The recent Dirty COW vulnerability (CVE-2016-5195) highlighted the need for zero-downtime updates. It was a race condition in the Linux kernel's copy-on-write handling that had been present for many years, was being actively exploited, and let an unprivileged local user escalate privileges on an unpatched system. The traditional way to close it is to install a new kernel and reboot into it, but new kernels take time to release, and the disruption of rebooting, plus the time spent rolling that reboot out across an entire fleet, can be very expensive.
Zero-downtime technologies like Ksplice solve this problem by patching the running kernel in memory, with no intervention or downtime required. Since 2008, Ksplice has pioneered in-memory patching of Linux kernel security vulnerabilities and critical bugs, and Oracle has continued to invest in it, keeping it the leading technology for keeping a Linux distribution patched. Users understand the value of Ksplice, and in recent years other vendors have started offering their own solutions for avoiding downtime, but Ksplice on Oracle Linux still offers the best patch coverage, stability and feature set.
A key differentiator between Ksplice on Oracle Linux and other distributions is user-space patching. On other distributions, user-space updates are applied on disk, and every process linked against an updated package must then be restarted before it runs the new code. For foundational libraries like glibc and OpenSSL, which almost every process loads, that means restarting essentially everything on the system, which in practice is a reboot. Oracle Linux is different: with Ksplice, glibc and OpenSSL fixes are applied to running processes in memory using the same stable technology, with no downtime or intervention.
Avoiding downtime only helps if the patching technology is itself stable, and Ksplice has a number of critical safety checks that other solutions do not offer. It safely handles cases such as systems running alternative drivers, the subtle race conditions that can arise while a patch is being applied to running code, modules that are not currently loaded, and many more edge cases.
We recognize that different organizations have different requirements, and Ksplice caters for them. In the simplest configuration, Ksplice installs quickly and then automatically downloads new zero-downtime updates, installs them and takes care of the patching. For systems without Internet access there is an offline mode in which Ksplice updates are fetched from a local ULN mirror or Spacewalk server. Offline mode can also bring a system up to a specific effective kernel version, which gives users an easy way to validate their application against a particular release. Note that because the booted kernel image itself never changes, uname -r keeps reporting the original kernel; the effective kernel version that the applied updates correspond to is reported by uptrack-uname -r instead.
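As an added example, not code from Oracle or the Ksplice client: a small POSIX shell check of the kind a fleet administrator might run after a rollout, parsing the output of uptrack-show (the Ksplice client command that lists installed rebootless updates and the effective kernel version) to confirm that a host is at the expected effective kernel and carries an update for a given CVE. The uptrack-show output embedded below is constructed for this example, with made-up update IDs and a made-up kernel version string, and the exact line format is an assumption about the client's output, so adjust the patterns to match your installed version.

```shell
#!/bin/sh
# Added example (not Oracle/Ksplice code): verify a host's rebootless patch
# state from `uptrack-show` output. `uname -r` still reports the kernel that
# was booted, so it cannot tell you which fixes are actually applied.

# Constructed sample output, standing in for `uptrack-show` on a real host.
# Update IDs and the kernel version string are made up for this example; the
# line format ("[id] description" lines, then an "Effective kernel version is"
# line) is an assumption about the client's output.
SAMPLE_UPTRACK_SHOW='Installed updates:
[a1b2c3d4] CVE-2016-5195: Privilege escalation in copy-on-write handling (Dirty COW).
[e5f6g7h8] Hardening of a hypothetical driver (constructed entry, no CVE).

Effective kernel version is 3.8.13-118.13.2.el7uek'

# effective_kernel OUTPUT
# Print the effective kernel version reported in OUTPUT (empty if absent).
effective_kernel() {
    printf '%s\n' "$1" | sed -n 's/^Effective kernel version is //p'
}

# has_cve OUTPUT CVE-ID
# Succeed if an installed-update line in OUTPUT mentions CVE-ID. Anchoring on
# the "[id] " prefix avoids matching the CVE id in unrelated text.
has_cve() {
    printf '%s\n' "$1" | grep -q "^\[[A-Za-z0-9]*] .*$2"
}

# check_host OUTPUT EXPECTED-KERNEL CVE-ID...
# Succeed only if OUTPUT shows the expected effective kernel and an update
# for every listed CVE; report the first discrepancy on stderr.
check_host() {
    out=$1
    want=$2
    shift 2
    got=$(effective_kernel "$out")
    if [ "$got" != "$want" ]; then
        echo "effective kernel is '$got', expected '$want'" >&2
        return 1
    fi
    for cve in "$@"; do
        if ! has_cve "$out" "$cve"; then
            echo "no installed update for $cve" >&2
            return 1
        fi
    done
    return 0
}

# On a real host you would feed the live client output instead:
#   check_host "$(uptrack-show)" "$EXPECTED_KERNEL" CVE-2016-5195
if check_host "$SAMPLE_UPTRACK_SHOW" 3.8.13-118.13.2.el7uek CVE-2016-5195; then
    echo "sample host: expected effective kernel and Dirty COW fix present"
fi
```

The check deliberately fails closed: a missing "Effective kernel version" line yields an empty version and a mismatch, and a CVE that appears only in free text rather than on an update line does not count, so a host that has not actually received the rebootless update is reported rather than silently passed.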
This all becomes especially important on hosts running many virtual machines or containers. On a densely packed container host, rebooting for a critical security bug disrupts potentially hundreds of applications and many users. More importantly, every container on that host shares the same kernel, so a kernel privilege-escalation bug like Dirty COW is reachable from inside every container and undermines the isolation between them; keeping the shared kernel fully patched is key to maintaining that isolation.
Finally, Ksplice is battle tested. Since its inception we have released over 1 million rebootless updates, patched highly complex, critical security vulnerabilities that have protected organizations from attackers, and can offer rapid turnaround on critical bugs. For Dirty COW, Ksplice patched over 5,000 supported kernels, the oldest of them a 2008 vintage!
We continue to innovate with Ksplice, extending it to patch more of the Linux OS, making sure that we can patch every important vulnerability and deliver the features that customers require. Find out more about Ksplice and Oracle Linux and stop rebooting!