Comments on: Kernel Security vs Uptime

By: security and more » security vs. uptime

security and more » security vs. uptime — Mon, 30 Jun 2008 23:01:27 +0000

[...] Russel Coker have done some math about kernel security related reboots and some common uptime marketing gags. [...]

By: Interstellar Medium: the Free Software carnival » Blog Archive » Free Software carnival: 21 – 27 June 2008

Fri, 27 Jun 2008 15:59:03 +0000

[...] Russell Coker (Debian) notes that reboots due to kernel security patches result in a non-trivial amount of downtime. [...]

By: Gunnar

Gunnar — Fri, 27 Jun 2008 14:52:21 +0000

You say: If you don’t have redundant servers, then that is the case. I’ll be writing more about this in future posts.
Well… If you don’t have redundant servers, then you should not be buying marketspeak-grade irreal measures such as the many-nineness.

By: Neal Walfield

Neal Walfield — Fri, 27 Jun 2008 07:19:54 +0000

One way to mitigate these types of problems is by applying updates at run-time. There’s a nice paper on implementing this in the Linux kernel from EuroSys 2007:

Dynamic and Adaptive Updates of Non-Quiescent Subsystems in Commodity Operating System Kernels

Kristis Makris, Kyung Dong Ryu

http://citeseerx.ist.psu.edu/viewdoc/summary;jsessionid=01EF71F4576C25F6615F21E3D8A99DC6?cid=5563105

By: David Clarke

David Clarke — Fri, 27 Jun 2008 02:37:01 +0000

etbe: OpenBSD is the only one I know that can do both pfsync (firewall state sync) and sasync (IPsec security association sync). FreeBSD can currently only do the former, I believe. NetBSD I’ve never really touched, so don’t know.

By: daveg

daveg — Fri, 27 Jun 2008 01:06:07 +0000

One other method for saving time when reboots are required for new kernels is using kexec. This will save you time as the system doesn't need to do a full BIOS reboot.