This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
Elivepatch
Introduction
Flexible Distributed Linux Kernel Live Patching
Why?
- Distributed live patch building
  - Works as a client/server live patch build model
- Incremental live patch
  - You can build a live patch on top of the previous one
- Automatic live patch for security CVEs
  - Kernel CVEs are taken from https://github.com/nluedtke/linux_kernel_cves
How?
- elivepatch-client
  - Client to be run on the machine where we want to install the live patch.
- elivepatch-server
  - RESTful API for building the live patch. Uses kpatch to build the live patch object.
What?
Elivepatch-server
This is for the machine that will build the live patch.
Installation:
root # emerge --ask elivepatch-server
This installs the init script under /etc/init.d/elivepatch and its configuration file under /etc/conf.d/elivepatch.
From the conf.d file you can change the user and permissions the elivepatch daemon runs with (root by default).
You can start elivepatch-server at boot with:
root # rc-update add elivepatch default
Elivepatch-client
This is for the machine that will request the live patch build.
Installation:
root # emerge --ask elivepatch-client
One-time live patch build
root # elivepatch --config <file.config> --patch <example.patch> --url <elivepatch-server_url:elivepatch-server_port>
CVE live patch
The --cve mode live patches the current kernel against the latest security CVEs known for the given kernel version.
root # elivepatch --cve --kernel <kernel_version> --url <elivepatch-server-url:port>
It can also be run as a cron job.
Creating Live patch
Not every patch can be converted to a live patch with kpatch. Known limitations:
- Patches that change data structures
  - Changing the contents of an existing variable
  - Adding a field to an existing data structure
- Init code changes are incompatible with kpatch
- Header file changes
- Dealing with unexpectedly changed functions
- Removing references to static local variables
- Code removal
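A quick pre-check a client could run before submitting a patch to the server, added here as an example (not part of the elivepatch project's code): it scans a unified diff for the limitations listed above, using simple textual heuristics (header paths, struct/union definitions near the change, __init markers). The sample diff and its file paths are constructed for illustration.

```python
import re

# Constructed sample: a function-body fix, then a struct field added in a header.
SAMPLE_DIFF = """\
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -100,2 +100,4 @@ int tcp_example(struct sock *sk, int len)
 {
+    if (len < 0)
+        return -EINVAL;
     return len;
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -50,2 +50,3 @@ struct sock {
     int sk_state;
+    int sk_new_field;
 };
"""

STRUCT_DEF = re.compile(r'(?:^[-+ ]|@@ )\s*(struct|union)\s+\w+\s*\{')
INIT_MARK = re.compile(r'\b__init(data|const)?\b')

def split_hunks(diff_text):
    """Yield (file path, hunk lines including the '@@' header) for each hunk."""
    lines = diff_text.splitlines()
    path, hunk = '', []
    for line, nxt in zip(lines, lines[1:] + ['']):
        is_file_hdr = line.startswith('--- ') and nxt.startswith('+++ ')
        if is_file_hdr or line.startswith(('diff ', '@@')):
            if hunk:
                yield path, hunk
            hunk = [line] if line.startswith('@@') else []
            if is_file_hdr:
                path = re.sub(r'^b/', '', nxt[4:].strip())
        elif hunk:
            hunk.append(line)
    if hunk:
        yield path, hunk

def check_patch(diff_text):
    """Flag hunks that hit the kpatch limitations listed on this page."""
    issues = []
    for path, hunk in split_hunks(diff_text):
        changed = [l for l in hunk[1:] if l[:1] in ('+', '-')]
        if path.endswith('.h'):
            issues.append(f'{path}: header file change')
        # A struct/union opening in the hunk header or its context means the edit sits inside it.
        if any(STRUCT_DEF.search(l) for l in hunk):
            issues.append(f'{path}: data structure change')
        if any(INIT_MARK.search(l) for l in changed):
            issues.append(f'{path}: init code change')
    return issues
```

An empty result means none of the textual heuristics fired; it is not a guarantee that kpatch-build will succeed.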
GSoC 2017
This project is part of GSoC 2017; the code is written by User:Aliceinwire, mentored by User:Gokturk.
Written code:
- kpatch ebuild merged in the Gentoo official repository
- elivepatch client
- elivepatch server
- Official Gentoo repository elivepatch merge pull-request
Reports: