Is live kernel patch (kpatch) supported in Red Hat Enterprise Linux ?
Environment
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 7.9
- Red Hat Enterprise Linux 7.7
- Red Hat Enterprise Linux 7.6
- kpatch
- AMD64, Intel 64 and ppc64le architectures
Issue
- Does Red Hat offer a live kernel patching mechanism?
- What is kpatch, and when will it be available?
Resolution
Live kernel patches (kpatches) avoid the need for a reboot when patching the kernel for select Important and Critical Common Vulnerabilities and Exposures (CVEs).
Scope and limitations of kpatch
- Starting with RHEL 8.1, RHEL 7.7, and RHEL 7.6 (from kernel-3.10.0-957.35.1.el7 onward), live kernel patches are available on the Red Hat Content Delivery Network (CDN) and can be installed with the yum command.
- No live patches are released for RHEL 8.3, RHEL 7.8, RHEL 6, or RHEL 5. Kernel live patches are not provided during the Extended Life Phase (ELP) and are not provided with the Extended Life-cycle Support (ELS) add-on entitlement.
- Live kernel patching is supported for customers who have an active subscription.
- Live kernel patches will be available for selected Important and Critical CVEs.
- Live kernel patches are cumulative. This means that a new live kernel patch for a kernel contains all the fixes of the previous live kernel patch along with the new fixes, so you can safely upgrade the loaded live kernel patch to a newer version.
- Live kernel patches for CVEs that occur between minor kernel releases are available with standard subscriptions. Customers who purchase Extended Update Support (EUS) will be able to use live patching for the entire EUS support window: 2 years for EUS subscriptions and 4 years for Update Services for SAP Solutions Add-on. Each kernel errata stops receiving live kernel patches 6 months after the kernel errata was released. In order to continue to receive kpatch updates, customers will need to upgrade the kernel and reboot at least twice per year.
- Unloading a kpatch from the running kernel is not supported. The workaround is to first uninstall the kpatch-patch RPM and then reboot; after the reboot, the kpatch module is no longer loaded.
Access and delivery of live kernel patches
- The live kernel patch capability is implemented as a kernel module (kmod) that is delivered as an RPM.
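The following shell script is an added example, not part of the Red Hat solution, showing the install-via-yum step, a check that the patch kmod is actually loaded and enabled, and the documented remove-and-reboot workaround. The package spec "kpatch-patch = $(uname -r)", the `kpatch list` command and the /sys/kernel/livepatch sysfs tree come from Red Hat's kpatch documentation; the function names, the sysfs-root override used for testing, and the sample `kpatch list` output (including its kernel version) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: install the live kernel patch
# that matches the running kernel, then confirm the patch module is loaded.
# The package spec "kpatch-patch = $(uname -r)", the `kpatch list` command
# and /sys/kernel/livepatch come from Red Hat's kpatch documentation; the
# function names and the sample `kpatch list` output below are constructed.

# Install the kpatch tooling and the kpatch-patch RPM for the running kernel,
# then show what is loaded. Needs root and a subscribed RHEL host.
install_live_patch() {
    yum install -y kpatch "kpatch-patch = $(uname -r)" && kpatch list
}

# Read `kpatch list` output on stdin and print the names of loaded patch
# modules that are marked [enabled], one per line. Only the "Loaded patch
# modules:" section counts; the "Installed patch modules:" section lists
# RPM contents that may not be loaded yet.
loaded_enabled_patches() {
    awk '
        /^Loaded patch modules:/    { section = "loaded";    next }
        /^Installed patch modules:/ { section = "installed"; next }
        section == "loaded" && $2 == "[enabled]" { print $1 }
    '
}

# Cross-check one module against sysfs: the kernel exposes
# /sys/kernel/livepatch/<module>/enabled as 1 while the patch is active.
# $1 = sysfs livepatch root (empty means the real one; overridable for
# testing, a constructed convenience), $2 = module name. Returns 0 if enabled.
livepatch_enabled() {
    root=${1:-/sys/kernel/livepatch}
    mod=$2
    [ -r "$root/$mod/enabled" ] && [ "$(cat "$root/$mod/enabled")" = "1" ]
}

# Unloading a loaded kpatch is unsupported; the documented workaround is to
# remove the kpatch-patch RPM and reboot so the module is not loaded again.
# $1 = exact package name, as listed by: rpm -qa 'kpatch-patch*'
remove_live_patch_and_reboot() {
    yum remove -y "$1" && systemctl reboot
}

# Constructed sample of `kpatch list` output (kernel version is illustrative).
SAMPLE_KPATCH_LIST='Loaded patch modules:
kpatch_4_18_0_305_10_2_1_1 [enabled]

Installed patch modules:
kpatch_4_18_0_305_10_2_1_1 (4.18.0-305.10.2.el8_4.x86_64)'

# Demo on the sample: prints kpatch_4_18_0_305_10_2_1_1
printf '%s\n' "$SAMPLE_KPATCH_LIST" | loaded_enabled_patches
```

On a real host, run `install_live_patch`, then `kpatch list | loaded_enabled_patches` and `livepatch_enabled "" <module>` for each name it prints; if the sysfs check fails for a module that `kpatch list` reports as loaded, treat the patch as not applied. Because unloading is unsupported, `remove_live_patch_and_reboot` is the only sanctioned way back to an unpatched kernel.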
For more information, see:
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.