Linux 4.0 Getting No-Reboot Patching

An anonymous reader writes: ZDNet reports that the latest changes to the Linux kernel include the ability to apply patches without requiring a reboot. From the article: "Red Hat and SUSE both started working on their own purely open-source means of giving Linux the ability to keep running even while critical patches were being installed. Red Hat's program was named kpatch, while SUSE' is named kGraft. ... At the Linux Plumbers Conference in October 2014, the two groups got together and started work on a way to patch Linux without rebooting that combines the best of both programs. Essentially, what they ended up doing was putting both kpatch and kGraft in the 4.0 Linux kernel." Note: "Simply having the code in there is just the start. Your Linux distribution will have to support it with patches that can make use of it."

Starting to feel old

[Gumbercules!!]

I'm starting to feel old. I'm still on 2.6.x on my boxes.

Re:Starting to feel old

[TFlan91]

Just curious, why?

Re:Starting to feel old

[Flavianoep]

No worries! Since Torvalds decided to number the successor of kernel 2.4.x as 2.6.x, in spite of major changes, the kernel numbering system stopped being just technical.

Re:Starting to feel old

[Gumbercules!!]

Coz all my servers are production or purpose defined, and based on CentOS or VyOS. They all work. They all do their jobs - so I haven't had a compelling reason to upgrade. I did put one server briefly on CentOS 7.0 (Kernel 3.10 or something) and the client couldn't figure out how to use it, so I rolled it back.

Re:Starting to feel old

[NatasRevol]

Only people without servers in production/critical environments ask 'why haven't you upgraded already?'

Re: Starting to feel old

[TheGavster]

He's on CentOS; they have this absurd scheme for kernels where they freeze the reported version and apply "selected patches" for 5+ years, so you never know what bugs are fixed.

Re:Starting to feel old

[gweihir]

Senile and demented people typically think the problem is with others...

Re:Starting to feel old

[theburp]

At my place of work we're still running the 2.6.35 kernel. Reason: It's the latest kernel supported by our hardware (Freescale i.MX53).

Re:Starting to feel old

[haruchai]

And that's how my team ended up supporting 10 - 25 yr old fossilized gear running all kinds of old, insecure shit that almost noone can remember what's the login or sometimes what's it for.

Re:Starting to feel old

No, your workplaces complete lack of enforcing a documentation policy is why you have that mess. You're job isn't to run shiny new OS installs, your job is to keep everything running smoothly. Good documentation is a part of that.

Re:Starting to feel old

No, that's due to your lack of documentation about their function and owner.

Re:Starting to feel old

[NatasRevol]

There's a huge difference between 'why haven't you upgraded?' and 'why haven't you upgraded already?'.

Re:Starting to feel old

[dwywit]

And that's why my hourly rate goes up, up, and away when the client can't supply documentation. It doesn't decrease the frustration, but helps to make it bearable.

Re:Starting to feel old

[haruchai]

Perhaps.
But depending on the system or product, that difference may not be large.
One vendor allowed us to run fully supported on a particular product version for 5+ yrs but now requires us to upgrade again, after only 2 years, by the end of 2015.

Upgrading this system affects about 5000 users & 35 external partners and required almost 4 months of preparation & co-ordination.

Re:Starting to feel old

[Carnildo]

$ uname -a
Linux snail 2.4.37.11 #2 Tue Dec 28 14:55:32 PST 2010 i586 Pentium MMX GenuineIntel GNU/Linux

Re:Starting to feel old

And that's how my team ended up supporting 10 - 25 yr old fossilized gear running all kinds of old, insecure shit that almost noone can remember what's the login or sometimes what's it for.

Guess you don't have to worry about PCI compliance. Your also vulnerable to the first script kiddie to hit your net.
Jesus upgrade your shit or don't claim to be a Sysadmin.

Re:Starting to feel old

If you're a sysadmin who can upgrade systems at your whim, you must work for very simple outfits.
The likely reason why these old systems are still in place is probably due to complexity, cost & internal politics.

Finally...

[reverieee]

I remember being surprised when I found out Ksplice costs money.

Re:Finally...

[Zan+Lynx]

The kernel parts have always been free under GPL2.

The part of this that is worth money is creating patches to apply with this system. Patches that won't crash the machine or corrupt data.

Re:Finally...

[Bacon+Bits]

Oracle bought it. Still surprised?

Not only that, but Oracle bought it on July 21, 2011. The current version of Ksplice? Released on July 28, 2011. The major feature of the current release? The changelog says the only change was "Removed unnecessary zlib detection from configure." But now only Oracle Linux is supported.

It's still available through source code, which you can find with a bit of digging (you can't navigate to it from the top level page, as far as I can tell... Ksplice isn't listed as a project). I think the amount of investment and effort put in that site makes it clear what Oracle's stance is.

At least Microsoft extends before they extinguish....

Now it sounds like 4.x

[Flavianoep]

Finally, they gave us a thing for the change from 3.x to 4.x make sense.

Re:Systemd in 4.0-era, for or against?

Against being for for or against. Why can't we just all get along?

Again?

Wasn't this posted a week or two ago?

Re:Again?

[OzPeter]

Wasn't this posted a week or two ago?

Yep, it was discussed in Linux Kernel Switching To Linux v4.0, Coming With Many New Addons

Re:Systemd in 4.0-era, for or against?

[Ol+Olsoc]

Isn't there a Women in STEM or global warming thread for you to infest?

Re:Systemd in 4.0-era, for or against?

[sumdumass]

Wow, not only is the story a dupe, so is the lame attenpt to hijack it and.make it about/ whine about systemd.

Now all we need is for aa bunch of dupes pointing this out and we can just take off for a mini vacation before we all fork the kernel and role our own and try to hijack every other linux story.

I do not know what to think about systemd other than it seens to work but i do know i'm about sick with the people trying to inject it inti any linux related story. Perhaps someone should just move to BSD or something.

Chicken, meet egg

[Marginal+Coward]

"Simply having the code in there is just the start. Your Linux distribution will have to support it with patches that can make use of it."

Darn. It looks like I'm gonna have to patch and reboot so I won't have to reboot after I patch.

Re:Chicken, meet egg

[wonkey_monkey]

Yo dawg, I heard you

Ah, screw it.

Re:Chicken, meet egg

[Ol+Olsoc]

Yo Dawg! We heard you liked to patch. So we got you a patch to patch your patches while you're patching.

Re:Chicken, meet egg

"Simply having the code in there is just the start. Your Linux distribution will have to support it with patches that can make use of it."

Darn. It looks like I'm gonna have to patch and reboot so I won't have to reboot after I patch.

FTFS: Essentially, what they ended up doing was putting both kpatch and kGraft in the 4.0 Linux kernel.

In other words the RedHat and OpenSuse teams decided no compromise is the best compromise. GNU/Linux used to stand on principles, now it is all about corporate control and marketing.

Re:Chicken, meet egg

Yo Dawg! We heard you liked to patch. So we got you a patch to patch your patches while you're patching.

And gamification will be forthcoming so you can earn badges and stickers if you successfully complete each rebootless patch patch patch. Damn hipsters!

Mr. Torvalds please return Linux to its principled roots and forbid corporate control.

Re:Chicken, meet egg

[Marginal+Coward]

Patches? We ain't got no patches. We don't need no patches. I don't have to show you any stinking patches.

Re:Chicken, meet egg

[Ol+Olsoc]

And gamification will be forthcoming so you can earn badges and stickers if you successfully complete each rebootless patch patch patch. Damn hipsters!

Mr. Torvalds please return Linux to its principled roots and forbid corporate control.

I like the pretty gold round ones! Yay- me for stickers!

Re:Chicken, meet egg

[Ol+Olsoc]

Patches? We ain't got no patches. We don't need no patches. I don't have to show you any stinking patches.

"He said, "Patches

I'm dependin' on you, son

I tried to do my best

It's up to you to do the rest"......"

We'll see how many get that reference....

Re:Chicken, meet egg

Okay, so how exactly is kernel patching a matter of principles? Are we bad people for picking one tech or the other? Every time you use it, one of RMS's puppies dies?

This isn't about control, it's about ability. The people who can create new kernel/OS features do, to scratch their own itches. Linux's defining characteristic is not adherence to whatever set of principles you imagine, it's that developers can do with it whatever they want. Big corporations are far more able to produce code than anyone else: them that has, gets. You don't have to use their code. If you feel there are some important principles that aren't being adhered to, then the onus is on you to either involve yourself in the decision making or to fork the code and develop your own version. No one but you is going to represent your interests, for anything, ever.

Quit complaining and start coding. Actions speak louder than entitlement.

Re:Chicken, meet egg

[jellomizer]

Without reboots, how am I to know if I setup my rc.d scripts correctly? Or kill that background app a user ran nohup myscript.sh &
I mean without having to reboot the system, I am expected to do real systems administration work, not just a blanket refresh everything, once in a while. Patches gave me a good excuse to do such.

Re:Chicken, meet egg

[cthulhu11]

It's like Sun's Live Upgrade -- apply patches / updates to a copy of the running environment, then reboot into it. Nice enough idea. Ironically there was always a long list of patches that needed to be applied traditionally, often entailing a reboot, before LU could be run.

Re:Chicken, meet egg

No, rather than just putting one or the other in, they came up with a framework that allows for 9 different methods (https://lkml.org/lkml/2014/11/7/354) of live patching the kernel and software can use any of those nine. The most interesting part of the discussions between them is that that there is actually been new talk about both adopting a third method: https://lkml.org/lkml/2015/2/9/534 In any case, they are now working together and getting rid of a lot of duplicate effort and adding stability now.

scientific computing

[e**(i+pi)-1]

will be important for scientific computing. One of the weak points of OSX is the necessity to reboot even for minor stuff (but its also getting better there. Most upgrades in linux already do not require any reboot which is nice when having jobs running for weeks.

Re:scientific computing

That's one place where very long uptimes make sense, but, if you can get some free slave labor from a CS masters student to get the code to be in survivable chunks so that a reboot doesn't lose 2 weeks of processing. If you're not at a university, well, forget it; no chance on getting a little funding for a good programmer to save hundreds of thousands in researcher and computer time.

Re:scientific computing

[chuckymonkey]

If you have weeks long running jobs on your desktop you're doing it wrong. There's a reason servers exist in datacenters. I work in scientific computing and people running jobs on their desktop is a huge problem, they spend ridiculous amounts of money for something like a Mac Prol to run this stuff on when they should be buying actual servers instead. Then complain when their desktop is running like shit or their job fails because the building took an intermittent power hit. You can even put GPU compute in servers and have a lot less concern for your systems going down.

Re:scientific computing

[bill_mcgonigle]

scientific computing. One of the weak points of OSX

I would have guessed that the high price per unit work for their proprietary hardware would be the limiting factor. Can't you hire for "free" a dedicated linux admin for the cost difference between clusters?

Or is there a specific advantage OSX is bringing to the table? XGrid is long dead, right?

Re:scientific computing

[MachineShedFred]

On OS X the reboot is for user convenience. If you use the command line software update tools, you can install them as you wish, and not reboot. Then you can restart services with launchctl or reload patched kexts and save yourself a reboot. Does this take a lot of extra time and testing? Sure - thus the reboot.

Re:scientific computing

1) OSX updates are purely optional, and yes kernel updates (bundled in the 'OS X x.x.x' updates) do require a reboot. If you're doing work, don't update until the job finishes

2) Why are you running week long jobs on desktop systems. You or your sysadmin team are doing it completely wrong.

Re:scientific computing

[serviscope_minor]

If you have weeks long running jobs on your desktop you're doing it wrong.

I disagree, speaking as someone who has in fact had a weeks long job running on my desktop before. I mean if you have a fast PC (desktop processors are often faster per core, at the expense of fewer cores) and it's a single threaded job (sadly, not all workloads are parallelisable) then it makes sense to run it locally.

If power outages happen once per year (I think that's pessimistic), and the job lasts a month then that's an average of 5 of compute days wasted per year due to power outages. And that's assuming the job doesn't checkpoint itself to allow for continuation (mine did).

That was an excessive case. Even so, a few-day job or an overnighter or so on is completely fine, but you'd still find reboots annoying.

Then complain when their desktop is running like shit

I've never had a problem with that on Linux. Even if you load up the CPU with one full job per core, the system stays very responsive. Hell even with one job per hyper-thread on Intel, which is overloaded by a factor of nearly 2 and it's pretty responsive, especially if you renice the jobs.

You have to go waayyy over the capacity of the machine to make it run like crap.

You can even put GPU compute in servers and have a lot less concern for your systems going down.

True, but there are fewer options for those and they're often much more expensive and less good in servers compared to desktops, depending on the workload.

Re:scientific computing

[bored]

I disagree, speaking as someone who has in fact had a weeks long job running on my desktop before. I mean if you have a fast PC (desktop processors are often faster per core, at the expense of fewer cores)

Well you have to differentiate whether your talking about an intel desktop machine or a "workstation" class machine. The difference at this point is the "workstation" is using xeon class processors, and has ECC. The problem is that the "workstation" has exactly the same processors as the rack mount machine running in the server room with a much better power and cooling environment.

That said, it is possible to get something like the Xeon E5-2637 v3 which is a quad core, 3.5 Ghz (+turbo) CPU. Sure its not the the 4+Ghz you can get on a "desktop" CPU but it does have a LGA 2011v3 which will give you significantly more memory bandwidth and ECC.

Frankly, while I think running anything besides a desktop workload on a "desktop" is silly because those kinds of workloads tend to be better handed with servers. It does seem that intel has lost its way a little when it comes to extreme single threaded performance. Particularly in the server space. Why they don't offer a 200+ watt pig clocked a few percent higher seems strange. Pretty much everyone else does it (POWER8, z13 (@ 5.2 Ghz), AMD, etc).

Re:scientific computing

I've used "softwareupdate -ai" remotely before without adding a reboot inline. Mistake. It stopped sshd and ARD. Had no way to connect to the machine until I got to work the next day. Now every Mac update gets a reboot.

Re:scientific computing

Any job that runs for weeks should be designed to record state, pause and resume.

Re:scientific computing

In some environments, they still use desktop workstations where all the major heavy-hitting that doesn't go to the supercomputer winds up on the people's desks. Especially true in some settings where departmental politics can come into play [1].

[1]: Departmental politics in a university can get extremely vicious, especially fights over the few grants that remain, and where one prof will go and steal or change another professor's results in order to take their work or try to discredit them.

Re:scientific computing

[danbob999]

If you have weeks long running jobs on your desktop you're doing it wrong. There's a reason servers exist in datacenters. I work in scientific computing and people running jobs on their desktop is a huge problem, they spend ridiculous amounts of money for something like a Mac Prol to run this stuff on when they should be buying actual servers instead.

I agree the Mac Pro is a bad choice (overpriced), but most servers are more expensive than a fast desktop with similar performance. Given that you need a desktop PC anyway, it often make sense to invest an extra $500 or even $1000 in it to save the costs of a server.

Re:scientific computing

[Penguinisto]

If you have weeks long running jobs on your desktop you're doing it wrong.

Some of us cannot afford our very own personal render farm, or justify the cost of renting time on one, merely to satisfy our little hobbies. ;)

Personally though, it's not just work that keeps us from rebooting. On my part, it's usually a month or two between reboots on my MBP laptop, and even then patching is usually the only reason... why bother waiting for a full boot process to finish when I don't have to? Close the lid and let it go to sleep... it's only a few seconds waiting for it to wake up when I want to use it again.

Re:scientific computing

[Penguinisto]

scientific computing. One of the weak points of OSX

I would have guessed that the high price per unit work for their proprietary hardware would be the limiting factor.

Not really - you can still buy old XServe boxes for a relatively reasonable price, pack them with RAM, and load ESXi on each one so that you can run a buttload of little OSX VMs on each one. Yes, it's perfectly legit to do exactly that under the Apple EULA (I did it for a former employer who wanted rack-mounted OSX instances for testing - it was its own little cluster in a vSphere farm, and it was far easier to clone off replacements or new VMs.)

Re:scientific computing

[nine-times]

Yeah, it's also like, "In order for the update to full take effect and work correctly, we need to restart a bunch of services and applications. You should save all your work, since various things might close or stop working for a little bit." You can explain that to users, have them not pay attention, and then get pissed off because the update closed their document that they didn't save. Or you can just tell them that you're going to reboot.

Users understand rebooting better.

Re:scientific computing

ECC is hit and miss. Google has some research from 2009 showing "up to" 1 bit error per year, but that was pathological. The same systems seemed to be the only ones to have any errors, and those were only 1/3 of the machines.

You could say that on average, you have a 33% chance of getting 1 bit error per year and a 66% chance to never see a bit error ever.

Re:scientific computing

Google rowhammer.

Re:scientific computing

[Chalnoth]

If you have a weeks-running job and it isn't fault-tolerant, you're doing it wrong, period. As long as it's fault-tolerant, it isn't a big deal where it's run.

That said, if you have a job that takes days to run on a single computer, it'd be a good idea to either invest in a compute cluster or get some time on one.

Re:scientific computing

[dissy]

If you have weeks long running jobs on your desktop you're doing it wrong. There's a reason servers exist in datacenters.
*SNIP*
when they should be buying actual servers instead.
*SNIP*
You can even put GPU compute in servers and have a lot less concern for your systems going down.

Well since you offered, could you make your paypal payment to me about $6000 USD for a mid-range server?
Or since you're being so generous offering to pay for servers for us, how about a nice even $10000 and I'll get one of those newfangled blade systems!

Re:scientific computing

Or get a desktop because the idiots who do the overall IT don't know what they are doing.

Done that before. Suddenly those week long jobs (because the University Computing department was a relic from probably the 1970s) turned into 12 hour jobs. Note these were supposed to be the fastest things available according to them.

Re: scientific computing

And if you want to visualize intermed8ate results, and steer the computation?

What could possibly go wrong?

[gb7djk]

Is it just me that is rather uncomfortable about the ability to do seamless, run time, patching on (any) operating system? Isn't there a rather large elephant of a precedent out there somewhere for the sorts of things that this facility this feature could be misused for?

Re:What could possibly go wrong?

If you have malicious intent you can already do it on all three major OSes: Loadable kernel module. In linux you can disable that though.

Re:What could possibly go wrong?

[MachineShedFred]

It's been used for decades everywhere except the PC and it's server variants. It's no more a risk than current patching that requires a reboot, except that you don't have the downtime of a reboot.

A bad patch is a bad patch. Have backups, have redundancy.

Re:What could possibly go wrong?

[gb7djk]

Yes, it's been around in server environments for years. Whilst one can see a case for adding this facility to linux servers in properly wrangled environments, my concern is on yer actual PCs, such as the one I am typing this on at the moment.

Re:What could possibly go wrong?

[swillden]

It's no more a risk than current patching that requires a reboot, except that you don't have the downtime of a reboot.

Sure, if your concern is error, rather than malice. An attacker who gains root could use this to dynamically patch a backdoor into the running kernel. Rebooting the machine would potentially enable someone to notice.

As another poster noted, though, you can already dynamically patch the kernel for malicious purposes by loading a malicious module, assuming that hasn't been disabled. In contexts where security is crucial, I would disable both dynamic module loading and run-time patching.

Re:What could possibly go wrong?

[ledow]

At all points you can modify the kernel, there's a potential for mischief, of course.

But what you're saying is that rebooting is somehow a magic cure-all that guarantees the system isn't infected somehow, or that there's a user (or SecureBoot) there to "notice" something amiss.

If SecureBoot can be fooled into loading an older kernel that can then be upgraded on-the-fly, it can be fooled into doing that at boot too.

How often do you check your machine boot-up process to ensure it's on the version that grub etc. says it's loading? Anyone could fake that and then replace on-the-fly once the OS was loaded.

Once you're into a system at that level, persistence of the underlying system is not a defence mechanism and can be subverted. Anyone could boot up the old, insecure kernel via SecureBoot, show you boot options that claim to load the latest kernel, then when running and the live-patching facility is up and running malicious code can run and claim it's the latest version number and you'd never know.

Live-patching is not a security mechanism, but neither is it a lack of one.

Re:What could possibly go wrong?

[swillden]

But what you're saying is that rebooting is somehow a magic cure-all that guarantees the system isn't infected somehow

Don't be condescending. I'm not saying rebooting is a magic anything.

Whether or not this matters depends on the threat model and why the attacker is interested in patching the kernel. For example, one purpose would be to disable other kernel security features, such as SELinux, or dm-verity. Most SELinux rules are configured and the configuration can be altered by root, but some are compiled into the kernel and can only be modified by modifying the kernel. Altering the persistent kernel image may not be possible for a variety of reasons (read-only media, SecureBoot, etc.). In addition, in security-sensitive and mission-critical contexts an unexpected reboot may well be noticed.

I don't understand your assertion about SecureBoot. Are you referring to some known vulnerability of some particular secure boot system? Given a decent implementation of secure/verified boot, an attacker should not be able to convince the system to boot a modified kernel image, which means that run-time modification of the kernel is the only option if the attacker needs to bypass some kernel security enforcement.

In general, the security model of a high-security Linux system assumes that the kernel is more trustworthy than root. The ability for root to modify the running kernel invalidates this assumption, which most definitely is a security issue.

In the context of a system without mandatory access controls there may not be any reason to care, since once an attacker has obtained root there probably isn't any limit to what he can do.

Re:What could possibly go wrong?

If someone gains root, they can swap out the on-disk boot image that contains the kernel, and wait for someone else to reboot it as part of normal maintenance.

Your point?

Re:What could possibly go wrong?

[swillden]

If someone gains root, they can swap out the on-disk boot image that contains the kernel, and wait for someone else to reboot it as part of normal maintenance.

Assuming there isn't something that prevents the boot image from being replaced. See my other, more extensive, comment in this thread.

Re:Pfff.

perfectly secure and [MY CLEAN PC] free of viruses.

I bet you use a HOSTS file.

Re:Systemd in 4.0-era, for or against?

Sure, just put your guard down first before me and it will all be OK

So basically we're finally catching up to Novell..

15 years later...
Novel was such an amazing product to work with, I had servers with 300 some days up time.
We also had Lanmanager, up time, a few days, a week at best.

Re:Pfff.

Usually that kind of claim would bring apk out of the woodwork.

Maybe he's incapacitated or dead.

We can only hope.

In a world...

In a world, where slashdot stories get repeated at least twice per week, one man had finally had enough.

Dilbert Smith was your average computer programmer, until one day, it happened, and the world would never be the same.

Jean Claude Van Damme is .... The UNDUPLICATOR.

Re:In a parallel world.

What's it like in your parallel world? I'm running an investment and billing platform, as well as the testing and development environments on ~60 Linux instances far more securely than if it was on Windows. We have 4 Windows servers in our platform for AD and because someone requires reporting in MS SQL, and they spend far more time patching and rebooting than the ~60 Linux instances do. That OS *is* profitable enough for someone to want to fix it, and yet it still hasn't been.

Go spread your FUD elsewhere.

Getting control

They should have left it out of the Kernel.
Fork it private after server farms and enterprises and distros adopt it
and you have a weaponized paradigm for private leverage of the kernel, as a whole.

new path for virus.

Seriously, this is as bad as when we allowed compile, static link from code. Useful for education, but also for crackers.

Re:new path for virus.

[ledow]

To live-patch, you'd need to run code as root.

If a malicious executable ever gets root, it can persist itself in any fashion it likes. Live-patching isn't a necessity, nor a hole in this sense.

Even with SecureBoot, there's nothing stopping such code going through boot up again, and exploiting the same hole again through any of the millions of ways a root-running-executable could make something start at startup.

So long as this works in tandem with facilities like cryptographic module signatures, I don't see how its any more a risk than the alternative.

And, as always, you can always turn it off.

BOYCOTT LINUS! FORK LINUX!

Time to fork the kernel and take control back from this zealot that only thinks about progress. Where did the kernel go wrong? Around the time we introduced USB support I think.

Let's roll back to that one and kick ass these 'desktop' miscreants out of our community once and for all. Fuck progress!

Re:BOYCOTT LINUS! FORK LINUX!

[halivar]

Hear, hear! Let's throttle that shit back to the 386, and the hell with these new-fangled 32-bit processors!

Re:BOYCOTT LINUS! FORK LINUX!

Haha the 386 is 32-bit!

Re:BOYCOTT LINUS! FORK LINUX!

The 386 is a 32-bit processor. And long did it reign.

Why both?

[tecker]

Was there general consensus that both methods complemented each other or was it one of those "ours is best so we want it in"? Having looked at how they work each has its pluses and minuses but they couldn't have come up with one? Seems to me like they were sitting around going "yea these are so different there is no way to combine them to make one... and we dont want ours to be left out so fuck it, use em both."

Ummm

[kdub007]

Didn't Torvalds talk about this last week? This is hardly news.

Re:Ummm

A week? Holy shit you're right, it's downright ancient. Where did they find this info, on stone tablets?

You're kidding, right?

[SIGBUS]

He's on CentOS; they have this absurd scheme for kernels where they freeze the reported version and apply "selected patches" for 5+ years, so you never know what bugs are fixed.

You can get the kernel changelog easily enough:

rpm --changelog kernel

Re: You're kidding, right?

[TheGavster]

Yes, but vulnerabilities are generally described as "introduced in x" or "fixed in y". Range checking a version is much easier than searching a change log.

Not going to get any better

If you were lost in the 3.0 kernels just wait until you try 4.0. Gone are the days of simply using ifconfig or adding a shell script to run on startup. Move to some form of BSD where the development process is sane. Changing for the sake of change is not a good idea.

Re: Not going to get any better

What's ifconfig? Is running ifconfig reproducible?

Re:So basically we're finally catching up to Novel

[decsnake]

sorry AC, I've got no mod points for you, but you are exactly right, except in the good old days of NW 3.x , netware admins would laugh at someone bragging about 300 days of uptime. I worked with NW sites that had servers with years of uptime. I've had unix servers that had years of uptime, not that that was a smart thing. It just meant they were running on reliable HW and hadn't been patched for years. With NW you could have servers with years of uptime and up to date SW.

The last NW site I worked at (late 90s maybe?) was shutting down NW servers that had been up non-stop since they were deployed years before to replace them with Windows servers as part of some lame-brained management driven "server consolidation" plan. Wonder how much money they "saved" with that?

We already had this with the modules...

[Lumpy]

Very cool that you can now patch and reload the core without a reboot, I just wonder how they handle when data structures change dramatically between major versions, will they replace the running data with predefined?

Re:We already had this with the modules...

[ledow]

Don't quote me on it, but from my understanding of the trampoline kernel patches there's a point at which the calls to old system calls are blocked and the calls to the new replacement system calls are demanded.

There's a lot of logic involved in determining when the system is in a state to do that such that you don't end up feeding new structures to old syscalls, or old structures to new syscalls mid-way through (by checking that their dependent / source syscalls are all upgraded by that point, etc.)

But, mostly, things tend to stay the same. You can do an awful lot to the running kernel just by loading kernel modules. I know I added in DRBD devices to a kernel that I couldn't modify the source too (running under a Xen hypervisor that I don't have control of) just by compiling and inserting a kernel module for it.

Re:So basically we're finally catching up to Novel

[Lumpy]

One place I worked at we had a horribly out of date NW server on the network that nobody knew where it was... I searched for weeks and could not find it. Finally years later it was found inside a wall because of previous construction it was placed out of the way and covered with a plastic tarp.

So it was running all those years WITH NO AIRFLOW and no reboots. A testament to old SCSI hard drives.

oops

[SIGBUS]

Make that: rpm -q --changelog kernel

Re: In a parallel world.

[jd2112]

If the hatered of systemd was channeled into something positive we would have world peace, a cure for cancer, a dirt cheap environmentaly friendly energy source, AND the mos kick-ass operating system the world has ever seen.

Re:So basically we're finally catching up to Novel

[ledow]

Such datacentre-level facilities often take decades to come down to consumer hardware and consumer OS.

Virtualisation is, to x86 PC's, relatively new. But we've been doing it on the proper hardware for decades.

It's not that some things were so brilliant, it's that the features are rarely needed and take a long time to filter down to commodity OS and hardware.

Hell, I've never needed a cluster-based filesystem, and you don't see me complaining that Windows didn't introduce one to Windows until decades after they existed.

On-the-fly patching, like a lot of features, isn't something needed on commodity OS. Virtualised infrastructure and distributed systems and high-availability features have largely made such things pointless up until now.

But now that we're pushing for zero downtime clouds and mobile devices that can stay on for months at a time, it's good to revisit, re-purpose and use the established technology to do so. Before? Why did we need it when Linux would barely resume from suspend reliably?

Great for servers, not that much for desktops

[Parker+Lewis]

While the kernel can be live patched, still some fundamentals pieces will lack live patch in the desktop, like X.org and libc. Ok, reboot a desktop is not that terrible task and not inconvenient like for a server. But it'd be nice to have.

Re:In a parallel world.

Thanks for your CV but we're not recruiting right now.

Re:In a parallel world.

Why is it that any criticism of Linux must be viewed as troll bait from the other team. Why did you mention Windows? I didn't. Do you feel the need to feel superior to the majority of the population. Actually your whole post smacks of that so don't bother replying.

Re:Systemd in 4.0-era, for or against?

[serviscope_minor]

Isn't there a Women in STEM or global warming thread for you to infest?

If systemd has any bearing on women in STEM or global warming, then truly its scope has become more vast than any dared to dream or dread.

Re:If you still use Linux, you ARE old.

OSX on the desktop is only for people who are too stupid to understand anything....

systemd-hatred is a positive in itself

If the hatered of systemd was channeled into something positive we would have world peace, a cure for cancer, a dirt cheap environmentaly friendly energy source, AND the mos kick-ass operating system the world has ever seen.

It is being channeled into something positive. Preventing the infestation of systemd into all distros to the exclusion of all else, including superior alternatives such as openrc. In that the resulting systems are thus more transparent (whether debian, gentoo, calculate or funtoo), the software running on them is more reliable, and unless those searching for world peace, a cure for cancer, or dirt cheap environment energy are foolish enough to choose RedHat or another systemd-infested distroy, they are likely to find their answers with less downtime, and therefore sooner.

So you see, systemd-hatred yields positive results simply by strengthening the backbone of those distros still resisting the infestation, and thus the world is made a much better place even before cancer is cured, cheap energy abounds, and global peace is achieved.

Re: Systemd in 4.0-era, for or against?

[sumdumass]

lol.. Just like sysV is an inherent discussion topic for anything related to linux? How about X11 or whatever it is now? Grep, and VI I guess should always be on topic too.

I think you have too much emotionally invested in something and and it's clouding your judgement.

Re:Pfff.

Sending him a postcard seemed to shut him up real quick in one case I remember reading about on here a year or so back.

Re: Systemd in 4.0-era, for or against?

Have you ever even used a modern Linux distro?

X11 is optional, and can be easily removed without preventing the entire OS installation from booting. The same goes for vi. Even grep could probably be removed relatively safely. On any decent distro, this can be done with a single package manager command.

Good luck doing that with systemd. You likely won't even have a choice about whether or not systemd will be installed in the first place. And there's no easy way to uninstall it, either. Yeah, you can spend days trying to manually remove systemd and use something else, but you'll likely trash your installation. Plus doing that defeats the purpose of using a Linux distro in the first place.

In practice, systemd is the kernel these days, with the Linux kernel merely being a device driver of sorts that systemd uses to interface with the hardware.

The fact that systemd only runs on Linux proves this. While X11, vi and grep can run on the BSDs, OS X and even Windows, the same is not true for systemd. It is one with the Linux kernel, and only the Linux kernel. They are the two mutually-depended halves of what is called "Linux".

Re:Systemd in 4.0-era, for or against?

[Chalnoth]

At least women in STEM and global warming are important issues....

Re:Pfff.

[serviscope_minor]

Wow, I get the joke wasn't funny, but it's on topic, not off topic. An "overrated" mod would be more appropriate than an "off topic" one.

Re:In a parallel world.

What's it like in your parallel world? I'm running an investment and billing platform, as well as the testing and development environments on ~60 Linux instances far more securely than if it was on Windows. We have 4 Windows servers in our platform for AD and because someone requires reporting in MS SQL, and they spend far more time patching and rebooting than the ~60 Linux instances do. That OS *is* profitable enough for someone to want to fix it, and yet it still hasn't been.

Go spread your FUD elsewhere.

Nice to hear that it works for you, but of the big PC operating systems (Win/Mac/Lin/BSD), Linux is clearly the most buggy one.

Re: Systemd in 4.0-era, for or against?

Install gentoo. Lay off the caffeine and try being happy for a while.

Re:Systemd in 4.0-era, for or against?

[Ol+Olsoc]

Isn't there a Women in STEM or global warming thread for you to infest?

If systemd has any bearing on women in STEM or global warming, then truly its scope has become more vast than any dared to dream or dread.

Does seem to be trolls that try ot turn every topic into a referendum on systemd.

And those three topics generate a lot of activity.

ORACLE is a dick

this will give users less reason to use them.

Re:So basically we're finally catching up to Novel

[Smauler]

sorry AC, I've got no mod points for you, but you are exactly right, except in the good old days of NW 3.x , netware admins would laugh at someone bragging about 300 days of uptime.

I've had over 200 days uptime on my Vista desktop system, and that was ended by a power cut. Uptime isn't really anything to brag about any more.

Re: Systemd in 4.0-era, for or against?

You suggested Gentoo? Really? Sorry, aside from a few basement-dwelling neckbeards, nobody wants to wait a week for their installation to finish compiling. Gentoo is not an option.

Re:Pfff.

The freak was unnerved by being doxxed? Sweet. Also, amusing given that he has had so many public faildoxes on others.

Application restart

[manu0601]

We are heading to the situation where patching the kernel will be faster than patching applications:

Kernel upgrade: no downtime

Adjusting a parameter in Java application: wait for 4 minutes for Glassfish to restart

Year of the GNU/Linux Desktop

Once again, the glorious GNU/Linux master race leads in fabulous innovation and putting Windows itself to shame.

root has always been able to patch the kernel

Through /dev/kmem, loadable modules, and whatever. Nothing new.

Excellent news...

[chris_clay]

Even though the technology has been there for some time, it's good that these organizations have collaborated together and implemented this. Awesome stuff. GNU/Linux is probably the only OS that is able to accomplish this. Windows can't even touch a no-reboot OS like this. So, those using Microsoft will continue to patch and reboot their systems on a regular basis, which takes a LOT of resources. Obviously, GNU/Linux will and should excel in various markets, because it truly is better and more stable. And not having to reboot is a huge deal in the datacenter. Now, we can get this technology without various licensing requirements even though the technology has been free up until now anyway.

Re:So basically we're finally catching up to Novel

[x_t0ken_407]

This...this is amazing!