LinuxDevices.com Archive Index (1999-2012) | 2013-current at LinuxGizmos.com | About  

Hot-patch service boasts reboot-free server updates

Feb 10, 2010 — by Eric Brown — from the LinuxDevices Archive

Ksplice announced the availability of a subscription service that updates Linux servers with upgrades and security patches without rebooting. Based on an MIT-bred utility that has been considered for merging into the Linux mainline kernel, Ksplice Uptrack is claimed to reduce costly downtime, and speed installation of security patches.

Based on "Ksplice" technology developed at the Massachusetts Institute of Technology (MIT), Uptrack enables IT administrators to keep Linux servers up-to-date without the scheduling, disruptions, and downtime required with a reboot, says Ksplice. As a result, servers can more quickly be protected against security threats system administration, and costs can be reduced considerably, says the company.

Ksplice Uptrack builds upon the Ksplice hot-patching utility for the Linux kernel that was developed by Jeffrey Arnold, a graduate student at MIT. Announced in 2008, Ksplice was for a time actively being considered for merging into the mainline Linux kernel source code tree, but momentum for the merge seems to have faded, in part due to potential conflicts with a 2002 Microsoft patent.

Reboots required for kernel updates by major Linux distributions, 2009 to present (Source: Ksplice)
(Click to enlarge)

Carrier Grade Linux and high-availability Linux distributions typically include hot-patching implementations, but the mainline kernel and major Linux distributions do not. As a result, downtime for kernel and security updates is a growing drain on IT departments, according to Ksplice. In 2009, major Linux vendors asked customers to install a kernel update roughly once each month, says the company. The chart above is said to show typical update schedules for major Linux distros.

Ksplice operates at the object code layer, transforming many traditional source code patches into hot updates that require little or no programmer involvement, according to an MIT paper written by MIT researchers Arnold and M. Frans Kaashoek, which is posted on the Ksplice site. Typically a patch does not change the semantics of persistent data structures, providing an opportunity to create a hot update without writing new code, says the paper.

Ksplice process for creating a hot update
Source: Jeffrey Brian Arnold, MIT, " Ksplice: An automatic system for rebootless Linux kernel security updates"
(Click to enlarge)

Ksplice compiles the system's kernel from source, with and without the patch, creating a kind of binary diff. It then inserts "trampolines" inside of functions affected by the patch. The trampolines simply bounce processing over to newly instantiated, patched object code.

The paper cites research involving significant x86-32 Linux security patches between 2005 and 2008. Some 88 percent of patches were said to have required no new code in order to be performed as a Ksplice update. In addition, with the addition of a small amount of code (about 17 lines per patch) to assist with the remaining patches, the Ksplice technology could apply 100 percent of the security patches without rebooting, claims the paper.

Because Ksplice Uptrack does not require a persistently running process, updates do not slow performance, claims Ksplice. The technology is said to have no machine limits, and can reverse updates without rebooting.

Uptrack can update systems in virtualization environments including VMware, Virtuozzo, and Xen, both as hosts and guests, says the company. The technology is also claimed to play nice with third-party kernel modules such as cPanel and R1Soft CDP. A web management tool enables remote monitoring of Uptrack tasks, and cryptography authenticates the Uptrack update feed, says Ksplice.

Background and testimonials

Ksplice was founded as a Cambridge, Mass.-based MIT technology spinoff in 2008. In 2009, the company was named the most innovative security company of the year by the Wall Street Journal, says the company. More than 40 Web hosting and IT infrastructure companies have deployed Ksplice Uptrack as early adopters, so far saving tens of thousands of reboots, says Ksplice. Three have provided testimonials, below.

Stated Joshua Barratt, CTO of Media Temple, "Like other hosting providers, we've needed this capability for a long time, but we didn't think that it was possible to apply these updates without a reboot until we saw Ksplice in action."

Stated David Collins, CTO of HostGator, "It reduces one of the biggest costs associated with any server — system administrator maintenance time — and helps us improve the quality of service we can provide to our customers."

Stated Dallas Kashuba, co-founder and CTO of DreamHost, "Using Ksplice has improved our response time to critical kernel exploits from a few days to only minutes."

Availability

Ksplice Uptrack is now available for Red Hat Enterprise Linux, Ubuntu, Debian GNU/Linux, CentOS, Parallels Virtuozzo Containers, and OpenVZ distributions. The subscription fee starts at $4 per month per system, after a 30-day free trial. The company uses metered billing, charging only for the systems Uptrack runs on, says Ksplice.

A free version is also available for Ubuntu, and the company makes its raw Ksplice 0.9.9 utilities available for open source download, says the company. Ksplice strongly cautions against using the raw Ksplice utilities on production systems, however.

More information may be found here.


This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.



Comments are closed.