
Red Hat's dynamic kernel patching project

It seems that Red Hat, too, has a project working on patching running kernels. "kpatch allows you to patch a Linux kernel without rebooting or restarting any processes. This enables sysadmins to apply critical security patches to the kernel immediately, without having to wait for long-running tasks to complete, users to log off, or scheduled reboot windows. It gives more control over uptime without sacrificing security or stability." It looks closer to ksplice than to SUSE's kGraft in that it patches out entire functions at a time.

Red Hat's dynamic kernel patching project

Posted Mar 4, 2014 15:43 UTC (Tue) by jcpunk (subscriber, #95796) [Link]

I wonder, how does this compare to kgraft from Suse?

Red Hat's dynamic kernel patching project

Posted Mar 4, 2014 16:54 UTC (Tue) by vstinner (subscriber, #42675) [Link]

I read on Wikipedia that Ksplice is released under the GPL license. A company sold support for various Linux distributions including RHEL. The company was acquired by Oracle and the support is now restricted to Oracle Linux (Oracle is opposed to support RHEL).

Since Ksplice and Kgraft are released under a GPL license, why did Red Hat decide to write new code?

Red Hat's dynamic kernel patching project

Posted Mar 4, 2014 17:06 UTC (Tue) by SEJeff (subscriber, #51588) [Link]

Well for one, there are some patents that Oracle has on ksplice. Oracle is known as a patent aggressor AND isn't super fond of Redhat. It just about goes without saying that Oracle wouldn't be above suing Redhat for shipping their tech (ksplice).

Red Hat's dynamic kernel patching project

Posted Mar 4, 2014 18:37 UTC (Tue) by pizza (subscriber, #46) [Link]

> Well for one, there are some patents that Oracle has on ksplice. Oracle is known as a patent aggressor AND isn't super fond of Redhat. It just about goes without saying that Oracle wouldn't be above suing Redhat for shipping their tech (ksplice).

This is one of those cases where the GPLv3's vastly superior patent clauses would have greatly aided Redhat here. That said, Oracle would be quite foolish to sue Redhat over GPL code, because that could trigger an avalanche of Oracle automatically losing licenses to other patented stuff, opening themselves to lots and lots of potential liability.

Then again, Oracle has demonstrated quite a lot of foolish activity...

Red Hat's dynamic kernel patching project

Posted Mar 5, 2014 7:27 UTC (Wed) by bangert (subscriber, #28342) [Link]

If the amount of money they expect to make from a patent lawsuit is greater than their current (and foreseeable) income off Oracle Enterprise Linux, this whole idea might not even be so foolish (to them).

Red Hat's dynamic kernel patching project

Posted Mar 5, 2014 9:18 UTC (Wed) by rodgerd (guest, #58896) [Link]

I'm pretty sure Oracle's end game is to end up owning Red Hat, shutting down JBoss (a major thorn in their side), and migrating RHEL to OEL.

Red Hat's dynamic kernel patching project

Posted Mar 4, 2014 19:01 UTC (Tue) by nmav (subscriber, #34036) [Link]

GPLv2 prohibits distribution of software unless a patent license is available globally and royalty free. So if Oracle is distributing GPLv2 software it is essentially protected from any patent threats.

See http://en.swpat.org/wiki/GPLv2_and_patents

Red Hat's dynamic kernel patching project

Posted Mar 7, 2014 21:23 UTC (Fri) by jhhaller (subscriber, #56103) [Link]

If I remember, from the time before Oracle bought ksplice, the patents were mostly related to how the patches were generated, not how they were applied.

The patch installation mechanisms have much pre-existing art. The 5ESS telephone switching system used online patching of a Unix kernel and shared libraries since the early 1980s, and there were earlier non-Unix predecessors which had similar functionality.

Red Hat's dynamic kernel patching project

Posted Mar 4, 2014 17:21 UTC (Tue) by dave_malcolm (guest, #15013) [Link]

Has kgraft actually been released yet? All I see is a blog post that announces a plan to "release in March":
https://www.suse.com/communities/conversations/kgraft-liv...

(disclosure: I work for RH, though not on the kernel)

Red Hat's dynamic kernel patching project

Posted Mar 4, 2014 19:51 UTC (Tue) by cyperpunks (subscriber, #39406) [Link]

Why didn't RH buy ksplice in the first place? Does ksplice have any users?

Red Hat's dynamic kernel patching project

Posted Mar 5, 2014 1:20 UTC (Wed) by jpoimboe (subscriber, #23893) [Link]

Josh from the kpatch team here. Just wanted to respond to a few of the common questions we're getting.

Ksplice is apparently no longer GPL. The last source code release was in July 2011 when Oracle acquired them, and I think the code was already out of date at that time.

kpatch and kGraft are completely separate projects. We've been working on kpatch on and off for quite a while, and didn't know about kGraft until it was announced on SUSE's blog.

We don't know yet what all the differences are between kpatch and kGraft, but we hope to work together with the kGraft team to find a common solution for upstream kernel support.

Red Hat's dynamic kernel patching project

Posted Mar 5, 2014 1:31 UTC (Wed) by jpoimboe (subscriber, #23893) [Link]

Also, there are no plans to deliver live kernel hot patches for RHEL at this point. We still have a lot of work to do before kpatch could be considered ready for production.

Red Hat's dynamic kernel patching project

Posted Mar 5, 2014 17:24 UTC (Wed) by Baylink (guest, #755) [Link]

Do you have one sentence for us on what security provisions something like this has, and how hard it is to leave out if an admin decides those provisions aren't sufficiently secure for them?

Red Hat's dynamic kernel patching project

Posted Mar 5, 2014 17:38 UTC (Wed) by jpoimboe (subscriber, #23893) [Link]

The hot patches are loaded in kernel modules, so a user must have the CAP_SYS_MODULE capability (which typically means root access) to apply them.

Also, the plan is to define a "hot patch" kernel taint flag, which would be set when a hot patch is loaded.
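
An added example, not part of the thread or of kpatch: a defender-side audit of the two controls named in the comment above, finding which processes hold CAP_SYS_MODULE and decoding the kernel taint mask. The `/proc` excerpts are constructed, the function names are illustrative, and the taint bit is the one mainline live patching later used, which the thread itself does not state.

```python
import re

CAP_SYS_MODULE = 16    # bit number from linux/capability.h
# Assumption: bit 15 is what mainline live patching later used (taint letter 'K');
# the thread only says such a flag is planned.
TAINT_LIVEPATCH = 15

# Constructed /proc/<pid>/status excerpts, not captured from a real host.
SAMPLE_STATUS = {
    1: "Name:\tinit\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n",
    812: "Name:\tcontainer-app\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n",
    4410: "Name:\tbackup-agent\nCapPrm:\t0000000000010000\nCapEff:\t0000000000000000\n",
}

def module_load_rights(status_text):
    """Return 'effective', 'permitted' or None for one /proc/<pid>/status body."""
    caps = {name: int(mask, 16) for name, mask in re.findall(
        r"^(CapPrm|CapEff):[ \t]*([0-9a-fA-F]+)[ \t]*$", status_text, re.M)}
    bit = 1 << CAP_SYS_MODULE
    if caps.get("CapEff", 0) & bit:
        return "effective"
    if caps.get("CapPrm", 0) & bit:
        return "permitted"   # inactive now, but the process can raise it itself
    return None              # also covers a truncated or unreadable status file

def audit(status_by_pid):
    """Map pid -> rights for every process that could load a patch module."""
    found = {}
    for pid, text in status_by_pid.items():
        rights = module_load_rights(text)
        if rights:
            found[pid] = rights
    return found

def livepatch_tainted(tainted_value):
    """Decode the decimal bitmask read from /proc/sys/kernel/tainted."""
    return bool(int(tainted_value) & (1 << TAINT_LIVEPATCH))

if __name__ == "__main__":
    # On a live host, pass open(f"/proc/{pid}/status").read() and
    # open("/proc/sys/kernel/tainted").read() instead of the samples.
    for pid, rights in audit(SAMPLE_STATUS).items():
        print(pid, rights)
    print("hot patch loaded:", livepatch_tainted("36864"))
```
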

Linux Collaboration Summit

Posted Mar 5, 2014 9:54 UTC (Wed) by Lennie (guest, #49641) [Link]

Linda Wang said the RedHat developers will be at the Linux Collaboration Summit:

https://www.youtube.com/watch?v=xJmD3TfJEO4

I hope the Suse developers will be there too.

Red Hat's dynamic kernel patching project

Posted Mar 20, 2014 18:48 UTC (Thu) by dev (guest, #34359) [Link]

Our partner, CloudLinux, has recently released a similar service in production - KernelCare, http://kernelcare.com. Seems to be a hot topic!


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds