This topic describes how to obtain a kernel live patch for Alibaba Cloud Linux 3 and how to enable or disable the kernel live patch or disable the kpatch service on Elastic Compute Service (ECS) instances that run Alibaba Cloud Linux 3.

Background information

The following section describes the operations related to kernel live patches:
  • For information about how to obtain a kernel live patch and view its details, see Obtain a kernel live patch.
  • For information about how to enable a kernel live patch in the operating system, see Enable a kernel live patch.
  • If errors exist in a kernel live patch of the operating system, you can disable the patch. For more information, see Disable a kernel live patch.
  • If Kernel Live Patching (KLP) is enabled in the operating system, but you do not want the operating system to load all the kernel modules of your live patches when you restart your server, you can disable the kpatch service. For more information, see Disable the kpatch service.

Obtain a kernel live patch

Each kernel live patch is released by using an RPM package. You can use one of the following methods to obtain the installation package of a live patch:
  • Use the CVE announcement platform of Alibaba Cloud Linux 3
    1. Access the common vulnerabilities and exposures (CVE) announcement platform.

      All the released live patches are displayed on the CVE announcement platform. You can go to Alibaba Cloud Linux 3 Security Advisories to view them.

    2. Click the Advisory ID column header to sort the list so that the live patches are arranged in descending order of release time.

      Advisory IDs starting with HOTFIX are kernel live patches, as shown in the following figure.

      Figure: Security updates sorting
      The following table describes the information on the CVE announcement platform.

      Column: Affected Packages
      Description: The package name of a kernel live patch. The name is prefixed by kernel-hotfix- and suffixed by the minor version number of the Alibaba Cloud Linux operating system.
        You can determine whether a patch is applicable to your Alibaba Cloud Linux 3 operating system based on the suffix of the package name of the patch. Example:
        • kernel-hotfix-5928799-5.al8 is displayed in the Affected Packages column.
        • After you run the uname -r command in Alibaba Cloud Linux 3, 5.10.23-5.al8.x86_64 is returned.
        The 5.al8 minor version number indicates that the live patch is applicable to your Alibaba Cloud Linux 3 operating system.

      Column: Advisory ID
      Description: The release sequential number of a live patch. Live patches are classified into CVE live patches and Bugfix live patches and are named as follows:
        • CVE live patches are prefixed by HOTFIX-SA-.
        • Bugfix live patches are prefixed by HOTFIX-BA-.
        You can click the advisory ID of a live patch to view its details and download the RPM package of the patch.

      Column: CVE ID(s)
      Description: The ID of the CVE that the patch fixes. For a Bugfix live patch, the CVE ID(s) column is empty.
    3. Click the release sequential number of a live patch in the Advisory ID column to go to the details page of the patch.
      On the details page that appears, you can view details about the patch and the name of the RPM package corresponding to the patch.

      Figure: Updated packages

      The RPM package name is in the following format: kernel-hotfix-{hotfix_id}-{Minor version number of the operating system}-{Version number of the hotfix}-{Timestamp of the hotfix}.{Major version number of the operating system}.{System architecture}.rpm.

      The following section describes the RPM package name in the preceding figure:
      • 5928799: the ID of the live patch.
      • 5.al8: the minor version number of Alibaba Cloud Linux 3. You can use this live patch only when the kernel version of your Alibaba Cloud Linux 3 is consistent with this version. You can run the uname -r command in your ECS instance to view the kernel version of the operating system.
      • 1.0: the version number of the RPM package for the live patch.
      • 20210720165816: the time when the live patch was created. The live patch was created at 16:58:16 on July 20, 2021. An invalid value may be displayed in this field for some patches of earlier versions.
      • al8: the version number of Alibaba Cloud Linux 3. The version number of all Alibaba Cloud Linux 3 operating systems is al8.
      • x86_64: the architecture of the operating system.
  • Use a YUM repository

    You can run the yum list command to check the installation package of a kernel live patch. For more information, see Enable a kernel live patch.

Enable a kernel live patch

  1. Connect to an Alibaba Cloud Linux instance that requires live patches.
    For more information, see Overview.
  2. Run the following command to install the kpatch utility:
    sudo yum -y install kpatch
  3. Install a live patch.
    1. Run the following command to view the kernel version of the operating system:
      sudo uname -r
      In this example, a command output similar to the following one is returned. The minor version number of the operating system is 5.al8.
      5.10.23-5.al8.x86_64
    2. Run the yum list command to query the kernel live patches that are applicable to the operating system.
      Command syntax:
      sudo yum list | grep "kernel-hotfix" | grep "<Minor version number of the operating system>"
      In this example, the minor version number of the operating system is 5.al8. Run the following command:
      sudo yum list | grep "kernel-hotfix" | grep "5.al8"
      A command output similar to the following one is returned:
      kernel-hotfix-5928799-5.al8.x86_64           1.0-20210720165816.al8                    alinux3-plus      
      kernel-hotfix-5956925-5.al8.x86_64           1.0-20210726171200.al8                    alinux3-plus 
    3. Install the specified live patch.
      In this example, kernel-hotfix-5928799-5.al8.x86_64 is used to demonstrate how to run the yum command to install a live patch.
      Note When you use a YUM repository to install live patches, you do not need to specify the .rpm suffix for the RPM package.
      sudo yum -y install kernel-hotfix-5928799-5.al8.x86_64
  4. Run the following command to use the kpatch utility to check the status of the patch:
    sudo kpatch list
    A command output similar to the following one indicates that the kernel live patch is installed and takes effect:
    Loaded patch modules:
    kpatch_5928799 [enabled]
    
    Installed patch modules:
    kpatch_5928799 (5.10.23-5.al8.x86_64)
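The RPM naming scheme from the Obtain a kernel live patch section and the uname -r / kpatch list checks from the procedure above can be applied without typing the comparisons by hand. The following script is an added example that is not part of the Alibaba Cloud documentation or the kpatch project: its functions parse a hotfix package name (both the yum package name and the full RPM file name), compare the encoded minor version with the running kernel, decode the build timestamp, and read the state of a patch module out of captured kpatch list output. All sample strings are constructed from the values shown on this page, and the script calls neither yum nor kpatch, so it runs offline on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud Linux docs): pure-shell helpers for the
# kernel-hotfix naming scheme and the "kpatch list" output format described above.

# "5.10.23-5.al8.x86_64" -> "5.al8": the minor version a hotfix suffix must match.
kernel_minor_version() {
    local rel
    rel=${1#*-}                  # drop "5.10.23-" -> "5.al8.x86_64"
    printf '%s\n' "${rel%.*}"    # drop ".x86_64"  -> "5.al8"
}

# Minor version encoded in a hotfix name. Accepts the yum package name
# ("kernel-hotfix-5928799-5.al8.x86_64") and the full RPM file name
# ("kernel-hotfix-5928799-5.al8-1.0-20210720165816.al8.x86_64.rpm").
hotfix_minor_version() {
    local rest
    case $1 in
        kernel-hotfix-*) ;;
        *) printf 'not a kernel-hotfix package: %s\n' "$1" >&2; return 1 ;;
    esac
    rest=${1#kernel-hotfix-}
    rest=${rest#*-}              # drop the hotfix id -> "5.al8..."
    case $rest in
        *-*) printf '%s\n' "${rest%%-*}" ;;   # full file name: stop before "-1.0"
        *)   printf '%s\n' "${rest%.*}" ;;    # yum name: strip the architecture
    esac
}

# Exit 0 only when the hotfix suffix equals the running kernel's minor version.
hotfix_applicable() {
    # $1: hotfix name, $2: output of "uname -r"
    [ "$(hotfix_minor_version "$1")" = "$(kernel_minor_version "$2")" ]
}

# Build time from the timestamp field of a full RPM file name ("YYYY-MM-DD HH:MM:SS").
# Prints "unknown" when the field is not 14 digits (older patches may carry an
# invalid value, and the yum package name has no timestamp at all).
hotfix_build_time() {
    local rest ts y mo d h mi s
    rest=${1#kernel-hotfix-}
    rest=${rest#*-}; rest=${rest#*-}; rest=${rest#*-}   # skip id, minor, version
    ts=${rest%%.*}
    case $ts in
        ??????????????) case $ts in *[!0-9]*) ts= ;; esac ;;
        *) ts= ;;
    esac
    if [ -z "$ts" ]; then printf 'unknown\n'; return 0; fi
    y=${ts%??????????}; rest=${ts#????}
    mo=${rest%????????}; rest=${rest#??}
    d=${rest%??????};    rest=${rest#??}
    h=${rest%????};      rest=${rest#??}
    mi=${rest%??};       s=${rest#??}
    printf '%s-%s-%s %s:%s:%s\n' "$y" "$mo" "$d" "$h" "$mi" "$s"
}

# State of one patch module in captured "kpatch list" output: "enabled" or
# "disabled" from the Loaded section, "installed" when it appears only under
# Installed patch modules, or "absent" when it is listed in neither section.
kpatch_module_state() {
    # $1: text of "kpatch list", $2: module name such as kpatch_5928799
    local section state line
    section=; state=absent
    while IFS= read -r line; do
        case $line in
            "Loaded patch modules:")    section=loaded ;;
            "Installed patch modules:") section=installed ;;
            "$2 ["*"]")
                if [ "$section" = loaded ]; then
                    state=${line##* }                     # "[enabled]"
                    state=${state#?}; state=${state%?}    # strip the brackets
                fi ;;
            "$2 ("*)
                if [ "$section" = installed ] && [ "$state" = absent ]; then
                    state=installed
                fi ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "$state"
}

# Constructed sample values, copied from the examples on this page.
KERNEL="5.10.23-5.al8.x86_64"
RPM_NAME="kernel-hotfix-5928799-5.al8-1.0-20210720165816.al8.x86_64.rpm"
OTHER_NAME="kernel-hotfix-5928799-4.al8.x86_64"   # constructed non-matching suffix
KPATCH_LIST="Loaded patch modules:
kpatch_5928799 [enabled]

Installed patch modules:
kpatch_5928799 (5.10.23-5.al8.x86_64)"

for name in "$RPM_NAME" "$OTHER_NAME"; do
    if hotfix_applicable "$name" "$KERNEL"; then
        echo "$name: applicable to $KERNEL (built $(hotfix_build_time "$name"))"
    else
        echo "$name: NOT applicable to $KERNEL"
    fi
done
echo "kpatch_5928799 state: $(kpatch_module_state "$KPATCH_LIST" kpatch_5928799)"
```

On a real instance the same functions take live input, for example hotfix_applicable "$pkg" "$(uname -r)" for each package name returned by yum list, and kpatch_module_state "$(sudo kpatch list)" kpatch_5928799 after the install; an "installed" result means the module is present on disk but not loaded in the running kernel, which is exactly the gap that a disabled kpatch service leaves after a reboot.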

Disable a kernel live patch

If errors exist in your live patch, for example if the live patch does not take effect, you can perform the following steps to disable the kernel live patch. In this example, the yum commands are used.

  1. Run the following command to view the live patch that can be disabled:
    sudo yum list installed | grep kernel-hotfix
    A command output similar to the following one is returned:
    kernel-hotfix-5928799-5.al8.x86_64  1.0-20210720165816.al8            @alinux3-plus
  2. Run the following command to delete the live patch package in which errors exist:
    In this example, the kernel-hotfix-5928799-5.al8.x86_64 live patch is used.
    sudo yum -y remove kernel-hotfix-5928799-5.al8.x86_64
  3. Run the following command to check whether the live patch in which errors exist has been deleted:
    sudo kpatch list
    A command output similar to the following one indicates that no live patches are installed or in effect:
    Loaded patch modules:
    
    Installed patch modules:

Disable the kpatch service

If your live patch is installed and in effect, but you do not want the operating system to load all the kernel modules of your live patch when you restart your server, you can perform the following steps to disable the kpatch service:

  1. Run the following command to check whether the kpatch service is enabled:
    sudo systemctl is-enabled kpatch.service
    If enabled is returned, the kpatch service is enabled.
  2. Run the following command to disable the kpatch service:
    sudo systemctl disable kpatch.service
    A command output similar to the following one indicates that the kpatch service is disabled:
    Removed symlink /etc/systemd/system/multi-user.target.wants/kpatch.service.
  3. Run the following command to check the status of the kpatch service:
    sudo systemctl status kpatch.service
    A command output similar to the following one indicates that the kpatch service is disabled:
     kpatch.service - "Apply kpatch kernel patches"
       Loaded: loaded (/usr/lib/systemd/system/kpatch.service; disabled; vendor preset: disabled)
    Note You can run the sudo systemctl enable kpatch.service command to enable the kpatch service again.