Live Linux Kernel Patching To Extend Server Uptime
In my day job I have received repeated questions from customers wanting to understand more about the possibility of using Linux live kernel patching to extend server uptime. There has been recent interest in Linux live patching, and two projects are (sort of) competing to provide this functionality: one headed by Red Hat, called kpatch, and one by SUSE, called kGraft.
So far the techniques used by the two tools differ slightly. One would at least hope both projects will cooperate and cherry-pick pieces of the innovation created by both parties. For my first test, I decided to demo kpatch. I designed a slightly interesting use case where I exploit a vulnerability in the default Fedora 20 kernel and get the kernel to “oops”, which would normally require a reboot. Afterwards, I grab a source patch, build it into a live kernel patch module and instruct the running kernel to load it. And lo and behold, the vulnerability has been plugged! Look ma, no reboot required.
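The three steps above (build the source patch into a module, load it into the running kernel, confirm it is active), as an added shell example that is not from the original post or from the kpatch project. It assumes `kpatch-build` and `kpatch` are installed and that the fix is in a file named `fix.patch`; the module-name prefixes it looks for in `/proc/modules` (`kpatch_` for older kpatch builds, `livepatch_` for newer ones) are an assumption about kpatch's naming, and the `/proc/modules` sample is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: the kpatch workflow plus an
# inventory check for live patches already loaded on a host.
# Assumptions: kpatch-build and kpatch are on PATH; the fix lives in fix.patch.
set -eu

# Step 1: turn a source patch into a live-patch kernel module.
# kpatch-build needs the running kernel's source and debuginfo and takes a while;
# it prints the path of the .ko it produced.
build_patch() {
    patch_file="$1"
    kpatch-build "$patch_file"
}

# Step 2: load the module into the running kernel (no reboot).
load_patch() {
    module_file="$1"
    sudo kpatch load "$module_file"
}

# Step 3 / ongoing check: which live-patch modules are loaded?
# Reads /proc/modules-format text on stdin so it can also be run against a
# saved copy from another host. Live-patch modules are assumed to be named
# kpatch_<name> (older kpatch) or livepatch_<name> (newer kpatch, upstream
# livepatch); the kpatch core module itself is just "kpatch" and is excluded.
loaded_live_patches() {
    awk '$1 ~ /^(kpatch|livepatch)_/ { print $1 }'
}

# Constructed /proc/modules sample for offline demonstration.
SAMPLE_MODULES='livepatch_fix_placeholder 16384 1 - Live 0x0000000000000000
kpatch_older_fix 12288 1 - Live 0x0000000000000000
ext4 737280 2 - Live 0x0000000000000000
kpatch 20480 1 kpatch_older_fix, Live 0x0000000000000000'

# Usage on a real host (commented out so the script runs stand-alone):
#   build_patch fix.patch            # prints the .ko path it produced
#   load_patch ./<module kpatch-build printed>.ko
#   loaded_live_patches < /proc/modules
main() {
    printf '%s\n' "$SAMPLE_MODULES" | loaded_live_patches
}
```

Run against the real `/proc/modules`, the check is a quick way to confirm after a maintenance window that the patch module is actually present on every host, and to spot a host that was rebooted and silently lost a patch that was never installed persistently.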
Live kernel patching is always interesting, so I thought The New Stack readers certainly deserve this treat. Have any questions? Shoot me a comment below, or tweet @ak_kim0.
Ahmed Kamal (@ak_kim0) is the cloud infrastructure director at Cloud Niners (www.cloud9ers.com). Cloud Niners specializes in large-scale Linux operations, private and public cloud deployments, and DevOps-style automation and consulting work.