livepatch-mgr is a kernel hotfix management tool provided by Alibaba Cloud Linux operating systems (OSs). You can use livepatch-mgr to view, install, or uninstall kernel hotfixes in Alibaba Cloud Linux OSs.
Background information
To ensure system stability and security, Alibaba Cloud Linux distributions stay up-to-date on common vulnerabilities and exposures (CVEs) discovered by the Linux community and the industry and are updated with the latest versions of software packages (including kernels), bug fixes, and CVE fixes in a timely manner. For information about security updates for Alibaba Cloud Linux, see the following documents:
Based on the security updates, you can choose to use hotfixes or coldfixes to update your software packages. This topic describes how to use livepatch-mgr.
Install and view livepatch-mgr
- Connect to an Alibaba Cloud Linux Elastic Compute Service (ECS) instance that requires hotfixes. For information about how to connect to an ECS instance, see Connection methods.
- Run the following command to install livepatch-mgr:
yum install livepatch-mgr -y
- After livepatch-mgr is installed, run the following command to view the features supported by livepatch-mgr:
livepatch-mgr -h
The following command output is returned.
livepatch-mgr provides the following commands:
- update: installs and applies applicable hotfixes to the instance. For more information, see the Install and apply hotfixes section.
- list: queries all hotfixes of the instance. For more information, see the Query hotfixes section.
- load: loads or applies hotfixes that are installed on the instance. For more information, see the Load or apply hotfixes section.
- unload: uninstalls hotfixes from the instance. For more information, see the Uninstall hotfixes section.
Install and apply hotfixes
To install and apply all applicable hotfixes to the instance, run the following command:
livepatch-mgr update
livepatch-mgr provides the --bugfix, --security, and -cves <CVEs> parameters for use in different scenarios.
- To install and apply applicable hotfixes for bugs, run the following command:
livepatch-mgr update --bugfix
- To install and apply applicable hotfixes for CVEs, run the following command:
livepatch-mgr update --security
- To install and apply hotfixes for specified CVEs, run the following command:
livepatch-mgr update -cves <CVEs>
The <CVEs> variable specifies CVE IDs. CVE IDs are case-sensitive. If you specify multiple CVE IDs, separate them with commas (,). Example:
livepatch-mgr update -cves CVE-2021-33909,CVE-2021-22555
Note: You can obtain CVE IDs from Alibaba Cloud Linux 2.1903 Security Advisories or Alibaba Cloud Linux 3 Security Advisories.
In this example, the livepatch-mgr update command is run to install and apply all applicable hotfixes to the instance. The following command output is returned:
Plug-ins loaded: fastestmirror, langpacks, releasever-adapter, update-motd
Loading mirror speeds from cached hostfile
Resolving dependencies
--> Running transaction check
---> To install the kernel-hotfix-4121479-21.al7.x86_64.0.1.0-1.al7 software package
--> Dependency resolving complete
Dependencies resolved
================================================================================
Package Architecture Version Source Size
================================================================================
Software package being installed:
kernel-hotfix-4121479-21.al7 x86_64 1.0-1.al7 plus 244 k
Transaction overview
================================================================================
Install 1 software package.
Total download size: 244 k
Installation package size: 1.0 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : kernel-hotfix-4121479-21.al7-1.0-1.al7.x86_64 1/1
installing /var/khotfix/4.19.91-21.al7.x86_64/4121479/kpatch-4121479.ko (4.19.91-21.al7.x86_64)
loading patch module: /var/khotfix/4.19.91-21.al7.x86_64/4121479/kpatch-4121479.ko
Verifying : kernel-hotfix-4121479-21.al7-1.0-1.al7.x86_64 1/1
Installed:
kernel-hotfix-4121479-21.al7.x86_64 0:1.0-1.al7
Done.
Query hotfixes
To query all hotfixes applicable to the instance, run the following command:
livepatch-mgr list
livepatch-mgr provides the --installed, --bugfix, --security, --running, and --available parameters for use in different scenarios.
- To query hotfixes installed on the instance, run the following command:
livepatch-mgr list --installed
- To query installed hotfixes for bugs on the instance, run the following command:
livepatch-mgr list --installed --bugfix
- To query installed hotfixes for CVEs on the instance, run the following command:
livepatch-mgr list --installed --security
- To query all hotfixes that are in effect on the instance, run the following command:
livepatch-mgr list --running
- To query hotfixes that are in effect for bugs on the instance, run the following command:
livepatch-mgr list --running --bugfix
- To query hotfixes that are in effect for CVEs on the instance, run the following command:
livepatch-mgr list --running --security
- To query all available hotfixes on the instance, run the following command:
livepatch-mgr list --available
- To query available hotfixes for bugs on the instance, run the following command:
livepatch-mgr list --available --bugfix
- To query available hotfixes for CVEs on the instance, run the following command:
livepatch-mgr list --available --security
In this example, the livepatch-mgr list command is run to query all hotfixes applicable to the instance. The following command output is returned. The queried hotfixes can be classified into the following categories:
- Loaded patch modules: hotfixes that are loaded or applied
- Installed patch modules: hotfixes that are installed
- Available and not installed patch modules: hotfixes that are available but not installed
Loaded patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
4121479 fix XDP socket queue descriptor entries overflow;
Installed patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
4121479 fix XDP socket queue descriptor entries overflow;
Available and not installed patch modules:
CVE-2020-14386 kernel-hotfix-3768348-21.al7.x86_64 Using tp_reserve to calculate netoff can overflow as tp_rese...(more)
kernel-hotfix-5902278-21.al7.x86_64 We notice that hung task happens in a conner but practical ...(more)
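Because a hotfix can be installed without being loaded, confirming that a CVE fix is in effect means checking the "Loaded patch modules" section specifically. The following is an added example, not part of the original documentation or of livepatch-mgr itself: it classifies CVE IDs from livepatch-mgr list output. The function names cve_state, check_cves, and sample_list are hypothetical, the sample listing is constructed, and the parsing assumes the three section headers shown in the sample output above.

```shell
#!/bin/sh
# Added example: report whether a CVE hotfix is loaded, only installed,
# only available, or absent, based on `livepatch-mgr list` output.
# Assumption: section headers match the sample output shown on this page.

# cve_state CVE-ID   (reads the listing on stdin)
# Prints: loaded | installed-not-loaded | available-not-installed | not-listed
cve_state() {
    awk -v cve="$1" '
        /^[ \t]*Loaded patch modules:/                      { sec = "L"; next }
        /^[ \t]*Installed patch modules:/                   { sec = "I"; next }
        /^[ \t]*Available and not installed patch modules:/ { sec = "A"; next }
        # Exact, case-sensitive match on a whole field of the line.
        { for (i = 1; i <= NF; i++) if ($i == cve) seen[sec] = 1 }
        END {
            if (seen["L"])      print "loaded"
            else if (seen["I"]) print "installed-not-loaded"
            else if (seen["A"]) print "available-not-installed"
            else                print "not-listed"
        }'
}

# check_cves "CVE-a,CVE-b" FILE
# Prints one "ID state" line per CVE; returns 1 if any CVE is not loaded.
check_cves() {
    rc=0
    for id in $(printf '%s' "$1" | tr ',' ' '); do
        state=$(cve_state "$id" < "$2")
        printf '%s %s\n' "$id" "$state"
        [ "$state" = "loaded" ] || rc=1
    done
    return "$rc"
}

# Constructed sample: CVE-2021-22555 is installed but not loaded.
sample_list() {
    cat <<'EOF'
Loaded patch modules:
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4121479 fix XDP socket queue descriptor entries overflow;
Installed patch modules:
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
4121479 fix XDP socket queue descriptor entries overflow;
Available and not installed patch modules:
CVE-2020-14386 kernel-hotfix-3768348-21.al7.x86_64 Using tp_reserve to calculate netoff ...
EOF
}
```

On an instance, save the output of livepatch-mgr list to a file and pass that file to check_cves; a non-zero return status means at least one listed CVE has no loaded hotfix.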
Load or apply hotfixes
To load all hotfixes that are installed on the instance, run the following command:
livepatch-mgr load
livepatch-mgr provides the --security, --bugfix, and load <hotfix package> parameters for use in different scenarios.
- To load installed hotfixes for CVEs on the instance, run the following command:
livepatch-mgr load --security
- To load installed hotfixes for bugs on the instance, run the following command:
livepatch-mgr load --bugfix
- To load a specific hotfix that is installed on the instance, run the following command:
livepatch-mgr load <hotfix package>
The <hotfix package> value specifies the hotfix that you want to load. You can set the value to the absolute path or name of the kernel module (.ko file) in a hotfix. Examples:
- To specify a hotfix package by using the absolute path of the kernel module (.ko file) in a hotfix, run the following command:
livepatch-mgr load /var/khotfix/4.19.91-21.al7.x86_64/5956925/kpatch-5956925.ko
Sample command output:
loading kernel-hotfix-5956925
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5956925/kpatch-5956925.ko
- To specify a hotfix package by using the name of the kernel module without the .ko suffix in a hotfix, run the following command:
livepatch-mgr load kpatch-5260815
Sample command output:
loading kernel-hotfix-5260815
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5260815/kpatch-5260815.ko
- To specify a hotfix package by using the name of the kernel module with the .ko suffix in a hotfix, run the following command:
livepatch-mgr load kpatch-4121479.ko
Sample command output:
loading kernel-hotfix-4121479
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/4121479/kpatch-4121479.ko
In this example, the livepatch-mgr load command is run to load all hotfixes that are installed on the instance. The following command output is returned:
loading kernel-hotfix-5956925-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5956925/kpatch-5956925.ko
loading kernel-hotfix-5902278-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5902278/kpatch-5902278.ko
loading kernel-hotfix-5260815-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5260815/kpatch-5260815.ko
loading kernel-hotfix-5928799-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5928799/kpatch-5928799.ko
loading kernel-hotfix-5577959-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5577959/kpatch-5577959.ko
Uninstall hotfixes
To uninstall all hotfixes from the instance, run the following command:
livepatch-mgr unload
livepatch-mgr provides the --security, --bugfix, and unload <hotfix package> parameters for use in different scenarios.
- To uninstall hotfixes for CVEs from the instance, run the following command:
livepatch-mgr unload --security
- To uninstall hotfixes for bugs from the instance, run the following command:
livepatch-mgr unload --bugfix
- To uninstall a specific hotfix from the instance, run the following command:
livepatch-mgr unload <hotfix package>
The <hotfix package> value specifies the hotfix that you want to uninstall. You can set the value to the absolute path or name of the kernel module (.ko file) in a hotfix. Examples:
- To specify a hotfix package by using the absolute path of the kernel module (.ko file) in a hotfix, run the following command:
livepatch-mgr unload /var/khotfix/4.19.91-21.al7.x86_64/5928799/kpatch-5928799.ko
Sample command output:
unloading kernel-hotfix-5928799
disabling patch module: kpatch_5928799
unloading patch module: kpatch_5928799
- To specify a hotfix package by using the name of the kernel module without the .ko suffix in a hotfix, run the following command:
livepatch-mgr unload kpatch_5692820
Sample command output:
unloading kernel-hotfix-5692820
disabling patch module: kpatch_5692820
unloading patch module: kpatch_5692820
- To specify a hotfix package by using the name of the kernel module with the .ko suffix in a hotfix, run the following command:
livepatch-mgr unload kpatch_5000697.ko
Sample command output:
unloading kernel-hotfix-5000697
disabling patch module: kpatch_5000697
unloading patch module: kpatch_5000697
In this example, the livepatch-mgr unload command is run to uninstall all hotfixes from an instance. The following command output is returned:
unloading kernel-hotfix-5956925-23.x86_64
disabling patch module: kpatch_5956925
unloading patch module: kpatch_5956925
unloading kernel-hotfix-5902278-23.x86_64
disabling patch module: kpatch_5902278
unloading patch module: kpatch_5902278
unloading kernel-hotfix-5260815-23.x86_64
disabling patch module: kpatch_5260815
unloading patch module: kpatch_5260815
unloading kernel-hotfix-5928799-23.x86_64
disabling patch module: kpatch_5928799
unloading patch module: kpatch_5928799
unloading kernel-hotfix-5577959-23.x86_64
disabling patch module: kpatch_5577959
unloading patch module: kpatch_5577959