Wim Coekaerts


Oracle Container Registry mirrors in Oracle Cloud Infrastructure

Sat, 2017-09-30 19:56

Just in time for Oracle OpenWorld 2017!

For quite some time now, we have had a Container Registry available for users with an Oracle Single Sign-On (SSO) account. This registry contains a large number of Docker images that make it really easy to get started with Oracle products such as the Oracle Database, MySQL, Oracle Linux, Java, WebLogic, etc. There is no need to create or register a new account: many of you already have an Oracle SSO account for use with OTN, My Oracle Support or Oracle Software Delivery Cloud.

The first time, you have to log in to the website hosted at http://container-registry.oracle.com (use your SSO account) and accept the licenses for the products you want to download/pull with the Docker client. Once you have accepted the licenses, you do not have to log in to the website any more unless a license changes or you want to access a product for which you have not yet accepted the license. From here on, you can use docker pull container-registry.oracle.com/<repository>/<product> to pull down the images you are interested in.

Well, the above is not new, really but I wanted to give a very quick overview of what we have on our container registry.

What IS new:

Lots of our customers are using Oracle Cloud Infrastructure and there is a big interest in using Docker images for new projects. Since we want our customers/developers to have the best experience, we created / will create local mirrors of the central Container Registry in each OCI region. As of right now, the Ashburn and Phoenix OCI region mirrors are online; Frankfurt will follow shortly. Why does this help? Well, first of all, performance. A few examples: timing a pull (and extract) of an Oracle Linux 7-slim image is just over 3 seconds. MySQL Community server 8 seconds, Oracle Database Standard or Enterprise Edition 3 minutes (fully downloaded and extracted in your local OCI instance). And secondly, all network traffic stays within the Oracle Datacenters so you are not consuming Internet Traffic bandwidth.

The process remains the same: the main website to accept licenses is still http://container-registry.oracle.com. When you use docker on the command line in your instance, use either container-registry-phx.oracle.com or container-registry-ash.oracle.com. In the near future we will enable container-registry-fra.oracle.com. 

First you have to login on the command line:

 

# docker login container-registry-ash.oracle.com
Username: wim.coekaerts@oracle.com
Password: 
Login Succeeded

 

Next you can pull one of the many images:

 

# docker pull container-registry-ash.oracle.com/os/oraclelinux:7-slim
7-slim: Pulling from os/oraclelinux
d9ca67fed2e2: Pull complete 
Digest: sha256:2c4be3230da36933e1e9961909ed40c7fc3cc36107f86c2ed6c1775ea1c884fc
Status: Downloaded newer image for container-registry-ash.oracle.com/os/oraclelinux:7-slim

These registries are also accessible from outside of the OCI regions over the internet so if you experience slow access to container-registry.oracle.com, try one of these new ones.

We have a number of product categories available. You can find all the details on how to use them, and which tags (versions of images such as 7.1, 7.4, latest, ...) are available, on the registry website:

We are working on providing a mirror for http://yum.oracle.com inside OCI as well. Stay tuned for more Oracle Linux goodies in Oracle Cloud Infrastructure.

 

 

Quickly create a high performance NFS server in Oracle Cloud Infrastructure using Oracle Linux

Wed, 2017-09-13 11:13

To make it easy for customers that rely heavily on an NFS server for their on-premises applications, we created an Oracle Linux Storage Appliance image for Oracle Cloud Infrastructure.

There are times when you want to be able to provide a really fast shared filesystem to multiple instances, e.g. a shared 'Oracle Home' or, in the applications world, a shared APPLTOP. It is really easy to set up a Linux NFS server but we decided to go beyond DIY and we created one for you.

The Linux Storage Appliance image available in Oracle Cloud Infrastructure uses Oracle Linux 7 on your choice of either a BM dense IO (28.8TB NVMe/512G) node or BM high IO (12.8TB NVMe/512G) node. When you deploy the LSA image, at first boot, it automatically detects the NVMe volumes, creates a big raid with filesystems on top and starts a simple webserver that lets you create new shares, see log files,  see the status of the server etc.

We have a roadmap of items that we are working on, such as auto-restart, backup to object storage, iscsi volume support as an alternative to NVMe to create smaller setups, etc...

The Linux Storage Appliance image is provided for everyone to use, it runs within your own tenancy and with your own resource quota for the servers it is deployed on.

You can find more details here

Here are a few screenshots to give you an idea:

Running Oracle Linux 5 applications in Oracle Cloud Infrastructure using lxc.

Thu, 2017-09-07 15:42

Oracle Cloud Infrastructure bare-metal servers and virtual machines require an EFI capable OS and as such we offer Oracle Linux 6 and Oracle Linux 7 images for customers to deploy their instances. Most applications are certified and supported with these OS versions; however, in some rare cases a customer has an older application that requires something like Oracle Linux 4 or 5. While we currently cannot run these versions as native instances, it is possible to run Linux Containers on Oracle Linux with an OL4 or OL5 environment.

We have, for many years, supported lxc (https://blogs.oracle.com/wim/oracle-linux-containers) with Oracle Linux. lxc is great for system-containers, if you want to call it that, an entire OS environment ( basically "start /bin/init" ) whereas docker is more an application-container, start your app. Sure you can run /bin/init as your 'app' but lxc is a bit more tuned towards this model, I think. The generic lxc documentation can be found here.

lxc is fully supported on Oracle Linux 6 and Oracle Linux 7 and Oracle Linux 5 is fully supported as a container OS on top. So for customers that have a need to run older applications on older versions  of Linux in OCI, this is a great option.

To get started with lxc in Oracle Cloud Infrastructure, you first need to create a bare-metal server or VM instance using Oracle Linux 7 as the OS image, create your virtual cloud network, create a block volume, attach the block volume etc. I will assume that you are familiar with these steps.  I make one additional assumption around VNICs. The easiest way to set up the networking is by allocating a separate secondary VNIC for each container and pass this VNIC into the container. A quick tutorial is here.

In summary:

- Create a compartment, virtual cloud network and subnet

- Create an instance (BM or VM)

- Create and attach a block volume that will host the containers

- Create a number of  VNICs (1 per container)

- Install lxc

- Create and mount a filesystem on the block volume that holds the containers

- Create a container.

 

To install lxc, simply use yum on your Oracle Linux instance:

# yum install lxc

...

Dependencies Resolved

================================================================================
 Package         Arch          Version                  Repository         Size
================================================================================
Updating:
 lxc             x86_64        1.1.5-2.0.9.el7          ol7_latest        231 k
Updating for dependencies:
 lxc-libs        x86_64        1.1.5-2.0.9.el7          ol7_latest        219 k

Transaction Summary
================================================================================
Upgrade  1 Package (+1 Dependent package)

Total download size: 450 k
Is this ok [y/d/N]:

Make sure you use the latest version of lxc (1.1.5-2.0.9 or newer)

I suggest using btrfs as the container filesystem.

Assuming you created a block volume, it should show up as /dev/sdb:

$ cat /proc/partitions
major minor  #blocks  name

   8        0   48838656 sda
   8        1     556988 sda1
   8        2    8420348 sda2
   8        3   39808260 sda3
   8       16  134217728 sdb

Create a partition using fdisk, simply create 1 partition that uses the entire volume

$ fdisk /dev/sdb

Enter n (new partition), p (primary partition) 1 (first partition on new volume) and hit enter twice if you want to use the entire Block Volume.
Enter w to write the partition table out to disk.

This should now show up:

$ cat /proc/partitions
major minor  #blocks  name

   8        0   48838656 sda
   8        1     556988 sda1
   8        2    8420348 sda2
   8        3   39808260 sda3
   8       16  134217728 sdb
   8       17  134216704 sdb1

Next create your btrfs volume and mount it under /container:

$ mkfs.btrfs /dev/sdb1

$ echo "/dev/sdb1 /container btrfs defaults,noatime,_netdev 0 2" >> /etc/fstab

$ mount -a

The installation of lxc already created the /container directory on your server.

Next up,  configure your secondary VNICs using the scripts referenced here. It is slightly different in a VM instance versus a BM instance.

Create your first lxc container. The syntax is as follows:

 lxc-create -n <container name> -t <template> -- -R <release>
- Specify a container name that you want to use, for instance "ol5".
- To create Oracle Linux containers use the "oracle" template.
- Release specifies which release of the container OS you want to use. We are creating an Oracle Linux 5 container so we use -R 5.latest
- For Oracle Linux 4,6 or 7, use the same "oracle" template and change <release> to 4.latest, 6.latest or 7.latest

$ lxc-create -n ol5 -t oracle -- -R 5.latest
Host is OracleServer 7.3
Create configuration file /container/ol5/config
Yum installing release 5.latest for x86_64
...
Added container user:oracle password:oracle
Added container user:root password:root
Container : /container/ol5/rootfs
Config    : /container/ol5/config
Network   : eth0 (veth) on lxcbr0

There is an additional configuration step required. The network configuration of the newly created container needs to be modified.

Modify the container configuration file
$ vi /container/ol5/config

change the following lines:

lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:xx:xx:xx <- where xx:xx:xx has assigned values

to

lxc.network.type = phys
lxc.network.link = ens2f0.vlan.1 <- or ens4, or whatever the secondary VNIC interface created earlier is called
 

comment out or remove the lxc.network.hwaddr line
#lxc.network.hwaddr =

It is important to comment out the hwaddr line because we want to use the mac address of the interface created by the scripts.

veth gets changed to phys because we are effectively passing through the network interface directly to the container
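
The same edit can be scripted so that it is applied identically for every container and checked before the container is started. This is an added example, not code from the original post: the function names and the sample config are constructed for illustration, and it assumes the lxc 1.x lxc.network.* keys shown above.

```shell
#!/bin/sh
# Added example: switch an lxc 1.x container config from the template's
# veth/lxcbr0 network to VNIC passthrough (type = phys, hwaddr commented out).

# Constructed sample of the relevant part of /container/ol5/config.
SAMPLE_CONFIG='lxc.utsname = ol5
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:aa:bb:cc
lxc.rootfs = /container/ol5/rootfs'

# Accept only plausible Linux interface names (at most 15 characters, no
# whitespace), so a bad argument can never inject extra lines into the config.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# lxc_net_to_phys IFACE < config > new-config
# Rewrites type and link, comments out an active hwaddr line, and passes every
# other line through unchanged. Running it twice gives the same result.
lxc_net_to_phys() {
    valid_ifname "$1" || { echo "bad interface name" >&2; return 2; }
    awk -v iface="$1" '
        /^[ \t]*lxc\.network\.type[ \t]*=/   { print "lxc.network.type = phys"; next }
        /^[ \t]*lxc\.network\.link[ \t]*=/   { print "lxc.network.link = " iface; next }
        /^[ \t]*lxc\.network\.hwaddr[ \t]*=/ { print "#" $0; next }
        { print }'
}

# lxc_net_check IFACE < config
# Succeeds only if the config is in the passthrough state: type is phys, link
# is IFACE, and no uncommented hwaddr line is left to override the VNIC's MAC.
lxc_net_check() {
    awk -v iface="$1" '
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*#/ { next }
        /^[ \t]*lxc\.network\.type[ \t]*=/   { type = val($0) }
        /^[ \t]*lxc\.network\.link[ \t]*=/   { link = val($0) }
        /^[ \t]*lxc\.network\.hwaddr[ \t]*=/ { hw = 1 }
        END { exit !(type == "phys" && link == iface && !hw) }'
}

# lxc_apply CONFIG_FILE IFACE
# Rewrites the file in place only if the result passes lxc_net_check, and
# keeps the original as CONFIG_FILE.veth.bak.
lxc_apply() {
    cfg=$1
    iface=$2
    valid_ifname "$iface" || { echo "bad interface name" >&2; return 2; }
    tmp=$(mktemp "${cfg}.XXXXXX") || return 1
    if lxc_net_to_phys "$iface" < "$cfg" > "$tmp" &&
       lxc_net_check "$iface" < "$tmp"; then
        cp -p "$cfg" "${cfg}.veth.bak" && mv "$tmp" "$cfg"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Show the rewrite on the constructed sample.
printf '%s\n' "$SAMPLE_CONFIG" | lxc_net_to_phys ens4
```

On a host this would be run as root, for example lxc_apply /container/ol5/config ens4, before starting the container.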


Start the container

$ lxc-start -n ol5

Connect to the console

$ lxc-console -n ol5

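The default root password is root, and the template also creates an oracle user with the password oracle (see the lxc-create output above). Please change both after creating your container.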

To exit the console, type ctrl-a q

Configure the network inside the container. To find the IP configuration for your VNICs from inside your instance, you can view this URL:

$ wget http://169.254.169.254/opc/v1/vnics/

Manually:

$ ifconfig eth0 10.0.2.3 netmask 255.255.255.0
$ route add default gw 10.0.2.1

Configure the network at start time by creating a new ifcfg script :

edit /etc/sysconfig/network-scripts/ifcfg-eth0

example:

DEVICE="eth0"
BOOTPROTO=none
ONBOOT=yes
TYPE="Ethernet"
IPADDR=10.0.2.3
PREFIX=24
GATEWAY=10.0.2.1
DEFROUTE=yes

 

To see which lxc containers are actively running type

$ lxc-ls --active

This container would be a supported Oracle Linux 5 environment running on Oracle Linux 7.

NOTE: Oracle Linux 5 has entered extended support. See here. Keep in mind that for Oracle Cloud subscription customers, Extended support is included with your subscription without any additional cost/fees.

 

 

More packages for Oracle Linux to make life easier.

Wed, 2017-09-06 11:13

A lot of development work we do for Oracle Linux is focused around Oracle Cloud. Work with the infrastructure team to provide the best OS for them, work on new features that can help in various areas (NVMe, kvm, GPU, security, containers...) and so on. But we also put a lot of effort into making Oracle Linux run extremely well for customers on Oracle Cloud. Pre-built images which we try to make as efficient as possible and configured out of the box to just work seamlessly. For instance, a few weeks ago we added the Oracle Ksplice package to the base image and pre-configured them so that Ksplice works without any additional steps. Want to use it? Just type uptrack-upgrade. The latest kernel version is typically installed, latest fixes for drivers. Anything that every customer would have to do themselves we try to pre-emptively take care of.

Another aspect of running Oracle Linux in Oracle Cloud is providing the right packages and making it easy to get to them. We are working on a mirror of yum.oracle.com and the Oracle Container Registry inside the Oracle Cloud regions for super high-speed access to packages without having to go outside of the datacenters. And we are building packages that are not part of the base Oracle Linux but are certainly very useful and frequently asked for by customers. For instance, we released RPMs for Terraform with the Oracle Bare Metal cloud provider so that you don't have to manually download binaries, but can just use a local pre-configured yum repo.

We also released fluentd and collectd packages here and here . Oracle Managed Cloud works with collectd for instance for its data collection to do analytics. While customers or developers can certainly go and download these packages elsewhere, it would require extra steps. We're just doing it to ensure that they're all in the same place. They're mirrored inside the datacenters, they're signed by our key, preconfigured yum.repo files, and all the dependencies have been verified to ensure we don't break anything when they are published. Of course all the source code is also available in the usual place. As we get more requests to add more packages these _developer, _preview and _developer_epel channels will get more content. The biggest focus area here will be developers, container services and providing all the packages to easily get going.

And remember, all this is included with every instance of Oracle Linux you run in Oracle Cloud, no additional charges. Oracle Ksplice, full support, everything we have is out of the box, included.

 

Oracle Linux support in Oracle Cloud

Sun, 2017-07-30 13:00

This is a topic that comes up every now and again with customers or users of Oracle Cloud: Is Oracle Linux support included with our IaaS services and if so, which parts of Oracle Linux support are included?

The answer is very straightforward. Any customer in Oracle Cloud that creates new, creates their own or uses existing "Oracle Linux" images, in both Oracle Public Cloud and Oracle Bare Metal Cloud Services, has full Oracle Linux Premier Support included at no additional cost. There is no extra hourly surcharge on top of the IaaS subscriptions. This includes access to Oracle Support, access to the My Oracle Support portal, Oracle Ksplice, use of Oracle Enterprise Manager Cloud Control to manage and monitor Oracle Linux instances and of course the packages and updates for Oracle Linux.

Oracle Ksplice for Oracle Linux in Bare Metal Cloud Services

Sun, 2017-07-30 12:39

A few weeks ago I wrote a blog post that talked about setting up Oracle Ksplice in Oracle Cloud (specifically Bare Metal Cloud Services). At the time, the instructions included editing the uptrack.conf file and adding a specific auth key. We have since automated that part as well.

For existing instances or newly created instances (any VM.* and BM.* shapes with Oracle Linux) you can just simply download a new installation script that takes care of it all for you. As mentioned in the previous post, we are going to include the uptrack tools by default as well in a future image version of Oracle Linux but that's not completed yet.

The simple steps to follow now:

Connect to your BMCS instance

# ssh -l opc <public ip address of your instance>

sudo to root

# sudo bash

# cd

Download the ksplice installation script   

# wget -N https://www.ksplice.com/uptrack/install-uptrack-oc

--2017-07-30 17:27:59--  https://www.ksplice.com/uptrack/install-uptrack-oc

Resolving www.ksplice.com (www.ksplice.com)... 137.254.56.32

Connecting to www.ksplice.com (www.ksplice.com)|137.254.56.32|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 10154 (9.9K) [text/plain]

Saving to: ‘install-uptrack-oc’

100%[======================================>] 10,154      --.-K/s   in 0.06s   

2017-07-30 17:28:00 (179 KB/s) - ‘install-uptrack-oc’ saved [10154/10154]

Run the installation script   

# sh install-uptrack-oc

[ Release detected: ol ]

--2017-07-30 17:30:36--  https://www.ksplice.com/yum/uptrack/ol/ksplice-uptrack-release.noarch.rpm

Resolving www.ksplice.com (www.ksplice.com)... 137.254.56.32

Connecting to www.ksplice.com (www.ksplice.com)|137.254.56.32|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 6876 (6.7K) [application/x-rpm]

Saving to: ‘ksplice-uptrack-release.noarch.rpm’

100%[======================================>] 6,876       --.-K/s   in 0s      

2017-07-30 17:30:36 (46.5 MB/s) - ‘ksplice-uptrack-release.noarch.rpm’ saved [6876/6876]

[ Installing Uptrack ]

warning: ksplice-uptrack-release.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 16c083cd: NOKEY

Preparing packages...

ksplice-uptrack-release-1-3.noarch

Loaded plugins: langpacks, ulninfo

ksplice-uptrack                                          |  951 B     00:00     

ol7_UEKR4                                                | 1.2 kB     00:00     

ol7_addons                                               | 1.2 kB     00:00     

ol7_latest                                               | 1.4 kB     00:00     

ol7_optional_latest                                      | 1.2 kB     00:00     

(1/7): ol7_UEKR4/x86_64/updateinfo                         |  83 kB   00:00     

(2/7): ol7_latest/x86_64/updateinfo                        | 1.3 MB   00:00     

(3/7): ksplice-uptrack/7Server/x86_64/primary              | 2.0 kB   00:00     

(4/7): ol7_optional_latest/x86_64/primary                  | 4.0 MB   00:00     

(5/7): ol7_optional_latest/x86_64/updateinfo               | 940 kB   00:00     

(6/7): ol7_latest/x86_64/primary                           |  26 MB   00:00     

(7/7): ol7_UEKR4/x86_64/primary                            |  19 MB   00:00     

ksplice-uptrack                                                             7/7

ol7_UEKR4                                                               396/396

ol7_latest                                                          19362/19362

ol7_optional_latest                                                 13397/13397

Resolving Dependencies

--> Running transaction check

---> Package uptrack.noarch 0:1.2.41-0.el7 will be installed

--> Processing Dependency: perl(Fatal) for package: uptrack-1.2.41-0.el7.noarch

--> Processing Dependency: perl-autodie for package: uptrack-1.2.41-0.el7.noarch

--> Running transaction check

---> Package perl-autodie.noarch 0:2.16-2.el7 will be installed

--> Finished Dependency Resolution

Dependencies Resolved

================================================================================

 Package            Arch         Version            Repository             Size

================================================================================

Installing:

 uptrack            noarch       1.2.41-0.el7       ksplice-uptrack       298 k

Installing for dependencies:

 perl-autodie       noarch       2.16-2.el7         ol7_latest             77 k

Transaction Summary

================================================================================

Install  1 Package (+1 Dependent package)

Total download size: 375 k

Installed size: 996 k

Downloading packages:

(1/2): perl-autodie-2.16-2.el7.noarch.rpm                  |  77 kB   00:00     

(2/2): uptrack-1.2.41-0.el7.noarch.rpm                     | 298 kB   00:00     

--------------------------------------------------------------------------------

Total                                              689 kB/s | 375 kB  00:00     

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

Warning: RPMDB altered outside of yum.

  Installing : perl-autodie-2.16-2.el7.noarch                               1/2 

  Installing : uptrack-1.2.41-0.el7.noarch                                  2/2 

There are no existing modules on disk that need basename migration.

  Verifying  : perl-autodie-2.16-2.el7.noarch                               1/2 

  Verifying  : uptrack-1.2.41-0.el7.noarch                                  2/2 

Installed:

  uptrack.noarch 0:1.2.41-0.el7                                                 

Dependency Installed:

  perl-autodie.noarch 0:2.16-2.el7                                              

Complete!

Effective kernel version is 4.1.12-94.3.6.el7uek

The following steps will be taken:

Install [nq2lixsa] Improve the interface to freeze tasks.

Install [4g8860bp] CVE-2017-1000364: Increase stack guard size to 1 MiB.

Install [iw78w90p] CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.

Install [5ct5a8wv] CVE-2017-7477: Remote Denial-of-service in 802.1AE implementation.

Install [5v18x54y] Denial-of-service when bonding multiple IPOIB devices.

[ Installation Complete! ]

[ Please run '/usr/sbin/uptrack-upgrade -y' to bring your system up to date ]

To install the available Ksplice patches on your running kernel, just run the uptrack-upgrade tool (as root)  

# uptrack-upgrade 

The following steps will be taken:

Install [nq2lixsa] Improve the interface to freeze tasks.

Install [4g8860bp] CVE-2017-1000364: Increase stack guard size to 1 MiB.

Install [iw78w90p] CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.

Install [5ct5a8wv] CVE-2017-7477: Remote Denial-of-service in 802.1AE implementation.

Install [5v18x54y] Denial-of-service when bonding multiple IPOIB devices.

Go ahead [y/N]? y

Installing [nq2lixsa] Improve the interface to freeze tasks.

Installing [4g8860bp] CVE-2017-1000364: Increase stack guard size to 1 MiB.

Installing [iw78w90p] CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.

Installing [5ct5a8wv] CVE-2017-7477: Remote Denial-of-service in 802.1AE implementation.

Installing [5v18x54y] Denial-of-service when bonding multiple IPOIB devices.

Your kernel is fully up to date.

Effective kernel version is 4.1.12-94.3.9.el7uek
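
To confirm from a saved uptrack-upgrade transcript that a specific fix was actually applied, and not only listed under "The following steps will be taken", the Install and Installing lines can be compared. This is an added example, not part of the original post or of the Ksplice tools: the function names are made up for illustration, the sample log is constructed from the lines above as an interrupted run, and handling of several CVE ids on one line goes beyond what the transcript shows.

```shell
#!/bin/sh
# Added example: check a captured uptrack-upgrade transcript for required CVEs.

# Constructed sample: lines taken from the transcript above, cut off after the
# second applied update, so CVE-2017-7477 is planned but never installed.
SAMPLE_UPTRACK_LOG='The following steps will be taken:
Install [nq2lixsa] Improve the interface to freeze tasks.
Install [4g8860bp] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Install [iw78w90p] CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.
Install [5ct5a8wv] CVE-2017-7477: Remote Denial-of-service in 802.1AE implementation.
Go ahead [y/N]? y
Installing [nq2lixsa] Improve the interface to freeze tasks.
Installing [4g8860bp] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Installing [iw78w90p] CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.'

# ksplice_cves WORD < log
# Prints the sorted, unique CVE ids found on lines that start with "WORD [".
# WORD is "Install" (planned) or "Installing" (applied); the trailing " ["
# keeps "Install" from also matching "Installing".
ksplice_cves() {
    awk -v word="$1" '
        index($0, word " [") == 1 {
            s = $0
            while (match(s, /CVE-[0-9]+-[0-9]+/)) {
                print substr(s, RSTART, RLENGTH)
                s = substr(s, RSTART + RLENGTH)
            }
        }' | sort -u
}

# ksplice_require CVE... < log
# Prints one line per required CVE that was not applied, saying whether it was
# at least planned. Returns 0 only if every required CVE has an Installing line.
ksplice_require() {
    log=$(cat)
    applied=$(printf '%s\n' "$log" | ksplice_cves Installing)
    planned=$(printf '%s\n' "$log" | ksplice_cves Install)
    rc=0
    for cve in "$@"; do
        if printf '%s\n' "$applied" | grep -qxF -- "$cve"; then
            continue
        elif printf '%s\n' "$planned" | grep -qxF -- "$cve"; then
            echo "$cve planned-not-applied"
        else
            echo "$cve not-offered"
        fi
        rc=1
    done
    return "$rc"
}

# Demo on the constructed sample: reports CVE-2017-7477 as planned-not-applied.
printf '%s\n' "$SAMPLE_UPTRACK_LOG" |
    ksplice_require CVE-2017-1000364 CVE-2017-7477 || true
```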

 

CVE-2017-1000364

Thu, 2017-06-29 02:00

I am sure many of you have heard or read about CVE-2017-1000364.

If not, you can find some information here:

https://blog.qualys.com/tag/cve-2017-1000364

https://nvd.nist.gov/vuln/detail/CVE-2017-1000364

http://www.securityfocus.com/bid/99130

An issue was discovered in the size of the stack guard page on Linux: a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed). This affects Linux kernel versions 4.11.5 and earlier (the stack guard page was introduced in 2010).

This CVE has a very high CVSS score of 9.8.

There are a number of packages released for Oracle Linux to deal with this CVE.

An updated glibc: https://linux.oracle.com/cve/CVE-2017-1000366.html

An updated kernel:  https://linux.oracle.com/cve/CVE-2017-1000364.html

A very important additional detail is that we also have an online fix available through Ksplice. So for Oracle Linux users/customers with a support subscription, you can simply run uptrack-upgrade on a running kernel. No reboot required.

# uptrack-upgrade
The following steps will be taken:
Install [8cpcuyra] CVE-2017-1000364: Increase stack guard size to 1 MiB.

Go ahead [y/N]? y
Installing [8cpcuyra] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-94.3.7.el7uek

 

 

Oracle Ksplice on Oracle Linux in Bare Metal Cloud

Wed, 2017-06-21 09:58

One of the great advantages of using Oracle Cloud is the fact that it includes full Oracle Linux support. All the services that you get with Oracle Linux Premier support are included without additional cost when you use Oracle Cloud.

Oracle Ksplice is such a service. (see: http://www.ksplice.com/ ). In order to use Oracle Ksplice outside of Oracle Cloud you configure it at install time when registering your Oracle Linux server with ULN (http://linux.oracle.com ) and you then use the generated access key to configure the uptrack tools.

With Oracle Cloud, both Oracle Public Cloud and Oracle Bare Metal Cloud Services ( http://cloud.oracle.com ), we have made it very easy. Any instance that runs inside our infrastructure has immediate access to the ksplice servers.

For customers or users with existing Oracle Linux instances in BMCS, you have to do a few simple steps to enable Ksplice. We are in the process of adding the uptrack tools to the image by default so, soon, you don't have to do any configuration at all.

Enable Ksplice today:

Log into your Oracle Linux instance as user opc (or as root)

# sudo bash

Download the uptrack client:

# wget -N https://www.ksplice.com/uptrack/install-uptrack

or if you prefer to use curl

# curl -O https://www.ksplice.com/uptrack/install-uptrack

Install the client, make sure you use this exact key, it will only work inside BMCS and is a generic identifier.

# sh install-uptrack dfc21b3ced9af52f6a8760c1b1860f928ba240970a3612bb354c84bb0ce5903e --autoinstall
 

This command unpacks the downloaded script and installs the uptrack utilities (Ksplice client tools). Ignore the connect error; you need the step below.

One more step. In order for the above key to work, you have to point the uptrack tools to a specific update server.

edit /etc/uptrack/uptrack.conf:

# The location of the Uptrack updates repository.

update_repo_url=https://oraclecloud-updates-ksplice.oracle.com/update-repository

and that's it.

# uptrack-upgrade
Nothing to be done.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-94.3.6.el6uek

 

For instances that are Bring Your Own we will automate the above steps as well. But at least this gets you going right away.

 

Introducing UEK4 and DTrace on Oracle Linux for SPARC

Fri, 2017-05-26 13:18

About 2 months ago we released the first version of Oracle Linux 6, Update 7 for SPARC. That was the same version of Oracle Linux used in Exadata SL6. OL6 installed on T4, T5 and T7 systems but it did not yet support the S7 processors/systems. It contained support for the various M7 processor features (DAX, ADI, crypto,...), gcc optimizations to support better code generation for SPARC, important optimizations in functions like memcpy() etc.

We also introduced support for Linux as the control domain (guest domain worked before). So this was the first time one could use Linux as the control domain with a vdiskserver, vswitch and virtual console driver. For this release we based the kernel on UEK2 (2.6.39).

The development team has been hard at work doing a number of things:

- continue to work with upstream Linux  and gcc/glibc/binutils development to submit all the code changes for inclusion. Many SPARC features have already been committed upstream and many are pending/Work in Progress.

- part of the work is  to forward port, so to speak, a lot of the uek2/sparc/exadata features into uek4, alongside upstream/mainline development.

- performance work, both in kernel and userspace (glibc, gcc in particular)

Today, we released an updated version of the ISO image that contains UEK4 QU4 (4.1.12-94.3.2). The main reason for updating the ISO is to introduce support for the S7 processor and S7-based servers. It contains a ton of improvements over UEK2,  we also added support for DTrace.

You can download the latest version of the ISO here :  http://www.oracle.com/technetwork/server-storage/linux/downloads/oracle-linux-sparc-3665558.html

The DTrace utilities can be downloaded here : http://www.oracle.com/technetwork/server-storage/linux/downloads/linux-dtrace-2800968.html

As we add more features we will update the kernel and we will also publish a new version of the software collections for Oracle Linux for SPARC with newer versions of gcc (6.x etc) so more coming!

We are working on things like gccgo, valgrind, node... and the yum repo on http://yum.oracle.com/ contains about 5000 RPMs.

Download it, play with it, have fun.

 

Oracle Linux 6 for SPARC

Fri, 2017-03-31 16:06
Oracle Linux 6 for SPARC is now available for download from OTN and the release notes can be found here.

This version of Oracle Linux 6 uses UEK2 (there is no RHCK here of course as there is no corresponding release on SPARC) and this OS release can be installed on T4, T5 and T7 (M7,M5) but not yet on the S7 platform. OL6 for SPARC contains all the packages (binary and -devel) for DAX, ADI (SSM), an updated version of openssl with support of on-chip crypto features.

We also provide the SPARC LDOM Manager code (both source and binary). With LDOM manager installed you can run Oracle Linux as a control domain for both Linux and Solaris guests. You can of course also install Linux as a guest domain on top of Solaris. The kernel supports vswitch and vdiskserver etc. A native (linux only) installation is also supported.

Our yum repo will have the OL6/sparc channels later today. The repo also contains -devel packages and the toolchains for gcc etc ... BTW of course, gcc supports M7 (cpu) optimizations. We have optimized memcpy and tons of other stuff.

Lots of SPARC Linux kernel code is already in upstream Linux but a bunch of stuff is in progress of going in. The same goes for user space code. glib and gcc patches have for the most part been submitted upstream and committed, some are pending.

A newer ISO with UEK(4) is on its way (we have builds and are testing). This update will also support the S7 systems/chip.

OL6 for SPARC doesn't yet contain -all- the RPMs that are part of Oracle Linux on x86. Right now, it is just a subset however we will be expanding it over time.

I will blog about some Dax and ADI/SSM samples in a few days :) some ldom control domain tips etc...

have fun


Oracle Linux 6 update 9

Tue, 2017-03-28 15:56
We just released Oracle Linux 6 update 9. The channels are on ULN and on our yum repo. The ISOs are available for download through MOS and in the next few days also on the software delivery cloud page, as customary. The release notes with changes are published and so on.

One thing we discovered during testing of OL6.9 was that a recent change in "upstream" glibc can cause memory corruption resulting in a database start-up failure every now and then.

Since we caught this prior to release, we have, of course, fixed the bug.

The following code change introduced the bug (glibc-rh1012343.patch)

 	
	     char newmode[modelen + 2];
	  -  memcpy (mempcpy (newmode, mode, modelen), "c", 2);
	  +  memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
	     FILE *result = fopen (file, newmode);
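Review bot: on the `+` line the literal grows from "c" to "ce" but the copy length stays 2 and `newmode` stays `modelen + 2` bytes, so the terminating NUL that the old two-byte copy of "c" carried is no longer written and the `fopen (file, newmode)` call below receives an unterminated string. The declaration needs `modelen + 3` and the memcpy length 3 so that the terminator is copied and fits.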

As you can see, someone added e to newmode (c to ce) but forgot to increase the size of newmode and the copy length (2 to 3), so there is no null character at the end.
The correct patch that we have in glibc as part of OL6.9 is:
	-  char newmode[modelen + 2];
	-  memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
	+  char newmode[modelen + 3];
	+  memcpy (mempcpy (newmode, mode, modelen), "ce", 3);
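Review bot: in the corrected `+` lines the array bound `modelen + 3` and the copy length `3` are two hand-maintained literals that both have to equal the size of "ce" including its terminator, which is exactly what went out of step in the earlier change. Writing both as `sizeof "ce"` (in the declaration and as the memcpy length) would keep them tied to the string if another flag is appended later.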

The Oracle bug id is 25609196. The patch for this is in the glibc src rpm. The customer symptom would be a failed start of the database because of fopen() failing.
Something like this:
  Wed Mar 22 *17:19:51* 2017
  *ORA-00210: cannot open the specified control file*
  ORA-00202: control file: '/opt/oracle/oltest/.srchome/single-database/nas/12.1.0.2.0-8192-72G/control_001'
  ORA-27054: NFS file system where the file is created or resides is not mounted with correct options
  *Linux-x86_64 Error: 13: Permission denied*
  Additional information: 2
  ORA-205 signalled during: ALTER DATABASE   MOUNT...
  Shutting down instance (abort)
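The off-by-one described above, replayed inside a larger scratch buffer so that the missing terminator can be observed without undefined behaviour, next to a hardened helper. This is an added example, not glibc or Oracle code: SCRATCH, FILLER and all function names are made up for the illustration, and plain memcpy with pointer arithmetic stands in for the GNU mempcpy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SUFFIX  "ce"   /* flags the patch appends to the caller's mode */
#define SCRATCH 32u    /* constructed: scratch area larger than newmode */
#define FILLER  0x7f   /* constructed: stands in for stale stack bytes */

/* Lay out newmode the way the patch does, at the start of a larger scratch
 * area. copy_len is the third argument of the outer memcpy: 2 in the buggy
 * change, 3 in the fix. */
static void lay_out(char *scratch, const char *mode, size_t copy_len)
{
    size_t modelen = strlen(mode);

    memset(scratch, FILLER, SCRATCH);
    scratch[SCRATCH - 1] = '\0';                  /* keeps strlen() bounded */
    memcpy(scratch, mode, modelen);               /* the inner mempcpy() */
    memcpy(scratch + modelen, SUFFIX, copy_len);  /* the outer memcpy() */
}

/* Returns 1 if a NUL lands inside the modelen + array_extra bytes that
 * newmode occupies, 0 if it does not, -1 if the arguments do not fit. */
int terminated_inside(const char *mode, size_t array_extra, size_t copy_len)
{
    char scratch[SCRATCH];
    size_t modelen = strlen(mode);

    if (copy_len > sizeof SUFFIX || copy_len > array_extra ||
        modelen + array_extra >= SCRATCH)
        return -1;
    lay_out(scratch, mode, copy_len);
    return memchr(scratch, '\0', modelen + array_extra) != NULL;
}

/* Length of the string a consumer such as fopen() would see when handed
 * the start of newmode; -1 if the arguments do not fit. */
long length_seen(const char *mode, size_t copy_len)
{
    char scratch[SCRATCH];

    if (copy_len > sizeof SUFFIX || strlen(mode) + sizeof SUFFIX >= SCRATCH)
        return -1;
    lay_out(scratch, mode, copy_len);
    return (long)strlen(scratch);
}

/* Hardened form: the space check and the copy length both come from
 * sizeof SUFFIX, which counts the terminator, so they cannot drift apart.
 * Returns 0 on success, -1 if dst is too small. */
int build_mode(char *dst, size_t dstlen, const char *mode)
{
    size_t modelen = strlen(mode);

    if (dstlen < sizeof SUFFIX || modelen > dstlen - sizeof SUFFIX)
        return -1;
    memcpy(dst, mode, modelen);
    memcpy(dst + modelen, SUFFIX, sizeof SUFFIX);
    return 0;
}

int main(void)
{
    char ok[8];

    printf("buggy  (+2, copy 2): terminated=%d, length seen=%ld\n",
           terminated_inside("r", 2, 2), length_seen("r", 2));
    printf("fixed  (+3, copy 3): terminated=%d, length seen=%ld\n",
           terminated_inside("r", 3, 3), length_seen("r", 3));
    if (build_mode(ok, sizeof ok, "r") == 0)
        printf("hardened helper    : \"%s\"\n", ok);
    return 0;
}
```

In the buggy layout the string runs on into whatever bytes follow the array, so what the consumer is handed depends on stale memory rather than on the caller's mode.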


Oracle Linux and Software Collections make it a great 'current' developer platform

Tue, 2017-03-14 10:57
Oracle Linux major releases happen every few years. Oracle Linux 7 is the current version and this was released back in 2014, Oracle Linux 6 is from 2011, etc... When a major release goes out the door, it sort of freezes the various packages at a point in time as well. It locks down which major version of glibc, etc.

Now, that doesn't mean that nothing new gets added over time. Of course security fixes and critical bugfixes get backported from new versions into these various packages, and a good number of enhancements/features also get backported over the years. Very much so on the kernel side, but in a number of cases also in the various userspace packages. However, for the most part the focus is on stability and consistency. This is also the case with the different tools and compilers/languages. A concrete example: OL7 provides Python 2.7.5. This base release of Python will not change in newer OL7 updates; making a big change would break compatibility, so it's kept stable at 2.7.5.

A very important thing to keep reminding people of, however, is the fact that CVE fixes do get backported into these versions. I often hear someone ask if we ship a newer version of, say, openssl, because some CVE or other is fixed in that newer version - but typically that CVE would also be fixed in the versions we ship with OL. There is a difference between openssl the open source project, with CVEs fixed 'upstream', and openssl as shipped in Oracle Linux versions, maintained and bug fixed over time with backports from upstream. We take care of critical bugs and security fixes in the current shipping versions.

Anyway - there are other Linux distributions out there that 'evolve' much more frequently and by doing so, out of the box tend to come with newer versions of libraries and tools and packages and that makes it very attractive for developers that are not bound to longer term stability and compatibility. So the developer goes off and installs the latest version of everything and writes their apps using that. That's a fine model in some cases but when you have enterprise apps that might be deployed for many years and have a dependency on certain versions of scripting languages or libraries or what have you, you can't just replace those with something that's much newer, in particular much newer major versions. I am sure many people will agree that if you have an application written in python using 2.7.5 and run that in production, you're not going to let the sysadmin or so just go rip that out and replace it with python 3.5 and assume it all just works and is transparently compatible....

So does that mean we are stuck? No... there is a yum repository called Software Collections Library which we make available to everyone on our freely accessible yum server. That Library gets updated on a regular basis (we are at version 2.3 right now) and it contains newer versions of many popular packages, typically newer compilers, toolkits etc. (such as GCC, Python, PHP, Ruby...): things that developers want to use and are looking for more recent versions of.

The channel is not enabled by default; you have to edit /etc/yum.repos.d/public-yum-ol7.repo and set the ol7_software_collections repo to enabled=1. When you do that, you can then go and install the different versions that are offered. You can just browse the repo using yum or just look online. (Similar channels exist for Oracle Linux 6.) When you install these different versions, they get installed in /opt and they won't replace the existing versions. So if you have python installed by default with OL7 (2.7.5) and install Python 3.5 from the software collections, this new version goes into /opt/rh/rh-python35. You can then use the scl utility to selectively enable which application uses which version.
An example:

scl enable rh-python35 -- bash

One little caveat to keep in mind: if you have an early version of OL7 or OL6 installed, we do not modify the /etc/yum.repos.d/public-yum-ol7.repo file after initial installation (because we might overwrite changes you made), so it is always a good idea to get the latest version from our yum server. (You can find them here.) The channel/repo name might have changed or a new one could have been added or so...

As you can see, Oracle Linux is/can be a very current developer platform. The packages are there, they are just provided in a model that keeps stability and consistency. There is no need to go download upstream package source code, compile it yourself and replace system toolkits/compilers, which can cause incompatibilities.

ksplice

Fri, 2017-02-24 15:36
As many of you probably know by now, a few days ago there was a report of an old long-standing Linux bug that got fixed. It goes back to kernels even down to 2.6.18 and possibly earlier. This bug was recently fixed, see here.

Now, distribution vendors, including us, have released kernel updates that customers/users can download and install, but as always a regular kernel upgrade requires a reboot. We have had ksplice as a service for Oracle Linux support customers for quite a few years now and we also support Ubuntu and Fedora for free for anyone (see here).

One thing that is not often talked about, but that I believe is very powerful and want to point out here, is the following:

Typically the distribution vendors (including us) will release an update kernel that's the 'latest' version with these CVEs fixed, but many customers run older versions of both the distribution and kernels. We now see some other vendors trying to provide the basics for some online patching, but by and large it's based on one-offs and for specific kernels. A big part of the ksplice service is the backend infrastructure to easily build updates for literally a few 1000 kernels. This gives customers great flexibility. You can be on one of many dot-releases of the OS and you can use ksplice. Here is a list of example kernel versions for Oracle Linux that you could be running today and that we provide ksplice updates for, for instance for this DCCP bug. That's a big difference with what other folks have been trying to mimic now that online patching has become more and more important for availability.

Here is an example kernel 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 08:34:17 PDT 2015 So that's a kernel built back in September of 2015, a random 'dot release' I run on one of my machines, and there's a ksplice patch available for these recent CVEs. I don't have to worry about having to install the 'latest' kernel, nor doing a reboot.

# uptrack-upgrade 
The following steps will be taken:
Install [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Install [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

Go ahead [y/N]? y
Installing [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Installing [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-642.15.1.el6

and done. That easy. My old 2.6.32-573.7.1 kernel looks like 2.6.32-642.15.1 in terms of critical fixes and CVEs.

# uptrack-show
Installed updates:
[cct5dnbf] Clear garbage data on the kernel stack when handling signals.
[ektd95cj] Reduce usage of reserved percpu memory.
[uuhgbl3e] Remote denial-of-service in Brocade Ethernet driver.
[kg3f16ii] CVE-2015-7872: Denial-of-service when garbage collecting uninstantiated keyring.
[36ng2h1l] CVE-2015-7613: Privilege escalation in IPC object initialization.
[33jwvtbb] CVE-2015-5307: KVM host denial-of-service in alignment check.
[38gzh9gl] CVE-2015-8104: KVM host denial-of-service in debug exception.
[6wvrdj93] CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.
[1l4i9dfh] CVE-2016-0774: Information leak in the pipe system call on failed atomic read.
[xu4auj49] CVE-2015-5157: Disable modification of LDT by userspace processes.
[554ck5nl] CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.
[adgeye5p] CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.
[5ojkw9lv] CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.
[gfr93o7j] CVE-2015-8324: NULL pointer dereference in ext4 on mount error.
[ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
[87lw5yyy] CVE-2015-8215: Remote denial-of-service of network traffic when changing the MTU.
[2bby9cuy] CVE-2010-5313, CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.
[orjsp65y] CVE-2015-5156: Denial-of-service in Virtio network device.
[5j4hp0ot] Device Mapper logic error when reloading the block multi-queue.
[a1e5kxp6] CVE-2016-4565: Privilege escalation in Infiniband ioctl.
[gfpg64bh] CVE-2016-5696: Session hijacking in TCP connections.
[b4ljcwin] Message corruption in pseudo terminal output.
[prijjgt5] CVE-2016-4470: Denial-of-service in the keyring subsystem.
[4y2f30ch] CVE-2016-5829: Memory corruption in unknown USB HID devices.
[j1mivn4f] Denial-of-service when resetting a Fibre Channel over Ethernet interface.
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[97fe0h7s] CVE-2016-1583: Privilege escalation in eCryptfs.
[fdztfgcv] Denial-of-service when sending a TCP reset from the netfilter.
[gm4ldjjf] CVE-2016-6828: Use after free during TCP transmission.
[s8pymcf8] CVE-2016-7117: Denial-of-service in recvmmsg() error handling.
[1ktf7029] CVE-2016-4997, CVE-2016-4998: Privilege escalation in the Netfilter driver.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
[5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

Effective kernel version is 2.6.32-642.15.1.el6
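
An added example, not from the original post: a small Python parser for the uptrack-show output above that maps CVE ids to ksplice update ids and reports the effective kernel, so a patch audit does not rely on the booted kernel version alone. The function names, the required-CVE list and the abridged sample input are assumptions made for illustration.

```python
import re

# Constructed sample: lines copied from the uptrack-show output above, abridged.
SAMPLE_UPTRACK_SHOW = """\
Installed updates:
[cct5dnbf] Clear garbage data on the kernel stack when handling signals.
[ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
[5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

Effective kernel version is 2.6.32-642.15.1.el6
"""

UPDATE_RE = re.compile(r"^\[(?P<id>[a-z0-9]+)\]\s+(?P<rest>.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
EFFECTIVE_RE = re.compile(r"^Effective kernel version is (\S+)$")


def parse_uptrack_show(text):
    """Return (updates, effective_kernel) parsed from uptrack-show output."""
    updates, effective = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = UPDATE_RE.match(line)
        if m:
            rest = m.group("rest")
            # CVE ids, when present, sit before the first ": " separator.
            head, sep, tail = rest.partition(": ")
            cves = CVE_RE.findall(head) if sep else []
            updates.append({"id": m.group("id"), "cves": cves,
                            "summary": tail if cves else rest})
            continue
        m = EFFECTIVE_RE.match(line)
        if m:
            effective = m.group(1)
    return updates, effective


def audit(text, required_cves, booted_kernel):
    """Check required CVEs against installed updates (hypothetical helper)."""
    updates, effective = parse_uptrack_show(text)
    covered = {cve: u["id"] for u in updates for cve in u["cves"]}
    return {
        "covered": {c: covered[c] for c in required_cves if c in covered},
        "missing": sorted(c for c in required_cves if c not in covered),
        "effective_kernel": effective,
        # True when live patches make the booted version string misleading.
        "effective_differs": effective is not None
        and not booted_kernel.startswith(effective),
    }


if __name__ == "__main__":
    # CVE-2015-7547 is the glibc bug from a later post on this page: a
    # userspace issue, so it is not expected in the kernel update list.
    wanted = ["CVE-2017-6074", "CVE-2016-5195", "CVE-2015-7547"]
    print(audit(SAMPLE_UPTRACK_SHOW, wanted, "2.6.32-573.7.1.el6.x86_64"))
```

A scanner that only compares the booted kernel string against fixed versions would report this host as unpatched; the parsed update list and effective kernel version are the evidence to check instead.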

Here is the list of kernels we build modules for as part of Oracle Linux customers' kernel choices:

oracle-2.6.18-238.0.0.0.1.el5
oracle-2.6.18-238.1.1.0.1.el5
oracle-2.6.18-238.5.1.0.1.el5
oracle-2.6.18-238.9.1.0.1.el5
oracle-2.6.18-238.12.1.0.1.el5
oracle-2.6.18-238.19.1.0.1.el5
oracle-2.6.18-274.0.0.0.1.el5
oracle-2.6.18-274.3.1.0.1.el5
oracle-2.6.18-274.7.1.0.1.el5
oracle-2.6.18-274.12.1.0.1.el5
oracle-2.6.18-274.17.1.0.1.el5
oracle-2.6.18-274.18.1.0.1.el5
oracle-2.6.18-308.0.0.0.1.el5
oracle-2.6.18-308.1.1.0.1.el5
oracle-2.6.18-308.4.1.0.1.el5
oracle-2.6.18-308.8.1.0.1.el5
oracle-2.6.18-308.8.2.0.1.el5
oracle-2.6.18-308.11.1.0.1.el5
oracle-2.6.18-308.13.1.0.1.el5
oracle-2.6.18-308.16.1.0.1.el5
oracle-2.6.18-308.20.1.0.1.el5
oracle-2.6.18-308.24.1.0.1.el5
oracle-2.6.18-348.0.0.0.1.el5
oracle-2.6.18-348.1.1.0.1.el5
oracle-2.6.18-348.2.1.0.1.el5
oracle-2.6.18-348.3.1.0.1.el5
oracle-2.6.18-348.4.1.0.1.el5
oracle-2.6.18-348.6.1.0.1.el5
oracle-2.6.18-348.12.1.0.1.el5
oracle-2.6.18-348.16.1.0.1.el5
oracle-2.6.18-348.18.1.0.1.el5
oracle-2.6.18-371.0.0.0.1.el5
oracle-2.6.18-371.1.2.0.1.el5
oracle-2.6.18-371.3.1.0.1.el5
oracle-2.6.18-371.4.1.0.1.el5
oracle-2.6.18-371.6.1.0.1.el5
oracle-2.6.18-371.8.1.0.1.el5
oracle-2.6.18-371.9.1.0.1.el5
oracle-2.6.18-371.11.1.0.1.el5
oracle-2.6.18-371.12.1.0.1.el5
oracle-2.6.18-398.0.0.0.1.el5
oracle-2.6.18-400.0.0.0.1.el5
oracle-2.6.18-400.1.1.0.1.el5
oracle-2.6.18-402.0.0.0.1.el5
oracle-2.6.18-404.0.0.0.1.el5
oracle-2.6.18-406.0.0.0.1.el5
oracle-2.6.18-407.0.0.0.1.el5
oracle-2.6.18-408.0.0.0.1.el5
oracle-2.6.18-409.0.0.0.1.el5
oracle-2.6.18-410.0.0.0.1.el5
oracle-2.6.18-411.0.0.0.1.el5
oracle-2.6.18-412.0.0.0.1.el5
oracle-2.6.18-416.0.0.0.1.el5
oracle-2.6.18-417.0.0.0.1.el5
oracle-2.6.18-418.0.0.0.1.el5
oracle-2.6.32-642.0.0.0.1.el6
oracle-3.10.0-514.6.1.0.1.el7
oracle-3.10.0-514.6.2.0.1.el7
oracle-uek-2.6.39-100.5.1
oracle-uek-2.6.39-100.6.1
oracle-uek-2.6.39-100.7.1
oracle-uek-2.6.39-100.10.1
oracle-uek-2.6.39-200.24.1
oracle-uek-2.6.39-200.29.1
oracle-uek-2.6.39-200.29.2
oracle-uek-2.6.39-200.29.3
oracle-uek-2.6.39-200.31.1
oracle-uek-2.6.39-200.32.1
oracle-uek-2.6.39-200.33.1
oracle-uek-2.6.39-200.34.1
oracle-uek-2.6.39-300.17.1
oracle-uek-2.6.39-300.17.2
oracle-uek-2.6.39-300.17.3
oracle-uek-2.6.39-300.26.1
oracle-uek-2.6.39-300.28.1
oracle-uek-2.6.39-300.32.4
oracle-uek-2.6.39-400.17.1
oracle-uek-2.6.39-400.17.2
oracle-uek-2.6.39-400.21.1
oracle-uek-2.6.39-400.21.2
oracle-uek-2.6.39-400.23.1
oracle-uek-2.6.39-400.24.1
oracle-uek-2.6.39-400.109.1
oracle-uek-2.6.39-400.109.3
oracle-uek-2.6.39-400.109.4
oracle-uek-2.6.39-400.109.5
oracle-uek-2.6.39-400.109.6
oracle-uek-2.6.39-400.209.1
oracle-uek-2.6.39-400.209.2
oracle-uek-2.6.39-400.210.2
oracle-uek-2.6.39-400.211.1
oracle-uek-2.6.39-400.211.2
oracle-uek-2.6.39-400.211.3
oracle-uek-2.6.39-400.212.1
oracle-uek-2.6.39-400.214.1
oracle-uek-2.6.39-400.214.3
oracle-uek-2.6.39-400.214.4
oracle-uek-2.6.39-400.214.5
oracle-uek-2.6.39-400.214.6
oracle-uek-2.6.39-400.215.1
oracle-uek-2.6.39-400.215.2
oracle-uek-2.6.39-400.215.3
oracle-uek-2.6.39-400.215.4
oracle-uek-2.6.39-400.215.6
oracle-uek-2.6.39-400.215.7
oracle-uek-2.6.39-400.215.10
oracle-uek-2.6.39-400.215.11
oracle-uek-2.6.39-400.215.12
oracle-uek-2.6.39-400.215.13
oracle-uek-2.6.39-400.215.14
oracle-uek-2.6.39-400.215.15
oracle-uek-2.6.39-400.243.1
oracle-uek-2.6.39-400.245.1
oracle-uek-2.6.39-400.246.2
oracle-uek-2.6.39-400.247.1
oracle-uek-2.6.39-400.248.3
oracle-uek-2.6.39-400.249.1
oracle-uek-2.6.39-400.249.3
oracle-uek-2.6.39-400.249.4
oracle-uek-2.6.39-400.250.2
oracle-uek-2.6.39-400.250.4
oracle-uek-2.6.39-400.250.5
oracle-uek-2.6.39-400.250.6
oracle-uek-2.6.39-400.250.7
oracle-uek-2.6.39-400.250.9
oracle-uek-2.6.39-400.250.10
oracle-uek-2.6.39-400.250.11
oracle-uek-2.6.39-400.264.1
oracle-uek-2.6.39-400.264.4
oracle-uek-2.6.39-400.264.5
oracle-uek-2.6.39-400.264.6
oracle-uek-2.6.39-400.264.13
oracle-uek-2.6.39-400.276.1
oracle-uek-2.6.39-400.277.1
oracle-uek-2.6.39-400.278.1
oracle-uek-2.6.39-400.278.2
oracle-uek-2.6.39-400.278.3
oracle-uek-2.6.39-400.280.1
oracle-uek-2.6.39-400.281.1
oracle-uek-2.6.39-400.282.1
oracle-uek-2.6.39-400.283.1
oracle-uek-2.6.39-400.283.2
oracle-uek-2.6.39-400.284.1
oracle-uek-2.6.39-400.284.2
oracle-uek-2.6.39-400.286.2
oracle-uek-2.6.39-400.286.3
oracle-uek-2.6.39-400.290.1
oracle-uek-2.6.39-400.290.2
oracle-uek-2.6.39-400.293.1
oracle-uek-2.6.39-400.293.2
oracle-uek-2.6.39-400.294.1
oracle-uek-2.6.39-400.294.2
oracle-uek-2.6.39-400.128.21
oracle-uek-3.8.13-16
oracle-uek-3.8.13-16.1.1
oracle-uek-3.8.13-16.2.1
oracle-uek-3.8.13-16.2.2
oracle-uek-3.8.13-16.2.3
oracle-uek-3.8.13-16.3.1
oracle-uek-3.8.13-26
oracle-uek-3.8.13-26.1.1
oracle-uek-3.8.13-26.2.1
oracle-uek-3.8.13-26.2.2
oracle-uek-3.8.13-26.2.3
oracle-uek-3.8.13-26.2.4
oracle-uek-3.8.13-35
oracle-uek-3.8.13-35.1.1
oracle-uek-3.8.13-35.1.2
oracle-uek-3.8.13-35.1.3
oracle-uek-3.8.13-35.3.1
oracle-uek-3.8.13-35.3.2
oracle-uek-3.8.13-35.3.3
oracle-uek-3.8.13-35.3.4
oracle-uek-3.8.13-35.3.5
oracle-uek-3.8.13-44
oracle-uek-3.8.13-44.1.1
oracle-uek-3.8.13-44.1.3
oracle-uek-3.8.13-44.1.4
oracle-uek-3.8.13-44.1.5
oracle-uek-3.8.13-55
oracle-uek-3.8.13-55.1.1
oracle-uek-3.8.13-55.1.2
oracle-uek-3.8.13-55.1.5
oracle-uek-3.8.13-55.1.6
oracle-uek-3.8.13-55.1.8
oracle-uek-3.8.13-55.2.1
oracle-uek-3.8.13-68
oracle-uek-3.8.13-68.1.2
oracle-uek-3.8.13-68.1.3
oracle-uek-3.8.13-68.2.2
oracle-uek-3.8.13-68.2.2.1
oracle-uek-3.8.13-68.2.2.2
oracle-uek-3.8.13-68.3.1
oracle-uek-3.8.13-68.3.2
oracle-uek-3.8.13-68.3.3
oracle-uek-3.8.13-68.3.4
oracle-uek-3.8.13-68.3.5
oracle-uek-3.8.13-98
oracle-uek-3.8.13-98.1.1
oracle-uek-3.8.13-98.1.2
oracle-uek-3.8.13-98.2.1
oracle-uek-3.8.13-98.2.2
oracle-uek-3.8.13-98.4.1
oracle-uek-3.8.13-98.5.2
oracle-uek-3.8.13-98.6.1
oracle-uek-3.8.13-98.7.1
oracle-uek-3.8.13-98.8.1
oracle-uek-3.8.13-118
oracle-uek-3.8.13-118.2.1
oracle-uek-3.8.13-118.2.2
oracle-uek-3.8.13-118.2.4
oracle-uek-3.8.13-118.2.5
oracle-uek-3.8.13-118.3.1
oracle-uek-3.8.13-118.3.2
oracle-uek-3.8.13-118.4.1
oracle-uek-3.8.13-118.4.2
oracle-uek-3.8.13-118.6.1
oracle-uek-3.8.13-118.6.2
oracle-uek-3.8.13-118.7.1
oracle-uek-3.8.13-118.8.1
oracle-uek-3.8.13-118.9.1
oracle-uek-3.8.13-118.9.2
oracle-uek-3.8.13-118.10.2
oracle-uek-3.8.13-118.11.2
oracle-uek-3.8.13-118.13.2
oracle-uek-3.8.13-118.13.3
oracle-uek-3.8.13-118.14.1
oracle-uek-3.8.13-118.14.2
oracle-uek-3.8.13-118.15.1
oracle-uek-3.8.13-118.15.2
oracle-uek-3.8.13-118.15.3
oracle-uek-3.8.13-118.16.2
oracle-uek-3.8.13-118.16.3
oracle-uek-4.1.12-32
oracle-uek-4.1.12-32.1.2
oracle-uek-4.1.12-32.1.3
oracle-uek-4.1.12-32.2.1
oracle-uek-4.1.12-32.2.3
oracle-uek-4.1.12-37.2.1
oracle-uek-4.1.12-37.2.2
oracle-uek-4.1.12-37.3.1
oracle-uek-4.1.12-37.4.1
oracle-uek-4.1.12-37.5.1
oracle-uek-4.1.12-37.6.1
oracle-uek-4.1.12-37.6.2
oracle-uek-4.1.12-37.6.3
oracle-uek-4.1.12-61.1.6
oracle-uek-4.1.12-61.1.9
oracle-uek-4.1.12-61.1.10
oracle-uek-4.1.12-61.1.13
oracle-uek-4.1.12-61.1.14
oracle-uek-4.1.12-61.1.16
oracle-uek-4.1.12-61.1.17
oracle-uek-4.1.12-61.1.18
oracle-uek-4.1.12-61.1.19
oracle-uek-4.1.12-61.1.21
oracle-uek-4.1.12-61.1.22
oracle-uek-4.1.12-61.1.23
oracle-uek-4.1.12-61.1.24
oracle-uek-4.1.12-61.1.25
oracle-uek-4.1.12-61.1.27
rhel-2.6.32-71.el6
rhel-2.6.32-71.7.1.el6
rhel-2.6.32-71.14.1.el6
rhel-2.6.32-71.18.1.el6
rhel-2.6.32-71.18.2.el6
rhel-2.6.32-71.24.1.el6
rhel-2.6.32-71.29.1.el6
rhel-2.6.32-131.0.15.el6
rhel-2.6.32-131.2.1.el6
rhel-2.6.32-131.4.1.el6
rhel-2.6.32-131.6.1.el6
rhel-2.6.32-131.12.1.el6
rhel-2.6.32-131.17.1.el6
rhel-2.6.32-131.21.1.el6
rhel-2.6.32-220.el6
rhel-2.6.32-220.2.1.el6
rhel-2.6.32-220.4.1.el6
rhel-2.6.32-220.4.2.el6
rhel-2.6.32-220.7.1.el6
rhel-2.6.32-220.13.1.el6
rhel-2.6.32-220.17.1.el6
rhel-2.6.32-220.23.1.el6
rhel-2.6.32-279.el6
rhel-2.6.32-279.1.1.el6
rhel-2.6.32-279.2.1.el6
rhel-2.6.32-279.5.1.el6
rhel-2.6.32-279.5.2.el6
rhel-2.6.32-279.9.1.el6
rhel-2.6.32-279.11.1.el6
rhel-2.6.32-279.14.1.el6
rhel-2.6.32-279.19.1.el6
rhel-2.6.32-279.22.1.el6
rhel-2.6.32-358.el6
rhel-2.6.32-358.0.1.el6
rhel-2.6.32-358.2.1.el6
rhel-2.6.32-358.6.1.el6
rhel-2.6.32-358.6.2.el6
rhel-2.6.32-358.6.2.el6.x86_64.crt1
rhel-2.6.32-358.11.1.el6
rhel-2.6.32-358.14.1.el6
rhel-2.6.32-358.18.1.el6
rhel-2.6.32-358.23.2.el6
rhel-2.6.32-431.el6
rhel-2.6.32-431.1.2.el6
rhel-2.6.32-431.3.1.el6
rhel-2.6.32-431.5.1.el6
rhel-2.6.32-431.11.2.el6
rhel-2.6.32-431.17.1.el6
rhel-2.6.32-431.20.3.el6
rhel-2.6.32-431.20.5.el6
rhel-2.6.32-431.23.3.el6
rhel-2.6.32-431.29.2.el6
rhel-2.6.32-504.el6
rhel-2.6.32-504.1.3.el6
rhel-2.6.32-504.3.3.el6
rhel-2.6.32-504.8.1.el6
rhel-2.6.32-504.12.2.el6
rhel-2.6.32-504.16.2.el6
rhel-2.6.32-504.23.4.el6
rhel-2.6.32-504.30.3.el6
rhel-2.6.32-573.el6
rhel-2.6.32-573.1.1.el6
rhel-2.6.32-573.3.1.el6
rhel-2.6.32-573.7.1.el6
rhel-2.6.32-573.8.1.el6
rhel-2.6.32-573.12.1.el6
rhel-2.6.32-573.18.1.el6
rhel-2.6.32-573.22.1.el6
rhel-2.6.32-573.26.1.el6
rhel-2.6.32-642.el6
rhel-2.6.32-642.1.1.el6
rhel-2.6.32-642.3.1.el6
rhel-2.6.32-642.4.2.el6
rhel-2.6.32-642.6.1.el6
rhel-2.6.32-642.6.2.el6
rhel-2.6.32-642.11.1.el6
rhel-2.6.32-642.13.1.el6
rhel-2.6.32-642.13.2.el6
rhel-3.10.0-123.el7
rhel-3.10.0-123.1.2.el7
rhel-3.10.0-123.4.2.el7
rhel-3.10.0-123.4.4.el7
rhel-3.10.0-123.6.3.el7
rhel-3.10.0-123.8.1.el7
rhel-3.10.0-123.9.2.el7
rhel-3.10.0-123.9.3.el7
rhel-3.10.0-123.13.1.el7
rhel-3.10.0-123.13.2.el7
rhel-3.10.0-123.20.1.el7
rhel-3.10.0-229.el7
rhel-3.10.0-229.1.2.el7
rhel-3.10.0-229.4.2.el7
rhel-3.10.0-229.7.2.el7
rhel-3.10.0-229.11.1.el7
rhel-3.10.0-229.14.1.el7
rhel-3.10.0-229.20.1.el6.x86_64.knl2
rhel-3.10.0-229.20.1.el7
rhel-3.10.0-327.el7
rhel-3.10.0-327.3.1.el7
rhel-3.10.0-327.4.4.el7
rhel-3.10.0-327.4.5.el7
rhel-3.10.0-327.10.1.el7
rhel-3.10.0-327.13.1.el7
rhel-3.10.0-327.18.2.el7
rhel-3.10.0-327.22.2.el7
rhel-3.10.0-327.28.2.el7
rhel-3.10.0-327.28.3.el7
rhel-3.10.0-327.36.1.el7
rhel-3.10.0-327.36.2.el7
rhel-3.10.0-327.36.3.el7
rhel-3.10.0-514.el7
rhel-3.10.0-514.2.2.el7
rhel-3.10.0-514.6.1.el7
rhel-3.10.0-514.6.2.el7
rhel-2.6.18-92.1.10.el5
rhel-2.6.18-92.1.13.el5
rhel-2.6.18-92.1.17.el5
rhel-2.6.18-92.1.18.el5
rhel-2.6.18-92.1.22.el5
rhel-2.6.18-128.el5
rhel-2.6.18-128.1.1.el5
rhel-2.6.18-128.1.6.el5
rhel-2.6.18-128.1.10.el5
rhel-2.6.18-128.1.14.el5
rhel-2.6.18-128.1.16.el5
rhel-2.6.18-128.2.1.el5
rhel-2.6.18-128.4.1.el5
rhel-2.6.18-128.7.1.el5
rhel-2.6.18-149.el5
rhel-2.6.18-164.el5
rhel-2.6.18-164.2.1.el5
rhel-2.6.18-164.6.1.el5
rhel-2.6.18-164.9.1.el5
rhel-2.6.18-164.10.1.el5
rhel-2.6.18-164.11.1.el5
rhel-2.6.18-164.15.1.el5
rhel-2.6.18-194.el5
rhel-2.6.18-194.3.1.el5
rhel-2.6.18-194.8.1.el5
rhel-2.6.18-194.11.1.el5
rhel-2.6.18-194.11.3.el5
rhel-2.6.18-194.11.4.el5
rhel-2.6.18-194.17.1.el5
rhel-2.6.18-194.17.4.el5
rhel-2.6.18-194.26.1.el5
rhel-2.6.18-194.32.1.el5
rhel-2.6.18-238.el5
rhel-2.6.18-238.1.1.el5
rhel-2.6.18-238.5.1.el5
rhel-2.6.18-238.9.1.el5
rhel-2.6.18-238.12.1.el5
rhel-2.6.18-238.19.1.el5
rhel-2.6.18-274.el5
rhel-2.6.18-274.3.1.el5
rhel-2.6.18-274.7.1.el5
rhel-2.6.18-274.12.1.el5
rhel-2.6.18-274.17.1.el5
rhel-2.6.18-274.18.1.el5
rhel-2.6.18-308.el5
rhel-2.6.18-308.1.1.el5
rhel-2.6.18-308.4.1.el5
rhel-2.6.18-308.8.1.el5
rhel-2.6.18-308.8.2.el5
rhel-2.6.18-308.11.1.el5
rhel-2.6.18-308.13.1.el5
rhel-2.6.18-308.16.1.el5
rhel-2.6.18-308.20.1.el5
rhel-2.6.18-308.24.1.el5
rhel-2.6.18-348.el5
rhel-2.6.18-348.1.1.el5
rhel-2.6.18-348.2.1.el5
rhel-2.6.18-348.3.1.el5
rhel-2.6.18-348.4.1.el5
rhel-2.6.18-348.6.1.el5
rhel-2.6.18-348.12.1.el5
rhel-2.6.18-348.16.1.el5
rhel-2.6.18-348.18.1.el5
rhel-2.6.18-371.el5
rhel-2.6.18-371.1.2.el5
rhel-2.6.18-371.3.1.el5
rhel-2.6.18-371.4.1.el5
rhel-2.6.18-371.6.1.el5
rhel-2.6.18-371.8.1.el5
rhel-2.6.18-371.9.1.el5
rhel-2.6.18-371.11.1.el5
rhel-2.6.18-371.12.1.el5
rhel-2.6.18-398.el5
rhel-2.6.18-400.el5
rhel-2.6.18-400.1.1.el5
rhel-2.6.18-402.el5
rhel-2.6.18-404.el5
rhel-2.6.18-406.el5
rhel-2.6.18-407.el5
rhel-2.6.18-408.el5
rhel-2.6.18-409.el5
rhel-2.6.18-410.el5
rhel-2.6.18-411.el5
rhel-2.6.18-412.el5
rhel-2.6.18-416.el5
rhel-2.6.18-417.el5
rhel-2.6.18-418.el5

Compare that to kpatch or kgraft or so.

Yes

Fri, 2016-11-04 16:22
More Linux work :)

glibc CVE re: getaddrinfo() and userspace ksplice

Sat, 2016-02-20 17:48
I have my own server with Oracle Linux 6 (of course) where I host a ton of personal stuff, and this server was also affected by the nasty DNS bug from last week (see: CVE-2015-7547). Everyone really should update glibc and make sure their system is patched (any distribution), by the way; this is a very serious vulnerability. The nice thing, however, was that this is a perfect example for user space ksplice patching. A quick ksplice update for glibc on this box, and it was patched: no restarting the system, no restarting sshd or any other app for that matter. A split microsecond and life goes on happily. Nothing affected, no downtime, no pauses, no hiccups. That's the way to patch these things.

userspace ksplice

Most awesomely cool stuff. Solving real world problems. Imagine running a few 100 docker instances or a couple of Linux containers and you have to update the host's glibc and bring all that down... talk about impact.

kernel patches ... check

critical OS libraries like SSL and GLIBC ... check.

Oracle Linux 6 and 7 support ... check
