Reboot adieu! Online Linux kernel patching. Udo Seidel

Similar documents
Reboot Reloaded. Patching the Linux Kernel Online. Vojtěch Pavlík. Dr. Udo Seidel. Director SUSE Labs SUSE

Elivepatch Flexible distributed Linux Kernel live patching. Alice Ferrazzi

March 10, Linux Live Patching. Adrien schischi Schildknecht. Why? Who? How? When? (consistency model) Conclusion

kpatch Have your security and eat it too!

Elivepatch Flexible distributed Linux Kernel live patching. Alice Ferrazzi Takanori Suzuki

Obstacles & Solutions for Livepatch Support on ARM64 Architecture

Live Kernel Patching status update. Jiri Kosina SUSE Labs

Distributed Storage with GlusterFS

Rebootless kernel updates

VMware s (Open Source) Way of Container. Dr. Udo Seidel

FUT92715 Solve the Paradox SUSE Linux Enterprise Live Patching Roadmap

Live Patching: The long road from Kernel to User Space. João Moreira Toolchain Engineer - SUSE Labs

Digitizer operating system support

Rebootless Kernel Updates

Linux Foundation Collaboration Summit 2010

ACTIAN PRODUCTS by Platform - Vector, Vector in Hadoop as of October 18, 2017

An introduction to checkpointing. for scientific applications

Inside WebSphere Application Server

Getting Started with Phalcon

How To Manually Install Driver Ubuntu Server On Virtualbox

Ksplice Is Rebooting Your Oracle Linux Database Server Now Obsolete?

Open World Forum 2013

Are you Really Helped by Upstream Kernel Code?

Linux sles 11. Linux sles 11.zip

Systemtap times April 2009

Kernel driver maintenance : Upstream vs. Industry

Mechanic v. Surgeon (photos from istockphoto.com)

LTSI Project update Long Term Support Ini0a0ve. Tsugikazu SHIBATA, NEC 23, Oct Embedded Linux Conference Europe Hilton Prague

Be smart. Think open source.

Five Key Steps to Automating your Workload Migration to the Cloud SUN6469

Maintaining Linux Long Term & Adding Specific Features in Telecom Systems. Keika Kobayashi NEC Communication Systems Sep 29, Japan2010

DPDK Roadmap. Tim O Driscoll & Chris Wright Open Networking Summit 2017

Welcome to Linux Foundation E-Learning Training

VA Smalltalk Update. 24 th ESUG Conference Prague, Czech Republic August 23, John O Keefe Chief Technical Officer Instantiations, Inc.

Install Oracle 11g Client On Linux Command Line

Keeping customer data safe in EC2 a deep dive. Martin Pohlack Amazon Web Services

Manual Of Virtualbox Additions Ubuntu Server 12.04

InstallAnywhere: Requirements

Fedora Linux Toolbox: Commands For Fedora, CentOS And Red Hat Power Users By Christopher Negus;Francois Caen READ ONLINE

Frédéric Crozat SUSE Linux Enterprise Release Manager

Lecture 2 Fundamental OS Concepts. Bo 2018, Spring

Open Enterprise & Open Community opensuse & SLE Empowering Each Other. Richard Brown opensuse Chairman

Debugging Kernel without Debugger

Oracle Ksplice for Oracle Linux

Checkpointing using DMTCP, Condor, Matlab and FReD

Process Time. Steven M. Bellovin January 25,

Welcome to Linux Foundation E-Learning Training

Outline. Threads. Single and Multithreaded Processes. Benefits of Threads. Eike Ritter 1. Modified: October 16, 2012

Lecture 1 Niyaz M. Salih

Flush Dns Settings Linux Redhat 5 Step Step

Aix Power 7 Admin Guide READ ONLINE

Carbonite Availability 8.2, Carbonite Migrate 8.2 and Carbonite Cloud Migration Supported Platforms Chart

Linux Distribution - a Linux OS platform information API

R packages from a Fedora perspective

Enterprise Linux vs. Embedded Linux

PyWBEM Python WBEM Client: Overview #2

Hint #1. Define a syscall

Upgrading & Updating Your Computer

Chapter 4: Threads. Overview Multithreading Models Threading Issues Pthreads Windows XP Threads Linux Threads Java Threads. Operating System Concepts

Why Oracle Linux. Hans Forbrich Forbrich Consulting Ltd. Why Oracle Linux

Veritas NetBackup Enterprise Server and Server 6.x OS Software Compatibility List

2/12/2013. System Call Tracing WHAT S THAT PROGRAM DOING?

System Wide Tracing User Need

SCAP Security Guide Questions / Answers. Contributor WorkShop Volume #2

OPERATING SYSTEM. Chapter 4: Threads

MICROSOFT VIRTUAL MACHINE CONVERTER

1. Install a Virtual Machine Download Ubuntu Create a New Virtual Machine Seamless Operation between Windows an Linux...

Red Hat Enterprise Linux 6.4 Security-enhanced. Linux User Guide >>>CLICK HERE<<<

MCAFEE FOUNDSTONE FSL UPDATE

Open Enterprise & Open Community

HTTP/2 Out Of The Box

INITIAL EVALUATION BIGSQL FOR HORTONWORKS (Homerun or merely a major bluff?)

Intel Cache Acceleration Software (Intel CAS) for Linux* v2.9 (GA)

How To Install Java Manually Linux Terminal Server 2008

How to decide Linux Kernel for Embedded Products. Tsugikazu SHIBATA NEC 20, Feb Embedded Linux Conference 2013 SAN FRANCISCO

Ksplice: An Automatic System for Rebootless Kernel Security Updates. Jeffrey Brian Arnold

CSCE Operating Systems Interrupts, Exceptions, and Signals. Qiang Zeng, Ph.D. Fall 2018

CNT 5605, Fall 2009: Introduction

Managing build infrastructure of a Debian derivative

Normal and Exotic use cases. of NUMA features. in the Linux Kernel. Christopher Lameter, Ph.D. Collaboration Summit, Napa Valley, 2014

Operating System Structure

LinuxCon North America 2012

Linux Fundamentals (L-120)

Basic Concepts & OS History

Review of the Stable Realtime Release Process

Let s manage agents. Tom Sightler, Principal Solutions Architect Dmitry Popov, Product Management

The Procedure Abstraction Part I Basics

Keeping Up With The Linux Kernel. Marc Dionne AFS and Kerberos Workshop Pittsburgh

Automated Kernel SECURITY UPDATES Without Reboots. Safe Kernel. Safer Linux.

Overhead Evaluation about Kprobes and Djprobe (Direct Jump Probe)

CSCI 8530 Advanced Operating Systems

Comparison.

SALOME Maintenance Procedure. Frédéric Pons (Open Cascade) Roman Nikolaev (Open Cascade)

Linux Foundation Onsite Classroom Requirements

Introduction to OS. Introduction MOS Mahmoud El-Gayyar. Mahmoud El-Gayyar / Introduction to OS 1

CS197U: A Hands on Introduction to Unix

SUSE. High Performance Computing. Eduardo Diaz. Alberto Esteban. PreSales SUSE Linux Enterprise

Expert Days SUSE Manager

LifeKeeper for Linux 7.3. Linux Configuration

Fedora Astronomy. The benefits for astronomical software from integration into Linux distributions. Christian Dersch.

Transcription:

Reboot adieu! Online Linux kernel patching Udo Seidel

Agenda Who & Why? How? Players & Show! And?

Me :-) Teacher of mathematics and physics PhD in experimental physics Started with Linux in 1996 Linux/UNIX trainer Solution engineer in HPC and CAx environment Head of the Linux Strategy and Server Automation @Amadeus

BMC Exchange Berlin 2013

Why?

Why kernel updates? Business critical applications on Linux Bug fixing New functions improvements External requirements Importance of security, e.g. PCI-DSS

What is 'wrong' with reboots? Missing HA Procedures, Operations,... External requirements

Question... Do we really need a reboot?

Looking back and around Not new mainframes hot updates for Unix Early days of Linux Picked up by the 'dark side' Rootkits

How?

Source code comparison One approach for generation of hot updates Looks simple... but High programming language skills needed Analysis complex Code replacement unclear

Object code comparison Advantages Reduced need for developing skills Implicit patch analysis Can be automated Used already in that context Challenges Object code generation Code replacement

Open questions Creation in general Detect and cover dependencies Activation Deactivation(?) Management

Players!

Ksplice arises... 2008/2009 4 students @ MIT Thesis from Jeff Arnolds Ksplice Inc. founded GPLv2 Supported: Debian, Ubuntu, Fedora, CentOS, RHEL July 2011 Acquired by Oracle

Ksplice high level Patching original source code Generation of new object code Comparison of 'old' and new object code Load of the delta code Address redirection to activate new object code

Ksplice more details See OSTD 2012 ;-)

The newcomers Opensource SUSE Red Hat Partially Opensource CloudLinux

Red Hat's kpatch

kpatch History Not picked up for a long time Big surprise in FEB2014 dynup-kpatch project on Github Quite advanced Tools Scripts Documentation

kpatch How Object code comparison New function per kernel module Jump address manipulation BUT Out of scope Constantly used system calls virtual Dynamic Share Objects (vdso) Change (of handling) of data allocation

kpatch Object Code Comparison 2 kernel compilations With & without patch Speedup by CCACHE Compiler flags ffunction sections fdata sections O/S tools objcopy readelf

kpatch New Function to Kernel No kernel code change needed Two modules Base/Core Patch Function name unchanged

kpatch Jump Address Challenge ftrace Function TRACEr mcount() kpatch-handler stop_machine() Under discussion See Masami Hiramatsu's fork

kpatch Toolbox 2 sets Builder Loader http://github.com/dynup/kpatch/

SUSE's kgraft

kgraft - History 'talks' since spring/summer 2012 Announcement at SUSECon 2012 Very quiet at SUSECon 2013 Surprising news in FEB2014 Source code not immediately available Presentation at Linux Collaboration Summit Git repository public since MAR2014

kgraft How Object code comparison New function per kernel module Jump address manipulation BUT Out of scope Nothing?? See later

kgraft Object Code Comparison 2 kernel compilations With & without patch Compiler flags ffunction sections fdata sections O/S tools objcopy nm readelf

kgraft New Function to Kernel Requires intra-kernel infrastructure kernel code change Plan ahead One module Function name changed

kgraft Jump Address Challenge Ftrace Similar to kpatch INT3 instruction stop_machine() Reality check function + kernel thread flag schedule_on_each_cpu() kill/pkill

kgraft Toolbox Not really existing Part of the kernel Sample code Helper scripts (earlier versions only) http://git.kernel.org/cgit/linux/kernel/git/\ jirislaby/kgraft.git/ http://github.com/useidel/kgraft-tools

Show!

Example uptime_proc_show Base: Linux kernel with enabled kgraft http://youtu.be/_iq44jqjdiq :-)

And?

Ongoing Patch stacking New/different functions Already patched functions Clean patch removal Combination with Tracers ftrace Systemtap LTTng

Open items Technical 'Highlander' mode Kernel Summit AUG2014 Again @ LinuxCon Europe OCT2014 Supported architectures Enterprise readiness Support Framework RHEL7 & SLES12

Summary Both: advantages and disadvantages kpatch: more flexible and better tooling kgraft: potentially more powerful (?) Continued development Vanilla Kernel approach (still) unclear Keep on watching

References http://www.ksplice.com http://rhelblog.redhat.com/2014/02/26/kpatch/ http://www.suse.com/communities/conversations/\ kgraft-live-kernel-patching/

Thank you!

Reboot adieu! Online Linux kernel patching Udo Seidel

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback