1 About Oracle Ksplice

Oracle Ksplice updates select, critical components of your Linux installation with all important security patches without needing to reboot.

Ksplice is freely available for Oracle customers who subscribe to Oracle Linux Premier Support and Oracle Cloud Infrastructure services. If you are an Oracle Linux Basic, Basic Limited, or Network Support subscriber, contact your sales representatives to discuss a potential upgrade of your subscription to a Premier Support plan.

Important:

About instructions in this guide

  • Some examples use the yum command. For Oracle Linux 8 and Oracle Linux 9, use the dnf command, as appropriate.

  • Most of this guide only applies to Oracle Linux. To use Ksplice to patch the Xen hypervisor on Oracle VM Server 3.4.5 and later, refer to the corresponding Oracle VM documentation. For example, for Oracle VM 3.4.5, see Updating Oracle VM Server With Oracle Ksplice in the Oracle VM Administration Guide for Release 3.4.

Why Use Ksplice?

Ksplice can apply critical updates without rebooting. Traditionally, applying security updates to core operating system components requires you to manually install updated RPMs, schedule downtime, and reboot the server. Ksplice allows you to keep your systems secure and highly available by updating a running system with the latest kernel and key user space updates, as well as Xen hypervisor updates on Oracle VM Server 3.4.5, and later (minimum xen-4.4.4-196.el6.x86_64.rpm).

Ksplice rebootless updates:

  • Save time and hassle by updating in seconds, while your system is running.
  • Avoid downtime.
  • Prevent disastrous security incidents by making it easy to stay up to date.

Life Cycle of a Ksplice Update

When a critical bug or security vulnerability is discovered in the Linux kernel, Oracle produces a new kernel release and prepares a rebootless update corresponding to that release. The rebootless update is securely distributed by using the Ksplice Uptrack server and ULN. The Ksplice Enhanced or Ksplice Uptrack Client then applies this update to your system, with zero downtime. Your infrastructure is again up to date and secure.


The figure illustrates the steps in the life cycle of a Ksplice update and is described in the surrounding text.

In-Memory vs. On-Disk Updates

A Ksplice update occurs in memory and takes effect immediately upon application, which is different than an on-disk change that requires a reboot. However, you must continue to apply on-disk updates, even when using Ksplice, to ensure that updated package binaries can be used if the system or processes restart. On-disk updates are handled by subscribing to Unbreakable Linux Network (ULN) or by using a local ULN mirror.

Ksplice patches keep a system up to date while it is running, but you must continue to install the regular kernel packages for released errata from ULN or the Oracle Linux Yum server so that the kernel is also updated on disk. Your system is then ready for the next maintenance window or reboot. When you restart the system, you can boot it from the newer kernel version. Ksplice then uses the new kernel as a baseline for applying patches when they become available.

Available Architectures

Ksplice is available for the following platforms:

  • Intel 64-bit (x86_64)

  • AMD 64-bit (x86_64)

  • 64-bit Arm (aarch64)

Note:

Ksplice on the 64-bit Arm (aarch64) platform is only available with maintained Unbreakable Enterprise Kernel (UEK) releases. For more information, see the UEK release notes in the Unbreakable Enterprise Kernel documentation

Maintained Kernels

Only specific kernel versions are actively maintained by Ksplice.

Note:

Ksplice on Oracle Cloud Infrastructure supports specific Linux distributions. For more information, see Oracle Ksplice on Oracle Cloud Infrastructure.

For questions about supported kernels, send an email to ksplice-support_ww@oracle.com.

Kernels Actively Maintained With Ksplice

With Oracle Linux Premier Support or Premier Limited subscriptions, you can use Ksplice to bring various Linux kernels up-to-date with the latest important security and bug fix patches. The following table shows the distributions and kernel versions that are automatically maintained with Ksplice.

Note:

If the system is running RHEL and you recently migrated to Oracle Linux Premier Support, you must switch to RHCK to use Ksplice kernel patches. Oracle no longer maintains Ksplice patches for RHEL kernels.

Actively Maintained Kernel Type More Information

UEK R7 (aarch64) starting with 5.15.0-0.30.19 (released Jun 30, 2022).

 

UEK R7 (x86_64) starting with 5.15.0-0.30.19 (released Jun 30, 2022).

 

UEK R6 (aarch64) starting with 5.4.17-2011.0.7 (released Mar 17, 2020).

 

UEK R6 (x86_64) starting with 5.4.17-2011.1.2 (released Apr 27, 2020).

 

UEK R5 (aarch64) starting with 4.14.35-1902.300.11 (released Mar 18, 2020).

 

UEK R5 (x86_64) starting with 4.14.35-1818.0.9 (released Jun 20, 2018).

 

UEK R4 starting with 4.1.12-32 (released Jan 25, 2016).

Must be version v4.1.12-124.45.6 or later to be actively maintained with Ksplice on Oracle Linux 6.

See Kernels No Longer Actively Maintained With Ksplice for more information.

Oracle Linux 9 Red Hat Compatible Kernels (RHCK) starting with the official release.

 

Oracle Linux 8 Red Hat Compatible Kernels (RHCK) starting with the official release.

 

Oracle Linux 7 Red Hat Compatible Kernels (RHCK) starting with the official release.

 

Oracle Linux 6 Red Hat Compatible Kernels (RHCK) starting with the official release.

Must be version 2.6.32-754.35.1 or later to be actively maintained with Ksplice on Oracle Linux 6.

See Kernels No Longer Actively Maintained With Ksplice for more information.

Ubuntu 22.04 Jammy kernels, starting with the official release.

 

Ubuntu 20.04 Focal kernels starting with 5.4.0-37.41 (released Jun 3, 2020).

 

Important:

If you have booted the most recent available kernel and no Ksplice updates are available for that kernel, some Ksplice commands might fail or might return an error message notifying you that the kernel version isn't yet supported by Ksplice Uptrack. These commands only succeed when Ksplice updates are available for the kernel that's running on the system. As soon as an update becomes available, the command succeeds, and the update is applied.

Kernels No Longer Actively Maintained With Ksplice

The following kernels don't receive Ksplice updates, but any Ksplice updates previously issued are still available if you have a support contract.

To maintain any of the following kernels on a listed Linux distribution, you need to manually upgrade them by using the yum update or dnf update command, or in the case of Ubuntu, by using the apt command. Kernel updates that don't use Ksplice require system reboots to be effective.

If you're an Extended Support customer who is running any of these kernel types on either Oracle Linux 6 or Oracle Linux 7, update to the minimum version of UEK R4.

Kernel Type Kernel Version Releases No Longer Actively Maintained

UEK R4

Versions earlier than v4.1.12-124.45.6

Oracle Linux 6

UEK R3

All Versions

Oracle Linux 6

Oracle Linux 7

UEK R2

All versions

Oracle Linux 6

RHCK

Versions earlier than 2.6.32-754.35.1

Oracle Linux 6

Kernels shipped with RHEL 9. All versions RHEL 9

CentOS and RHEL 8 kernels.

All versions

RHEL or CentOS Linux 8

CentOS and RHEL 7 kernels.

All versions

RHEL or CentOS Linux 7

Kernels shipped in RHEL/CentOS Linux 6

All versions

RHEL or CentOS Linux 6

Kernels shipped in Ubuntu 18.04 LTS.

All versions

Ubuntu 18.04 LTS (Bionic Beaver)

Kernels shipped in Ubuntu 16.04 LTS

All versions

Ubuntu 16.04 LTS (Xenial Xerus)

About the Ksplice Inspector Tool

Use Ksplice Inspector, which is a free, online tool that lists available Ksplice updates for Maintained Kernels.

Ksplice Inspector helps you determine what updates are available for your currently running kernel and what updates can be automatically applied in-memory by using either the Ksplice Enhanced client or the Ksplice Uptrack client. The tool enables you to proactively identify security vulnerabilities, which is a critical step in assessing potential cybersecurity issues. The tool is publicly available and does not require a support subscription.

To get started using the tool, open a terminal on the Linux system that you want to check, and then run the following command:

echo "`uname -s`//`uname -m`//`uname -r`//`uname -v`"

Copy the output of the previous command into the Ksplice Inspector check box, and then click Find Updates.

The tool indicates what security patches are already available to Ksplice customers.

Oracle Cloud Infrastructure Ksplice Support

You can monitor and manage automatic updates for Oracle Linux systems that are running within Oracle Cloud infrastructure by using Ksplice.

Note the following key points about receiving automatic Ksplice updates on systems that are running within Oracle Cloud Infrastructure:

  • By default, Ksplice configuration is shipped with the Oracle Cloud Infrastructure platform images by preconfiguring the Ksplice yum repositories and Ksplice online server URL.

  • Bring Your Own Image (BYOI) configurations can use the same yum repository configuration file as the platform images (/etc/yum.repos.d/ksplice-ol*.repo), if copied there manually.

    Note:

    The /etc/yum.repos.d/ksplice-olN.repo file comes from the ksplice-release-elN RPM, which is in the yum repository that is configured by oci_included_olN.repo and is part of the oci-included-release-elN package (/etc/yum.repos.d/oci-included-olN.repo).

  • Systems running within Oracle Cloud Infrastructure that have the Ksplice client configured in online mode do not need to be registered with ULN to access the Ksplice servers and receive automatic updates.

  • Systems running within Oracle Cloud Infrastructure that have the Ksplice client configured in offline mode do not need to be registered with ULN, nor do they require a local ULN mirror configuration to receive automatic updates.

For further information, see Oracle Ksplice on Oracle Cloud Infrastructure.

Oracle Enterprise Manager Ksplice Support

All Oracle Linux systems on which Enterprise Manager Agent is installed and the Ksplice software is configured can be monitored and managed through Oracle Enterprise Manager, within the Oracle Linux Home Ksplice region of the Enterprise Manager user interface (UI).

To learn more about using Oracle Enterprise Manager to monitor and use Ksplice patching on Oracle Linux hosts, see the Oracle Enterprise Manager Life Cycle Management Administrator's Guide.