Recommended Practices for using Kernel Live Patching in RHEL High Availability or Resilient Storage Clusters
What is kernel live patching
Kernel live patching (kpatch) is a mechanism to address select important and critical Common Vulnerabilities and Exposures (CVEs) related to the Linux kernel in Red Hat Enterprise Linux (RHEL) without rebooting the node or restarting any processes immediately. For more information about kpatch, its scope and limitations, as well as further documentation, see Is live kernel patch (kpatch) supported in Red Hat Enterprise Linux?.
Red Hat does not provide live patches for eligible CVEs for all Red Hat shipped kernels, but only for a select set of kernels (see Kernel Live Patch Support Cadence Update for information about the release cadence of live patches). For information about the life cycle of live patches, end of life (EOL) dates and which CVEs they address, please refer to Kernel Live Patch life cycles.
Note: Red Hat kernel live patching is not a general-purpose kernel upgrade mechanism. It is used for addressing select CVEs when rebooting the node is not immediately possible. After installing and applying live patches, make sure to plan ahead for updating the kernel package and rebooting all cluster nodes, because live patches do not address all applicable CVEs, nor the bug fixes that regular kernel updates do.
Note: Kernel live patching in RHEL High Availability or Resilient Storage Clusters is supported since the following versions:
- RHEL 9.0: kernel-5.14.0-70.13.1.el9_0, kpatch-patch-5_14_0-70_13_1-1-5.el9_0
- RHEL 8.4: kernel-4.18.0-305.30.1.el8_4, kpatch-patch-4_18_0-305_30_1-1-6.el8_4
Recommended practices
As with non-High Availability cluster nodes, when using kpatch, make sure to plan ahead and create a design for how to use kpatch on a High Availability Cluster, taking the following into account:
- At installation of a High Availability Cluster, but also when updating the cluster, make sure to install and run a kernel for which Red Hat provides live patches.
- Make sure all prerequisites for using kpatch are met.
- Define a procedure for the installation of live patches and for regular patch cycles.
- Kernel live patches are applied in the background and in a non-blocking way to minimize the impact on the workload.
- Apply kernel live patches to only one node at a time, and ensure that the node survived installing the patch before continuing to the next node.
- Create your own test scenario and install a kpatch in a test environment to ensure the installation works with your setup and configuration.
- Ensure that all packages on all nodes are the same, as Red Hat only supports clusters with mixed package releases for a limited time.
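As an added example (not part of the Red Hat article), the following POSIX shell helpers implement the checks the list above asks for: deriving the kpatch-patch package name for a node's running kernel from the kernel/kpatch-patch pairing shown in the supported-versions note, confirming from `kpatch list` output that the live patch module is enabled on that node, and confirming from `pcs status nodes` output that the node is online before the next node is touched. The `kpatch list` and `pcs status nodes` text embedded below is constructed sample output, not captured from a real cluster, and the `--apply` driver at the end assumes passwordless ssh to each node and `kpatch`/`pcs` on the PATH.

```shell
#!/bin/sh
# Added example: helpers for a one-node-at-a-time kpatch rollout on an
# HA cluster. Not part of the Red Hat article; sample outputs below are
# constructed, not captured from a real node.

# Derive the kpatch-patch package name for a kernel release string by
# dropping the dist tag/arch and turning dots into underscores, e.g.
#   5.14.0-70.13.1.el9_0.x86_64 -> kpatch-patch-5_14_0-70_13_1
kpatch_pkg_for_kernel() {
    base=$(printf '%s' "$1" | sed -e 's/\.el[0-9].*$//' -e 's/\./_/g')
    printf 'kpatch-patch-%s\n' "$base"
}

# Read `kpatch list` output on stdin; return 0 if the "Loaded patch
# modules:" section lists an [enabled] module built for this kernel.
# Module names look like kpatch_5_14_0_70_13_1_1_5 (kernel release with
# '.' and '-' replaced by '_', followed by the package release).
kpatch_enabled_for_kernel() {
    want=$(printf '%s' "$1" | sed -e 's/\.el[0-9].*$//' -e 's/[.-]/_/g')
    awk -v want="kpatch_${want}_" '
        /^Loaded patch modules:/ { in_loaded = 1; next }
        /^$/                     { in_loaded = 0 }
        in_loaded && index($1, want) == 1 && $2 == "[enabled]" { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Read `pcs status nodes` output on stdin; return 0 if the node name is
# listed on the "Online:" line of the Pacemaker Nodes section.
node_online() {
    awk -v node="$1" '
        /^ *Online:/ { for (i = 2; i <= NF; i++) if ($i == node) found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample outputs, used for the offline checks below.
SAMPLE_KPATCH_LIST='Loaded patch modules:
kpatch_4_18_0_305_30_1_1_6 [enabled]

Installed patch modules:
kpatch_4_18_0_305_30_1_1_6 (4.18.0-305.30.1.el8_4.x86_64)'

SAMPLE_PCS_NODES='Pacemaker Nodes:
 Online: node1 node2
 Standby:
 Maintenance:
 Offline: node3'

# Rollout driver (assumption: passwordless ssh, kpatch and pcs on PATH).
# Runs only when invoked as:  ./kpatch-rollout.sh --apply node1 node2 ...
# Stops at the first node that does not come back healthy, so a bad patch
# never reaches the remaining nodes.
if [ "${1:-}" = "--apply" ]; then
    shift
    for node in "$@"; do
        kver=$(ssh "$node" uname -r)
        pkg=$(kpatch_pkg_for_kernel "$kver")
        ssh "$node" "dnf -y install '$pkg'"   # installing the package loads the live patch
        ssh "$node" kpatch list | kpatch_enabled_for_kernel "$kver" \
            || { echo "$node: live patch for $kver not enabled, stopping" >&2; exit 1; }
        pcs status nodes | node_online "$node" \
            || { echo "$node: not online in the cluster, stopping" >&2; exit 1; }
        echo "$node: $pkg applied and node online"
    done
fi
```

The offline helpers can be exercised against the constructed samples (`printf '%s\n' "$SAMPLE_KPATCH_LIST" | kpatch_enabled_for_kernel 4.18.0-305.30.1.el8_4.x86_64`) before the driver is ever pointed at a cluster, which is the test-environment step the list above recommends.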