Introduction
For system administrators, server uptime is fundamental: production servers need to stay online for as long as possible. On the other hand, administrators must patch those servers to keep them reliable and secure. If the patches are for applications, a reboot is usually not needed. If the patches are for the kernel, a reboot is normally required, because a new kernel only takes effect when it is booted.
Ksplice is a Linux technology that applies security updates, diagnostic patches and critical bug fixes to the running kernel without rebooting the server. The fixes are built as live patches that are loaded into the kernel already in memory, so the server keeps serving while the kernel update is applied. The kernel image on disk is not changed by this: regular kernel package updates are still needed so that the next boot starts from a patched kernel.
If you intend to install Ksplice on a remote server, keep reading; if you want to install it on your local machine, skip the "Connecting to the server" section and go straight to the next one.
Connecting to the server
To access the server you need its IP address. You also need a credential for authentication: the user's password, or better an SSH key already authorized on the server, since key-based login avoids exposing a root password over the network.
To connect to the server as root, run:
ssh root@IP_DEL_SERVER
You will then be asked for the root password.
If you do not use the root account, connect with another username using the same command, changing the first parameter:
ssh VOSTRO_UTENTE@IP_DEL_SERVER
You will then be asked for your user's password.
You are now connected to the server and ready to start installing Ksplice on Ubuntu 18.04 LTS. The commands below use sudo, so an unprivileged user with sudo rights is sufficient (and preferable to working as root).
Installing Ksplice
Ksplice is an Oracle Linux technology; its Uptrack client is offered free of charge for Ubuntu Desktop. Check the licence terms before relying on it for servers.
Download Ksplice from the official site: open a terminal and run:
wget https://www.ksplice.com/uptrack/dist/bionic/ksplice-uptrack.deb
Make sure the package index is up to date:
sudo apt update
Install curl, which Ksplice needs to work correctly:
sudo apt install curl
Install Ksplice:
sudo dpkg -i ksplice-uptrack.deb
You may see unmet-dependency errors similar to the following:
(Reading database ... 172559 files and directories currently installed.)
Unpacking ksplice-uptrack (from ksplice-uptrack.deb) ...
dpkg: dependency problems prevent configuration of ksplice-uptrack:
ksplice-uptrack depends on python-support (>= 0.90.0); however:
Package python-support is not installed.
ksplice-uptrack depends on python-yaml; however:
Package python-yaml is not installed.
ksplice-uptrack depends on python-glade2; however:
Package python-glade2 is not installed.
dpkg: error processing ksplice-uptrack (--install):
dependency problems - leaving unconfigured
Processing triggers for ureadahead ...
Processing triggers for hicolor-icon-theme ...
Processing triggers for desktop-file-utils ...
Processing triggers for bamfdaemon ...
Rebuilding /usr/share/applications/bamf.index...
Processing triggers for gnome-menus ...
Processing triggers for man-db ...
Errors were encountered while processing:
ksplice-uptrack
Make sure the libgtk2-perl package is installed:
sudo apt install libgtk2-perl
Run the following command to install the remaining unmet dependencies:
sudo apt-get -f install
Then try installing Ksplice again:
sudo dpkg -i ksplice-uptrack.deb
Accept the Ksplice terms of service during installation.
Using Ksplice
Check the currently installed kernel version:
uname -a
You should see output similar to the following:
Linux TEST-SERVER-1 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
List the available updates:
sudo uptrack-show --available
You should see output similar to the following:
Available updates:
[kx439ww7] Provide an interface to freeze tasks.
[ska01ssl] Denial-of-service in ipip tunnel netlink interface.
[3go6oyo5] CVE-2019-6133: Permission bypass of userspace Policykit protection.
[5x7jayi4] CVE-2018-19854: Information leak in cryptography socket NETLINK_CRYPTO call.
[tadv3mdg] Spurious signals during TTY reopen.
[hrgzfvxu] Kernel panic in IPv6 GRE tunneling driver.
[cwn4w1tx] Additional Spectre v1 hardening for ZeitNet ZN1221/ZN1225 driver.
[6w6untra] Use-after-free when receiving tpacket with virtio header over a TCP socket.
[s8m7k83y] NULL pointer dereference when setting backend in Host kernel accelerator for virtio net.
[t7pvhabl] Improved fix for Spectre v1: Bounds-check bypass in Chelsio Communications T3 10Gb Ethernet driver.
[2jn5t59w] Denial-of-service when connecting to an access point with Realtek rtlwifi family of devices.
[hpg0sjg7] Use-after-free in ebtables evaluation loop.
[dfhcrq5b] Buffer overflow in warning messages of Reiser filesystem.
[nxuemv9f] Use-after-free when sending messages over Transport Layer Security socket.
[4t1q9dbs] Out-of-bounds access when using Kernel automounter version 4.
[4748t4sq] Denial-of-service in Virtio while executing XDP_REDIRECT.
[mp1720yp] Denial-of-service in KVM KVM_IRQFD ioctl().
[t2138itw] Denial-of-service in FAT filesystem option parsing.
[alo13e2i] Denial-of-service in non-hierarchical memory cgroup iteration.
[nsqtf220] Improved fix for Spectre v1: Information leak in VFIO PCI ioctl.
[nfx5ryuo] Memory corruption with Nouveau Multi-Stream Transport connectors.
[me66xx4j] Denial-of-service in IPv4 TCP socket close.
[8bq1elhn] Denial-of-service in kernel rhashtable destruction.
[nwdyay0t] NULL pointer dereference in FQ_CODEL net scheduling initialization.
[5uhi3qqt] CVE-2018-18397: Permission bypass when using userfaultd to write temp or hugetlb filesystem files.
[i4cqjpq7] NULL pointer dereference when running fstrim on Bcache driver.
[bo3gpwwc] Use-after-free when creating a iscsi session fails.
[o29ijq6p] CVE-2019-8912: Use-after-free when releasing a socket.
[2va3g4vv] CVE-2019-6974: Use-after-free in KVM device creation.
[exix2vth] CVE-2019-7221: Use-after-free in nested KVM preemption timer.
[4c8w2sub] CVE-2019-7222: Information disclosure in KVM VMX emulation.
[dhc6pw7v] Information leak in IPv6 raw sockets with IP(V6)_ORIGDSTADDR.
[px693rkb] Denial-of-service in IP skbuff error handling.
[nu0bq4d7] Denial-of-service in Linux Screen Reader speakup read.
[tv5gdze2] Information leak when forking a process.
[bfefb52d] Denial-of-service in event trigger tracing.
[7i5gdnxd] Information leak in trace code when creating kthreads.
[c7xipqkt] Use-after-free in NFSv4 device info decode.
[9f1950wo] Information leak in /proc pagemap swap entries.
[evcotpkc] Denial-of-service in Intel Wireless driver receive buffer allocation.
[adxtq4is] Denial-of-service in sysfs PCI device disable.
[lj8jg0ac] Use-after-free in NVMe RDMA admin queue start.
[s38k6thv] Denial-of-service in Marvell mwifiex histogram data.
[j35zym55] Denial-of-service in pty character insert with multiple threads.
[7kxo5p4w] Denial-of-service in SCSI 3ware chrdev ioctl.
[9p989jth] Denial-of-service in SCSI QLogic QEDF Virtual Port removal.
[f5qe0qat] Information leak in crypto IPsec authenc key setting.
[1ldd018g] Denial-of-service with corrupt squashfs image.
[e2mwqj3y] Denial-of-service in PMEM namespace removal.
[796dz10q] Denial-of-service in fork with large number of Virtual Memory Areas.
[ek9hohzk] Use-after-free in ceph statfs.
[jygbe5rb] Denial-of-service in LightNVM pblk error handling.
[dmfrtx8h] Denial-of-service while reading TPC stats in the ath10k driver.
[f21r8k2b] CVE-2019-3459: Information leak when processing L2CAP options controlled by an attacker.
[lm2si9ya] CVE-2018-19824: Use-after-free when registering a malicious USB audio device.
[ks1hrpy0] KPTI enablement for Ksplice.
[2gj5rs2m] CVE-2018-14678: Privilege escalation in Xen PV guests.
[qe2pfubx] CVE-2019-8980: Denial-of-service in kernel read file implementation.
[cdhfokdm] CVE-2019-3460: Information leak when parsing L2CAP options received from userspace.
[neh6fj14] CVE-2019-9213: Bypass of mmap_min_addr restriction.
[tz0lc6j1] Use-after-free of socket buffer in crypto API core.
[9mg1vjt4] Improved fix to CVE-2017-5753: Speculative execution in eBPF programs.
[7hhwei9c] CVE-2019-7308: Out-of-bounds speculation in BPF verifier.
[qe6dqeir] Information leak when doing pointer subtraction in eBPF.
[9hncdlm9] Denial-of-services when creating new ipsets.
Effective kernel version is 4.15.0-45.48
To install the updates, run:
sudo uptrack-upgrade
You should see output similar to the following:
The following steps will be taken:
Install [kx439ww7] Provide an interface to freeze tasks.
Install [ska01ssl] Denial-of-service in ipip tunnel netlink interface.
Install [3go6oyo5] CVE-2019-6133: Permission bypass of userspace Policykit protection.
Install [5x7jayi4] CVE-2018-19854: Information leak in cryptography socket NETLINK_CRYPTO call.
Install [tadv3mdg] Spurious signals during TTY reopen.
Install [hrgzfvxu] Kernel panic in IPv6 GRE tunneling driver.
Install [cwn4w1tx] Additional Spectre v1 hardening for ZeitNet ZN1221/ZN1225 driver.
Install [6w6untra] Use-after-free when receiving tpacket with virtio header over a TCP socket.
Install [s8m7k83y] NULL pointer dereference when setting backend in Host kernel accelerator for virtio net.
Install [t7pvhabl] Improved fix for Spectre v1: Bounds-check bypass in Chelsio Communications T3 10Gb Ethernet driver.
Install [2jn5t59w] Denial-of-service when connecting to an access point with Realtek rtlwifi family of devices.
Install [hpg0sjg7] Use-after-free in ebtables evaluation loop.
Install [dfhcrq5b] Buffer overflow in warning messages of Reiser filesystem.
Install [nxuemv9f] Use-after-free when sending messages over Transport Layer Security socket.
Install [4t1q9dbs] Out-of-bounds access when using Kernel automounter version 4.
Install [4748t4sq] Denial-of-service in Virtio while executing XDP_REDIRECT.
Install [mp1720yp] Denial-of-service in KVM KVM_IRQFD ioctl().
Install [t2138itw] Denial-of-service in FAT filesystem option parsing.
Install [alo13e2i] Denial-of-service in non-hierarchical memory cgroup iteration.
Install [nsqtf220] Improved fix for Spectre v1: Information leak in VFIO PCI ioctl.
Install [nfx5ryuo] Memory corruption with Nouveau Multi-Stream Transport connectors.
Install [me66xx4j] Denial-of-service in IPv4 TCP socket close.
Install [8bq1elhn] Denial-of-service in kernel rhashtable destruction.
Install [nwdyay0t] NULL pointer dereference in FQ_CODEL net scheduling initialization.
Install [5uhi3qqt] CVE-2018-18397: Permission bypass when using userfaultd to write temp or hugetlb filesystem files.
Install [i4cqjpq7] NULL pointer dereference when running fstrim on Bcache driver.
Install [bo3gpwwc] Use-after-free when creating a iscsi session fails.
Install [o29ijq6p] CVE-2019-8912: Use-after-free when releasing a socket.
Install [2va3g4vv] CVE-2019-6974: Use-after-free in KVM device creation.
Install [exix2vth] CVE-2019-7221: Use-after-free in nested KVM preemption timer.
Install [4c8w2sub] CVE-2019-7222: Information disclosure in KVM VMX emulation.
Install [dhc6pw7v] Information leak in IPv6 raw sockets with IP(V6)_ORIGDSTADDR.
Install [px693rkb] Denial-of-service in IP skbuff error handling.
Install [nu0bq4d7] Denial-of-service in Linux Screen Reader speakup read.
Install [tv5gdze2] Information leak when forking a process.
Install [bfefb52d] Denial-of-service in event trigger tracing.
Install [7i5gdnxd] Information leak in trace code when creating kthreads.
Install [c7xipqkt] Use-after-free in NFSv4 device info decode.
Install [9f1950wo] Information leak in /proc pagemap swap entries.
Install [evcotpkc] Denial-of-service in Intel Wireless driver receive buffer allocation.
Install [adxtq4is] Denial-of-service in sysfs PCI device disable.
Install [lj8jg0ac] Use-after-free in NVMe RDMA admin queue start.
Install [s38k6thv] Denial-of-service in Marvell mwifiex histogram data.
Install [j35zym55] Denial-of-service in pty character insert with multiple threads.
Install [7kxo5p4w] Denial-of-service in SCSI 3ware chrdev ioctl.
Install [9p989jth] Denial-of-service in SCSI QLogic QEDF Virtual Port removal.
Install [f5qe0qat] Information leak in crypto IPsec authenc key setting.
Install [1ldd018g] Denial-of-service with corrupt squashfs image.
Install [e2mwqj3y] Denial-of-service in PMEM namespace removal.
Install [796dz10q] Denial-of-service in fork with large number of Virtual Memory Areas.
Install [ek9hohzk] Use-after-free in ceph statfs.
Install [jygbe5rb] Denial-of-service in LightNVM pblk error handling.
Install [dmfrtx8h] Denial-of-service while reading TPC stats in the ath10k driver.
Install [f21r8k2b] CVE-2019-3459: Information leak when processing L2CAP options controlled by an attacker.
Install [lm2si9ya] CVE-2018-19824: Use-after-free when registering a malicious USB audio device.
Install [ks1hrpy0] KPTI enablement for Ksplice.
Install [2gj5rs2m] CVE-2018-14678: Privilege escalation in Xen PV guests.
Install [qe2pfubx] CVE-2019-8980: Denial-of-service in kernel read file implementation.
Install [cdhfokdm] CVE-2019-3460: Information leak when parsing L2CAP options received from userspace.
Install [neh6fj14] CVE-2019-9213: Bypass of mmap_min_addr restriction.
Install [tz0lc6j1] Use-after-free of socket buffer in crypto API core.
Install [9mg1vjt4] Improved fix to CVE-2017-5753: Speculative execution in eBPF programs.
Install [7hhwei9c] CVE-2019-7308: Out-of-bounds speculation in BPF verifier.
Install [qe6dqeir] Information leak when doing pointer subtraction in eBPF.
Install [9hncdlm9] Denial-of-services when creating new ipsets.
Go ahead [y/N]? y
Press "y" to confirm the installation.
When it finishes, you should see output similar to the following:
Your kernel is fully up to date.
Effective kernel version is 4.15.0-47.50
Check the effective kernel version after the live patches (uptrack-uname reports the patched version; plain uname -a keeps showing the kernel that was booted):
uptrack-uname -a
You should see output similar to the following:
Linux TEST-SERVER-1 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
The kernel has been updated without rebooting the server. Keep in mind that uname -r still reports the booted kernel (4.15.0-45 here) while uptrack-uname reports the effective one, so vulnerability scanners or inventory scripts that read uname alone will still consider this machine unpatched; use uptrack-uname, or uptrack-show to list the installed updates, when you need the real state.
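As an added check (example code written for this guide, not Ksplice's own tooling), the script below reports whether the running kernel is effectively patched by reading uname -r, uptrack-uname -r and uptrack-show --available. The parsing helpers are exercised on a sample built from the uptrack-show output shown earlier, so that part runs without Ksplice installed; only the status action reads the live system. It assumes that the Ubuntu ABI number (4.15.0-47 in the outputs above) is the right thing to compare between the booted and effective versions.

```shell
#!/bin/sh
# ksplice-status.sh: example added for this guide, not Ksplice's own tooling.
# After a live patch, uname(2) still returns the booted kernel string; only
# uptrack-uname reports the effective (patched) version. Any check that
# decides "vulnerable / not vulnerable" from uname -r alone (scanners,
# inventory scripts) must read the effective version instead.
set -eu

# Constructed sample, copied from the uptrack-show output shown above,
# so the parsers can be exercised without Ksplice installed.
SAMPLE_SHOW='Available updates:
[kx439ww7] Provide an interface to freeze tasks.
[3go6oyo5] CVE-2019-6133: Permission bypass of userspace Policykit protection.
[neh6fj14] CVE-2019-9213: Bypass of mmap_min_addr restriction.
Effective kernel version is 4.15.0-45.48'

# Number of pending updates on stdin: lines of the form "[id] description".
count_available() {
    grep -c '^\[[[:alnum:]]*\] ' || true
}

# Version from the trailing "Effective kernel version is X" line on stdin.
effective_version() {
    sed -n 's/^Effective kernel version is //p' | tail -n 1
}

# Reduce "4.15.0-47-generic" or "4.15.0-47.50" to the Ubuntu ABI "4.15.0-47",
# the part that differs between the booted and effective outputs above.
abi_of() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+-[0-9]+).*$/\1/'
}

# Field-by-field numeric comparison: returns 0 when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Live check: succeeds only when nothing is pending and the effective ABI is
# at least the booted one.
ksplice_status() {
    booted=$(uname -r)
    effective=$(uptrack-uname -r)
    pending=$(uptrack-show --available | count_available)
    printf 'booted kernel:    %s\neffective kernel: %s\npending updates:  %s\n' \
        "$booted" "$effective" "$pending"
    if [ "$pending" -ne 0 ]; then
        echo "NOT fully patched: run uptrack-upgrade" >&2
        return 1
    fi
    version_ge "$(abi_of "$effective")" "$(abi_of "$booted")"
}

case "${1:-}" in
    status)   ksplice_status ;;
    selftest) printf '%s\n' "$SAMPLE_SHOW" | count_available
              printf '%s\n' "$SAMPLE_SHOW" | effective_version ;;
    '')       echo "usage: $0 status | selftest" >&2 ;;
    *)        echo "usage: $0 status | selftest" >&2; exit 2 ;;
esac
```

Run `sh ksplice-status.sh status` on the patched host; a non-zero exit means either pending updates or an effective version older than the booted one, which should not happen and is worth investigating. `sh ksplice-status.sh selftest` only exercises the parsers on the embedded sample.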
Automatic updates
Automatic updates can be enabled.
With this feature enabled, updates are installed automatically, without repeating the steps above by hand every time new updates are released.
The Uptrack client runs periodically (via cron) to check for new updates. In the file /etc/uptrack/uptrack.conf you can configure Uptrack either to install new updates automatically or just to notify you when they are available.
To enable this feature, open the following file:
sudo nano /etc/uptrack/uptrack.conf
Go to the end of the file, find the autoinstall entry and change no to yes, so that it reads:
autoinstall = yes
Save and close the file.
The installation of Ksplice on Ubuntu 18.04 LTS is complete.
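Putting the installation steps above and the autoinstall change just described together, here is a small script added for this guide; it is not part of Ksplice or Oracle's tooling. It assumes Ubuntu 18.04 (bionic), the download URL used above, the /etc/uptrack/uptrack.conf path and the autoinstall key from this section, and that lsb_release is present. The dist/<codename> shape of the URL is taken from that single bionic URL and is an assumption for any other release.

```shell
#!/bin/sh
# ksplice-setup.sh: example added for this guide, not Ksplice's own tooling.
# Assumes Ubuntu 18.04 (bionic) and the .deb URL used above; the
# dist/<codename> pattern for other releases is an assumption.
set -eu

UPTRACK_BASE_URL="https://www.ksplice.com/uptrack/dist"
UPTRACK_CONF="/etc/uptrack/uptrack.conf"

# Download URL for a given Ubuntu codename (bionic for 18.04).
uptrack_deb_url() {
    printf '%s/%s/ksplice-uptrack.deb\n' "$UPTRACK_BASE_URL" "$1"
}

# dpkg, apt and /etc/uptrack are root-only.
require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (or via sudo)" >&2; exit 1; }
}

# Download and install the client. 'apt-get install ./file.deb' resolves the
# package's dependencies in one go (apt >= 1.1, which 18.04 ships), so the
# dpkg -i / apt-get -f install round trip shown above is not needed. The
# Ksplice terms-of-service prompt stays interactive on purpose.
install_uptrack() {
    require_root
    codename=$(lsb_release -cs)
    tmpdir=$(mktemp -d)
    chmod 755 "$tmpdir"          # the unprivileged _apt helper must read it
    deb="$tmpdir/ksplice-uptrack.deb"
    wget -O "$deb" "$(uptrack_deb_url "$codename")"
    apt-get update
    apt-get install -y curl
    apt-get install -y "$deb"
    rm -rf "$tmpdir"
    uptrack-show --available     # proves the client can reach the service
}

# Rewrite "key = value" in an ini-style file, keeping the key where it is.
# Refuses to append rather than guess which section a missing key belongs in.
# value must not contain sed metacharacters ('/', '&'); "yes"/"no" are fine.
set_conf_key() {
    file=$1; key=$2; value=$3
    grep -q "^[[:space:]]*$key[[:space:]]*=" "$file" || {
        echo "$key not found in $file; add it under the right section by hand" >&2
        return 1
    }
    sed -i "s/^[[:space:]]*$key[[:space:]]*=.*/$key = $value/" "$file"
}

usage() {
    echo "usage: $0 install | enable-autoinstall" >&2
}

case "${1:-}" in
    install)            install_uptrack ;;
    enable-autoinstall) require_root; set_conf_key "$UPTRACK_CONF" autoinstall yes ;;
    '')                 usage ;;
    *)                  usage; exit 2 ;;
esac
```

Run `sudo sh ksplice-setup.sh install` first, then `sudo sh ksplice-setup.sh enable-autoinstall` once you have decided that unattended live patching is what you want on that host; the second step only flips the existing autoinstall line and leaves the rest of the file untouched.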