On Fri, Oct 4, 2019 at 9:24 AM Stephen John Smoogen <smooge at gmail.com> wrote:

> On Fri, 4 Oct 2019 at 08:18, Phelps, Matthew <mphelps at cfa.harvard.edu> wrote:
> >
> > On Fri, Oct 4, 2019 at 6:33 AM Jim Perrin <jperrin at centos.org> wrote:
> >
> > >
> > > On 10/3/19 9:35 PM, Stephen John Smoogen wrote:
> > > > On Thu, 3 Oct 2019 at 13:52, Phelps, Matthew <mphelps at cfa.harvard.edu> wrote:
> > > >>
> > > >> On Thu, Oct 3, 2019 at 1:42 PM Jim Perrin <jperrin at centos.org> wrote:
> > > >>
> > > >>>
> > > >>> On 10/3/19 1:32 PM, Phelps, Matthew wrote:
> > > >>>> Forgive me if this has been answered before and I've missed it.
> > > >>>>
> > > >>>> This https://access.redhat.com/solutions/2206511 says live kernel patches
> > > >>>> will be available via yum updates as of RHEL 7.7. Is this carried over to
> > > >>>> CentOS 7.7.1908?
> > > >>>>
> > > >>>
> > > >>> The functionality should be available, but we don't provide patches in
> > > >>> this way, no.
> > > >
> > > >>
> > > >> What would it take to make this happen? This would be a huge help to those
> > > >> of us running servers. Not to mention it would make the world a more secure
> > > >> place :)
> > > >>
> > >
> > > The short answer is "a team of kernel engineers, which we don't have".
> > > Smooge's overview which I've left below is great at explaining some of
> > > this:
> > >
> >
> > I don't understand. If RHEL is putting out patches, and CentOS is a
> > recompile of RHEL, hasn't that "team of kernel engineers" already done the
> > work?
> >
>
> No, because most of the work on making a patch is after the kernel is
> compiled and working. Thus even though you have the same source code,
> similar compilers etc., there are going to be differences which have
> to be looked at to make sure it is really working. A CentOS kernel is
> not exactly the same as a RHEL kernel is not the same as an Oracle
> kernel is not the same as the one you recompiled locally. From most
> operational points they seem the same, but kernel patching is where
> those differences really show up.
>
> Yes it would be easy to set up some automated tool which 'made'
> kpatches.. and I expect they may 'work' for most systems. But I also
> expect that they would also eat babies more times than people would
> like. If sites really need them, they can set up the tooling
> themselves and make them work when they know they want it. Trying to
> make it a general purpose answer for something which may corrupt data
> 5 or 20% or 40% of the time.. is just waiting to be on Slashdot daily
> (wait do we do Slashdot anymore.. Reddit? nope the kids aren't there
> anymore either.. ok someplace daily) in a bad way.
>

Thanks for the explanation(s).

I'm still puzzled why RedHat is doing it then, and making it more generally available (to paying customers even), if it's so dire a proposition that it will fail so badly, so often. That seems counter-intuitive to me.

Anyway, I again point out that the CentOS documentation should be made clear that this functionality won't ever be coming to CentOS.

-Matt

--
*Matt Phelps*
*Information Technology Specialist, Systems Administrator*
(Computation Facility, Smithsonian Astrophysical Observatory)
Center for Astrophysics | Harvard & Smithsonian
60 Garden Street | MS 39 | Cambridge, MA 02138
email: mphelps at cfa.harvard.edu
cfa.harvard.edu | Facebook <http://cfa.harvard.edu/facebook> | Twitter <http://cfa.harvard.edu/twitter> | YouTube <http://cfa.harvard.edu/youtube> | Newsletter <http://cfa.harvard.edu/newsletter>