package_size': 5855337, 'package_arch_label': 'i686', 'package_cookie': '1307566435', 'package_md5sum': 'e74525b5bbaa9e637fe818f3f5777c02', 'package_name': 'subversion', 'package_summary': 'A Modern Concurrent Version Control System', 'package_epoch': ' ', 'package_checksums': [{'md5': 'e74525b5bbaa9e637fe818f3f5777c02'}], 'package_payload_size': 5857988, 'package_version': '1.6.11', 'package_license': 'ASL 1.1', 'package_vendor': 'Oracle America', 'package_release': '2.el6_1.4', 'package_last_modified_date': '2011-06-08 15:53:55', 'package_description': 'Subversion is a concurrent version control system which enables one\nor more users to collaborate in developing and maintaining a\nhierarchy of files and directories while keeping a history of all\nchanges. Subversion only stores the differences between versions,\ninstead of every complete file. Subversion is intended to be a\ncompelling replacement for CVS.', 'package_id': 2814035, 'providing_channels': ['ol6_x86_64_latest'], 'package_build_host': 'ca-build44.us.oracle.com', 'package_build_date': '2011-06-08 15:53:55', 'download_urls': ['https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/subversion-1.6.11-2.el6_1.4.src.rpm'], 'package_file': 'subversion-1.6.11-2.el6_1.4.src.rpm'}

Logout : client.auth.logout(sessionKey) returns retval
Logged out...

Sample code:

#!/usr/bin/env python
# Python 2 (xmlrpclib, print statement), as shipped with Oracle Linux 6.
try:
    import os
    import sys
    import getpass
    import datetime
    import xmlrpclib
except ImportError, e:
    raise ImportError(str(e) + ': Module not found')

SERVER_URL = 'https://linux-update.oracle.com/rpc/api'
USERNAME = 'myusername@company.com'
PASSWORD = 'mypassword'

client = xmlrpclib.Server(SERVER_URL)

# login
print "Login : client.auth.login(username,password) returns sessionKey "
sessionKey = client.auth.login(USERNAME, PASSWORD)
if len(sessionKey) != 43:
    # both format arguments must be supplied; formatting with the bare string raised TypeError
    print "Invalid %d-character sessionKey : '%s'" % (len(sessionKey), sessionKey)
    exit(1)
print "Logged in..."
print ""
print ""
print ""

# list CVEs for an advisory
print "List CVEs for a particular advisory : client.errata.listCves(sessionKey, advisory) returns cveList"
advisory = "ELSA-2013-1100"
cveList = client.errata.listCves(sessionKey, advisory)
print "Example : CVEs for advisory '%s' : %s" % (advisory, cveList)
print ""
print ""
print ""

# list channels for CVE
print "List channels applicable to advisory : client.errata.applicableToChannels(sessionKey, advisory) returns channelList"
channelList = client.errata.applicableToChannels(sessionKey, advisory)
print "Example : Channels applicable to advisory '%s' : %s" % (advisory, channelList)
print ""
print ""
print ""

# list latest packages in a channel
print "List latest packages in a given channel : client.channel.software.listLatestPackages(sessionKey, channelLabel) returns packageList"
channelLabel = 'ol6_x86_64_latest'
packageList = client.channel.software.listLatestPackages(sessionKey, channelLabel)
print "Example : Packages for channel '%s' returns %d packages" % (channelLabel, len(packageList))
print ""
print ""
print ""

# list errata in a channel
print "List errata in a given channel : client.channel.software.listErrata(sessionKey, channelLabel) returns errataList"
errataList = client.channel.software.listErrata(sessionKey, channelLabel)
print "Example : Errata in channel '%s' returns %d errata" % (channelLabel, len(errataList))
print ""
print ""
print ""

# list errata for a package with a specific id
print "List errata for a given package : client.packages.listProvidingErrata(sessionKey, pid) returns errataList"
pid = '2814035'
errataList = client.packages.listProvidingErrata(sessionKey, pid)
print "Example : \n%s\n" % errataList
print ""
print ""
print ""

# list software channels
print "List software channels available : client.channel.listSoftwareChannels(sessionKey) returns channelList"
channelList = client.channel.listSoftwareChannels(sessionKey)
print "Example : List of channels returns '%d' channels" % (len(channelList))
print ""
print ""
print ""

# list all packages of a channel
print "List all packages for a given channel : client.channel.software.listAllPackages(sessionKey, channelLabel) returns packageList"
packageList = client.channel.software.listAllPackages(sessionKey, channelLabel)
print "Example : All packages for channel '%s' returns %d packages" % (channelLabel, len(packageList))
print ""
print ""
print ""

# list packages for an errata
print "List packages for a given advisory : client.errata.listPackages(sessionKey, advisory) returns packageList"
packageList = client.errata.listPackages(sessionKey, advisory)
print "Example : Packages for advisory '%s' returns %d packages" % (advisory, len(packageList))
print ""
print ""
print ""

# get errata details
print "Details for a specific advisory : client.errata.getDetails(sessionKey, advisory) returns errataDetail"
errataDetail = client.errata.getDetails(sessionKey, advisory)
print "Example : \n%s\n" % errataDetail
print ""
print ""
print ""

# get channel details
print "Details for a given channel : client.channel.software.getDetails(sessionKey, channelLabel) returns channelDetail"
channelDetail = client.channel.software.getDetails(sessionKey, channelLabel)
print "Example : \n%s\n" % channelDetail
print ""
print ""
print ""

# get package details from package with an id
print "Details for a given package : client.packages.getDetails(sessionKey, pid) returns packageDetail"
packageDetail = client.packages.getDetails(sessionKey, pid)
print "Example : \n%s\n" % packageDetail
print ""
print ""
print ""

print "Logout : client.auth.logout(sessionKey) returns retval"
retval = client.auth.logout(sessionKey)
if retval == 1:
    print "Logged out..."
else:
    print "Failed to log out..."

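Both ULN scripts on this page (ulnget.py in the previous post and sample.py above) stop once a package is located: ulnget.py matches by substring and reads the RPM into memory without comparing it to anything, even though client.packages.getDetails returns package_md5sum and package_checksums for exactly that purpose. The following Python 3 script is an added example (not code from the posts or from ULN) showing exact matching on the name.version-release string and verification of downloaded bytes against the digests in a package detail record. The dict layouts mirror the listAllPackages and getDetails output shown above; the package bytes, the catalog entries and the .invalid download URL are constructed sample data, no network call is made, and the mapping of ULN's 'sha' checksum_type to SHA-1 is an assumption based on the 40-character digests in the sample output.

```python
"""Added example, not code from the original posts: exact package matching
and download verification against the checksums ULN reports through
client.packages.getDetails.  All data below is constructed; nothing is
fetched from ULN."""
import hashlib
from typing import Dict, Iterable, List

# ULN reports metadata digests with checksum_type 'sha' (40 hex chars in the
# sample output, i.e. SHA-1); mapping it to hashlib's name is an assumption.
_ALGO_ALIASES = {"sha": "sha1"}


def package_nvr(package: Dict) -> str:
    """name.version-release, the same string ulnget.py builds for matching."""
    return "%s.%s-%s" % (package["package_name"], package["package_version"], package["package_release"])


def find_packages(package_list: Iterable[Dict], search: str, exact: bool = False) -> List[Dict]:
    """Select packages by NVR.  ulnget.py uses a substring test, so a search for
    'kernel' also returns kernel-headers; exact=True matches the full NVR only."""
    if exact:
        return [p for p in package_list if package_nvr(p) == search]
    return [p for p in package_list if search in package_nvr(p)]


def expected_digests(package_detail: Dict) -> Dict[str, str]:
    """Collect algo -> hex digest from package_checksums (and package_md5sum)."""
    digests: Dict[str, str] = {}
    for entry in package_detail.get("package_checksums", []):
        for algo, value in entry.items():
            digests[_ALGO_ALIASES.get(algo, algo)] = value.lower()
    if "package_md5sum" in package_detail:
        digests.setdefault("md5", package_detail["package_md5sum"].lower())
    return digests


def verify_download(contents: bytes, package_detail: Dict) -> bool:
    """True only if every digest ULN lists for the package matches the bytes.
    This catches a corrupted or swapped download; it says nothing about who
    built the package, which is what the RPM GPG signature check is for."""
    digests = expected_digests(package_detail)
    if not digests:
        return False  # nothing to compare against: refuse rather than assume
    return all(hashlib.new(algo, contents).hexdigest() == expected
               for algo, expected in digests.items())


# Constructed sample data shaped like the post's API output.
SAMPLE_RPM = b"constructed rpm payload, not a real package\n"
SAMPLE_PACKAGE_LIST = [
    {"package_id": 1, "package_name": "kernel", "package_version": "2.6.32", "package_release": "71.29.1.el6"},
    {"package_id": 2, "package_name": "kernel-headers", "package_version": "2.6.32", "package_release": "71.29.1.el6"},
]
SAMPLE_DETAIL = {
    "package_id": 2,
    "package_name": "kernel-headers",
    "package_md5sum": hashlib.md5(SAMPLE_RPM).hexdigest(),
    "package_checksums": [{"md5": hashlib.md5(SAMPLE_RPM).hexdigest()},
                          {"sha": hashlib.sha1(SAMPLE_RPM).hexdigest()}],
    # placeholder host, constructed; the real URLs are on uln.oracle.com
    "download_urls": ["https://uln.example.invalid/kernel-headers-2.6.32-71.29.1.el6.x86_64.rpm"],
}

if __name__ == "__main__":
    print("substring 'kernel' matches:", [package_nvr(p) for p in find_packages(SAMPLE_PACKAGE_LIST, "kernel")])
    print("exact match:", [package_nvr(p) for p in find_packages(SAMPLE_PACKAGE_LIST, "kernel.2.6.32-71.29.1.el6", exact=True)])
    print("download verified:", verify_download(SAMPLE_RPM, SAMPLE_DETAIL))
    print("tampered download verified:", verify_download(SAMPLE_RPM + b"x", SAMPLE_DETAIL))
```

Checksum agreement confirms the file you saved is the file the catalog describes; for origin, run the package through rpm's signature check (rpm -K, also spelled --checksig) against the imported Oracle GPG key before installing it.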

Channel subscription from command-line support added to the Unbreakable Linux Network(ULN)

Until recently, to add channels to a server or to register a server as a yum-repository server, one had to log into ULN and do this manually. First a server had to be tagged as a yum server, and then any channels that would be included had to be added to this server. While this is an easy task, it does involve logging into the website and manually following a few steps, and it could not be automated.

We provided an updated rhn-setup RPM that now adds a new tool called uln-channel, which allows users with ULN access to enable a server as a yum server and also add/remove/list channels for this server. This will allow for easy automation.

The latest version of the rhn-setup RPM is rhn-setup-1.0.0.1-16.0.9.el6.noarch. The uln-channel RPM is currently only supported with Oracle Linux version 6.

# uln-channel -h
Usage: uln-channel [options]

Options:
  -c CHANNEL, --channel=CHANNEL
                        name of channel you want to (un)subscribe
  -a, --add             subscribe to channel
  -r, --remove          unsubscribe from channel
  -l, --list            list channels
  -b, --base            show base channel of a system
  -L, --available-channels
                        list all available child channels
  -v, --verbose         verbose output
  -u USER, --user=USER  your user name
  -p PASSWORD, --password=PASSWORD
                        your password
  --enable-yum-server   enable yum server setting
  --disable-yum-server  disable yum server setting
  -h, --help            show this help message and exit

# uln-channel --list
Username: wim@company.com
Password:
ol6_i386_UEK_latest
ol6_i386_ksplice
ol6_i386_latest

# uln-channel --base
Username: wim@company.com
Password:
ol6_i386_ksplice
ol6_i386_latest
ol6_i386_UEK_latest

# uln-channel --enable-yum-server
Username: wim@company.com
Password:

# uln-channel --disable-yum-server
Username: wim@company.com
Password:

# uln-channel --available-channels
Username: wim@company.com
Password:
el3_i386_latest
el3_u8_i386_patch
el3_u8_x86_64_patch
el3_u9_i386_base
el3_u9_i386_patch
el3_u9_x86_64_base
el3_u9_x86_64_patch
el3_x86_64_latest
...
ol6_x86_64_Dtrace_BETA
ol6_x86_64_Dtrace_latest
ol6_x86_64_Dtrace_userspace_latest
ol6_x86_64_MySQL
ol6_x86_64_MySQL56
ol6_x86_64_UEKR3_latest
ol6_x86_64_UEK_BETA
ol6_x86_64_UEK_base
ol6_x86_64_UEK_latest
ol6_x86_64_addons
ol6_x86_64_gdm_multiseat
ol6_x86_64_ksplice
ol6_x86_64_latest
ol6_x86_64_mysql-ha-utils
ol6_x86_64_ofed_UEK
ol6_x86_64_oracle
ovm22_2.2.0_i386_base
ovm22_2.2.0_i386_patch
ovm22_2.2.1_i386_base
ovm22_2.2.1_i386_patch
ovm22_2.2.2_i386_base
ovm22_2.2.2_i386_patch
ovm22_2.2.3_i386_base
ovm22_2.2.3_i386_patch
ovm22_i386_latest
ovm22_i386_oracle
ovm2_2.1.0_i386_base
ovm2_2.1.0_i386_patch
ovm2_2.1.1_i386_base
ovm2_2.1.1_i386_patch
ovm2_2.1.2_i386_base
ovm2_2.1.2_i386_patch
ovm2_2.1.5_i386_base
ovm2_2.1.5_i386_patch
ovm2_i386_latest
ovm3_3.0.2_x86_64_base
ovm3_3.0.3_x86_64_base
ovm3_3.0.3_x86_64_patch
ovm3_3.0_x86_64_base
ovm3_3.0_x86_64_patch
ovm3_3.1.1_x86_64_base
ovm3_3.1.1_x86_64_patch
ovm3_3.2.1_x86_64_base
ovm3_3.2.1_x86_64_patch
ovm3_x86_64_latest

# uln-channel --add --channel=ol6_x86_64_oracle
Username: wim@company.com
Password:

# uln-channel --list
Username: wim@company.com
Password:
ol6_i386_UEK_latest
ol6_i386_ksplice
ol6_i386_latest
ol6_x86_64_oracle
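
The automation the post has in mind is usually a convergence step: a server should end up subscribed to a fixed channel set, and re-running the step must not keep re-adding channels. The following Python script is an added example (not part of the post or of the rhn-setup package) that wraps uln-channel for that purpose, using only the flags shown in the --help output above (--list, --add, --channel=, -u, -p). The runner that executes the tool is injectable so the logic can be exercised without ULN access; the stand-in output it answers with is constructed from the session shown above.

```python
"""Added example, not code from the original post: an idempotent wrapper
around the uln-channel tool.  Only flags from the tool's --help output are
used.  The fake runner and its output are constructed test data."""
import subprocess
from typing import Callable, Iterable, List, Sequence, Set

Runner = Callable[[Sequence[str]], str]


def run_uln_channel(args: Sequence[str]) -> str:
    """Invoke the real tool and return its stdout.  Passing -p puts the
    password on the command line, where other local users can read it from
    the process list, so keep the credential in a root-only file rather than
    in the script and run this only on hosts where that exposure is acceptable."""
    result = subprocess.run(["uln-channel", *args], check=True, capture_output=True, text=True)
    return result.stdout


def parse_channel_list(output: str) -> Set[str]:
    """Channel labels from `uln-channel --list` output.  The prompt lines
    ('Username: ...', 'Password:') contain a colon; channel labels never do."""
    return {line.strip() for line in output.splitlines() if line.strip() and ":" not in line}


def missing_channels(current: Iterable[str], desired: Iterable[str]) -> List[str]:
    """Desired channels not yet subscribed, in the order they were requested."""
    have = set(current)
    return [ch for ch in desired if ch not in have]


def subscribe_missing(desired: Sequence[str], user: str, password: str,
                      run: Runner = run_uln_channel) -> List[str]:
    """Add each missing channel exactly once; returns the channels actually added."""
    auth = ["-u", user, "-p", password]
    current = parse_channel_list(run(["--list", *auth]))
    added: List[str] = []
    for channel in missing_channels(current, desired):
        run(["--add", "--channel=" + channel, *auth])
        added.append(channel)
    return added


# Constructed stand-in for the tool, answering --list with the session from the post.
FAKE_LIST_OUTPUT = (
    "Username: wim@company.com\nPassword:\n"
    "ol6_i386_UEK_latest\nol6_i386_ksplice\nol6_i386_latest\n"
)


def make_fake_runner(calls: List[List[str]]) -> Runner:
    """Record every invocation instead of running uln-channel."""
    def fake(args: Sequence[str]) -> str:
        calls.append(list(args))
        return FAKE_LIST_OUTPUT if args[0] == "--list" else ""
    return fake


if __name__ == "__main__":
    calls: List[List[str]] = []
    added = subscribe_missing(["ol6_i386_latest", "ol6_x86_64_oracle"], "user", "secret",
                              run=make_fake_runner(calls))
    print("added:", added)              # only ol6_x86_64_oracle; ol6_i386_latest was already there
    print("invocations:", len(calls))   # 2: one --list, one --add
```

Replacing `make_fake_runner(calls)` with the default `run_uln_channel` turns this into the real thing; because the current subscriptions are read first, running it from a cron job or a configuration-management hook only calls --add for channels that are genuinely missing.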


Oracle E-Business Suite R12 Pre-Install RPM available for Oracle Linux 5 and 6

One of the things we have been focusing on with Oracle Linux for quite some time now is making it easy to install and deploy Oracle products on top of it without having to worry about which RPMs to install and what the basic OS configuration needs to be. A minimal Oracle Linux install contains a really small set of RPMs but typically not enough for a product to install on, and a full/complete install contains way more packages than you need. While a full install is convenient, it also means that the likelihood of having to install an errata for a package is higher and as such the cost of patching and updating/maintaining systems increases.

In an effort to make it as easy as possible, we have created a number of pre-install RPM packages which don't really contain actual programs; they're more or less dummy packages and a few configuration scripts. They are built around the concept that you have a minimal OL installation (configured to point to a yum repository) and all the RPMs/packages which the specific Oracle product requires to install cleanly and pass the pre-requisites will be dependencies for the pre-install script. When you install the pre-install RPM, yum will calculate the dependencies, figure out which additional RPMs are needed beyond what's installed, download them and install them. The configuration scripts in the RPM will also set up a number of sysctl options, create the default user, etc. After installation of this pre-install RPM, you can confidently start the Oracle product installer.

We have released a pre-install RPM in the past for the Oracle Database (11g, 12c, ...) and the Oracle Enterprise Manager 12c agent. We have now also released a similar RPM for E-Business R12. This RPM is available on both ULN and public-yum in the addons channel.


Easy access to Java SE 7 on Oracle Linux

In order to make it very easy to install Java SE 7 on Oracle Linux, we added a Java channel on ULN (http://linux.oracle.com). Here is a brief description of how to enable the channel and install Java on your system.

Enable the Java SE 7 ULN channel for Oracle Linux 6

- Start with a server or desktop installed with Oracle Linux 6 and registered with ULN (http://linux.oracle.com) for updates. This is typically done using uln_register on your system.
- Log into ULN, go to the Systems tab for your server/desktop and click on Manage Subscriptions.
  -> Ensure your system is registered to the "Oracle Linux 6 Add ons (x86_64)" channel (it should appear in the 'Subscribed channels' list). If your system is not registered with the above channel, add it:
  -> Click on "Oracle Linux 6 Add ons (x86_64)" in the Available Channels tab and click on the right arrow to move it to Subscribed channels.
  -> Click on Save Subscriptions.
- In order to register with the 'Java SE 7' channel, you first have to install a yum plugin to enable access to channels with licenses:

    # yum install yum-plugin-ulninfo
    Loaded plugins: rhnplugin
    This system is receiving updates from ULN.
    ol6_x86_64_addons                                        | 1.2 kB     00:00
    ol6_x86_64_addons/primary                                |  44 kB     00:00
    ol6_x86_64_addons                                                     177/177
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package yum-plugin-ulninfo.noarch 0:0.2-9.el6 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ==============================================================================
     Package               Arch       Version        Repository             Size
    ==============================================================================
    Installing:
     yum-plugin-ulninfo    noarch     0.2-9.el6      ol6_x86_64_addons      13 k

    Transaction Summary
    ==============================================================================
    Install       1 Package(s)

    Total download size: 13 k
    Installed size: 23 k
    Is this ok [y/N]: y
    Downloading Packages:
    yum-plugin-ulninfo-0.2-9.el6.noarch.rpm                  |  13 kB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : yum-plugin-ulninfo-0.2-9.el6.noarch                        1/1
      Verifying  : yum-plugin-ulninfo-0.2-9.el6.noarch                        1/1

    Installed:
      yum-plugin-ulninfo.noarch 0:0.2-9.el6

    Complete!

- In future versions of Oracle Linux 6, this RPM will become part of the base channel and at that point you will no longer need to register with the Add ons channel to install yum-plugin-ulninfo.
- Add the Java SE 7 channel subscription to your system in ULN:
  -> Click on "Java SE 7 for Oracle Linux 6 (x86_64) (Public)" in the Available Channels tab and click on the right arrow to move it to Subscribed channels.
  -> Click on Save Subscriptions.
  -> A popup will appear with the EULA for Java SE 7; click on Accept or Decline.
- Now your system has access to the Java SE 7 channel. You can verify this by executing:

    # yum repolist
    Loaded plugins: rhnplugin, ulninfo
    This system is receiving updates from ULN.
    ol6_x86_64_JavaSE7_public:
    By downloading the Java software, you acknowledge that your use of the Java software is subject to the Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX (which you acknowledge you have read and agree to) available at http://www.java.com/license.
    ol6_x86_64_JavaSE7_public                                | 1.2 kB     00:00
    ol6_x86_64_JavaSE7_public/primary                        | 1.9 kB     00:00
    ol6_x86_64_JavaSE7_public                                                 2/2
    repo id                    repo name                                                                   status
    ol6_x86_64_JavaSE7_public  Java SE 7 for Oracle Linux 6 (x86_64) (Public)                                   2
    ol6_x86_64_UEKR3_latest    Unbreakable Enterprise Kernel Release 3 for Oracle Linux 6 (x86_64) - Latest   122
    ol6_x86_64_addons          Oracle Linux 6 Add ons (x86_64)                                                177
    ol6_x86_64_ksplice         Ksplice for Oracle Linux 6 (x86_64)                                          1,497
    ol6_x86_64_latest          Oracle Linux 6 Latest (x86_64)                                              25,093
    repolist: 26,891

- To install Java SE 7 on your system, simply use yum install:

    # yum install jdk
    Loaded plugins: rhnplugin, ulninfo
    This system is receiving updates from ULN.
    ol6_x86_64_JavaSE7_public:
    By downloading the Java software, you acknowledge that your use of the Java software is subject to the Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX (which you acknowledge you have read and agree to) available at http://www.java.com/license.
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package jdk.x86_64 2000:1.7.0_51-fcs will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ==============================================================================
     Package    Arch       Version                Repository                  Size
    ==============================================================================
    Installing:
     jdk        x86_64     2000:1.7.0_51-fcs      ol6_x86_64_JavaSE7_public  117 M

    Transaction Summary
    ==============================================================================
    Install       1 Package(s)

    Total download size: 117 M
    Installed size: 193 M
    Is this ok [y/N]: y
    Downloading Packages:
    jdk-1.7.0_51-fcs.x86_64.rpm                              | 117 MB     02:27
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : 2000:jdk-1.7.0_51-fcs.x86_64                               1/1
    Unpacking JAR files...
            rt.jar...
            jsse.jar...
            charsets.jar...
            tools.jar...
            localedata.jar...
            jfxrt.jar...
      Verifying  : 2000:jdk-1.7.0_51-fcs.x86_64                               1/1

    Installed:
      jdk.x86_64 2000:1.7.0_51-fcs

    Complete!

- You now have a completely installed Java SE 7 on your Oracle Linux environment.

    # ls /usr/java/jdk1.7.0_51/
    bin  COPYRIGHT  db  include  jre  lib  LICENSE  man  README.html  release  src.zip  THIRDPARTYLICENSEREADME-JAVAFX.txt  THIRDPARTYLICENSEREADME.txt


OpenSCAP distributed with Oracle VM Server for x86

Security Compliance : true

We recently released Oracle VM Server for x86 3.2.7. For more information you can go here. In addition we also recently released Oracle Linux 6.5. Find the press release here and the link to the release notes here.

You will notice that for Oracle Linux we have updated the version of OpenSCAP to use the NIST SCAP 1.2 specification. We have also decided to distribute OpenSCAP with Oracle VM Server for x86 so you will be able to use the same utility for security compliance checks that you may use with Oracle Linux and Oracle Solaris. Initially, the OpenSCAP package we are distributing with Oracle VM Server for x86 is available on the Oracle Public Yum Server, so you may start by using the oscap(8) - OpenSCAP command line tool after you've installed the openscap-utils RPM on your Dom0 test environment. If you are working on the technical security controls that are required by your organization for the approval to operate Oracle VM Server for x86, then you should understand that OpenSCAP is an effective tool to demonstrate security compliance to your authorizing official. However, you should carefully examine your organization's SCAP content and the implementation details such as the use of OVAL for compliance checks.

We typically recommend that you do not directly execute additional utilities within the Oracle VM Server management domain (i.e. the Dom0 domain), but checking security compliance requires careful, limited access by your authorized administrators to produce the reports. The Oracle VM Security Guide for Release 3 explains the philosophy of protection for the installation of the Oracle VM Server using a small footprint: "Oracle VM Server runs a lightweight, optimized version of Oracle Linux. It is based upon an updated version of the Xen hypervisor technology and includes Oracle VM Agent. The installation of Oracle VM Server in itself is secure: it has no unused packages or applications and no services listening on any ports except for those required for the operation of the Oracle VM environment."

Please note that you should report any potential security vulnerabilities in Oracle products following the instructions found here.

We posted some helpful details about Oracle Linux Errata and CVE information this time last year and you may also review the notifications of Oracle VM errata here. For the examples we are reviewing now, the use of OVAL checks is part of the traditional ways you would show that your servers are all compliant (locked-down or hardened) with relevant security settings in your checklists that reference the product security guides.

The Oracle Software Security Assurance Secure Configuration Initiative has established Oracle product security goals for both Secure Configuration and Security Guides. We have built in the security features with Oracle VM Server for x86 and you should expect that the default installation follows the software security assurance guidelines. Using OpenSCAP for security compliance checks may help you to show that the Oracle VM Server for x86 configuration is up to date with the latest details documented in the security guides for operating systems and server virtualization.

A standardized approach to security compliance is a goal that many organizations are working toward and includes a broad set of security controls typically found within a complete Risk Management Framework provided by the NIST RMF and other standards bodies within the international IT security community. When you begin to use OpenSCAP you will find that the standard SCAP content contains product specific technical security controls that are expected to be unique and have version dependencies as well. You will notice the standard SCAP content used with OpenSCAP on Oracle VM Server for x86 can produce valid security compliance reports, but you must still understand the technical nuances for measuring compliance that show results for each test:

- True
- False
- Error
- Unknown
- Not Applicable
- Not Evaluated

Advantages to using a standardized approach for security compliance include considerations of "what is measured" and "how it is measured" to improve the precision, accuracy and ultimate effectiveness required to mitigate risks. The initial results that are produced using OpenSCAP for security compliance checks must be further examined to truly understand the meaning of 'true' or 'false' so that you can demonstrate the rationalization for applying any fixes to remediate a verifiable problem. The effectiveness of OpenSCAP depends on the thorough understanding of all the technical details at the early stages of your testing, so you will benefit by the complete coverage that may be repeated for all of your production Oracle VM Servers.

Automating system administration activities is a fundamental objective for on-premise and cloud computing architectures and we are working to standardize as much of the enterprise infrastructure components as possible to produce the most cost effective solutions using Oracle VM Server. The security compliance requirements of many organizations have increased reporting cycles that must be continuously monitored. With careful planning, OpenSCAP may be an effective tool for reporting your organization's IT security controls, but we want to review some of the basic concepts that you should be aware of.

We noted earlier that Dom0 is a special purpose management domain that is based on Xen built with Oracle Linux. The Oracle Linux and Oracle Solaris configurations share a common set of technical security controls that are useful to measure consistently with Oracle VM Server. However, the results you analyse require historic perspectives and current insight to determine the relevance and criticality that is important to convey to the decision makers or authorizing officials in your organization.

One random example of a security compliance check that illustrates a number of considerations is related to CWE-264: Permissions, Privileges, and Access Controls. More specifically, as an exercise, we want to drill down to both CWE-275: Permission Issues and CWE-426: Untrusted Search Path potential problems.

To demonstrate how OpenSCAP can be used to report the results of a check related to CWE-275 and CWE-426 we can start by viewing the Red Hat 5 STIG Benchmark, Version 1, Release 4 from DISA:

    [root@ovm327 ~]# wget http://iase.disa.mil/stigs/os/unix/u_redhat_5_v1r4_stig_benchmark.zip

For brevity, we have extracted out the OVAL compliance item for 'STIG ID: GEN000960' that we show using the DISA STIG Viewer. If you also want to test this, here is the raw XML.

This looks simple enough, so let's see the result using OpenSCAP on Oracle VM Server for x86:

    [root@ovm327 ~]# oscap oval eval GEN000960.xml
    Definition oval:mil.disa.fso.rhel:def:77: true
    Evaluation done.
    [root@ovm327 ~]#

We think we understand the result but let's view this differently just to be sure:

    [root@ovm327 ~]# ls -ldL `echo $PATH | tr ':' '\n'`
    ls: /root/bin: No such file or directory
    drwxr-xr-x 2 root root  4096 Jan  2 12:45 /bin
    drwxr-xr-x 2 root root  4096 Jan  2 12:45 /sbin
    drwxr-xr-x 3 root root 16384 Jan  2 12:45 /usr/bin
    drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/bin
    drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/sbin
    drwxr-xr-x 2 root root 12288 Jan  2 12:45 /usr/sbin
    [root@ovm327 ~]#

This looks good to us, but let's make the '/root/bin' directory that we intentionally want to violate the compliance check to see what happens:

    [root@ovm327 ~]# mkdir -m 0777 /root/bin
    [root@ovm327 ~]# ls -ldL `echo $PATH | tr ':' '\n'`
    drwxr-xr-x 2 root root  4096 Jan  2 12:45 /bin
    drwxrwxrwx 2 root root  4096 Jan  2 13:55 /root/bin
    drwxr-xr-x 2 root root  4096 Jan  2 12:45 /sbin
    drwxr-xr-x 3 root root 16384 Jan  2 12:45 /usr/bin
    drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/bin
    drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/sbin
    drwxr-xr-x 2 root root 12288 Jan  2 12:45 /usr/sbin
    [root@ovm327 ~]# oscap oval eval GEN000960.xml
    Definition oval:mil.disa.fso.rhel:def:77: false
    Evaluation done.
    [root@ovm327 ~]#

We have reasonably good confirmation that the OVAL compliance check works the way we expect. However, if we look at the entire set of permissions that enforce the discretionary access control policy, we then realize that there are also permissions on the '/root' directory that prevent the write operations by 'others' in the '/root/bin' directory from succeeding:

    [root@ovm327 ~]# ls -ldL /root /root/bin
    drwxr-x--- 4 root root 4096 Jan  2 13:55 /root
    drwxrwxrwx 2 root root 4096 Jan  2 13:55 /root/bin
    [root@ovm327 ~]#

We are not suggesting that the mode '0777' permissions on '/root/bin' are acceptable because we have safer permissions on the '/root' directory, but the example shows that the OVAL check does not completely test the security controls exactly how the kernel enforces the permissions. We should justifiably state that the result of the OVAL security compliance check for '0777' permissions on the '/root/bin' directory is a 'condition negative' with a 'test outcome negative' (i.e. a true negative), but also continue to note our other observations related to the access control enforcement.

Before proceeding, we will clean up the problem we just temporarily created on our test server:

    [root@ovm327 ~]# chmod 0700 /root/bin
    [root@ovm327 ~]# ls -ldL /root /root/bin
    drwxr-x--- 4 root root 4096 Jan  2 13:55 /root
    drwx------ 2 root root 4096 Jan  2 13:55 /root/bin
    [root@ovm327 ~]# oscap oval eval GEN000960.xml
    Definition oval:mil.disa.fso.rhel:def:77: true
    Evaluation done.
    [root@ovm327 ~]#

Hopefully you find this random security compliance check interesting and somewhat enlightening to illustrate what OpenSCAP can help you with. To continue, we decided to check a slightly different way to demonstrate the same security control:

    [root@ovm327 ~]# wget https://git.fedorahosted.org/cgit/openscap.git/plain/dist/fedora/scap-fedora14-oval.xml

To simplify viewing the portion of the OVAL compliance entry we extracted it like we did with the DISA STIG item. If you also want to test this, here is the raw XML.

Now we can show similar results using a slightly different implementation of the compliance check:

    [root@ovm327 ~]# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
    Definition oval:org.open-scap.f14:def:200855: true
    Evaluation done.
    [root@ovm327 ~]# chmod 0770 /root/bin
    [root@ovm327 ~]# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
    Definition oval:org.open-scap.f14:def:200855: false
    Evaluation done.
    [root@ovm327 ~]#

But we can also see that it is indeed a different check because it includes the test for group write permissions and the 'STIG ID: GEN000960' does not:

    [root@ovm327 ~]# chmod 0770 /root/bin
    [root@ovm327 ~]# oscap oval eval GEN000960.xml
    Definition oval:mil.disa.fso.rhel:def:77: true
    Evaluation done.
    [root@ovm327 ~]#

Again, let's fix the problem we temporarily created on our test server:

    [root@ovm327 ~]# chmod 0700 /root/bin
    [root@ovm327 ~]#

You should also review the CIS Oracle Solaris 11.1 Benchmark v1.0.0 and the CIS Red Hat Enterprise Linux 6 Benchmark v1.2.0 to see that they both have the same entry to 'Ensure root PATH Integrity (Scored)' that has an audit section showing script commands that step through multiple potential security compliance issues to check. It is a common practice to combine similar checks in a group, but you may need to parse out the results to obtain a discrete value for a singular check.

As an additional consideration, let's shift our focus away from the differences within OVAL compliance definitions to the different operating systems that the SCAP content was originally written for. For this part of our testing we start up an Oracle Solaris 11.1 X86 instance running on a VM to demonstrate the OpenSCAP tests with the same OVAL compliance checks:

    root@sol11:/root# pkg install security/compliance/openscap
    root@sol11:/root# ls -ldL `echo $PATH | tr ':' '\n'`
    drwxr-xr-x 4 root bin 1126 Jan  2 14:05 /usr/bin
    drwxr-xr-x 4 root bin  445 Jan  2 13:54 /usr/sbin
    root@sol11:/root# oscap oval eval GEN000960.xml
    Definition oval:mil.disa.fso.rhel:def:77: true
    Evaluation done.
    root@sol11:/root# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
    Definition oval:org.open-scap.f14:def:200855: true
    Evaluation done.
    root@sol11:/root# export PATH=$PATH:/tmp
    root@sol11:/root# ls -ldL `echo $PATH | tr ':' '\n'`
    drwxrwxrwt 5 root sys  432 Jan  2 14:09 /tmp
    drwxr-xr-x 4 root bin 1126 Jan  2 14:05 /usr/bin
    drwxr-xr-x 4 root bin  445 Jan  2 13:54 /usr/sbin
    root@sol11:/root# oscap oval eval GEN000960.xml
    Definition oval:mil.disa.fso.rhel:def:77: false
    Evaluation done.
    root@sol11:/root# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
    Definition oval:org.open-scap.f14:def:200855: false
    Evaluation done.
    root@sol11:/root#

Now let's repeat the same OpenSCAP checks with a non-root user account:

    admin@sol11:~$ ls -ldL `echo $PATH | tr ':' '\n'`
    drwxr-xr-x 4 root bin 1126 Jan  2 14:05 /usr/bin
    drwxr-xr-x 4 root bin  445 Jan  2 13:54 /usr/sbin
    admin@sol11:~$ oscap oval eval GEN000960.xml
    Definition oval:mil.disa.fso.rhel:def:77: true
    Evaluation done.
    admin@sol11:~$ oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
    Definition oval:org.open-scap.f14:def:200855: true
    Evaluation done.
    admin@sol11:~$ export PATH=$PATH:/tmp
    admin@sol11:~$ ls -ldL `echo $PATH | tr ':' '\n'`
    drwxrwxrwt 5 root sys  432 Jan  2 14:09 /tmp
    drwxr-xr-x 4 root bin 1126 Jan  2 14:05 /usr/bin
    drwxr-xr-x 4 root bin  445 Jan  2 13:54 /usr/sbin
    admin@sol11:~$ oscap oval eval GEN000960.xml
    Definition oval:mil.disa.fso.rhel:def:77: false
    Evaluation done.
    admin@sol11:~$ oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
    Definition oval:org.open-scap.f14:def:200855: false
    Evaluation done.
    admin@sol11:~$

We have discovered some additional interesting considerations when reviewing the OpenSCAP results executed on Oracle Solaris:

- The OVAL content appears to also work on Oracle Solaris 11.1
- The OVAL check is on the current PATH environment variable
- The OVAL check is for the current user shell or cron(1M) process running oscap(8)
- The OVAL check does not look for scripts that set the PATH for application run time environments
- The OVAL check does not account for more sophisticated access control technology

To further our understanding of the OVAL content, we decided to run the jOVAL tool which is not included with Oracle Solaris:

    admin@sol11:~$ echo $PATH
    /usr/bin:/usr/sbin:/tmp
    admin@sol11:~$ /usr/share/jOVAL/jovaldi -l 1 -m -o GEN000960.xml
    ----------------------------------------------------
    jOVAL Definition Interpreter
    Version: 5.10.1.2
    Build date: Thursday, January 2, 2014 04:46:39 PM PST
    Copyright (c) 2011-2013 - jOVAL.org

    Plugin: Default Plugin
    Version: 5.10.1.2
    Copyright (C) 2011-2013 - jOVAL.org
    ----------------------------------------------------

    Start Time: Fri Jan 02 16:50:05 2014

     ** parsing /home/admin/GEN000960.xml
        - validating xml schema.
     ** checking schema version
        - Schema version - 5.4
     ** skipping Schematron validation
     ** creating a new OVAL System Characteristics file.
     ** gathering data for the OVAL definitions.
          Collecting object: FINISHED
     ** saving data model to system-characteristics.xml.
     ** skipping Schematron validation
     ** running the OVAL Definition analysis.
          Analyzing definition: FINISHED
     ** OVAL definition results.

        OVAL Id                                   Result
        -------------------------------------------------------
        oval:mil.disa.fso.rhel:def:77             true
        -------------------------------------------------------

     ** finished evaluating OVAL definitions.
     ** saving OVAL results to results.xml.
     ** skipping Schematron validation
     ** running OVAL Results xsl: /usr/share/jOVAL/xml/results_to_html.xsl.
    ----------------------------------------------------
    admin@sol11:~$ echo $PATH
    /usr/bin:/usr/sbin:/tmp
    admin@sol11:~$ /usr/share/jOVAL/jovaldi -l 1 -m -o fedora-accounts_root_path_dirs_no_write.xml
    ----------------------------------------------------
    jOVAL Definition Interpreter
    Version: 5.10.1.2
    Build date: Thursday, January 2, 2014 04:46:39 PM PST
    Copyright (c) 2011-2013 - jOVAL.org

    Plugin: Default Plugin
    Version: 5.10.1.2
    Copyright (C) 2011-2013 - jOVAL.org
    ----------------------------------------------------

    Start Time: Fri Jan 02 16:50:30 2014

     ** parsing /home/admin/fedora-accounts_root_path_dirs_no_write.xml
        - validating xml schema.
     ** checking schema version
        - Schema version - 5.5
     ** skipping Schematron validation
     ** creating a new OVAL System Characteristics file.
     ** gathering data for the OVAL definitions.
          Collecting object: FINISHED
     ** saving data model to system-characteristics.xml.
     ** skipping Schematron validation
     ** running the OVAL Definition analysis.
          Analyzing definition: FINISHED
     ** OVAL definition results.

        OVAL Id                                   Result
        -------------------------------------------------------
        oval:org.open-scap.f14:def:200855         false
        -------------------------------------------------------

     ** finished evaluating OVAL definitions.
     ** saving OVAL results to results.xml.
     ** skipping Schematron validation
     ** running OVAL Results xsl: /usr/share/jOVAL/xml/results_to_html.xsl.
    ----------------------------------------------------
    admin@sol11:~$

For now, this concludes our initial investigation of OpenSCAP to show the potential effectiveness on Oracle VM Server for x86 with careful consideration of the results you may observe with your SCAP content. You will also want to understand the XCCDF security checklists that are most often used to perform more complete security compliance checks with OpenSCAP in the same way you can check for STIG compliance:

    # oscap xccdf eval --profile stig-rhel6-server --report report.html --results results.xml --cpe ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml

We hope that the random security compliance example we chose will help to illustrate that the use of OpenSCAP is not a substitute for adequately proficient expertise for analyzing IT security controls, but it allows for the repetitive checks in your production Oracle VM Servers after you have completed sufficient testing. Please contact your Oracle representatives if you have any questions or place service requests with Oracle Support when you encounter problems.

Finally, please remember that you should report any potential security vulnerabilities in Oracle products following the instructions found here.
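To make the differences discussed above concrete, here is an added example (my own shell, not the post's and not OpenSCAP or the OVAL definitions) that re-implements the two PATH-directory checks side by side: a "stig" policy that, like GEN000960, only flags world-writable directories, and a "fedora" policy that, like the scap-fedora14 definition, also flags group-writable ones. It adds what the post observed neither OVAL check does: a relative or empty PATH entry and a missing directory are reported instead of silently passing, and a world-writable directory is annotated when an ancestor such as the 0750 '/root' above denies other users the search permission needed to reach it. Function names, output format and the GNU stat dependency are my assumptions.

```shell
#!/bin/sh
# Added example, not from the blog post or from OpenSCAP: a plain-shell
# version of the two PATH-directory checks discussed above.
#   check_path_dirs "$PATH" stig    -> flag world-writable dirs   (like GEN000960)
#   check_path_dirs "$PATH" fedora  -> flag group- or world-writable dirs
# Output: one "finding<TAB>dir" line per problem; no output and exit 0 is the
# equivalent of an OVAL "true". Requires GNU stat (Oracle Linux); Solaris
# stat takes different options.

# dir_mode DIR: octal permission bits of DIR following symlinks (as ls -L does);
# prints nothing if DIR does not exist. Always exits 0 so callers decide.
dir_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || :
}

# writable_by_others MODE: true if the "other" write bit (0002) is set.
writable_by_others() {
    [ $(( 0$1 & 02 )) -ne 0 ]
}

# writable_by_group MODE: true if the "group" write bit (0020) is set.
writable_by_group() {
    [ $(( 0$1 & 020 )) -ne 0 ]
}

# others_can_reach DIR: true when every ancestor of DIR, up to and including /,
# grants "other" search (x) permission, i.e. an unprivileged user can actually
# traverse to DIR. This is the part of DAC enforcement the OVAL checks ignore.
others_can_reach() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while [ "$p" != / ]; do
        p=$(dirname "$p")
        m=$(dir_mode "$p")
        [ -n "$m" ] || return 1
        [ $(( 0$m & 01 )) -ne 0 ] || return 1
    done
    return 0
}

# check_path_dirs PATHSTR POLICY: POLICY is "stig" (default) or "fedora".
check_path_dirs() {
    pathstr=$1
    policy=${2:-stig}
    rc=0
    oldifs=$IFS
    IFS=:
    set -- $pathstr          # split on ':' only, keeping empty entries
    IFS=$oldifs
    for d in "$@"; do
        case "$d" in
            /*) ;;
            *)  # "" or "." means the current directory: whatever directory the
                # caller happens to be in can then supply commands.
                printf 'relative-entry\t%s\n' "${d:-(empty)}"; rc=1; continue ;;
        esac
        mode=$(dir_mode "$d")
        if [ -z "$mode" ]; then
            printf 'missing\t%s\n' "$d"; rc=1; continue
        fi
        if writable_by_others "$mode"; then
            if others_can_reach "$d"; then note=""; else note=" (ancestor blocks others)"; fi
            printf 'world-writable%s\t%s\n' "$note" "$d"; rc=1
        elif [ "$policy" = fedora ] && writable_by_group "$mode"; then
            printf 'group-writable\t%s\n' "$d"; rc=1
        fi
    done
    return $rc
}

# Usage: run against root's own PATH on the host under test.
# check_path_dirs "$PATH" stig
# check_path_dirs "$PATH" fedora
```

Run with the post's '/root/bin' example (mode 0777 under a 0750 '/root'), the stig policy reports the directory as world-writable but annotated, which is the distinction the post draws between the OVAL result and what the kernel would actually allow; with mode 0770 only the fedora policy reports it, matching the two oscap runs above.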


Oracle Linux containers continued

More on Linux containers... the use of btrfs in particular and being able to easily create clones/snapshots of container images.

To get started: have an Oracle Linux 6.5 installation with UEKr3 and lxc installed and configured.

lxc by default uses /container as the directory to store container images and metadata: /container/[containername]/rootfs and /container/[containername]/config. You can specify an alternative pathname using -P. To make it easy I added an extra disk to my VM that I use to try out containers (xvdc) and then just mount that volume under /container.

- Create btrfs volume

If not yet installed, install btrfs-progs (yum install btrfs-progs).

    # mkfs.btrfs /dev/xvdc1
    # mount /dev/xvdc1 /container

You can auto-mount this at startup by adding a line to /etc/fstab:

    /dev/xvdc1  /container  btrfs  defaults  0 0

- Create a container

    # lxc-create -n OracleLinux59 -t oracle -- -R 5.9

This creates a btrfs subvolume /container/OracleLinux59/rootfs. Use the following command to verify:

    # btrfs subvolume list /container/
    ID 260 gen 33 top level 5 path OracleLinux59/rootfs

- Start/Stop container

    # lxc-start -n OracleLinux59

This starts the container but without extra options your current shell becomes the console of the container. Add -c [file] and -d for the container to log console output to a file and return control to the shell after starting the container.

    # lxc-start -n OracleLinux59 -d -c /tmp/OL59console
    # lxc-stop -n OracleLinux59

- Clone a container using btrfs's snapshot feature which is built into lxc

    # lxc-clone -o OracleLinux59 -n OracleLinux59-dev1 -s
    Tweaking configuration
    Copying rootfs...
    Create a snapshot of '/container/OracleLinux59/rootfs' in '/container/OracleLinux59-dev1/rootfs'
    Updating rootfs...
    'OracleLinux59-dev1' created
    # btrfs subvolume list /container/
    ID 260 gen 34 top level 5 path OracleLinux59/rootfs
    ID 263 gen 34 top level 5 path OracleLinux59-dev1/rootfs

This snapshot clone is instantaneous and is a copy-on-write snapshot. You can test space usage like this:

    # btrfs filesystem df /container
    Data: total=1.01GB, used=335.17MB
    System: total=4.00MB, used=4.00KB
    Metadata: total=264.00MB, used=25.25MB
    # lxc-clone -o OracleLinux59 -n OracleLinux59-dev2 -s
    Tweaking configuration
    Copying rootfs...
    Create a snapshot of '/container/OracleLinux59/rootfs' in '/container/OracleLinux59-dev2/rootfs'
    Updating rootfs...
    'OracleLinux59-dev2' created
    # btrfs filesystem df /container
    Data: total=1.01GB, used=335.17MB
    System: total=4.00MB, used=4.00KB
    Metadata: total=264.00MB, used=25.29MB

- Adding Oracle Linux 6.5

    # lxc-create -n OracleLinux65 -t oracle -- -R 6.5
    lxc-create: No config file specified, using the default config /etc/lxc/default.conf
    Host is OracleServer 6.5
    Create configuration file /container/OracleLinux65/config
    Downloading release 6.5 for x86_64...
    Configuring container for Oracle Linux 6.5
    Added container user:oracle password:oracle
    Added container user:root password:root
    Container : /container/OracleLinux65/rootfs
    Config    : /container/OracleLinux65/config
    Network   : eth0 (veth) on virbr0
    'oracle' template installed
    'OracleLinux65' created

- Install an RPM in a running container

    # lxc-attach -n OracleLinux59-dev1 -- yum install mysql
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package mysql.i386 0:5.0.95-3.el5 set to be updated
    ..
    Complete!

This connects to the container and executes yum install mysql inside the container.

- Modify container resource usage

    # lxc-cgroup -n OracleLinux59-dev1 memory.limit_in_bytes 53687091
    # lxc-cgroup -n OracleLinux59-dev1 cpuset.cpus
    0-3
    # lxc-cgroup -n OracleLinux59-dev1 cpuset.cpus 0,1

Assigns cores 0 and 1. You can also use a range 0-2,...

    # lxc-cgroup -n OracleLinux59-dev1 cpu.shares
    1024
    # lxc-cgroup -n OracleLinux59-dev1 cpu.shares 100
    # lxc-cgroup -n OracleLinux59-dev1 cpu.shares
    100
    # lxc-cgroup -n OracleLinux59-dev1 blkio.weight
    500
    # lxc-cgroup -n OracleLinux59-dev1 blkio.weight 20

etc...

A list of resource control parameters: http://docs.oracle.com/cd/E37670_01/E37355/html/ol_subsystems_cgroups.html#ol_cpu_cgroups

Lenz has created a Hands-on lab which you can find here: https://wikis.oracle.com/display/oraclelinux/Hands-on+Lab+-+Linux+Containers
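The post shows lxc-cgroup being used both to set a value and to read one back. As an added example (mine, not from the post or from lxc), here is a small wrapper that does both in one step and fails when the value the kernel reports is not the one requested, since the two legitimately differ in form: the cgroup memory controller rounds memory.limit_in_bytes down to a whole number of pages, and cpuset.cpus written as 0,1 reads back as the range 0-1. The LXC_CGROUP variable, the function names and the hypothetical container name are my assumptions; the lxc-cgroup syntax is the post's.

```shell
#!/bin/sh
# Added example, not from the post: apply a cgroup limit to a container with
# lxc-cgroup and verify it by reading the value back. The LXC_CGROUP variable
# only exists so the command can be swapped for a stub when testing.

LXC_CGROUP=${LXC_CGROUP:-lxc-cgroup}

# expand_cpuset SPEC: "0-2,5" -> "0 1 2 5" (one canonical form for both the
# value we wrote and the range form the kernel prints back). Rejects garbage.
expand_cpuset() {
    spec=$1
    out=""
    oldifs=$IFS
    IFS=,
    set -- $spec
    IFS=$oldifs
    for part in "$@"; do
        case "$part" in
            *-*) lo=${part%-*}; hi=${part#*-} ;;
            *)   lo=$part; hi=$part ;;
        esac
        case "$lo$hi" in *[!0-9]*|"") return 1 ;; esac
        [ "$lo" -le "$hi" ] || return 1
        i=$lo
        while [ "$i" -le "$hi" ]; do
            out="$out${out:+ }$i"
            i=$((i + 1))
        done
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# page_align BYTES: the value the memory controller will actually store for
# memory.limit_in_bytes (rounded down to a multiple of the page size).
page_align() {
    page=$(getconf PAGESIZE 2>/dev/null || echo 4096)
    echo $(( $1 / page * page ))
}

# set_limit CONTAINER KEY VALUE: write the limit, read it back, and print what
# the kernel holds. Exit 1 if the write failed (e.g. a mistyped key) or the
# read-back does not match the request after normalisation.
set_limit() {
    name=$1; key=$2; want=$3
    $LXC_CGROUP -n "$name" "$key" "$want" || return 1
    got=$($LXC_CGROUP -n "$name" "$key") || return 1
    case "$key" in
        memory.limit_in_bytes) want=$(page_align "$want") ;;
        cpuset.cpus) want=$(expand_cpuset "$want") || return 1
                     got_norm=$(expand_cpuset "$got") || return 1 ;;
    esac
    printf '%s\n' "$got"
    [ "${got_norm:-$got}" = "$want" ]
}

# Usage against the container from the post (values as in the post):
# set_limit OracleLinux59-dev1 memory.limit_in_bytes 53687091
# set_limit OracleLinux59-dev1 cpuset.cpus 0,1
# set_limit OracleLinux59-dev1 cpu.shares 100
```

The read-back step is the part worth keeping: a limit that was "set" but never verified is the kind of control that looks enforced in a runbook and is not on the host.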


Oracle Linux containers

So I played a bit with docker yesterday (really cool) and as I mentioned, it uses lxc (linux containers) underneath the covers. To create an image based on OL6, I used febootstrap, which works fine but Dwight Engen pointed out that I should just use lxc-create since it does all the work for you. Dwight's one of the major contributors to lxc. One of the things he did a while back was adding support in lxc-create to understand how to create Oracle Linux images. All you have to do is provide a version number and it will figure out which yum repos to connect to on http://public-yum.oracle.com and download the required rpms and install them in a local subdirectory. This is of course superconvenient and incredibly fast. So... I played with that briefly this morning and here's the very short summary.

Start out with a standard Oracle Linux 6.5 install and uek3. Make sure to add/install lxc if it's not yet there (yum install lxc) and you're good to go.

*note - you also have to create /container for lxc - so also do mkdir /container after you install lxc, thanks Tony for pointing this out.

    # lxc-create -n ol65 -t oracle -- -R 6.5

That's it. lxc-create will know this is an Oracle Linux container, using OL6.5's repository to create the container named ol65. lxc-create automatically connects to public-yum, figures out which repos to use for 6.5, downloads all required rpms and generates the container. At the end you will see:

    Configuring container for Oracle Linux 6.5
    Added container user:oracle password:oracle
    Added container user:root password:root
    Container : /container/ol65/rootfs
    Config    : /container/ol65/config
    Network   : eth0 (veth) on virbr0
    'oracle' template installed
    'ol65' created

Now all you need to do is:

    # lxc-start --name ol65

And you are up and running with a new container. Very fast, very easy. If you want an OL5.9 container (or so) just do lxc-create -n ol59 -t oracle -- -R 5.9. Done.

lxc has tons of very cool features, which I will get into more later.

You can use this model to import images into docker as well, instead of using febootstrap.

    # lxc-create -n ol65 -t oracle -- -R 6.5
    # tar --numeric-owner -jcp -C /container/ol65/rootfs . | \
        docker import - ol6.5
    # lxc-destroy -n ol65


Oracle Linux 6.5 and Docker

I have been following the Docker project with great interest for a little while now but never got to actually try it out at all. I found a little bit of time tonight to at least try hello world.

Since docker relies on cgroups and lxc, it should be easy with UEK3. We provide official support for lxc, we are in fact a big contributor to the lxc project (shout out to Dwight Engen), and the docker website says that you need to be on 3.8 for it to just work. So, OL6.5 + UEK3 seems like the perfect combination to start out with.

Here are the steps to do a few very simple things:

- Install Oracle Linux 6.5 (with the default UEK3 kernel (3.8.13))
- To quickly play with docker you can just use their example (*) if you are behind a firewall, set your HTTP_PROXY

-> If you start from a Basic Oracle Linux 6.5 installation, install lxc first. Your out-of-the-box OL should be configured to access the public-yum repositories.

    # yum install lxc

-> ensure you mount the cgroups fs

    # mkdir -p /cgroup ; mount none -t cgroup /cgroup

-> grab the docker binary

    # wget https://get.docker.io/builds/Linux/x86_64/docker-latest -O docker
    # chmod 755 docker

-> start the daemon (*) again, if you are behind a firewall, set your HTTP_PROXY setting (http_proxy won't work with docker)

    # ./docker -d &

-> you can verify if it works

    # ./docker version
    Client version: 0.7.0
    Go version (client): go1.2rc5
    Git commit (client): 0d078b6
    Server version: 0.7.0
    Git commit (server): 0d078b6
    Go version (server): go1.2rc5

-> now you can try to download an example using ubuntu (we will have to get OL up there :))

    # ./docker run -i -t ubuntu /bin/bash

this will go and pull in the ubuntu template and run bash inside

    # ./docker run -i -t ubuntu /bin/bash
    WARNING: IPv4 forwarding is disabled.
    root@7ff7c2bae124:/#

and now I have a shell inside ubuntu!

-> ok so now on to playing with OL6. Let's create and import a small OL6 image.

-> first install febootstrap so that we can create an image

    # yum install febootstrap

-> now you have to point to a place where you have the repoxml file and the packages on an http server. I copied my ISO content over to a web server. I will install some basic packages in the subdirectory ol6 (it will create an OL installed image; this is based on what folks did for centos so it works the same: https://github.com/dotcloud/docker/blob/master/contrib/mkimage-centos.sh)

    # febootstrap -i bash -i coreutils -i tar -i bzip2 -i gzip \
        -i vim-minimal -i wget -i patch -i diffutils -i iproute -i yum ol6 ol6 http://wcoekaer-srv/ol/
    # touch ol6/etc/resolv.conf
    # touch ol6/sbin/init

-> tar it up and import it

    # tar --numeric-owner -jcpf ol6.tar.gz -C ol6 .
    # cat ol6.tar.gz | ./docker import - ol6

Success! List the image:

    # ./docker images
    REPOSITORY   TAG      IMAGE ID       CREATED          SIZE
    ol6          latest   d389ed8db59d   8 minutes ago    322.7 MB (virtual 322.7 MB)
    ubuntu       12.04    8dbd9e392a96   7 months ago     128 MB (virtual 128 MB)

And now I have a docker image with ol6 that I can play with!

    # ./docker run -i -t ol6 ps aux
    WARNING: IPv4 forwarding is disabled.
    USER   PID %CPU %MEM   VSZ  RSS TTY  STAT START TIME COMMAND
    root     1  1.0  0.0 11264  656 ?    R+   23:58 0:00 ps aux

Way more to do but this all just worked out of the box!

    # ./docker run ol6 /bin/echo hello world
    WARNING: IPv4 forwarding is disabled.
    hello world

That's it for now. Next time, I will try to create a mysql/ol6 image and various other things. This really shows the power of containers on Linux and Linux itself. We have all these various Linux distributions, but inside lxc (or docker) you can run ubuntu, debian, gentoo, yourowncustomcrazything and it will just run: old versions of OL, newer versions of OL, all on the same host kernel. I can run OL6.5 and create OL4, OL5, OL6 containers or docker images, but I can also run any old debian or slackware images at the same time.


Spacewalk 2.0 provided to manage Oracle Linux systems

Oracle Linux customers have a few options to manage and provision their servers. We provide a license to use Oracle Enterprise Manager's Linux OS management, monitoring and provisioning features without additional cost for every server that has an Oracle Linux support subscription. So there is no additional pack to license and no additional per-server cost; it's all included in our Basic, Premier and Systems support subscriptions. The nice thing with Oracle Enterprise Manager is that you end up with a single management product that can manage all aspects of your software stack. You have complete insight into the applications running, you have roles and responsibilities, you have third party connectors for storage or other products, and it makes it very easy and convenient to correlate data and events when something happens. If you use Oracle VM as well, you end up with a complete cloud portal with self-service, chargeback, etc...

Another, much simpler option, is just using yum. It is very easy to take a server, create directories and expose these through apache as repositories. You can have a simple yum config on each server pointing to a few specific repositories. It requires some manual effort in terms of creating directories, downloading packages and creating local repo files, but it's easy to do and for many people a preferred solution.

There are also a good number of customers that just connect their servers directly to ULN or to our free update server public-yum. Just to re-iterate, our public-yum servers have all the errata and updates available for free.

Now we added another option. Many of our customers have switched from a competing Linux vendor and they had familiarity with their management tools. Switching to Oracle for support is very easy since we don't require changes to the installed servers, but we also want to make sure there is a very easy and almost transparent switch for the management tools as well.
While Oracle Enterprise Manager is our preferred way of managing systems, we are now offering Spacewalk 2.0 to our customers. The community project can be found here. We have made a few changes to ensure easy and complete support for Oracle Linux, tested it with public-yum, etc. You can find the rpms in our public-yum repos at http://public-yum.oracle.com/repo/OracleLinux/OL6/. There are repositories for the spacewalk server, and then for each version (OL5, OL6) and architecture (x86 and x86-64) we have the client repositories as well. Spacewalk itself is only made available for OL6 x86-64. Documentation can be found here.

I set it up myself and here are some quick steps on how you can get going in just a matter of minutes:

Spacewalk Server Installation:

1) Installing an Oracle Database

Use an existing Oracle Database or install a new Oracle Database (Standard or Enterprise Edition) [at this time use 11g, we will add support for 12c in the near future]. This database can be installed on the spacewalk server or on a separate remote server. While Oracle XE might work to create a small sample POC, we do not support the use of Oracle XE; spacewalk repositories can become large and create a significant database workload. Customers can use their existing database licenses, they can download the database with a trial licence from http://edelivery.oracle.com, or Oracle Linux subscribers (customers) will be allowed to use the Oracle Database as a spacewalk repository as part of their Oracle Linux subscription at no additional cost.

| NOTE : spacewalk requires the database to be configured with the UTF8 characterset.
| Installation will fail if your database does not use UTF8.
| To verify if your database is configured correctly, run the following command in sqlplus:
|
| select value from nls_database_parameters where parameter='NLS_CHARACTERSET';
|
| This should return 'AL32UTF8'

2) Configure the database schema for spacewalk

Ideally, create a tablespace in the database to hold the spacewalk schema tables/data:

    create tablespace spacewalk datafile '/u01/app/oracle/oradata/orcl/spacewalk.dbf' size 10G autoextend on;

Create the database user spacewalk (or use some other schema name) in sqlplus. Example:

    create user spacewalk identified by spacewalk;
    grant connect, resource to spacewalk;
    grant create table, create trigger, create synonym, create view, alter session to spacewalk;
    grant unlimited tablespace to spacewalk;
    alter user spacewalk default tablespace spacewalk;

4) Spacewalk installation and configuration

Spacewalk server requires an Oracle Linux 6 x86-64 system. Clients can be Oracle Linux 5 or 6, both 32- and 64-bit. The server is only supported on OL6/64-bit. The easiest way to get started is to do a 'Minimal' install of Oracle Linux on a server and configure the yum repository to include the spacewalk repo from public-yum.

Once you have a system with a minimal install, modify your yum repo to include the spacewalk repo. Example: edit /etc/yum.repos.d/public-yum-ol.repo and add the following lines at the end of the file:

    [spacewalk]
    name=spacewalk
    baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/spacewalk20/server/$basearch/
    gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
    gpgcheck=1
    enabled=1

Install the following pre-requisite packages on your spacewalk server:

    oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64
    oracle-instantclient11.2-sqlplus-11.2.0.3.0-1.x86_64

    rpm -ivh oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64
    rpm -ivh oracle-instantclient11.2-sqlplus-11.2.0.3.0-1.x86_64

The above RPMs can be found on the Oracle Technology Network website: http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html

As the root user, configure the library path to include the Oracle Instant Client libraries:

    cd /etc/ld.so.conf.d
    echo /usr/lib/oracle/11.2/client64/lib > oracle-instantclient11.2.conf
    ldconfig

Install spacewalk:

    # yum install spacewalk-oracle

The above yum command should download and install all required packages to run spacewalk on your local server.

| NOTE : if you did a full, desktop or workstation installation,
| you have to remove the JTA package
| BEFORE installing spacewalk-oracle (rpm -e --nodeps jta)

Once the installation completes, simply run the spacewalk configuration tool and you are all set (make sure to run the command with the 2 arguments):

    spacewalk-setup --disconnected --external-db

Answer the questions during the setup; ensure you provide the current database user (example: spacewalk) and password (example: spacewalk) and database server hostname (the standard hostname of the server on which you have deployed the Oracle database).

At the end of the setup script, your spacewalk server should be fully configured and you can log into the web portal. Use your favorite browser to connect to the website: http://[spacewalkserverhostname]

The very first action will be to create the main admin account.


Oracle Linux and Oracle VM pricing guide

A few days ago someone showed me a pricing guide from a Linux vendor and I was a bit surprised at the complexity of it, especially when you look at larger servers (4 or 8 sockets) and when adding virtual machine use into the mix. I think we have a very compelling and simple pricing model for both Oracle Linux and Oracle VM. Let me see if I can explain it in 1 page, not 10 pages.

This pricing information is publicly available on the Oracle store; I am using the current public list prices. Also keep in mind that this is for customers using non-Oracle x86 servers. When a customer purchases an Oracle x86 server, the annual systems support includes full use (all you can eat) of Oracle Linux, Oracle VM and Oracle Solaris (no matter how many VMs you run on that server, in case you deploy guests on a hypervisor). This support level is the equivalent of premier support in the list below.

Let's start with Oracle VM (x86):

Oracle VM support subscriptions are per physical server on which you deploy the Oracle VM Server product.

(1) Oracle VM Premier Limited -> 1- or 2-socket server : $599 per server per year
(2) Oracle VM Premier -> more than 2-socket server (4, or 8 or whatever more) : $1199 per server per year

The above includes the use of Oracle VM Manager and Oracle Enterprise Manager Cloud Control's Virtualization management pack (including self service cloud portal, etc..), 24x7 support, access to bugfixes, updates and new releases. It also includes all options: live migrate, dynamic resource scheduling, high availability, dynamic power management, etc. If you want to play with the product, or even use the product without access to support services, the product is freely downloadable from edelivery.

Next, Oracle Linux:

Oracle Linux support subscriptions are per physical server. If you plan to run Oracle Linux as a guest on Oracle VM, VMware or Hyper-V, you only have to pay for a single subscription per system; we do not charge per guest or per number of guests. In other words, you can run any number of Oracle Linux guests per physical server and count it as just a single subscription.

(1) Oracle Linux Network Support -> any number of sockets per server : $119 per server per year
Network support does not offer support services. It provides access to the Unbreakable Linux Network and also offers full indemnification for Oracle Linux.

(2) Oracle Linux Basic Limited Support -> 1- or 2-socket servers : $499 per server per year
This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud Control for Linux OS management. It includes ocfs2 as a clustered filesystem.

(3) Oracle Linux Basic Support -> more than 2-socket server (4, or 8 or more) : $1199 per server per year
This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud Control for Linux OS management. It includes ocfs2 as a clustered filesystem.

(4) Oracle Linux Premier Limited Support -> 1- or 2-socket servers : $1399 per server per year
This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud Control for Linux OS management, and XFS filesystem support. It also offers Oracle Lifetime support, backporting of patches for critical customers in previous versions of packages, and ksplice zero-downtime updates.

(5) Oracle Linux Premier Support -> more than 2-socket servers : $2299 per server per year
This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud Control for Linux OS management, and XFS filesystem support. It also offers Oracle Lifetime support, backporting of patches for critical customers in previous versions of packages, and ksplice zero-downtime updates.

(6) Freely available Oracle Linux -> any number of sockets
You can freely download Oracle Linux, install it on any number of servers and use it for any reason, without support, without right to use of these extra features like Oracle Clusterware or ksplice, without indemnification. However, you do have full access to all errata as well. Need support? Then use options (1)..(5).

So that's it. Count the number of 2-socket boxes and more-than-2-socket boxes, decide on basic or premier support level and you are done. You don't have to worry about different levels based on how many virtual instances you deploy or want to deploy. A very simple menu of choices. We offer, inclusive, Linux OS clusterware, Linux OS management, provisioning and monitoring, cluster filesystem (ocfs), high performance filesystem (xfs), dtrace, ksplice, ofed (infiniband stack for high performance networking). No separate add-on menus.

NOTE : a socket/cpu can have any number of cores. So whether you have a 4, 6, 8, 10 or 12 core CPU doesn't matter; we count the number of physical CPUs.


Oracle Linux 6 on Microsoft Azure

One of the great keynotes at Oracle OpenWorld last week was from Microsoft. You can watch the replay here. I think Brad did an awesome job, very engaging and a very positive partner message. There was a lot of Oracle Linux talk in the Microsoft session, just awesome.

We have worked closely with Microsoft to ensure that we can deploy Oracle Linux inside their Azure platform (and also just in general on Hyper-V). Part of the work is to provide templates that include Oracle products such as Oracle RDBMS and Oracle WebLogic on Oracle Linux in Azure. This is a similar concept to Oracle VM templates. You can go through the catalog on Azure, select a template and a few minutes later you end up with a complete running Virtual Machine. These templates with Oracle products are available for both Windows and Oracle Linux environments.

Microsoft has a free trial offering which I tried out last night (with my personal account) and within a few minutes, with no prior knowledge of how their environment works, I had an Oracle Linux 6 update 4 instance up and running. Logged in using ssh. They have a very easy to navigate portal. We have configured Oracle Linux out of the box with public-yum for updates. So if you need an enterprise grade Linux distribution on Azure that comes with free updates/errata and fast connectivity to the update servers, go use Oracle Linux. And the nice thing is, if you need support for some of those VMs deployed, you just pay for those VMs you want support for. This is also nice for ISVs that want to provide their own application solutions in Azure: they can use Oracle Linux and embed it in their VM with their app and, again, get an enterprise grade solution that can be freely used without signing contracts with us, and be current with updates and errata. If the ISV then wants support, they can resell Oracle Linux subscriptions. This is a very simple, open, hassle-free solution.


Oracle Linux 6 UEK3 beta

Last week we published UEK3 beta on http://public-yum.oracle.com. It is very easy to get started with this and play around with the new features. It just takes a few steps:

- Install Oracle Linux 6 (preferably the latest update) on a system or in a VM
- Add the beta repository file in /etc/yum.repos.d
- Enable the beta channel
- Reboot into the new kernel
- Add updated packages like lxc tools and dtrace

Oracle Linux is freely downloadable from http://edelivery.oracle.com/linux. Oracle Linux is free to use on as many systems as you want, is freely re-distributable without changing the CD/ISO content (so including our cute penguin), and provides free security errata and bugfix errata updates. You only need to pay for a support subscription for those systems that you want/need support for, not for other systems. This allows our customers/users to run the exact same software on test and dev systems as well as production systems without having to maintain potentially two kinds of repositories. All systems can run the exact same software all the time.

The free yum repository for security and bugfix errata is at http://public-yum.oracle.com. This site also contains a few other repositories:

- Playground channel: a yum repository where we publish the latest kernels as released on kernel.org. We take the mainline tree and build it into RPMs that can easily be installed on Oracle Linux (Oracle Linux 6 and x86_64 specifically).
- Beta channel: a yum repository where we publish new early versions of UEK along with corresponding packages that need to be updated along with it.

Now, back to UEK3 beta. Just a few steps are needed to get started. I will assume you have already installed Oracle Linux 6 (update 4) on a system and it is configured to use public-yum as the repository.

First download and enable the beta repository:

    # cd /etc/yum.repos.d/
    # wget http://public-yum.oracle.com/beta/public-yum-ol6-beta.repo
    # sed -i s/enabled=0/enabled=1/g public-yum-ol6-beta.repo

You don't have to use sed; you can just edit (vi/emacs) the repo file and manually set it to 1 (enable). Now you can just run yum update:

    # yum update

This will install UEK3 (3.8.13-13) and it will update any relevant packages that are required to be on a later version as well. At this point you should reboot into UEK3.

New features introduced in UEK3 are listed in our release notes. There are tons of detailed improvements in the kernel since UEK2 (3.0 based). Kernelnewbies is an awesome site that keeps a nice list of changes for each version. We will add more detail to our release notes over time, but for those that want to browse through all the changes, check it out:

http://kernelnewbies.org/Linux_3.1
http://kernelnewbies.org/Linux_3.2
http://kernelnewbies.org/Linux_3.3
http://kernelnewbies.org/Linux_3.4
http://kernelnewbies.org/Linux_3.5
http://kernelnewbies.org/Linux_3.6
http://kernelnewbies.org/Linux_3.7
http://kernelnewbies.org/Linux_3.8

To try out dtrace, you need to install the dtrace packages. We introduced USDT in UEK3's version of dtrace; there is some information in the release notes about the changes.

    # yum install dtrace-utils

To try out lxc, you need to install the lxc packages. lxc is capable of using Oracle VM Oracle Linux templates as a base image to create a container.

    # yum install lxc

Enjoy.


Single Instance/RAC Oracle VM templates update

Superstar Saar just released a new set of Oracle VM templates. We (Oracle) just released 2 patch sets for the Oracle RDBMS - 11.2.0.4.0 and 11.2.0.2.11 (x86 and x86_64). Simultaneously, Saar updated his Oracle VM templates to include these latest patchsets as well for both architectures (x86 and x86_64):

- 11.2.0.4.0 with OL5
- 11.2.0.4.0 with OL6
- 11.2.0.2.11 with OL5
- 11.2.0.2.11 with OL6

These templates can be deployed on Oracle VM using the DeployCluster tool; all you need to do is create a very simple text file with the parameters. All templates default to UEK2 2.6.39-400. The templates can be used to create Single Instance, Single Instance with HA (Oracle Restart) and Oracle RAC databases. The options vary from ASM, NFS, OCFS2 for db files, local filesystem, no DB, Clusterware only etc. Full stack, download, deploy. Production RDBMS code, Production Oracle Linux.

http://www.oracle.com/technetwork/server-storage/vm/database-templates-12c-11gr2-1972804.html

Simple sample script:

    # cat netconfig.ini
    NODE1=server3
    NODE1IP=10.0.0.4
    PUBADAP=eth0
    PUBMASK=255.255.255.0
    PUBGW=10.0.0.1
    DOMAINNAME=wimmekes.net # May be blank
    DNSIP=10.0.0.1 # Starting from 2013 Templates allows multi value
    CLONE_SINGLEINSTANCE=yes # Setup Single Instance

and then

    # deploycluster -u admin -p mypassword -H localhost -M mydbvm1

-> done


A little sample snmp module for Oracle VM Server 3.2

I was looking at snmp for a few days and decided to put together a little snmp module (extension) that would work on Oracle VM Server (3.2 and up). In 3.2 we started to include the net-snmp rpms to allow customers to monitor any given Oracle VM server with standard SNMP tools, whether that be cacti, snmpwalk, even Oracle Enterprise Manager (snmp fetchlets) or whatever tool. The standard net-snmp installation will expose MIBs and return data pretty much exactly the same as what you would get when installing net-snmp on Oracle Linux and monitoring an Oracle Linux server.

The little snmp module I added exposes a few extra Oracle VM specific objects. To start with I basically looked at the data you can see on the local console of the server (version, cluster state, management uuid,...). I created a custom MIB (falls in the oracle enterprise oid range (1.3.6.1.4.1.111.57.1.1 – 1.3.6.1.4.1.111.57.1.13)) and packaged it all up in a little RPM (ovs-snmp.rpm) that can be installed in dom0.

ovs-snmp is an extension to net-snmp. It is a dynamically loadable module that allows extra bits to be monitored in dom0 that are specific to Oracle VM. Once the RPM is installed, snmpd.conf must be updated to load the module at start of snmpd. When you restart the snmpd service, you then have access to an extra MIB.

This extra MIB is documented in /usr/share/snmp/mibs/OVS-MIB.txt. The raw oid range for the OVS extension is from 1.3.6.1.4.1.111.57.1.1 – 1.3.6.1.4.1.111.57.1.13. The module also contains a trap at 1.3.6.1.4.1.111.57.2.0. The trap is defined around ovsAgentState (Running/Stopped) and will allow an admin to monitor the state of the Oracle VM Server agent, which is a critical component of every server installed, and get a notification from the snmpd.

If you copy the OVS-MIB.txt file over to another regular server and put the file in the same directory (/usr/share/snmp/mibs) then you can use the text version instead of the raw oid numbers. For instance: 1.3.6.1.4.1.111.57.1.1 is the same as ORACLE-OVS-MIB::ovsType. This is more humanly readable.

The following set of attributes are defined in the MIB:

    ovsType : Oracle VM Server
    ovsVersion : Version of Oracle VM Server installed
    ovsMaster : Master node in serverpool?
    ovsClusterState : Cluster configured / online?
    ovsClusterType : NFS or Lun based
    ovsClusterStorage : the nfs mount or lun used for the server pool filesystem
    ovsManagerUUID : UUID of the Oracle VM Manager instance
    ovsServerpoolName : serverpool name this server is a member of (or None)
    ovsServerpoolIP : Virtual IP address of the serverpool master
    ovsAgentState : Agent running or stopped
    ovsFreeMemory : free memory available for Virtual Machines on this server
    ovsHostname : hostname as known by the Oracle VM Manager instance
    vmTable : table with an index listing all the currently running VMs; columns -> vmIndex, vmType

example snmpd.conf file:

    # more /etc/snmp/snmpd.conf
    rocommunity public
    syslocation "hq"
    dlmod ovs /usr/lib64/ovs-snmp/ovs.so

Some examples:

    # snmpwalk -v 1 -c public -O e localhost ORACLE-OVS-MIB::ovsAgentState
    ORACLE-OVS-MIB::ovsAgentState.0 = STRING: Running

    # snmpwalk -v 1 -c public -O e localhost 1.3.6.1.4.1.111.57.1.1
    SNMPv2-SMI::enterprises.111.57.1.1.0 = STRING: "Oracle VM Server"

You can download the rpm from MOS, bug number is 17344092. At this point it's provided as-is, tech preview. Once I get some feedback on it we will consider integrating this.

have fun
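As an added example (not part of the original post or of the ovs-snmp RPM), here is a small Python checker that parses snmpwalk -O e output for the OVS objects, resolves the raw enterprise OIDs to the names listed above, and flags a server whose ovsAgentState is not Running, which is the same condition the module's trap is built around. Only ovsType at .1 is given by the post; the numeric positions assumed for the other objects and the sample walk output are constructed here.

```python
"""Check Oracle VM Server agent state from ovs-snmp walk output.

Added example, not code from the original post or from the ovs-snmp RPM.
Assumption: only ovsType = .1 is stated in the post; the positions of the
other objects under 1.3.6.1.4.1.111.57.1 are taken from the post's list order.
"""
import re
from typing import Dict, Optional

OVS_BASE = "1.3.6.1.4.1.111.57.1"
ENTERPRISES_PREFIX = "SNMPv2-SMI::enterprises."  # what snmpwalk prints without OVS-MIB.txt

# Object positions: .1 is confirmed by the post; .2 onward are ASSUMED from the list order.
OVS_OBJECTS = {
    1: "ovsType", 2: "ovsVersion", 3: "ovsMaster", 4: "ovsClusterState",
    5: "ovsClusterType", 6: "ovsClusterStorage", 7: "ovsManagerUUID",
    8: "ovsServerpoolName", 9: "ovsServerpoolIP", 10: "ovsAgentState",
    11: "ovsFreeMemory", 12: "ovsHostname", 13: "vmTable",
}

# One snmpwalk line: "<oid> = <TYPE>: <value>"
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$")


def oid_to_name(oid: str) -> Optional[str]:
    """Map an snmpwalk OID label to an OVS object name, or None if it is not ours."""
    # Already resolved through OVS-MIB.txt: ORACLE-OVS-MIB::ovsAgentState.0
    if oid.startswith("ORACLE-OVS-MIB::"):
        return oid.split("::", 1)[1].split(".", 1)[0]
    # Numeric forms: SNMPv2-SMI::enterprises.111.57.1.10.0 or .1.3.6.1.4.1.111.57.1.10.0
    if oid.startswith(ENTERPRISES_PREFIX):
        oid = "1.3.6.1.4.1." + oid[len(ENTERPRISES_PREFIX):]
    oid = oid.lstrip(".")
    if not oid.startswith(OVS_BASE + "."):
        return None
    first = oid[len(OVS_BASE) + 1:].split(".")[0]
    return OVS_OBJECTS.get(int(first)) if first.isdigit() else None


def parse_walk(output: str) -> Dict[str, str]:
    """Return {object name: value} for the OVS objects found in snmpwalk output."""
    values: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name = oid_to_name(m.group("oid"))
        if name is None:
            continue
        value = m.group("value").strip()
        # snmpwalk quotes STRING values that contain spaces
        if m.group("type") == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        values[name] = value
    return values


def check_agent(values: Dict[str, str]) -> Optional[str]:
    """Return an alert message when the OVS agent is not Running, else None."""
    state = values.get("ovsAgentState")
    host = values.get("ovsHostname", "unknown host")
    if state is None:
        return f"ovsAgentState missing from walk of {host}"
    if state != "Running":
        return f"Oracle VM agent is {state} on {host}"
    return None


# Constructed sample output, mixing the resolved and the raw OID forms shown in the post.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.111.57.1.1.0 = STRING: "Oracle VM Server"
ORACLE-OVS-MIB::ovsAgentState.0 = STRING: Running
ORACLE-OVS-MIB::ovsHostname.0 = STRING: ovs1.example.test
SNMPv2-SMI::enterprises.111.57.2.0 = STRING: unrelated
"""

if __name__ == "__main__":
    parsed = parse_walk(SAMPLE_WALK)
    print(parsed)
    print(check_agent(parsed) or "agent OK")
```

Feed it the real output of snmpwalk against dom0 to get the same check on a live server; the trap at 1.3.6.1.4.1.111.57.2.0 covers the push side, this covers polling.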


The life of a Linux RPM (package)

Another frequently asked question related to Oracle Linux is how versions of specific packages (RPMs) are picked. A Linux distribution is basically a collection of a ton of open source projects that make up the Operating System environment, with at its core the Linux kernel. Linux as a development project is about the Linux kernel specifically. There are then many (1000's) of random open source projects out there and a Linux distribution basically is an OS made up of, at its core, the kernel, and tons of those other projects packaged up. Now some packages are more critical than others, there's a small true core of packages that you will find in any Linux distribution, glibc (c library), gcc (compiler), filesystem utils, core utils, binutils, bash,... etc. A good guess would be about 150-200 packages that make up pretty much any more or less usable environment (yes you can do with far fewer but I 'm talking standard OS installs here...)All these projects have their own development cycle, their own maintainers/developers, their own project plans, and their own dependencies. They just kind of all move along on their own pace, they're worked on by (usually) different people and so on. So how do these 1000's of packages get into Oracle Linux? Oracle Linux is an exact replica of Red Hat Enterprise Linux (same packages, same source code, same versions,...)... so that's what we base our distribution on (similar to CentOS). Now Red Hat Enterprise Linux, in turn, uses the Fedora Linux distribution as its upstream baseline. Fedora is a community distribution (fedoraproject.org) that typically lives far ahead of what any one would install for a stable environment. It's a community driven, cutting edge Linux distribution. Fedora as a project has very frequent releases (like every 6 or so months). 
The fedora maintainers distribute maintainership of these 1000's of RPMs across a group of people and they gather newer versions of all these projects and build them for a given version of Fedora. They then stabilize this and release it. By stabilizing, I mean, they create packages, test out if all the dependencies work, if there's a build environment that's consistent and if there are bugs, and fix them of course. So Fedora evolves rapidly (like every 6 months a new release) and as you go from Fedora 12 to 13 to 14 etc, you see the packages of gcc and glibc and all other stuff evolve version by version, gcc 3.2 to 3.3 to 4.0 to 4.4 etc. Depending on when the fedora project starts "freezing" the package list of the next version, that's what the various versions of those 1000's of packages will be based off of. The maintainers usually will, at some point of the release cycle, take the latest "stable" version of a given project (say gcc) and check that version into the Fedora tree. What happens here is that you typically see Fedora pick up the stable versions of projects pretty regularly. It helps shake out bugs, it reaches a large (end)-userbase and it helps the Linux community that wants to be on the cutting edge by doing a lot of the packaging for them and it helps the downstream use of Fedora because many of the base/generic obvious bugs and build issues have been resolved during the Fedora test, dev and release process. Now, because Fedora moves so rapidly, newer versions of RHEL, and as such OL, obviously skip quite a few versions of Fedora. For instance, RHEL6 is based on Fedora 12/13, RHEL5 was based on Fedora Core6, etc... A new version of RHEL is released every few years. 
So Red Hat decides at a certain point in time to take a snapshot of a given Fedora release they deem stable enough at that point in time and then fork that internally into a separate repository, change the trademarks,logos, add some packages that might not be in Fedora, tests the components for a more commercial use, server use, (most of Fedora is desktop use) and then releases that as the next version of RHEL. And we then similarly follow with OL.An important point to make is that within a given release cycle of RHEL or OL, the version of the packages typically doesn't change, at least not the major version (usually not 2 digit versions). For the lifetime of, say, OL5, the version of, say, glibc, will remain pretty static. It will include bugfixes over the lifetime of the distribution version, security fixes and sometimes minor important things that might get backported of a newer version (albeit rare) but that's it. So you have a relatively static vesion of an OS, it improves in stability, quality, security but it doens't improve much in terms of functionality. (Most of the enhancements would probably be in the kernel.). This also means that a Linux distribution (RHEL, OL, CentOS,...) can skip package versions, if some external project goes from version 2.1 to 2.2 to 2.3 to 3.0 to 3.1 etc... over the lifecycle of OL5 and OL6, then OL5 might contain 2.1 and OL6 might contain 3.0 or 3.1. You won't see versions in between get picked up. Or, again, in some rare cases, if there's something really important that went into 2.3 that would be really relevant, it might have gotten backported to 2.1 as part of RHEL/OL. You cannot expect that OL5 would go from 2.1 to 2.2 to 3.0 for that given package. That's just not how things work. So if you expect major enhancements or features of some package that's newer than the version that's in the current distribution, you might (likely) have to wait until the next major release. 
Example: OL5 contains glibc 2.5, OL6 contains glibc 2.12. If there was something really, really important in glibc 2.8, that might have gotten backported into 2.5 and into OL5, but it's unlikely. And OL5 will not start adding 2.6 or 2.7 or so into the distribution. Then the same cycle starts again with OL6: it contains glibc 2.12, but the current version of glibc upstream is 2.18, and Fedora 19 contains glibc 2.17. So the future RHEL7/OL7 might end up with 2.16 or 2.17, and it will have skipped over 2.13-2.15. One cannot expect that the commercial distributions backport features of future package versions into prior versions. That doesn't happen for OL, or for RHEL or CentOS or SLES etc. What does happen, and it's important to point this out, is the fixing of CVEs/security vulnerabilities and critical bugs. Example: let's say there is a security issue found in glibc 2.17 (upstream), and this is also relevant to the glibc 2.5 found in RHEL5/OL5. We obviously will end up fixing that in 2.5 (backport the security fix) and in 2.12 (OL6). So critical fixes and security fixes for a vulnerability found in any version of a supported Linux distribution's package will show up in the various versions where they matter. You can always track this by looking at the changelog of an RPM, or by searching for a CVE number: you will see hits on different versions of an RPM in different versions of OL where it is relevant. This is pretty normal stuff. New features go into new versions of a product, like new features go into new versions of the Oracle database; we fix problems and backport changes into older versions, but you will not see new features from a new version of the database pop up in an old version of the database. It's not rocket science.
A Linux distribution is a product based on tons of small subcomponents, but in the end the major release is the overarching "feature" release. The few exceptions (obviously there are exceptions :-) are: (1) it's possible that new packages for new products or components are introduced during the lifetime of the OS release, so a new RPM can be introduced in 5.8 or 5.9 or so; (2) some of the backports of features I talked about earlier can introduce some enhancements, although rarely; (3) the Linux kernel is probably the most lively component in the OS, where the rate of enhancements is the largest compared to anything else. I hope this helps.


Of updates and errata.

A frequently discussed topic inside Oracle, and also outside with customers and partners, is Oracle Linux versions and how to treat updates, support, certifications and minimum levels. Here's our take on it, from the Oracle Linux side. When talking about Oracle Linux and versions, there really are 3 major components:

-1- A major new release, such as Oracle Linux 5, Oracle Linux 6, ...

A major new release is an update of the entire OS: kernel, userspace, all the thousands of packages that make up Oracle Linux. A major release is a significant change compared to the previous version. You will see pretty much every package (RPM) updated to a whole new version, like Apache, MySQL, GCC, glibc, X Windows, GNOME, etc. In a number of cases, the owners of the packages are not so careful about maintaining backward compatibility and introduce different-style config files that can make upgrades difficult or sometimes impossible. This is one of the reasons why it's not easy to 'upgrade' from, say, Oracle Linux 5 to Oracle Linux 6. While it would be OK for a good number of RPMs, it's not guaranteed to work for everything. A config file might get overwritten, or the older edited config file is not compatible with the new version, etc. So upgrading here very often means a new/fresh install of the OS on a server. We see most customers go to new versions at the time of a hardware refresh and use that as a good opportunity, and that makes total sense. Because a major version has significant changes to core components (a new kernel with new features, new glibc, ...), and unfortunately sometimes changes that require application changes and not just testing (upstart from OL5 to OL6, ... potentially interesting changes due to systemd in future versions), there's typically a good reason to do certification testing of userspace applications on top of the new version.
The way we work here is that we build on the lowest common version of the OS we want to support and run certification against newer versions. So we build an Oracle product on Oracle Linux 5, we won't support anything on a version that's older than Oracle Linux 5, and we do extra testing and certification for any new major version, like Oracle Linux 6. This can require us to make some changes to our application (like the database) in order to complete that certification (or OS bugfixes); this was a big reason why it took a long time before Oracle Linux 6 could be considered certified for the database (due to, for instance, things like upstart). ISVs typically will do the same thing; it takes some time for development teams to add a new major version of the OS, again because sometimes application changes or OS changes (like bugfixes found through testing) might be required. A major OS release happens every few years, not more frequently: OL4 -> 2006 (for us, since we started with update 4), OL5 -> mid 2006, OL6 -> early 2011.

-2- A minor update, really just a point-in-time snapshot of a given major release with bugfixes and security updates applied (Oracle Linux 5 update 9, Oracle Linux 6 update 4, ...)

A minor update, released on a regular basis (every several months), is really just a snapshot in time of the major OS release. Once a version is out, bugfixes and security updates are introduced into that release on a regular basis, so out of the thousands of packages, a number of those will have a minor bugfix update every now and then. These updates are focused on fixing bugs and fixing security vulnerabilities. New features are normally not introduced into packages as part of a given major OS release. Sometimes some new things are added, but only if they don't break compatibility or change the understood use of that package.
Because a major OS release only happens every few years, and to make it easy to provide a good snapshot of fixes within the release cycle, updates are done on a regular basis. The update is literally a snapshot at a given date: the latest version of all packages within the release are bundled together and put onto updated media (ISO). This makes it convenient for users in a number of ways: 1) As mentioned in the first point, sometimes we need to create OS bugfixes for an application to work on a given version of the OS, and these fixes go into the OS at some point or another. It is very convenient to use the update releases to point customers to the minimum version as a starting point. 2) A very important component that gets updated regularly (bugfixes, updated device drivers/hardware support) is the kernel. When new hardware is released, you typically need a new boot kernel to recognize it; an update release pretty much always has a newer version of the Linux kernel with updated device drivers on the installation media, and that's required to be able to install a given OS version on newer hardware. So it might be that you need a minimum level of Oracle Linux 5.9 to install on the latest version of a given server, but it's still "Oracle Linux 5" as a product. So, look at update releases as minimum patch levels of an OS release, not as a product version. Oracle Linux 5.9 is not a product version; Oracle Linux 5 is the product, and update 9 just implies a recent point in time of the fixes made in the product. Too often a customer (or product team) certifies on a very specific update version and makes the mistake of implying really just that version, and not that version and newer.
We all stand by the fact that if the minimum version required is, let's say, Oracle Linux 5 update 6, then that always implies Oracle Linux 5, starting from the snapshot point of update 6 and anything newer since then, as part of Oracle Linux 5. There is no point in sticking to a given update version and considering that a release: there are -always- important fixes, whether for potential crashes or security vulnerabilities, released after that update, and it really is not a best practice to stick at a certain point in time. We always do a lot of testing on any bugfix update or security fix, and there's no breakage or introduction of incompatibilities within a given OS version. Look at Oracle Linux X update Y as running Oracle Linux X; update Y is just a point in time. ISVs should point out a starting update of what is considered supported or certified, but with the understanding that it implies anything changed from that point on for the same major version X. So if 5.6 is the base certification level, then anything post 5.6 as part of Oracle Linux 5 should be OK, and it makes sense to try to remain as current as possible.

-3- An errata update, an update of a given package, either because of a bugfix or a security vulnerability fix.

At any point in time during the lifetime of a major OS version (OL5, OL6, ...) we obviously fix bugs or address security issues. These fixes are introduced in a continuous stream of updates for each major OS. They always update the minor digits of the package version, for instance the kernel: 2.6.39-300.0.1 to 2.6.39-300.0.2 etc. They do not introduce behavior changes or impact how an application runs; they make things more stable and secure. We try not to do this more often than necessary. It is highly recommended to apply these updates soon after they are released, most critically the kernel and glibc ones, as they are under every application.
Of course, with Ksplice updates we make kernel updates a breeze, since there's no reboot involved. And as mentioned in -2-, these errata are regularly bundled into a newer snapshot of the OS. What's the take-away here? We recommend you look at an update release as a starting point, not as a product version, and we highly recommend customers and partners to be as current as possible in applying errata packages on their OS. It makes things more stable... it contains fixes... it contains patched security vulnerabilities... those all seem rather important to keep in mind. So often, a customer service request comes into the support organization and it's a problem that's known and fixed in an errata: downtime that could have been prevented by being more current...
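The two rules above (an errata update only moves the release part of a package version, and "Oracle Linux X update Y" as a minimum means X at update Y or newer) are easy to get wrong with plain string comparison. The following is an added example, not Oracle's or rpm's own code: a simplified port of rpm's version comparison (the '~' and '^' rules of newer rpm are left out), plus the update-level rule from the post, applied to constructed sample values in the post's kernel numbering style.

```python
import re

# Added example: a simplified port of rpm's rpmvercmp() without '~'/'^' handling.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does.

    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal.
    Strings are split into runs of digits or letters; digits compare
    numerically, letters lexically, and a numeric segment beats an
    alphabetic one.  If all shared segments match, the longer string wins.
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def parse_nvr(nvr: str):
    """Split 'kernel-uek-2.6.39-300.0.2.el6uek' into (name, version, release)."""
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    return tuple(parts)


def meets_errata_level(installed_nvr: str, minimum_nvr: str) -> bool:
    """True when the installed package is at or above the minimum errata level.

    Version is compared first, then release.  An errata update of the kind
    the post describes (2.6.39-300.0.1 -> 2.6.39-300.0.2) only moves the
    release, so the comparison has to look at both fields.  Epoch is ignored.
    """
    name_i, ver_i, rel_i = parse_nvr(installed_nvr)
    name_m, ver_m, rel_m = parse_nvr(minimum_nvr)
    if name_i != name_m:
        raise ValueError(f"comparing different packages: {name_i} vs {name_m}")
    c = rpmvercmp(ver_i, ver_m)
    if c == 0:
        c = rpmvercmp(rel_i, rel_m)
    return c >= 0


def update_level_ok(installed: str, minimum: str) -> bool:
    """Apply the 'Oracle Linux X update Y' rule from the post.

    'X.Y' as a minimum means: same major release X, update level Y or newer.
    A different major (6.4 against a 5.6 minimum) never satisfies it, because
    each major release is a separate product.
    """
    major_i, update_i = (int(p) for p in installed.split("."))
    major_m, update_m = (int(p) for p in minimum.split("."))
    return major_i == major_m and update_i >= update_m


if __name__ == "__main__":
    # Constructed sample values in the post's kernel numbering style.
    print(meets_errata_level("kernel-uek-2.6.39-300.0.2.el6uek",
                             "kernel-uek-2.6.39-300.0.1.el6uek"))  # True
    print(update_level_ok("5.9", "5.6"), update_level_ok("6.4", "5.6"))  # True False
```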


Oracle VM templates for Database 12c 12.1.0.1.0, both single instance and RAC

Today we made available a few new Oracle VM templates on edelivery: a set of VM templates for database 12c and another set for database 11g 11.2.0.3.7. You can find more information on the OTN pages here. A very important new feature added is the ability to deploy a single instance database. In the past the database templates were focused on RAC (Real Application Clusters) deployments, but because of popular demand we also added support for Single Instance. With Single Instance you can create a new VM with the database up and running in a matter of a few (very few) minutes, and with a very simple config file.

Example config file for single instance:

$ cat netconfig.ini
NODE1=dbsingle1
NODE1IP=192.168.1.72
PUBADAP=eth0
PUBMASK=255.255.255.0
PUBGW=192.168.1.1
DOMAINNAME=wimmekes.net # May be blank
DNSIP=8.8.8.8 # Starting from 2013 Templates allows multi value
CLONE_SINGLEINSTANCE=yes # Setup Single Instance

That's literally it. You don't need to do anything other than run a few Oracle VM CLI or UI commands and run deploycluster, and you're all set. After a few minutes, the VM will be pingable and you can run sqlplus against the database running inside the VM.

If you use the CLI, here is a sample workflow:

- import the template: importtemplate repository name=[reponame] url=[http://myurl/template.tbz] server=[servername]
- create a vm from the template: clone vm name=[templatename] destType=Vm destName=[vmname] serverpool=[serverpoolname]
- create a new vnic: create vnic name=[macaddress] network=[network] (list network will show you the various networks)
- remove the old vnics (you could rename or alter one, but to simplify I just remove the old vnics of the cloned vm and add the newly created one): remove vnic name=[macaddr] from vm name=[vmname]
- show vm name=[vmname] to see the attached vnics

And that's it, now you can use that netconfig.ini example, edit it for your environment and run deploycluster:
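A netconfig.ini with a gateway outside the node's subnet or a node address that is the broadcast address produces a VM that boots fine but never becomes pingable. The following is an added example, not part of the templates or the deploycluster tool: a parser for the KEY=VALUE format shown above (inline "#" comments included) and a pre-deployment sanity check. The required-key list and the comma/whitespace separation for multi-value DNSIP are assumptions; the template documentation is authoritative.

```python
import ipaddress
import re

# Constructed sample: the netconfig.ini from the post, reproduced as test input.
SAMPLE_NETCONFIG = """\
NODE1=dbsingle1
NODE1IP=192.168.1.72
PUBADAP=eth0
PUBMASK=255.255.255.0
PUBGW=192.168.1.1
DOMAINNAME=wimmekes.net # May be blank
DNSIP=8.8.8.8 # Starting from 2013 Templates allows multi value
CLONE_SINGLEINSTANCE=yes # Setup Single Instance
"""

# Keys a single-instance deployment cannot do without (assumption based on the
# sample above; the template's own documentation is authoritative).
REQUIRED_KEYS = ("NODE1", "NODE1IP", "PUBADAP", "PUBMASK", "PUBGW")


def parse_netconfig(text: str) -> dict:
    """Parse KEY=VALUE lines; '#' starts a comment, including after a value."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def validate_netconfig(cfg: dict) -> list:
    """Return a list of problems; an empty list means the file looks deployable.

    Checks the things that leave a freshly cloned VM unreachable: missing keys,
    malformed addresses, a gateway outside the node's subnet, a node address
    that is the network or broadcast address, and unparsable DNS entries.
    """
    problems = [f"missing required key {k}" for k in REQUIRED_KEYS if not cfg.get(k)]
    if problems:
        return problems
    try:
        node_ip = ipaddress.ip_address(cfg["NODE1IP"])
        gateway = ipaddress.ip_address(cfg["PUBGW"])
        # ip_network accepts the dotted netmask form used by netconfig.ini.
        subnet = ipaddress.ip_network(f"{node_ip}/{cfg['PUBMASK']}", strict=False)
    except ValueError as exc:
        return [f"bad address or mask: {exc}"]
    if gateway not in subnet:
        problems.append(f"PUBGW {gateway} is not inside {subnet}")
    elif gateway == node_ip:
        problems.append("PUBGW is the same address as NODE1IP")
    if node_ip in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"NODE1IP {node_ip} is the network or broadcast address of {subnet}")
    # DNSIP may hold several servers; comma or whitespace separation is assumed.
    for entry in filter(None, re.split(r"[,\s]+", cfg.get("DNSIP", ""))):
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"DNSIP entry {entry!r} is not an IP address")
    if cfg.get("CLONE_SINGLEINSTANCE", "no").lower() not in ("yes", "no"):
        problems.append("CLONE_SINGLEINSTANCE must be yes or no")
    return problems


if __name__ == "__main__":
    parsed = parse_netconfig(SAMPLE_NETCONFIG)
    print(parsed)
    print(validate_netconfig(parsed) or "netconfig.ini looks deployable")
```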


The Ksplice differentiator

It's been exactly two years since we acquired a small startup called Ksplice. Ksplice as a company created the zero downtime update technology for the Linux kernel, and they provided a service to their customers which tracked Linux kernel security fixes and provided these fixes as zero downtime Ksplice updates. Essentially the Ksplice technology allows us to create Linux kernel patches that can be applied online. We are not talking about the ability to install a patch while the system is running and make it active after a reboot. We are talking about a running system with a given kernel being patched and this patch becoming active instantly, without the need for a costly reboot (costly in terms of the downtime caused by a reboot that has to be scheduled or coordinated, with systems and applications unavailable during that time). We offer this service as part of Oracle Linux Premier (and Premier Limited) support; there's no extra-cost add-on option for this, anyone with Premier/Premier Limited has full access to this service. We support both what we call the Red Hat Compatible Kernel (RHCK) and the Unbreakable Enterprise Kernel (UEK). So whether a customer starts from RHEL, from OL with RHCK or OL with UEK, they're covered. Essentially, when we release security errata for Oracle Linux, specifically for the Linux kernel itself, we release, as usual, a new kernel RPM; customers can just apply this RPM, reboot the server and they have the errata applied/active. Or, if they install the Ksplice update, then we provide what we call Ksplice zero downtime patches for each of the security fixes, and these can be applied to their running systems without a reboot, with the fixes active/effective immediately.
This can be done while production applications continue to run, at any point during the day or night, with no need to bring applications down or do any specific planning. Aside from continuing the model of providing a service for security updates, we have since done a few additional things for our customers: 1) We integrated the Ksplice portal with the Unbreakable Linux Network (ULN). When a customer logs into ULN they can generate a Ksplice key, or when they run up2date to register a system they can automatically set it up to be enabled for the Ksplice tools. So there is no longer a need to have a separate registration, one with ULN and one with the Ksplice update server; we now do this behind the scenes. The customer can then install the uptrack tools (these are the tools that download and apply the updates) and be ready to apply the updates. You can read more about that here. 2) While the above made it very convenient, it still meant that every server had to connect directly to servers hosted by us (oracle.com), and for many customers it's very difficult to have servers in a datacenter be directly connected or have direct access to the internet. So to help these customers we created the offline client. A customer can create a local yum repository which contains RPMs that contain the Ksplice updates for a given kernel, and then distribute the updates locally within the company from a server on the intranet. This makes it easier to have one system that is registered with our system instead of having to register each server individually. You can read more about that here. Now, there is another fundamental use case for the Ksplice technology that we have incorporated in the Oracle Linux support service. We obviously have a large and rapidly growing customer base that runs mission critical systems on Oracle Linux: database servers running on top of Oracle Linux, WebLogic servers, Oracle Applications, etc.
In order to provide the very best customer experience, we have trained our engineers on the Oracle Linux side to make use of Ksplice technology to gather diagnostics and even fix specific problems. Imagine a server that cannot have downtime while we are working on diagnosing a problem. In some cases, we would typically create a kernel with some extra debug or diagnostics code and provide this to the customer; they then schedule a reboot to apply this kernel, they run their system, and after gathering the data they re-install the original kernel and continue. Then, if we find the issue and have a fix for it, we can provide them with a kernel that has the fix, and they have to schedule downtime, apply the fix and reboot. Typically these systems are interconnected. What do I mean by that? Typically a database server has an application frontend; these are multi-tiered environments, where you have, for instance, 3 middle tier servers connecting to a database server. So in order to reboot the database server, the application admin has to first schedule downtime for the app and bring down the app, then the database admin can bring down the database, and then the sysadmin can reboot the server. Yes, it's that complex. So if you have to do three reboots, you can imagine the cost of that and the time impact. It's not just about a quick reboot of the server; there's a whole ecosystem that goes along with it. In our case, when a customer has a critical production ticket open with us for their database server, we can do the following: 1) if we cannot get diagnostics without adding code to the Linux kernel, we can create a Ksplice update for the diagnostics and provide this Ksplice update. The customer can then apply this update onto their production system, without any downtime whatsoever.
(1 reboot saved on the backend, and an application shutdown saved for each app) 2) once we have gathered the diagnostics, we can ask the customer to UNDO this Ksplice update, without downtime; the technology supports applying and removing patches online. (2 reboots saved, and again an application shutdown saved for each app) 3) if we then determine what the problem is and come up with a patch/bugfix, we can create a Ksplice update for this fix and let the customer apply it on their production system, again without downtime and without any additional work. (3 reboots saved, and yet again an application shutdown saved for each app) This service is only provided in critical situations. We apply this model internally (1) on our own production systems that run Oracle Linux and (2) to provide fixes to customers running engineered systems like Exadata and Exalogic. Another thing that is important to point out is that you do not have to reboot your system in order to start using this service. An existing environment that's up and running can be made Ksplice ready by just installing a few additional tools, no reboot needed. Once the tools are installed they can be used to apply the updates to your currently running system, so even prepping the server is without downtime. Some customers have procedures in place that apply security updates on a regular basis, and as such they don't always want or need to be current the moment a security update is released, so they might have less use for the security update service but can certainly still rely very much on the latter model of fixing critical issues. Other customers have very strict requirements to patch vulnerabilities as soon as possible; for them, the service we offer by releasing security errata both as a separate kernel RPM and as a Ksplice update is just absolutely invaluable.
They are released at the same time, so you can be constantly up to date without worry. Let me give you an example using Oracle Linux 5: I went to the extreme and installed Oracle Linux 5 update 4 (released 9-3-2009). I installed the Ksplice uptrack tools and, without doing any reboot, I can now start updating my system using uptrack-upgrade. A timed 50 seconds later, the following errata updates were applied on this running system (without any impact on any running applications):

That's 190 kernel fixes that were released between 2009 and now, applied in one go, on a running system. When I go and look at the number of kernels we have released to customers for this version since 2009, I find just over 60 kernel RPMs. So that means, if you wanted to be current using the traditional model of applying kernel updates, the model used by the other Linux vendors (or any other OS for that matter), you'd have scheduled 60 reboots on your servers (for each server, with all the multi-tiered complexities), or if you did it once every several months, still at least 6-10 reboots per server. Now, with us, 0. Rebootless updates, active when installed, not after reboot.
Zero downtime updates, active when installed, not after reboot.
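To turn an uptrack run like the one above into a CVE inventory for patch reporting, here is an added Python example (not Ksplice or Oracle tooling); it assumes one "Installing [id] ..." record per line and its sample records are copied from this post.

```python
"""Turn Ksplice uptrack 'Installing [...]' output into a CVE inventory.
Added example (not Ksplice/Oracle tooling); assumes one record per line in
the form 'Installing [id] CVE-YYYY-NNNN[, CVE-...]: description', or
'Installing [id] description' for fixes that carry no CVE."""
import re
from collections import Counter

LINE_RE = re.compile(r"^Installing \[(?P<uid>[0-9a-z]{8})\] (?P<rest>.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: a few records copied from the uptrack run in the post.
SAMPLE = """\
Installing [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Installing [ofrder8l] Hangs using direct I/O with XFS filesystem.
Installing [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Installing [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Installing [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
"""

def parse_uptrack(text):
    """One dict per 'Installing' line: update id, list of CVEs, description."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # prompts, banners, other noise
        rest = m.group("rest")
        head, sep, desc = rest.partition(": ")
        cves = CVE_RE.findall(head) if sep else []   # several CVEs may share one fix
        # A record with no CVE prefix is a plain stability fix; keep the whole text.
        records.append({"uid": m.group("uid"), "cves": cves,
                        "desc": desc if cves else rest})
    return records

def summarize(records):
    """Fix count, CVE count, CVEs per year, and fixes that carry no CVE."""
    per_year = Counter(c.split("-")[1] for r in records for c in r["cves"])
    return {"fixes": len(records), "cves": sum(per_year.values()),
            "per_year": dict(per_year),
            "no_cve": sum(1 for r in records if not r["cves"])}

def grep_fixes(records, term):
    """Records whose description mentions term (case-insensitive), e.g. to
    answer 'which of the applied fixes were privilege escalations?'"""
    return [r for r in records if term.lower() in r["desc"].lower()]

if __name__ == "__main__":
    recs = parse_uptrack(SAMPLE)
    print(summarize(recs))                # {'fixes': 5, 'cves': 5, ...}
    for r in grep_fixes(recs, "privilege escalation"):
        print(r["uid"], ", ".join(r["cves"]), r["desc"])
```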

It's been exactly two years since we acquired a small startup called Ksplice. Ksplice as a company created the zero downtime update technology for the Linux kernel and they provided a service to their...

easily install Oracle RDBMS 12cR1 on Oracle Linux 6

This week we released the latest version of our database, Oracle database 12c Release 1. To make it very easy for people to start using it or trying it out, we already created the oracle-rdbms preinstall RPM and uploaded it to both ULN and public-yum.

So in order to start the database install without trouble, these few simple steps will get you going:

If you want to create a virtual machine:
- Download Oracle VM VirtualBox from virtualbox.org, or
- Download Oracle VM Server from edelivery

- Download Oracle Linux from edelivery

You can do a minimal installation of OL6, or any other installation that you prefer (Desktop, Workstation, etc). By default, if you don't register with ULN, the install will point to our free public-yum repository with all the latest RPMs (errata, bugfixes, ...). It might make sense to run yum update, although you don't really have to.

Then just install the oracle-rdbms-server-preinstall RPM and your OS is completely configured to start the Oracle database installer. Simply type yum install oracle-rdbms-server-12cR1-preinstall and it will download all required dependencies, create the oracle user id, modify sysctl.conf and modify limits.conf.

Next, download the 12c R1 software, start the installer and you're good to go. We make it easy, or at least try to :). Enjoy.


ovm_utils 0.6.5

Finally found some time to play with ovm_utils again and added another little tool to the package. ovm_utils is a collection of little tools I wrote over the last year or two. They can help make command line use a little easier. Of course we have since introduced a real ovm_cli in Oracle VM Manager 3.1, which is officially part of the product and officially supported. ovm_utils is provided as-is, for fun. If you find them useful, great, if not, oh well :-)

ovm_logger (there's also a man page as part of the utilities, man/man8/...) is a little tool that you can run as a daemon or just as a log dump tool. Oracle VM Manager runs most of its tasks as jobs and handles most responses as events, so we have a joblog and an eventlog in the Oracle VM Manager database. When an action occurs from the UI, or when an error gets reported from an agent, it creates jobs and events. If you run ovm_logger with -d, it will just start up, open the joblog and eventlog and dump the history to stdout, complete with the timestamp of when each entry occurred. You probably want to redirect that output to a file because it can be a lot of data. If you run ovm_logger by itself (without -d), it starts logging events and jobs as of the time you start the tool. Any new job or event that occurs from then on will be displayed, until you cancel the tool, kill it or use ctrl-c.

Examples:
./ovm_logger -u admin -p MyPassword -h localhost -X -d > /tmp/logoutput
./ovm_logger -u admin -p MyPassword -h localhost -X

# ./ovm_logger -u admin -p Manager1 -h localhost -X
Oracle VM Log utility 0.6.4.
Connecting with a secure connection.
Connected.
Tue Jun 11 03:48:34 PDT 2013 Oracle VM Log
Tue Jun 11 03:48:34 PDT 2013 Oracle VM Manager Version : 3.2.3.521
Tue Jun 11 03:48:34 PDT 2013 Oracle VM Manager IP : 192.168.1.5
Tue Jun 11 03:48:34 PDT 2013 Oracle VM Manager UUID : 0004fb0000010000b66b471827b0b09d
Tue Jun 11 03:49:04 PDT 2013 Job - Rediscover Server wcoekaer-srv1
Tue Jun 11 03:49:29 PDT 2013 Job - Refresh File Server srv4nfs
Tue Jun 11 03:49:39 PDT 2013 Job - Start Virtual Machine ol6u3apitest
Tue Jun 11 03:49:54 PDT 2013 Event - Job Aborted
Tue Jun 11 03:49:54 PDT 2013 (06/11/2013 03:49:51:970 AM)Due to Abort by user: admin
Tue Jun 11 03:49:54 PDT 2013 Job - Discover Server thisonedoesntexist
Tue Jun 11 03:49:54 PDT 2013 []
Tue Jun 11 03:50:29 PDT 2013 Event - Job Internal Error (Operation)
Tue Jun 11 03:50:29 PDT 2013 (06/11/2013 03:50:26:420 AM)OVMAPI_4010E Attempt to send command: get_api_version to server: 192.168.1.10 failed. OVMAPI_4004E Server Failed Command: get_api_version , Status: org.apache.xmlrpc.XmlRpcException: I/O error while communicating with HTTP server: Connection refused [Tue Jun 11 03:50:26 PDT 2013] [Tue Jun 11 03:50:26 PDT 2013]
Tue Jun 11 03:50:29 PDT 2013 Job - Discover Server wcoekaer-srv3
Tue Jun 11 03:50:29 PDT 2013 [{OPERATION_NAME=Discover Manager Server Discover, JOB_STEP=Commit, SERVER_NAME=Unknown, EXIT_STATUS=Failed:OVMAPI_4010E Attempt to send command: get_api_version to server: 192.168.1.10 failed. OVMAPI_4004E Server Failed Command: get_api_version , Status: org.apache.xmlrpc.XmlRpcException: I/O error while communicating with HTTP server: Connection refused [Tue Jun 11 03:50:26 PDT 2013] [Tue Jun 11 03:50:26 PDT 2013], MANAGED_OBJECT_NAME=OVM Foundry : Discover Manager}, {OPERATION_NAME=Discover Manager Server Discover, JOB_STEP=Rollback, SERVER_NAME=Unknown, EXIT_STATUS=DONE, MANAGED_OBJECT_NAME=OVM Foundry : Discover Manager}]

Anyway, it's simple, but it helps to easily do some form of audit on the operations that happened, and it highlights errors in red.

have fun...
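To do the audit the post mentions without reading the whole dump by eye, here is an added Python example (not part of ovm_utils) that pulls aborted and failed jobs out of ovm_logger output; it assumes the line layout shown in the session above, and its sample lines are trimmed from that session.

```python
"""Audit helper for ovm_logger output: flag aborted and failed jobs.
Added example, not part of ovm_utils; assumes the layout the post shows: '<ts> Job - <name>',
'<ts> Event - <name>' then a '(<time>)<reason>' line, and '[{KEY=value, ...}, ...]' steps after a job."""
import re

TS_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}) (?P<body>.*)$")
STEP_RE = re.compile(r"\{(.*?)\}")            # one {...} dict per job step
KV_SPLIT = re.compile(r", (?=[A-Z][A-Z_]*=)")  # split before KEY= only, never inside a value
# Constructed sample, trimmed from the ovm_logger session in the post.
SAMPLE = """\
Connected.
Tue Jun 11 03:49:39 PDT 2013 Job - Start Virtual Machine ol6u3apitest
Tue Jun 11 03:49:54 PDT 2013 Event - Job Aborted
Tue Jun 11 03:49:54 PDT 2013 (06/11/2013 03:49:51:970 AM)Due to Abort by user: admin
Tue Jun 11 03:49:54 PDT 2013 Job - Discover Server thisonedoesntexist
Tue Jun 11 03:49:54 PDT 2013 []
Tue Jun 11 03:50:29 PDT 2013 Event - Job Internal Error (Operation)
Tue Jun 11 03:50:29 PDT 2013 (06/11/2013 03:50:26:420 AM)OVMAPI_4010E Attempt to send command: get_api_version to server: 192.168.1.10 failed.
Tue Jun 11 03:50:29 PDT 2013 Job - Discover Server wcoekaer-srv3
Tue Jun 11 03:50:29 PDT 2013 [{OPERATION_NAME=Discover Manager Server Discover, JOB_STEP=Commit, SERVER_NAME=Unknown, EXIT_STATUS=Failed:OVMAPI_4010E Attempt to send command: get_api_version to server: 192.168.1.10 failed. OVMAPI_4004E Server Failed Command: get_api_version , Status: Connection refused, MANAGED_OBJECT_NAME=OVM Foundry : Discover Manager}, {OPERATION_NAME=Discover Manager Server Discover, JOB_STEP=Rollback, SERVER_NAME=Unknown, EXIT_STATUS=DONE, MANAGED_OBJECT_NAME=OVM Foundry : Discover Manager}]
"""

def parse_steps(body):
    """'[{OPERATION_NAME=..., EXIT_STATUS=Failed:...}, {...}]' -> list of dicts."""
    steps = []
    for block in STEP_RE.findall(body):
        pairs = (kv.partition("=") for kv in KV_SPLIT.split(block))
        steps.append({k.strip(): v.strip() for k, _, v in pairs})
    return steps

def audit(text):
    """Abort/error events (plus their reason line) and every job step whose EXIT_STATUS is not DONE."""
    findings, current_job = [], None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue                      # 'Connected.' and other banner lines
        ts, body = m.group("ts"), m.group("body")
        if body.startswith("Job - "):
            current_job = body[len("Job - "):]          # the step list that follows belongs to it
        elif body.startswith("Event - ") and ("Aborted" in body or "Error" in body):
            findings.append({"ts": ts, "kind": "event", "detail": body[len("Event - "):]})
        elif body.startswith("(") and findings and findings[-1]["kind"] == "event":
            findings[-1].setdefault("reason", body.partition(")")[2])
        elif body.startswith("[{"):
            for step in parse_steps(body):
                if step.get("EXIT_STATUS", "DONE") != "DONE":
                    findings.append({"ts": ts, "kind": "step", "job": current_job,
                                     "step": step.get("JOB_STEP"), "detail": step["EXIT_STATUS"]})
    return findings
```

Since ovm_logger takes the manager password on its command line, as in the examples above, keep the dump file readable only by whoever runs the audit: it records manager addresses, server names and the full error text of every failed job.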

