Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

kpatch.kgraft

990 views

Published on

Overview of Online Linux Kernel Patching

Published in: Technology
  • If you’re looking for a great essay service then you should check out ⇒ www.HelpWriting.net ⇐. A friend of mine asked them to write a whole dissertation for him and he said it turned out great! Afterwards I also ordered an essay from them and I was very happy with the work I got too.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • I can advise you this service - ⇒ www.WritePaper.info ⇐ Bought essay here. No problem.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

kpatch.kgraft

  1. 1. Reboot adieu! Online Linux kernel patching Udo Seidel
  2. 2. Cebit - Opensource Forum 2015 Agenda ● Who & Why? ● How? ● Players & Show! ● And?
  3. 3. Cebit - Opensource Forum 2015 Me :-) ● Teacher of mathematics and physics ● PhD in experimental physics ● Started with Linux in 1996 ● Linux/UNIX trainer ● Solution engineer in HPC and CAx environment ● Head of the Linux Strategy and Server Automation @Amadeus
  4. 4. Cebit - Opensource Forum 2015 Why?
  5. 5. Cebit - Opensource Forum 2015 Why kernel updates? ● Business critical applications on Linux ● Bug fixing ● New functions ● improvements ● External requirements ● Importance of security, e.g. PCI-DSS
  6. 6. Cebit - Opensource Forum 2015 What is 'wrong' with reboots? ● Missing HA ● Procedures, Operations, ... ● External requirements
  7. 7. Cebit - Opensource Forum 2015 Do we really need a reboot? Question ....
  8. 8. Cebit - Opensource Forum 2015 Looking back and around ● Not new ● mainframes ● hot updates for Unix ● Early days of Linux ● Picked up by the 'dark side' ● Rootkits
  9. 9. Cebit - Opensource Forum 2015 How?
  10. 10. Cebit - Opensource Forum 2015 Source code comparison ● One approach for generation of hot updates ● Looks simple ... but ● High programming language skills needed ● Analysis complex ● Code replacement unclear
  11. 11. Cebit - Opensource Forum 2015 Object code comparison ● Advantages ● Reduced need for developing skills ● Implicit patch analysis ● Can be automated ● Used already in that context ● Challenges ● Object code generation ● Code replacement
  12. 12. Cebit - Opensource Forum 2015 Open questions ● Creation in general ● Detect and cover dependencies ● Activation ● Deactivation(?) ● Management
  13. 13. Cebit - Opensource Forum 2015 Players!
  14. 14. Cebit - Opensource Forum 2015 Ksplice arises ... ● 2008/2009 ● 4 students @ MIT – Thesis from Jeff Arnolds ● Ksplice Inc. founded – GPLv2 – Supported: Debian, Ubuntu, Fedora, CentOS, RHEL ● July 2011 ● Acquired by Oracle
  15. 15. Cebit - Opensource Forum 2015 Ksplice – high level ● Patching original source code ● Generation of new object code ● Comparison of 'old' and new object code ● Load of the delta code ● Address redirection to activate new object code
  16. 16. Cebit - Opensource Forum 2015 The newcomers ● Opensource ● SUSE ● Red Hat ● Partially Opensource ● CloudLinux
  17. 17. Cebit - Opensource Forum 2015 Red Hat's kpatch
  18. 18. Cebit - Opensource Forum 2015 kpatch – History ● Not picked up for a long time ● Big surprise in FEB2014 ● dynup-kpatch project on Github ● Quite advanced – Tools – Scripts – Documentation
  19. 19. Cebit - Opensource Forum 2015 kpatch – How ● Object code comparison ● New function per kernel module ● Jump address manipulation BUT ● Out of scope ● Constantly used system calls ● virtual Dynamic Share Objects (vDSO) ● Change (of handling) of data allocation
  20. 20. Cebit - Opensource Forum 2015 kpatch – Object Code Comparison ● 2 kernel compilations ● With & without patch ● Speedup by CCACHE ● Compiler flags – ­ffunction­sections – ­fdata­sections ● O/S tools ● objcopy ● readelf
  21. 21. Cebit - Opensource Forum 2015 kpatch – New Function to Kernel ● No kernel code change needed ● Two modules ● Base/Core ● Patch ● Function name unchanged
  22. 22. Cebit - Opensource Forum 2015 kpatch – Jump Address Challenge ● ftrace ● Function TRACEr ● mcount() ● kpatch-handler ● stop_machine() ● Under discussion ● See Masami Hiramatsu's fork
  23. 23. Cebit - Opensource Forum 2015 kpatch – Toolbox ● 2 sets ● Builder ● Loader ● http://github.com/dynup/kpatch/
  24. 24. Cebit - Opensource Forum 2015 SUSE's kGraft
  25. 25. Cebit - Opensource Forum 2015 kGraft - History ● 'talks' since spring/summer 2012 ● Announcement at SUSECon 2012 ● Very quiet at SUSECon 2013 ● Surprising news in FEB2014 ● Source code not immediately available ● Presentation at Linux Collaboration Summit ● Git repository public since MAR2014
  26. 26. Cebit - Opensource Forum 2015 kGraft – How ● Not really object code comparison ● DWARF ● Function lists ● New function per kernel module ● Jump address manipulation BUT ● Out of scope ● ??? ...See later
  27. 27. Cebit - Opensource Forum 2015 kGraft – Object Code Comparison ● 1-2 kernel compilation(s) ● With (and without) the patch ● Compiler flags – ­ffunction­sections – ­fdata­sections ● O/S tools ● objcopy ● nm ● readelf
  28. 28. Cebit - Opensource Forum 2015 kGraft – New Function to Kernel ● Requires intra-Kernel infrastructure ● kernel code change ● Plan ahead ● One module ● Function name changed
  29. 29. Cebit - Opensource Forum 2015 kGraft – Jump Address Challenge ● Ftrace ● Similar to kpatch ● INT3 instruction ● stop_machine() ● Reality check function + kernel thread flag ● schedule_on_each_cpu() ● kill/pkill
  30. 30. Cebit - Opensource Forum 2015 kGraft – Toolbox ● Not really existing ● Part of the kernel ● Sample code ● Helper scripts (earlier versions only) ● http://git.kernel.org/cgit/linux/kernel/git/ jirislaby/kgraft.git/ ● http://github.com/useidel/kgraft-tools
  31. 31. Cebit - Opensource Forum 2015 kGraft – Enterprise Version ● Announced at SUSECon 2014 ● 'SLES Live Patching' ● Subset of kGraft project ● Separate subscription ● One year life cycle per maintenance kernel ● http://www.suse.com/products/live-patching
  32. 32. Cebit - Opensource Forum 2015 Show!
  33. 33. Cebit - Opensource Forum 2015 Example ● uptime_proc_show ● Base: Linux kernel with enabled kGraft ● http://youtu.be/_IQ44jqJdIQ :-)
  34. 34. Cebit - Opensource Forum 2015 And?
  35. 35. Cebit - Opensource Forum 2015 Ongoing ● Patch stacking ● New/different functions ● Already patched functions ● Clean patch removal ● Combination with Tracers ● ftrace ● Systemtap ● LTTng
  36. 36. Cebit - Opensource Forum 2015 Kernel Live Patching ● Discussed ● @Kernel Summit AUG2014 ● @LinuxCon Europe OCT2014 ● Upstream ● Joined effort of SUSE & Red Hat ● Merged for 4.0 (aka 3.20 :-)) ● Outstanding ● Consistency model solution ● Integration in (Enterprise) Linux distributions
  37. 37. Cebit - Opensource Forum 2015 Sneak Preview ● uptime_proc_show … again ● Base: Linux kernel with KLP ● http://youtu.be/Tvfabm3m9hg :-)
  38. 38. Cebit - Opensource Forum 2015 Summary ● Both: advantages and disadvantages ● kpatch: more flexible and better tooling ● kGraft: potentially more powerful (?) ● Continued development ● Vanilla Kernel approach almost there ● Keep on watching
  39. 39. Cebit - Opensource Forum 2015 References ● http://www.ksplice.com ● http://rhelblog.redhat.com/2014/02/26/kpatch/ ● http://www.suse.com/communities/conversations/ kgraft-live-kernel-patching/ ● http://lkml.iu.edu/hypermail/ linux/kernel/1502.1/00753.html
  40. 40. Cebit - Opensource Forum 2015 Thank you!
  41. 41. Cebit - Opensource Forum 2015 Reboot adieu! Online Linux kernel patching Udo Seidel

×