[CentOS] Kernel live patching on CentOS Stream 9

Fri Jan 14 12:17:25 UTC 2022
Josh Boyer <jwboyer at redhat.com>

On Thu, Jan 13, 2022 at 2:13 PM Valeri Galtsev
<galtsev at kicp.uchicago.edu> wrote:
>
> On 1/13/22 1:01 PM, Gordon Messmer wrote:
> > On 1/13/22 09:32, Valeri Galtsev wrote:
> >> In layman's language summary: RedHat Enterprise features (including
> >> "live" kernel patching) are to be expected _only_ in RedHat Enterprise
> >> "binary replica" distributions, which CentOS Stream is not.
> >
> >
> > I don't think that's true, exactly.  As far as I know, rebuild
> > distributions never had the "Enterprise" features*.  Critically, I think
> > that a lot of people mistakenly believed that CentOS *did* have
> > Enterprise features, because it was rebuilt from RHEL code, and that
> > misunderstanding underlies a great deal of the negative response toward
> > CentOS Stream.
> >
>
> Thanks for correcting my layman's representation. It should have better
> said that "binary replica" is "binary compatible", in the sense that whatever
> software is distributed as binary for RHEL will work the same on a "binary
> replica". I guess my views and wordings got skewed by the latest changes of
> CentOS paradigms.
>
> >
> > *: "Enterprise" features include but are not limited to:
> >
> > 1. Minor releases with independent life cycles / Extended Update Support
> > 2. Classification for updates (security, bugfix, enhancement)
> > 3. Live patching for kernel security vulnerabilities
>
> We never had it in CentOS in the past, but I'm just curious: is live
> patching a proprietary piece of RHEL? I know there are several solutions;
> way back there was a paid one called splice, my Boss's son was one of the
> developers of that. Just curious, as, if it is paid, it is stripped off
> as part of CentOS composition, but if it is not paid, open source, then
> it would "just work", or not?

RHEL's kernel live patching uses upstream open source kpatch.  The
sources to the kpatches are delivered in customer-facing CDN repos at
the same time as the kpatch itself.  We do not use proprietary code to
produce or apply the kpatches.

I can only speculate on whether RHEL kpatches would work on a CentOS
kernel, but my assumption is that they would not due to how they are
signed.

josh
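Josh's point about signing is the thing an admin can check before expecting a kpatch module to load on a differently signed kernel. The shell example below is added here and is not from this thread or from kpatch; it assumes only the trailer that the kernel's scripts/sign-file appends to a signed module (include/linux/module_signature.h): module data, signature, a 12-byte struct module_signature, then the marker "~Module signature appended~\n".

```shell
#!/bin/sh
# Trailer layout appended by the kernel's scripts/sign-file:
#   <module data> <signature> <12-byte struct module_signature> "~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
MARKER='~Module signature appended~'   # 27 chars; the newline makes it 28 bytes on disk

# Return 0 if FILE ends with the kernel's signature marker, 1 otherwise.
has_module_signature() {
    [ "$(tail -c 28 "$1")" = "$MARKER" ]
}

# Print "<id_type> <sig_len>" parsed from struct module_signature; fail if unsigned.
# id_type 2 (PKCS#7) is what current sign-file emits.
module_signature_info() {
    f=$1
    has_module_signature "$f" || return 1
    # The 12 struct bytes sit just before the 28-byte marker; od gives one decimal per byte.
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -tu1 -v)
    case "$3" in
        0) id=PGP ;; 1) id=X509 ;; 2) id=PKCS7 ;; *) id="unknown($3)" ;;
    esac
    # sig_len is a big-endian 32-bit integer in bytes 9..12 of the struct.
    echo "$id $(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))"
}

# Write the raw signature blob (DER PKCS#7 for id_type PKCS7) to stdout. Pipe it into
# `openssl asn1parse -inform DER` to read the signer's issuer and serial number.
module_signature_blob() {
    f=$1
    info=$(module_signature_info "$f") || return 1
    sig_len=${info##* }
    size=$(wc -c < "$f")
    head -c "$((size - 40))" "$f" | tail -c "$sig_len"
}

# List the asymmetric keys in the running kernel's keyrings (/proc/keys). With signature
# enforcement on, a livepatch module loads only if its signer is one of these keys.
kernel_trusted_keys() {
    [ -r /proc/keys ] || { echo "/proc/keys not readable" >&2; return 1; }
    grep -i 'asymmetri' /proc/keys
}
```

Comparing the signer reported by openssl with the keys from kernel_trusted_keys shows whether a given kpatch module could load at all, before any attempt to apply it.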