The core of the Linux operating system is the kernel. It handles the primary interaction between the hardware and the software. It also accomplishes tasks such as memory management, process management, system security, and hardware interactions, to name a few. Such an essential piece of the operating system inevitably has flaws or vulnerabilities that need to be patched and maintained.
As a key component of the operating system, updating the kernel traditionally required a system restart. That changed with the release of version 5.10 of the Linux kernel in December 2020. (Some Linux distributions supported live patching before version 5.10.)
If you're running a kernel version that supports it, you can (and should) take advantage of live kernel patching. This code execution method works alongside kernel probes and function tracing. Instead of relying on redirection using a breakpoint for kernel probes or a predefined location (in the case of function tracing), live patching is generally done by redirecting the code as close to the function entry as possible.
This new method allows for a function to be immediately redirected through a ftrace
handler, so instead of calling an older, vulnerable function, it is redirected to a patched version of the function.
Your patching cadence might involve running something like an Ansible playbook or manually patching servers with package commands like dnf
or apt
. No matter the circumstance, you'll probably appreciate live kernel patching.
How to enable live kernel patching
Enabling live kernel patching varies depending on your Linux distribution but is generally straightforward.
First, check your kernel version. You can do this with your package manager:
$ sudo dnf list kernel
Installed Packages
kernel.x86_64 3.10.0-1062.1.2.el7 @anaconda/7.7
Alternately, use the uname
command:
$ uname -r
3.10.0-1062.1.2.el7.x86_64
If you're on a version of Linux that supports live kernel patching, you can continue enabling live kernel patching.
[ Ready to move up? Download RHEL 9 for free through the Red Hat Developer program. ]
If you aren't on a supported kernel version, you must update the kernel and restart the server:
$ sudo dnf install -y kernel
...
$ sudo reboot
Live patching on RHEL 8.1+
Live kernel patching is already enabled in Red Hat Enterprise Linux (RHEL) versions starting with version 8.1. You can check by ensuring that kpatch
is installed:
$ sudo dnf install kpatch
...
Package kpatch-0.9.2-5.el8.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Next, install kpatch-dnf
, which enables the automated installation of kpatch
patches:
$ sudo dnf install kpatch-dnf
Installed:
kpatch-dnf-0.2-5.el8.noarch
[ Download the Linux commands cheat sheet. ]
With the plugin installed, enable the subscription to kernel live patches:
$ sudo dnf kpatch auto
Live patching on RHEL 7.7+
Live kernel patching is also ready to go on RHEL 7.7 and above, although kpatch-dnf
is not available. After installing kpatch
, you must manually install the kernel patches. Here's a quick method to install all live kernel patches for the current kernel:
$ sudo dnf install -y "kpatch-patch = $(uname -r)"
...
Installed:
kpatch-patch-3_10_0-1062_1_2.x86_64 0:1-9.el7
Complete!
Live kernel patching utilities
Between the dnf
and kpatch
commands, you have very good utilities for gathering information about which patches are installed and which CVEs have patches available.
The kpatch list
command displays loaded and installed live kernel patches. This is extremely valuable for auditing and tracking:
$ kpatch list
Loaded patch modules:
kpatch_3_10_0_1062_1_2_1_9 [enabled]
Installed patch modules:
kpatch_3_10_0_1062_1_2_1_9 (3.10.0-1062.1.2.el7.x86_64)
While this next command isn't solely related to kernel patching, it is a useful one to know. This command shows a list of CVEs, the severity of each, and the affected package (including the kernel):
$ dnf updateinfo list cves
With some filtering, you can display just what you care about:
$ sudo yum updateinfo list cves | grep -i kernel | grep CVE
CVE-2021-32399 Important/Sec. kernel-4.18.0-305.10.2.el8_4.x86_64
CVE-2021-33909 Important/Sec. kernel-4.18.0-305.10.2.el8_4.x86_64
CVE-2021-3609 Important/Sec. kernel-4.18.0-305.12.1.el8_4.x86_64
...
The dnf update --security
command does a dnf update
but only runs updates tied to security patching, including kernel patches.
The kpatch info
command along with a kpatch
module name as an argument displays details such as the full path for the patch, its license, whether it's a live patch, and more. This is another useful command when digging into details on specific patches applied to a system or for audit tracking.
Wrap up
As with any vulnerability fix, you need to either do the updates, schedule a cronjob, or use some other mechanism (such as systemd timers), to have the updates run. Live kernel patching just prevents the need for a reboot. An effective cron job can be a simple one-line script with the required update command, but it's up to you to schedule it. I recommend doing it weekly at least, although daily is even better. You can find some example code for regularly updating the kernel in my GitHub repo.
Leveraging kernel live patching is a great way to keep your infrastructure updated and minimize the amount of manual work required. You can learn more in the Linux Kernel's Livepatch documentation and in RHEL's Applying patches with kernel live patching documentation.
About the author
Carlo Mencarelli is a cloud engineer focusing on automation, security, and observability. He began his career as a network engineer before moving into systems engineering and focusing on cloud engineering in various startups. He holds an M.S. from Syracuse University and several professional certifications from Amazon.
More like this
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit