World Library  
Flag as Inappropriate
Email this Article

Kpatch

Article Id: WHEBN0041947333
Reproduction Date:

Title: Kpatch  
Author: World Heritage Encyclopedia
Language: English
Subject: Linux kernel, Evdev, Kernel same-page merging, Compute Node Linux, Epoll
Collection:
Publisher: World Heritage Encyclopedia
Publication
Date:
 

Kpatch

kpatch is a feature of the Linux kernel that implements live patching of a running kernel, which allows kernel patches to be applied while the kernel is still running. By avoiding the need for rebooting the system with a new kernel that contains the desired patches, kpatch aims to maximize the system uptime and availability. At the same time, kpatch allows kernel-related security updates to be applied without deferring them to scheduled downtimes.[1][2] Internally, kpatch allows entire functions in a running kernel to be replaced with their patched versions, doing that safely by stopping all running processes while the live patching is performed.[3]

kpatch is developed by Red Hat, and the source code is licensed under the GNU General Public License version 2 (GPLv2).[1] In May 2014, kpatch was submitted for inclusion into the Linux kernel mainline,[4] and the minimalistic foundations for live patching were merged into the Linux kernel mainline in kernel version 4.0, which was released on April 12, 2015.[5]

Internals

With live patching in place, calls to patched kernel functions invoke their replacement counterparts.[6]:2:07

Internally, kpatch consists of two parts – the core kernel module executes the live patching mechanism by altering kernel's inner workings, while a set of userspace utilities prepares individual hot patch kernel modules from source diffs and manages their application. Live kernel patching is performed at the function level, meaning that kpatch can replace entire functions in the running kernel with their patched versions by using facilities provided by ftrace to "route around" old versions of functions; that way, hot patches can also easily be undone. No changes to the kernel's internal data structures are possible; however, security patches, which are one of the natural candidates to be used with kpatch, rarely contain changes to the kernel's data structures.[3][4][6]

kpatch ensures that hot patches are applied atomically and safely by stopping all running processes while the hot patch is applied, and by ensuring that none of the stopped processes is running inside the functions that are to be patched. Such an approach simplifies the whole live patching mechanism and prevents certain issues associated with the way data structures are used by original and patched versions of functions. As the downside, this approach also leaves the possibility for a hot patch to fail, and introduces a small amount of latency required for stopping all running processes.[3][4][6]

History

Red Hat announced and publicly released kpatch in February 2014 under the GNU General Public License version 2 (GPLv2),[1] shortly before SUSE released its own live kernel patching implementation called kGraft.[7] kpatch aims to become merged into the Linux kernel mainline, and it was submitted for the inclusion in May 2014.[4][8]

kpatch has been included in Red Hat Enterprise Linux 7.0, released on June 10, 2014, as a technology preview.[9][10]

Minimalistic foundations for live kernel patching were merged into the Linux kernel mainline in kernel version 4.0, which was released on April 12, 2015. Those foundations, based primarily on the kernel's ftrace functionality, form a common core capable of supporting hot patching by both kpatch and kGraft, by providing an application programming interface (API) for kernel modules that contain hot patches and an application binary interface (ABI) for the userspace management utilities. However, the common core included into Linux kernel 4.0 supports only the x86 architecture and does not provide any mechanisms for ensuring function-level consistency while the hot patches are applied.[5][11][12]

Since April 2015, there is ongoing work on porting kpatch to the common live patching core provided by the Linux kernel mainline.[12] However, implementation of the required function-level consistency mechanisms has been delayed because the call stacks provided by the Linux kernel may be unreliable in situations that involve assembly code without proper stack frames; as a result, the porting work remains in progress as of September 2015. In an attempt to improve the reliability of kernel's call stacks, a specialized sanity-check stacktool userspace utility has also been developed.[13][14]

See also

  • Dynamic software updating – a field of research focusing on upgrading programs while they are running
  • kexec – a method for loading a whole new Linux kernel from a running system
  • Ksplice and KernelCare – other Linux kernel live patching technologies developed by Ksplice, Inc. (later acquired by Oracle) and CloudLinux, respectively

References

  1. ^ a b c
  2. ^
  3. ^ a b c
  4. ^ a b c d
  5. ^ a b
  6. ^ a b c
  7. ^
  8. ^
  9. ^
  10. ^
  11. ^
  12. ^ a b
  13. ^
  14. ^

External links

  • kpatch source code on GitHub
  • Live Patching the Kernel with kpatch on YouTube, January 14, 2015, by Seth Jennings
  • New Kernel Live Patching Combines kGraft & Kpatch, Phoronix, November 7, 2014, by Michael Larabel
  • Live Kernel Patching Support Called For Linux 3.20 Kernel, Phoronix, February 9, 2015, by Michael Larabel
  • Linux kernel set to get live patching in release 3.20, The Register, February 11, 2015, by Richard Chirgwin
  • No reboot patching comes to Linux 4.0, ZDNet, March 3, 2015, by Steven J. Vaughan-Nichols
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
 
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
 
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.
 


Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.