.\" Libor Pechacek <lpechacek@suse.com>
.\"
.TH KLP 8 2021-03-24 "SLES 15" "SLE Live Patching"
.SH NAME
klp \- query kernel live patching status
.SH SYNOPSIS
.ll +8
.B klp
.RB [ " \-hv " ]
.RI COMMAND
.ll -8
.SH DESCRIPTION
The
.I klp
command can be used for getting a quick overview of the kernel live patching status.
For some of the commands, the output can be made more verbose by using the
.B \-v
option.
.SH COMMANDS
.TP
.B status
Display the overall status of kernel live patching (ready or in_progress).
.TP
.B check
Indicate the overall kernel live patching status with its exit code. This command
is intended for use in scripts.
.TP
.B patches
Display the list of loaded patches. By default, the command prints out only
kernel modules that contain live patches. With
.B \-v
additional fields are printed.
.I Active
tells whether the patch is currently in use or can be unloaded.
.I RPM
shows the RPM package name in which the kernel live patch was distributed. The
.I CVE
section lists fixes included in this live patch that have CVE numbers
assigned. The
.I "Bug fixes and enhancements"
part lists changes included in this live patch that do not have CVEs assigned.
More information about individual changes can be found in the patch RPM
package changelog, SUSE Security Advisories, CVE database, and the patch RPM
source code. Another
.B \-v
will display patch expiration and update status information.
.TP
.B blocking
List process threads that are preventing live patching from finishing. By
default, just the PIDs are listed. Specifying the
.B \-v
option will make
.I klp
print out the process command line. Another
.B \-v
will also display stack traces if available.
.TP
.B downgrade
Replace the current kernel live patch with its previous version. The tool
first constructs a system management command for the downgrade and, after
confirmation, performs the downgrade. Specifying the non\(hyinteractive
mode with
.B \-n
will make
.I klp
skip the confirmation.
.SH OPTIONS
.TP
.B \-h, \-\-help
Display a help screen and quit.
.TP
.B \-n, \-\-non\-interactive
Switch to non\(hyinteractive mode and assume "yes" on interactive commands.
.TP
.B \-v, \-\-verbose
Verbose. Makes
.I klp
print out the process command line with the
.B blocking
command.
Another
.B \-v
will also display stack traces.
.TP
.B \-\-version
Version. Display the version number.
.SH CAVEATS
By design, kernel live patching technology requires the processes to cross the
userspace/kernel boundary to present them with the patched kernel code. Processes
that execute kernel code at the time the patch module is loaded will prevent
the patching process from finishing until they leave kernel space. These processes
usually leave the kernel after the event for which they are waiting happens or
the timeout elapses. As an optimization, the kernel live patching core will not
consider processes that do not interact with the live patch being applied in
the above migration. The live patching core will also "wake up" sleeping
processes in a userspace\(hytransparent way, making the patch application progress.
.P
Despite the above measures, processes in the
.B D
process state can prevent the patch from fully applying, and kernel threads can
also become a blocker under certain conditions.
.SH CHANGES FROM KGR TOOL
The
.I klp
tool is a modernized version of the previous
.I kgr
tool distributed with SUSE Linux Enterprise 12. It leaves out the
.B poke
functionality, which is now implemented in the kernel, and the
.B blocking_threads
display, which is the default operation of the
.I klp blocking
command.
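.SH EXAMPLES
The following script is an added example and is not part of the klp package. It polls "klp check" until live patching finishes or a timeout expires, then prints the blocking threads with their command lines.
It assumes that "klp check" exits with 0 once the status is ready; the function name wait_for_livepatch and the KLP variable are hypothetical.
.nf

```shell
#!/bin/sh
# Added example, not part of the klp package.
# Assumption: "klp check" exits 0 once live patching is ready and non-zero
# while a patch transition is still in progress (the man page does not
# list the exit codes).

KLP=${KLP:-klp}    # command to run; hypothetical override hook for testing

# wait_for_livepatch TIMEOUT_SECONDS [POLL_SECONDS]
# Returns 0 when "klp check" succeeds within the timeout, 1 otherwise.
# On timeout, prints the blocking threads ("klp -v blocking") to stderr so
# that stuck processes, such as those in D state, end up in the job log.
wait_for_livepatch() {
    timeout=$1
    poll=${2:-5}
    waited=0
    while :; do
        if "$KLP" check >/dev/null 2>&1; then
            echo "live patching: ready after ${waited}s"
            return 0
        fi
        if [ "$waited" -ge "$timeout" ]; then
            break
        fi
        sleep "$poll"
        waited=$((waited + poll))
    done
    echo "live patching: in progress after ${waited}s; blocking threads:" >&2
    "$KLP" -v blocking >&2
    return 1
}
```

.fi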