Wim Coekaerts


Using Let's Encrypt with Oracle Linux in Oracle Cloud Infrastructure

Tue, 2018-02-13 10:13

I stole Sergio's headline here and I am just going to link to his blog :)...

Sergio wrote up a how-to on using a let's encrypt cert and installing it on OL using nginx in an Oracle Cloud instance created and deployed with Terraform.

That's a lot of words right there but it should demonstrate a few things:

  • All the extra packages we have been publishing of late in the Oracle Linux EPEL (Extra Packages for Enterprise Linux) mirror. (Yes, they're the same packages, but they're built on Oracle Linux, signed by us, and on the same yum repo, so you don't have to install separate files to get to them.) This includes certbot and the other packages that you need for this.
  • The convenience of having terraform, terraform-provider-oci RPMs to easily get going without downloading anything elsewhere.
  • Integration of Oracle Linux yum servers inside Oracle Cloud Infrastructure for fast and easy access with no external network traffic charges.

So you can find his blog here.

Oracle Linux kernel blogs

Mon, 2018-02-12 10:50

Don't forget to check the Linux kernel team's blog. We're having a regular cadence now to write up things that are hopefully interesting. Projects the developers are working on or have worked on etc...

 

public-yum.oracle.com / yum.oracle.com now support https

Sun, 2018-02-11 13:06

Might have taken us a while but you can now use https in your .repo files to connect to our yum repositories.

We will transition the repo files we ship over time but we don't want to break people that have customizations.

So in the meantime, if you have repo files in /etc/yum.repos.d that point to http://yum.oracle.com or http://public-yum.oracle.com you can just do a search/replace.

Something like:

sed 's/http:\/\/public-yum.oracle.com/https:\/\/public-yum.oracle.com/g; s/http:\/\/yum.oracle.com/https:\/\/yum.oracle.com/g' public-yum-ol7.repo > public-yum-ol7.repo.new

and then replace the repo file.
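
The same search/replace as a script, added here as an example (it is not from the original post): it rewrites only the two Oracle yum hosts in a .repo file, keeps a backup, and lists any stanza that still fetches over plain http or has gpgcheck=0. The function names, the sample file and the internal mirror hostname are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); function names are illustrative.

# Switch one .repo file from http to https for yum.oracle.com and
# public-yum.oracle.com only, so customized third-party entries are untouched.
# The original is kept as <file>.bak.
repo_to_https() {
    cp -p "$1" "$1.bak" || return 1
    sed -E 's#http://((public-)?yum\.oracle\.com)#https://\1#g' "$1.bak" > "$1"
}

# Report settings in a directory of .repo files that weaken package integrity:
# plain-http baseurl/gpgkey/mirrorlist values and gpgcheck=0.
# Prints "file [section] key=value" per finding; exit status 1 if any were found.
repo_audit() {
    awk '
        /^[ \t]*\[/ { section = $0; next }
        /^[ \t]*#/  { next }
        index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        (key == "baseurl" || key == "gpgkey" || key == "mirrorlist") && val ~ /^http:/ {
            print FILENAME, section, key "=" val; bad = 1
        }
        key == "gpgcheck" && val == "0" {
            print FILENAME, section, key "=" val; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"/*.repo
}

# Constructed sample: one Oracle stanza still on http, plus a hypothetical
# customized stanza that the rewrite must leave alone.
write_sample() {
    cat > "$1/public-yum-ol7.repo" <<'EOF'
[ol7_latest]
name=Oracle Linux $releasever Latest ($basearch)
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL7/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

[local_custom]
name=Hypothetical internal mirror
baseurl=http://mirror.example.internal/ol7/
gpgcheck=0
enabled=1
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample "$dir"
    echo "findings before:"; repo_audit "$dir" || true
    repo_to_https "$dir/public-yum-ol7.repo"
    echo "findings after:";  repo_audit "$dir" || true
    rm -rf "$dir"
}
demo
```

On a real system, point repo_audit at /etc/yum.repos.d; the entries it still lists after the rewrite are the customized ones that need a manual decision.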

Using a BareMetal GPU shape in Oracle Cloud Infrastructure with Oracle Linux 7 and TensorFlow

Wed, 2018-02-07 13:32

A lot of developers are using TensorFlow for Machine Learning these days. In Oracle Cloud Infrastructure we provide some great GPU options. One of them is the BM.GPU2.2 shape which is an X7-based GPU system (contains 2 P100 Nvidia GPUs).

When you create an OCI instance using this shape with Oracle Linux 7, it comes pre-installed with the kernel modules to enable the GPUs. Ready to use.

Getting TensorFlow installed is very easy:

Install some prerequisite RPMs, some come from the EPEL yum repo which we provide as part of Oracle Linux and is enabled by default in your yum.repos file.

# sudo yum -y install python-pip python-devel atlas atlas-devel gcc-gfortran openssl-devel libffi-devel

# sudo pip install --upgrade virtualenv

# virtualenv --system-site-packages ~/venvs/tensorflow

# source ~/venvs/tensorflow/bin/activate

Now you can install TensorFlow using pip. Use tensorflow-gpu if you want the GPU-enabled version; otherwise just use tensorflow.

(tensorflow) # pip install --upgrade tensorflow-gpu

or

(tensorflow) # pip install --upgrade tensorflow

To use tensorflow-gpu you have to install the Nvidia CUDA packages. This version of tensorflow depends on version 9.0.

(tensorflow) # sudo yum -y install cuda-9-0

Run a TF example:

(tensorflow) #  pip install pandas

(tensorflow) # sudo yum -y install git

(tensorflow) # mkdir git

(tensorflow) # cd git

(tensorflow) # git clone https://github.com/tensorflow/models

(tensorflow) # cd models/samples/core/get_started/

(tensorflow) # python premade_estimator.py

and that's it. Super easy without any manual downloads.


Oracle Solaris 11.4 Beta publicly available on Oracle Technology Network (OTN)

Tue, 2018-01-30 13:49

Oracle Solaris 11.4 Beta is downloadable from OTN as of right now.  This is a very exciting milestone. Go and download it and play with it!

 

For more information see:

https://blogs.oracle.com/solaris/oracle-solaris-114-open-beta-released

http://www.oracle.com/technetwork/server-storage/solaris11/114beta/solaris114beta-4257760.html

https://docs.oracle.com/cd/E37838_01/

RPMs for VirtualBox guest addition drivers for Oracle Linux now available

Sun, 2017-12-24 11:12

This has been a long time coming... but finally... for those that don't regularly check our 'What's new' page on yum.oracle.com...

We started building the kernel modules and guest additions for VirtualBox guests for Oracle Linux 6 and 7 (UEK4):

 

  • Packages Released on Fri Dec 22 2017 
    • VirtualBox-5.2-5.2.4_119785_el7-1 - Oracle VM VirtualBox (Update)
    • vboxguest-tools-5.2.4-1.el7 - VirtualBox guest utilities (New)
    • kmod-vboxguest-uek4-5.2.4-1.el7 - vboxguest kernel modules (New)
    • VirtualBox-5.2-5.2.4_119785_el6-1 - Oracle VM VirtualBox (Update)
    • vboxguest-tools-5.2.4-1.el6 - VirtualBox guest utilities (New)
    • kmod-vboxguest-uek4-5.2.4-1.el6 - vboxguest kernel modules (New)

The main reason for doing this is to make it easy to have a guest with the additions installed. No need to install gcc, kernel-devel and so on. That keeps the image smaller; even if you remove gcc etc. afterwards, you have to compact the filesystem again and so on. Anyway... I hope people like this. I think it's pretty cool and I will use it a lot when building VirtualBox guest images.

On a side note, regarding my previous blog post about yum in OCI: someone asked if we plan to do https as well as http. Yes, we plan to do that; it's being worked on.

Oracle Linux yum repository mirrors inside Oracle Cloud Infrastructure

Fri, 2017-12-22 11:16

I mentioned in a previous post that this was coming... well it's here now! :)

We have local mirrors of yum.oracle.com inside the OCI regions:

http://yum-fra.oracle.com

http://yum-ash.oracle.com

http://yum-phx.oracle.com

Unlike our Oracle Container Registry mirrors, these yum repos are only available from inside the OCI regions. So if you have instances in a given region, you can point your yum.repo to your local server and you get (1) very fast yum installs and (2) no counting against your network bandwidth since it doesn't leave the datacenters. Oracle Linux 6 and 7 are mirrored, we are also adding Oracle Linux 5.

"Oracle Container Runtime for Docker" (17. ...

Thu, 2017-12-21 15:33

Basically - added 17.09.1 and 1.8.4-2.0.1 to http://yum.oracle.com/repo/OracleLinux/OL7/preview/x86_64/index.html

Enjoy.

node.js 4, node.js 6, nodejs 8, node-oracledb12, php7.0 php 7.1 - php-oci

Thu, 2017-12-21 02:00

Just in time for the holidays.

A bunch of new RPMs released in a bunch of new channels on http://yum.oracle.com.

- node.js 4, node.js 6 and node.js 8 for both OL6 and OL7 along with the node-oracledb-12c add-on that lets you connect to Oracle Databases out of the box.

- php 7.0 and php 7.1

more stuff in EPEL

 

have fun...

 

New packages added to Oracle Linux (OCI SDK/CLI, more EPEL packages, GlusterFS server, Terraform,...

Fri, 2017-12-15 11:41

For the folks that don't check our awesomely cool what's new page :-) on yum.oracle.com, here's a bit of a summary of some of the cool packages we just added in the last week or 2:

- latest version of terraform (0.11.1-1) and soon a new terraform-provider-oci

- VirtualBox-5.2-5.2.2 updates in the developer repo so you can just yum install it instead of downloading it manually

- a TON, and I mean a TON more packages in our EPEL clone. (Again, no forking or modifying: we just want to make sure it comes from the same place and is signed by us and built by us. We also clone our yum repo inside Oracle Cloud so customers don't get charged for network bandwidth when they download packages for the OS; by having our EPEL clone, that counts for all those packages as well, of course.) Last time I checked we had about 7500 RPMs in the EPEL repo.

- the latest tagged version of the OCI python SDK and CLI (1.3.11 and 2.4.13) - we had a bit of a delay in the past but that's resolved and we're caught up

- GlusterFS server is now in the developer repository for both OL6 and OL7

- we now have an em agent 13cr2 preinstall rpm for OL7 (in add ons) to make it easy to install em agent

- UEK4 update 6 was released yesterday.

More stuff coming soon...

 

Installing Visual Studio Code on Oracle Linux 7

Thu, 2017-11-30 17:43

Visual Studio Code is a popular editor. There is an RPM available for "el7" from the Microsoft yumrepo. This RPM can be manually downloaded on Oracle Linux 7 and installed with # yum localinstall code...  or # rpm -ivh code... but it's easier to just create a yum repo file so that you can just do # yum install code and # yum update code.

Here's an example. On Oracle Linux 7 (not 6), as user root:

# cd /etc/yum.repos.d

create a file, let's say vscode.repo with the following content:

[vscode]
name=vscode
baseurl=https://packages.microsoft.com/yumrepos/vscode/
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc

 

and now you can just do

# yum install code
Loaded plugins: langpacks, ulninfo
vscode                                                   | 2.9 kB     00:00     
Resolving Dependencies
--> Running transaction check
---> Package code.x86_64 0:1.18.1-1510857496.el7 will be installed
y
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch           Version                       Repository      Size
================================================================================
Installing:
 code         x86_64         1.18.1-1510857496.el7         vscode          63 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 63 M
Installed size: 186 M
Is this ok [y/d/N]: Downloading packages:
code-1.18.1-1510857496.el7.x86_64.rpm                      |  63 MB   00:41     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : code-1.18.1-1510857496.el7.x86_64                            1/1
  Verifying  : code-1.18.1-1510857496.el7.x86_64                            1/1

Installed:
  code.x86_64 0:1.18.1-1510857496.el7                                           

Complete!

That's it.

 

ARM, YUM, Cloud, containers,...

Thu, 2017-11-30 11:43

It's been a while since my last post so a lot of stuff has been going on! This one will be a random collection of things that I want to point out. I will have to use a lot of tags to keep search engines happy here :-)

Where to start...

Preview release : Oracle Linux 7 for ARM64 (aarch64)

Given the growing interest in ARM64, we created a publicly available, free-to-download version of OL7 for ARM64, with no registration keys, no access codes and no authentication codes. You can go download it here: http://www.oracle.com/technetwork/server-storage/linux/downloads/oracle-linux-arm-4072846.html

We have an ISO you can install on a few available ARM64 servers, more servers will be tested and added over time. (See release notes) and we also created a little runtime image for the RPI3. That way you can easily try it out in minutes on a cheap, readily available platform.

Tons of RPMs have been built and are on http://yum.oracle.com (specifically: http://yum.oracle.com/repo/OracleLinux/OL7/latest/aarch64/index.html ) We currently use a 4.13 kernel but that will soon move to 4.14 (basis for the next version of UEK).

One of the reasons we do a preview release right now and not GA is because it's still a fast moving target. Lots of kernel changes coming, we're looking at providing the latest toolchain, gcc7, create a good public developer program around Oracle Linux for ARM64 and the introduction of new platforms over the next several months that might require adding new drivers, compile the binaries with better optimizations etc... so right now I would not want  to call this Generally Available. It's certainly in a good state for developers to start using and get their feet wet, for partners that are interested in ARM to start porting apps and work with us as we improve performance and build out the developer ecosystem. It's certainly an exciting development. We're working on all the usual things, we are working on ksplice,  dtrace, lots of server side enhancements that are still missing, testing of kvm, seeing if we can build even the kernel with gcc7.2? Pick the right chip to target for optimizations...

New packages for Oracle Linux

Over the last several months we started adding a ton of new RPMs on yum to make it easier for admins and developers that want newer stuff that's just not typically available directly from the Enterprise Linux vendor side.

We track the latest versions of terraform (and the OCI-provider for terraform), we released dotnet2.0, powershell updates, over a 1000 RPMs added from the EPEL repository, docker 17.06. We packaged the OCI SDK and CLI into RPMs to make it easy (no need to run pip install).

For the nitpickers - as I mentioned previously, we are just replicating EPEL, we are not 'forking' it, we are not modifying source, the intent is to have it available from the same 'location', signed by us, built by us tested together in terms of dependencies. It's still EPEL. If we were to find bugs or whatever we'd get that fixed on the EPEL source side. No other intent... just to re-iterate that.

"What's new" on yum

Since we do a lot of packages updates on yum.oracle.com, we added a what's new page, it lists new RPMs that are published every day and we keep 6 months of history. This way  you can easily see if something got updated without having to run yum commands on a server.

Kernel Blog

In order to be more public about the type of development projects we have going on, we are finally back to writing regular articles about various kernel projects. You can find that here. It's a random collection of things developers will write up, stuff they worked on in the past or something like that. It gives a bit more context than just seeing commit messages. We started this way back when, then it went dormant but we picked it up again. Some good stuff can be found there.

Linux NFS appliance image for Oracle Cloud Infrastructure

Regular updates continue on our Linux NFS appliance image that can be found here. An easy way to create a Linux-based NFS server in your own tenancy. It's not an NFS service, it's just a standard Oracle Linux image that creates an NFS  server setup.

Oracle Container Registry

A reminder that we have replicas of the Oracle Container registry in each of the Oracle Cloud Infrastructure regions for fast, internal to the region access to our docker images.

container-registry-ash.oracle.com (Ashburn datacenter)

container-registry-phx.oracle.com (Phoenix datacenter)

container-registry-fra.oracle.com (Frankfurt datacenter)

These registries are also externally accessible so you can use it from wherever you are. Pick the one that's fastest for you.

We will introduce yum replicas soon as well.

 

 

 

 

 

 

 


 

 

Oracle Container Registry mirrors in Oracle Cloud Infrastructure

Sat, 2017-09-30 19:56

Just in time for Oracle OpenWorld 2017!

For quite some time now, we have had a Container Registry available for users with an Oracle Single-Signon account. This registry contains a large number of Docker images to make it really easy to get started with Oracle Products such as the Oracle Database, MySQL, Oracle Linux, Java, Weblogic etc...No need to create or register a new account. Many of you already have an Oracle SSO account for use with OTN, My Oracle Support or Oracle Software Delivery Cloud.

The first time, you have to log in to the website hosted at http://container-registry.oracle.com (use your SSO account) and accept the licences for the products you want to download/pull with the Docker client. Once you have accepted the licenses, unless a license changes, or you want to access a product for which you have not yet accepted the license, you do not have to login to the website any more. From here on, you can use docker pull container-registry.oracle.com/<repository>/<product> to pull down the images you are interested in. 

Well, the above is not new, really but I wanted to give a very quick overview of what we have on our container registry.

What IS new:

Lots of our customers are using Oracle Cloud Infrastructure and there is a big interest in using Docker images for new projects. Since we want our customers/developers to have the best experience, we created / will create local mirrors of the central Container Registry in each OCI region. As of right now, the Ashburn and Phoenix OCI region mirrors are online; Frankfurt will follow shortly. Why does this help? Well, first of all, performance. A few examples: timing a pull (and extract) of an Oracle Linux 7-slim image is just over 3 seconds. MySQL Community server 8 seconds, Oracle Database Standard or Enterprise Edition 3 minutes (fully downloaded and extracted in your local OCI instance). And secondly, all network traffic stays within the Oracle Datacenters so you are not consuming Internet Traffic bandwidth.

The process remains the same: the main website to accept licenses is still http://container-registry.oracle.com. When you use docker on the command line in your instance, use either container-registry-phx.oracle.com or container-registry-ash.oracle.com. In the near future we will enable container-registry-fra.oracle.com. 

First you have to login on the command line:

 

# docker login container-registry-ash.oracle.com
Username: wim.coekaerts@oracle.com
Password: 
Login Succeeded

 

Next you can pull one of the many images:

 

# docker pull container-registry-ash.oracle.com/os/oraclelinux:7-slim
7-slim: Pulling from os/oraclelinux
d9ca67fed2e2: Pull complete 
Digest: sha256:2c4be3230da36933e1e9961909ed40c7fc3cc36107f86c2ed6c1775ea1c884fc
Status: Downloaded newer image for container-registry-ash.oracle.com/os/oraclelinux:7-slim

These registries are also accessible from outside of the OCI regions over the internet so if you experience slow access to container-registry.oracle.com, try one of these new ones.

We have a number of product categories available. You can find all the details on how to use them, which tags (versions of images such as 7.1 7.4, latest,...) on the registry website:

We are working on providing a mirror for http://yum.oracle.com inside OCI as well. Stay tuned for more Oracle Linux goodies in Oracle Cloud Infrastructure.

 

 

Quickly create a high performance NFS server in Oracle Cloud Infrastructure using Oracle Linux

Wed, 2017-09-13 11:13

To make it easy for customers that rely heavily on an NFS server for their on-premises applications, we created an Oracle Linux Storage Appliance image for Oracle Cloud Infrastructure.

There are times where you want to be able to provide a really fast shared filesystem to multiple instances. eg. a shared 'Oracle Home'  or in the applications world a shared APPLTOP. It is really easy to set up a Linux NFS server but we decided to go beyond DIY and we created one for you.

The Linux Storage Appliance image available in Oracle Cloud Infrastructure uses Oracle Linux 7 on your choice of either a BM dense IO (28.8TB NVMe/512G) node or BM high IO (12.8TB NVMe/512G) node. When you deploy the LSA image, at first boot, it automatically detects the NVMe volumes, creates a big raid with filesystems on top and starts a simple webserver that lets you create new shares, see log files,  see the status of the server etc.

We have a roadmap of items that we are working on, such as auto-restart, backup to object storage, iscsi volume support as an alternative to NVMe to create smaller setups, etc...

The Linux Storage Appliance image is provided for everyone to use, it runs within your own tenancy and with your own resource quota for the servers it is deployed on.

You can find more details here

Here are a few screenshots to give you an idea:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Running Oracle Linux 5 applications in Oracle Cloud Infrastructure using lxc.

Thu, 2017-09-07 15:42

Oracle Cloud Infrastructure bare-metal servers and virtual machines require an EFI-capable OS and as such we offer Oracle Linux 6 and Oracle Linux 7 images for customers to deploy their instances. Most applications are certified and supported with these OS versions; however, in some rare cases a customer has an older application that requires something like Oracle Linux 4 or 5. While we currently cannot run these versions as native instances, it is possible to run Linux Containers on Oracle Linux with an OL4 or OL5 environment.

We have, for many years, supported lxc (https://blogs.oracle.com/wim/oracle-linux-containers) with Oracle Linux. lxc is great for system-containers, if you want to call it that, an entire OS environment ( basically "start /bin/init" ) whereas docker is more an application-container, start your app. Sure you can run /bin/init as your 'app' but lxc is a bit more tuned towards this model, I think. The generic lxc documentation can be found here.

lxc is fully supported on Oracle Linux 6 and Oracle Linux 7 and Oracle Linux 5 is fully supported as a container OS on top. So for customers that have a need to run older applications on older versions  of Linux in OCI, this is a great option.

To get started with lxc in Oracle Cloud Infrastructure, you first need to create a bare-metal server or VM instance using Oracle Linux 7 as the OS image, create your virtual cloud network, create a block volume, attach the block volume etc. I will assume that you are familiar with these steps.  I make one additional assumption around VNICs. The easiest way to set up the networking is by allocating a separate secondary VNIC for each container and pass this VNIC into the container. A quick tutorial is here.

In summary:

- Create a compartment, virtual cloud network and subnet

- Create an instance (BM or VM)

- Create and attach a block volume that will host the containers

- Create a number of  VNICs (1 per container)

- Install lxc

- Create and mount a filesystem on the block volume that holds the containers

- Create a container.

 

To install lxc, simply use yum on your Oracle Linux instance:

# yum install lxc

...

Dependencies Resolved

================================================================================
 Package         Arch          Version                  Repository         Size
================================================================================
Updating:
 lxc             x86_64        1.1.5-2.0.9.el7          ol7_latest        231 k
Updating for dependencies:
 lxc-libs        x86_64        1.1.5-2.0.9.el7          ol7_latest        219 k

Transaction Summary
================================================================================
Upgrade  1 Package (+1 Dependent package)

Total download size: 450 k
Is this ok [y/d/N]:

Make sure you use the latest version of lxc (1.1.5-2.0.9 or newer)

I suggest using btrfs as the container filesystem.

Assuming you created a block volume, it should show up as /dev/sdb:

$ cat /proc/partitions
major minor  #blocks  name

   8        0   48838656 sda
   8        1     556988 sda1
   8        2    8420348 sda2
   8        3   39808260 sda3
   8       16  134217728 sdb

Create a partition using fdisk, simply create 1 partition that uses the entire volume

$ fdisk /dev/sdb

Enter n (new partition), p (primary partition) 1 (first partition on new volume) and hit enter twice if you want to use the entire Block Volume.
Enter w to write the partition table out to disk.

This should now show up:

$ cat /proc/partitions
major minor  #blocks  name

   8        0   48838656 sda
   8        1     556988 sda1
   8        2    8420348 sda2
   8        3   39808260 sda3
   8       16  134217728 sdb
   8       17  134216704 sdb1

Next create your btrfs volume and mount it under /container:

$ mkfs.btrfs /dev/sdb1

$ echo "/dev/sdb1 /container btrfs defaults,noatime,_netdev 0 2" >> /etc/fstab

$ mount -a

The installation of lxc already created the /container directory on your server.

Next up,  configure your secondary VNICs using the scripts referenced here. It is slightly different in a VM instance versus a BM instance.

Create your first lxc container. The syntax is as follows:

 lxc-create -n <container name> -t <template> -- -R <release>
- Specify a container name that you want to use, for instance "ol5".
- To create Oracle Linux containers use the "oracle" template.
- Release specifies which release of the container OS you want to use. We are creating an Oracle Linux 5 container so we use -R 5.latest
- For Oracle Linux 4,6 or 7, use the same "oracle" template and change <release> to 4.latest, 6.latest or 7.latest

$ lxc-create -n ol5 -t oracle -- -R 5.latest
Host is OracleServer 7.3
Create configuration file /container/ol5/config
Yum installing release 5.latest for x86_64
...
Added container user:oracle password:oracle
Added container user:root password:root
Container : /container/ol5/rootfs
Config    : /container/ol5/config
Network   : eth0 (veth) on lxcbr0

There is an additional configuration step required. The network configuration of the newly created container needs to be modified.

Modify the container configuration file
$ vi /container/ol5/config

change the following lines:

lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:xx:xx:xx <- where xx:xx:xx has assigned values

to

lxc.network.type = phys
lxc.network.link = ens2f0.vlan.1

Use ens4, or whatever the secondary VNIC interface created earlier is called, in place of ens2f0.vlan.1.

Comment out or remove the lxc.network.hwaddr line:
#lxc.network.hwaddr =

It is important to comment out the hwaddr line because we want to use the mac address of the interface created by the scripts.

veth gets changed to phys because we are effectively passing through the network interface directly to the container
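
The configuration change above as a repeatable script, added here as an example (it is not from the original post): it switches the container to the passed-through VNIC, comments out the hwaddr line, keeps the original config, and can be run twice without damage. The function names, the constructed sample config and its MAC address are illustrative; ens4 stands in for your secondary VNIC interface.

```shell
#!/bin/sh
# Added example (not from the original post); function names are illustrative.

# Point a container config at a secondary VNIC:
#   lxc.network.type -> phys, lxc.network.link -> <interface>,
#   lxc.network.hwaddr commented out so the VNIC's own MAC address is used.
# Keeps <config>.orig on the first run and is safe to run again.
lxc_use_vnic() {
    cfg="$1"; ifname="$2"
    [ -f "$cfg" ] && [ -n "$ifname" ] || {
        echo "usage: lxc_use_vnic <config> <interface>" >&2; return 2; }
    # The name is pasted into a sed expression, so accept only plain
    # interface-name characters (letters, digits, _ . : -).
    case "$ifname" in
        *[!A-Za-z0-9_.:-]*) echo "bad interface name: $ifname" >&2; return 2 ;;
    esac
    [ -f "$cfg.orig" ] || cp -p "$cfg" "$cfg.orig" || return 1
    tmp="$cfg.tmp.$$"
    sed -E \
        -e 's|^[[:space:]]*lxc\.network\.type[[:space:]]*=.*|lxc.network.type = phys|' \
        -e "s|^[[:space:]]*lxc\.network\.link[[:space:]]*=.*|lxc.network.link = $ifname|" \
        -e 's|^[[:space:]]*(lxc\.network\.hwaddr[[:space:]]*=.*)|#\1|' \
        "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so ownership and mode of the config are preserved.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Exit status 0 only if the config uses phys, links to <interface>,
# and has no active (uncommented) hwaddr line.
lxc_vnic_ok() {
    grep -Fxq 'lxc.network.type = phys' "$1" &&
    grep -Fxq "lxc.network.link = $2" "$1" &&
    ! grep -Eq '^[[:space:]]*lxc\.network\.hwaddr[[:space:]]*=' "$1"
}

# Constructed sample of the network lines lxc-create leaves in the config.
write_sample_config() {
    cat > "$1" <<'EOF'
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:aa:bb:cc
lxc.rootfs = /container/ol5/rootfs
lxc.utsname = ol5
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample_config "$dir/config"
    lxc_use_vnic "$dir/config" ens4 && lxc_vnic_ok "$dir/config" ens4 &&
        cat "$dir/config"
    rm -rf "$dir"
}
demo
```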


Start the container

$ lxc-start -n ol5

Connect to the console

$ lxc-console -n ol5

The default root password is root. Please modify this after creating your container.

To exit the console, type ctrl-a q

Configure the network inside the container. To find the IP configuration for your VNICs from inside your instance, you can view this URL:

$ wget http://169.254.169.254/opc/v1/vnics/

Manually:

$ ifconfig eth0 10.0.2.3 netmask 255.255.255.0
$ route add default gw 10.0.2.1

Configure the network at start time by creating a new ifcfg script :

edit /etc/sysconfig/network-scripts/ifcfg-eth0

example:

DEVICE="eth0"
BOOTPROTO=none
ONBOOT=yes
TYPE="Ethernet"
IPADDR=10.0.2.3
PREFIX=24
GATEWAY=10.0.2.1
DEFROUTE=yes

 

To see which lxc containers are actively running type

$ lxc-ls --active

This container would be a supported Oracle Linux 5 environment running on Oracle Linux 7.

NOTE: Oracle Linux 5 has entered extended support. See here. Keep in mind that for Oracle Cloud subscription customers, Extended support is included with your subscription without any additional cost/fees.

 

 

More packages for Oracle Linux to make life easier.

Wed, 2017-09-06 11:13

A lot of development work we do for Oracle Linux is focused around Oracle Cloud. Work with the infrastructure team to provide the best OS for them, work on new features that can help in various areas (NVMe, kvm, GPU, security, containers...) and so on. But we also put a lot of effort into making Oracle Linux run extremely well for customers on Oracle Cloud. Pre-built images which we try to make as efficient as possible and configured out of the box to just work seamlessly. For instance, a few weeks ago we added the Oracle Ksplice package to the base image and pre-configured them so that Ksplice works without any additional steps. Want to use it? Just type uptrack-upgrade. The latest kernel version is typically installed, latest fixes for drivers. Anything that every customer would have to do themselves we try to pre-emptively take care of.

Another aspect of running Oracle Linux in Oracle Cloud is providing the right packages and make it easy to get to them. We are working on a mirror of  yum.oracle.com  and the Oracle Container Registry inside the Oracle Cloud regions for super highspeed access to packages without having to go outside of the datacenters. And we are building packages that are not part of the base Oracle Linux but are certainly very useful and frequently asked for by customers. For instance, we released RPMs for Terraform with the Oracle Bare Metal cloud provider so that you don't have to manually download binaries, but just use a local pre-configured yum repo.

We also released fluentd and collectd packages here and here . Oracle Managed Cloud works with collectd for instance for its data collection to do analytics. While customers or developers can certainly go and download these packages elsewhere, it would require extra steps. We're just doing it to ensure that they're all in the same place. They're mirrored inside the datacenters, they're signed by our key, preconfigured yum.repo files, and all the dependencies have been verified to ensure we don't break anything when they are published. Of course all the source code is also available in the usual place. As we get more requests to add more packages these _developer, _preview and _developer_epel channels will get more content. The biggest focus area here will be developers, container services and providing all the packages to easily get going.

And remember, all this is included with every instance of Oracle Linux you run in Oracle Cloud, no additional charges. Oracle Ksplice, full support, everything we have is out of the box, included.

 

Oracle Linux support in Oracle Cloud

Sun, 2017-07-30 13:00

This is a topic that comes up every now and again with customers or users of Oracle Cloud: Is Oracle Linux support included with our IaaS services and if so, which parts of Oracle Linux support are included?

The answer is very straightforward. Any customer in Oracle Cloud that creates new, creates their own or uses existing "Oracle Linux" images, in both Oracle Public Cloud and Oracle Bare Metal Cloud Services, has full Oracle Linux Premier Support included at no additional cost. There is no extra hourly surcharge on top of the IaaS subscriptions. This includes access to Oracle Support, access to the My Oracle Support portal, Oracle Ksplice, use of Oracle Enterprise Manager Cloud Control to manage and monitor Oracle Linux instances and of course the packages and updates for Oracle Linux.

Oracle Ksplice for Oracle Linux in Bare Metal Cloud Services

Sun, 2017-07-30 12:39

A few weeks ago I wrote a blog post that talked about setting up Oracle Ksplice in Oracle Cloud (specifically Bare Metal Cloud Services). At the time, the instructions included editing the uptrack.conf file and adding a specific auth key. We have since automated that part as well.

For existing instances or newly created instances (any VM.* and BM.* shapes with Oracle Linux) you can just simply download a new installation script that takes care of it all for you. As mentioned in the previous post, we are going to include the uptrack tools by default as well in a future image version of Oracle Linux but that's not completed yet.

The simple steps to follow now:

Connect to your BMCS instance

# ssh -l opc <public ip address of your instance>

sudo to root

# sudo bash

# cd

Download the ksplice installation script   

# wget -N https://www.ksplice.com/uptrack/install-uptrack-oc
--2017-07-30 17:27:59--  https://www.ksplice.com/uptrack/install-uptrack-oc
Resolving www.ksplice.com (www.ksplice.com)... 137.254.56.32
Connecting to www.ksplice.com (www.ksplice.com)|137.254.56.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10154 (9.9K) [text/plain]
Saving to: ‘install-uptrack-oc’

100%[======================================>] 10,154      --.-K/s   in 0.06s

2017-07-30 17:28:00 (179 KB/s) - ‘install-uptrack-oc’ saved [10154/10154]

Run the installation script   

# sh install-uptrack-oc
[ Release detected: ol ]
--2017-07-30 17:30:36--  https://www.ksplice.com/yum/uptrack/ol/ksplice-uptrack-release.noarch.rpm
Resolving www.ksplice.com (www.ksplice.com)... 137.254.56.32
Connecting to www.ksplice.com (www.ksplice.com)|137.254.56.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6876 (6.7K) [application/x-rpm]
Saving to: ‘ksplice-uptrack-release.noarch.rpm’

100%[======================================>] 6,876       --.-K/s   in 0s

2017-07-30 17:30:36 (46.5 MB/s) - ‘ksplice-uptrack-release.noarch.rpm’ saved [6876/6876]

[ Installing Uptrack ]
warning: ksplice-uptrack-release.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 16c083cd: NOKEY
Preparing packages...
ksplice-uptrack-release-1-3.noarch
Loaded plugins: langpacks, ulninfo
ksplice-uptrack                                          |  951 B     00:00
ol7_UEKR4                                                | 1.2 kB     00:00
ol7_addons                                               | 1.2 kB     00:00
ol7_latest                                               | 1.4 kB     00:00
ol7_optional_latest                                      | 1.2 kB     00:00
(1/7): ol7_UEKR4/x86_64/updateinfo                         |  83 kB   00:00
(2/7): ol7_latest/x86_64/updateinfo                        | 1.3 MB   00:00
(3/7): ksplice-uptrack/7Server/x86_64/primary              | 2.0 kB   00:00
(4/7): ol7_optional_latest/x86_64/primary                  | 4.0 MB   00:00
(5/7): ol7_optional_latest/x86_64/updateinfo               | 940 kB   00:00
(6/7): ol7_latest/x86_64/primary                           |  26 MB   00:00
(7/7): ol7_UEKR4/x86_64/primary                            |  19 MB   00:00
ksplice-uptrack                                                             7/7
ol7_UEKR4                                                               396/396
ol7_latest                                                          19362/19362
ol7_optional_latest                                                 13397/13397
Resolving Dependencies
--> Running transaction check
---> Package uptrack.noarch 0:1.2.41-0.el7 will be installed
--> Processing Dependency: perl(Fatal) for package: uptrack-1.2.41-0.el7.noarch
--> Processing Dependency: perl-autodie for package: uptrack-1.2.41-0.el7.noarch
--> Running transaction check
---> Package perl-autodie.noarch 0:2.16-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch         Version            Repository             Size
================================================================================
Installing:
 uptrack            noarch       1.2.41-0.el7       ksplice-uptrack       298 k
Installing for dependencies:
 perl-autodie       noarch       2.16-2.el7         ol7_latest             77 k

Transaction Summary
================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 375 k
Installed size: 996 k
Downloading packages:
(1/2): perl-autodie-2.16-2.el7.noarch.rpm                  |  77 kB   00:00
(2/2): uptrack-1.2.41-0.el7.noarch.rpm                     | 298 kB   00:00
--------------------------------------------------------------------------------
Total                                              689 kB/s | 375 kB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : perl-autodie-2.16-2.el7.noarch                               1/2
  Installing : uptrack-1.2.41-0.el7.noarch                                  2/2
There are no existing modules on disk that need basename migration.
  Verifying  : perl-autodie-2.16-2.el7.noarch                               1/2
  Verifying  : uptrack-1.2.41-0.el7.noarch                                  2/2

Installed:
  uptrack.noarch 0:1.2.41-0.el7

Dependency Installed:
  perl-autodie.noarch 0:2.16-2.el7

Complete!
Effective kernel version is 4.1.12-94.3.6.el7uek
The following steps will be taken:
Install [nq2lixsa] Improve the interface to freeze tasks.
Install [4g8860bp] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Install [iw78w90p] CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.
Install [5ct5a8wv] CVE-2017-7477: Remote Denial-of-service in 802.1AE implementation.
Install [5v18x54y] Denial-of-service when bonding multiple IPOIB devices.
[ Installation Complete! ]
[ Please run '/usr/sbin/uptrack-upgrade -y' to bring your system up to date ]

To install the available Ksplice patches on your running kernel, just run the uptrack-upgrade tool (as root)  

# uptrack-upgrade
The following steps will be taken:
Install [nq2lixsa] Improve the interface to freeze tasks.
Install [4g8860bp] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Install [iw78w90p] CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.
Install [5ct5a8wv] CVE-2017-7477: Remote Denial-of-service in 802.1AE implementation.
Install [5v18x54y] Denial-of-service when bonding multiple IPOIB devices.

Go ahead [y/N]? y
Installing [nq2lixsa] Improve the interface to freeze tasks.
Installing [4g8860bp] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Installing [iw78w90p] CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.
Installing [5ct5a8wv] CVE-2017-7477: Remote Denial-of-service in 802.1AE implementation.
Installing [5v18x54y] Denial-of-service when bonding multiple IPOIB devices.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-94.3.9.el7uek

CVE-2017-1000364

Thu, 2017-06-29 02:00

I am sure many of you have heard or read about CVE-2017-1000364.

If not, you can find some information here:

https://blog.qualys.com/tag/cve-2017-1000364

https://nvd.nist.gov/vuln/detail/CVE-2017-1000364

http://www.securityfocus.com/bid/99130

An issue was discovered in the size of the stack guard page on Linux: a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed). This affects Linux kernel versions 4.11.5 and earlier (the stack guard page was introduced in 2010).

This CVE has a very high CVSS score of 9.8.

There are a number of packages released for Oracle Linux to deal with this CVE.

An updated glibc: https://linux.oracle.com/cve/CVE-2017-1000366.html

An updated kernel:  https://linux.oracle.com/cve/CVE-2017-1000364.html

A very important additional detail is that we also have an online fix available through Ksplice. So for Oracle Linux users/customers with a support subscription, you can simply run uptrack-upgrade on a running kernel. No reboot required.

# uptrack-upgrade
The following steps will be taken:
Install [8cpcuyra] CVE-2017-1000364: Increase stack guard size to 1 MiB.

Go ahead [y/N]? y
Installing [8cpcuyra] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-94.3.7.el7uek
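To confirm from a saved uptrack-upgrade transcript that the fix for a given CVE was actually installed and not only offered, the following added example (not part of the original post or of the Ksplice tools) parses the line formats shown in the run above. The function name and the second, declined transcript are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a saved uptrack-upgrade transcript for one CVE.
# The line formats matched here are the ones in the transcripts on this page.

# ksplice_cve_state CVE-ID   (transcript on stdin)
# Prints "applied <ids>", "planned <ids>" or "absent"; exits 0 only if applied.
ksplice_cve_state() {
    awk -v want="$1" '
        # "Install [id] ..." is the plan, "Installing [id] ..." the execution.
        ($1 == "Install" || $1 == "Installing") && $2 ~ /^\[[a-z0-9]+\]$/ {
            tag = $3; sub(/:$/, "", tag)
            if (tag != want) next
            id = substr($2, 2, length($2) - 2)
            if (!p[id]++) planned = planned " " id
            if ($1 == "Installing" && !a[id]++) applied = applied " " id
        }
        /^Your kernel is fully up to date\./ { done = 1 }
        END {
            if (applied != "" && done) { print "applied" applied; exit 0 }
            if (planned != "")         { print "planned" planned; exit 1 }
            print "absent"; exit 2
        }'
}

# Transcript copied from the run shown above.
sample_applied() {
    cat <<'EOF'
The following steps will be taken:
Install [8cpcuyra] CVE-2017-1000364: Increase stack guard size to 1 MiB.

Go ahead [y/N]? y
Installing [8cpcuyra] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-94.3.7.el7uek
EOF
}

# Constructed variant: the operator declined, so nothing was installed.
sample_declined() {
    cat <<'EOF'
The following steps will be taken:
Install [8cpcuyra] CVE-2017-1000364: Increase stack guard size to 1 MiB.

Go ahead [y/N]? n
EOF
}

sample_applied  | ksplice_cve_state CVE-2017-1000364
sample_declined | ksplice_cve_state CVE-2017-1000364 || echo "fix not confirmed"
```
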

 

 

Oracle Ksplice on Oracle Linux in Bare Metal Cloud

Wed, 2017-06-21 09:58

One of the great advantages of using Oracle Cloud is the fact that it includes full Oracle Linux support. All the services that you get with Oracle Linux Premier support are included without additional cost when you use Oracle Cloud.

Oracle Ksplice is such a service. (see: http://www.ksplice.com/ ). In order to use Oracle Ksplice outside of Oracle Cloud you configure it at install time when registering your Oracle Linux server with ULN (http://linux.oracle.com ) and you then use the generated access key to configure the uptrack tools.

With Oracle Cloud, both Oracle Public Cloud and Oracle Bare Metal Cloud Services ( http://cloud.oracle.com ), we have made it very easy. Any instance that runs inside our infrastructure has immediate access to the ksplice servers.

For customers or users with existing Oracle Linux instances in BMCS, you have to do a few simple steps to enable Ksplice. We are in the process of adding the uptrack tools to the image by default so that soon you won't have to do any configuration at all.

Enable Ksplice today:

Log into your Oracle Linux instance as user opc (or as root)

# sudo bash

Download the uptrack client:

# wget -N https://www.ksplice.com/uptrack/install-uptrack

or if you prefer to use curl

# curl -O https://www.ksplice.com/uptrack/install-uptrack

Install the client. Make sure you use this exact key; it will only work inside BMCS and is a generic identifier.

# sh install-uptrack dfc21b3ced9af52f6a8760c1b1860f928ba240970a3612bb354c84bb0ce5903e --autoinstall
 

This command unpacks the downloaded script and installs the uptrack utilities (Ksplice client tools). Ignore the connect error; you need the step below.

One more step. In order for the above key to work, you have to point the uptrack tools to a specific update server.

Edit /etc/uptrack/uptrack.conf:

# The location of the Uptrack updates repository.
update_repo_url=https://oraclecloud-updates-ksplice.oracle.com/update-repository

and that's it.

# uptrack-upgrade
Nothing to be done.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-94.3.6.el6uek

 

For instances that are Bring Your Own we will automate the above steps as well. But at least this gets you going right away.
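The uptrack.conf edit described above can be scripted so that it is repeatable across instances. This is an added example, not Oracle's automation: set_update_repo_url and the scratch-file demo are names and data made up here, and it assumes the update_repo_url key already exists in the file, as the snippet above shows.

```shell
#!/bin/sh
# Added example: set update_repo_url in an uptrack.conf-style file in place.
# set_update_repo_url is a name chosen for this example, not an uptrack tool.

REPO_URL='https://oraclecloud-updates-ksplice.oracle.com/update-repository'

# set_update_repo_url FILE URL
# Rewrites the existing update_repo_url line where it stands and keeps FILE.bak.
# Fails without touching FILE if the URL is not https or the key is missing.
set_update_repo_url() {
    conf=$1 url=$2
    case $url in
        https://*) ;;
        *) echo "refusing non-https update_repo_url: $url" >&2; return 1 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    if awk -v url="$url" '
        /^[ \t]*update_repo_url[ \t]*=/ {
            if (!seen++) print "update_repo_url=" url   # later duplicates dropped
            next
        }
        { print }
        END { exit(seen ? 0 : 3) }' "$conf" > "$tmp"
    then
        cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"
        rc=$?
    else
        echo "update_repo_url not found in $conf; file left unchanged" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Constructed demo on a scratch copy; on a real instance FILE would be
# /etc/uptrack/uptrack.conf and the caller would be root.
demo() {
    scratch=$(mktemp) || return 1
    printf '%s\n' '# The location of the Uptrack updates repository.' \
        'update_repo_url=' > "$scratch"
    set_update_repo_url "$scratch" "$REPO_URL" && grep '^update_repo_url=' "$scratch"
    rc=$?
    rm -f "$scratch" "$scratch.bak"
    return $rc
}
demo
```

Running it a second time with the same URL leaves the file content unchanged, and a plain http URL is rejected before anything is written.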

 
