DOCSLIB.ORG

Reducing Downtime Due to System Maintenance and Upgrades Shaya Potter and Jason Nieh – Columbia University

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Reducing Downtime Due to System Maintenance and Upgrades Shaya Potter and Jason Nieh – Columbia University Reducing Downtime Due to System Maintenance and Upgrades Shaya Potter and Jason Nieh – Columbia University ABSTRACT Patching, upgrading, and maintaining operating system software is a growing management complexity problem that can result in unacceptable system downtime. We introduce AutoPod, a system that enables unscheduled operating system updates while preserving application service availability. AutoPod provides a group of processes and associated users with an isolated machine- independent virtualized environment that is decoupled from the underlying operating system instance. This virtualized environment is integrated with a novel checkpoint-restart mechanism which allows processes to be suspended, resumed, and migrated across operating system kernel versions with different security and maintenance patches. AutoPod incorporates a system status service to determine when operating system patches need to be applied to the current host, then automatically migrates application services to another host to preserve their availability while the current host is updated and rebooted. We have implemented AutoPod on Linux without requiring any application or operating system kernel changes. Our measurements on real world desktop and server applications demonstrate that AutoPod imposes little overhead and provides sub-second suspend and resume times that can be an order of magnitude faster than starting applications after a system reboot. AutoPod enables systems to autonomically stay updated with relevant maintenance and security patches, while ensuring no loss of data and minimizing service disruption. Introduction a system administrator chooses to fix an operating sys- tem security problem immediately, he risks upsetting As computers become more ubiquitous in large corporate, government, and academic organizations, his users because of loss of data. Therefore, a system the total cost of owning and maintaining them is administrator must schedule downtime in advance and becoming unmanageable. Computers are increasingly in cooperation with users, leaving the computer vul- networked, which only complicates the management nerable until repaired. If the operating system is problem, given the myriad of viruses and other attacks patched successfully, the system downtime may be commonplace in today’s networks. Security problems limited to just a few minutes during the reboot. Even can wreak havoc on an organization’s computing in- then, users are forced to incur additional inconve- frastructure. To prevent this, software vendors fre- nience and delays in starting applications again and quently release patches that can be applied to address attempting to restore their sessions to the state they security and maintenance issues that have been dis- were in before being shutdown. If the patch is not suc- covered. This creates a management nightmare for cessful, downtime can extend for many hours while administrators who take care of large sets of machines. the problem is diagnosed and a solution is found. For these patches to be effective, they need to be Downtime due to security and maintenance problems applied to the machines. It is not uncommon for sys- is not only inconvenient but costly as well. tems to continue running unpatched software long We present AutoPod, a system that provides an after a security exploit has become well-known [22]. easy-to-use autonomic infrastructure [11] for operat- This is especially true of the growing number of server ing system self-maintenance. AutoPod uniquely appliances intended for very low-maintenance opera- enables unscheduled operating system updates of tion by less skilled users. Furthermore, by reverse commodity operating systems while preserving appli- engineering security patches, exploits are being cation service availability during system maintenance. released as soon as a month after the fix is released, AutoPod provides its functionality without modifying, whereas just a couple of years ago, such exploits took recompiling, or relinking applications or operating closer to a year to create [12]. system kernels. This is accomplished by combining Even when software updates are applied to three key mechanisms: a lightweight virtual machine address security and maintenance issues, they com- isolation abstraction that can be used at the granularity monly result in system services being unavailable. of individual applications, a checkpoint-restart mecha- Patching an operating system can result in the entire nism that operates across operating system versions system having to be down for some period of time. If with different security and maintenance patches, and 19th Large Installation System Administration Conference (LISA ’05) 47 Reducing Downtime Due to System Maintenance and Upgrades Potter and Nieh an autonomic system status service that monitors the machine is maintained and rebooted, further minimiz- system for system faults as well as security updates. ing application service downtime. This enables secu- AutoPod provides a lightweight virtual machine rity patches to be applied to operating systems in a abstraction called a POD (PrOcess Domain) that timely manner with minimal impact on the availability encapsulates a group of processes and associated users of application services. Once the original machine has in an isolated machine-independent virtualized envi- been updated, applications can be returned and can ronment that is decoupled from the underlying operat- continue to execute even though the underlying oper- ing system instance. A pod mirrors the underlying ating system has changed. Similarly, if the service operating system environment but isolates processes detects an imminent system fault, AutoPod can check- from the system by using host-independent virtual point the processes, migrate, and restart them on a new identifiers for operating system resources. Pod isola- machine before the fault can cause the processes’ exe- tion not only protects the underlying system from cution to fail. compromised applications, but is crucial for enabling We have implemented AutoPod in a prototype applications to migrate across operating system system as a loadable Linux kernel module. We have instances. Unlike hardware virtualization approaches used this prototype to securely isolate and migrate a that require running multiple operating system wide range of unmodified legacy and network applica- instances [4, 29, 30], pods provide virtual application tions. We measure the performance and demonstrate execution environments within a single operating sys- the utility of AutoPod across multiple systems running tem instance. By operating within a single operating different Linux 2.4 kernel versions using three real- system instance, pods can support finer granularity world application scenarios, including a full KDE desk- isolation and can be administered using standard oper- top environment with a suite of desktop applications, ating system utilities without sacrificing system man- an Apache/MySQL web server and database server ageability. Furthermore, since it does not run an oper- environment, and a Exim/Procmail e-mail processing ating system instance, a pod prevents potentially mali- environment. Our performance results show that Auto- cious code from making use of an entire set of operat- Pod can provide secure isolation and migration func- ing system resources. tionality on real world applications with low overhead. AutoPod combines its pod virtualization with a This paper describes how AutoPod can enable novel checkpoint-restart mechanism that uniquely operating system self-maintenance by suspending, decouples processes from dependencies on the under- resuming, and migrating applications across operating lying system and maintains process state semantics to system kernel changes to facilitate kernel maintenance enable processes to be migrated across different and security updates with minimal application down- machines. The checkpoint-restart mechanism intro- time. Subsequent sections describe the AutoPod virtu- duces a platform-independent intermediate format for alization abstractions, present the virtualization archi- saving the state associated with processes and Auto- tecture to support the AutoPod model, discuss the Pod virtualization. AutoPod combines this format with AutoPod checkpoint-restart mechanisms used to facili- the use of higher-level functions for saving and restor- tate migration across operating system kernels that ing process state to provide a high degree of portabil- may differ in maintenance and security updates, pro- ity for process migration across different operating vide a brief overview of the AutoPod system status system versions that was not possible with previous service, provide a security analysis of the AutoPod approaches. In particular, the checkpoint-restart mech- system as well as examples of how to use AutoPod, anism relies on the same kind of operating system and present experimental results evaluating the over- semantics that ensure that applications can function head associated with AutoPod virtualization and quan- correctly across operating system versions with differ- tifying the performance benefits of AutoPod migration ent security and maintenance patches. versus a traditional maintenance approach for several AutoPod combines the pod virtual machine with application scenarios. We discuss related work before an autonomous system status service. The service some concluding remarks. monitors the system for system faults as well as secu- AutoPod
Load more

Recommended publications
  • Run-Commands-Windows-10.Pdf
    Run Commands Windows 10 by Bettertechtips.com Command Action Command Action documents Open Documents Folder devicepairingwizard Device Pairing Wizard videos Open Videos Folder msdt Diagnostics Troubleshooting Wizard downloads Open Downloads Folder tabcal Digitizer Calibration Tool favorites Open Favorites Folder dxdiag DirectX Diagnostic Tool recent Open Recent Folder cleanmgr Disk Cleanup pictures Open Pictures Folder dfrgui Optimie Drive devicepairingwizard Add a new Device diskmgmt.msc Disk Management winver About Windows dialog dpiscaling Display Setting hdwwiz Add Hardware Wizard dccw Display Color Calibration netplwiz User Accounts verifier Driver Verifier Manager azman.msc Authorization Manager utilman Ease of Access Center sdclt Backup and Restore rekeywiz Encryption File System Wizard fsquirt fsquirt eventvwr.msc Event Viewer calc Calculator fxscover Fax Cover Page Editor certmgr.msc Certificates sigverif File Signature Verification systempropertiesperformance Performance Options joy.cpl Game Controllers printui Printer User Interface iexpress IExpress Wizard charmap Character Map iexplore Internet Explorer cttune ClearType text Tuner inetcpl.cpl Internet Properties colorcpl Color Management iscsicpl iSCSI Initiator Configuration Tool cmd Command Prompt lpksetup Language Pack Installer comexp.msc Component Services gpedit.msc Local Group Policy Editor compmgmt.msc Computer Management secpol.msc Local Security Policy: displayswitch Connect to a Projector lusrmgr.msc Local Users and Groups control Control Panel magnify Magnifier
    [Show full text]
  • PCI DSS Virtualization Guidelines
    Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011 Author: Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines Information Supplement • PCI DSS Virtualization Guidelines • June 2011 Table of Contents 1 Introduction ....................................................................................................................... 3 1.1 Audience ................................................................................................................ 3 1.2 Intended Use .......................................................................................................... 4 2 Virtualization Overview .................................................................................................... 5 2.1 Virtualization Concepts and Classes ..................................................................... 5 2.2 Virtual System Components and Scoping Guidance ............................................. 7 3 Risks for Virtualized Environments .............................................................................. 10 3.1 Vulnerabilities in the Physical Environment Apply in a Virtual Environment ....... 10 3.2 Hypervisor Creates New Attack Surface ............................................................. 10 3.3 Increased Complexity of Virtualized Systems and Networks .............................. 11 3.4 More Than One Function per Physical System ................................................... 11 3.5 Mixing VMs of
    [Show full text]
  • Disk Cleanup
    LESSON 6 . 1 98-349 Windows Operating System Fundamentals Understand Backup and Recovery Methods LESSON 6 . 1 98-349 Windows Operating System Fundamentals Lesson Overview Understand backup and recovery methods. In this lesson, you will explore: . Backup management . Backup options . Recovery methods LESSON 6 . 1 98-349 Windows Operating System Fundamentals Backup Management . Windows backup tools: Tool Description File Backup Windows Backup enables you to make copies of the data files for all the users on the computer. System Image Backup Windows Backup enables you to create a system image, which is an exact image of a drive. A system image includes Windows and your system settings, programs, and files. Previous Versions Previous Versions are copies of files and folders that Windows automatically saves as part of system protection. System Restore System Restore reestablishes the computer's system files to their state at an earlier point in time. LESSON 6 . 1 98-349 Windows Operating System Fundamentals Backup Management . Use Windows Backup and Restore to back up and recover files and folders. o Open Backup and Restore by clicking Start, Control Panel, System And Security, and then Backup And Restore. LESSON 6 . 1 98-349 Windows Operating System Fundamentals Backup Management (continued) . It is recommended to save backups to an external drive. You cannot save backups to the system drive. You can save backups to a network location. Windows will issue a warning if there is not enough drive space to store a system image. LESSON 6 . 1 98-349 Windows Operating System Fundamentals Backup Options . Let Windows Choose (Recommended)—Windows backs up data saved in libraries, desktop, and default Windows folders.
    [Show full text]
  • Security Program Blocking Driver Download a Driver Can't Load on This Device
    security program blocking driver download A driver can't load on this device. You are receiving this message because the Memory integrity setting in Windows Security is preventing a driver from loading on your device. Here are a few options you can try if you want to be able to use this driver: See if an updated and compatible driver is available through Windows Update or from the driver manufacturer. If that doesn’t work, try turning off the Memory integrity setting in Windows Security. Warning: If you choose to continue using your device without addressing the driver problem, you might discover that the functionality the driver supports does not work any longer, which could have consequences ranging from negligible to severe. To turn off the memory integrity setting. Go to the Core isolation page in Windows Security. Turn the Memory integrity setting Off if it isn’t already. You'll need to restart your computer for the changes to take effect. You can also open the Core isolation page by selecting Start > Settings > Update & Security > Windows Security > Device Security and then under Core isolation , selecting Core isolation details . Though the driver has a minor vulnerability that’s preventing it from loading, it’s most likely not malicious in any way. The driver name and company name that appear in the notification are the only reliable pieces of information that we have been able to gather about the driver. If an updated driver is unavailable from the driver manufacturer, it might be a good idea to contact them and inquire whether a fix is coming soon.
    [Show full text]
  • Optimizing Windows 10, Build 2004, for a Virtual Desktop Role
    Optimizing Windows 10, Build 2004, for a Virtual Desktop role Written by Robert M. Smith, Program Manager, Azure Global Customer Engineering Date Created: May 12, 2020 Date Updated: July 08, 2020 Date Published: tbd Contributors: Tim Muessig, Senior Premier Field Engineer; Narklis Engler, Principal Program Manager Version 1.2 Document Change History Version Changes 1.0 Adding verbiage for Windows Virtual Desktop, and Windows 10 build 2004 specifically 1.1 Additional updates for 2004 1.2 Final pass, updated group policy, services, tasks, and added info about Storage Sense for disk cleanup. Introduction This article is intended to provide suggestions for configurations for Windows 10, build 2004, for optimal performance in Virtualized Desktop environments, including Virtual Desktop Infrastructure (VDI) and Windows Virtual Desktop (WVD). All settings in this guide are suggested optimization settings only and are in no way requirements. The information in this guide is pertinent to Windows 10, version 2004, operating system (OS) build 19041. The guiding principles to optimize performance of Windows 10 in a virtual desktop environment are to minimize graphic redraws and “effects”, background activities that have no major benefit to the virtual desktop environment, and generally reduce running processes to the bare minimum. A secondary goal is to reduce disk space usage in the base image to the bare minimum. With virtual desktop implementations, the smallest possible base, or “gold” image size, can slightly reduce memory utilization on the host system, as well as a small reduction in overall network operations required to deliver the desktop environment to the consumer. No optimizations should reduce the user experience.
    [Show full text]
  • Windows 10 for Beginners
    Windows 10 for beginners Windows 10 is the latest version of the Windows operating system. New PCs will typically come with Windows 10 installed. If you have an older computer and would like to purchase Windows 10, it starts at $119. Find out more at: https://www.microsoft.com/en-us/windows/get- windows-10 Signing in There are two ways to sign in to your Windows 10 computer: with a local account or a Microsoft account. A local account means all of your files and settings are only accessible on the computer you log into. (Just like usual, to many of us!) A Microsoft account (Outlook, Hotmail, Live, MSN) allows you to sync your information between multiple devices, and would even let you sign into your account from a friend’s Windows 10 device. You need a Microsoft account to use features like Cortana, download from the Windows Store, and activate Find My Device. If you don’t have a Microsoft account, Windows 10 will walk you through setting one up. You can switch between a local and Microsoft account at any time. Windows 10 desktop screen Icons and shortcuts Start menu Cortana Task View Edge File Explorer Store Internet signal Sound Action Center La Crosse Public Library Windows 10 for beginners p.1 Start menu Microsoft now calls most things “apps”. Click on the Windows logo in the lower left corner to open your Start menu and see your apps. Get to your most These are called tiles. If they are used apps. If you’re animated, they’re called live tiles.
    [Show full text]
  • PC Maintenance and Security-Forecast
    PC Security and Maintenance by IMRAN GHANI © Imran Ghani, 2006, [email protected] PC Maintenance and Security-Forecast. • Major sources of danger. • Important steps to protect your PC. • PC Security Tools. • PC Maintenance Tools. •Tips. © Imran Ghani, 2006, [email protected] PC Security- Major sources of danger • Running malicious codes on your computer due to system or application vulnerabilities or improper user action. • Virus, Worms, Trojans. • Spam or unsolicited e-mails. • Spyware and Phishing. • Unauthorized access. • Faulty system configuration. • Malfunctioning of PC hardware. © Imran Ghani, 2006, [email protected] PC Security- Facts Facts about PC Security Management: • Computer Security is not an add-on or something external, it is part of everything you do with computer. • Not “one-size-fits-all”, but appropriate for the needs and vulnerabilities of each system. • In most of cases, it is simple common sense plus a little information and care. © Imran Ghani, 2006, [email protected] PC Security- Steps to protect your PC 1. Prevent unauthorized access. 2. Implement strong security policies. 3. Block, detect or disable computer Viruses and Worms. 4. Block dangerous e-mail attachments. 5. Block spam or unsolicited e-mails. 6. Update operating system, application, and antivirus regularly. 7. Create and analyze security logs. © Imran Ghani, 2006, [email protected] PC Security- Common Security Tools for PC 1. Windows Logon (Password and User Accounts) 2. Local Security Policy 3. Windows Firewall 4. Security Settings in Internet Explorer 5. Antivirus 6. Anti Spam and E-mail security 7. Windows Updates 8.
    [Show full text]
  • HP Server Automation Virtual Appliance (Aka SA Standard) Secure, Simplified, and Lower-Cost Edition of HP Server Automation for Small to Medium Size Deployments
    Technical white paper HP Server Automation Virtual Appliance (aka SA Standard) Secure, simplified, and lower-cost edition of HP Server Automation for small to medium size deployments Table of contents A solution for automated server configuration management ........................................................................................ 2 HP Server Automation Virtual Appliance (SAVA) feature overview ............................................................................... 2 Server Automation Virtual Appliance design and architecture overview ..................................................................... 3 Server automation client ....................................................................................................................................................... 4 OS provisioning and configuration ....................................................................................................................................... 4 Patch management ................................................................................................................................................................. 7 Software management .......................................................................................................................................................... 9 Audit and compliance management .................................................................................................................................... 9 Virtualization management ...............................................................................................................................................
    [Show full text]
  • Windows 10 Directx 12 Update Download Game Bar Says Directx 12 Incompatible, but DXDIAG Says Is Compatible
    windows 10 directx 12 update download Game Bar Says DirectX 12 Incompatible, But DXDIAG Says Is Compatible. My Microsoft Game Bar says that my system isn't compatible with DirectX 12 Ultimate. However, when I run DXDIAG, that says it IS compatible. So I'm not sure why Game Bar is wrong. I have an NVIDEA 3070, which should be compatible with DirectX 12, so I'm not sure what to believe right now and I want to make sure I am compatible. Here are some screen shots. Subscribe Subscribe to RSS feed. Report abuse. I didn't translate your Win10 build number earlier, and I see your Win10 build is not quite up to date. Mine is currently at build 19042 (AKA - v20H2) Some things can be fussy about having the latest version of Win10. DX12 ultimate is fairly new, and. may have come after your last Win10 version update. If you have not done version updates in the past, use the Update Assistant . Download Windows 10. For a quicker update download, it's best to avoid doing much on line, if you don't have a high speed internet connection. - Curious. Is the Window in your first image a Win10 Settings > Gaming Window ? Mine is totally different to that. How to Download, Install or Update all DirectX Versions in Windows 10. DirectX is a set of Application Programming Interface developed by Microsoft to run on the Windows and Xbox based systems. What DirectX does is that it creates an efficient medium between the graphic intense programs like games and the hardware like graphics processor that are needed to run those programs.
    [Show full text]
  • Module 5 Microsoft Windows Security Tools
    Presented by In partnership with Module 5 Microsoft Windows security tools cybertaipan.csiro.au Learning objectives Participants will understand where basic Windows operating system security tools are located: • Control Panel and Windows Settings • Administrative tools • Security and maintenance • Windows Defender security centre • Windows Defender firewall • Windows update Participants will learn how to manage Windows accounts and how accounts can affect security. 2 | Module 5| Microsoft Windows security tools CyberTaipan Section 1 Basic security policies and tools 3 | Module 5| Microsoft Windows security tools CyberTaipan Note on Windows security tools Windows has several versions (Professional, Home, etc.) Each version has sets of security tools with different looks, capabilities, and ways to access them. This training unit has several options for accessing almost all the security tools to perform specific tasks. In any case, the search capability in the Windows versions will assist users and administrators in finding the appropriate tool for a task. 4 | Module 5| Microsoft Windows security tools CyberTaipan Security and administration tools Windows has several components with groups of security and administration tools. You must be an administrator to use most of the tools. Some of the components are: Control Panel • Windows Settings • Control Panel • Microsoft Management Console (MMC) for advanced settings MMC 5 | Module 5| Microsoft Windows security tools CyberTaipan Windows search bar Windows 10 has a search bar that can bring up anything you need on your system. You can use the search bar to find any of these upcoming areas if you don’t know the direct path. 6 | Module 5| Microsoft Windows security tools CyberTaipan Windows Settings Where many of the basic system changes and configurations can be set within a Windows 10 operating system is a little different depending on the version of the operating system.
    [Show full text]
  • Windows Virus and Malware Troubleshooting Andrew Bettany (MVP) Microsoft, York, North Yorkshire, UK
    Andrew Bettany and Mike Halsey Windows Virus and Malware Troubleshooting Andrew Bettany (MVP) Microsoft, York, North Yorkshire, UK Mike Halsey (MVP) Sheffield, South Yorkshire, UK Any source code or other supplementary material referenced by the author in this book is available to readers on GitHub via the book’s product page, located at www.apress.com/9781484226063 . For more detailed information, please visit www.apress.com/source-code/ . ISBN 978-1-4842-2606-3 e-ISBN 978-1-4842-2607-0 DOI 10.1007/978-1-4842-2607-0 Library of Congress Control Number: 2017934653 © Andrew Bettany and Mike Halsey 2017 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image, we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
    [Show full text]
  • Copyrighted Material
    30_045763 bindex.qxp 1/2/07 10:46 PM Page 607 Index Symbols & Numerics Add a Contact Wizard, 386 3D stack, 97, 98 Add a wireless device feature, 348 512MB of RAM minimum, 30 add extender option, 310 802.11 wireless protocols, 337, 355 Add Hardware Wizard, 473 /? (help switch), 510, 511 Add Newsgroup Wizard, 378–379 Add or remove a program window, 260 Add or Remove Effects dialog box, 329 Add or Remove Snap-ins window, 187 A Add Printer Wizard, 410–413 access check, 448 Additional Drivers window, 415 access policies, auditing, 275–276, Add/Remove Snap-in command, 186 278–279 address bar, 202, 399 accessibility Address toolbar, 125 improved for all users, 130–134 Adm folder, 193 from a single location, 15 Administrative log, 481 account(s) administrative settings, 133 creating passwords for, 162–165 administrator deleting, 167–168 adding new accounts, 154 maintaining separate for users, advanced tasks, 161–162 152–154 compared to Standard user, 157 naming, 157, 158 controlling standard user Account management window, 165–166 accounts, 252 account names role of, 253 changing, 162, 163 Administrator account maximum characters for, 157 changing to a Standard user account types, 151, 154, 166–167 account, 166 ACT (Application Compatibility modifiable parameters, 159–160 Toolkit), 144 one always required, 167 Action menu for a snap-in, 188 options available to, 174–180 actions in Task Scheduler, 504 Parental Controls not allowed, 169 Actions pane Adminstrators group, 180 in Console Root window, 186 Advanced Security firewall, 237, in Event Viewer,
    [Show full text]