Linux Kernel Live Patching Prompt
Plan and operate kernel live patching (kpatch, kGraft, Canonical Livepatch) to apply CVE fixes without rebooting — eligibility, consistency model, rollout, fallback, and when a real reboot is still mandatory.
- Target user: Linux admins maintaining uptime-sensitive fleets
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior Linux platform engineer who has run kernel live patching across thousands of hosts, and you know exactly which CVEs livepatch can fix without a reboot and which ones it can't.

I will provide:

- Distro and kernel version (`uname -r`), and the live-patch tooling available (kpatch on RHEL, `canonical-livepatch` on Ubuntu, SUSE kGraft)
- The CVE(s) or fixes I want to apply
- Fleet constraints: maintenance windows, HA topology, how many hosts
- Whether hosts are on a supported/subscribed kernel for livepatch

Your job:

1. **Eligibility check** — confirm my kernel is one the vendor ships live patches for (livepatch only works on specific supported kernels). State plainly if I'm on an unsupported/custom kernel and live patching is off the table.
2. **What livepatch CAN and CANNOT fix** — it patches function bodies in the running kernel. It CANNOT change data structures, add fields, or alter init paths — those need a reboot. Map each of my CVEs to "live-patchable" vs "reboot-required" and say so honestly.
3. **The consistency model** — explain the per-task transition (livepatch waits until no task is in the old function on its stack). Explain why a process stuck in a long syscall can stall the transition and how to spot it (`/sys/kernel/livepatch/*/transition`).
4. **Apply** — exact commands: `kpatch install`/`kpatch load`, or `canonical-livepatch enable <token>` + `status`. Show how to make it persist across reboots (so the patched kernel module reloads).
5. **Rollout strategy** — canary a few hosts, verify `kpatch list` / `livepatch status` shows applied, soak, then fleet-wide. Stagger across HA pairs.
6. **Fallback** — `kpatch unload` to revert a live patch; and the truth that live patching DEFERS but does not eliminate the eventual reboot to the fully-fixed kernel — track a reboot debt.
7. **Anti-patterns** — treating livepatch as a forever substitute for reboots (kernel drift, growing reboot debt), applying on unsupported kernels, no canary, not monitoring stalled transitions, forgetting to also install the updated kernel package for the next boot.

Output as: (a) per-CVE live-patchable/reboot table, (b) the exact apply + persist commands for my distro, (c) the canary→fleet rollout plan, (d) the unload/fallback step, (e) how I'll track and eventually pay down reboot debt.
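The stalled-transition check in step 3 and the post-apply verification in step 5 are the kind of thing a canary host should report automatically. The script below is an added example, not part of the prompt above and not from kpatch or Canonical's tooling: it walks the livepatch sysfs tree (`/sys/kernel/livepatch/<patch>/{enabled,transition}`), reports every loaded patch, and returns non-zero if any patch is still in transition; a second function lists the tasks whose `/proc/<pid>/patch_state` still differs from the target state, which is where a long-running syscall shows up. Both functions take a root directory argument so they can run against the constructed fake tree built by `make_fake_livepatch_tree`; the patch names `livepatch_cve_a` and `livepatch_cve_b` are invented for the demo.

```shell
#!/bin/sh
# Added example: verify livepatch state from sysfs/procfs on a host.
# Real roots are /sys/kernel/livepatch and /proc; the arguments exist so the
# same functions run against a constructed fake tree for offline testing.

# Print "<patch> enabled=<0|1> transition=<0|1>" per patch.
# Return 0 when no patch is mid-transition, 1 when at least one is stalled.
check_livepatch_transitions() {
    base="${1:-/sys/kernel/livepatch}"
    stalled=0
    if [ ! -d "$base" ]; then
        echo "no livepatch sysfs at $base (no live patches loaded)"
        return 0
    fi
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        enabled=$(cat "$d/enabled" 2>/dev/null || echo "?")
        transition=$(cat "$d/transition" 2>/dev/null || echo "?")
        echo "$name enabled=$enabled transition=$transition"
        [ "$transition" = "1" ] && stalled=1
    done
    return $stalled
}

# During a transition the kernel exposes each task's state in
# /proc/<pid>/patch_state: -1 = no transition, 0 = unpatched, 1 = patched.
# List the PIDs whose state differs from the target (1 when enabling,
# 0 when unloading); these are the tasks holding the transition open.
list_tasks_blocking_transition() {
    procroot="${1:-/proc}"
    target="${2:-1}"
    for f in "$procroot"/[0-9]*/patch_state; do
        [ -f "$f" ] || continue
        state=$(cat "$f" 2>/dev/null || echo "-1")
        [ "$state" = "-1" ] && continue
        if [ "$state" != "$target" ]; then
            pid=$(basename "$(dirname "$f")")
            echo "$pid"
        fi
    done
}

# Constructed fake sysfs tree: patch "a" fully applied, patch "b" still in
# transition. Prints the temp directory so callers can inspect or clean it up.
make_fake_livepatch_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/livepatch_cve_a" "$root/livepatch_cve_b"
    printf '1\n' > "$root/livepatch_cve_a/enabled"
    printf '0\n' > "$root/livepatch_cve_a/transition"
    printf '1\n' > "$root/livepatch_cve_b/enabled"
    printf '1\n' > "$root/livepatch_cve_b/transition"
    echo "$root"
}

# Constructed fake /proc: pid 100 already patched, pid 200 still unpatched
# (think: blocked in a long syscall), pid 300 not taking part in a transition.
make_fake_proc_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/100" "$root/200" "$root/300"
    printf '1\n'  > "$root/100/patch_state"
    printf '0\n'  > "$root/200/patch_state"
    printf '%s\n' "-1" > "$root/300/patch_state"
    echo "$root"
}

# Stand-alone demo against the constructed trees.
if [ "${LIVEPATCH_DEMO:-1}" = "1" ]; then
    sysroot=$(make_fake_livepatch_tree)
    procroot=$(make_fake_proc_tree)
    check_livepatch_transitions "$sysroot" || echo "WARNING: a live patch is stalled in transition"
    echo "tasks still unpatched:"
    list_tasks_blocking_transition "$procroot" 1
    rm -rf "$sysroot" "$procroot"
fi
```

On a real host run `check_livepatch_transitions` with no arguments after `kpatch load` or `canonical-livepatch enable`, and treat a non-zero exit on a canary as "do not proceed to the fleet" until the listed PIDs finish or are dealt with.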