SlideShare ist ein Scribd-Unternehmen logo

It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.

All Things Open
All Things Open

Presented by: Igor Seletskiy Presented at the All Things Open 2021 Raleigh, NC, USA Raleigh Convention Center Abstract: IT Teams know the drill. New security bulletins, new issues, new patches to deploy. Schedule another maintenance operation and prepare for system downtime. There is a better way to do things. Live patching has been around in the Linux Kernel for some time now, but adoption has not been ideal so far - either because of a lack of trust in the technology or just lack of awareness - or sysadmins just enjoy interrupting their workloads or users. Live patching consists of two aspects. First, there has to be a mechanism for function redirection in the kernel. As in many things, the kernel actually provides three different subset of tools that provide this functionality - kprobes, fprobes and Livepatching. Secondly, Live Patching relies on a set of tools to generate the actual patches to deploy, replacing the old code with new one. This is arguably the most involved part: you need to fit your new code in the proper space, you can’t overwrite other unrelated code and you need to maintain compatibility with other functions. If you change your parameter list, for example, its game over - something will break in the worst possible way. In this talk we’ll go over issues like Consistency model, patch generation, deployment mechanisms and identify situations that are ideal candidates for live patching instead of traditional patching operations.

Technologie
1 von 26
Downloaden Sie, um offline zu lesen
A look at live patching It’s 2021. Why are we still rebooting for patches?
Live Patching - How it started ● In 2006, Jeff Arnold, a student at MIT, started working on what would eventually become ksplice ● A way to apply changes, specifically security patches, to running Linux kernels without interrupting processes or users ● The motivation was a hacked system while a patch existed but couldn’t be applied in a timely fashion
Live Patching - 15 years gone by, the same problem exists ● Deploying security patches on time is still heavily constrained by the availability of maintenance windows ● Patches for Critical or High-Priority vulnerabilities take, on average, 5 to 6 weeks to be deployed* ● That is a very large window of opportunity for malicious actors * “State of Enterprise Linux Security Management v2” - A study conducted by the Ponemom Institute, targeting IT leaders across different industries. This will be freely available for download at blog.tuxcare.com and other locations in the coming days.
The underlying issue ● The way patch operations are done has not changed, even when the technology available has ● The rate at which new vulnerabilities appear has been steadily growing year-on-year ● System downtime is one of the big friction points between IT teams and other business units
Compliance rules are changing • 30 days patch window is a "best practice" today o Shrunk from 6 months, to 3 months, to 1 month within a decade • Ransomware attacks are causing people to start questioning if that window is too long
Live patching to the rescue ● Live patching is a better way to deploy patches ● This was recognized by different teams when kSplice was acquired and became focused solely on Oracle’s own distribution ● Three new projects, kPatch, kGraft and KernelCare, were started as alternatives
The patches ● Replacing running code is not trivial, but simple function code changes are easier than bigger changes touching multiple functions ● Most vulnerabilities are fixed with one-liners: bounds-check, off-by-one, input validation ● As long as function signatures or data structures don’t change, live patching is easier
The different Kernel facilities for Live Patching ● There are usually multiple ways to do something in the Linux Kernel ● Live patching follows this trend: ○ Livepatch - patch creation/loading ○ Ftrace - tracing/debugging tool repurposed to aid live patching by adding custom code at specific instructions ○ Kprobes - debugging tool repurposed to aid live patching with breakpoints in specific functions ○ eBPF - A mechanism to attach logic at certain hook points in the kernel
Ftrace ● Tracing mechanism originally built to help developers writing code for the Kernel ● With it, you can add custom code handlers that run whenever a specific instruction is reached ● It can be used to redirect execution away from the “bad” function to the “corrected” version
Kprobes ● Generic way of adding breakpoints at any instruction ● By setting the breakpoint at strategic locations before applying a patch, you can check if the function you want to change is in use (for example, by checking the stack) ● It’s desirable that the function being patched is not in use. Some tools will wait for the right opportunity to apply a live patch For more information: https://www.kernel.org/doc/html/latest/livepatch/livepatch.html
How they all work together (or not) ● The most common way to use them is adding kprobe’s breakpoints inside of ftrace handler code at the start of the functions you want to change, then using livepatch to load the fixed code into the kernel memory space ● Some of their functionality conflicts with each other (some ftrace instructions can be overwritten by some livepatch calls, for example) ● Kprobes and ftrace are repurposed kernel facilities, not designed with live patching in mind ● Third-party live patching solutions will often have their own custom ways for achieving live patching
Livepatch ● Eventually, the kPatch and kGraft project’s common features were merged into “livepatch” and included in the Linux Kernel ● Livepatch contains basic functionality for live patch creation and loading ● Some third-party tools for live patching use livepatch functionality, while others have opted for their own implementation to achieve the same goal For more information: https://www.kernel.org/doc/html/latest/livepatch/livepatch.html
Patches - How they are created ● Like “regular” patches, it all starts with the code that fixes the problem ● Live patching specific issues are addressed: function signature changes, data structure changes, non maskable interrupts. These are some of the new concerns when creating these patches ● A binary “diff” between the running code and the new code has to be created and packaged in such a way that it can be deployed on different systems
Consistency model ● The code execution should be in a “safe” situation before applying a patch ● You don’t want to replace a function when it’s in use, or active locks are originating from it, or memory assignments are not yet released ● Live patching tools will have mechanisms that “wait” for this safe situation to appear, and may even refuse to apply a patch if they can’t find one ● Maintaining consistency is one of the trickier parts of the process For more information: https://www.kernel.org/doc/html/latest/livepatch/livepatch.html#consistency-model
Build environments ● Tiny differences in build environments can create big changes in binary outputs ● This means that binary “diffs” will be unusable ● Compiler, linker, and binutils changes like different versions or flags will all likely invalidate patch creation ● Every different kernel version or distribution supported by a live patching tool requires a different build environment
Testing ● Live patches, like traditional patches, need to be tested ● Not just for actually fixing what they are supposed to fix, but also for unexpected side-effects of being deployed live ● It’s desirable to use extensive test automation when creating live patches and to continually expand the tests with validation for every new fix introduced ● Traditional Kernel tests* often not suitable for live patching integration *For more information: https://www.kernel.org/doc/html/latest/dev-tools/testing-overview.html
Patch creation Loading into kernel memory space with a live patching provider-specific tool Enabling/activating the patch Maintaining the consistency of the kernel, the live patching tool will probably: Pause the process briefly Check if the function is in use or not If it’s safe, apply the code change to redirect the function to the new code. If not, retry later. Unpause the process Disabling/removing the patch Lifetime of a life patch
Other ways to 'update' kernel without reboot ● Kexec lets you replace the running kernel with another ○ Requires a whole new kernel to be loaded and restarts the existing user space processes
What about userspace? Patching one running process should be the same no matter what that process is Except: ● coroutines / schedulers need to be taken into account ● stack usage (exceptions?) need to be taken into account Services like databases or libraries like OpenSSL, glibc & QEMU would benefit from live patching.
Creating a patch - Example (1/5) For more information and the complete test example: https://github.com/cloudlinux/libcare/blob/master/docs/internals.rst (under “Manual patch Creation”) Original code Patched code
Creating a patch - Example (2/5) We want to compare the assembly code obtained through: For more information and the complete test example: https://github.com/cloudlinux/libcare/blob/master/docs/internals.rst (under “Manual patch Creation”) Looking at the changes with diff, we can see the added text and the code changes.
Creating a patch - Example (3/5) Every live patching solution has its own scripts to aid in patch creation, and so does TuxCare’s. We use “kpatch_gensrc” to create a patch file from the binary diff: This will create a very long file with assembly code and special sections for the patch deployment tool. You can find the complete output at the github repository linked below. For more information and the complete test example: https://github.com/cloudlinux/libcare/blob/master/docs/internals.rst (under “Manual patch Creation”) (...)
Creating a patch - Example (4/5) Now moving from assembly to the compiled code, using the special linker flag “-q” to store relocation information: For more information and the complete test example: https://github.com/cloudlinux/libcare/blob/master/docs/internals.rst (under “Manual patch Creation”) There is still a process for fixing relocations that is detailed in the github repository and not shown here. After that is done, the binary patch is finally obtained with: Some clean up is still needed:
Creating a patch - Example (5/5) Applying the patch: For more information and the complete test example: https://github.com/cloudlinux/libcare/blob/master/docs/internals.rst (under “Manual patch Creation”) Note that the actual file on disk for the original process has not been touched, so that a restart would bring back the original behavior.
Changing the status quo ● IT is usually very fast at adopting new technologies but rather slow at changing processes ● Live patching is reliable and proven — and a better way to deploy patches ● It doesn’t just shorten maintenance windows — it completely eliminates their use for patching
Get in touch: Thank you! i@tuxcare.com @iseletsk

Empfohlen

Building Good Containers for Python Applications
Building Good Containers for Python ApplicationsBuilding Good Containers for Python Applications
Building Good Containers for Python ApplicationsAll Things Open
 
Modern Tools for Building Progressive Web Apps
Modern Tools for Building Progressive Web AppsModern Tools for Building Progressive Web Apps
Modern Tools for Building Progressive Web AppsAll Things Open
 
FluentD vs. Logstash
FluentD vs. LogstashFluentD vs. Logstash
FluentD vs. LogstashAll Things Open
 
The New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonThe New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonAll Things Open
 
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016ManageIQ
 
Integrating Git, Gerrit and Jenkins/Hudson with Mylyn
Integrating Git, Gerrit and Jenkins/Hudson with MylynIntegrating Git, Gerrit and Jenkins/Hudson with Mylyn
Integrating Git, Gerrit and Jenkins/Hudson with MylynSascha Scholz
 
Hands-on GitOps Patterns for Helm Users
Hands-on GitOps Patterns for Helm UsersHands-on GitOps Patterns for Helm Users
Hands-on GitOps Patterns for Helm UsersWeaveworks
 
[RHFSeoul2017]6 Steps to Transform Enterprise Applications
[RHFSeoul2017]6 Steps to Transform Enterprise Applications[RHFSeoul2017]6 Steps to Transform Enterprise Applications
[RHFSeoul2017]6 Steps to Transform Enterprise ApplicationsDaniel Oh
 

Empfohlen

Building Good Containers for Python Applications
Building Good Containers for Python ApplicationsBuilding Good Containers for Python Applications
Building Good Containers for Python ApplicationsAll Things Open
 
Modern Tools for Building Progressive Web Apps
Modern Tools for Building Progressive Web AppsModern Tools for Building Progressive Web Apps
Modern Tools for Building Progressive Web AppsAll Things Open
 
FluentD vs. Logstash
FluentD vs. LogstashFluentD vs. Logstash
FluentD vs. LogstashAll Things Open
 
The New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonThe New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonAll Things Open
 
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016ManageIQ
 
Integrating Git, Gerrit and Jenkins/Hudson with Mylyn
Integrating Git, Gerrit and Jenkins/Hudson with MylynIntegrating Git, Gerrit and Jenkins/Hudson with Mylyn
Integrating Git, Gerrit and Jenkins/Hudson with MylynSascha Scholz
 
Hands-on GitOps Patterns for Helm Users
Hands-on GitOps Patterns for Helm UsersHands-on GitOps Patterns for Helm Users
Hands-on GitOps Patterns for Helm UsersWeaveworks
 
[RHFSeoul2017]6 Steps to Transform Enterprise Applications
[RHFSeoul2017]6 Steps to Transform Enterprise Applications[RHFSeoul2017]6 Steps to Transform Enterprise Applications
[RHFSeoul2017]6 Steps to Transform Enterprise ApplicationsDaniel Oh
 
Gerrit linuxtag2011
Gerrit linuxtag2011Gerrit linuxtag2011
Gerrit linuxtag2011thkoch
 
Intro to Git: a hands-on workshop
Intro to Git: a hands-on workshopIntro to Git: a hands-on workshop
Intro to Git: a hands-on workshopCisco DevNet
 
はじめての JFrog Artifactory
はじめての JFrog Artifactoryはじめての JFrog Artifactory
はじめての JFrog ArtifactoryTsuyoshi Miyake
 
WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?Weaveworks
 
Agnostic Continuous Delivery
Agnostic Continuous DeliveryAgnostic Continuous Delivery
Agnostic Continuous DeliveryHervé Leclerc
 
Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2
Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2
Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2Amrita Prasad
 
A Reference Architecture to Enable Visibility and Traceability across the Ent...
A Reference Architecture to Enable Visibility and Traceability across the Ent...A Reference Architecture to Enable Visibility and Traceability across the Ent...
A Reference Architecture to Enable Visibility and Traceability across the Ent...CollabNet
 
JavaCro'14 - Continuous delivery of Java EE applications with Jenkins and Doc...
JavaCro'14 - Continuous delivery of Java EE applications with Jenkins and Doc...JavaCro'14 - Continuous delivery of Java EE applications with Jenkins and Doc...
JavaCro'14 - Continuous delivery of Java EE applications with Jenkins and Doc...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Writing Commits for You, Your Friends, and Your Future Self
Writing Commits for You, Your Friends, and Your Future SelfWriting Commits for You, Your Friends, and Your Future Self
Writing Commits for You, Your Friends, and Your Future SelfAll Things Open
 
CI is dead, long live CI
CI is dead, long live CICI is dead, long live CI
CI is dead, long live CIFrédéric Lepied
 
PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...
PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...
PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...Puppet
 
Embracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetryEmbracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetryCyrille Le Clerc
 
CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)
CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)
CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)CloudBees
 
Build your android app with gradle
Build your android app with gradleBuild your android app with gradle
Build your android app with gradleSwain Loda
 
Preventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source SoftwarePreventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source SoftwareAll Things Open
 
Dev ops using Jenkins
Dev ops using JenkinsDev ops using Jenkins
Dev ops using JenkinsSynergetics Learning and Cloud Consulting
 
Jenkins Reviewbot
Jenkins ReviewbotJenkins Reviewbot
Jenkins ReviewbotYardena Meymann
 
Gerrit Workshop
Gerrit WorkshopGerrit Workshop
Gerrit WorkshopSteffen Gebert
 
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"Daniel Bryant
 
Building a Service Delivery Platform - JCICPH 2014
Building a Service Delivery Platform - JCICPH 2014Building a Service Delivery Platform - JCICPH 2014
Building a Service Delivery Platform - JCICPH 2014Andreas Rehn
 
Don't Fear the Autotools
Don't Fear the AutotoolsDon't Fear the Autotools
Don't Fear the AutotoolsScott Garman
 
Build and deploy scientific Python Applications
Build and deploy scientific Python Applications Build and deploy scientific Python Applications
Build and deploy scientific Python Applications Ramakrishna Reddy
 

Weitere ähnliche Inhalte

Was ist angesagt?

Gerrit linuxtag2011
Gerrit linuxtag2011Gerrit linuxtag2011
Gerrit linuxtag2011thkoch
 
Intro to Git: a hands-on workshop
Intro to Git: a hands-on workshopIntro to Git: a hands-on workshop
Intro to Git: a hands-on workshopCisco DevNet
 
はじめての JFrog Artifactory
はじめての JFrog Artifactoryはじめての JFrog Artifactory
はじめての JFrog ArtifactoryTsuyoshi Miyake
 
WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?Weaveworks
 
Agnostic Continuous Delivery
Agnostic Continuous DeliveryAgnostic Continuous Delivery
Agnostic Continuous DeliveryHervé Leclerc
 
Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2
Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2
Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2Amrita Prasad
 
A Reference Architecture to Enable Visibility and Traceability across the Ent...
A Reference Architecture to Enable Visibility and Traceability across the Ent...A Reference Architecture to Enable Visibility and Traceability across the Ent...
A Reference Architecture to Enable Visibility and Traceability across the Ent...CollabNet
 
Writing Commits for You, Your Friends, and Your Future Self
Writing Commits for You, Your Friends, and Your Future SelfWriting Commits for You, Your Friends, and Your Future Self
Writing Commits for You, Your Friends, and Your Future SelfAll Things Open
 
PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...
PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...
PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...Puppet
 
Embracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetryEmbracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetryCyrille Le Clerc
 
CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)
CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)
CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)CloudBees
 
Build your android app with gradle
Build your android app with gradleBuild your android app with gradle
Build your android app with gradleSwain Loda
 
Preventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source SoftwarePreventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source SoftwareAll Things Open
 
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"Daniel Bryant
 
Building a Service Delivery Platform - JCICPH 2014
Building a Service Delivery Platform - JCICPH 2014Building a Service Delivery Platform - JCICPH 2014
Building a Service Delivery Platform - JCICPH 2014Andreas Rehn
 

Was ist angesagt? (20)

Gerrit linuxtag2011
Gerrit linuxtag2011Gerrit linuxtag2011
Gerrit linuxtag2011
 
Intro to Git: a hands-on workshop
Intro to Git: a hands-on workshopIntro to Git: a hands-on workshop
Intro to Git: a hands-on workshop
 
はじめての JFrog Artifactory
はじめての JFrog Artifactoryはじめての JFrog Artifactory
はじめての JFrog Artifactory
 
WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?WTF is GitOps and Why You Should Care?
WTF is GitOps and Why You Should Care?
 
Agnostic Continuous Delivery
Agnostic Continuous DeliveryAgnostic Continuous Delivery
Agnostic Continuous Delivery
 
Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2
Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2
Puzzle ITC Talk @Docker CH meetup CI CD_with_Openshift_0.2
 
A Reference Architecture to Enable Visibility and Traceability across the Ent...
A Reference Architecture to Enable Visibility and Traceability across the Ent...A Reference Architecture to Enable Visibility and Traceability across the Ent...
A Reference Architecture to Enable Visibility and Traceability across the Ent...
 
JavaCro'14 - Continuous delivery of Java EE applications with Jenkins and Doc...
JavaCro'14 - Continuous delivery of Java EE applications with Jenkins and Doc...JavaCro'14 - Continuous delivery of Java EE applications with Jenkins and Doc...
JavaCro'14 - Continuous delivery of Java EE applications with Jenkins and Doc...
 
Writing Commits for You, Your Friends, and Your Future Self
Writing Commits for You, Your Friends, and Your Future SelfWriting Commits for You, Your Friends, and Your Future Self
Writing Commits for You, Your Friends, and Your Future Self
 
CI is dead, long live CI
CI is dead, long live CICI is dead, long live CI
CI is dead, long live CI
 
PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...
PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...
PuppetConf 2016: Using Puppet with Kubernetes and OpenShift – Diane Mueller, ...
 
Embracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetryEmbracing Observability in CI/CD with OpenTelemetry
Embracing Observability in CI/CD with OpenTelemetry
 
CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)
CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)
CI and CD Across the Enterprise with Jenkins (devops.com Nov 2014)
 
Build your android app with gradle
Build your android app with gradleBuild your android app with gradle
Build your android app with gradle
 
Preventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source SoftwarePreventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source Software
 
Dev ops using Jenkins
Dev ops using JenkinsDev ops using Jenkins
Dev ops using Jenkins
 
Jenkins Reviewbot
Jenkins ReviewbotJenkins Reviewbot
Jenkins Reviewbot
 
Gerrit Workshop
Gerrit WorkshopGerrit Workshop
Gerrit Workshop
 
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
MJC 2021: "Debugging Java Microservices Running on Kubernetes with Telepresence"
 
Building a Service Delivery Platform - JCICPH 2014
Building a Service Delivery Platform - JCICPH 2014Building a Service Delivery Platform - JCICPH 2014
Building a Service Delivery Platform - JCICPH 2014
 

Ähnlich wie It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.

Don't Fear the Autotools
Don't Fear the AutotoolsDon't Fear the Autotools
Don't Fear the AutotoolsScott Garman
 
Build and deploy scientific Python Applications
Build and deploy scientific Python Applications Build and deploy scientific Python Applications
Build and deploy scientific Python Applications Ramakrishna Reddy
 
Source Control with Domino Designer 8.5.3 and Git (DanNotes, November 28, 2012)
Source Control with Domino Designer 8.5.3 and Git (DanNotes, November 28, 2012)Source Control with Domino Designer 8.5.3 and Git (DanNotes, November 28, 2012)
Source Control with Domino Designer 8.5.3 and Git (DanNotes, November 28, 2012)Per Henrik Lausten
 
ELC-E 2016 Neil Armstrong - No, it's never too late to upstream your legacy l...
ELC-E 2016 Neil Armstrong - No, it's never too late to upstream your legacy l...ELC-E 2016 Neil Armstrong - No, it's never too late to upstream your legacy l...
ELC-E 2016 Neil Armstrong - No, it's never too late to upstream your legacy l...Neil Armstrong
 
Programming Sessions KU Leuven - Session 01
Programming Sessions KU Leuven - Session 01Programming Sessions KU Leuven - Session 01
Programming Sessions KU Leuven - Session 01Rafael Camacho Dejay
 
DevOps presentation
DevOps presentationDevOps presentation
DevOps presentationAxsh Co. LTD
 
Jenkins_1679702972.pdf
Jenkins_1679702972.pdfJenkins_1679702972.pdf
Jenkins_1679702972.pdfMahmoudAlnmr1
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?LOGINPHP360
 
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...ICS
 
7 Habits of Highly Effective Jenkins Users
7 Habits of Highly Effective Jenkins Users7 Habits of Highly Effective Jenkins Users
7 Habits of Highly Effective Jenkins UsersAndrew Bayer
 
The 10 Commandments of Release Engineering
The 10 Commandments of Release EngineeringThe 10 Commandments of Release Engineering
The 10 Commandments of Release EngineeringSolano Labs
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?LOGINPHP360
 
LCE13: Test and Validation Mini-Summit: Review Current Linaro Engineering Pro...
LCE13: Test and Validation Mini-Summit: Review Current Linaro Engineering Pro...LCE13: Test and Validation Mini-Summit: Review Current Linaro Engineering Pro...
LCE13: Test and Validation Mini-Summit: Review Current Linaro Engineering Pro...Linaro
 
LCE13: Test and Validation Summit: The future of testing at Linaro
LCE13: Test and Validation Summit: The future of testing at LinaroLCE13: Test and Validation Summit: The future of testing at Linaro
LCE13: Test and Validation Summit: The future of testing at LinaroLinaro
 
Reproducibility in artificial intelligence
Reproducibility in artificial intelligenceReproducibility in artificial intelligence
Reproducibility in artificial intelligenceCarlos Toxtli
 
Version Uncontrolled - How to Manage Your Version Control (whitepaper)
Version Uncontrolled - How to Manage Your Version Control (whitepaper)Version Uncontrolled - How to Manage Your Version Control (whitepaper)
Version Uncontrolled - How to Manage Your Version Control (whitepaper)Revelation Technologies
 
Continuous Integration
Continuous IntegrationContinuous Integration
Continuous IntegrationXPDays
 
Long Term Support the Eclipse Way
Long Term Support the Eclipse WayLong Term Support the Eclipse Way
Long Term Support the Eclipse WayRalph Mueller
 
What is the merge window?
What is the merge window?What is the merge window?
What is the merge window?Macpaul Lin
 

Ähnlich wie It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching. (20)

Don't Fear the Autotools
Don't Fear the AutotoolsDon't Fear the Autotools
Don't Fear the Autotools
 
Build and deploy scientific Python Applications
Build and deploy scientific Python Applications Build and deploy scientific Python Applications
Build and deploy scientific Python Applications
 
Source Control with Domino Designer 8.5.3 and Git (DanNotes, November 28, 2012)
Source Control with Domino Designer 8.5.3 and Git (DanNotes, November 28, 2012)Source Control with Domino Designer 8.5.3 and Git (DanNotes, November 28, 2012)
Source Control with Domino Designer 8.5.3 and Git (DanNotes, November 28, 2012)
 
ELC-E 2016 Neil Armstrong - No, it's never too late to upstream your legacy l...
ELC-E 2016 Neil Armstrong - No, it's never too late to upstream your legacy l...ELC-E 2016 Neil Armstrong - No, it's never too late to upstream your legacy l...
ELC-E 2016 Neil Armstrong - No, it's never too late to upstream your legacy l...
 
Programming Sessions KU Leuven - Session 01
Programming Sessions KU Leuven - Session 01Programming Sessions KU Leuven - Session 01
Programming Sessions KU Leuven - Session 01
 
DevOps presentation
DevOps presentationDevOps presentation
DevOps presentation
 
Jenkins_1679702972.pdf
Jenkins_1679702972.pdfJenkins_1679702972.pdf
Jenkins_1679702972.pdf
 
jenkins.pdf
jenkins.pdfjenkins.pdf
jenkins.pdf
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?
 
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
Software Update Mechanisms: Selecting the Best Solutin for Your Embedded Linu...
 
7 Habits of Highly Effective Jenkins Users
7 Habits of Highly Effective Jenkins Users7 Habits of Highly Effective Jenkins Users
7 Habits of Highly Effective Jenkins Users
 
The 10 Commandments of Release Engineering
The 10 Commandments of Release EngineeringThe 10 Commandments of Release Engineering
The 10 Commandments of Release Engineering
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?
 
LCE13: Test and Validation Mini-Summit: Review Current Linaro Engineering Pro...
LCE13: Test and Validation Mini-Summit: Review Current Linaro Engineering Pro...LCE13: Test and Validation Mini-Summit: Review Current Linaro Engineering Pro...
LCE13: Test and Validation Mini-Summit: Review Current Linaro Engineering Pro...
 
LCE13: Test and Validation Summit: The future of testing at Linaro
LCE13: Test and Validation Summit: The future of testing at LinaroLCE13: Test and Validation Summit: The future of testing at Linaro
LCE13: Test and Validation Summit: The future of testing at Linaro
 
Reproducibility in artificial intelligence
Reproducibility in artificial intelligenceReproducibility in artificial intelligence
Reproducibility in artificial intelligence
 
Version Uncontrolled - How to Manage Your Version Control (whitepaper)
Version Uncontrolled - How to Manage Your Version Control (whitepaper)Version Uncontrolled - How to Manage Your Version Control (whitepaper)
Version Uncontrolled - How to Manage Your Version Control (whitepaper)
 
Continuous Integration
Continuous IntegrationContinuous Integration
Continuous Integration
 
Long Term Support the Eclipse Way
Long Term Support the Eclipse WayLong Term Support the Eclipse Way
Long Term Support the Eclipse Way
 
What is the merge window?
What is the merge window?What is the merge window?
What is the merge window?
 

Mehr von All Things Open

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityAll Things Open
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best PracticesAll Things Open
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public PolicyAll Things Open
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...All Things Open
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashAll Things Open
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptAll Things Open
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?All Things Open
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractAll Things Open
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlowAll Things Open
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and SuccessAll Things Open
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with BackgroundAll Things Open
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblyAll Things Open
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksAll Things Open
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptAll Things Open
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramAll Things Open
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceAll Things Open
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamAll Things Open
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in controlAll Things Open
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsAll Things Open
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...All Things Open
 

Mehr von All Things Open (20)

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of Observability
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best Practices
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public Policy
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil Nash
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScript
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart Contract
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and Success
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with Background
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssembly
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in Haystacks
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit Intercept
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship Program
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open Source
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache Beam
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in control
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
 

Kürzlich hochgeladen

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 

Kürzlich hochgeladen (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

It’s 2021. Why are we -still- rebooting for patches? A look at Live Patching.

  • 1. A look at live patching It’s 2021. Why are we still rebooting for patches?
  • 2. Live Patching - How it started ● In 2006, Jeff Arnold, a student at MIT, started working on what would eventually become ksplice ● A way to apply changes, specifically security patches, to running Linux kernels without interrupting processes or users ● The motivation was a hacked system while a patch existed but couldn’t be applied in a timely fashion
  • 3. Live Patching - 15 years gone by, the same problem exists ● Deploying security patches on time is still heavily constrained by the availability of maintenance windows ● Patches for Critical or High-Priority vulnerabilities take, on average, 5 to 6 weeks to be deployed* ● That is a very large window of opportunity for malicious actors * “State of Enterprise Linux Security Management v2” - A study conducted by the Ponemom Institute, targeting IT leaders across different industries. This will be freely available for download at blog.tuxcare.com and other locations in the coming days.
  • 4. The underlying issue ● The way patch operations are done has not changed, even when the technology available has ● The rate at which new vulnerabilities appear has been steadily growing year-on-year ● System downtime is one of the big friction points between IT teams and other business units
  • 5. Compliance rules are changing • 30 days patch window is a "best practice" today o Shrunk from 6 months, to 3 months, to 1 month within a decade • Ransomware attacks are causing people to start questioning if that window is too long
  • 6. Live patching to the rescue ● Live patching is a better way to deploy patches ● This was recognized by different teams when kSplice was acquired and became focused solely on Oracle’s own distribution ● Three new projects, kPatch, kGraft and KernelCare, were started as alternatives
  • 7. The patches ● Replacing running code is not trivial, but simple function code changes are easier than bigger changes touching multiple functions ● Most vulnerabilities are fixed with one-liners: bounds-check, off-by-one, input validation ● As long as function signatures or data structures don’t change, live patching is easier
  • 8. The different Kernel facilities for Live Patching ● There are usually multiple ways to do something in the Linux Kernel ● Live patching follows this trend: ○ Livepatch - patch creation/loading ○ Ftrace - tracing/debugging tool repurposed to aid live patching by adding custom code at specific instructions ○ Kprobes - debugging tool repurposed to aid live patching with breakpoints in specific functions ○ eBPF - A mechanism to attach logic at certain hook points in the kernel
  • 9. Ftrace ● Tracing mechanism originally built to help developers writing code for the Kernel ● With it, you can add custom code handlers that run whenever a specific instruction is reached ● It can be used to redirect execution away from the “bad” function to the “corrected” version
  • 10. Kprobes ● Generic way of adding breakpoints at any instruction ● By setting the breakpoint at strategic locations before applying a patch, you can check if the function you want to change is in use (for example, by checking the stack) ● It’s desirable that the function being patched is not in use. Some tools will wait for the right opportunity to apply a live patch For more information: https://www.kernel.org/doc/html/latest/livepatch/livepatch.html
  • 11. How they all work together (or not) ● The most common way to use them is adding kprobe’s breakpoints inside of ftrace handler code at the start of the functions you want to change, then using livepatch to load the fixed code into the kernel memory space ● Some of their functionality conflicts with each other (some ftrace instructions can be overwritten by some livepatch calls, for example) ● Kprobes and ftrace are repurposed kernel facilities, not designed with live patching in mind ● Third-party live patching solutions will often have their own custom ways for achieving live patching
  • 12. Livepatch ● Eventually, the kPatch and kGraft project’s common features were merged into “livepatch” and included in the Linux Kernel ● Livepatch contains basic functionality for live patch creation and loading ● Some third-party tools for live patching use livepatch functionality, while others have opted for their own implementation to achieve the same goal For more information: https://www.kernel.org/doc/html/latest/livepatch/livepatch.html
  • 13. Patches - How they are created ● Like “regular” patches, it all starts with the code that fixes the problem ● Live patching specific issues are addressed: function signature changes, data structure changes, non maskable interrupts. These are some of the new concerns when creating these patches ● A binary “diff” between the running code and the new code has to be created and packaged in such a way that it can be deployed on different systems
  • 14. Consistency model ● The code execution should be in a “safe” situation before applying a patch ● You don’t want to replace a function when it’s in use, or active locks are originating from it, or memory assignments are not yet released ● Live patching tools will have mechanisms that “wait” for this safe situation to appear, and may even refuse to apply a patch if they can’t find one ● Maintaining consistency is one of the trickier parts of the process For more information: https://www.kernel.org/doc/html/latest/livepatch/livepatch.html#consistency-model
  • 15. Build environments ● Tiny differences in build environments can create big changes in binary outputs ● This means that binary “diffs” will be unusable ● Compiler, linker, and binutils changes like different versions or flags will all likely invalidate patch creation ● Every different kernel version or distribution supported by a live patching tool requires a different build environment
  • 16. Testing ● Live patches, like traditional patches, need to be tested ● Not just for actually fixing what they are supposed to fix, but also for unexpected side-effects of being deployed live ● It’s desirable to use extensive test automation when creating live patches and to continually expand the tests with validation for every new fix introduced ● Traditional Kernel tests* often not suitable for live patching integration *For more information: https://www.kernel.org/doc/html/latest/dev-tools/testing-overview.html
  • 17. Patch creation Loading into kernel memory space with a live patching provider-specific tool Enabling/activating the patch Maintaining the consistency of the kernel, the live patching tool will probably: Pause the process briefly Check if the function is in use or not If it’s safe, apply the code change to redirect the function to the new code. If not, retry later. Unpause the process Disabling/removing the patch Lifetime of a life patch
  • 18. Other ways to 'update' kernel without reboot ● Kexec lets you replace the running kernel with another ○ Requires a whole new kernel to be loaded and restarts the existing user space processes
  • 19. What about userspace? Patching one running process should be the same no matter what that process is Except: ● coroutines / schedulers need to be taken into account ● stack usage (exceptions?) need to be taken into account Services like databases or libraries like OpenSSL, glibc & QEMU would benefit from live patching.
  • 20. Creating a patch - Example (1/5) For more information and the complete test example: https://github.com/cloudlinux/libcare/blob/master/docs/internals.rst (under “Manual patch Creation”) Original code Patched code
  • 21. Creating a patch - Example (2/5) We want to compare the assembly code obtained through: For more information and the complete test example: https://github.com/cloudlinux/libcare/blob/master/docs/internals.rst (under “Manual patch Creation”) Looking at the changes with diff, we can see the added text and the code changes.
  • 22. Creating a patch - Example (3/5) Every live patching solution has its own scripts to aid in patch creation, and so does TuxCare’s. We use “kpatch_gensrc” to create a patch file from the binary diff: This will create a very long file with assembly code and special sections for the patch deployment tool. You can find the complete output at the github repository linked below. For more information and the complete test example: https://github.com/cloudlinux/libcare/blob/master/docs/internals.rst (under “Manual patch Creation”) (...)
  • 23. Creating a patch - Example (4/5) Now moving from assembly to the compiled code, using the special linker flag “-q” to store relocation information: For more information and the complete test example: https://github.com/cloudlinux/libcare/blob/master/docs/internals.rst (under “Manual patch Creation”) There is still a process for fixing relocations that is detailed in the github repository and not shown here. After that is done, the binary patch is finally obtained with: Some clean up is still needed:
  • 24. Creating a patch - Example (5/5) Applying the patch: For more information and the complete test example: https://github.com/cloudlinux/libcare/blob/master/docs/internals.rst (under “Manual patch Creation”) Note that the actual file on disk for the original process has not been touched, so that a restart would bring back the original behavior.
  • 25. Changing the status quo ● IT is usually very fast at adopting new technologies but rather slow at changing processes ● Live patching is reliable and proven — and a better way to deploy patches ● It doesn’t just shorten maintenance windows — it completely eliminates their use for patching
  • 26. Get in touch: Thank you! i@tuxcare.com @iseletsk