Oracle Linux, virtualization, Enterprise and Cloud Management. Cloud technology musings

  • August 9, 2018

Oracle Ksplice for Oracle Linux in Oracle Cloud

My favorite topic.. Ksplice! Just a friendly reminder that every Oracle Linux instance in Oracle Cloud comes with Oracle Ksplice installed and enabled by default, at no additional cost beyond basic compute.

When you run an OL instance, the uptrack tools are already on the base image (uptrack-upgrade, uptrack-uname, etc.). The config file (/etc/uptrack/uptrack.conf) contains an access key that lets any cloud instance talk to our Ksplice service without registration. So as soon as you log into your system you can run # uptrack-upgrade or # uptrack-show .

uptrack doesn't run automatically by default. You are expected to manually run # uptrack-upgrade . What this does is the following: it contacts our service, looks up which Ksplice patches are available for your running kernel, and asks if you want to install them. If you add -y, it will go ahead and install whatever is available without prompting you.

uptrack-show lists the patches that are already applied on your running kernel/system.

uptrack-uname shows the 'effective' kernel version, that is, the kernel version you are effectively updated to with respect to the relevant CVEs and critical issues.

Here's a concrete example of my OCI instance:
# uname -a
Linux devel 4.1.12-124.14.5.el7uek.x86_64 #2 SMP Fri May 4 15:26:53 PDT 2018 x86_64 x86_64 x86_64 GNU/Linux

My instance runs UEK R4 (4.1.12-124.14.5); that's the actual RPM that's installed and the actual kernel I booted the instance with.
# uptrack-uname -a
Linux devel 4.1.12-124.15.1.el7uek.x86_64 #2 SMP Tue May 8 16:27:00 PDT 2018 x86_64 x86_64 x86_64 GNU/Linux

I already ran uptrack-upgrade before, so a number of patches are already applied, bringing the instance up to the same level as 4.1.12-124.15.1. So instead of installing the 4.1.12-124.15.1 kernel-uek RPM and rebooting, running uptrack-upgrade a while back got me right to that level without affecting my availability one bit.

I did not enable auto-install, and since I ran that command a while back I have not run it again. A good number of (some serious) CVEs have been fixed and released since, so it's time to update... but I so hate reboots! Luckily, no need.

What's already installed? Let's see...
# uptrack-show
Installed updates:
[1zkgpvff] KAISER/KPTI enablement for Ksplice.
[1ozdguag] Improve the interface to freeze tasks.
[nw9iml90] CVE-2017-15129: Use-after-free in network namespace when getting namespace ids.
[i9x5u5uf] CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets.
[dwwke2ym] CVE-2017-7294: Denial-of-service when creating surface using DRM driver for VMware Virtual GPU.
[cxke2gao] CVE-2017-15299: Denial-of-service in uninstantiated key configuration.
[nwtwa8b3] CVE-2017-16994: Information leak when using mincore system call.
[hfehp9m0] CVE-2017-17449: Missing permission check in netlink monitoring.
[7x9spq2j] CVE-2017-17448: Unprivileged access to netlink namespace creation.
[lvyij5z2] NULL pointer dereference when rebuilding caches in Reliable Datagram Sockets protocol.
[s31vmh6q] CVE-2017-17741: Denial-of-service in kvm_mmio tracepoint.
[3x6jix1s] Denial-of-service of KVM L1 nested hypervisor when exiting L2 guest.
[d22dawa6] Improved CPU feature detection on microcode updates.
[fszq2l5k] CVE-2018-3639: Speculative Store Bypass information leak.
[58rtgwo2] Device Mapper encrypted target Support big-endian plain64 IV.
[oita8o1p] CVE-2017-16939: Denial-of-service in IPSEC transform policy netlink dump.
[qenhqrfo] CVE-2017-1000410: Information leak in Bluetooth L2CAP messages.
[965vypan] CVE-2018-10323: NULL pointer dereference when converting extents-format to B+tree in XFS filesystem.
[drgt70ax] CVE-2018-8781: Integer overflow when mapping memory in USB Display Link video driver.
[fa0wqzlw] CVE-2018-10675: Use-after-free in get_mempolicy due to incorrect reference counting.
[bghp5z31] Denial-of-service in NFS dentry invalidation.
[7n6p7i4h] CVE-2017-18203: Denial-of-service during device mapper destruction.
[okbvjnaf] CVE-2018-6927: Integer overflow when re queuing a futex.
[pzuay984] CVE-2018-5750: Information leak when registering ACPI Smart Battery System driver.
[j5pxwei9] CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable Datagram Sockets driver.

Effective kernel version is 4.1.12-124.15.1.el7uek

So the above patches were installed last time. Quite a few! All applied without affecting availability.

OK, what else is available... a whole bunch; best apply them!
# uptrack-upgrade
The following steps will be taken:
Install [f9c8g2hm] CVE-2018-3665: Information leak in floating point registers.
Install [eeqhvdh8] Repeated IBRS/IBPB noise in kernel log on Xen Dom0 or old microcode.
Install [s3g55ums] DMA memory exhaustion in Xen software IO TLB.
Install [nne9ju4x] CVE-2018-10087: Denial-of-service when using wait() syscall with a too big pid.
Install [3xsxgabo] CVE-2017-18017: Use-after-free when processing TCP packets in netfliter TCPMSS target.
Install [rt4hra3j] CVE-2018-5803: Denial-of-service when receiving forged packet over SCTP socket.
Install [2ycvrhs6] Improved fix to CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.
Install [rjklau8v] Incorrect sequence numbers in RDS/TCP.
Install [qc163oh5] CVE-2018-10124: Denial-of-service when using kill() syscall with a too big pid.
Install [5g4kpl3f] Denial-of-service when removing USB3 device.
Install [lhr4t7eg] CVE-2017-7616: Information leak when setting memory policy.
Install [mpc40pom] CVE-2017-11600: Denial-of-service in IP transformation configuration.
Install [s77tq4wi] CVE-2018-1130: Denial-of-service in DCCP message send.
Install [fli7048b] Incorrect failover group parsing in RDS/IP.
Install [lu9ofhmo] Kernel crash in OCFS2 Distributed Lock Manager lock resource initialization.
Install [dbhfmo13] Fail-over delay in Reliable Datagram Sockets.
Install [7ag5j1qq] Device mapper path setup failure on queue limit change.
Install [8l28npgh] Performance loss with incorrect IBRS usage when retpoline enabled.
Install [sbq777bi] Improved fix to Performance loss with incorrect IBRS usage when retpoline enabled.
Install [ls429any] Denial-of-service in RDS user copying error.
Install [u79kngd9] Denial of service in RDS TCP socket shutdown.

Go ahead [y/N]? y
Installing [f9c8g2hm] CVE-2018-3665: Information leak in floating point registers.
Installing [eeqhvdh8] Repeated IBRS/IBPB noise in kernel log on Xen Dom0 or old microcode.
Installing [s3g55ums] DMA memory exhaustion in Xen software IO TLB.
Installing [nne9ju4x] CVE-2018-10087: Denial-of-service when using wait() syscall with a too big pid.
Installing [3xsxgabo] CVE-2017-18017: Use-after-free when processing TCP packets in netfliter TCPMSS target.
Installing [rt4hra3j] CVE-2018-5803: Denial-of-service when receiving forged packet over SCTP socket.
Installing [2ycvrhs6] Improved fix to CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.
Installing [rjklau8v] Incorrect sequence numbers in RDS/TCP.
Installing [qc163oh5] CVE-2018-10124: Denial-of-service when using kill() syscall with a too big pid.
Installing [5g4kpl3f] Denial-of-service when removing USB3 device.
Installing [lhr4t7eg] CVE-2017-7616: Information leak when setting memory policy.
Installing [mpc40pom] CVE-2017-11600: Denial-of-service in IP transformation configuration.
Installing [s77tq4wi] CVE-2018-1130: Denial-of-service in DCCP message send.
Installing [fli7048b] Incorrect failover group parsing in RDS/IP.
Installing [lu9ofhmo] Kernel crash in OCFS2 Distributed Lock Manager lock resource initialization.
Installing [dbhfmo13] Fail-over delay in Reliable Datagram Sockets.
Installing [7ag5j1qq] Device mapper path setup failure on queue limit change.
Installing [8l28npgh] Performance loss with incorrect IBRS usage when retpoline enabled.
Installing [sbq777bi] Improved fix to Performance loss with incorrect IBRS usage when retpoline enabled.
Installing [ls429any] Denial-of-service in RDS user copying error.
Installing [u79kngd9] Denial of service in RDS TCP socket shutdown.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-124.17.2.el7uek

Done!

I now have a total of 46 Ksplice updates applied on this running kernel.
# uptrack-uname -a
Linux devel 4.1.12-124.17.2.el7uek.x86_64 #2 SMP Tue Jul 17 20:28:07 PDT 2018 x86_64 x86_64 x86_64 GNU/Linux

Current to the 'latest' UEKR4 version in terms of CVEs.

Note that these patches don't provide driver 'updates' and the like, only critical fixes and security fixes, so the kernel is not -identical- to the 4.1.12-17.2 kernel in every sense. But as far as the bad things that could happen are concerned, your running system certainly is at that level!

Since I don't want to forget to run the update, I am just going to enable Ksplice to run through a cron job. Just edit /etc/uptrack/uptrack.conf and change autoinstall = no to autoinstall = yes.

A few other things:

When Ksplice patches are installed and you do end up rebooting, the installed patches will automatically be applied again at boot time if you reboot into the same original kernel. Note: it will not automatically go look for new patches.

If you also want it to check for new updates at boot, uncomment the line #upgrade_on_reboot = yes (remove the leading #) and that will make it happen.

I removed all installed Ksplice updates (online, using # uptrack-remove --all) and will now time reapplying all 46:
# time uptrack-upgrade -y
...
real 0m11.705s
user 0m4.273s
sys  0m4.807s

So 11.7 seconds to apply all 46. The patches are applied one after the other; there is no system halt for anything like that long. For each individual patch the system halts for just a few microseconds (not noticeable), followed by a short pause before continuing to the next, but that pause is in the uptrack tool itself, not your server instance.

So enable autoinstall, enable upgrade_on_reboot = yes, and you have an Oracle Linux system that you can just leave running and that stays current with CVEs/critical fixes automatically, without you having to worry... autonomous Oracle Linux patching. Pretty cool!
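As an added example that is not part of the original post, here is a POSIX sh script that turns the checks in this post into reusable functions: it compares the booted and effective kernel from uname -a / uptrack-uname -a output, counts the applied updates and CVE fixes in uptrack-show output, and verifies (or rewrites) the two uptrack.conf settings, autoinstall and upgrade_on_reboot. All sample text is constructed to mirror this post; the config sample contains only those two keys, and on a live instance you would feed "$(uptrack-show)" and /etc/uptrack/uptrack.conf instead.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OCI Oracle Linux
# instance's Ksplice state and uptrack.conf settings from captured text.
# All samples below are constructed; substitute live command output.
BOOTED='Linux devel 4.1.12-124.14.5.el7uek.x86_64 #2 SMP Fri May 4 15:26:53 PDT 2018 x86_64 GNU/Linux'
EFFECTIVE='Linux devel 4.1.12-124.15.1.el7uek.x86_64 #2 SMP Tue May 8 16:27:00 PDT 2018 x86_64 GNU/Linux'
SAMPLE_SHOW='Installed updates:
[1zkgpvff] KAISER/KPTI enablement for Ksplice.
[nw9iml90] CVE-2017-15129: Use-after-free in network namespace when getting namespace ids.
[fszq2l5k] CVE-2018-3639: Speculative Store Bypass information leak.
Effective kernel version is 4.1.12-124.15.1.el7uek'
SAMPLE_CONF='autoinstall = no
#upgrade_on_reboot = yes'

# Kernel release is the third field of a uname -a style line.
kernel_release() { printf '%s\n' "$1" | awk '{ print $3 }'; }

# "live-patched" when the effective kernel differs from the booted RPM,
# otherwise "no live patches" (nothing applied, or booted kernel is current).
ksplice_status() {
    [ "$(kernel_release "$1")" = "$(kernel_release "$2")" ] && echo "no live patches" || echo "live-patched"
}

# Number of applied updates, and how many of them carry a CVE identifier.
count_updates() { printf '%s\n' "$1" | grep -c '^\[[a-z0-9]*\] ' || true; }
count_cves()    { printf '%s\n' "$1" | grep -c '^\[[a-z0-9]*\] CVE-' || true; }

# Effective kernel version as reported at the end of uptrack-show.
effective_kernel() { printf '%s\n' "$1" | sed -n 's/^Effective kernel version is //p'; }

# True only when autoinstall = yes and upgrade_on_reboot = yes is uncommented.
conf_is_autonomous() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes' &&
    printf '%s\n' "$1" | grep -q '^[[:space:]]*upgrade_on_reboot[[:space:]]*=[[:space:]]*yes'
}

# Emit the config with autoinstall switched on and upgrade_on_reboot uncommented.
harden_conf() {
    printf '%s\n' "$1" | sed \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=.*/autoinstall = yes/' \
        -e 's/^[[:space:]]*#[[:space:]]*\(upgrade_on_reboot[[:space:]]*=[[:space:]]*yes\)/\1/'
}

# Stand-alone run: summarise the constructed samples.
echo "$(ksplice_status "$BOOTED" "$EFFECTIVE"): $(count_updates "$SAMPLE_SHOW") updates ($(count_cves "$SAMPLE_SHOW") CVEs), effective $(effective_kernel "$SAMPLE_SHOW")"
conf_is_autonomous "$SAMPLE_CONF" || echo "uptrack.conf is not set for autonomous patching"
```

Pipe harden_conf's output to a temporary file and diff it against /etc/uptrack/uptrack.conf before replacing the real file, so the change is reviewed rather than applied blind.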

Some vendors are trying to offer 'live patching', but those offerings don't come even close. It validates the importance of this technology and feature set, but it's not anywhere near a viable alternative.

Have fun!