Re: Kernel Live Patching
- Date: Thu, 28 Jun 2018 18:04:06 +0200
- From: Emmanuel Gelati <emi2fast@xxxxxxxxx>
- Subject: Re: Kernel Live Patching
The answer is High Availability
2018-06-28 17:40 GMT+02:00 Darac Marjal <mailinglist@xxxxxxxxxxxx>:
On Thu, Jun 28, 2018 at 10:53:58AM -0400, Gene Heskett wrote:
On Thursday 28 June 2018 09:23:43 Aleksey Kravchenko wrote:
Is there a free alternative to ksplce / livepatch / kernelcare for
debian systems? We're interested in the complete solution when we
install the agent on the server and the agent upgrades the system by
itself. Thank you.
Given the history of ksplice, and my innate paranoia, I don't have a pole
long enough to reach it. You shouldn't either. I have a mental picture
of the keys to whatever merchandising operation you may be involved in,
hanging on a nail beside the front door.
If something is patched and a reboot is needed to make it 100%
functional, and you can't stand the thought of 2 minutes downtime while
its rebooting, its time to mirror your app to a second machine and
configure an automatic failover. There are some OS's that can do that,
QNX comes to mind, but they aren't free. Even the QNX microkernel has a
dead time of 15 or 20 seconds for a full reload of everything else.
2 minutes? I presume you've not interacted much with modern servers? HPe ProLiant servers, for example, take several minutes to reboot (a couple of minutes initialsing the processor/BMC, then they switch to graphical mode and initialise RAM, sensors, devices etc, then they begin to boot. And then you've got whatever time is needed to get, say, your storage in order...)
I think that the closest that Debian comes to ksplice is kexec. kexec is the kernel equivalent of the shell's exec function; that is, "execute that process in place of this one". To use kexec, you still need to run through your init scripts to shutdown the system and restart it but, instead of asking the system firmware to reboot the system, the kernel calls the kexec function and executes the new kernel in place. All your RAM stays "hot", all your devices remain initialised etc, but you do need to restart the OS. So it's a compromise.--
I think the applicable keyword here is TANSTAAFL. Its a universal law,
and there are no shortcuts around it. IOW, if you think the lunch is
free, check the price of the beer.
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309
For more information, please reread.