
Achieve a 0-downtime CERN Database infrastructure

Summer Student: Varsha Rao
Supervisor: Borja Aparicio Cotarelo
IT-DB-IMS

Why is it required?
• Security vulnerabilities
• Difficulty in scheduling downtime
• Hardware consolidation

What can be done?

Live Kernel Patching
“Hot patching, also known as live patching or dynamic software updating, is the application of patches without shutting down and restarting the system or the program concerned.” - Wikipedia Definition

Comparison: Use Cases
Ksplice
• Runtime security vulnerabilities and stability bugs.
Kpatch
• Urgent security and stability fixes, CVEs, driver issues and kernel development.

Comparison: License
Ksplice
• It was originally GPLV2, after Oracle acquisition it is no longer.
Kpatch
• GPLV2

Comparison: Is it merged into Kernel Mainline?
Ksplice
• No
Kpatch
• Yes
[Figure: Live Patching Technology - Kpatch, Ksplice, kGraft; Oracle - 2009, SUSE - 2014, RedHat - 2014]

Comparison: Status
Ksplice
• Production ready
Kpatch
• Not production ready

Comparison: Operating System
Ksplice
• Support available only for Oracle Linux.
• Community Edition is provided for Fedora and Ubuntu.
Kpatch
• Support is only available for RHEL.
• Available on major Linux distros.

Comparison: Installation
For both of them, the installation process is
• Easy and quick
• Well documented

What did we do
• Understand both Kpatch and Ksplice
• Install both of them
• Test and Verify the features

Features
                      Ksplice                Kpatch
License               Initially GPLV2        GPLV2
Patch Provisioning    Lacks transparency     Patch can be built easily
Dependency            Yes, Oracle Updates    Optional, RedHat Updates

Ksplice
{ Install Command }

Kpatch
{ Builds Patch Module }
{ Loads Patch Module }

Conclusion
• Live Kernel Patching Works
• Requires long term evaluation
• General Kernel Upgrade is not possible
• Depends on sysadmin requirements

Thanks!!
[email protected] [email protected]