Image
How to enable live kernel patching on Linux
Kernel live patching is a great way to keep your infrastructure updated while minimizing manual work and avoiding system restarts
The core of the Linux operating system is the kernel. It handles the primary interaction between the hardware and the software. It also accomplishes tasks such as memory management, process management, system security, and hardware interactions, to name a few. Such an essential piece of the operating system inevitably has flaws or vulnerabilities that need to be patched and maintained.
As a key component of the operating system, updating the kernel traditionally required a system restart. That changed with the release of version 5.10 of the Linux kernel in December 2020. (Some Linux distributions supported live patching before version 5.10.)
If you're running a kernel version that supports it, you can (and should) take advantage of live kernel patching. This code execution method works alongside kernel probes and function tracing. Instead of relying on redirection using a breakpoint for kernel probes or a predefined location (in the case of function tracing), live patching is generally done by redirecting the code as close to the function entry as possible.
This new method allows for a function to be immediately redirected through a ftrace
handler, so instead of calling an older, vulnerable function, it is redirected to a patched version of the function.
Your patching cadence might involve running something like an Ansible playbook or manually patching servers with package commands like dnf
or apt
. No matter the circumstance, you'll probably appreciate live kernel patching.
How to enable live kernel patching
Enabling live kernel patching varies depending on your Linux distribution but is generally straightforward.
First, check your kernel version. You can do this with your package manager:
$ sudo dnf list kernel
Installed Packages
kernel.x86_64 3.10.0-1062.1.2.el7 @anaconda/7.7
Alternately, use the uname
command:
$ uname -r
3.10.0-1062.1.2.el7.x86_64
If you're on a version of Linux that supports live kernel patching, you can continue enabling live kernel patching.
[ Ready to move up? Download RHEL 9 for free through the Red Hat Developer program. ]
If you aren't on a supported kernel version, you must update the kernel and restart the server:
$ sudo dnf install -y kernel
...
$ sudo reboot
Live patching on RHEL 8.1+
Live kernel patching is already enabled in Red Hat Enterprise Linux (RHEL) versions starting with version 8.1. You can check by ensuring that kpatch
is installed:
$ sudo dnf install kpatch
...
Package kpatch-0.9.2-5.el8.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Next, install kpatch-dnf
, which enables the automated installation of kpatch
patches:
$ sudo dnf install kpatch-dnf
Installed:
kpatch-dnf-0.2-5.el8.noarch
[ Download the Linux commands cheat sheet. ]
With the plugin installed, enable the subscription to kernel live patches:
$ sudo dnf kpatch auto
Live patching on RHEL 7.7+
Live kernel patching is also ready to go on RHEL 7.7 and above, although kpatch-dnf
is not available. After installing kpatch
, you must manually install the kernel patches. Here's a quick method to install all live kernel patches for the current kernel:
$ sudo dnf install -y "kpatch-patch = $(uname -r)"
...
Installed:
kpatch-patch-3_10_0-1062_1_2.x86_64 0:1-9.el7
Complete!
Live kernel patching utilities
Between the dnf
and kpatch
commands, you have very good utilities for gathering information about which patches are installed and which CVEs have patches available.
The kpatch list
command displays loaded and installed live kernel patches. This is extremely valuable for auditing and tracking:
$ kpatch list
Loaded patch modules:
kpatch_3_10_0_1062_1_2_1_9 [enabled]
Installed patch modules:
kpatch_3_10_0_1062_1_2_1_9 (3.10.0-1062.1.2.el7.x86_64)
While this next command isn't solely related to kernel patching, it is a useful one to know. This command shows a list of CVEs, the severity of each, and the affected package (including the kernel):
$ dnf updateinfo list cves
With some filtering, you can display just what you care about:
$ sudo yum updateinfo list cves | grep -i kernel | grep CVE
CVE-2021-32399 Important/Sec. kernel-4.18.0-305.10.2.el8_4.x86_64
CVE-2021-33909 Important/Sec. kernel-4.18.0-305.10.2.el8_4.x86_64
CVE-2021-3609 Important/Sec. kernel-4.18.0-305.12.1.el8_4.x86_64
...
The dnf update --security
command does a dnf update
but only runs updates tied to security patching, including kernel patches.
The kpatch info
command along with a kpatch
module name as an argument displays details such as the full path for the patch, its license, whether it's a live patch, and more. This is another useful command when digging into details on specific patches applied to a system or for audit tracking.
Wrap up
As with any vulnerability fix, you need to either do the updates, schedule a cronjob, or use some other mechanism (such as systemd timers), to have the updates run. Live kernel patching just prevents the need for a reboot. An effective cron job can be a simple one-line script with the required update command, but it's up to you to schedule it. I recommend doing it weekly at least, although daily is even better. You can find some example code for regularly updating the kernel in my GitHub repo.
Leveraging kernel live patching is a great way to keep your infrastructure updated and minimize the amount of manual work required. You can learn more in the Linux Kernel's Livepatch documentation and in RHEL's Applying patches with kernel live patching documentation.
Image
Collaborate on file changes, with no Git hosting service necessary, using the Linux git diff and patch commands.
Image
Find out how to handle situations when patching your Linux systems doesn't go as planned.
Image
Every Linux user has a favorite single-line command. Here are the 20 Linux commands we can't live without.
Carlo Mencarelli
Carlo Mencarelli is a cloud engineer focusing on automation, security, and observability. He began his career as a network engineer before moving into systems engineering and focusing on cloud engineering in various startups. He holds an M.S. More about me