Ksplice for Oracle Linux: Kernel Patching without Reboot · Ksplice vs. Upstream Live Kernel Patching...

Posted on 04-Apr-2020


  • Copyright © 2019, Oracle and/or its affiliates. All rights reserved.

    Ksplice for Oracle Linux: Kernel Patching without Reboot

    Fritz Weinhappl, Presales Consultant Oracle Linux, Oracle VM & VirtualBox, 29.1.2019


    Safe Harbor Statement

    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


    Program Agenda

    • Features of Oracle Linux

    • Ksplice – Kernel Patching without downtime

    • Oracle Linux Premier Support

    • Discussion, Q & A


    Oracle and Linux: 20 Years of Investment – Linux History at Oracle

    Linux data center workloads over the same period: Development Systems, Single Use Production Deployments, General Purpose, ERP/CRM, Data Warehouse, Cloud Computing, Big Data

    1998: First Commercial RDBMS for Linux

    2000: First x64 Linux Port

    2002: Launch of Unbreakable Linux; Asynch I/O, OCFS v1

    2005: On Demand Adopts x64 Linux; OCFS2 Accepted Into Mainline; 9,000 Developers Switch to Oracle Supported Linux

    2006: Oracle Linux Support Announced; Oracle Joins Linux Foundation as Board Member

    2007: Validated Configurations Launched

    2008-9: Btrfs, Xen Contributions; 42,000 Oracle Linux Servers Deployed at Oracle

    2010: Oracle Linux Enhanced with Mainline-based Kernel; Oracle Linux Undergoes 80,000 QA Hours Per Day; Exadata Engineered with Oracle Linux

    2011: 7,000 Oracle Linux Support Customers; Oracle Buys Ksplice

    2012: Support Lifecycle Extended to 10 Yrs; DTrace GA

    2014: 12,000 customers; OpenStack announced

    2016: 14,000 customers; Ksplice Enhancements; Docker; OpenStack Release 2; Software collections; Ceph Storage Tech preview

    2018: OL Cloud Native Env.; OL7.6 / OL6.10; Ksplice glibc/OpenSSL; Kubernetes Support; Ceph Storage/FS Support; Software collections 3.2; Corosync/Pacemaker Supp.


    Oracle Linux - Innovate

    • A platform for innovation – truly open, less restrictive, maximum freedom

    – Oracle Linux is always free to use, free to distribute and free to update

    – ISOs are publicly available

    – Source code is directly and completely published in public git repos with all patches and commit logs left intact

    – All errata are publicly available

    • Customers choose which systems to cover by support subscriptions

    • No complicated migration from free to paid

    • No restrictive contracts or agreements


    Oracle Linux - Collaborate

    Community, Partners, Customers

    – Oracle is an active contributor to multiple open source projects, including kernel.org

    – The Oracle Linux playground publishes complete kernel builds that can be used in development environments by customers and partners to evaluate the latest upstream kernel features with real applications, such as the Oracle Database on production releases of Oracle Linux

    – We work with partners leveraging emerging open source projects to provide the maximum amount of choice for end users

    – Binary compatibility means applications developed for Red Hat Enterprise Linux do not need to be recompiled for Oracle Linux, simplifying our collaboration with partners and allowing our ecosystem to grow year over year


    Oracle Linux - Create

    – Oracle Linux is ready to drive the next generation data center.

    – Physical

    – Virtual

    – Public Cloud

    – Private Cloud

    – Hybrid Cloud

    – Embedded

    – Engineered Systems

    – 3rd party solutions


    Just for The Record… Linux Distributions

    • Nobody owns Linux – not Oracle, not Red Hat, not SUSE

    • Linux receives contributions from a variety of sources representing hardware and software vendors, as well as community supporters for a variety of solutions

    • Oracle Linux will focus on features important to enterprise customers


    Oracle Linux

    • Always binary compatible with the corresponding Red Hat Enterprise Linux (RHEL) release.

    – We build from the same source used to build RHEL.

    • We keep the same options and specifications (SPEC files) delivered in the source

    • We sign the packages with our own key

    • The only changes we make are changes needed to account for trademark issues

    – Simplifies migrations for customers – no costly migration planning and complicated implementation

    – Easy for partners – no need to recompile their application to work with Oracle Linux. If it runs on RHEL it will run on Oracle Linux. Keeps certifications simple.

    – No Oracle products are developed or certified using RHEL; they use Oracle Linux, and Oracle provides a pass-through certification to Red Hat


    Choice of Oracle Linux Kernels – Maintains Application Compatibility with RHEL

    Oracle Linux ships with a choice of two kernels:

    RHEL Compatible Kernel

    • 100% binary compatible kernel

    • Oracle supplies patches and updates

    • Useful for customers that require 100% binary compatibility with the RHEL kernel

    OR

    Unbreakable Enterprise Kernel

    • Developed using latest stable kernel release from mainline / upstream

    • Latest features and innovations

    • No risky backports of new features into an old kernel

    • Supported across multiple major versions of Oracle Linux

    • Powers Oracle Engineered Systems and Oracle Cloud

    RHEL Application Binary Compatible Userspace

    • 10+ years with no reported incompatibility

    • 1000’s of applications available

    • Running on 100,000’s systems


    Unbreakable Enterprise Kernel – The Latest Innovations from the Mainline Linux Kernel

    • Developed using latest stable kernel release from mainline/upstream

    • Latest features and innovations

    • No risky backports of new features into an old kernel

    • Does not break application-level compatibility in userspace

    • Used in all x86 Engineered Systems

    • Current release: UEKR5, based on mainline kernel 4.14 LTS


    Oracle Linux Cloud Native Environment

    • Open source software that tracks the Cloud Native Computing Foundation

    – Rich set of software components for cloud native application devops

    – Integrated into a unified operating environment

    – Run in Oracle Cloud, other clouds, or on premises

    • Available at Oracle Linux yum server or Oracle Container Registry

    – Free to download and use on-premises and in the cloud

    • Premier Support

    – Backed by an industry-leading engineering and QA team


    Oracle Linux Cloud Native Environment – Continually enhanced as the technology evolves

    • App Definition & Development: Jenkins X, Helm, MySQL, Spark, Kafka

    • Observability & Analysis: Prometheus, Fluentd, Crashcart

    • Orchestration & Management: Kubernetes, Istio, Envoy

    • Runtime: Docker, Kata, CRI-O; CNI: Calico & Flannel; Ceph, Gluster

    • Provisioning: Terraform, Vagrant, Ansible, Chef, Puppet, Clair, Notary


    Industrialization of Hacking and Cybercrime

    • Global cybercrime costs: $445 billion in 2016, $2 trillion in 2019

    • Data records stolen in 2016 and number of data breaches in 2016 (figures not legible in the transcript)

    • Underground market prices: $40* US Fullz; $7* DDoS attack; $1250 health insurance data – offered with 24/7 customer service, free trial attacks and no pre-payment

    Source: breachlevelindex.com; havocscope.com


    No one is Immune – Major Sectors Getting Hacked Every Day

    Percentage of Incidents by Industry in 2016: Healthcare 35%; Financial Services 16%; Education 14%; Retail 13%; Other 9%; Professional Services 8%; Government 5%

    Recent Breaches in Government Sector:

    • 55M Philippines Voters Data – Mar ‘16

    • 191M US Voter Database – Dec ‘15

    • 50M Turkish Citizenship – April ‘16

    • 25M US Office of Personnel Management – Dec ‘15

    • 275,000 Syrian Government – Mar ‘16

    • 100,000 IRS – US Tax Services – Mar ‘16

    Source: BakerHostetler Data Security Incident Response Report, 2016


    Business Case: Reboots are Disruptive, incur Downtime and cause Delays

    Why use Ksplice? Avoid Traditional Patching Procedures

    Security Update Released:

    1. System administrator negotiates with management to schedule outage windows

    2. System administrator schedules downtime the following week

    3. System administrator notifies users of planned downtime

    …One Week Later:

    1. Shut down application server

    2. Shut down database

    3. Apply Linux OS update

    4. Start up database

    5. Start up application server

    6. Sanity check application

    …And Another 4 Hours Later:

    1. Updates applied and tested

    2. Back in business – typically over one week has passed since the first notification of the security update


    Ksplice Hot Patching

    • Easily diagnose issues without impacting running systems

    • Apply updates without rebooting the system

    • Only Ksplice applies userspace, kernel, and hypervisor patches

    • Rapidly patch zero-day vulnerabilities with no downtime

    • Enforce security standards: Keep critical systems patched with latest errata with no downtime

    • Flexible deployment options to complement existing operational processes

    • Ksplice is installed/configured by default for Oracle Linux instances in Oracle Cloud Infrastructure

    • Battle tested: 1 million+ patches delivered – all Linux security patches delivered through Ksplice


    Ksplice vs. Upstream Live Kernel Patching

    • Ksplice is a complete service providing patches, management, and features that allow adaptation to many different customer workloads

    – Ksplice updates do not change the kernel or system library ABIs, your running system is unaffected

    – The updates are transparent to both running applications and third-party kernel modules

    • Kernel live patching was introduced in the mainline Linux kernel in 4.0 as a technology; it is not a service that actually provides the patches


    • Check your kernel for required security updates and apply instantly

    • Ksplice has delivered all security patches

    • Ksplice does not take the place of major kernel upgrades, but can prevent headaches from intermediate downtime

    Check it yourself: http://ksplice.oracle.com/inspector


    Ksplice – Hypervisor, Kernel and Userspace Zero Downtime Patching

    Continuous Security for Your Cloud Infrastructure

    (Figure: a timeline of security fixes and stability fixes applied one after another without downtime)

    Automatic Security & Compliance – 24x7


    The system-call jump-table

    • The jump table holds one function pointer per system call, accessed by index through the #define _NR_### constant of each call

    • It is in RAM; RAM can be changed

    • Ksplice exploits the fact that pointers to functions/modules can be altered.

    (Figure: kernel memory holding the old function and the new function; a jump to the new code is inserted at the old entry point)
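As an added illustration of the mechanism on this slide (not Ksplice's own code, and a userspace simulation rather than kernel memory), the C program below keeps a small jump table of function pointers and swaps one entry for a corrected handler of identical signature while the dispatch path keeps running; the syscall numbers, both handlers and the defect in the old handler are constructed for the demo.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

/* Constructed userspace stand-in for the kernel's system-call jump table: an
 * array of function pointers indexed by syscall number. "Live patching" here
 * swaps one entry for a corrected handler with the same signature, so the
 * dispatch path and its callers stay untouched. */
typedef long (*handler_t)(const char *buf, size_t len);
#define DEMO_NR_WRITE 0   /* hypothetical syscall number (stands in for a __NR_ constant) */
#define DEMO_NR_COUNT 1
static char sink[16];     /* fixed-size buffer the handler writes into */

/* Old handler (constructed defect): silently truncates oversized requests
 * yet reports the full length as written. */
static long old_write(const char *buf, size_t len) {
    size_t n = len > sizeof sink ? sizeof sink : len;
    memcpy(sink, buf, n);
    return (long)len;
}
/* Patched handler: same ABI, rejects requests that do not fit. */
static long fixed_write(const char *buf, size_t len) {
    if (len > sizeof sink) return -1;       /* like -EMSGSIZE */
    memcpy(sink, buf, len);
    return (long)len;
}

/* The table lives in writable memory; entries are exchanged atomically. */
static _Atomic(handler_t) jump_table[DEMO_NR_COUNT] = { old_write };
/* Dispatch path: identical before and after the patch. */
static long dispatch(int nr, const char *buf, size_t len) {
    if (nr < 0 || nr >= DEMO_NR_COUNT) return -1;   /* like -ENOSYS */
    handler_t h = atomic_load(&jump_table[nr]);
    return h(buf, len);
}
/* Install a replacement and return the previous handler for rollback. */
static handler_t live_patch(int nr, handler_t replacement) {
    return atomic_exchange(&jump_table[nr], replacement);
}

int main(void) {
    char req[32];
    memset(req, 'A', sizeof req);
    printf("before patch: %ld\n", dispatch(DEMO_NR_WRITE, req, sizeof req)); /* 32 */
    handler_t previous = live_patch(DEMO_NR_WRITE, fixed_write);
    printf("after patch:  %ld\n", dispatch(DEMO_NR_WRITE, req, sizeof req)); /* -1 */
    live_patch(DEMO_NR_WRITE, previous);   /* roll back to the old handler */
    return 0;
}
```

A real kernel patch additionally has to make sure no CPU is executing inside the old function at the moment of the switch; this demo only shows the pointer swap itself.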


    Live Demo:

    Oracle Linux 7.4 – UEKR4 4.1.12-94.3.9 (Release Date: Aug. 2017)

    ~300 Kernel Patches available

    Demo with CVE 14489 (DoS crashes OS)


    Enterprise-Class Linux Support

    • 24x7 global coverage

    • 145 countries

    • 29 local languages

    • Feature-rich interface “My Oracle Support”

    • Administer issues through traditional web browser or via mobile access portal

    • Proactive support program

    • Advanced Customer Service Features

    • Technical Account Manager (TAM)

    • Onsite or remote consulting services


    Oracle Linux

    • 24x7 Enterprise-class Linux Support

    – Modeled after Unix

    – Defined to provide support for not only mission critical applications, such as the Oracle Database, but any workload

    – Support by experts who not only understand the Linux operating platform, but also specialists who know Database, Middleware and other application solutions

    • When using Oracle products, customers receive a single point of contact for all their Oracle-related issues

    – Backed by the Oracle Linux engineering, QA and product teams

    • We have no dependency on Red Hat to provide support and code fixes to end users.

    • If a customer reports an issue in Oracle Linux, we fix it. Period.


    Oracle Linux Support

    • Oracle only counts physical sockets

    • No limit on cores or number of virtual guests

    Level:

    – Premier Limited (24x7, unlimited support): 2 or fewer CPUs

    – Premier (24x7, unlimited support): more than 2 CPUs
