Operations related to kernel hotfixes - Alibaba Cloud Linux

Background information

The following sections describe the operations related to kernel hotfixes:

For information about how to obtain a kernel hotfix and view its details, see the Obtain a kernel hotfix section.
For information about how to enable a kernel hotfix in an operating system, see the Enable a kernel hotfix section.
For information about how to disable a kernel hotfix in an operating system when the hotfix is abnormal, see the Disable a kernel hotfix section.
If the Kernel Live Patching (KLP) feature is enabled in the operating system, but you do not want the operating system to load all the kernel modules of your hotfixes when you restart your server, you can disable the kpatch service. For more information, see the Disable the kpatch service section.

Obtain a kernel hotfix

Each kernel hotfix is released by using an RPM package. You can use one of the following methods to obtain the installation package of a hotfix:

Use the CVE announcement platform of Alibaba Cloud Linux

Access the common vulnerabilities and exposures (CVE) announcement platform.
All the released hotfixes are displayed on CVE announcement platforms. You can visit the following websites of CVE announcement platforms for Alibaba Cloud Linux distributions:
- Alibaba Cloud Linux 2.1903 Security Advisories
- Alibaba Cloud Linux 3 Security Advisories

Click Advisory ID to re-sort the information in the list. Arrange the hotfixes in descending order of time.

Advisory IDs starting with HOTFIX are kernel hotfixes, as shown in the following figure. Security updates sorting

The following table describes the information on each CVE announcement platform.


Column	Description
Affected Packages	The package name of a kernel hotfix. The name is prefixed by `kernel-hotfix-` and suffixed by the minor version number of Alibaba Cloud Linux operating systems. You can determine whether a hotfix is applicable to your Alibaba Cloud Linux operating system based on the suffix of the package name of the hotfix. Example: `kernel-hotfix-5928799-5.al8` is displayed in the Affected Packages column, which indicates that the hotfix is applicable to operating systems whose minor version number is 5.al8. After you run the uname -r command in your Alibaba Cloud Linux 3 operating system, `5.10.23-5.al8.x86_64` is returned. The minor version number of all Alibaba Cloud Linux 3 operating systems is `5.al8`. As such, the kernel-hotfix-5928799-5.al8 hotfix is applicable to your Alibaba Cloud Linux 3. Note The version number of all Alibaba Cloud Linux 2 operating systems is al7.
Advisory ID	The release sequential number of a hotfix. Hotfixes are classified into CVE hotfixes and Bugfix hotfixes. The following section describes the naming conventions of hotfixes: CVE hotfixes are prefixed by `HOTFIX-SA-`. Bugfix hotfixes are prefixed by `HOTFIX-BA-`. You can click the Advisory ID of a hotfix to view its details and download the RPM package of the hotfix.
CVE ID(s)	The ID of the CVE to be fixed. For a Bugfix hotfix, the CVE ID(s) column is empty.

Click the release sequential number of a hotfix in the Advisory ID column to go to the details page of the hotfix.
On the details page, you can view details about the hotfix and the name of the RPM package corresponding to the hotfix.

Each RPM package name is in the following format: kernel-hotfix-{hotfix_id}-{Minor version number of the operating system}-{Version number of the hotfix}-{Timestamp of the hotfix}.{Major version number of the operating system}.{System architecture}.rpm.
The following section describes the RPM package name in the preceding figure:
- 5928799: the ID of the hotfix.
- 5.al8: the minor version number of Alibaba Cloud Linux 3. You can use this hotfix only when the kernel version of your Alibaba Cloud Linux 3 is consistent with this version. You can run the uname -r command in your ECS instance to view the kernel version of the operating system.
- 1.0: the version number of the RPM package for the hotfix.
- 20210720165816: the time when the hotfix was created. The hotfix was created at 16:58:16 on July 20, 2021. An invalid value may be displayed in this field for some hotfixes of earlier versions.
- al8: the version number of Alibaba Cloud Linux 3. The version number of all Alibaba Cloud Linux 3 operating systems is al8.
  
  Note The version number of all Alibaba Cloud Linux 2 operating systems is al7.
- x86_64: the architecture of the operating system.

Use a YUM repository
You can run the yum list command to check the installation package of a kernel hotfix. For more information, see Enable a kernel hotfix.

Enable a kernel hotfix

Connect to an Alibaba Cloud Linux ECS instance that requires hotfixes.
For more information, see Connection methods.
Run the following command to install the kpatch utility:
```
sudo yum -y install kpatch
```
Install a hotfix.
1. Run the following command to view the kernel version of the operating system:
```
sudo uname -r
```
  In this example, the following command output indicates that the minor version number of the operating system is 5.al8.
```
5.10.23-5.al8.x86_64
```
2. Run the yum list command to query the kernel hotfixes that are applicable to the operating system.
  Command syntax:
```
sudo yum list | grep "kernel-hotfix" | grep "<Minor version number of the operating system>"
```
  In this example, the minor version number of the operating system is 5.al8. Run the following command:
```
sudo yum list | grep "kernel-hotfix" | grep "5.al8"
```
  A command output similar to the following one is returned:
```
kernel-hotfix-5928799-5.al8.x86_64           1.0-20210720165816.al8                    alinux3-plus      
kernel-hotfix-5956925-5.al8.x86_64           1.0-20210726171200.al8                    alinux3-plus 
```
3. Install the specified hotfix.
  In this example, kernel-hotfix-5928799-5.al8.x86_64 is used to demonstrate how to run the yum command to install a hotfix.
  
  Note When you use a YUM repository to install hotfixes, you do not need to include .rpm (the suffix of an RPM package) in the command.
```
sudo yum -y install kernel-hotfix-5928799-5.al8.x86_64
```
Run the following command to use the kpatch utility to check the status of the hotfix:
```
sudo kpatch list
```
A command output similar to the following one indicates that the kernel hotfix is installed and in effect:
```
Loaded patch modules:
kpatch_5928799 [enabled]

Installed patch modules:
kpatch_5928799 (5.10.23-5.al8.x86_64)
```

Disable a kernel hotfix

If errors exist in your hotfix (for example, if your hotfix does not take effect), you can perform the following steps to disable the kernel hotfix: In this example, the yum commands are used.

Run the following command to view the hotfix that can be disabled:

sudo yum list installed | grep kernel-hotfix

A command output similar to the following one is returned:

kernel-hotfix-5928799-5.al8.x86_64  1.0-20210720165816.al8            @alinux3-plus

Run the following command to delete the hotfix package in which errors exist.
In this example, the kernel-hotfix-5928799-5.al8.x86_64 hotfix is used.
```
sudo yum -y remove kernel-hotfix-5928799-5.al8.x86_64
```
Run the following command to check whether the hotfix in which errors exist has been deleted:
```
sudo kpatch list
```
A command output similar to the following one indicates that no hotfixes are installed and in effect:
```
Loaded patch modules:

Installed patch modules:
```

Disable the kpatch service

If your hotfix is installed and in effect, but you do not want the operating system to load all the kernel modules of your hotfixes when you restart your server, you can perform the following steps to disable the kpatch service:

Run the following command to check whether the kpatch service is enabled:
```
sudo systemctl is-enabled kpatch.service
```
enabled in the command output indicates that the kpatch service is enabled.
Run the following command to disable the kpatch service:
```
sudo systemctl disable kpatch.service
```
A command output similar to the following one indicates that the kpatch service is disabled:
```
Removed symlink /etc/systemd/system/multi-user.target.wants/kpatch.service.
```
Run the following command to check the status of the kpatch service:
```
sudo systemctl status kpatch.service
```
A command output similar to the following one indicates that the kpatch service is disabled:
```
 kpatch.service - "Apply kpatch kernel patches"
   Loaded: loaded (/usr/lib/systemd/system/kpatch.service; disabled; vendor preset: disabled)
```
Note You can run the sudo systemctl enable kpatch.service command to enable the kpatch service.