Live-patching QEMU with QEMUCare

Rebooting is a pain, and in some organizations, downright tedious. Shuffling virtual machines between hosts in a cluster is even more tedious, and when it’s time to install patches, that’s what many administrators are forced to do. In this video, I check out QEMUCare, which aims to live-patch QEMU to avoid VM shuffling. In particular, we’ll look at installing ePortal (which deploys the patches) and also an example scenario.

Setting up ePortal

The following commands are the ones used in the video; they come from the official ePortal documentation, which is the place to look for more detail.

Add NGINX repository

cat > /etc/yum.repos.d/nginx.repo <<EOL
[nginx]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/\$releasever/\$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOL

Add ePortal repository

cat > /etc/yum.repos.d/kcare-eportal.repo <<EOL
[kcare-eportal]
name=KernelCare ePortal
baseurl=https://www.repo.cloudlinux.com/kcare-eportal/\$releasever/\$basearch/
enabled=1
gpgkey=https://repo.cloudlinux.com/kernelcare/RPM-GPG-KEY-KernelCare
gpgcheck=1
EOL

Configure SELinux to allow port 8000

dnf install policycoreutils-python-utils
semanage port -m --type http_port_t --proto tcp 8000

Allow proxying with NGINX

setsebool -P httpd_can_network_connect 1

Enable port 80 in the firewall

firewall-cmd --zone=public --permanent --add-port 80/tcp

Install eportal

yum install kcare-eportal

Add a user for eportal

kc.eportal -a admin -p

Note: Be sure to clear your shell history after adding the user

Access ePortal

Navigate to ePortal in your browser:

http://<IP_or_DNS_NAME>/admin
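A post-install check for the ePortal prerequisites above, as an added example (it is not from the video or from the ePortal documentation). It assumes only the commands shown on this page; the check_* functions take command output as text so they can be run offline, and run_live_checks calls the real tools when the script is invoked with --live.

```shell
#!/bin/sh
# ePortal prerequisite check (added example, not from the video or the ePortal docs).
# Each check_* function takes the output of one command as text, so the parsing
# can be exercised without root or without SELinux/firewalld installed.

# Input: output of `semanage port -l`. Passes when the http_port_t/tcp line lists 8000.
check_selinux_port() {
    printf '%s\n' "$1" | grep -E '^http_port_t[[:space:]]+tcp' | grep -qw 8000
}

# Input: output of `getsebool httpd_can_network_connect`. Passes when the boolean is on.
check_proxy_bool() {
    printf '%s\n' "$1" | grep -qE '^httpd_can_network_connect[[:space:]]+-->[[:space:]]+on$'
}

# Input: output of `firewall-cmd --zone=public --list-ports`. Passes when 80/tcp is open.
check_firewall_port() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx '80/tcp'
}

# Input: contents of a .repo file. Passes when package signature checking is enabled.
check_repo_gpg() {
    printf '%s\n' "$1" | grep -qx 'gpgcheck=1'
}

# Runs every check against the live host; needs root and the tools from the steps above.
run_live_checks() {
    rc=0
    check_selinux_port "$(semanage port -l)" \
        || { echo "FAIL: tcp/8000 is not labelled http_port_t" >&2; rc=1; }
    check_proxy_bool "$(getsebool httpd_can_network_connect)" \
        || { echo "FAIL: httpd_can_network_connect is off" >&2; rc=1; }
    check_firewall_port "$(firewall-cmd --zone=public --list-ports)" \
        || { echo "FAIL: 80/tcp is not open in zone public" >&2; rc=1; }
    for f in /etc/yum.repos.d/nginx.repo /etc/yum.repos.d/kcare-eportal.repo; do
        check_repo_gpg "$(cat "$f" 2>/dev/null)" \
            || { echo "FAIL: gpgcheck=1 missing in $f" >&2; rc=1; }
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as root on the ePortal host with `sh eportal_check.sh --live` before opening the admin page. The firewall check reads the runtime configuration, so a rule added with --permanent only shows up after `firewall-cmd --reload`; the repo check catches a gpgcheck=0 that would let unsigned packages install.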

Installing KernelCare

Note: These commands are taken from the official KernelCare documentation, which has more detail on each step.

export KCARE_PATCH_SERVER=http://10.1.10.115/
export KCARE_REGISTRATION_URL=http://10.1.10.115/admin/api/kcare
export KCARE_MAILTO=admin@mycompany.com
curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
kcarectl --register <activation key>
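The install line above pipes a remote script straight into bash. The added example below (not from the KernelCare documentation) downloads the installer to a file first and executes it only if its SHA-256 matches a digest obtained out of band. EXPECTED_SHA256 is a placeholder because the page gives no digest, and sha256_matches, verify_then_run and fetch_and_install are names chosen here.

```shell
#!/bin/sh
# Verified install of the KernelCare agent script (added example, not vendor code).
# Export the KCARE_* variables shown above before running; the installer inherits them.

KCARE_INSTALLER_URL="https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh"
# Placeholder: replace with the digest published by the vendor or recorded from a
# reviewed copy of the script. The page does not provide one.
EXPECTED_SHA256="${EXPECTED_SHA256:-<vendor-published-sha256-goes-here>}"

# sha256_matches FILE DIGEST: succeeds when FILE's SHA-256 equals DIGEST.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_then_run FILE DIGEST: executes FILE with bash only after the digest matches.
verify_then_run() {
    if sha256_matches "$1" "$2"; then
        bash "$1"
    else
        echo "checksum mismatch for $1; refusing to run it" >&2
        return 1
    fi
}

# fetch_and_install: download to a temp file, verify, run, clean up.
fetch_and_install() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$KCARE_INSTALLER_URL" -o "$tmp"; then
        echo "download failed" >&2
        rm -f "$tmp"
        return 1
    fi
    verify_then_run "$tmp" "$EXPECTED_SHA256"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ "${1:-}" = "install" ]; then
    fetch_and_install
fi
```

Invoke it as `EXPECTED_SHA256=<digest> sh kcare_install_verified.sh install` after exporting the KCARE_* variables; registration with `kcarectl --register` follows as before. A digest mismatch stops the run before anything executes, which is the difference from the pipe-to-bash form.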

reproducer.c

#include <stdlib.h>
#include <unistd.h>
#include <sys/io.h>
#include <stdio.h>
#include <limits.h>

/*
 * Writes pseudo-random byte values to the VGA I/O port range 0x3c0-0x3df
 * from inside the guest. Needs root for iopl(). The current seed is written
 * to "testnum" and stderr before each round, so the iteration that brought
 * the VM down can be replayed:  ./reproducer [start_seed] [stop_seed]
 */
int main(int argc, char **argv)
{
    FILE *fh = fopen("testnum", "w");
    int start = argc > 1 ? atoi(argv[1]) : 0;
    int stop = argc > 2 ? atoi(argv[2]) : INT_MAX;
    int iter;

    if (fh == NULL) {
        perror("fopen");
        return 1;
    }
    /* Raise the I/O privilege level so outb() is permitted from user space. */
    if (iopl(3) < 0) {
        perror("iopl");
        return 1;
    }
    for (iter = start; iter < stop; iter++) {
        int i;

        /* Persist the seed first so the last value survives a guest crash. */
        fprintf(fh, "%d\n", iter);
        fprintf(stderr, "%d\n", iter);
        fflush(fh);
        fdatasync(fileno(fh));

        srand(iter);
        for (i = 0; i < 100000; i++) {
            int a, b;
            a = rand() % 0x100;            /* byte value to write */
            b = 0x3c0 + (rand() % 0x20);   /* port within 0x3c0-0x3df */
            outb(a, b);
        }
    }
    fclose(fh);
    return 0;
}

Relevant links