livepatch-mgr is a kernel hotfix management tool provided by Alibaba Cloud Linux operating systems (OSs). You can use livepatch-mgr to view, install, or uninstall kernel hotfixes in Alibaba Cloud Linux OSs.

Background information

To ensure system stability and security, Alibaba Cloud Linux distributions stay up-to-date on common vulnerabilities and exposures (CVEs) discovered by the Linux community and the industry and are updated with the latest versions of software packages (including kernels), bug fixes, and CVE fixes in a timely manner. For information about security updates for Alibaba Cloud Linux, see the following documents:

Based on these security updates, you can choose to update your software packages by using hotfixes, which patch the running kernel without a reboot, or coldfixes, which update the kernel packages and take effect after a reboot. This topic describes how to use livepatch-mgr.

Install and view livepatch-mgr

  1. Connect to an Alibaba Cloud Linux Elastic Compute Service (ECS) instance that requires hotfixes.
    For information about how to connect to an ECS instance, see Connection methods.
  2. Run the following command to install livepatch-mgr:
    yum install livepatch-mgr -y
  3. After livepatch-mgr is installed, run the following command to view the features supported by livepatch-mgr:
    livepatch-mgr -h
    The command output describes the usage of livepatch-mgr. livepatch-mgr provides the following commands:
    • update: installs and applies applicable hotfixes to the instance. For more information, see the Install and apply hotfixes section.
    • list: queries all hotfixes of the instance. For more information, see the Query hotfixes section.
    • load: loads or applies hotfixes that are installed on the instance. For more information, see the Load or apply hotfixes section.
    • unload: uninstalls hotfixes from the instance. For more information, see the Uninstall hotfixes section.

Install and apply hotfixes

To install and apply all applicable hotfixes to the instance, run the following command:
livepatch-mgr update
livepatch-mgr update supports the --bugfix, --security, and -cves <CVEs> parameters for different scenarios:
  • To install and apply applicable hotfixes for bugs, run the following command:
    livepatch-mgr update --bugfix
  • To install and apply applicable hotfixes for CVEs, run the following command:
    livepatch-mgr update --security
  • To install and apply hotfixes for specified CVEs, run the following command:
    livepatch-mgr update -cves <CVEs>
    The <CVEs> variable specifies CVE IDs. CVE IDs are case-sensitive. If you specify multiple CVE IDs, separate them with commas (,). Example:
    livepatch-mgr update -cves CVE-2021-33909,CVE-2021-22555
In this example, the livepatch-mgr update command is run to install and apply all applicable hotfixes to the instance. The following command output is returned:
Plug-ins loaded: fastestmirror, langpacks, releasever-adapter, update-motd
Loading mirror speeds from cached hostfile
Resolving dependencies
--> Running transaction check
---> To install the kernel-hotfix-4121479-21.al7.x86_64.0.1.0-1.al7 software package
--> Dependency resolving complete

Dependencies resolved

================================================================================
 Package                           Architecture        Version             Source         Size
================================================================================
Software package being installed:
 kernel-hotfix-4121479-21.al7      x86_64      1.0-1.al7        plus      244 k

Transaction overview
================================================================================
Install  1 software package.

Total download size: 244 k
Installation package size: 1.0 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing    : kernel-hotfix-4121479-21.al7-1.0-1.al7.x86_64               1/1
installing /var/khotfix/4.19.91-21.al7.x86_64/4121479/kpatch-4121479.ko (4.19.91-21.al7.x86_64)
loading patch module: /var/khotfix/4.19.91-21.al7.x86_64/4121479/kpatch-4121479.ko
  Verifying      : kernel-hotfix-4121479-21.al7-1.0-1.al7.x86_64               1/1

Installed:
  kernel-hotfix-4121479-21.al7.x86_64 0:1.0-1.al7

Done. 

Query hotfixes

To query all hotfixes applicable to the instance, run the following command:
livepatch-mgr list
livepatch-mgr list supports the --installed, --bugfix, --security, --running, and --available parameters for different scenarios:
  • To query hotfixes installed on the instance, run the following command:
    livepatch-mgr list --installed
  • To query installed hotfixes for bugs on the instance, run the following command:
    livepatch-mgr list --installed --bugfix
  • To query installed hotfixes for CVEs on the instance, run the following command:
    livepatch-mgr list --installed --security
  • To query all hotfixes that are in effect on the instance, run the following command:
    livepatch-mgr list --running
  • To query hotfixes that are in effect for bugs on the instance, run the following command:
    livepatch-mgr list --running --bugfix
  • To query hotfixes that are in effect for CVEs on the instance, run the following command:
    livepatch-mgr list --running --security
  • To query all available hotfixes on the instance, run the following command:
    livepatch-mgr list --available
  • To query available hotfixes for bugs on the instance, run the following command:
    livepatch-mgr list --available --bugfix
  • To query available hotfixes for CVEs on the instance, run the following command:
    livepatch-mgr list --available --security
In this example, the livepatch-mgr list command is run to query all hotfixes applicable to the instance. The following command output is returned. The queried hotfixes can be classified into the following categories:
  • Loaded patch modules: hotfixes that are loaded or applied
  • Installed patch modules: hotfixes that are installed
  • Available and not installed patch modules: hotfixes that are available but not installed
Loaded patch modules:
               5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925  seq_file: disallow extremely large seq buffer allocations;
               4375449  ovl: fix dentry leak in ovl_get_redirect;
               5260815  ext4: Avoid freeing inodes on dirty list;
               5000697  mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799  netfilter: x_tables: fix compat match/target pad out-of-bound write;
               4121479  fix XDP socket queue descriptor entries overflow;

Installed patch modules:
               5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925  seq_file: disallow extremely large seq buffer allocations;
               4375449  ovl: fix dentry leak in ovl_get_redirect;
               5260815  ext4: Avoid freeing inodes on dirty list;
               5000697  mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799  netfilter: x_tables: fix compat match/target pad out-of-bound write;
               4121479  fix XDP socket queue descriptor entries overflow;

Available and not installed patch modules:
CVE-2020-14386 kernel-hotfix-3768348-21.al7.x86_64 Using tp_reserve to calculate netoff can overflow as tp_rese...(more)
               kernel-hotfix-5902278-21.al7.x86_64  We notice that hung task happens in a conner but practical ...(more)
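The update and list subcommands above can be combined into a check that a required set of CVE fixes is actually in effect on the instance (listed under "Loaded patch modules:", not merely installed or available), and that produces the update -cves command line for whatever is missing. The following shell script is an added example, not part of livepatch-mgr or of the original page: the function names (running_cves, missing_cves, remediation_cmd, check_instance) are its own, the sample output is constructed from the listing shown above, and it assumes that list output keeps the block structure shown on this page.

```shell
#!/bin/sh
# Added example (not part of livepatch-mgr): confirm that required CVE fixes are
# live-patched on this instance, and build the remediation command for any that
# are not. Function names are this example's own.

# Constructed sample of `livepatch-mgr list` output, trimmed from the listing
# shown on this page. Only the "Loaded patch modules:" block counts as "in
# effect"; the Installed and Available blocks are deliberately included so the
# parser has to skip them.
SAMPLE_LIST='Loaded patch modules:
               5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925  seq_file: disallow extremely large seq buffer allocations;
CVE-2021-22555 5928799  netfilter: x_tables: fix compat match/target pad out-of-bound write;
               4121479  fix XDP socket queue descriptor entries overflow;

Installed patch modules:
CVE-2021-33909 5956925  seq_file: disallow extremely large seq buffer allocations;
CVE-2021-22555 5928799  netfilter: x_tables: fix compat match/target pad out-of-bound write;

Available and not installed patch modules:
CVE-2020-14386 kernel-hotfix-3768348-21.al7.x86_64 Using tp_reserve to calculate netoff can overflow as tp_rese...(more)
'

# Print the CVE IDs whose hotfix is loaded (first column of the Loaded block).
# Reads livepatch-mgr list output on stdin.
running_cves() {
    awk '
        /^Loaded patch modules:/ { in_loaded = 1; next }
        /patch modules:$/        { in_loaded = 0 }
        in_loaded && $1 ~ /^CVE-[0-9][0-9][0-9][0-9]-[0-9]+$/ { print $1 }
    '
}

# Arguments: required CVE IDs (case-sensitive, as livepatch-mgr expects).
# Prints the IDs that are not live-patched, space-separated; exit status 0 only
# when every required CVE is covered.
missing_cves() {
    running=$(running_cves)
    missing=""
    for cve in "$@"; do
        if ! printf '%s\n' "$running" | grep -qxF -- "$cve"; then
            missing="${missing}${missing:+ }$cve"
        fi
    done
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Build the command that installs and applies the given CVE fixes; IDs are
# joined with commas as `livepatch-mgr update -cves` expects.
remediation_cmd() {
    [ $# -gt 0 ] || return 0
    (IFS=,; printf 'livepatch-mgr update -cves %s\n' "$*")
}

# Live check on an Alibaba Cloud Linux instance (needs livepatch-mgr installed
# and root). Usage: check_instance CVE-2021-33909 CVE-2021-22555
check_instance() {
    command -v livepatch-mgr >/dev/null 2>&1 || { echo "livepatch-mgr is not installed" >&2; return 2; }
    if miss=$(livepatch-mgr list | missing_cves "$@"); then
        echo "all required CVE fixes are in effect"
    else
        echo "not in effect: $miss" >&2
        echo "to remediate, run: $(remediation_cmd $miss)" >&2   # $miss unquoted on purpose: split the IDs
        return 1
    fi
}
```

The check reads only the Loaded block because a hotfix that is installed but not loaded (for example after a failed load) leaves the running kernel unpatched; `livepatch-mgr list --installed` alone would not reveal that.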

Load or apply hotfixes

To load all hotfixes that are installed on the instance, run the following command:
livepatch-mgr load
livepatch-mgr load supports the --security and --bugfix parameters and accepts a <hotfix package> argument for different scenarios:
  • To load installed hotfixes for CVEs on the instance, run the following command:
    livepatch-mgr load --security
  • To load installed hotfixes for bugs on the instance, run the following command:
    livepatch-mgr load --bugfix
  • To load a specific hotfix that is installed on the instance, run the following command:
    livepatch-mgr load <hotfix package>
    The <hotfix package> value specifies the hotfix that you want to load. You can set the value to the absolute path or name of the kernel module (.ko file) in a hotfix. Examples:
    • To specify a hotfix package by using the absolute path of the kernel module (.ko file) in a hotfix, run the following command:
      livepatch-mgr load /var/khotfix/4.19.91-21.al7.x86_64/5956925/kpatch-5956925.ko
      Sample command output:
      loading kernel-hotfix-5956925
      loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5956925/kpatch-5956925.ko
    • To specify a hotfix package by using the name of the kernel module without the .ko suffix in a hotfix, run the following command:
      livepatch-mgr load kpatch-5260815
      Sample command output:
      loading kernel-hotfix-5260815
      loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5260815/kpatch-5260815.ko
    • To specify a hotfix package by using the name of the kernel module with the .ko suffix in a hotfix, run the following command:
      livepatch-mgr load kpatch-4121479.ko
      Sample command output:
      loading kernel-hotfix-4121479
      loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/4121479/kpatch-4121479.ko
In this example, the livepatch-mgr load command is run to load all hotfixes that are installed on the instance. The following command output is returned:
loading kernel-hotfix-5956925-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5956925/kpatch-5956925.ko

loading kernel-hotfix-5902278-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5902278/kpatch-5902278.ko

loading kernel-hotfix-5260815-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5260815/kpatch-5260815.ko

loading kernel-hotfix-5928799-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5928799/kpatch-5928799.ko

loading kernel-hotfix-5577959-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5577959/kpatch-5577959.ko

Uninstall hotfixes

To uninstall all hotfixes from the instance, run the following command. Unloading a hotfix for a CVE reverts the running kernel to the unpatched code, so the instance is exposed to that CVE again until the hotfix is loaded again or the kernel is updated by a coldfix:
livepatch-mgr unload
livepatch-mgr unload supports the --security and --bugfix parameters and accepts a <hotfix package> argument for different scenarios:
  • To uninstall hotfixes for CVEs from the instance, run the following command:
    livepatch-mgr unload --security
  • To uninstall hotfixes for bugs from the instance, run the following command:
    livepatch-mgr unload --bugfix
  • To uninstall a specific hotfix from the instance, run the following command:
    livepatch-mgr unload <hotfix package>
    The <hotfix package> value specifies the hotfix that you want to uninstall. You can set the value to the absolute path or name of the kernel module (.ko file) in a hotfix. Examples:
    • To specify a hotfix package by using the absolute path of the kernel module (.ko file) in a hotfix, run the following command:
      livepatch-mgr unload /var/khotfix/4.19.91-21.al7.x86_64/5928799/kpatch-5928799.ko
      Sample command output:
      unloading kernel-hotfix-5928799
      disabling patch module: kpatch_5928799
      unloading patch module: kpatch_5928799
    • To specify a hotfix package by using the name of the kernel module without the .ko suffix in a hotfix, run the following command:
      livepatch-mgr unload kpatch_5692820
      Sample command output:
      unloading kernel-hotfix-5692820
      disabling patch module: kpatch_5692820
      unloading patch module: kpatch_5692820
    • To specify a hotfix package by using the name of the kernel module with the .ko suffix in a hotfix, run the following command:
      livepatch-mgr unload kpatch_5000697.ko
      Sample command output:
      unloading kernel-hotfix-5000697
      disabling patch module: kpatch_5000697
      unloading patch module: kpatch_5000697
In this example, the livepatch-mgr unload command is run to uninstall all hotfixes from an instance. The following command output is returned:
unloading kernel-hotfix-5956925-23.x86_64
disabling patch module: kpatch_5956925
unloading patch module: kpatch_5956925

unloading kernel-hotfix-5902278-23.x86_64
disabling patch module: kpatch_5902278
unloading patch module: kpatch_5902278

unloading kernel-hotfix-5260815-23.x86_64
disabling patch module: kpatch_5260815
unloading patch module: kpatch_5260815

unloading kernel-hotfix-5928799-23.x86_64
disabling patch module: kpatch_5928799
unloading patch module: kpatch_5928799

unloading kernel-hotfix-5577959-23.x86_64
disabling patch module: kpatch_5577959
unloading patch module: kpatch_5577959
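The three spellings that load and unload accept for <hotfix package> all refer to the same kernel module, and the tool's own output is the only confirmation the page shows. The following shell script is an added example, not livepatch-mgr code or part of the original page: it resolves any of the spellings to the kernel module name and then checks the kernel's livepatch sysfs state to confirm that a load actually enabled the patch and an unload actually removed it. It assumes (not stated on the page) that the kpatch-*.ko hotfixes are standard kernel livepatch modules exposed under /sys/kernel/livepatch/; SYSFS_ROOT, module_name, patch_state, assert_enabled, assert_unloaded and list_live_patches are the example's own names.

```shell
#!/bin/sh
# Added example (not part of livepatch-mgr): normalize the three <hotfix package>
# spellings accepted by `livepatch-mgr load` and `unload` to the kernel module
# name, and verify the result of a load or unload through the kernel's own
# livepatch sysfs interface rather than trusting the tool's output.
#
# Assumptions not stated on this page: the kpatch-*.ko hotfixes are standard
# kernel livepatch modules, so a loaded patch appears as
# /sys/kernel/livepatch/<module>/enabled (1 = patch active, 0 = disabled but
# still loaded) and /sys/module/<module> exists while the module is loaded.
# SYSFS_ROOT is this example's own variable: leave it empty on a real instance,
# or point it at a fake tree for offline testing.
SYSFS_ROOT="${SYSFS_ROOT:-}"

# kpatch-5928799.ko, /var/khotfix/.../5928799/kpatch-5928799.ko, kpatch-5928799
# and kpatch_5928799 all resolve to kpatch_5928799: the kernel stores module
# names with '-' replaced by '_', which is why the unload output on this page
# says "disabling patch module: kpatch_5928799" for a file named kpatch-5928799.ko.
module_name() {
    name=${1##*/}          # drop any directory part
    name=${name%.ko}       # drop the .ko suffix if present
    printf '%s\n' "$name" | sed 's/-/_/g'
}

# Print one of: enabled, disabled, loaded, not loaded.
patch_state() {
    mod=$(module_name "$1")
    flag="$SYSFS_ROOT/sys/kernel/livepatch/$mod/enabled"
    if [ -r "$flag" ]; then
        if [ "$(cat "$flag")" = "1" ]; then echo "enabled"; else echo "disabled"; fi
    elif [ -d "$SYSFS_ROOT/sys/module/$mod" ]; then
        echo "loaded"      # module resident but not (or no longer) registered as a live patch
    else
        echo "not loaded"
    fi
}

# After `livepatch-mgr load <pkg>`: succeed only if the patch is actually active.
assert_enabled() { [ "$(patch_state "$1")" = "enabled" ]; }

# After `livepatch-mgr unload <pkg>`: succeed only if nothing of the module remains.
assert_unloaded() { [ "$(patch_state "$1")" = "not loaded" ]; }

# Enumerate every live patch the kernel knows about with its enabled flag, to
# cross-check against `livepatch-mgr list --running`.
list_live_patches() {
    for d in "$SYSFS_ROOT"/sys/kernel/livepatch/*/; do
        [ -d "$d" ] || continue
        mod=${d%/}; mod=${mod##*/}
        printf '%s %s\n' "$mod" "$(cat "$d/enabled")"
    done
}
```

On a real instance, leave SYSFS_ROOT unset; for example, `livepatch-mgr unload kpatch_5928799 && assert_unloaded kpatch_5928799` fails if the module is still resident. The unload output on this page prints "disabling patch module" before "unloading patch module", which is the two-step sequence (enabled set to 0, then module removal) that patch_state distinguishes as "disabled" versus "not loaded".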