Ksplice Offers Rebootless Updates For Ubuntu Systems

sdasher writes "Ksplice has started offering Ksplice Uptrack for Ubuntu Jaunty, a free service that delivers rebootless versions of all the latest Ubuntu kernel security updates. It's currently available for both the 32 and 64-bit generic kernel, and they plan to add support for the virtual and server kernels by the end of the month, according to their FAQ. This makes Ubuntu the first OS that doesn't need to be rebooted for security updates. (We covered Ksplice's underlying technology when it was first announced a year ago.)"

GPL "terms of service"?

[innocent_white_lamb (151825)]

They appear to be releasing this licensed as GPL v2, but they have a "terms of service" click-through, according to their screenshot.

That doesn't give me great confidence that they really understand the GPL....

The technology looks pretty cool, though.

Re:GPL "terms of service"?

[Ambush Commander (871525)]

So, they're doing the common "commercial open source" thing where the software (the application, the kernel patcher) is open source, but it's also tied to a service (the actual kernel patches) which is not so (free for Jaunty, but if you want a different kernel you'll have to pay Ksplice for support). So the Terms of Service applies to the service, which is really quite sensible.

Re:GPL "terms of service"?

[KDR_11k (778916)]

Some installers are simply built to force an EULA on the user so programs that use those are tempted to put something like the GPL in there.

Re:

[peragrin (659227)]

why do you think it is called click through licensing. 99.9% of the population doesn't read them, it is there to try and force a legality that doesn't really exist.

Re:

[Philip_the_physicist (1536015)]

It seems to have been generally established that it is the uploader who is copying, not the downloader, at least from the RIAA cases (and similar ones outside the USA), where people are being sued for uploading files. IANAL, but I think the idea is that if you get a copy of something, you aren't expected to know if it is legit or not, and that it is the distributor who is harming the copyright holder, not the recipient.

Re:

[by Anonymous Coward]

In the broadest strokes, the GPL isn't that different from a EULA. The main difference is the scope of the agreement. When you use a typical EULA'd piece of software, you have to agree only to run it under certain conditions and not to redistribute it. When you use a GPL'd piece of software, you have to agree only to redistribute it only under certain conditions. You don't have to agree to anything to run it, but there are still terms and conditions for your use of the software (if "use" encompasses redistr

Re:GPL "terms of service"?

[_Sprocket_ (42527)]

In the broadest strokes, the GPL isn't that different from a EULA.

In the broadest strokes, an apple isn't that much different than an orange.

Re:GPL "terms of service"?

[_Sprocket_ (42527)]

No kidding. This thread and the original topic is like apples and oranges.

Re:GPL "terms of service"?

[x2A (858210)]

It's not even tangerinely related?

Re:GPL "terms of service"?

[iggymanz (596061)]

this thread is really persimmony off.

Re:GPL "terms of service"?

[_Sprocket_ (42527)]

Kinda makes that whole "comparing apples to oranges" argument pretty stupid sounding.

Right up to the point that you bake a pie.

Fruity

[ancientt (569920)]

I hear this occasionally, that tomatoes are technically fruit, that something else is or isn't, so I took the time to look it up a year or so ago.

It turns out that the term fruit means "the ripened ovary of a flowering plant" and "Any sweet, edible part of a plant that resembles seed-bearing fruit, even if it does not develop from a floral ovary" and "a product of plant growth (as grain, vegetables, or cotton." (Wikipeida, Wiktionary, Merriam-Webster)

Interesting too, my first two references are driven by O

Re:

[by Anonymous Coward]

DLA != EULA The GPL is a Distributors License Agreement not an End User License Agreement.

Great!

[jbacon (1327727)]

This could actually be really awesome if it's truly production ready. What's that? 100% uptime?! AWRIGHT!

Re:

[Shikaku (1129753)]

This can be great advertising:

"Ubuntu: updating and restarting is cliche. Continue to work while staying updated and secure."

I'm not a marketing person so let someone else handle that part. But the idea is clear though.

Re:

[MichaelSmith (789609)]

Constructive suggestions would be helpful. For the record I am sure you are right about that but I couldn't say for sure where the users expect to see improvements.

Re:

[FishWithAHammer (957772)]

Well, OK. Let's start with X.

X really is a pain in the ass to deal with. Ever tried to get dual monitors working? OK, ever tried to get dual monitors with differing resolutions working? My standard work configuration when at my desk is two widescreen monitors, one 1280x800 (my laptop panel--I don't use a desktop right now) and a 1440x900 LCD monitor, oriented vertically (great for reading or code listings, I can't recommend that enough!). I spent far too much time trying to make this system work under Linux

Re:

[FishWithAHammer (957772)]

KDE 4 really isn't as bad as you're making it out to be. There are some changes I don't necessarily agree with, but all things considered I'm pleased with the direction it's taking and look forward to when the release a feature-complete version (4.2 is getting close, though!).

It is as bad, and I'm not going near it while the current bunch of idiots is running the show.

Your last sentence is kind of comical. Have you ever _read_ the Gnome mailing lists? If you want condescending, disdainful discourse, that's a great place to start.

The GNOME mailing lists are immaterial as long as they treat their users with respect in normal discourse. I don't care what assholes they are to each other. Meanwhile, KDE insists that "they don't need users." I have contributed to KDE applications in the past, and there are two 3.5 themes on KDELook that I have authored. Fuck 'em. They don't want users, they don't want me, because I'm a user first and a contribut

Re:Great!

[Shikaku (1129753)]

What more do you want? Specific examples are key if you actually do care about trying to fix the UI.

Out of the box after you install Ubuntu from the LiveCD, by clicking the Applications (you know, the things you run?) menu:

Firefox: Good internet browser.

Evolution: Email client and reminders.

Tomboy (oops it uses mono): Keep track of notes, can load specific notes for a day. Helpful for Todo lists.

Calculator: Normal 4 function calculator with scientific mode if needed.

CD/DVD Burner: works well.

Screenshot Tool: press printscreen, save picture. Much better than Windows where you press the printscreen button and open up Paint to save it.

Pidgin: All in one IM client. Very customizable.

OpenOffice Word: can open all MS Office documents and is a good Office clone.

Rhythmbox Music Player: Keep track of music, works with lots of USB MP3 players (including iPods).

Totem Movie Player: Limited at first, but when you can't play something, it will prompt you to install the needed codec.

Add/Remove: Miles ahead of anything MacOSX and Microsoft has EVER done. Takes care of everything FOR you: downloading, updating, installing, etc. Just search for what you want through the left side or in the search tab.

It's so easy my girlfriend uses it by herself.

Drivers are handled automatically out of the box. No other OS can actually brag about having the highest device support. If it does not work instantly, chances are there will be a prompt to download and install the driver.

The only issues I think are the most common AND frustrating are installing WiFi drivers through ndiswrapper (ndiswrapper is finicky, but when you get it working it works perfect), relearning all the programs you want to use to do the same things you want to do, Windows games and using Wine, and the fact you will have to do a lot of Googling to do advanced stuff. Luckily more and more WiFi cards are being supported out of the box and Wine is getting much better.

Oh, and it's all free.

Re:Great!

[darkpixel2k (623900)]

I can see it now... "Kid. This was your fathers laptop. Cherish it as he did. It currently has just over 6 decades of uptime. With any luck, you'll be able to reach 13 or 14..."

Re:Great!

[smallfries (601545)]

Watched Pulp Fiction too many times but I can't help but read that in a Christopher Walken voice and expect you to continue:

"when he was shot down over Hanoi he had this laptop with him..."

Re:

[Anrego (830717)]

It's a cool piece of kit, but I wouldn't use this in a production environment.

If you are relying on one server to maintain 100% uptime in a high availability (which most production environments are) situation, you are probably doing it wrong.

It's my opinion that in a ha environment, you _should_ be able to reboot a box with no loss of uptime to the system as a whole.

I would even go as far as recommending a reboot every 3 months or so to test your clustering/failover setup (because I think a lot of people se

Fedora doing this since F9..

[gzipped_tar (1151931)]

https://admin.fedoraproject.org/pkgdb/packages/name/fedora-ksplice [fedoraproject.org]

fedora-ksplice
Script Collection for Using KSplice on Fedora Linux

fedora-ksplice is a collection of shell scripts to use ksplice in a Fedora environment.

The scripts allow to prepare a kernel for use it with ksplice.

fedora-ksplice-prepare will download the source rpm of the current installed kernel. After this the kernel sources will be created in the rpm build directory. Additional the ksplice subdirectory with the System.map file will be created.

Fedora-ksplice-create will apply a patch given as an argument to the kernel sources prepared by fedora-ksplice-prepare.

Re:Fedora doing this since F9..

[Ambush Commander (871525)]

That's a collection of shell scripts around the free software Ksplice tool that merely automates the task of downloading the Fedora kernel. (The Ksplice software has been released for over a year, and is also packaged in Ubuntu [ubuntu.com] and in Debian [debian.org], although the ksplice.com apt repo has newer versions.) Ksplice's Uptrack service is a way to automatically apply Ksplice updates that have been vetted for safety by the Ksplice developers, which is a much more convenient thing unless you like reading every kernel patch daily and testing the resulting Ksplice patch yourself.

Left are the Zombies..

[htiawe (973440)]

Now we need a ksplice for zombies instead of having to reboot to clear some of the nasty zombie processes.

Re:

[pintpusher (854001)]

someone just posted on debian-user that the way to kill zombies is to have the parent processes try to reap them and if that fails, they should get reparented up the chain until their parent becomes init. Then doing `telinit u` will cause init to restart (while maintaining state) and all the zombies will be dropped. I haven't had the chance to try it.

Re:Left are the Zombies..

[onefriedrice (1171917)]

Actually, it's simpler than that. A child process whose parent dies will be adopted by init immediately (not re-parented up the chain). If the process is a zombie (because of a bad-behaving parent process), removing the zombie is as simple as killing the parent, at which point init will adopt and reap the zombie because init always waits on its children. Running "telinit u" might make init reap the zombie quicker, but it will happen eventually anyway so that command is very much optional (and not recommended since zombies are harmless anyway).

Re:

[MrNaz (730548)]

Zombies are not harmless! You obviously don't watch enough movies.

Re:

[Tumbleweed (3706)]

Zombies are not harmless! You obviously don't watch enough movies.

Look, _clearly_ there are dangers inherent to zombies, but if YOU had watched enough movies, like, say, Shaun of the Dead, you'd realize they can be made into productive members of society (well, videogame consumers, anyway) if handled appropriately.

As the tshirt says, "Reduce - Reuse - Reanimate. Reduce our dependency on the funerary industrial complex." Get with the program!

Difference between Linux and Windows

[nmb3000 (741169)]

This is something I've wondered for a while. Both Linux and Windows have the ability to modify images (executables and libraries) on the fly without rebooting, and most Linux updates do this but Windows usually doesn't. Now we're looking at not only that, but some pretty low level mucking around in the kernel, all while the machine is running.

I know partly why Microsoft doesn't normally do this for Windows [microsoft.com], but why is it that Linux doesn't have the same problems described in that article? If you replace an executable you can restart it, sure, but what happens if you update libraries with various inter-dependencies?

Yes, rebooting is annoying, especially for important servers, but doesn't it make more sense to be 100% sure that the changes you're making aren't destabilizing the system (doubly for servers) than that few minutes of down time rebooting costs? Just wondering.

Re:Difference between Linux and Windows

[644bd346996 (1012333)]

Most of the people who would want to patch a system without rebooting aren't upgrading to get new features - they're applying security fixes, which seldom break binary compatibility. That makes it pretty safe to replace an in-use library. Once the update has been installed, you can restart the affected services on a schedule of your choosing, rather than have several minutes of complete downtime. I would expect that the reason this isn't attempted as often under Windows is that DLLs don't follow any system-wide rigorous versioning system like what most Linux package managers impose. This, and the presence of closed-source software, makes it much harder to do this with confidence under Windows.

Re:

[FishWithAHammer (957772)]

This is basically the reason, yes. Windows itself is not subject to being unable to move or replace a code image on-disk, of course (although it can cause some weird issues if forced--I've seen applications supposedly paged to disk try to hit up the new image from disk rather than from the page file and puke all over themselves), but really, for most uses it's just not worth the risk. .NET applications can, however, leverage the GAC to do essentially the same thing. As we see more and more movement toward t

Re:

[Geoffreyerffoeg (729040)]

Well, let's look at the issues raised in the article.

Windows actually can replace a DLL that is in use by renaming the original then copying the new file into place. However, the Windows world prefers not to do this.

Ksplice updates the running code of your kernel (by waiting until no thread is using the function to be patched, then calling the kernel's stop_machine_run function -- the same thing it uses when loading a new module -- while it edits the object code); it doesn't touch your /vmlinuz file on disk

Microsoft's excuse for not updating

[Mask (87752)]

After reading Windows Can but Won't [microsoft.com] I am still unimpressed. This article tries to hide a substantial feature preset in Linux but not in Windows. Call it a misfeature, a bug, an engineering decision or a precaution but, as it seems, Microsoft's filesystems do not support file removal well. If a DLL is in use you can't remove it without dire consequence, you are left with modifying the original file.

On Linux, you can remove the DLL without destabilizing running applications. This is because the file is unlinked from the directory structure, appearing as if it was removed, and the old file contents is still accessible to running applications. On Linux, an update mechanism can remove the DLL and put a new DLL in its place without affecting any running applications. Running applications continue using the old DLL, posing no substantial stability risk.

The Linux way isn't perfect either because running applications do not benefit from the update. Such an application will effectively use the old DLL until it is restarted giving a false sense of security. If an affected service is not restarted, then the computer is still at risk.

Re:

[by Anonymous Coward]

> Windows actually can replace a DLL that is in use by renaming the original then copying the new file into place. However, the Windows world prefers not to do this. Why?

Linux solves this with links. To pick a random example:

lrwxrwxrwx 1 root root 17 2009-06-21 19:04 /usr/lib/libqt-mt.so.3 -> libqt-mt.so.3.3.7
lrwxrwxrwx 1 root root 17 2009-06-21 19:04 /usr/lib/libqt-mt.so.3.3 -> libqt-mt.so.3.3.7
-rw-r--r-- 1 root root 7534253 2008-03-02 12:04 /usr/lib/libqt-mt.so.3.3.7

I'm showing here an

Interesting start

[ErikTheRed (162431)]

It's nice to see them running it on Ubuntu 9.04, but if they want to make money they should go after the LTS releases and SLES / RedHat.

Looks cool though.

Re:

[Ambush Commander (871525)]

I'm sure if you talk to them, they can set you up with a pricing model for update streams for these distributions. :-)

For you geeks that don't "need" 100% uptime...

[Ambush Commander (871525)]

Ksplice is still pretty neat, and worth playing around with (it's very very quick: after installing it's a little like boom boom boom, patches are applied). It also means that you can keep a fully patched kernel without having to compile one yourself every time a new patch comes out; a little different from being rebootless, but eminently useful for us mere mortals.

Less that 20 second reboot.

[yourassOA (1546173)]

Isn't that kinda the big thing with Jaunty other that the cooler looking login? They make the boot time real short and two months later "Oh hey you don't need to reboot." This is pointless.

Re:

[Ambush Commander (871525)]

Pointless or improvement?

Ubuntu

[physburn (1095481)]

Actually I haven't found i had to reboot ubuntu many times from updates, maybe 4 times a year, after a heavy patch of the Hal or the video drivers. Haven't said that i still haven't upgraded to jaunty. I waited when It was fresh upgrade, then didn't fine the time. Guess i've no excuse now, should be quick, but you have to leave the time, just in case it buggers up your live services.

---

Question is Ksplice reliable enough for online servers. I'd rather manually upgrade and be there to fix the systems, th

load of wank

[timmarhy (659436)]

if the fix affects a service i'm currently running, you still have to restart the service, so all this is doing is perpetuating the usual stupid uptime measurment of performance, which isn't indicative of the systems avaliablity.

get back to me when you have found a way to patch my network service without dropping the current open sessions, then i'll be really impressed.

Re:

[Geoffreyerffoeg (729040)]

Actually, Ksplice provides live patches. The ones Uptrack distributes are all to the kernel, and obviously not restarting the system requires not restarting the kernel.

The Ksplice technology [ksplice.com] itself is free software, and can be ported to userspace (but that hasn't been implemented yet by the Ksplice people). But if your network service is an NFS server or something, or you're fixing a security bug in the kernel, then Ksplice can apply it to a running system without affecting existing sessions / connections.

Re:

[Lennie (16154)]

This is about patching the kernel, it usually doesn't need to change the kernel structures, but it changes the functions. So it put the new function in kernel space and changes a pointer to the function. When doing this it temporarily slows down the kernel and calls the same function as is done when loading a module. That's what I think it does, but if you must know, read the PDF: http://www.ksplice.com/doc/ksplice.pdf [ksplice.com]

For all those that think this company is doomed because they released all their code as op

Re:

[Ambush Commander (871525)]

That is an interesting question, no? After all, this company has made all of its software open-source, and if someone else is able generate update, they can "cut in" on Ksplice's market share. (This is forking the service, you're speaking of, not really the software.)

But this is not really a problem unique to Ksplice; it applies to any service based open-source model. And as such, what Ksplice has going for it is expertise: they were the ones who developed the Ksplice tools, they have an intimate understand

Re:

[Ambush Commander (871525)]

Note: Not all security updates support HotPatching, and some security updates that support HotPatching might require that you restart the server after you install the security updates.

Yeah. Rebootless updates. Uh-huh. [ksplice.com]

Re:Windows has NOT been doing this for 6 years

[by Anonymous Coward]

I did read up on this (via your links) and discovered:

Note Not all security updates support HotPatching, and some security updates that support HotPatching might require that you restart the server after you install the security updates.

and

HotPatching is compatible with security updates that provide isolated fixes for individual functions. HotPatching is not compatible with security updates that update several interdependent functions.

    So Windows does not even theoretically support this to the extent of the ksplice offering and in practice I still (and have since it's release and for the forseeable future) have to reboot 2003 and more recent releases when I apply MS patches.

Re:

[by Anonymous Coward]

Well - that explains the reboots.

Re:

[Ambush Commander (871525)]

As a typical geek, I don't care much about AIX's concurrent updates. If I were a corporate dude, I probably wouldn't care too much about AIX's concurrent updates (I'd have to have a lot of other good reasons for switching to AIX). As a geek who runs Jaunty, I care a lot about Ksplice. It's awesome. I can run it on all of my boxen. If I were a geek who runs another distro, I don't care much about Ksplice, except maybe for the fact that we're starting to get rebootless updates into mainstream. But if I were

Re:

[ratboy666 (104074)]

You would be correct. Linux isn't the first "hot patch" system.

Multics (1965) was designed for 24/7/365 operation, and could replace any component by design. Hardware or software.

http://www.multicians.org/ [multicians.org]