kpatch is a feature of the Linux kernel that implements live patching of a running kernel, which allows kernel patches to be applied while the kernel is still running. By avoiding the need for rebooting the system with a new kernel that contains the desired patches, kpatch aims to maximize the system uptime and availability. At the same time, kpatch allows kernel-related security updates to be applied without deferring them to scheduled downtimes. Internally, kpatch allows entire functions in a running kernel to be replaced with their patched versions, doing that safely by stopping all running processes while the live patching is performed.
kpatch is developed by Red Hat, and the source code is licensed under the GNU General Public License version 2 (GPLv2). As of May 2014, kpatch has been submitted for inclusion into the Linux kernel mainline.
Internally, kpatch consists of two parts – the core kernel module executes the live patching mechanism by altering the kernel's inner workings, while a set of userspace utilities prepares individual hot patch kernel modules from source diffs and manages their application. Live kernel patching is performed at the function level, meaning that kpatch can replace entire functions in the running kernel with their patched versions by using facilities provided by ftrace to "route around" old versions of functions; that way, hot patches can also easily be undone. No changes to the kernel's internal data structures are possible; however, security patches, which are natural candidates for use with kpatch, rarely contain changes to the kernel's data structures.
kpatch ensures that hot patches are applied atomically and safely by stopping all running processes while the hot patch is applied, and by ensuring that none of the stopped processes is running inside the functions that are to be patched. Such an approach simplifies the whole live patching mechanism and prevents certain issues associated with the way data structures are used by original and patched versions of functions. As a downside, this approach also leaves open the possibility of a hot patch failing, and introduces a small amount of latency required for stopping all running processes.
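The mechanism described above, modelled in userspace C as an added example (not kpatch's or the kernel's own code): a set of frozen tasks with their call stacks, a dispatch table standing in for the ftrace-based redirection, and a swap that is refused when any frozen task has a frame inside a function being replaced. The function names, the table and the tasks are hypothetical constructs for illustration.

```c
/* Userspace model of kpatch's safety check (added illustration, not kpatch or
 * kernel code). Every "task" is frozen with a call stack of function ids; a
 * hot patch is applied only if no frozen task has a frame inside a function
 * being replaced; otherwise it fails and the dispatch table is left untouched. */
#define MAX_FRAMES 8
typedef int (*fn_t)(int);

static int old_a(int x) { return x + 1; }   /* hypothetical buggy function */
static int new_a(int x) { return x + 2; }   /* its patched replacement */
static int old_b(int x) { return x * 2; }
/* Dispatch table standing in for the ftrace-based "route around" redirection. */
static fn_t table[2] = { old_a, old_b };
struct task { int frames[MAX_FRAMES]; int depth; }; /* table indices, innermost last */

/* 1 if any frame of any frozen task lies inside one of targets[]. */
static int stack_conflicts(const struct task *tasks, int ntasks, const int *targets, int n)
{
    for (int t = 0; t < ntasks; t++)
        for (int f = 0; f < tasks[t].depth; f++)
            for (int i = 0; i < n; i++)
                if (tasks[t].frames[f] == targets[i])
                    return 1;
    return 0;
}

/* Swap used both to apply and to undo a patch; all tasks are assumed stopped
 * here (kpatch's stop-all-processes step). 0 on success, -1 if it must fail. */
int live_swap(const struct task *tasks, int ntasks, const int *targets, fn_t *fns, int n)
{
    if (stack_conflicts(tasks, ntasks, targets, n))
        return -1;
    for (int i = 0; i < n; i++)
        table[targets[i]] = fns[i];
    return 0;
}

int call_fn(int idx, int x) { return table[idx](x); }

/* Freeze one task whose stack is frames[0..depth), try to hot-patch old_a,
 * and report call_fn(0, 10): 12 if the patch was applied, 11 if it failed. */
int try_patch_a(const int *frames, int depth)
{
    struct task t = { {0}, depth };
    for (int i = 0; i < depth; i++) t.frames[i] = frames[i];
    int target = 0; fn_t fn = new_a, orig = old_a;
    int applied = live_swap(&t, 1, &target, &fn, 1) == 0;
    int r = call_fn(0, 10);
    if (applied) live_swap(&t, 1, &target, &orig, 1);  /* undo the hot patch */
    return r;
}
```

A task sleeping inside old_b lets the patch to old_a go through, while a task whose innermost frame is old_a makes it fail with the table unchanged.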
Red Hat announced and publicly released kpatch in February 2014 under the GNU General Public License version 2 (GPLv2), shortly before SUSE released its own live kernel patching implementation called kGraft. kpatch aims to be merged into the Linux kernel mainline, and it was submitted for inclusion in May 2014.
- Dynamic software updating – a field of research focusing on upgrading programs while they are running
- kexec – a method for loading a whole new Linux kernel from a running system
- Ksplice – another Linux kernel live patching technology developed by Ksplice, Inc. (later acquired by Oracle)