Alibaba Cloud Linux provides the Kernel Live Patching (KLP) feature to fix common vulnerabilities and exposures (CVEs) and critical bugs in the kernel. You can apply hotfixes to the operating system kernel without restarting the server, which preserves the stability and security of the kernel. This topic describes the KLP feature, its benefits, and its limits.

Introduction

You can use KLP to apply hotfixes to the kernel of Alibaba Cloud Linux in a timely manner. KLP consists of the following components:
  • RPM package: a package that contains the kernel module (.ko file) of a hotfix and its description file. The kernel loads this module to apply the fix.
  • kpatch utility: a command-line utility used to manage the kernel modules of hotfixes.
  • kpatch service: a systemd service for KLP. During operating system initialization, it loads the kernel module of each installed hotfix so that the fixes are applied at boot.

Benefits

KLP applies hotfixes for CVEs or critical bugs of a kernel smoothly and quickly without compromising server security or stability. You do not need to restart servers or business-related processes, wait for time-consuming tasks to finish, log off, or migrate workloads.

Limits

The following limits apply to KLP:
  • KLP is supported on the following Alibaba Cloud Linux operating systems:
    • Alibaba Cloud Linux 2.1903 with kernel version kernel-4.19.24-9.al7.x86_64 or later.
    • Alibaba Cloud Linux 3.2104 with kernel version 5.10.23-4.al8.x86_64 or later.
  • For each updated kernel version of Alibaba Cloud Linux, Alibaba Cloud provides one year of KLP support. After that year ends, you must upgrade the kernel of the operating system to the latest version.
  • Not all CVEs or critical bugs can be fixed by using KLP. KLP reduces the number of server restarts caused by hotfix updates but cannot eliminate them. KLP is used for CVEs of high and critical severity and for critical bugs.
  • KLP is not a general kernel upgrade mechanism. Use it only to apply hotfixes for CVEs or critical bugs when an immediate server restart is inconvenient.
  • While a hotfix is being applied or after it has taken effect, do not use SystemTap or kprobe to test or trace the functions that the hotfix modifies. Doing so invalidates the hotfix.
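The following script is an added example, not Alibaba Cloud's own tooling or the kpatch utility. It turns the limits above into checks an operator can run before applying a hotfix: it decides whether the running kernel release is inside the documented KLP support range (using the two minimum versions from this topic), lists the live patches the kernel currently has loaded, and warns when a kprobe is attached to a function that a live patch replaces, which is the situation the SystemTap/kprobe restriction above forbids. It assumes the upstream kernel livepatch sysfs layout (/sys/kernel/livepatch/<patch>/<object>/<function,sympos>, with enabled and transition flag files per patch) and the debugfs kprobe list format ("<addr>  <type>  <symbol>+<offset>"); the sample sysfs tree and kprobe list used for checking it are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud's code): KLP support, loaded-patch and
# kprobe-conflict checks. Assumes the upstream livepatch sysfs layout and
# the debugfs kprobe list format; runs unprivileged, reports what it can.
set -eu

# Minimum kernel releases for KLP support, taken from the Limits section.
KLP_MIN_AL7="4.19.24-9.al7"   # Alibaba Cloud Linux 2.1903
KLP_MIN_AL8="5.10.23-4.al8"   # Alibaba Cloud Linux 3.2104

# version_le A B: exit 0 if A <= B. Fields split on '.' and '-' are compared
# numerically up to the first non-numeric field (al7, x86_64), so the distro
# and architecture suffixes do not take part in the comparison.
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
    n = (na < nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] !~ /^[0-9]+$/ || y[i] !~ /^[0-9]+$/) break
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 0
  }'
}

# klp_supported RELEASE: print yes, no, or unknown (not an al7/al8 kernel).
klp_supported() {
  case "$1" in
    *.al7|*.al7.*) min="$KLP_MIN_AL7" ;;
    *.al8|*.al8.*) min="$KLP_MIN_AL8" ;;
    *) echo unknown; return 0 ;;
  esac
  if version_le "$min" "$1"; then echo yes; else echo no; fi
}

# klp_list [SYSFS]: one line per loaded live patch module with its enabled
# and transition flags (<patch>/enabled, <patch>/transition in sysfs).
klp_list() {
  dir="${1:-/sys/kernel/livepatch}"
  [ -d "$dir" ] || { echo "no $dir: kernel built without livepatch support"; return 0; }
  found=0
  for p in "$dir"/*/; do
    [ -d "$p" ] || continue
    found=1
    echo "$(basename "$p") enabled=$(cat "$p/enabled" 2>/dev/null || echo '?') transition=$(cat "$p/transition" 2>/dev/null || echo '?')"
  done
  [ "$found" -eq 1 ] || echo "no live patch loaded"
}

# klp_functions [SYSFS]: print every function a loaded patch replaces, one per
# line, taken from the <patch>/<object>/<function,sympos> directories.
klp_functions() {
  dir="${1:-/sys/kernel/livepatch}"
  [ -d "$dir" ] || return 0
  for f in "$dir"/*/*/*/; do
    [ -d "$f" ] || continue
    basename "$f" | cut -d, -f1
  done
}

# klp_kprobe_conflicts [SYSFS] [KPROBE_LIST]: print one CONFLICT line per
# live-patched function that currently has a kprobe on it. KPROBE_LIST
# defaults to debugfs, whose lines are assumed to look like
# "ffffffff81200000  k  vfs_read+0x0" (symbol+offset in the third field).
klp_kprobe_conflicts() {
  dir="${1:-/sys/kernel/livepatch}"
  list="${2:-/sys/kernel/debug/kprobes/list}"
  [ -r "$list" ] || { echo "kprobe list $list not readable (needs root and debugfs)"; return 0; }
  for fn in $(klp_functions "$dir"); do
    if awk -v fn="$fn" '{ sub(/\+.*/, "", $3); if ($3 == fn) found = 1 } END { exit !found }' "$list"; then
      echo "CONFLICT: kprobe on live-patched function $fn"
    fi
  done
}

# Stand-alone run: report on the running kernel using the default paths.
main() {
  rel=$(uname -r)
  echo "kernel $rel: KLP supported=$(klp_supported "$rel")"
  klp_list
  klp_kprobe_conflicts
}
main
```

Run it as root on an Alibaba Cloud Linux server before loading a hotfix: a "no" from klp_supported means the kernel is older than the documented minimum and must be upgraded first, and any CONFLICT line means a SystemTap or kprobe session is still attached to a function the patch touches and should be detached before the patch is applied.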

Related operations

For information about how to obtain, enable, or disable kernel hotfixes for Alibaba Cloud Linux, see Operations related to kernel hotfixes.