DOCSLIB.ORG

Ksplice: an Automatic System for Rebootless Kernel Security Updates

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Ksplice: an Automatic System for Rebootless Kernel Security Updates Ksplice: An automatic system for rebootless kernel security updates Jeffrey Brian Arnold Massachusetts Institute of Technology [email protected] Abstract of many kernels), they create and distribute a patch, Ksplice∗ allows system administrators to apply security which consists of a set of changes to the source code. In patches to their operating system kernels without hav- the case of a kernel change, software vendors or system ing to reboot. Based on a source code patch and the administrators apply the patch to their copy of the source kernel source code to be patched, Ksplice applies the code, build a new kernel, and then distribute that new patch to the corresponding running kernel, without re- binary kernel to servers and end-user machines, which quiring work from a programmer. To be fully automatic, must be rebooted in order to run the new kernel. Ksplice’s design is limited to patches that do not intro- Safely performing a hot update, instead of a traditional duce semantic changes to data structures, but a study of update, on an unmodified C program currently requires all significant x86-32 Linux security patches from May significant programmer involvement. Existing hot up- 2005 to May 2008 finds that only nine patches of 65 date practices, described in Section 5, rely on a program- make semantic changes. An evaluation with Debian and mer to write source code files with certain properties kernel.org Linux kernels shows that Ksplice can auto- (e.g., [7, 20]) or require manual inspection of the running matically apply the remaining 56 patches, which means binary to achieve safety guarantees and resolve ambigu- that 86% of the Linux kernel vulnerabilities from this in- ous symbols (e.g., [1]). terval can be corrected by Ksplice without the need for Requiring significant programmer involvement in cre- rebooting. ating a hot update increases both the cost and the risk of the update, which discourages the adoption of hot up- dates. Ideally, we would like to be able to safely con- 1 Introduction struct hot updates, with no human involvement, from ex- isting information, such as the patch used to correct the Several contemporary operating systems release kernel security vulnerability. security patches many times per year. Some of these kernel patches repair vulnerabilities which would other- Although performing an arbitrary source code change wise potentially allow an attacker to gain full adminis- as a hot update is not feasible without a programmer trator privileges on the operating system. Applying these writing new code to perform the transition, some patches security patches typically requires rebooting the kernel, can safely be performed as a hot update based solely on which results in downtime and loss of state (e.g., all ac- the source code differences. Specifically, we have suf- tive network connections). Since rebooting can cause ficient information for a hot update when a patch does disruption, system administrators often delay perform- not make semantic changes to data structures—that is, ing security updates, despite the risk of compromises. changes that would require existing instances of kernel This paper describes and evaluates Ksplice, a system for data structures to be transformed (e.g., a patch that adds performing hot updates, which change a running kernel a field to a global data structure would require the ex- without rebooting it. isting data structures to change). Since kernel security When software developers correct a security problem patches tend to make as few software modifications as in the source code of a C program (which is the language possible, we can expect many of these patches to make no semantic changes to data structures. ∗ Ksplice is free software, and its documentation is free. This paper focuses on developing techniques for safely You can redistribute and/or modify this document under the terms of the GNU General Public License, version 2. See performing hot updates without programmer involve- <http://web.mit.edu/ksplice> for more information. ment, in the common case that the security patch does 1 not make semantic changes to data structures. This prob- approach for constructing hot updates and an evalua- lem contains several challenges that have not been solved tion of this system against Linux security patches. This by previous hot update systems, and effectively solving Ksplice evaluation is, to our knowledge, the first eval- these problems helps many hot update systems (not just uation of any kernel hot update system against a com- systems that focus on patches without semantic changes prehensive list of the significant security vulnerabilities to data structures). The techniques that we describe are, within a commodity operating system over a period of compared to previous work, oriented much more towards time. We believe that this evaluation clearly demon- analysis at the object code level, which offers various ad- strates that hot updates currently have the potential to vantages, as described in Section 2 and Section 5. eliminate most kernel security reboots, while requiring Ksplice can, without restarting the kernel, apply any little additional work from any programmer. source code patch that only needs to modify the kernel The rest of this paper is organized as follows: The next text (including patches to kernel modules and assembly section presents Ksplice’s design for performing hot ker- files). Unlike other hot update systems, Ksplice takes as nel updates. Section 3 describes Linux-specific imple- input only a source code patch and the original kernel mentation considerations. Section 4 tests Ksplice against source code, and it updates the running kernel correctly, security patches from May 2005 to May 2008. Section 5 with no further human assistance required. and Section 6 relate Ksplice to previous work and ker- Ksplice does not require any preparation before the nel developer community discussions. Section 7 sum- system is originally booted. The running kernel does marizes our conclusions and directions for future work. not need to have been specially compiled, for example. Other hot update systems require a special kernel de- sign [3, 4], require a customized compiler [1, 21], or re- 2 Design quire a virtual machine monitor [7]. The performance impact of inserting a Ksplice update To apply a patch, Ksplice replaces all of the functions into a kernel is minimal. A small amount of additional that the patch changes. If any code within a function kernel memory, proportional to the size of the replace- is patched, then Ksplice will replace the entire function. ment functions, will be expended, and function calls to Ksplice replaces a function by linking the patched ver- the replaced functions will take a few cycles longer be- sion of the function into the kernel’s address space and cause of inserted jump instructions. On modern systems, by causing all callers of the original function to invoke this overhead should be negligible in most situations. the patched version. Ksplice replaces entire functions Although generating a Ksplice hot update from a com- since they tend to have a well-defined entry point, at the patible patch requires no human effort, Ksplice requires beginning of the function, which is convenient for redi- a person to perform a single check before invoking recting execution flow away from an obsolete function to Ksplice: a person is expected to confirm that the target a replacement function. security patch does not make any semantic changes to Although replacing entire functions is relatively con- data structures. Performing this check requires only sec- venient, this replacement must be done with care. It onds or a few minutes for most security patches. This involves generating the object code for the patched check is much simpler than the programmer work re- function, resolving symbols in the object code of the quired by other hot update systems. patched function, stopping the kernel temporarily, rewrit- We implemented Ksplice for Linux, but the techniques ing the initial instructions in the obsolete function to that Ksplice employs apply to other operating systems. point callers at the patched function, and starting the ker- To evaluate Ksplice’s approach, we applied Ksplice to nel again. The rest of the section discusses how Ksplice 65 Linux patches for kernel security vulnerabilities from performs these operations. May 2005 to May 2008. The 65 include all documented x86-32 Linux kernel vulnerabilities from this time inter- 2.1 Overview val with greater consequences than denial of service. We applied the patches to five different running Debian ker- Ksplice accepts as input the original kernel source code nels and six different running kernel.org kernels. Of the and a source code patch. Through a multi-stage process, 65 patches, nine make semantic changes and cannot be Ksplice uses this input to create a kernel module that con- applied by Ksplice. The remaining 56 of the 65 patches tains the patched functions (see Figure 1). Most of the can be applied using Ksplice without the need for re- stages of this process make few assumptions about the booting, which is a significant advance over the current underlying operating system. The design assumes a rea- state in which system administrators always have to re- sonable binary format for object code and a basic facility boot their systems. for kernel modules. In order to make our examples spe- The contributions of this paper are a new binary-level cific, we assume in our discussion that the object code 2 function signature changes, changes to functions with static local variables, and changes to assembly files, fea- tures which are notably missing from other hot update work [1]. Third, Ksplice’s binary comparison techniques avoid a subtle problem with inline functions. This problem af- fects other hot update systems that, like Ksplice, are de- signed to update programs that were compiled without foresight of the update system.
Load more

Recommended publications
  • Oracle® Linux Administrator's Solutions Guide for Release 6
    Oracle® Linux Administrator's Solutions Guide for Release 6 E37355-64 August 2017 Oracle Legal Notices Copyright © 2012, 2017, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S.
    [Show full text]
  • Adaptive Android Kernel Live Patching
    Adaptive Android Kernel Live Patching Yue Chen Yulong Zhang Zhi Wang Liangzhao Xia Florida State University Baidu X-Lab Florida State University Baidu X-Lab Chenfu Bao Tao Wei Baidu X-Lab Baidu X-Lab Abstract apps contain sensitive personal data, such as bank ac- counts, mobile payments, private messages, and social Android kernel vulnerabilities pose a serious threat to network data. Even TrustZone, widely used as the se- user security and privacy. They allow attackers to take cure keystore and digital rights management in Android, full control over victim devices, install malicious and un- is under serious threat since the compromised kernel en- wanted apps, and maintain persistent control. Unfortu- ables the attacker to inject malicious payloads into Trust- nately, most Android devices are never timely updated Zone [42, 43]. Therefore, Android kernel vulnerabilities to protect their users from kernel exploits. Recent An- pose a serious threat to user privacy and security. droid malware even has built-in kernel exploits to take Tremendous efforts have been put into finding (and ex- advantage of this large window of vulnerability. An ef- ploiting) Android kernel vulnerabilities by both white- fective solution to this problem must be adaptable to lots hat and black-hat researchers, as evidenced by the sig- of (out-of-date) devices, quickly deployable, and secure nificant increase of kernel vulnerabilities disclosed in from misuse. However, the fragmented Android ecosys- Android Security Bulletin [3] in recent years. In ad- tem makes this a complex and challenging task. dition, many kernel vulnerabilities/exploits are publicly To address that, we systematically studied 1;139 An- available but never reported to Google or the vendors, droid kernels and all the recent critical Android ker- let alone patched (e.g., exploits in Android rooting nel vulnerabilities.
    [Show full text]
  • Protecting Your Linux Systems with Oracle Ksplice
    Staying Ahead of Cyberthreats: Protecting Your Linux Systems with Oracle Ksplice The Advantages Of Zero-Downtime Patching April 23, 2020 Copyright © 2020, Oracle and/or its affiliates Public TABLE OF CONTENTS Introduction 2 Why Patching Matters 2 About Oracle Ksplice 3 Other Benefits 3 Conclusion 4 Learn More 4 1 WHITE PAPER | Staying Ahead of Cyberthreats: Protecting Your Linux Systems Copyright © 2020, Oracle and/or its affiliates |Public INTRODUCTION IT systems require regular patching for security, performance, and compliance reasons. For Linux operating system (OS) kernel updates, which include “Availability requirements important new security enhancements and bug fixes, releases happen about 1 are on the rise for once per month. These updates help keep systems current with the latest organizations undergoing innovations. However, manually patching systems has many inherent digital transformations. challenges and difficulties which tends to delay their timely application. For this Downtimes are costly, reason, zero-downtime patching solutions for Linux, like Oracle Ksplice, are with unplanned becoming essential tools. In this paper, Oracle Ksplice’s capabilities and many infrastructure downtimes advantages are explained. costing $100,000 per hour on an average. With Why Patching Matters the possibility of every organization being a Inadequate patch management can leave loopholes in the IT infrastructure leading to target for cyberattacks various security and performance issues. Ideally, patches should be applied shortly after and attackers moving very release to ensure the latest system protections. Patching typically requires downtime quickly to exploit system which, depending on operations, can require weeks or months of advanced planning. vulnerabilities, IDC Most Linux patching also traditionally happens at the disk level for file systems, which has recommends several disadvantages.
    [Show full text]
  • Kshot: Live Kernel Patching with SMM and SGX
    KShot: Live Kernel Patching with SMM and SGX Lei Zhou∗y, Fengwei Zhang∗, Jinghui Liaoz, Zhengyu Ning∗, Jidong Xiaox Kevin Leach{, Westley Weimer{ and Guojun Wangk ∗Department of Computer Science and Engineering, Southern University of Science and Technology, Shenzhen, China, zhoul2019,zhangfw,ningzy2019 @sustech.edu.cn f g ySchool of Computer Science and Engineering, Central South University, Changsha, China zDepartment of Computer Science, Wayne State University, Detroit, USA, [email protected] xDepartment of Computer Science, Boise State University, Boise, USA, [email protected] Department of Computer Science and Engineering, University of Michigan, Ann Arbor, USA, kjleach,weimerw @umich.edu { f g kSchool of Computer Science and Cyber Engineering, Guangzhou University, Guangzhou, China, [email protected] Abstract—Live kernel patching is an increasingly common kernel vulnerabilities also merit patching. Organizations often trend in operating system distributions, enabling dynamic up- use rolling upgrades [3], [6], in which patches are designed dates to include new features or to fix vulnerabilities without to affect small subsystems that minimize unplanned whole- having to reboot the system. Patching the kernel at runtime lowers downtime and reduces the loss of useful state from running system downtime, to update and patch whole server systems. applications. However, existing kernel live patching techniques However, rolling upgrades do not altogether obviate the need (1) rely on specific support from the target operating system, to restart software or reboot systems; instead, dynamic hot and (2) admit patch failures resulting from kernel faults. We patching (live patching) approaches [7]–[9] aim to apply present KSHOT, a kernel live patching mechanism based on patches to running software without having to restart it.
    [Show full text]
  • Porting Linux Embedded Linux Conference (Europe)
    Porting Linux Embedded Linux Conference (Europe) Porting Linux About Jon Masters ● Been playing with Linux for 14 years (and the kernel for 13 of those), since the age of 13. ● Built embedded NMR scientific instruments, worked with Montavista UK, now at Red Hat. ● Author of the LKML Summary Podcast and the kernel column in Linux User & Developer. ● Co-author of Building Embedded Linux Systems (second edition) – O'Reilly (2008) ● My car still has an empeg :) Porting Linux Overview ● Why port Linux anyway? ● Background pre-requisities ● Early board work ● Bootloader bringup ● Initial kernel bringup ● Debugging ● Working with Upstream ● Trends Porting Linux Why port Linux anyway? ● Linux is very portable ● Supports 23 architectures in the upstream “mainline” kernel tree of Linus Torvalds. ● Kernel is mostly written in C, with some assembly (most architectures only need a dozen such files) ● Split between high-level generic functions and low- level functions to abstract architectural differences. Porting Linux Why port Linux anyway? ● Linux is competitive ● The number of Linux kernel developers contributing to the official kernel has tripled since 2005. ● Feature growth continues with an average of 10K new lines of source code added every day. ● In the hour you spend here 5.45 patches will on average be added to the upstream Linux kernel. ● Source: Linux Foundation analysis Porting Linux Why port Linux anyway? ● Linux is cost effective. ● A large amount of code to build upon. ● Large (growing) community of developers. ● I think we all know the rest. Porting Linux Background pre-requisities ● Hardware ● Development board or simulator – Optional debugger, some kind of UART – Boards range in value from $200-$crazy – Implement the same architecture and platform as the final design but maybe with a number of hacks.
    [Show full text]
  • Oracle Linux System Administration I
    Oracle Linux System Administration I Dieser Kurs im Web Die Schulung hilft Ihnen, eine Reihe von Fähigkeiten zu entwickeln, einschließlich der Installation, der Verwendung des Unbreakable Enterprise Kernel, der Alle tagesaktuellen Informationen Konfiguration von Linux-Diensten, der Vorbereitung des Systems für die Oracle- und Möglichkeiten zur Bestellung finden Sie unter dem folgenden Link: Datenbank, der Überwachung und der Fehlerbehebung. www.experteach.de/go/026S Nach diesem Kurs verfügen Sie über das Wissen und die Fähigkeiten, typische Vormerkung Probleme von Administratoren zu lösen, und verstehen das Kernel- Sie können auf unserer Website einen Platz Entwicklungsmodell und die Linux-Distributionen. Machen Sie sich damit vertraut, kostenlos und unverbindlich für 7 Tage reservieren. wie Oracle Linux Ihnen die neuesten Linux-Innovationen bietet, die extreme Dies geht auch telefonisch unter 06074 4868-0. Leistung, erweiterte Skalierbarkeit und Zuverlässigkeit für Garantierte Kurstermine Unternehmensanwendungen und -systeme ermöglichen. Für Ihre Planungssicherheit bieten wir stets eine große Auswahl garantierter Kurstermine an. Kursinhalt • Course Introduction Ihr Kurs maßgeschneidert • Introduction to Oracle Linux Diesen Kurs können wir für Ihr Projekt exakt an • Installing Oracle Linux 7 Ihre Anforderungen anpassen. • Oracle Linux 7 Boot Process • System Configuration • Package Management • Ksplice • Automate Tasks • Kernel Module Configuration • User and Group Administration • Partitions, File Systems, and Swap • Implementing the XFS File System • Implementing the Btrfs File System • Storage Administration • Network Configuration • File Sharing • OpenSSH Service • Security Administration • Oracle on Oracle • System Monitoring E-Book Sie erhalten die englischsprachigen Original-Unterlagen in Form eines Oracle University eKits. Zielgruppe • System Administrator • Linux Administrator • Entwickler Voraussetzungen • Arten von Benutzerkonten & Arbeiten mit Dateien und Verzeichnissen unter Unix • Textbearbeitung mit vi & Unix-Prozesskontrolle Training Preise zzgl.
    [Show full text]
  • Oracle Ksplice for Oracle Linux
    Oracle Ksplice for Oracle Linux Oracle Corporation Oracle Corporation Oracle Ksplice Oracle Ksplice is an exciting new addition to the Oracle Linux Premier Support subscription. The Oracle Ksplice technology allows customers to update their systems with new kernel security errata (CVEs) without the need to reboot the system. This allows customers to remain current with their OS vulnerability patches while at the same time minimizing downtime. Oracle Ksplice actually actively applies these updates to the running kernel image, not just an on-disk change that would only take effect after a subsequent reboot. As a general rule, the Linux kernel receives security updates approximately once a month. For any general purpose Operating System on the market today, applying these updates requires the system administrator to schedule downtime and reboot the server into the new OS kernel with the security updates. As system setups become more and more complex with multi-system interdependencies, the ability to schedule reboots is becoming more and more difficult and costly. Oracle Ksplice is available as part of the Oracle Linux Premier and Premier Limited support subscriptions. It is also part of the Oracle Premier Support for Systems and Operating Systems subscriptions offering. Oracle Linux Basic, Basic Limited and Network Support subscribers can contact their sales representatives to discuss potential upgrade of their subscription to a Premier Support plan. Another requirement for the Oracle Ksplice updates, is the use of the Oracle Unbreakable Enterprise Kernel(UEK). The lowest Linux kernel version at time of writing is 2.6.32-100.28.9. This kernel (and newer) can be installed on both Oracle Linux(OL) 5 and 6 distribution versions.
    [Show full text]
  • Oracle Linux and the Unbreakable Enterprise Kernel, Including Premier
    ORACLE DATA SHEET Oracle Linux The Oracle Linux operating system is engineered for open cloud infrastructure. It delivers leading performance, scalability, reliability and security for enterprise SaaS and PaaS workloads as well as traditional enterprise applications. Oracle Linux Support offers access to award-winning Oracle support resources and Linux support specialists, zero-downtime updates using Ksplice, additional management tools such as Oracle Enterprise Manager and lifetime support, all at a low cost. Unlike many other commercial Linux distributions, Oracle Linux is easy to download and completely free to use, distribute and update. KEY FEATURES Latest Linux Innovations • Free to use, free to distribute, free to Oracle Linux comes with a choice of two kernels, the Unbreakable Enterprise Kernel update (UEK), which is installed and enabled by default, and the Red Hat Compatible Kernel. • Zero-downtime kernel, hypervisor UEK tracks the latest Linux kernel releases, supplying more innovation than other and user space updates with Ksplice commercial Linux kernels while providing binary compatibility with applications certified • Comprehensive kernel and to run on Red Hat Enterprise Linux. UEK is designed for enterprise workloads requiring application tracing with DTrace stability, scalability and performance, such as Oracle Database. • Linux management and high availability included at no additional Oracle Linux delivers advanced features for supporting and optimizing the latest charge for Oracle Linux Support enterprise hardware and software. For example: customers • Optimized for Oracle, including Ksplice Zero Downtime Updates – Available to Oracle Linux Premier Support Oracle Database and Oracle customers, Ksplice technology updates the kernels, hypervisors and critical user Applications space libraries without requiring a reboot or interruption.
    [Show full text]
  • Oracle Linux Ksplice Hands‑On LAB
    Oracle Linux Ksplice Hands‑on LAB This hands‑on lab takes you through several steps on how‑to provide zero downtime kernel updates to your Oracle Linux server thanks to Oracle Ksplice, the service and utility capable of introducing hot‑patch capabilities for Kernel, Hypervisor and User‑Space components like glibc and openssl. The entire hands‑on lab runs on an Oracle VM VirtualBox virtual machine based on Oracle Linux 7.4, it receives the Ksplice updates from a local repository. In the lab we do the following steps: Inspect the kernel and search for vulnerabilities Perform Local Denial of Service attack based on found vulnarability (CVE‑14489) Apply Ksplice kernel patches as rebootless updates The Ksplice client is available in online or offline mode, in this hands‑on lab we use the offline Ksplice client. The offline version of the Ksplice client removes the requirement that a server on your intranet has a direct connection to the Oracle Ksplice server or to Unbreakable Linux Network (ULN). All available Ksplice updates for each supported kernel version or user‑space package are bundled into an RPM that is specific to that version. This package is updated every time a new Ksplice patch becomes available for the kernel. Preparation First, import the Virtual Machine template in VirtualBox on your laptop, use the preconfigured OVA template from the instructor. There are two versions: oraclelinux-7.4-kspliceoffline (CLI version) oraclelinux-7.4-gui_kspliceoffline (GUI version) Depending on your preference install one of the VMs and when imported start the VM with a normal start.
    [Show full text]
  • Ksplice – Is Rebooting Your Oracle Linux Database Server Now Obsolete?
    Ksplice – Is Rebooting Your Oracle Linux Database Server Now Obsolete? Robert Bialek Trivadis GmbH Munich, DE Keywords: Ksplice, Ksplice Uptrack, Uptrack API, Oracle Enterprise Linux, Zero Downtime Kernel Patches, High Availability, Dynamic Software Updating, ELSA, ELBA. Introduction Applying important Linux kernel patches and security updates might be a painful task. While many operating system updates are online and might be applied without disrupting the running services, the operating system kernel is always an exception. To activate the new version of the installed patched kernel a reboot is required, which leads to a service outage as well as loss of all software states on that server. Moreover, in case of a problem with the new version, a fallback to the old kernel would again lead to a server downtime. Ksplice patches are mostly well-known as a way to address very efficiently and quickly a kernel security bug. But actually, they are more than that. A detailed look at the released Ksplice patches reveals that they also include many fixes for critical kernel bugs. Furthermore, Ksplice technology is not only limited to security or critical kernel bugs – it can also be used by Oracle Support to create online kernel diagnostic patches which help to turn, on demand, the running kernel into a debug mode. For kernel bugs or CVEs (Common Vulnerabilities and Exposures) classified by Oracle as important, appropriate Ksplice patches will be created and made available via ULN (Unbreakable Linux Network). This paper will describe how to use and configure Ksplice to apply or rollback Oracle Enterprise Linux kernel patches without rebooting.
    [Show full text]
  • Oracle and Lenovo X6 Validated Configuration Guide
    Front cover Oracle and Lenovo X6 Validated Configuration Guide Read about the validated Take advantage of the bold, configurations you can use in your cost-effective benefits of scale-up environment today topology Understand the significant value of Save energy, time, and more, by configurations validated by applying these validations in your industry leaders environment Randall Lundin Ajay Dholakia John Encizo Karen Lawrence Abstract This paper describes a validated reference configuration to successfully implement Oracle Database 12c running on Oracle Linux 7.2 and Oracle Unbreakable Enterprise Kernel (UEK), and hosted on a clustered pair of Lenovo System x3950 X6 servers. This configuration is intended for enterprise-level businesses with scaled-up, converged infrastructures, in which cost-effectiveness and productivity are a must. This paper explains the benefits of a scale-up Oracle database solution based on the 8-socket System x3950 X6 servers. It describes the validation process and the exact configuration used in the testing. The paper also provides additional information on the testing methodology and the tools used. This paper and the validated configuration it describes is for enterprise customers looking to implement a high-performance fault-tolerant Oracle solution. Contents Executive summary . 3 Key takeaways . 3 The cost-effective benefits of scale-up topology . 4 Scope of the Oracle Validated Configuration Program . 6 Key configurations, products, and tools . 6 Key validation tool: Oracle Linux Test . 10 Validated configuration. 11 Additional guidance . 13 Conclusions . 16 About the authors. 16 Notices . 17 Trademarks . 18 2 Oracle and Lenovo X6 Validated Configuration Guide Executive summary This paper describes a collaboration by subject matter experts from Lenovo® and Oracle.
    [Show full text]
  • Oracle Linux Virtualization Manager
    Oracle Linux Virtualization Manager Oracle Linux Virtualization Manager is a server virtualization management platform that can be easily deployed to configure, monitor, and manage an Oracle Linux Kernel-based Virtual Machine (KVM) environment. Oracle Linux Key Features KVM and Oracle Linux Virtualization Manager provide a modern, open source, Leading high performance alternative to proprietary server virtualization solutions price/performance with zero licensing costs. using a modern, low overhead An Oracle Linux Premier Support subscription provides customers access to architecture based award-winning Oracle support resources for Oracle Linux Virtualization on the KVM hypervisor Manager, KVM, Oracle Linux, zero-downtime patching with Ksplice, cloud Self-Hosted native tools such as Kubernetes and Kata Containers, clustering tools, Oracle Engine offers a Linux Manager, and Oracle Enterprise Manager. All this and lifetime software hyper-converged management support is included in a single cost-effective support offering. For customers solution with high with an Oracle Cloud Infrastructure subscription, Oracle Linux Premier availability for the support is included at no additional cost. Unlike many other commercial Linux Manager distributions, Oracle Linux is easy to download and completely free to use, Full REST API allows greater distribute, and update. automation and interoperability Oracle Linux KVM Support for secure live migration and Starting with Oracle Linux Release 7 with the Unbreakable Enterprise Kernel (UEK) Release storage live 5, Oracle Linux KVM has been enhanced to deliver leading performance and security for migration hybrid and multi-cloud deployments. Users can take a previously deployed Oracle Linux VM high system and turn the operating environment into a KVM host, or a KVM configuration can availability be set up from a base Oracle Linux installation.
    [Show full text]