Paradigm shift in patching
Any downtime - planned or unplanned - is always an unfortunate circumstance for SAP data center teams, and just as much for the business departments and users in a company.
In terms of planned downtimes, we still average an estimated five days per year - not a bad figure. Over the years, patching processes have become more or less ritualized and standard scripts are followed: patching intervals are relatively fixed, and patches often take place on weekends.
Virtually all IT operations departments are involved and planned downtimes are coordinated with business departments.
Unplanned downtimes in SAP data centers have no fixed dates, cannot be shifted to weekends, and cannot be coordinated with the business departments in advance.
As a rule, only one specific problem can be fixed during an unplanned downtime. To minimize unplanned downtimes, a number of concepts and solutions - individually or in combination - are available: RAS (Reliability, Availability, Serviceability), virtualization, HA/GEO clusters, system rollback or live/online patching.
In times of real-time business, we are urged to strive for true 7X24 operation or "Towards Zero Downtime". It is in the nature of things that software updates (and from time to time hardware updates) have to be performed in an SAP data center.
The focus here is more on security than in the past. Common Vulnerabilities and Exposures (CVEs) also affect operating systems.
CVEs describe security holes and other vulnerabilities according to uniform conventions; in this case, the vulnerabilities of operating system platforms, including the kernel. Linux is not exempt from this.
For example, 24 CVEs categorized as serious were identified for Linux in 2014. There were more for other operating systems. It must be assumed that CVEs will continue to increase overall.
Security patching affects both planned and unplanned downtimes. It must not be the case that security updates, a kind of CVE therapy, result in a near-total slowdown of IT or SAP operations.
The goal must be patching without system reboots, and therefore without the downtime agreements with business departments that reboots entail, for example that SAP will not be used for a certain period of time.
Live patching, which gives conventional concepts the boot and, in essence, sustainably increases the IT service availability of critical SAP applications, has to come into play. For years, Suse has been working on providing live or online patching of the Linux kernel in the enterprise environment - without the typical system stop-and-go.
In the kGraft development project, the classic Dynamic Software Updating (DSU), primarily used for security patches and patches with limited size, was extended - with the aim of providing a standard live patching solution for Linux Enterprise deployment.
kGraft is based on state-of-the-art Linux technologies, including INT3/IPI-NMI self-modifying code, an RCU-like update mechanism, mcount-based NOP space allocation, and the standard kernel module loading/linking mechanisms.
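The RCU-like update mechanism named above is kGraft's per-task consistency switch: each task keeps running the old code until it passes a safe point, then migrates to the new code. The Python model below is an added illustration of that switch, not SUSE's or kGraft's code; the class, task and function names are constructed.

```python
"""Toy model of kGraft's RCU-like, per-task consistency switch (added
illustration, not SUSE/kGraft code; all names are constructed).

Patched functions are entered through a trampoline. While a patch is in
progress, a task flagged "in progress" still runs the OLD implementation;
an unflagged task runs the NEW one. A task drops its flag only at a safe
point (the kernel entry/exit boundary), so it never mixes old and new code.
"""

class Task:
    def __init__(self, name):
        self.name = name
        self.in_progress = False  # per-task flag: still in the old universe?

class LivePatcher:
    def __init__(self, tasks):
        self.tasks = tasks
        self.patches = {}         # function name -> (old_impl, new_impl)
        self.in_progress = False  # True until every task has migrated

    def apply(self, name, old, new):
        """Install the trampoline for `name` and flag all tasks as old-universe."""
        self.patches[name] = (old, new)
        self.in_progress = True
        for t in self.tasks:
            t.in_progress = True

    def call(self, task, name, *args):
        """Trampoline: dispatch on the caller's universe, not on global state."""
        old, new = self.patches[name]
        return (old if task.in_progress else new)(*args)

    def safe_point(self, task):
        """Task crossed a safe point: migrate it; done when none is left behind."""
        task.in_progress = False
        self.in_progress = any(t.in_progress for t in self.tasks)

def demo():
    """Two constructed tasks observe one patch of a constructed function."""
    a, b = Task("task_a"), Task("task_b")
    lp = LivePatcher([a, b])
    lp.apply("vuln_func", lambda x: ("old", x), lambda x: ("new", x))
    seen = [lp.call(a, "vuln_func", 1)[0]]      # a not migrated yet -> "old"
    lp.safe_point(a)
    seen.append(lp.call(a, "vuln_func", 2)[0])  # a migrated -> "new"
    seen.append(lp.call(b, "vuln_func", 3)[0])  # b still old-universe -> "old"
    blocking = [t.name for t in lp.tasks if t.in_progress]  # keeps patch open
    lp.safe_point(b)                            # last task migrates: patch done
    return seen, blocking, lp.in_progress
```

The `blocking` list is the operational point: a task that never crosses a safe point (one sleeping in the kernel, say) holds the whole patch in progress, which is why live patching is a minimizing strategy for downtime rather than a guarantee.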
As part of this year's Sapphire, Suse introduced its SAP-certified Suse Linux Enterprise Live Patching solution, which has since been available for x86-64 servers. In addition, it is shipped with SLES 12 Service Pack 1 for SAP Applications (Hana, NetWeaver and other SAP platforms).
With Suse Linux Enterprise Live Patching, Suse gives companies a lever to turn their back on outdated patching concepts and to implement security operation concepts without planned downtimes and with minimized unplanned downtimes (caused by CVEs).
At the same time, risk management can be improved, the attack surface available to malware can be proactively minimized and, in particular, IT service quality can be increased.