Live Patching on SLES 12

On SLES 12 systems, live patching is managed by kGraft. For in depth information covering kGraft use, see https://www.suse.com/documentation/sles-12/singlehtml/book_sle_admin/book_sle_admin.html#cha.kgraft.

Before you begin, ensure:

  • SUSE Manager is fully updated

  • You have one or more Salt clients running SLES 12 (SP1 or later)

  • Your SLES 12 Salt clients are registered with SUSE Manager

  • You have access to the SLES 12 channels appropriate for your architecture, including the Live Patching child channel (or channels)

  • The clients are fully synchronized

Procedure: Setting up for Live Patching

  1. Select the client you want to manage with Live Patching from Systems  Overview, and on the system details page navigate to the Software  Packages  Install tab. Search for the kgraft package, and install it.

    enable live patching kgraft install

  2. Apply the highstate to enable Live Patching, and reboot the client.

  3. Repeat for each client that you want to manage with Live Patching.

  4. To check that Live Patching has been enabled correctly, select the client from Systems  System List, and ensure that Live Patching appears in the Kernel field.

When you have the Live Patching channel installed on the client, you can clone the default vendor channel. This cloned channel will be used to manage Live Patching on your clients.

Cloned vendor channels should be prefixed by dev for development, testing, or prod for production. In this procedure, you will create a dev cloned channel, and later, you will need to promote the channel to testing.

Procedure: Cloning Live Patching Channels

  1. At the command prompt on the client, as root, obtain the current package channel tree:

    # spacewalk-manage-channel-lifecycle --list-channels
Spacewalk Username: admin
Spacewalk Password:
Channel tree:

 1. sles12-sp4-pool-x86_64
      \__ sle-live-patching12-pool-x86_64-sp4
      \__ sle-live-patching12-updates-x86_64-sp4
      \__ sle-manager-tools12-pool-x86_64-sp4
      \__ sle-manager-tools12-updates-x86_64-sp4
      \__ sles12-sp4-updates-x86_64

  2. Use the spacewalk-manage-channel command with the init argument to automatically create a new development clone of the original vendor channel:

    spacewalk-manage-channel-lifecycle --init -c sles12-sp4-pool-x86_64

  3. Check that dev-sles12-sp4-updates-x86_64 is available in your channel list.

Check the dev cloned channel you created, and remove any kernel updates that require a reboot.

Procedure: Removing Non-Live Kernel Patches from Cloned Channels

  1. Check the current kernel version by selecting the client from Systems  System List, and taking note of the version displayed in the Kernel field.

  2. In the SUSE Manager Web UI, select the client from Systems  Overview, navigate to the Software  Manage  Channels tab, and select dev-sles12-sp4-updates-x86_64. Navigate to the Patches tab, and click List/Remove Patches.

  3. In the search bar, type kernel and identify the kernel version that matches the kernel currently used by your client.

  4. Remove all kernel versions that are newer than the currently installed kernel.

Your channel is now set up for Live Patching, and can be promoted to testing. In this procedure, you will also add the Live Patching child channels to your client, ready to be applied.

Procedure: Promoting Live Patching Channels

  1. At the command prompt on the client, as root, promote and clone the dev-sles12-sp4-pool-x86_64 channel to a new testing channel:

    # spacewalk-manage-channel-lifecycle --promote -c dev-sles12-sp4-pool-x86_64

  2. In the SUSE Manager Web UI, select the client from Systems  Overview, and navigate to the Software  Software Channels tab.

  3. Check the new test-sles12-sp4-pool-x86_64 custom channel to change the base channel, and check both corresponding Live Patching child channels.

  4. Click Next, confirm that the details are correct, and click Confirm to save the changes.

You can now select and view available CVE patches, and apply these important kernel updates with Live Patching.

Procedure: Applying Live Patches to a Kernel

  1. In the SUSE Manager Web UI, select the client from Systems  Overview. You will see a banner at the top of the screen showing the number of critical and non-critical packages available for the client:

    live patching criticalupdates

  2. Click Critical to see a list of the available critical patches.

  3. Select any patch with a synopsis reading Important: Security update for the Linux kernel. Security bugs will also include their CVE number, where applicable.

  4. OPTIONAL: If you know the CVE number of a patch you want to apply, you can search for it in Audit  CVE Audit, and apply the patch to any clients that require it.

Not all kernel patches are Live Patches! Non-Live kernel patches are represented by a Reboot Required icon located next to the Security shield icon. These patches will always require a reboot.

Not all security issues can be fixed by applying a live patch. Some security issues can only be fixed by applying a full kernel update and will require a reboot. The assigned CVE numbers for these issues are not included in live patches. A CVE audit will display this requirement.