Domain: ksplice.com
Stories and comments across the archive that link to ksplice.com.
Comments · 54
-
KSplice has been available, but only for $$$
KSplice is only available to Oracle Linux customers with Oracle Linux Premier Support, which is $1.3k/year+ http://www.ksplice.com/
-
Re:Why?
That's been taken care of by modern file systems.
Also, do you apply security patches to your kernel on-the-fly somehow, or how come you don't have to reboot?
What is this bait? I mean, really? Every damn time someone mentions uptime? Fine. I'll bite.
Does ksplice ensure that libraries already loaded by running processes get updated too, so you don't have vulnerable code active in memory? And the need to update drivers that require reboot?
-
Re:Uptime fetish
Impressive if you can do that on the kernel and still be confident of stability.
You can actually do that with Oracle Ksplice for Linux.
-
Re:Can't decide if it's embarrassing or impressive
You can even swap kernels without a reboot.
-
Re:The List
You are confusing surprise restarts and updates.
You can *always* push off a restart in Ubuntu and other Linux distros. This is by design. The system doesn't suddenly say "herp, restarting now! HAHAHAH" like Windows can. Especially when Windows has this nasty habit of stealing focus, you hit return while thinking you're in some other window and *bam* restart.
In sane systems, you can do the update and then do the restart when you get around to it. And in sane systems, only kernel updates truly require a restart of the whole computer.
And in sane systems, there are ways of doing a "restart" without doing a restart even with a kernel update.
http://www.ksplice.com/uptrack/download-ubuntu
There is no excuse for a *surprise* restart.
--
BMO -
Re:Still have the rebooting disease, though...
Who needs to reboot for kernel changes these days?
http://www.ksplice.com/
^_^ lol -
Re:Does this matter anyway?
You don't even need to reboot to patch your kernel if you use ksplice.
-
Linux doesn't HAVE to reboot on kernel.
http://www.ksplice.com/
http://tech.slashdot.org/story/08/04/24/1334234/Patch-the-Linux-Kernel-Without-Reboots - Apr 2008
When you install Windows 7 or a new Linux kernel, do you have to restart? Why? OS X Lion doesn't require that.
We haven't "had" to reboot linux for more than 3 years now, where have you been?
But I think what you say about Lion is incorrect. "Mac OS X Lion's new Resume feature lets users get back to where they left off after a shutdown or restart" - CNet
That is significant, but it's not the same as not having to reboot. If you didn't reboot, then it's just sleep/hibernate, and Windows has done that for many years. So, where are you getting that info that it never has to reboot, even with a new kernel? If you've run Snow Leopard, you will be familiar with restarting after updates, desktop AND server (I run both, btw, and I have a server asking for a reboot right now, and it's not even a kernel update). Linux usually never needs a restart unless you specifically update the kernel. But even then, you don't have to. It will continue to run on the previous kernel until you decide to restart. With other tools like KSplice, we don't have to ever reboot. But, I highly doubt you can do all updates, including kernel, without restarting Lion.
The same goes for iPhone/iPad. If it updates the kernel, you're going to have to reboot the device. But, maybe they are changing this, just wanna know where you read it?
-
Re:Wrong Question
This is tired old FUD that you Microsoft shills trot out all the time.
Can you name one technology that Microsoft innovated? And by the way, it doesn't count if they bought it from someone else.
Ok, now to your original question:
1. Alchemy
2. Bespin
3. Bitcoin
4. eyeOS
5. KDE Social Desktop
6. Ksplice
7. Unity
8. HTTP, the Web, TCP/IP, and ARPAnet
9. X Windows
10. Perl
11. Slashdot
12. Google keeps playing with open source, but can't make up their minds. Here are some
13. Microsoft plays with open source, here are some. This must just eat you up. Too bad, Open Source is everywhere.
14. Here are some more innovative open source projects.
Now, I expect you to provide at least 5 innovative projects Microsoft created within the last 10 years. (Sorry, you can't count Windows or Office, since those ideas are much older, and are no longer considered innovative.)
Failing that, at least read what I wrote. -
Re:Does the patch actually work?
http://blog.ksplice.com/2011/04/smb-1985-0001-advisory/ Which can be viewed here. You know, the first link in the article.
-
Re:Eh?
It's not magic, it's called ksplice.
-
Re:Which system is there without kernel updates?
I'd really like to know; I'd love to run such a system myself. All the systems that I run need kernel updates a few times a year, and thus need to be rebooted.
-
Re:Uptime
If you don't reboot, that means you didn't patch the kernel (seriously, how many of you use ksplice?). If you didn't patch the kernel, you have security vulnerabilities. If you have security vulnerabilities, you can be pwned.
Isn't it scary that I can know your uptime remotely and then know exactly which exploit to use against you? Go ahead, brag about your uptime all you want, but it is not a good thing.
-
You can perform kernel updates without reboot
I don't suspect the author was aware of Ksplice. You can actually perform kernel upgrades without a reboot.
-
Re:Responsible disclosure
The kernel can be patched while running, but Ubuntu doesn't support it as far as I'm aware.
-
BIOS boot process is also vulnerable...
I recall this article that hypothetically starts by using the BIOS extension ROM function to hook into GRUB and modify it, then the modified GRUB loads and patches the kernel to host a rootkit, then runs that.
So instead of a smart peripheral with onboard processor and firmware, the dumb ones are affected as well (which only requires the BIOS extension ROM interface).
Even though BIOS is on its way out (we can't MBR-boot >2TiB drives anymore, so we have to use GPT) and EFI is on its way in, we're still stuck because EFI has similar features. Apple's video cards for Mac Pros have both BIOS extension ROMs and EFI ROMs.
-
Re:poorly described
Did you forget "static void put_your_hands_up_hooker(int argc, char *argv[])"??? That's actually IN the "diagnose" code. Well, if you check both the exploit and the diagnose, they are quite the same and obviously the diagnose code inherited most of the code from it.
Now, the question is: do you trust ksplice or even (as cited below) the naive http download? -
Re:poorly described
Run the tool in TFA:
./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)
$$$ Kernel release: 2.6.32-24-generic
!!! Not a RHEL kernel, will skip LSM method
$$$ Backdoor in LSM (1/3): not available.
$$$ Backdoor in timer_list_fops (2/3): checking...not present.
$$$ Backdoor in IDT (3/3): checking...not present.
If you're suspicious of the binary, download the source, examine it to satisfy yourself that it's not malicious, and compile it. It's not hard to figure out if you're affected - even a dummy like me can do it! -
The diagnostic program doesn't run
Does anybody know what this means? The system is already patched. I just wanted to know if someone left a backdoor before I could apply the patch and reboot.
$ ./diagnose-security-issue-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)
$$$ Kernel release: 2.6.35.4
!!! Error in setting cred shellcodes -
One word.
-
Re:Wow
Oh wait, it's been running on my Debian box for months... For $3.95/mo.
-
Re:Kinda Free
From their FAQ:
Q. How long will Ksplice Uptrack for Ubuntu Desktop be freely supported?
A. Ksplice Uptrack for Ubuntu Desktop 10.04 Lucid is now available and will be freely supported for as long as Ubuntu Lucid is the newest version of Ubuntu. When the next version of Ubuntu Desktop (10.10 Meerkat) is released, we anticipate freely supporting that next version for as long as it is the newest version of Ubuntu.
-
Re:Now this is even more applicable
kexec restarts the entire software stack while leaving hardware running.
From what I can tell, ksplice does not require a software restart or hardware restart. This isn't explicitly stated, but it is implied by the usage instructions: http://www.ksplice.com/uptrack/using
-
Neat, forever TwitterShare!
Given that we can store almost 525 bytes of data in a single twit (I refuse to call them tweets), which is enough for a sector of data plus metadata, could it now mean we can store our data permanently at taxpayer's expense?
I call it TwitterShare as a play on RapidShare to send files easily... and now those files will be forever archived. Sounds like a good way to backup data to me! Other than letting everyone else in the world see your files...
-
Major caveat from another article
In the author's article about how to map the NULL pointer, there's this caveat:
Note that most modern systems actually specifically disallow mapping the NULL page, out of security concerns. To run the following example on a recent Linux machine at home, you'll need to run # echo 0 > /proc/sys/vm/mmap_min_addr as root, first.
So under normal circumstances, even with a NULL dereference in the running kernel, this method would not allow you to gain root privileges.
My question is, what legitimate reason might there be for a system to allow applications to map the NULL pointer? Is there a class or role of machines where this might be expected to work?
-
libc
While most programs do use libc others try to either avoid libc altogether (for example: http://blog.ksplice.com/2010/03/libc-free-world/ ) or use other "diet" versions of libc (for example: http://www.fefe.de/dietlibc/ )
What about those programs? Will they get to enjoy what the article talks about?
-
Re:BTDT
She found that gcc was including libc even when you don't ask for it.
This is basic knowledge that ANYONE using c should know - that the startup library is linked to so it can find main.
This is almost as lame as their previous slashvertisement/product_whoring - where they claimed to have gotten around the Mythical Man-Month and quadrupled output - and it turned out that neither claim was true.
And their lame excuse, which I derided in this comment:
Greg Price wrote:
"what I hoped to get across in this post is that that's not true--in the right circumstances, adding people to a software project can get a lot done, even in a short time"
As many people have pointed out, you did NOT add people to a software project. You created a dozen small, one-person projects. Your self-serving reply to all that is just one more mis-representation. Have you no shame?
I'm sure we're not the only ones to have used embedded assembler in c programs.
-
Re:Ksplice patent
True, a downloaded malicious program needs to be chmod +x, just like the installer for any other program that sits outside the package system. But what exactly were you talking about?
The comparison I was making was to downloaded .exe files in Windows, which by default are executable.
The only time you need to pay for a Windows OS upgrade is either A. for a new machine or B. for the equivalent to an upgrade from one Ubuntu LTS to the next LTS.
A regular release upgrade in Ubuntu is not equivalent to a Service Pack in Windows. Nor is an LTS release upgrade necessarily equivalent to a regular release upgrade in Windows. But either way, Ubuntu releases will continue to be free, whereas you'll eventually run out of SP upgrades on your version of Windows.
Ksplice costs 48 USD per year [ksplice.com] unless you're on Ubuntu, and it isn't available for SuSE or Fedora at all.
KSplice Uptrack is a service that costs money. KSplice itself is open source, and available for free.
-
Ksplice patent
Also true, with the caveat that on GNU/Linux, a downloaded virus doesn't automatically have the ability to be run.
True, a downloaded malicious program needs to be chmod +x, just like the installer for any other program that sits outside the package system. But what exactly were you talking about?
Number of upgrades is meaningless, cost of upgrades, in both time and money, is meaningful.
Windows service packs are free of charge to all licensees of genuine Windows OS. The only time you need to pay for a Windows OS upgrade is either A. for a new machine or B. for the equivalent to an upgrade from one Ubuntu LTS to the next LTS.
rebooting for a kernel update isn't strictly necessary in Linux if you use KSplice.
Ksplice costs 48 USD per year unless you're on Ubuntu, and it isn't available for SuSE or Fedora at all. And guess what company employs the inventors who applied for a patent on the method used by Ksplice.
-
No Indians on their team.
It's no wonder they succeeded. There were no offshore Indian developers on their team to fuck things up!
Team photo: http://blog.ksplice.com/wp-content/uploads/2010/03/ksplice-iap-21.jpg
-
Re:Licensed per Core
That's a cool idea... until the motivation for efficient computing dwindles because the more "user time" the software burns, the more the vendor will charge.
In the case of VMWare, perhaps they could charge you based on the number of startup instances per time period. (But then every time you reboot a VM for maintenance, you get charged, so the incentive for security is diminished. Though one could try ksplice.)
-
Linux
Better yet, it should be like Linux -- you only have to reboot if there's an update to the kernel.
Nowadays, it's technically possible to update the Linux kernel while it runs using Ksplice. Actually, I find that the biggest update annoyance on Linux is Firefox. A new version of Firefox comes out about once a week, and upgrading requires Firefox to be restarted. Not only do I lose session state in my windows and tabs, the whole browser becomes unstable if Firefox is already running when the upgrade occurs.
-
Re:Yes, they are.
Especially since their utilities are already open source: http://www.ksplice.com/git/ksplice.git/ But ya, you're essentially paying for their subscription service. It would make a nice addition to RHEL subscriptions, I wouldn't be surprised if Red Hat acquired them.
-
Re:What is the use of such service?
Does Ksplice Uptrack use cryptography?
Yes. All network traffic is encrypted, and all updates are cryptographically signed.
http://www.ksplice.com/uptrack/faq
Look harder next time.
-
Re:why?
Most distros now push kernel updates more often - and they require reboots.
You should check out and install ksplice, as you already have a system with apt.
Between the two, you can do seamless full upgrades to user-space AND the kernel in memory. Fully up to date system with no rebooting required (At least until you upgrade to the 2.8.0 kernel... Maybe not even then)
-
Re:Typical Bullshit
I've yet to see a good Linux/Unix distribution that offers centralized patch management in an easily administered manner to compare with WSUS.
Kernel issues still require a reboot.
apt is far far superior to any tool that claims to be package management for windows, including WSUS which btw is for Microsoft updates ONLY.
Yes you can install .MSI installers using group policy and a shared folder, but sadly not much software outside of Microsoft products (and even then occasionally) use that format. (Setup.exe needs to die, or gain full support for domain pushes)
Ksplice lets you upgrade the running linux kernel with no reboots needed as well. In fact if you install Ksplice in Ubuntu, it integrates the live kernel patching in with apt!
One of my colo servers has an 826 day uptime, yet is running the latest kernel and user-land as of Wednesday night.
Now, if you know of any tools for windows domains to do the same thing as apt and ksplice (and isn't a php+perl mess) to push out packages (preferably more than just .MSI), and to install MS patches without needing to reboot, I will _gladly_ eat my words and thank you profusely. (Please please have such tools to suggest!)
-
Re:microkernels, again...
It keeps a failure of the network stack from forcing a restart of the filesystems, and vice versa.
You have a valid point, but this can be alleviated by careful usage of user-space fs mounts. Other techniques exist that work around this, too. And in my limited experience, it's been a very long time since I lost control of a machine to the point of not being able to rmmod / insmod an offending driver. YMMV. Calling an overall 'failure' what amounts mostly to a 'good enough' approach is a gross overreaction in my book.
It also allows the upgrade of almost all of the drivers without calling for a complete hardware reboot.
[...]
System reboots are _bad_ in high-reliability or even in normal user environments.
I beg to differ. Most sysadmins I know do planned reboots as part of normal, scheduled maintenance, even on high-availability systems. What's a liability is unplanned, forced reboots. Then again, there's a kernel level tool to avoid most of these: Ksplice.
-
Re:"Many eyes", but all of them nearsighted?
Unless they use ksplice
-
Re:The REAL impact here
Within a few days, patches will be released to all the OSS vendors. Admins will be inconvenienced by a reboot.
Even that last bit is avoidable, if you have Ksplice installed
:D -
Never reboot?
Explain to me again why I would like my OS developers to work on speeding up reboot times rather than working on making an OS that does not require reboots?
You mean like this:
In theory combined with suspend/resume one would never need to reboot.
-
Re:load of wank
This is about patching the kernel: it usually doesn't need to change the kernel structures, but it changes the functions. So it puts the new function in kernel space and changes a pointer to the function. When doing this it temporarily slows down the kernel and calls the same function as is called when loading a module. That's what I think it does, but if you must know, read the PDF: http://www.ksplice.com/doc/ksplice.pdf
For all those that think this company is doomed because they released all their code as open source, let me tell you that they released the automated tooling, but the automated tooling could in the time they tested it (from the article last year) 'only' handle 84% of the time. All the other times, on average about 17 lines of code needed to be written.
I think it would be cool if the distribution makers actually paid this company to do these patches for the distribution kernels. Although I guess that means something like Debian may be left out? Then again, a little more than 80% isn't bad either.
;-) And I think I've read on lwn.net they have actually improved on that number in the past year, but I'm not sure. Anyway we also have kexec to shorten the reboot time. -
Re:load of wank
Actually, Ksplice provides live patches. The ones Uptrack distributes are all to the kernel, and obviously not restarting the system requires not restarting the kernel.
The Ksplice technology itself is free software, and can be ported to userspace (but that hasn't been implemented yet by the Ksplice people). But if your network service is an NFS server or something, or you're fixing a security bug in the kernel, then Ksplice can apply it to a running system without affecting existing sessions / connections.
-
Re:Difference between Linux and Windows
Well, let's look at the issues raised in the article.
Windows actually can replace a DLL that is in use by renaming the original then copying the new file into place. However, the Windows world prefers not to do this.
Ksplice updates the running code of your kernel (by waiting until no thread is using the function to be patched, then calling the kernel's stop_machine_run function -- the same thing it uses when loading a new module -- while it edits the object code); it doesn't touch your /vmlinuz file on disk. If you want the patches next time you reboot, either recompile /vmlinuz, or have an initscript (like Uptrack's) apply the patches at boot.
Even if you're updating just a single DLL with no dependencies, there are still potential problems since the DLL has to interoperate with previous versions of itself.
One reason Ksplice wins here is that it updates the kernel, which is a single thing, but more fundamentally it avoids this problem by atomically patching every piece of affected code at once. You could actually port the Ksplice technology to userspace, provided you do some userspace equivalent of stop_machine and patch every process at the same time.
Even if you haven't changed the structure itself, you may have changed the meaning of some fields in the structure. If the structure has an enumeration and the new version adds a new value to that enumeration, that's still an incompatibility between the old and new.
Again, Ksplice has the advantage of updating everything atomically. But there is explicit support for having a hook to be called at patch time, that either updates all existing structures, or does something fancy to mark structures that have been updated, so you know that any unmarked structure needs to be updated before being used.
The Ksplice paper (PDF) outlines how you'd go about writing a data structure transformer to address this (and also talks about how to solve a host of other problems). See also the CVE evaluation, which links to some examples.
So it's not that Windows has to restart after replacing a file that is in use. It's just that it would rather not deal with the complexity that results if it doesn't. Engineering is a set of trade-offs.
which is why this engineering problem is not something Linus Torvalds personally does, but a separate company, Ksplice Inc., is working on full-time.
:-) -
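The mechanism described in this comment and in the "load of wank" reply above (wait until no thread is inside the function, stop the machine, swap in the new code atomically, then run a patch-time hook that either transforms every existing structure or marks them so unmarked ones are converted before use), as an added C demonstration that is not Ksplice's code or any code from the page: the dispatch-pointer swap, the in_flight counter, the session struct and its version marker are all assumptions of this demo standing in for Ksplice's in-place object-code rewrite.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Two versions of a "kernel" check function reached through a dispatch
 * pointer. Ksplice rewrites object code in place; the pointer swap here
 * stands in for that (a demo assumption, not Ksplice's own code). */
typedef int (*check_fn)(int);
static int check_v1(int x) { return x > 0; }   /* old version: rejects 0 */
static int check_v2(int x) { return x >= 0; }  /* patched version: accepts 0 */
static _Atomic(check_fn) current_check = check_v1;
static atomic_int in_flight = 0;  /* threads currently inside the patched function */

/* Each call site counts itself in, so the patcher can tell whether the old
 * code is still on some thread's stack. */
static int call_check(int x) {
    atomic_fetch_add(&in_flight, 1);
    int r = atomic_load(&current_check)(x);
    atomic_fetch_sub(&in_flight, 1);
    return r;
}

/* stop_machine stand-in: with every other CPU halted, the check and the swap
 * are one atomic step; this demo is single-threaded, so a plain load will do.
 * Returns false when a thread is still inside the old code, as Ksplice does
 * before it retries. */
static bool try_live_patch(check_fn replacement) {
    if (atomic_load(&in_flight) != 0) return false;
    atomic_store(&current_check, replacement);
    return true;
}

/* Refusal path: a patch attempted while the old function is "busy". */
static bool patch_refused_while_busy(void) {
    atomic_fetch_add(&in_flight, 1);          /* simulate a thread mid-call */
    bool applied = try_live_patch(check_v2);
    atomic_fetch_sub(&in_flight, 1);
    return !applied;                          /* true: the patcher backed off */
}

/* A structure whose field meaning changes with the patch: v1 kept the timeout
 * in seconds, v2 keeps milliseconds and defines a flags word. `version` is the
 * marker the patch-time hook sets so nothing is converted twice. */
struct session {
    uint32_t version;   /* 1 = old layout, 2 = already transformed */
    uint32_t timeout;   /* seconds in v1, milliseconds in v2 */
    uint32_t flags;     /* meaningless in v1, defined in v2 */
};
/* Transformer: idempotent, so eager and lazy callers can both use it. */
static void transform_session(struct session *s) {
    if (s->version == 2) return;
    s->timeout *= 1000u;
    s->flags = 0;
    s->version = 2;
}
/* Eager strategy: the patch-time hook walks every live object at once. */
static void transform_all(struct session *list, size_t n) {
    for (size_t i = 0; i < n; i++) transform_session(&list[i]);
}
/* Lazy strategy: new code checks the marker before touching an object. */
static uint32_t session_timeout_ms(struct session *s) {
    if (s->version != 2) transform_session(s);
    return s->timeout;
}

/* Constructed walk-through; returns 1 when the patch and both transform
 * strategies behaved, 0 on a wrong value, -1 if the patch was refused. */
static int apply_patch_demo(void) {
    struct session live[2] = { {1, 30, 0xdead}, {1, 5, 0xbeef} };  /* constructed */
    if (!try_live_patch(check_v2)) return -1;
    transform_all(live, 1);                 /* eager: hook fixes up live[0] now */
    /* live[1] waits until new code reads it; a second read must not re-scale. */
    uint32_t lazy1 = session_timeout_ms(&live[1]);
    uint32_t lazy2 = session_timeout_ms(&live[1]);
    return (live[0].timeout == 30000u && lazy1 == 5000u && lazy2 == 5000u
            && live[1].version == 2 && call_check(0) == 1) ? 1 : 0;
}

int main(void) {
    printf("patch refused while busy: %d\n", patch_refused_while_busy());
    printf("patch applied, objects transformed: %d\n", apply_patch_demo());
    return 0;
}
```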
Re:Windows has been doing this for 6 years
Note: Not all security updates support HotPatching, and some security updates that support HotPatching might require that you restart the server after you install the security updates.
Yeah. Rebootless updates. Uh-huh.