IT技术互动交流平台

oracleKspliceUptrack实现linux零停机内核补丁升级

来源:IT165收集  发布日期:2015-01-02 00:16:56

 

1、ORACLE linux零停机更新介绍

Linux的内核升级是一项很重大的变更,传统情况下需要停止应用,重启操作系统,现在,ORACLE使Linux可以在一秒时间内动态地应用内核与安全补丁等升级,实现零停机,对应用不产生中断影响,是依赖Ksplice Uptrack实现的。

这项技术,被ORACLE号称为号称为“永不可摧”的神力,也确实使得ORACLE Linux可以像UNIX一样,如果排除硬件的影响外,系统可以永远运行下去。不过,ORACLE的此功能产品,也是收购而来的,不管它怎么来的,是好东西我们就利用吧。

2、安装Ksplice Uptrack

2.1 下载Ksplice Uptrack

下载参考网址如下:

https://www.ksplice.com/yum/uptrack/ol/ksplice-uptrack-release.noarch.rpm

2.2 安装Ksplice Uptrack

需要分两步:

# rpm -ivh ksplice-uptrack-release.noarch.rpm

# yum -y install uptrack

 

3、创建Ksplice Uptrack的key

(1)登陆https://status-ksplice.oracle.com网站,选择“Ineed to create my Oracle SSO account.”创建访问updates.ksplice.com的帐号

Oracle Ksplice System Status

This interface is now using Oracle SSO accounts for authentication. Oracle's SSO accounts will allow you to have a single username and password for most Oracle services.

If you received your Access Key from ULN, you do not have to do anything. Use the link below to log in with your Oracle account.

If you are a legacy Ksplice customer and do not yet have an Oracle account, you will need to create one before you can log in. Your Oracle accountmust use an email address that is associated with your Ksplice account. Contact Ksplice Support if you have questions.

I need to create my Oracle SSO account.

I am ready to log in with my Oracle SSO account.

因为笔者有MOS帐号,所以选择”I am ready to log in withmy Oracle SSO account. “

(2)登陆后,找到页面上的下面内容

Red Hat and Oracle Linux Users

Oracle Linux and Red Hat Enterprise Linux users can try Ksplice free for 30 days. You can start your trial and experience zero-downtime updates in just a few minutes.

点击”tryKsplice free for 30 days “来创建一个30天的试用Ksplice ID

(3)试用帐号创建完成后,反回下面页面,里面包含一个Ksplice ID(d104ba79e80621e774156e582fbafb9ae3b5e793f65a0b55a8e22dca0c35599d)

Installation instructions

To install Ksplice Uptrack, please run the following commands as root:

wget -N https://www.ksplice.com/uptrack/install-uptrack
sh install-uptrack d104ba79e80621e774156e582fbafb9ae3b5e793f65a0b55a8e22dca0c35599d
uptrack-upgrade -y

If you'd like Ksplice Uptrack to automatically install updates as they become available, run:

sh install-uptrack d104ba79e80621e774156e582fbafb9ae3b5e793f65a0b55a8e22dca0c35599d --autoinstall

in place of the above install-uptrack command, or set "autoinstall = yes" in/etc/uptrack/uptrack.conf after installation.

 

(4)、配置Ksplice Uptrack

将获取到的Ksplice ID配置到/etc/uptrack/uptrack.conf文件中,如下所示:

accesskey = d104ba79e80621e774156e582fbafb9ae3b5e793f65a0b55a8e22dca0c35599d

4、手动update

4.1下载最新的软件包列表

[root@ol6u612csinglesoft]# uptrack-upgrade –n

Effective kernel version is 3.8.13-44.1.1.el6uek

The following steps will be taken:

Install [b9hqohyk] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.

Install [kciixaoz] CVE-2014-3535: NULL pointer dereference in VxLAN packet logging.

Install [h5wecdm3] CVE-2014-3601: Denial-of-service in KVM page mapping.

Install [wchzb3dy] CVE-2014-4654, CVE-2014-4655: Missing validity checks in ALSA user controls.

Install [rknjux2h] CVE-2014-4653: Use after free in ALSA card controls.

Install [d16cfimj] CVE-2014-3611: Denial-of-service in KVM emulated programmable interval timer.

Install [1emd9koe] CVE-2014-3184: Invalid memory write in HID drivers.

Install [5tskivrn] CVE-2014-3185: Memory corruption in USB serial WhiteHEAD device driver.

Install [hncvf9bv] CVE-2014-3645 and CVE-2014-3646: KVM guest denial-of-service when using invalid opcodes.

Install [52rg9ul0] CVE-2014-3687: Remote denial-of-service in SCTP stack.

Install [ztshz6k2] CVE-2014-3673: Remote denial-of-service in SCTP stack.

Install [lrse39k8] Cluster deadlock during journal commit in OCFS2 filesystem.

Install [0q7yyk3e] I/O errors and spurious warning in BladeEngine 2 iSCSI driver.

Install [2c46e7uo] Device hang during cleanup in BladeEngine 2 iSCSI driver.

Install [54m33sa5] Invalid memory free when setting management address in BladeEngine 2 iSCSI driver.

Install [u84c5rdk] Use-after-free in netfilter xtables when copying counters to userspace.

Install [1ysj0myg] Soft lockup in huge page code when releasing huge TLB pool.

Install [1tmng4zr] Deadlock in USB serial driver when unloading the module.

Install [85dp2g0m] Divide-by-zero in TCP cubic congestion algorithm when computing delayed ack.

Install [ui0cnkoy] NULL pointer dereference in IPv6 netlink validation callback.

Install [i7ghh69t] Memory corruption when accessing a huge TLB of a copy-on-write page.

Install [9k103dsh] NULL pointer dereference in the filesystem stack when checking ACL.

Install [br4ufjly] Kernel panic in NFSv4 client allocation.

Install [fdfa54l8] Kernel crash in timer callback when destroying NFSv4 client.

Install [7gx1bcjz] Kernel BUG() in NFS daemon when setting ACL with no entries.

Install [u2vg2kgk] Use-after-free in NFSv4 daemon kernel implementation when releasing a state ID.

Install [7d42vydf] Use-after-free in libceph when sending pages over TCP.

Install [pfmujcbk] Use-after-free in memory management subsystem when releasing a VMA.

Install [n3efh5gv] CVE-2014-4014: Privilege escalation in user namespace.

Install [atq4edlz] NULL pointer dereference in Target Core Mod when reading from sysfs.

Install [dudt5tfl] Use-after-free in UDP stack in the fast transmit path.

Install [40dpjn5l] Kernel crash after freeing anonymous pages in memory management subsystem.

Install [3fqg40hl] Potential data corruption with memory-mapped files on Ext4 filesystem.

Install [opwwaxl3] Denial-of-service in EXT4 block allocation.

Install [wywz2vbx] Information leak in mcp ram disk.

Install [rcgt2rrp] Use-after-free in BTRFS extent writing.

Install [he9669oj] NULL pointer dereference in BTRFS device removal.

Install [68m9g9lg] Use-after-free in Micro PCIe SSDs block driver when unloading the module.

Install [t5456c7a] Memory leak in NFS filesystem when releasing a lock stateid.

Install [gl3fc7o0] Kernel panic in IP virtual server netfilter.

Install [huyperc4] Information leak in netfilter ULOG module.

Install [mp9z0fh3] Kernel crash in virtio scsi workqueue.

Install [wdc6hcga] NULL pointer dereference when probing non-FTDI devices.

Install [l6xoq5ft] Denial-of-service with TKIP on Ralink USB devices.

Install [yyefbwqc] Multiple denial-of-service problems in bluetooth code.

Install [6xv38tw8] Invalid memory reference in NFSv4 symlink decoding.

Install [ii44mo5l] Kernel panic during hugepage migration.

Install [y9anoniw] Use-after-free in mbind vma merge.

Install [i0pc6i0y] Multiple journal corruptions in the ext4 filesystem.

Install [0qifgsi6] CVE-2014-4171: Denial-of-service in shared memory when faulting into a hole while it's punched.

Install [8iczbx45] Memory leak in 8021q stack when re-ordering vlan headers.

Install [g64hrxp3] NULL pointer dereference in Broadcom BN2X ethernet driver under memory pressure.

Install [bsa434sc] Denial-of-service in TCP stack when pushing during TCP repair.

Install [d8vwuqeg] Information leak in the stream control transmission protocol stack.

Install [xs28o0u9] Out of bounds memory access in the DNS resolver when querying.

Install [kn3c2903] Memory leak in the Radeon display driver when retrieving the display modes.

Install [ehlv43kn] NULL pointer dereference in block control group queue draining.

Install [r8rkz947] Incorrect SELinux label in cryptographic sockets.

Install [tyk3fqid] NULL pointer dereference in 802.11 event tracing.

Install [sqohae2b] Deadlock in clockevent delta modification.

Install [zqvxy8qh] Kernel crash in Broadcom BNX2X driver during TCP offload.

Install [7a94z6c2] Denial-of-service in network sendmsg() calls.

Install [zsqnfrj5] Invalid memory access in network vectored I/O.

Install [bmxkb08h] Soft lockup after vcpu hot-remove in Xen PVM/HVM guests.

Install [t5nq18kr] Memory corruption XFS filesystem resizing.

Install [y5jfvo0v] Kernel crash when sending message in Oracle VM guest messaging driver.

Install [odnb5rlr] Memory leak in Oracle VM guest messaging driver.

Install [8urehj5h] Kernel oops when running out of Xen grant references

Install [4q3ev9x6] Memory leak when initialising ports in BladeEngine 2 iSCSI driver.

Install [f43vqxka] Memory corruption during device probing in BladeEngine 2 iSCSI driver.

Install [inim1x21] Kernel panic during BladeEngine 2 iSCSI adapter initialization.

Install [fkoxifyg] NULL pointer dereference during HP Smart Array SCSI device initialization.

Install [agwmhor4] Kernel BUG for 256-block data transfers in HP Smart Array SCSI driver.

Install [6gzs0lyj] Kernel hang in Broadcom Tigon3 ethernet driver.

Install [eofko4wq] Use-after-free in tg3 network driver stats.

Install [6khjynhq] Kernel hang in Broadcom NX2 network driver.

Install [fn3tyq9s] Kernel crash when receiving network event in Broadcom CNIC driver.

Install [upmz129f] Information leak in Broadcom Everest network driver.

Install [jxbttwug] Memory leak when removing Broadcom Everest network interface.

Install [epfpat8q] Fatal hardware error in Broadcom Everest network driver.

Install [vx3ofybf] Endless stream of errors when unloading Broadcom Everest network device.

Install [pcno7ml0] Kernel crash after EEH recovery in Broadcom Everest network driver.

Install [57e9xvte] NULL pointer dereference in Broadcom NetXtreme II driver.

Install [nya6gjqp] Memory leak in Broadcom NetXtreme II driver.

Install [7fcc82h4] Kernel crash in Broadcom NetXtreme II driver.

Install [5maph0zo] CVE-2014-3181: Memory corruption in Apple Magic Mouse USB driver.

Install [a2gzq71y] Kernel BUG during Emulex BladeEngine 2 network device shutdown.

Install [if2icqz4] Buffer overrun using Large Receive Offload in Mellanox VNIC driver.

Install [pfvhgt44] Second cluster deadlock during journal commit in OCFS2 filesystem.

Install [8yahm6zn] NULL pointer dereference during zero page writeback in OCFS2 filesystem.

Install [w0ycqxuw] Deadlock during port logins in Qlogic QLA2XXXX Fibre Channel driver.

Install [zaztb2k6] NULL pointer dereference in Qlogic QLA2XXXX Fibre Channel driver.

Install [f5vv1aiv] Stack corruption in Qlogic QLA2XXXX Fibre Channel driver.

Install [opaks6nn] Kernel crash during Qlogic QLA2XXXX Fibre Channel firmware loading.

Install [rcr2fwfu] Random timeouts in Qlogic QLCNIC SR-IOV network device.

Install [x8vi7jg6] Kernel crash during open() in Qlogic QLCNIC network device.

Install [0etwovum] Memory corruption in Qlogic QLCNIC network device when reporting statistics.

Install [nc78thrs] Multiple memory leaks in RPC over RDMA client support.

Install [raxlbhze] NULL pointer dereference during reconnect in RPC over RDMA client support.

Install [m494iulb] NULL pointer dereference in RPC over RDMA client support during GETACL request.

Install [1elo7qvy] Kernel crash during DMA in RPC over RDMA client driver.

Install [9o4ytjzs] Deadlock during filesystem removal in NVM Express block device driver.

Install [arw9264e] Invalid memory read in NVM Express block device I/O submission ioctl.

Install [j77dx1ko] Information leak in NVM Express block device ioctl.

Install [f8quvybg] Memory corruption when deleting NVM Express block device disks.

Install [g848xamo] NULL pointer dereference when closing connection in Emulex BladeEngine 2 driver.

Install [k0nkwglw] Kernel panic during shutdown in Emulex BladeEngine 2 driver.

Install [4109xiro] Kernel crash during Emulex LightPulse Fibre Channel driver unload.

Install [p4x4i1k0] Kernel panic in Emulex LightPulse Fibre Channel driver when aborting SCSI command.

Install [heiiom49] SLI data corruption in Emulex LightPulse Fibre Channel driver.

Install [xibjfk0h] Memory leak during HBA reset in Emulex LightPulse Fibre Channel driver.

Install [40nibjqs] Use of uninitialized memory during bitmap init in Emulex LightPulse Fibre Channel driver.

Install [a6rup16y] Kernel crash when shutting down QLogic NetXen ethernet adapter.

Install [3cz8j2j4] Device hang when shutting down QLogic NetXen ethernet adapter.

Install [h4ts58f6] CVE-2014-3688: Remote denial-of-service in SCTP stack by memory exhaustion.

Install [swq3mpuy] CVE-2014-3186: Memory corruption in PicoLCD USB driver.

Install [9og9y18j] CVE-2014-4652: Arbitrary memory disclosure in ALSA user controls.

Install [7eb3d34w] CVE-2014-4027: Information leak in iSCSI Target ramdisk transport.

Install [xj8ix80y] CVE-2014-4656: ALSA Control ID overflow.

Install [ba9k5rfj] CVE-2014-3182: Invalid memory read in HID Logitech driver.

Install [vtujkei9] CVE-2014-6410: Denial of service in UDF filesystem parsing.

Install [906qltr0] CVE-2014-9090, CVE-2014-9322: Privilege escalation in double-fault handling on bad stack segment.

Install [oz33swxn] CVE-2014-5471, CVE-2014-5472: Privilege escalation in ISO filesystem implementation.

[root@ol6u612csingle soft]#

这一步所花的时间会较长,一下为ORACLE Linux 6.6找到了共123个补丁需要更新,其中包含3个解决内核BUG的补丁,看来Linux打补丁是很必要啊。

4.2 手动安装补丁

(1)查看当前的内核版本

# uptrack-show

Installed updates:

None

 

Effective kernel version is 3.8.13-44.1.1.el6uek

(2)查看可以运行更新的补丁

#uptrack-show –available

Available updates:

[b9hqohyk] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.

……

[oz33swxn] CVE-2014-5471, CVE-2014-5472: Privilege escalation in ISO filesystem implementation.

 

Effective kernel version is 3.8.13-44.1.1.el6uek

(3)安装补丁

#uptrack-upgrade -y

 

(4)升级后再查当前已安装的补丁及内核版本号

# uptrack-show

Installed updates:

[b9hqohyk] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.

……

[oz33swxn] CVE-2014-5471, CVE-2014-5472: Privilege escalation in ISO filesystem implementation.

Effective kernel version is 3.8.13-55.1.2.el6uek

已经看到有效的内核版本已经从Effective kernel version is 3.8.13-44.1.1.el6uek升级到了Effective kernel versionis 3.8.13-55.1.2.el6uek

5、配置Ksplice Uptrack Update补丁自动更新

在/etc/uptrack/uptrack.conf文件中,autoinstall参数默认值为no,将该值改成yes即可,如下所示:

autoinstall = yes

 

6、uptrack-name所看到版本与uname命令看到的版本的区别

6.1 两种方式查看内核版本对比

(1)uptrack-name方式查看到的有效版本

[root@ol6u612csingle ~]# uptrack-uname -a

Linux ol6u612csingle 3.8.13-55.1.2.el6uek.x86_64 #2 SMP Thu Dec 18 00:15:51 PST 2014 x86_64 x86_64 x86_64 GNU/Linux

(2)uname –a方式查看到的有效版本

[root@ol6u612csingle ~]# uname -a

Linux ol6u612csingle 3.8.13-44.1.1.el6uek.x86_64 #2 SMP Wed Sep 10 06:10:25 PDT 2014 x86_64 x86_64 x86_64 GNU/Linux

 

6.2 uptrack-name与uname –a得到的版本不同原因说明

uptrack-uname

Ksplice Uptrack does not change the output of uname, and uname will continue to reflect the version of the kernel into which a machine was booted.

Instead, once you install updates, use uptrack-uname to see what effective kernel a machine is running. uptrack-uname has the same format as uname and supports the common uname flags, including -r and -a.

Before installing updates, the original kernel and effective kernel are the same, and uname and uptrack-uname report the same information:

After installing updates, uptrack-uname reflects the updated running kernel:

即uptrack-uname查看到的,是正在运行的有效内核版本,而uname所查看到的,是磁盘文件中记录的版本。

6.3 一致化解决办法建议

Ksplice Uptrack updates your running kernel in memory. We recommended that, in addition to using Ksplice, you continue to use your package manager to update the kernel on disk as new kernels become available. That way, if a reboot becomes necessary (e.g. power loss or a hardware upgrade) you have the option of booting into a newer kernel. Under this plan, you would install all the updates available via both Ksplice Uptrack and your package manager.

原来,KspliceUptrack更新的是当前运行的内存内核(服务器重启后仍然有效,因为重启时,Linux自动重新运行一次内存内核升级过程),建议手动按照补丁升级方法安装补丁,安装后不需要重启,这样可以使得Ksplice Uptrack与uname –a得到的版本号一致。

 

7、在oracle ksplice官网查看升级系统的更新信息

在” https://status-ksplice.oracle.com”网站的“SystemStatus”功能中,可以看到已经记录了升状态信息,如下:

Group

Machine

Status

Auto
install

Kernel product

Original Kernel

Effective Kernel

Uptrack
version

 

ol6u612csingle (192.168.2.190)

Up to date! (123 installed)

Yes

Oracle Unbreakable Enterprise Kernel 3

3.8.13-44.1.1.el6uek

3.8.13-55.1.2.el6uek

1.2.12

 

Tag标签: 补丁升级   内核  
  • 专题推荐

About IT165 - 广告服务 - 隐私声明 - 版权申明 - 免责条款 - 网站地图 - 网友投稿 - 联系方式
本站内容来自于互联网,仅供用于网络技术学习,学习中请遵循相关法律法规