Re: live kernel upgrades (was: live kernel patching design)

From: Jiri Kosina
Date: Mon Feb 23 2015 - 03:18:08 EST


On Sun, 22 Feb 2015, Arjan van de Ven wrote:

> There's a lot of logistical issues (can you patch a patched system... if
> live patching is a first class citizen you end up with dozens and dozens
> of live patches applied, some out of sequence etc etc).

I can't speak on behalf of others, but I definitely can speak on behalf of
SUSE, as we are already basing a product on this.

Yes, you can patch a patched system, you can patch one function multiple
times, you can revert a patch. It's all tracked by dependencies.

Of course, if you are random Joe User, you can do whatever you want, i.e.
also compile your own home-brew patches and apply them randomly and brick
your system that way. But that's in no way different to what you as Joe
User can do today; there is nothing that will prevent you from shooting
yourself in a foot if you are creative.

Regarding "out of sequence", this is up to the vendor providing/packaging
the patches to make sure that this is guaranteed not to happen. SUSE for
example always provides "all-in-one" patch for each and every released and
supported kernel codestream in a cummulative manner, which takes care of
the ordering issue completely.

It's not really too different from shipping external kernel modules and
making sure they have proper dependencies that need to be satisfied before
the module can be loaded.

> There's the "which patches do I have, and if the first patch for a
> security hole was not complete, how do I cope by applying number two.
> There's the "which of my 50.000 servers have which patch applied"
> logistics.

Yes. That's easy if distro/patch vendors make reasonable userspace and
distribution infrastructure around this.

Thanks,

--
Jiri Kosina
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/