Kpatch Gets Exposure This Week, kGraft Misses Out
This week at LinuxCon Chicago are two talks about Red Hat's Kpatch live kernel patching solution to reduce downtime. However, there aren't any scheduled talks about SUSE's kGraft solution with neither yet being in the mainline kernel.
On Thursday at the Sheraton in Chicago will be the "Kpatch Without Stop Machine" presentation by Hitachi's Masami Hiramatsu while on Friday afternoon will be "kpatch: Have Your Security And Eat It Too!" by Red Hat's Josh Poimboeuf.
Kpatch is still aiming to be an upstream Linux kernel feature for live kernel patching to reduce system downtime. Red Hat has already declared their solution "stable and useful" while being 100% self-contained with support for Fedora, Ubuntu, Debian, Arch, and (unofficially) on Red Hat Enterprise Linux 7 and other EL7 variants.
Kpatch features support for patch rollback, patch on reboot, stacking multiple patches, atomic patch upgrades, module patching, and other functionality, but right now it only works for about ~80% of the CVE security patches against the kernel and will only work on Intel/AMD x86_64 kernels.
Before those new to live kernel patching think this will mean never ever rebooting your system again or you'll be able to jump to new major revisions of the kernel without reboots, Red Hat cautions that Kpatch requires a human to analyze each patch prior to using it against Kpatch to ensure it's safe to apply in a live patching context -- the same safety procedure is also applicable to kGraft and Ksplice.
Those wishing to learn more about Kpatch but are unable to make it to LinuxCon North America this week in Chicago, the two Kpatch presentation slides have already been uploaded here and here.
On Thursday at the Sheraton in Chicago will be the "Kpatch Without Stop Machine" presentation by Hitachi's Masami Hiramatsu while on Friday afternoon will be "kpatch: Have Your Security And Eat It Too!" by Red Hat's Josh Poimboeuf.
Kpatch is still aiming to be an upstream Linux kernel feature for live kernel patching to reduce system downtime. Red Hat has already declared their solution "stable and useful" while being 100% self-contained with support for Fedora, Ubuntu, Debian, Arch, and (unofficially) on Red Hat Enterprise Linux 7 and other EL7 variants.
Kpatch features support for patch rollback, patch on reboot, stacking multiple patches, atomic patch upgrades, module patching, and other functionality, but right now it only works for about ~80% of the CVE security patches against the kernel and will only work on Intel/AMD x86_64 kernels.
Before those new to live kernel patching think this will mean never ever rebooting your system again or you'll be able to jump to new major revisions of the kernel without reboots, Red Hat cautions that Kpatch requires a human to analyze each patch prior to using it against Kpatch to ensure it's safe to apply in a live patching context -- the same safety procedure is also applicable to kGraft and Ksplice.
Those wishing to learn more about Kpatch but are unable to make it to LinuxCon North America this week in Chicago, the two Kpatch presentation slides have already been uploaded here and here.
Add A Comment