We have migrated our AWS EC2 instances from CentOS 7 to Rocky 8. After all the effort to migrate our infrastructure, we have experienced for 2-3 months an overhead when applying security updates: the kernel has required servers to be rebooted, something that we didn’t face so often on CentOS 7. Due to PCI-DSS, our live application servers and live systems need to be patched every month. Do you have plans to develop a tool for live patching, something like kpatch from Red Hat? This would give us zero downtime when applying critical security updates to our infrastructure.
Thanks in advance!
If I recall correctly you can enable Live Kernel patching easily using Cockpit.
Relevant packages are dnf-automatic, kpatch-dnf and kpatch.
If I’m not wrong, dnf-automatic is for automated updates and is not our case… Is kpatch working without a Red Hat Enterprise license on Rocky Linux? Somewhere I saw that it requires an Enterprise license to download patches from official repos. Does Cockpit support Rocky Linux 8?
Cockpit is supported iirc in all EL distros, which includes RockyLinux, Alma, Oracle Linux and so on.
On a Rocky9 system:
$ dnf info kpatch
Last metadata expiration check: 0:02:18 ago on Fri 26 Jul 2024 09:44:17 WEST.
Installed Packages
Name : kpatch
Version : 0.9.7
Release : 2.el9
Architecture : noarch
Size : 18 k
Source : kpatch-0.9.7-2.el9.src.rpm
Repository : @System
From repo : baseos
Summary : Dynamic kernel patch manager
URL : https://github.com/dynup/kpatch
License : GPLv2
Description : kpatch is a live kernel patch module manager. It allows the user to manage
: a collection of binary kernel patch modules which can be used to dynamically
: patch the kernel without rebooting.
$ dnf info kpatch-dnf
Last metadata expiration check: 0:02:32 ago on Fri 26 Jul 2024 09:44:17 WEST.
Installed Packages
Name : kpatch-dnf
Version : 0.9.7_0.4
Release : 2.el9
Architecture : noarch
Size : 15 k
Source : kpatch-0.9.7-2.el9.src.rpm
Repository : @System
From repo : baseos
Summary : kpatch-patch manager plugin for DNF
URL : https://github.com/dynup/kpatch
License : GPLv2
Description : kpatch-dnf is a DNF plugin that manages subscription to kpatch-patch updates.
: When enabled, kernel packages are automatically subscribed to corresponding
: kpatch-patch packages updates.
On base repo
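Having the packages above installed does not by itself show that the running kernel is live-patched. As an added example (not part of the thread), this shell function reads the text printed by `kpatch list` and reports whether a patch module installed for the running kernel is also loaded and enabled. The sample listing, module name and kernel release are constructed, and the line shapes noted in the comments are assumptions about that output.

```shell
#!/usr/bin/env bash
# Added example, not from the thread.
# livepatch_status KERNEL_RELEASE KPATCH_LIST_OUTPUT
# Prints: covered | installed-not-loaded | none
livepatch_status() {
    local krel="$1" listing="$2" section="" line="" loaded="" installed="" m=""
    while IFS= read -r line; do
        case "$line" in
            "Loaded patch modules:")    section=loaded;    continue ;;
            "Installed patch modules:") section=installed; continue ;;
            "")                         continue ;;
        esac
        if [ "$section" = loaded ]; then
            # Assumed line shape: "<module> [enabled]"
            case "$line" in *"[enabled]"*) loaded="$loaded ${line%% *}" ;; esac
        elif [ "$section" = installed ]; then
            # Assumed line shape: "<module> (<kernel release>)"
            case "$line" in *"($krel)"*) installed="$installed ${line%% *}" ;; esac
        fi
    done <<EOF
$listing
EOF
    # Covered only when a module built for THIS kernel is loaded and enabled.
    for m in $installed; do
        case " $loaded " in *" $m "*) echo covered; return 0 ;; esac
    done
    if [ -n "$installed" ]; then echo installed-not-loaded; else echo none; fi
}

# Constructed sample listing (module name and kernel release are made up).
SAMPLE='Loaded patch modules:
kpatch_4_18_0_553_8_1_1_1 [enabled]

Installed patch modules:
kpatch_4_18_0_553_8_1_1_1 (4.18.0-553.8.1.el8_10.x86_64)'

# On a host with kpatch installed, check the real state (run as root).
if command -v kpatch >/dev/null 2>&1; then
    livepatch_status "$(uname -r)" "$(kpatch list 2>/dev/null)"
fi
```

A result of `none` after a kernel update means the booted kernel has no matching patch module, so that host still needs a reboot or a patch package for its exact kernel release.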
Thanks for the suggestion! I will check and get back with an update!
One option is simply don’t do it. Do you really want a “blue screen of death” the first time you do a reboot in six months’ time?