day 09 ~ day 13

This week's short summary:

kpatch:
- Minor fixes and cleaning
- Installation path fix
- Testing live patch with different gcc versions

elivepatch:
- Designed and wrote the first draft of the elivepatch server and client
- Made server and client communicate together over a RESTful API
- Wrote the CVE downloader
- Wrote the kernel version reader
- Wrote the command line argument parser

What to do next week:
- Finalize a simple elivepatch prototype demo
- Create the target side software that will manage the live patching

Day 09

---
The parallel build issue looks solved with the new kpatch ebuild.
---
kpatch ebuild update: still working on it.
Dropped the yum dependency.
---
The kpatch core module is the part that handles the injection of the
patch and verifies that the procedure is safe.

It has 4 states, as detailed in the source code.

From the source code:

      +-----------------------------------------------------+
      |                                                     |
      |                                                     +
      v                     +---> KPATCH_STATE_SUCCESS      |
KPATCH_STATE_IDLE  +---> KPATCH_STATE_UPDATING              |
      ^                     +---> KPATCH_STATE_FAILURE      |
      |                                                     +
      |                                                     |
      +-----------------------------------------------------+

---
elivepatch
For checking for CVE security problems we can use this repository:
https://github.com/nluedtke/linux_kernel_cves

The elivepatch diagram as of now:

+-------------------------------------------------------+
|                                                       |
|                                                       |
|         Search CVE                                    |
|             ^                                         |
|             +-----> Request new patch                 |
|             |                                         |
|             +                                         |
|  elivepatch_client <-------------> elivepatch_server  |
|             +         RESTful           +             |
|             |                           |             |
|             |                           |             |
|             |                           |             |
|             v                           v             |
|    Live patch Kernel           Get patch from         |
|                                Linux Git Hash         |
|                                String.                |
|    Live patch success rate                            |
+-------------------------------------------------------+

Updated the client structure to follow the diagram:
https://github.com/aliceinwire/elivepatch/commit/43a75cbe6712cda90d0bc163c01f42e5358ec7b2

Day 10

Added einstalldocs to the kpatch ebuild.
Fixed incorrect installation to /usr/local/.

About the elivepatch design, after talking with gokturk I need to:
- Have a way to know which patches are already applied and which are
  not. https://wiki.gentoo.org/wiki/GLEP:42#Client_Side
- A place for keeping the applied patches (local database).
- Find a way to reapply patches on reboot and know which patch is for which
  kernel (but for now it is the user's responsibility to invoke the tool on reboot).
- Keep up with kernel upgrades.

Day 11
Define command line arguments.

elivepatch --help      will print the help output
elivepatch --cve       will check for security problems in the kernel
elivepatch --patch     will test a premade patch
elivepatch --kernel    will set a manual kernel
elivepatch --debug     will set the debug option
elivepatch --verbose   will print the debug log
elivepatch --version   will print the version

Pushed the command line parser first draft,
revision number 7c6cf4682ef05782d8e126ea6b7d64a707c59015


kpatch ebuild:
pushed new revision

Day 12
Finished the argument and configuration parser.
Defaulted the CVE repository folder to /tmp/kernel_cve/.
Return the kernel version.

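As an added illustration (not elivepatch's own code) of the Day 11 command line and the kernel version reader finished here: an argparse parser with those flags, plus a reader that takes the "x.y.z" from the header line of a gzip'd kernel config such as /proc/config.gz and returns it as a tuple like ('4', '9', '16'). The header line format, the --config/--url defaults and the sample config bytes are assumptions constructed for the demo.

```python
import argparse
import gzip
import io
import re

# Header line of a kernel .config / /proc/config.gz, e.g.
# "# Linux/x86 4.9.16 Kernel Configuration" (assumed format).
CONFIG_HEADER = re.compile(r"^# Linux/\S+ (\d+)\.(\d+)\.(\d+)")

# Constructed sample of a gzip'd config, standing in for /proc/config.gz.
SAMPLE_CONFIG_GZ = gzip.compress(
    b"# Automatically generated file; DO NOT EDIT.\n"
    b"# Linux/x86 4.9.16 Kernel Configuration\n"
    b"#\n"
    b"CONFIG_64BIT=y\n"
)


def build_parser():
    """The Day 11 command line as an argparse parser (hypothetical layout)."""
    p = argparse.ArgumentParser(prog="elivepatch")
    p.add_argument("--cve", action="store_true", help="check for security problems in the kernel")
    p.add_argument("--patch", help="test a premade patch")
    p.add_argument("--kernel", help="set a manual kernel version instead of reading the config")
    p.add_argument("--config", default="/proc/config.gz", help="kernel config to read the version from")
    p.add_argument("--url", default="http://127.0.0.1:5000", help="elivepatch server url")
    p.add_argument("--debug", action="store_true", help="set the debug option")
    p.add_argument("--verbose", action="store_true", help="print debug log")
    p.add_argument("--version", action="store_true", help="print the version")
    return p


def kernel_version_from_config(data):
    """Return the kernel version as a tuple of strings, e.g. ('4', '9', '16'), or None."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as fh:
        for raw in fh:
            line = raw.decode("utf-8", "replace")
            if not line.startswith("#"):
                return None  # left the header comment block without finding a version
            m = CONFIG_HEADER.match(line)
            if m:
                return m.groups()
    return None


def kernel_version(args):
    """--kernel wins; otherwise read the version from the config file named in --config."""
    if args.kernel:
        return tuple(args.kernel.split("."))
    with open(args.config, "rb") as fh:
        return kernel_version_from_config(fh.read())
```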
Did the summary of what we need to do and what we have done.

Next time we will need to work on the patch creation and deploy
system.

Day 13
Checked patching with different GCC versions 5.8.2 and 4.9.4
and it worked.

I could make the elivepatch client and server communicate with each
other over a RESTful API with basic auth.

For communicating with the server, the client is using the requests
library.
The server is using Flask-RESTful.

For now we are only getting the server version:

kernel_dev elivepatch_client (master*) # PYTHONPATH=/root/elivepatch/ python3 bin/elivepatch --cve --url http://192.168.122.6:5000
Namespace(conf_file=None, config='/proc/config.gz', cve=True, debug=False, patch=None, url='http://192.168.122.6:5000', version=False)
('4', '9', '16')
{
    "agent": [
        {
            "module": "elivepatch",
            "version": "0.01"
        }
    ]
}

{'agent': [{'version': '0.01', 'module': 'elivepatch'}]}

I tried the text version and the JSON version and both were working.

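The client/server exchange described above, as an added example that is not elivepatch's code: a stand-in server that returns the same agent JSON shown in the output only when the HTTP basic auth header is valid, and a client that fetches it. It uses only the Python standard library (http.server and urllib instead of Flask-RESTful and requests) so it runs offline; the /agent path and the elivepatch/password credentials are constructed for the demo.

```python
import base64
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

AGENT_INFO = {"agent": [{"module": "elivepatch", "version": "0.01"}]}  # shape from the output above
USER, PASSWORD = "elivepatch", "password"  # constructed demo credentials, not elivepatch's


def basic_auth_value(user, password):
    """Build the 'Basic <base64(user:password)>' Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class AgentHandler(BaseHTTPRequestHandler):
    # Server side: answers GET with the agent version only if basic auth is valid.
    def do_GET(self):
        sent = self.headers.get("Authorization", "").encode("utf-8", "replace")
        expected = basic_auth_value(USER, PASSWORD).encode()
        # Constant-time comparison so a wrong password is not detectable via timing.
        if not hmac.compare_digest(sent, expected):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="elivepatch"')
            self.end_headers()
            return
        body = json.dumps(AGENT_INFO).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Serve on a free localhost port in a background thread; return (server, base url)."""
    srv = HTTPServer(("127.0.0.1", 0), AgentHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def get_agent_version(url, user, password):
    """Client side: GET url/agent with basic auth; return the JSON dict, or the HTTP status on error."""
    req = urllib.request.Request(url + "/agent", headers={"Authorization": basic_auth_value(user, password)})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code
```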
We probably need to add url_pass and url_user for basic auth to the
client arguments.

Today I added the url argument for setting the elivepatch server url.

Also wrote the first draft for sending the configuration file, but not tested yet.

------
import requests

def send_config(self, config_path, config_file):
    # Upload the kernel config to the elivepatch server as a multipart file.
    url = self.server_url
    headers = {'elivepatch': 'password'}
    with open(config_path, 'rb') as fh:
        files = {'file': (config_file, fh, 'multipart/form-data', {'Expires': '0'})}
        r = requests.post(url, files=files, headers=headers)
    return r
------