Wim Coekaerts

Oracle Blogs

The magic of ksplice

Wed, 2014-10-15 16:09
I love talking about Oracle Ksplice and how cool a technology and feature it is. Whenever I explain to customers how much they can do with it, they often just can't believe the capabilities until I show them, in a matter of literally 5 seconds, that it really -just works-.

During Oracle OpenWorld we talked about it a lot, of course, and I wanted to show you how far back these ksplice updates can go, how much flexibility that gives a system administrator in terms of which kernel to run, how easy and fast it is, and so on.

One of the main advantages of the ksplice technology is our ability to build these updates for many, many, yes many... kernels, backed by a highly automated and scalable build infrastructure. When we publish a ksplice update, we build it for -every kernel errata- released since the first kernel we started to support for that major distribution release. What does this mean? Well, in the case of Oracle Linux 5, we currently support ksplice updates starting with the Oracle Linux 5 update 4 kernel. That base kernel is the Red Hat Compatible Kernel 2.6.18-164.el5, built Thu Sep 3 04:15:13 EDT 2009. Yes, you read that right: September 2009. So during the lifetime of Oracle Linux 5, starting with that kernel, we publish ksplice updates for every kernel released since then up to today (and forward, of course). No matter which errata kernel since -164, or which Oracle Linux 5 update release, you are on, ksplice updates released after that date are available for your kernel. A simple uptrack-upgrade takes the running kernel up to the latest updates. While the main focus of the ksplice online updates is CVEs, we add critical bug fixes as well, so it's a combination of both.

So back to OL5.4. Running uname shows 2.6.18-164.el5. After uptrack-upgrade -y it will say 2.6.18-398.el5 (which, by the way, is the latest 2.6.18 kernel for OL5). You can see the output below; you can also see how many 'minutes' it took, without a reboot, with everything current and active right away, and you can follow the timeframe by looking at the year right behind each CVE. You will see CVEs from 2009, 2010, 2011, 2012, 2013 and 2014. Completely current.

Now, this can be done on a running system: to install ksplice and start using it you don't need to reboot, just install the uptrack tools and you're good to go. You can be current with CVEs and critical bugs without rebooting for years. You can be current even though you run an older update release of Oracle Linux, and you are not required to take new kernels that (in the RHCK case) potentially come with new features backported, new code beyond just bug fixes, and new device drivers, which on a system that's stable you don't necessarily want or need. It's always good to update to newer kernels when you get new hardware and need new device drivers, but for existing, stable production systems you don't really want or need that, nor do you necessarily need stuff from new kernels backported into older versions (again, in particular in the RHCK case), which introduces a lot of change; I will show a lines-of-code comparison in another blog entry. ksplice lets you stick with an older version, yet anything critical and CVE related will be there for you, and this for any errata kernel you start with since, in the OL5 case, update 4... Not just one update earlier, but any kernel at any point in time.

If you do have periodic scheduled reboots, fine: install the kernel RPMs so that the next time you reboot it boots into the latest kernel, if you want, but you don't have to. You have complete flexibility, if and when you need it.

I hope that this output, and a follow-up blog I will do on OL6 as a similar example, shows how scalable this is, how much use this has had, how many updates we have done and can do, and how complex these updates are (not just a one-liner change in some file): not a one-off for one customer case, but scalable. Also, with tons of checks in place so that it works for kernel modules and won't lock up your box: we validate that it's the right kernel, that these updates are safe to apply, etc., etc. Proven, 7+ years old technology, and completely supported by us. You can run your database or middleware software and run uptrack-upgrade while it's up and running and humming along... perfectly OK.

time uptrack-upgrade -y
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Install [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Install [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Install [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Install [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Install [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Install [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Install [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Install [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Install [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Install [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Install [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Install [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Install [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Install [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Install [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Install [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Install [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Install [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Install [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Install [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Install [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Install [qdlkztzx] Kernel crash forwarding network traffic.
Install [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Install [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Install [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Install [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Install [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Install [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Install [xem0m4sg] Floating point state corruption after signal.
Install [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Install [3ulklysv] CVE-2010-0307: Denial of service on amd64
Install [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Install [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Install [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Install [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Install [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Install [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Install [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Install [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Install [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Install [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Install [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Install [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Install [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Install [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Install [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Install [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Install [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Install [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Install [5mgd1si0] Improved fix to CVE-2010-1173.
Install [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Install [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Install [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Install [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Install [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Install [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Install [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Install [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Install [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Install [ff1wrijq] Buffer overflow in icmpmsg_put.
Install [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Install [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Install [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Install [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Install [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Install [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Install [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Install [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Install [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Install [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Install [usukkznh] Mitigate denial of service attacks with large argument lists.
Install [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Install [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Install [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Install [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Install [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Install [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Install [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Install [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Install [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Install [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Install [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Install [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Install [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Install [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Install [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Install [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Install [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Install [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Install [ifgdet83] Use-after-free in MPT driver.
Install [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Install [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Install [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Install [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Install [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Install [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Install [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Install [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Install [jz43fdgc] Denial of service in NFS server via reference count leak.
Install [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Install [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Install [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Install [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Install [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Install [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Install [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Install [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Install [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Install [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Install [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Install [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Install [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Install [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Install [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Install [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Install [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Install [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Install [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Install [ofrder8l] Hangs using direct I/O with XFS filesystem.
Install [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Install [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Install [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Install [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Install [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Install [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Install [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Install [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Install [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Install [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Install [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Install [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Install [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Install [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Install [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Install [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Install [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Install [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Install [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Install [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Install [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Install [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Install [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Install [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Install [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Install [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Install [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Install [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Install [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Install [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Install [uknrp2eo] Denial of service in filesystem unmounting.
Install [97u6urvt] Soft lockup in USB ACM driver.
Install [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Install [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Install [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Install [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Install [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Install [bvoz27gv] Arithmetic overflow in clock source calculations.
Install [lzwurn1u] ext4 filesystem corruption on fallocate.
Install [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Install [9do532u6] Kernel panic when overcommiting memory with NFSd.
Install [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Install [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Install [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Install [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Install [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Install [l093jvcl] Kernel panic in SMB extended attributes.
Install [qlzoyvty] Kernel panic in ext3 indirect blocks.
Install [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Install [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Install [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Install [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Install [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Install [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Install [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Install [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Install [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Install [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Install [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Install [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Install [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Install [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Install [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Install [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Install [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Install [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Install [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Install [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Install [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Install [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Install [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Install [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Install [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
Install [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
Install [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Install [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
Install [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Install [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
Install [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Install [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Install [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
Install [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
Install [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
Install [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
Install [pz65qqpk] Panic in GFS2 filesystem locking code.
Install [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Install [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Install [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Install [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Install [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Install [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Installing [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Installing [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Installing [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Installing [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Installing [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Installing [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Installing [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Installing [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Installing [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Installing [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Installing [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Installing [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Installing [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Installing [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Installing [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Installing [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Installing [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Installing [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Installing [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Installing [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Installing [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Installing [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Installing [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Installing [qdlkztzx] Kernel crash forwarding network traffic.
Installing [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Installing [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Installing [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Installing [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Installing [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Installing [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Installing [xem0m4sg] Floating point state corruption after signal.
Installing [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Installing [3ulklysv] CVE-2010-0307: Denial of service on amd64
Installing [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Installing [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Installing [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Installing [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Installing [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Installing [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Installing [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Installing [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Installing [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Installing [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Installing [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Installing [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Installing [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Installing [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Installing [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Installing [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Installing [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Installing [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Installing [5mgd1si0] Improved fix to CVE-2010-1173.
Installing [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Installing [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Installing [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Installing [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Installing [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Installing [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Installing [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Installing [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Installing [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Installing [ff1wrijq] Buffer overflow in icmpmsg_put.
Installing [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Installing [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Installing [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Installing [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Installing [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Installing [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Installing [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Installing [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Installing [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Installing [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Installing [usukkznh] Mitigate denial of service attacks with large argument lists.
Installing [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Installing [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Installing [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Installing [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Installing [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Installing [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Installing [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Installing [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Installing [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Installing [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Installing [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Installing [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Installing [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Installing [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Installing [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Installing [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Installing [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Installing [ifgdet83] Use-after-free in MPT driver.
Installing [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Installing [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Installing [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Installing [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Installing [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Installing [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Installing [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Installing [jz43fdgc] Denial of service in NFS server via reference count leak.
Installing [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Installing [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Installing [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Installing [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Installing [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Installing [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Installing [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Installing [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Installing [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Installing [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Installing [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Installing [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Installing [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Installing [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Installing [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Installing [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Installing [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Installing [ofrder8l] Hangs using direct I/O with XFS filesystem.
Installing [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Installing [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Installing [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Installing [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Installing [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Installing [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Installing [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Installing [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Installing [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Installing [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Installing [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Installing [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Installing [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Installing [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Installing [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Installing [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Installing [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Installing [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Installing [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Installing [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Installing [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Installing [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Installing [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Installing [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Installing [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Installing [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Installing [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Installing [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Installing [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Installing [uknrp2eo] Denial of service in filesystem unmounting.
Installing [97u6urvt] Soft lockup in USB ACM driver.
Installing [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Installing [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Installing [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Installing [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Installing [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Installing [bvoz27gv] Arithmetic overflow in clock source calculations.
Installing [lzwurn1u] ext4 filesystem corruption on fallocate.
Installing [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [9do532u6] Kernel panic when overcommiting memory with NFSd.
Installing [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Installing [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Installing [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Installing [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Installing [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Installing [l093jvcl] Kernel panic in SMB extended attributes.
Installing [qlzoyvty] Kernel panic in ext3 indirect blocks.
Installing [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Installing [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Installing [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Installing [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Installing [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Installing [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Installing [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Installing [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Installing [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Installing [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Installing [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Installing [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Installing [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Installing [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Installing [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Installing [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Installing [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Installing [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Installing [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Installing [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Installing [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Installing [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Installing [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Installing
[s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.Installing [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.Installing [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.Installing [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.Installing [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.Installing [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.Installing [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.Installing [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.Installing [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.Installing [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.Installing [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.Installing [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.Installing [pz65qqpk] Panic in GFS2 filesystem locking code.Installing [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.Installing [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.Installing [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.Installing [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.Installing [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.Installing [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.Your kernel is fully up to date.Effective kernel version is 2.6.18-398.el5real

0m59.447suser

0m22.640ssys

0m22.611s1 minute for 215 updates. And this isn't one minute of hang, it applies each patch and just takes a few microseconds to apply. So your applications or users won't experience hangs or hickups at all.


This can all be done on a running system: to install Ksplice and start using it you do not need to reboot, just install the uptrack tools and you are good to go. You can stay current with CVEs and critical bug fixes without rebooting for years, even while running an older update release of Oracle Linux, and you are not required to take new kernels which, in the RHCK case in particular, may carry backported features, new code beyond plain bug fixes and new device drivers, none of which a stable system necessarily wants or needs. Updating to a newer kernel makes sense when you get new hardware and need its device drivers, but an existing stable production system does not really want or need that, nor the large amount of change that backports from newer kernels bring (again, particularly in the RHCK case); I will show the lines-of-code change in another blog entry. Ksplice lets you stick with the older kernel and still receive everything critical and CVE related, and this holds for any errata kernel you start from since, in the OL5 case, update 4: not just the previous update, but any kernel released at any point in time.

If you do have periodic scheduled reboots, fine: install the kernel RPMs so that the next reboot boots into the latest kernel, if you want to, but you don't have to. You have complete flexibility if and when you need it. Until that reboot, keep in mind that plain uname -r still reports the kernel you booted; the patch level Ksplice has brought the running kernel to is the "Effective kernel version" that uptrack-upgrade prints at the end of its run, and uptrack-uname -r reports the same.

I hope that this output, and a follow-up blog I will do with a similar example on OL6, shows how scalable this is, how much use it has had, how many updates we have done and can do, and how complex these updates are (not just a one-liner change in some file): not a one-off for one customer case but something that scales. There are also tons of checks in place so that it works for kernel modules and won't lock up your box: we validate that it is the right kernel, that these updates are safe to apply, and so on. It is proven, 7+ years old technology, and completely supported by us. You can have your database or middleware software up and running and humming along, and run uptrack-upgrade at the same time... perfectly OK.
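As an added example (my code, not Oracle's and not part of the original post), here is a small Python audit helper for the kind of uptrack-upgrade output reproduced in this post. It does the bookkeeping an auditor wants after a live-patch run: it collapses each "Install [id]" plan line and its matching "Installing [id]" line into one update so 215 updates are not counted as 430, builds the CVE inventory from lines that carry one CVE, several comma-separated ones, two joined by "and", or none at all (plain bug fixes), counts CVEs per year so the reach back to CVE-2006-6304 and CVE-2007-4567 is visible, checks a list of CVEs a compliance ticket demands, and compares the "Effective kernel version" uptrack reports with the kernel the next reboot would load. The function names, the classification wording, and the constructed excerpt in SAMPLE_OUTPUT are my assumptions; the line formats are those of the output on this page, and on a real host the booted and installed kernel strings would come from uname -r (or uptrack-uname -r for the effective level) and rpm -q kernel.

```python
"""Audit helper for Ksplice uptrack-upgrade output (added example, not Oracle code)."""
import re
from collections import Counter

# Per-update lines as uptrack-upgrade prints them: first the plan ("Install [id] ..."),
# then the execution ("Installing [id] ..."). Ids are short lowercase alphanumerics.
ENTRY_RE = re.compile(r"^\s*Install(?:ing)?\s+\[([0-9a-z]+)\]\s+(.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
EFFECTIVE_RE = re.compile(r"Effective kernel version is\s+(\S+)")

# Constructed excerpt of the output shown in this post (deliberately short).
SAMPLE_OUTPUT = """\
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Install [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Installing [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Your kernel is fully up to date.
Effective kernel version is 2.6.18-398.el5
"""


def parse_uptrack_output(text):
    """Return ({update_id: (description, [cve ids])}, effective kernel or None).
    Keying by id collapses a plan line and its "Installing" line into one entry."""
    updates, effective = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            uid, desc = m.groups()
            updates[uid] = (desc, CVE_RE.findall(desc))  # handles ", " and " and " lists
            continue
        m = EFFECTIVE_RE.search(line)
        if m:
            effective = m.group(1)
    return updates, effective


def cve_inventory(updates):
    """Set of all CVE ids the parsed updates cover (bug-fix-only updates add none)."""
    return {cve for _, cves in updates.values() for cve in cves}


def cves_by_year(updates):
    """Counter of CVE ids per year: shows how far back the live-patch coverage reaches."""
    return Counter(cve.split("-")[1] for cve in cve_inventory(updates))


def check_required(updates, required):
    """Split the CVE ids an audit demands into (covered, missing), both sorted."""
    have = cve_inventory(updates)
    return (sorted(c for c in required if c in have),
            sorted(c for c in required if c not in have))


def release_tuple(kernel):
    """'2.6.18-398.el5' -> (2, 6, 18, 398): the numbers that order el5 kernel builds."""
    return tuple(int(n) for n in re.findall(r"\d+", kernel)[:4])


def kernel_state(booted, effective, installed_rpm):
    """Classify a host from the booted kernel (uname -r), the effective kernel
    (uptrack-uname -r) and the newest installed kernel RPM (what a reboot loads)."""
    b, e, i = (release_tuple(k) for k in (booted, effective, installed_rpm))
    if e < b:
        return "inconsistent: effective kernel is older than the booted kernel"
    if i > e:
        return "reboot pending: installed kernel RPM is newer than the effective kernel"
    if i < e:
        return "reboot loads an older kernel than the effective one; uptrack must re-apply at boot"
    return "consistent: effective kernel equals the kernel the next reboot loads"


def audit(text, booted, installed_rpm, required):
    """One-shot report combining the checks above."""
    updates, effective = parse_uptrack_output(text)
    covered, missing = check_required(updates, required)
    return {"updates": len(updates),
            "cves": len(cve_inventory(updates)),
            "by_year": dict(sorted(cves_by_year(updates).items())),
            "covered": covered, "missing": missing,
            "effective": effective,
            "state": kernel_state(booted, effective, installed_rpm)}


if __name__ == "__main__":
    # booted/installed_rpm values are assumed here; on a real host read them from
    # `uname -r` and `rpm -q kernel`, and feed the captured uptrack-upgrade output.
    report = audit(SAMPLE_OUTPUT, booted="2.6.18-164.el5", installed_rpm="2.6.18-398.el5",
                   required=["CVE-2014-4699", "CVE-2014-1737"])
    for key, value in report.items():
        print("%-9s %s" % (key, value))
```

On the excerpt this reports 5 updates covering 8 CVEs, one of them from 2006, and flags CVE-2014-1737 as missing because that update is not in the excerpt. The kernel_state check is the one worth wiring into monitoring: a host whose installed kernel RPM is older than its effective kernel depends on uptrack re-applying updates at boot, so a reboot on such a host should be treated as a patch event, not a no-op.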

time uptrack-upgrade -y
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Install [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Install [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Install [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Install [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Install [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Install [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Install [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Install [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Install [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Install [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Install [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Install [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Install [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Install [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Install [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Install [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Install [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Install [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Install [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Install [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Install [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Install [qdlkztzx] Kernel crash forwarding network traffic.
Install [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Install [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Install [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Install [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Install [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Install [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Install [xem0m4sg] Floating point state corruption after signal.
Install [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Install [3ulklysv] CVE-2010-0307: Denial of service on amd64
Install [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Install [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Install [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Install [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Install [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Install [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Install [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Install [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Install [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Install [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Install [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Install [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Install [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Install [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Install [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Install [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Install [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Install [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Install [5mgd1si0] Improved fix to CVE-2010-1173.
Install [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Install [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Install [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Install [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Install [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Install [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Install [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Install [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Install [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Install [ff1wrijq] Buffer overflow in icmpmsg_put.
Install [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Install [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Install [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Install [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Install [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Install [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Install [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Install [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Install [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Install [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Install [usukkznh] Mitigate denial of service attacks with large argument lists.
Install [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Install [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Install [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Install [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Install [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Install [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Install [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Install [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Install [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Install [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Install [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Install [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Install [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Install [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Install [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Install [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Install [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Install [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Install [ifgdet83] Use-after-free in MPT driver.
Install [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Install [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Install [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Install [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Install [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Install [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Install [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Install [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Install [jz43fdgc] Denial of service in NFS server via reference count leak.
Install [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Install [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Install [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Install [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Install [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Install [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Install [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Install [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Install [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Install [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Install [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Install [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Install [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Install [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Install [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Install [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Install [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Install [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Install [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Install [ofrder8l] Hangs using direct I/O with XFS filesystem.
Install [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Install [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Install [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Install [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Install [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Install [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Install [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Install [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Install [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Install [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Install [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Install [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Install [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Install [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Install [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Install [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Install [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Install [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Install [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Install [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Install [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Install [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Install [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Install [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Install [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Install [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Install [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Install [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Install [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Install [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Install [uknrp2eo] Denial of service in filesystem unmounting.
Install [97u6urvt] Soft lockup in USB ACM driver.
Install [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Install [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Install [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Install [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Install [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Install [bvoz27gv] Arithmetic overflow in clock source calculations.
Install [lzwurn1u] ext4 filesystem corruption on fallocate.
Install [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Install [9do532u6] Kernel panic when overcommiting memory with NFSd.
Install [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Install [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Install [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Install [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Install [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Install [l093jvcl] Kernel panic in SMB extended attributes.
Install [qlzoyvty] Kernel panic in ext3 indirect blocks.
Install [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Install [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Install [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Install [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Install [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Install [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Install [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Install [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Install [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Install [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Install [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Install [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Install [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Install [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Install [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Install [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Install [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Install [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Install [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Install [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Install [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Install [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Install [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Install [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Install [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
Install [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
Install [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Install [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
Install [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Install [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
Install [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Install [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Install [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
Install [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
Install [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
Install [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
Install [pz65qqpk] Panic in GFS2 filesystem locking code.
Install [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Install [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Install [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Install [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Install [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Install [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Installing [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Installing [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Installing [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Installing [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Installing [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Installing [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Installing [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Installing [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Installing [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Installing [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Installing [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Installing [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Installing [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Installing [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Installing [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Installing [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Installing [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Installing [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Installing [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Installing [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Installing [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Installing [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Installing [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Installing [qdlkztzx] Kernel crash forwarding network traffic.
Installing [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Installing [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Installing [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Installing [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Installing [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Installing [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Installing [xem0m4sg] Floating point state corruption after signal.
Installing [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Installing [3ulklysv] CVE-2010-0307: Denial of service on amd64
Installing [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Installing [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Installing [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Installing [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Installing [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Installing [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Installing [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Installing [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Installing [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Installing [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Installing [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Installing [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Installing [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Installing [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Installing [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Installing [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Installing [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Installing [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Installing [5mgd1si0] Improved fix to CVE-2010-1173.
Installing [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Installing [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Installing [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Installing [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Installing [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Installing [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Installing [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Installing [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Installing [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Installing [ff1wrijq] Buffer overflow in icmpmsg_put.
Installing [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Installing [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Installing [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Installing [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Installing [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Installing [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Installing [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Installing [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Installing [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Installing [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Installing [usukkznh] Mitigate denial of service attacks with large argument lists.
Installing [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Installing [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Installing [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Installing [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Installing [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Installing [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Installing [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Installing [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Installing [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Installing [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Installing [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Installing [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Installing [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Installing [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Installing [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Installing [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Installing [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Installing [ifgdet83] Use-after-free in MPT driver.
Installing [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Installing [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Installing [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Installing [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Installing [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Installing [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Installing [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Installing [jz43fdgc] Denial of service in NFS server via reference count leak.
Installing [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Installing [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Installing [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Installing [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Installing [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Installing [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Installing [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Installing [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Installing [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Installing [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Installing [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Installing [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Installing [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Installing [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Installing [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Installing [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Installing [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Installing [ofrder8l] Hangs using direct I/O with XFS filesystem.
Installing [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Installing [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Installing [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Installing [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Installing [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Installing [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Installing [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Installing [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Installing [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Installing [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Installing [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Installing [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Installing [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Installing [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Installing [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Installing [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Installing [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Installing [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Installing [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Installing [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Installing [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Installing [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Installing [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Installing [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Installing [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Installing [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Installing [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Installing [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Installing [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Installing [uknrp2eo] Denial of service in filesystem unmounting.
Installing [97u6urvt] Soft lockup in USB ACM driver.
Installing [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Installing [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Installing [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Installing [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Installing [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Installing [bvoz27gv] Arithmetic overflow in clock source calculations.
Installing [lzwurn1u] ext4 filesystem corruption on fallocate.
Installing [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [9do532u6] Kernel panic when overcommiting memory with NFSd.
Installing [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Installing [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Installing [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Installing [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Installing [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Installing [l093jvcl] Kernel panic in SMB extended attributes.
Installing [qlzoyvty] Kernel panic in ext3 indirect blocks.
Installing [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Installing [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Installing [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Installing [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Installing [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Installing [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Installing [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Installing [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Installing [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Installing [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Installing [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Installing [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Installing [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Installing [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Installing [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Installing [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Installing [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Installing [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Installing [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Installing [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Installing [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Installing [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Installing [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Installing [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
Installing [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
Installing [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Installing [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
Installing [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Installing [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
Installing [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Installing [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Installing [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
Installing [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
Installing [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
Installing [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
Installing [pz65qqpk] Panic in GFS2 filesystem locking code.
Installing [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Installing [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Installing [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Installing [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Your kernel is fully up to date.
Effective kernel version is 2.6.18-398.el5

real	0m59.447s
user	0m22.640s
sys	0m22.611s
One minute for 215 updates. And that is not one minute of hang: each patch is applied individually and only takes a few microseconds to apply, so your applications and users won't experience hangs or hiccups at all.

MySQL 5.6.20-4 and Oracle Linux DTrace

Thu, 2014-07-31 10:57
The MySQL team just released MySQL 5.6.20. One of the cool new things for Oracle Linux users is the addition of MySQL DTrace probes. When you use Oracle Linux 6 or 7 with UEK R3 (3.8.x) and the latest DTrace utilities, you can make use of this. MySQL 5.6 is available for install through ULN or from public-yum; you can just install it using yum.

# yum install mysql-community-server

Then install dtrace utils from ULN.

# yum install dtrace-utils

As root, load the fasttrap module (the provider for user-space probes) and make the DTrace helper device writable, so that processes not running as root, mysqld included, can register their USDT probes with the kernel. Note that mode 666 makes that device world-writable, which is fine on a test box; on a shared or production host, give write access only to the service account that needs it (for example group mysql with mode 660) instead:

# modprobe fasttrap
# chmod 666 /dev/dtrace/helper

Start MySQL server.

# /etc/init.d/mysqld start

Now you can try out various dtrace scripts. You can find the reference manual for MySQL DTrace support here.

Example1

Save the script below as query.d.

#!/usr/sbin/dtrace -qs
#pragma D option strsize=1024

/* -q: quiet, -s: script.  The -w (allow destructive actions) flag is not
 * needed: this script only reads.  The mysql provider passes arg0 = query
 * text, arg1 = connection id, arg2 = database, arg3 = user, arg4 = host. */
mysql*:::query-start /* using the mysql provider */
{

  self->query  = copyinstr(arg0);                   /* Get the query */
  self->connid = arg1;                              /* Get the connection ID */
  self->db     = copyinstr(arg2);                   /* Get the DB name */
  self->who    = strjoin(copyinstr(arg3), strjoin("@",
     copyinstr(arg4)));                             /* Get the user@host */

  printf("%Y\t %20s\t  Connection ID: %d \t Database: %s \t Query: %s\n",
     walltimestamp, self->who, self->connid, self->db, self->query);

  /* Release the thread-local variables so they do not accumulate. */
  self->query = 0;
  self->db    = 0;
  self->who   = 0;

}

Run it, then in another terminal connect to the MySQL server and run a few queries. Keep in mind that query-start hands you the full statement text, including any literals (passwords in CREATE USER or SET PASSWORD, customer data in INSERTs), so treat the trace output as sensitive data.

# dtrace -s query.d 
dtrace: script 'query.d' matched 22 probes
CPU     ID                    FUNCTION:NAME
  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 
    Jul 29 12:32:21 root@localhost	  Connection ID: 5 	 Database:  	 
    Query: select @@version_comment limit 1

  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 
    Jul 29 12:32:28 root@localhost	  Connection ID: 5 	 Database:  	 
    Query: SELECT DATABASE()

  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 
    Jul 29 12:32:28 root@localhost	  Connection ID: 5 	 Database: database 	 
    Query: show databases

  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 
    Jul 29 12:32:28 root@localhost	  Connection ID: 5 	 Database: database 	 
    Query: show tables

  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 
    Jul 29 12:32:31 root@localhost	  Connection ID: 5 	 Database: database 	 
    Query: select * from foo

Example 2

Save the script below as statement.d.

#!/usr/sbin/dtrace -s

#pragma D option quiet

dtrace:::BEGIN
{
   printf("%-60s %-8s %-8s %-8s\n", "Query", "RowsU", "RowsM", "Dur (ms)");
}

/* Record the statement text and a start timestamp.  Only *-start probes
 * belong in this clause: arg0 of a *-done probe is a status code, not a
 * string, so listing one here would make copyinstr() fault and reset the
 * timer just before it is read. */
mysql*:::update-start, mysql*:::insert-start,
mysql*:::delete-start, mysql*:::multi-delete-start,
mysql*:::select-start, mysql*:::insert-select-start,
mysql*:::multi-update-start
{
    self->query = copyinstr(arg0);
    self->querystart = timestamp;
}

/* For these statements arg1 is the number of rows returned or affected. */
mysql*:::insert-done, mysql*:::select-done,
mysql*:::delete-done, mysql*:::multi-delete-done, mysql*:::insert-select-done
/ self->querystart /
{
    this->elapsed = ((timestamp - self->querystart)/1000000);
    printf("%-60s %-8d %-8d %d\n",
           self->query,
           0,
           arg1,
           this->elapsed);
    self->querystart = 0;
    self->query = 0;
}

/* Update probes report rows matched (arg1) and rows changed (arg2). */
mysql*:::update-done, mysql*:::multi-update-done
/ self->querystart /
{
    this->elapsed = ((timestamp - self->querystart)/1000000);
    printf("%-60s %-8d %-8d %d\n",
           self->query,
           arg1,
           arg2,
           this->elapsed);
    self->querystart = 0;
    self->query = 0;
}

Run it and do a few queries.

# dtrace -s statement.d 
Query                                                        RowsU    RowsM    Dur (ms)
select @@version_comment limit 1                             0        1        0
SELECT DATABASE()                                            0        1        0
show databases                                               0        6        0
show tables                                                  0        2        0
select * from foo                                            0        1        0

Openstack with Oracle Linux and Oracle VM

Fri, 2014-05-16 13:48
The OpenStack Summit has been an exciting event. We announced the Oracle OpenStack Distribution with support for Oracle Linux and Oracle VM, and support included with Oracle Linux and Oracle VM Premier Support at no additional cost. The announcement was well received by our customers and partners. We’re pleased to continue the Oracle tradition of translating our enterprise experience into community contributions as we’ve done with Linux and Xen. Oracle is committed to ensuring choice for both our partners and customers.

A preview of OpenStack distribution (Havana) is now available on oracle.com for Oracle Linux (controller + compute) and Oracle VM (compute). We will follow this up with the production (GA) release in the next several months, including an update to IceHouse and later Juno. (whitepaper)

An OpenStack distribution contains several components that can be grouped into 2 major buckets (a) controller components, such as keystone, horizon, glance, cinder,.... (b) compute components such as nova and neutron. We provide support for the controller components on top of Oracle Linux and as part of Oracle Linux Premier Support. We provide support for the compute components on top of either Oracle Linux or Oracle VM (as part of Premier Support for both products).

By adding the Oracle OpenStack Distribution to Oracle Linux and Oracle VM, we can provide integrated support for all components in the stack including applications, database, middleware, guest OS, host OS, virtualization, and OpenStack – plus servers and storage. Our experience attacking the world’s toughest enterprise workloads means we focus on OpenStack stability, availability, performance, debugging and diagnostics. Oracle OpenStack customers and partners can immediately benefit from advanced features like Ksplice and DTrace from Oracle Linux and the hardening, testing, performance and stability of Oracle VM.

If you have chosen an OpenStack distribution other than Oracle’s, rest assured. Oracle will not attempt to force you to choose our OpenStack distribution by withholding support; we will provide the same high quality Oracle Linux and Oracle VM support no matter which OpenStack distribution you choose.

Furthermore, Oracle will continue to collaborate with Oracle’s OpenStack partners validating with Oracle Linux and Oracle VM. Our goal remains the same: jointly deliver great solutions and support experience for our mutual customers. We also look forward to working with other vendors to certify networking, storage, hypervisor and other plugins into the Oracle OpenStack Distribution.

Finally, we plan to follow a development model similar to the approach we use with Linux and the Unbreakable Enterprise Kernel. Our development work is focused on contributing upstream to the OpenStack community and we will pick up new releases of OpenStack after testing and validation.

It is an exciting time for OpenStack developers and users. We are thrilled that Oracle and our customers are part of it!

A good use-case for Oracle Ksplice

Thu, 2014-05-15 12:34
One of the advantages of Oracle Ksplice is that you can stick to a given version of a kernel for a very long time. We provide you with the security updates through our Ksplice technology for all the various kernels released so that there's no need for a reboot and also no need to install a newer kernel version that typically also contains new drivers or even new features. Zero downtime yet you are current. Ksplice updates are always based on critical bugfixes or security fixes, things you really want to apply. We do not use Ksplice to provide new driver updates or new features, it's purely focused on those patches that you really want to apply on your environment without downtime and risk of change.

The typical model for providing kernel errata (security/critical fixes) is through providing a newer version of the latest kernel in a "dot dot" release. For instance, for Oracle Linux 6 if the current latest "Red Hat Compatible kernel" is 2.6.32-431.1.2 and a security issue gets fixed, there will be a 2.6.32-431.3.1 (or so). The sysadmin then has to install the new kernel and reboot the server(s) in order to get that fix to be active. Now these "dot dot" release versions typically only contain security fixes or critical bugfixes so while a reboot is annoying and can have a significant time impact, the actual updates are very specific.

When updated versions of the OS are released (such as OL6 update 1, OL6 update 2,...) however, the change in the kernel can be more significant. For instance when you look at the lifecycle of Oracle Linux 6 with the "RHCK" versions. OL6 GA was shipping with kernel 2.6.32-71, update 1 2.6.32-131, update 2 2.6.32-220, update 3 2.6.32-279, update 4 2.6.32-358, update 5 2.6.32-431. Each of these kernels will have pretty significant changes. Aside from carrying forward the security fixes and critical bugfixes, they typically also contain new device drivers, new features backported into older kernels. In fact, if you look at the changelog of the RHCKs you will see features from kernels as current as 3.x backported into 2.6.32.

In this case, going from one version to another is a bigger deal for some customers that have a very conservative upgrade policy. However to be current with security updates one typically has to go to a newer version in order to get the errata. Security fixes are not backported to all older versions by default, while some vendors have a support option where they will support one or 2 other kernel versions, it's relatively selective.

With Ksplice however, we make the security/critical fix errata available for all the various kernels. Not just one or 2 selective versions. So you can be on any of these kernels, and without the need for a reboot, have the fixes available. That's choice and flexibility. It reduces risk of upgrading to newer kernels to get a fix, it reduces down time to zero and increases the security of your servers.

By the way, 2.6.32-71 was released 03-Jan-2011. Since then there were 45 kernels released (RHCK), with vulnerability fixes and critical fixes, so if you wanted to remain current, that would have resulted in 44 reboots for each server since 2011 (so 3.5 years). With Oracle Ksplice, you could still be running that 2.6.32-71 kernel from January 2011, without any reboot and be current with your CVEs. Imagine having 100's, if not 1000's of servers... time saved, cost saved...

To give you a concrete example, here is a list of all the different kernel versions (RHCK) for Oracle Linux 6 :

kernel-2.6.32-71
kernel-2.6.32-71.14.1
kernel-2.6.32-71.18.1
kernel-2.6.32-71.18.2
kernel-2.6.32-71.24.1
kernel-2.6.32-71.29.1
kernel-2.6.32-131.0.15
kernel-2.6.32-131.2.1
kernel-2.6.32-131.4.1
kernel-2.6.32-131.6.1
kernel-2.6.32-131.12.1
kernel-2.6.32-131.17.1
kernel-2.6.32-131.21.1
kernel-2.6.32-220.2.1
kernel-2.6.32-220.4.1
kernel-2.6.32-220.4.2
kernel-2.6.32-220.7.1
kernel-2.6.32-220.13.1
kernel-2.6.32-220.17.1
kernel-2.6.32-220.23.1
kernel-2.6.32-220
kernel-2.6.32-279.1.1
kernel-2.6.32-279.2.1
kernel-2.6.32-279.5.1
kernel-2.6.32-279.5.2
kernel-2.6.32-279.9.1
kernel-2.6.32-279.11.1
kernel-2.6.32-279.14.1
kernel-2.6.32-279.19.1
kernel-2.6.32-279.22.1
kernel-2.6.32-279
kernel-2.6.32-358.0.1
kernel-2.6.32-358.2.1
kernel-2.6.32-358.6.1
kernel-2.6.32-358.6.2
kernel-2.6.32-358.11.1
kernel-2.6.32-358.14.1
kernel-2.6.32-358.18.1
kernel-2.6.32-358.23.2
kernel-2.6.32-358
kernel-2.6.32-431.1.2
kernel-2.6.32-431.3.1
kernel-2.6.32-431.5.1
kernel-2.6.32-431.11.2
kernel-2.6.32-431.17.1
kernel-2.6.32-431

With Oracle Linux and Ksplice you could be running -any- of the above kernel versions in your production environments when a security vulnerability gets fixed, we will make a fix available for all of the above.

Here is a list of the latest Ksplice update packages for Oracle Linux 6 with RHCK. As you can see, every kernel in the list above has a package here, with one exception: 2.6.32-431.17.1 was released after this 20140331 build, so it is not in this snapshot yet:

uptrack-updates-2.6.32-131.0.15.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.12.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.17.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.21.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.4.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.6.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.13.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.17.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.23.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.4.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.4.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.7.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.11.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.1.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.14.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.19.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.22.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.5.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.5.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.9.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.0.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.11.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.14.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.18.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.23.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.6.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.6.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.11.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.1.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.3.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.5.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.14.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.18.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.18.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.24.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.29.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.el6.x86_64.20140331-0
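As a concrete check on the two lists above, here is an added example (mine, not code from the post or from the Ksplice tooling). It parses kernel RPM names and uptrack-updates package names, reports which kernels have no matching update package, and looks up the package for the string that `uname -r` prints on the running system. The sample lists are a constructed subset of the two above; 2.6.32-431.17.1 is kept in the kernel list precisely because the 20140331 package snapshot has no entry for it, which is the kind of gap this check should surface. The function names and regular expressions are mine; the package naming scheme is taken from the list above.

```python
from __future__ import print_function
import re

# Constructed sample input: a subset of the two lists in the post above
# (RHCK kernel RPMs for Oracle Linux 6 and the 20140331 uptrack-updates
# packages for x86_64).  2.6.32-431.17.1 is in the kernel list, but that
# package snapshot has no entry for it.
KERNEL_RPMS = """
kernel-2.6.32-71
kernel-2.6.32-71.29.1
kernel-2.6.32-220.23.1
kernel-2.6.32-220
kernel-2.6.32-431.1.2
kernel-2.6.32-431.3.1
kernel-2.6.32-431.5.1
kernel-2.6.32-431.11.2
kernel-2.6.32-431.17.1
kernel-2.6.32-431
""".split()

UPTRACK_RPMS = """
uptrack-updates-2.6.32-220.23.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.11.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.1.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.3.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.5.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.29.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.el6.x86_64.20140331-0
""".split()

# 2.6.32-431.11.2 = upstream version, then the errata release; the base
# kernel of an update has no ".x.y" suffix.
_KVER = r'\d+\.\d+\.\d+-\d+(?:\.\d+)*'
KERNEL_RE = re.compile(r'^kernel-(?P<kver>%s)$' % _KVER)
UPTRACK_RE = re.compile(r'^uptrack-updates-(?P<kver>%s)\.(?P<dist>el\d+)'
                        r'\.(?P<arch>[A-Za-z0-9_]+)\.(?P<build>\d{8}-\d+)$' % _KVER)


def kernel_version(rpm_name):
    """'kernel-2.6.32-431.11.2' -> '2.6.32-431.11.2'."""
    m = KERNEL_RE.match(rpm_name)
    if not m:
        raise ValueError('not a kernel RPM name: %r' % rpm_name)
    return m.group('kver')


def parse_uptrack(rpm_name):
    """Split an uptrack-updates name into kernel version, dist, arch and build."""
    m = UPTRACK_RE.match(rpm_name)
    if not m:
        raise ValueError('not an uptrack-updates RPM name: %r' % rpm_name)
    return m.groupdict()


def version_key(kver):
    """Sort key for RHCK versions: the base kernel sorts before its errata
    releases, and 11.2 after 3.1 (numeric, not lexical, comparison)."""
    return tuple(int(part) for part in re.split(r'[.-]', kver))


def uncovered_kernels(kernel_rpms, uptrack_rpms, arch='x86_64'):
    """Kernel versions that have no uptrack-updates package for `arch`."""
    covered = set(p['kver'] for p in map(parse_uptrack, uptrack_rpms)
                  if p['arch'] == arch)
    missing = set(map(kernel_version, kernel_rpms)) - covered
    return sorted(missing, key=version_key)


def package_for_running_kernel(uname_r, uptrack_rpms):
    """`uname -r` prints e.g. '2.6.32-431.11.2.el6.x86_64'; the package for it
    is named uptrack-updates-<that string>.<build>.  Returns the newest build,
    or None when the running kernel is not covered by the list."""
    prefix = 'uptrack-updates-%s.' % uname_r
    matches = sorted(p for p in uptrack_rpms if p.startswith(prefix))
    return matches[-1] if matches else None


if __name__ == '__main__':
    print('kernels with no 20140331 update package:',
          uncovered_kernels(KERNEL_RPMS, UPTRACK_RPMS))
    print(package_for_running_kernel('2.6.32-431.11.2.el6.x86_64', UPTRACK_RPMS))
```

In practice the two inputs come from `rpm -q kernel` on the host and from the package list of the Ksplice channel; the point of the check is that "the fix exists for every kernel" has to be verified against the package set you can actually see, dated as it is, rather than assumed.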

Unbreakable Linux Network APIs example

Thu, 2014-05-15 12:24
I posted a short blog entry about the recently released ULN APIs the other day with a sample of how to call the different APIs. Here is a concrete example to use the API to find a package in a channel and download it.

$ ./ulnget.py kernel-headers.2.6.32-71.29 ol6_x86_64_latest
Searching for 'kernel-headers.2.6.32-71.29' in channel 'ol6_x86_64_latest'

Logging in...
Logged in...
Retrieving all packages...
Found kernel-headers.2.6.32-71.29.1.el6
Getting package details...
Downloading https://uln.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/
kernel-headers-2.6.32-71.29.1.el6.x86_64.rpm...

Logged out...

The code for the above is pasted below; it is a very simplistic example. Two things to be aware of before reusing it: on the Python 2.6 that ships with Oracle Linux 6, neither xmlrpclib nor urllib2 verifies the server's TLS certificate, so the ULN credentials and the session key are only as protected as the network path to linux-update.oracle.com; and unlike yum, a raw download like this does not check the package signature, so run rpm -K on the file before installing it.

#!/usr/bin/python
# Python 2 (xmlrpclib/urllib2), as shipped with Oracle Linux 6.
import os
import sys
import getpass
import urllib2
import xmlrpclib

if len(sys.argv) != 3:
   print "Usage : ulnget.py [packagename] [channelname]"
   sys.exit(1)

search = str(sys.argv[1])
channelLabel = str(sys.argv[2])

print "Searching for '%s' in channel '%s'" % (search, channelLabel)

SERVER_URL = 'https://linux-update.oracle.com/rpc/api'

# Credentials come from the environment or a prompt rather than being
# hardcoded in the script.
USERNAME = os.environ.get('ULN_USERNAME') or raw_input("ULN username: ")
PASSWORD = getpass.getpass("ULN password: ")

client = xmlrpclib.Server(SERVER_URL)

print ""

# login; the API hands back a 43-character session key
print "Logging in..."
sessionKey = client.auth.login(USERNAME, PASSWORD)
if len(sessionKey) != 43:
   print "Invalid sessionKey (length %d) : '%s'" % (len(sessionKey), sessionKey)
   sys.exit(1)

print "Logged in..." 

print "Retrieving all packages..."
packageList = client.channel.software.listAllPackages(sessionKey, channelLabel)

for package in packageList:
   packageName = '%s.%s-%s' % (package['package_name'], package['package_version'],
      package['package_release'])
   if search in packageName:
      print "Found %s" % packageName
      pid = package['package_id']
      print "Getting package details..."
      packageDetail = client.packages.getDetails(sessionKey, pid)
      url = packageDetail['download_urls'][0]
      # The session key doubles as the credential for the download URL.
      req = urllib2.Request(url, headers={'X-ULN-API-User-Key': sessionKey})
      try:
          print "Downloading %s..." % url
          response = urllib2.urlopen(req)
          contents = response.read()
          # Save the RPM under its own file name in the current directory.
          fileName = os.path.basename(url)
          with open(fileName, 'wb') as f:
              f.write(contents)
          print "Saved %s (%d bytes)" % (fileName, len(contents))
      except urllib2.HTTPError, e:
          print
          print "HTTP error code  : %d" % e.code
      except Exception, e:
          print
          print str(e)

print ""

retval = client.auth.logout(sessionKey)
if retval == 1:
  print "Logged out..."
else:
  print "Failed to log out..."

Unbreakable Linux Network APIs available

Tue, 2014-05-13 15:37
Aside from the uln_channel tool that we recently released, we are now also supporting a number of webservices on ULN. A handful of useful APIs are available. Below is a little simple python example that works out of the box on Oracle Linux 6 (when you have an account on ULN) and a description of the currently available APIs. Note that the python code is very simplistic... I know, no exception handling; that wasn't the point ;)...

Additionally, the ULN integration with Spacewalk uses these APIs as well. See here

APIs :

client.auth.login(username,password) returns sessionKey 
client.errata.listCves(sessionKey, advisory) returns cveList
client.errata.applicableToChannels(sessionKey, advisory) returns channelList
client.channel.software.listLatestPackages(sessionKey, channelLabel) returns packageList
client.channel.software.listErrata(sessionKey, channelLabel) returns errataList
client.packages.listProvidingErrata(sessionKey, pid) returns errataList
client.channel.listSoftwareChannels(sessionKey) returns channelList
client.channel.software.listAllPackages(sessionKey, channelLabel) returns packageList
client.errata.listPackages(sessionKey, advisory) returns packageList
client.errata.getDetails(sessionKey, advisory) returns errataDetail
client.channel.software.getDetails(sessionKey, channelLabel) returns channelDetail
client.packages.getDetails(sessionKey, pid) returns packageDetail
client.auth.logout(sessionKey) returns retval

sample output of the code :

$ ./sample.py
Login : client.auth.login(username,password) returns sessionKey
Logged in...

List CVEs for a particular advisory : client.errata.listCves(sessionKey, advisory) returns cveList
Example : CVEs for advisory 'ELSA-2013-1100' : ['CVE-2013-2231']

List channels applicable to advisory : client.errata.applicableToChannels(sessionKey, advisory) returns channelList
Example : Channels applicable to advisory 'ELSA-2013-1100' : [{'channel_name': 'Oracle Linux 6 Latest (i386)', 'channel_label': 'ol6_i386_latest', 'parent_channel_id': ' ', 'channel_id': 941}, {'channel_name': 'Oracle Linux 6 Latest (x86_64)', 'channel_label': 'ol6_x86_64_latest', 'parent_channel_id': ' ', 'channel_id': 944}, {'channel_name': 'Oracle Linux 6 Update 4 Patch (i386)', 'channel_label': 'ol6_u4_i386_patch', 'parent_channel_id': ' ', 'channel_id': 1642}, {'channel_name': 'Oracle Linux 6 Update 4 Patch (x86_64)', 'channel_label': 'ol6_u4_x86_64_patch', 'parent_channel_id': ' ', 'channel_id': 1644}]

List latest packages in a given channel : client.channel.software.listLatestPackages(sessionKey, channelLabel) returns packageList
Example : Packages for channel 'ol6_x86_64_latest' returns 6801 packages

List errata in a given channel : client.channel.software.listErrata(sessionKey, channelLabel) returns errataList
Example : Errata in channel 'ol6_x86_64_latest' returns 1403 errata

List errata for a given package : client.packages.listProvidingErrata(sessionKey, pid) returns errataList
Example :
[{'errata_update_date': '2011-06-08 00:00:00', 'errata_advisory_type': 'Security Advisory', 'errata_synopsis': 'subversion security update', 'errata_advisory': 'ELSA-2011-0862', 'errata_last_modified_date': '2011-06-08 00:00:00', 'errata_issue_date': '2011-06-08 00:00:00'}]

List software channels available : client.channel.listSoftwareChannels(sessionKey) returns channelList
Example : List of channels returns '253' channels

List all packages for a given channel : client.channel.software.listAllPackages(sessionKey, channelLabel) returns packageList
Example : All packages for channel 'ol6_x86_64_latest' returns 25310 packages

List packages for a given advisory : client.errata.listPackages(sessionKey, advisory) returns packageList
Example : Packages for advisory 'ELSA-2013-1100' returns 12 packages

Details for a specific advisory : client.errata.getDetails(sessionKey, advisory) returns errataDetail
Example :
{'errata_update_date': '7/22/13', 'errata_topic': ' ', 'errata_type': 'Security Advisory', 'errata_severity': 'Important', 'errata_notes': ' ', 'errata_synopsis': 'qemu-kvm security update', 'errata_references': ' ', 'errata_last_modified_date': '2013-07-22 00:00:00', 'errata_issue_date': '7/22/13', 'errata_description': '[qemu-kvm-0.12.1.2-2.355.el6_4.6]\n- kvm-qga-cast-to-int-for-DWORD-type.patch [bz#980758]\n- kvm-qga-remove-undefined-behavior-in-ga_install_service.patch [bz#980758]\n- kvm-qga-diagnostic-output-should-go-to-stderr.patch [bz#980758]\n- kvm-qa_install_service-nest-error-paths-more-idiomatically.patch [bz#980758]\n- kvm-qga-escape-cmdline-args-when-registering-win32-service.patch [bz#980758]\n- Resolves: bz#980758\n (qemu-kvm: CVE-2013-2231 qemu: qemu-ga win32 service unquoted search path [rhel-6.4.z])'}

Details for a given channel : client.channel.software.getDetails(sessionKey, channelLabel) returns channelDetail
Example :
{'channel_description': 'All packages released for Oracle Linux 6 (x86_64), including the very latest updated packages', 'channel_summary': 'Oracle Linux 6 Latest (x86_64)', 'channel_arch_name': 'x86_64', 'metadata_urls': {'group': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/comps.xml', 'checksum': '08ec74da7552f56814bc7f94d60e6d1c3d8d9ff9', 'checksum_type': 'sha', 'file_name': 'repodata/comps.xml'}], 'filelists': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/filelists.xml.gz', 'checksum': '2fb7fe60c7ee4dc948bbc083c18ab065384e990f', 'checksum_type': 'sha', 'file_name': 'repodata/filelists.xml.gz'}], 'updateinfo': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/updateinfo.xml.gz', 'checksum': '15b889640ad35067d99b15973bb71aa1dc33ab00', 'checksum_type': 'sha', 'file_name': 'repodata/updateinfo.xml.gz'}], 'primary': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/primary.xml.gz', 'checksum': '21f7115120c03a9dbaf25c6e1e9e3d6288bf664f', 'checksum_type': 'sha', 'file_name': 'repodata/primary.xml.gz'}], 'repomd': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/repomd.xml', 'file_name': 'repodata/repomd.xml'}], 'other': [{'url': 'https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/repodata/other.xml.gz', 'checksum': '30a176c8509677b588863bf21d7b196941e866af', 'checksum_type': 'sha', 'file_name': 'repodata/other.xml.gz'}]}}

Details for a given package : client.packages.getDetails(sessionKey, pid) returns packageDetail
Example :
{'package_size': 5855337, 'package_arch_label': 'i686', 'package_cookie': '1307566435', 'package_md5sum': 'e74525b5bbaa9e637fe818f3f5777c02', 'package_name': 'subversion', 'package_summary': 'A Modern Concurrent Version Control System', 'package_epoch': ' ', 'package_checksums': [{'md5': 'e74525b5bbaa9e637fe818f3f5777c02'}], 'package_payload_size': 5857988, 'package_version': '1.6.11', 'package_license': 'ASL 1.1', 'package_vendor': 'Oracle America', 'package_release': '2.el6_1.4', 'package_last_modified_date': '2011-06-08 15:53:55', 'package_description': 'Subversion is a concurrent version control system which enables one\nor more users to collaborate in developing and maintaining a\nhierarchy of files and directories while keeping a history of all\nchanges. Subversion only stores the differences between versions,\ninstead of every complete file. Subversion is intended to be a\ncompelling replacement for CVS.', 'package_id': 2814035, 'providing_channels': ['ol6_x86_64_latest'], 'package_build_host': 'ca-build44.us.oracle.com', 'package_build_date': '2011-06-08 15:53:55', 'download_urls': ['https://uln-qa.oracle.com/XMLRPC/GET-REQ/ol6_x86_64_latest/subversion-1.6.11-2.el6_1.4.src.rpm'], 'package_file': 'subversion-1.6.11-2.el6_1.4.src.rpm'}

Logout : client.auth.logout(sessionKey) returns retval
Logged out...

Sample code :

#!/usr/bin/env python
try:
    import os
    import sys
    import getpass
    import datetime
    import xmlrpclib

except ImportError, e:
    raise ImportError (str(e) + ': Module  not found')

SERVER_URL = 'https://linux-update.oracle.com/rpc/api'

USERNAME = 'myusername@company.com'
PASSWORD = 'mypassword'

client = xmlrpclib.Server(SERVER_URL)


# login
print "Login : client.auth.login(username,password) returns sessionKey "
sessionKey = client.auth.login(USERNAME,PASSWORD)
if len(sessionKey) != 43:
   # a valid ULN session key is a 43-character string; anything else means login failed
   print "Invalid sessionKey (length %d) : '%s'" % (len(sessionKey), sessionKey)
   sys.exit(1)

print "Logged in..."

print ""
print ""
print ""


# list CVEs for an advisory
print "List CVEs for a particular advisory : client.errata.listCves(sessionKey, advisory)\
 returns cveList"
advisory = "ELSA-2013-1100"
cveList = client.errata.listCves(sessionKey, advisory)
print "Example : CVEs for advisory '%s' : %s" % (advisory, cveList)


print ""
print ""
print ""

# list channels for CVE
print "List channels applicable to advisory : \
client.errata.applicableToChannels(sessionKey, advisory) returns channelList"
channelList = client.errata.applicableToChannels(sessionKey, advisory)
print "Example : Channels applicable to advisory '%s' : %s" % (advisory, channelList)


print ""
print ""
print ""

# list latest packages in a channel
print "List latest packages in a given channel : \
client.channel.software.listLatestPackages(sessionKey, channelLabel) returns\
 packageList"
channelLabel= 'ol6_x86_64_latest'
packageList = client.channel.software.listLatestPackages(sessionKey, channelLabel)
print "Example : Packages for channel '%s' returns %d packages" %(channelLabel, 
 len(packageList))

print ""
print ""
print ""


# list errata in a channel
print "List errata in a given channel : \
client.channel.software.listErrata(sessionKey, channelLabel) returns errataList"
errataList = client.channel.software.listErrata(sessionKey, channelLabel)
print "Example : Errata in channel '%s' returns %d errata" %(channelLabel, len(errataList))

print ""
print ""
print ""

# list errata for a package with a specific id
print "List errata for a given package : client.packages.listProvidingErrata(sessionKey,\
 pid) returns errataList"
pid = '2814035'
errataList = client.packages.listProvidingErrata(sessionKey, pid)
print "Example : \n%s\n" % errataList

print ""
print ""
print ""


# list software channels
print "List software channels available : client.channel.listSoftwareChannels(sessionKey)\
 returns channelList"
channelList = client.channel.listSoftwareChannels(sessionKey)
print "Example : List of channels returns '%d' channels" %(len(channelList))

print ""
print ""
print ""



# list all packages of a channel
print "List all packages for a given channel : \
client.channel.software.listAllPackages(sessionKey, channelLabel) returns packageList"
packageList = client.channel.software.listAllPackages(sessionKey, channelLabel)
print "Example : All packages for channel '%s' returns %d packages" %(channelLabel, 
len(packageList))

print ""
print ""
print ""


# list packages for an errata
print "List packages for a given advisory : client.errata.listPackages(sessionKey,\
 advisory) returns packageList"
packageList = client.errata.listPackages(sessionKey, advisory)
print "Example : Packages for advisory '%s' returns %d packages" %(advisory, 
len(packageList))

print ""
print ""
print ""


# get errata details
print "Details for a specific advisory  : \
client.errata.getDetails(sessionKey, advisory) returns errataDetail"
errataDetail = client.errata.getDetails(sessionKey, advisory)
print "Example : \n%s\n" %errataDetail

print ""
print ""
print ""


# get channel details
print "Details for a given channel : \
client.channel.software.getDetails(sessionKey, channelLabel) returns channelDetail"
channelDetail = client.channel.software.getDetails(sessionKey, channelLabel)
print "Example : \n%s\n" % channelDetail

print ""
print ""
print ""


# get package details from package with an id
print "Details for a given package : client.packages.getDetails(sessionKey, pid) \
returns packageDetail"
packageDetail = client.packages.getDetails(sessionKey, pid)
print "Example : \n%s\n" % packageDetail

print ""
print ""
print ""


print "Logout : client.auth.logout(sessionKey) returns retval"
retval = client.auth.logout(sessionKey)
if retval == 1:
  print "Logged out..."
else:
  print "Failed to log out..."
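A practical use of the same calls, added here as an example (not the post's sample.py): given a channel label and a CVE id, find the errata in that channel whose CVE list contains it, using listErrata, listCves, getDetails and listPackages from the API list above. It is Python 3 with xmlrpc.client; the endpoint and call names come from the post, the assumption that each erratum dict carries an 'errata_advisory' key comes from the listProvidingErrata output shown, and fake_uln_client() is a constructed stand-in so the lookup can be exercised offline.

```python
"""Find which ULN errata in a channel address a given CVE, using the API calls listed above.

Added example, not the post's sample.py: Python 3 with xmlrpc.client. The endpoint and
the call names come from the post; fake_uln_client() is a constructed stand-in so the
lookup can be run and checked offline.
"""
import getpass
import sys
import xmlrpc.client
from types import SimpleNamespace

SERVER_URL = "https://linux-update.oracle.com/rpc/api"  # the endpoint used in the post


def errata_addressing_cve(client, session_key, channel_label, cve_id):
    """Return {advisory: summary} for every erratum in channel_label that lists cve_id.

    Walks client.channel.software.listErrata, then client.errata.listCves per advisory,
    and summarises matches with client.errata.getDetails / client.errata.listPackages.
    Assumption: each erratum dict carries an 'errata_advisory' key, as in the
    listProvidingErrata output printed in the post.
    """
    found = {}
    for erratum in client.channel.software.listErrata(session_key, channel_label):
        advisory = erratum["errata_advisory"]
        if cve_id not in client.errata.listCves(session_key, advisory):
            continue
        detail = client.errata.getDetails(session_key, advisory)
        found[advisory] = {
            "synopsis": detail.get("errata_synopsis", ""),
            "severity": detail.get("errata_severity", ""),
            # the post only prints the package count, so that is all we keep here
            "package_count": len(client.errata.listPackages(session_key, advisory)),
        }
    return found


def fake_uln_client(valid_key="fake-session-key"):
    """Constructed stand-in for xmlrpc.client.ServerProxy(SERVER_URL), for offline runs.

    ELSA-2013-1100 -> CVE-2013-2231, 'qemu-kvm security update', Important, 12 packages
    are the values printed in the post; everything else below is a made-up placeholder.
    """
    errata_in_channel = {
        "ol6_x86_64_latest": [
            {"errata_advisory": "ELSA-2013-1100", "errata_synopsis": "qemu-kvm security update"},
            {"errata_advisory": "ELSA-2011-0862", "errata_synopsis": "subversion security update"},
        ],
    }
    cves = {"ELSA-2013-1100": ["CVE-2013-2231"],
            "ELSA-2011-0862": ["CVE-1900-0001"]}          # placeholder id, not the real list
    details = {"ELSA-2013-1100": {"errata_synopsis": "qemu-kvm security update",
                                  "errata_severity": "Important"},
               "ELSA-2011-0862": {"errata_synopsis": "subversion security update",
                                  "errata_severity": "PLACEHOLDER"}}
    packages = {"ELSA-2013-1100": [{}] * 12, "ELSA-2011-0862": [{}] * 3}

    def checked(fn):
        # A real ULN server rejects calls with an unknown session key; mimic that with a Fault.
        def wrapper(key, *args):
            if key != valid_key:
                raise xmlrpc.client.Fault(-1, "invalid session key")
            return fn(*args)
        return wrapper

    return SimpleNamespace(
        auth=SimpleNamespace(login=lambda user, pw: valid_key, logout=checked(lambda: 1)),
        channel=SimpleNamespace(software=SimpleNamespace(
            listErrata=checked(lambda label: errata_in_channel.get(label, [])))),
        errata=SimpleNamespace(
            listCves=checked(lambda adv: cves.get(adv, [])),
            getDetails=checked(lambda adv: details.get(adv, {})),
            listPackages=checked(lambda adv: packages.get(adv, []))),
    )


def main(argv):
    """Usage: uln_cve_lookup.py CHANNEL_LABEL CVE-ID (prompts for ULN credentials)."""
    if len(argv) != 3:
        sys.exit("usage: uln_cve_lookup.py CHANNEL_LABEL CVE-ID")
    channel_label, cve_id = argv[1], argv[2]
    client = xmlrpc.client.ServerProxy(SERVER_URL)
    session_key = client.auth.login(input("ULN username: "), getpass.getpass("ULN password: "))
    try:
        matches = errata_addressing_cve(client, session_key, channel_label, cve_id)
        if not matches:
            print(f"no erratum in {channel_label} lists {cve_id}")
        for advisory, info in sorted(matches.items()):
            print(f"{advisory}: {info['synopsis']} ({info['severity']}, "
                  f"{info['package_count']} packages)")
    finally:
        client.auth.logout(session_key)   # returns 1 on success, as in the post


if __name__ == "__main__":
    main(sys.argv)
```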

Channel subscription from command-line support added to the Unbreakable Linux Network(ULN)

Tue, 2014-05-13 12:41
Until recently, to add channels to a server or to register a server as a yum-repository server, one had to log into ULN and do this manually. First the server had to be tagged as a yum server, and then any channels to be included had to be added to it. While this is an easy task, it does involve logging into the website and manually following a few steps, and it could not be automated.

We provided an updated rhn-setup RPM that adds a new tool called uln-channel, which allows users with ULN access to enable a server as a yum server and to add, remove and list channels for this server. This makes easy automation possible.

The latest version of the rhn-setup rpm is rhn-setup-1.0.0.1-16.0.9.el6.noarch. The uln-channel rpm is currently only supported with Oracle Linux version 6.

# uln-channel -h
Usage: uln-channel [options]

Options:
  -c CHANNEL, --channel=CHANNEL
                        name of channel you want to (un)subscribe
  -a, --add             subscribe to channel
  -r, --remove          unsubscribe from channel
  -l, --list            list channels
  -b, --base            show base channel of a system
  -L, --available-channels
                        list all available child channels
  -v, --verbose         verbose output
  -u USER, --user=USER  your user name
  -p PASSWORD, --password=PASSWORD
                        your password
  --enable-yum-server   enable yum server setting
  --disable-yum-server  disable yum server setting
  -h, --help            show this help message and exit

# uln-channel --list
Username: wim@company.com
Password:
ol6_i386_UEK_latest
ol6_i386_ksplice
ol6_i386_latest

# uln-channel --base
Username: wim@company.com
Password:
ol6_i386_ksplice
ol6_i386_latest
ol6_i386_UEK_latest

# uln-channel --enable-yum-server
Username: wim@company.com
Password:

# uln-channel --disable-yum-server
Username: wim@company.com
Password:


# uln-channel --available-channels
Username: wim@company.com
Password:
el3_i386_latest
el3_u8_i386_patch
el3_u8_x86_64_patch
el3_u9_i386_base
el3_u9_i386_patch
el3_u9_x86_64_base
el3_u9_x86_64_patch
el3_x86_64_latest
...
ol6_x86_64_Dtrace_BETA
ol6_x86_64_Dtrace_latest
ol6_x86_64_Dtrace_userspace_latest
ol6_x86_64_MySQL
ol6_x86_64_MySQL56
ol6_x86_64_UEKR3_latest
ol6_x86_64_UEK_BETA
ol6_x86_64_UEK_base
ol6_x86_64_UEK_latest
ol6_x86_64_addons
ol6_x86_64_gdm_multiseat
ol6_x86_64_ksplice
ol6_x86_64_latest
ol6_x86_64_mysql-ha-utils
ol6_x86_64_ofed_UEK
ol6_x86_64_oracle
ovm22_2.2.0_i386_base
ovm22_2.2.0_i386_patch
ovm22_2.2.1_i386_base
ovm22_2.2.1_i386_patch
ovm22_2.2.2_i386_base
ovm22_2.2.2_i386_patch
ovm22_2.2.3_i386_base
ovm22_2.2.3_i386_patch
ovm22_i386_latest
ovm22_i386_oracle
ovm2_2.1.0_i386_base
ovm2_2.1.0_i386_patch
ovm2_2.1.1_i386_base
ovm2_2.1.1_i386_patch
ovm2_2.1.2_i386_base
ovm2_2.1.2_i386_patch
ovm2_2.1.5_i386_base
ovm2_2.1.5_i386_patch
ovm2_i386_latest
ovm3_3.0.2_x86_64_base
ovm3_3.0.3_x86_64_base
ovm3_3.0.3_x86_64_patch
ovm3_3.0_x86_64_base
ovm3_3.0_x86_64_patch
ovm3_3.1.1_x86_64_base
ovm3_3.1.1_x86_64_patch
ovm3_3.2.1_x86_64_base
ovm3_3.2.1_x86_64_patch
ovm3_x86_64_latest

# uln-channel --add --channel=ol6_x86_64_oracle
Username: wim@company.com
Password:

# uln-channel --list
Username: wim@company.com
Password:
ol6_i386_UEK_latest
ol6_i386_ksplice
ol6_i386_latest
ol6_x86_64_oracle

OpenStack for Oracle Linux and Oracle VM

Tue, 2014-05-13 12:32
We just made an announcement today about support for OpenStack with Oracle Linux and Oracle VM. The press release can be found here.

Oracle E-Business Suite R12 Pre-Install RPM available for Oracle Linux 5 and 6

Thu, 2014-04-17 18:44
One of the things we have been focusing on with Oracle Linux for quite some time now, is making it easy to install and deploy Oracle products on top of it without having to worry about which RPMs to install and what the basic OS configuration needs to be.

A minimal Oracle Linux install contains a really small set of RPMs but typically not enough for a product to install on and a full/complete install contains way more packages than you need. While a full install is convenient, it also means that the likelihood of having to install an errata for a package is higher and as such the cost of patching and updating/maintaining systems increases.

In an effort to make it as easy as possible, we have created a number of pre-install RPM packages. They don't really contain actual programs; they're more or less dummy packages plus a few configuration scripts. They are built around the concept that you have a minimal OL installation (configured to point to a yum repository), and all the RPMs/packages the specific Oracle product requires to install cleanly and pass its prerequisites are dependencies of the pre-install RPM.

When you install the pre-install RPM, yum will calculate the dependencies, figure out which additional RPMs are needed beyond what's installed, download them and install them. The configuration scripts in the RPM will also set up a number of sysctl options, create the default user, etc. After installation of this pre-install RPM, you can confidently start the Oracle product installer.

We have released pre-install RPMs in the past for the Oracle Database (11g, 12c, ...) and the Oracle Enterprise Manager 12c agent. We have now also released a similar RPM for E-Business Suite R12.

This RPM is available on both ULN and public-yum in the addons channel.

Easy access to Java SE 7 on Oracle Linux

Tue, 2014-04-08 13:10
In order to make it very easy to install Java SE 7 on Oracle Linux, we added a Java channel on ULN (http://linux.oracle.com). Here is a brief description of how to enable the channel and install Java on your system.

Enable the Java SE 7 ULN channel for Oracle Linux 6

- Start with a server or desktop installed with Oracle Linux 6 and registered with ULN (http://linux.oracle.com) for updates

This is typically using uln_register on your system.

- Log into ULN, go to the Systems tab for your server/desktop and click on Manage Subscriptions

-> Ensure your system is registered to the "Oracle Linux 6 Add ons (x86_64)" channel (it should appear in the 'Subscribed channels' list)

If your system is not registered with the above channel, add it:

-> Click on "Oracle Linux 6 Add ons (x86_64)" in the Available Channels tab and click on the right arrow to move it to Subscribed channels

-> Click on Save Subscriptions

- In order to register with the 'Java SE 7' channel, you first have to install a yum plugin to enable access to channels with licenses

# yum install yum-plugin-ulninfo
Loaded plugins: rhnplugin
This system is receiving updates from ULN.
ol6_x86_64_addons                                        | 1.2 kB     00:00     
ol6_x86_64_addons/primary                                |  44 kB     00:00     
ol6_x86_64_addons                                                       177/177
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-ulninfo.noarch 0:0.2-9.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================
 Package                          Arch                 Version                    Repository                       Size
========================================================================================================================
Installing:
 yum-plugin-ulninfo               noarch               0.2-9.el6                  ol6_x86_64_addons                13 k

Transaction Summary
========================================================================================================================
Install       1 Package(s)

Total download size: 13 k
Installed size: 23 k
Is this ok [y/N]: y
Downloading Packages:
yum-plugin-ulninfo-0.2-9.el6.noarch.rpm                                                          |  13 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : yum-plugin-ulninfo-0.2-9.el6.noarch                                                                  1/1 
  Verifying  : yum-plugin-ulninfo-0.2-9.el6.noarch                                                                  1/1 

Installed:
  yum-plugin-ulninfo.noarch 0:0.2-9.el6                                                                                 

Complete!

- In future versions of Oracle Linux 6, this RPM will become part of the base channel and at that point you will no longer need to register with the Add ons channel to install yum-plugin-ulninfo

- Add the Java SE 7 channel subscription to your system in ULN

-> Click on "Java SE 7 for Oracle Linux 6 (x86_64) (Public)" in the Available Channels tab and click on the right arrow to move it to Subscribed channels

-> Click on Save Subscriptions

-> A popup will appear with the EULA for Java SE 7, click on Accept or Decline

- Now your system has access to the Java SE 7 channel. You can verify this by executing :

# yum repolist
Loaded plugins: rhnplugin, ulninfo
This system is receiving updates from ULN.
ol6_x86_64_JavaSE7_public:
By downloading the Java software, you acknowledge that your use of the Java software is 
subject to the Oracle Binary Code License Agreement for the Java SE Platform Products and 
JavaFX (which you acknowledge you have read and agree to) available 
at http://www.java.com/license.

ol6_x86_64_JavaSE7_public                                                                        | 1.2 kB     00:00     
ol6_x86_64_JavaSE7_public/primary                                                                | 1.9 kB     00:00     
ol6_x86_64_JavaSE7_public                                                                                           2/2
repo id                        repo name                                                                          status
ol6_x86_64_JavaSE7_public      Java SE 7 for Oracle Linux 6 (x86_64) (Public)                                          2
ol6_x86_64_UEKR3_latest        Unbreakable Enterprise Kernel Release 3 for Oracle Linux 6 (x86_64) - Latest          122
ol6_x86_64_addons              Oracle Linux 6 Add ons (x86_64)                                                       177
ol6_x86_64_ksplice             Ksplice for Oracle Linux 6 (x86_64)                                                 1,497
ol6_x86_64_latest              Oracle Linux 6 Latest (x86_64)                                                     25,093
repolist: 26,891

- To install Java SE 7 on your system, simply use yum install :

# yum install jdk
Loaded plugins: rhnplugin, ulninfo
This system is receiving updates from ULN.
ol6_x86_64_JavaSE7_public:
By downloading the Java software, you acknowledge that your use of the Java software is 
subject to the Oracle Binary Code License Agreement for the Java SE Platform Products
 and JavaFX (which you acknowledge you have read and agree to) 
available at http://www.java.com/license.

Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package jdk.x86_64 2000:1.7.0_51-fcs will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================
 Package           Arch                 Version                           Repository                               Size
========================================================================================================================
Installing:
 jdk               x86_64               2000:1.7.0_51-fcs                 ol6_x86_64_JavaSE7_public               117 M

Transaction Summary
========================================================================================================================
Install       1 Package(s)

Total download size: 117 M
Installed size: 193 M
Is this ok [y/N]: y
Downloading Packages:
jdk-1.7.0_51-fcs.x86_64.rpm                                                                                                         | 117 MB     02:27     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 2000:jdk-1.7.0_51-fcs.x86_64                                                                                                            1/1 
Unpacking JAR files...
	rt.jar...
	jsse.jar...
	charsets.jar...
	tools.jar...
	localedata.jar...
	jfxrt.jar...
  Verifying  : 2000:jdk-1.7.0_51-fcs.x86_64                                                                                                            1/1 

Installed:
  jdk.x86_64 2000:1.7.0_51-fcs                                                                                                                             

Complete!

- You now have a completely installed Java SE 7 on your Oracle Linux environment.

# ls /usr/java/jdk1.7.0_51/
bin  COPYRIGHT  db  include  jre  lib  LICENSE  man  README.html  release  src.zip  
THIRDPARTYLICENSEREADME-JAVAFX.txt  THIRDPARTYLICENSEREADME.txt

OpenSCAP distributed with Oracle VM Server for x86

Sun, 2014-01-19 06:09
Security Compliance : true

We recently released Oracle VM Server for x86 3.2.7. For more information you can go here. In addition we also recently released Oracle Linux 6.5. Find the press release here and the link to the release notes here.

You will notice that for Oracle Linux we have updated the version of OpenSCAP to use the NIST SCAP 1.2 specification.

We have also decided to distribute OpenSCAP with Oracle VM Server for x86, so you will be able to use the same utility for security compliance checks that you may use with Oracle Linux and Oracle Solaris. Initially, the OpenSCAP package we are distributing with Oracle VM Server for x86 is available on the Oracle Public Yum Server, so you may start by using the oscap(8) OpenSCAP command line tool after you've installed the openscap-utils RPM on your Dom0 test environment. If you are working on the technical security controls that are required by your organization for the approval to operate Oracle VM Server for x86, then you should understand that OpenSCAP is an effective tool to demonstrate security compliance to your authorizing official. However, you should carefully examine your organization's SCAP content and the implementation details, such as the use of OVAL for compliance checks.

We typically recommend that you do not directly execute additional utilities within the Oracle VM Server management domain (i.e. the Dom0 domain), but checking security compliance requires careful limited access by your authorized administrators to produce the reports. The Oracle VM Security Guide for Release 3 explains the philosophy of protection for the installation of the Oracle VM Server using a small footprint:

"Oracle VM Server runs a lightweight, optimized version of Oracle Linux. It is based upon an updated version of the Xen hypervisor technology and includes Oracle VM Agent. The installation of Oracle VM Server in itself is secure: it has no unused packages or applications and no services listening on any ports except for those required for the operation of the Oracle VM environment."

Please note that you should report any potential security vulnerabilities in Oracle products following the instructions found here.

We posted some helpful details about Oracle Linux Errata and CVE information this time last year, and you may also review the notifications of Oracle VM errata here. For the examples we are reviewing now, the use of OVAL checks is part of the traditional way you would show that your servers are all compliant (locked down or hardened) with the relevant security settings in your checklists that reference the product security guides.

The Oracle Software Security Assurance Secure Configuration Initiative has established Oracle product security goals for both Secure Configuration and Security Guides. We have built in the security features with Oracle VM Server for x86 and you should expect that the default installation follows the software security assurance guidelines. Using OpenSCAP for security compliance checks may help you to show that the Oracle VM Server for x86 configuration is up to date with the latest details documented in the security guides for operating systems and server virtualization.

A standardized approach to security compliance is a goal that many organizations are working toward and includes a broad set of security controls typically found within a complete Risk Management Framework provided by the NIST RMF and other standards bodies within the international IT security community. When you begin to use OpenSCAP you will find that the standard SCAP content contains product-specific technical security controls that are expected to be unique and have version dependencies as well. You will notice that the standard SCAP content used with OpenSCAP on Oracle VM Server for x86 can produce valid security compliance reports, but you must still understand the technical nuances for measuring compliance that show results for each test:

    True
    False
    Error
    Unknown
    Not Applicable
    Not Evaluated

Advantages to using a standardized approach for security compliance include considerations of "what is measured" and "how it is measured" to improve the precision, accuracy and ultimate effectiveness required to mitigate risks. The initial results that are produced using OpenSCAP for security compliance checks must be further examined to truly understand the meaning of 'true' or 'false', so that you can demonstrate the rationale for applying any fixes to remediate a verifiable problem. The effectiveness of OpenSCAP depends on a thorough understanding of all the technical details at the early stages of your testing, so you will benefit from the complete coverage that may be repeated for all of your production Oracle VM Servers.

Automating system administration activities is a fundamental objective for on-premise and cloud computing architectures, and we are working to standardize as much of the enterprise infrastructure components as possible to produce the most cost-effective solutions using Oracle VM Server. The security compliance requirements of many organizations have increased reporting cycles that must be continuously monitored. With careful planning, OpenSCAP may be an effective tool for reporting your organization's IT security controls, but we want to review some of the basic concepts that you should be aware of.

We noted earlier that Dom0 is a special-purpose management domain that is based on Xen built with Oracle Linux. The Oracle Linux and Oracle Solaris configurations share a common set of technical security controls that are useful to measure consistently with Oracle VM Server. However, the results you analyse require historical perspective and current insight to determine the relevance and criticality that is important to convey to the decision makers or authorizing officials in your organization.

One random example of a security compliance check that illustrates a number of considerations is related to CWE-264: Permissions, Privileges, and Access Controls. More specifically, as an exercise, we want to drill down to both CWE-275: Permission Issues and CWE-426: Untrusted Search Path potential problems.

To demonstrate how OpenSCAP can be used to report the results of a check related to CWE-275 and CWE-426 we can start by viewing the Red Hat 5 STIG Benchmark, Version 1, Release 4 from DISA:

[root@ovm327 ~]# wget http://iase.disa.mil/stigs/os/unix/u_redhat_5_v1r4_stig_benchmark.zip

For brevity, we have extracted out the OVAL compliance item for 'STIG ID: GEN000960' that we show using the DISA STIG Viewer:

If you also want to test this, here is the raw XML

This looks simple enough, so let's see the result using OpenSCAP on Oracle VM Server for x86:

[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
[root@ovm327 ~]#

We think we understand the result but let's view this differently just to be sure:

[root@ovm327 ~]# ls -ldL `echo $PATH | tr ':' '\n'`
ls: /root/bin: No such file or directory
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /bin
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /sbin
drwxr-xr-x 3 root root 16384 Jan  2 12:45 /usr/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/sbin
drwxr-xr-x 2 root root 12288 Jan  2 12:45 /usr/sbin
[root@ovm327 ~]#

This looks good to us, but let's make the '/root/bin' directory that we intentionally want to violate the compliance check to see what happens:

[root@ovm327 ~]# mkdir -m 0777 /root/bin
[root@ovm327 ~]# ls -ldL `echo $PATH | tr ':' '\n'`
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /bin
drwxrwxrwx 2 root root  4096 Jan  2 13:55 /root/bin
drwxr-xr-x 2 root root  4096 Jan  2 12:45 /sbin
drwxr-xr-x 3 root root 16384 Jan  2 12:45 /usr/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/bin
drwxr-xr-x 2 root root  4096 Feb 16  2010 /usr/local/sbin
drwxr-xr-x 2 root root 12288 Jan  2 12:45 /usr/sbin
[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: false
Evaluation done.
[root@ovm327 ~]#

We have reasonably good confirmation that the OVAL compliance check works the way we expect. However, if we look at the entire set of permissions that enforce the discretionary access control policy, we then realize that there are also permissions on the '/root' directory that prevent the write operations by 'others' in the '/root/bin' directory from succeeding:

[root@ovm327 ~]# ls -ldL /root /root/bin
drwxr-x--- 4 root root 4096 Jan  2 13:55 /root
drwxrwxrwx 2 root root 4096 Jan  2 13:55 /root/bin
[root@ovm327 ~]#

We are not suggesting that mode '0777' permissions on '/root/bin' are acceptable just because the '/root' directory has safer permissions, but the example shows that the OVAL check does not test the security control exactly the way the kernel enforces the permissions. We can justifiably state that the result of the OVAL security compliance check for the '0777' permissions on the '/root/bin' directory is a 'condition negative' with a 'test outcome negative' (i.e. a true negative), but we should also continue to note our other observations related to how access control is actually enforced.

Before proceeding, we will clean up the problem we just temporarily created on our test server:

[root@ovm327 ~]# chmod 0700 /root/bin
[root@ovm327 ~]# ls -ldL /root /root/bin
drwxr-x--- 4 root root 4096 Jan  2 13:55 /root
drwx------ 2 root root 4096 Jan  2 13:55 /root/bin
[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
[root@ovm327 ~]#

Hopefully you find this security compliance check interesting and somewhat enlightening as an illustration of what OpenSCAP can help you with. To continue, we decided to look at a slightly different way of demonstrating the same security control:

[root@ovm327 ~]# wget https://git.fedorahosted.org/cgit/openscap.git/plain/dist/fedora/scap-fedora14-oval.xml

To simplify viewing the relevant portion of the OVAL content, we extracted it as we did with the DISA STIG item. If you also want to test this, here is the raw XML.

Now we can show similar results using a slightly different implementation of the compliance check:

[root@ovm327 ~]# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: true
Evaluation done.
[root@ovm327 ~]# chmod 0770 /root/bin
[root@ovm327 ~]# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: false
Evaluation done.
[root@ovm327 ~]#

But we can also see that it is indeed a different check, because it includes a test for group write permission while 'STIG ID: GEN000960' does not:

[root@ovm327 ~]# chmod 0770 /root/bin
[root@ovm327 ~]# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
[root@ovm327 ~]#

Again, let's fix the problem we temporarily created on our test server:

[root@ovm327 ~]# chmod 0700 /root/bin
[root@ovm327 ~]#

You should also review the CIS Oracle Solaris 11.1 Benchmark v1.0.0 and the CIS Red Hat Enterprise Linux 6 Benchmark v1.2.0: both have the same entry, 'Ensure root PATH Integrity (Scored)', whose audit section shows script commands that step through multiple potential security compliance issues in one pass. It is common practice to combine similar checks in a group, but you may then need to parse the results to obtain a discrete value for a single check.

As an additional consideration, let's shift our focus away from the differences between OVAL compliance definitions to the different operating systems the SCAP content was originally written for. For this part of our testing we start up an Oracle Solaris 11.1 x86 instance running in a VM and run the OpenSCAP tests with the same OVAL compliance checks:

root@sol11:/root# pkg install security/compliance/openscap

root@sol11:/root# ls -ldL `echo $PATH | tr ':' '\n'`
drwxr-xr-x   4 root     bin         1126 Jan  2 14:05 /usr/bin
drwxr-xr-x   4 root     bin          445 Jan  2 13:54 /usr/sbin
root@sol11:/root# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
root@sol11:/root# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: true
Evaluation done.
root@sol11:/root# export PATH=$PATH:/tmp
root@sol11:/root# ls -ldL `echo $PATH | tr ':' '\n'`
drwxrwxrwt   5 root     sys          432 Jan  2 14:09 /tmp
drwxr-xr-x   4 root     bin         1126 Jan  2 14:05 /usr/bin
drwxr-xr-x   4 root     bin          445 Jan  2 13:54 /usr/sbin
root@sol11:/root# oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: false
Evaluation done.
root@sol11:/root# oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: false
Evaluation done.
root@sol11:/root#

Now let's repeat the same OpenSCAP checks with a non-root user account:

admin@sol11:~$ ls -ldL `echo $PATH | tr ':' '\n'`
drwxr-xr-x   4 root     bin         1126 Jan  2 14:05 /usr/bin
drwxr-xr-x   4 root     bin          445 Jan  2 13:54 /usr/sbin
admin@sol11:~$ oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: true
Evaluation done.
admin@sol11:~$ oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: true
Evaluation done.
admin@sol11:~$ export PATH=$PATH:/tmp
admin@sol11:~$ ls -ldL `echo $PATH | tr ':' '\n'`
drwxrwxrwt   5 root     sys          432 Jan  2 14:09 /tmp
drwxr-xr-x   4 root     bin         1126 Jan  2 14:05 /usr/bin
drwxr-xr-x   4 root     bin          445 Jan  2 13:54 /usr/sbin
admin@sol11:~$ oscap oval eval GEN000960.xml
Definition oval:mil.disa.fso.rhel:def:77: false
Evaluation done.
admin@sol11:~$ oscap oval eval fedora-accounts_root_path_dirs_no_write.xml
Definition oval:org.open-scap.f14:def:200855: false
Evaluation done.
admin@sol11:~$

Reviewing the OpenSCAP results from Oracle Solaris surfaces some additional considerations:

    The OVAL content appears to also work on Oracle Solaris 11.1
    The OVAL check is on the current PATH environment variable
    The OVAL check is for the current user shell or cron(1M) process running oscap(8)
    The OVAL check does not look for scripts that set the PATH for application run time environments
    The OVAL check does not account for more sophisticated access control technology
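As an added example (not code from this post, from OpenSCAP, or from the DISA/Fedora OVAL content), the functions below re-implement the two checks over a PATH string, so the difference between 'world-writable only' (GEN000960) and 'group- or world-writable' (the Fedora definition) and the parent-directory caveat from the '/root/bin' example can be reproduced without oscap. They assume GNU coreutils stat as found on Oracle Linux; the Solaris stat syntax differs.

```shell
#!/bin/sh
# Added example, not code from the post or from OpenSCAP/DISA/Fedora content.
# Re-implements the two OVAL checks discussed above over a PATH-like string:
#   scope "other" : GEN000960 semantics   - fail only when a PATH dir is world-writable
#   scope "group" : Fedora-check semantics - fail when a PATH dir is group- OR world-writable
# Assumes GNU coreutils stat (Oracle Linux); Solaris needs a different stat invocation.

# Print "<octal mode> <dir>" for each existing directory in $1, following symlinks like ls -ldL.
path_dir_modes() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -n "$d" ] || continue        # skip empty entries produced by "::" or a trailing ":"
        [ -d "$d" ] || continue        # missing directories are not what this check is about
        printf '%s %s\n' "$(stat -L -c %a "$d")" "$d"
    done
}

# $1 = PATH string, $2 = "other" or "group". Prints offenders; returns 0 if compliant, 1 if not.
check_path_dirs() {
    _scope=$2
    offenders=$(path_dir_modes "$1" | while read -r mode dir; do
        other=${mode#"${mode%?}"}          # last octal digit      -> "others" bits
        rest=${mode%?}
        group=${rest#"${rest%?}"}          # second-to-last digit  -> group bits
        group=${group:-0}
        if [ $(( other & 2 )) -ne 0 ]; then
            printf '%s is world-writable (mode %s)\n' "$dir" "$mode"
        elif [ "$_scope" = group ] && [ $(( group & 2 )) -ne 0 ]; then
            printf '%s is group-writable (mode %s)\n' "$dir" "$mode"
        fi
    done)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# The caveat from the /root/bin example: a world-writable PATH dir is unreachable to "others"
# if some ancestor denies them search (x) permission. Prints the nearest such ancestor and
# returns 0; returns 1 (prints nothing) when every ancestor is traversable by others.
ancestor_denying_others() {
    d=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while [ "$d" != / ]; do
        d=${d%/*}
        [ -n "$d" ] || d=/
        m=$(stat -c %a "$d")
        o=${m#"${m%?}"}
        if [ $(( o & 1 )) -eq 0 ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Stand-alone use: audit the current PATH under both semantics, like running both OVAL files.
if [ "${1:-}" = --run ]; then
    check_path_dirs "$PATH" other && echo "GEN000960 semantics: true" || echo "GEN000960 semantics: false"
    check_path_dirs "$PATH" group && echo "Fedora-check semantics: true" || echo "Fedora-check semantics: false"
fi
```

Like oscap, this evaluates the PATH of the shell that runs it, so a cron or application environment that sets its own PATH must be checked separately.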

To further our understanding of the OVAL content, we decided to run the jOVAL tool which is not included with Oracle Solaris:

admin@sol11:~$ echo $PATH
/usr/bin:/usr/sbin:/tmp
admin@sol11:~$ /usr/share/jOVAL/jovaldi -l 1 -m -o GEN000960.xml

----------------------------------------------------
jOVAL Definition Interpreter
Version: 5.10.1.2
Build date: Thursday, January  2, 2014 04:46:39 PM PST
Copyright (c) 2011-2013 - jOVAL.org

Plugin: Default Plugin
Version: 5.10.1.2
Copyright (C) 2011-2013 - jOVAL.org
----------------------------------------------------

Start Time: Fri Jan 02 16:50:05 2014

 ** parsing /home/admin/GEN000960.xml
     - validating xml schema.
 ** checking schema version
     - Schema version - 5.4
 ** skipping Schematron validation
 ** creating a new OVAL System Characteristics file.
 ** gathering data for the OVAL definitions.
      Collecting object:  FINISHED                      
 ** saving data model to system-characteristics.xml.
 ** skipping Schematron validation
 ** running the OVAL Definition analysis.
      Analyzing definition:  FINISHED                    
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:mil.disa.fso.rhel:def:77           true
    -------------------------------------------------------


 ** finished evaluating OVAL definitions.

 ** saving OVAL results to results.xml.
 ** skipping Schematron validation
 ** running OVAL Results xsl: /usr/share/jOVAL/xml/results_to_html.xsl.

----------------------------------------------------
admin@sol11:~$ echo $PATH
/usr/bin:/usr/sbin:/tmp
admin@sol11:~$ /usr/share/jOVAL/jovaldi -l 1 -m -o fedora-accounts_root_path_dirs_no_write.xml

----------------------------------------------------
jOVAL Definition Interpreter
Version: 5.10.1.2
Build date: Thursday, January  2, 2014 04:46:39 PM PST
Copyright (c) 2011-2013 - jOVAL.org

Plugin: Default Plugin
Version: 5.10.1.2
Copyright (C) 2011-2013 - jOVAL.org
----------------------------------------------------

Start Time: Fri Jan 02 16:50:30 2014

 ** parsing /home/admin/fedora-accounts_root_path_dirs_no_write.xml
     - validating xml schema.
 ** checking schema version
     - Schema version - 5.5
 ** skipping Schematron validation
 ** creating a new OVAL System Characteristics file.
 ** gathering data for the OVAL definitions.
      Collecting object:  FINISHED                         
 ** saving data model to system-characteristics.xml.
 ** skipping Schematron validation
 ** running the OVAL Definition analysis.
      Analyzing definition:  FINISHED                        
 ** OVAL definition results.

    OVAL Id                                 Result
    -------------------------------------------------------
    oval:org.open-scap.f14:def:200855       false
    -------------------------------------------------------


 ** finished evaluating OVAL definitions.

 ** saving OVAL results to results.xml.
 ** skipping Schematron validation
 ** running OVAL Results xsl: /usr/share/jOVAL/xml/results_to_html.xsl.

----------------------------------------------------
admin@sol11:~$

For now, this concludes our initial investigation of OpenSCAP and its potential effectiveness on Oracle VM Server for x86, keeping in mind that the results you observe with your SCAP content need careful interpretation. You will also want to understand the XCCDF security checklists, which are most often used to perform more complete security compliance checks with OpenSCAP, in the same way you can check for STIG compliance:

# oscap xccdf eval --profile stig-rhel6-server --report report.html --results results.xml --cpe ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml

We hope that the security compliance example we chose illustrates that OpenSCAP is not a substitute for the expertise needed to analyze IT security controls, but that it does allow repeatable checks on your production Oracle VM Servers once you have completed sufficient testing. Please contact your Oracle representatives if you have any questions, or open service requests with Oracle Support when you encounter problems.

Finally, please remember that you should report any potential security vulnerabilities in Oracle products following the instructions found here.

Oracle Linux containers continued

Fri, 2013-12-06 16:10
More on Linux containers... the use of btrfs in particular and being able to easily create clones/snapshots of container images. To get started : have an Oracle Linux 6.5 installation with UEKr3 and lxc installed and configured.

lxc by default uses /container as the directory to store container images and metadata: /container/[containername]/rootfs and /container/[containername]/config. You can specify an alternative pathname using -P. To make it easy I added an extra disk to my VM that I use to try out containers (xvdc) and then just mount that volume under /container.

- Create btrfs volume

If not yet installed, install btrfs-progs (yum install btrfs-progs)

# mkfs.btrfs /dev/xvdc1

# mount /dev/xvdc1 /container 
You can auto-mount this at startup by adding a line to /etc/fstab

/dev/xvdc1		/container		btrfs   defaults 0 0

- Create a container

# lxc-create -n OracleLinux59 -t oracle -- -R 5.9
This creates a btrfs subvolume /container/OracleLinux59/rootfs

Use the following command to verify :

# btrfs subvolume list /container/
ID 260 gen 33 top level 5 path OracleLinux59/rootfs

- Start/Stop container

# lxc-start -n OracleLinux59

This starts the container but without extra options your current shell becomes the console of the container.
Add -c [file] and -d for the container to log console output to a file and return control to the shell after starting the container.

# lxc-start -n OracleLinux59 -d -c /tmp/OL59console

# lxc-stop -n OracleLinux59

- Clone a container using btrfs's snapshot feature which is built into lxc

# lxc-clone -o OracleLinux59 -n OracleLinux59-dev1 -s
Tweaking configuration
Copying rootfs...
Create a snapshot of '/container/OracleLinux59/rootfs' in '/container/OracleLinux59-dev1/rootfs'
Updating rootfs...
'OracleLinux59-dev1' created

# btrfs subvolume list /container/
ID 260 gen 34 top level 5 path OracleLinux59/rootfs
ID 263 gen 34 top level 5 path OracleLinux59-dev1/rootfs

This snapshot clone is instantaneous and is a copy on write snapshot.
You can test space usage like this :

# btrfs filesystem df /container
Data: total=1.01GB, used=335.17MB
System: total=4.00MB, used=4.00KB
Metadata: total=264.00MB, used=25.25MB

# lxc-clone -o OracleLinux59 -n OracleLinux59-dev2 -s
Tweaking configuration
Copying rootfs...
Create a snapshot of '/container/OracleLinux59/rootfs' in '/container/OracleLinux59-dev2/rootfs'
Updating rootfs...
'OracleLinux59-dev2' created

# btrfs filesystem df /container
Data: total=1.01GB, used=335.17MB
System: total=4.00MB, used=4.00KB
Metadata: total=264.00MB, used=25.29MB

- Adding Oracle Linux 6.5

# lxc-create -n OracleLinux65 -t oracle -- -R 6.5

lxc-create: No config file specified, using the default config /etc/lxc/default.conf
Host is OracleServer 6.5
Create configuration file /container/OracleLinux65/config
Downloading release 6.5 for x86_64
...
Configuring container for Oracle Linux 6.5
Added container user:oracle password:oracle
Added container user:root password:root
Container : /container/OracleLinux65/rootfs
Config    : /container/OracleLinux65/config
Network   : eth0 (veth) on virbr0
'oracle' template installed
'OracleLinux65' created

- Install an RPM in a running container

# lxc-attach -n OracleLinux59-dev1 -- yum install mysql
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mysql.i386 0:5.0.95-3.el5 set to be updated
..
Complete!

This connects to the container and executes # yum install mysql inside the container.

- Modify container resource usage

# lxc-cgroup -n OracleLinux59-dev1 memory.limit_in_bytes 53687091

# lxc-cgroup -n OracleLinux59-dev1 cpuset.cpus
0-3

# lxc-cgroup -n OracleLinux59-dev1 cpuset.cpus 0,1

Assigns cores 0 and 1. You can also use a range 0-2,...

# lxc-cgroup -n OracleLinux59-dev1 cpu.shares
1024

# lxc-cgroup -n OracleLinux59-dev1 cpu.shares 100

# lxc-cgroup -n OracleLinux59-dev1 cpu.shares
100

# lxc-cgroup -n OracleLinux59-dev1 blkio.weight
500

# lxc-cgroup -n OracleLinux59-dev1 blkio.weight 20

etc...
A list of resource control parameters : http://docs.oracle.com/cd/E37670_01/E37355/html/ol_subsystems_cgroups.html#ol_cpu_cgroups

Lenz has created a Hands-on lab which you can find here : https://wikis.oracle.com/display/oraclelinux/Hands-on+Lab+-+Linux+Containers

Oracle Linux containers

Wed, 2013-12-04 14:24
So I played a bit with docker yesterday (really cool) and as I mentioned, it uses lxc (linux containers) underneath the covers. To create an image based on OL6, I used febootstrap, which works fine but Dwight Engen pointed out that I should just use lxc-create since it does all the work for you.

Dwight's one of the major contributors to lxc. One of the things he did a while back, was adding support in lxc-create to understand how to create Oracle Linux images. All you have to do is provide a version number and it will figure out which yum repos to connect to on http://public-yum.oracle.com and download the required rpms and install them in a local subdirectory. This is of course superconvenient and incredibly fast. So... I played with that briefly this morning and here's the very short summary.

Start out with a standard Oracle Linux 6.5 install and uek3. Make sure to add/install lxc if it's not yet there (yum install lxc) and you're good to go.

*note - you also have to create /container for lxc, so also do mkdir /container after you install lxc. Thanks to Tony for pointing this out.

# lxc-create -n ol65 -t oracle -- -R 6.5

That's it. lxc-create will know this is an Oracle Linux container, using OL6.5's repository to create the container named ol65.

lxc-create automatically connects to public-yum, figures out which repos to use for 6.5, downloads all required rpms and generates the container. At the end you will see :

Configuring container for Oracle Linux 6.5
Added container user:oracle password:oracle
Added container user:root password:root
Container : /container/ol65/rootfs
Config    : /container/ol65/config
Network   : eth0 (veth) on virbr0
'oracle' template installed
'ol65' created

Now all you need to do is :

lxc-start --name ol65

And you are up and running with a new container. Very fast, very easy.

If you want an OL5.9 container (or so) just do lxc-create -n ol59 -t oracle -- -R 5.9. Done. lxc has tons of very cool features, which I will get into more later. You can use this model to import images into docker as well, instead of using febootstrap.

#  lxc-create -n ol65 -t oracle -- -R 6.5
#  tar --numeric-owner -jcp -C /container/ol65/rootfs . | \
    docker import - ol6.5
#  lxc-destroy -n ol65

Oracle Linux 6.5 and Docker

Tue, 2013-12-03 23:21
I have been following the Docker project with great interest for a little while now but never got to actually try it out at all. I found a little bit of time tonight to at least try hello world.

Since docker relies on cgroups and lxc, it should be easy with uek3. We provide official support for lxc, we are in fact a big contributor to the lxc project (shout out to Dwight Engen) and the docker website says that you need to be on 3.8 for it to just work. So, OL6.5 + UEK3 seems like the perfect combination to start out with.

Here are the steps to do a few very simple things:

- Install Oracle Linux 6.5 (with the default UEK3 kernel (3.8.13))

- To quickly play with docker you can just use their example

(*) if you are behind a firewall, set your HTTP_PROXY

-> If you start from a Basic Oracle Linux 6.5 installation, install lxc first. Your out-of-the-box OL should be configured to access the public-yum repositories.

# yum install lxc

-> ensure you mount the cgroups fs

# mkdir -p /cgroup ; mount none -t cgroup /cgroup

-> grab the docker binary

# wget https://get.docker.io/builds/Linux/x86_64/docker-latest -O docker
# chmod 755 docker

-> start the daemon

(*) again, if you are behind a firewall, set your HTTP_PROXY setting (http_proxy won't work with docker)

# ./docker -d &

-> you can verify if it works

# ./docker version
Client version: 0.7.0
Go version (client): go1.2rc5
Git commit (client): 0d078b6
Server version: 0.7.0
Git commit (server): 0d078b6
Go version (server): go1.2rc5

-> now you can try to download an example using ubuntu (we will have to get OL up there :))

# ./docker run -i -t ubuntu /bin/bash

this will go and pull in the ubuntu template and run bash inside

# ./docker run -i -t ubuntu /bin/bash
WARNING: IPv4 forwarding is disabled.
root@7ff7c2bae124:/# 

and now I have a shell inside ubuntu!

-> ok so now on to playing with OL6. Let's create and import a small OL6 image.

-> first install febootstrap so that we can create an image

# yum install febootstrap

-> now you have to point to a place where you have the repoxml file and the packages on an http server. I copied my ISO content over to a place.

I will install some basic packages in the subdirectory ol6 (it will create an OL installed image - this is based on what folks did for centos so it works the same, see https://github.com/dotcloud/docker/blob/master/contrib/mkimage-centos.sh)

# febootstrap -i bash -i coreutils -i tar -i bzip2 -i gzip \
-i vim-minimal -i wget -i patch -i diffutils -i iproute -i yum ol6 ol6 http://wcoekaer-srv/ol/

# touch ol6/etc/resolv.conf
# touch ol6/sbin/init

-> tar it up and import it

# tar --numeric-owner -jcpf ol6.tar.gz -C ol6 .
# cat ol6.tar.gz | ./docker import - ol6

Success!

List the image

# ./docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ol6                 latest              d389ed8db59d        8 minutes ago       322.7 MB (virtual 322.7 MB)
ubuntu              12.04               8dbd9e392a96        7 months ago        128 MB (virtual 128 MB)

And now I have a docker image with ol6 that I can play with!

# ./docker run -i -t ol6 ps aux
WARNING: IPv4 forwarding is disabled.
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  1.0  0.0  11264   656 ?        R+   23:58   0:00 ps aux

Way more to do but this all just worked out of the box!

# ./docker run ol6 /bin/echo hello world
WARNING: IPv4 forwarding is disabled.
hello world

That's it for now. Next time, I will try to create a mysql/ol6 image and various other things.

This really shows the power of containers on Linux and Linux itself. We have all these various Linux distributions but inside lxc (or docker) you can run ubuntu, debian, gentoo, yourowncustomcrazything and it will just run, old versions of OL, newer versions of OL, all on the same host kernel.

I can run OL6.5 and create OL4, OL5, OL6 containers or docker images but I can also run any old debian or slackware images at the same time.

Oracle Linux 6.5

Wed, 2013-11-27 11:21
Oracle Linux 6.5 has been uploaded to ULN and public-yum. OL6.5 includes UEKr3 based on Linux 3.8 alongside the base 2.6.32-based kernel.

The ISOs are available for download from My Oracle Support and will be available shortly(early December) from edelivery.

The ISOs are also being mirrored to public external mirror sites, one of them is my own mirror site.

Release notes are here.

Spacewalk 2.0 provided to manage Oracle Linux systems

Mon, 2013-11-11 15:33
Oracle Linux customers have a few options to manage and provision their servers. We provide a license to use Oracle Enterprise Manager's Linux OS management, monitoring and provisioning features without additional cost for every server that has an Oracle Linux support subscription. So there is no additional pack to license and no additional per-server cost; it's all included in our Basic, Premier and Systems support subscriptions. The nice thing with Oracle Enterprise Manager is that you end up with a single management product that can manage all aspects of your software stack. You have complete insight into the applications running, you have roles and responsibilities, you have third party connectors for storage or other products, and it makes it very easy and convenient to correlate data and events when something happens. If you use Oracle VM as well, you end up with a complete cloud portal with self-service, chargeback, etc...

Another, much simpler option, is just using yum. It is very easy to take a server and create directories and expose these through apache as repositories. You can have a simple yum config on each server pointing to a few specific repositories. It requires some manual effort in terms of creating directories, downloading packages and creating local repo files but it's easy to do and for many people a preferred solution.

There are also a good number of customers that just connect their servers directly to ULN or to our free update server public-yum. Just to re-iterate, our public-yum servers have all the errata and updates available for free.

Now we have added another option. Many of our customers have switched from a competing Linux vendor and are familiar with that vendor's management tools. Switching to Oracle for support is very easy since we don't require changes to the installed servers, but we also want to make sure there is a very easy and almost transparent switch for the management tools as well. While Oracle Enterprise Manager is our preferred way of managing systems, we are now offering Spacewalk 2.0 to our customers. The community project can be found here. We have made a few changes to ensure easy and complete support for Oracle Linux, tested it with public-yum, etc. You can find the rpms in our public-yum repos at http://public-yum.oracle.com/repo/OracleLinux/OL6/. There are repositories for the spacewalk server, and for each version (OL5, OL6) and architecture (x86 and x86-64) we have the client repositories as well. Spacewalk itself is only made available for OL6 x86-64.

Documentation can be found here.

I set it up myself and here are some quick steps on how you can get going in just a matter of minutes:

Spacewalk Server Installation :

1) Installing an Oracle Database

Use an existing Oracle Database or install a new Oracle Database (Standard or Enterprise Edition) [at this time use 11g, we will add support for 12c in the near future]. This database can be installed on the spacewalk server or on a separate remote server.

While Oracle XE might work for a small sample POC, we do not support the use of Oracle XE; spacewalk repositories can become large and create a significant database workload.

Customers can use their existing database licenses, or they can download the database with a trial licence from http://edelivery.oracle.com. Oracle Linux subscribers (customers) are allowed to use the Oracle Database as a spacewalk repository as part of their Oracle Linux subscription at no additional cost.

|NOTE : spacewalk requires the database to be configured with the UTF8 characterset.
|Installation will fail if your database does not use UTF8.
|To verify if your database is configured correctly, run the following command in sqlplus:
|
|select value from nls_database_parameters where parameter='NLS_CHARACTERSET';
|This should return 'AL32UTF8'

2) Configure the database schema for spacewalk

Ideally, create a tablespace in the database to hold the spacewalk schema tables/data;

create tablespace spacewalk datafile '/u01/app/oracle/oradata/orcl/spacewalk.dbf'
 size 10G autoextend on;

Create the database user spacewalk (or use some other schema name) in sqlplus.

example :

 create user spacewalk identified by spacewalk;
 grant connect, resource to spacewalk;
 grant create table, create trigger, create synonym, create view, 
 alter session to spacewalk;
 grant unlimited tablespace to spacewalk;
 alter user spacewalk default tablespace spacewalk;

3) Spacewalk installation and configuration

Spacewalk server requires an Oracle Linux 6 x86-64 system. Clients can be Oracle Linux 5 or 6, both 32- and 64-bit. The server is only supported on OL6/64-bit.

The easiest way to get started is to do a 'Minimal' install of Oracle Linux on a server and configure the yum repository to include the spacewalk repo from public-yum.

Once you have a system with a minimal install, modify your yum repo to include the spacewalk repo.

Example :

edit /etc/yum.repos.d/public-yum-ol.repo and add the following lines at the end of the file :

[spacewalk]
name=spacewalk
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/spacewalk20/server/$basearch/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=1

Install the following pre-requisite packages on your spacewalk server :

oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64
oracle-instantclient11.2-sqlplus-11.2.0.3.0-1.x86_64

rpm -ivh oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64.rpm
rpm -ivh oracle-instantclient11.2-sqlplus-11.2.0.3.0-1.x86_64.rpm

The above RPMs can be found on the Oracle Technology Network website :
http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html

As the root user, configure the library path to include the Oracle Instant Client libraries :

cd /etc/ld.so.conf.d
echo /usr/lib/oracle/11.2/client64/lib > oracle-instantclient11.2.conf
ldconfig

Install spacewalk :

# yum install spacewalk-oracle
The above yum command should download and install all required packages to run spacewalk on your local server.

| NOTE : if you did a full, desktop or workstation installation, 
| you have to remove the JTA package
| BEFORE installing spacewalk-oracle (rpm -e --nodeps jta)

Once the installation completes, simply run the spacewalk configuration tool and you are all set. (make sure to run the command with the 2 arguments)

spacewalk-setup --disconnected --external-db

Answer the questions during the setup, ensure you provide the current database user (example : spacewalk) and password (example : spacewalk) and database server hostname (the standard hostname of the server on which you have deployed the Oracle database)

At the end of the setup script, your spacewalk server should be fully configured and you can log into the web portal. Use your favorite browser to connect to the website : http://[spacewalkserverhostname]

The very first action will be to create the main admin account.

Oracle Secure Global Desktop (SGD) 5.1

Tue, 2013-11-05 10:16
Last week, we released the latest update of Oracle Secure Global Desktop.

Release 5.1 introduces a number of bug fixes and smaller changes, but the most interesting one is definitely increased support for html5-based client access. In SGD 5.0 we added support for Apple iPads using Safari to connect to SGD and display your session right inside the browser. The traditional model for SGD is that you connect using a web browser to the webtop, and applications are displayed locally using a local client (tta). This client gets installed the first time you connect. So in the traditional model (which works very well...) you need a web browser, java and the tta client. With the addition of html5 support, there's no longer a need to install a local client; in fact, there is also no longer a need to have java installed. We currently support Chrome as a browser to enable html5 clients. This allows us to enable html5 on android devices and also on desktops running Chrome (Windows, MacOS X, Linux).

Connections will work transparently across proxy servers as well. So now you can run any SGD published app or desktop right from your web browser, inside a browser window. This is very convenient and cool.

Oracle Linux and Oracle VM pricing guide

Wed, 2013-10-30 22:41
A few days ago someone showed me a pricing guide from a Linux vendor and I was a bit surprised at the complexity of it. Especially when you look at larger servers (4 or 8 sockets) and when adding virtual machine use into the mix.
I think we have a very compelling and simple pricing model for both Oracle Linux and Oracle VM. Let me see if I can explain it in 1 page, not 10 pages.

This pricing information is publicly available on the Oracle store, I am using the current public list prices. Also keep in mind that this is for customers using non-oracle x86 servers. When a customer purchases an Oracle x86 server, the annual systems support includes full use (all you can eat) of Oracle Linux, Oracle VM and Oracle Solaris (no matter how many VMs you run on that server, in case you deploy guests on a hypervisor). This support level is the equivalent of premier support in the list below.

Let's start with Oracle VM (x86) :
Oracle VM support subscriptions are per physical server on which you deploy the Oracle VM Server product.

  • (1) Oracle VM Premier Limited -> 1- or 2 socket server : $599 per server per year
  • (2) Oracle VM Premier -> more than 2 socket server (4, or 8 or whatever more) : $1199 per server per year

  • The above includes the use of Oracle VM Manager and Oracle Enterprise Manager Cloud Control's Virtualization management pack (including self service cloud portal, etc..)
  • 24x7 support, access to bugfixes, updates and new releases. It also includes all options, live migrate, dynamic resource scheduling, high availability, dynamic power management, etc

If you want to play with the product, or even use the product without access to support services, the product is freely downloadable from edelivery.

Next, Oracle Linux :
Oracle Linux support subscriptions are per physical server.
If you plan to run Oracle Linux as a guest on Oracle VM, VMWare or Hyper-v, you only have to pay for a single subscription per system, we do not charge per guest or per number of guests. In other words, you can run any number of Oracle Linux guests per physical server and count it as just a single subscription.

  • (1) Oracle Linux Network Support -> any number of sockets per server : $119 per server per year
  • Network support does not offer support services. It provides access to the Unbreakable Linux Network and also offers full indemnification for Oracle Linux.

  • (2) Oracle Linux Basic Limited Support -> 1- or 2 socket servers : $499 per server per year
  • This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud control for Linux OS management. It includes ocfs2 as a clustered filesystem.

  • (3) Oracle Linux Basic Support -> more than 2 socket server (4, or 8 or more) : $1199 per server per year
  • This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud control for Linux OS management. It includes ocfs2 as a clustered filesystem

  • (4) Oracle Linux Premier Limited Support -> 1- or 2 socket servers : $1399 per server per year
  • This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud control for Linux OS management, XFS filesystem support. It also offers Oracle Lifetime support, backporting of patches for critical customers in previous versions of package and ksplice zero-downtime updates.

  • (5) Oracle Linux Premier Support -> more than 2 socket servers : $2299 per server per year
  • This subscription provides 24x7 support services, access to the Unbreakable Linux Network and the Oracle Support portal, indemnification, use of Oracle Clusterware for Linux HA and use of Oracle Enterprise Manager Cloud control for Linux OS management, XFS filesystem support. It also offers Oracle Lifetime support, backporting of patches for critical customers in previous versions of package and ksplice zero-downtime updates.

  • (6) Freely available Oracle Linux -> any number of sockets
  • You can freely download Oracle Linux, install it on any number of servers and use it for any reason, without support, without right to use of these extra features like Oracle Clusterware or ksplice, without indemnification. However, you do have full access to all errata as well. Need support? then use options (1)..(5)

    So that's it. Count number of 2 socket boxes, more than 2 socket boxes, decide on basic or premier support level and you are done. You don't have to worry about different levels based on how many virtual instances you deploy or want to deploy. A very simple menu of choices. We offer, inclusive, Linux OS clusterware, Linux OS Management, provisioning and monitoring, cluster filesystem (ocfs), high performance filesystem (xfs), dtrace, ksplice, ofed (infiniband stack for high performance networking). No separate add-on menus.

    NOTE : socket/cpu can have any number of cores. So whether you have a 4,6,8,10 or 12 core CPU doesn't matter, we count the number of physical CPUs.

Oracle Linux 5.10 channels are now published

Mon, 2013-10-07 16:54
We just released Oracle Linux 5.10 channels on both http://public-yum.oracle.com and the Unbreakable Linux Network. ISOs are going to be updated on edelivery in a few days. The channels are available immediately.

As many of you know, we are now using a CDN to distribute the RPMs for public-yum globally, so you should have good bandwidth everywhere to freely access the RPMs.
