Most often companies scheduling downtime for patching of the Linux kernel in a production environment follow strict ITIL processes and make arrangements to be fail-safe in order to keep the production environment up and running. Patching is an important part of server management and servers often need to be up and running all the time; however, one of the unavoidable exceptions has always been kernel patches, which require a reboot to effect new patch changes. The newly released Red Hat Enterprise Linux (RHEL) 8.1, 7.7 and 7.6 EUS or kernel-3.10.0.957.35.1.el7 and onwards have a new feature to patch live kernel updates without rebooting Linux servers and it can be added without any additional subscription requirements. This is very important and useful when the web has encountered security flaws such as
shellshock, heartbleed, etc. Currently, the scope of the Kpatches is limited to important and critical CVEs only. Centos systems should also be receiving similar updates from the official repositories. Other distributions like Oracle Linux and SUSE have a similar feature added via Kpslice and Kgraft, respectively. The Kpatch feature is implemented by the kernel module Kmod and Kpatch is shipped as RPM.
How to’s
Kpatch’s patch Red Hat Package Manager (RPM) will be delivered via the Red Hat CDN network for specific kernel versions. Check the current kernel version and its kpatch-patch availability:
# uname -r
# yum search "kpatch-patch = $(uname -r)"
Install Kpatch for the installed kernel:
# yum install "kpatch-patch = $(uname -r)"
If no Kpatch updates are available, then Kpatch RPM will have the trailing name of 0-0 while a 1_1 pattern indicates active patches to be patched. For a 0-0 name package, an empty package (without any changes or effect ) will be installed. Verify kernel live patch is installed:
# kpatch list
Loaded patch modules:
kpatch_3_10_0_1062_1_1 [enabled]
Installed patch modules:
kpatch_3_10_0_1062_1_1 (3.10.0-1062.el7.x86_64)
1_1 indicates active patches installed in the above kernel. The above process needs to be installed for every new kernel or new Kpatch per specific Kpatch released. Whenever the system reboots with the same kernel, it will be patched again with the patches from the /var/lib/kpatch/ directory by Kpatch service. Kpatch RPM can be updated with cumulative kernel patch modules just like any other RPM package.
# yum update kpatch-patch-*
To disable live kernel patching, remove kpatch-patch package for the specific kernel. Existing patches will remain active in the loaded kernel until the next reboot. Once modules or the RPM are removed, they will no longer be patched after the reboot by Kpatch service. To remove a specific Kpatch module from the loaded kernel, the below commands can be used:
# kpatch list
Loaded patch modules:
kpatch_3_10_0_1062_1_1 [enabled]
Installed patch modules:
kpatch_3_10_0_1062_1_1 (3.10.0-1062.el7.x86_64)
# kpatch uninstall kpatch_3_10_0_1062_1_1
uninstalling kpatch_3_10_0_1062_1_1 (3.10.0-1062.el7.x86_64)
A Reboot is required to unload modules completely from the running kernel. To disable the Kpatch patching solution, you can disable Kpatch service by systemctl. This will disable the loading of Kpatches on reboot globally.
# systemctl disable kpatch.service
Removed /etc/systemd/system/multi-user.target.wants/kpatch.service.
A reboot is required to unload the module completely from the running kernel after disabling the service.
.svg){kind=small}
.svg){kind=small}