Achieve a 0-downtime CERN Database infrastructure

Summer Student: Varsha Rao
Supervisor: Borja Aparicio Cotarelo
IT-DB-IMS

Why is it required?

• Security vulnerabilities
• Difficulty in downtime
• Hardware consolidation

What can be done?

Live Kernel Patching

“Hot patching, also known as live patching or dynamic software updating, is the application of patches without shutting down and restarting the system or the program concerned.” - Wikipedia Definition

Comparison: Use Cases

Ksplice
• Runtime security vulnerabilities and stability bugs.

Kpatch
• Urgent security and stability fixes, CVEs, driver issues and kernel development.

Comparison: License

Ksplice
• Originally GPLV2; after the Oracle acquisition it no longer is.

Kpatch
• GPLV2

Comparison: Is it merged into Kernel Mainline?

Ksplice
• No

Kpatch
• Yes

Live Patching Technology
• Ksplice: Oracle - 2009
• kGraft: SUSE - 2014
• Kpatch: RedHat - 2014

Comparison: Status

Ksplice
• Production ready

Kpatch
• Not production ready

Comparison

Ksplice
• Support available only for Oracle .
• Community Edition is provided for Fedora and .

Kpatch
• Support is only available for RHEL.
• Available on major Linux distros.

Comparison: Installation

For both of them, the installation is
• Easy and quick
• Well documented

What did we do

• Understand both Kpatch and Ksplice
• Install both of them
• Test and Verify the features

Features

                    Ksplice               Kpatch
License             Initially GPLV2       GPLV2
Patch Provisioning  Lacks transparency    Can be built easily
Dependency          Yes, Oracle Updates   Optional, RedHat Updates

Ksplice

{ Install Command }

Kpatch

{ Builds Patch Module}

{ Loads Patch Module }

Conclusion

• Live Kernel Patching Works
• Requires long term evaluation
• General Kernel Upgrade is not possible
• Depends on sysadmin requirements

Thanks!!