kernel-livepatch-tools/klp.man


.\" Libor Pechacek <lpechacek@suse.com>
.\"
.TH KLP 8 2021-03-24 "SLES 15" "SLE Live Patching"
.SH NAME
klp \- query kernel live patching status
.SH SYNOPSIS
.ll +8
.B klp
.RB [ " \-hv " ]
.RI COMMAND
.ll -8
.SH DESCRIPTION
The
.I klp
command can be used to get a quick overview of the kernel live patching status.
For some of the commands, the output can be made more verbose by using the
.B \-v
option.
.SH COMMANDS
.TP
.B status
Display the overall status of kernel live patching (ready or in_progress).
.TP
.B check
Indicate the overall kernel live patching status with exit code. This command
is intended for use in scripts.
.TP
.B patches
Display the list of loaded patches. By default, the command prints out only
kernel modules that contain live patches. With
.B \-v
additional fields are printed.
.I Active
tells whether the patch is currently in use or can be unloaded.
.I RPM
shows the RPM package name in which the kernel live patch was distributed. The
.I CVE
section lists fixes included in this live patch, which have CVE numbers
assigned. The
.I "Bug fixes and enhancements"
part lists changes included in this live patch, which do not have CVEs assigned.
More information about individual changes can be found in the patch RPM
package changelog, SUSE Security Advisories, CVE database, and the patch RPM
source code. Another
.B \-v
will display patch expiration and update status information.
.TP
.B blocking
List process threads that are preventing live patching from finishing. By
default, just the PIDs are listed. Specifying the
.B \-v
option will make
.I klp
print out the process command line. Another
.B \-v
will also display stack traces, if available.
.TP
.B downgrade
Replace the current kernel live patch with its previous version. The tool
first constructs a system management command for the downgrade and, after
confirmation, performs the downgrade. Specifying the non\(hyinteractive
mode with
.B \-n
will make
.I klp
skip the confirmation.
.SH OPTIONS
.TP
.B \-h, \-\-help
Display a help screen and quit.
.TP
.B \-n, \-\-non\-interactive
Switch to non\(hyinteractive mode and assume "yes" on interactive commands.
.TP
.B \-v, \-\-verbose
Verbose. Makes
.I klp
print out the process command line with the
.B blocking
command.
Another
.B \-v
will also display stack traces.
.TP
.B \-\-version
Version. Display the version number.
.SH CAVEATS
By design, kernel live patching technology requires processes to cross the
userspace/kernel boundary before they are presented with the patched kernel code.
Processes that are executing kernel code at the time the patch module is loaded
will prevent the patching process from finishing until they leave kernel space.
These processes usually leave the kernel after the event they are waiting for
happens or a timeout elapses. As an optimization, the kernel live patching core
does not consider processes that do not interact with the live patch being applied
in the above migration. The live patching core will also "wake up" sleeping
processes in a way that is transparent to userspace, so that the patch application
makes progress.
.P
Despite the above measures, processes in the
.B D
process state can prevent the patch from fully applying, and kernel threads can
also become blockers under certain conditions.
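.P
The following shell function is an added example, not part of the klp tool or its sources. It lists the threads still holding up a transition, as described above, by comparing the kernel's per-task patch_state file with the sysfs transition and enabled files; the ROOT parameter, the livepatch_demo patch name and the sample tree are constructed for illustration.
.nf
```shell
#!/bin/sh
# Added example, not part of kernel-livepatch-tools.
# klp_blockers ROOT prints "TID STATE COMM" for each thread that has not yet
# reached the target state of a live patch transition in progress.
# ROOT is a hypothetical parameter: "" for the live system (run as root), or
# a directory holding a constructed copy of the files (used below).
klp_blockers() {
    root=$1
    for patch in "$root"/sys/kernel/livepatch/*/; do
        [ -r "${patch}transition" ] || continue
        [ "$(cat "${patch}transition")" = 1 ] || continue
        # Assumption: during a transition, "enabled" holds the state every
        # task has to reach (1 = patched, 0 = unpatched).
        target=$(cat "${patch}enabled")
        for task in "$root"/proc/[0-9]*/task/[0-9]*/; do
            [ -r "${task}patch_state" ] || continue
            [ "$(cat "${task}patch_state")" = "$target" ] && continue
            # First letter of the State: line, e.g. D for uninterruptible sleep.
            state=$(sed -n 's/^State:[[:space:]]*//p' "${task}status" | cut -c1)
            echo "$(basename "$task") $state $(cat "${task}comm")"
        done
        return 0
    done
}

# Constructed sample tree: one patch in transition and three threads.
klp_demo_tree() {
    d=$1
    mkdir -p "$d/sys/kernel/livepatch/livepatch_demo"
    echo 1 > "$d/sys/kernel/livepatch/livepatch_demo/enabled"
    echo 1 > "$d/sys/kernel/livepatch/livepatch_demo/transition"
    while read -r tid comm st ps; do
        t="$d/proc/$tid/task/$tid"
        mkdir -p "$t"
        echo "$comm" > "$t/comm"
        echo "State: $st" > "$t/status"
        echo "$ps" > "$t/patch_state"
    done <<EOF
101 sshd S 1
202 backup D 0
303 kworker/u8:1 S 0
EOF
}

demo=$(mktemp -d)
klp_demo_tree "$demo"
klp_blockers "$demo"
rm -rf "$demo"
```
.fi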
.SH CHANGES FROM KGR TOOL
The
.I klp
tool is a modernized version of the previous
.I kgr
tool distributed with SUSE Linux Enterprise 12. It leaves out the
.B poke
functionality, which is now implemented in the kernel, and the
.B blocking_threads
display, which is the default operation of the
.I klp blocking
command.