Linux Patching

Infra

UNIX

Linux

Linux Lifecycle

Bibliography & References

Live Patching

None of the main live patching solutions (Ksplice, kpatch, kGraft) are really "zero downtime", just "deferred downtime"... patch now, reboot later (i.e. an outage window is mandatory, Ksplice/kpatch/kGraft does not avoid it)... if it's a 24/7 system and patching can't wait until a regular/scheduled outage window then you probably want live patching... but then, if it's a 24/7 system why doesn't it have some redundancy designed in?... innodb clusters (MySQL), Data Guard or RAC (Oracle), AlwaysOn (MS-SQL)... or, for non-database servers, redundant webservers and file servers fronted by load balancers etc...

InnoDB Cluster

Oracle Data Guard

MSSQL Availability

Ksplice

Cost

Ksplice is available for Oracle Linux, free of charge, for Oracle Linux customers with a Premier support subscription (3)

Advantages

Ksplice can patch almost any part of the kernel, while kpatch can only patch functions. (2)
Ksplice offers user space patching, which allows users to patch critical components such as glibc and openssl. (2)
Ksplice also offers more comprehensive safety checks to ensure that users cannot call removed functions. (2)

Limitations

Ksplice cannot patch applications that use either setcontext or swapcontext from glibc to perform user space context switching between process threads. (1)
Because of certain kernel limitations, Ksplice does not patch the init process (PID 1 ). (1)

kpatch

Limitations

Only patches kernel functions

Bibliography & References

https://unix.stackexchange.com/questions/32611/how-to-update-kernel-without-reboot-ksplice-alternativehttps://www.redhat.com/en/topics/linux/what-is-linux-kernel-live-patching
Oracle Autonomous Linux 8https://blogs.oracle.com/cloud-infrastructure/post/self-patching-autonomous-linux-8
ksplice (Oracle Linux)https://support.oracle.comOracle Linux Ksplice Support with Oracle Database (Doc ID 2312257.1)http://www.oracle.com/us/technologies/linux/ksplice-datasheet-487388.pdfhttps://www.oracle.com/a/ocom/docs/oracle-ksplice-flier.pdfhttp://www.oracle.com/us/technologies/linux/product/comparisons/index.html(2) https://www.techtarget.com/searchdatacenter/tip/How-to-choose-a-live-kernel-patching-extension(3) https://www.oracle.com/linux/technologies/updating-system-with-ksplice.html
Livepatch (Ubuntu/Amazon Linux)
kexec
kpatch (Red Hat)http://rhelblog.redhat.com/2014/02/26/kpatch/https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/kernel_administration_guide/applying_patches_with_kernel_live_patchinghttps://www.admin-magazine.com/Articles/Live-Kernel-Update-Tools (2014)
kgraft (SUSE)http://www.zdnet.com/suse-gets-live-patching-7000036126/https://www.suse.com/products/live-patching/https://www.admin-magazine.com/Articles/Live-Kernel-Update-Tools (2014)
KernelCare (CentOS, RHEL, Oracle Linux, Debian, Ubuntu, Amazon Linux)