Copyright © 2019, Oracle and/or its affiliates. All rights reserved.
Ksplice for Oracle Linux: Kernel Patching without Reboot
Fritz Weinhappl, Presales Consultant Oracle Linux, Oracle VM & VirtualBox, 29 January 2019
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
1. Linux@Oracle
2. Features of Oracle Linux
3. Ksplice – Kernel Patching without downtime
4. Oracle Linux Premier Support
5. Discussion, Q & A
Linux@Oracle
Oracle and Linux: 20 Years of Investment
Linux history at Oracle:
1998: First commercial RDBMS for Linux
2000: First x64 Linux port
2002: Launch of Unbreakable Linux; asynchronous I/O, OCFS v1
2005: On Demand adopts x64 Linux; OCFS2 accepted into mainline; 9,000 developers switch to Oracle-supported Linux
2006: Oracle Linux Support announced; Oracle joins the Linux Foundation as a board member
2007: Validated Configurations launched
2008-9: Btrfs and Xen contributions; 42,000 Oracle Linux servers deployed at Oracle
2010: Oracle Linux enhanced with a mainline-based kernel; Oracle Linux undergoes 80,000 QA hours per day; Exadata engineered with Oracle Linux
2011: 7,000 Oracle Linux support customers; Oracle buys Ksplice
2012: Support lifecycle extended to 10 years; DTrace GA
2014: 12,000 customers; OpenStack announced
2016: 14,000 customers; Ksplice enhancements; Docker; OpenStack Release 2; Software Collections; Ceph Storage tech preview
2018: Oracle Linux Cloud Native Environment; OL 7.6 / OL 6.10; Ksplice for glibc/OpenSSL; Kubernetes support; Ceph Storage/FS support; Software Collections 3.2; Corosync/Pacemaker support
Linux data center workloads over the same period: development systems, single-use production deployments, general purpose, ERP/CRM, data warehouse, cloud computing, big data.
Oracle Linux - Innovate
• A platform for innovation – truly open, less restrictive, maximum freedom
– Oracle Linux is always free to use, free to distribute and free to update
– ISOs are publicly available
– Source code is directly and completely published in public git repos with all patches and commit logs left intact
– All errata are publicly available
• Customers choose which systems to cover by support subscriptions
• No complicated migration from free to paid
• No restrictive contracts or agreements
Oracle Linux - Collaborate (community, partners, customers)
– Oracle is an active contributor to multiple open source projects, including kernel.org
– The Oracle Linux playground publishes complete kernel builds that customers and partners can use in development environments to evaluate the latest upstream kernel features with real applications, such as the Oracle Database, on production releases of Oracle Linux
– We work with partners leveraging emerging open source projects to provide the maximum amount of choice for end users
– Binary compatibility means applications developed for Red Hat Enterprise Linux do not need to be recompiled for Oracle Linux, simplifying our collaboration with partners and allowing our ecosystem to grow year over year
Oracle Linux - Create
– Oracle Linux is ready to drive the next generation data center:
– Physical
– Virtual
– Public cloud
– Private cloud
– Hybrid cloud
– Embedded
– Engineered Systems
– 3rd-party solutions
Just for the Record… Linux Distributions
• Nobody owns Linux – not Oracle, not Red Hat, not SUSE
• Linux receives contributions from a variety of sources representing hardware and software vendors, as well as community supporters, for a variety of solutions
• Oracle Linux will focus on features important to enterprise customers
Features of Oracle Linux
Oracle Linux
• Always binary compatible with the corresponding Red Hat Enterprise Linux (RHEL) release.
– We build from the same source used to build RHEL.
• We keep the same options, and specifications (SPEC files) delivered in the source
• We sign the packages with our own key
• The only changes we make are changes needed to account for trademark issues
– Simplifies migrations for customers – no costly migration planning and complicated implementation
– Easy for partners – no need to recompile their application to work with Oracle Linux. If it runs on RHEL it will run on Oracle Linux. Keeps certifications simple.
– No Oracle products are developed or certified using RHEL; they use Oracle Linux, and Oracle provides a pass-through certification to Red Hat
Choice of Oracle Linux Kernels – Maintains Application Compatibility with RHEL

Unbreakable Enterprise Kernel (UEK):
• Developed using the latest stable kernel release from mainline/upstream
• Latest features and innovations
• No risky backports of new features into an old kernel
• Supported across multiple major versions of Oracle Linux
• Powers Oracle Engineered Systems and Oracle Cloud

OR

RHEL Compatible Kernel (RHCK):
• 100% binary compatible kernel
• Oracle supplies patches and updates
• Useful for customers that require 100% binary compatibility with the RHEL kernel

Both kernels run the RHEL application-binary-compatible userspace:
• 10+ years with no reported incompatibility
• 1000's of applications available
• Running on 100,000's of systems
Unbreakable Enterprise Kernel – The Latest Innovations from the Mainline Linux Kernel
• Developed using the latest stable kernel release from mainline/upstream
• Latest features and innovations
• No risky backports of new features into an old kernel
• Does not break application-level compatibility in userspace
• Used in all x86 Engineered Systems
• Current release: UEK R5, based on the mainline 4.14 LTS kernel
Oracle Linux Cloud Native Environment
• Open source software that tracks the Cloud Native Computing Foundation
– Rich set of software components for cloud native application devops
– Integrated into a unified operating environment
– Run in Oracle Cloud, other clouds, or on premises
• Available at Oracle Linux yum server or Oracle Container Registry
– Free to download and use on-premises and in the cloud
• Premier Support
– Backed by an industry-leading engineering and QA team
Oracle Linux Cloud Native Environment – continually enhanced as the technology evolves
App definition & development: Jenkins X, Helm, MySQL, Spark, Kafka
Observability & analysis: Prometheus, Fluentd, Crashcart
Orchestration & management: Kubernetes, Istio, Envoy
Runtime: Docker, Kata, CRI-O; CNI: Calico & Flannel; storage: Ceph, Gluster
Provisioning: Terraform, Vagrant, Ansible, Chef, Puppet, Clair, Notary
Ksplice – Kernel Patching without downtime
Industrialization of Hacking and Cybercrime
• Global cybercrime costs: $445 billion in 2016, $2 trillion projected for 2019
• Data records stolen in 2016: 1,378,509,261; number of data breaches in 2016: 1,792
• Criminal marketplaces offer 24/7 customer service, free trial attacks and no pre-payment
• Price list examples: US "fullz" (complete identity record) $40*; DDoS attack $7*; health insurance data $1,250
Source: breachlevelindex.com; havocscope.com
No One is Immune – Major Sectors Getting Hacked Every Day
Percentage of incidents by industry in 2016: Healthcare 35%, Financial Services 16%, Education 14%, Retail 13%, Other 9%, Professional Services 8%, Government 5%
Recent breaches in the government sector:
• Dec '15: 191M records, US voter database
• Dec '15: 25M records, US Office of Personnel Management
• Mar '16: 55M records, Philippines voters' data
• Mar '16: 275,000 records, Syrian government
• Mar '16: 100,000 records, IRS – US tax services
• Apr '16: 50M records, Turkish citizenship data
Source: BakerHostetler Data Security Incident Response Report, 2016
Business Case: Reboots are Disruptive, Incur Downtime and Cause Delays
Why use Ksplice? Avoid traditional patching procedures:
Security update released
1. System administrator negotiates with management to schedule outage windows
2. System administrator schedules downtime the following week
3. System administrator notifies users of planned downtime
…One week later
1. Shut down application server
2. Shut down database
3. Apply Linux OS update
4. Start up database
5. Start up application server
6. Sanity check application
…And another 4 hours later
1. Updates applied and tested
2. Back in business – typically over one week has passed since the first notification of the security update
Ksplice Hot Patching
• Easily diagnose issues without impacting running systems
• Apply updates without rebooting the system
• Only Ksplice applies userspace, kernel, and hypervisor patches
• Rapidly patch zero-day vulnerabilities with no downtime
• Enforce security standards: Keep critical systems patched with latest errata with no downtime
• Flexible deployment options to complement existing operational processes
• Ksplice is installed/configured by default for Oracle Linux instances in Oracle Cloud Infrastructure
• Battle tested: 1 million+ patches delivered – all Linux security patches delivered through Ksplice
Ksplice vs. Upstream Live Kernel Patching
• Ksplice is a complete service providing patches, management, and features that allow adaptation to many different customer workloads
– Ksplice updates do not change the kernel or system-library ABIs, so the running system is unaffected
– The updates are transparent to both running applications and third-party kernel modules
• The mainline kernel has carried the live-patching infrastructure (livepatch) since version 4.0, but that is only the mechanism: it does not supply the patches themselves, which a vendor still has to build, test and distribute
• Check your kernel for required security updates and apply them instantly
• Ksplice delivers all kernel security patches as rebootless updates
• Ksplice does not take the place of major kernel upgrades, but it avoids the downtime of intermediate updates between them
• Note for audits: uname -r keeps reporting the booted kernel version; once Ksplice updates are applied, uptrack-uname -r reports the effective (patched) version, which is what a vulnerability scanner that keys on the kernel version must be pointed at
ksplice.oracle.com/inspector - Check it yourself!
Ksplice – Hypervisor, Kernel and Userspace Zero Downtime Patching
Continuous Security for Your Cloud Infrastructure
[Figure: a continuous stream of security fixes and stability fixes applied to the running system]
Automatic Security & Compliance – 24x7
The system-call jump table
• The kernel's system-call table is an in-RAM array of function pointers, indexed by the __NR_* system-call numbers
• It is in RAM, and RAM can be changed: once you can write kernel memory, neither code nor pointer tables are fixed
• Ksplice builds on this fact, but it does not swap table entries; it works at the level of individual functions. The fix is compiled, the resulting object code is compared with the unpatched build, and every changed function is loaded into kernel memory alongside the old one. The first bytes of the old function are then overwritten with a jump to the new one, so every caller (the system-call table, other kernel functions, third-party modules) is redirected without being touched. The switch is made under stop_machine, after checking that no thread is currently executing inside a function being replaced, and the original bytes are kept so the update can be removed again
[Figure: kernel memory, with the entry of the old function replaced by "jump to" the new function]
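The mechanism shown in user space, as an added example (not Oracle's or Ksplice's code): a function old_handler standing in for a vulnerable kernel function is redirected to new_handler by overwriting its first five bytes with an x86 jmp rel32, and later restored from the saved bytes, which is what removing a Ksplice update does. The function names and their "vulnerable" arithmetic are invented for the demo; it assumes x86 (32- or 64-bit) Linux and that the text page can be made writable with mprotect (on any other architecture it reports that the demo is unsupported instead of patching). Unlike the kernel it needs no stop_machine: the program is single-threaded, so nothing can be executing old_handler while its entry is rewritten.

```c
/* Added example: user-space model of function-entry hot patching.
 * Not Ksplice's code; names and behaviour are invented for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PATCH_LEN 5   /* x86 "jmp rel32": opcode E9 + 32-bit displacement */

/* Stand-in for the vulnerable kernel function (hypothetical behaviour). */
__attribute__((noinline)) int old_handler(int x) { return x * 2; }
/* Stand-in for the fixed version shipped in the update. */
__attribute__((noinline)) int new_handler(int x) { return x * 2 + 1; }

/* Original entry bytes, kept so the patch can be reverted later. */
static unsigned char saved_entry[PATCH_LEN];

/* Make the page(s) covering [addr, addr+len) writable as well as executable.
 * The kernel can write its own text directly; user space needs mprotect. */
static int make_rwx(void *addr, size_t len) {
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* Overwrite the entry of old_fn with "jmp new_fn".
 * Returns 0 on success, -1 on error, -2 if this is not an x86 build. */
int hotpatch(void *old_fn, void *new_fn) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned char *entry = old_fn;
    /* rel32 is relative to the address following the 5-byte jmp. */
    intptr_t rel = (intptr_t)new_fn - ((intptr_t)old_fn + PATCH_LEN);
    if (rel > INT32_MAX || rel < INT32_MIN) return -1;   /* out of jmp range */
    if (make_rwx(old_fn, PATCH_LEN) != 0) return -1;
    memcpy(saved_entry, entry, PATCH_LEN);
    int32_t rel32 = (int32_t)rel;
    entry[0] = 0xE9;
    memcpy(entry + 1, &rel32, sizeof rel32);
    __builtin___clear_cache((char *)entry, (char *)entry + PATCH_LEN);
    return 0;
#else
    (void)old_fn; (void)new_fn;
    return -2;
#endif
}

/* Put the original entry bytes back (the "remove update" path). */
int unpatch(void *old_fn) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned char *entry = old_fn;
    memcpy(entry, saved_entry, PATCH_LEN);
    __builtin___clear_cache((char *)entry, (char *)entry + PATCH_LEN);
    return 0;
#else
    (void)old_fn;
    return -2;
#endif
}

/* Runs the full cycle: call, patch, call, revert, call.
 * Returns 1 if every step behaved as expected, 0 on a mismatch,
 * -1 if the architecture is unsupported (demo skipped). */
int run_hotpatch_demo(void) {
    /* Volatile function pointer: the compiler may not assume which function
     * is called, so every call really enters old_handler through its
     * (possibly patched) first bytes. */
    int (*volatile fp)(int) = old_handler;
    int before = fp(21);                                  /* 42: old code */
    int rc = hotpatch((void *)old_handler, (void *)new_handler);
    if (rc == -2) return -1;
    if (rc != 0) return 0;
    int after = fp(21);                                   /* 43: redirected */
    unpatch((void *)old_handler);
    int restored = fp(21);                                /* 42 again */
    printf("before=%d after=%d restored=%d\n", before, after, restored);
    return (before == 42 && after == 43 && restored == 42) ? 1 : 0;
}

int main(void) {
    int r = run_hotpatch_demo();
    if (r < 0) { puts("unsupported architecture, demo skipped"); return 0; }
    return r == 1 ? 0 : 1;
}
```

Build with cc -O2 hotpatch.c and run it; the call through fp changes its result while the patch is in place and returns to the original once the saved bytes are restored. The two things the kernel version must add are visible by their absence here: a check that no thread is stopped inside old_handler (Ksplice inspects every thread's stack under stop_machine), and the fact that the new code must live within 32-bit jump range of the old, which is why the replacement functions are loaded into the kernel's own address space as a module.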
Demo
Live demo:
Oracle Linux 7.4 – UEK R4 4.1.12-94.3.9 (release date: Aug. 2017)
~300 kernel patches available
Demo with CVE 14489 (DoS that crashes the OS)
Oracle Linux Premier Support
Enterprise-Class Linux Support
• 24x7 global coverage
• 145 countries
• 29 local languages
• Feature rich interface “My Oracle Support”
• Administer issues through traditional web browser or via mobile access portal
• Proactive support program
• Advanced Customer Service Features
• Technical Account Manager (TAM)
• Onsite or remote consulting services
Oracle Linux
• 24x7 enterprise-class Linux support
– Modeled after Unix support
– Defined to provide support not only for mission-critical applications, such as the Oracle Database, but for any workload
– Support by experts who not only understand the Linux operating platform, but also specialists who know Database, Middleware and other application solutions
• When using Oracle products, customers receive a single point of contact for all their Oracle-related issues
– Backed by the Oracle Linux engineering, QA and product teams
• We have no dependency on Red Hat to provide support and code fixes to end users
• If a customer reports an issue in Oracle Linux, we fix it. Period.
Oracle Linux Support
• Oracle only counts physical sockets
• No limit on cores or number of virtual guests
Support levels:
• Premier Limited: 24x7, unlimited support, systems with 2 or fewer CPUs (sockets)
• Premier: 24x7, unlimited support, systems with more than 2 CPUs (sockets)
Discussion, Q & A