# livepatch-mgr

**Repository Path**: ydjohn/livepatch-mgr

## Basic Information

- **Project Name**: livepatch-mgr
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: BSD-3-Clause
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 1
- **Forks**: 3
- **Created**: 2023-05-31
- **Last Updated**: 2024-08-08

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

# The livepatch-mgr tool

livepatch-mgr is a kernel live patch management tool that runs on Alibaba Cloud Linux. It covers the day-to-day operations around live patches and currently supports basic patch management, information queries, and host remediation.

## Host remediation

### Install and enable the live patch packages that match this host

The `update` subcommand resolves and installs the matching `kernel-hotfix-*` RPM through yum (from the `plus` repository in the example below) and then loads the patch module into the running kernel straight away. The package name encodes both the hotfix id (4121479) and the kernel release it was built for (21.al7); the module is unpacked under `/var/khotfix/<kernel release>/<hotfix id>/` and only applies to that exact kernel build.

```bash
#livepatch-mgr update
Loaded plugins: fastestmirror, langpacks, releasever-adapter, update-motd
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package kernel-hotfix-4121479-21.al7.x86_64.0.1.0-1.al7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                       Arch     Version     Repository   Size
================================================================================
Installing:
 kernel-hotfix-4121479-21.al7  x86_64   1.0-1.al7   plus         244 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 244 k
Installed size: 1.0 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : kernel-hotfix-4121479-21.al7-1.0-1.al7.x86_64                1/1
installing /var/khotfix/4.19.91-21.al7.x86_64/4121479/kpatch-4121479.ko (4.19.91-21.al7.x86_64)
loading patch module: /var/khotfix/4.19.91-21.al7.x86_64/4121479/kpatch-4121479.ko
  Verifying  : kernel-hotfix-4121479-21.al7-1.0-1.al7.x86_64                1/1

Installed:
  kernel-hotfix-4121479-21.al7.x86_64 0:1.0-1.al7

Complete!
```

### Install and enable the matching bugfix live patch packages

> livepatch-mgr update --bugfix
> Same output as `livepatch-mgr update`, but limited to installing bugfix-class live patch packages

### Install and enable the matching CVE (security) live patch packages

> livepatch-mgr update --security
> Same output as `livepatch-mgr update`, but limited to installing CVE-class live patch packages

### Install and enable the live patch packages for specific CVE IDs

> livepatch-mgr update -cve=< CVES >  # CVES is the list of CVE IDs to install; several IDs are separated by commas (,) and matching is strictly case-sensitive
> Same output as `livepatch-mgr update`, but limited to the live patch packages for the specified CVEs

### Install and enable the live patch packages for specific errata advisory IDs

> livepatch-mgr update --ids=< Advisory IDs >  # Advisory IDs is the list of advisory IDs (the `Update ID` field shown by `livepatch-mgr list --available`); several IDs are separated by commas (,) and matching is strictly case-sensitive
> Same output as `livepatch-mgr update`, but limited to the live patch packages for the specified advisory IDs

## Listing patches

### List all live patches on this host

The output is grouped into three classes: installed (the hotfix RPM is present on the host), running (the patch module is loaded in the kernel), and available (the errata cache offers a matching package that is not installed). An entry that appears under "Installed" but not under "Loaded" is a patch that is on disk but not protecting the running kernel. Entries that fix a CVE are prefixed with the CVE ID.

```bash
#livepatch-mgr list
Loaded patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
4121479 fix XDP socket queue descriptor entries overflow;
Installed patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
4121479 fix XDP socket queue descriptor entries overflow;
Available and not installed patch modules:
CVE-2020-14386 kernel-hotfix-3768348-21.al7.x86_64 Using tp_reserve to calculate netoff can overflow as tp_rese...(more)
kernel-hotfix-5902278-21.al7.x86_64 We notice that hung task happens in a conner but practical ...(more)
```

### List the live patches installed on this host

```bash
#livepatch-mgr list --installed
Installed patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
4121479 fix XDP socket queue descriptor entries overflow;
```

### List the installed bugfix-class live patches

```bash
#livepatch-mgr list --installed --bugfix
Installed patch modules:
5692820 fix_trace_buffer_out_bound
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
4121479 fix XDP socket queue descriptor entries overflow;
```

### List the installed security-class live patches

```bash
#livepatch-mgr list --installed --security
Installed patch modules:
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
```

### List the live patches currently in effect on this host

```bash
#livepatch-mgr list --running
Loaded patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
4121479 fix XDP socket queue descriptor entries overflow;
```

### List the bugfix-class live patches currently in effect

```bash
#livepatch-mgr list --running --bugfix
Loaded patch modules:
5692820 fix_trace_buffer_out_bound
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
4121479 fix XDP socket queue descriptor entries overflow;
```

### List the security-class live patches currently in effect

```bash
#livepatch-mgr list --running --security
Loaded patch modules:
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
```

### List the live patches that match this host

Each available package is described by an errata record. Records whose `Update ID` begins with `HOTFIX-SA-` are security advisories and carry one or more entries in the `CVE(s)` field; records beginning with `HOTFIX-BA-` are bugfix advisories and have an empty `CVE(s)` field. Note that `Severity` is set for both classes, so it cannot be used on its own to tell security fixes from bugfixes.

```bash
#livepatch-mgr list --available
================================================================================
 kernel-hotfix-4121479-21.al7.x86_64
================================================================================
  Update ID : HOTFIX-BA-2020:0005
    Release : Alibaba Cloud Linux 2.1903 Hotfix
     Issued : 2020-11-24
    Updated : 2020-11-24
Description : the implementation of xskq_umem_get_ring_size and xskq_rxtx_get_ring_size are vulnerable to buffer overflow, attacker can use large q->nentries value to tirgger...(more)
     CVE(s) :
   Severity : Important

================================================================================
 kernel-hotfix-5000697-21.al7.x86_64
================================================================================
  Update ID : HOTFIX-BA-2021:0003
    Release : Alibaba Cloud Linux 2.1903 Hotfix
     Issued : 2021-03-18
    Updated : 2021-03-18
Description : While stressing compaction, one run oopsed on NULL capc->cc in __free_one_page()'s task_capc(zone): compact_zone_order() had been interrupted, and a page was b...(more)
     CVE(s) :
   Severity : Important

================================================================================
 kernel-hotfix-3768348-21.al7.x86_64
================================================================================
  Update ID : HOTFIX-SA-2020:0002
    Release : Alibaba Cloud Linux 2.1903 Hotfix
     Issued : 2020-09-21
    Updated : 2020-09-21
Description : Using tp_reserve to calculate netoff can overflow as tp_reserve is unsigned int and netoff is unsigned short. This may lead to macoff receving a smaller value ...(more)
     CVE(s) : CVE-2020-14386
   Severity : Important
......
```

### List the matching bugfix-class live patches

```bash
#livepatch-mgr list --available --bugfix
================================================================================
 kernel-hotfix-4375449-21.al7.x86_64
================================================================================
  Update ID : HOTFIX-BA-2021:0031
    Release : Alibaba Cloud Linux 2.1903 Hotfix
     Issued : 2021-08-07
    Updated : 2021-08-07
Description : We need to lock d_parent->d_lock before dget_dlock, or this may have d_lockref updated parallelly like calltrace below which will cause dentry->d_lockref leak a...(more)
     CVE(s) :
   Severity : Important

================================================================================
 kernel-hotfix-5260815-21.al7.x86_64
================================================================================
  Update ID : HOTFIX-BA-2021:0027
    Release : Alibaba Cloud Linux 2.1903 Hotfix
     Issued : 2021-08-07
    Updated : 2021-08-07
Description : ext4: Avoid freeing inodes on dirty list When we are evicting inode with journalled data, we may race with transaction commit. This results in use-after-free i...(more)
     CVE(s) :
   Severity : Important
......
```

### List the matching security-class live patches

```bash
#livepatch-mgr list --available --security
================================================================================
 kernel-hotfix-3768348-21.al7.x86_64
================================================================================
  Update ID : HOTFIX-SA-2020:0002
    Release : Alibaba Cloud Linux 2.1903 Hotfix
     Issued : 2020-09-21
    Updated : 2020-09-21
Description : Using tp_reserve to calculate netoff can overflow as tp_reserve is unsigned int and netoff is unsigned short. This may lead to macoff receving a smaller value ...(more)
     CVE(s) : CVE-2020-14386
   Severity : Important

================================================================================
 kernel-hotfix-5928799-21.al7.x86_64
================================================================================
  Update ID : HOTFIX-SA-2021:0009
    Release : Alibaba Cloud Linux 2.1903 Hotfix
     Issued : 2021-07-21
    Updated : 2021-07-21
Description : A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. The compat IPT_SO_SET_REPLACE/IP6T_SO_SET_REPLACE sets...(more)
     CVE(s) : CVE-2021-22555
   Severity : High

================================================================================
 kernel-hotfix-5956925-21.al7.x86_64
================================================================================
  Update ID : HOTFIX-SA-2021:0018
    Release : Alibaba Cloud Linux 2.1903 Hotfix
     Issued : 2021-07-23
    Updated : 2021-07-23
Description : An out-of-bounds write flaw was found in the Linux kernel's seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain a...(more)
     CVE(s) : CVE-2021-33909
   Severity : High
......
```

## Enabling live patches

### Load all live patches installed on this host

```bash
#livepatch-mgr.py load
loading kernel-hotfix-5956925-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5956925/kpatch-5956925.ko
loading kernel-hotfix-5902278-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5902278/kpatch-5902278.ko
loading kernel-hotfix-5260815-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5260815/kpatch-5260815.ko
loading kernel-hotfix-5928799-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5928799/kpatch-5928799.ko
loading kernel-hotfix-5577959-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5577959/kpatch-5577959.ko
```

### Load the CVE (security) live patches

```bash
#livepatch-mgr load --security
loading kernel-hotfix-5956925-23.al7.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5956925/kpatch-5956925.ko
loading kernel-hotfix-5928799-23.al7.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5928799/kpatch-5928799.ko
```

### Load the bugfix live patches

```bash
#livepatch-mgr load --bugfix
loading kernel-hotfix-5902278-23.al7.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5902278/kpatch-5902278.ko
loading kernel-hotfix-5260815-23.al7.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5260815/kpatch-5260815.ko
loading kernel-hotfix-5577959-23.al7.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5577959/kpatch-5577959.ko
```

### Load one specific live patch

A patch can be named by the absolute path of its `.ko` file, by the file name without the `.ko` suffix, or by the file name with the suffix.

```bash
# .ko given with an absolute path
#livepatch-mgr load /var/khotfix/4.19.91-21.al7.x86_64/5956925/kpatch-5956925.ko
loading kernel-hotfix-5956925
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5956925/kpatch-5956925.ko
# module name without the .ko suffix
#livepatch-mgr load kpatch-5260815
loading kernel-hotfix-5928799
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5928799/kpatch-5928799.ko
# module name with the .ko suffix
#livepatch-mgr.py load kpatch-4121479.ko
loading kernel-hotfix-5902278
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5902278/kpatch-5902278.ko
```

## Disabling live patches

### Unload all live patches installed on this host

Unloading first disables the patch module (the kernel switches tasks back to the original code) and then removes the module. A module that is installed but not currently loaded is reported as `is not loaded` and skipped.

```bash
#livepatch-mgr unload
unloading kernel-hotfix-5956925-23.x86_64
disabling patch module: kpatch_5956925
unloading patch module: kpatch_5956925
unloading kernel-hotfix-5902278-23.x86_64
disabling patch module: kpatch_5902278
unloading patch module: kpatch_5902278
unloading kernel-hotfix-5260815-23.x86_64
disabling patch module: kpatch_5260815
unloading patch module: kpatch_5260815
unloading kernel-hotfix-5928799-23.x86_64
disabling patch module: kpatch_5928799
unloading patch module: kpatch_5928799
unloading kernel-hotfix-5577959-23.x86_64
disabling patch module: kpatch_5577959
unloading patch module: kpatch_5577959
```

### Unload the CVE (security) live patches

```bash
#livepatch-mgr unload --security
unloading kernel-hotfix-5956925-23.al7.x86_64
disabling patch module: kpatch_5956925
unloading patch module: kpatch_5956925
unloading kernel-hotfix-5928799-23.al7.x86_64
disabling patch module: kpatch_5928799
unloading patch module: kpatch_5928799
```

### Unload the bugfix live patches

```bash
#livepatch-mgr unload --bugfix
unloading kernel-hotfix-5902278-23.al7.x86_64
disabling patch module: kpatch_5902278
unloading patch module: kpatch_5902278
unloading kernel-hotfix-5260815-23.al7.x86_64
kpatch: patch module kpatch_5260815 is not loaded
unloading kernel-hotfix-5577959-23.al7.x86_64
kpatch: patch module kpatch_5577959 is not loaded
```

### Unload one specific live patch

Note the naming difference: the file on disk is `kpatch-<id>.ko` (hyphen), while the module as registered in the kernel is `kpatch_<id>` (underscore), which is the name `unload` takes when no path is given.

```bash
# .ko given with an absolute path
#livepatch-mgr unload /var/khotfix/4.19.91-21.al7.x86_64/5928799/kpatch-5928799.ko
unoading kernel-hotfix-5928799
disabling patch module: kpatch_5928799
unloading patch module: kpatch_5928799
# module name without the .ko suffix
#livepatch-mgr unload kpatch_5692820
unoading kernel-hotfix-5902278
disabling patch module: kpatch_5902278
unloading patch module: kpatch_5902278
# module name with the .ko suffix
#livepatch-mgr unload kpatch_5000697.ko
unoading kernel-hotfix-5577959
disabling patch module: kpatch_5577959
unloading patch module: kpatch_5577959
```

## Refreshing the livepatch-mgr cache

```
livepatch-mgr sync
```
The `sync` subcommand refreshes livepatch-mgr's errata cache directly, so that the current state of security package updates is picked up without delay.

## Security package status reminder at login

When a user logs into a shell, the shell reports the current state of security updates on the system. The output looks like this:

```
****************** Livepatch-mgr Security Reminder ******************
Your system have [0] security packages available to install
Your system have [0] security packages installed but not loaded
Conclusion : Safe
*********************************************************************
[root@******** ~]#
```

The Livepatch-mgr Security Reminder is shown on every login shell. It tells the user how many kernel security updates are pending, and how many security fix packages are installed but not loaded.

### Error conditions

If the reminder shows the following:

```
****************** Livepatch-mgr Security Reminder ******************
[Errno 11] Resource temporarily unavailable
```

or this:

```
****************** Livepatch-mgr Security Reminder ******************
Error: Hotfix data cache is missing please use "livepatch-mgr sync" to rebuild
**********************************************************************
```

the livepatch-mgr cache database has been deleted or corrupted. Rebuild it with the `livepatch-mgr sync` command.

### Enable the reminder

```
livepatch-mgr remind --enable
```

Once enabled, the reminder reports the current security package state every time the user logs into a shell.

### Disable the reminder

```
livepatch-mgr remind --disable
```

Once disabled, the reminder no longer reports the security package state at shell login.

### Check the current system state

```
livepatch-mgr remind
```

Besides the notification at shell login, the `remind` subcommand lets the user query the current security package state at any time while using the system.
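The following is an added example and not code from the livepatch-mgr project. It turns the two checks that the listing, load/unload and reminder sections above describe into a script that can run from cron or a fleet-wide compliance job: it parses the `livepatch-mgr list` output format shown above to find security patches that are installed but not loaded (the reminder's second figure), and it reads the kernel's own view under `/sys/kernel/livepatch/<module>/` to catch a case the tool's `loading patch module` message does not show, namely a module that is loaded but whose transition to the patched code has not completed, so some tasks are still running the unpatched code. The sysfs layout is an assumption (that the `kpatch_<id>` modules register with the kernel livepatch core and expose the standard `enabled` and `transition` attributes); the list output and the sysfs tree used in the demo are constructed samples, and the function names (`installed_not_loaded`, `sysfs_not_active`, `check_host`, `fake_sysfs_entry`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of livepatch-mgr. Answers "is this host actually
# protected?" from two sources:
#   1. the "livepatch-mgr list" output format shown in this README, to find
#      patches that are installed but not loaded (the reminder's second figure);
#   2. the kernel's own view under /sys/kernel/livepatch/<module>/ (assumption:
#      kpatch modules register with the livepatch core and expose the standard
#      "enabled" and "transition" attributes), to catch a module that is loaded
#      but whose transition has not completed, so some tasks still run old code.
# Both inputs are parameters, so the check also runs offline on constructed data.

# installed_not_loaded < list-output
# Prints "<id> <CVE or ->" for every id listed under "Installed patch modules"
# that does not also appear under "Loaded patch modules".
installed_not_loaded() {
    awk '
        /^Loaded patch modules:/       { sec = "loaded";    next }
        /^Installed patch modules:/    { sec = "installed"; next }
        /^Available and not installed/ { sec = "avail";     next }
        sec == "loaded" || sec == "installed" {
            # entries look like "5956925 desc" or "CVE-2021-33909 5956925 desc"
            if ($1 ~ /^CVE-/) { id = $2; cve = $1 } else { id = $1; cve = "-" }
            if (sec == "loaded") loaded[id] = 1; else installed[id] = cve
        }
        END { for (id in installed) if (!(id in loaded)) print id, installed[id] }
    ' | sort
}

# sysfs_not_active ROOT
# Prints "<module> enabled=<v> transition=<v>" for each patch under ROOT that is
# not both enabled and finished transitioning (enabled=1, transition=0).
sysfs_not_active() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        enabled=$(cat "$dir/enabled" 2>/dev/null || echo "?")
        transition=$(cat "$dir/transition" 2>/dev/null || echo "?")
        if [ "$enabled" != "1" ] || [ "$transition" != "0" ]; then
            echo "$(basename "$dir") enabled=$enabled transition=$transition"
        fi
    done
}

# check_host LIST_OUTPUT SYSFS_ROOT
# Prints the findings and a reminder-style conclusion; exit status 0 only when
# no security patch is installed-but-not-loaded and every module is active.
check_host() {
    stale=$(printf '%s\n' "$1" | installed_not_loaded)
    stuck=$(sysfs_not_active "$2")
    n_stale=$(printf '%s' "$stale" | awk '$2 ~ /^CVE-/ { n++ } END { print n + 0 }')
    n_stuck=$(printf '%s' "$stuck" | awk 'NF { n++ } END { print n + 0 }')
    echo "Security patches installed but not loaded : [$n_stale]"
    [ -z "$stale" ] || echo "$stale" | sed 's/^/  /'
    echo "Patch modules not fully active in kernel : [$n_stuck]"
    [ -z "$stuck" ] || echo "$stuck" | sed 's/^/  /'
    if [ "$n_stale" -eq 0 ] && [ "$n_stuck" -eq 0 ]; then
        echo "Conclusion : Safe"
        return 0
    fi
    echo "Conclusion : Unsafe"
    return 1
}

# fake_sysfs_entry ROOT MODULE ENABLED TRANSITION: constructed sysfs entry for
# offline runs; on a real host point check_host at /sys/kernel/livepatch instead.
fake_sysfs_entry() {
    mkdir -p "$1/$2"
    printf '%s\n' "$3" > "$1/$2/enabled"
    printf '%s\n' "$4" > "$1/$2/transition"
}

# Constructed sample modelled on the "livepatch-mgr list" output in this README:
# 5956925 (CVE-2021-33909) is installed but missing from the loaded section.
LIST_SAMPLE='Loaded patch modules:
5692820 fix_trace_buffer_out_bound
4375449 ovl: fix dentry leak in ovl_get_redirect;
Installed patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4375449 ovl: fix dentry leak in ovl_get_redirect;
Available and not installed patch modules:
CVE-2020-14386 kernel-hotfix-3768348-21.al7.x86_64 Using tp_reserve to calculate netoff can overflow...(more)'

demo=$(mktemp -d)
fake_sysfs_entry "$demo" kpatch_5692820 1 0   # fully active
fake_sysfs_entry "$demo" kpatch_4375449 1 1   # enabled, but transition still running
check_host "$LIST_SAMPLE" "$demo" \
    || echo "Action: livepatch-mgr load --security, then confirm with livepatch-mgr list --running"
rm -rf "$demo"
```

On a real host, run it as root and feed it the live data: `check_host "$(livepatch-mgr list)" /sys/kernel/livepatch`. The exit status is what a job scheduler or configuration-management run should key on; a lingering `transition=1` after `livepatch-mgr load` usually means a long-running task has not yet passed through a safe point, and the patch is not protecting that task until it does.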