Kernel Live Patch Support Cadence

Overview
Active Red Hat Enterprise Linux (RHEL) versions receive errata updates every 2-6 weeks. Live patching is supported on a subset of those errata kernels, which Red Hat calls kpatch-eligible base errata kernels, designated once every quarter. This kernel is always the currently released errata kernel for each active RHEL release on January 1, March 1, June 1, and September 1. For information on which kernels have kpatch support, please see the Kernel Live Patch life cycles page. Look here to get a better sense of Red Hat version lifecycles. For each kpatch-eligible errata base kernel, users will get live patches for critical and important CVEs for up to a full year.

Every minor RHEL release that supports EUS (RHEL 9.6, for example) will remain eligible for live patch updates for a full four years after its release. Non-EUS minor releases (RHEL 9.7, for example) will be supported for their six-month lifecycle.

A DNF plug-in that you can install on systems using live patching filters the list of available RHEL errata kernels, limiting updates to only those errata kernels that support live patching.

How it works
As an example: If a user installs RHEL 9.6 on a system they want to use with live patching, they can install the DNF plug-in to help select the most recent available kernel that has live patching support. Once the eligible kernel is installed, they can then install the latest cumulative live patch set (if there is one). From that point forward, live patches will be available for that kernel for at least the next year. Refer to Applying patches with kernel live patching for more information on using live patching.

The user can update the base kernel any time. Once they're using the latest kpatch-eligible RHEL 9.6 errata kernel, the one-year clock for live patches resets.

You can use this cadence as you see fit to meet your security SLAs. Here's an example of a common SLA:

  • critical CVEs patched within 48 hours of a patch release
  • important CVEs patched within two weeks of a patch release
  • moderates and below patched within 6 months of a patch release

In this case, the user could use live patches within the SLA window for their critical and important CVEs, and then update and reboot to a new kpatch-eligible kernel every 3 to 6 months to patch moderate and below CVEs (and also get any bug fixes added in the interim).

A DNF plug-in filters which kernels support live patching
Red Hat introduced the concept of kpatch-eligible kernels because users consuming live patches don’t need as many kernel updates. They are typically trying to reduce reboots, and their critical and important CVEs are remediated using kpatch. Because of this, Red Hat only supports a new kpatch-eligible errata kernel once per quarter, and uses kpatch to protect the systems in the interim.

The risk on systems running kpatch is that DNF could accidentally install one of the many errata kernels that doesn’t support live patches. The DNF filter plug-in prevents this from happening by only displaying and installing kernels that support kpatch.

DNF Plug-in Installation and Use Instructions
Once the filter plug-in is installed and enabled, DNF will automatically download and install the most recent kpatch-eligible kernel.

These DNF plug-in packages will need to be installed and enabled on every system running live patching, but this doesn’t create a unique challenge because kpatch itself has to be installed on those machines.

The packages need to be installed using dnf:

$ dnf install -y kpatch-0.9.7-3.el9_4.noarch.rpm kpatch-dnf-0.9.7_0.4-3.el9_4.noarch.rpm

Once installed, use the following command to enable filtering:

$ dnf kpatch auto-filter

These are the kernel-related packages that are being filtered:

kernel, kernel-core, kernel-modules, kernel-modules-core, kernel-modules-extra

These kernel-related packages are not being filtered and could be installed:

kernel-debug-*, kernel-devel, kernel-doc, kernel-headers, kernel-tools

New kpatch dnf plug-in options have been added:

$ dnf kpatch auto-filter    # filter out kpatch-unsupported kernels
$ dnf kpatch no-filter      # (default) do not filter kernels

To check that the new filtering functionality is set, run:

$ dnf kpatch status | grep setting
Kpatch update setting: manual-update
Kpatch filter setting: auto-filter  <--- filtering is on
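The following audit helper is an added example, not part of kpatch or the kpatch-dnf plug-in. It checks the two things the procedure above leaves a host in: the DNF filter is set to auto-filter, and the running kernel has a cumulative live patch package installed. The checks take captured command output as strings so they can run offline (or inside a fleet audit); the sample status output, kernel release and package list are constructed for the example. The kpatch-patch package naming rule it relies on (kpatch-patch-<kernel version with dots replaced by underscores>) is an assumption stated in the code.

```shell
#!/bin/sh
# Hypothetical audit helper (not part of kpatch or kpatch-dnf): verifies that a
# host matches the cadence described above -- the DNF kpatch filter is on and
# the running kernel has a live patch package installed. Inputs are passed as
# strings so the checks run offline against captured command output.

# 0 when `dnf kpatch status` output ($1) reports "Kpatch filter setting: auto-filter".
kpatch_filter_enabled() {
    printf '%s\n' "$1" | grep -q '^Kpatch filter setting: auto-filter$'
}

# Map a kernel release ($1, as printed by `uname -r`) to the kpatch-patch
# package name prefix. Assumption: live patch packages are named
# kpatch-patch-<kernel version with dots replaced by underscores>, with the
# .elN dist tag and the architecture dropped, e.g.
# 5.14.0-570.12.1.el9_6.x86_64 -> kpatch-patch-5_14_0-570_12_1
kpatch_patch_name() {
    printf '%s\n' "$1" \
        | sed -e 's/\.el[0-9_]*\(\.[A-Za-z0-9_]*\)\{0,1\}$//' \
              -e 's/\./_/g' \
              -e 's/^/kpatch-patch-/'
}

# 0 when the installed package list ($2, one `rpm -qa` style name per line)
# contains a live patch package for kernel release $1.
kpatch_patch_installed() {
    name=$(kpatch_patch_name "$1")
    printf '%s\n' "$2" | grep -q "^${name}-"
}

# Overall verdict: prints one line per finding, returns 0 only if all pass.
kpatch_audit() {
    status_out=$1; kver=$2; pkgs=$3; rc=0
    if kpatch_filter_enabled "$status_out"; then
        echo "PASS: DNF kpatch filter is auto-filter"
    else
        echo "FAIL: DNF kpatch filter is off; run: dnf kpatch auto-filter"; rc=1
    fi
    if kpatch_patch_installed "$kver" "$pkgs"; then
        echo "PASS: live patch package present for $kver"
    else
        echo "FAIL: no $(kpatch_patch_name "$kver") package for running kernel $kver"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_STATUS_ON='Kpatch update setting: manual-update
Kpatch filter setting: auto-filter'
SAMPLE_STATUS_OFF='Kpatch update setting: manual-update
Kpatch filter setting: no-filter'
SAMPLE_KVER='5.14.0-570.12.1.el9_6.x86_64'
SAMPLE_PKGS='kernel-core-5.14.0-570.12.1.el9_6.x86_64
kpatch-0.9.7-3.el9_4.noarch
kpatch-dnf-0.9.7_0.4-3.el9_4.noarch
kpatch-patch-5_14_0-570_12_1-1-2.el9_6.x86_64'

# On a real host, replace the samples with live data:
#   kpatch_audit "$(dnf kpatch status)" "$(uname -r)" "$(rpm -qa)"
kpatch_audit "$SAMPLE_STATUS_ON" "$SAMPLE_KVER" "$SAMPLE_PKGS"
```

A non-zero exit from kpatch_audit is the signal to act: either the filter was never enabled (so a later dnf update could pull in a non-eligible kernel) or the host booted a kpatch-eligible kernel without its cumulative live patch set, leaving the critical and important CVEs that live patching is meant to cover unpatched until the next reboot.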

Checking the current kpatch-eligible kernels list
For information on which kernels have kpatch support please see the Kernel Live Patch life cycles page.
