Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]

10 Live Patching with SUSE Manager

10.1 Introduction

Under normal circumstances a system needs to be rebooted after a kernel update. SLE Live Patching allows you skipping the reboot by applying a subset of Linux kernel releases injected via kGraft live patching technology.

In the following sections you will learn how to use SLE Live Patching to avoid the typical reboot requirement after updating a system kernel.

For in depth information covering kGraft use, see https://www.suse.com/documentation/sles-12/singlehtml/book_sle_admin/book_sle_admin.html#cha.kgraft.

10.2 Initial Setup Requirements

To work with SLE Live Patching the following expectations are assumed:

  • SUSE Manager fully updated.

  • At least 1 Salt Minion running SLES 12 SP1 or later and registered with SUSE Manager.

  • The matching SLES 12 SPx channels including the SLE Live Patching child channel fully synced.

10.3 Live Patching Setup

  1. Subscribe all systems to be managed via live patching to your fully synced live patching child channels within your systems base channel by browsing to Software › Software Channels. Select both live patching channels and change subscription.


    When subscribing to a channel that contains a product, the product package will automatically be installed on traditionaly registered systems and added to the package state on Salt managed systems. For Salt managed systems please apply the highstate to push these changes to your systems.

enable live patching channels
  1. Use the search field listed under Software › Packages › Install to install the latest kgraft package to all systems to be managed via live patching.

enable live patching kgraft install
  1. Apply the highstate to enable live patching:

enable live patching apply highstate
  1. Once the highstate has been applied on Salt systems or the package has been installed on traditional systems browse to the systems details page for confirmation that live patching has been enabled. You can check the live patching state listed under the System Info › Kernel table field:

enable live patching successful

10.4 Cloning Channels

It is considered best practice to clone a vendor channel that will be modified into a new channel with one of the following prefix names: dev, testing, and prod. In the following procedure you will clone the default vendor channel into a new channel named dev-sles12-sp3-pool-x86_64 using the command line.

  1. Open a terminal and as root enter:

    # spacewalk-manage-channel-lifecycle --list-channels
    Spacewalk Username: admin
    Spacewalk Password:
    Channel tree:
     1. sles{sles-version}-sp{sp-ver}-pool-x86_64
          \__ sle-live-patching{sles-version}-pool-x86_64-sp{sp-ver}
          \__ sle-live-patching{sles-version}-updates-x86_64-sp{sp-ver}
          \__ sle-manager-tools{sles-version}-pool-x86_64-sp{sp-ver}
          \__ sle-manager-tools{sles-version}-updates-x86_64-sp{sp-ver}
          \__ sles{sles-version}-sp{sp-ver}-updates-x86_64
  2. Now use the --init argument to automatically create a new development clone of the original vendor channel:

    spacewalk-manage-channel-lifecycle --init -c sles{sles-version}-sp{sp-ver}-pool-x86_64

10.5 Removing Non-live Kernel Patches from the Cloned Channels

In the following procedure you will remove all kernel patch updates located in the dev-sles12-sp4-updates-x86_64 channel that require a reboot. You created dev-sles12-sp4-updates-x86_64 during Section 10.4, “Cloning Channels”.

  1. Check the current kernel version in use on your client:

    # uname -r
  2. From the SUSE Manager Web UI select Software › Manage Software Channels › Overview › dev-sles12-sp3-updates-x86_64 › Patches › List/Remove . Type kernel in the search field. Find the kernel version that matches the kernel in use on your minion.

  3. Remove all kernel update versions that are later than the current kernel.

  4. Your channel is now ready to promote for testing SLE Live Patching.

10.6 Promoting Channels

The following procedure will guide you through promoting and cloning a development channel to a testing channel. You will change the subscription from the dev repositories on your client to the new testing channel repositories. You will also add the SLE Live Patching child channels to your client.

  1. Promote and clone the dev-sles12 -sp4 -pool-x86_64 to a new testing channel:

    {prompt.root}spacewalk-manage-channel-lifecycle --promote -c dev-sles{sles-version}-sp{sp-ver}-pool-x86_64
  2. From the SUSE Manager Web UI under the Systems tab select your client system to view the System Details › ] page. Select menu:Software[Software Channels. From the Software Channels page you can edit which channels a system is subscribed to. Select the new base software channel, in this case it should be test-sles12-sp3-pool-x86_64. Click the Confirm button to switch the Base Software Channel and finalize it by clicking the Modify Base Software Channel button.

  3. From the Software Channels page select and add both SLE Live Patching child channels by clicking the Change Subscriptions button.

10.7 Applying Live Patches to a Kernel

The following procedure will guide you through selecting and viewing available CVE Patches (Common Vulnerabilities and Exposures) then applying these kernel updates using the new SLE Live Patching feature.

  1. Select your SLES 12 SP4 minion from the Systems page to view its System Details . Once you have added the SLES 12 SP4 Updates child channel to your client, you should see several Critical software updates available. Click on Critical to see a list of available patches. Select any of these patches listed with the following synopsis: Important: Security update for the Linux kernel. All fixed security bugs will be listed along with their number. For example:(CVE-2016-8666)

    Important: Reboot Icon

    Normal or non-live kernel patches always require a reboot. In SUSE Manager these are represented by a Reboot Required icon located next to the Security shield icon.

  2. You can search for individual CVE’s by selecting the Audit tab from the navigation menu. Try searching for CVE-2016-8666. You will see that the patch is available in the vendor update channel and the systems it applies to will be listed.

Important: CVE Availability

Not all security issues can be fixed by applying a live patch. Some security issues can only be fixed by applying a full kernel update and will required a reboot. The assigned CVE numbers for these issues are not included in live patches. A CVE audit will display this requirement.

Print this page