
Ksplice Offers Rebootless Updates For Ubuntu Systems

sdasher writes "Ksplice has started offering Ksplice Uptrack for Ubuntu Jaunty, a free service that delivers rebootless versions of all the latest Ubuntu kernel security updates. It's currently available for both the 32- and 64-bit generic kernels, and they plan to add support for the virtual and server kernels by the end of the month, according to their FAQ. This makes Ubuntu the first OS that doesn't need to be rebooted for security updates. (We covered Ksplice's underlying technology when it was first announced a year ago.)"

  • by Ambush Commander ( 871525 ) on Sunday June 28, 2009 @02:09AM (#28501451)

    So, they're doing the common "commercial open source" thing where the software (the application, the kernel patcher) is open source, but it's also tied to a service (the actual kernel patches) which is not so (free for Jaunty, but if you want a different kernel you'll have to pay Ksplice for support). So the Terms of Service applies to the service, which is really quite sensible.

  • by gzipped_tar ( 1151931 ) on Sunday June 28, 2009 @02:16AM (#28501475) Journal

    https://admin.fedoraproject.org/pkgdb/packages/name/fedora-ksplice [fedoraproject.org]

    fedora-ksplice
    Script Collection for Using KSplice on Fedora Linux

    fedora-ksplice is a collection of shell scripts to use ksplice in a Fedora environment.

    The scripts allow you to prepare a kernel for use with ksplice.

    fedora-ksplice-prepare will download the source rpm of the currently installed kernel. After this the kernel sources will be created in the rpm build directory. Additionally, the ksplice subdirectory with the System.map file will be created.

    Fedora-ksplice-create will apply a patch given as an argument to the kernel sources prepared by fedora-ksplice-prepare.

  • by Ambush Commander ( 871525 ) on Sunday June 28, 2009 @02:47AM (#28501609)
    That's a collection of shell scripts around the free software Ksplice tool that merely automates the task of downloading the Fedora kernel. (The Ksplice software has been released for over a year, and is also packaged in Ubuntu [ubuntu.com] and in Debian [debian.org], although the ksplice.com apt repo has newer versions.) Ksplice's Uptrack service is a way to automatically apply Ksplice updates that have been vetted for safety by the Ksplice developers, which is a much more convenient thing unless you like reading every kernel patch daily and testing the resulting Ksplice patch yourself.
  • by Anonymous Coward on Sunday June 28, 2009 @02:47AM (#28501615)

    I did read up on this (via your links) and discovered:

    Note Not all security updates support HotPatching, and some security updates that support HotPatching might require that you restart the server after you install the security updates.

    and

    HotPatching is compatible with security updates that provide isolated fixes for individual functions. HotPatching is not compatible with security updates that update several interdependent functions.

    So Windows does not even theoretically support this to the extent of the ksplice offering, and in practice I still (and have since its release and for the foreseeable future) have to reboot 2003 and more recent releases when I apply MS patches.

  • by Anonymous Coward on Sunday June 28, 2009 @02:49AM (#28501627)
    DLA != EULA. The GPL is a Distributors' License Agreement, not an End User License Agreement.
  • by Geoffreyerffoeg ( 729040 ) on Sunday June 28, 2009 @03:44AM (#28501797)

    Well, let's look at the issues raised in the article.

    Windows actually can replace a DLL that is in use by renaming the original then copying the new file into place. However, the Windows world prefers not to do this.

    Ksplice updates the running code of your kernel (by waiting until no thread is using the function to be patched, then calling the kernel's stop_machine_run function -- the same thing it uses when loading a new module -- while it edits the object code); it doesn't touch your /vmlinuz file on disk. If you want the patches next time you reboot, either recompile /vmlinuz, or have an initscript (like Uptrack's) apply the patches at boot.

    Even if you're updating just a single DLL with no dependencies, there are still potential problems since the DLL has to interoperate with previous versions of itself.

    One reason Ksplice wins here is that it updates the kernel, which is a single thing, but more fundamentally it avoids this problem by atomically patching every piece of affected code at once. You could actually port the Ksplice technology to userspace, provided you do some userspace equivalent of stop_machine and patch every process at the same time.

    Even if you haven't changed the structure itself, you may have changed the meaning of some fields in the structure. If the structure has an enumeration and the new version adds a new value to that enumeration, that's still an incompatibility between the old and new.

    Again, Ksplice has the advantage of updating everything atomically. But there is explicit support for having a hook to be called at patch time, that either updates all existing structures, or does something fancy to mark structures that have been updated, so you know that any unmarked structure needs to be updated before being used.

    The Ksplice paper (PDF) [ksplice.com] outlines how you'd go about writing a data structure transformer to address this (as well as talking about how to solve a host of other problems). See also the CVE evaluation [ksplice.com], which links to some examples.

    So it's not that Windows has to restart after replacing a file that is in use. It's just that it would rather not deal with the complexity that results if it doesn't. Engineering is a set of trade-offs.

    which is why this engineering problem is not something Linus Torvalds personally does, but a separate company, Ksplice Inc., is working on full-time. :-)

  • Re:Great! (Score:5, Informative)

    by Shikaku ( 1129753 ) on Sunday June 28, 2009 @03:47AM (#28501803)

    What more do you want? Specific examples are key if you actually do care about trying to fix the UI.

    Out of the box after you install Ubuntu from the LiveCD, by clicking the Applications (you know, the things you run?) menu:

    Firefox: Good internet browser.

    Evolution: Email client and reminders.

    Tomboy (oops it uses mono): Keep track of notes, can load specific notes for a day. Helpful for Todo lists.

    Calculator: Normal 4 function calculator with scientific mode if needed.

    CD/DVD Burner: works well.

    Screenshot Tool: press printscreen, save picture. Much better than Windows where you press the printscreen button and open up Paint to save it.

    Pidgin: All in one IM client. Very customizable.

    OpenOffice Word: can open all MS Office documents and is a good Office clone.

    Rhythmbox Music Player: Keep track of music, works with lots of USB MP3 players (including iPods).

    Totem Movie Player: Limited at first, but when you can't play something, it will prompt you to install the needed codec.

    Add/Remove: Miles ahead of anything MacOSX and Microsoft have EVER done. Takes care of everything FOR you: downloading, updating, installing, etc. Just search for what you want through the left side or in the search tab.

    It's so easy my girlfriend uses it by herself.

    Drivers are handled automatically out of the box. No other OS can actually brag about having the highest device support. If it does not work instantly, chances are there will be a prompt to download and install the driver.

    The only issues I think are the most common AND frustrating are installing WiFi drivers through ndiswrapper (ndiswrapper is finicky, but when you get it working it works perfectly), relearning all the programs you want to use to do the same things you want to do, Windows games and using Wine, and the fact you will have to do a lot of Googling to do advanced stuff. Luckily more and more WiFi cards are being supported out of the box and Wine is getting much better.

    Oh, and it's all free.

  • by Mask ( 87752 ) on Sunday June 28, 2009 @05:13AM (#28502063)

    After reading Windows Can but Won't [microsoft.com] I am still unimpressed. This article tries to hide a substantial feature present in Linux but not in Windows. Call it a misfeature, a bug, an engineering decision or a precaution but, as it seems, Microsoft's filesystems do not support file removal well. If a DLL is in use you can't remove it without dire consequences; you are left with modifying the original file.

    On Linux, you can remove the DLL without destabilizing running applications. This is because the file is unlinked from the directory structure, appearing as if it was removed, and the old file contents are still accessible to running applications. On Linux, an update mechanism can remove the DLL and put a new DLL in its place without affecting any running applications. Running applications continue using the old DLL, posing no substantial stability risk.

    The Linux way isn't perfect either because running applications do not benefit from the update. Such an application will effectively use the old DLL until it is restarted, giving a false sense of security. If an affected service is not restarted, then the computer is still at risk.

  • Re:load of wank (Score:3, Informative)

    by Lennie ( 16154 ) on Sunday June 28, 2009 @06:13AM (#28502269)

    This is about patching the kernel, it usually doesn't need to change the kernel structures, but it changes the functions. So it puts the new function in kernel space and changes a pointer to the function. When doing this it temporarily slows down the kernel and calls the same function as is done when loading a module. That's what I think it does, but if you must know, read the PDF: http://www.ksplice.com/doc/ksplice.pdf [ksplice.com]

    For all those that think this company is doomed because they released all their code as open source, let me tell you that they released the automated tooling, but the automated tooling could, in the time they tested it (from the article last year), 'only' handle 84% of the time. All the other times, on average about 17 lines of code needed to be written.

    I think it would be cool if the distribution makers actually paid this company to do these patches for the distribution-kernels. Although I guess that means something like Debian may be left out? Then again, a little more than 80% isn't bad either. ;-) And I think I've read on lwn.net they have actually improved on that number in the past year, but I'm not sure. Anyway we also have kexec to shorten the reboot time.

  • by peragrin ( 659227 ) on Sunday June 28, 2009 @07:43AM (#28502635)

    Why do you think it is called click-through licensing? 99.9% of the population doesn't read them, it is there to try and force a legality that doesn't really exist.

  • by Anonymous Coward on Sunday June 28, 2009 @08:26AM (#28502847)

    Orange peel is edible. It's not especially nice, but it's edible. Note also that the pith (the white bit between the interior and the skin) is the bitter part (still edible), not the peel.

    Beware that a lot of oranges in supermarkets are "waxed" to make them shiny, sometimes with bug repellent in the wax too, so it's often not safe to eat the peel unless you wash off the wax with boiling water (you can typically also buy unwaxed oranges for home marmalade making), but that's not because orange peel is inedible as such, it's just weird crap humans have done to the fruit.

  • by Anonymous Coward on Sunday June 28, 2009 @01:32PM (#28505221)

    Actually, Linux (along with regular UNIX) performs this using inodes to replace files in use. Each file on a UNIX file system is associated with an inode. The directory entry that you see, such as "libqt-ms.so" points to a particular inode, which is a particular instance of a file.

    Typically a package management system (such as the case with rpm, which I have trussed before to confirm) will unpack the new library as libqt-ms.so.tmp in the same directory. It'll then 'mv' the tmp file to the original filename. What 'mv' actually does is change the directory entry of libqt-ms.so to point to the new inode that was given to libqt-ms.so.tmp. This approach can be used on any file in UNIX/Linux to replace any file that is currently open. Only when all the open file handles to the old inode are closed is the file/inode marked as deleted in the filesystem.
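The rename-over-an-open-inode mechanism described in this post, together with Mask's point above that running applications keep using the old library until restarted, as an added Python example (not code from the page, the posters, or Ksplice). It writes a constructed `libdemo.so` sample into a temporary directory, opens and memory-maps it the way a running process would, renames a version-2 file over it, and shows that the directory entry now points at a different inode while the old descriptor and mapping still see version 1. The second function is the follow-up check an administrator wants after such an update: parse `/proc/<pid>/maps` for entries the kernel marks `(deleted)`, which is how a process still executing replaced code shows up. The file name and contents are constructed; the `/proc` scan is Linux-only and returns None elsewhere.

```python
"""Replace a shared library that is still open, UNIX style, and then find
the stale mapping left behind. All file names and contents are constructed
sample data for this example; nothing here is a real library."""
import mmap
import os
import shutil
import tempfile

OLD_CONTENTS = b"libdemo.so version 1 (constructed sample, not a real library)\n"
NEW_CONTENTS = b"libdemo.so version 2 (constructed sample, not a real library)\n"


def deleted_mappings(pid="self"):
    """Return paths from /proc/<pid>/maps that the kernel suffixes '(deleted)'.

    A library replaced or removed while still mapped shows up this way; the
    process keeps running the old code until it is restarted. Returns None
    where /proc is unavailable (non-Linux systems)."""
    maps_path = f"/proc/{pid}/maps"
    if not os.path.exists(maps_path):
        return None
    found = set()
    with open(maps_path) as maps:
        for line in maps:
            # Fields: address perms offset dev inode pathname. The pathname may
            # contain spaces, so split on at most five whitespace runs.
            fields = line.rstrip("\n").split(None, 5)
            if len(fields) == 6 and fields[5].endswith(" (deleted)"):
                found.add(fields[5][: -len(" (deleted)")])
    return sorted(found)


def replace_open_library(directory):
    """Install libdemo.so, open and map it, rename a new version over it,
    and report what each handle sees afterwards."""
    lib_path = os.path.join(directory, "libdemo.so")
    tmp_path = lib_path + ".tmp"

    # Step 1: version 1 is installed and a "running process" opens and maps it.
    with open(lib_path, "wb") as f:
        f.write(OLD_CONTENTS)
    old_fd = os.open(lib_path, os.O_RDONLY)
    old_inode = os.fstat(old_fd).st_ino
    mapping = mmap.mmap(old_fd, 0, access=mmap.ACCESS_READ)

    # Step 2: the package manager unpacks version 2 beside the old file ...
    with open(tmp_path, "wb") as f:
        f.write(NEW_CONTENTS)
    # ... and renames it over the old name. rename(2) is atomic: libdemo.so
    # never refers to a half-written file, only to the old or the new inode.
    os.rename(tmp_path, lib_path)

    # Step 3: the directory entry is a new inode; the old one is unlinked but
    # still alive because a descriptor and a mapping reference it.
    new_inode = os.stat(lib_path).st_ino
    old_stat = os.fstat(old_fd)
    with open(lib_path, "rb") as f:
        via_new_open = f.read()
    via_old_mapping = bytes(mapping[:])  # still version 1

    result = {
        "inodes_differ": old_inode != new_inode,
        "old_inode_unlinked": old_stat.st_nlink == 0,
        "new_open_sees": via_new_open,
        "old_mapping_sees": via_old_mapping,
        # The stale mapping is what an admin hunts for after patching.
        "deleted_mappings": deleted_mappings(),
        "lib_realpath": os.path.realpath(lib_path),
    }
    mapping.close()
    os.close(old_fd)
    return result


def run_demo():
    """Run the demonstration in a throwaway directory and clean up."""
    directory = tempfile.mkdtemp(prefix="inode-replace-demo-")
    try:
        return replace_open_library(directory)
    finally:
        shutil.rmtree(directory, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Run against a real host, `deleted_mappings(pid)` over every entry in `/proc` is the quick way to list services that still hold replaced libraries and therefore need a restart for a user-space update to take effect; Ksplice's kernel patching avoids that gap for the kernel itself by rewriting the running code rather than the file on disk.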

  • Fruity (Score:3, Informative)

    by ancientt ( 569920 ) * <ancientt@yahoo.com> on Sunday June 28, 2009 @08:20PM (#28508283) Homepage Journal

    I hear this occasionally, that tomatoes are technically fruit, that something else is or isn't, so I took the time to look it up a year or so ago.

    It turns out that the term fruit means "the ripened ovary of a flowering plant" and "Any sweet, edible part of a plant that resembles seed-bearing fruit, even if it does not develop from a floral ovary" and "a product of plant growth (as grain, vegetables, or cotton)." (Wikipedia, Wiktionary, Merriam-Webster)

    Interesting too, my first two references are driven by Open Source and pretty good, but for authoritative information, it is the closed source system of Merriam-Webster that I turn to.

    I also checked out the OED definition: "1 the sweet and fleshy product of a tree or other plant that contains seed and can be eaten as food. 2 Botany the seed-bearing structure of a plant, e.g. an acorn. 3 the result or reward of work or activity. 4 informal, derogatory, chiefly N. Amer. a male homosexual."

  • You would be correct. Linux isn't the first "hot patch" system.

    Multics (1965) was designed for 24/7/365 operation, and could replace any component by design. Hardware or software.

    http://www.multicians.org/ [multicians.org]

  • by Philip_the_physicist ( 1536015 ) on Sunday June 28, 2009 @09:13PM (#28508659)
    It seems to have been generally established that it is the uploader who is copying, not the downloader, at least from the RIAA cases (and similar ones outside the USA), where people are being sued for uploading files. IANAL, but I think the idea is that if you get a copy of something, you aren't expected to know if it is legit or not, and that it is the distributor who is harming the copyright holder, not the recipient.
