
Hot-Patching a VM/guest snapshot Disclosure Number: IPCOM000244666D
Publication Date: 2016-Jan-06
Document File: 2 page(s) / 29K

Publishing Venue

The Prior Art Database


Disclosed is a technique to hot-patch kernel or application instances inside a VM snapshot without restoring the VM. Hence, when the VM is later restored from the snapshot, it runs with the latest fixes and updates.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 51% of the total text.

Page 01 of 2

Hot-Patching a VM/guest snapshot

Current virtualization techniques such as qemu/KVM provide functionality to save a Virtual Machine (VM) (aka guest). Saving a guest preserves the exact state of the guest's memory, including the memory used by the guest kernel (text, data, vmalloc regions) and the memory used by applications running inside the guest. The saved state is usually referred to as a VM or guest snapshot. This operation is similar to hibernating a computer or check-pointing an application. Such a saved guest can be quickly restored to its previously running state by restoring from the snapshot.

The VM snapshot consists of the running instance of the VM, including a page-by-page copy of memory, the CPU state and the meta-data required to interpret the contents of the snapshot. The meta-data is mainly required to properly restore the guest from the snapshot. The restore operation reads the guest snapshot and restores the guest to the state it was running in at the time of snapshotting. The guest is not booted during the restore operation; rather, it is resumed at the previous execution point with the registers and CPU state properly restored. The operation is similar to coming out of hibernation or resuming from a check-point.

Snapshotting a VM guest is already available in production and serves many purposes: (i) the snapshot can be copied and restored on other systems, effectively achieving guest migration; (ii) an idle guest can be snapshotted to reclaim the resources, such as memory, used by the guest.

Due to the complex nature of computers, software bugs are unavoidable. Most commercial software distributors release patches to fix bugs in the current/released version of the software. Normally the code is upgraded and the application/kernel is restarted to bring all the latest/critical patches into effect. However, applying such updates to guests that have been snapshotted either requires restoring the guest from the snapshot, applying the patch, rebooting and snapshotting the guest again (which introduces unnecessary restore and snapshot steps), or requires the updates to be performed some time later, when the guest is actually restored. Importantly, in both cases, patching is performed only after the guest has been completely restored from the snapshot. Hence there is a time window between the guest being restored from the snapshot and a hot-patch being applied, during which the guest is vulnerable in the case of a critical security patch.

Proposed is a technique to hot-patch the VM snapshot, which contains the saved memory state, so that when the VM is restored it runs with the latest fixes and updates. This technique can be extended to check-pointed images of an application, in which case applications run with the latest fixes and updates when resumed (and it can similarly be extended to hibernation images).

The adva...