Ksplice for Oracle Linux: Kernel Patching without Reboot · Ksplice vs. Upstream Live Kernel Patching • Ksplice is a complete service providing patches, management, and features that

Copyright © 2019, Oracle and/or its affiliates. All rights reserved.

Ksplice for Oracle Linux: Kernel Patching without Reboot

Fritz Weinhappl, Presales Consultant Oracle Linux, Oracle VM & VirtualBox, 29.1.2019


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Program Agenda

1. Linux@Oracle

2. Features of Oracle Linux

3. Ksplice – Kernel Patching without downtime

4. Oracle Linux Premier Support

5. Discussion, Q & A


Linux History at Oracle: Oracle and Linux, 20 Years of Investment

(Timeline chart, 1998 to 2018. The vertical axis shows Linux data center workloads growing from Development Systems and Single Use Production Deployments through General Purpose, ERP/CRM and Data Warehouse to Cloud Computing and Big Data.)

1998: First Commercial RDBMS for Linux

2000: First x64 Linux Port

2002: Launch of Unbreakable Linux; Asynch I/O, OCFS v1

2005: On Demand Adopts x64 Linux; OCFS2 Accepted Into Mainline; 9,000 Developers Switch to Oracle Supported Linux

2006: Oracle Linux Support Announced; Oracle Joins Linux Foundation as Board Member

2007: Validated Configurations Launched

2008-9: Btrfs, Xen Contributions; 42,000 Oracle Linux Servers Deployed at Oracle

2010: Oracle Linux Enhanced with Mainline-based Kernel; Oracle Linux Undergoes 80,000 QA Hours Per Day; Exadata Engineered with Oracle Linux

2011: 7,000 Oracle Linux Support Customers; Oracle Buys Ksplice

2012: Support Lifecycle Extended to 10 Yrs; DTrace GA

2014: 12,000 customers; OpenStack announced

2016: 14,000 customers; Ksplice Enhancements; Docker; OpenStack Release 2; Software collections; Ceph Storage Tech preview

2018: OL Cloud Native Env.; OL7.6 / OL6.10; Ksplice glibc/OpenSSL; Kubernetes Support; Ceph Storage/FS Support; Software collections 3.2; Corosync/Pacemaker Supp.


Oracle Linux - Innovate

• A platform for innovation – truly open, less restrictive, maximum freedom

– Oracle Linux is always free to use, free to distribute and free to update

– ISOs are publicly available

– Source code is directly and completely published in public git repos with all patches and commit logs left intact

– All errata are publicly available

• Customers choose which systems to cover by support subscriptions

• No complicated migration from free to paid

• No restrictive contracts or agreements


Oracle Linux - Collaborate: Community, Partners, Customers

– Oracle is an active contributor to multiple open source projects, including kernel.org

– The Oracle Linux playground publishes complete kernel builds that can be used in development environments by customers and partners to evaluate the latest upstream kernel features with real applications, such as the Oracle Database on production releases of Oracle Linux

– We work with partners leveraging emerging open source projects to provide the maximum amount of choice for end users

– Binary compatibility means applications developed for Red Hat Enterprise Linux do not need to be recompiled for Oracle Linux, simplifying our collaboration with partners and allowing our ecosystem to grow year over year


Oracle Linux - Create

– Oracle Linux is ready to drive the next generation data center:

– Physical

– Virtual

– Public Cloud

– Private Cloud

– Hybrid Cloud

– Embedded

– Engineered Systems

– 3rd party solutions


Just for The Record… Linux Distributions

• Nobody owns Linux – not Oracle, not Red Hat, not SUSE

• Linux receives contributions from a variety of sources representing hardware and software vendors, as well as community supporters for a variety of solutions

• Oracle Linux will focus on features important to enterprise customers


Oracle Linux

• Always binary compatible with the corresponding Red Hat Enterprise Linux (RHEL) release.

– We build from the same source used to build RHEL.

• We keep the same options, and specifications (SPEC files) delivered in the source

• We sign the packages with our own key

• The only changes we make are changes needed to account for trademark issues

– Simplifies migrations for customers – no costly migration planning and complicated implementation

– Easy for partners – no need to recompile their application to work with Oracle Linux. If it runs on RHEL it will run on Oracle Linux. Keeps certifications simple.

– No Oracle products are developed or certified using RHEL, they use Oracle Linux and Oracle provides a pass-through certification to Red Hat


Choice of Oracle Linux Kernels – Maintains Application Compatibility with RHEL

Oracle Linux ships two kernels:

RHEL Compatible Kernel

• 100% binary compatible kernel

• Oracle supplies patches and updates

• Useful for customers that require 100% binary compatibility with the RHEL kernel

OR

Unbreakable Enterprise Kernel

• Developed using latest stable kernel release from mainline / upstream

• Latest features and innovations

• No risky backports of new features into an old kernel

• Supported across multiple major versions of Oracle Linux

• Powers Oracle Engineered Systems and Oracle Cloud

Both run the RHEL Application Binary Compatible Userspace:

• 10+ years with no reported incompatibility

• 1000’s of applications available

• Running on 100,000’s systems


Unbreakable Enterprise Kernel The Latest Innovations from the Mainline Linux Kernel

• Developed using latest stable kernel release from mainline/upstream

• Latest features and innovations

• No risky backports of new features into an old kernel

• Does not break application-level compatibility in userspace

• Used in all x86 Engineered Systems

• Current release: UEKR5, based on the mainline kernel 4.14 LTS


Oracle Linux Cloud Native Environment

• Open source software that tracks the Cloud Native Computing Foundation

– Rich set of software components for cloud native application devops

– Integrated into a unified operating environment

– Run in Oracle Cloud, other clouds, or on premises

• Available at Oracle Linux yum server or Oracle Container Registry

– Free to download and use on-premises and in the cloud

• Premier Support

– Backed by an industry-leading engineering and QA team


Oracle Linux Cloud Native Environment – Continually enhanced as the technology evolves

App Definition & Development: Jenkins X, Helm, MySQL, Spark, Kafka

Observability & Analysis: Prometheus, Fluentd, Crashcart

Orchestration & Management: Kubernetes, Istio, Envoy

Runtime: Docker, Kata, CRI-O; CNI: Calico & Flannel; Ceph, Gluster

Provisioning: Terraform, Vagrant, Ansible, Chef, Puppet, Clair, Notary


Industrialization of Hacking and Cybercrime

• Global cybercrime costs: $445 billion in 2016, $2 trillion in 2019

• Data records stolen in 2016 and number of data breaches in 2016 (infographic counters; the figures did not survive extraction)

• Cybercrime-as-a-service price list: $40* US Fullz, $7* DDoS attack, $1250 health insurance data – offered with 24/7 customer service, free trial attacks and no pre-payment

Source: breachlevelindex.com; havocscope.com


No one is Immune – Major Sectors Getting Hacked Every Day

Percentage of Incidents by Industry in 2016:

• 35% Healthcare

• 9% Other

• 16% Financial Services

• 8% Professional Services

• 14% Education

• 13% Retail

• 5% Government

Recent Breaches in Government Sector:

• 55M Philippines Voters Data – Mar ‘16

• 191M US Voter Database – Dec ‘15

• 50M Turkish Citizenship – April ‘16

• 25M US Office of Personnel Management – Dec ‘15

• 275,000 Syrian Government – Mar ‘16

• 100,000 IRS – US Tax Services – Mar ‘16

Source: BakerHostetler Data Security Incident Response Report, 2016


Business Case: Reboots are Disruptive, incur Downtime and cause Delays

Why use Ksplice? Avoid Traditional Patching Procedures

Security Update Released

1. System administrator negotiates with management to schedule outage windows

2. System administrator schedules downtime the following week

3. System administrator notifies users of planned downtime

…One Week Later

1. Shut down application server

2. Shut down database

3. Apply Linux OS update

4. Start up database

5. Start up application server

6. Sanity check application

…And Another 4 Hours Later

1. Updates applied and tested

2. Back in business after first notification of security update - typically over one week has passed


Ksplice Hot Patching

• Easily diagnose issues without impacting running systems

• Apply updates without rebooting the system

• Only Ksplice applies userspace, kernel, and hypervisor patches

• Rapidly patch zero-day vulnerabilities with no downtime

• Enforce security standards: Keep critical systems patched with latest errata with no downtime

• Flexible deployment options to complement existing operational processes

• Ksplice is installed/configured by default for Oracle Linux instances in Oracle Cloud Infrastructure

• Battle tested: 1 million+ patches delivered – all Linux security patches delivered through Ksplice


Ksplice vs. Upstream Live Kernel Patching

• Ksplice is a complete service providing patches, management, and features that allow adaptation to many different customer workloads

– Ksplice updates do not change the kernel or system library ABIs, your running system is unaffected

– The updates are transparent to both running applications and third-party kernel modules

• The kernel live patching feature (livepatch) has been in the mainline Linux kernel since 4.0, but it is a technology only; it is not a service that actually provides the patches


• Check your kernel for required security updates and apply instantly

• Ksplice has delivered all security patches

• Ksplice does not take the place of major kernel upgrades, but can prevent headaches from intermediate downtime

ksplice.oracle.com/inspector - Check it yourself!


Ksplice – Hypervisor, Kernel and Userspace Zero Downtime Patching

Continuous Security for Your Cloud Infrastructure

(Diagram: a continuous stream of updates – Security Fix, Stability Fix, Security Fix, Security Fix, Stability Fix – applied to the running system.)

Automatic Security & Compliance – 24x7


The system-call jump-table

• The jump table contains function pointers, one per system call, indexed by the system call number (the __NR_<name> constants defined for each call)

• It is in RAM; RAM can be changed

• Ksplice exploits the fact pointers to functions/modules can be altered.

(Diagram: kernel memory holding the old function and the new function; a jump is inserted at the old function's entry so that calls land in the new code.)
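An added userspace model of what this slide and the "Ksplice vs. Upstream" slide describe (example code written for this page, not Oracle's or Ksplice's implementation, which redirects whole kernel functions with trampolines rather than a table like this one): a dispatch table of function pointers in writable memory, indexed by call number, where a patch record is applied only if the slot still holds the code it was built against, and callers keep using the same slot and signature, so the table's ABI never changes. All names (sys_table, livepatch_apply, copy_v1/copy_v2) are hypothetical.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>
#include <string.h>

/* One shared signature: redirecting a slot never changes the table's ABI. */
typedef long (*syscall_fn)(const char *buf, size_t len);

enum { NR_COPY = 0, NR_MAX };

/* Original handler: trusts the caller's length, no bound check. */
static long copy_v1(const char *buf, size_t len) {
    char dst[16];
    memcpy(dst, buf, len);  /* len > 16 would corrupt the stack */
    return (long)len;
}

/* Fixed handler: identical signature, adds the missing validation. */
static long copy_v2(const char *buf, size_t len) {
    char dst[16];
    if (buf == NULL || len > sizeof dst)
        return -EINVAL;
    memcpy(dst, buf, len);
    return (long)len;
}

/* The jump table: function pointers in writable memory, indexed by call number.
 * Atomic, so an in-flight caller sees the old or the new pointer, never a torn one. */
static _Atomic(syscall_fn) sys_table[NR_MAX] = { copy_v1 };

/* Callers dispatch by number and never learn which version they reached. */
long dispatch(int nr, const char *buf, size_t len) {
    if (nr < 0 || nr >= NR_MAX)
        return -ENOSYS;
    syscall_fn fn = atomic_load(&sys_table[nr]);
    return fn(buf, len);
}

struct livepatch {
    int nr;
    syscall_fn expected;     /* code the slot must hold before patching */
    syscall_fn replacement;  /* fixed code the slot is redirected to */
};

/* Redirect the slot only if it still holds the code the patch was built against;
 * a mismatch (wrong base kernel, already patched) refuses the patch. */
int livepatch_apply(const struct livepatch *p) {
    syscall_fn cur = p->expected;
    if (p->nr < 0 || p->nr >= NR_MAX ||
        !atomic_compare_exchange_strong(&sys_table[p->nr], &cur, p->replacement))
        return -EBUSY;
    return 0;
}

/* Constructed patch record for the copy handler, and its inverse for rollback. */
const struct livepatch copy_fix = { NR_COPY, copy_v1, copy_v2 };
const struct livepatch copy_undo = { NR_COPY, copy_v2, copy_v1 };

/* Sends a 64-byte request through the table (safe only once patched). */
long probe_oversized(void) {
    char big[64] = { 0 };
    return dispatch(NR_COPY, big, sizeof big);
}
```

Applying copy_fix a second time is refused because the slot no longer holds copy_v1; applying copy_undo swaps the original back the same way.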


Demo

Live Demo:

Oracle Linux 7.4 – UEKR4 4.1.12-94.3.9 (Release Date: Aug. 2017)

~300 Kernel Patches available

Demo with CVE 14489 (DoS crashes OS)


Enterprise-Class Linux Support

• 24x7 global coverage

• 145 countries

• 29 local languages

• Feature rich interface “My Oracle Support”

• Administer issues through traditional web browser or via mobile access portal

• Proactive support program

• Advanced Customer Service Features

• Technical Account Manager (TAM)

• Onsite or remote consulting services


Oracle Linux

• 24x7 Enterprise-class Linux Support

– Modeled after Unix

– Defined to provide support for not only mission critical applications, such as the Oracle Database, but any workload

– Support by experts who not only understand the Linux operating platform, but also specialists who know Database, Middleware and other application solutions

• When using Oracle products, customers receive a single point of contact for all their Oracle-related issues

– Backed by the Oracle Linux engineering, QA and product teams

• We have no dependency on Red Hat to provide support and code fixes to end users.

• If a customer reports an issue in Oracle Linux, we fix it. Period.


Oracle Linux Support

• Oracle only counts physical sockets

• No limit on cores or number of virtual guests

Level:

• Premier Limited – 24x7, unlimited support – 2 or fewer CPUs

• Premier – 24x7, unlimited support – more than 2 CPUs
