MONDAY SPOTLIGHT: Patching User Space with Oracle Ksplice

Oracle Ksplice is a powerful tool that allows administrators to increase the speed of deployment of critical patches and helps eliminate downtime.

The Ksplice enhanced client extends the ability of Ksplice to enable in-memory patching of critical user space libraries in Oracle Linux. The ability to patch these libraries in-memory without rebooting not only increases system security but also reduces costly system downtime. Recent exploits such as Heartbleed can be patched automatically without administrator intervention, maintenance windows or downtime. 

Before you enable Ksplice, you need to disable any prelinking of binaries that may have occurred. Oracle Linux 6 systems come with the prelink tool installed by default which must be removed to prevent conflicts with the Ksplice enhanced client. Oracle Linux 7 systems do not have prelink installed by default.

# prelink –au

# yum remove prelink

Installation of the Ksplice enhanced client is simple for Oracle Linux servers that are registered to the Unbreakable Linux Network (ULN).

Login to the ULN web interface, select the system you want to enable Ksplice on, then click on Manage Subscriptions.  Next, enable the Ksplice-aware user space packages channel for that server.

After enabling the Ksplice-aware user space packages channel, use yum to install the Ksplice enhanced client on the server:

# yum install –y ksplice

Once the Ksplice client is installed, retrieve your access key for Ksplice from ULN and add it to the Ksplice configuration by editing /etc/uptrack/uptrack.conf.

Next, use yum to install the Ksplice aware versions of the user space packages installed on your server, without updating any other packages on the system, by running following command:

# yum --disablerepo=* --enablerepo=ol7_x86_64_userspace_ksplice update

A single reboot is required to activate the newly installed Ksplice aware libraries. After you reboot the system once, you will then be able to apply any future patches to both the kernel and critical user space libraries without rebooting. 

In addition to patching both kernel and critical user space packages, Ksplice can also be used as a diagnostic tool by Oracle Support to load diagnostic kernels without rebooting the system. 

The following white paper provides the workflow of using Ksplice as a diagnostic tool with Oracle Support: 

http://www.oracle.com/us/technologies/linux/using-ksplice-wp-2228962.pdf

The full Ksplice User Guide can be found here: 

http://docs.oracle.com/cd/E52668_01/E39380/html/index.html

Are you ready to take back your weekends and increase the security of your systems with Ksplice?

http://ksplice.oracle.com/