
Ksplice: Overview of Enterprise Live Patching Services

November 2, 2020 - TuxCare PR Team

Overview of Enterprise Live Patching services: Spotlight on Ksplice


Before 2008, the only way to install new patches to a Linux kernel was the yum update kernel command, which meant a reboot. It quickly became clear that those running 24/7 servers would be annoyed by constant updates, as would the administrators who had to update hundreds of servers manually. The only way to limit downtime was to delay installation until the weekend, which gave hackers enough time to exploit the vulnerabilities.

The commercial history of kernel live patching started with Ksplice. Nowadays, besides Linux kernels, Ksplice also releases patches for shared libraries and APIs. These patches can be applied live as long as they do not change data structures.

Commercial live patching has grown significantly over the years, with enterprise customers as its top consumers. Nowadays enterprises run a multitude of Linux flavors chosen for specific purposes, which creates heterogeneous networks. As a consumer, you can choose a patch management solution based on its cost-effectiveness and the breadth of its services. If you are in the process of making this decision, this overview of Ksplice concentrates on its installation, deployment and subscription options.

Contents:

  1. The History of Ksplice
  2. How it Works: Persistent vs. Temporary Live Patching
  3. Ksplice Uptrack
  4. How to Install Ksplice Uptrack
  5. How to Update Oracle Linux Kernel Using Ksplice
  6. What is Ksplice Enhanced Client and How to Manage it
  7. Downsides of Ksplice Uptrack
  8. Further Reading on Ksplice
  9. Conclusion

The History of Ksplice

In 2008, Jeff Arnold teamed up with others to find a way to update Linux kernels without rebooting the system and disrupting service. They created Ksplice and launched Ksplice, Inc., which won the Global Security Challenge and the MIT $100K Entrepreneurship Competition. Ksplice itself was open-source software, but Ksplice, Inc. made it even easier to use.

Oracle purchased Ksplice, Inc. in 2011. In 2015 Ksplice became available for free on Ubuntu and Fedora, and in 2016 Oracle integrated it into the Unbreakable Enterprise Kernel Release 4 for Oracle Linux 6 and 7. Ksplice had been available as open source until the 2011 purchase, which led administrators to look for new live patching alternatives; many of them developed their own live patching software.

KernelCare was one of the live patching solutions developed once Ksplice became available only through Oracle. Its approach allows customers to patch any type of Linux, so you do not need multiple expensive applications.

How it Works: Persistent vs. Temporary Live Patching

When a security vulnerability or critical bug is detected in a Linux kernel, Oracle prepares a new kernel patch to be released as a rebootless update. The update is distributed through the Oracle Ksplice Uptrack server without disrupting your systems at all.

When it comes to live patching, there are two basic methods: persistent and temporary. A persistent patch, which is what Ksplice provides, never requires a reboot. A temporary patch is also applied without rebooting, but you still have to reboot the server later.

Persistent live patching uses a dedicated patch server that stores patches and folds new ones into the existing set. A program runs in the background, checks regularly for new patches and installs them. Persistent patching does not slow a system down, because each patch carries every cumulative fix in a single binary and no reboot is needed. A server patched this way can run constantly for years without issues.

Temporary live patching requires package management software on the server. When a patch is ready to be downloaded, that software installs it. This method eventually requires you to reboot your servers, and the patches are not integrated seamlessly as they are with persistent software. Instead, the patches stack on top of each other over time, which can degrade stability and performance. The only way to clear this pile-up is to reboot the servers.

The persistent method is superior because you never have to reboot, so there is no disruption to service; this also keeps hackers from exploiting your downtime as a way to sneak in. Only two live patching systems use the persistent method: Ksplice and CloudLinux KernelCare.

Ksplice Uptrack

Uptrack is a subscription with a web interface that summarizes information about your systems and tells you when Ksplice is working on a new update for you. You get notifications for updates in progress, new Uptrack releases, and inactive machines that are either not using Uptrack or not communicating with Uptrack's servers.

You can also see in-depth details about each registered machine, including available updates, basic system information, and when it last communicated with the Uptrack servers.

Uptrack also offers an Offline Client, which removes the need for a server on your intranet to connect directly to the Oracle Uptrack servers and gives you more control over how updates are installed on your systems.

How to Install Ksplice Uptrack

Access Key

Before you install Ksplice Uptrack, you will need to obtain an access key by logging into the Unbreakable Linux Network and following the instructions to register your system.

Proxy

You must have internet access while installing Ksplice Uptrack. If you use a proxy, set it in the shell with:

# export http_proxy=http://proxy.example.com:port

# export https_proxy=http://proxy.example.com:port

The proxy string should be of the form [protocol://][username:password@]<host>[:port], where:

  • protocol is the protocol used to connect to the proxy (http or https);
  • username and password are the credentials needed to use your proxy (if any);
  • host and port are the hostname or IP address and the port number used to connect to the proxy.

The proxy must support making HTTPS connections.

Installation

Once you have the access key, you can install Ksplice Uptrack. Run these commands as root, substituting YOUR_ACCESS_KEY with your own access key.

Automatic Update Installation

If you want to receive your updates automatically, follow these instructions:

Inside the Oracle Cloud:

# wget -N https://ksplice.oracle.com/uptrack/install-uptrack-oc

# sh install-uptrack-oc --autoinstall

For all other installations:

# wget -N https://ksplice.oracle.com/uptrack/install-uptrack

# sh install-uptrack YOUR_ACCESS_KEY --autoinstall

Apply available updates with:

# uptrack-upgrade -y

Manual Update Installation

If you want to apply updates manually instead, follow these instructions:

Inside the Oracle Cloud:

# wget -N https://ksplice.oracle.com/uptrack/install-uptrack-oc

# sh install-uptrack-oc

For all other installations:

# wget -N https://ksplice.oracle.com/uptrack/install-uptrack

# sh install-uptrack YOUR_ACCESS_KEY

Apply available updates with:

# uptrack-upgrade -y
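The install flow above, as an added example that is not from the TuxCare article or from Oracle's installer: a small POSIX sh wrapper that validates a proxy string against the form documented above, picks the Oracle Cloud or standard installer, and can dry-run the commands before anything is downloaded. The function names, the DRY_RUN variable and the 0/1 arguments are the example's own.

```shell
#!/bin/sh
# Added example, not from the article or from Oracle: wraps the Uptrack
# install steps above. DRY_RUN=1 prints the commands instead of running them.
# Check a proxy string against the documented form
# [protocol://][username:password@]<host>[:port] and export it as both
# http_proxy and https_proxy. Returns 1 on a malformed string.
uptrack_set_proxy() {
    proxy="$1"
    case "$proxy" in
        *://*) scheme="${proxy%%://*}"; rest="${proxy#*://}" ;;
        *)     scheme="http";          rest="$proxy" ;;
    esac
    case "$scheme" in http|https) ;; *) return 1 ;; esac
    hostport="${rest##*@}"          # drop optional username:password@
    host="${hostport%%:*}"
    port="${hostport#*:}"           # equals hostport when no port is given
    [ -n "$host" ] || return 1
    if [ "$port" != "$hostport" ]; then
        case "$port" in ''|*[!0-9]*) return 1 ;; esac
    fi
    export http_proxy="$proxy" https_proxy="$proxy"
}

# Build the install command for the two cases in the article: Oracle Cloud
# instances use install-uptrack-oc without a key, everything else needs the
# access key from ULN. auto=1 adds --autoinstall for automatic updates.
uptrack_install_cmd() {
    in_oracle_cloud="$1"; key="$2"; auto="$3"
    if [ "$in_oracle_cloud" = 1 ]; then
        cmd="sh install-uptrack-oc"
    else
        [ -n "$key" ] || return 1   # key is mandatory outside Oracle Cloud
        cmd="sh install-uptrack $key"
    fi
    [ "$auto" = 1 ] && cmd="$cmd --autoinstall"
    printf '%s\n' "$cmd"
}

# usage: uptrack_install <in_oracle_cloud 0|1> <access_key> <auto 0|1>
uptrack_install() {
    if [ "$1" = 1 ]; then script=install-uptrack-oc; else script=install-uptrack; fi
    cmd=$(uptrack_install_cmd "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "wget -N https://ksplice.oracle.com/uptrack/$script" \
            "$cmd" "uptrack-upgrade -y"
        return 0
    fi
    wget -N "https://ksplice.oracle.com/uptrack/$script" && $cmd && uptrack-upgrade -y
}
```

Run with DRY_RUN=1 first to review the exact commands the wrapper would execute as root on that host.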

How to Update Oracle Linux Kernel using Ksplice

When you need to apply Ksplice updates, run uptrack-upgrade -y. This applies all of the available updates at once; alternatively, you can apply an individual update by passing its Ksplice ID.

To see which updates have been installed, run uptrack-show. To see which updates are currently available to install, run uptrack-show --available.

To remove Ksplice updates, run uptrack-remove. You can remove every update or remove specific updates by their Ksplice IDs. Afterwards, run uptrack-show to verify that all updates were uninstalled, or that the updates you chose were removed successfully.

What is Ksplice Enhanced Client and How to Manage it

The Ksplice Enhanced Client is only available for Oracle Linux 6. It is an enhanced version of the online Ksplice client that supports updates for both the kernel and user space, and it can also patch the Xen hypervisor on Oracle servers. It patches the in-memory pages of shared libraries such as openssl and glibc in user-space processes, so bug fixes and vulnerability fixes can be installed without restarting services and processes. The Enhanced Client is available in both online and offline versions.

To manage the Ksplice Enhanced Client, use the ksplice commands instead of the Uptrack commands. These cover both kernel patching and user-space patching. To list the running user-space processes available for patching, run ksplice all list-targets. To see only the Xen hypervisor targets available to patch, run ksplice xen list-targets. To see which updates are on the system, run ksplice all show. To remove all user-space updates from a process (here PID 705), run ksplice user remove --all --pid=705; to remove just a specific update from that process, run ksplice user undo --pid=705 h73qvumn.

To install the available user-space updates, run the upgrade command, ksplice -y user upgrade. To see every kernel update that has been applied, run ksplice kernel show. To remove all kernel updates, run ksplice kernel remove --all.

Downsides of Ksplice Uptrack

While Ksplice has its pros, it also has some downsides. Since Oracle owns Ksplice, it is only available for Oracle Linux, Ubuntu, Red Hat Enterprise Linux, and CentOS. It also requires a support license, with pricing starting at $1,399 a year per system.

Further Reading on Ksplice

For additional information on Ksplice, you can visit:


Conclusion

Ksplice may have been the pioneer of automatic, rebootless patching for Linux kernels, but Oracle then made it available only for Oracle Linux and Red Hat Enterprise Linux and required a license from Oracle to operate it. While Oracle makes great products and platforms, many people take a more varied approach to their systems.

KernelCare fills the gap that Oracle created when they closed the source code for Ksplice in 2011. KernelCare takes an agnostic approach to Linux kernels, offering support for every type of Linux available, including Oracle and Red Hat, and you do not need to have an expensive license from Oracle to use KernelCare.

If you use more than just Oracle's products, you are most likely running multiple live patching tools to keep everything safe from vulnerabilities and bugs. However, since only Ksplice and KernelCare offer persistent patching, any other patching software you use will eventually require a reboot; otherwise it slows down over time. That leaves your system open to hackers, which defeats the purpose of live patching. KernelCare eliminates the need for other patching software, so you never have to reboot your systems to apply updates again.

If you currently have Ksplice but want to switch to KernelCare, you can change out the software seamlessly, without requiring any downtime or server reboots.

To learn more about KernelCare and its features, and to see a side by side comparison of KernelCare and Ksplice — as well as other live patching software — visit our website and get started using a more agnostic and affordable approach to your Linux kernel updates today!


Check out other overviews of live patching services:

Overview of Enterprise Live Patching services: Spotlight on Canonical Livepatch

Overview of Enterprise Live Patching services: Spotlight on kpatch

Overview of Enterprise Live Patching services: Spotlight on Amazon Kernel Live Patching
