Home
Tokyo University of Technology - server sponsor
Flexible Distributed Linux Kernel Live Patching
[https://www.kernel.org/doc/Documentation/livepatch/livepatch.txt livepatch] is a Linux kernel facility that allows to build a kernel module to update a running kernel without requiring a reboot.
Elivepatch is a client-server infrastructure to automate the creation and distribution of those modules.
- Resource-constrained updates ** Distributed live patch building ** Incremental live patch (You can build live patch over the previous one)
- Automatic no-reboot updates for [https://github.com/nluedtke/linux_kernel_cves security CVE]
The software is mainly two components:
- elivepatch-client: Client to be run on the machines to be updated.
- elivepatch-server: Server in charge of building the livepatch modules.
The two use a RESTful API for receiving the kernel ''configuration'' and a source 'diff' and generate a livepatch module out of it using kpatch
emerge -1 sys-apps/elivepatch-server
This will install the init.d file under {{Path|/etc/init.d/elivepatch}} and the conf.d under {{Path|/etc/conf.d/elivepatch}}.
From the conf.d file you can change the elivepatch daemon user and permission (by default is {{c|root}}).
You can start elivepatch-server on machine startup with:
{{RootCmd|rc-config add elivepatch-server default}}
The machine will need to have enough space to build several kernels and the toolchains used to build the original kernel.
{{Emerge|sys-apps/elivepatch-client}}
The client is as well a Python program.
{{RootCmd|elivepatch --config <file.config> --patch <example.patch> --url <elivepatch-server_url:elivepatch-server_port>}}
The '''example.patch''' is a diff from the original kernel sources the '''file.config''' belongs to (the elivepatch-client figures out the kernel version from it).
The command will contact the elivepatch server and request a livepatch module matching the patch provided.
{{RootCmd|elivepatch --cve --kernel <kernel_version> --url elivepatch-server-url:port}}
It will automatically produce a '''cve.patch''' from the CVE advisories for the current running kernel and request a ''livepatch'' module.
It could be used as a cron job command to keep an always-on machine up to date security-wise.
''elivepatch'' uses '''kpatch''' under the hood and the system has the following limitations:
- [https://github.com/dynup/kpatch/blob/master/doc/patch-author-guide.md#change-the-code-which-uses-the-data-structure Patch that change data structure]
- [https://github.com/dynup/kpatch/blob/master/doc/patch-author-guide.md#use-a-kpatch-load-hook Change content of existing variable]
- [https://github.com/dynup/kpatch/blob/master/doc/patch-author-guide.md#use-a-shadow-variable Add field to existing data structure]
- Init code changes are incompatible with kpatch
- [https://github.com/dynup/kpatch/blob/master/doc/patch-author-guide.md#header-file-changes Header file changes]
- [https://github.com/dynup/kpatch/blob/master/doc/patch-author-guide.md#dealing-with-unexpected-changed-functions Dealing with unexpected changed functions]
- [https://github.com/dynup/kpatch/blob/master/doc/patch-author-guide.md#removing-references-to-static-local-variables Removing references to static local variables]
- [https://github.com/dynup/kpatch/blob/master/doc/patch-author-guide.md#code-removal Code removal]
The '''livepatch''' generation process needs a toolchain matching the one used to build the original kernel. Depending on the number of system to serve, this will require a large collection of gcc.
Automated live patching creation needs to trust the '''diff''' provided. It is advised to keep the process containerized. For this purpose Docker images are being worked on.
This project is part of GSoC 2017 and the code is written by User:Alicef mentored by User:Gokturk
Written code:
- kpatch ebuild merged in the Gentoo official repository
- elivepatch client
- elivepatch server
- Official Gentoo repository elivepatch merge pull-request
Reports: