Reboot after installing patches - NOT required anymore from Linux 4.0 kernel
Post by: hatt

If you are running Linux on your servers or in a data-centre, then it's no longer required to reboot after installing critical patches. Thanks to the latest changes to the Linux kernel, you may be able to go years between reboots.
Linux has had this feature since 2009 through a program called Ksplice. Ksplice enables running systems to stay secure without the disruption of rebooting. Specifically, Ksplice creates rebootless updates that are based on traditional source code patches. These updates are as effective as traditional updates, but they can be applied seamlessly, with no downtime.
Oracle acquired Ksplice in 2011, and kept it just for its own Oracle Linux, a Red Hat Enterprise Linux (RHEL) clone, and as a RHEL subscription service. That left all the other enterprise and server Linux distributions back where they started.
Red Hat and SUSE both started working on their own purely open-source means of giving Linux the ability to keep running even while critical patches were being installed. Red Hat's program was named kpatch, while SUSE's is named kGraft.
Kpatch calls stop_machine(). After that it looks at the stack of existing processes using ftrace and, if the patch can be made safely, it redirects the running code to the patched functions and then removes the now outdated code.
kGraft also uses ftrace, but it works on the thread level. When an old function is called, it makes sure the thread reaches a point at which it can switch to the new function.
While the end result is the same (the operating system keeps running while patches are made), there are significant differences in performance. Kpatch takes from one to forty milliseconds, while kGraft might take several minutes, but there's never even a millisecond of downtime.
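
Because a live patch can take anywhere from milliseconds to minutes to finish applying, a patch being loaded is not the same as a patch being fully in effect. The following added example (not part of the original post) reads the kernel's live-patch sysfs directory, `/sys/kernel/livepatch`, and reports each patch's state. The function name `livepatch_status` and the state labels are assumptions made for this example, and the optional root argument exists only so the function can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Added example: report the state of kernel live patches from sysfs.
# Each loaded patch is a directory holding an "enabled" file (1 or 0) and,
# on newer kernels, a "transition" file (1 while tasks are still being
# switched between the old and new functions).
# Exit status: 0 only if at least one patch exists and all are fully active.

livepatch_status() {
    root="${1:-/sys/kernel/livepatch}"   # override is for testing only
    if [ ! -d "$root" ]; then
        echo "unsupported"               # kernel has no live-patch support
        return 1
    fi
    found=0
    incomplete=0
    for dir in "$root"/*/; do
        [ -f "${dir}enabled" ] || continue
        found=1
        name=$(basename "$dir")
        enabled=$(cat "${dir}enabled")
        # Older kernels have no "transition" file; treat that as settled.
        transition=0
        [ -f "${dir}transition" ] && transition=$(cat "${dir}transition")
        if [ "$enabled" = 1 ] && [ "$transition" = 0 ]; then
            state=active                 # patched functions fully in effect
        elif [ "$enabled" = 1 ]; then
            state=applying               # some tasks still run old code
        elif [ "$transition" = 1 ]; then
            state=reverting              # patch is being backed out
        else
            state=disabled               # loaded but not in effect
        fi
        [ "$state" = active ] || incomplete=1
        echo "$name $state"
    done
    if [ "$found" = 0 ]; then
        echo "none"
        return 1
    fi
    return "$incomplete"
}
```

Run `livepatch_status` with no argument on a host and alert on a non-zero exit status; `uname -r` alone will not show whether a live patch is in effect, since the running kernel version does not change.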