diff --git a/0001-contrib-disable-upstart-kpatch.conf-install.patch b/0001-contrib-disable-upstart-kpatch.conf-install.patch new file mode 100644 index 0000000..44eb5b4 --- /dev/null +++ b/0001-contrib-disable-upstart-kpatch.conf-install.patch @@ -0,0 +1,46 @@ +From f056d60fb309896a52882fd3fc10fb5305f5a47e Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Thu, 21 Jun 2018 15:40:20 -0400 +Subject: [PATCH] contrib: disable upstart kpatch.conf install + +Do not install the upstart configuration file to avoid this rhpkg +build complaint: + + Checking for unpackaged file(s): /usr/lib/rpm/check-files /builddir/build/BUILDROOT/kpatch-0.6.1-1.el7.noarch + error: Installed (but unpackaged) file(s) found: + /etc/init/kpatch.conf + Installed (but unpackaged) file(s) found: + /etc/init/kpatch.conf + +We'll need to think of a better way to do this upstream, but for now, +just skip the unneeded file on RHEL. + +Signed-off-by: Joe Lawrence +--- + contrib/Makefile | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/contrib/Makefile b/contrib/Makefile +index 0b0eeeb23a56..e873f27d6eae 100644 +--- a/contrib/Makefile ++++ b/contrib/Makefile +@@ -6,12 +6,12 @@ install: all + $(INSTALL) -d $(SYSTEMDDIR) + $(INSTALL) -m 0644 kpatch.service $(SYSTEMDDIR) + sed -i 's~PREFIX~$(PREFIX)~' $(SYSTEMDDIR)/kpatch.service +- $(INSTALL) -d $(UPSTARTDIR) +- $(INSTALL) -m 0644 kpatch.conf $(UPSTARTDIR) +- sed -i 's~PREFIX~$(PREFIX)~' $(UPSTARTDIR)/kpatch.conf ++# $(INSTALL) -d $(UPSTARTDIR) ++# $(INSTALL) -m 0644 kpatch.conf $(UPSTARTDIR) ++# sed -i 's~PREFIX~$(PREFIX)~' $(UPSTARTDIR)/kpatch.conf + + uninstall: + $(RM) $(SYSTEMDDIR)/kpatch.service +- $(RM) $(UPSTARTDIR)/kpatch.conf ++# $(RM) $(UPSTARTDIR)/kpatch.conf + + clean: +-- +1.8.3.1 + diff --git a/0002-kpatch-clarify-unload-unsupport.patch b/0002-kpatch-clarify-unload-unsupport.patch new file mode 100644 index 0000000..b1c0d2d --- /dev/null +++ b/0002-kpatch-clarify-unload-unsupport.patch @@ -0,0 +1,78 @@ +kpatch: clarify that "kpatch unload" isn't supported + +Add a user-prompt to the kpatch unload subcommand and make a similiar +mention in the manual page. + +Provide an undocumented force option so that QE and dev scripts can +still run unload kpatch modules from scripts. + +RHEL-only. + +Signed-off-by: Joe Lawrence +diff -Nupr kpatch-0.6.1.old/kpatch/kpatch kpatch-0.6.1/kpatch/kpatch +--- kpatch-0.9.2.old/kpatch/kpatch 2019-08-28 10:35:01.191259434 -0400 ++++ kpatch-0.9.2/kpatch/kpatch 2019-08-28 16:11:13.067926576 -0400 +@@ -49,8 +49,8 @@ usage () { + echo >&2 + usage_cmd "load --all" "load all installed patch modules into the running kernel" + usage_cmd "load " "load patch module into the running kernel" +- usage_cmd "unload --all" "unload all patch modules from the running kernel" +- usage_cmd "unload " "unload patch module from the running kernel" ++ usage_cmd "unload --all (UNSUPPORTED)" "unload all patch modules from the running kernel" ++ usage_cmd "unload (UNSUPPORTED)" "unload patch module from the running kernel" + echo >&2 + usage_cmd "info " "show information about a patch module" + echo >&2 +@@ -71,6 +71,16 @@ die() { + exit 1 + } + ++confirm_prompt() { ++ local prompt="$1" ++ local answer ++ while true; do ++ read -rp "$prompt [Y/N] " answer ++ [[ $answer == 'Y' || $answer == 'y' ]] && return 0 ++ [[ $answer == 'N' || $answer == 'n' ]] && return 1 ++ done ++} ++ + __find_module () { + MODULE="$1" + [[ -f "$MODULE" ]] && return +@@ -406,6 +416,19 @@ unset MODULE + init_sysfs_var + + [[ "$#" -lt 1 ]] && usage ++ ++# RHEL-specific support options ++case "$1" in ++"force") ++ # For scripting purposes, support "kpatch force unload". ++ # Shift out the "force" to avoid the user-prompt check below. ++ shift ++ ;; ++"unload") ++ confirm_prompt "WARNING: Red Hat doesn't support unloading of kpatches, continue anyway?" || exit 1 ++ ;; ++esac ++ + case "$1" in + "load") + [[ "$#" -ne 2 ]] && usage +diff -Nupr kpatch-0.6.1.old/man/kpatch.1 kpatch-0.6.1/man/kpatch.1 +--- kpatch-0.9.2.old/man/kpatch.1 2019-08-28 10:35:01.191259434 -0400 ++++ kpatch-0.9.2/man/kpatch.1 2019-08-28 14:51:23.268198897 -0400 +@@ -23,10 +23,10 @@ load --all + load + load patch module into the running kernel + +-unload --all ++unload --all (UNSUPPORTED) + unload all patch modules from the running kernel + +-unload ++unload (UNSUPPORTED) + unload patch module from the running kernel + + info diff --git a/0100-kpatch-wait-for-module-ref-counts-on-unload.patch b/0100-kpatch-wait-for-module-ref-counts-on-unload.patch new file mode 100644 index 0000000..2b10e15 --- /dev/null +++ b/0100-kpatch-wait-for-module-ref-counts-on-unload.patch @@ -0,0 +1,100 @@ +From cdee6bd650a35075515d4fe2bb67657811c9640c Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Mon, 16 Nov 2020 15:21:59 -0500 +Subject: [PATCH] kpatch: wait for module ref counts on unload + +There exists a very small timing window in which "kpatch unload" gets to +its "rmmod" step before the kpatch-patch module's reference count has +cleared and the "rmmod" fails. + +This is only a transient problem, but we can adopt code from upstream +livepatch kselftests which wait for the module refcounts to settle +before moving onto "rmmod". + +A small wrinkle is that this is not supported by the older kpatch.ko +core. The price for circumventing the activeness safety check via +KPATCH_FORCE_UNSAFE is that it must leave the kpatch patch modules in +place (see e1890e627a9b ("prevent rmmod of forced modules")). + +Signed-off-by: Joe Lawrence +--- + kpatch/kpatch | 40 ++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 38 insertions(+), 2 deletions(-) + +diff --git a/kpatch/kpatch b/kpatch/kpatch +index bca8f41..b35b742 100755 +--- a/kpatch/kpatch ++++ b/kpatch/kpatch +@@ -28,6 +28,7 @@ SCRIPTDIR="$(readlink -f "$(dirname "$(type -p "$0")")")" + VERSION="0.9.2" + POST_ENABLE_WAIT=15 # seconds + POST_SIGNAL_WAIT=60 # seconds ++MODULE_REF_WAIT=15 # seconds + + # How many times to try loading the patch if activeness safety check fails. + MAX_LOAD_ATTEMPTS=5 +@@ -125,6 +126,10 @@ find_core_module() { + return 1 + } + ++kpatch_core_loaded() { ++ grep -q -e "T kpatch_register" /proc/kallsyms ++} ++ + core_loaded () { + grep -q -e "T klp_enable_patch" -e "T kpatch_register" /proc/kallsyms + } +@@ -265,6 +270,31 @@ wait_for_patch_transition() { + return 1 + } + ++module_ref_count() { ++ local modname="$1" ++ [[ $(cat "/sys/module/$modname/refcnt" 2>/dev/null) != "0" ]] ++} ++ ++wait_for_zero_module_ref_count() { ++ local modname="$1" ++ local i=0 ++ ++ # We can't rely on a zero refcount with kpatch.ko as it ++ # implements KPATCH_FORCE_UNSAFE with an additional reference on ++ # kpatch-patch modules to avoid potential crashes. ++ kpatch_core_loaded && return 0 ++ ++ module_ref_count "$modname" || return 0 ++ ++ echo "waiting (up to $MODULE_REF_WAIT seconds) for module refcount..." ++ for (( i=0; i /dev/null || return 0 ++ rmmod "$modname" 2> /dev/null || return 0 + } + + unload_module () { +-- +2.25.4 + diff --git a/0200-Makefile-set-install-permission-modes.patch b/0200-Makefile-set-install-permission-modes.patch new file mode 100644 index 0000000..aecd225 --- /dev/null +++ b/0200-Makefile-set-install-permission-modes.patch @@ -0,0 +1,39 @@ +From 73f6d5cdb2a4ce78cec6f49517116a3c7616f393 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Thu, 12 Nov 2020 15:15:47 -0500 +Subject: [PATCH] Makefile: set install permission modes + +By default, the install command will apply rwxr-xr-x permissions (how +intuitive). Give the command expected file modes to avoid rpmbuild +complaints like this: + + *** WARNING: ./usr/lib/python3.9/site-packages/dnf-plugins/kpatch.py is executable but has no shebang, removing executable bit + *** WARNING: ./etc/dnf/plugins/kpatch.conf is executable but has no shebang, removing executable bit + +Signed-off-by: Joe Lawrence +--- + Makefile | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Makefile b/Makefile +index fb92d06..77c8eb5 100644 +--- a/Makefile ++++ b/Makefile +@@ -23,11 +23,11 @@ all: $(TARGETS) + + install: $(TARGETS) + install -d $(MANDIR) +- install man/dnf.kpatch.8.gz $(MANDIR) ++ install -m 644 man/dnf.kpatch.8.gz $(MANDIR) + install -d $(CONFDIR) +- install conf/kpatch.conf $(CONFDIR) ++ install -m 644 conf/kpatch.conf $(CONFDIR) + install -d $(DNFPLUGINDIR) +- install kpatch.py $(DNFPLUGINDIR) ++ install -m 644 kpatch.py $(DNFPLUGINDIR) + + %.gz: % + gzip --keep $^ +-- +2.25.4 + diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..c821aac --- /dev/null +++ b/gating.yaml @@ -0,0 +1,6 @@ +--- !Policy +product_versions: + - rhel-9 +decision_context: osci_compose_gate +rules: + - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.general-kpatch.tier0.functional} diff --git a/kpatch.spec b/kpatch.spec new file mode 100644 index 0000000..8cb3c68 --- /dev/null +++ b/kpatch.spec @@ -0,0 +1,90 @@ +%define kpatch_dnf_ver 0.2 + +Name: kpatch +Version: 0.9.2 +Release: 1%{?dist} +Summary: Dynamic kernel patch manager + +Group: System Environment/Kernel +License: GPLv2 +URL: https://github.com/dynup/kpatch +Source0: https://github.com/dynup/kpatch/archive/v%{version}.tar.gz +Source1: kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz + +# RHEL-only +Patch0: 0001-contrib-disable-upstart-kpatch.conf-install.patch +Patch1: 0002-kpatch-clarify-unload-unsupport.patch + +# Upstream backports +Patch100: 0100-kpatch-wait-for-module-ref-counts-on-unload.patch + +# kpatch-dnf backports +Patch200: 0200-Makefile-set-install-permission-modes.patch + +Requires: bash kmod binutils +Recommends: kpatch-dnf + +BuildArch: noarch + + +%description +kpatch is a live kernel patch module manager. It allows the user to manage +a collection of binary kernel patch modules which can be used to dynamically +patch the kernel without rebooting. + + +%package -n kpatch-dnf +Summary: kpatch-patch manager plugin for DNF +Version: %kpatch_dnf_ver +Release: 2%{?dist} +BuildRequires: python3-devel python3-dnf +Requires: python3 python3-dnf python3-hawkey +Provides: kpatch-dnf + +%description -n kpatch-dnf +kpatch-dnf is a DNF plugin than manages subcription to kpatch-patch updates. +When enabled, kernel packages are automatically subscribed to corresponding +kpatch-patch packages updates. + +%prep +%setup -q +%patch0 -p1 +%patch1 -p1 +%patch100 -p1 + +%setup -D -T -a 1 +cd kpatch-dnf-%{kpatch_dnf_ver} +%patch200 -p1 +cd .. + +%build +make -C man + +make -C kpatch-dnf-%{kpatch_dnf_ver} + +%install +make install PREFIX=/usr DESTDIR=%{buildroot} -C kpatch +make install PREFIX=/usr DESTDIR=%{buildroot} -C man +make install PREFIX=/usr DESTDIR=%{buildroot} -C contrib +rm -f %{buildroot}/usr/share/man/man1/kpatch-build.1.gz + +make install PREFIX=/usr DESTDIR=%{buildroot} PYTHONSITES=%{python3_sitelib} -C kpatch-dnf-%{kpatch_dnf_ver} + +%files +%{_sbindir}/kpatch +%{_usr}/lib/systemd/system/kpatch.service +%doc %{_mandir}/man1/kpatch.1.gz + +%files -n kpatch-dnf +%{python3_sitelib}/dnf-plugins/kpatch.py +%{python3_sitelib}/dnf-plugins/__pycache__ +%config(noreplace) %{_sysconfdir}/dnf/plugins/kpatch.conf +%doc %{_mandir}/man8/dnf.kpatch.8.gz + +%post -n kpatch-dnf +echo "To enable automatic kpatch-patch subscription, run:" +echo -e "\t$ dnf kpatch auto" + +%changelog +* Wed Dec 2 2020 Joe Lawrence 0.9.2-1 +- initial kpatch utility build for rhel-9.0.0 (rhbz#1901593) diff --git a/sources b/sources new file mode 100644 index 0000000..b4a5b2b --- /dev/null +++ b/sources @@ -0,0 +1,2 @@ +7290837c74e9d758f867e81d87035afa v0.9.2.tar.gz +3d9859136686aa6b691ec8b0d8be6e92 kpatch-dnf-v0.2.tar.gz