Introducción
Para los administradores de sistemas, el tiempo de actividad del servidor es fundamental, los servidores de producción deben permanecer en línea el mayor tiempo posible. Pero, por otro lado, el administrador del sistema tiene que parchear sus servidores para mantener la confiabilidad y seguridad del servidor. Si los parches son para aplicaciones, puede que no sea necesario reiniciar el servidor. Si los parches son para el kernel, es posible que deba reiniciar el servidor.
Ksplice es una tecnología de Linux que le permite realizar actualizaciones de seguridad, parches de diagnóstico y correcciones de errores críticos sin tener que reiniciar el servidor Linux. Esta tecnología asegura que el tiempo de actividad del servidor sea intocable. Su servidor puede seguir ejecutándose mientras las tareas de actualización del kernel se ejecutan al mismo tiempo.
Si su intención es instalar Ksplice en un servidor remoto, continúe leyendo; de lo contrario, si desea instalar Ksplice en su computadora local, omita el primer párrafo "Conexión al servidor" y lea el siguiente.
Conexión al servidor
Para acceder al servidor, necesita conocer la dirección IP. También necesitará la contraseña para la autenticación.
Para conectarse al servidor como root, escriba este comando:
ssh root@IP_DEL_SERVER
A continuación, se le pedirá que ingrese la contraseña del usuario root.
Si no usa el usuario root, puede iniciar sesión con otro nombre de usuario usando el mismo comando, luego cambie el primer parámetro:
ssh VOSTRO_UTENTE@IP_DEL_SERVER
Luego se le pedirá que ingrese su contraseña de usuario.
Ahora está conectado a su servidor, está listo para comenzar a instalar Ksplice en Ubuntu 18.04 LTS.
Instalación de Ksplice
Ksplice es una función gratuita de Oracle Linux para Ubuntu Desktop.
Descarga Ksplice del sitio oficial, abre la terminal y da el siguiente comando:
wget https://www.ksplice.com/uptrack/dist/bionic/ksplice-uptrack.deb
Asegúrese de que el índice del paquete esté actualizado:
sudo apt update
Instala curl, un paquete fundamental para el correcto funcionamiento de Ksplice:
sudo apt install curl
Instale Ksplice:
sudo dpkg -i ksplice-uptrack.deb
Puede encontrar errores de dependencia no satisfechos, similares a los siguientes:
(Reading database... 172559 files and directories currently installed.)
Unpacking ksplice-uptrack (from ksplice-uptrack.deb)...
dpkg: dependency problems prevent configuration of ksplice-uptrack:
ksplice-uptrack depends on python-support (>= 0.90.0); however:
Package python-support is not installed.
ksplice-uptrack depends on python-yaml; however:
Package python-yaml is not installed.
ksplice-uptrack depends on python-glade2; however:
Package python-glade2 is not installed.
dpkg: error processing ksplice-uptrack (--install):
dependency problems - leaving unconfigured
Processing triggers for ureadahead...
Processing triggers for hicolor-icon-theme...
Processing triggers for desktop-file-utils...
Processing triggers for bamfdaemon...
Rebuilding /usr/share/applications/bamf.index...
Processing triggers for gnome-menus...
Processing triggers for man-db...
Errors were encountered while processing:
ksplice-uptrack
Asegúrese de tener instalado el paquete libgtk2-perl, luego:
sudo apt libgtk2-perl
Emita el siguiente comando para instalar dependencias insatisfechas adicionales:
sudo apt-get -f install
Luego intente instalar Ksplice:
sudo dpkg -i ksplice-uptrack.deb
Acepte los términos de servicio de Ksplice durante la instalación.
Utilice Ksplice
Verifique la versión del kernel instalada actualmente:
uname -a
Debería recibir un mensaje de salida similar al siguiente:
Linux TEST-SERVER-1 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Ver actualizaciones disponibles:
sudo uptrack-show --available
Debería recibir un mensaje de salida similar al siguiente:
Available updates:
[kx439ww7] Provide an interface to freeze tasks.
[ska01ssl] Denial-of-service in ipip tunnel netlink interface.
[3go6oyo5] CVE-2019-6133: Permission bypass of userspace Policykit protection.
[5x7jayi4] CVE-2018-19854: Information leak in cryptography socket NETLINK_CRYPTO call.
[tadv3mdg] Spurious signals during TTY reopen.
[hrgzfvxu] Kernel panic in IPv6 GRE tunneling driver.
[cwn4w1tx] Additional Spectre v1 hardening for ZeitNet ZN1221/ZN1225 driver.
[6w6untra] Use-after-free when receiving tpacket with virtio header over a TCP socket.
[s8m7k83y] NULL pointer dereference when setting backend in Host kernel accelerator for virtio net.
[t7pvhabl] Improved fix for Spectre v1: Bounds-check bypass in Chelsio Communications T3 10Gb Ethernet driver.
[2jn5t59w] Denial-of-service when connecting to an access point with Realtek rtlwifi family of devices.
[hpg0sjg7] Use-after-free in ebtables evaluation loop.
[dfhcrq5b] Buffer overflow in warning messages of Reiser filesystem.
[nxuemv9f] Use-after-free when sending messages over Transport Layer Security socket.
[4t1q9dbs] Out-of-bounds access when using Kernel automounter version 4.
[4748t4sq] Denial-of-service in Virtio while executing XDP_REDIRECT.
[mp1720yp] Denial-of-service in KVM KVM_IRQFD ioctl().
[t2138itw] Denial-of-service in FAT filesystem option parsing.
[alo13e2i] Denial-of-service in non-hierarchical memory cgroup iteration.
[nsqtf220] Improved fix for Spectre v1: Information leak in VFIO PCI ioctl.
[nfx5ryuo] Memory corruption with Nouveau Multi-Stream Transport connectors.
[me66xx4j] Denial-of-service in IPv4 TCP socket close.
[8bq1elhn] Denial-of-service in kernel rhashtable destruction.
[nwdyay0t] NULL pointer dereference in FQ_CODEL net scheduling initialization.
[5uhi3qqt] CVE-2018-18397: Permission bypass when using userfaultd to write temp or hugetlb filesystem files.
[i4cqjpq7] NULL pointer dereference when running fstrim on Bcache driver.
[bo3gpwwc] Use-after-free when creating a iscsi session fails.
[o29ijq6p] CVE-2019-8912: Use-after-free when releasing a socket.
[2va3g4vv] CVE-2019-6974: Use-after-free in KVM device creation.
[exix2vth] CVE-2019-7221: Use-after-free in nested KVM preemption timer.
[4c8w2sub] CVE-2019-7222: Information disclosure in KVM VMX emulation.
[dhc6pw7v] Information leak in IPv6 raw sockets with IP(V6)_ORIGDSTADDR.
[px693rkb] Denial-of-service in IP skbuff error handling.
[nu0bq4d7] Denial-of-service in Linux Screen Reader speakup read.
[tv5gdze2] Information leak when forking a process.
[bfefb52d] Denial-of-service in event trigger tracing.
[7i5gdnxd] Information leak in trace code when creating kthreads.
[c7xipqkt] Use-after-free in NFSv4 device info decode.
[9f1950wo] Information leak in /proc pagemap swap entries.
[evcotpkc] Denial-of-service in Intel Wireless driver receive buffer allocation.
[adxtq4is] Denial-of-service in sysfs PCI device disable.
[lj8jg0ac] Use-after-free in NVMe RDMA admin queue start.
[s38k6thv] Denial-of-service in Marvell mwifiex histogram data.
[j35zym55] Denial-of-service in pty character insert with multiple threads.
[7kxo5p4w] Denial-of-service in SCSI 3ware chrdev ioctl.
[9p989jth] Denial-of-service in SCSI QLogic QEDF Virtual Port removal.
[f5qe0qat] Information leak in crypto IPsec authenc key setting.
[1ldd018g] Denial-of-service with corrupt squashfs image.
[e2mwqj3y] Denial-of-service in PMEM namespace removal.
[796dz10q] Denial-of-service in fork with large number of Virtual Memory Areas.
[ek9hohzk] Use-after-free in ceph statfs.
[jygbe5rb] Denial-of-service in LightNVM pblk error handling.
[dmfrtx8h] Denial-of-service while reading TPC stats in the ath10k driver.
[f21r8k2b] CVE-2019-3459: Information leak when processing L2CAP options controlled by an attacker.
[lm2si9ya] CVE-2018-19824: Use-after-free when registering a malicious USB audio device.
[ks1hrpy0] KPTI enablement for Ksplice.
[2gj5rs2m] CVE-2018-14678: Privilege escalation in Xen PV guests.
[qe2pfubx] CVE-2019-8980: Denial-of-service in kernel read file implementation.
[cdhfokdm] CVE-2019-3460: Information leak when parsing L2CAP options received from userspace.
[neh6fj14] CVE-2019-9213: Bypass of mmap_min_addr restriction.
[tz0lc6j1] Use-after-free of socket buffer in crypto API core.
[9mg1vjt4] Improved fix to CVE-2017-5753: Speculative execution in eBPF programs.
[7hhwei9c] CVE-2019-7308: Out-of-bounds speculation in BPF verifier.
[qe6dqeir] Information leak when doing pointer subtraction in eBPF.
[9hncdlm9] Denial-of-services when creating new ipsets.
Effective kernel version is 4.15.0-45.48
Para instalar las actualizaciones da el siguiente comando:
sudo uptrack-upgrade
Debería recibir un mensaje de salida similar al siguiente:
The following steps will be taken:
Install [kx439ww7] Provide an interface to freeze tasks.
Install [ska01ssl] Denial-of-service in ipip tunnel netlink interface.
Install [3go6oyo5] CVE-2019-6133: Permission bypass of userspace Policykit protection.
Install [5x7jayi4] CVE-2018-19854: Information leak in cryptography socket NETLINK_CRYPTO call.
Install [tadv3mdg] Spurious signals during TTY reopen.
Install [hrgzfvxu] Kernel panic in IPv6 GRE tunneling driver.
Install [cwn4w1tx] Additional Spectre v1 hardening for ZeitNet ZN1221/ZN1225 driver.
Install [6w6untra] Use-after-free when receiving tpacket with virtio header over a TCP socket.
Install [s8m7k83y] NULL pointer dereference when setting backend in Host kernel accelerator for virtio net.
Install [t7pvhabl] Improved fix for Spectre v1: Bounds-check bypass in Chelsio Communications T3 10Gb Ethernet driver.
Install [2jn5t59w] Denial-of-service when connecting to an access point with Realtek rtlwifi family of devices.
Install [hpg0sjg7] Use-after-free in ebtables evaluation loop.
Install [dfhcrq5b] Buffer overflow in warning messages of Reiser filesystem.
Install [nxuemv9f] Use-after-free when sending messages over Transport Layer Security socket.
Install [4t1q9dbs] Out-of-bounds access when using Kernel automounter version 4.
Install [4748t4sq] Denial-of-service in Virtio while executing XDP_REDIRECT.
Install [mp1720yp] Denial-of-service in KVM KVM_IRQFD ioctl().
Install [t2138itw] Denial-of-service in FAT filesystem option parsing.
Install [alo13e2i] Denial-of-service in non-hierarchical memory cgroup iteration.
Install [nsqtf220] Improved fix for Spectre v1: Information leak in VFIO PCI ioctl.
Install [nfx5ryuo] Memory corruption with Nouveau Multi-Stream Transport connectors.
Install [me66xx4j] Denial-of-service in IPv4 TCP socket close.
Install [8bq1elhn] Denial-of-service in kernel rhashtable destruction.
Install [nwdyay0t] NULL pointer dereference in FQ_CODEL net scheduling initialization.
Install [5uhi3qqt] CVE-2018-18397: Permission bypass when using userfaultd to write temp or hugetlb filesystem files.
Install [i4cqjpq7] NULL pointer dereference when running fstrim on Bcache driver.
Install [bo3gpwwc] Use-after-free when creating a iscsi session fails.
Install [o29ijq6p] CVE-2019-8912: Use-after-free when releasing a socket.
Install [2va3g4vv] CVE-2019-6974: Use-after-free in KVM device creation.
Install [exix2vth] CVE-2019-7221: Use-after-free in nested KVM preemption timer.
Install [4c8w2sub] CVE-2019-7222: Information disclosure in KVM VMX emulation.
Install [dhc6pw7v] Information leak in IPv6 raw sockets with IP(V6)_ORIGDSTADDR.
Install [px693rkb] Denial-of-service in IP skbuff error handling.
Install [nu0bq4d7] Denial-of-service in Linux Screen Reader speakup read.
Install [tv5gdze2] Information leak when forking a process.
Install [bfefb52d] Denial-of-service in event trigger tracing.
Install [7i5gdnxd] Information leak in trace code when creating kthreads.
Install [c7xipqkt] Use-after-free in NFSv4 device info decode.
Install [9f1950wo] Information leak in /proc pagemap swap entries.
Install [evcotpkc] Denial-of-service in Intel Wireless driver receive buffer allocation.
Install [adxtq4is] Denial-of-service in sysfs PCI device disable.
Install [lj8jg0ac] Use-after-free in NVMe RDMA admin queue start.
Install [s38k6thv] Denial-of-service in Marvell mwifiex histogram data.
Install [j35zym55] Denial-of-service in pty character insert with multiple threads.
Install [7kxo5p4w] Denial-of-service in SCSI 3ware chrdev ioctl.
Install [9p989jth] Denial-of-service in SCSI QLogic QEDF Virtual Port removal.
Install [f5qe0qat] Information leak in crypto IPsec authenc key setting.
Install [1ldd018g] Denial-of-service with corrupt squashfs image.
Install [e2mwqj3y] Denial-of-service in PMEM namespace removal.
Install [796dz10q] Denial-of-service in fork with large number of Virtual Memory Areas.
Install [ek9hohzk] Use-after-free in ceph statfs.
Install [jygbe5rb] Denial-of-service in LightNVM pblk error handling.
Install [dmfrtx8h] Denial-of-service while reading TPC stats in the ath10k driver.
Install [f21r8k2b] CVE-2019-3459: Information leak when processing L2CAP options controlled by an attacker.
Install [lm2si9ya] CVE-2018-19824: Use-after-free when registering a malicious USB audio device.
Install [ks1hrpy0] KPTI enablement for Ksplice.
Install [2gj5rs2m] CVE-2018-14678: Privilege escalation in Xen PV guests.
Install [qe2pfubx] CVE-2019-8980: Denial-of-service in kernel read file implementation.
Install [cdhfokdm] CVE-2019-3460: Information leak when parsing L2CAP options received from userspace.
Install [neh6fj14] CVE-2019-9213: Bypass of mmap_min_addr restriction.
Install [tz0lc6j1] Use-after-free of socket buffer in crypto API core.
Install [9mg1vjt4] Improved fix to CVE-2017-5753: Speculative execution in eBPF programs.
Install [7hhwei9c] CVE-2019-7308: Out-of-bounds speculation in BPF verifier.
Install [qe6dqeir] Information leak when doing pointer subtraction in eBPF.
Install [9hncdlm9] Denial-of-services when creating new ipsets.
Go ahead [y/N]? y
Presione " y " para confirmar la instalación. Cuando termine, debería recibir un mensaje de salida similar al siguiente:
Your kernel is fully up to date.
Effective kernel version is 4.15.0-47.50
Verifique la versión actualizada del kernel:
uptrack-uname -a
Debería recibir un mensaje de salida similar al siguiente:
Linux TEST-SERVER-1 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
La actualización del kernel se realizó sin reiniciar el servidor.
Actualizaciones automáticas
Puede habilitar las actualizaciones automáticas. Al habilitar esta función, las actualizaciones se instalarán automáticamente sin tener que seguir manualmente los pasos anteriores cada vez que se publiquen actualizaciones.
El cliente Uptrack se ejecutará periódicamente (a través de cron ) para buscar nuevas actualizaciones. En el archivo /etc/uptrack/uptrack.conf, puede configurar Uptrack para que instale automáticamente nuevas actualizaciones o simplemente le notifique cuando estén disponibles. Para habilitar esta función abra el siguiente archivo:
sudo nano /etc/uptrack/uptrack.conf
Vaya al archivo de archivo, busque la entrada de instalación automática, cambie no a sí, luego:
autoinstall = yes
Guarde y cierre el archivo.
La instalación de Ksplice en Ubuntu 18.04 LTS ha finalizado.
