Live Patching on SLES 15

On SLES 15 systems and newer, live patching is managed by the klp livepatch tool.

Before you begin, ensure:

  • SUSE Manager is fully updated.

  • You have one or more Salt clients running SLES 15 (SP1 or later).

  • Your SLES 15 Salt clients are registered with SUSE Manager.

  • You have access to the SLES 15 channels appropriate for your architecture, including the live patching child channel (or channels).

  • The clients are fully synchronized.

  • Assign the clients to the cloned channels prepared for live patching. For more information on preparation, see Set up Channels for Live Patching.

Procedure: Setting up for Live Patching

  1. Select the client you want to manage with Live Patching from Systems  Overview, and navigate to the Software  Packages  Install tab. Search for the kernel-livepatch package, and install it.

    enable live patching kernel live install

  2. Apply the highstate to enable Live Patching, and reboot the client.

  3. Repeat for each client that you want to manage with Live Patching.

  4. To check that live patching has been enabled correctly, select the client from Systems  System List, and ensure that Live Patch appears in the Kernel field.

Procedure: Applying Live Patches to a Kernel

  1. In the SUSE Manager Web UI, select the client from Systems  Overview. A banner at the top of the screen shows the number of critical and non-critical packages available for the client.

  2. Click Critical to see a list of the available critical patches.

  3. Select any patch with a synopsis reading Important: Security update for the Linux kernel. Security bugs also include their CVE number, where applicable.

  4. OPTIONAL: If you know the CVE number of a patch you want to apply, you can search for it in Audit  CVE Audit, and apply the patch to any clients that require it.

  • Not all kernel patches are Live Patches. Non-Live kernel patches are represented by a Reboot Required icon located next to the Security shield icon. These patches always require a reboot.

  • Not all security issues can be fixed by applying a live patch. Some security issues can only be fixed by applying a full kernel update and requires a reboot. The assigned CVE numbers for these issues are not included in live patches. A CVE audit displays this requirement.