User: Password:
|
|
Subscribe / Log in / New account

Ksplice: kernel patches without reboots

Ksplice: kernel patches without reboots

Posted Apr 30, 2008 20:53 UTC (Wed) by dlang (subscriber, #313)
In reply to: Ksplice: kernel patches without reboots by droundy
Parent article: Ksplice: kernel patches without reboots

any system like this should be isolated anyway, so delaying the security update for a week or
a month to let your job finish should not be a big problem.

remember that if a box is not exposed it doesn't need a security update.


(Log in to post comments)

Ksplice: kernel patches without reboots

Posted May 1, 2008 0:22 UTC (Thu) by gdt (subscriber, #6284) [Link]

any system like this should be isolated anyway

In practice that's increasingly difficult. Datasets are growing so large that the last thing you want is two copies of them, so you end up with the input data being remotely hosted and pulled across the Internet on demand. It's this sort of use that the academic community created the Internet for.

The other problem with scientific computing is simply that I might not want to reboot the system at this moment. Imagine that I've concurrently booked four radiotelescopes, which is about a six-month wait. I've got them streaming into my processing cluster. A security patch arrives. If I apply the patch and reboot then I lose resolution, and thus my experiment may be inconclusive. If I don't apply the patch and the machine is subverted then there are data integrity issues and again the experiment is inconclusive. In both cases I wait another six months and try again. My favoured choice would be to apply the patch whilst still running the telescope correlation.

I'm not saying the ksplice is the best thing since sliced bread. But it does have some use, particularly outside of the typical server application that Linux is generally used for.

Ksplice: kernel patches without reboots

Posted May 1, 2008 0:36 UTC (Thu) by dlang (subscriber, #313) [Link]

if you don't have more then one copy of your data you run the serious risk of loosing it. 

even for huge datasets, it's cheaper to keep an extra copy then to recreate the data.

I'm not saying that ksplice is worthless, I'm disagreeing with the idea that was posted that
it's required for these situations.

Ksplice: kernel patches without reboots

Posted May 1, 2008 12:57 UTC (Thu) by nix (subscriber, #2304) [Link]

Yeah, but using an extra copy for failover requires that it be online 
*now*. Using an extra copy for redundancy only does not require that (and 
is much cheaper: how will you keep an extra online copy of the ATLAS 
detector's collected data? It's far too large to keep even *one* copy at 
any one site: keeping an extra online copy means doubling the size of an 
already large collaboration...)

Ksplice: kernel patches without reboots

Posted May 8, 2008 11:40 UTC (Thu) by anandsr21 (guest, #28562) [Link]

Do you know how much data Google keeps. And they keep three copies not too. And in
Geographically separated locations. So the solution is essentially to make multiple copies.
Actually as Google has shown even two copies are not enough.

Ksplice: kernel patches without reboots

Posted May 1, 2008 13:04 UTC (Thu) by richardr (guest, #14799) [Link]

But the point about academic workloads is that often we use every desktop in the department as
a distributed supercomputer, so the nodes are both exposed to every possible attack because
people want their desktops accessible from outside (at least via ssh) and want to be able to
surf the web, and may be running background jobs for weeks at a time belonging to other people
who don't want them to be restarted. The conflict between these two factors is where this kind
of technology becomes important.

Ksplice: kernel patches without reboots

Posted May 1, 2008 21:20 UTC (Thu) by dlang (subscriber, #313) [Link]

if you are running on random desktops that are used for other things, your software had better
be able to handle reboots/crashes/power outages anyway as those events will happen.

while I see some use for live patching, I really don't see where it becomes a killer feature


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds