Nmmapper.com


Kpatch dynamic kernel patching: use kpatch to dynamically patch your Debian, Ubuntu or any Linux system

 

kpatch: dynamic kernel patching

kpatch is a Linux dynamic kernel patching infrastructure which allows you to patch a running kernel without rebooting or restarting any processes. It enables sysadmins to apply critical security patches to the kernel immediately, without having to wait for long-running tasks to complete, for users to log off, or for scheduled reboot windows. It gives more control over uptime without sacrificing security or stability.

WARNING: Use with caution! Kernel crashes, spontaneous reboots, and data loss may occur!

How to install kpatch on Debian 9 (Stretch) and Debian 8 (Jessie)

Since Debian 9 (Stretch) the stock kernel can be used without changes, however the version of kpatch in Stretch is too old so you still need to build it manually. Follow the instructions for Debian Jessie (next section) but skip building a custom kernel/rebooting.

Debian 8 (Jessie)

NOTE: You'll need about 15GB of free disk space for the kpatch-build cache in ~/.kpatch and for ccache.

Install the dependencies for compiling kpatch:

apt-get install make gcc libelf-dev build-essential

Now install and prepare the kernel sources. If apt cannot find the package, note that Debian names its kernel source package after the upstream version (for example linux-source-3.16 on Jessie), not after the full output of uname -r; adjust the package and directory names accordingly:

apt-get install linux-source-$(uname -r)
cd /usr/src && tar xvf linux-source-$(uname -r).tar.xz && ln -s linux-source-$(uname -r) linux && cd linux
cp /boot/config-$(uname -r) .config
for OPTION in CONFIG_KALLSYMS_ALL CONFIG_FUNCTION_TRACER ; do sed -i "s/# $OPTION is not set/$OPTION=y/g" .config ; done
sed -i "s/^SUBLEVEL.*/SUBLEVEL =/" Makefile
make -j`getconf _NPROCESSORS_CONF` deb-pkg KDEB_PKGVERSION=$(uname -r).9-1

 

Install the newly built kernel packages and reboot into the new kernel:

dpkg -i /usr/src/*.deb
reboot

The following installs the dependencies for the "kpatch-build" command. Note that apt-get build-dep only works if a matching deb-src line for your release is enabled in /etc/apt/sources.list:

apt-get install dpkg-dev
apt-get build-dep linux

# required on ppc64le
# e.g., on stretch for gcc-6.3
apt-get install gcc-6-plugin-dev

# optional, but highly recommended
apt-get install ccache
ccache --max-size=5G
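The sed one-liner in the kernel preparation step only flips options that appear as "# OPTION is not set"; an option that is absent from the copied config, or set to =n or =m, is silently left alone, and kpatch-build then fails later for a reason that is hard to trace back. The following is an added example (not part of this page or of the kpatch project) of a small POSIX sh helper that enables the options kpatch needs in a .config file whatever their current state and then verifies the result. It runs against a constructed .config fragment so it can be tried offline; on a real host you would point it at the .config copied from /boot/config-$(uname -r). The function names and the sample config are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the page's or kpatch's own code: enable and verify
# kernel config options in a .config file.
#
# Usage: check_kconfig  FILE OPTION [OPTION...]   -> 0 if all are =y, else 1
#        enable_kconfig FILE OPTION [OPTION...]   -> sets each option to =y

# Return 0 if every option is set to =y in FILE; otherwise report each
# missing option on stderr and return 1.
check_kconfig() {
    file=$1; shift
    missing=0
    for opt in "$@"; do
        if ! grep -q "^${opt}=y\$" "$file"; then
            echo "missing: $opt is not =y in $file" >&2
            missing=1
        fi
    done
    return $missing
}

# Set every option to =y in FILE. Handles the three states the sed one-liner
# does not: "OPTION=n", "OPTION=m" and the option being absent entirely.
# Patterns are anchored on "=" or " is not set" so CONFIG_FOO never matches
# CONFIG_FOO_BAR.
enable_kconfig() {
    file=$1; shift
    for opt in "$@"; do
        if grep -qE "^(# )?${opt}(=| is not set)" "$file"; then
            sed -i "s/^# ${opt} is not set\$/${opt}=y/; s/^${opt}=[nm]\$/${opt}=y/" "$file"
        else
            echo "${opt}=y" >> "$file"
        fi
    done
}

# Demo on a constructed .config fragment (not a real kernel config).
demo_dir=$(mktemp -d)
cat > "$demo_dir/.config" <<'EOF'
CONFIG_MODULES=y
# CONFIG_KALLSYMS_ALL is not set
CONFIG_FUNCTION_TRACER=n
CONFIG_DYNAMIC_FTRACE=m
EOF

wanted="CONFIG_KALLSYMS_ALL CONFIG_FUNCTION_TRACER CONFIG_DYNAMIC_FTRACE CONFIG_DEBUG_INFO"
if check_kconfig "$demo_dir/.config" $wanted; then
    echo "config already OK"
else
    enable_kconfig "$demo_dir/.config" $wanted
    check_kconfig "$demo_dir/.config" $wanted && echo "config fixed:"
    cat "$demo_dir/.config"
fi
rm -rf "$demo_dir"
```

Running check_kconfig against the *running* kernel's config before you start (on /boot/config-$(uname -r), or zcat /proc/config.gz) tells you up front whether the stock kernel can be used as-is, which is the whole difference between the Stretch and Jessie procedures above.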

 

How to install kpatch on Ubuntu

NOTE: You'll need about 15GB of free disk space for the kpatch-build cache in ~/.kpatch and for ccache.

Install the dependencies on Ubuntu for compiling kpatch:

apt-get install make gcc libelf-dev

Install the dependencies for the "kpatch-build" command (apt-get build-dep needs a deb-src line for your release enabled in /etc/apt/sources.list):

apt-get install dpkg-dev devscripts elfutils
apt-get build-dep linux

# required on ppc64le
# e.g., on Ubuntu 18.04 for gcc-7.3
apt-get install gcc-7-plugin-dev

# optional, but highly recommended
apt-get install ccache
ccache --max-size=5G

 

Install kernel debug symbols:

# Add ddebs repository
codename=$(lsb_release -sc)
sudo tee /etc/apt/sources.list.d/ddebs.list << EOF
deb http://ddebs.ubuntu.com/ ${codename} main restricted universe multiverse
deb http://ddebs.ubuntu.com/ ${codename}-security main restricted universe multiverse
deb http://ddebs.ubuntu.com/ ${codename}-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com/ ${codename}-proposed main restricted universe multiverse
EOF

# add APT key (apt-key is deprecated on recent Ubuntu releases; there,
# "apt-get install ubuntu-dbgsym-keyring" installs the same key instead)
wget -Nq http://ddebs.ubuntu.com/dbgsym-release-key.asc -O- | sudo apt-key add -
apt-get update && apt-get install linux-image-$(uname -r)-dbgsym

If there are no packages published yet to the codename-security pocket, the apt update may report a "404 Not Found" error, as well as a complaint about disabling the repository by default. This message may be ignored (see issue #710).

 

Quick start guide

NOTE: While kpatch is designed to work with any recent Linux kernel on any distribution, the kpatch-build command has ONLY been tested and confirmed to work on Fedora 20 and later, RHEL 7, Oracle Linux 7, CentOS 7 and Ubuntu 14.04.

First, make a source code patch against the kernel tree using diff, git, or quilt.

As a contrived example, let's patch /proc/meminfo to show VmallocChunk in ALL CAPS so we can see it better:

$ cat meminfo-string.patch
Index: src/fs/proc/meminfo.c
===================================================================
--- src.orig/fs/proc/meminfo.c
+++ src/fs/proc/meminfo.c
@@ -95,7 +95,7 @@ static int meminfo_proc_show(struct seq_
 		"Committed_AS:   %8lu kB\n"
 		"VmallocTotal:   %8lu kB\n"
 		"VmallocUsed:    %8lu kB\n"
-		"VmallocChunk:   %8lu kB\n"
+		"VMALLOCCHUNK:   %8lu kB\n"
 #ifdef CONFIG_MEMORY_FAILURE
 		"HardwareCorrupted: %5lu kB\n"
 #endif
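Review bot: the hunk renames a /proc/meminfo field ("VmallocChunk:" to "VMALLOCCHUNK:") rather than changing a value, and /proc/meminfo field names are parsed by userspace tools that match them exactly; that is acceptable here only because the text calls the patch a contrived demonstration, and it should not be taken as a model for a real live patch, which must leave user-visible ABI such as /proc keys untouched. The "Index:"/"src.orig" header shows this is a quilt-style patch, which kpatch-build accepts as-is.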

 

Now build the patch module:

$ kpatch-build -t vmlinux meminfo-string.patch
Using cache at /home/jpoimboe/.kpatch/3.13.10-200.fc20.x86_64/src
Testing patch file
checking file fs/proc/meminfo.c
Building original kernel
Building patched kernel
Detecting changed objects
Rebuilding changed objects
Extracting new and modified ELF sections
meminfo.o: changed function: meminfo_proc_show
Building patch module: kpatch-meminfo-string.ko
SUCCESS

 

NOTE: The -t vmlinux option is used to tell kpatch-build to only look for changes in the vmlinux base kernel image, which is much faster than also compiling all the kernel modules. If your patch affects a kernel module, you can either omit this option to build everything, and have kpatch-build detect which modules changed, or you can specify the affected kernel build targets with multiple -t options.

That outputs a patch module named kpatch-meminfo-string.ko in the current directory. Now apply it to the running kernel:

$ sudo kpatch load kpatch-meminfo-string.ko
loading core module: /usr/local/lib/modules/3.13.10-200.fc20.x86_64/kpatch/kpatch.ko
loading patch module: kpatch-meminfo-string.ko

 

That's it! The kernel is now patched.

$ grep -i chunk /proc/meminfo
VMALLOCCHUNK:   34359337092 kB
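A grep of /proc/meminfo shows the change, but it does not tell you whether the patch module is registered and enabled in the kernel, which is what you want in a script that rolls a live patch out to a fleet. The following is an added example (not from this page or the kpatch project) of two small POSIX sh checks: one reads the patch's "enabled" flag from sysfs, distinguishing "not registered" from "registered but disabled", and one confirms the patched meminfo_proc_show is in effect. Both take their paths as parameters so they can run against constructed fixtures offline. Assumptions made here: a kpatch-built module is exposed either by the kernel's livepatch core under /sys/kernel/livepatch/<name>/enabled or, on older kernels, by kpatch's own core module under /sys/kernel/kpatch/<name>/enabled, with "1" meaning enabled, and the module name for kpatch-meminfo-string.ko is kpatch_meminfo_string (hyphens become underscores in module names).

```shell
#!/bin/sh
# Added example, not the page's or kpatch's own code: verify that a live patch
# is registered and enabled, and that its change is visible.

# patch_enabled SYSFS_ROOT NAME
#   returns 0 if <root>/<name>/enabled reads "1",
#           1 if the patch is registered but disabled,
#           2 if the patch is not registered under that root at all.
patch_enabled() {
    root=$1; name=$2
    f="$root/$name/enabled"
    [ -f "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# patch_state NAME
#   checks both sysfs roots a kpatch module may register under on a real host
#   (assumption: livepatch core first, then kpatch's own core module).
patch_state() {
    name=$1
    for root in /sys/kernel/livepatch /sys/kernel/kpatch; do
        if patch_enabled "$root" "$name"; then
            echo "$name enabled via $root"
            return 0
        fi
    done
    echo "$name is not enabled" >&2
    return 1
}

# meminfo_patched FILE
#   returns 0 only if the patched key is present AND the original key is gone,
#   so a half-applied or reverted patch is reported as a failure.
meminfo_patched() {
    file=$1
    grep -q '^VMALLOCCHUNK:' "$file" && ! grep -q '^VmallocChunk:' "$file"
}

# Demo against constructed fixtures (not a real sysfs tree or /proc/meminfo).
fix=$(mktemp -d)
mkdir -p "$fix/livepatch/kpatch_meminfo_string"
echo 1 > "$fix/livepatch/kpatch_meminfo_string/enabled"
printf 'VmallocTotal:   34359738367 kB\nVMALLOCCHUNK:   34359337092 kB\n' > "$fix/meminfo"

patch_enabled "$fix/livepatch" kpatch_meminfo_string && echo "patch registered and enabled"
meminfo_patched "$fix/meminfo" && echo "patched meminfo_proc_show is in effect"
rm -rf "$fix"
```

On a real host, `patch_state kpatch_meminfo_string` and `meminfo_patched /proc/meminfo` are the two calls to make; `kpatch list` gives the same registration information interactively, and `kpatch unload kpatch-meminfo-string.ko` reverts the change if either check fails.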

 
