Ksplice: Upgrade / Patch Your Linux Kernel Without Reboots

by on April 9, 2010 · 10 comments· LAST UPDATED April 11, 2010

in

Generally, all Linux distributions needs a scheduled reboot once to stay up to date with important kernel security updates. RHN (or other distro vendors) provides Linux kernel security updates. You can apply kernel updates using yum command or apt-get command line options. After each upgrade you need to reboot the server. Ksplice service allows you to skip reboot step and apply hotfixes to kernel without rebooting the server. In this post I will cover a quick installation of Ksplice for RHEL 5.x and try to find out if service is worth every penny.

The technology and hack behind this looks pretty cool. This is useful if you've a small number of Linux based servers and/or you want avoid unscheduled reboot just to apply hotfix to Linux kernel.

How Do I Install Ksplice?

First, you need to register with Ksplice. Type the following command to install rpm repo under RHEL 5:
# rpm -ivh https://www.ksplice.com/yum/uptrack/centos/ksplice-uptrack-release.noarch.rpm
To install Ksplice, enter:
# yum install uptrack
Edit /etc/uptrack/uptrack.conf, enter:
# vi /etc/uptrack/uptrack.conf
Update it as follows (input your access key):

[Auth]
accesskey = ADD-YOUR-ACCESS-KEY-HERE
[Network]
# Proxy to use when accessing the Uptrack server, of the form
# [protocol://][:port]
# The proxy must support making HTTPS connections. If this is unset,
# Uptrack will look for the https_proxy, HTTPS_PROXY, and http_proxy
# environment variables in that order, and then finally look for a
# proxy setting in the system-wide GConf database, if available.
https_proxy =
[Settings]
# Automatically install updates at boot time. If this is set, on
# reboot into the same kernel, Uptrack will re-install the same set of
# updates that were present before the reboot.
install_on_reboot = yes
# Options configuring the Uptrack cron job.
#
# GUI users will get all notices via the GUI and likely want to set
# the following cron options to "no".
# Cron job will install updates automatically
autoinstall = no
# Cron job will print a message when new updates are installed.
# This option is only relevant if autoinstall = yes
cron_output_install = no
# Cron job will print a message when new updates are available
cron_output_available = no
# Cron job will print a message when it encounters errors
cron_output_error = no

Save and close the file.

How Do I Apply Rebootless Kernel Updates?

You need to first download and apply updates via RHN:
# yum -y update
OR
# yum update kernel kernel-headers kernel-devel
Don't reboot the box, simply type the following command to apply hotfix:
# uptrack-upgrade
To see a list of updates that are currently installed, enter:
# uptrack-show -y

Sample Email Notification

You will get an email as follows when updates are available:

Fig.01: Ksplice Update Notification

Fig.01: Ksplice Update Notification


The web interface also provides information about your server and installed kernel updates:
Fig.02: Uptrack Web Interface

Fig.02: Uptrack Web Interface

Conclusion

The pricing is as follows:

  • Monthly price per system First 20 servers : $3.95
  • Beyond 20 servers: $2.95
  • Currently it is free for all Ubuntu users.

Ksplice is a pretty good and stable software. This is useful for Linux admin or business who can not accept downtime for patching. A few business comes in my mind:

  • Small shop, say 8-12 Linux based servers.
  • Pro-blogging or webmaster servers (a typical setup included one web server and one db server). Avoiding downtime means more ad revenue for webmasters.
  • Hosting companies - again avoiding downtime means good customer satisfactions and less work for sys admins. If you run VM based hosting (OpenVZ or XEN based vps) you can avoid downtime too.
  • Small cluster of Linux system, say 6 system - If cluster is using 80% of capacity and if one of node rebooted for kernel upgrade, load will up for rest of 5 systems. In such case, this service can help to keep load under control without rebooting the box. However, this is NOT very useful for very large Linux based cluster redundant load-balanced servers, routers, switches, firewalls etc. Since your cluster is so large that 4-5 servers failing makes no difference to the remaining nodes. In some cases it is possible to do geo load balancing too.

But I've HA Failover Solution In Place...

100% uptime depends upon lots of factors and and HA solution handles hardware or other failures very well. However, Ksplice service is not all about 100% uptime, it is about not rebooting your server for a Linux kernel upgrade. You can easily combine Ksplice with HA solution (such as keepalived+nginx reverse proxy) and try to get perfect five 9s. I highly recommend this service for small to medium size business or professional webmasters.

Further readings:

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 10 comments… read them below or add one }

1 Firas April 9, 2010 at 12:12 pm

Thanks Vivek, but it’s look that we will have trouble when we finish upgrading the kernel with csf iptables, in somehow “i think” we should reboot the server again after fixing the header’s with iptables, right ?

Thanks!-j0

Reply

2 nixCraft April 9, 2010 at 1:10 pm

@Firas,

Why do you need to reboot server when you finish upgrading the kernel with csf iptables? Does it loads and compile additional modules? I don’t think so, but I never used csf.

Reply

3 Anonymous April 9, 2010 at 2:06 pm

Excellent post. Tonight will try it on Ubuntu :)

Reply

4 Damijan April 11, 2010 at 11:53 am

Hi,

Ksplice seems useless if you have your customized kernel. It needs to be ‘official’ kernel from e.g. Ubuntu or RHEL. I am running customized kernel on Debian Squeeze …

So this technology is pretty useless to me (at least for now) ….

Cheers,

D.

Reply

5 Fiber Optic Converter April 12, 2010 at 6:43 am

thanks for your sharing, it’s very helpful to me

Reply

6 Jalal Hajigholamali July 22, 2010 at 1:16 pm

Hi,
Thanks a lot…… Excellent post.

Reply

7 Nick B August 2, 2010 at 9:18 pm

Can’t you just do the same thing with kexec?

Actually – wouldn’t kexec let you load even a custom kernel?

Reply

8 nixCraft August 3, 2010 at 9:17 am

Kexec only works on x86 32-bit platform only. I don’t have a single server running 32bit version here. Second kexec will overwrite memory. What will happen to existing files and process in memory?

Reply

9 Bart September 26, 2010 at 12:28 pm

Are you sure? Because the package kexec-tools exists in Ubuntu amd64.

I did try it out but the kernel restart time seems to be same as a normal reboot. I don’t know how to debug further remotely.
On my Debian i386 server it reboots much more quickly than before.

It’s true that for a high availability server Ksplice can wok well but for other, low traffic servers kexec is still useful because there should be fewer network timeouts (if at all).

Reply

10 Philippe Petrinko January 7, 2011 at 1:10 pm

I had to STFW, because I used to think it was all FOSS, but it is now only OSS.

At least, free utility is available for X86-64/32bits ( http://www.ksplice.com/software )

Pricing for Professional users seems to be today affordable for most businesses, but I would like to know what the basic OpenSource part ( http://www.ksplice.com/software ) can do and why.

On the Web site, Ksplice org. give big and scary warnings not to use free utility, but it seems to be counter-productive to advertise in the same time reliability of commercial version towards dangers of free utility..

You wrote down: “Currently it is free for all Ubuntu users.”
To be precise, UBUNTU desktop is free, UBUNTU server is not. Thanks for updating your post.

I enjoyed this topic.

Reply

Leave a Comment

Tagged as: , , , , , , , , , , , , , , , , , , , , , , , , , ,

Previous post:

Next post: