Re: Kernel live patching on CentOS Stream 9




On 1/14/22 07:57, Gionatan Danti wrote:
> On 2022-01-14 13:17 Josh Boyer wrote:
>> RHEL's kernel live patching uses upstream open source kpatch.  The
>> sources to the kpatches are delivered in customer facing CDN repos at
>> the same time as the kpatch itself.  We do not use proprietary code to
>> produce or apply the kpatches.
>>
>> I can only speculate on whether RHEL kpatches would work on a CentOS
>> kernel, but my assumption is that they would not due to how they are
>> signed.
>
> Is (well, was) the CentOS kernel identical at binary level to the RHEL one?
> If so, the same kpatch should be applicable to both RHEL and CentOS (the old one).
>
> But I seem to understand that the two kernels are *not* bytewise identical, so a binary kpatch cannot be applied to CentOS. Is this true?
>
> Anyway, RH kpatches are surely not compatible with CentOS Stream. So I asked if some project was started to provide live kernel patching to the new CentOS project. If I'm not missing something, this is not the case.
>
> Regards.


No .. none of the CentOS Kernels were EVER binary compatible with any RHEL kernel.

CentOS Linux has always been (now also including CentOS Stream 8 and 9) a completely separate 'closed' build system.

We use the SAME source code to build things, modified to remove branding. But CentOS has NEVER been (nor is any other rebuild distribution now) Binary Compatible.

Want to see how .. just extract two rpms with the same name from two different distributions into separate directories and run a sha256sum on all the files in the different directories with the find command. Some files may be identical (most text files that are copied), others will not be.

It is virtually impossible for all produced packages to be 'binary compatible' UNLESS they are built with exactly the same files (not files BUILT from the same sources .. the exact same files) in the build root AND with exactly the same software doing the building. Any group that claims 'binary compatibility' is either lying or they do not understand compiling and linking.

CentOS never had that.  Neither does any rebuild.

This is why the CentOS Project 'CHANGED' our term from binary compatible to 'Functionally Compatible' a long time ago. (Using the same source code, we produce DIFFERENT software .. that works the same way but has different SHASUM values. Don't be fooled by key words like 'binary compatible' .. check it out for yourself.)

If you build kpatches to kernels, to make them work you need to build the kpatch for the specific kernel (CentOS would need to build against CentOS kernels, etc). Also, there are the certificate signing issues and keys that you would need to take into account. You need to have the CA Trust to be able to create signatures that the system will allow.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
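
The check suggested in the message above (extract two same-named RPMs and run sha256sum over every file), as an added example that is not part of the original post. The function names `extract_rpm`, `hash_tree` and `compare_trees` are chosen for this example, and it goes one step further than the message by pairing files by relative path so identical and differing files are reported side by side.

```shell
#!/bin/sh
# Added example: compare the payloads of two same-named RPMs that were
# built by different distributions. Function names are hypothetical.

# Unpack an RPM payload into a directory (needs rpm2cpio and GNU cpio).
extract_rpm() {
    rpm_file=$1; dest=$2
    mkdir -p "$dest" || return 1
    rpm2cpio "$rpm_file" | (cd "$dest" && cpio -idm --quiet)
}

# Print "<sha256>  <relative path>" for every regular file under $1.
hash_tree() {
    (cd "$1" && find . -type f -exec sha256sum {} +)
}

# Print one line per path: SAME, DIFF, ONLY_A or ONLY_B, sorted.
compare_trees() {
    a=$(mktemp) && b=$(mktemp) || return 1
    hash_tree "$1" > "$a"
    hash_tree "$2" > "$b"
    awk -v fa="$a" '
        # sha256sum prints 64 hex digits, two spaces, then the path
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == fa { in_a[path] = hash; next }
        { in_b[path] = hash }
        END {
            for (p in in_a) {
                if (!(p in in_b))            print "ONLY_A", p
                else if (in_a[p] == in_b[p]) print "SAME", p
                else                         print "DIFF", p
            }
            for (p in in_b) if (!(p in in_a)) print "ONLY_B", p
        }' "$a" "$b" | sort
    rm -f "$a" "$b"
}

# Usage: sh compare-rpms.sh distro-a/foo.rpm distro-b/foo.rpm
if [ "$#" -eq 2 ]; then
    work=$(mktemp -d) || exit 1
    extract_rpm "$1" "$work/a" && extract_rpm "$2" "$work/b" || exit 1
    compare_trees "$work/a" "$work/b"
fi
```
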