Alibaba Cloud Linux 2 (formerly Aliyun Linux 2) kernel hot patching feature

This article describes how to use the kernel hot patching (Kernel Live Patching) feature on Alibaba Cloud Linux 2.

1. Preparations

1.1 Kernel version

First, confirm which kernel version is currently running. Inside the operating system, run the following command:

uname -r
4.19.57-15.1.al7.x86_64

1.2 Install tools and kernel dependencies

sudo yum install -y alinux-release-source alinux-release-kernels
sudo yum install -y yum-utils
sudo debuginfo-install -y kernel-$(uname -r) # install the debuginfo package
sudo yum install -y kpatch pesign zlib-devel \
  binutils-devel newt-devel python-devel perl-ExtUtils-Embed \
  audit-libs audit-libs-devel numactl-devel pciutils-devel bison patchutils \
  kernel-devel-$(uname -r) # install the dependency tools
sudo yum-builddep -y kernel-$(uname -r) # check the dependencies needed when building the kernel

1.3 Install kpatch-build

Building a hot patch requires kpatch-build, a tool that is not yet available in the YUM repositories, so its source code has to be obtained from GitHub. Run the following commands to get the code and compile it:

sudo yum install -y git
git clone https://github.com/dynup/kpatch.git
cd kpatch
make

1.4 Prepare the kernel source code

sudo yumdownloader --source kernel-$(uname -r) # fetch the kernel source package
export VRDA=$(uname -r)
rpm -ivh kernel-${VRDA/x86_64/src}.rpm
rpmbuild --without debug \
    --without doc \
    --without perf \
    --without tools \
    --without bpftool \
    --without debuginfo \
    -bp ~/rpmbuild/SPECS/kernel.spec
export SourceDir=$(ls -d ~/rpmbuild/BUILD/kernel-${VRDA/-*/}/linux-*)
cp ~/rpmbuild/SOURCES/modsign_alinux.pem $SourceDir/certs
cp ~/rpmbuild/SOURCES/x509.genkey $SourceDir/certs
sed -i "s/CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=\"${VRDA/*-/-}\"/" $SourceDir/.config

2. Prepare the patch file for the hot patch

Prepare the patch file according to your actual situation. A patch file obtained from the kernel source Git tree can generally be used, but not every patch file can be turned into a hot patch. Make sure in advance that you fully understand the restrictions on hot patches; otherwise serious problems may occur, including but not limited to operating system downtime.

Here is a sample patch file:

diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
index edda898..8a4a686 100644
--- a/fs/proc/meminfo.c
+++ b/fs/proc/meminfo.c
@@ -121,7 +121,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
        seq_printf(m, "VmallocTotal:   %8lu kB\n",
                   (unsigned long)VMALLOC_TOTAL >> 10);
        show_val_kb(m, "VmallocUsed:    ", 0ul);
-       show_val_kb(m, "VmallocChunk:   ", 0ul);
+       show_val_kb(m, "VMALLOCCHUNK:   ", 0ul);
        show_val_kb(m, "Percpu:         ", pcpu_nr_pages());
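
Review bot: the added line `show_val_kb(m, "VMALLOCCHUNK:   ", 0ul);` renames a field label in /proc/meminfo, so anything that reads that file and looks for the exact `VmallocChunk:` name will stop finding the field once the patch is live. As a demonstration this is fine because the effect is easy to observe, but it belongs on a test host only, and the sample should say so. Also, the hunk header declares 7 lines on each side (`-121,7 +121,7`) while only 5 are visible per side, so the trailing context lines need to be restored before the file is used as meminfo.patch.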

Note that the patch file must match the source code unpacked from the downloaded source package for the current kernel.

3. Build the hot patch

cd kpatch
export VRDA=$(uname -r)
export SourceDir=$(ls -d ~/rpmbuild/BUILD/kernel-${VRDA/-*/}/linux-*)
./kpatch-build/kpatch-build -v /usr/lib/debug/usr/lib/modules/$(uname -r)/vmlinux \
    meminfo.patch \
    -s $SourceDir \
    -t vmlinux \
    -j$(getconf _NPROCESSORS_ONLN) # meminfo.patch is the patch file from the previous step

If the build succeeds, a livepatch-meminfo.ko file is produced in the current directory.

4. Load the hot patch

sudo kpatch load livepatch-meminfo.ko
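
A check to run after step 4, as an added example that is not part of the original article or of kpatch: it confirms that the kernel has finished applying the patch and that the changed label is visible. The function names are hypothetical, and it assumes the patch is listed under /sys/kernel/livepatch/ with the module name livepatch_meminfo.

```bash
#!/bin/bash
# Added example (not from the original article): post-load check for
# livepatch-meminfo.ko. Function names are hypothetical helpers.
# Assumption: the kernel lists the patch under /sys/kernel/livepatch/<module>.

# Module name as the kernel sees it: drop the path and .ko, map '-' to '_'.
livepatch_name() {
    basename "$1" .ko | sed 's/-/_/g'
}

# Print absent | disabled | transitioning | enabled for a patch name.
# $2 overrides the sysfs root so the logic can run on a constructed tree.
livepatch_state() {
    lp_dir="${2:-/sys/kernel/livepatch}/$1"
    if [ ! -d "$lp_dir" ]; then
        echo absent
    elif [ "$(cat "$lp_dir/enabled" 2>/dev/null)" != 1 ]; then
        echo disabled
    elif [ "$(cat "$lp_dir/transition" 2>/dev/null)" = 1 ]; then
        echo transitioning   # tasks are still being switched over
    else
        echo enabled
    fi
}

# True when meminfo shows the label introduced by the sample patch.
# $1 overrides /proc/meminfo.
meminfo_patched() {
    grep -q '^VMALLOCCHUNK:' "${1:-/proc/meminfo}"
}

# Usage: verify_livepatch <module.ko> [sysfs_root] [meminfo_file]
# Succeeds only if the patch is fully enabled and its effect is visible.
verify_livepatch() {
    lp_name=$(livepatch_name "$1")
    lp_state=$(livepatch_state "$lp_name" "$2")
    echo "$lp_name: $lp_state"
    [ "$lp_state" = enabled ] && meminfo_patched "$3"
}

# Check the live system only when a module path is passed on the command line.
if [ "$#" -gt 0 ]; then
    verify_livepatch "$@"
fi
```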

Origin yq.aliyun.com/articles/728298