Using a RHEL-9.2 or 9.4 image, investigate kpatch functions and possibilities. Report finding (features, limitations, how to use it) bellow.

Findings summary

How does the tool work

Following the official doc, the following packages have to be installed:

• kpatch
• kpatch-dnf (optional)

Once we have kpatch available, we can then install the kpatch-patch-VERSION package, where VERSION must match the current kernel ( uname -r )

What it does

The official documentation provides the insights

Basically, it loads a module in the kernel, and triggers refresh to processes. We can also manually "signal" processes, but it would work only on systems with sysfs livepatch signal interface.

How can it help an in-place update

It would allow to patch current kernel without the need to reboot the whole host, easing the whole process since users won't need to drain the host before the reboot, making the whole update process more predictable.

Check next sections about limitations and concerns.

Concerns and limitations

kpatch is NOT for kernel update, but only to apply simple security and bug fixes.
Even minor kernel upgrade are a no-go with kpatch. This also means major CVE might not be corrected via kpatch.

How to automate kpatch

Due to its limitations, it really should be an optional tool to trigger. It should be an option in the update process (not upgrade), or even a standalone process admins could run against a fleet of nodes.

This example playbook manages only the kpatch part against all nodes in the inventory, and could serve as a documented way to run it as a standalone step:

- name: Apply kpatch
  hosts: all
  gather_facts: false
  tasks:
    - name: Gather minimal facts
      ansible.builtin.setup:
        gather_subset:
          - '!all,!min'
          - 'kernel'

    - name: Install kpatch dependencies
      ansible.builtin.package:
        name:
          - kpatch
          - kpatch-dnf
        state: latest

    - name: Install kpatch-patch if available
      ansible.builtin.dnf:
        name: "kpatch-patch = {{ ansible_facts['kernel'] }}"
        state: present

Integration in the update process would involve some more work, the addition of a new parameter/boolean to toggle that feature, and the added feature to not update any kernel package when we enable kpatch.

Integration in edpm-ansible "edpm_update" role

We could add a new parameter, for instance edpm_update_kpatch as a boolean (default: false) to the role. Then, we would have to:

• ensure relevant package is installed
• ensure we have ansible_facts['kernel'] at least
• ensure kernel related packages are injected in the existing edpm_update_exclude_packages parameter (like it's done for openvswitch here)
• install kpatch-patch-KERNEL_VERSION

and, finally, ensure we don't reboot the node when edpm_update_kpatch is set to true (not sure where this is managed).