Using SysCare
This chapter describes how to use SysCare on openEuler, including patch creation, application, activation, deactivation, acceptance, uninstallation, save and restore, conflict detection, overwriting, and querying.
Prerequisites
openEuler 22.03 LTS SP3 has been installed.
Live Patch Creation
Run syscare build to create kernel-mode and user-mode live patches from RPM packages. The resulting live patches are themselves packaged as RPM packages.
Command Parameters
USAGE:
syscare build [OPTIONS] --patch-name <PATCH_NAME> --source <SOURCE>... --debuginfo <DEBUGINFO>... --patch <PATCH>...
OPTIONS:
-n, --patch-name <PATCH_NAME> Patch name
--patch-arch <PATCH_ARCH> Patch architecture [default: aarch64]
--patch-version <PATCH_VERSION> Patch version [default: 1]
--patch-release <PATCH_RELEASE> Patch release [default: 1]
--patch-description <PATCH_DESCRIPTION> Patch description [default: (none)]
--patch-requires <PATCH_REQUIRES>... Patch requirements
-s, --source <SOURCE>... Source package(s)
-d, --debuginfo <DEBUGINFO>... Debuginfo package(s)
-p, --patch <PATCH>... Patch file(s)
--work-dir <WORK_DIR> Working directory [default: /var/run/syscare]
--build-root <BUILD_ROOT> Build temporary directory [default: .]
-o, --output <OUTPUT> Output directory [default: .]
-j, --jobs <JOBS> Parallel build jobs [default: 64]
--skip-compiler-check Skip compiler version check (not recommended)
--skip-cleanup Skip post-build cleanup
-v, --verbose Provide more detailed info
-h, --help Print help information
-V, --version Print version information
Command Options
Name | Description | Type | Note |
---|---|---|---|
-n, --patch-name <PATCH_NAME> | Patch name | String | Mandatory. The value must comply with the RPM package naming convention. |
--patch-arch <PATCH_ARCH> | Patch architecture | String | The default value is the current architecture. The value must comply with the RPM package naming convention. |
--patch-version <PATCH_VERSION> | Patch version | String | The default value is 1. The value must comply with the RPM package naming convention. |
--patch-release <PATCH_RELEASE> | Patch release | Integer | The default value is 1. The value must comply with the RPM package naming convention. |
--patch-description <PATCH_DESCRIPTION> | Patch description | String | The default value is none. |
--patch-requires <PATCH_REQUIRES> | Additional patch dependencies | String | The default value is empty. The name must meet RPM specifications. |
-s, --source <SOURCE> | Target software src.rpm package path | String | Mandatory. The value must be a valid path. |
-d, --debuginfo <DEBUGINFO> | Target software debuginfo package path | String | Mandatory. The value must be a valid path. |
-p, --patch <PATCH> | Patch file | String | This option is mandatory. The value must be a valid path. |
--work-dir <WORK_DIR> | Temporary working directory | String | The default value is /var/run/syscare. The value must be a valid path. |
--build-root <BUILD_ROOT> | Temporary build path | String | The default value is the current directory. The value must be a valid path. |
-o, --output <OUTPUT> | Patch output directory | String | The default value is the current directory. The value must be a valid path. |
-j, --jobs <N> | Number of parallel compilation jobs | Integer | The default value is the number of CPU threads |
--skip-compiler-check | Skip compiler check | Flag | - |
--skip-cleanup | Skip temporary file cleanup | Flag | - |
-v, --verbose | Print detail information | Flag | - |
-h, --help | Print help information | Flag | - |
-V, --version | Print version information | Flag | - |
An example command is as follows. Note that --patch, which names the patch file to be applied to the source, is also mandatory:
syscare build \
--patch-name "HP001" \
--patch-description "CVE-2021-32675 - When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users." \
--source ./redis-6.2.5-1.src.rpm \
--debuginfo ./redis-debuginfo-6.2.5-1.x86_64.rpm \
--output ./output \
Live Patch Making Process
Prepare the source package (source RPM) and debugging information package (debuginfo RPM) of the target software.
Example:
yumdownloader kernel --source
yumdownloader kernel --debuginfo
Ensure that the related software build dependencies are installed.
Example:
dnf install make gcc bison flex openssl-devel dwarves python3-devel elfutils-libelf-devel
Run the syscare build command. Example:
syscare build \
--patch-name HP001 \
--source kernel-5.10.0-60.66.0.91.oe2203.src.rpm \
--debuginfo kernel-debuginfo-5.10.0-60.66.0.91.oe2203.x86_64.rpm \
--output output \
--patch 001-kernel-patch-test.patch
During patch making, a temporary folder whose name starts with syscare-build is created in the temporary build directory given by --build-root (the current directory by default) to store temporary files and build logs. Example:
$ ls -l syscare-build.111602/
total 100
-rw-r--r--. 1 dev dev 92303 Nov 12 00:00 build.log
drwxr-xr-x. 6 dev dev 4096 Nov 12 00:00 package
drwxr-xr-x. 4 dev dev 4096 Nov 12 00:00 patch
The build log (build.log) is written in this temporary folder:
$ cat syscare-build.111602/build.log | less
...
If the patch is created successfully and --skip-cleanup is not specified, the temporary folder is deleted after patch making.
Check the build result.
Example:
$ ls -l
total 189680
-rw-r--r--. 1 dev dev 194218767 Nov 12 00:00 kernel-5.10.0-60.91.0.115.oe2203-HP001-1-1.x86_64.src.rpm
-rw-r--r--. 1 dev dev 10937 Nov 12 00:00 patch-kernel-5.10.0-60.91.0.115.oe2203-HP001-1-1.x86_64.rpm
In the output:
patch-kernel-5.10.0-60.91.0.115.oe2203-HP001-1-1.x86_64.rpm is the live patch package.
kernel-5.10.0-60.91.0.115.oe2203-HP001-1-1.x86_64.src.rpm is the live patch source package.
Install the patch.
dnf install patch-xxx.rpm
After the patch is installed, the patch files are stored in the /usr/lib/syscare/patches/target_software_package_name/patch_name directory.
Uninstall the patch.
dnf remove patch-xxx
The patch package is uninstalled even when the patch is in the ACTIVED or ACCEPTED state, so check the patch status with syscare status before removing the package.
Patch Output
Two RPM packages are generated:
A live patch package that contains the binary file of the live patch and meta information. This package is used to install the live patch.
A live patch source package that contains the target software source code and the new patch. This package is used to create live patches for new versions.
Naming rules:
- Live patch package: patch-TARGET_SOFTWARE_FULL_NAME-PATCH_NAME-PATCH_VERSION-PATCH_RELEASE.ARCHITECTURE.rpm
- Live patch source code package: TARGET_SOFTWARE_FULL_NAME-PATCH_NAME-PATCH_VERSION-PATCH_RELEASE.ARCHITECTURE.src.rpm
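As an added example (not SysCare's own code), the following shell helpers encode the naming rules above and the input checks a practitioner would run around the build procedure: they split a src.rpm file name into name, version and release, derive the debuginfo file name that matches the source package, predict the two output file names from the naming rules, and verify that a build produced them. All function names are my own. Two assumptions are made: that the debuginfo package must carry the same name, version and release as the source package (the build matches binaries to symbols, so a mismatched debuginfo cannot work), and that a build uses the version and release defaults of 1 listed in the option table.

```shell
#!/bin/bash
# Added example (not part of SysCare): helpers that encode the live patch naming
# rule and pre-flight checks for `syscare build` inputs. Function names are my own.

# split_src_rpm FILE -> prints "NAME VERSION RELEASE" for a src.rpm file name,
# e.g. kernel-5.10.0-60.66.0.91.oe2203.src.rpm -> kernel 5.10.0 60.66.0.91.oe2203
split_src_rpm() {
    local nvr name ver rel
    nvr=$(basename "$1")
    nvr=${nvr%.src.rpm}
    rel=${nvr##*-}          # release: everything after the last '-'
    nvr=${nvr%-*}
    ver=${nvr##*-}          # version: the field before the release
    name=${nvr%-*}          # name: the rest (may itself contain '-')
    printf '%s %s %s\n' "$name" "$ver" "$rel"
}

# target_full_name FILE -> NAME-VERSION-RELEASE, the TARGET_SOFTWARE_FULL_NAME
# that the naming rule puts into the output file names
target_full_name() {
    local f
    f=$(basename "$1")
    printf '%s\n' "${f%.src.rpm}"
}

# expected_debuginfo SRC_RPM ARCH -> the debuginfo file name that matches the
# source package (assumption: <name>-debuginfo-<ver>-<rel>.<arch>.rpm naming,
# same version and release as the source package)
expected_debuginfo() {
    set -- $(split_src_rpm "$1") "$2"
    printf '%s-debuginfo-%s-%s.%s.rpm\n' "$1" "$2" "$3" "$4"
}

# debuginfo_matches SRC_RPM DEBUGINFO_RPM -> 0 if the debuginfo file name is the
# one expected for SRC_RPM (the architecture is taken from the debuginfo name)
debuginfo_matches() {
    local dbg arch
    dbg=$(basename "$2")
    arch=${dbg%.rpm}
    arch=${arch##*.}
    [ "$dbg" = "$(expected_debuginfo "$1" "$arch")" ]
}

# patch_rpm_name FULL_NAME PATCH_NAME VERSION RELEASE ARCH -> live patch package name
patch_rpm_name() {
    printf 'patch-%s-%s-%s-%s.%s.rpm\n' "$1" "$2" "$3" "$4" "$5"
}

# patch_src_rpm_name FULL_NAME PATCH_NAME VERSION RELEASE ARCH -> live patch source package name
patch_src_rpm_name() {
    printf '%s-%s-%s-%s.%s.src.rpm\n' "$1" "$2" "$3" "$4" "$5"
}

# build_output_ok OUTPUT_DIR FULL_NAME PATCH_NAME VERSION RELEASE ARCH -> 0 when
# both files predicted by the naming rule exist in OUTPUT_DIR
build_output_ok() {
    local dir=$1; shift
    [ -f "$dir/$(patch_rpm_name "$@")" ] && [ -f "$dir/$(patch_src_rpm_name "$@")" ]
}

# checked_build SRC DEBUGINFO PATCH_FILE PATCH_NAME OUTDIR: refuse to start a
# build with a mismatched debuginfo package, run the build with the default
# version/release of 1, then verify that the expected output files exist.
# Needs a real syscare installation; not exercised by the offline checks.
checked_build() {
    local src=$1 dbg=$2 pfile=$3 pname=$4 out=$5 arch
    if ! debuginfo_matches "$src" "$dbg"; then
        echo "debuginfo package $dbg does not match source package $src" >&2
        return 1
    fi
    syscare build --patch-name "$pname" --source "$src" --debuginfo "$dbg" \
        --patch "$pfile" --output "$out" || return 1
    arch=$(basename "$dbg"); arch=${arch%.rpm}; arch=${arch##*.}
    build_output_ok "$out" "$(target_full_name "$src")" "$pname" 1 1 "$arch"
}
```

A mismatched debuginfo package is the most common reason for an upatch-build failure that is only discovered after a long build, which is why the check runs before syscare build rather than after it.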
Error Handling
If an error occurs, see the build logs:
Error output example:
...
Building patch, this may take a while
ERROR: Process '/usr/libexec/syscare/upatch-build' exited unsuccessfully, exit_code=255
Live Patch Management
Run the syscare command to manage patches. SysCare searches for the patch that matches the given identifier and performs the requested operation.
The identifier has the form package_name/patch_name; package_name can be omitted when patch_name is unique, and the patch UUID can be used instead.
Querying Live Patches
Run syscare list to query all installed live patches.
Example:
root@dev:[~]$ syscare list
Uuid Name Status
d81bce18-04bd-499f-91e9-8b9d7b94a76b glibc-2.34-112.oe2203/HP001-1-1/libc.so.6 NOT-APPLIED
3e7cb90d-9a4c-4fdf-a389-29d5e863f4b0 kernel-5.10.0-153.12.0.92.oe2203sp2/ACC-1-1/vmlinux NOT-APPLIED
64fa88bd-def5-4994-85de-a7903c526109 kernel-5.10.0-60.91.0.115.oe2203/HP-50801-1-1/vmlinux NOT-APPLIED
78268c3b-39a2-4d5c-ae96-206d8c62977a kernel-5.10.0-60.91.0.115.oe2203/HP-50802-1-1/vmlinux NOT-APPLIED
c568f31d-acfb-4fdb-8d2c-bde3facab5a2 kernel-5.10.0-60.91.0.115.oe2203/HP001-1-1/vmlinux NOT-APPLIED
35b5ece6-8b67-407e-93fe-d576a78ab499 nginx-1.21.5-4/HP001-1-1/nginx NOT-APPLIED
074734fc-034f-4e40-b943-6a76d766939b openssl-libs-1.1.1m-22.oe2203/HP001-1-1/libcrypto.so.1.1.1m NOT-APPLIED
ae124f00-206a-4385-a341-c7b2f7e19482 qemu-7.0.0-2/HP001-1-1/qemu-system-aarch64 NOT-APPLIED
11316483-dc62-4caf-bd5d-c51801dcb032 qemu-7.0.0-2/HP001-1-1/qemu-system-arm NOT-APPLIED
b382ea35-6713-4cfc-bb72-038feefb8173 qemu-7.0.0-2/HP001-1-1/qemu-system-i386 NOT-APPLIED
6aaec566-a220-4b60-8020-8077b6adc6a6 qemu-7.0.0-2/HP001-1-1/qemu-system-mips NOT-APPLIED
2bc0158e-fc42-4ea1-8f5c-e6891d10098b qemu-7.0.0-2/HP001-1-1/qemu-system-mips64 NOT-APPLIED
17e00bf0-b389-46d3-a036-933aeb41e0cb qemu-7.0.0-2/HP001-1-1/qemu-system-mips64el NOT-APPLIED
8481a911-d80b-4099-b9a2-a4d3c63de06d qemu-7.0.0-2/HP001-1-1/qemu-system-mipsel NOT-APPLIED
d8305d00-6f45-4c38-b7a4-844b4a667d89 qemu-7.0.0-2/HP001-1-1/qemu-system-ppc NOT-APPLIED
d10dc5f8-1692-4da4-8908-d2075c47d62b qemu-7.0.0-2/HP001-1-1/qemu-system-ppc64 NOT-APPLIED
77dbfd01-dee4-405b-930f-9711a0ad43c4 qemu-7.0.0-2/HP001-1-1/qemu-system-x86_64 NOT-APPLIED
777f15fe-cfc8-4b7a-96af-808a4518859f redis-6.2.5-1/HP001-1-1/redis-benchmark NOT-APPLIED
0e776e26-58cd-42ce-85e4-046481acad09 redis-6.2.5-1/HP001-1-1/redis-cli NOT-APPLIED
d9432f08-65cf-4849-a9af-ba20e9b6c7dc redis-6.2.5-1/HP001-1-1/redis-server NOT-APPLIED
789f0052-b932-4d9d-961d-7003bece1a3a redis-6.2.5-1/HP002-1-1/redis-benchmark NOT-APPLIED
e4aee980-1596-43d9-be9a-07fc6f668970 redis-6.2.5-1/HP002-1-1/redis-cli NOT-APPLIED
feb13c9a-02b3-4109-a2f3-c3e9fe41e9ad redis-6.2.5-1/HP002-1-1/redis-server NOT-APPLIED
Querying Live Patch Metadata
Run syscare info to query the metadata of one or more live patches.
The following information is included in the live patch metadata:
Field | Description |
---|---|
name | Live patch name |
version | Live patch version |
release | Live patch release |
arch | Live patch architecture |
type | Live patch type |
target | Target software |
license | Target software license |
description | Live patch description |
entities | Target binary file of the live patch |
patches | Live patch file list |
Example:
root@dev:[~]$ syscare info redis-6.2.5-1/HP001-1-1
-------------------------------------------
Patch: redis-6.2.5-1/HP001-1-1
-------------------------------------------
name: HP001
version: 1
release: 1
arch: x86_64
type: UserPatch
target: redis-6.2.5-1
license: BSD and MIT
description: CVE-2021-32675 - When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users.
entities:
* redis-server
* redis-benchmark
* redis-cli
patches:
* 0001-Prevent-unauthenticated-client-from-easily-consuming.patch
-------------------------------------------
Querying Live Patch Status
Run syscare status to query the status of one or more live patches.
Example:
root@dev:[~]$ syscare status redis-6.2.5-1/HP001-1-1
redis-6.2.5-1/HP001-1-1/redis-server: NOT-APPLIED
redis-6.2.5-1/HP001-1-1/redis-benchmark: NOT-APPLIED
redis-6.2.5-1/HP001-1-1/redis-cli: NOT-APPLIED
Loading and Activating Live Patches
Run syscare apply to load and activate one or more live patches in the NOT-APPLIED state.
Example:
root@dev:[~]$ syscare list
Uuid Name Status
777f15fe-cfc8-4b7a-96af-808a4518859f redis-6.2.5-1/HP001-1-1/redis-benchmark NOT-APPLIED
0e776e26-58cd-42ce-85e4-046481acad09 redis-6.2.5-1/HP001-1-1/redis-cli NOT-APPLIED
d9432f08-65cf-4849-a9af-ba20e9b6c7dc redis-6.2.5-1/HP001-1-1/redis-server NOT-APPLIED
root@dev:[~]$ syscare apply redis-6.2.5-1/HP001-1-1
redis-6.2.5-1/HP001-1-1/redis-cli: ACTIVED
redis-6.2.5-1/HP001-1-1/redis-benchmark: ACTIVED
redis-6.2.5-1/HP001-1-1/redis-server: ACTIVED
Activating Live Patches
Run syscare active to activate one or more live patches in the DEACTIVED state.
Example:
root@dev:[~]$ syscare list
Uuid Name Status
777f15fe-cfc8-4b7a-96af-808a4518859f redis-6.2.5-1/HP001-1-1/redis-benchmark DEACTIVED
0e776e26-58cd-42ce-85e4-046481acad09 redis-6.2.5-1/HP001-1-1/redis-cli DEACTIVED
d9432f08-65cf-4849-a9af-ba20e9b6c7dc redis-6.2.5-1/HP001-1-1/redis-server DEACTIVED
root@dev:[~]$ syscare active redis-6.2.5-1/HP001-1-1
redis-6.2.5-1/HP001-1-1/redis-cli: ACTIVED
redis-6.2.5-1/HP001-1-1/redis-benchmark: ACTIVED
redis-6.2.5-1/HP001-1-1/redis-server: ACTIVED
Deactivating Live Patches
Run syscare deactive to deactivate one or more live patches in the ACTIVED state.
Example:
root@dev:[~]$ syscare list
Uuid Name Status
777f15fe-cfc8-4b7a-96af-808a4518859f redis-6.2.5-1/HP001-1-1/redis-benchmark ACTIVED
0e776e26-58cd-42ce-85e4-046481acad09 redis-6.2.5-1/HP001-1-1/redis-cli ACTIVED
d9432f08-65cf-4849-a9af-ba20e9b6c7dc redis-6.2.5-1/HP001-1-1/redis-server ACTIVED
root@dev:[~]$ syscare deactive redis-6.2.5-1/HP001-1-1
redis-6.2.5-1/HP001-1-1/redis-cli: DEACTIVED
redis-6.2.5-1/HP001-1-1/redis-benchmark: DEACTIVED
redis-6.2.5-1/HP001-1-1/redis-server: DEACTIVED
Accepting Live Patches
Run syscare accept to accept one or more live patches in the ACTIVED state.
Accepted live patches are activated automatically after the system is restarted; live patches that are only in the ACTIVED state are not reapplied after a restart.
Example:
root@dev:[~]$ syscare list
Uuid Name Status
777f15fe-cfc8-4b7a-96af-808a4518859f redis-6.2.5-1/HP001-1-1/redis-benchmark ACTIVED
0e776e26-58cd-42ce-85e4-046481acad09 redis-6.2.5-1/HP001-1-1/redis-cli ACTIVED
d9432f08-65cf-4849-a9af-ba20e9b6c7dc redis-6.2.5-1/HP001-1-1/redis-server ACTIVED
root@dev:[~]$ syscare accept redis-6.2.5-1/HP001-1-1
redis-6.2.5-1/HP001-1-1/redis-cli: ACCEPTED
redis-6.2.5-1/HP001-1-1/redis-benchmark: ACCEPTED
redis-6.2.5-1/HP001-1-1/redis-server: ACCEPTED
Uninstalling Live Patches
Run syscare remove to unload one or more live patches in any state. The patches return to the NOT-APPLIED state; the patch RPM package itself stays installed (use dnf remove to uninstall it).
Example:
root@dev:[~]$ syscare list
Uuid Name Status
777f15fe-cfc8-4b7a-96af-808a4518859f redis-6.2.5-1/HP001-1-1/redis-benchmark DEACTIVED
0e776e26-58cd-42ce-85e4-046481acad09 redis-6.2.5-1/HP001-1-1/redis-cli ACTIVED
d9432f08-65cf-4849-a9af-ba20e9b6c7dc redis-6.2.5-1/HP001-1-1/redis-server ACCEPTED
root@dev:[~]$ syscare remove redis-6.2.5-1/HP001-1-1
redis-6.2.5-1/HP001-1-1/redis-cli: NOT-APPLIED
redis-6.2.5-1/HP001-1-1/redis-benchmark: NOT-APPLIED
redis-6.2.5-1/HP001-1-1/redis-server: NOT-APPLIED
Supporting Multiple Live Patches
SysCare allows multiple live patches to be applied to one user-mode binary file.
Example:
root@dev:[~]$ syscare list
Uuid Name Status
777f15fe-cfc8-4b7a-96af-808a4518859f redis-6.2.5-1/HP001-1-1/redis-benchmark ACTIVED
0e776e26-58cd-42ce-85e4-046481acad09 redis-6.2.5-1/HP001-1-1/redis-cli ACTIVED
d9432f08-65cf-4849-a9af-ba20e9b6c7dc redis-6.2.5-1/HP001-1-1/redis-server ACTIVED
789f0052-b932-4d9d-961d-7003bece1a3a redis-6.2.5-1/HP002-1-1/redis-benchmark ACTIVED
e4aee980-1596-43d9-be9a-07fc6f668970 redis-6.2.5-1/HP002-1-1/redis-cli ACTIVED
feb13c9a-02b3-4109-a2f3-c3e9fe41e9ad redis-6.2.5-1/HP002-1-1/redis-server ACTIVED
Detecting Live Patch Conflicts
If a live patch to be applied patches functions that are already patched by a loaded live patch, the operation fails and a message indicating the conflict is displayed.
Example:
root@dev:[~]$ syscare apply redis-6.2.5-1/HP002-1-1
Error: Operation failed
Caused by:
1. Transaction "Apply patch 'redis-6.2.5-1/HP002-1-1'" failed
Caused by:
0: Driver: Patch "redis-6.2.5-1/HP002-1-1/redis-cli" check failed
1: Upatch: Patch is conflicted with "0e776e26-58cd-42ce-85e4-046481acad09"
Run syscare check to test whether a live patch would conflict with the loaded live patches, without applying it.
Example:
root@dev:[~]$ syscare check redis-6.2.5-1/HP002-1-1
Error: Operation failed
Caused by:
1. Driver: Patch "redis-6.2.5-1/HP002-1-1/redis-server" check failed
Caused by:
Upatch: Patch is conflicted with "d9432f08-65cf-4849-a9af-ba20e9b6c7dc"
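As an added example (not part of SysCare), the shell functions below parse the output formats shown in this chapter so that a rollout can be verified by script rather than by eye: they list the entities of a patch from syscare list output, check that every entity of a patch reached the expected state (an apply that leaves one entity behind is exactly the case worth catching), map the UUID quoted in a conflict error back to the name and state of the loaded patch it belongs to, and compare two listings taken before and after an operation. The listing and error text embedded below are constructed from the examples on this page; the function names are my own, and the parsing assumes the whitespace-separated three-column layout shown above.

```shell
#!/bin/bash
# Added example (not part of SysCare): parse `syscare list` output and the error
# text of a failed `syscare apply`/`syscare check` to verify patch rollout.

# Constructed `syscare list` output in the page's Uuid/Name/Status layout
SAMPLE_LIST='Uuid Name Status
777f15fe-cfc8-4b7a-96af-808a4518859f redis-6.2.5-1/HP001-1-1/redis-benchmark ACTIVED
0e776e26-58cd-42ce-85e4-046481acad09 redis-6.2.5-1/HP001-1-1/redis-cli ACTIVED
d9432f08-65cf-4849-a9af-ba20e9b6c7dc redis-6.2.5-1/HP001-1-1/redis-server ACCEPTED
789f0052-b932-4d9d-961d-7003bece1a3a redis-6.2.5-1/HP002-1-1/redis-benchmark NOT-APPLIED'

# Constructed error text in the shape `syscare apply` prints on a conflict
SAMPLE_ERROR=$(cat <<'EOF'
Error: Operation failed
Caused by:
    1. Transaction "Apply patch 'redis-6.2.5-1/HP002-1-1'" failed
Caused by:
    0: Driver: Patch "redis-6.2.5-1/HP002-1-1/redis-cli" check failed
    1: Upatch: Patch is conflicted with "0e776e26-58cd-42ce-85e4-046481acad09"
EOF
)

# list_states LISTING PATCH -> "entity state" for every entity of PATCH, where
# PATCH is the package_name/patch_name identifier syscare itself uses
list_states() {
    printf '%s\n' "$1" | awk -v p="$2/" 'NR > 1 && index($2, p) == 1 {
        n = split($2, f, "/"); print f[n], $3 }'
}

# all_in_state LISTING PATCH STATE -> 0 only if PATCH has at least one entity
# and every entity is in STATE
all_in_state() {
    local out
    out=$(list_states "$1" "$2")
    [ -n "$out" ] && printf '%s\n' "$out" | awk -v s="$3" '$2 != s { c++ } END { exit c > 0 }'
}

# uuid_to_name LISTING UUID -> the Name column for UUID (empty if unknown)
uuid_to_name() {
    printf '%s\n' "$1" | awk -v u="$2" '$1 == u { print $2 }'
}

# conflict_uuids ERRTEXT -> the UUIDs quoted after "conflicted with"
conflict_uuids() {
    printf '%s\n' "$1" | sed -n 's/.*conflicted with "\([^"]*\)".*/\1/p'
}

# explain_conflict LISTING ERRTEXT -> "UUID NAME STATE" for each loaded patch
# that blocks the apply, so the operator knows what --force would overwrite
explain_conflict() {
    local u
    for u in $(conflict_uuids "$2"); do
        printf '%s\n' "$1" | awk -v u="$u" '$1 == u { print $1, $2, $3 }'
    done
}

# state_diff BEFORE AFTER -> "NAME BEFORE_STATE AFTER_STATE" for every entity
# whose state differs between two listings (e.g. before and after a restart)
state_diff() {
    { printf '%s\n' "$1"; printf '%s\n' "$2"; } | awk '
        $1 == "Uuid" { next }
        !($1 in before) { before[$1] = $3; name[$1] = $2; next }
        $3 != before[$1] { print name[$1], before[$1], $3 }'
}

# apply_and_verify PATCH: apply on a live system and fail unless every entity
# is ACTIVED; on a conflict, name the loaded patch that caused it.
# Needs a real syscare installation; not exercised by the offline checks.
apply_and_verify() {
    local err
    if ! err=$(syscare apply "$1" 2>&1); then
        printf '%s\n' "$err" >&2
        explain_conflict "$(syscare list)" "$err" >&2
        return 1
    fi
    all_in_state "$(syscare list)" "$1" ACTIVED
}
```

Checking every entity rather than the command's exit status matters because a patch with several target binaries (the three redis entities above) is only fully effective when all of them report the same state.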
Overwriting Live Patches
Use the --force option to overwrite existing live patches with the current one when a conflict is reported. This bypasses the conflict check, so the overlapping functions of the earlier patch are replaced by the new one; confirm the resulting state with syscare status afterwards.
Example:
root@dev:[~]$ syscare list
Uuid Name Status
777f15fe-cfc8-4b7a-96af-808a4518859f redis-6.2.5-1/HP001-1-1/redis-benchmark ACTIVED
0e776e26-58cd-42ce-85e4-046481acad09 redis-6.2.5-1/HP001-1-1/redis-cli ACTIVED
d9432f08-65cf-4849-a9af-ba20e9b6c7dc redis-6.2.5-1/HP001-1-1/redis-server ACTIVED
789f0052-b932-4d9d-961d-7003bece1a3a redis-6.2.5-1/HP002-1-1/redis-benchmark NOT-APPLIED
e4aee980-1596-43d9-be9a-07fc6f668970 redis-6.2.5-1/HP002-1-1/redis-cli NOT-APPLIED
feb13c9a-02b3-4109-a2f3-c3e9fe41e9ad redis-6.2.5-1/HP002-1-1/redis-server NOT-APPLIED
root@dev:[~]$ syscare apply redis-6.2.5-1/HP002-1-1
Error: Operation failed
Caused by:
1. Transaction "Apply patch 'redis-6.2.5-1/HP002-1-1'" failed
Caused by:
0: Driver: Patch "redis-6.2.5-1/HP002-1-1/redis-cli" check failed
1: Upatch: Patch is conflicted with "0e776e26-58cd-42ce-85e4-046481acad09"
root@dev:[~]$ syscare apply redis-6.2.5-1/HP002-1-1 --force
redis-6.2.5-1/HP002-1-1/redis-cli: ACTIVED
redis-6.2.5-1/HP002-1-1/redis-benchmark: ACTIVED
redis-6.2.5-1/HP002-1-1/redis-server: ACTIVED
Saving and Restoring Live Patches
SysCare can save the current status of all live patches and restore it later, for example after the syscare service is restarted, which leaves every patch in the NOT-APPLIED state as the example shows.
Example:
[root@2203sp2-85 syscare]# syscare list
Uuid Name Status
eebc3155-9a5b-4a09-9561-6a94080de2ce redis-6.2.5-1/HP001-1-1/redis-benchmark ACTIVED
96666521-4606-4aa0-b663-1b455fe586da redis-6.2.5-1/HP001-1-1/redis-cli ACTIVED
1e98d692-cc51-4f83-9176-c547ed1db20b redis-6.2.5-1/HP001-1-1/redis-server ACTIVED
beffae33-1e1a-4bd5-8758-ab6a5f2f1a7c redis-6.2.5-1/HP002-1-1/redis-benchmark NOT-APPLIED
24b01b18-5132-4cae-a379-71d2b0e6d832 redis-6.2.5-1/HP002-1-1/redis-cli NOT-APPLIED
a84934de-4a89-4e77-b646-125d1e2c98b4 redis-6.2.5-1/HP002-1-1/redis-server ACTIVED
[root@2203sp2-85 syscare]# syscare save
[root@2203sp2-85 syscare]# systemctl restart syscare
[root@2203sp2-85 syscare]# syscare list
Uuid Name Status
eebc3155-9a5b-4a09-9561-6a94080de2ce redis-6.2.5-1/HP001-1-1/redis-benchmark NOT-APPLIED
96666521-4606-4aa0-b663-1b455fe586da redis-6.2.5-1/HP001-1-1/redis-cli NOT-APPLIED
1e98d692-cc51-4f83-9176-c547ed1db20b redis-6.2.5-1/HP001-1-1/redis-server NOT-APPLIED
beffae33-1e1a-4bd5-8758-ab6a5f2f1a7c redis-6.2.5-1/HP002-1-1/redis-benchmark NOT-APPLIED
24b01b18-5132-4cae-a379-71d2b0e6d832 redis-6.2.5-1/HP002-1-1/redis-cli NOT-APPLIED
a84934de-4a89-4e77-b646-125d1e2c98b4 redis-6.2.5-1/HP002-1-1/redis-server NOT-APPLIED
[root@2203sp2-85 syscare]# syscare restore
[root@2203sp2-85 syscare]# syscare list
Uuid Name Status
eebc3155-9a5b-4a09-9561-6a94080de2ce redis-6.2.5-1/HP001-1-1/redis-benchmark ACTIVED
96666521-4606-4aa0-b663-1b455fe586da redis-6.2.5-1/HP001-1-1/redis-cli ACTIVED
1e98d692-cc51-4f83-9176-c547ed1db20b redis-6.2.5-1/HP001-1-1/redis-server ACTIVED
beffae33-1e1a-4bd5-8758-ab6a5f2f1a7c redis-6.2.5-1/HP002-1-1/redis-benchmark NOT-APPLIED
24b01b18-5132-4cae-a379-71d2b0e6d832 redis-6.2.5-1/HP002-1-1/redis-cli NOT-APPLIED
a84934de-4a89-4e77-b646-125d1e2c98b4 redis-6.2.5-1/HP002-1-1/redis-server ACTIVED