10 Live Patching with SUSE Manager

Subscribe all systems to be managed via live patching to your fully synced live patching child channels within your systems base channel by browsing to Software › Software Channels. Select both live patching channels and change subscription.

Note

When subscribing to a channel that contains a product, the product package will automatically be installed on traditionaly registered systems and added to the package state on Salt managed systems. For Salt managed systems please apply the highstate to push these changes to your systems.

Use the search field listed under Software › Packages › Install to install the latest kgraft package to all systems to be managed via live patching.

Apply the highstate to enable live patching:

Once the highstate has been applied on Salt systems or the package has been installed on traditional systems browse to the systems details page for confirmation that live patching has been enabled. You can check the live patching state listed under the System Info › Kernel table field:

Open a terminal and as root enter:

# spacewalk-manage-channel-lifecycle --list-channels
Spacewalk Username: admin
Spacewalk Password:
Channel tree:

 1. sles{sles-version}-sp{sp-ver}-pool-x86_64
      \__ sle-live-patching{sles-version}-pool-x86_64-sp{sp-ver}
      \__ sle-live-patching{sles-version}-updates-x86_64-sp{sp-ver}
      \__ sle-manager-tools{sles-version}-pool-x86_64-sp{sp-ver}
      \__ sle-manager-tools{sles-version}-updates-x86_64-sp{sp-ver}
      \__ sles{sles-version}-sp{sp-ver}-updates-x86_64

Now use the --init argument to automatically create a new development clone of the original vendor channel:

spacewalk-manage-channel-lifecycle --init -c sles{sles-version}-sp{sp-ver}-pool-x86_64

Check the current kernel version in use on your client:

# uname -r
3.12.62-60.64.8-default

From the SUSE Manager Web UI select Software › Manage Software Channels › Overview › dev-sles12-sp3-updates-x86_64 › Patches › List/Remove . Type kernel in the search field. Find the kernel version that matches the kernel in use on your minion.

Remove all kernel update versions that are later than the current kernel.

Your channel is now ready to promote for testing SLE Live Patching.

Promote and clone the dev-sles12 -sp4 -pool-x86_64 to a new testing channel:

{prompt.root}spacewalk-manage-channel-lifecycle --promote -c dev-sles{sles-version}-sp{sp-ver}-pool-x86_64

From the SUSE Manager Web UI under the Systems tab select your client system to view the System Details › ] page. Select menu:Software[Software Channels. From the Software Channels page you can edit which channels a system is subscribed to. Select the new base software channel, in this case it should be test-sles12-sp3-pool-x86_64. Click the Confirm button to switch the Base Software Channel and finalize it by clicking the Modify Base Software Channel button.

From the Software Channels page select and add both SLE Live Patching child channels by clicking the Change Subscriptions button.

Select your SLES 12 SP4 minion from the Systems page to view its System Details . Once you have added the SLES 12 SP4 Updates child channel to your client, you should see several Critical software updates available. Click on Critical to see a list of available patches. Select any of these patches listed with the following synopsis: Important: Security update for the Linux kernel. All fixed security bugs will be listed along with their number. For example:(CVE-2016-8666)

Important: Reboot Icon

Normal or non-live kernel patches always require a reboot. In SUSE Manager these are represented by a Reboot Required icon located next to the Security shield icon.

You can search for individual CVE’s by selecting the Audit tab from the navigation menu. Try searching for CVE-2016-8666. You will see that the patch is available in the vendor update channel and the systems it applies to will be listed.