Keeping production servers up-to-date with the latest security patches is critically important in the ongoing battle against would-be attackers. Installing Linux kernel patches typically requires a server reboot to fully install and reload key components, which can be a problem for production servers, especially if it's a public-facing Web site or mission-critical data center.
Ksplice has recently announced their subscription-based Uptrack service providing rebootless updates for a wide range of Linux distributions including Red Hat Enterprise Linux, CentOS, Debian, Ubuntu, Virtuozzo Containers and OpenVZ. Uptrack provides hosting and data center customers the ability to keep systems updated with new security patches almost as soon as they're released without the need to reboot.
How Ksplice Uptrack works
Installing the software consists of loading the client software on the server you wish to have managed. In the case of Virtuozzo or OpenVZ, this would be a one-time install on the host as these solutions use a shared kernel approach to virtualization. Other virtualization solutions such as Xen or KVM require loading the software on the guest OS as they don't share a kernel. This is true for any traditional server running directly on dedicated hardware.
Behind the scenes is a two-step process. First, Ksplice Uptrack compiles the kernel twice – once without patches and then with patches applied. These kernel images are then compared to detect the changes. It's essentially a diff of the two images resulting in a set of binary chunks. The changes are then packaged into a rebootless update by inserting jump instructions into the locations where code changed to execute the patched code.
The client software on the server runs periodically as determined by the system administrator. It does not hang around in memory but will run as frequently as necessary. It checks for any available updates and then applies them if needed. The client software runs with root privileges and does a series of checks to ensure that the patch has been properly received. Once the checks have been verified, it takes exclusive control of the machine, copies the patches into the proper memory locations and then exits.
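The two steps described above, a byte-level diff of the unpatched and patched builds packaged into chunks, followed by checks before the changed bytes are copied into place, as an added Python example. This is not Ksplice code and not how Uptrack is actually implemented; the image bytes, the chunk format, and the rule that an update is refused when the base-image digest or the pre-patch bytes do not match are assumptions introduced for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List

# Constructed stand-ins for the two compiled kernel images (not real kernel code).
UNPATCHED_IMAGE = b"syscall_a: NOCHECK  ; syscall_b: ok"
PATCHED_IMAGE = b"syscall_a: CHECKLEN ; syscall_b: ok"


@dataclass
class Chunk:
    """One changed region: where it lives, what was there, what replaces it."""
    offset: int
    old: bytes
    new: bytes


@dataclass
class RebootlessUpdate:
    """Packaged update: digest of the build it was made against plus the chunks."""
    base_digest: str
    chunks: List[Chunk] = field(default_factory=list)


def diff_images(unpatched: bytes, patched: bytes) -> RebootlessUpdate:
    """Compare the two builds byte-for-byte and collect runs of differing bytes.

    Assumes both builds are the same length (an in-place replacement diff);
    the real tool works at function-level granularity rather than raw bytes.
    """
    if len(unpatched) != len(patched):
        raise ValueError("images differ in length; in-place diff not possible")
    chunks: List[Chunk] = []
    i, n = 0, len(unpatched)
    while i < n:
        if unpatched[i] == patched[i]:
            i += 1
            continue
        start = i
        while i < n and unpatched[i] != patched[i]:
            i += 1
        chunks.append(Chunk(start, unpatched[start:i], patched[start:i]))
    return RebootlessUpdate(hashlib.sha256(unpatched).hexdigest(), chunks)


def can_apply(target: bytes, update: RebootlessUpdate) -> bool:
    """Pre-apply checks (assumed policy): the running image must be exactly the
    build the update was made for, and every chunk's pre-patch bytes must still
    be in place at the expected offset."""
    if hashlib.sha256(target).hexdigest() != update.base_digest:
        return False
    return all(target[c.offset:c.offset + len(c.old)] == c.old for c in update.chunks)


def apply_update(target: bytes, update: RebootlessUpdate) -> bytes:
    """Copy the chunks in only after the checks pass; otherwise refuse loudly."""
    if not can_apply(target, update):
        raise ValueError("update does not match the running image; refusing to apply")
    image = bytearray(target)
    for c in update.chunks:
        image[c.offset:c.offset + len(c.new)] = c.new
    return bytes(image)


def demo() -> bytes:
    """Build the update from the two images, report the chunks, and apply it."""
    update = diff_images(UNPATCHED_IMAGE, PATCHED_IMAGE)
    print(f"{len(update.chunks)} chunk(s): "
          + ", ".join(f"@{c.offset} {c.old!r} -> {c.new!r}" for c in update.chunks))
    return apply_update(UNPATCHED_IMAGE, update)


if __name__ == "__main__":
    print(demo())
```

The point of `can_apply` is the same as the client's pre-apply checks in the text: a chunk built for one kernel build must never be written into a different one, so the update carries a digest of the image it was diffed against and the apply step verifies both the digest and the bytes it is about to overwrite.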
Receiving the update packages assumes the machine has direct access to the Ksplice servers. This can be configured to operate via a proxy or by opening up specific ports in the company firewall. Ksplice works directly with each customer to determine the most secure way to provide access to their update servers.
Using Ksplice Uptrack: Customer perspective
The most obvious target for this type of product is hosting providers with Web-facing, always-on applications. Taking a revenue-generating website offline for maintenance with any regularity translates into potential lost customers. Web-facing systems must also be kept up-to-date with the latest security patches unless you want to leave the system open to attack. Ksplice Uptrack addresses both of these problems in a way that makes the life of the hosting provider much simpler.
Alexander McMillen is President and CEO of Sliqua Enterprise Hosting in Burke, VA. "We've been trial testing five OpenVZ-based systems and so far it works great. We loaded the software on one system that had been up for around twenty days, and it promptly patched something like twenty security holes," says McMillen. Sliqua provides hosting services for small-to-medium sized customers needing an always-on Web presence. Their focus is on companies whose websites are their primary source of income and which therefore have a high uptime requirement.
"We also loaded the software on a server that had been up for around 200 days, and it didn't miss a beat," says McMillen. Keeping the machines running without any hiccups is the key feature of Ksplice Uptrack. The Ksplice Uptrack tool and service specifically target the kernel and don't apply any updates to applications. Because application updates typically don't require a system reboot, they can be applied in the normal fashion.
Ksplice Uptrack provides a truly rebootless kernel update solution that should meet the needs of even the most demanding environment. It does the job of keeping your systems patched and up-to-date for security automatically, so you don't have to.
ABOUT THE AUTHOR: Paul Ferrill has a BS and MS in electrical engineering and has been writing about computers for over twenty years. He's had articles published in PC Magazine, PC Computing, InfoWorld, Computer World, Network World, Network Computing, Federal Computer Week, Information Week, and multiple Web sites.