Alibaba Cloud Linux 2 provides live patches for Common Vulnerabilities and Exposures (CVE) and critical bugs in the kernel. You can apply these patches to the operating system kernel without restarting the server, which preserves the stability and security of the kernel. This topic describes the Kernel Live Patching feature, its benefits, and its limits.

Introduction

You can use Kernel Live Patching to apply patches to the kernel of Alibaba Cloud Linux 2 in a timely manner. Kernel Live Patching consists of the following components:
  • RPM package: An RPM package contains the kernel module (.ko file) and the description file of a patch. The kernel loads the kernel module in the patch to fix bugs.
  • kpatch utility: A command-line utility used to manage patch modules.
  • kpatch service: The systemd service of Kernel Live Patching. During the operating system initialization phase, this service loads the kernel patch module of each installed patch so that the fixes are in effect in the kernel.

Benefits

Kernel Live Patching applies patches for CVE or critical kernel bugs quickly and smoothly while maintaining server security and stability. You do not need to restart servers or business-related processes, wait for time-consuming tasks to complete, log off, or migrate business.

Limits

The following limits apply to Kernel Live Patching:
  • Kernel Live Patching applies to Alibaba Cloud Linux 2.1903 with kernel version kernel-4.19.24-9.al7.x86_64 or later.
  • For each updated kernel version of Alibaba Cloud Linux 2.1903, Alibaba Cloud provides one year of Kernel Live Patching support. After the one-year period ends, you must upgrade the kernel of the operating system to the latest version.
  • Not all CVE or critical bugs can be fixed by using Kernel Live Patching. Kernel Live Patching is intended to reduce the number of server restarts caused by patch updates, but it cannot eliminate server restarts entirely. Kernel Live Patching covers CVE rated critical or higher and critical bugs.
  • Kernel Live Patching is not a general solution for upgrading kernels. It is applicable only to applying patches for CVE or critical bugs when an immediate server restart is inconvenient.
  • While patches are being applied or after they take effect, you cannot use SystemTap or kprobe to test or trace the functions involved in the patches; doing so invalidates the patches.
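
As an added example (not from the Alibaba Cloud documentation or the kpatch project), the following POSIX shell script checks a host against the prerequisites above: the minimum kernel release from the Limits section, and whether the kpatch service has actually loaded and enabled patch modules. It assumes that kpatch-built patches appear under the upstream livepatch sysfs path /sys/kernel/livepatch/<module>/enabled; the `kver_ge`, `list_livepatches` and `check_host` names are the example's own.

```shell
#!/bin/sh
# Added example, not part of Alibaba Cloud's documentation or tooling: checks
# a host for the minimum kernel in the Limits section and lists the patch
# modules the kpatch service has loaded. Assumption: kpatch-built patches
# register via the upstream livepatch sysfs, /sys/kernel/livepatch/<module>/enabled.

MIN_KERNEL="4.19.24-9"   # from kernel-4.19.24-9.al7.x86_64 in the Limits section

# kver_ge A B: succeed if kernel release A >= B, comparing the numeric
# "X.Y.Z-R" fields; suffixes such as ".al7.x86_64" are ignored.
kver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.-].*$/, "", a); sub(/[^0-9.-].*$/, "", b)
        gsub(/-/, ".", a); gsub(/-/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# list_livepatches [DIR]: print "<module> enabled|disabled" for each patch
# module registered under DIR (default /sys/kernel/livepatch); fail if none.
list_livepatches() {
    dir="${1:-/sys/kernel/livepatch}"
    [ -d "$dir" ] || { echo "no livepatch sysfs at $dir"; return 1; }
    rc=1
    for p in "$dir"/*/; do
        [ -d "$p" ] || continue
        rc=0; state=disabled
        [ "$(cat "$p/enabled" 2>/dev/null)" = "1" ] && state=enabled
        echo "$(basename "$p") $state"
    done
    return "$rc"
}

# check_host: report the running kernel against MIN_KERNEL and the active
# patches. Always returns 0: it is a report, not a gate.
check_host() {
    running=$(uname -r)
    if kver_ge "$running" "$MIN_KERNEL"; then echo "PASS: kernel $running >= $MIN_KERNEL"
    else echo "FAIL: kernel $running < $MIN_KERNEL, live patching unsupported"; fi
    list_livepatches || echo "no live patch modules loaded"
    return 0
}

check_host
```

A module listed as "disabled" means the kernel knows the patch but its functions are not being redirected, so the fix is not in effect.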

Related operations

For information about how to obtain, enable, or disable Kernel Live Patching for Alibaba Cloud Linux 2, see Operations about Kernel Live Patching.