LinuxQuestions.org
Old 02-22-2011, 06:32 PM   #1
akelder
Member
 
Registered: Jan 2007
Distribution: debian on servers, ubuntu on desktops/laptops
Posts: 45

Rep: Reputation: 16
Anyone using ksplice to patch kernel without reboot?


Got a few multiuser systems for which scheduling an occasional reboot is a major PITA. Wondering if the ksplice solution is as painless as it sounds or there are tradeoffs I just haven't learned of yet...
 
Old 02-22-2011, 07:01 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 680
I think that you need to subscribe to a service to use it. Also there may be security concerns. If you enable live patching of the kernel, couldn't a blackhat do the same to install his custom rootkit?
 
Old 02-27-2011, 12:18 PM   #3
wdaher
LQ Newbie
 
Registered: Feb 2011
Location: Cambridge, MA
Posts: 5

Rep: Reputation: 8
(Disclaimer: I work for Ksplice)

Quote:
Originally Posted by jschiwal
I think that you need to subscribe to a service to use it.
That's correct.

We have a completely free version for Ubuntu Desktop and Fedora (https://www.ksplice.com/uptrack/download), and then the other distributions have a 30-day free trial.

Quote:
Also there may be security concerns. If you enable live patching of the kernel, couldn't a blackhat do the same to install his custom rootkit?
This isn't correct. You don't need to boot into a custom kernel or enable some sort of live patching feature to use Ksplice. We can start running on the system you already have -- the ability to live patch the kernel is one that's inherent to being root and being able to load modules on the system.

So in short, no, there is no security concern here. If anything, your security is much improved, since you're now able to apply important security patches much sooner than you would otherwise have been able to.
 
Old 02-28-2011, 12:42 AM   #4
akelder
Member
 
Registered: Jan 2007
Distribution: debian on servers, ubuntu on desktops/laptops
Posts: 45

Original Poster
Rep: Reputation: 16
Hi, thanks for the reply. One part I don't understand is how getting kernel patches from ksplice coexists with patches coming through standard channels (APT/YUM)?
 
Old 03-01-2011, 08:13 AM   #5
wdaher
LQ Newbie
 
Registered: Feb 2011
Location: Cambridge, MA
Posts: 5

Rep: Reputation: 8
Yeah, that's a good question.
Ksplice Uptrack only updates the kernel, and only does so in memory.
The package manager continues to be responsible for updating all of your packages on disk (including the kernel image on disk).

So they're complementary.

Most of our customers will:
- Use the package manager to upgrade the kernel (but they don't reboot afterwards)
- Then also use "uptrack-upgrade" to upgrade the kernel in memory

Now you're secure and up-to-date in your running system, and if you later have to reboot for some reason, you have the option of booting into the new, "traditionally updated" kernel image on disk.
 
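The workflow in the post above leaves two kernels in play: the image the package manager installed on disk and the one Ksplice patched in memory. The helpers below are an added example (not from this thread, and not Ksplice's own tooling) that report whether the newest on-disk image is newer than the running kernel, so an operator knows which kernel a later reboot would land on. They assume GNU coreutils for `sort -V` and the Debian `vmlinuz-<version>` naming in /boot.

```shell
#!/bin/sh
# Added example, not Ksplice code: compare the running kernel with what the
# package manager has left in /boot after the "upgrade, then uptrack-upgrade"
# workflow. Assumes GNU sort -V and images named /boot/vmlinuz-<version>.

# Newest version among a whitespace-separated list of kernel version strings.
latest_kernel() {
    printf '%s\n' $1 | sort -V | tail -n 1
}

# Version strings of the kernel images found under a /boot-style directory.
installed_kernels() {
    for f in "$1"/vmlinuz-*; do
        [ -e "$f" ] || continue
        printf '%s\n' "${f##*/vmlinuz-}"
    done
}

# Prints "reboot-pending" when the newest on-disk kernel is newer than the
# running one, "current" when the running kernel is already the newest, and
# "unknown" when no images were found. $1 = running version (e.g. uname -r),
# $2 = whitespace-separated installed versions.
kernel_state() {
    running=$1
    newest=$(latest_kernel "$2")
    if [ -z "$newest" ]; then
        echo unknown
    elif [ "$newest" != "$running" ] &&
         [ "$(latest_kernel "$running $newest")" = "$newest" ]; then
        echo reboot-pending
    else
        echo current
    fi
}

# Stand-alone use on a real host: sh kernel_state.sh --live
if [ "${1:-}" = "--live" ]; then
    kernel_state "$(uname -r)" "$(installed_kernels /boot | tr '\n' ' ')"
fi
```

A "reboot-pending" result does not mean the running kernel is unpatched once uptrack-upgrade has run; it only tells you that the on-disk image has moved ahead of the one currently booted.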
Old 03-01-2011, 04:05 PM   #6
akelder
Member
 
Registered: Jan 2007
Distribution: debian on servers, ubuntu on desktops/laptops
Posts: 45

Original Poster
Rep: Reputation: 16
Thanks for that, it's starting to make sense to me now.

All "official" kernel patches come from kernel.org, right? So there would never be a situation where the patch one gets through Ksplice Uptrack is different from what one gets from the distribution maintainers, correct?
 
Old 03-02-2011, 09:16 AM   #7
wdaher
LQ Newbie
 
Registered: Feb 2011
Location: Cambridge, MA
Posts: 5

Rep: Reputation: 8
Actually, it's even better: we ONLY take the patches that your vendor has released.

For example, on RHEL: When Red Hat releases a new kernel, only then do we go and look at that kernel and make the important security and bugfix updates rebootless (and then we deliver them to you). So you're actually getting the same updates as released by your vendor, but you're getting them in rebootless form.

(In other words, you're not getting some patches we're making up, or anything like that - they all come from the vendor.)
 
Old 03-02-2011, 01:46 PM   #8
akelder
Member
 
Registered: Jan 2007
Distribution: debian on servers, ubuntu on desktops/laptops
Posts: 45

Original Poster
Rep: Reputation: 16
Sounds good, thanks. The machines I'm researching this for are running Debian Lenny, and I probably won't get around to upgrading to Squeeze till later this year. Will Ksplice continue to support Lenny as long as Debian continues releasing security patches for it?
 
Old 03-02-2011, 01:50 PM   #9
akelder
Member
 
Registered: Jan 2007
Distribution: debian on servers, ubuntu on desktops/laptops
Posts: 45

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by wdaher
Actually, it's even better: we ONLY take the patches that your vendor has released.

For example, on RHEL: When Red Hat releases a new kernel, only then do we go and look at that kernel and make the important security and bugfix updates rebootless (and then we deliver them to you). So you're actually getting the same updates as released by your vendor, but you're getting them in rebootless form.

(In other words, you're not getting some patches we're making up, or anything like that - they all come from the vendor.)
One other question on this. What's the typical delay between when the vendor releases a patch and when it becomes available through Ksplice? Does it depend on how much programming effort is involved on your part and vary from patch to patch, or is there a fixed release schedule of +1 day, etc.?
 
Old 03-02-2011, 11:35 PM   #10
wdaher
LQ Newbie
 
Registered: Feb 2011
Location: Cambridge, MA
Posts: 5

Rep: Reputation: 8
Quote:
Originally Posted by akelder
Will Ksplice continue to support Lenny as long as Debian will continue releasing security patches for it?
That's the plan, yep.

Quote:
Originally Posted by akelder
One other question on this. What's the typical delay between when the vendor releases a patch and when it becomes available through Ksplice?
Typically about 24 hours.
 