SlideShare a Scribd company logo

Linux conna kpatch-without-stopmachine-fixed

Tommy Lee
Tommy Lee

Live Patch for kernel

Technology
1 of 43
Download to read offline
© Hitachi, Ltd. 2014. All rights reserved. Kpatch Without Stop Machine The Next Step of Kernel Live Patching Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> Linux Technology Research Center Yokohama Research Lab. Hitachi Ltd., LinuxCon NA 2014 (Aug. 2014) 1
© Hitachi, Ltd. 2014. All rights reserved. Speaker • Masami Hiramatsu – A researcher, working for Hitachi • Researching many RAS features – A linux kprobes-related maintainer • Ftrace dynamic kernel event (a.k.a. kprobe-tracer) • Perf probe (a tool to set up the dynamic events) • X86 instruction decoder (in kernel) 2
© Hitachi, Ltd. 2014. All rights reserved. Agenda: Kpatch Without Stop Machine Background Story Kpatch internal Kpatch without stop_machine Conclusion and Discussion Note: this presentation is only focusing on the kernel-module side of kpatch. More generic design and implementation, please attend to - kpatch: Have Your Security And Eat It Too! – Josh Poimboeuf Aug. 22. pm2:30 3
© Hitachi, Ltd. 2014. All rights reserved. Agenda: Kpatch Without Stop Machine Background Story What is kpatch? Live patching requirements Major updates and Minor updates Kpatch internal Kpatch Overview Active Safeness check Stop_machine Kpatch without stop_machine Live Patcing Rules Kpatch Reference Counter Safeness check without stop_machine Conclusion and Discussion 4
© Hitachi, Ltd. 2014. All rights reserved. What’s Kpatch? • Kpatch is a LIVE patching function for kernel – This applys a binary patch to kernel on-line – Patching is done without shutdown • Only for a small and critical issues – Not for major kernel update 5
© Hitachi, Ltd. 2014. All rights reserved. Why Live Patching Required? • Live patching is important for appliances for mission critical systems – Some embedded appliances are hard to maintain frequently • Those are distributed widely in country side • Not in the big data center! – Some appliances can’t accept 10ms downtime • Factory control system etc. 6
© Hitachi, Ltd. 2014. All rights reserved. But for Major Updates? • M.C. systems have periodic maintenance – Major fixes can be applied and rebooted – In between the maintenance, live patching will be used • Live patching and major update are complement each other – Live patching temporarily fixes small critical incidents – Major update permanently fixes all bugs 7 Planned Maintenance Major UpdateLive Patching criticalminor
© Hitachi, Ltd. 2014. All rights reserved. The History of Live patching on Linux • Live patching is not new 8 Pannus Live Patch (2004-2006) http://pannus.sourceforge.net/ Livepatch (2005) http://ukai.jp/Slides/2005/1202-b2con/mop/livepatch.html ksplice (2007-) https://www.ksplice.com/ kGraft (2014) kpatch (2014) 2004 For applic ation For kernel 2014 Use ftrace to replace function Will be supported by major distributors Build from scratch Acquired and supported by Oracle Developed for CGL No distribution support Ptrace and mmap based one
© Hitachi, Ltd. 2014. All rights reserved. Agenda: Kpatch Without Stop Machine Background Story What is kpatch? Live patching requirements Major updates and Minor updates Kpatch internal Kpatch Overview Active Safeness check Stop_machine Kpatch without stop_machine Live Patcing Rules Kpatch Reference Counter Safeness check without stop_machine Conclusion and Discussion 9
© Hitachi, Ltd. 2014. All rights reserved. Kpatch: Overview • Kpatch has 2 components – Kpatch build: Build a binary patch module – Kpatch.ko: The kernel module of Kpatch 10 Original src Patched src Patch Build Current vmlinux Build Patched vmlinux Per-function diff Patch module A module which contains new functions Done by Kpatch build Running linux Kpatch.ko Done by kpatch.ko Do patch New functions On old functions Today’s talk
© Hitachi, Ltd. 2014. All rights reserved. Kpatch: How to Patch • Kpatch uses Ftrace to patch – Hook the target function entry with registers – Change regs->ip to new function (change the flow) 11 Call foo()Call foo() Call fentryCall fentry Save RegsSave Regs Call ftrace_opsCall ftrace_ops Get new IP from Hash table Get new IP from Hash table Restore RegsRestore Regs Change regs->ipChange regs->ip ReturnReturn …… ReturnReturn …… foo() New foo() Ret to regs->ipRet to regs->ip …… Ftrace hooks Foo() entry Find the new IP from hash table Ftrace returns To new foo() ReturnReturn Foo() is called even After patching. Function pointer is Available  ftrace kpatch.ko
© Hitachi, Ltd. 2014. All rights reserved. Conflict of Old and New Functions • Kpatch will update the execution path of a function – Q: What happen if the patched function is under executed? – A: Old and new functions are executed at the same time !!This should not happen!! • Kpatch ensures the old functions are not executed when patching – “Active Safeness Check” 12
© Hitachi, Ltd. 2014. All rights reserved. Active Safeness Check • Executing functions are on the stack • And IP register points current function too • Active Safeness Check – Do stack dump to check the target functions are not executed, for each thread. – Need to be done when the process is stopped. – stop_machine is used 13 Func1Func1 Func2Func2 Func3Func3 Func1+XX Func2+YY Stack at here Func1+XX Stack at here
© Hitachi, Ltd. 2014. All rights reserved. Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks 14 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Call old func1 Call old func2
© Hitachi, Ltd. 2014. All rights reserved. Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks 15 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Call old func1 Call old func2 All running processes and interrupts are stopped Call Stop Machine
© Hitachi, Ltd. 2014. All rights reserved. Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks 16 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Safeness Check Call old func1 Call old func2 Walk through the all Thread and check Old funcs on stacks All running processes and interrupts are stopped Call Stop Machine
© Hitachi, Ltd. 2014. All rights reserved. Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks 17 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Update hash table Safeness Check Call old func1 Call old func2 Call New func2 Call New func2 Call New func1 Call New func1 Walk through the all Thread and check Old funcs on stacks Now switch to New functionsAll running processes and interrupts are stopped Call Stop Machine Return
© Hitachi, Ltd. 2014. All rights reserved. Stop_machine: Pros and Cons • Pros – Safe, simple and easy to review, Good for the 1st version • Cons – Stop_machine stops all processes a while • It is critical for control/network appliances – In virtual environment, this takes longer time • We need to wait all VCPUs are scheduled on the host machine 18
© Hitachi, Ltd. 2014. All rights reserved. Agenda: Kpatch Without Stop Machine Background Story What is kpatch? Live patching requirements Major updates and Minor updates Kpatch internal Kpatch and Ftrace Kpatch and Safeness check Stop_machine Kpatch without stop_machine Live Patching Rules Kpatch Reference Counter Safeness check without stop_machine Conclusion and Discussion 19
© Hitachi, Ltd. 2014. All rights reserved. Live Patching Rules • Live patching must follow the rules 1. All the new functions in a patch must be applied at once ● We need an atomic operation 2. After switching new function, the old function must not be executed ● We have to ensure no threads runs on old functions ● And no threads sleeps on them 20
© Hitachi, Ltd. 2014. All rights reserved. Two actions for the solution 1. Introduce an atomic reference counter 2. Active safeness check at the context switch 21
© Hitachi, Ltd. 2014. All rights reserved. Atomic Function Reference Counter 1. Introduce an atomic reference counter – Without stop_machine, functions can be called while patching • Ensure no one actually runs functions -> refcounter • Increment the refcounter at entry • Decrement the refcounter at exit – If refcounter is 0, update ALL function paths • We are sure there is no users 22
© Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter • Patching(switching) controlled by refcount Time Patching Process Process1 Process2 Process3 Add Ftrace entry+1 Start patcing Refcnt = 1
© Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter • Patching(switching) controlled by refcount Time Patching Process Process1 Process2 Process3 Add Ftrace entry Prepare new Hash table Safeness Check Call old func1 Call old func2 Call old func1 +1 +1 +1 -1-1 -1 +1 Start patcing Refcnt = 1 Each function call Inc/dec refcnt While patching
© Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter • Patching(switching) controlled by refcount 25 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Prepare new Hash table Safeness Check Call old func1 Call old func2 Call old func3 Call old func3 Call old func1 +1 +1 +1 +1 +1 -1 -1-1 -1 -1 +1 Patching process Is over, but refcnt Is not 0 Start patcing Refcnt = 1 Each function call Inc/dec refcnt While patching
© Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter • Patching(switching) controlled by refcount 26 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Prepare new Hash table Safeness Check Call old func1 Call old func2 Call old func3 Call old func3 Call old func1 Call New func2 Call New func2 Call New func1 Call New func1 +1 +1 +1 +1 +1 -1 -1-1 -1 -1 -1 +1 Patching process Is over, but refcnt Is not 0 Refcnt is 0 Patch enabled on all funcs Start patcing Refcnt = 1 Don’t count refcnt anymore Each function call Inc/dec refcnt While patching
© Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter (cont.) • Control the reference counter – Need to stop counting before and after patching – Use atomic_inc_not_zero/dec_if_positive • These are stopped automatically if counter == 0 27 func call 00 Do not hook function Entry/exit before patching refcnt
© Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter (cont.) • Control the reference counter – Need to stop counting before and after patching – Use atomic_inc_not_zero/dec_if_positive • These are stopped automatically if counter == 0 28 1 2 1 0 atomic_dec_if_positiveatomic_inc_not_zero func call atomic_inc forcibly inc refcnt Patching atomic_dec func call 00 refcnt Do not hook function Entry/exit before patching
© Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter (cont.) • Control the reference counter – Need to stop counting before and after patching – Use atomic_inc_not_zero/dec_if_positive • These are stopped automatically if counter == 0 29 1 2 1 0 0 0 atomic_dec_if_ positive ->do nothing atomic_inc_not_zero -> do nothing func call atomic_dec_if_positiveatomic_inc_not_zero func call atomic_inc Patching atomic_dec func call 0 atomic_dec_if_ positive ->do nothing 0 refcnt Do not hook function Entry/exit before patching
© Hitachi, Ltd. 2014. All rights reserved. Active Safeness check without stop_machine 2. Active safeness check at the context switch – To find threads sleeping(or going to sleep) on the functions – For all running processes, hook the context switch and check stack entries safely. – For the sleeping tasks, we can check it safely. 30
© Hitachi, Ltd. 2014. All rights reserved. Safeness Check without Stop_machine • 2 stages safeness checking 31 Patching Process stack check if task is not running rculock rcuunlock check over all threads List up Running threads Time Stage1: Check sleeping tasks Running process A Running process B wait on runqRun Run context switch wait on runq
© Hitachi, Ltd. 2014. All rights reserved. Safeness Check without Stop_machine • 2 stages safeness checking 32 Patching Process stack check if task is not running rculock rcuunlock check over all threads running pid running pid running pid List up Running threads hook stack check for current process Update Wait for all running task is checked Time … Stage1: Check sleeping tasks Stage2: Check running tasks Running process A Running process B wait on runqRun Run context switch wait on runq
© Hitachi, Ltd. 2014. All rights reserved. How to add refcnt and context switch hook? • To hook the function entry/return – Use kretprobe to hook it – For each function entry/return, inc/dec refcount • To hook the context switch – Use kprobe to hook it – Do safeness check (on stack) and update running pid list • Both are dynamic probe – After checking the safeness, all kretprobes/kprobes are r emoved from the target functions – We have minimal overhead 33
© Hitachi, Ltd. 2014. All rights reserved. Demo • Demonstrating kpatching with/without stop_machine – Using ftrace to trace stop_machine() 34 (Setup ftrace) # echo stop_machine > /sys/kernel/debug/tracing/set_ftrace_filter # echo function_graph > /sys/kernel/debug/tracing/current_tracer (Run the kpatch) # kpatch load kpatch-test-patch.ko (Check the result) # echo 0 > /sys/kernel/debug/tracing/tracing_on # cat /sys/kernel/debug/tracing/trace (Setup ftrace) # echo stop_machine > /sys/kernel/debug/tracing/set_ftrace_filter # echo function_graph > /sys/kernel/debug/tracing/current_tracer (Run the kpatch) # kpatch load kpatch-test-patch.ko (Check the result) # echo 0 > /sys/kernel/debug/tracing/tracing_on # cat /sys/kernel/debug/tracing/trace
© Hitachi, Ltd. 2014. All rights reserved. Demo result • With stop_machine • Without stop_machine 35 cat trace # tracer: function_graph # # CPU DURATION FUNCTION CALLS # | | | | | | | 0) ! 6410.455 us | stop_machine(); cat trace # tracer: function_graph # # CPU DURATION FUNCTION CALLS # | | | | | | | 0) ! 6410.455 us | stop_machine(); cat trace # tracer: function_graph # # CPU DURATION FUNCTION CALLS # | | | | | | | cat trace # tracer: function_graph # # CPU DURATION FUNCTION CALLS # | | | | | | | No stop_machine is executed
© Hitachi, Ltd. 2014. All rights reserved. Agenda: Kpatch Without Stop Machine Background Story What is kpatch? Live patching requirements Major updates and Minor updates Kpatch internal Kpatch Overview Kpatch and Safeness check Stop_machine Kpatch without stop_machine Live Patcing Rules Kpatch Reference Counter Safeness check without stop_machine Conclusion and Discussion 36
© Hitachi, Ltd. 2014. All rights reserved. Conclusion • Succeed to get rid of stop_machine() from kpatch – This is a proof of concept of stop_machine-free kpatch • This means kpatch CAN BE ready for mission critical systems • But still under discussion stage • Upstreaming could be a long way – At first, push current stop_machine-based kpatch to upstream – Stop_machine-free will be the next step 37
© Hitachi, Ltd. 2014. All rights reserved. Current Issues • Possible to miscount the function reference – Kretprobe has no error notification • Kretprobe can be failed to handle the function return because of return- address buffer shortage • Possible to fail patching with big patch – We have to monitor all the functions are safe in the patch – Big patch has many patched functions • Some of them can be always used in the system • Incremental patching could be better • Module unloading using stop_machine – This will happen if we replace old patch with new one – Incremental patching can avoid this. 38
© Hitachi, Ltd. 2014. All rights reserved. Future work • Use a generic return-hook mechanism – Kretprobe is for PoC, not for general use • It can’t detect the failure of hooking – Should be more safe (e.g. miss-hook handler) • Context switch hook can be more general – Tracepoint/traceevent makes it better. – This requires kpatch as embedded feature • Upstreaming 39
© Hitachi, Ltd. 2014. All rights reserved. Resources and Links • Get rid of the stop_machine from kpatch • https://github.com/dynup/kpatch/issues/138 • My no-stopmachine branch • https://github.com/mhiramathitachi/kpatch/tree/no-stop machine-v1 – This requires IPMODIFY flag patchset for kernel • http://thread.gmane.org/gmane.linux.kernel/1757201 40
© Hitachi, Ltd. 2014. All rights reserved. Questions?
© Hitachi, Ltd. 2014. All rights reserved. Trademarks 43 • Linux is a trademark of Linus Torvalds in the United States, other countries, or both. • Other company, product, or service names m ay be trademarks or service marks of others.

Recommended

Steve Singer - Managing PostgreSQL with Puppet @ Postgres Open
Steve Singer - Managing PostgreSQL with Puppet @ Postgres OpenSteve Singer - Managing PostgreSQL with Puppet @ Postgres Open
Steve Singer - Managing PostgreSQL with Puppet @ Postgres OpenPostgresOpen
 
Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Julien Pivotto
 
제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQLTommy Lee
 
Spot Trading - A case study in continuous delivery for mission critical finan...
Spot Trading - A case study in continuous delivery for mission critical finan...Spot Trading - A case study in continuous delivery for mission critical finan...
Spot Trading - A case study in continuous delivery for mission critical finan...SaltStack
 
Nagios Conference 2012 - Mike Weber - Failover
Nagios Conference 2012 - Mike Weber - FailoverNagios Conference 2012 - Mike Weber - Failover
Nagios Conference 2012 - Mike Weber - FailoverNagios
 
[NYC Meetup] Docker at Nuxeo
[NYC Meetup] Docker at Nuxeo[NYC Meetup] Docker at Nuxeo
[NYC Meetup] Docker at NuxeoNuxeo
 
SaltConf14 - Anita Kuno, HP & OpenStack - Using SaltStack for event-driven or...
SaltConf14 - Anita Kuno, HP & OpenStack - Using SaltStack for event-driven or...SaltConf14 - Anita Kuno, HP & OpenStack - Using SaltStack for event-driven or...
SaltConf14 - Anita Kuno, HP & OpenStack - Using SaltStack for event-driven or...SaltStack
 
Experience Report: Cloud Foundry Open Source Operations | anynines
Experience Report: Cloud Foundry Open Source Operations | anyninesExperience Report: Cloud Foundry Open Source Operations | anynines
Experience Report: Cloud Foundry Open Source Operations | anyninesanynines GmbH
 

Recommended

Steve Singer - Managing PostgreSQL with Puppet @ Postgres Open
Steve Singer - Managing PostgreSQL with Puppet @ Postgres OpenSteve Singer - Managing PostgreSQL with Puppet @ Postgres Open
Steve Singer - Managing PostgreSQL with Puppet @ Postgres OpenPostgresOpen
 
Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Julien Pivotto
 
제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQLTommy Lee
 
Spot Trading - A case study in continuous delivery for mission critical finan...
Spot Trading - A case study in continuous delivery for mission critical finan...Spot Trading - A case study in continuous delivery for mission critical finan...
Spot Trading - A case study in continuous delivery for mission critical finan...SaltStack
 
Nagios Conference 2012 - Mike Weber - Failover
Nagios Conference 2012 - Mike Weber - FailoverNagios Conference 2012 - Mike Weber - Failover
Nagios Conference 2012 - Mike Weber - FailoverNagios
 
[NYC Meetup] Docker at Nuxeo
[NYC Meetup] Docker at Nuxeo[NYC Meetup] Docker at Nuxeo
[NYC Meetup] Docker at NuxeoNuxeo
 
SaltConf14 - Anita Kuno, HP & OpenStack - Using SaltStack for event-driven or...
SaltConf14 - Anita Kuno, HP & OpenStack - Using SaltStack for event-driven or...SaltConf14 - Anita Kuno, HP & OpenStack - Using SaltStack for event-driven or...
SaltConf14 - Anita Kuno, HP & OpenStack - Using SaltStack for event-driven or...SaltStack
 
Experience Report: Cloud Foundry Open Source Operations | anynines
Experience Report: Cloud Foundry Open Source Operations | anyninesExperience Report: Cloud Foundry Open Source Operations | anynines
Experience Report: Cloud Foundry Open Source Operations | anyninesanynines GmbH
 
SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...
SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...
SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...SaltStack
 
OpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingOpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingopenstackindia
 
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community) [발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community) 동현 김
 
Janice Singh - Writing Custom Nagios Plugins
Janice Singh - Writing Custom Nagios PluginsJanice Singh - Writing Custom Nagios Plugins
Janice Singh - Writing Custom Nagios PluginsNagios
 
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...SaltStack
 
Delivering a production Cloud Foundry Environment with Bosh | anynines
Delivering a production Cloud Foundry Environment with Bosh | anyninesDelivering a production Cloud Foundry Environment with Bosh | anynines
Delivering a production Cloud Foundry Environment with Bosh | anyninesanynines GmbH
 
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle ClusterwareManaging Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle ClusterwareLeighton Nelson
 
Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...
Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...
Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...SaltStack
 
VMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld
 
SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...
SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...
SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...SaltStack
 
Verifying your Ansible Roles using Docker, Test Kitchen and Serverspec
Verifying your Ansible Roles using Docker, Test Kitchen and ServerspecVerifying your Ansible Roles using Docker, Test Kitchen and Serverspec
Verifying your Ansible Roles using Docker, Test Kitchen and ServerspecEdmund Dipple
 
Serverspec and Sensu - Testing and Monitoring collide
Serverspec and Sensu - Testing and Monitoring collideServerspec and Sensu - Testing and Monitoring collide
Serverspec and Sensu - Testing and Monitoring collidem_richardson
 
Running Cloud Foundry for 12 months - An experience report | anynines
Running Cloud Foundry for 12 months - An experience report | anyninesRunning Cloud Foundry for 12 months - An experience report | anynines
Running Cloud Foundry for 12 months - An experience report | anyninesanynines GmbH
 
De-centralise and Conquer: Masterless Puppet in a Dynamic Environment
De-centralise and Conquer: Masterless Puppet in a Dynamic EnvironmentDe-centralise and Conquer: Masterless Puppet in a Dynamic Environment
De-centralise and Conquer: Masterless Puppet in a Dynamic EnvironmentPuppet
 
Nginx
NginxNginx
NginxGeeta Vinnakota
 
Etcd- Mission Critical Key-Value Store
Etcd- Mission Critical Key-Value StoreEtcd- Mission Critical Key-Value Store
Etcd- Mission Critical Key-Value StoreCoreOS
 
SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltStack
 
SaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStack
SaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStackSaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStack
SaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStackSaltStack
 
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web ScaleSaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web ScaleSaltStack
 
SaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltConf14 - Brendan Burns, Google - Management at Google ScaleSaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltConf14 - Brendan Burns, Google - Management at Google ScaleSaltStack
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technologySZ Lin
 
NTTs Journey with Openstack-final
NTTs Journey with Openstack-finalNTTs Journey with Openstack-final
NTTs Journey with Openstack-finalshintaro mizuno
 

More Related Content

What's hot

SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...
SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...
SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...SaltStack
 
OpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingOpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingopenstackindia
 
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community) [발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community) 동현 김
 
Janice Singh - Writing Custom Nagios Plugins
Janice Singh - Writing Custom Nagios PluginsJanice Singh - Writing Custom Nagios Plugins
Janice Singh - Writing Custom Nagios PluginsNagios
 
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...SaltStack
 
Delivering a production Cloud Foundry Environment with Bosh | anynines
Delivering a production Cloud Foundry Environment with Bosh | anyninesDelivering a production Cloud Foundry Environment with Bosh | anynines
Delivering a production Cloud Foundry Environment with Bosh | anyninesanynines GmbH
 
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle ClusterwareManaging Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle ClusterwareLeighton Nelson
 
Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...
Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...
Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...SaltStack
 
VMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld
 
SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...
SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...
SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...SaltStack
 
Verifying your Ansible Roles using Docker, Test Kitchen and Serverspec
Verifying your Ansible Roles using Docker, Test Kitchen and ServerspecVerifying your Ansible Roles using Docker, Test Kitchen and Serverspec
Verifying your Ansible Roles using Docker, Test Kitchen and ServerspecEdmund Dipple
 
Serverspec and Sensu - Testing and Monitoring collide
Serverspec and Sensu - Testing and Monitoring collideServerspec and Sensu - Testing and Monitoring collide
Serverspec and Sensu - Testing and Monitoring collidem_richardson
 
Running Cloud Foundry for 12 months - An experience report | anynines
Running Cloud Foundry for 12 months - An experience report | anyninesRunning Cloud Foundry for 12 months - An experience report | anynines
Running Cloud Foundry for 12 months - An experience report | anyninesanynines GmbH
 
De-centralise and Conquer: Masterless Puppet in a Dynamic Environment
De-centralise and Conquer: Masterless Puppet in a Dynamic EnvironmentDe-centralise and Conquer: Masterless Puppet in a Dynamic Environment
De-centralise and Conquer: Masterless Puppet in a Dynamic EnvironmentPuppet
 
Etcd- Mission Critical Key-Value Store
Etcd- Mission Critical Key-Value StoreEtcd- Mission Critical Key-Value Store
Etcd- Mission Critical Key-Value StoreCoreOS
 
SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltStack
 
SaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStack
SaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStackSaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStack
SaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStackSaltStack
 
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web ScaleSaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web ScaleSaltStack
 
SaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltConf14 - Brendan Burns, Google - Management at Google ScaleSaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltConf14 - Brendan Burns, Google - Management at Google ScaleSaltStack
 

What's hot (20)

SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...
SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...
SaltConf14 - Matthew Williams, Flowroute - Salt Virt for Linux contatiners an...
 
OpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingOpenStack Tempest and REST API testing
OpenStack Tempest and REST API testing
 
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community) [발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
 
Janice Singh - Writing Custom Nagios Plugins
Janice Singh - Writing Custom Nagios PluginsJanice Singh - Writing Custom Nagios Plugins
Janice Singh - Writing Custom Nagios Plugins
 
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
 
Delivering a production Cloud Foundry Environment with Bosh | anynines
Delivering a production Cloud Foundry Environment with Bosh | anyninesDelivering a production Cloud Foundry Environment with Bosh | anynines
Delivering a production Cloud Foundry Environment with Bosh | anynines
 
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle ClusterwareManaging Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
 
Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...
Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...
Arnold Bechtoldt, Inovex GmbH Linux systems engineer - Configuration Manageme...
 
VMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep Dive
 
SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...
SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...
SaltConf14 - Ryan Lane, Wikimedia - Immediate consistency with Trebuchet Depl...
 
Verifying your Ansible Roles using Docker, Test Kitchen and Serverspec
Verifying your Ansible Roles using Docker, Test Kitchen and ServerspecVerifying your Ansible Roles using Docker, Test Kitchen and Serverspec
Verifying your Ansible Roles using Docker, Test Kitchen and Serverspec
 
Serverspec and Sensu - Testing and Monitoring collide
Serverspec and Sensu - Testing and Monitoring collideServerspec and Sensu - Testing and Monitoring collide
Serverspec and Sensu - Testing and Monitoring collide
 
Running Cloud Foundry for 12 months - An experience report | anynines
Running Cloud Foundry for 12 months - An experience report | anyninesRunning Cloud Foundry for 12 months - An experience report | anynines
Running Cloud Foundry for 12 months - An experience report | anynines
 
De-centralise and Conquer: Masterless Puppet in a Dynamic Environment
De-centralise and Conquer: Masterless Puppet in a Dynamic EnvironmentDe-centralise and Conquer: Masterless Puppet in a Dynamic Environment
De-centralise and Conquer: Masterless Puppet in a Dynamic Environment
 
Nginx
NginxNginx
Nginx
 
Etcd- Mission Critical Key-Value Store
Etcd- Mission Critical Key-Value StoreEtcd- Mission Critical Key-Value Store
Etcd- Mission Critical Key-Value Store
 
SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability EnvironmentsSaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
SaltConf14 - Ben Cane - Using SaltStack in High Availability Environments
 
SaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStack
SaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStackSaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStack
SaltConf14 - Oz Akan, Rackspace - Deploying OpenStack Marconi with SaltStack
 
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web ScaleSaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
 
SaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltConf14 - Brendan Burns, Google - Management at Google ScaleSaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltConf14 - Brendan Burns, Google - Management at Google Scale
 

Similar to Linux conna kpatch-without-stopmachine-fixed

淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technologySZ Lin
 
NTTs Journey with Openstack-final
NTTs Journey with Openstack-finalNTTs Journey with Openstack-final
NTTs Journey with Openstack-finalshintaro mizuno
 
An Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource PartitioningAn Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource PartitioningYoshitake Kobayashi
 
Testing real-time Linux. What to test and how
Testing real-time Linux. What to test and how Testing real-time Linux. What to test and how
Testing real-time Linux. What to test and how Chirag Jog
 
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...Yuji Kubota
 
BUD17-405: Building a reference IoT product with Zephyr
BUD17-405: Building a reference IoT product with Zephyr BUD17-405: Building a reference IoT product with Zephyr
BUD17-405: Building a reference IoT product with Zephyr Linaro
 
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...Anne Nicolas
 
Real Time Application Interface for Linux
Real Time Application Interface for LinuxReal Time Application Interface for Linux
Real Time Application Interface for LinuxSarah Hussein
 
Monitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisMonitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisBrendan Gregg
 
OpenStackユーザ会資料 - Masakari
OpenStackユーザ会資料 - MasakariOpenStackユーザ会資料 - Masakari
OpenStackユーザ会資料 - Masakarimasahito12
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsBrendan Gregg
 
Tackling Terraform at Ticketmaster
Tackling Terraform at TicketmasterTackling Terraform at Ticketmaster
Tackling Terraform at TicketmasterFastly
 
Pharo 11: A stabilization release
Pharo 11: A stabilization releasePharo 11: A stabilization release
Pharo 11: A stabilization releaseESUG
 
Tommaso Cucinotta - Low-latency and power-efficient audio applications on Linux
Tommaso Cucinotta - Low-latency and power-efficient audio applications on LinuxTommaso Cucinotta - Low-latency and power-efficient audio applications on Linux
Tommaso Cucinotta - Low-latency and power-efficient audio applications on Linuxlinuxlab_conf
 

Similar to Linux conna kpatch-without-stopmachine-fixed (20)

淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technology
 
NTTs Journey with Openstack-final
NTTs Journey with Openstack-finalNTTs Journey with Openstack-final
NTTs Journey with Openstack-final
 
An Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource PartitioningAn Essential Relationship between Real-time and Resource Partitioning
An Essential Relationship between Real-time and Resource Partitioning
 
Testing real-time Linux. What to test and how
Testing real-time Linux. What to test and how Testing real-time Linux. What to test and how
Testing real-time Linux. What to test and how
 
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
 
Obstacles & Solutions for Livepatch Support on ARM64 Architecture
Obstacles & Solutions for Livepatch Support on ARM64 ArchitectureObstacles & Solutions for Livepatch Support on ARM64 Architecture
Obstacles & Solutions for Livepatch Support on ARM64 Architecture
 
BUD17-405: Building a reference IoT product with Zephyr
BUD17-405: Building a reference IoT product with Zephyr BUD17-405: Building a reference IoT product with Zephyr
BUD17-405: Building a reference IoT product with Zephyr
 
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...
Kernel Recipes 2018 - Live (Kernel) Patching: status quo and status futurus -...
 
L2 and L3 agent restructure
L2 and L3 agent restructureL2 and L3 agent restructure
L2 and L3 agent restructure
 
Real Time Application Interface for Linux
Real Time Application Interface for LinuxReal Time Application Interface for Linux
Real Time Application Interface for Linux
 
Preempt_rt realtime patch
Preempt_rt realtime patchPreempt_rt realtime patch
Preempt_rt realtime patch
 
Linux Kernel Live Patching
Linux Kernel Live PatchingLinux Kernel Live Patching
Linux Kernel Live Patching
 
SRE NL MeetUp - eBPF.pdf
SRE NL MeetUp - eBPF.pdfSRE NL MeetUp - eBPF.pdf
SRE NL MeetUp - eBPF.pdf
 
Monitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisMonitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance Analysis
 
OpenStackユーザ会資料 - Masakari
OpenStackユーザ会資料 - MasakariOpenStackユーザ会資料 - Masakari
OpenStackユーザ会資料 - Masakari
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
 
20221130 - Luxembourg HUG Meetup
20221130 - Luxembourg HUG Meetup20221130 - Luxembourg HUG Meetup
20221130 - Luxembourg HUG Meetup
 
Tackling Terraform at Ticketmaster
Tackling Terraform at TicketmasterTackling Terraform at Ticketmaster
Tackling Terraform at Ticketmaster
 
Pharo 11: A stabilization release
Pharo 11: A stabilization releasePharo 11: A stabilization release
Pharo 11: A stabilization release
 
Tommaso Cucinotta - Low-latency and power-efficient audio applications on Linux
Tommaso Cucinotta - Low-latency and power-efficient audio applications on LinuxTommaso Cucinotta - Low-latency and power-efficient audio applications on Linux
Tommaso Cucinotta - Low-latency and power-efficient audio applications on Linux
 

More from Tommy Lee

새하늘과 새땅-리차드 미들턴
새하늘과 새땅-리차드 미들턴새하늘과 새땅-리차드 미들턴
새하늘과 새땅-리차드 미들턴Tommy Lee
 
하나님의 아픔의신학 20180131
하나님의 아픔의신학 20180131하나님의 아픔의신학 20180131
하나님의 아픔의신학 20180131Tommy Lee
 
그리스도인의미덕 통합
그리스도인의미덕 통합그리스도인의미덕 통합
그리스도인의미덕 통합Tommy Lee
 
그리스도인의미덕 1장-4장
그리스도인의미덕 1장-4장그리스도인의미덕 1장-4장
그리스도인의미덕 1장-4장Tommy Lee
 
예수왕의복음
예수왕의복음예수왕의복음
예수왕의복음Tommy Lee
 
Grub2 and troubleshooting_ol7_boot_problems
Grub2 and troubleshooting_ol7_boot_problemsGrub2 and troubleshooting_ol7_boot_problems
Grub2 and troubleshooting_ol7_boot_problemsTommy Lee
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUITommy Lee
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나- IBM Bluemix
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나- IBM Bluemix제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나- IBM Bluemix
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나- IBM BluemixTommy Lee
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Ranchers
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Ranchers제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Ranchers
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-RanchersTommy Lee
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-AI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-AI제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-AI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-AITommy Lee
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Asible
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Asible제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Asible
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-AsibleTommy Lee
 
제3회난공불락 오픈소스 인프라세미나 - lustre
제3회난공불락 오픈소스 인프라세미나 - lustre제3회난공불락 오픈소스 인프라세미나 - lustre
제3회난공불락 오픈소스 인프라세미나 - lustreTommy Lee
 
제3회난공불락 오픈소스 인프라세미나 - Nagios
제3회난공불락 오픈소스 인프라세미나 - Nagios제3회난공불락 오픈소스 인프라세미나 - Nagios
제3회난공불락 오픈소스 인프라세미나 - NagiosTommy Lee
 
제3회난공불락 오픈소스 인프라세미나 - MySQL Performance
제3회난공불락 오픈소스 인프라세미나 - MySQL Performance제3회난공불락 오픈소스 인프라세미나 - MySQL Performance
제3회난공불락 오픈소스 인프라세미나 - MySQL PerformanceTommy Lee
 
제3회난공불락 오픈소스 인프라세미나 - JuJu
제3회난공불락 오픈소스 인프라세미나 - JuJu제3회난공불락 오픈소스 인프라세미나 - JuJu
제3회난공불락 오픈소스 인프라세미나 - JuJuTommy Lee
 
제3회난공불락 오픈소스 인프라세미나 - Pacemaker
제3회난공불락 오픈소스 인프라세미나 - Pacemaker제3회난공불락 오픈소스 인프라세미나 - Pacemaker
제3회난공불락 오픈소스 인프라세미나 - PacemakerTommy Lee
 
새하늘과새땅 북톡-3부-우주적회복에대한신약의비전
새하늘과새땅 북톡-3부-우주적회복에대한신약의비전새하늘과새땅 북톡-3부-우주적회복에대한신약의비전
새하늘과새땅 북톡-3부-우주적회복에대한신약의비전Tommy Lee
 
새하늘과새땅 북톡-2부-구약에서의총체적구원
새하늘과새땅 북톡-2부-구약에서의총체적구원새하늘과새땅 북톡-2부-구약에서의총체적구원
새하늘과새땅 북톡-2부-구약에서의총체적구원Tommy Lee
 
새하늘과새땅 Part1
새하늘과새땅 Part1새하늘과새땅 Part1
새하늘과새땅 Part1Tommy Lee
 
제2회 난공불락 오픈소스 인프라 세미나 Kubernetes
제2회 난공불락 오픈소스 인프라 세미나 Kubernetes제2회 난공불락 오픈소스 인프라 세미나 Kubernetes
제2회 난공불락 오픈소스 인프라 세미나 KubernetesTommy Lee
 

More from Tommy Lee (20)

새하늘과 새땅-리차드 미들턴
새하늘과 새땅-리차드 미들턴새하늘과 새땅-리차드 미들턴
새하늘과 새땅-리차드 미들턴
 
하나님의 아픔의신학 20180131
하나님의 아픔의신학 20180131하나님의 아픔의신학 20180131
하나님의 아픔의신학 20180131
 
그리스도인의미덕 통합
그리스도인의미덕 통합그리스도인의미덕 통합
그리스도인의미덕 통합
 
그리스도인의미덕 1장-4장
그리스도인의미덕 1장-4장그리스도인의미덕 1장-4장
그리스도인의미덕 1장-4장
 
예수왕의복음
예수왕의복음예수왕의복음
예수왕의복음
 
Grub2 and troubleshooting_ol7_boot_problems
Grub2 and troubleshooting_ol7_boot_problemsGrub2 and troubleshooting_ol7_boot_problems
Grub2 and troubleshooting_ol7_boot_problems
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-CRUI
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나- IBM Bluemix
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나- IBM Bluemix제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나- IBM Bluemix
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나- IBM Bluemix
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Ranchers
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Ranchers제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Ranchers
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Ranchers
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-AI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-AI제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-AI
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-AI
 
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Asible
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Asible제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Asible
제4회 한국IBM과 함께하는 난공불락 오픈소스 인프라 세미나-Asible
 
제3회난공불락 오픈소스 인프라세미나 - lustre
제3회난공불락 오픈소스 인프라세미나 - lustre제3회난공불락 오픈소스 인프라세미나 - lustre
제3회난공불락 오픈소스 인프라세미나 - lustre
 
제3회난공불락 오픈소스 인프라세미나 - Nagios
제3회난공불락 오픈소스 인프라세미나 - Nagios제3회난공불락 오픈소스 인프라세미나 - Nagios
제3회난공불락 오픈소스 인프라세미나 - Nagios
 
제3회난공불락 오픈소스 인프라세미나 - MySQL Performance
제3회난공불락 오픈소스 인프라세미나 - MySQL Performance제3회난공불락 오픈소스 인프라세미나 - MySQL Performance
제3회난공불락 오픈소스 인프라세미나 - MySQL Performance
 
제3회난공불락 오픈소스 인프라세미나 - JuJu
제3회난공불락 오픈소스 인프라세미나 - JuJu제3회난공불락 오픈소스 인프라세미나 - JuJu
제3회난공불락 오픈소스 인프라세미나 - JuJu
 
제3회난공불락 오픈소스 인프라세미나 - Pacemaker
제3회난공불락 오픈소스 인프라세미나 - Pacemaker제3회난공불락 오픈소스 인프라세미나 - Pacemaker
제3회난공불락 오픈소스 인프라세미나 - Pacemaker
 
새하늘과새땅 북톡-3부-우주적회복에대한신약의비전
새하늘과새땅 북톡-3부-우주적회복에대한신약의비전새하늘과새땅 북톡-3부-우주적회복에대한신약의비전
새하늘과새땅 북톡-3부-우주적회복에대한신약의비전
 
새하늘과새땅 북톡-2부-구약에서의총체적구원
새하늘과새땅 북톡-2부-구약에서의총체적구원새하늘과새땅 북톡-2부-구약에서의총체적구원
새하늘과새땅 북톡-2부-구약에서의총체적구원
 
새하늘과새땅 Part1
새하늘과새땅 Part1새하늘과새땅 Part1
새하늘과새땅 Part1
 
제2회 난공불락 오픈소스 인프라 세미나 Kubernetes
제2회 난공불락 오픈소스 인프라 세미나 Kubernetes제2회 난공불락 오픈소스 인프라 세미나 Kubernetes
제2회 난공불락 오픈소스 인프라 세미나 Kubernetes
 

Recently uploaded

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Linux conna kpatch-without-stopmachine-fixed

  • 1. © Hitachi, Ltd. 2014. All rights reserved. Kpatch Without Stop Machine The Next Step of Kernel Live Patching Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> Linux Technology Research Center Yokohama Research Lab. Hitachi Ltd., LinuxCon NA 2014 (Aug. 2014) 1
  • 2. © Hitachi, Ltd. 2014. All rights reserved. Speaker • Masami Hiramatsu – A researcher, working for Hitachi • Researching many RAS features – A linux kprobes-related maintainer • Ftrace dynamic kernel event (a.k.a. kprobe-tracer) • Perf probe (a tool to set up the dynamic events) • X86 instruction decoder (in kernel) 2
  • 3. © Hitachi, Ltd. 2014. All rights reserved. Agenda: Kpatch Without Stop Machine Background Story Kpatch internal Kpatch without stop_machine Conclusion and Discussion Note: this presentation is only focusing on the kernel-module side of kpatch. More generic design and implementation, please attend to - kpatch: Have Your Security And Eat It Too! – Josh Poimboeuf Aug. 22. pm2:30 3
  • 4. © Hitachi, Ltd. 2014. All rights reserved. Agenda: Kpatch Without Stop Machine Background Story What is kpatch? Live patching requirements Major updates and Minor updates Kpatch internal Kpatch Overview Active Safeness check Stop_machine Kpatch without stop_machine Live Patcing Rules Kpatch Reference Counter Safeness check without stop_machine Conclusion and Discussion 4
  • 5. © Hitachi, Ltd. 2014. All rights reserved. What’s Kpatch? • Kpatch is a LIVE patching function for kernel – This applys a binary patch to kernel on-line – Patching is done without shutdown • Only for a small and critical issues – Not for major kernel update 5
  • 6. © Hitachi, Ltd. 2014. All rights reserved. Why Live Patching Required? • Live patching is important for appliances for mission critical systems – Some embedded appliances are hard to maintain frequently • Those are distributed widely in country side • Not in the big data center! – Some appliances can’t accept 10ms downtime • Factory control system etc. 6
  • 7. © Hitachi, Ltd. 2014. All rights reserved. But for Major Updates? • M.C. systems have periodic maintenance – Major fixes can be applied and rebooted – In between the maintenance, live patching will be used • Live patching and major update are complement each other – Live patching temporarily fixes small critical incidents – Major update permanently fixes all bugs 7 Planned Maintenance Major UpdateLive Patching criticalminor
  • 8. © Hitachi, Ltd. 2014. All rights reserved. The History of Live patching on Linux • Live patching is not new 8 Pannus Live Patch (2004-2006) http://pannus.sourceforge.net/ Livepatch (2005) http://ukai.jp/Slides/2005/1202-b2con/mop/livepatch.html ksplice (2007-) https://www.ksplice.com/ kGraft (2014) kpatch (2014) 2004 For applic ation For kernel 2014 Use ftrace to replace function Will be supported by major distributors Build from scratch Acquired and supported by Oracle Developed for CGL No distribution support Ptrace and mmap based one
  • 9. © Hitachi, Ltd. 2014. All rights reserved. Agenda: Kpatch Without Stop Machine Background Story What is kpatch? Live patching requirements Major updates and Minor updates Kpatch internal Kpatch Overview Active Safeness check Stop_machine Kpatch without stop_machine Live Patcing Rules Kpatch Reference Counter Safeness check without stop_machine Conclusion and Discussion 9
  • 10. © Hitachi, Ltd. 2014. All rights reserved. Kpatch: Overview • Kpatch has 2 components – Kpatch build: Build a binary patch module – Kpatch.ko: The kernel module of Kpatch 10 Original src Patched src Patch Build Current vmlinux Build Patched vmlinux Per-function diff Patch module A module which contains new functions Done by Kpatch build Running linux Kpatch.ko Done by kpatch.ko Do patch New functions On old functions Today’s talk
  • 11. © Hitachi, Ltd. 2014. All rights reserved. Kpatch: How to Patch • Kpatch uses Ftrace to patch – Hook the target function entry with registers – Change regs->ip to new function (change the flow) 11 Call foo()Call foo() Call fentryCall fentry Save RegsSave Regs Call ftrace_opsCall ftrace_ops Get new IP from Hash table Get new IP from Hash table Restore RegsRestore Regs Change regs->ipChange regs->ip ReturnReturn …… ReturnReturn …… foo() New foo() Ret to regs->ipRet to regs->ip …… Ftrace hooks Foo() entry Find the new IP from hash table Ftrace returns To new foo() ReturnReturn Foo() is called even After patching. Function pointer is Available  ftrace kpatch.ko
  • 12. © Hitachi, Ltd. 2014. All rights reserved. Conflict of Old and New Functions • Kpatch will update the execution path of a function – Q: What happen if the patched function is under executed? – A: Old and new functions are executed at the same time !!This should not happen!! • Kpatch ensures the old functions are not executed when patching – “Active Safeness Check” 12
  • 13. © Hitachi, Ltd. 2014. All rights reserved. Active Safeness Check • Executing functions are on the stack • And IP register points current function too • Active Safeness Check – Do stack dump to check the target functions are not executed, for each thread. – Need to be done when the process is stopped. – stop_machine is used 13 Func1Func1 Func2Func2 Func3Func3 Func1+XX Func2+YY Stack at here Func1+XX Stack at here
  • 14. © Hitachi, Ltd. 2014. All rights reserved. Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks 14 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Call old func1 Call old func2
  • 15. © Hitachi, Ltd. 2014. All rights reserved. Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks 15 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Call old func1 Call old func2 All running processes and interrupts are stopped Call Stop Machine
  • 16. © Hitachi, Ltd. 2014. All rights reserved. Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks 16 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Safeness Check Call old func1 Call old func2 Walk through the all Thread and check Old funcs on stacks All running processes and interrupts are stopped Call Stop Machine
  • 17. © Hitachi, Ltd. 2014. All rights reserved. Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks 17 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Update hash table Safeness Check Call old func1 Call old func2 Call New func2 Call New func2 Call New func1 Call New func1 Walk through the all Thread and check Old funcs on stacks Now switch to New functionsAll running processes and interrupts are stopped Call Stop Machine Return
  • 18. © Hitachi, Ltd. 2014. All rights reserved. Stop_machine: Pros and Cons • Pros – Safe, simple and easy to review, Good for the 1st version • Cons – Stop_machine stops all processes a while • It is critical for control/network appliances – In virtual environment, this takes longer time • We need to wait all VCPUs are scheduled on the host machine 18
  • 19. © Hitachi, Ltd. 2014. All rights reserved. Agenda: Kpatch Without Stop Machine Background Story What is kpatch? Live patching requirements Major updates and Minor updates Kpatch internal Kpatch and Ftrace Kpatch and Safeness check Stop_machine Kpatch without stop_machine Live Patching Rules Kpatch Reference Counter Safeness check without stop_machine Conclusion and Discussion 19
  • 20. © Hitachi, Ltd. 2014. All rights reserved. Live Patching Rules • Live patching must follow the rules 1. All the new functions in a patch must be applied at once ● We need an atomic operation 2. After switching new function, the old function must not be executed ● We have to ensure no threads runs on old functions ● And no threads sleeps on them 20
  • 21. © Hitachi, Ltd. 2014. All rights reserved. Two actions for the solution 1. Introduce an atomic reference counter 2. Active safeness check at the context switch 21
  • 22. © Hitachi, Ltd. 2014. All rights reserved. Atomic Function Reference Counter 1. Introduce an atomic reference counter – Without stop_machine, functions can be called while patching • Ensure no one actually runs functions -> refcounter • Increment the refcounter at entry • Decrement the refcounter at exit – If refcounter is 0, update ALL function paths • We are sure there is no users 22
  • 23. © Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter • Patching(switching) controlled by refcount Time Patching Process Process1 Process2 Process3 Add Ftrace entry+1 Start patcing Refcnt = 1
  • 24. © Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter • Patching(switching) controlled by refcount Time Patching Process Process1 Process2 Process3 Add Ftrace entry Prepare new Hash table Safeness Check Call old func1 Call old func2 Call old func1 +1 +1 +1 -1-1 -1 +1 Start patcing Refcnt = 1 Each function call Inc/dec refcnt While patching
  • 25. © Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter • Patching(switching) controlled by refcount 25 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Prepare new Hash table Safeness Check Call old func1 Call old func2 Call old func3 Call old func3 Call old func1 +1 +1 +1 +1 +1 -1 -1-1 -1 -1 +1 Patching process Is over, but refcnt Is not 0 Start patcing Refcnt = 1 Each function call Inc/dec refcnt While patching
  • 26. © Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter • Patching(switching) controlled by refcount 26 Time Patching Process Process1 Process2 Process3 Add Ftrace entry Prepare new Hash table Safeness Check Call old func1 Call old func2 Call old func3 Call old func3 Call old func1 Call New func2 Call New func2 Call New func1 Call New func1 +1 +1 +1 +1 +1 -1 -1-1 -1 -1 -1 +1 Patching process Is over, but refcnt Is not 0 Refcnt is 0 Patch enabled on all funcs Start patcing Refcnt = 1 Don’t count refcnt anymore Each function call Inc/dec refcnt While patching
  • 27. © Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter (cont.) • Control the reference counter – Need to stop counting before and after patching – Use atomic_inc_not_zero/dec_if_positive • These are stopped automatically if counter == 0 27 func call 00 Do not hook function Entry/exit before patching refcnt
  • 28. © Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter (cont.) • Control the reference counter – Need to stop counting before and after patching – Use atomic_inc_not_zero/dec_if_positive • These are stopped automatically if counter == 0 28 1 2 1 0 atomic_dec_if_positiveatomic_inc_not_zero func call atomic_inc forcibly inc refcnt Patching atomic_dec func call 00 refcnt Do not hook function Entry/exit before patching
  • 29. © Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter (cont.) • Control the reference counter – Need to stop counting before and after patching – Use atomic_inc_not_zero/dec_if_positive • These are stopped automatically if counter == 0 29 1 2 1 0 0 0 atomic_dec_if_ positive ->do nothing atomic_inc_not_zero -> do nothing func call atomic_dec_if_positiveatomic_inc_not_zero func call atomic_inc Patching atomic_dec func call 0 atomic_dec_if_ positive ->do nothing 0 refcnt Do not hook function Entry/exit before patching
  • 30. © Hitachi, Ltd. 2014. All rights reserved. Active Safeness check without stop_machine 2. Active safeness check at the context switch – To find threads sleeping(or going to sleep) on the functions – For all running processes, hook the context switch and check stack entries safely. – For the sleeping tasks, we can check it safely. 30
  • 31. © Hitachi, Ltd. 2014. All rights reserved. Safeness Check without Stop_machine • 2 stages safeness checking 31 Patching Process stack check if task is not running rculock rcuunlock check over all threads List up Running threads Time Stage1: Check sleeping tasks Running process A Running process B wait on runqRun Run context switch wait on runq
  • 32. © Hitachi, Ltd. 2014. All rights reserved. Safeness Check without Stop_machine • 2 stages safeness checking 32 Patching Process stack check if task is not running rculock rcuunlock check over all threads running pid running pid running pid List up Running threads hook stack check for current process Update Wait for all running task is checked Time … Stage1: Check sleeping tasks Stage2: Check running tasks Running process A Running process B wait on runqRun Run context switch wait on runq
  • 33. © Hitachi, Ltd. 2014. All rights reserved. How to add refcnt and context switch hook? • To hook the function entry/return – Use kretprobe to hook it – For each function entry/return, inc/dec refcount • To hook the context switch – Use kprobe to hook it – Do safeness check (on stack) and update running pid list • Both are dynamic probe – After checking the safeness, all kretprobes/kprobes are r emoved from the target functions – We have minimal overhead 33
  • 34. © Hitachi, Ltd. 2014. All rights reserved. Demo • Demonstrating kpatching with/without stop_machine – Using ftrace to trace stop_machine() 34 (Setup ftrace) # echo stop_machine > /sys/kernel/debug/tracing/set_ftrace_filter # echo function_graph > /sys/kernel/debug/tracing/current_tracer (Run the kpatch) # kpatch load kpatch-test-patch.ko (Check the result) # echo 0 > /sys/kernel/debug/tracing/tracing_on # cat /sys/kernel/debug/tracing/trace (Setup ftrace) # echo stop_machine > /sys/kernel/debug/tracing/set_ftrace_filter # echo function_graph > /sys/kernel/debug/tracing/current_tracer (Run the kpatch) # kpatch load kpatch-test-patch.ko (Check the result) # echo 0 > /sys/kernel/debug/tracing/tracing_on # cat /sys/kernel/debug/tracing/trace
  • 35. © Hitachi, Ltd. 2014. All rights reserved. Demo result • With stop_machine • Without stop_machine 35 cat trace # tracer: function_graph # # CPU DURATION FUNCTION CALLS # | | | | | | | 0) ! 6410.455 us | stop_machine(); cat trace # tracer: function_graph # # CPU DURATION FUNCTION CALLS # | | | | | | | 0) ! 6410.455 us | stop_machine(); cat trace # tracer: function_graph # # CPU DURATION FUNCTION CALLS # | | | | | | | cat trace # tracer: function_graph # # CPU DURATION FUNCTION CALLS # | | | | | | | No stop_machine is executed
  • 36. © Hitachi, Ltd. 2014. All rights reserved. Agenda: Kpatch Without Stop Machine Background Story What is kpatch? Live patching requirements Major updates and Minor updates Kpatch internal Kpatch Overview Kpatch and Safeness check Stop_machine Kpatch without stop_machine Live Patcing Rules Kpatch Reference Counter Safeness check without stop_machine Conclusion and Discussion 36
  • 37. © Hitachi, Ltd. 2014. All rights reserved. Conclusion • Succeed to get rid of stop_machine() from kpatch – This is a proof of concept of stop_machine-free kpatch • This means kpatch CAN BE ready for mission critical systems • But still under discussion stage • Upstreaming could be a long way – At first, push current stop_machine-based kpatch to upstream – Stop_machine-free will be the next step 37
  • 38. © Hitachi, Ltd. 2014. All rights reserved. Current Issues • Possible to miscount the function reference – Kretprobe has no error notification • Kretprobe can be failed to handle the function return because of return- address buffer shortage • Possible to fail patching with big patch – We have to monitor all the functions are safe in the patch – Big patch has many patched functions • Some of them can be always used in the system • Incremental patching could be better • Module unloading using stop_machine – This will happen if we replace old patch with new one – Incremental patching can avoid this. 38
  • 39. © Hitachi, Ltd. 2014. All rights reserved. Future work • Use a generic return-hook mechanism – Kretprobe is for PoC, not for general use • It can’t detect the failure of hooking – Should be more safe (e.g. miss-hook handler) • Context switch hook can be more general – Tracepoint/traceevent makes it better. – This requires kpatch as embedded feature • Upstreaming 39
  • 40. © Hitachi, Ltd. 2014. All rights reserved. Resources and Links • Get rid of the stop_machine from kpatch • https://github.com/dynup/kpatch/issues/138 • My no-stopmachine branch • https://github.com/mhiramathitachi/kpatch/tree/no-stop machine-v1 – This requires IPMODIFY flag patchset for kernel • http://thread.gmane.org/gmane.linux.kernel/1757201 40
  • 41. © Hitachi, Ltd. 2014. All rights reserved. Questions?
  • 42.
  • 43. © Hitachi, Ltd. 2014. All rights reserved. Trademarks 43 • Linux is a trademark of Linus Torvalds in the United States, other countries, or both. • Other company, product, or service names m ay be trademarks or service marks of others.