Elivepatch Flexible distributed Linux Kernel live patching. Alice Ferrazzi Takanori Suzuki



kernel :~ $ whoami
Alice Ferrazzi: Gentoo Kernel Project Leader; Gentoo Google Summer of Code administrator and mentor for the Rust Gentoo project; Cybertrust Japan OSS Embedded Software Engineer

kernel :~ $ whoami
Takanori Suzuki: Gentoo study meeting co-organizer; Cybertrust Japan OSS Monitoring Software Developer and CI Developer

Summary
- Live patch explanation
- Current live patch services
- Motivation for elivepatch
- Elivepatch solution
- Implementation
- Challenges
- Status
- Future work
- Conclusion

This project started as part of Google Summer of Code 2017 for the Gentoo organization.

Live patch explanation

Live patch: modify the running kernel without the need to reboot.

Why
- Downtime is expensive (containers, supercomputers)
- Security (the window during which a vulnerability is exploitable is shorter)

Where
- Embedded
- Desktops
- HPC (complex scientific computations)
- Cloud
- Any computer under heavy load

What

kGraft: SUSE's open source live patching system, which gradually redirects callers from the old function to the new one.

kpatch: Red Hat's open source live patching system, which uses ftrace and stop_machine() to redirect calls to the new version of a function.

Livepatch: a hybrid of kpatch and kGraft that has been merged into the upstream kernel. kpatch-build can create live patches for both kpatch and livepatch.

A livepatch is just a kernel module.


Livepatch module problem: building the module takes an hour or more to compile on a modern server.

At Gentoo, we know what it means to compile something for more than an hour.


Gentoo's solution to the 1+ hour compilation problem: a Gentoo binary host serving pre-compiled binaries.

What options do we have for compiling livepatch modules?

Current existing livepatch services

Current vendor solutions
- Oracle Ksplice (supports only Oracle Linux kernels)
- SUSE Linux Enterprise Live Patching (supports only SUSE kernels, for one year)
- Canonical Livepatch (supports only Ubuntu 16.04 LTS and Ubuntu 14.04 LTS)
- Red Hat live patch (supports only Red Hat kernels)

Motivation for elivepatch

Problems of vendor solutions
- Trust placed in third-party vendors
- Lacking support for custom kernel configurations
- Lacking support for request-driven customization
- Lacking long term support
- Closed source

elivepatch solution

elivepatch: a web service framework to deliver Linux kernel live patches
- Supports custom kernel configurations
- User participation via request-driven customization
- Open source

Vendor solutions representation (diagram)

Elivepatch solution (diagram)

Implementation

- Elivepatch-server (main language: Python): Flask + Flask-RESTful + Werkzeug (not dependent)
- Elivepatch-client (main language: Python): Requests + GitPython

Challenges

Challenges with elivepatch
- Some patches require manual modification to be converted to live patches
- Reproducing the build environment can be difficult:
  - Differences in compiler versions
  - Variations in the compiler and optimization flags
  - Incompatible machine architectures (solaris, hpc)

Incompatibility with GCC CCFLAGS and non-vanilla gcc can sometimes break elivepatch.

Current status

Elivepatch status
- First open source release 0.1 on 2017/9/06
- Packaged for Gentoo
- Kpatch version 0.6.2 in Gentoo
- Presented as a poster at SOSP 2017
- Close collaboration with kpatch maintainers

Future work

Future work
- Toward livepatch automation
- Increasing scalability using containers and virtual machines
- Livepatch signing
- Kernel CI/CD checks

Toward livepatch automation
- The priority is to automate livepatch creation when there are no semantic changes. For example, we need to detect inlined functions and optimizations that require including more functions in the livepatch.
- A tool is needed for creating the extra relocation entries.

Linux Plumbers 2018
- Architecture support
  - objtool for ppc (**Miroslav Benes, Kamalesh Babulal, Josh Poimboeuf**)
  - s390x (**Joe Lawrence, Miroslav Benes**)
- Dealing with gcc optimizations interfering with livepatches (**Miroslav Benes**)
- Userspace tooling for automating patch generation (**Alice Ferrazzi, Miroslav Benes, Nicolai Stange**)
- elivepatch presentation / discussion (**Alice Ferrazzi**)
- How to implement a sane notion of global consistency (**Nicolai Stange**)
- Compatibility of livepatches between framework versions (**Joe Lawrence, Petr Mladek, Nicolai Stange**)
- General experience sharing after 1+ years of livepatching being [commercially] supported in distributions (**Josh Poimboeuf?, Jiri Kosina, ...?**)

Multi-distribution: solve distribution compatibility issues. Current targets: Debian, Fedora, Gentoo, Android

Elivepatch client on Debian: work in progress, https://asciinema.org/a/187738 (p.s. a Gentoo kernel is still needed)

Livepatch signing
- Implementing livepatch module signing in the server
- Implementing signature verification in the client
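As an added example (not elivepatch's or the kernel's own code) tying together the "a livepatch is just a kernel module" point above and the client-side signature verification item here: before handing a downloaded livepatch module to the kernel, a client can parse the Linux kernel's appended module-signature trailer and isolate the signed payload. It assumes the trailer layout from the kernel's include/linux/module_signature.h; the PKCS#7 verification itself stays with the kernel at load time, and the sample module and signature bytes are constructed stand-ins.

```python
"""Client-side parse of the kernel's appended module-signature trailer.
Added example, not elivepatch code. Layout (include/linux/module_signature.h):
    [module ELF data][PKCS#7 signature][struct module_signature][magic]
The kernel verifies the PKCS#7 blob at load time; this only checks the trailer."""
import hashlib
import struct

MODULE_SIG_MAGIC = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2  # the only id_type the kernel accepts
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")


def split_signed_module(blob: bytes):
    """Return (payload, pkcs7_signature); raise ValueError on a bad trailer.
    Mirrors the sanity checks in the kernel's mod_verify_sig()."""
    if not blob.endswith(MODULE_SIG_MAGIC):
        raise ValueError("module is not signed (magic trailer missing)")
    body = blob[:-len(MODULE_SIG_MAGIC)]
    if len(body) < SIG_INFO.size:
        raise ValueError("module too short for module_signature struct")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:])
    # With PKCS#7 the signer identity is inside the blob: other fields must be 0.
    if id_type != PKEY_ID_PKCS7 or algo or hash_ or signer_len or key_id_len:
        raise ValueError("unsupported or malformed module_signature header")
    body = body[:-SIG_INFO.size]
    if sig_len == 0 or sig_len >= len(body):
        raise ValueError("signature length out of range")
    return body[:-sig_len], body[-sig_len:]


def append_signature(payload: bytes, pkcs7_sig: bytes) -> bytes:
    """Build the same trailer (what a signing server appends after signing)."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_sig))
    return payload + pkcs7_sig + info + MODULE_SIG_MAGIC


def is_well_formed(blob: bytes) -> bool:
    """True if the trailer parses; a client should refuse to install otherwise."""
    try:
        split_signed_module(blob)
        return True
    except ValueError:
        return False


def payload_sha256(blob: bytes) -> str:
    """Digest of the signed part only, for comparison with a published value."""
    return hashlib.sha256(split_signed_module(blob)[0]).hexdigest()
```

A client can call is_well_formed() on the downloaded file and compare payload_sha256() against a value published by the build server before running modprobe or insmod.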

Kernel CI/CD checking
- Implement a buildbot plugin for testing elivepatch
- Implement elivepatch-server on Docker, for a ready-to-use livepatch building instance [you can test your livepatch with the same settings and hardware as where you want to deploy it]

Conclusion

Epilogue
- A live patch is a module that takes a long time to compile
- Vendor live patch services solve the compilation problem
- The elivepatch solution

Conclusion: with the spread of embedded systems and robotics, livepatch services will become ever more important.

If you are interested in contributing, Elivepatch welcomes every form of contribution.

https://github.com/gentoo/elivepatch-client