System administrators are often expected to balance two opposing goals: security and convenience. If they want to maximize security and install kernel patches as soon as they're available, they may end up having to reboot the system frequently. But rebooting the system can be disruptive to many applications and users. As a result, system administrators are often forced to postpone kernel security updates, sometimes for long periods of time, leaving many systems vulnerable.
This talk introduces kpatch, a dynamic kernel patching infrastructure for Linux, which aims to resolve the conflict between security and convenience. Security patches can go from source code to patched kernel in minutes, without having to reboot or disrupt any applications. This makes both system administrators and their users happier!
Survey this Session