FUT92715 Solve the Paradox SUSE Linux Enterprise Live Patching Roadmap


FUT92715 Solve the Paradox: SUSE Linux Enterprise Live Patching Roadmap

Tuesday, Nov 8, 11:30 AM - 12:30 PM
Friday, Nov 11, 9:00 AM - 10:00 AM

Hannes Kühnemund, SUSE Product Management
Vojtěch Pavlík, Director SUSE Labs

Sound familiar?

[ Streaming Service hosted by 3rd party ]
[ Hoster of an online game ]
[ Hosting Service for Developers ]

LIVE SERVER DOWNTIME - 2.15 IS HERE! UPDATE
Update: We continue to work on server maintenance in advance of upgrading the game version.
Update 2: The issue with our server maintenance continues to take longer than expected.
Update 4: So it turns out that it's a bit harder than we all wished.

Downtime Quiz

Planned downtime:
- Regular cadence (monthly, quarterly, yearly)
- On the weekend
- In alignment with all stakeholders
- Combination of tasks: software updates / configuration, hardware exchange of defect parts, datacenter maintenance / AC
- Optimizable with SUSE Manager

Unplanned downtime:
- No cadence
- Usually on Christmas Day
- No alignment with stakeholders
- Only one particular problem fixed
- Optimizable with various technologies available

Minimize Unplanned Downtime
- UPS
- RAS
- System Rollback
- RAID
- High Availability and GEO
- Virtualization
- Load Balancer
- ?

Strike the balance?
- No Downtime
- Security

Since 2005, more than 75 data breaches in which 1,000,000 or more records were compromised have been publicly disclosed. But what about the non-disclosed ones?

Vulnerabilities

Year   # vulnerabilities
2010   4258
2011   3532
2012   4347
2013   4794
2014   7038
2015   8822

[Chart of the yearly totals, 2010 to 2015, axis 2000 to 10000]
[Chart "Vulnerability type 2015": Operating System, Browsers, Mobile Devices, Applications; shares shown: 28%, 38%, 18%, 16%]

Rank   Operating System                # vulnerabilities 2015
1      Apple OS X                      384
2      Microsoft Windows Server 2012   155
3      Canonical Ubuntu Linux          152
4      Microsoft Windows 8.1           151
...
11     The                             77

Source: [http://www.cvedetails.com] & [https://nvd.nist.gov/] & [http://www.gfi.com/blog/2015s-mvps-the-most-vulnerable-players/]

In a data center, not so long ago

CVE: Common Vulnerabilities and Exposures. It is a standard naming scheme used by the NVD.
NVD: National Vulnerability Database (https://nvd.nist.gov/)

[Timeline figure, December 2015 to September, built up over a sequence of slides. The first row is dated Nov-11, 2015. Each "Reboot" step adds the next dated row: Dec-11, 2015, then Jan-15, Feb-10, Mar-22, Jun-09, Aug-16 and Sep-12. New CVEs are added between the reboots. The completed figure lists these CVEs per row:]

Nov-11, 2015  CVE-2015-6937 CVE-2015-7872 CVE-2015-7990 CVE--0728 CVE--0758 CVE--0774 CVE--1583 CVE--2053 CVE--2384 CVE--3134 CVE--4470 CVE--4565 CVE--4997 CVE--5829 CVE--6480
Dec-11, 2015  CVE--0728 CVE--0758 CVE--0774 CVE--1583 CVE--2053 CVE--2384 CVE--3134 CVE--4470 CVE--4565 CVE--4997 CVE--5829 CVE--6480
Jan-15,       CVE--0758 CVE--0774 CVE--1583 CVE--2053 CVE--2384 CVE--3134 CVE--4470 CVE--4565 CVE--4997 CVE--5829 CVE--6480
Feb-10,       CVE--0758 CVE--0774 CVE--1583 CVE--2053 CVE--2384 CVE--3134 CVE--4470 CVE--4565 CVE--4997 CVE--5829 CVE--6480
Mar-22,       CVE--0758 CVE--1583 CVE--2053 CVE--3134 CVE--4470 CVE--4565 CVE--4997 CVE--5829 CVE--6480
Jun-09,       CVE--0758 CVE--2053 CVE--4470 CVE--4565 CVE--4997 CVE--5829 CVE--6480
Aug-16,       CVE--0758 CVE--2053 CVE--4470 CVE--4565 CVE--5829 CVE--6480
Sep-12,       CVE--6480

Sample data taken on Sept-15,

That reminds me of...

CVEs...? So what...?
- CVE--0728: gain privileges or cause a denial of service
- local users can bypass intended access restrictions
- gain privileges or cause a denial of service
- CVE-2015-7990: allows local users to cause a denial of service
- CVE-2015-7872: local users can cause a denial of service (OOPS)
- CVE-2015-6937: local users can cause a denial of service (NULL pointer dereference and system crash)
- local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic)
...

Can't we patch software while it runs? Mankind already flew to the moon

Minimize Unplanned Downtime
- UPS
- RAS
- System Rollback
- RAID
- High Availability and GEO
- Virtualization
- Load Balancer
- Live Patching

Dynamic Software Updates

Trinity Test 1945 (Manhattan Project)
- IBM punch card automatic calculators were used to crunch the numbers
- A month before the Trinity nuclear device test, the question was: What will the yield be, how much energy will be released?
- The calculation would normally take three months to complete, recalculating any batches with errors
- Multiple colored punch cards introduced to fix errors in calculations while the calculator was running

Modern history of kgraft and other DSU technologies

DSU: Dynamic Software Updates
- the goal is to be able to fix bugs and add features either by changing some functions or by replacing the whole program

kgraft
- developed as Open Source project by SUSE Labs

Upstream project klp
- Takes best of both kgraft (SUSE) and kpatch (Red Hat)
- Still in catch up w.r.t. features required by enterprises

[Timeline figure, 1990 to 2015: PoDUS, Gupta, Erlang, Ginseng, UpStare, kpatch, Ksplice, Kitsune, kgraft, klp]

ftrace: return address modification mechanism

Common Pitfalls
- Function Inlining: DWARF to the rescue
- Static Symbols: kernel keeps list: kallsyms
- IPA-SRA (optimization like -O2): gcc optimization log
- Multiple functions / dependencies: consistency model
- Eternal sleepers (getty console 10): send fake signal SIGKGRAFT / ignore
- State transformation (req. for complex fixes): not in kgraft right now
- 3rd party kernel modules: depends on what the module does...

Consistency

Requirement: ensure system consistency when deploying live patches

Freezing the system (kpatch, ksplice):
- stop_kernel();
- check all stacks, whether any thread is stopped within a patched function
- If yes, resume kernel and try again later
- If not, flip the switch on all functions and resume the kernel

Lazy migration (kgraft):
- For each thread separately:
- Present the old version of functions to the thread until it leaves the kernel, then give it the updated version
- Wake sleeping threads up by a special signal. Prevent the signal from reaching userspace
- Once all threads have exited the kernel at least once we're DONE

Do you have better ideas than those two? Join SUSE as Live Patching developer
https://jobs.suse.com/job/prague/live-patching-developer/3486/2529381
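
The two consistency models above, as a small user-space simulation added here for illustration (it is not kgraft, kpatch or ksplice code). The function ids, the struct thread layout, the helper names and the three sample threads are all hypothetical and constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DEPTH 4
#define NTHREADS 3
/* Hypothetical function ids; KEY_LOOKUP is the function being live patched. */
enum { NONE = 0, SYS_READ, VFS_READ, KEY_LOOKUP, SCHEDULE };

struct thread {
    int  stack[DEPTH];  /* kernel call stack, outermost first, NONE-terminated */
    bool asleep;        /* blocked in the kernel, will not leave on its own */
    bool migrated;      /* lazy model: thread already gets the new functions */
};

/* Constructed sample: t0 in unrelated code, t1 running inside the patched
 * function, t2 an "eternal sleeper" blocked inside it. */
static const struct thread sample[NTHREADS] = {
    { { SYS_READ, VFS_READ, NONE },   false, false },
    { { KEY_LOOKUP, NONE },           false, false },
    { { KEY_LOOKUP, SCHEDULE, NONE }, true,  false },
};

/* Thread returns to userspace; under lazy migration this is the point
 * where it switches from the old functions to the patched ones. */
static void leave_kernel(struct thread *t)
{
    t->stack[0] = NONE;
    t->asleep = false;
    t->migrated = true;
}

/* Freezing model: with everything stopped, patch only if no stack holds fn. */
static bool freeze_try_patch(const struct thread *th, int fn)
{
    for (int i = 0; i < NTHREADS; i++)
        for (int d = 0; d < DEPTH && th[i].stack[d] != NONE; d++)
            if (th[i].stack[d] == fn)
                return false;  /* resume kernel and try again later */
    return true;               /* flip the switch on all functions */
}

/* Lazy model: the fake signal pushes sleeping, unmigrated threads out of the
 * kernel; returns how many threads are still shown the old functions. */
static int lazy_pending(struct thread *th, bool send_fake_signal)
{
    int pending = 0;
    for (int i = 0; i < NTHREADS; i++) {
        if (send_fake_signal && th[i].asleep && !th[i].migrated)
            leave_kernel(&th[i]);
        pending += !th[i].migrated;
    }
    return pending;
}

/* Freezing: count failed attempts until every thread is out of KEY_LOOKUP. */
int freeze_failed_attempts(void)
{
    struct thread th[NTHREADS];
    int failed = 0;
    memcpy(th, sample, sizeof th);
    failed += !freeze_try_patch(th, KEY_LOOKUP);  /* t1 and t2 are inside */
    leave_kernel(&th[1]);
    failed += !freeze_try_patch(th, KEY_LOOKUP);  /* t2 is still asleep */
    leave_kernel(&th[2]);                         /* t2 finally wakes up */
    failed += !freeze_try_patch(th, KEY_LOOKUP);  /* succeeds */
    return failed;
}

/* Lazy: t0 and t1 leave the kernel by themselves, t2 needs the signal. */
int lazy_pending_after_exits(bool send_fake_signal)
{
    struct thread th[NTHREADS];
    memcpy(th, sample, sizeof th);
    leave_kernel(&th[0]);
    leave_kernel(&th[1]);
    return lazy_pending(th, send_fake_signal);
}

int main(void)
{
    printf("freezing: %d failed attempts before the switch\n",
           freeze_failed_attempts());
    printf("lazy: %d pending without fake signal, %d with it\n",
           lazy_pending_after_exits(false), lazy_pending_after_exits(true));
    return 0;
}
```

The sleeping thread is the case both models have to deal with: the freezing model keeps failing its stack check until that thread moves, and the lazy model never completes unless the thread is woken.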

Consistency model for KLP?

The chosen model is a merge of kpatch and kgraft
- Combines stack checking and per-thread changes
- Non-intrusive, fast finishing
- Works well already but requires both:

Reliable stack unwinder (needed by kpatch)
- Worked on by Josh Poimboeuf @ Red Hat
- Currently needs FRAME POINTER: up 10% slowdown of kernel execution
- Could use DWARF: complex, being developed by SUSE; speed is a concern; initial implementation removed from upstream
- Takes time

Kernel thread model cleanup (needed by kgraft)
- Worked on by Petr Mladek @ SUSE
- Touches both kthreads and workqueues
- These parts are the critical core
- Needs a lot of good planning and review
- Takes time

Live Patching on ppc64le?
[ http://mpe.github.io/posts//05/23/kernel-live-patching-for-ppc64le/ ]

In a SUSE data center, today ;-)

[Same timeline figure, December 2015 to September, built up over a sequence of slides, this time without any "Reboot" step. The dated rows (Nov-11, 2015; Dec-11, 2015; Jan-15,; Feb-10,; Mar-22,; Jun-09,; Aug-16,; Sep-12,) are added one by one. Each batch of CVEs is shown on every row present at that point and is gone again on the following slide:]

- CVE-2015-6937 CVE-2015-7872 CVE-2015-7990 (row Nov-11, 2015)
- CVE--0728 (rows up to Dec-11, 2015)
- CVE--0774 CVE--2384 (rows up to Feb-10,)
- CVE--1583 CVE--3134 (rows up to Mar-22,)
- CVE--4997 (rows up to Jun-09,)
- CVE--0758 CVE--2053 CVE--4470 CVE--4565 CVE--5829 (rows up to Aug-16,)
- CVE--6480 (rows up to Sep-12,)

Sample data taken on Sept-15,

[The last slide of the sequence shows again the complete per-row CVE lists from "In a data center, not so long ago".]

Key Solution Highlights
- Available for SLES 12 onwards (x86-64)
- Provides fixes for Kernel bugs which affect Security, Stability, Data Integrity
- No runtime performance impact
- No interruption of applications while patching
- Allows full review of patch source code
- Built-in PTF support
- Patches available for most recent maintenance kernels (last 12 months)
- Currently based on kgraft OpenSource project

Where does SLE Live Patching make most sense?... and where not? What's your guess?

[Images: (c) creativecommons.org/licenses/by/3.0; http://cdn.slashgear.com/wpcontent/uploads/2012/10/google-datacenter-tech-21.jpg; SAP HANA; (c) opensuse.org; FUJITSU PRIMEQUEST 2800B, (c) Fujitsu]

Outlook
- SLE Live Patching for ppc64le
- SLE Live Patching for IBM z Systems
- SLE Live Patching for Aarch64
- User Space Live Patching
- Virtualization Live Patching

Your chance to win a 3ft (!) SUSE plush chameleon
- Receive Live Patching 60 day code for FREE here at SUSECON
- Register & logon to http://scc.suse.com
- Activate code (60 day counter starts)
- Add Live Patching to your SLES 12 SPx server by December 31st using eval code
- This lets you join a drawing for the SUSE chameleon
- Drawing happens on February 28
- Winner will be contacted by email
- Chameleon will go on a journey
- After receiving the chameleon, winner sends selfie with chameleon back to SUSE ;-)

References
- One hour of downtime costs $100k for 95% of all enterprises
  http://itic-corp.com/blog/2013/07/one-hour-of-downtime-costs-100k-for-95-of-enterprises/
- Kernel Live Patching for ppc64le
  http://mpe.github.io/posts//05/23/kernel-live-patching-for-ppc64le/
- Forrester: Linux vs. Unix Hot Patching, have we reached the tipping point?
  http://blogs.forrester.com/richard_fichera/16-05-20-linux_vs_unix_hot_patching_have_we_reached_the_tipping_point
- Using Live Patching to patch a running SAP HANA system with zero interruption
  https://www.youtube.com/watch?v=e9kwtfwevlg

Thank you

Hannes Kühnemund, SUSE Product Management
hkuehnemund@suse.com, @hakuehnemund, www.linkedin.com/in/hanneskuehnemund

Vojtěch Pavlík, Director SUSE Labs
vojtech@suse.com