rancher-kpatch

On a fresh RancherOS 0.7.0 system, we can live patch the kernel using a RancherOS service:

[root@ip-172-31-2-194 rancher]# ros service enable https://raw.githubusercontent.com/SvenDowideit/rancher-kpatch/master/os-mypatch/service.yml
Pulling mykpatch (roast/mykpatch:0.7.0)...
0.7.0: Pulling from roast/mykpatch
Digest: sha256:393183dd55f6d5a91b12e1e6a0c9ae561210078a76da7c635f3a9cc81a0ea3b3
Status: Image is up to date for roast/mykpatch:0.7.0
[root@ip-172-31-2-194 rancher]# ros service list
enabled  amazon-ecs-agent
disabled kernel-extras
disabled kernel-headers
disabled kernel-headers-system-docker
disabled open-vm-tools
enabled  https://raw.githubusercontent.com/SvenDowideit/rancher-kpatch/master/os-mypatch/service.yml
[root@ip-172-31-2-194 rancher]# ros service up mykpatch
WARN[0000] The ECS_AGENT_VERSION variable is not set. Substituting a blank string.
INFO[0000] Project [os]: Starting project
INFO[0000] [0/21] [mykpatch]: Starting
INFO[0000] [1/21] [mykpatch]: Started
INFO[0000] Project [os]: Project started
mykpatch_1 | + insmod /kpatch.ko
mykpatch_1 | + /kpatch load kpatch-mypatch.ko
mykpatch_1 | loading patch module: kpatch-mypatch.ko
[root@ip-172-31-2-194 rancher]# lsmod | head
Module                  Size  Used by    Tainted: G
kpatch_mypatch         16384  1
kpatch                 53248  0
xt_nat                 16384  1
veth                   16384  0
ipt_MASQUERADE         16384  2
nf_nat_masquerade_ipv4    16384  1 ipt_MASQUERADE
xfrm_user              28672  1
xfrm_algo              16384  1 xfrm_user
iptable_nat            16384  1
[root@ip-172-31-2-194 rancher]# grep -i chunk /proc/meminfo
VMALLOCCHUNK:          0 kB

Or, without a RancherOS service file:

[root@ip-172-31-2-194 rancher]# system-docker pull roast/mykpatch:0.7.0
0.7.0: Pulling from roast/mykpatch
af49a5ceb2a5: Already exists
8f9757b472e7: Already exists
e931b117db38: Already exists
47b5e16c0811: Already exists
9332eaf1a55b: Already exists
f11ca47706eb: Already exists
7448d2ce3de4: Pull complete
Digest: sha256:393183dd55f6d5a91b12e1e6a0c9ae561210078a76da7c635f3a9cc81a0ea3b3
Status: Downloaded newer image for roast/mykpatch:0.7.0
[root@ip-172-31-2-194 rancher]# system-docker run --rm -it roast/mykpatch:0.7.0
+ insmod /kpatch.ko
insmod: ERROR: could not insert module /kpatch.ko: Operation not permitted
[root@ip-172-31-2-194 rancher]# grep -i chunk /proc/meminfo
VmallocChunk:          0 kB
[root@ip-172-31-2-194 rancher]# system-docker run --rm -it --privileged roast/mykpatch:0.7.0 
+ insmod /kpatch.ko
+ /kpatch load kpatch-mypatch.ko
loading patch module: kpatch-mypatch.ko
[root@ip-172-31-2-194 rancher]# grep -i chunk /proc/meminfo
VMALLOCCHUNK:          0 kB

The output above shows the example patch from https://github.com/dynup/kpatch, which only modifies the output in /proc/meminfo.
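The check the session performs by eye (kpatch modules in `lsmod`, upper-case key in /proc/meminfo) can be scripted. This is an added example, not code from this repository; the function names are hypothetical and the sample inputs are constructed from the session output shown above.

```shell
#!/bin/sh
# Added example: classify live-patch state from `lsmod` and /proc/meminfo text.
# Function names are hypothetical; sample inputs are constructed from this page.

# kpatch_modules LSMOD_TEXT -> names of loaded kpatch modules, one per line
kpatch_modules() {
    printf '%s\n' "$1" | awk '$1 == "kpatch" || index($1, "kpatch_") == 1 { print $1 }'
}

# meminfo_patched MEMINFO_TEXT -> exit 0 if the example patch's upper-case key is present
meminfo_patched() {
    printf '%s\n' "$1" | grep -q '^VMALLOCCHUNK:'
}

# kpatch_state LSMOD_TEXT MEMINFO_TEXT -> prints one of:
#   applied       core and patch modules loaded, patched output visible
#   not-loaded    no kpatch modules, output unpatched
#   inconsistent  anything else (e.g. module listed but output unchanged)
kpatch_state() {
    mods=$(kpatch_modules "$1")
    core=no; patch=no
    for m in $mods; do
        case $m in
            kpatch)   core=yes ;;
            kpatch_*) patch=yes ;;
        esac
    done
    if meminfo_patched "$2"; then seen=yes; else seen=no; fi
    case "$core/$patch/$seen" in
        yes/yes/yes) echo applied ;;
        no/no/no)    echo not-loaded ;;
        *)           echo inconsistent ;;
    esac
}

# Constructed samples mirroring the session output on this page
SAMPLE_LSMOD='Module                  Size  Used by    Tainted: G
kpatch_mypatch         16384  1
kpatch                 53248  0
xt_nat                 16384  1'
SAMPLE_LSMOD_STOCK='Module                  Size  Used by    Tainted: G
xt_nat                 16384  1'
SAMPLE_MEMINFO_PATCHED='VMALLOCCHUNK:          0 kB'
SAMPLE_MEMINFO_STOCK='VmallocChunk:          0 kB'

kpatch_state "$SAMPLE_LSMOD" "$SAMPLE_MEMINFO_PATCHED"   # prints: applied
```

On a live host, pass `"$(lsmod)"` and `"$(cat /proc/meminfo)"` as the two arguments.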

How it was built

This repo has 2 commands in it.

  1. build-original.sh, which rebuilds the kernel source used for RancherOS v0.7.0 with DEBUG_INFO on. You need to commit the resulting container image (35GB): docker commit <dapper-container> rancherbuild/os-kernel:linux-4.4.21-rancher-debug
  2. build-kpatch.sh, which then uses that build to create a kpatch module, and then builds a small Ubuntu-based container that, when run in privileged mode, will load the kernel patch module.

NOTE: the build-original.sh script uses an unreleased feature of dapper (--keep: don't delete the dapper container at the end of the build), so you need to use the version in this repository.
