Red Hat has added full support for live kernel patching it said today, as it rolls out RHEL 8.1 (Red Hat Enterprise Linux); the latest iteration of its flagship operating system and its first minor release since RHEL 8 landed in May.
Live kernel patching can now be applied to remediate “critical or important Common Vulnerabilities and Exposures (CVEs) while reducing the need for a system reboot” Red Hat said today, meaning workloads can be kept running.
The support comes thanks to kpatch, the Linux dynamic kernel patching infrastructure, which lets sysadmins apply critical security patches to the kernel immediately, without having to wait for tasks to complete, users to log off, or for scheduled reboot windows.
(The managed service comes on the back of customer demand, but those who request it will be bold ones: as kpatch’s Github repo warns:”Use with caution! Kernel crashes, spontaneous reboots, and data loss may occur!”
The offering is part of a concerted push by Red Hat to improve its security offering, and follows the decision in early October to expand the scope of coverage for CVE remediation, amid demand from customers for better patching support.
(As of October 1, 2019, Red Hat expanded the scope of its CVE patching to include “important” as well as “critical” CVEs. This covers all actively supported versions of RHEL, including active releases of RHEL 6, 7 and 8, with future RHEL releases automatically inheriting this enhanced CVE policy.)
RHEL 8.1: What’s New?
Chris Baker, product marketing manager, told Computer Business Review: “Live kernel patching, made possible by the work around kpatch, is a frequently requested solution by enterprise IT teams who want to remain aware and hardened against an evolving threat landscape while simultaneously limiting system downtime.
“We’ve offered limited support for live kernel patching in previous versions of Red Hat Enterprise Linux, but the maturity of the feature has now reached the point where we can fully support it across Red Hat Enterprise Linux 8 deployments.
He added: “The patch occurs at the ‘function’ level of the kernel and leverages ftrace to route the workings of the kernel around the functions being patched.”Essentially, live kernel patching makes the kernel ‘think’ everything is fine and working as intended while the patch is applied.”
New System Roles…
RHEL 8.1 also adds new System Roles, designed to streamline the process by which Red Hat Enterprise Linux subsystems are set up to handle specific functions, such as storage, networking, time synchronization, kdump and SElinux.
“This expands the existing collection of Ansible system roles for RHEL 8, better supplementing configuration automation across various versions of Red Hat Enterprise Linux deployed as the backbone of enterprise IT infrastructure.”
The release comes after Red Hat moved to simplify RHEL product phases, reducing them to three: full support, maintenance support, and extended life phase.
The shift was designed to reduce the level of change within each major release over time and make release availability and content more predictable.
It now entails ten-year life cycle support for RHEL in full support, maintenance support phases. Customers can then purchase annual add-on subscriptions called Extended Life-cycle Support (ELS) to extend limited subscription service.