Live/online patching in Linux Enterprise deployment
Service interruptions for updates or patches are routine in corporate IT divisions, but they are not welcome: not when they occur frequently, not when they cause disproportionately long downtimes, and not when they consume resources that cannot be justified.
Suse, as a Linux pioneer and innovator, has dealt with the topic of Linux kernel patches very intensively for quite some time and has undertaken considerable development work.
The result: Suse Linux Enterprise Live Patching, a component of SLES for SAP Applications that in effect supports a kind of non-stop IT usage. The solution was first made available for x86-64 servers (Hana-on-Intel servers) in SLES 12 for SAP Applications (SP1), and has recently become available for IBM Power (Hana-on-Power servers) (SP3).
One aspect of the developments was to extend the classic Dynamic Software Updating (DSU), primarily used for security patches (CVEs) and patches with limited size. The result is a standard live patching solution for Linux Enterprise use with high automation.
State-of-the-art Linux technologies were taken into account, for example INT3/IPI-NMI (with self-modifying code), an RCU-like update mechanism, mcount-based NOP space allocation and standard kernel loading/linking mechanisms.
The Suse Live Patching functionality in SLES for SAP Applications significantly improves risk/security management and compliance by, for example, automatically (proactively) suggesting Linux patches and, if desired, applying them automatically, all without the typical stop-and-go.
Combined with system management
Ideally, live patching, like all the other function building blocks in Suse Linux Enterprise Server for SAP Applications, is managed, controlled and monitored via Suse Manager.
Among other things, Suse Manager audits the software patch status. Configuration changes can be detected, modified or reset to a certain state in the past, if necessary.
In principle, the complexity of Hana environments can be significantly reduced with Suse Manager. This is because all components and elements of the infrastructure and their patch/update status, as well as the overall systems themselves, can be managed from a single central location.
It can also be used to precisely control individual environments required for enterprise operations (for example, for development, test, integration and production systems).
Furthermore, Suse Manager makes it simpler to implement compliance requirements, for example in the security area, and to prove adherence to them.
Last but not least, there are significant cost advantages, above all because manual and recurring work, and the costly capacities/resources it requires for platform management, are reduced.
Management is possible across all x86 Intel hardware vendors, across all Hana-on-Power systems, across all hypervisors and also in mixed environments, native and virtualized. Of course, Suse Manager also takes cloud computing and DevOps models into account.
Conclusion
Live or online patching supports non-stop IT operations and, ultimately, non-stop business continuity. Suse Manager helps to manage, automate and control both online patching and all other Suse Function Building Blocks in a Hana deployment, and thus to achieve significant cost benefits.