Achieve a 0-downtime CERN Database infrastructure
Summer Student: Varsha Rao
Supervisor: Borja Aparicio Cotarelo
IT-DB-IMS

Why is it required?
• Security vulnerabilities
• Difficulty in scheduling downtime
• Hardware consolidation

What can be done?

Live Kernel Patching
“Hot patching, also known as live patching or dynamic software updating, is the application of patches without shutting down and restarting the system or the program concerned.” - Wikipedia Definition

Comparison: Use Cases
Ksplice • Runtime security vulnerabilities and stability bugs.
Kpatch • Urgent security and stability fixes, CVEs, driver issues and kernel development.

Comparison: License
Ksplice • It was originally GPLv2; after the Oracle acquisition it no longer is.
Kpatch • GPLv2

Comparison: Is it merged into Kernel Mainline?
Ksplice • No
Kpatch • Yes

Live Patching Technology
Ksplice          kGraft          Kpatch
Oracle - 2009    SUSE - 2014     RedHat - 2014

Comparison: Status
Ksplice • Production ready
Kpatch • Not production ready

Comparison: Operating System
Ksplice
• Support available only for Oracle Linux.
• Community Edition is provided for Fedora and Ubuntu.
Kpatch
• Support is only available for RHEL.
• Available on major Linux distros.

Comparison: Installation
For both of them, the installation process is
• Easy and quick
• Well documented

What did we do
• Understand both Kpatch and Ksplice
• Install both of them
• Test and Verify the features

Features
                      Ksplice                Kpatch
License               Initially GPLv2        GPLv2
Patch Provisioning    Lacks transparency     Patch can be built easily
Dependency            Yes, Oracle Updates    Optional, RedHat Updates

Ksplice
{ Install Command }

Kpatch
{ Builds Patch Module}
{ Loads Patch Module }

Conclusion
• Live Kernel Patching Works
• Requires long term evaluation
• General Kernel Upgrade is not possible
• Depends on sysadmin requirements

Thanks!!