Live Patching not working

SUSE Linux Enterprise Server SLES Updates
1

Just after installing and registering the system via:

SUSEConnect -e email@address -r SLES_CODE SUSEConnect -p sle-live-patching/12.3/x86_64 -r Live_PATCH_CODE

installed the kgraft:

node2:~ # zypper install kgraft-patch-4_4_73-5-default
.
.
(1/5) Installing: kgraft-1.0-23.9.1.x86_64 .......................................................................................................................[done]
(2/5) Installing: wireless-regdb-2019.06.03-4.22.1.noarch ........................................................................................................[done]
(3/5) Installing: kernel-default-4.4.73-5.1.x86_64 ...............................................................................................................[done]
(5/5) Installing: kgraft-patch-4_4_73-5-default-2-2.3.2.x86_64 ...................................................................................................[done]
Output of kgraft-patch-4_4_73-5-default-2-2.3.2.x86_64.rpm %posttrans script:
.
.

And then

node2:~ # zypper install kgraft-patch-4_4_180-94_103-default
.
.
The following 2 NEW packages are going to be installed:
  kernel-default-4.4.180-94.103.1 kgraft-patch-4_4_180-94_103-default

(1/2) Installing: kernel-default-4.4.180-94.103.1.x86_64 .........................................................................................................[done]
(2/2) Installing: kgraft-patch-4_4_180-94_103-default-1-4.3.1.x86_64 .............................................................................................[done]

i.e the newer kernel(kernel-default-4.4.180-94.103.1) is installed, but still system is running on the old kernel(the one that comes with SLES 12 SP 3 media)
running ‘uname -r’ is still showing node2:~ # uname -r 4.4.73-7-default

Output of kgr commands:

node2:~ # kgr status
ready
node2:~ # kgr patches
node2:~ # kgr blocking
node2:~ #

Please help me know what I am missing, why the latest kernel is not loading ?

2

Hi,

the safest way is to reboot your system in order to use the newly installed kernel.

Regards,
Eugen

3

[QUOTE=eblock;58541]Hi,

the safest way is to reboot your system in order to use the newly installed kernel.

Regards,
Eugen[/QUOTE]

Live Patching(Kgraft) is used to apply kernel updates without reboot. Please help me know what I am missing

4

The installed kernel version (and SLES Service Pack) is EoL (end of life). The installed kernel version (=> output of “uname -r”) must be listed on this web page:
https://www.suse.com/products/live-patching/current-patches/

https://www.suse.com/lifecycle/

5

Please read carefully chapter 4 “patch lifecycle” of “Live Kernel Patching Using kGraft”:
https://documentation.suse.com/

6

On another system where before installing the kgraft, the installed kernel version was ‘4.4.180-94.97’, I installed the:

kgraft-1.0-23.9.1.x86_64 kgraft-patch-4_4_180-94_97-default-3-2.1.x86_64

then reboot the system.

Once the system was back(after installing the kgraft), only then again I installed the latest version of kgraft via:

zypper install kgraft-patch-4_4_180-94_103-default
by running the above command, kernel version 4.4.180-94.102.1 got installed too.

The system is almost idle and more than 3 hours are passed but still ‘uname -r’ is showing me the old(4.4.180-94.97) kernel.
kgr command gives the following output:

[CODE]# kgr status
ready

kgr patches

kgraft_patch_3_2_1

kgr blocking

#[/CODE]

7

kGraft patches your kernel only “in RAM” (with kgraft-patch_3_2_1). kGraft don’t install any kernel updates “on disk”.
If your machine run a supported kernel version, you can safely stay with kGraft on this kernel version until EoL (end of life).

With kGraft:
=> the running kernel is fully patched “in RAM”. => receive all necessary security updates by kgraft-patch
=> Your kernel images file on hard disc don’t receive any security updates (by kgraft-patch)

8

[QUOTE=AndreasMeyer;58563]kGraft patches your kernel only “in RAM” (with kgraft-patch_3_2_1). kGraft don’t install any kernel updates “on disk”.
If your machine run a supported kernel version, you can safely stay with kGraft on this kernel version until EoL (end of life).

With kGraft:
=> the running kernel is fully patched “in RAM”. => receive all necessary security updates by kgraft-patch
=> Your kernel images file on hard disc don’t receive any security updates (by kgraft-patch)[/QUOTE]

Does it mean that ‘uname -r’ would keep reporting the old kernel ? if so how can I justify Auditors that system is running on patched/updated kernel ?
Also does kGraft only address the security bugs i.e only receives the security updates ? or non-security updates too ?

9

uname -r reports the actual running kernel. Uname is unaware of the runtime patches from kgraft. So fully correct is:

running kernel: <uname -r output> +

https://en.wikipedia.org/wiki/KGraft

https://documentation.suse.com/sles/12-SP4/html/SLES-kgraft/art-kgraft.html#sec-kgraft-scope-patching