
Paradigm shift in patching

Is it possible that the entire IT system comes to a standstill when security patches are applied and that important business-critical applications cannot be used for a while? A plea for the use of new patching concepts.
Friedrich Krey, Suse
September 1, 2016
This text has been automatically translated from German to English.

Any downtime - planned or unplanned - always means an unfortunate circumstance for SAP data center teams and also for business departments or users in companies.

In terms of planned downtimes, we still average an estimated five days per year - not a bad figure. Over the years, patching processes have become more or less ritualized and standard scripts are followed: patching intervals are relatively fixed, and patches often take place on weekends.

Virtually all IT operations departments are involved and planned downtimes are coordinated with business departments.

There are no fixed dates for unplanned downtimes in SAP data centers, and it is not possible to switch to weekends. Coordination with the departments is not possible.

As a rule, only one specific problem can be fixed during an unplanned downtime. To minimize unplanned downtimes, a number of concepts and solutions - individually or in combination - are available: RAS (Reliability, Availability, Serviceability), virtualization, HA/GEO clusters, system rollback or live/online patching.

In times of real-time business, we are urged to strive for true 24x7 operation, or "Towards Zero Downtime". It is in the nature of things that software updates (and from time to time hardware updates) have to be performed in an SAP data center.

The focus here is more on security than in the past. Common Vulnerabilities and Exposures (CVEs) also affect operating systems.

CVEs describe security holes and other vulnerabilities based on uniform conventions; in this case: the vulnerability of operating system platforms including the kernel. Linux is not exempt from this.

For example, 24 CVEs categorized as serious were identified for Linux in 2014. There were more for other operating systems. It must be assumed that CVEs will continue to increase overall.

Security patching has an impact on planned and unplanned downtimes. It must not be the case that security updates, or the remediation of a CVE, bring the entire IT or SAP landscape to a near standstill.

The goal must be patching without a system reboot, which also removes the need to negotiate downtime windows with the business departments (for example, agreeing that SAP will not be used for a certain period of time).

Live patching, which gives conventional concepts the boot and, in essence, sustainably increases the IT service availability of critical SAP applications, has to come into play. For years, Suse has been working on providing live or online patching of the Linux kernel in the enterprise environment - without the typical system stop-and-go.

In the kGraft development project, the classic Dynamic Software Updating (DSU), primarily used for security patches and patches with limited size, was extended - with the aim of providing a standard live patching solution for Linux Enterprise deployment.

kGraft is based on state-of-the-art Linux technologies, including INT3/IPI-NMI self-modifying code, an RCU-like update mechanism, mount-based NOP space allocation, and standard kernel module loading/linking mechanisms.
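The "RCU-like update mechanism" mentioned above is the part of live patching that explains why no reboot is needed and why a patch can remain "in progress" for a while: each task keeps calling the old function until it passes a safe point, after which its calls are redirected to the patched function. The following Python model is an added illustration written for this article; it is not SUSE or kGraft code. The task names, the vulnerable/patched length check, and the notion of a "safe point" are constructed to show the concept, and the model ignores everything else (module loading, INT3 patching, signalling of stuck tasks).

```python
"""Simplified model of a per-task live-patch consistency mechanism.

Added example, not SUSE/kGraft code. Assumptions (constructed for illustration):
- every task is in the "old" or the "new" universe;
- a task created after the patch is loaded starts in the new universe;
- an existing task migrates when it passes a safe point (e.g. return to user space);
- a call from a task goes through a trampoline that picks the function by universe;
- the patch is "complete" only once no task remains in the old universe.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Universe(Enum):
    OLD = "old"   # task still executes the pre-patch code
    NEW = "new"   # task has migrated to the patched code


# Constructed stand-ins for a kernel function before and after a security fix.
def old_validate_length(n: int, limit: int = 4096) -> bool:
    return True                   # unpatched: accepts any length (missing check)


def new_validate_length(n: int, limit: int = 4096) -> bool:
    return 0 <= n <= limit        # patched: bounds check added


@dataclass
class Task:
    name: str
    universe: Universe


@dataclass
class LivePatchKernel:
    """Hypothetical kernel holding one live patch for one function."""
    old_fn: Callable[[int], bool]
    new_fn: Callable[[int], bool]
    tasks: Dict[str, Task] = field(default_factory=dict)
    patch_loaded: bool = False

    def spawn(self, name: str) -> None:
        # Tasks created after the patch is loaded see the new code immediately.
        uni = Universe.NEW if self.patch_loaded else Universe.OLD
        self.tasks[name] = Task(name, uni)

    def load_patch(self) -> None:
        # Loading marks the patch active; existing tasks stay in the old
        # universe until they reach a safe point. Nothing is rebooted.
        self.patch_loaded = True

    def call(self, name: str, n: int) -> bool:
        # Trampoline: dispatch according to the calling task's universe.
        t = self.tasks[name]
        use_new = self.patch_loaded and t.universe is Universe.NEW
        return (self.new_fn if use_new else self.old_fn)(n)

    def safe_point(self, name: str) -> None:
        # The task passed a consistency point (e.g. returned to user space).
        if self.patch_loaded:
            self.tasks[name].universe = Universe.NEW

    def in_progress(self) -> bool:
        # True while any task has not yet migrated.
        return self.patch_loaded and any(
            t.universe is Universe.OLD for t in self.tasks.values())

    def pending_tasks(self) -> List[str]:
        # What an operator would inspect: tasks still blocking completion.
        return sorted(t.name for t in self.tasks.values()
                      if t.universe is Universe.OLD)


def demo() -> Tuple[bool, bool, bool, bool, List[str]]:
    k = LivePatchKernel(old_validate_length, new_validate_length)
    for name in ("sapstart", "hdbindexserver", "sleeper"):   # constructed names
        k.spawn(name)
    k.load_patch()
    before = k.call("hdbindexserver", 10**9)   # not yet migrated: old code
    k.safe_point("hdbindexserver")
    after = k.call("hdbindexserver", 10**9)    # migrated: patched code
    k.spawn("new_worker")
    fresh = k.call("new_worker", 10**9)        # new task: patched code
    k.safe_point("sapstart")
    # "sleeper" never reaches a safe point, so the patch stays in progress.
    return before, after, fresh, k.in_progress(), k.pending_tasks()


if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` is the interesting one for operations: a task that sleeps indefinitely in the kernel never passes a safe point, so the patch is applied for every other task but reported as still in progress. Monitoring that state, rather than assuming the patch is complete once it is loaded, is the check a data center team would want.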

As part of this year's Sapphire, Suse introduced its SAP-certified Suse Linux Enterprise Live Patching solution, which has since been available for x86-64 servers. In addition, it is shipped with SLES 12 Service Pack 1 for SAP Applications (Hana, NetWeaver and other SAP platforms).

With Suse Linux Enterprise Live Patching, Suse gives companies a lever to turn their back on outdated patching concepts and to implement security operation concepts without planned downtimes and with minimized unplanned downtimes caused by CVEs.

At the same time, risk management can be improved, the potential for attack by malware can be proactively minimized and, in particular, IT service quality can be increased.

Friedrich Krey, Suse

Friedrich Krey is Head of SAP Alliances and Partners EMEA Central SUSE Linux GmbH and one of our esteemed E3 SAP Community Magazine columnists.
