a file with the --diffext option in which the changes have already been completed. On top of this, the program
needs a ksplice subdirectory in the kernel tree, where the administrator stores both the kernel configuration
and the symbol table (see Figure 3).
Figure 3: To prepare Ksplice, the administrator types ksplice-create in the kernel source directory and specifies
the patch type. Ksplice then builds the old and new kernels and bundles the changes into an update module.
Depending on the system you are using, the first phase can take a while, because Ksplice builds two complete kernels: one from the unpatched source in ksplice/pre and one from the patched source in ksplice/post. It then compares the compiled object code of the two builds, extracts the functions whose code has changed, and packages them into two kernel modules: a primary module that carries the replacement code, and a helper module that is used only to verify that the running kernel really matches the pre build before anything is changed.
Piece of Cake 3
By calling ksplice-apply, you apply the hotfix. The program first loads the modules and checks that the code in the running kernel matches the pre build, then waits for a safe moment: using the kernel's stop_machine facility, it verifies that no thread has one of the functions being replaced on its stack. If it finds such a moment, it redirects each old function to its replacement via a trampoline; if it cannot find one after several attempts, the update is abandoned rather than applied unsafely. Once the trampolines are in place, the helper module is unloaded to free memory, while the primary module stays resident because the new code lives in it.
Patch Management
Ksplice can also update a kernel that has already been hot-patched. To do so, the earlier patches must already be present in the source tree's pre directory, so that the new diff is computed against the code that is actually running. ksplice-create and ksplice-apply take the existing trampolines into account and adjust them accordingly. The same bookkeeping makes it possible to undo an update with ksplice-undo, because Ksplice keeps the original bytes and addresses of every function it has redirected. ksplice-view lists the updates currently applied to the running kernel.
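The two steps described above, redirecting an in-use function through a trampoline and later undoing it by restoring the saved bytes, can be shown in user space. The following is an added example written for this article and is not Ksplice's own code: it assumes x86-64 Linux, that the text page can be remapped with mprotect(2), and a single thread, so the "safe moment" that Ksplice has to find with stop_machine is trivially given. The functions checksum_pre and checksum_post and the sample buffer are constructed for the demonstration.

```c
#if !defined(__x86_64__)
#error "this trampoline demo encodes an x86-64 jmp rel32 and only runs there"
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define STUB_LEN 5   /* size of an x86-64 `jmp rel32` instruction */

/* Constructed sample input; not from the article. */
static const unsigned char sample[] = "ksplice";

/* "pre" version of the function, standing in for code in the running kernel. */
static __attribute__((noinline)) int checksum_pre(const unsigned char *buf, size_t len)
{
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    return (int)sum;              /* unbounded byte sum */
}

/* "post" version from the patched tree: same signature, truncates to a byte. */
static __attribute__((noinline)) int checksum_post(const unsigned char *buf, size_t len)
{
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    return (int)(sum & 0xff);
}

/* Original bytes of the patched function, kept so the update can be undone. */
static unsigned char saved_bytes[STUB_LEN];

/* Change protection of the page(s) holding [addr, addr+len).  PROT_EXEC is kept
 * throughout: this function may share a page with the code it is patching, so
 * dropping exec permission could fault inside the patcher itself. */
static int set_text_perms(uintptr_t addr, size_t len, int prot)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = addr & ~(page - 1);
    return mprotect((void *)start, (addr + len) - start, prot);
}

/* Redirect every call of `from` to `to` by writing `jmp rel32` over its first
 * bytes.  Returns 0 on success, -1 if the target is out of rel32 range or the
 * page could not be remapped. */
static int install_trampoline(uintptr_t from, uintptr_t to)
{
    int64_t rel = (int64_t)to - (int64_t)(from + STUB_LEN);
    if (rel > INT32_MAX || rel < INT32_MIN)
        return -1;
    if (set_text_perms(from, STUB_LEN, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(saved_bytes, (const void *)from, STUB_LEN);  /* remember for undo */
    unsigned char stub[STUB_LEN] = { 0xE9 };            /* opcode of jmp rel32 */
    int32_t rel32 = (int32_t)rel;
    memcpy(stub + 1, &rel32, sizeof rel32);             /* little-endian on x86 */
    memcpy((void *)from, stub, STUB_LEN);               /* the actual hot patch */
    return set_text_perms(from, STUB_LEN, PROT_READ | PROT_EXEC);
}

/* Undo: put the saved bytes back, as ksplice-undo does for a whole update. */
static int remove_trampoline(uintptr_t from)
{
    if (set_text_perms(from, STUB_LEN, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy((void *)from, saved_bytes, STUB_LEN);
    return set_text_perms(from, STUB_LEN, PROT_READ | PROT_EXEC);
}

/* Call checksum_pre through a volatile pointer so the compiler cannot inline
 * or constant-fold the call; this stands in for the kernel's existing callers,
 * which keep using the old address and are redirected by the trampoline. */
static int run_checksum(void)
{
    int (*volatile fn)(const unsigned char *, size_t) = checksum_pre;
    return fn(sample, sizeof sample - 1);
}

int main(void)
{
    printf("before patch: %d\n", run_checksum());      /* 747 */
    if (install_trampoline((uintptr_t)checksum_pre, (uintptr_t)checksum_post) != 0) {
        perror("install_trampoline");
        return 1;
    }
    printf("after patch:  %d\n", run_checksum());      /* 235 */
    if (remove_trampoline((uintptr_t)checksum_pre) != 0) {
        perror("remove_trampoline");
        return 1;
    }
    printf("after undo:   %d\n", run_checksum());      /* 747 */
    return 0;
}
```

The saved_bytes array is the user-space counterpart of the bookkeeping that lets ksplice-undo work: without the original bytes the redirection could not be reversed. In the kernel the write of the five stub bytes happens while all other CPUs are stopped, which is what makes the patch atomic with respect to callers already in flight.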
On his website, Ksplice author Jeffrey Brian Arnold describes another application scenario for the tool: debugging the running kernel. If you just want to add a couple of printk() calls at various points to inspect data structures that are otherwise hard to reach, Ksplice offers a simple way of injecting them into a live system. This approach does not scale to more complex instrumentation, however, where dynamically loadable modules, Kprobes, or SystemTap are the better tools.
Patented Approach?
Developers have pointed out that Microsoft filed a patent application with the US Patent and Trademark Office (USPTO) in December 2002 titled "Patching of In-Use Functions on a Running Computer System." The USPTO rejected the application; Microsoft appealed and filed a series of further applications, including one for "Efficient Patching" (USPTO publication 20050257208).
In response, half a dozen developers pointed out in various forums that this technique was common knowledge on platforms ranging from the PDP-11 to current PCs long before the application was filed.
Clever Helper for Some Scenarios
Ksplice includes clever mechanisms for applying kernel updates at the binary level without a reboot. Despite the automated code comparison and address bookkeeping, administrators still need to decide on a case-by-case basis whether a given patch is suitable for the tool: changes confined to function code are handled well, but patches that alter data structures or the meaning of state already held by the running kernel require manual attention. Ksplice is useful for simple cases, but it is no replacement for a hardware failover solution in situations that demand high availability.