Sync from SUSE:SLFO:Main kernel-livepatch-tools revision f71b7c82d3a105bace4a071f75492dc9
commit
e79fb77957
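--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text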
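--- a/COPYING
+++ b/COPYING
@@ -0,0 +1,339 @@
+GNU GENERAL PUBLIC LICENSE
+Version 2, June 1991
+
+Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+Everyone is permitted to copy and distribute verbatim copies
+of this license document, but changing it is not allowed.
+
+Preamble
+
+The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+The precise terms and conditions for copying, distribution and
+modification follow.
+
+GNU GENERAL PUBLIC LICENSE
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+a) You must cause the modified files to carry prominent notices
+stating that you changed the files and the date of any change.
+
+b) You must cause any work that you distribute or publish, that in
+whole or in part contains or is derived from the Program or any
+part thereof, to be licensed as a whole at no charge to all third
+parties under the terms of this License.
+
+c) If the modified program normally reads commands interactively
+when run, you must cause it, when started running for such
+interactive use in the most ordinary way, to print or display an
+announcement including an appropriate copyright notice and a
+notice that there is no warranty (or else, saying that you provide
+a warranty) and that users may redistribute the program under
+these conditions, and telling the user how to view a copy of this
+License. (Exception: if the Program itself is interactive but
+does not normally print such an announcement, your work based on
+the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+a) Accompany it with the complete corresponding machine-readable
+source code, which must be distributed under the terms of Sections
+1 and 2 above on a medium customarily used for software interchange; or,
+
+b) Accompany it with a written offer, valid for at least three
+years, to give any third party, for a charge no more than your
+cost of physically performing source distribution, a complete
+machine-readable copy of the corresponding source code, to be
+distributed under the terms of Sections 1 and 2 above on a medium
+customarily used for software interchange; or,
+
+c) Accompany it with the information you received as to the offer
+to distribute corresponding source code. (This alternative is
+allowed only for noncommercial distribution and only if you
+received the program in object code or executable form with such
+an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+NO WARRANTY
+
+11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+END OF TERMS AND CONDITIONS
+
+How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+<one line to give the program's name and a brief idea of what it does.>
+Copyright (C) <year> <name of author>
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along
+with this program; if not, write to the Free Software Foundation, Inc.,
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+Gnomovision version 69, Copyright (C) year name of author
+Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+This is free software, and you are welcome to redistribute it
+under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+`Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+<signature of Ty Coon>, 1 April 1989
+Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.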
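--- a/cache-cleaner
+++ b/cache-cleaner
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+rm -f /var/cache/livepatch/*
+
+for module in /sys/kernel/livepatch/*; do
+/usr/bin/klp store_patch_info "${module#/sys/kernel/livepatch/}"
+done
+
+# vim: ai sw=4 et sts=4 ft=sh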
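Review bot: The `for module in /sys/kernel/livepatch/*` loop has no guard for an unmatched glob: when no live patch is loaded, or the sysfs directory is absent, the pattern stays literal and `klp store_patch_info` is called once with `*`, after `rm -f /var/cache/livepatch/*` has already emptied the cache. Adding `[ -e "$module" ] || continue` as the first line of the loop body, or `shopt -s nullglob` before the loop, avoids that. The script also says nothing when `klp store_patch_info` fails, so an incomplete cache would go unnoticed; `|| echo "cache-cleaner: failed to cache $module" >&2` on that line would surface it.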
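--- a/dracut-kernel-livepatch.sh
+++ b/dracut-kernel-livepatch.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
+
+if getargbool 1 klp; then
+modules=($(find "/lib/modules/$(uname -r)/livepatch" -type f | \
+sed -rn 's:.*/(livepatch[^/]*)\.ko(\.[gx]z|\.zst)?$:\1:p'))
+
+if test ${#modules[@]} -gt 0; then
+for mod in "${modules[@]}"; do
+info "[klp] Loading $mod"
+modprobe "${mod##*/}"
+done
+else
+info "[klp] No patches found"
+fi
+else
+info "[klp] Disabled on kernel commandline, not loading any patches"
+fi
+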
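Review bot: The exit status of `modprobe "${mod##*/}"` is ignored, so a live patch that fails to load in the initrd leaves the kernel running without the fix while the log only shows "[klp] Loading …". Reporting it, e.g. `modprobe "${mod##*/}" || warn "[klp] Failed to load $mod"`, makes that state visible to whoever reviews the boot log. Separately, `modules=($(find … | sed …))` depends on unquoted word splitting and globbing of file names; `mapfile -t modules < <(find … | sed …)` fills the array one name per line without either. A missing livepatch directory is also reported only as "[klp] No patches found", which hides the difference between "nothing to load" and "directory not in the initrd".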
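--- a/dracut-module-setup.sh
+++ b/dracut-module-setup.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+check()
+{
+test -d "$srcmods/livepatch"
+}
+
+install()
+{
+inst_hook pre-pivot 99 "$moddir/kernel-livepatch.sh"
+inst_binary find
+}
+
+installkernel()
+{
+# Cannot use instmods =livepatch, because this syntax only
+# works for subdirectories of subdirectories of $srcmods
+find "$srcmods/livepatch" -type f -regex '.*\.ko\(\.[gx]z\|\.zst\)?$' -printf '%P\n' | \
+hostonly='' instmods
+}
+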
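Review bot: `install()` pulls only `find` into the initrd, yet the hook it installs (`$moddir/kernel-livepatch.sh`, apparently the dracut-kernel-livepatch.sh added in this commit) also runs `sed`, `uname` and `modprobe`; presumably other dracut modules provide those, but nothing in this file says so. A `depends()` function or an explicit `inst_multiple find sed uname` would turn that assumption into something the build checks. The compression-suffix list in the `find -regex` of `installkernel()` duplicates the one in the hook's sed expression, so a comment such as `# keep in sync with the sed pattern in kernel-livepatch.sh` would help when another format is added.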
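--- a/kernel-livepatch-subpackage
+++ b/kernel-livepatch-subpackage
@@ -0,0 +1,48 @@
+%define _this_kmp_name %{-n*}-%(echo %2 | sed -r 'y/\./_/')
+%package -n %_this_kmp_name
+Release: %{-r*}
+Summary: %summary
+Group: %group
+Supplements: packageand(%3:kernel-livepatch-tools)
+Requires: coreutils grep
+Requires: %3
+Requires(post): kernel-livepatch-tools >= 1.2
+Requires(postun): kernel-livepatch-tools >= 1.2
+%description -n %_this_kmp_name
+%(
+for spec in {%_sourcedir,%_specdir}/%name.spec /dev/null; do
+[ -e $spec ] && break
+done
+awk '
+/^%%/ { in_desc = \
+($0 ~ /^%%description[ \t]*$/ ||
+$0 ~ /^%%description[ \t]+-n[ \t]*%name[ \t]*$/)
+next }
+in_desc { print }
+' $spec
+)
+
+%pre -n %_this_kmp_name
+nvr=%_this_kmp_name-%{version}-%{-r*}
+/bin/bash -${-/e/} %{_libexecdir}/kernel-livepatch/rpm-helper check "$nvr" "%1" $1
+
+%post -n %_this_kmp_name
+nvr=%_this_kmp_name-%{version}-%{-r*}
+/bin/bash -${-/e/} %{_libexecdir}/kernel-livepatch/rpm-helper install "$nvr" "%1" $1
+
+%posttrans -n %_this_kmp_name
+%{?regenerate_initrd_posttrans}
+
+%postun -n %_this_kmp_name
+nvr=%_this_kmp_name-%{version}-%{-r*}
+/bin/bash -${-/e/} %{_libexecdir}/kernel-livepatch/rpm-helper remove "$nvr" "%1" $1
+
+%files -n %_this_kmp_name
+%defattr (-,root,root)
+%if 0%{?suse_version} >= 1600
+%dir /usr/lib/modules/%1
+/usr/lib/modules/%1/livepatch
+%else
+%dir /lib/modules/%1
+/lib/modules/%1/livepatch
+%endif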
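Review bot: The `%pre`, `%post` and `%postun` scriptlets call the helper as `/bin/bash -${-/e/} … rpm-helper <action> "$nvr" "%1" $1` with no comment on the `-${-/e/}` idiom, which hands the helper the scriptlet shell's current option flags with errexit removed. A one-line comment above the first use, e.g. `# run the helper with this shell's flags, minus -e`, would spare the next reader working that out. `$1` there and `$spec` in the `%description` shell fragment (`[ -e $spec ]`, `' $spec`) are unquoted; writing `"$1"` and `"$spec"` keeps a source path containing spaces from breaking the awk call. Since `%pre` runs `rpm-helper check`, a comment should also state whether a non-zero result is meant to abort the installation.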
300
kernel-livepatch-tools.changes
Normal file
300
kernel-livepatch-tools.changes
Normal file
@ -0,0 +1,300 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue May 14 14:12:02 UTC 2024 - Petr Mladek <pmladek@suse.com>
|
||||
|
||||
- Release version 1.4
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 14 14:09:59 UTC 2024 - Petr Mladek <pmladek@suse.com>
|
||||
|
||||
- kernel-livepatch-tools-devel produces livepatch packages
|
||||
compatible with kernel-livepatch-tool >= 1.2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 14 11:28:34 UTC 2024 - Petr Mladek <pmladek@suse.com>
|
||||
|
||||
- Fix installation paths for SL Micro 6.0 (jsc#PED-8219):
|
||||
* %%{_libexecdir} newly pointing to /usr/libexec; update macros
|
||||
calling kernel-livepatch/rpm-helper accordingly
|
||||
* dracut files stay in /usr/lib/dracut
|
||||
* rpm files stay in /usr/lib/rpm
|
||||
+ kernel modules are installed under /usr/lib
|
||||
- Keep backward compatibility with SLE15:
|
||||
+ install the rpm macros in %%{_sysconfdir} when built for
|
||||
SLE15 code base
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 14 09:09:46 UTC 2024 - Petr Mladek <pmladek@suse.com>
|
||||
|
||||
- Mark the package noarch. It is not architecture specific after
|
||||
the klp-convert removal. But rather be conservative and do it
|
||||
only for new products.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 25 10:32:11 UTC 2024 - Lukáš Hruška <lukas.hruska@suse.com>
|
||||
|
||||
- Remove klp-convert from kernel-livepatch-tools-devel (bsc#1218644)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 14 05:28:08 UTC 2022 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- Move RPM macros away from /etc as hinted by RPMLINT
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 1 20:31:28 UTC 2022 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- klp.sh, rpm-helper: Cache live patch metadata (bsc#1191344)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 24 08:12:45 UTC 2022 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- klp.sh: Add patch expiration info to klp -vv patches output
|
||||
(jsc#SLE-23644)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 10 10:05:16 UTC 2022 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- rpm-helper: Avoid error messages in the absence of the
|
||||
sysconfig file (bsc#1200407)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 22 09:51:14 UTC 2021 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- Add support for ZSTD kernel module compression (jsc#SLE-21256)
|
||||
- klp.man,klp.sh: Fix option description and parsing
|
||||
- klp.man: Drop the extra 'check' command description
|
||||
- klp.sh: Add 'downgrade' command (jsc#SLE-23644)
|
||||
- klp.man: Fix formatting, correct typos, adjust wording
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 3 14:51:38 UTC 2021 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- Introduce controlled live patch deployment to solve the
|
||||
incompatibility with the transactional server role. The
|
||||
deployment mode is defined in /etc/sysconfig/livepatching.
|
||||
(bsc#1187780)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 7 09:16:05 UTC 2020 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- Add support for compressed kernel modules (jsc#SLE-10886)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 13 13:23:11 UTC 2020 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- Fix interference with System Z boot sequence - no Grub prompt
|
||||
(bsc#1171301)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 21 19:24:45 UTC 2020 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- Fix absence of live patch from initrd (bsc#1169827)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 4 12:09:53 UTC 2019 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- Remove klp-kvm-l1tf-ctrl-smt script previously used for
|
||||
disabling SMT (bsc#1154648)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 24 11:12:01 UTC 2019 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- Remove superfluous self-Provides: from live patches
|
||||
(bsc#1151657)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 6 13:56:21 UTC 2019 - Libor Pechacek <lpechacek@suse.com>
|
||||
|
||||
- Simplify rpm-helper invocation in preparation for handling
|
||||
non-standard kernels. As rpm-helper argument ordering changed,
|
||||
package version has been bumped and Requires: for post/postun
|
||||
scripts are now versioned. (bsc#1149422)
|
||||
- rpm macros: fix dependencies against -rc kernels (bsc#1149422)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 5 18:24:40 UTC 2019 - Joao Moreira <jmoreira@suse.com>
|
||||
|
||||
- Fix zero-index and .TOC. relocations in klp-convert (bsc#1129076)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 28 07:26:16 UTC 2019 - lpechacek@suse.com
|
||||
|
||||
- Use kernel source hash for dependencies (fate#325312)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 4 03:31:29 UTC 2018 - jmoreira@suse.com
|
||||
|
||||
- Build klp-convert without kernel-default-devel dependency
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 20 20:01:12 UTC 2018 - jmoreira@suse.com
|
||||
|
||||
- Add klp-convert to kernel-livepatch-tools-devel (fate#326849)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 14 13:13:35 UTC 2018 - lpechacek@suse.com
|
||||
|
||||
- Add script for disabling SMT (bsc#1099306)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 3 10:57:52 UTC 2018 - lpechacek@suse.com
|
||||
|
||||
- klp.sh: Fix blocking tasks display (bsc#1087476)
|
||||
- klp.sh: Fix klp check
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 9 08:55:16 UTC 2018 - lpechacek@suse.com
|
||||
|
||||
- kgr.sh, kgr.man: Compatibility wrapper added (bsc#1084612)
|
||||
- Fix Obsoletes:/Provides:
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 13 14:20:23 UTC 2017 - lpechacek@suse.com
|
||||
|
||||
- klp.man: Better describe klp -v patches output (bsc#1072162)
|
||||
- klp.man: Document klp check command (bsc#1051711)
|
||||
- klp.sh: Use KLP: change log records (bsc#1072117)
|
||||
- klp.sh: Fix thread command line display in kgr -vv blocking
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 1 14:59:58 UTC 2017 - lpechacek@suse.com
|
||||
|
||||
- Version bump and Obsoletes: added (fate#323682)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 30 10:53:21 UTC 2017 - lpechacek@suse.com
|
||||
|
||||
- rename kGraft to Kernel Live Patching (fate#323682)
|
||||
dracut-kgraft-patch.sh -> dracut-kernel-livepatch.sh
|
||||
kgraft-rpm-helper -> rpm-helper
|
||||
kgraft-module-subpackage -> kernel-livepatch-subpackage
|
||||
kgraft.changes -> kernel-livepatch-tools.changes
|
||||
kgraft.spec -> kernel-livepatch-tools.spec
|
||||
kgr.man -> klp.man
|
||||
kgr.sh -> klp.sh
|
||||
macros.kgraft -> macros.kernel-livepatch
|
||||
kgraft-patch* modules are now livepatch* and live in
|
||||
/lib/modules/$(uname -r)/livepatch
|
||||
- adapt the tools to Kernel Live Patching (fate#323504)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 15 18:19:53 UTC 2017 - lpechacek@suse.com
|
||||
|
||||
- exclusively use Fixes tag for kgr -v patches output
|
||||
- kgr.sh: Correct typos
|
||||
- Provide more debugging information in RPM post-trans script
|
||||
(bsc#1041710)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 2 10:53:15 UTC 2017 - lpechacek@suse.com
|
||||
|
||||
- Fix raw reference count leak in kgr -v patches (bsc#1006780)
|
||||
- Make kgr useful for non-root users (bsc#989374)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 5 12:33:25 UTC 2016 - lpechacek@suse.com
|
||||
|
||||
- kgr.sh: Indicate initial patch in kgr patches (bsc#939130)
|
||||
- kgr.sh: Use Fixes tag for kgr -v patches output (bsc#939130)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 22 07:24:51 UTC 2015 - lpechacek@suse.com
|
||||
|
||||
- kgr.sh: provide more useful information in 'patches' output
|
||||
(bsc#939131)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 1 11:34:49 UTC 2015 - mmarek@suse.cz
|
||||
|
||||
- kgraft-rpm-helper: Fix regexp for unused kgraft patches
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri May 29 06:29:25 UTC 2015 - lpechacek@suse.com
|
||||
|
||||
- kgr.sh: Fix process migration race in kgr poke (bsc#932505)
|
||||
- kgr.sh: Introduce blocking_threads (bsc#931843)
|
||||
- kgr.sh: Write out help when no command is provided (bnc#916191)
|
||||
- kgr.sh: Deal with exiting processes (bsc#912900)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 12 08:26:59 UTC 2015 - lpechacek@suse.com
|
||||
|
||||
- Added license file (bsc#912640)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 1 15:01:33 UTC 2014 - mmarek@suse.cz
|
||||
|
||||
- Fix unloading of unused modules (bnc#907788)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 25 15:43:28 UTC 2014 - mmarek@suse.cz
|
||||
|
||||
- Unload unused patches before installing a new patch (fate#318188)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 24 13:57:54 UTC 2014 - mmarek@suse.cz
|
||||
|
||||
- Automatically name the packages as kgraft-patch-<kver>-<flavor>.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 21 15:58:38 UTC 2014 - mmarek@suse.cz
|
||||
|
||||
- Use kernel-<flavor>-<version>-<release> in Supplements (bnc#901925)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 21 15:55:40 UTC 2014 - mmarek@suse.cz
|
||||
|
||||
- Wait for the global kGraft flag to be cleared (bnc#905087)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 12 11:10:36 UTC 2014 - mmarek@suse.cz
|
||||
|
||||
- Regenerate the initrd on package removal (bnc#904867)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 11 21:52:41 UTC 2014 - mmarek@suse.com
|
||||
|
||||
- Do not run the preinstall check if the target kernel is not
|
||||
running (bnc#904963)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 11 21:13:20 UTC 2014 - mmarek@suse.com
|
||||
|
||||
- Do not duplicate the kernel version in the package version
|
||||
(bnc#904668)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 10 13:36:12 UTC 2014 - mmarek@suse.cz
|
||||
|
||||
- Switch to Supplements: packageand(kernel-<flavor>:kgraft)
|
||||
(bnc#901925).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 27 14:07:06 UTC 2014 - lpechacek@suse.com
|
||||
|
||||
- Add Supplements: kernel-<flavor>
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 7 16:12:18 UTC 2014 - lpechacek@suse.com
|
||||
|
||||
- Sanitized .spec file
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 2 12:18:46 UTC 2014 - lpechacek@suse.com
|
||||
|
||||
- Added kgr tool
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 15 16:04:14 UTC 2014 - mmarek@suse.com
|
||||
|
||||
- Flag the initrd to be regenerated on removal of a kgraft patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 15 13:49:10 UTC 2014 - mmarek@suse.com
|
||||
|
||||
- Add kgraft dracut module
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 14 20:17:18 UTC 2014 - mmarek@suse.com
|
||||
|
||||
- Package kGraft scripts and macros (fate#313296)
|
||||
|
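--- /dev/null
+++ b/kernel-livepatch-tools.spec
@@ -0,0 +1,134 @@
+#
+# spec file for package kernel-livepatch-tools
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# From dracut package
+%define dracutlibdir %{_prefix}/lib/dracut
+
+Name: kernel-livepatch-tools
+Version: 1.4
+Release: 0
+Summary: Scripts for installing kernel live patches
+License: GPL-2.0-only
+Group: System/Kernel
+Source1: rpm-helper
+Source2: dracut-module-setup.sh
+Source3: dracut-kernel-livepatch.sh
+Source4: kernel-livepatch-subpackage
+Source5: macros.kernel-livepatch
+Source6: klp.sh
+Source7: klp.man
+Source8: COPYING
+Source12: sysconfig.livepatching
+Source13: cache-cleaner
+Source14: systemd-default-klp.preset
+Source15: systemd-klp-info-cache.service
+# compatibility with SLE 12, to be removed in SLE > 15
+Source50: kgr.sh
+Source51: kgr.man
+Provides: kgraft = %version
+Obsoletes: kgraft < %version
+%if 0%{?suse_version} >= 1600
+BuildArch: noarch
+%endif
+
+%description
+This package contains a helper script used when installing kernel live patch
+packages and kernel live patch monitoring tool.
+
+%package devel
+Summary: Macros for building kernel live patches
+Group: Development/Tools/Building
+# The OBS build does a testinstallation of all built packages, which needs
+# the kernel-livepatch-tools runtime package
+Requires: %{name}
+Requires: kmod-compat
+
+%description devel
+This package contains RPM macro definitions for building kernel live patch
+packages.
+
+%prep
+%setup -q -Tc
+cp %{_sourcedir}/{rpm-helper,dracut-{module-setup,kernel-livepatch}.sh,sysconfig.livepatching} .
+cp %{_sourcedir}/{kernel-livepatch-subpackage,macros.kernel-livepatch} .
+cp %{_sourcedir}/k{lp,gr}.{sh,man} .
+cp %{_sourcedir}/{cache-cleaner,systemd-{default-klp.preset,klp-info-cache.service}} .
+cp %{_sourcedir}/COPYING .
+
+%build
+
+%install
+install -D rpm-helper %{buildroot}%{_libexecdir}/kernel-livepatch/rpm-helper
+install -D dracut-module-setup.sh \
+%{buildroot}%{dracutlibdir}/modules.d/99kernel-livepatch/module-setup.sh
+install -D dracut-kernel-livepatch.sh \
+%{buildroot}%{dracutlibdir}/modules.d/99kernel-livepatch/kernel-livepatch.sh
+install -D -m0644 kernel-livepatch-subpackage %{buildroot}%{_prefix}/lib/rpm/kernel-livepatch-subpackage
+%if 0%{?suse_version} >= 1600
+install -D -m0644 macros.kernel-livepatch %{buildroot}%{_rpmmacrodir}/macros.kernel-livepatch
+%else
+install -D -m0644 macros.kernel-livepatch %{buildroot}%{_sysconfdir}/rpm/macros.kernel-livepatch
+%endif
+install -D -m0755 klp.sh %{buildroot}%{_bindir}/klp
+install -D -m0755 kgr.sh %{buildroot}%{_bindir}/kgr
+sed -i 's/@@VERSION@@/%{version}-%{release}/' %{buildroot}%{_bindir}/klp
+install -d %{buildroot}%{_mandir}/man8
+gzip -c9 klp.man > %{buildroot}%{_mandir}/man8/klp.8.gz
+gzip -c9 kgr.man > %{buildroot}%{_mandir}/man8/kgr.8.gz
+install -D -m0755 cache-cleaner %{buildroot}%{_libexecdir}/kernel-livepatch/cache-cleaner
+install -D -m0644 systemd-klp-info-cache.service %{buildroot}/%{_unitdir}/klp-info-cache.service
+install -D -m0644 systemd-default-klp.preset %{buildroot}/%{_presetdir}/60-default-klp.preset
+install -d %{buildroot}%{_docdir}
+install -D -m 644 sysconfig.livepatching %{buildroot}%{_fillupdir}/sysconfig.livepatching
+install -d %{buildroot}%{_localstatedir}/cache/livepatch/
+
+%pre
+%service_add_pre klp-info-cache.service
+
+%post
+%service_add_post klp-info-cache.service
+%{fillup_only -n livepatching}
+
+%preun
+%service_del_preun klp-info-cache.service
+
+%postun
+%service_del_postun klp-info-cache.service
+
+%files
+%{_libexecdir}/kernel-livepatch
+%dir %{dracutlibdir}
+%dir %{dracutlibdir}/modules.d
+%{dracutlibdir}/modules.d/99kernel-livepatch
+%{_bindir}/k{lp,gr}
+%{_mandir}/man8/k{lp,gr}.8%{ext_man}
+%{_fillupdir}/*
+%dir %{_localstatedir}/cache/livepatch/
+%{_libexecdir}/kernel-livepatch/cache-cleaner
+%{_unitdir}/klp-info-cache.service
+%{_presetdir}/60-default-klp.preset
+%license COPYING
+
+%files devel
+%if 0%{?suse_version} >= 1600
+%{_rpmmacrodir}/macros.kernel-livepatch
+%else
+%{_sysconfdir}/rpm/macros.kernel-livepatch
+%endif
+%{_prefix}/lib/rpm/kernel-livepatch-subpackage
+
+%changelog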
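Review bot: The `sed` line in `%install` replaces `@@VERSION@@` only in `%{buildroot}%{_bindir}/klp`, but kgr.sh in this same commit also sets `PKGVERSION="@@VERSION@@"`, so `kgr --version` would print the raw placeholder. Passing both installed scripts fixes it: `sed -i 's/@@VERSION@@/%{version}-%{release}/' %{buildroot}%{_bindir}/klp %{buildroot}%{_bindir}/kgr`. The three `install -D` lines for rpm-helper and the two dracut scripts rely on install's default mode while every other line states `-m`; spelling out `-m0755` there would make the intended permissions of these root-run helpers explicit. The cache directory created by `install -d %{buildroot}%{_localstatedir}/cache/livepatch/` likewise has no `%attr` in `%files`, although klp.sh later sources files from it, so an explicit root-only-writable mode would document that trust assumption.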
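--- /dev/null
+++ b/kgr.man
@@ -0,0 +1,83 @@
+.\" Libor Pechacek <lpechacek@suse.com>
+.\"
+.TH KLP 8 2017-12-13 "SLES 15" "SLE Live Patching"
+.SH NAME
+kgr \- compatibility wrapper for migration from kGraft / SLE 12
+.SH SYNOPSIS
+.ll +8
+.B kgr
+.RB [ " \-hv " ]
+.RI COMMAND
+.ll -8
+.SH DESCRIPTION
+.I kgr
+is a lightweight wrapper for the new klp tool. It is provided for smooth
+migration from SLE 12 and will be removed in future SLE releases.
+.SH COMMANDS
+.TP
+.B status
+See klp(1) for description.
+.TP
+.B check
+See klp(1) for description.
+.TP
+.B patches
+See klp(1) for description.
+.TP
+.B blocking
+See klp(1) for description. Unlike the SLE 12 implementation, this command
+displays execution threads. Processes display is known to be incomplete for
+multi-threaded applications.
+.TP
+.B blocking_threads
+Obsolete command.
+Same as
+.I kgr
+.IR blocking .
+.TP
+.B poke
+Obsolete command. Send STOP and CONT signals to processess that are blocking
+kGraft progress. See
+.SM
+.B CAVEATS
+for discussion about this method.
+.SH OPTIONS
+.TP
+.B \-h --help
+Display a help screen and quit.
+.TP
+.B \-v --verbose
+Verbose. Makes
+.I kgr
+print out process command line with
+.B blocking
+and
+.B blocking_threads
+commands.
+Another
+.B \-v
+will display also strack traces.
+.TP
+.B \--version
+Version. Display the version number.
+.SH EXIT STATUS
+With
+.B
+check
+command the exit status is 0 when system is ready for kernel live patching and
+1 when patching is in progress. For other commands the exit status is 0 upon
+successful command completion and 1 upon error.
+.SH CAVEATS
+By design, kGraft technology requires the processes to cross the user
+space/kernel boundary to present them with the patched kernel code. Processes
+that sleep in kernel code at the time the patch module is loaded will prevent
+patching process from finishing until they leave kernel space. These processes
+usually leave kernel after the event, for which they are waiting, happens or
+timeout elapses.
+.P
+Sending regular processes STOP signal followed by CONT signal achieves the
+goal of making them to cross the user space/kernel boundary immediately. However, this
+method may not be suitable for all processes running in the system and does not
+apply to kernel threads and processess in
+.B D
+process state. This method is also known to interfere with shell job control.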
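--- /dev/null
+++ b/kgr.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Compatibility wrapper for kGraft / SLE 12
+# Will be removed in future SLE releases
+# Libor Pechacek <lpechacek@suse.com>
+
+unset VERBOSE
+unset VERBOSE_OPT
+
+function kgr_poke_processes() {
+if [[ $EUID -ne 0 ]]; then
+echo "Warning: running as non-root user, only this user's processes will be poked" >&2
+fi
+
+for PROC in /proc/[0-9]*; do
+if [ 0$(cat $PROC/kgr_in_progress 2>/dev/null) -ne 0 ]; then
+PID=$(echo $PROC | cut -d/ -f3)
+if [ -n "$VERBOSE" ]; then
+echo "sending $PID STOP/CONT"
+fi
+kill -STOP $PID
+# give kernel time to distribute the signal to all threads
+sleep .1
+kill -CONT $PID
+fi
+done
+}
+
+USAGE="Usage: $0 [-h][-v] COMMAND
+Compatibility wrapper for migration from kGraft / SLE 12. Use klp(1) in new
+applications. This wrappere will be removed in future SLE releases.
+
+Commands:
+status: display the overall status of kernel live patching
+patches: display the list of loaded patches
+blocking: list execution threads that are preventing kernel
+live patching from finishing
+blocking_threads: (obsolete) same as blocking
+poke: (obsolete) move forward with the kernel live patching by
+sending STOP and CONT signal to the pending processes
+
+Options:
+-h print this help
+-v more detailed output
+
+Report bugs at https://bugzilla.suse.com/."
+PKGVERSION="@@VERSION@@"
+
+while getopts vh-: opt
+do
+case $opt$OPTARG in
+-help|h)
+exec echo "$USAGE" ;;
+-version)
+exec echo "kgr $PKGVERSION" ;;
+v) VERBOSE=$((${VERBOSE:-0} + 1))
+VERBOSE_OPT="$VERBOSE_OPT -v";;
+*)
+echo "$0: try '$0 --help'" >&2; exit 1 ;;
+esac
+done
+
+shift `expr $OPTIND - 1`
+
+if [ $# -ne 1 ]; then
+echo -e "Error: no command provided\n" >&2
+echo "$USAGE"
+exit 1
+fi
+
+case $1 in
+blocking) exec klp $VERBOSE_OPT blocking ;;
+blocking_threads) exec klp $VERBOSE_OPT blocking ;;
+poke) kgr_poke_processes ;;
+status) exec klp $VERBOSE_OPT status ;;
+check) exec klp $VERBOSE_OPT check ;;
+patches) exec klp $VERBOSE_OPT patches ;;
+*) echo "Error: unknown command \`$1'"; exit 1 ;;
+esac
+
+# vim: ai sw=4 et sts=4 ft=sh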
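Review bot: In `kgr_poke_processes`, a process that has received `kill -STOP $PID` stays stopped if the script is interrupted during the `sleep .1` before `kill -CONT $PID` runs, and when root runs `kgr poke` that can be any process on the system. Setting `trap '[ -n "$PID" ] && kill -CONT "$PID" 2>/dev/null' EXIT` before the loop would resume the last stopped process on any exit path. The `$PROC` and `$PID` expansions are also unquoted, and `kill` errors for processes that exited in the meantime are not handled. The `check` command is dispatched in the final `case` but is missing from `$USAGE`, and the unknown-command message goes to stdout while the other diagnostics use `>&2`.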
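--- /dev/null
+++ b/klp.man
@@ -0,0 +1,112 @@
+.\" Libor Pechacek <lpechacek@suse.com>
+.\"
+.TH KLP 8 2021-03-24 "SLES 15" "SLE Live Patching"
+.SH NAME
+klp \- query kernel live patching status
+.SH SYNOPSIS
+.ll +8
+.B klp
+.RB [ " \-hv " ]
+.RI COMMAND
+.ll -8
+.SH DESCRIPTION
+.I klp
+command can be used for getting a quick overview of the kernel live patching status.
+For some of the commands, the output can be made more verbose by using the
+.B \-v
+option.
+.SH COMMANDS
+.TP
+.B status
+Display the overall status of kernel live patching (ready or in_progress)
+.TP
+.B check
+Indicate the overall kernel live patching status with exit code. This command
+is intended for use in scripts.
+.TP
+.B patches
+Display the list of loaded patches. By default, the command prints out only
+kernel modules that contain live patches. With
+.B \-v
+additional fields are printed.
+.I Active
+tells whether the patch is currently in use or can be unloaded.
+.I RPM
+shows the RPM package name in which the kernel live patch was distributed. The
+.I CVE
+section lists fixes included in this live patch, which have CVE numbers
+assigned. The
+.I "Bug fixes and enhancements"
+part lists changes included in this live patch, which do not have CVEs assigned.
+More information about individual changes can be found in the patch RPM
+package changelog, SUSE Security Advisories, CVE database, and the patch RPM
+source code. Another
+.B \-v
+will display patch expiration and update status information.
+.TP
+.B blocking
+List process threads that are preventing live patching from finishing. By
+default, just the PIDs are listed. By specifying the
+.B \-v
+option will make
+.I klp
+print out the process command line. Another
+.B \-v
+will display also stack traces if available.
+.TP
+.B downgrade
+Replace the current kernel live patch with its previous version. The tool
+first constructs a system management command for the downgrade and, after
+confirmation, performs the downgrade. Specifying the non\(hyinteractive
+mode with
+.B \-n
+will make
+.I klp
+skip the confirmation.
+.TP
+.SH OPTIONS
+.TP
+.B \-h, \-\-help
+Display a help screen and quit.
+.TP
+.B \-n, \-\-non\-interactive
+Switches to non\(hyinteractive mode and assumes "yes" on interactive commands.
+.TP
+.B \-v, \-\-verbose
+Verbose. Makes
+.I klp
+print out process command line with
+.B blocking
+command.
+Another
+.B \-v
+will also display stack traces.
+.TP
+.B \-\-version
+Version. Display the version number.
+.SH CAVEATS
+By design, kernel live patching technology requires the processes to cross the
+userspace/kernel boundary to present them with the patched kernel code. Processes
+that execute kernel code at the time the patch module is loaded will prevent
+the patching process from finishing until they leave kernel space. These processes
+usually leave kernel after the event for which they are waiting happens or
+timeout elapses. As an optimization, the kernel live patching core will not
+consider processes that do not interact with the live patch being applied in
+the above migration. The live patching core will also "wake up" sleeping
+processes in a userspace transparent way, making the patch application progress.
+.P
+Despite the above measures, processes in
+.B D
+process state can prevent the patch from fully applying, and also kernel threads can
+become a blocker under certain conditions.
+.SH CHANGES FROM KGR TOOL
+.I klp
+tool is a modernized version of the previous
+.I kgr
+tool distributed with SUSE Linux Enterprise 12. It leaves out the
+.B poke
+functionality, which is now implemented in the kernel, and
+.B blocking_threads
+display, which is the default operation of
+.I klp blocking
+command.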
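--- /dev/null
+++ b/klp.sh
@@ -0,0 +1,280 @@
+#!/bin/bash
+
+# Check kernel live patching status
+# Libor Pechacek <lpechacek@suse.com>
+
+unset VERBOSE
+
+function klp_in_progress() {
+for p in /sys/kernel/livepatch/*; do
+[ 0$(cat "$p/transition" 2>/dev/null) -ne 0 ] && return 0
+done
+return 1
+}
+
+function klp_dump_blocking_threads() {
+if [[ $EUID -ne 0 ]]; then
+echo "Warning: running as non-root user, display will be limited" >&2
+fi
+
+unset PIDS
+
+TRANSITIONING_PATCH="$(grep -ls '^1$' /sys/kernel/livepatch/*/transition | head -n1)"
+
+if [ -n "$TRANSITIONING_PATCH" ]; then
+TRANSITION_DIRECTION=$(cat "${TRANSITIONING_PATCH/%\/transition/\/enabled}")
+
+for DIR in /proc/[0-9]*/task/[0-9]*; do
+PATCH_STATE=$(cat $DIR/patch_state 2>/dev/null)
+if [ -n "$PATCH_STATE" ] && [ "$PATCH_STATE" -ge 0 \
+-a "$PATCH_STATE" -ne "$TRANSITION_DIRECTION" ]; then
+PID=${DIR#/proc/}
+PID=${PID%/task/*}
+TID=${DIR#*/task/}
+if [ -n "$VERBOSE" ]; then
+COMM="$(cat $DIR/cmdline 2>/dev/null | tr \\0 \ )"
+# fallback to the command name, for example for kernel threads
+[ -z "$COMM" ] && COMM="[$(cat $DIR/comm 2>/dev/null | tr \\0 \ )]"
+if [ ${VERBOSE:-0} -gt 1 ]; then
+STACK=$(cat $DIR/stack 2>/dev/null | sed 's/^/ /')
+fi
+# don't write out anything in case the process has exited
+if [ -e "$DIR" ]; then
+echo "$PID $TID $COMM"
+[ ${VERBOSE:-0} -gt 1 ] && echo "$STACK"
+fi
+else
+echo $PID $TID
+fi
+PIDS="$PIDS $PID"
+fi
+done
+fi
+
+if [ -z "$PIDS" -a -n "$VERBOSE" ]; then
+echo "no threads with klp_in_progress set"
+fi
+}
+
+function klp_status() {
+if klp_in_progress ; then
+echo "in_progress"
+else
+echo "ready"
+fi
+}
+
+function klp_check() {
+if klp_in_progress ; then
+echo "Following processes have not finished a previous kernel live patching yet:"
+VERBOSE=2 klp_dump_blocking_threads
+return 1
+fi
+}
+
+function klp_patches() {
+unset PATCHES_FOUND
+for d in /sys/kernel/livepatch/*; do
+[ ! -d "$d" ] && continue
+PATCH_NAME=${d#/sys/kernel/livepatch/}
+PATCH_MOD=${PATCH_NAME}
+echo "${PATCH_MOD}"
+if [ -n "$VERBOSE" ]; then
+klp_detailed_patch_info "${PATCH_MOD}" | sed 's/^/ /'
+echo
+fi
+PATCHES_FOUND=1
+done
+if [ -z "$PATCHES_FOUND" -a -n "$VERBOSE" ]; then
+echo "no patch"
+fi
+}
+
+function klp_patch_rpm_name() {
+# srcversion is the link between loaded kernel module and its RPM
+SRCVERSION=$(cat "/sys/module/$1/srcversion")
+
+# exit when the module cannot be tracked down
+MODPATH=$(/usr/sbin/modinfo -n "$1" 2>/dev/null) || exit
+MODSRCVERSION=$(/usr/sbin/modinfo -F srcversion "$1")
+
+if [ "$SRCVERSION" != "$MODSRCVERSION" ]; then
+echo "Warning: patch module srcversion does not match the on-disk checksum:" \
+"$1 ($SRCVERSION/$MODSRCVERSION)" >&2
+exit 1
+fi
+
+echo $(rpm -qf "${MODPATH}" 2>/dev/null)
+}
+
+function klp_info_from_rpm() {
+
+RPMNAME=$(klp_patch_rpm_name "$1")
+[ -n "$RPMNAME" ] || exit
+
+REFS=($(rpm -q --changelog "${RPMNAME}" | \
+sed 's/^[[:space:]]*KLP:[[:space:]]*\(.*\)/\1/;t b;d;:b s/[[:space:]]/\n/g' | \
+sort -ru))
+declare -a CVES
+declare -a BUGS_FATES
+for REF in "${REFS[@]}"; do
+if [ ${REF:0:3} = 'CVE' ]; then
+CVES+=($REF)
+else
+BUGS_FATES+=($REF)
+fi
+done
+
+declare -p RPMNAME
+declare -p CVES
+declare -p BUGS_FATES
+}
+
+function klp_detailed_patch_info() {
+REFCNT=$(cat "/sys/module/$1/refcnt")
+ACTIVE=$([[ "$REFCNT" -eq 0 ]]; echo $?)
+
+echo "active: ${ACTIVE}"
+
+# collect info if we have it; first try the "cache" (bsc#1191344)
+SRCVERSION=$(cat "/sys/module/$1/srcversion")
+CACHE_FILE="/var/cache/livepatch/$1-$SRCVERSION"
+if [ -e "$CACHE_FILE" ]; then
+. "$CACHE_FILE"
+else
+KLP_INFO=$(klp_info_from_rpm $1)
+echo "$KLP_INFO" > "$CACHE_FILE"
+eval "$KLP_INFO"
+fi
+
+[ -n "$RPMNAME" ] || exit
+echo "RPM: ${RPMNAME}"
+echo -n "CVE: "
+if [ ${#CVES[*]} -gt 0 ]; then
+echo ${CVES[*]}
+else
+echo -n "(none"
+[ ${#BUGS_FATES[*]} -eq 0 ] && echo -n " - this is an initial kernel live patch"
+echo ")"
+fi
+echo -n "bug fixes and enhancements: "
+if [ ${#BUGS_FATES[*]} -gt 0 ]; then
+echo ${BUGS_FATES[*]}
+else
+echo "(none)"
+fi
+
+if [ ${VERBOSE:-0} -gt 1 ]; then
+SHORT_RPMNAME=$(rpm -q --qf "%{name}" "$RPMNAME" 2>/dev/null)
+
+echo -n "Update status: "
+if zypper -qn --no-refresh up -D "$SHORT_RPMNAME" 2>/dev/null | fgrep -q "package to upgrade"; then
+echo "newer version is available"
+else
+echo "up to date"
+fi
+
+EXP_DATE=$(grep "^$SHORT_RPMNAME," /usr/share/lifecycle/data/sle-module-live-patching.lifecycle 2>/dev/null \
+| cut -d, -f3)
+
+echo -n "Patches issued until: "
+if [ -n "$EXP_DATE" ]; then
+echo "$EXP_DATE"
+else
+echo "to be announced"
+fi
+fi
+}
+
+function klp_downgrade()
+{
+VERBOSE_ORIG="$VERBOSE"
+unset VERBOSE
+
+for patch in $(klp_patches); do
+RPM_FULL_NAME=$(klp_patch_rpm_name "$patch")
+if [ -z "$RPM_FULL_NAME" ]; then
+echo "Warning: cannot determine RPM package for $patch" >&2
+continue
+fi
+
+RPM_INFO=$(rpm -q --qf '%{name};%{version}' "$RPM_FULL_NAME")
+RPM_VERSION=${RPM_INFO#*;}
+RPM_NAME=${RPM_INFO%;*}
+if [ "$RPM_VERSION" -le 1 ]; then
+echo "$RPM_FULL_NAME is the initial kernel live patch and cannot be downgraded."
+continue
+fi
+
+ZYPPER_COMMAND="zypper -n in --oldpackage $RPM_NAME = $(($RPM_VERSION-1))"
+echo "KLP tool will replace the current kernel live patch with its previous version."
+echo "The command for downgrade is: $ZYPPER_COMMAND"
+if [ -z "$NON_INTERACTIVE" ]; then
+read -p "Continue? (y/N) " -n 1 -r
+echo
+else
+REPLY=Y
+fi
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+eval $ZYPPER_COMMAND
+fi
+done
+
+VERBOSE="$VERBOSE_ORIG"
+}
+
+USAGE="Usage: $0 [-h][-v] COMMAND
+Query kernel live patching status.
+
+Commands:
+status: display the overall status of kernel live patching
+patches: display the list of loaded patches
+blocking: list execution threads that are preventing kernel
+live patching from finishing
+downgrade: revert the current live patch by installing
+the previous one
+
+Options:
+-h print this help
+-n non-interactive mode
+-v more detailed output
+
+Report bugs at https://bugzilla.suse.com/"
+PKGVERSION="@@VERSION@@"
+
+while getopts hnv-: opt
+do
+case $opt$OPTARG in
+-help|h)
+exec echo "$USAGE" ;;
+-non-interactive|n)
+NON_INTERACTIVE=1 ;;
+-version)
+exec echo "klp $PKGVERSION" ;;
+-verbose|v) VERBOSE=$((${VERBOSE:-0} + 1)) ;;
+*)
+echo "$0: try '$0 --help'" >&2; exit 1 ;;
+esac
+done
+
+shift `expr $OPTIND - 1`
+
+if [ $# -lt 1 ]; then
+echo -e "Error: no command provided\n" >&2
+echo "$USAGE"
+exit 1
+fi
+
+case $1 in
+blocking) klp_dump_blocking_threads ;;
+status) klp_status ;;
+check) klp_check ;;
+store_patch_info)
+SRCVERSION=$(cat "/sys/module/$2/srcversion")
+klp_info_from_rpm $2 > "/var/cache/livepatch/$2-$SRCVERSION" ;;
+patches) klp_patches ;;
+downgrade) klp_downgrade ;;
+*) echo "Error: unknown command \`$1'"; exit 1 ;;
+esac
+
+# vim: ai sw=4 et sts=4 ft=sh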
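Review bot: `klp_detailed_patch_info` runs the cache file as shell code with `. "$CACHE_FILE"` (and the freshly generated text with `eval "$KLP_INFO"`), so whatever sits in /var/cache/livepatch is trusted as code by whoever runs `klp -v patches`, which is often root. It also writes the cache unconditionally, so when `klp_info_from_rpm` prints nothing the empty result is stored and later runs stop at `[ -n "$RPMNAME" ] || exit`; `[ -n "$KLP_INFO" ] && echo "$KLP_INFO" > "$CACHE_FILE"` would avoid caching a failure. Before sourcing, a check such as `[ -f "$CACHE_FILE" ] && [ -O "$CACHE_FILE" ]` would at least make a root caller refuse files it does not own. In `klp_downgrade`, `eval $ZYPPER_COMMAND` re-parses the package name as shell text, whereas an array, `cmd=(zypper -n in --oldpackage "$RPM_NAME" = "$((RPM_VERSION-1))"); "${cmd[@]}"`, keeps it as data. The undocumented `store_patch_info` command places `$2` unquoted and unchecked into both a /sys path and the cache file name, so a value containing `/` should be rejected there.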
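--- a/macros.kernel-livepatch
+++ b/macros.kernel-livepatch
@@ -0,0 +1,35 @@
+# Defines %flavors_to_build and %kernel_source() as a side effect.
+%klp_module_package(n:x) \
+%{expand:%( \
+subpkg=/usr/lib/rpm/kernel-livepatch-subpackage \
+echo "%%define _suse_klp_module_subpackage(n:v:r:f:p:bc) %%{expand:%%(cd %_sourcedir; cat $subpkg; echo %%%%nil)}" \
+flavors_to_build= \
+flavors="%*" \
+for flavor in $(ls /usr/src/linux-obj/%_target_cpu 2>/dev/null); do \
+case " $flavors " in \
+(*" $flavor "*) \
+[ -n "%{-x}" ] && continue ;; \
+(*) \
+[ -z "%{-x}" -a -n "$flavors" ] && continue ;; \
+esac \
+krel=$(make -s -C /usr/src/linux-obj/%_target_cpu/$flavor kernelrelease) \
+krpmver_flavor=${krel/.0-rc/.rc} \
+krpmver=${krpmver_flavor%%-*} \
+kprovide="kernel-$flavor-$krpmver" \
+khashprovide=$(rpm -q --whatprovides "$kprovide" --provides | grep "^kernel-$flavor-srchash-") \
+if [ -n "$khashprovide" ]; then \
+kprovide="$khashprovide" \
+fi \
+flavors_to_build="$flavors_to_build $flavor" \
+echo "%%_suse_klp_module_subpackage -n %{-n*}%{!-n:kernel-livepatch} -r %{release} $krel $krpmver_flavor $kprovide" \
+done \
+echo "%%global flavors_to_build${flavors_to_build:-%%nil}" \
+echo "%%{expand:%%(test -z '%flavors_to_build' && echo %%%%internal_kmp_error)}" \
+echo "%%global kernel_source() /usr/src/linux-obj/%_target_cpu/%%%%{1}" \
+\
+echo "%package -n %{-n*}%{!-n:kernel-livepatch}-kmp-_dummy_" \
+echo "Version: %version" \
+echo "Summary: %summary" \
+echo "Group: %group" \
+echo "%description -n %{-n*}%{!-n:kernel-livepatch}-kmp-_dummy_" \
+)}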
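Review bot: The output of `make -s -C ... kernelrelease` is used unchecked inside the flavor loop. If that call fails or prints nothing, `krel` is empty, yet the flavor is still appended to `flavors_to_build` and a `%_suse_klp_module_subpackage` line is emitted with its kernel-release arguments missing. A guard directly after the assignment, `[ -n "$krel" ] || continue \`, would skip such a flavor and let the existing `%internal_kmp_error` check fire when no flavor resolved at all.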
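--- a/rpm-helper
+++ b/rpm-helper
@@ -0,0 +1,141 @@
+#!/bin/bash
+
+USAGE="$0 <check|install|remove> <package-version-release>"
+
+if test "$1" = "-h" -o "$1" = "--help"; then
+echo "$USAGE"
+exit 0
+fi
+if test "$#" -lt 2; then
+echo "$USAGE" >&2
+exit 1
+fi
+
+shopt -s nullglob
+
+check_livepatching_env()
+{
+LIVEPATCH_KERNEL=auto
+# Check if a sysconfig for livepatching exists. If yes, include the file.
+if test -e "/etc/sysconfig/livepatching"; then
+. /etc/sysconfig/livepatching || :
+fi
+
+# We want to preserve the immutability of the system in the
+# transactional server role. To that end, we define the "auto" patch
+# deployment mode that skips the patch loading in transactional
+# updates.
+DO_PATCHING=0
+[ "$TRANSACTIONAL_UPDATE" != "true" -a "$LIVEPATCH_KERNEL" == "auto" ] && DO_PATCHING=1
+[ "$LIVEPATCH_KERNEL" == "always" ] && DO_PATCHING=1
+
+[ "$DO_PATCHING" -eq 0 ] && return 1
+return 0
+}
+
+do_check()
+{
+if test -e /.buildenv; then
+echo "Skipping kernel live patches in buildroot"
+return 0
+fi
+
+check_livepatching_env || return 0
+
+if test "$(uname -r)" != "$KREL"; then
+return 0
+fi
+klp check >&2
+}
+
+refresh_initrd()
+{
+local image
+
+/sbin/depmod -F "/boot/System.map-$KREL" -e "$KREL" || return
+# copied from weak-modules2
+for image in vmlinuz image vmlinux linux bzImage uImage Image ""; do
+if test -f "/boot/$image-$KREL"; then
+break
+fi
+done
+if test -z "$image"; then
+return
+fi
+if test "$1" = "--force"; then
+/sbin/mkinitrd -k "/boot/$image-$KREL" -i "/boot/initrd-$KREL"
+else
+mkdir -p /var/run/regenerate-initrd
+touch "/var/run/regenerate-initrd/$image-$KREL"
+fi
+}
+
+do_install()
+{
+local mod modules err
+
+if test -e /.buildenv; then
+return 0
+fi
+
+refresh_initrd
+
+if test "$(uname -r)" != "$KREL"; then
+return 0
+fi
+
+if ! check_livepatching_env; then
+echo "[klp] Skipping installation of the kernel live patch."
+return 0
+fi
+
+err=0
+modules=($(grep -l '^0$' /sys/module/livepatch*/refcnt /dev/null | sed 's:/refcnt::; s:/sys/module/::'))
+for mod in "${modules[@]}"; do
+echo "[klp] Unloading $mod"
+# Can't use modprobe -r, as the modules do not exist on disk
+# anymore
+rmmod "$mod" || :
+done
+modules=($(rpm -ql "$PACKAGE" | sed -rn 's:.*/(livepatch[^/]*)\.ko(\.[gx]z|\.zst)?$:\1:p'))
+for mod in "${modules[@]}"; do
+echo "[klp] Loading $mod"
+modprobe "$mod" || err=$?
+done
+
+klp store_patch_info "$(echo "$mod" | tr - _)"
+
+return $err
+}
+
+do_remove()
+{
+if test -e /.buildenv; then
+return 0
+fi
+
+if test "$NUM_PACKAGES" -eq 0; then
+# bnc#904867
+refresh_initrd --force
+else
+refresh_initrd
+fi
+}
+
+if test $# -ne 4; then
+echo 'WARNING: Unexpected number of parameters. Are the live patch RPM scripts compatible with this rpm-helper?' >&2
+fi
+
+cmd=$1
+PACKAGE=$2
+KREL=$3
+NUM_PACKAGES=${4-0}
+case "$cmd" in
+check|install|remove)
+do_$cmd
+exit
+;;
+*)
+echo "$USAGE" >&2
+exit 1
+esac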
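Review bot: In `do_install`, the `klp store_patch_info` call sits after the load loop, so it records only the last value of `$mod`, and it runs even when `modprobe` failed or the package listed no modules. In the empty case `$mod` is either unset or still names a module the unload loop just removed. The `store_patch_info` handler in klp then reads `/sys/module/$2/srcversion` and writes a cache file named from that value. Moving the call inside the loop and making it conditional on a successful load keeps the cache in step with what is actually loaded.

```bash
for mod in "${modules[@]}"; do
    echo "[klp] Loading $mod"
    if modprobe "$mod"; then
        klp store_patch_info "${mod//-/_}"
    else
        err=$?
    fi
done
# … unchanged: return $err …
```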
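--- a/sysconfig.livepatching
+++ b/sysconfig.livepatching
@@ -0,0 +1,10 @@
+## Path: System/Live Patching
+## Description: Configuration of the system live patch deployment
+
+## Type: string
+## Default: "auto"
+# Controls whether kernel live patches should be loaded into
+# kernel during live patch RPM package installation. The valid
+# settings are "always", "never" and "auto".
+LIVEPATCH_KERNEL='auto'
+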
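--- a/systemd-default-klp.preset
+++ b/systemd-default-klp.preset
@@ -0,0 +1 @@
+enable klp-info-cache.service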
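--- a/systemd-klp-info-cache.service
+++ b/systemd-klp-info-cache.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Clean up the klp(8) tool cache on boot
+After=local-fs.target
+ConditionPathIsReadWrite=/var/cache/livepatch
+
+[Service]
+Type=oneshot
+Nice=19
+IOSchedulingClass=idle
+ExecStart=/usr/lib/kernel-livepatch/cache-cleaner
+
+[Install]
+WantedBy=multi-user.target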
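Review bot: The `[Service]` section has no sandboxing directives, and with no `User=` set `/usr/lib/kernel-livepatch/cache-cleaner` runs as root at boot. The cleaner script is not part of this section, but if it only prunes entries under `/var/cache/livepatch`, as the `ConditionPathIsReadWrite=` line suggests, the unit could confine it with `ProtectSystem=strict`, `ReadWritePaths=/var/cache/livepatch` and `NoNewPrivileges=yes`. That limits what a bug in the cleaner could delete or modify outside its cache directory.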