SUSE Linux Live Patching for Power – A key tool for availability
All system outages are bad. They result in lost revenue, reputation damage, lost productivity and other impacts to the business. Outages of enterprise applications such as SAP HANA can have an even greater impact on a business due to the pervasive nature of those applications. One reason you choose the IBM Power platform is the excellent hardware reliability of Power servers. Similarly, you choose SUSE Linux as the infrastructure for your SAP HANA deployments because of its track record of providing a reliable, secure computing environment.
SUSE Linux for SAP Applications includes a broad set of tools to manage unplanned software outages for SAP HANA environments, including the High Availability Extension, automated failover of SAP HANA, and specialized monitoring to detect problems before they result in an outage. SUSE also built specific features into SUSE Linux to provide higher availability for SAP HANA such as support for 512TB virtual address space size to avoid outages caused by address space fragmentation.
Unfortunately, there are some outages that are difficult to avoid. Outages are often required to install patches for critical or security exposures that affect the Linux kernel. These patches must be installed to avoid potentially more severe outages. In 2017 there were more than 400 Common Vulnerabilities and Exposures (CVE) identified for the Linux Kernel. While not all of those vulnerabilities may be applicable to every environment, outages to install kernel security patches can significantly impact overall system availability.
SUSE has been a pioneer in developing technology to address this issue. SUSE first introduced SUSE Linux Enterprise Live Patching as a product in 2014. This product uses technology called kGraft, allowing you to install kernel patches with no outage. SUSE developed kGraft with the Linux Community because it does not require the system being patched to pause execution during the patch process. This gives customers great flexibility to use SUSE Live Patching to address serious vulnerabilities quickly. SAP has supported live patching since 2016.
The SUSE Live Patching process works by redirecting calls to kernel functions to a new, patched version of that function. Multiple live patches can be installed to a kernel function. SUSE recommends that customers reboot their system at least yearly.
SUSE can provide live patches for SUSE CVSS (Common Vulnerability Scoring System) level 6+ vulnerabilities as well as bug fixes related to system stability or data corruption. For more information on CVSS, see http://nvd.nist.gov/cvss.cfm/. It is not possible to produce a live patch for all kernel bugs.
SUSE released support for Kernel Live Patching on the IBM Power platform in January 2018 (https://www.suse.com/c/live-patching-helps-deliver-nonstop-ibm-power-systems/). It requires at least SLES 12 Service Pack 2 for the ppc64le platform. Live Patching is a separate product that must be purchased in addition to SLES for SAP Applications for Power.
In summary, SUSE and IBM provide a number of tools to help you keep your SAP HANA system running smoothly and reliably on IBM Power systems. Live Patching provides an important tool for customers that need the ultimate level of availability for their SAP HANA systems.