Elivepatch Flexible distributed Linux Kernel live patching. Alice Ferrazzi

Similar documents
Elivepatch Flexible distributed Linux Kernel live patching. Alice Ferrazzi Takanori Suzuki

Live Kernel Patching status update. Jiri Kosina SUSE Labs

March 10, Linux Live Patching. Adrien schischi Schildknecht. Why? Who? How? When? (consistency model) Conclusion

Obstacles & Solutions for Livepatch Support on ARM64 Architecture

Reboot adieu! Online Linux kernel patching. Udo Seidel

kpatch Have your security and eat it too!

Rebootless Kernel Updates

Live Patching: The long road from Kernel to User Space. João Moreira Toolchain Engineer - SUSE Labs

Enterprise Linux vs. Embedded Linux

FUT92715 Solve the Paradox SUSE Linux Enterprise Live Patching Roadmap

Digitizer operating system support

RHEL Packaging. (making life easier with RPM) Jindr ich Novy Ph.D., June 26, 2012

Systemtap times April 2009

Ubuntuを利用した世界最高のOSSプラットフォーム. Takaaki Suzuki Canonical - Solutions Architect

Open Enterprise & Open Community opensuse & SLE Empowering Each Other. Richard Brown opensuse Chairman

Keeping customer data safe in EC2 a deep dive. Martin Pohlack Amazon Web Services

How to decide Linux Kernel for Embedded Products. Tsugikazu SHIBATA NEC 20, Feb Embedded Linux Conference 2013 SAN FRANCISCO

Frédéric Crozat SUSE Linux Enterprise Release Manager

Introduction to Linux

Deep Security 9.6 SP1. Supported Features by Platform

Why Oracle Linux. Hans Forbrich Forbrich Consulting Ltd. Why Oracle Linux

Automated Kernel SECURITY UPDATES Without Reboots. Safe Kernel. Safer Linux.

Modern and Fast: A New Wave of Database and Java in the Cloud. Joost Pronk Van Hoogeveen Lead Product Manager, Oracle

Manual Java For Mac Developer Package

Deep Security 9.6 Supported Features by Platform

Getting started with LXD

Flatpak and your distribution. Simon McVittie

Introduction to Operating Systems. Note Packet # 1. CSN 115 Operating Systems. Genesee Community College. CSN Lab Overview

Zero Install. Decentralised cross-platform package management

Deep Security 9.6 SP1 Supported Features by Platform

Going to production with snaps and Ubuntu Core

TOSS - A RHEL-based Operating System for HPC Clusters

IT Optimization Trends. Summary Results January 2018

Providing a Rapid Response to Meltdown and Spectre for Hybrid IT. Industry: Computer Security and Operations Date: February 2018

Systems Programming. The Unix/Linux Operating System

User Manual Web Meetings

How & Why We Embraced Open-Source 20 years ago And What We Learned!! Amit Bhutani Linux & Open Source Technologist Dell EMC

R packages from a Fedora perspective

Veritas NetBackup Enterprise Server and Server 6.x OS Software Compatibility List

Digitalization of Kernel Diversion from the Upstream

InstallAnywhere: Requirements

Reproducible Builds. Valerie Young (spectranaut) Linux Conf Australia 2016

The world's leading Provider of open source Enterprise IT products and services Rainer Liedtke

Rebootless kernel updates

Trends in Open Source Security. FOSDEM 2013 Florian Weimer Red Hat Product Security Team

Oracle Ksplice for Oracle Linux

Support Lifecycle Policy

Fouad Riaz Bajwa. Co-Founder & FOSS Advocate FOSSFP - ifossf International Free and open Source Software Foundation, MI, USA.

Eclipse on Linux Distributions Project

Expert Days SUSE Manager

ServerReady and Open Standards Accelerating Delivery

Linux Datacenter Guide READ ONLINE

SOFTWARE UNIT 1 PART B C O M P U T E R T E C H N O L O G Y ( S 1 O B J A N D O B J 3-2)


RTI Analyzer. Release Notes

Introduction To Linux. Rob Thomas - ACRC

P a g e 1. Teknologisk Institut. Online kursus k SysAdmin & DevOps Collection

From Zero to Hero. IBM Client for Smart Work

Advanced Supercomputing Hub for OMICS Knowledge in Agriculture. Help to Access Discovery Studio v- 4.1

Reboot Reloaded. Patching the Linux Kernel Online. Vojtěch Pavlík. Dr. Udo Seidel. Director SUSE Labs SUSE

MariaDB: Community Driven SQL Server. Kristian Nielsen MariaDB developer Monty Program AB

Vulnerability Management

Upgrading Software with IBM Content Manager Enterprise Edition Version 8.6

IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole discretion.

Linux Datacenter Guide

Using DATA Files for IBIS-AMI Models. Lance Wang DesignCon IBIS Summit Santa Clara, CA, USA Feburary 3 rd, 2017

Open Enterprise & Open Community

Patching and Updating your VM SUSE Manager. Donald Vosburg, Sales Engineer, SUSE

Vembu BDR Suite v System Requirements

Nexenta, OpenStorage and Commercial Open Source. Anil Gulecha Developer / Community Lead, Nexenta Core Platform

#jenkinsconf. Managing jenkins with multiple components project. Jenkins User Conference Israel. Presenter Name Ohad Basan

Define Your Future with SUSE

Linux in the nuclear industry

PCS Cloud Solutions. Create highly-available, infinitely-scalable applications and APIs

Oracle Linux, Virtualization & OEM12 Discussion Sahil Mahajan / Sundeep Dhall

Introduction to Software Defined Infrastructure SUSE Linux Enterprise 15

MRU Secure Remote Access Service (SRAS) External User Guide

Tango - Icalepcs 2009 ESRF

Uninstalling And Manually Install Vmware Tools Ubuntu Guest

Lecture 1 Niyaz M. Salih

Introduction to Standards based approach to Server

The only open-source type-1 hypervisor

Harbor Registry. VMware VMware Inc. All rights reserved.

OpenPrinting Plenary. 15 May 2017 Joint PWG/OpenPrinting Summit F2F Wild Palms Hotel in Sunnyvale, CA

WebApp S/MIME Manual. Release Kopano

How To Install Java Manually Linux Terminal Server 2008

OPERATING SYSTEMS AND APPLICATIONS

Good Enough: Virtualisation on a Budget

LINUX KERNEL UPDATES FOR AUTOMOTIVE: LESSONS LEARNED

Deep Security 9.5 SP1 Supported Features by Platform

ArcGIS Engine Developer Kit System Requirements

OPNFV overview and Edge Cloud

Introductory Visualizing Technology

Operating system hardening

Qualys Release Notes

Designing the Stable Infrastructure for Kernel-based Virtual Machine using VPN-tunneled VNC

T Multimedia Programming. Different Operating Systems and their Multimedia Support

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

Fedora Linux Toolbox: Commands For Fedora, CentOS And Red Hat Power Users By Christopher Negus;Francois Caen READ ONLINE

Oracle Social Network

Transcription:

Elivepatch Flexible distributed Linux Kernel live patching Alice Ferrazzi 1

Summary Live patch explanation Current live patch services Motivation for elivepatch Elivepatch solution Implementation Challenge Status Future Work Conclusion 2

kernel :~ $ whoami Gentoo Gentoo Kernel Project Leader Gentoo Kernel Security Gentoo board member Gentoo Google Summer of Code administrator and mentor for rust Gentoo project Cybertrust Japan OSS Embedded Software Engineer Researcher ACM SIGOPS member Presented elivepatch as poster at SOSP 2017 3

This project was part of Google Summer of Code 2017 for the Gentoo organization. 4

Live patch explanation 5

Live patch Modify the kernel without the need to reboot. 6

Why - Downtime is expensive (containers, supercomputers) - Security (vulnerability time shorter) 7

Where - Embedded - Mobile - Desktops - HPC (complex scientific computations) - Cloud - Any computer under heavy load 8

What 9

Kgraft Suse Open Source live patching system that is routing the old function gradually. 10

Kpatch Red Hat Open Source live patching system and use ftrace and stop_machine() for route functions toward the new function version. 11

Livepatch Livepatch is a hybrid of kpatch and kgraft. Livepatch has been merged into the kernel upstream. Kpatch-build can work with both kpatch and livepatch for creating the live patch. 12

Livepatch is just a module 13

... 14

Livepatch module problem A module that takes just about 1+ hour to compile in a modern server 15

At Gentoo, we know what means to compile something for more than 1 hour 16

17

Gentoo solution to compile for 1+ hour compilation problem Gentoo binary host Pre-compiled binary 18

What options do we have for compiling livepatch modules? 19

Current existing livepatch services 20

Current vendor solutions Oracle, Ksplice (support only Oracle Linux kernels) Suse Linux Enterprise Live Patching (support only Suse Kernels for one year) Canonical Live Patch (support only Ubuntu 16.04 LTS and Ubuntu 14.04 LTS) Red Hat live patch (Support only Red Hat kernel) 21

Motivation for elivepatch 22

Problems of vendor solutions trusting on third-party vendors Lacking support for custom kernel configurations Lacking support for request-driven costumization Lacking long term support Closed source 23

elivepatch solution 24

elivepatch A web service framework to deliver Linux kernel live patches Supports custom kernel configurations User participation via request-driven customization Open source 25

Vendor solutions representation 26

Elivepatch solution 27

Implementation 28

Elivepatch-server (Main language: Python) Flask + Flask-Restful + Werkzeug (not dependent) Elivepatch-client (Main language: Python) Requests + GitPython 29

Challenges 30

Challenges with elivepatch Some patches require manual modification to converted to live patches Reproducing the build environment can be difficult: Differences in compiler versions Variations in the compiler and optimization flags Incompatible machine architectures (solaris, hpc) 31

Incompatibility with GCC CCFLAGS and non vanilla gcc, can sometime broke elivepatch. 32

Current status 33

Elivepatch status First open source release 0.1 on 2017/9/06 Packaged for Gentoo Presented as poster at SOSP 2017 Close collaboration with kpatch mainteiners 34

Future work 35

Future work Automate livepatch conversion Increasing scalability using containers and virtual machines Livepatch signing Kernel CI\CD check 36

Automate livepatch conversion - Check patch for problems during conversion - Suggest changes to patch for conversion - Interest also for upstream to kpatch https://github.com/aliceinwire/elivepatch_lintian 37

Multi distribution Solve distributions compatibility issues Current target: Debian Fedora Gentoo Android 38

Elivepatch client on Debian Work in progress https://asciinema.org/a/187738 p.s. Gentoo kernel is still needed 39

Livepatch signing Implementing livepatch module signing in the server Implementing signing verification for the client 40

Kernel CI/CD checking Implement a buildbot plugin for testing elivepatch [You can test your livepatch with the same settings and hardware as where you want to deploy it] 41

Conclusion 42

Epilogue Live patch is a module that takes time compiling Live patch vendor service solutions solving the compilation problem Elivepatch solution 43

Conclusion With the diffusion of embedded systems and robotics, Livepatch services will become always more important 44

If you are interested in contributing, Elivepatch is welcoming every form of contributions 45

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback