kpatch-build: add support for openEuler #1263
Conversation
|
Test log in openEuler 21.09 (x86_64): [anatasluo@localhost ~]$ ./kpatch/kpatch-build/kpatch-build 1.patch fs/proc/version.c | 1 + diff --git a/fs/proc/version.c b/fs/proc/version.c static int version_proc_show(struct seq_file *m, void *v)
[anatasluo@localhost ~]$ sudo insmod livepatch-1.ko |
kpatch-build/kpatch-build
Outdated
|
|
||
| echo "Fedora/Red Hat distribution detected" | ||
| echo "Fedora/Red Hat/OpenEuler distribution detected" |
There was a problem hiding this comment.
Since this now covers so many distros, how about we make the message more custom:
[[ "$DISTRO" = fedora ]] && echo "Fedora distribution detected"
[[ "$DISTRO" = rhel ]] && echo "RHEL distribution detected"
etc ...
There was a problem hiding this comment.
It looks better now.
kpatch-build/kpatch-build
Outdated
| @@ -773,7 +773,13 @@ else | |||
| rpmbuild -D "_topdir $RPMTOPDIR" -bp --nodeps "--target=$(uname -m)" "$RPMTOPDIR"/SPECS/kernel$ALT.spec 2>&1 | logger || | |||
| die "rpmbuild -bp failed. you may need to run 'yum-builddep kernel' first." | |||
|
|
|||
| mv "$RPMTOPDIR"/BUILD/kernel-*/linux-* "$KERNEL_SRCDIR" 2>&1 | logger || die | |||
| if [[ "$DISTRO" = openEuler ]]; then | |||
| # openEuler has two dirctories with the same content after 'rpm -D' | |||
kpatch-build/kpatch-build
Outdated
| [[ "$DISTRO" = fedora ]] && echo "Fedora distribution detected" | ||
| [[ "$DISTRO" = rhel ]] && echo "RHEL distribution detected" | ||
| [[ "$DISTRO" = ol ]] && echo "Oracle Linux distribution detected" | ||
| [[ "$DISTRO" = centos ]] && echo "Centos distribution detected" |
There was a problem hiding this comment.
sorry for this mistake, already fix it now.
| @@ -841,6 +855,9 @@ fi | |||
| # shellcheck disable=SC1090 | |||
| source "$CONFIGFILE" | |||
|
|
|||
| [[ "$DISTRO" = openEuler ]] && [[ -z "$CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY" ]] && \ | |||
| die "openEuler kernel doesn't have 'CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY' enabled" | |||
There was a problem hiding this comment.
I'm guessing OpenEuler sets CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY by default, but is it absolutely necessary that it be turned on for this distro? IOW, could one build conventional livepatches on this kernel? Thanks.
There was a problem hiding this comment.
Q: Could one build conventional livepatches on this kernel?
A: yes, but absolutely necessary to need CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY set.
As we can see from the source code of the openEuler, without CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY, there is even no klp_enable_patch function.
Q: Is CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY set by default?
A: It depends on the version of the kernel. From this openEuler commit, I think they prefer to use their own strategy.
|
@joe-lawrence I have added some instructions in the commit log. It is a good idea to add complete instructions to the install.md file. I will do it later this week. |
anatasluo
force-pushed
the
master
branch
7 times, most recently
from
ef3dd60 to
910ac3d
Compare
|
@joe-lawrence I have added some instructions in INSTALL.md. I am not sure it is organized very well. |
| @@ -206,3 +207,123 @@ Alternatively, the kpatch and kpatch-build scripts can be run directly from the | |||
| git tree. | |||
|
|
|||
|
|
|||
| ### OpenEuler | |||
There was a problem hiding this comment.
I think the whole "OpenEuler" section needs to go a bit further up in the file, before the "Build" and "Install" sections (they are general sections and not specific to Gentoo).
doc/INSTALL.md
Outdated
| When CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY set, openEuler uses the conventional strategy. | ||
|
|
||
| Only one config option can take effect at the same time. | ||
| Differences between two strategies will not be discussed here, but you can easily guess them from config names. |
There was a problem hiding this comment.
Does (Open)Euler document the differences anywhere? If so, it would be nice if we could provide the user a link.
There was a problem hiding this comment.
After some searching work, I find they have their own version of kpatch which is https://gitee.com/src-openeuler/kpatch. I also find a blog written by the openEuler official which describes the differences. The link is https://www.modb.pro/db/232858. Sadly, they are both written in chinese. I have added these information to the document.
doc/INSTALL.md
Outdated
|
|
||
| Check whether your current kernel compiled with *CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY* | ||
| ```bash | ||
| grep -rn "CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY" /boot/config-$(uname -r) |
There was a problem hiding this comment.
nit: maybe grep -rn is muscle memory :) but strictly speaking, I think recursive search and line numbers aren't needed for this check
There was a problem hiding this comment.
yeah, it looks better now, already fix it.
|
|
||
| If you see any output, it means your kernel satisfies, you can go directly to check step 2. | ||
|
|
||
| If not, then you need to recompile your current kernel with CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY set. |
There was a problem hiding this comment.
Not knowing much about OpenEuler, I read this as implying that CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY is required. Just curious if that is true and how/when are CONFIG_LIVEPATCH_STOP_MACHINE_CONSISTENCY livepatches built?
There was a problem hiding this comment.
openEuler maintains their own version of kpatch, already add its link to the document.
| 3. recompile kernel and install it to your running environment. | ||
|
|
||
| Just to remind, after installing the recompiled kernel, the config file should also be updated. | ||
|
|
There was a problem hiding this comment.
Kernel build instructions look fine, though if OpenEuler provides their own wiki or howto (even if not in English), we could alternately link there in case any details change.
There was a problem hiding this comment.
Sorry, I can not find any official blog from the openEuler about how to recompile the kernel. Actually, I get most of these information from reading source code. Their official documents are very insufficient.
As I noticed, commit eaaced1 has added partial support for openEuler. This patch enables usage in openEuler like: kpatch-build xxxx.patch I test it in openEuler 21.09, for people who want to use kpatch in openEuler, two more steps are needed. 1) add repo source source rpm package of openEuler kernel are put in two places. One is https://repo.openeuler.org/openEuler-21.09/source/ Another one is https://repo.openeuler.org/openEuler-21.09/update/source/ The latter one is not inclued in rpm repo lists by default. 2) compile kernel with CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY enabled openEuler has its own strategy when trying to apply patches. We can use the klp_enable_patch function only when CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY is enabled. Signed-off-by: anatasluo <luolongjuna@gmail.com>
|
@jpoimboe @joe-lawrence After some tests, I found there is no need to run Actually, these two packages are from kpatch maintained by openEuler, and it will probably make people confused. So, I remove it from kpatch_openEuler_dependencies, and that is the content of my closest commit. |
|
@anatasluo : thanks for updating, though it looks like the INSTALL.md updates were lost in the last force push? Those looked pretty good. |
Signed-off-by: anatasluo <luolongjuna@gmail.com>
Sorry, I forgot to add it to the commit. Already add it now. |
|
@anatasluo : just wondering, what kind of kpatches have you been building on OpenEuler? |
|
@jpoimboe My test log is here: #1263 (comment) This log includes my test patch. Currently, I am trying to solve some CVE using kpatch on openEuler. |
As I noticed, commit eaaced1 has added
partial support for openEuler.
This patch enables usage in openEuler like:
kaptch-build xxxx.patch
I test it in openEuler 21.09, for people who
want to use kpatch in openEuler, two more steps
are needed.
add repo source
source rpm package of openEuler kernel are put in
two places. One is
https://repo.openeuler.org/openEuler-21.09/source/
Another one is
https://repo.openeuler.org/openEuler-21.09/update/source/
The latter one is not included in rpm repo lists by default.
compile kernel with CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY enabled
openEuler has its own strategy when trying to apply patches.
We can only use klp_enable_patch function when
CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY enabled.
Signed-off-by: anatasluo luolongjuna@gmail.com