Elivepatch

From Gentoo Wiki


Introduction

elivepatch is a distributed application for building live patches. It also supports automatic installation of live patches for security CVEs on any gentoo-sources kernel newer than 4.1.

elivepatch diagram

Features

  • Distributed live patch building
    • Works on a client-server live patch build model
  • Incremental live patch
    • You can build a live patch on top of the previous one
  • Automatic live patches for security CVEs

Implementation

  • elivepatch-client
    • Client to be run on the machine where the live patch is to be installed.
  • elivepatch-server
    • RESTful API for building the live patch. Uses kpatch to build the live patch object.

Usage

Elivepatch-server

This is for the machine that will build the live patch.

Installation:

root #emerge --ask elivepatch-server

This installs the init script at /etc/init.d/elivepatch and the configuration file at /etc/conf.d/elivepatch.
In the conf.d file you can change the user and permissions the elivepatch daemon runs with (root by default).
To start elivepatch-server at boot:

root #rc-config add elivepatch-server default

Elivepatch-client

This is for the machine that will request a live patch build.

Installation:

root #emerge --ask elivepatch-client

One time live patch build

root #elivepatch --config <file.config> --patch <example.patch> --url <elivepatch-server_url:elivepatch-server_port>
CVE livepatch

The CVE live patch command live patches the current kernel with the latest security CVE fixes.

root #elivepatch --cve --kernel <kernel_version> --url <elivepatch-server-url:port>

It can also be run as a cron job.
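The following wrapper is an added example of running the CVE command above from cron; it is not part of the elivepatch project. It checks that the running kernel meets the 4.1 minimum stated in the introduction, takes a lock so that overlapping cron runs do not start two builds at once, and only then invokes the client. It assumes the elivepatch client is on PATH, that ELIVEPATCH_URL holds the host:port of a reachable elivepatch-server, and that the kernel version accepted by --kernel is the output of uname -r; the lock directory path is likewise a chosen assumption.

```shell
#!/bin/sh
# Constructed cron wrapper for "elivepatch --cve" (not project code).
# Assumptions: elivepatch client on PATH, ELIVEPATCH_URL=host:port of the
# server, and "uname -r" being the kernel version string --kernel expects.

# Return 0 if the kernel version is 4.1 or newer, the minimum elivepatch
# supports; accepts strings such as 4.9.76-gentoo-r1.
kernel_supported() {
    ver="$1"
    major="${ver%%.*}"            # text before the first dot
    rest="${ver#*.}"              # text after the first dot
    minor="${rest%%[!0-9]*}"      # leading digits of the minor component
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 1 ]; }
}

# Build, verify and run the CVE live patch request for the running kernel.
run_cve_livepatch() {
    kver="$(uname -r)"
    url="${ELIVEPATCH_URL:?set ELIVEPATCH_URL to the server host:port}"

    if ! kernel_supported "$kver"; then
        echo "kernel $kver is older than 4.1; elivepatch does not support it" >&2
        return 2
    fi

    # mkdir is atomic, so it serialises concurrent cron invocations.
    lock=/run/lock/elivepatch-cve.lock   # assumed path
    if ! mkdir "$lock" 2>/dev/null; then
        echo "another elivepatch run holds $lock; skipping" >&2
        return 3
    fi
    trap 'rmdir "$lock"' EXIT

    elivepatch --cve --kernel "$kver" --url "$url"
}

# Only run when invoked as "script run", e.g. from a crontab entry such as:
#   0 3 * * * ELIVEPATCH_URL=server:port /usr/local/sbin/elivepatch-cve.sh run
if [ "${1:-}" = "run" ]; then
    run_cve_livepatch
fi
```

The exit codes 2 and 3 are distinct from whatever the client itself returns, so a cron mail or log line identifies whether a run was skipped for an unsupported kernel, skipped because of the lock, or failed inside elivepatch.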

Creating Live patch

Not all patches can be converted into live patches using kpatch.

GSoC 2017

This project is part of GSoC 2017 and the code is written by User:Aliceinwire, mentored by User:Gokturk.

Written code:

Reports: