Wim Coekaerts

Oracle Blogs

Introducing UEK4 and DTrace on Oracle Linux for SPARC

Fri, 2017-05-26 13:18

About 2 months ago we released the first version of Oracle Linux 6, Update 7 for SPARC. That was the same version of Oracle Linux used in Exadata SL6. OL6 installed on T4, T5 and T7 systems but it did not yet support the S7 processors/systems. It contained support for the various M7 processor features (DAX, ADI, crypto,...), gcc optimizations to support better code generation for SPARC, important optimizations in functions like memcpy() etc.

We also introduced support for Linux as the control domain (guest domain worked before). So this was the first time one could use Linux as the control domain with a vdiskserver, vswitch and virtual console driver. For this release we based the kernel on UEK2 (2.6.39).

The development team has been hard at work doing a number of things:

- continue to work with upstream Linux and gcc/glibc/binutils development to submit all the code changes for inclusion. Many SPARC features have already been committed upstream and many are pending/Work in Progress.

- part of the work is to forward port, so to speak, a lot of the uek2/sparc/exadata features into uek4, alongside upstream/mainline development.

- performance work, both in kernel and userspace (glibc, gcc in particular)

Today, we released an updated version of the ISO image that contains UEK4 QU4 (4.1.12-94.3.2). The main reason for updating the ISO is to introduce support for the S7 processor and S7-based servers. It contains a ton of improvements over UEK2, and we also added support for DTrace.

You can download the latest version of the ISO here: http://www.oracle.com/technetwork/server-storage/linux/downloads/oracle-linux-sparc-3665558.html

The DTrace utilities can be downloaded here: http://www.oracle.com/technetwork/server-storage/linux/downloads/linux-dtrace-2800968.html

As we add more features we will update the kernel and we will also publish a new version of the software collections for Oracle Linux for SPARC with newer versions of gcc (6.x etc) so more coming!

We are working on things like gccgo, valgrind, node... and the yum repo on http://yum.oracle.com/ contains about 5000 RPMs.

Download it, play with it, have fun.

 

Oracle Linux 6 for SPARC

Fri, 2017-03-31 16:06
Oracle Linux 6 for SPARC is now available for download from OTN and the release notes can be found here.

This version of Oracle Linux 6 uses UEK2 (there is no RHCK here of course as there is no corresponding release on SPARC) and this OS release can be installed on T4, T5 and T7 (M7,M5) but not yet on the S7 platform. OL6 for SPARC contains all the packages (binary and -devel) for DAX, ADI (SSM), an updated version of openssl with support of on-chip crypto features.

We also provide the SPARC LDOM Manager code (both source and binary). With LDOM manager installed you can run Oracle Linux as a control domain for both Linux and Solaris guests. You can of course also install Linux as a guest domain on top of Solaris. The kernel supports vswitch and vdiskserver etc. A native (linux only) installation is also supported.

Our yum repo will have the OL6/sparc channels later today. The repo also contains -devel packages and the toolchains for gcc etc ... BTW of course, gcc supports M7 (cpu) optimizations. We have optimized memcpy and tons of other stuff.

Lots of SPARC Linux kernel code is already in upstream Linux but a bunch of stuff is in progress of going in. The same goes for user space code. glib and gcc patches have for the most part been submitted upstream and committed, some are pending.

A newer ISO with UEK(4) is on its way (we have builds and are testing). This update will also support the S7 systems/chip.

OL6 for SPARC doesn't yet contain -all- the RPMs that are part of Oracle Linux on x86. Right now, it is just a subset; however, we will be expanding it over time.

I will blog about some Dax and ADI/SSM samples in a few days :) some ldom control domain tips etc...

have fun

Oracle Linux 6 update 9

Tue, 2017-03-28 15:56
We just released Oracle Linux 6 update 9. The channels are on ULN and on our yum repo. The ISOs are available for download through MOS and in the next few days also on the software delivery cloud page, as customary. The release notes with changes are published and so on.

One thing we discovered during testing of OL6.9 was that a recent change in "upstream" glibc can cause memory corruption resulting in a database start-up failure every now and then.

Since we caught this prior to release, we have, of course, fixed the bug.

The following code change introduced the bug (glibc-rh1012343.patch)

 	
	     char newmode[modelen + 2];
	  -  memcpy (mempcpy (newmode, mode, modelen), "c", 2);
	  +  memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
	     FILE *result = fopen (file, newmode);
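Review bot: On the added memcpy line the literal grows from "c" to "ce" but the length argument stays 2, so only 'c' and 'e' are copied and the terminating NUL is dropped before newmode is handed to fopen. The context line char newmode[modelen + 2] also has no room for the third byte. Suggest sizing the array as modelen + 3 and deriving the copy length from the literal (sizeof "ce") so the count cannot drift from the string.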

As you can see, someone added e to newmode (c to ce) but forgot to increase the size of newmode (2 to 3) so there is no null character at the end.
The correct patch that we have in glibc as part of OL6.9 is:
	-  char newmode[modelen + 2];
	-  memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
	+  char newmode[modelen + 3];
	+  memcpy (mempcpy (newmode, mode, modelen), "ce", 3);
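Review bot: The two added lines still use hand-counted constants (modelen + 3 and a length of 3) that must be kept in step with the "ce" literal, which is how the earlier change went wrong. Consider sizeof "ce" for the copy length and modelen + sizeof "ce" for the array size, and a short comment that the count includes the NUL, so the next mode letter added here does not reintroduce the miss.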

The Oracle bug id is 25609196. The patch for this is in the glibc src rpm. The customer symptom would be a failed start of the database because of fopen() failing.
Something like this:
  Wed Mar 22 *17:19:51* 2017
  *ORA-00210: cannot open the specified control file*
  ORA-00202: control file: '/opt/oracle/oltest/.srchome/single-database/nas/12.1.0.2.0-8192-72G/control_001'
  ORA-27054: NFS file system where the file is created or resides is not mounted with correct options
  *Linux-x86_64 Error: 13: Permission denied*
  Additional information: 2
  ORA-205 signalled during: ALTER DATABASE MOUNT...
  Shutting down instance (abort)


Oracle Linux and Software Collections make it a great 'current' developer platform

Tue, 2017-03-14 10:57
Oracle Linux major releases happen every few years. Oracle Linux 7 is the current version and this was released back in 2014, Oracle Linux 6 is from 2011, etc... When a major release goes out the door, it sort of freezes the various packages at a point in time as well. It locks down which major version of glibc, etc.

Now, that doesn't mean that there won't be anything new added over time. Of course security fixes and critical bugfixes get backported from new versions into these various packages, and a good number of enhancements/features also get backported over the years. Very much so on the kernel side, but in a number of cases also in the various userspace packages. However, for the most part the focus is on stability and consistency. This is also the case with the different tools and compilers/languages. A concrete example: OL7 provides Python 2.7.5. This base release of python will not change in OL7 in newer updates; doing a big change would break compatibility etc., so it's kept stable at 2.7.5.

A very important thing to keep reminding people of, however, again, is the fact that CVE fixes do get backported into these versions. I often hear someone ask if we ship a newer version of, say, openssl, because some CVE or other is fixed in that newer version - but typically that CVE would also be fixed in the versions we ship with OL. There is a difference between openssl the open source project, with CVEs fixed 'upstream', and openssl shipped as part of Oracle Linux versions and maintained and bug fixed over time with backports from upstream. We take care of critical bugs and security fixes in the current shipping versions.

Anyway - there are other Linux distributions out there that 'evolve' much more frequently and by doing so, out of the box tend to come with newer versions of libraries and tools and packages and that makes it very attractive for developers that are not bound to longer term stability and compatibility. So the developer goes off and installs the latest version of everything and writes their apps using that. That's a fine model in some cases but when you have enterprise apps that might be deployed for many years and have a dependency on certain versions of scripting languages or libraries or what have you, you can't just replace those with something that's much newer, in particular much newer major versions. I am sure many people will agree that if you have an application written in python using 2.7.5 and run that in production, you're not going to let the sysadmin or so just go rip that out and replace it with python 3.5 and assume it all just works and is transparently compatible....

So does that mean we are stuck? No... there is a yum repository called Software Collections Library which we make available to everyone on our freely accessible yum server. That Library gets updated on a regular basis, we are at version 2.3 right now, and it contains newer versions of many popular packages, typically newer compilers, toolkits etc. (such as GCC, Python, PHP, Ruby...). Things that developers want to use and are looking for more recent versions of.

The channel is not enabled by default; you have to go in and edit /etc/yum.repos.d/public-yum-ol7.repo and set the 'ol7_software_collections' repo to enabled=1. When you do that, you can then go and install the different versions that are offered. You can just browse the repo using yum or just look online (similar channels exist for Oracle Linux 6). When you go and install these different versions, they get installed in /opt and they won't replace the existing versions. So if you have python installed by default with OL7 (2.7.5) and install Python 3.5 from the software collections, this new version goes into /opt/rh/rh-python35. You can then use the scl utility to selectively enable which application uses which version.
An example :

scl enable rh-python35 -- bash 

One little caveat to keep in mind: if you have an early version of OL7 or OL6 installed, we do not modify the /etc/yum.repos.d/public-yum-ol7.repo file after initial installation (because we might overwrite changes you made), so it is always a good idea to get the latest version from our yum server. (You can find them here.) The channel/repo name might have changed or a new one could have been added or so...
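The edit described above, as an added example that is not part of the original post: a section-aware rewrite that sets enabled=1 only inside [ol7_software_collections] and returns a distinct status when an older repo file has no such section. The function names and the sample repo file (including its baseurl values and the second repo id) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Only the repo id, the repo file name and
# the scl command come from the post; everything else is constructed.

# enable_repo FILE REPO_ID
# Sets enabled=1 inside [REPO_ID] only. Returns 3 and leaves FILE untouched
# when FILE has no such section (the stale repo file case from the caveat).
enable_repo() {
    repo_file=$1
    tmp=$(mktemp) || return 1
    if awk -v id="$2" '
        # A target section that never had an enabled= line gets one appended.
        function close_section() { if (in_sec && !seen) print "enabled=1" }
        /^\[[^]]*\]/ {
            close_section()
            in_sec = ($0 == "[" id "]"); seen = 0
            if (in_sec) found = 1
            print; next
        }
        in_sec && /^[ \t]*enabled[ \t]*=/ { print "enabled=1"; seen = 1; next }
        { print }
        END { close_section(); exit(found ? 0 : 3) }
    ' "$repo_file" > "$tmp"; then
        cat "$tmp" > "$repo_file"   # overwrite in place: keeps owner and mode
        rc=0
    else
        rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# repo_enabled FILE REPO_ID: print the enabled= value of that section.
repo_enabled() {
    awk -v id="$2" '
        /^\[/ { in_sec = ($0 == "[" id "]") }
        in_sec && /^[ \t]*enabled[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Constructed sample repo file: two sections, both disabled.
make_sample_repo() {
    cat > "$1" <<'EOF'
[example_other_repo]
name=Constructed sample repo
baseurl=http://repo.example.invalid/other/
enabled=0

[ol7_software_collections]
name=Software Collections sample entry (constructed)
baseurl=http://repo.example.invalid/scl/
gpgcheck=1
enabled=0
EOF
}

# Demo on a temporary copy, so nothing under /etc is touched.
demo_repo=$(mktemp)
make_sample_repo "$demo_repo"
enable_repo "$demo_repo" ol7_software_collections &&
    echo "ol7_software_collections enabled=$(repo_enabled "$demo_repo" ol7_software_collections)"
rm -f "$demo_repo"

# On a real OL7 host, as root, the steps from the post would then be:
#   enable_repo /etc/yum.repos.d/public-yum-ol7.repo ol7_software_collections
#   yum install rh-python35
#   scl enable rh-python35 -- bash
```

A return status of 3 on the real file is the signal to fetch the current repo file from the yum server before retrying.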

As you can see, Oracle Linux is/can be a very current developer platform. The packages are there, they are just provided in a model that keeps stability and consistency. There is no need to go download upstream package source code, compile it yourself and replace system toolkits/compilers, which can cause incompatibilities.

ksplice

Fri, 2017-02-24 15:36
As many of you probably know by now, a few days ago there was a report of an old long-standing Linux bug that got fixed. Going back to kernels even down to 2.6.18 and possibly earlier. This bug was recently fixed, see here.

Now, distribution vendors, including us, have released kernel updates that customers/users can download and install but as always a regular kernel upgrade requires a reboot. We have had ksplice as a service for Oracle Linux support customers for quite a few years now and we also support Ubuntu and Fedora for free for anyone (see here).

One thing that is not often talked about but, I believe is very powerful and I wanted to point out here, is the following:

Typically the distribution vendors (including us) will release an update kernel that's the 'latest' version with these CVEs fixed, but many customers run older versions of both the distribution and kernels. We now see some other vendors trying to provide the basics for some online patching but by and large it's based on one-offs and for specific kernels. A big part of the ksplice service is the backend infrastructure to easily build updates for literally a few 1000 kernels. This gives customers great flexibility. You can be on one of many dot-releases of the OS and you can use ksplice. Here is a list of example kernel versions for Oracle Linux that you could be running today and that we provide updates for with ksplice, for instance for this DCCP bug. That's a big difference with what other folks have been trying to mimic now that online patching has become more and more important for availability.

Here is an example kernel:

  2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 08:34:17 PDT 2015

So that's a kernel built back in September of 2015, a random 'dot release' I run on one of my machines, and there's a ksplice patch available for these recent CVEs. I don't have to worry about having to install the 'latest' kernel, nor doing a reboot.

  # uptrack-upgrade
  The following steps will be taken:
  Install [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
  Install [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
  Go ahead [y/N]? y
  Installing [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
  Installing [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
  Your kernel is fully up to date.
  Effective kernel version is 2.6.32-642.15.1.el6

and done. That easy. My old 2.6.32-573.7.1 kernel looks like 2.6.32-642.15.1 in terms of critical fixes and CVEs.

  # uptrack-show
  Installed updates:
  [cct5dnbf] Clear garbage data on the kernel stack when handling signals.
  [ektd95cj] Reduce usage of reserved percpu memory.
  [uuhgbl3e] Remote denial-of-service in Brocade Ethernet driver.
  [kg3f16ii] CVE-2015-7872: Denial-of-service when garbage collecting uninstantiated keyring.
  [36ng2h1l] CVE-2015-7613: Privilege escalation in IPC object initialization.
  [33jwvtbb] CVE-2015-5307: KVM host denial-of-service in alignment check.
  [38gzh9gl] CVE-2015-8104: KVM host denial-of-service in debug exception.
  [6wvrdj93] CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.
  [1l4i9dfh] CVE-2016-0774: Information leak in the pipe system call on failed atomic read.
  [xu4auj49] CVE-2015-5157: Disable modification of LDT by userspace processes.
  [554ck5nl] CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.
  [adgeye5p] CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.
  [5ojkw9lv] CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.
  [gfr93o7j] CVE-2015-8324: NULL pointer dereference in ext4 on mount error.
  [ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
  [87lw5yyy] CVE-2015-8215: Remote denial-of-service of network traffic when changing the MTU.
  [2bby9cuy] CVE-2010-5313, CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.
  [orjsp65y] CVE-2015-5156: Denial-of-service in Virtio network device.
  [5j4hp0ot] Device Mapper logic error when reloading the block multi-queue.
  [a1e5kxp6] CVE-2016-4565: Privilege escalation in Infiniband ioctl.
  [gfpg64bh] CVE-2016-5696: Session hijacking in TCP connections.
  [b4ljcwin] Message corruption in pseudo terminal output.
  [prijjgt5] CVE-2016-4470: Denial-of-service in the keyring subsystem.
  [4y2f30ch] CVE-2016-5829: Memory corruption in unknown USB HID devices.
  [j1mivn4f] Denial-of-service when resetting a Fibre Channel over Ethernet interface.
  [nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
  [97fe0h7s] CVE-2016-1583: Privilege escalation in eCryptfs.
  [fdztfgcv] Denial-of-service when sending a TCP reset from the netfilter.
  [gm4ldjjf] CVE-2016-6828: Use after free during TCP transmission.
  [s8pymcf8] CVE-2016-7117: Denial-of-service in recvmmsg() error handling.
  [1ktf7029] CVE-2016-4997, CVE-2016-4998: Privilege escalation in the Netfilter driver.
  [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
  [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
  Effective kernel version is 2.6.32-642.15.1.el6
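An added example, not from the original post or the ksplice tooling: a small parser for uptrack-show output like the listing above. It answers whether a given CVE is covered by an installed live patch and reports the effective kernel version, which is what a version check based only on the booted kernel misses. The function names are hypothetical and the sample is a subset of lines copied from that listing.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the sample lines are copied
# from the uptrack-show listing in the post (subset, without indentation).

sample_uptrack_show() {
cat <<'EOF'
Installed updates:
[36ng2h1l] CVE-2015-7613: Privilege escalation in IPC object initialization.
[ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
[b4ljcwin] Message corruption in pseudo terminal output.
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
[5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
Effective kernel version is 2.6.32-642.15.1.el6
EOF
}

# stdin: uptrack-show output. Prints every CVE id named on an installed-update
# line, one per line, de-duplicated.
live_patched_cves() {
    grep '^\[[a-z0-9]*\] ' | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# stdin: uptrack-show output. Prints the update id that names CVE_ID and
# returns 0, or prints nothing and returns 1 when no installed update names it.
update_for_cve() {
    awk -v cve="$1" '
        /^\[[a-z0-9]+\] CVE-/ {
            id = substr($0, 2, index($0, "]") - 2)
            list = substr($0, index($0, "] ") + 2)
            sub(/:.*/, "", list)            # keep only "CVE-a, CVE-b"
            n = split(list, ids, /, */)
            # exact comparison, so one id cannot match as a prefix of another
            for (i = 1; i <= n; i++) if (ids[i] == cve) { print id; found = 1 }
        }
        END { exit(found ? 0 : 1) }'
}

# stdin: uptrack-show output. Prints the effective kernel version.
effective_kernel() {
    sed -n 's/^Effective kernel version is //p'
}

# stdin: uptrack-show output. One-line verdict for a CVE finding that was
# raised from the booted kernel version alone.
triage_cve() {
    out=$(cat)
    eff=$(printf '%s\n' "$out" | effective_kernel)
    if id=$(printf '%s\n' "$out" | update_for_cve "$1"); then
        echo "live-patched $id effective=$eff"
    else
        echo "not-covered effective=$eff"
        return 1
    fi
}

# Demo on the embedded sample; on a ksplice host: uptrack-show | triage_cve CVE-2017-6074
sample_uptrack_show | triage_cve CVE-2017-6074
```

"not-covered" only means no installed update names that CVE; it does not say whether the running kernel was ever affected by it.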

Here is the list of kernels we build modules for as part of Oracle Linux customers kernel choices:

hel-2.6.18-194.el5rhel-2.6.18-194.3.1.el5rhel-2.6.18-194.8.1.el5rhel-2.6.18-194.11.1.el5rhel-2.6.18-194.11.3.el5rhel-2.6.18-194.11.4.el5rhel-2.6.18-194.17.1.el5rhel-2.6.18-194.17.4.el5rhel-2.6.18-194.26.1.el5rhel-2.6.18-194.32.1.el5rhel-2.6.18-238.el5rhel-2.6.18-238.1.1.el5rhel-2.6.18-238.5.1.el5rhel-2.6.18-238.9.1.el5rhel-2.6.18-238.12.1.el5rhel-2.6.18-238.19.1.el5rhel-2.6.18-274.el5rhel-2.6.18-274.3.1.el5rhel-2.6.18-274.7.1.el5rhel-2.6.18-274.12.1.el5rhel-2.6.18-274.17.1.el5rhel-2.6.18-274.18.1.el5rhel-2.6.18-308.el5rhel-2.6.18-308.1.1.el5rhel-2.6.18-308.4.1.el5rhel-2.6.18-308.8.1.el5rhel-2.6.18-308.8.2.el5rhel-2.6.18-308.11.1.el5rhel-2.6.18-308.13.1.el5rhel-2.6.18-308.16.1.el5rhel-2.6.18-308.20.1.el5rhel-2.6.18-308.24.1.el5rhel-2.6.18-348.el5rhel-2.6.18-348.1.1.el5rhel-2.6.18-348.2.1.el5rhel-2.6.18-348.3.1.el5rhel-2.6.18-348.4.1.el5rhel-2.6.18-348.6.1.el5rhel-2.6.18-348.12.1.el5rhel-2.6.18-348.16.1.el5rhel-2.6.18-348.18.1.el5rhel-2.6.18-371.el5rhel-2.6.18-371.1.2.el5rhel-2.6.18-371.3.1.el5rhel-2.6.18-371.4.1.el5rhel-2.6.18-371.6.1.el5rhel-2.6.18-371.8.1.el5rhel-2.6.18-371.9.1.el5rhel-2.6.18-371.11.1.el5rhel-2.6.18-371.12.1.el5rhel-2.6.18-398.el5rhel-2.6.18-400.el5rhel-2.6.18-400.1.1.el5rhel-2.6.18-402.el5rhel-2.6.18-404.el5rhel-2.6.18-406.el5rhel-2.6.18-407.el5rhel-2.6.18-408.el5rhel-2.6.18-409.el5rhel-2.6.18-410.el5rhel-2.6.18-411.el5rhel-2.6.18-412.el5rhel-2.6.18-416.el5rhel-2.6.18-417.el5rhel-2.6.18-418.el5

compare that to kpatch or kgraft or so.

ksplice

Fri, 2017-02-24 15:36
As many of you probably know by now, a few days ago there was a report of an old, long-standing Linux bug that got fixed, going back to kernels as old as 2.6.18 and possibly earlier. This bug was recently fixed, see here.

Now, distribution vendors, including us, have released kernel updates that customers/users can download and install but as always a regular kernel upgrade requires a reboot. We have had ksplice as a service for Oracle Linux support customers for quite a few years now and we also support Ubuntu and Fedora for free for anyone (see here).

One thing that is not often talked about, but that I believe is very powerful and wanted to point out here, is the following:

Typically the distribution vendors (including us) will release an updated kernel that's the 'latest' version with these CVEs fixed, but many customers run older versions of both the distribution and kernels. We now see some other vendors trying to provide the basics for some online patching, but by and large it's based on one-offs and for specific kernels. A big part of the ksplice service is the backend infrastructure to easily build updates for literally a few 1000 kernels. This gives customers great flexibility. You can be on one of many dot-releases of the OS and you can use ksplice. Here is a list of example kernel versions for Oracle Linux that you could be running today and that we provide updates for with ksplice for, for instance, this DCCP bug. That's a big difference with what other folks have been trying to mimic now that online patching has become more and more important for availability.

Here is an example kernel:

2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 08:34:17 PDT 2015

So that's a kernel built back in September of 2015, a random 'dot release' I run on one of my machines, and there's a ksplice patch available for these recent CVEs. I don't have to worry about having to install the 'latest' kernel, nor doing a reboot.

# uptrack-upgrade 
The following steps will be taken:
Install [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Install [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

Go ahead [y/N]? y
Installing [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Installing [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-642.15.1.el6

and done. That easy. My old 2.6.32-573.7.1 kernel looks like 2.6.32-642.15.1 in terms of critical fixes and CVEs.

# uptrack-show
Installed updates:
[cct5dnbf] Clear garbage data on the kernel stack when handling signals.
[ektd95cj] Reduce usage of reserved percpu memory.
[uuhgbl3e] Remote denial-of-service in Brocade Ethernet driver.
[kg3f16ii] CVE-2015-7872: Denial-of-service when garbage collecting uninstantiated keyring.
[36ng2h1l] CVE-2015-7613: Privilege escalation in IPC object initialization.
[33jwvtbb] CVE-2015-5307: KVM host denial-of-service in alignment check.
[38gzh9gl] CVE-2015-8104: KVM host denial-of-service in debug exception.
[6wvrdj93] CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.
[1l4i9dfh] CVE-2016-0774: Information leak in the pipe system call on failed atomic read.
[xu4auj49] CVE-2015-5157: Disable modification of LDT by userspace processes.
[554ck5nl] CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.
[adgeye5p] CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.
[5ojkw9lv] CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.
[gfr93o7j] CVE-2015-8324: NULL pointer dereference in ext4 on mount error.
[ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
[87lw5yyy] CVE-2015-8215: Remote denial-of-service of network traffic when changing the MTU.
[2bby9cuy] CVE-2010-5313, CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.
[orjsp65y] CVE-2015-5156: Denial-of-service in Virtio network device.
[5j4hp0ot] Device Mapper logic error when reloading the block multi-queue.
[a1e5kxp6] CVE-2016-4565: Privilege escalation in Infiniband ioctl.
[gfpg64bh] CVE-2016-5696: Session hijacking in TCP connections.
[b4ljcwin] Message corruption in pseudo terminal output.
[prijjgt5] CVE-2016-4470: Denial-of-service in the keyring subsystem.
[4y2f30ch] CVE-2016-5829: Memory corruption in unknown USB HID devices.
[j1mivn4f] Denial-of-service when resetting a Fibre Channel over Ethernet interface.
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[97fe0h7s] CVE-2016-1583: Privilege escalation in eCryptfs.
[fdztfgcv] Denial-of-service when sending a TCP reset from the netfilter.
[gm4ldjjf] CVE-2016-6828: Use after free during TCP transmission.
[s8pymcf8] CVE-2016-7117: Denial-of-service in recvmmsg() error handling.
[1ktf7029] CVE-2016-4997, CVE-2016-4998: Privilege escalation in the Netfilter driver.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
[5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

Effective kernel version is 2.6.32-642.15.1.el6
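
A patch-state check built on the uptrack-show output above, as an added example (not part of the original post or of Ksplice itself): it pulls the CVEs covered by installed rebootless updates and compares the booted kernel with the effective one, which is what a scanner that only reads `uname -r` gets wrong on a host like this. The sample text is trimmed from the output shown above; the function names are hypothetical and the version ordering is deliberately simplified.

```python
import re

# Constructed sample: lines copied from the uptrack-show output above, trimmed.
SAMPLE_UPTRACK_SHOW = """\
Installed updates:
[cct5dnbf] Clear garbage data on the kernel stack when handling signals.
[ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
[5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

Effective kernel version is 2.6.32-642.15.1.el6
"""
BOOTED_RELEASE = "2.6.32-573.7.1.el6.x86_64"  # the example kernel from the post

UPDATE_RE = re.compile(r"^\[(?P<id>[a-z0-9]+)\]\s+(?P<text>.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
EFFECTIVE_RE = re.compile(r"^Effective kernel version is (?P<ver>\S+)$")


def parse_uptrack_show(text):
    """Return {'updates': {id: description}, 'cves': {cve: id}, 'effective': str}."""
    state = {"updates": {}, "cves": {}, "effective": ""}
    for raw in text.splitlines():
        line = raw.strip()
        m = UPDATE_RE.match(line)
        if m:
            state["updates"][m.group("id")] = m.group("text")
            # CVE ids sit before the first colon: "CVE-A, CVE-B: description".
            head = m.group("text").split(":", 1)[0]
            for cve in CVE_RE.findall(head):
                state["cves"][cve] = m.group("id")
            continue
        m = EFFECTIVE_RE.match(line)
        if m:
            state["effective"] = m.group("ver")
    return state


def kernel_key(release):
    """Leading numeric fields of a release string, for ordering kernels of one
    distro stream. Simplified on purpose: not a full RPM version comparison."""
    key = []
    for token in re.split(r"[.-]", release):
        if not token.isdigit():
            break
        key.append(int(token))
    return tuple(key)


def patch_report(booted_release, state, cves_of_interest):
    """Summarise what a scanner that only reads `uname -r` would miss."""
    effective = state["effective"]
    covered = {c: state["cves"][c] for c in cves_of_interest if c in state["cves"]}
    return {
        "booted": booted_release,
        "effective": effective or booted_release,
        # True when fixes are live in memory but the booted kernel is older.
        "live_patched": bool(effective)
        and kernel_key(effective) > kernel_key(booted_release),
        "covered": covered,
        # Not covered by a ksplice update; may still be fixed in the booted
        # kernel itself or not apply to it, so treat as "check further".
        "check_further": [c for c in cves_of_interest if c not in covered],
    }


if __name__ == "__main__":
    report = patch_report(BOOTED_RELEASE, parse_uptrack_show(SAMPLE_UPTRACK_SHOW),
                          ["CVE-2017-6074", "CVE-2016-5195"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host, feed it the text printed by `uptrack-show` and the release string from `uname -r` instead of the embedded sample.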

Here is the list of kernels we build modules for as part of Oracle Linux customers' kernel choices:

oracle-2.6.18-238.0.0.0.1.el5
oracle-2.6.18-238.1.1.0.1.el5
oracle-2.6.18-238.5.1.0.1.el5
oracle-2.6.18-238.9.1.0.1.el5
oracle-2.6.18-238.12.1.0.1.el5
oracle-2.6.18-238.19.1.0.1.el5
oracle-2.6.18-274.0.0.0.1.el5
oracle-2.6.18-274.3.1.0.1.el5
oracle-2.6.18-274.7.1.0.1.el5
oracle-2.6.18-274.12.1.0.1.el5
oracle-2.6.18-274.17.1.0.1.el5
oracle-2.6.18-274.18.1.0.1.el5
oracle-2.6.18-308.0.0.0.1.el5
oracle-2.6.18-308.1.1.0.1.el5
oracle-2.6.18-308.4.1.0.1.el5
oracle-2.6.18-308.8.1.0.1.el5
oracle-2.6.18-308.8.2.0.1.el5
oracle-2.6.18-308.11.1.0.1.el5
oracle-2.6.18-308.13.1.0.1.el5
oracle-2.6.18-308.16.1.0.1.el5
oracle-2.6.18-308.20.1.0.1.el5
oracle-2.6.18-308.24.1.0.1.el5
oracle-2.6.18-348.0.0.0.1.el5
oracle-2.6.18-348.1.1.0.1.el5
oracle-2.6.18-348.2.1.0.1.el5
oracle-2.6.18-348.3.1.0.1.el5
oracle-2.6.18-348.4.1.0.1.el5
oracle-2.6.18-348.6.1.0.1.el5
oracle-2.6.18-348.12.1.0.1.el5
oracle-2.6.18-348.16.1.0.1.el5
oracle-2.6.18-348.18.1.0.1.el5
oracle-2.6.18-371.0.0.0.1.el5
oracle-2.6.18-371.1.2.0.1.el5
oracle-2.6.18-371.3.1.0.1.el5
oracle-2.6.18-371.4.1.0.1.el5
oracle-2.6.18-371.6.1.0.1.el5
oracle-2.6.18-371.8.1.0.1.el5
oracle-2.6.18-371.9.1.0.1.el5
oracle-2.6.18-371.11.1.0.1.el5
oracle-2.6.18-371.12.1.0.1.el5
oracle-2.6.18-398.0.0.0.1.el5
oracle-2.6.18-400.0.0.0.1.el5
oracle-2.6.18-400.1.1.0.1.el5
oracle-2.6.18-402.0.0.0.1.el5
oracle-2.6.18-404.0.0.0.1.el5
oracle-2.6.18-406.0.0.0.1.el5
oracle-2.6.18-407.0.0.0.1.el5
oracle-2.6.18-408.0.0.0.1.el5
oracle-2.6.18-409.0.0.0.1.el5
oracle-2.6.18-410.0.0.0.1.el5
oracle-2.6.18-411.0.0.0.1.el5
oracle-2.6.18-412.0.0.0.1.el5
oracle-2.6.18-416.0.0.0.1.el5
oracle-2.6.18-417.0.0.0.1.el5
oracle-2.6.18-418.0.0.0.1.el5
oracle-2.6.32-642.0.0.0.1.el6
oracle-3.10.0-514.6.1.0.1.el7
oracle-3.10.0-514.6.2.0.1.el7
oracle-uek-2.6.39-100.5.1
oracle-uek-2.6.39-100.6.1
oracle-uek-2.6.39-100.7.1
oracle-uek-2.6.39-100.10.1
oracle-uek-2.6.39-200.24.1
oracle-uek-2.6.39-200.29.1
oracle-uek-2.6.39-200.29.2
oracle-uek-2.6.39-200.29.3
oracle-uek-2.6.39-200.31.1
oracle-uek-2.6.39-200.32.1
oracle-uek-2.6.39-200.33.1
oracle-uek-2.6.39-200.34.1
oracle-uek-2.6.39-300.17.1
oracle-uek-2.6.39-300.17.2
oracle-uek-2.6.39-300.17.3
oracle-uek-2.6.39-300.26.1
oracle-uek-2.6.39-300.28.1
oracle-uek-2.6.39-300.32.4
oracle-uek-2.6.39-400.17.1
oracle-uek-2.6.39-400.17.2
oracle-uek-2.6.39-400.21.1
oracle-uek-2.6.39-400.21.2
oracle-uek-2.6.39-400.23.1
oracle-uek-2.6.39-400.24.1
oracle-uek-2.6.39-400.109.1
oracle-uek-2.6.39-400.109.3
oracle-uek-2.6.39-400.109.4
oracle-uek-2.6.39-400.109.5
oracle-uek-2.6.39-400.109.6
oracle-uek-2.6.39-400.209.1
oracle-uek-2.6.39-400.209.2
oracle-uek-2.6.39-400.210.2
oracle-uek-2.6.39-400.211.1
oracle-uek-2.6.39-400.211.2
oracle-uek-2.6.39-400.211.3
oracle-uek-2.6.39-400.212.1
oracle-uek-2.6.39-400.214.1
oracle-uek-2.6.39-400.214.3
oracle-uek-2.6.39-400.214.4
oracle-uek-2.6.39-400.214.5
oracle-uek-2.6.39-400.214.6
oracle-uek-2.6.39-400.215.1
oracle-uek-2.6.39-400.215.2
oracle-uek-2.6.39-400.215.3
oracle-uek-2.6.39-400.215.4
oracle-uek-2.6.39-400.215.6
oracle-uek-2.6.39-400.215.7
oracle-uek-2.6.39-400.215.10
oracle-uek-2.6.39-400.215.11
oracle-uek-2.6.39-400.215.12
oracle-uek-2.6.39-400.215.13
oracle-uek-2.6.39-400.215.14
oracle-uek-2.6.39-400.215.15
oracle-uek-2.6.39-400.243.1
oracle-uek-2.6.39-400.245.1
oracle-uek-2.6.39-400.246.2
oracle-uek-2.6.39-400.247.1
oracle-uek-2.6.39-400.248.3
oracle-uek-2.6.39-400.249.1
oracle-uek-2.6.39-400.249.3
oracle-uek-2.6.39-400.249.4
oracle-uek-2.6.39-400.250.2
oracle-uek-2.6.39-400.250.4
oracle-uek-2.6.39-400.250.5
oracle-uek-2.6.39-400.250.6
oracle-uek-2.6.39-400.250.7
oracle-uek-2.6.39-400.250.9
oracle-uek-2.6.39-400.250.10
oracle-uek-2.6.39-400.250.11
oracle-uek-2.6.39-400.264.1
oracle-uek-2.6.39-400.264.4
oracle-uek-2.6.39-400.264.5
oracle-uek-2.6.39-400.264.6
oracle-uek-2.6.39-400.264.13
oracle-uek-2.6.39-400.276.1
oracle-uek-2.6.39-400.277.1
oracle-uek-2.6.39-400.278.1
oracle-uek-2.6.39-400.278.2
oracle-uek-2.6.39-400.278.3
oracle-uek-2.6.39-400.280.1
oracle-uek-2.6.39-400.281.1
oracle-uek-2.6.39-400.282.1
oracle-uek-2.6.39-400.283.1
oracle-uek-2.6.39-400.283.2
oracle-uek-2.6.39-400.284.1
oracle-uek-2.6.39-400.284.2
oracle-uek-2.6.39-400.286.2
oracle-uek-2.6.39-400.286.3
oracle-uek-2.6.39-400.290.1
oracle-uek-2.6.39-400.290.2
oracle-uek-2.6.39-400.293.1
oracle-uek-2.6.39-400.293.2
oracle-uek-2.6.39-400.294.1
oracle-uek-2.6.39-400.294.2
oracle-uek-2.6.39-400.128.21
oracle-uek-3.8.13-16
oracle-uek-3.8.13-16.1.1
oracle-uek-3.8.13-16.2.1
oracle-uek-3.8.13-16.2.2
oracle-uek-3.8.13-16.2.3
oracle-uek-3.8.13-16.3.1
oracle-uek-3.8.13-26
oracle-uek-3.8.13-26.1.1
oracle-uek-3.8.13-26.2.1
oracle-uek-3.8.13-26.2.2
oracle-uek-3.8.13-26.2.3
oracle-uek-3.8.13-26.2.4
oracle-uek-3.8.13-35
oracle-uek-3.8.13-35.1.1
oracle-uek-3.8.13-35.1.2
oracle-uek-3.8.13-35.1.3
oracle-uek-3.8.13-35.3.1
oracle-uek-3.8.13-35.3.2
oracle-uek-3.8.13-35.3.3
oracle-uek-3.8.13-35.3.4
oracle-uek-3.8.13-35.3.5
oracle-uek-3.8.13-44
oracle-uek-3.8.13-44.1.1
oracle-uek-3.8.13-44.1.3
oracle-uek-3.8.13-44.1.4
oracle-uek-3.8.13-44.1.5
oracle-uek-3.8.13-55
oracle-uek-3.8.13-55.1.1
oracle-uek-3.8.13-55.1.2
oracle-uek-3.8.13-55.1.5
oracle-uek-3.8.13-55.1.6
oracle-uek-3.8.13-55.1.8
oracle-uek-3.8.13-55.2.1
oracle-uek-3.8.13-68
oracle-uek-3.8.13-68.1.2
oracle-uek-3.8.13-68.1.3
oracle-uek-3.8.13-68.2.2
oracle-uek-3.8.13-68.2.2.1
oracle-uek-3.8.13-68.2.2.2
oracle-uek-3.8.13-68.3.1
oracle-uek-3.8.13-68.3.2
oracle-uek-3.8.13-68.3.3
oracle-uek-3.8.13-68.3.4
oracle-uek-3.8.13-68.3.5
oracle-uek-3.8.13-98
oracle-uek-3.8.13-98.1.1
oracle-uek-3.8.13-98.1.2
oracle-uek-3.8.13-98.2.1
oracle-uek-3.8.13-98.2.2
oracle-uek-3.8.13-98.4.1
oracle-uek-3.8.13-98.5.2
oracle-uek-3.8.13-98.6.1
oracle-uek-3.8.13-98.7.1
oracle-uek-3.8.13-98.8.1
oracle-uek-3.8.13-118
oracle-uek-3.8.13-118.2.1
oracle-uek-3.8.13-118.2.2
oracle-uek-3.8.13-118.2.4
oracle-uek-3.8.13-118.2.5
oracle-uek-3.8.13-118.3.1
oracle-uek-3.8.13-118.3.2
oracle-uek-3.8.13-118.4.1
oracle-uek-3.8.13-118.4.2
oracle-uek-3.8.13-118.6.1
oracle-uek-3.8.13-118.6.2
oracle-uek-3.8.13-118.7.1
oracle-uek-3.8.13-118.8.1
oracle-uek-3.8.13-118.9.1
oracle-uek-3.8.13-118.9.2
oracle-uek-3.8.13-118.10.2
oracle-uek-3.8.13-118.11.2
oracle-uek-3.8.13-118.13.2
oracle-uek-3.8.13-118.13.3
oracle-uek-3.8.13-118.14.1
oracle-uek-3.8.13-118.14.2
oracle-uek-3.8.13-118.15.1
oracle-uek-3.8.13-118.15.2
oracle-uek-3.8.13-118.15.3
oracle-uek-3.8.13-118.16.2
oracle-uek-3.8.13-118.16.3
oracle-uek-4.1.12-32
oracle-uek-4.1.12-32.1.2
oracle-uek-4.1.12-32.1.3
oracle-uek-4.1.12-32.2.1
oracle-uek-4.1.12-32.2.3
oracle-uek-4.1.12-37.2.1
oracle-uek-4.1.12-37.2.2
oracle-uek-4.1.12-37.3.1
oracle-uek-4.1.12-37.4.1
oracle-uek-4.1.12-37.5.1
oracle-uek-4.1.12-37.6.1
oracle-uek-4.1.12-37.6.2
oracle-uek-4.1.12-37.6.3
oracle-uek-4.1.12-61.1.6
oracle-uek-4.1.12-61.1.9
oracle-uek-4.1.12-61.1.10
oracle-uek-4.1.12-61.1.13
oracle-uek-4.1.12-61.1.14
oracle-uek-4.1.12-61.1.16
oracle-uek-4.1.12-61.1.17
oracle-uek-4.1.12-61.1.18
oracle-uek-4.1.12-61.1.19
oracle-uek-4.1.12-61.1.21
oracle-uek-4.1.12-61.1.22
oracle-uek-4.1.12-61.1.23
oracle-uek-4.1.12-61.1.24
oracle-uek-4.1.12-61.1.25
oracle-uek-4.1.12-61.1.27
rhel-2.6.32-71.el6
rhel-2.6.32-71.7.1.el6
rhel-2.6.32-71.14.1.el6
rhel-2.6.32-71.18.1.el6
rhel-2.6.32-71.18.2.el6
rhel-2.6.32-71.24.1.el6
rhel-2.6.32-71.29.1.el6
rhel-2.6.32-131.0.15.el6
rhel-2.6.32-131.2.1.el6
rhel-2.6.32-131.4.1.el6
rhel-2.6.32-131.6.1.el6
rhel-2.6.32-131.12.1.el6
rhel-2.6.32-131.17.1.el6
rhel-2.6.32-131.21.1.el6
rhel-2.6.32-220.el6
rhel-2.6.32-220.2.1.el6
rhel-2.6.32-220.4.1.el6
rhel-2.6.32-220.4.2.el6
rhel-2.6.32-220.7.1.el6
rhel-2.6.32-220.13.1.el6
rhel-2.6.32-220.17.1.el6
rhel-2.6.32-220.23.1.el6
rhel-2.6.32-279.el6
rhel-2.6.32-279.1.1.el6
rhel-2.6.32-279.2.1.el6
rhel-2.6.32-279.5.1.el6
rhel-2.6.32-279.5.2.el6
rhel-2.6.32-279.9.1.el6
rhel-2.6.32-279.11.1.el6
rhel-2.6.32-279.14.1.el6
rhel-2.6.32-279.19.1.el6
rhel-2.6.32-279.22.1.el6
rhel-2.6.32-358.el6
rhel-2.6.32-358.0.1.el6
rhel-2.6.32-358.2.1.el6
rhel-2.6.32-358.6.1.el6
rhel-2.6.32-358.6.2.el6
rhel-2.6.32-358.6.2.el6.x86_64.crt1
rhel-2.6.32-358.11.1.el6
rhel-2.6.32-358.14.1.el6
rhel-2.6.32-358.18.1.el6
rhel-2.6.32-358.23.2.el6
rhel-2.6.32-431.el6
rhel-2.6.32-431.1.2.el6
rhel-2.6.32-431.3.1.el6
rhel-2.6.32-431.5.1.el6
rhel-2.6.32-431.11.2.el6
rhel-2.6.32-431.17.1.el6
rhel-2.6.32-431.20.3.el6
rhel-2.6.32-431.20.5.el6
rhel-2.6.32-431.23.3.el6
rhel-2.6.32-431.29.2.el6
rhel-2.6.32-504.el6
rhel-2.6.32-504.1.3.el6
rhel-2.6.32-504.3.3.el6
rhel-2.6.32-504.8.1.el6
rhel-2.6.32-504.12.2.el6
rhel-2.6.32-504.16.2.el6
rhel-2.6.32-504.23.4.el6
rhel-2.6.32-504.30.3.el6
rhel-2.6.32-573.el6
rhel-2.6.32-573.1.1.el6
rhel-2.6.32-573.3.1.el6
rhel-2.6.32-573.7.1.el6
rhel-2.6.32-573.8.1.el6
rhel-2.6.32-573.12.1.el6
rhel-2.6.32-573.18.1.el6
rhel-2.6.32-573.22.1.el6
rhel-2.6.32-573.26.1.el6
rhel-2.6.32-642.el6
rhel-2.6.32-642.1.1.el6
rhel-2.6.32-642.3.1.el6
rhel-2.6.32-642.4.2.el6
rhel-2.6.32-642.6.1.el6
rhel-2.6.32-642.6.2.el6
rhel-2.6.32-642.11.1.el6
rhel-2.6.32-642.13.1.el6
rhel-2.6.32-642.13.2.el6
rhel-3.10.0-123.el7
rhel-3.10.0-123.1.2.el7
rhel-3.10.0-123.4.2.el7
rhel-3.10.0-123.4.4.el7
rhel-3.10.0-123.6.3.el7
rhel-3.10.0-123.8.1.el7
rhel-3.10.0-123.9.2.el7
rhel-3.10.0-123.9.3.el7
rhel-3.10.0-123.13.1.el7
rhel-3.10.0-123.13.2.el7
rhel-3.10.0-123.20.1.el7
rhel-3.10.0-229.el7
rhel-3.10.0-229.1.2.el7
rhel-3.10.0-229.4.2.el7
rhel-3.10.0-229.7.2.el7
rhel-3.10.0-229.11.1.el7
rhel-3.10.0-229.14.1.el7
rhel-3.10.0-229.20.1.el6.x86_64.knl2
rhel-3.10.0-229.20.1.el7
rhel-3.10.0-327.el7
rhel-3.10.0-327.3.1.el7
rhel-3.10.0-327.4.4.el7
rhel-3.10.0-327.4.5.el7
rhel-3.10.0-327.10.1.el7
rhel-3.10.0-327.13.1.el7
rhel-3.10.0-327.18.2.el7
rhel-3.10.0-327.22.2.el7
rhel-3.10.0-327.28.2.el7
rhel-3.10.0-327.28.3.el7
rhel-3.10.0-327.36.1.el7
rhel-3.10.0-327.36.2.el7
rhel-3.10.0-327.36.3.el7
rhel-3.10.0-514.el7
rhel-3.10.0-514.2.2.el7
rhel-3.10.0-514.6.1.el7
rhel-3.10.0-514.6.2.el7
rhel-2.6.18-92.1.10.el5
rhel-2.6.18-92.1.13.el5
rhel-2.6.18-92.1.17.el5
rhel-2.6.18-92.1.18.el5
rhel-2.6.18-92.1.22.el5
rhel-2.6.18-128.el5
rhel-2.6.18-128.1.1.el5
rhel-2.6.18-128.1.6.el5
rhel-2.6.18-128.1.10.el5
rhel-2.6.18-128.1.14.el5
rhel-2.6.18-128.1.16.el5
rhel-2.6.18-128.2.1.el5
rhel-2.6.18-128.4.1.el5
rhel-2.6.18-128.7.1.el5
rhel-2.6.18-149.el5
rhel-2.6.18-164.el5
rhel-2.6.18-164.2.1.el5
rhel-2.6.18-164.6.1.el5
rhel-2.6.18-164.9.1.el5
rhel-2.6.18-164.10.1.el5
rhel-2.6.18-164.11.1.el5
rhel-2.6.18-164.15.1.el5
rhel-2.6.18-194.el5
rhel-2.6.18-194.3.1.el5
rhel-2.6.18-194.8.1.el5
rhel-2.6.18-194.11.1.el5
rhel-2.6.18-194.11.3.el5
rhel-2.6.18-194.11.4.el5
rhel-2.6.18-194.17.1.el5
rhel-2.6.18-194.17.4.el5
rhel-2.6.18-194.26.1.el5
rhel-2.6.18-194.32.1.el5
rhel-2.6.18-238.el5
rhel-2.6.18-238.1.1.el5
rhel-2.6.18-238.5.1.el5
rhel-2.6.18-238.9.1.el5
rhel-2.6.18-238.12.1.el5
rhel-2.6.18-238.19.1.el5
rhel-2.6.18-274.el5
rhel-2.6.18-274.3.1.el5
rhel-2.6.18-274.7.1.el5
rhel-2.6.18-274.12.1.el5
rhel-2.6.18-274.17.1.el5
rhel-2.6.18-274.18.1.el5
rhel-2.6.18-308.el5
rhel-2.6.18-308.1.1.el5
rhel-2.6.18-308.4.1.el5
rhel-2.6.18-308.8.1.el5
rhel-2.6.18-308.8.2.el5
rhel-2.6.18-308.11.1.el5
rhel-2.6.18-308.13.1.el5
rhel-2.6.18-308.16.1.el5
rhel-2.6.18-308.20.1.el5
rhel-2.6.18-308.24.1.el5
rhel-2.6.18-348.el5
rhel-2.6.18-348.1.1.el5
rhel-2.6.18-348.2.1.el5
rhel-2.6.18-348.3.1.el5
rhel-2.6.18-348.4.1.el5
rhel-2.6.18-348.6.1.el5
rhel-2.6.18-348.12.1.el5
rhel-2.6.18-348.16.1.el5
rhel-2.6.18-348.18.1.el5
rhel-2.6.18-371.el5
rhel-2.6.18-371.1.2.el5
rhel-2.6.18-371.3.1.el5
rhel-2.6.18-371.4.1.el5
rhel-2.6.18-371.6.1.el5
rhel-2.6.18-371.8.1.el5
rhel-2.6.18-371.9.1.el5
rhel-2.6.18-371.11.1.el5
rhel-2.6.18-371.12.1.el5
rhel-2.6.18-398.el5
rhel-2.6.18-400.el5
rhel-2.6.18-400.1.1.el5
rhel-2.6.18-402.el5
rhel-2.6.18-404.el5
rhel-2.6.18-406.el5
rhel-2.6.18-407.el5
rhel-2.6.18-408.el5
rhel-2.6.18-409.el5
rhel-2.6.18-410.el5
rhel-2.6.18-411.el5
rhel-2.6.18-412.el5
rhel-2.6.18-416.el5
rhel-2.6.18-417.el5
rhel-2.6.18-418.el5

Compare that to kpatch or kgraft or so.

Yes

Fri, 2016-11-04 16:22
More Linux work :)

glibc CVE re: getaddrinfo() and userspace ksplice

Sat, 2016-02-20 17:48
I have my own server with Oracle Linux 6 (of course) where I host a ton of personal stuff, and this server was also affected by the nasty DNS bug from last week (see: CVE-2015-7547). Everyone really should update glibc and make sure their system is patched (any distribution), by the way - this is a very serious vulnerability... The nice thing, however, was that this is a perfect example for user space ksplice patching. A quick ksplice update for glibc on this box, and it was patched: no restarting the system, no restarting sshd or any other app for that matter. A split microsecond and life goes on happily. Nothing affected, no downtime, no pauses, no hiccups. That's the way to patch these things.

userspace ksplice

Most awesomely cool stuff. Solving real world problems. Imagine running a few 100 docker instances or a couple of Linux containers and you have to update the host's glibc and bring all that down... talk about impact.

kernel patches ... check

critical OS libraries like SSL and GLIBC ... check.

Oracle Linux 6 and 7 support ... check

Secure Boot support with Oracle Linux 7.1

Fri, 2015-03-13 13:04
Update: as my PM team pointed out to me - it's listed as Tech Preview for OL7.1, not GA/production, in the release notes - just making sure I add this disclaimer ;)

Another feature introduced with Oracle Linux 7.1 is support for Secure Boot.

If Secure Boot is enabled on a system (typically a desktop, but in some cases also servers), the system can have an embedded certificate (in firmware). This certificate can be one that's uploaded to the system by the admin, or it could be one provided by the OEM/OS vendor. In many cases, in particular on newer desktops, the system already contains the Microsoft key (there can be more than one certificate uploaded). When the firmware loads the boot loader, it verifies the signature of this bootloader with the key stored in firmware before continuing. This signed bootloader (at this point trusted to continue) will then load a signed kernel, or a signed second-stage boot loader, and verify it before starting it and continuing the boot process. This creates what is called a chain of trust through the boot process.

We ship a 1st stage bootloader with Oracle Linux 7.1, a tiny "shim" layer that is signed by both Microsoft and Oracle. So if a system comes with Secure Boot support and already ships the Microsoft PK, then the shim layer will be started, verified, and, if it passes verification, will then load grub2 (the real bootloader). grub2 is signed by us (Oracle). The signed/verified shim layer contains the Oracle key and will validate that grub2 is ours (signed). If verification passes, grub2 will load the Oracle Linux kernel, and the same process takes place: our kernel is signed by us (Oracle) and grub2 will validate the signature prior to allowing execution of the kernel. Once the kernel is running, all kernel modules that we ship as part of Oracle Linux, whether standard kernel modules included in the kernel RPM or external kernel modules used with Oracle Ksplice, are also signed by Oracle, and the kernel will validate the signature prior to loading these kernel modules.

Enabling loading and verification of signed kernel modules is done by adding enforcemodulesig=1 to the grub kernel option line. In enforcing mode, any attempt to load a kernel module that's not signed by Oracle will fail.

If a system has Secure Boot support but a sysadmin wants to use the Oracle signature instead, we will make our certificate available to be downloaded securely from Oracle and then this can be uploaded into the firmware key database.
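
One way to check the module-signing end of this chain on a host, as an added example (not Oracle's tooling): it looks for the enforcemodulesig=1 option from the post on the kernel command line and classifies modules by the signer field that modinfo reports. The sample command line, modinfo text, module names and signer strings are constructed; the signer name your kernel's modules actually carry is an assumption you have to fill in.

```python
import subprocess

ENFORCE_TOKEN = "enforcemodulesig=1"  # kernel option named in the post

# Constructed inputs (not captured from a real system).
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-EXAMPLE root=/dev/mapper/ol-root ro enforcemodulesig=1"
SAMPLE_TRUSTED = {"Example Distro signing key"}  # placeholder signer name
SAMPLE_MODINFO = {
    "xfs": ("filename:       /lib/modules/EXAMPLE/kernel/fs/xfs/xfs.ko\n"
            "license:        GPL\n"
            "signer:         Example Distro signing key\n"
            "sig_key:        AA:BB:CC:DD\n"
            "sig_hashalgo:   sha256\n"),
    "vendor_drv": ("filename:       /lib/modules/EXAMPLE/extra/vendor_drv.ko\n"
                   "license:        GPL\n"),
    "thirdparty": ("filename:       /lib/modules/EXAMPLE/extra/thirdparty.ko\n"
                   "signer:         Some Other Key\n"),
    "live_patch_mod": None,  # loaded from outside /lib/modules: modinfo finds no file
}


def enforcement_enabled(cmdline):
    """True if the kernel command line carries the enforcing option as a whole token."""
    return ENFORCE_TOKEN in cmdline.split()


def parse_modinfo(text):
    """Parse `modinfo` output into a dict; repeated keys keep the first value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # values such as sig_key contain ':'
        if sep and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    return fields


def audit(cmdline, modinfo_by_module, trusted_signers):
    """Classify modules by signer. modinfo_by_module maps a module name to its
    modinfo text, or to None when modinfo could not locate the module file."""
    result = {"enforcing": enforcement_enabled(cmdline),
              "trusted": [], "untrusted": [], "unsigned": [], "unresolved": []}
    for name in sorted(modinfo_by_module):
        text = modinfo_by_module[name]
        if text is None:
            result["unresolved"].append(name)
            continue
        signer = parse_modinfo(text).get("signer", "")
        if not signer:
            result["unsigned"].append(name)
        elif signer in trusted_signers:
            result["trusted"].append(name)
        else:
            result["untrusted"].append(name)
    # modinfo reads the file on disk, not the copy in kernel memory, so with
    # enforcement on anything outside "trusted" is a finding to investigate.
    result["clean"] = result["enforcing"] and not (
        result["untrusted"] or result["unsigned"] or result["unresolved"])
    return result


def collect_live():
    """Gather the same inputs on a running Linux host (needs modinfo from kmod)."""
    with open("/proc/cmdline") as f:
        cmdline = f.read()
    with open("/proc/modules") as f:
        names = [line.split()[0] for line in f if line.strip()]
    infos = {}
    for name in names:
        proc = subprocess.run(["modinfo", name], capture_output=True, text=True)
        infos[name] = proc.stdout if proc.returncode == 0 else None
    return cmdline, infos


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CMDLINE, SAMPLE_MODINFO, SAMPLE_TRUSTED).items():
        print(f"{key}: {value}")
```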

Oracle Linux 7.1 and MySQL 5.6

Thu, 2015-03-12 22:47
Yesterday we released Oracle Linux 7 update 1. The individual RPM updates are available from both public-yum (our free, open, public yum repo site) and Oracle Linux Network. The install ISOs can be downloaded from My Oracle Support right away and the public downloadable ISOs will be made available in the next few days from the usual e-delivery site. The ISOs will also, as usual, be mirrored to other mirror sites that also make Oracle Linux freely available.

One update in Oracle Linux 7 update 1 that I wanted to point out is the convenience of upgrading to MySQL 5.6 at install time. Oracle Linux 7 GA includes MariaDB 5.5 (due to our compatibility commitment in terms of exact packages and the same packages) and we added MySQL 5.6 RPMs on the ISO image (and in the yum repo channels online). So while it was easy for someone to download and upgrade from MariaDB 5.5 to MySQL 5.6, there was no install option. Now with 7.1 we included an installation option for MySQL. So you can decide which database to install in the installer, or through kickstart with @mariadb or @mysql as a group. Again, MariaDB 5.5 is also part of Oracle Linux 7.1, and any users that are looking for strict package compatibility will see that we very much provide that. All we have done is make it easy to have a better alternative option (1) conveniently available and integrated (2) without any compatibility risks whatsoever, so you can easily run the real standard that is MySQL. A bug fix if you will.

I have a little screenshot available here.

Enjoy.

Oracle Linux and Database Smart Flash Cache

Tue, 2015-02-24 14:07
One, sometimes overlooked, cool feature of the Oracle Database running on Oracle Linux is called Database Smart Flash Cache.

You can find an overview of the feature in the Oracle Database Administrator's Guide. Basically, if you have flash devices attached to your server, you can use this flash memory to increase the size of the buffer cache. So instead of aging blocks out of the buffer cache and having to go back to reading them from disk, they move to the much, much faster flash storage as a secondary fast buffer cache (for reads, not writes).

Some scenarios where this is very useful: you have huge tables and huge amounts of data, a very, very large database with tons of query activity (let's say many TB), and your server is limited to a relatively small amount of main RAM (let's say 128 or 256G). In this case, if you were to purchase and add a flash storage device of 256G or 512G (example), you can attach this device to the database with the Database Smart Flash Cache feature and increase the buffer cache of your database from like 100G or 200G to 300-700G on that same server. In a good number of cases this will give you a significant performance improvement without having to purchase a new server that handles more memory or purchase flash storage that can handle your many TB of storage to live in flash instead of rotational storage.

It is also incredibly easy to configure.

1. Install Oracle Linux (I installed Oracle Linux 6 with UEK3)
2. Install Oracle Database 12c (this would also work with 11g - I installed 12.1.0.2.0 EE)
3. Add a flash device to your system (for the example I just added a 1GB device showing up as /dev/sdb)
4. Attach the storage to the database in sqlplus

Done.

$ ls /dev/sdb
/dev/sdb

$ sqlplus '/ as sysdba'

SQL*Plus: Release 12.1.0.2.0 Production on Tue Feb 24 05:46:08 2015

Copyright (c) 1982, 2014, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL>  alter system set db_flash_cache_file='/dev/sdb' scope=spfile;

System altered.

SQL> alter system set db_flash_cache_size=1G scope=spfile;

System altered.

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

SQL> startup
ORACLE instance started.

Total System Global Area 4932501504 bytes
Fixed Size		    2934456 bytes
Variable Size		 1023412552 bytes
Database Buffers	 3892314112 bytes
Redo Buffers		   13840384 bytes
Database mounted.
Database opened.

SQL> show parameters flash

NAME				     TYPE	 VALUE
------------------------------------ ----------- ------------------------------
db_flash_cache_file		     string	 /dev/sdb
db_flash_cache_size		     big integer 1G
db_flashback_retention_target	     integer	 1440

SQL> select * from v$flashfilestat; 

FLASHFILE#
----------
NAME
--------------------------------------------------------------------------------
     BYTES    ENABLED SINGLEBLKRDS SINGLEBLKRDTIM_MICRO     CON_ID
---------- ---------- ------------ -------------------- ----------
	 1
/dev/sdb
1073741824	    1		 0		      0 	 0

You can get more information on configuration and guidelines/tuning here. If you want selective control over which tables can use the Database Smart Flash Cache, you can use the ALTER TABLE command (see here), specifically the STORAGE clause. By default, tables are aged out into the flash cache, but if you don't want certain tables to be cached you can use the NONE option.

alter table foo storage (flash_cache none);

This feature can really make a big difference in a number of database environments and I highly recommend taking a look at how Oracle Linux and Oracle Database 12c can help you enhance your setup. It's included with the database running on Oracle Linux.

Here is a link to a white paper that gives a bit of a performance overview.

New features in ksplice uptrack-upgrade tools for Oracle Linux

Mon, 2014-12-22 14:03
We have many, many happy Oracle Linux customers that use and rely on the Oracle Ksplice service to keep their kernels up to date with all the critical CVEs/bugfixes that we release as zero downtime patches.

There are 2 ways to use the Ksplice service:

  • Online edition/client: The uptrack tools (the Ksplice utilities you install on an Oracle Linux server to start applying ksplice updates) connect directly with the Oracle server to download updates. This model gives the most flexibility in terms of providing information of patches and detail of what is installed because we have a website on which you can find your servers and detailed patch status.

  • Offline edition/client: Many companies cannot or do not register all servers remotely with our system so they can rely on the offline client to apply updates. In this mode, the ksplice patches are packaged in RPMs for convenience. For each kernel that is shipped by Oracle for Oracle Linux, we provide a corresponding uptrack-update RPM for that specific kernel version. This RPM contains all the updates that have been released since that version was released.

    The RPM is updated whenever a new ksplice patch becomes available. So you always have 1 RPM installed for a given kernel, and this RPM gets updated. This way, standard yum / rpm commands can be used to update your server(s) with ksplice patches as well and everything is nicely integrated.

    The standard model is that an uptrack-upgrade command will apply all updates to current/latest on your server. This is of course the preferred way of applying security fixes on your running system; it's best to be on the latest version. However, in some cases, customers want more fine-grained control than latest.

    We just did an update of the ksplice offline tools to add support for updating to a specific "kernel version". This way, if you are on kernel version x and would like to go to kernel version y (effective patches/security fixes) but latest is kernel version z, you can tell uptrack-upgrade to go to kernel version y. Let me give a quick and simple example below. I hope this is a useful addition to the tools.

    Happy holidays and happy ksplicing!

    To install the tools, make sure that your server(s) has access to the ol6_x86_64_ksplice channel (if it's OL6):

    $ yum install uptrack-offline

    Now, in my example, I have Oracle Linux 6 installed with the following version of UEK3 :

    $ uname -r
    3.8.13-44.1.1.el6uek.x86_64

    Let's check if updates are available :

    $ yum search uptrack-updates-3.8.13-44.1.1
    Loaded plugins: rhnplugin, security
    This system is receiving updates from ULN.
    =========== N/S Matched: uptrack-updates-3.8.13-44.1.1.el6uek.x86_64 ===========
    uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch : Rebootless updates for the
         ...: Ksplice Uptrack rebootless kernel update service

    As I mentioned earlier, for each kernel there's a corresponding ksplice update RPM. Just install that. In this case, I run 3.8.13-44.1.1.

    $ yum install uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch
    Loaded plugins: rhnplugin, security
    This system is receiving updates from ULN.
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch 0:20141216-0 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package                                      Arch    Version     Repository          Size
    ================================================================================
    Installing:
     uptrack-updates-3.8.13-44.1.1.el6uek.x86_64  noarch  20141216-0  ol6_x86_64_ksplice  39 M

    Transaction Summary
    ================================================================================
    Install 1 Package(s)

    Total download size: 39 M
    Installed size: 40 M
    Is this ok [y/N]: y
    Downloading Packages:
    uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.n | 39 MB 00:29
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.noa 1/1
    The following steps will be taken:
    Install [b9hqohyk] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.
    .......
    Installing [vtujkei9] CVE-2014-6410: Denial of service in UDF filesystem parsing.
    Your kernel is fully up to date.
    Effective kernel version is 3.8.13-55.1.1.el6uek
      Verifying : uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.noa 1/1

    Installed:
      uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch 0:20141216-0

    Complete!

    There have been a ton of updates released since 44.1.1, and the above update gets me to effectively running 3.8.13-55.1.1. Of course, without a reboot.

    $ uptrack-uname -r
    3.8.13-55.1.1.el6uek.x86_64

    Now we get to the new feature. There's a new option in uptrack-upgrade that lists all effective kernel versions from the installed kernel to the latest based on the ksplice rpm installed.

    $ uptrack-upgrade --list-effective
    Available effective kernel versions:

    3.8.13-44.1.1.el6uek.x86_64/#2 SMP Wed Sep 10 06:10:25 PDT 2014
    3.8.13-44.1.3.el6uek.x86_64/#2 SMP Wed Oct 15 19:53:10 PDT 2014
    3.8.13-44.1.4.el6uek.x86_64/#2 SMP Wed Oct 29 23:58:06 PDT 2014
    3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014
    3.8.13-55.el6uek.x86_64/#2 SMP Mon Dec 1 11:32:40 PST 2014
    3.8.13-55.1.1.el6uek.x86_64/#2 SMP Thu Dec 11 00:20:49 PST 2014

    So as an example, let's say I want to update from 44.1.1 to 44.1.5 instead of to 55.1.1 (for whatever reason I might have). All I have to do is run uptrack-upgrade with that effective kernel version as the target.

    Let's start with removing the installed updates and go back from 55.1.1 to 44.1.1 and then upgrade again to 44.1.5 :

    $ uptrack-remove --all
    ...
    $ uptrack-upgrade --effective="3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014"
    ......
    Effective kernel version is 3.8.13-44.1.5.el6uek

    And that's it.
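
As an added example (not part of the original post or of the Ksplice tools): a small shell helper that looks up the exact string to pass to --effective for a given kernel release, and refuses targets that are not newer than the current effective kernel. It assumes the --list-effective format and oldest-to-newest ordering shown above; the function names are hypothetical, and the sample listing is copied from this post so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the Ksplice tools. Function names are hypothetical.
# Assumes the `uptrack-upgrade --list-effective` format shown in this post:
# one "release/build string" per line, ordered oldest to newest.

# Listing copied from the post so the functions can be exercised offline.
SAMPLE_LIST='Available effective kernel versions:

3.8.13-44.1.1.el6uek.x86_64/#2 SMP Wed Sep 10 06:10:25 PDT 2014
3.8.13-44.1.3.el6uek.x86_64/#2 SMP Wed Oct 15 19:53:10 PDT 2014
3.8.13-44.1.4.el6uek.x86_64/#2 SMP Wed Oct 29 23:58:06 PDT 2014
3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014
3.8.13-55.el6uek.x86_64/#2 SMP Mon Dec 1 11:32:40 PST 2014
3.8.13-55.1.1.el6uek.x86_64/#2 SMP Thu Dec 11 00:20:49 PST 2014'

# effective_for RELEASE [LISTING]
# Print the full line for RELEASE (the value --effective= expects).
# Fails if the installed uptrack-updates RPM does not offer that release.
effective_for() {
    printf '%s\n' "${2:-$SAMPLE_LIST}" |
        awk -F'/' -v r="$1" '$1 == r { print; found = 1; exit }
                             END { exit !found }'
}

# position_of RELEASE [LISTING]
# Print the 1-based rank of RELEASE in the listing (1 = oldest).
position_of() {
    printf '%s\n' "${2:-$SAMPLE_LIST}" |
        awk -F'/' -v r="$1" 'NF > 1 { n++ }
                             NF > 1 && $1 == r { print n; found = 1; exit }
                             END { exit !found }'
}

# is_upgrade CURRENT TARGET [LISTING]
# Succeed only when TARGET is newer than CURRENT; status 2 if either is unknown.
is_upgrade() {
    cur=$(position_of "$1" "${3:-$SAMPLE_LIST}") || return 2
    tgt=$(position_of "$2" "${3:-$SAMPLE_LIST}") || return 2
    [ "$tgt" -gt "$cur" ]
}

# On a real host (commands as used in the post):
#   list=$(uptrack-upgrade --list-effective)
#   is_upgrade "$(uptrack-uname -r)" 3.8.13-44.1.5.el6uek.x86_64 "$list" &&
#       uptrack-upgrade --effective="$(effective_for 3.8.13-44.1.5.el6uek.x86_64 "$list")"
```

Pinning to an intermediate effective version leaves the fixes from later versions unapplied, so a check like is_upgrade is mainly useful for making sure an automated run never moves a host backwards.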
