Linux is famous for uptime, but even it has to reboot when a new kernel vulnerability is fixed. Or does it? Now there's Ksplice, technology that applies patches directly into the running kernel. And thanks to their free Uptrack service it's free for users of Ubuntu!
Linux is famous for its stability and for having computers which have been online without being rebooted for years at a time. Indeed, among the geek community the longer your computer has been online the more “respect” you get. It’s called “uptime”, the amount of time your computer has been up for without needing a reboot.
Due to its open source nature, new security holes are found and fixed constantly on Linux distributions. Many of these updates are for user space applications such as web servers, databases, office programs and the wider desktop environment. Distributions will package these fixes and distribute them via the standard package management system, however via this method applications and daemons need to be restarted in order to load the new safe program.
When it comes to the Linux kernel itself, the usual way to achieve this is to reboot the computer. Naturally, this also means that all of the applications will be closed and daemons stopped, before being restarted after a successful reboot. Uptime is especially important for servers, as they need to be online and accessible as much as possible.
So what’s the problem? Well in order to provide maximum uptime, many users and administrators will not restart their systems in order to load the new kernel because of the inconvenience of having to stop the system. It’s a trade-off that can be dangerous because the system is still vulnerable! Just six days after a particular vulnerability in the kernel was discovered, many servers had been compromised including one in use by the Debian GNU/Linux project.
It’s simply just not feasible to reboot a machine every time a kernel vulnerability is discovered. There has to be a better way.
Enter Ksplice, a solution to the problem. Ksplice is a suite of tools which can apply patches directly into a running kernel resulting in an instantly patched system without a single interruption. No need to reboot the system or restart any services! If Debian had been running Ksplice they could have patched that vulnerable system live, not long after the vulnerability was found and fixed, without a single moment of downtime. The beauty of this method is that any number of patches can be applied. If there was a vulnerability found every hour, Ksplice could patch the kernel every hour also, all without skipping a beat. Left to the old ways, the server would need to be rebooted every hour or left vulnerable and rebooted later!
Work on Ksplice is currently focusing on the Linux kernel, but the technology could be taken and applied to user space applications also. The project has just announced the availability of a free service called Uptrack, for users of the latest Ubuntu offering, Jaunty Jackalope 9.04. That’s right, you can take advantage of this great project right on your own machine. But would users really want such a product?
The Ksplice team has done a great job at integrating their Uptrack service with an easy to use graphical interface. Installation is simple, just download the package from their website and open it with the GDebi installer (the default option). Users must agree to a terms of service, which includes a reference to the GPLv2 – the free software license the software is released under. Upon completion of the installation, the Uptrack manager will be run automatically. It looks similar to the system update-manager and is very easy to use. The application connects to the online service to determine what updates are available for the running kernel. The list is then presented and the user can install them at the click of a button. It all works very well and was very fast. Each time you log onto the system, the Ksplice updater will start with an icon present in the system tray and automatically check for updates in the background, prompting you when new ones are available.
Ksplice Uptrack Manager
Kernel updates under Ubuntu currently involve a delayed release system. Individual fixes are not released and installed separately, but rather are grouped together in a whole new kernel release. The issue with this is that the system will be vulnerable from the time the security flaw exists, until the new kernel is released through the update system. Not only this, but once you have downloaded and installed the new kernel update, you still need to reboot your computer for the fixes to take effect. If you’re busy, this would further increase the amount of time your system is vulnerable.
Using Ksplice however, it doesn’t matter whether the new kernel update from Ubuntu is downloaded or not. In fact, doesn’t matter if the computer is rebooted ever again! The system will always be patched with the latest fixes. Ksplice does this by determining what kernel is running and then after talking to the online Uptrack service, it downloads and patches any new fixes directly into the running kernel. These fixes are based on those sitting in Ubuntu’s Git source tree, waiting to be rolled into the next kernel update.
If a new kernel from Ubuntu is downloaded and installed via the system’s update service, then Ksplice will detect this after a reboot and then install any new fixes for that kernel too. It’s a simple as that. No matter which way you want to work, Ksplice will ensure that your kernel is always secure and up-to-date.
Upon a reboot the Ksplice boot time service starts up (just after Apparmor) and applies all of the patches for the kernel before your computer continues to boot any further. On an Intel Core2 machine this delayed the boot process by about eight seconds for nine patches, but considering the amount of time saved for future updates (and reboots) it’s a small price to pay! All future updates for the kernel will be applied in realtime via the graphical interface, naturally without a reboot.
The implementation so far appears to work very well, but only for the current kernel version that’s running. While it is possible to have a completely rebootless update system because Ksplice will always individually patch what Ubuntu releases as a whole new kernel update, the current updating system in Ubuntu makes it appear as though updates are required. In fact, installing a new kernel in Ubuntu prompts the user to tell them they must reboot. With Ksplice that’s actually no longer required. Perhaps this is an area that the Ksplice team could work on more closely with Canonical? Either way, the first step is to get as many people using the system as possible! Nevertheless this technology is nothing to be sneezed at. What it does, it does very well indeed and the team are to be congratulated on such an amazing project and implementation. It’s truly first class!
It might be great on servers, but why would a desktop user care? Many users switch their computer off at night anyway, so updates which come in during the day requiring a reboot won’t be a hassle. The biggest advantage comes from servers where uptime is important, but it does have a purpose for desktops too. Firstly, by using Ksplice you don’t have to reboot straight away when you get a new kernel update – you can take your time. Secondly, you are protected with all updates for the time between official kernel updates from Ubuntu.
Certainly most desktop users will probably feel that their system is secure enough and not feel the need for such a service. After all, most desktops rarely face the Internet directly like a server might. Even so, the more layers of security and protection one can have on their system the better. Finally, the Ksplice team really has done a first class job at implementing the technology. It’s just so easy for end users to install and use. So if you’re on Ubuntu Jaunty, why not give it a try? It’s a free service which helps to keep your system all that much more secure, without getting in the way of your work.
The technology used in Ksplice is very exciting. It makes a lot of sense and one has to wonder why it’s only being “discovered” now. One day in the future when Ksplice becomes the norm, we’ll look back and wonder what we ever used to do before rebootless updates came on the scene.