.\" Libor Pechacek
.\"
.TH KLP 8 2021-03-24 "SLES 15" "SLE Live Patching"
.SH NAME
klp \- query kernel live patching status
.SH SYNOPSIS
.ll +8
.B klp
.RB [ " \-hv " ]
.RI COMMAND
.ll -8
.SH DESCRIPTION
The
.I klp
command can be used for getting a quick overview of the kernel live patching status.
For some of the commands, the output can be made more verbose by using the
.B \-v
option.
.SH COMMANDS
.TP
.B status
Display the overall status of kernel live patching (ready or in_progress).
.TP
.B check
Indicate the overall kernel live patching status with exit code.
This command is intended for use in scripts.
.TP
.B patches
Display the list of loaded patches.
By default, the command prints out only kernel modules that contain live patches.
With
.B \-v
additional fields are printed.
.I Active
tells whether the patch is currently in use or can be unloaded.
.I RPM
shows the RPM package name in which the kernel live patch was distributed.
The
.I CVE
section lists fixes included in this live patch, which have CVE numbers assigned.
The
.I "Bug fixes and enhancements"
part lists changes included in this live patch, which do not have CVEs assigned.
More information about individual changes can be found in the patch RPM package changelog, SUSE Security Advisories, CVE database, and the patch RPM source code.
Another
.B \-v
will display patch expiration and update status information.
.TP
.B blocking
List process threads that are preventing live patching from finishing.
By default, just the PIDs are listed.
Specifying the
.B \-v
option will make
.I klp
print out the process command line.
Another
.B \-v
will also display stack traces if available.
.TP
.B downgrade
Replace the current kernel live patch with its previous version.
The tool first constructs a system management command for the downgrade and, after confirmation, performs the downgrade.
Specifying the non\(hyinteractive mode with
.B \-n
will make
.I klp
skip the confirmation.
.SH OPTIONS
.TP
.B \-h, \-\-help
Display a help screen and quit.
.TP
.B \-n, \-\-non\-interactive
Switch to non\(hyinteractive mode and assume "yes" on interactive commands.
.TP
.B \-v, \-\-verbose
Verbose. Makes
.I klp
print out the process command line with the
.B blocking
command.
Another
.B \-v
will also display stack traces.
.TP
.B \-\-version
Version. Display the version number.
.SH CAVEATS
By design, kernel live patching technology requires the processes to cross the userspace/kernel boundary to present them with the patched kernel code.
Processes that execute kernel code at the time the patch module is loaded will prevent the patching process from finishing until they leave kernel space.
These processes usually leave the kernel after the event they are waiting for happens or a timeout elapses.
As an optimization, the kernel live patching core will not consider processes that do not interact with the live patch being applied in the above migration.
The live patching core will also "wake up" sleeping processes in a way that is transparent to userspace, making the patch application progress.
.P
Despite the above measures, processes in
.B D
process state can prevent the patch from fully applying, and also kernel threads can become a blocker under certain conditions.
.SH CHANGES FROM KGR TOOL
The
.I klp
tool is a modernized version of the previous
.I kgr
tool distributed with SUSE Linux Enterprise 12.
It leaves out the
.B poke
functionality, which is now implemented in the kernel, and
.B blocking_threads
display, which is the default operation of
.I klp blocking
command.
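.SH EXAMPLES
The following script is an added example and is not part of the original manual page or of the klp tool; it uses the check command to wait for a live patch transition to finish and the blocking command to report what is holding it up.
It assumes that check exits with 0 once patching is complete and non-zero while it is in progress, and that blocking prints one PID per line, neither of which is specified above; wait_for_livepatch, BLOCKERS and the KLP variable are names made up for this example.
.P
.nf
```sh
#!/bin/sh
# Added example (not part of the klp tool): wait for a live patch
# transition to finish and report what is blocking it.
# Assumptions: "klp check" exits 0 when patching is complete and non-zero
# while it is in progress; "klp blocking" prints one PID per line.

KLP=${KLP:-klp}   # command to invoke; can be overridden for testing

# wait_for_livepatch TRIES DELAY_SECONDS
# Returns 0 as soon as "klp check" succeeds, 1 if the transition is still
# pending after TRIES checks. PIDs seen on the last check are left in
# BLOCKERS (newline separated).
wait_for_livepatch() {
    tries=$1
    delay=$2
    BLOCKERS=""
    while [ "$tries" -gt 0 ]; do
        if "$KLP" check >/dev/null 2>&1; then
            BLOCKERS=""
            return 0
        fi
        # Keep numeric lines only, so any warning text is ignored.
        BLOCKERS=$("$KLP" blocking 2>/dev/null | grep -E '^[0-9]+$' || true)
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then
            sleep "$delay"
        fi
    done
    return 1
}

# Run only when arguments are given: script TRIES DELAY_SECONDS
if [ "$#" -ge 2 ]; then
    if wait_for_livepatch "$1" "$2"; then
        echo "live patch fully applied"
    else
        echo "live patch still in progress; blocking PIDs:" $BLOCKERS >&2
        "$KLP" -v blocking >&2   # -v adds the process command lines
        exit 1
    fi
fi
```
.fi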