On Fri, Oct 4, 2019 at 9:24 AM Stephen John Smoogen smooge@gmail.com wrote:
On Fri, 4 Oct 2019 at 08:18, Phelps, Matthew mphelps@cfa.harvard.edu wrote:
On Fri, Oct 4, 2019 at 6:33 AM Jim Perrin jperrin@centos.org wrote:
On 10/3/19 9:35 PM, Stephen John Smoogen wrote:
On Thu, 3 Oct 2019 at 13:52, Phelps, Matthew mphelps@cfa.harvard.edu wrote:
On Thu, Oct 3, 2019 at 1:42 PM Jim Perrin jperrin@centos.org wrote:
On 10/3/19 1:32 PM, Phelps, Matthew wrote:
> Forgive me if this has been answered before and I've missed it.
>
> This https://access.redhat.com/solutions/2206511 says live kernel patches
> will be available via yum updates as of RHEL 7.7. Is this carried over to
> CentOS 7.7.1908?
The functionality should be available, but we don't provide patches in this way, no.
What would it take to make this happen? This would be a huge help to those of us running servers. Not to mention it would make the world a more secure place :)
The short answer is "a team of kernel engineers, which we don't have". Smooge's overview which I've left below is great at explaining some of this:
I don't understand. If RHEL is putting out patches, and CentOS is a recompile of RHEL, hasn't that "team of kernel engineers" already done the work?
No, because most of the work on making a patch is after the kernel is compiled and working. Thus, even though you have the same source code, similar compilers, etc., there are going to be differences which have to be looked at to make sure it is really working. A CentOS kernel is not exactly the same as a RHEL kernel, which is not the same as an Oracle kernel, which is not the same as the one you recompiled locally. From most operational points they seem the same, but kernel patching is where those differences really show up.
Yes, it would be easy to set up some automated tool which 'made' kpatches, and I expect they may 'work' for most systems. But I also expect that they would also eat babies more times than people would like. If sites really need them, they can set up the tooling themselves and make them work when they know they want it. Trying to make it a general-purpose answer for something which may corrupt data 5 or 20% or 40% of the time is just waiting to be on Slashdot daily (wait, do we do Slashdot anymore? Reddit? Nope, the kids aren't there anymore either. OK, someplace daily) in a bad way.
Thanks for the explanation(s).
I'm still puzzled why Red Hat is doing it then, and making it more generally available (to paying customers even), if it's so dire a proposition that it will fail so badly, so often. That seems counter-intuitive to me.
Anyway, I again point out that the CentOS documentation should make clear that this functionality won't ever be coming to CentOS.
-Matt