* [gentoo-soc] [GSoC 2017 - week 03] Report summary
@ 2017-06-17 23:36 Alice Ferrazzi
From: Alice Ferrazzi @ 2017-06-17 23:36 UTC
To: gentoo-soc; +Cc: Mike Pagano, Gokturk Yuksek
day 09 ~ day 13
This week short summary:
kpatch:
- Minor fixes and cleaning
- Installation path fix
- Testing live patch with different gcc versions
elivepatch:
- Designed and wrote the first draft of elivepatch server and client
- Made server and client communicate together with RESTful API
- Wrote the CVE downloader
- Wrote the kernel version reader
- Wrote the command line argument parser
What to do next week:
- Finalizing a simple elivepatch prototype demo
- Create the target side software that will manage the live patching
Day 09
---
The parallel build issue looks solved with the new kpatch ebuild.
---
kpatch ebuild update still working on.
dropped yum dependency.
---
Kpatch core module is the part that will handle the injection of the
patch and verify procedure safety.
It has 4 states, as detailed in the source code.
from the source code:
+-----------------------------------------------------+
|                                                     |
|                                                     +
v                                             +---> KPATCH_STATE_SUCCESS
KPATCH_STATE_IDLE +---> KPATCH_STATE_UPDATING |
^                                             +---> KPATCH_STATE_FAILURE
|                                                     +
|                                                     |
+-----------------------------------------------------+
---
elivepatch
for checking for CVE security problems we can use this repository
https://github.com/nluedtke/linux_kernel_cves
As now elivepatch diagram
+-------------------------------------------------------+
|                                                       |
|                                                       |
|   Search CVE                                          |
|        ^                                              |
|        +-----> Request new patch                      |
|        |                                              |
|        +                                              |
|elivepatch_client<-------------->elivepatch_server     |
|        +            RESTful             +             |
|        |                                |             |
|        |                                |             |
|        |                                |             |
|        v                                v             |
|Live patch Kernel                 Get patch from       |
|                                  Linux Git Hash       |
|                                  String.              |
|                                Live patch success rate|
+-------------------------------------------------------+
Updated the client structure for following the diagram:
https://github.com/aliceinwire/elivepatch/commit/43a75cbe6712cda90d0bc163c01f42e5358ec7b2
Day 10
added einstalldocs to kpatch ebuild
Fixed incorrect installation to /usr/local/
about the elivepatch design after talking with gokturk I need to:
- Have a way to know which patches are already applied and which are
not. https://wiki.gentoo.org/wiki/GLEP:42#Client_Side
- Place for keeping the applied patches. (local database)
- Find a way to reapply patches on reboot and know which patches are for which
kernel. (but for now it is the user's responsibility to invoke the tool on reboot)
- Keep up on kernel upgrade.
Day 11
Defining command line arguments.
elivepatch --help will print the help output
elivepatch --cve will check for security problem in the kernel
elivepatch --patch will test a premade patch
elivepatch --kernel will set a manual kernel
elivepatch --debug will set the debug option
elivepatch --verbose will print debug log
elivepatch --version will print the version
push command line parser first draft
revision number 7c6cf4682ef05782d8e126ea6b7d64a707c59015
kpatch ebuild:
pushed new revision
Day 12
Finished the argument and configuration parser.
Defaulted the cve repository folder in /tmp/kernel_cve/
Return kernel Version
Did the summary of what we need to do and we have done.
Next time we will need to work on the patching creation and deploy
system.
Day 13
Checked patching with different GCC versions 5.8.2 and 4.9.4
and it worked.
I could make the elivepatch client and server communicate with each
other with RESTful API and basic auth.
For communicating with the server, the client is using the requests
library.
The server is using flask RESTful.
As now we are getting only the server version:
kernel_dev elivepatch_client (master*) # PYTHONPATH=/root/elivepatch/ python3 bin/elivepatch --cve --url http://192.168.122.6:5000
Namespace(conf_file=None, config='/proc/config.gz', cve=True, debug=False, patch=None, url='http://192.168.122.6:5000', version=False)
('4', '9', '16')
{
"agent": [
{
"module": "elivepatch",
"version": "0.01"
}
]
}
{'agent': [{'version': '0.01', 'module': 'elivepatch'}]}
I tried the text version and the JSON version and both were working
we probably need to add the url_pass and url_user for basic auth to the
client arguments.
Today I added the url argument for setting the elivepatch server url.
Also wrote the first draft for sending the configuration file but not tested yet.
------
import requests

def send_config(self, config_path, config_file):
    url = self.server_url
    headers = {'elivepatch': 'password'}
    # Upload the kernel config; the with-block closes the file afterwards.
    with open(config_path, 'rb') as config:
        files = {'file': (config_file, config, 'multipart/form-data', {'Expires': '0'})}
        r = requests.post(url, files=files, headers=headers)
    return r
------
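Added example, not part of the original message and not elivepatch code: the Day 13 notes mention basic auth between client and server and the need for user and password arguments on the client. The block below shows both sides of that check with only the Python standard library (in place of requests and flask), refusing to attach credentials to a plain-HTTP URL. The function names and the sample credential store are hypothetical.

```python
import base64
import hmac
from urllib.parse import urlsplit

# Constructed sample credential store (hypothetical user and password).
USERS = {"elivepatch": "s3cret-example"}


def basic_auth_header(user, password):
    """Client side: value for the Authorization header (RFC 7617)."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def check_basic_auth(header, users=USERS):
    """Server side: True only for a well-formed header with a known user/password."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and invalid UTF-8
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    expected = users.get(user)
    # Constant-time comparison; also executed for unknown users.
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    return ok and expected is not None


def request_headers(server_url, user, password):
    """Headers for a client request; refuse to send credentials over plain HTTP."""
    if urlsplit(server_url).scheme != "https":
        raise ValueError("basic auth needs an https:// server URL")
    return {"Authorization": basic_auth_header(user, password)}
```

Basic auth only base64-encodes the credentials, so the HTTPS requirement is what keeps them off the wire in readable form.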