- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 7.7
- Red Hat Enterprise Linux 7.6
- AMD64, Intel 64 and ppc64le architectures
- Does Red Hat offer a live kernel patching mechanism?
- What is
kpatch, and when will it be available?
Live kernel patches avoids the need for a reboot when patching the kernel for select important and critical CVEs. Live kernel patch is supported for customers who have an active subscription. Live kernel patches are cumulative, so when you get a new live kernel patch for a kernel, it will have all the fixes of the previous live kernel patch, along with new fixes. You can safely upgrade the loaded live kernel patch to a newer live patch.
Current scope and limitations of kpatch
Starting with RHEL 8.1, RHEL 7.7; RHEL-7.6, starting with
kernel-3.10.0-957.35.1.el7-- live kernel patches will be available on the Red Hat Content Delivery Network(CDN) and can be installed via the yum command.
Live patches will only release for minor releases where Extended Update Support (EUS) is planned. RHEL 7.7 is the last RHEL 7 EUS release. RHEL 7.8 will not receive live patches. There will be no live patches released for RHEL 8.3, 8.5, 8.7, etc.
There will be Live patches for the final minor release, so RHEL 7.9 and RHEL 8.10 will receive live patches.
Live kernel patches will be made available for selected Important and Critical CVEs.
Live Patches for CVEs that occur between minor kernel releases are available with standard subscriptions. Customers who purchase Extended Update Support will be able to use live patching for the entire EUS support window: 2 years for EUS subscriptions and 4 years for Update Services for SAP Solutions Add-on. However, each individual kernel is only supported for one year and therefore customers will need to upgrade the kernel and reboot at least once per year.
No support for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.
Unloading a kpatch from the kernel is not supported. The workaround is to uninstall the kpatch, and to reboot.
Access and Delivery of live kernel patches:
The live kernel patch capability is implemented as a kernel module (kmod) that is delivered as an RPM. The kpatch utility, currently available on RHEL 7 and RHEL 8, is used to install and remove the kernel modules for live kernel patch.
Customers with active subscriptions are eligible to receive live kernel patches via the Red Hat CDN.
For directions to enable live patching, see:
Enabling kernel live patching
- Red Hat Enterprise Linux
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.