Re: PATCH v6 6/6] livepatch: Add atomic replace

From: Evgenii Shatokhin
Date: Thu Feb 01 2018 - 03:16:00 EST


On 01.02.2018 00:55, Josh Poimboeuf wrote:
On Fri, Jan 26, 2018 at 01:33:04PM +0300, Evgenii Shatokhin wrote:
+ The callbacks from the replaced patches are not called. It would be
pretty hard to define a reasonable semantic and implement it.

At least, it surely simplifies error handling, if these callbacks are not
called.

Anyway, I guess, this restriction should be mentioned explicitly in the
docs. I think this is not obvious for the patch developers (esp. those
familiar with RPM spec files and such ;-) ).

What concerns me is that downgrading of the cumulative patches with
callbacks becomes much more difficult this way.

I mean, suppose a user has v1 of a cumulative patch installed. Then a newer
version, v2, is released. They install it and find that it is buggy (very
unfortunate but might still happen). Now they cannot atomically replace v2
back with v1, because the callbacks from v1 cannot clean up after v2.

It will be needed to unload v2 explicitly and then load v1 back, which is
more fragile. The loading failures are much more unlikely with livepatch
than with the old kpatch, but they are still possible.

I have no good solution to this though.

I think the solution is to build a v3, which is basically identical to
v1, except it also has callbacks for cleaning up after v2, if necessary.

It should also be smart enough to deal with the case that v2 was not
installed beforehand.


I thought about this, but such patches would be very difficult to maintain. It seems better to explicitly unload v2 and then load v1 back in such cases.

In addition, releasing v3 takes some time (build + appropriate QA procedures) while the users may want to do something about the faulty patch "right here, right now". This is what "downgrade" option is for.

Anyway, livepatch is much more likely to apply the patches successfully than the old kpatch core. So it should be OK to simply unload v2 and then load v1 in such (hopefully rare) scenarios.

As I said, the current behaviour is acceptable, esp. when it is documented. Implementation of livepatch is already complex enough.

Regards,
Evgenii