After my first blog post there were a few comments as to why such a thing would be required. I'll be the first to admit that when Ksplice was still around I felt it better to have a redundant setup which you could perform rolling reboots on. That is still true in many cases. But with OpenStack based public clouds a reboot means that customers sitting on top of that hardware will have their virtual machines shut down or suspended. This is not ideal when with big iron machine you can have 20 or more customers to one server. A good live kernel patching solution means that in such a scenario the worst case would be a kernel pause for a few seconds.
In all cases my initial testing was to create a patch which would modify the output of /proc/meminfo. This is very simple and doesn't go as far as testing what would happen patching a busy function under load but at least gets the basics out of the way.
Ksplice
As previously discussed, Ksplice was really the only toolkit to do live kernel patching in Linux for a long time. Unfortunately since the Oracle acquisition there have been no Open Source updates to the Ksplice codebase. In my research I found a Git repository for kSplice which had recent updates to it. I tried using the with Fedora 20 but my guess is either Fedora does something unique with the kernels or it is just too outdated for modern 3.x Linux kernels. My attempts to compile the patches hit several problems inside the toolset which could not easily be resolved.
kGraft
After Ksplice I moved on to kGraft. This takes on a similar approach to Ksplice but uses much newer techniques. Of all the solutions I believe the technology in kGraft is the most advanced. It is the only solution that is capable of patching a kernel without pausing it first. To use this solution there is a requirement for now to use SUSE's kGraft kernel tree. I tested this on an OpenSUSE installation so I could be close to the systems it was designed on. Unfortunately whilst the internals are quite well documented, the toolset is not. After several attempts I could not find a way to get this solution to work end-to-end. I do think this solution has massive potential, especially if it gets added to the mainline kernel. I hope in the future the documentation is improved and I can revisit this.
kpatch
Finally I tried Red Hat's kpatch. This solution was released around the same time as kGraft and likewise is in a development stage with warnings that it probably shouldn't be used in production yet. The technology again is similar to Ksplice with more modern approaches but what really impressed me is the ease-of-use. The kpatch source does not require compiling as part of the kernel, it can be compiled separately and is just a case of 'make && make install'. The toolset will take a standard unified diff file and using this will compile the required parts of the kernel to create the patch module. Whilst this sounds complex it is a single command to do this. Applying the patch to the kernel is equally as easy. Running a single command will do all the required steps and apply the patch.
Conclusion
If public clouds with shared hardware and going to continue to grow this should be a technology that is invested in. I was very quickly drawn to Red Hat's solution because they have put a high priority on how the user would interact with the toolset. I'm sure many Devops engineers will appreciate that. What I would love to see is kGraft's technology combined with kpatch's toolset. This will certainly be an interesting field to watch as both projects mature.
No comments:
Post a Comment
Note: only a member of this blog may post a comment.