Reboot-less Xen patching


Recently there have been two sets of Xen vulnerabilities: one disclosed in September, the other earlier today. Historically, we have had to organize host updates that required downtime to reboot VMs.

For these last two sets of vulnerabilities, we have been able to use a recently introduced live patching feature in Xen to mitigate them on most of our hosts. Live patching swaps out an exploitable function for a patched one, and it can do this without restarting the host or the VM.

Live patching will work for most (but not all) vulnerabilities, resulting in fewer VM restarts and less client disruption, and taking a little more hassle out of your hosting.