Shadow patching: Minimizing maintenance windows in a virtualized enterprise environment
Abstract
Software is growing bigger and more complex, so bugs and defects are no longer treated as exceptions but as normal artifacts of a software's lifecycle. In fact, many vendors release patches on a preset schedule. Managing patches correctly and in a timely manner has therefore become an important factor in running an IT environment smoothly. However, applying a patch often requires the affected software to stop temporarily, which can disrupt service. This downtime is commonly called a maintenance window. Although sophisticated live patching techniques have been proposed previously, their applicability in practice is very limited. In this paper, we propose a novel patch management technique based on commonly available virtualization capabilities. It allows system administrators to perform a majority of the patch work outside of the maintenance window, such as downloading patches, installing them, and performing post-installation testing and fixes. By capturing the disk activities and replaying them during the actual maintenance window, we can transform a complex software patching operation into a series of more deterministic file I/O operations, thereby reducing the maintenance window from hours to minutes.