Live Patching with SUSE Manager
Introduction
Under normal circumstances a system needs to be rebooted after a kernel update. SLE Live Patching allows you skipping the reboot by applying a subset of Linux kernel releases injected via kGraft live patching technology.
In the following sections you will learn how to use SLE Live Patching to avoid the typical reboot requirement after updating a system kernel.
For in depth information covering kGraft use, see https://www.suse.com/documentation/sles-12/singlehtml/book_sle_admin/book_sle_admin.html#cha.kgraft.
Initial Setup Requirements
To work with SLE Live Patching the following expectations are assumed:
-
SUSE Manager fully updated.
-
At least 1 Salt Minion running SLES 12 SP1 or later and registered with SUSE Manager .
-
The matching SLES 12 SPx channels including the SLE Live Patching child channel fully synced.
Live Patching Setup
-
Subscribe all systems to be managed via live patching to your fully synced live patching child channels within your systems base channel by browsing to . Select both live patching channels and change subscription.
When subscribing to a channel that contains a product, the product package will automatically be installed on traditionaly registered systems and added to the package state on Salt managed systems. For Salt managed systems please apply the highstate to push these changes to your systems.
-
Use the search field listed under to install the latest
kgraftpackage to all systems to be managed via live patching.
-
Apply the highstate to enable live patching:
-
Once the highstate has been applied on Salt systems or the package has been installed on traditional systems browse to the systems details page for confirmation that live patching has been enabled. You can check the live patching state listed under the table field:
Cloning Channels
It is considered best practice to clone a vendor channel that will be modified into a new channel with one of the following prefix names: dev, testing, and prod.
In the following procedure you will clone the default vendor channel into a new channel named dev-sles12-sp3-pool-x86_64
using the command line.
-
Open a terminal and as root enter:
# spacewalk-manage-channel-lifecycle --list-channels Spacewalk Username: admin Spacewalk Password: Channel tree: 1. sles{sles-version}-sp{sp-ver}-pool-x86_64 \__ sle-live-patching{sles-version}-pool-x86_64-sp{sp-ver}\__ sle-live-patching{sles-version}-updates-x86_64-sp{sp-ver}\__ sle-manager-tools{sles-version}-pool-x86_64-sp{sp-ver}\__ sle-manager-tools{sles-version}-updates-x86_64-sp{sp-ver}\__ sles{sles-version}-sp{sp-ver}-updates-x86_64 -
Now use the --init argument to automatically create a new development clone of the original vendor channel:
spacewalk-manage-channel-lifecycle --init -c sles{sles-version}-sp{sp-ver}-pool-x86_64
Removing Non-live Kernel Patches from the Cloned Channels
In the following procedure you will remove all kernel patch updates located in the dev-sles12 -spSP3 -updates-x86_64 channel that require a reboot. You created dev-sles12 -spSP3 -updates-x86_64 during [proc.live.patching.clones].
-
Check the current kernel version in use on your client:
# uname -r 3.12.62-60.64.8-default
-
From the SUSE Manager Web UI select . Type
kernelin the search field. Find the kernel version that matches the kernel in use on your minion. -
Remove all kernel update versions that are later than the current kernel.
-
Your channel is now ready to promote for testing SLE Live Patching.
Promoting Channels
The following procedure will guide you through promoting and cloning a development channel to a testing channel. You will change the subscription from the dev repositories on your client to the new testing channel repositories. You will also add the SLE Live Patching child channels to your client.
-
Promote and clone the
dev-sles12 -spSP3 -pool-x86_64to a new testing channel:{prompt.root}spacewalk-manage-channel-lifecycle -promote -c dev-sles{sles-version}-sp{sp-ver}-pool-x86_64 -
From the SUSE Manager Web UI under the page. Select . From the Software Channels page you can edit which channels a system is subscribed to. Select the new base software channel, in this case it should be
test-sles12-sp3-pool-x86_64. Click the button. -
From the button.
Applying Live Patches to a Kernel
The following procedure will guide you through selecting and viewing available CVE Patches (Common Vulnerabilities and Exposures) then applying these kernel updates using the new SLE Live Patching feature.
-
Select your SLES 12 SPSP3 minion from the . Once you have added the SLES 12 SPSP3 Updates child channel to your client, you should see several
Criticalsoftware updates available. Click onCriticalto see a list of available patches. Select any of these patches listed with the following synopsis: Important: Security update for the Linux kernel. All fixed security bugs will be listed along with their number. For example:(CVE-2016-8666)Reboot IconNormal or non-live kernel patches always require a reboot. In SUSE Manager these are represented by aReboot Requiredicon located next to theSecurityshield icon. -
You can search for individual CVE’s by selecting the Audit tab from the navigation menu. Try searching for
CVE-2016-8666. You will see that the patch is available in the vendor update channel and the systems it applies to will be listed.
|
CVE Availability
Not all security issues can be fixed by applying a live patch. Some security issues can only be fixed by applying a full kernel update and will required a reboot. The assigned CVE numbers for these issues are not included in live patches. A CVE audit will display this requirement. |