On 04.09.19 21:03, Rick Troth wrote:
> On 9/4/19 11:39 AM, Christian Borntraeger wrote:
>> On 04.09.19 16:41, Scott Rohling wrote:
>>> Let's start with who or what said it wasn't possible....     ?
>> [...]
>>>> Just to be sure, by "nss" I meant Named Saved System.
>> [...]
>>>>> what is the reason for nss not being possible with SLES from version 12?
>> [...]
>>
>> The Linux kernel now makes use of self-patching in several places and several core
>> features would no longer work without those.  To make NSS possible, the NSS would
>> need to have a copy-on-write semantics instead of being read-only. With global patching
>> we would copy almost everything over time making the feature not useful.
>>
>> So the feature was not only removed in SLES but will go away in other future distros
>> and it is no longer part of the upstream kernel.
> 
> 
> What's this? a little uptime funk? That's cool as long as it _doesn't
> break other things_.   
> 
> Seriously? You whacked NSS for live patching? Don't! (Too late.)  

Sorry, I was not clear enough.
This is NOT about the live patching in terms of updating your kernel.

This is about changing the code of the Linux kernel during runtime for several
things like disabling trace points, applying CPU alternatives and choosing
security-related instructions. Not having live patching for some of these things
would severely harm the overall performance as this would add additional branches
in too many places (e.g. every C function in the kernel) or even in places that
are not usable for a branch.
EVERYBODY (power, x86, arm, ...) now does live patching for these things that can
be dynamically enabled/disabled for a good reason and not doing so would prevent
us from using a big pile of these "smallish" features that will sum up over time.

 
> https://www.youtube.com/watch?v=SYRlTISvjww    
> 
> 
> Bad enough all the PUTTERING around in userland, even INIT, but now the
> kernel's borken too. Babies and bath-water both banished. Bummer!
> 
> 
> Hey, hey, hey, HAY ... Stop! ... wait a minute ... I'm a fan of advances
> (hallelujah!), but not at the cost of flexibility.
> 
> I believe y'all killed XIP too, right? That was brilliant. (NOT)

This is now called dax (direct access) and it is still part of the dcssblk
device driver. I have not tested that recently though, so I cannot say
that this still works, but we have not removed that.

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390