Ostd.ksplice.talk

350 views

Published on

Talk about Ksplice at OpenSource Trend Days 2012

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
350
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Ostd.ksplice.talk

  1. 1. OpenSource Trends Days 2012KspliceLinux kernel patching without a rebootUdo Seidel
  2. 2. OpenSource Trends Days 2012Agenda● Who?● Why?● How?● Show!● And?
  3. 3. OpenSource Trends Days 2012Me :-)● Teacher of mathematicsand physics● PhD in experimental physics● Started with Linux in 1996● Linux/UNIX trainer● Solution engineer in HPCand CAx environment● Head of a international distributed sysadmin team
  4. 4. OpenSource Trends Days 2012Why?
  5. 5. OpenSource Trends Days 2012Why kernel updates?● Business critical applications on Linux● Bug fixing● New functions or improvements● External requirements● Importance of security, e.g. PCI-DSS
  6. 6. OpenSource Trends Days 2012What is wrong with reboots?● Missing HA● Procedures, Operations, ...● External requirements
  7. 7. OpenSource Trends Days 2012Do we really need a reboot?Question ....
  8. 8. OpenSource Trends Days 2012Looking back and around● Not new● mainframes● hot updates for Unix● Early days of Linux● Picked up recently● Rootkits
  9. 9. OpenSource Trends Days 2012How?Hotfix preparation
  10. 10. OpenSource Trends Days 2012Source code comparison● One approach for generation of hot updates● Looks simple ... but● High programming language skills needed● Analysis complex● Code replacement unclear
  11. 11. OpenSource Trends Days 2012Object code comparison● New approach for generation of hot updates● Advantages● Reduced need for developing skills● Implicit patch analysis● Can be automated● Challenges● Object code generation● Code replacement
  12. 12. OpenSource Trends Days 2012Ksplice arises ...● 2008/2009● 4 students @ MIT– Thesis from Jeff Arnolds● Ksplice Inc. founded– GPLv2– Supported: Debian, Ubuntu, Fedora, CentOS, RHEL● July 2011● Acquired by Oracle
  13. 13. OpenSource Trends Days 2012Ksplice – high level● Patching original source code● Generation of new object code● Comparison of old and new object code● Load of the delta code● Address redirection to activate new object code
  14. 14. OpenSource Trends Days 2012Ksplice – how it works part I
  15. 15. OpenSource Trends Days 2012Ksplice – some first details● Creation of dedicated sections for functions andstructures of source code● Identical compiler recommended● Unnecessary replacement code possible● Memory addresses?
  16. 16. OpenSource Trends Days 2012Address determination – first trial● Symbol to address translation● Known from core dump analysis● /boot/System.map● Does not work here :-(
  17. 17. OpenSource Trends Days 2012Address determination by Ksplice● Pair up object code on disk (PRE) with objectcode in memory (RUN)● Filter of wrong symbols● Analysis of unknown address in PRE objectsvia RUN objects
  18. 18. OpenSource Trends Days 2012Address determination by Ksplice
  19. 19. OpenSource Trends Days 2012Ksplice - more details● Cancel if unexpected event during PRE-RUNcomparison● PRE-RUN comparison => kernel module
  20. 20. OpenSource Trends Days 2012Ksplice – how it works part I
  21. 21. OpenSource Trends Days 2012Ksplice – how it works part II
  22. 22. OpenSource Trends Days 2012Last step● Tell the kernel to use the new object code● Kernel module ksplice.ko● Load the new object code● Kernel module ksplice­new.ko
  23. 23. OpenSource Trends Days 2012What else● Limitations● Scalability● Patch context● Patch size● Unclear● Patent violation?● license
  24. 24. OpenSource Trends Days 2012How?Hotfix application
  25. 25. OpenSource Trends Days 2012Client side● Download via Ksplice client● Modification of depmod and modprobe● Update of initial ram disk● Automation via SysV init scripts
  26. 26. OpenSource Trends Days 2012Client commandsCommand descriptionuptrack­install Install available patch(es)uptrack­remove Remove installedpatch(es)uptrack­show Status of installed and/oravailable patchesuptrack­uname Effective/patched kernelversionuptrack­upgrade Install all availabepatches
  27. 27. OpenSource Trends Days 2012Show!
  28. 28. OpenSource Trends Days 2012Example● CVE-2012-0207● Kernel 2.6.36● Bug in IGMP code● Simple source code fix   diff ­­git a/net/ipv4/igmp.c b/net/ipv4/igmp.c ...   @@ ­875,6 +875,8 @@ static void igmp_heard_query ...   ...        max_delay = IGMPV3_MRC(ih3>code)*...   +    if (!max_delay)   + max_delay = 1; /* cant mod w/ 0 */     } else { /* v3 */
  29. 29. OpenSource Trends Days 2012And?
  30. 30. OpenSource Trends Days 2012Summary● Promising technology● Available for selected Linux distributions only● Open questions on license/patent
  31. 31. OpenSource Trends Days 2012References● http://www.ksplice.com● http://kerneltrap.org/mail-archive/linux-kernel/2008/4/23/1570474● http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0207
  32. 32. OpenSource Trends Days 2012Thank you!
  33. 33. OpenSource Trends Days 2012KspliceLinux kernel patching without a rebootUdo Seidel

×