Slashdot Mirror

← Back to Stories (view on slashdot.org)

Live Patching Now Available For Linux

Posted by timothy on from the not-big-and-fancy dept.

New submitter cyranix writes "You may never have to reboot your Linux machine ever again, even for kernel patching," and excerpts from the long (and nicely human-readable) description of newly merged kernel code that does what Ksplice has for quite a while (namely, offer live updating for Linux systems, no downtime required), but without Oracle's control. It provides a basic infrastructure for function "live patching" (i.e. code redirection), including API for kernel modules containing the actual patches, and API/ABI for userspace to be able to operate on the patches (look up what patches are applied, enable/disable them, etc). It's relatively simple and minimalistic, as it's making use of existing kernel infrastructure (namely ftrace) as much as possible. It's also self-contained, in a sense that it doesn't hook itself in any other kernel subsystem (it doesn't even touch any other code). It's now implemented for x86 only as a reference architecture, but support for powerpc, s390 and arm is already in the works (adding arch-specific support basically boils down to teaching ftrace about regs-saving).

4 of 117 comments (clear)

  1. Discussed in the Kernel Report by rgbe · · Score: 5, Informative

    This, among other things was discussed in the Kernel Report, at the recent Linux Conf in Auckland, New Zealand:
      https://www.youtube.com/watch?...

    1. Re:Discussed in the Kernel Report by buchner.johannes · · Score: 4, Informative

      at 39:39

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  2. Re:No more downtime by fulldecent · · Score: 2, Informative

    Holy shitsnacks. There are more Archer seasons? I need to step up my piracy.

    We are talking about Archer, right?

    --

    -- I was raised on the command line, bitch

  3. Re:No more downtime by gavron · · Score: 5, Informative

    Ok, so here's the simple answer. Note: I'm generalizing a lot to make this simple.

    All functions have a known entry point which you can think of a name that you can call like
    print("hello world"); -- calls "print" so it knows where "print" is.

    Somewhere in the memory was loaded the function print(). There's also a symbol which allows everyone who wants to call print() to know where it is.

    The livepatch loads a new function into memory. Let's call it print2(). It then goes over and makes the symbol that used to let everyone know where print() is point to print2(). Anyone that comes after this patch will still think they are calling print() but in fact will be calling print().

    The stop_machine() is part of how ksplice (the proprietary-vendor method does it). That is not part of kernel live patch (klp).

    What klp does is ensure that a process is in a "good point" to be messed with, and then changes its pointer to e.g. print().

    That allows no changes to affect the process until that pointer to print() is changed at which point any subsequent call to print() will run print() instead.

    Ehud
    P.S. I have some code from the early 1990s where we used to do this on VMS/OpenVMS. We literally patched the running kernel (much as is done here) and allowed a system to run for years with newer kernel code.