Live Patching on SLES 12

On SLES 12 systems, live patching is managed by kGraft. For in depth information covering kGraft use, see https://documentation.suse.com/sles/12-SP4/html/SLES-all/cha-kgraft.html.

Before you begin, ensure:

  • Uyuni is fully updated.

  • You have one or more Salt clients running SLES 12 (SP1 or later).

  • Your SLES 12 Salt clients are registered with Uyuni.

  • You have access to the SLES 12 channels appropriate for your architecture, including the live patching child channel (or channels).

  • The clients are fully synchronized.

  • The clients are assigned to the cloned channels prepared for live patching. For more information on preparing those channels, see administration:live-patching-channel-setup.adoc.

Procedure: Setting up for Live Patching
  1. Select the client you want to manage with Live Patching from Systems > Overview, and on the system details page navigate to the Software > Packages > Install tab. Search for the kgraft package, and install it.

    (Screenshot: enable live patching kgraft install)
  2. Apply the highstate to enable Live Patching, and reboot the client.

  3. Repeat for each client that you want to manage with Live Patching.

  4. To check that live patching has been enabled correctly, select the client from Systems > System List, and ensure that Live Patching appears in the Kernel field.
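The Web UI check in step 4 can be confirmed on the client itself. The following script is an added example and is not part of the Uyuni documentation or the Uyuni project; it assumes the kgraft package installed in step 1 provides the kgr tool with the status and patches subcommands, and that kgr status prints ready once all loaded live patches are applied and in_progress while a patch is still being applied. The patch names used in the test are constructed.

```shell
#!/bin/sh
# Added example (not Uyuni's own code): verify kGraft live patching on a
# SLES 12 client from a shell, complementing the Kernel field check in the Web UI.
# Assumption: the kgraft package ships the `kgr` tool with `kgr status` and
# `kgr patches`.

# Map the one-word output of `kgr status` to a state a monitoring job can act on.
#   ready       -> live patching active, all loaded patches fully applied
#   in_progress -> a live patch is still being applied to running processes
#   anything else (including empty output) -> unknown, investigate
livepatch_state() {
    case "$1" in
        ready)       echo "enabled" ;;
        in_progress) echo "in_progress" ;;
        *)           echo "unknown" ;;
    esac
}

# Count the live patches listed by `kgr patches` (one patch module per line),
# ignoring blank lines. `|| true` keeps grep's "no match" exit status from
# aborting a caller that runs with `set -e`; grep still prints 0 in that case.
count_patches() {
    printf '%s\n' "$1" | grep -c '[^[:space:]]' || true
}

# Run the real checks on this client: kgraft present, patching state, patch count.
check_client() {
    if ! rpm -q kgraft >/dev/null 2>&1; then
        echo "kgraft package not installed; install it from Uyuni first" >&2
        return 1
    fi
    state=$(livepatch_state "$(kgr status 2>/dev/null)")
    n=$(count_patches "$(kgr patches 2>/dev/null)")
    echo "kernel: $(uname -r)  live patching: $state  loaded live patches: $n"
    [ "$state" = "enabled" ]
}

# Usage: sh check-livepatch.sh --run   (exit status 0 only when state is "enabled")
case "${1:-}" in
    --run) check_client ;;
esac
```

A non-zero exit status from check_client is the signal a fleet check should alert on: either kgraft is missing on a client that Uyuni reports as live-patched, or a patch has not finished applying after the highstate and reboot in step 2.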

Procedure: Applying Live Patches to a Kernel
  1. In the Uyuni Web UI, select the client from Systems > Overview. A banner at the top of the screen shows the number of critical and non-critical packages available for the client:

    (Screenshot: live patching critical updates)
  2. Click Critical to see a list of the available critical patches.

  3. Select any patch with a synopsis reading Important: Security update for the Linux kernel. Security bugs also include their CVE number, where applicable.

  4. OPTIONAL: If you know the CVE number of a patch you want to apply, you can search for it in Audit > CVE Audit, and apply the patch to any clients that require it.

Not all kernel patches are Live Patches. Non-Live kernel patches are represented by a Reboot Required icon located next to the Security shield icon. These patches always require a reboot.

Not all security issues can be fixed by applying a live patch. Some security issues can only be fixed by applying a full kernel update and require a reboot. The assigned CVE numbers for these issues are not included in live patches. A CVE audit displays this requirement.