Staying ahead of artificial intelligence threats

September 17, 2025
Pedro Navarro Perez
Related topics: Artificial intelligence, Linux, Security
Related products: Red Hat Enterprise Linux, Red Hat OpenShift


    In this article, you will learn about kernel live patching for Red Hat OpenStack Services on OpenShift environments. The year 2024 marked a significant milestone, with over 40,000 Common Vulnerabilities and Exposures (CVEs) published, a 38% increase from the 28,818 CVEs in 2023. According to an lwn.net report, this continues a seven-year run of record-high CVE publications since 2017. Experts predict another record-breaking year in 2025, with estimates ranging from 48,675 to 58,956 new CVEs, which will likely push the cumulative total above 300,000.

    Given the escalating speed and sophistication of AI-powered attacks, as well as the continuous surge in CVEs, kernel live patching has become an indispensable practice, especially for critical systems and servers. 

    What is Linux kernel live patching?

    Linux kernel live patching is a method for applying critical security patches to a running Linux kernel without the need to reboot or interrupt runtime.

    Without live patching, applying a patch typically requires restarting the patched service or application so that it loads the new code. This is true even for patches applied to the Linux kernel itself, which creates a conundrum for Linux system administrators: they need to apply urgent security updates, but doing so means unscheduled reboots of the Linux server, with the attendant latency and downtime.

    Learn more about kernel live patch mechanics. 

    OpenStack Services on OpenShift environments

    Starting with feature release 2, users can test a technology preview of kernel live patching support for OpenStack Services on OpenShift compute nodes. With this feature, users can apply critical security patches to a running Linux kernel in-memory, without needing to reboot or interrupt the runtime. This means you no longer need to drain the clusters and migrate the workload when applying CVE patches that require kernel updates, resulting in fewer maintenance windows.

    The process entails the operator creating a file, kpatch-deployment.yaml, containing an OpenStackDataPlaneDeployment custom resource (CR) as follows:

    apiVersion: dataplane.openstack.org/v1beta1
    kind: OpenStackDataPlaneDeployment
    metadata:
      name: apply-kpatch
      namespace: openstack
    spec:
      nodeSets:
      - <nodeSet_name>                                    # 1
      servicesOverride:
      - update                                            # 2
      ansibleExtraVars:                                   # 3
        edpm_update_enable_kpatch: true
      ansibleLimit: <node_hostname>,...,<node_hostname>   # 4
    1. Lists the OpenStackDataPlaneNodeSet CRs that contain the nodes to which you are applying kernel live patching.
    2. Specifies update as the only service to execute.
    3. Enables kernel live patching by setting the edpm_update_enable_kpatch Ansible variable to true.
    4. Optional: Lists the individual nodes in the node set on which to run the kernel live patch process. If not set, all the nodes in the node set are affected.

    The operator then applies the kpatch-deployment.yaml file, as shown in Figure 1:

    oc apply -f kpatch-deployment.yaml
    Figure 1: Kernel live patching in a Red Hat OpenStack Service on OpenShift environment.

    You can view the Ansible logs while the deployment executes as follows:

    oc get pod -l app=openstackansibleee -w
    oc logs update-apply-kpatch-openstack-edpm-2z6hb

    Finally, check that the kernel live patching process has been applied successfully:

    oc get openstackdataplanedeployment

    NAME                        NODESETS             STATUS   MESSAGE
    edpm-deployment-post-ceph   ["openstack-edpm"]   True     Setup complete
    edpm-deployment-pre-ceph    ["openstack-edpm"]   True     Setup complete
    apply-kpatch                ["openstack-edpm"]   False    Deployment in progress

    The apply-kpatch deployment reports STATUS False with "Deployment in progress" while the update service is still running on the targeted nodes; it switches to True once the live patch has been applied on all of them.
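The procedure above (render the CR, apply it, watch the deployment, and poll `oc get openstackdataplanedeployment` until STATUS is True) collected into one shell script. This is an added example, not Red Hat's or the dataplane operator's own tooling: the function names are my own, the node set name openstack-edpm and the hostnames compute-0 and compute-1 are placeholders, and the sample `oc get` output is constructed to match the table in the article so the status check can be exercised without a cluster.

```shell
#!/usr/bin/env bash
# Added example (not Red Hat's own tooling): render the kernel live patching
# OpenStackDataPlaneDeployment CR from the article, apply it, and verify that
# the deployment reaches STATUS True. Node set name and hostnames are
# parameters; the sample `oc get` output below is constructed for the demo.
set -eu

# Render the CR manifest. $1 = node set name; any further arguments are node
# hostnames joined into the optional ansibleLimit (omitted when none given,
# which targets every node in the node set, as the article describes).
render_kpatch_cr() {
    nodeset="$1"; shift
    cat <<EOF
apiVersion: dataplane.openstack.org/v1beta1
kind: OpenStackDataPlaneDeployment
metadata:
  name: apply-kpatch
  namespace: openstack
spec:
  nodeSets:
  - ${nodeset}
  servicesOverride:
  - update
  ansibleExtraVars:
    edpm_update_enable_kpatch: true
EOF
    if [ "$#" -gt 0 ]; then
        # Join the hostnames with commas, the form ansibleLimit expects.
        printf '  ansibleLimit: %s\n' "$(IFS=,; printf '%s' "$*")"
    fi
}

# Read `oc get openstackdataplanedeployment` output on stdin and print the
# STATUS column (True/False) for the named deployment, or "missing".
deployment_status() {
    awk -v name="$1" '
        NR > 1 && $1 == name { print $3; found = 1 }
        END { if (!found) print "missing" }'
}

# Poll until the named deployment reports STATUS True; give up after the
# timeout (seconds) so a stuck update does not block a maintenance script.
wait_for_deployment() {
    name="$1"; timeout="${2:-1800}"; elapsed=0; status=unknown
    while [ "$elapsed" -lt "$timeout" ]; do
        status=$(oc get openstackdataplanedeployment -n openstack | deployment_status "$name")
        if [ "$status" = "True" ]; then
            return 0
        fi
        sleep 30
        elapsed=$((elapsed + 30))
    done
    echo "deployment $name did not complete within ${timeout}s (last status: $status)" >&2
    return 1
}

# Constructed sample of `oc get openstackdataplanedeployment` output, in the
# shape shown in the article, used here instead of a live cluster.
SAMPLE_OC_OUTPUT='NAME                        NODESETS             STATUS   MESSAGE
edpm-deployment-post-ceph   ["openstack-edpm"]   True     Setup complete
edpm-deployment-pre-ceph    ["openstack-edpm"]   True     Setup complete
apply-kpatch                ["openstack-edpm"]   False    Deployment in progress'

# Demo: print the rendered CR and the parsed status of the sample output.
# Against a real cluster the same functions are used as:
#   render_kpatch_cr openstack-edpm compute-0 compute-1 | oc apply -f -
#   wait_for_deployment apply-kpatch
render_kpatch_cr openstack-edpm compute-0 compute-1
printf '%s\n' "$SAMPLE_OC_OUTPUT" | deployment_status apply-kpatch
```

The status parser reads stdin so it works identically on the live `oc get` output and on the constructed sample; the poll loop returns non-zero on timeout, which lets a maintenance script stop rather than assume the patch landed.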

    Redefine your maintenance windows

    Kernel live patching offers significant operational advantages by fundamentally changing how you approach system maintenance and security updates:

    • Allows you to apply critical and important security patches to a running Linux kernel, without the need to reboot or interrupt runtime.
    • No need to drain the clusters and migrate the workload.
    • Results in fewer maintenance windows.

    Try it

    Leveraging kernel live patching is a great way to keep your infrastructure updated and minimize the amount of manual work required. General Availability of kernel live patching for Red Hat OpenStack Services on OpenShift is targeted for feature release 4 and expected in November 2025.

    You can learn more in the Linux kernel's livepatch documentation and in the Red Hat Enterprise Linux documentation on applying patches with kernel live patching.
