8.1. Updating kernel with ReadyKernel

ReadyKernel is a kpatch-based service shipped with Acronis Cyber Infrastructure and available out-of-the-box on physical servers with active licenses. It offers a more convenient, rebootless alternative to updating the kernel the usual way, so you do not have to wait for scheduled server downtime to apply critical security updates. With ReadyKernel, you receive cumulative kernel patches that fix critical security issues and apply them without rebooting the server. ReadyKernel updates are released for kernels younger than 18 months. When a kernel becomes older than 18 months, you need to switch to a newer kernel to keep receiving ReadyKernel updates.
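A node whose kernel has aged out of the 18-month window stops receiving security patches without any visible failure, so it is worth checking for during fleet audits. The script below is an added example, not part of the product or its documentation. It assumes that the build date printed by `uname -v` approximates the kernel's release date; the function names and the 15-month warning threshold are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: the build date in `uname -v`
# approximates the kernel's release date for the 18-month window.
RK_WINDOW_MONTHS=18   # window stated in the text above
RK_WARN_MONTHS=15     # hypothetical early-warning threshold

month_num() {         # Jan..Dec -> 1..12; non-zero status otherwise
    case "$1" in
        Jan) echo 1 ;; Feb) echo 2 ;; Mar) echo 3 ;; Apr) echo 4 ;;
        May) echo 5 ;; Jun) echo 6 ;; Jul) echo 7 ;; Aug) echo 8 ;;
        Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# kernel_age_months "<uname -v text>" <year> <month> <day>
# Prints whole months between the build date and the given date.
kernel_age_months() (
    set -f                                  # no globbing while splitting
    ny=$2 nm=${3#0} nd=${4#0} bm='' bd='' by='' want_day=0
    for tok in $1; do
        if [ "$want_day" -eq 1 ]; then bd=${tok#0}; want_day=0
        elif [ -z "$bm" ] && m=$(month_num "$tok"); then bm=$m; want_day=1
        else by=$tok                        # last token is the year
        fi
    done
    case "$bd" in ''|*[!0-9]*) exit 2 ;; esac
    case "$by" in [0-9][0-9][0-9][0-9]) ;; *) exit 2 ;; esac
    [ -n "$bm" ] || exit 2
    months=$(( (ny - by) * 12 + (nm - bm) ))
    if [ "$nd" -lt "$bd" ]; then months=$((months - 1)); fi
    echo "$months"
)

# rk_window_status: prints ok | warn | expired | unknown
rk_window_status() {
    age=$(kernel_age_months "$@") || { echo unknown; return 2; }
    if [ "$age" -ge "$RK_WINDOW_MONTHS" ]; then echo expired
    elif [ "$age" -ge "$RK_WARN_MONTHS" ]; then echo warn
    else echo ok
    fi
}

# Constructed sample; on a node pass "$(uname -v)" and `date +%Y`, +%m, +%d.
SAMPLE='#1 SMP Tue Mar 5 12:00:00 UTC 2019'
rk_window_status "$SAMPLE" 2020 09 04       # 17 whole months
```

An `unknown` result means the version string carried no parseable build date and the node needs a manual check.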

Upon installation, the patches are loaded into server RAM and immediately applied to the kernel. If the server reboots, these patches are reapplied to the kernel on boot. You can check the details of the applied ReadyKernel patch at any time by using readykernel info.

If later you install a new kernel or a major kernel update that requires a reboot, the downloaded patches will remain on the server but will not be applied.

In Acronis Cyber Infrastructure, ReadyKernel is set to automatically download and apply updates. Checks for new patches are added to each yum transaction that takes place on any node in the infrastructure.

Even though ReadyKernel requires no user interaction by default, you can read the following subsections to understand how this tool works and manage it, if needed.

8.1.1. Installing ReadyKernel patches automatically

ReadyKernel is enabled by default and checks for new patches daily at 12:00 server time by means of a cron.d script. If a patch is available, ReadyKernel will download, install, and load it for the current kernel.

To disable automatic updating, run:

# readykernel autoupdate disable

You can re-enable automatic updating later by running:

# readykernel autoupdate enable <hour>

The service will check for patches daily at the specified <hour> (set in 24-hour format, server time).

8.1.2. Managing ReadyKernel patches manually

8.1.2.1. Downloading, installing, and loading ReadyKernel patches

To download, install, and instantly load the latest ReadyKernel patch for the current kernel, do the following:

  1. Check for new ReadyKernel patches:

    # readykernel check-update
    
  2. If a new patch is available, download, install, and instantly load it for the current kernel by running:

    # readykernel update
    

ReadyKernel patches are cumulative, that is, the latest patch includes all the previous ones. To keep the kernel secure, you only need to install and load the latest patch.

8.1.2.2. Loading and unloading ReadyKernel patches

To manually load the latest installed ReadyKernel patch to the kernel, do one of the following:

  • If an older patch is already loaded, unload it first, then load the latest patch by running:

    # readykernel load-replace
    
  • If no older patches are loaded, load the latest patch by running:

    # readykernel load
    

To unload the patch from the current kernel, run:

# readykernel unload

8.1.2.3. Installing and removing ReadyKernel patches for specific kernels

If multiple kernels are installed on the server, you can install a ReadyKernel patch for a specific kernel:

# yum install readykernel-patch-<kernel_version>

To remove a specific ReadyKernel patch from the server, run:

# yum remove readykernel-patch-<kernel_version>

8.1.2.4. Downgrading ReadyKernel patches

If you experience problems with the latest ReadyKernel patch, you can downgrade it to an older version if one is available.

To downgrade a patch for the current kernel to the previous version, run:

# yum downgrade readykernel-patch-$(uname -r)

To downgrade a patch for a specific kernel to the previous version, run:

# yum downgrade readykernel-patch-<kernel_version>

You can run these commands multiple times to downgrade to the patch version you need. Alternatively, you can downgrade a patch to a specific version by specifying the desired patch version. For example:

# yum downgrade readykernel-patch-12.7-0.4-17.vl7

8.1.2.5. Disabling loading of ReadyKernel patches on boot

If for some reason you do not want ReadyKernel patches to be applied at boot time, run the following command:

# readykernel autoload disable

To re-enable automatic loading of ReadyKernel patches on boot, run:

# readykernel autoload enable

8.1.3. Managing ReadyKernel logs

ReadyKernel logs event information in /var/log/messages and /var/log/kpatch.log. You can specify logging parameters for the latter in the configuration file /etc/logrotate.d/kpatch. For more information on the parameters you can use, refer to the logrotate manual page.