Ksplice - Install Linux Kernel Updates without Reboot

December 15, 2013

Have you ever seen this message after installing kernel updates?

Reboot

For system administrators, server uptime is important. Production servers that run mission-critical applications must stay up as long as possible. On the other hand, system administrators have to apply patches to keep their servers reliable. If a patch is for an application, the server may not need a reboot. But if the patch is for the kernel, you may need to reboot the server.

The situation is more complicated when you run virtual machines on top of your server. Imagine the host server needs to reboot because the kernel must be patched. How many virtual machines will have downtime because of it? Your customers may be angry if their business application is down for something they don't care about.

So is there any way to apply kernel patches without rebooting the server? Let's take a look.

What is Ksplice

Ksplice is a technology for Linux that applies security updates, diagnostic patches and critical bug fixes without rebooting your system. It preserves your server's uptime: the server keeps running while the kernel is being updated.

Why go rebootless

According to the Ksplice website, the reasons are:

  • Save time and pain by updating in seconds, while your systems are running
  • Avoid downtime
  • Prevent disastrous security incidents by making it easy to stay up to date

    Installing Ksplice

    Ksplice is a feature of Oracle Linux and it is a paid product intended for server environments. However, you can get Ksplice for Ubuntu Desktop and Fedora for free. Before we try Ksplice on a production server, let's try it on a desktop machine to see how it works.

    The first step is to download Ksplice for your distribution. In this article, we are using Ubuntu 13.10 (Saucy Salamander).

    $ wget https://www.ksplice.com/uptrack/dist/saucy/ksplice-uptrack.deb

    Ksplice depends on curl. Install it if you don’t have it.

    $ sudo apt-get install curl

    Then you can install Ksplice by typing

    $ sudo dpkg -i ksplice-uptrack.deb

    If you see errors like this:

    (Reading database ... 172559 files and directories currently installed.)
    Unpacking ksplice-uptrack (from ksplice-uptrack.deb) ...
    dpkg: dependency problems prevent configuration of ksplice-uptrack:
    ksplice-uptrack depends on python-support (>= 0.90.0); however:
    Package python-support is not installed.
    ksplice-uptrack depends on python-yaml; however:
    Package python-yaml is not installed.
    ksplice-uptrack depends on python-glade2; however:
    Package python-glade2 is not installed.
    dpkg: error processing ksplice-uptrack (--install):
    dependency problems - leaving unconfigured
    Processing triggers for ureadahead ...
    Processing triggers for hicolor-icon-theme ...
    Processing triggers for desktop-file-utils ...
    Processing triggers for bamfdaemon ...
    Rebuilding /usr/share/applications/bamf.index...
    Processing triggers for gnome-menus ...
    Processing triggers for man-db ...
    Errors were encountered while processing:
    ksplice-uptrack

    Just run :

    $ sudo apt-get -f install

    to solve the dependency problem. Then try installing Ksplice again. You must agree to the Ksplice Uptrack terms of service to install Ksplice.

    Ksplice agreement

    Ksplice agreement confirmation

    Running Ksplice

    Before running Ksplice, let's check the kernel version before the update. Run this command to see the kernel release:

    $ uname -a
    Linux dev-machine 3.11.0-12-generic #19-Ubuntu SMP Wed Oct 9 16:12:00 UTC 2013 i686 i686 i686 GNU/Linux

    Since servers generally do not have a GUI, we will run Ksplice from the console to stay close to the server experience.

    Show the available updates

    To show the available updates, use this command :

    $ sudo uptrack-show --available

    Available updates:
    [aonnvekn] Clear garbage data on the kernel stack when handling signals.
    [uthtg8fp] Provide an interface to freeze tasks
    [a1f7xpa8] Memory corruption in filesystem buffer management.
    [knhhoik2] Data loss in block device writeback flushing.
    [11v1gntr] Use-after-free in kernel device management.
    [6ag5g3st] Kernel crash in Bluetooth HID reporting.
    [sqzxuzvv] NULL pointer dereference in IPv6 FIB rule addition failure.
    [gyyef88t] NULL pointer dereference in netpoll driver cleanup.
    [l2lqtufh] CVE-2013-4343: Use-after-free in tun driver.
    [7nw7dl7g] CVE-2013-4350: SCTP over IPv6 disables encryption.
    [lbs1aaxp] Kernel crash in Xen netback frontend slot packing.
    [gf0b12o7] NULL pointer dereference in bridge link handling.
    [evsg76kv] NULL pointer dereference in bridge port removal.
    [iu8hccoe] CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.
    [4v9jcdr0] Predictable sequence numbers in network packets.
    [yemzfg9j] Use-after-free in IP tunnel transmission.
    [d9s6clxr] Memory corruption in IP tunnel packet transmission.
    [la85ojyp] Kernel panic in ELF coredumping with large number of mmapped files.
    [x05l09af] Kernel crash in 88pm860x audio codec driver.
    [7f571s8o] Kernel crash and information leak in ab8500 audio codec driver.
    [jfknh36y] Use-after-free in Linux Security Modules.
    [6k88fw2e] NULL pointer dereference with invalid /proc/sys/kernel/core_pattern.
    [fgf4iwve] NULL pointer dereference in NFSv4.1 data server connection failure.
    [j1l1y0zg] Incorrect permission checks on networking sysctls.
    [jjq12vek] NULL pointer dereference in MMC card removal.
    [hmjxigtu] Kernel crash in btrfs backref checking.
    [nkeohosj] Use-after-free in btrfs reference handling.
    [yt3wi9st] NULL pointer dereference in bcache write requests.
    [hm9c6cgx] Denial-of-service in ext4 extended attribute error handling.
    [u768c456] Data loss in ecryptfs on 32-bit systems.
    [ndab5788] Kernel crash in TCP stack with cloned socket buffers.
    [9y33q2oz] Use-after-free in IP TIME_WAIT sockets.
    [03oynojm] Information leak in netlink connector.
    [bydozs03] Soft lockup in L2TP during packet transmission.
    [eg0x7f56] Memory leak in Network Emulator scheduler during queue reset.
    [t0ry8mgk] Information leak in FarSync network driver ioctl.
    [p3s7uvjd] Information leak in Unix socket monitoring interface.
    [1lk6cuv9] Kernel panic in netlink kernel/userspace connector.
    [t6bbl2ss] Information leak in wanXL IF_GET_IFACE ioctl.
    [w626eeyh] Memory corruption in socket buffer.
    [2xnumbhk] Use-after-free in temporary files on ext3 and ext4 filesystems.
    [ugrb1edv] CVE-2013-4299: Information leak in device mapper persistent snapshots.
    [8uy3ixcg] Denial-of-service in transparent huge pages with MADV_DONTNEED madvise().
    [90drovzx] Denial-of-service in 802.11 radiotap packet parsing.

    Effective kernel version is 3.11.0-12.19
    pungki@dev-machine:~$

    As you can see, there are a lot of kernel updates available.
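
The `[id] description` lines printed by `uptrack-show --available` can be parsed to report which pending updates carry a CVE identifier. The script below is an added example, not part of the original article or of Ksplice; its function names are hypothetical and the sample input is a few lines copied from the output above.

```shell
#!/bin/sh
# Added example (not from the article or Ksplice): summarise the output of
# `uptrack-show --available` so pending CVE fixes can be reported or alerted on.
# All function names here are hypothetical helpers.

# Constructed sample: lines copied from the output shown in the article.
sample_output() {
cat <<'EOF'
Available updates:
[aonnvekn] Clear garbage data on the kernel stack when handling signals.
[l2lqtufh] CVE-2013-4343: Use-after-free in tun driver.
[7nw7dl7g] CVE-2013-4350: SCTP over IPv6 disables encryption.
[j1l1y0zg] Incorrect permission checks on networking sysctls.

Effective kernel version is 3.11.0-12.19
EOF
}

# Count every pending update: any line of the form "[id] description".
pending_count() {
  grep -cE '^[[:space:]]*\[[a-z0-9]+\] ' || true
}

# Print "<update-id> <CVE-id>" for updates whose description names a CVE.
pending_cves() {
  sed -nE 's/^[[:space:]]*\[([a-z0-9]+)\] (CVE-[0-9]{4}-[0-9]+):.*/\1 \2/p'
}

# Print the effective kernel version reported at the end of the output.
effective_version() {
  sed -nE 's/^[[:space:]]*Effective kernel version is (.*)$/\1/p'
}

# Read uptrack-show output on stdin; return 1 if any CVE fix is still pending.
report() {
  out=$(cat)
  cves=$(printf '%s\n' "$out" | pending_cves)
  echo "effective kernel: $(printf '%s\n' "$out" | effective_version)"
  echo "pending updates:  $(printf '%s\n' "$out" | pending_count)"
  [ -z "$cves" ] && return 0
  echo "pending CVE fixes:"
  printf '%s\n' "$cves" | sed 's/^/  /'
  return 1
}

# Demo on the constructed sample; on a real host: sudo uptrack-show --available | report
sample_output | report || echo "CVE fixes pending: run uptrack-upgrade"
```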

    Installing the updates

    Once you know which updates are available, the decision is yours. To install the updates, run this command:

    $ sudo uptrack-upgrade

    The following steps will be taken:
    Install [aonnvekn] Clear garbage data on the kernel stack when handling signals.
    Install [uthtg8fp] Provide an interface to freeze tasks
    Install [a1f7xpa8] Memory corruption in filesystem buffer management.
    Install [knhhoik2] Data loss in block device writeback flushing.
    Install [11v1gntr] Use-after-free in kernel device management.
    Install [6ag5g3st] Kernel crash in Bluetooth HID reporting.
    Install [sqzxuzvv] NULL pointer dereference in IPv6 FIB rule addition failure.
    Install [gyyef88t] NULL pointer dereference in netpoll driver cleanup.
    Install [l2lqtufh] CVE-2013-4343: Use-after-free in tun driver.
    Install [7nw7dl7g] CVE-2013-4350: SCTP over IPv6 disables encryption.
    Install [lbs1aaxp] Kernel crash in Xen netback frontend slot packing.
    Install [gf0b12o7] NULL pointer dereference in bridge link handling.
    Install [evsg76kv] NULL pointer dereference in bridge port removal.
    Install [iu8hccoe] CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.
    Install [4v9jcdr0] Predictable sequence numbers in network packets.
    Install [yemzfg9j] Use-after-free in IP tunnel transmission.
    Install [d9s6clxr] Memory corruption in IP tunnel packet transmission.
    Install [la85ojyp] Kernel panic in ELF coredumping with large number of mmapped files.
    Install [x05l09af] Kernel crash in 88pm860x audio codec driver.
    Install [7f571s8o] Kernel crash and information leak in ab8500 audio codec driver.
    Install [jfknh36y] Use-after-free in Linux Security Modules.
    Install [6k88fw2e] NULL pointer dereference with invalid /proc/sys/kernel/core_pattern.
    Install [fgf4iwve] NULL pointer dereference in NFSv4.1 data server connection failure.
    Install [j1l1y0zg] Incorrect permission checks on networking sysctls.
    Install [jjq12vek] NULL pointer dereference in MMC card removal.
    Install [hmjxigtu] Kernel crash in btrfs backref checking.
    Install [nkeohosj] Use-after-free in btrfs reference handling.
    Install [yt3wi9st] NULL pointer dereference in bcache write requests.
    Install [hm9c6cgx] Denial-of-service in ext4 extended attribute error handling.
    Install [u768c456] Data loss in ecryptfs on 32-bit systems.
    Install [ndab5788] Kernel crash in TCP stack with cloned socket buffers.
    Install [9y33q2oz] Use-after-free in IP TIME_WAIT sockets.
    Install [03oynojm] Information leak in netlink connector.
    Install [bydozs03] Soft lockup in L2TP during packet transmission.
    Install [eg0x7f56] Memory leak in Network Emulator scheduler during queue reset.
    Install [t0ry8mgk] Information leak in FarSync network driver ioctl.
    Install [p3s7uvjd] Information leak in Unix socket monitoring interface.
    Install [1lk6cuv9] Kernel panic in netlink kernel/userspace connector.
    Install [t6bbl2ss] Information leak in wanXL IF_GET_IFACE ioctl.
    Install [w626eeyh] Memory corruption in socket buffer.
    Install [2xnumbhk] Use-after-free in temporary files on ext3 and ext4 filesystems.
    Install [ugrb1edv] CVE-2013-4299: Information leak in device mapper persistent snapshots.
    Install [8uy3ixcg] Denial-of-service in transparent huge pages with MADV_DONTNEED madvise().
    Install [90drovzx] Denial-of-service in 802.11 radiotap packet parsing.

    Go ahead [y/N]? Y

    Press “y” to confirm the installation steps. Once it has finished, you will see a message like this:

    Installing [90drovzx] Denial-of-service in 802.11 radiotap packet parsing.
    Your kernel is fully up to date.
    Effective kernel version is 3.11.0-14.21
    pungki@dev-machine:~$

    Verify if the Kernel is Upgraded

    Earlier we captured the kernel version before the installation: the system was running kernel 3.11.0-12-generic (see above). To confirm that your kernel is patched, run this command:

    $ uptrack-uname -a

    Linux dev-machine 3.11.0-14-generic #21-Ubuntu SMP Tue Nov 12 17:07:40 UTC 2013 i686 i686 i686 GNU/Linux

    Now it is running kernel version 3.11.0-14-generic, and all these updates were applied without rebooting.

    Screenshots on GUI

    You can also run Ksplice from the GUI. Here are some screenshots of it on Ubuntu 13.10 (Saucy Salamander).

    Run Ksplice

    Ksplice Uptrack Manager

    Kernel updates

    New updates

    Click the Install all updates button to start the installation.

    Enter root password


    Applying new updates

    Applying updates

    Completing updates

    Kernel up to date!

    Kernel up to date

    Conclusion

    As virtualization and cloud technology become more and more popular, zero downtime is becoming more critical. Ksplice can help you apply kernel updates, patches and critical bug fixes without rebooting your Linux system. For more detail on Ksplice, see its manual page by typing man uptrack on your console, or visit the Ksplice website.
