[CentOS] kpatch (live kernel patching) in CentOS 7.7?

Fri Oct 4 13:23:55 UTC 2019
Stephen John Smoogen <smooge at gmail.com>

On Fri, 4 Oct 2019 at 08:18, Phelps, Matthew <mphelps at cfa.harvard.edu> wrote:
>
> On Fri, Oct 4, 2019 at 6:33 AM Jim Perrin <jperrin at centos.org> wrote:
>
> >
> >
> > On 10/3/19 9:35 PM, Stephen John Smoogen wrote:
> > > On Thu, 3 Oct 2019 at 13:52, Phelps, Matthew <mphelps at cfa.harvard.edu>
> > > wrote:
> > >>
> > >> On Thu, Oct 3, 2019 at 1:42 PM Jim Perrin <jperrin at centos.org> wrote:
> > >>
> > >>>
> > >>>
> > >>> On 10/3/19 1:32 PM, Phelps, Matthew wrote:
> > >>>> Forgive me if this has been answered before and I've missed it.
> > >>>>
> > >>>> This https://access.redhat.com/solutions/2206511 says live kernel
> > >>>> patches will be available via yum updates as of RHEL 7.7. Is this carried
> > >>>> over to CentOS 7.7.1908?
> > >>>>
> > >>>
> > >>> The functionality should be available, but we don't provide patches in
> > >>> this way, no.
> > >
> > >>
> > >> What would it take to make this happen? This would be a huge help to
> > >> those of us running servers. Not to mention it would make the world a more
> > >> secure place :)
> > >>
> >
> > The short answer is "a team of kernel engineers, which we don't have".
> > Smooge's overview which I've left below is great at explaining some of
> > this:
> >
> >
> I don't understand. If RHEL is putting out patches, and CentOS is a
> recompile of RHEL, hasn't that "team of kernel engineers" already done the
> work?
>

No, because most of the work on making a patch is after the kernel is
compiled and working. Thus even though you have the same source code,
similar compilers, etc., there are going to be differences which have
to be looked at to make sure it is really working. A CentOS kernel is
not exactly the same as a RHEL kernel, which is not the same as an Oracle
kernel, which is not the same as the one you recompiled locally. From most
operational points of view they seem the same, but kernel patching is where
those differences really show up.

Yes, it would be easy to set up some automated tool which 'made'
kpatches, and I expect they may 'work' for most systems. But I also
expect that they would eat babies more times than people would
like. If sites really need them, they can set up the tooling
themselves and make them work when they know they want it. Trying to
make it a general-purpose answer for something which may corrupt data
5 or 20% or 40% of the time is just waiting to be on Slashdot daily
(wait, do we do Slashdot anymore? Reddit? Nope, the kids aren't there
anymore either. OK, someplace daily) in a bad way.

-- 
Stephen J Smoogen.
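As an added illustration of the point made in this reply (example script, not from the thread or from the kpatch project): a live patch module carries the exact kernel build it was made for in its vermagic, so a site that builds its own kpatches can refuse to load one whose build does not match `uname -r`, and can read the livepatch state from sysfs to see whether a patch is enabled or still transitioning. The sysfs layout (`/sys/kernel/livepatch/<name>/enabled` and `.../transition`) and the kernel release strings used in the comments are assumptions/constructed sample values, not taken from the thread.

```shell
#!/bin/sh
# Added example: sanity checks before and after loading a kpatch/livepatch
# module on a locally built kernel. Assumes modinfo(8) prints a line such as
#   vermagic:       <release> SMP mod_unload modversions
# and that the livepatch sysfs tree lives under /sys/kernel/livepatch.

# vermagic_release VERMAGIC_VALUE -> prints only the kernel release part
vermagic_release() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# patch_matches_kernel VERMAGIC_VALUE RUNNING_RELEASE
# exit 0 when the module was built for exactly this kernel build, 1 otherwise
# (the same source tree rebuilt elsewhere gets a different release string,
#  which is the mismatch this check is meant to catch)
patch_matches_kernel() {
    [ "$(vermagic_release "$1")" = "$2" ]
}

# livepatch_state SYSFS_ROOT PATCH_NAME -> absent|transitioning|enabled|disabled
# SYSFS_ROOT is a parameter so the function can be exercised on a test tree.
livepatch_state() {
    dir="$1/$2"
    [ -d "$dir" ] || { echo absent; return 0; }
    if [ -r "$dir/transition" ] && [ "$(cat "$dir/transition")" = "1" ]; then
        echo transitioning; return 0
    fi
    if [ "$(cat "$dir/enabled")" = "1" ]; then echo enabled; else echo disabled; fi
}

# check_module PATH/TO/patch.ko -> 0 if it matches the running kernel, 1 if not
check_module() {
    vm=$(modinfo -F vermagic "$1") || return 1
    if patch_matches_kernel "$vm" "$(uname -r)"; then
        echo "ok: $1 built for $(uname -r)"
    else
        echo "refusing $1: built for $(vermagic_release "$vm"), running $(uname -r)" >&2
        return 1
    fi
}

# usage: kpatch-check.sh /path/to/patch.ko [patch_name]
if [ "$#" -ge 1 ]; then
    check_module "$1" || exit 1
    [ "$#" -ge 2 ] && echo "state: $(livepatch_state /sys/kernel/livepatch "$2")"
fi
```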