Install software updates and security patches without rebooting

For server administrators, installing software updates and security patches is a critical part of the job. But it's also expensive and disruptive when a server must be rebooted to activate the update. A team of MIT engineers has developed technology that allows rebootless updates, and it's now available through a subscription service.

There's a real irony to my article this week. Just as I began to write, I got an e-mail from one of my hosted service providers. To paraphrase the message, it says: "Dear Customer, we will be performing maintenance on your application server for a few hours this weekend. We plan to install critical software updates and security patches. During this window you may experience brief interruptions in service. Sorry for the inconvenience."

You've seen similar messages before. Perhaps you even write them and send them out to your own customers when you need to install software updates and security fixes. While the process of installing software updates is disruptive and expensive -- Gartner estimates downtime for a critical system costs $42,000 an hour -- there's no getting around the need to apply updates. According to Microsoft, 90 percent of the attacks in the wild exploit known vulnerabilities.

It's essential to patch systems to keep them reliable and secure. But while you must patch, must you reboot the server to apply the patch? Not necessarily.

There's a new subscription service launching this week that provides rebootless updates. Ksplice has just announced the general availability of its Ksplice Uptrack service for Linux servers. When a vendor releases software updates, Ksplice makes those updates into a module that can be applied to a server without rebooting it. This saves you the hassle of notifying customers of downtime and planning for staff members to work at 2:00 a.m. on a Sunday morning. The update can be applied painlessly and without any disruption to anyone's work.

The company Ksplice was founded by four MIT engineers. The technology they've developed is based on thesis research, and it has received numerous accolades and honors, including The Wall Street Journal 2009 Technology Innovation Award. The technology can be applied to virtually any type of software, including operating systems and applications, running on a wide variety of devices, such as servers, network routers and switches, storage arrays, mobile devices and more. The potential for this technology is huge; if you aren't using it today, you might use it in the not-too-distant future.

In the life cycle of a software update, the process starts when someone discovers a bug or security hole in the code. The software vendor releases an update, which the administrator installs. To apply the update and have it take effect, you typically restart the software; in the case of an OS patch, this means rebooting the machine -- an inconvenience for you and all the users.

With the Ksplice service, when the software vendor releases an update, Ksplice makes the update rebootless and delivers it to customers where it can be installed and applied without any disruption. The software is up to date and secure.

Here's the recipe for the secret sauce -- how Ksplice makes an update rebootless. Ksplice has the source code for the software to be updated, say a Linux OS, as well as the source code for the update itself. The company then compiles the program twice, once without the patch and once with the patch. Ksplice compares the two versions and identifies the functions that have changed. Ksplice pulls out just these functions, packages them into a kernel module, and ships this module containing the replacement code to customers.

Customers then load the module, which places the corrected versions of those functions in memory alongside the old ones. At a safe time, the first instruction of the old buggy version of the function is replaced with a jump instruction, so every caller of that function is redirected to the corrected version. Basically, it's a detour around the old code so that the new code is always what executes in memory.

Since the changes are in memory only, they aren't persistent. This means an administrator still needs to apply the permanent fix at some point down the road. In the meantime, however, the Ksplice fix keeps the software secure without disrupting service.
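As an added illustration, not Ksplice's code, here is a user-space model on x86-64 Linux of the detour described above: the first instruction of a constructed buggy function is overwritten with a jump to its fixed version, in memory only, and the displaced bytes are saved so the change can be undone, mirroring the point that nothing persists on disk. The function names and the off-by-one bug are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed "buggy" function: lets index 256 through for a 256-slot table. */
__attribute__((noinline)) int slot_ok_buggy(int idx) { return idx >= 0 && idx <= 256; }
/* Constructed replacement, standing in for the function the vendor's fix changed. */
__attribute__((noinline)) int slot_ok_fixed(int idx) { return idx >= 0 && idx < 256; }

#define JMP_LEN 5                     /* x86-64 "jmp rel32" is E9 + 4 displacement bytes */
static unsigned char saved[JMP_LEN];  /* displaced bytes, kept so the detour can be undone */

/* Change page permissions for the few bytes at fn that the detour touches. */
static int set_prot(void *fn, int prot) {
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)fn & ~(pg - 1);
    uintptr_t end = ((uintptr_t)fn + JMP_LEN + pg - 1) & ~(pg - 1);
    return mprotect((void *)start, end - start, prot);
}

/* Overwrite the first JMP_LEN bytes of old_fn, then re-lock the page (0 on success). */
static int write_code(void *old_fn, const unsigned char *bytes) {
#if !defined(__x86_64__) || !defined(__linux__)
    (void)old_fn; (void)bytes; return -2;          /* demo is x86-64 Linux only */
#else
    if (set_prot(old_fn, PROT_READ | PROT_WRITE | PROT_EXEC)) return -1;
    memcpy(old_fn, bytes, JMP_LEN);
    __builtin___clear_cache((char *)old_fn, (char *)old_fn + JMP_LEN);
    return set_prot(old_fn, PROT_READ | PROT_EXEC);
#endif
}

/* Install "jmp new_fn" as the first instruction of old_fn, in memory only.
 * Every existing caller of old_fn is now detoured to new_fn with its arguments intact. */
int install_detour(void *old_fn, void *new_fn) {
    unsigned char jmp[JMP_LEN] = { 0xE9 };
    int32_t rel = (int32_t)((intptr_t)new_fn - ((intptr_t)old_fn + JMP_LEN));
    memcpy(jmp + 1, &rel, sizeof rel);
    memcpy(saved, old_fn, JMP_LEN);                /* remember what the jump displaces */
    return write_code(old_fn, jmp);
}
/* Put the displaced bytes back: the fix was never on disk, only in memory. */
int remove_detour(void *old_fn) { return write_code(old_fn, saved); }

/* Call through a volatile pointer so the compiler cannot fold the answer in. */
int check_slot(int idx) {
    int (*volatile fn)(int) = slot_ok_buggy;
    return fn(idx);
}
```

In a single-threaded demo any moment is a "safe time"; a kernel live patcher must first confirm no thread is executing inside the function being replaced.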

Some 30 or so hosting companies have been early adopters of the technology, including SingleHop. Andrew Brooks is a security engineer at SingleHop, and he uses Ksplice Uptrack on about 500 (soon to be 600) Linux servers. "A zero-day exploit spreads like wildfire," Brooks says. "We use Uptrack because it's the fastest way to get a security patch applied to our servers. This gives us a competitive edge if we can reduce downtime for our customers." Brooks says he spends less time on administration by having the patches waiting for him via RSS feeds. He can install an update without rebooting and without having to coordinate reboot schedules with hundreds of customers.

You can sign up for a free trial of the Ksplice Uptrack subscription service. If you like it and find value in it, sign on as a customer and reduce the worry of patching your software.

Learn more about this topic

MIT recognizes startup Ksplice for rebootless OS updates

Ksplice debuts zero downtime service for Linux

Patch management tools

Copyright © 2010 IDG Communications, Inc.