Live/Online Patching for Suse Linux Enterprise

Service interruptions such as updates or patching are common procedures in IT divisions in companies. But you don’t really want them, not often and particularly not with disproportionately long downtimes or with an unjustified use of resources.

As a Linux pioneer and innovator, Suse has put a lot of work into Linux kernel patches for some time and has undertaken considerable development effort. The result: Suse Linux Enterprise Live Patching, a component of SLES for SAP Applications that actually supports non-stop IT usage.

The solution was first deployed for x86-64 servers (Hana-on-Intel servers) in SLES 12 for SAP Applications (SP1), and was recently also made available for IBM Power (Hana-on-Power servers) (SP3). One aspect of the development was to extend the classic Dynamic Software Updating (DSU), which is mainly used for security patches (CVEs) and patches of limited size. The result is a standard live patching solution for Linux Enterprise with a high degree of automation. In addition, the latest Linux technologies were taken into account. For example INT3/IPI-NMI (with self-modifying code), an RCU-like update mechanism, mount-based NOP space allocation or standard kernel loading/linking mechanisms.

Suse Live Patching functionality in SLES for SAP Applications significantly improves risk/security management and compliance by automatically and proactively proposing and automatically implementing Linux patches. Most importantly, all this is achieved without the typical stop-and-go.

Combined with system management

Ideally, live patching is managed, controlled and monitored by Suse Manager because, among other things, Suse Manager audits the software patch status. Configuration changes can be recognized, changed or reset to a certain state in the past, if necessary.

In principle, the complexity of Hana environments can be significantly reduced with the Suse Manager, because all components and elements of the infrastructure and their patch/update status and overall systems can be managed from a single, central location. It can also be used to precisely control individual system environments required for enterprise operation (for example, for development, testing, integration and production systems). Furthermore, the Suse Manager makes it possible to implement compliance requirements in a simplified manner, for example in the security environment, or to demonstrate compliance requirements.

Last but not least, there are significant cost advantages because manual and recurring work and the necessary resources for platform management are reduced. Management is possible across all x86 Intel hardware vendors, across all Hana-on-Power systems, across all hypervisors and also in mixed environments – native and virtualized. Of course, Suse Manager also takes into account cloud computing or DevOps models.

Conclusion

Live or online patching supports non-stop IT operations and thus ultimately also non-stop business continuity. The Suse Manager helps to manage, automatically control and monitor both the online patching and all other Suse functions during Hana deployment, thereby achieving significant cost advantages.