(no title)

The core code behind kSplice/kGraft have been upstream since Linux 4.0 and both Red Hat and SUSE support it (in fact, many security patches are released this way). I believe that some less enterprise-y disros like Fedora and Ubuntu support it too.

The issue isn't whether it's supported, the problem is that live patching is limited in what it can patch (when functions are inlined it can become impossible to patch them and so on). So while a machine with 4 years uptime might be live patched there are some security issues that cannot be patched that way (for instance, the retpoline patches for Meltdown/Spectre require all function pointers to have different calling conventions and that requires a reboot).

> but almost no distro actually supports it

Ubuntu supports it officially, so does Fedora. From my experience it works more or less fine on CentOS, so probably RHEL too. For Suse there is kGraft, so basically >90% of install base supports live patching.

> It's technically possible with Ksplice, but almost no distro actually supports it.

SLES, RHEL, and Ubuntu all support live patching

https://www.suse.com/documentation/sles-15/book_sle_admin/da...

https://access.redhat.com/documentation/en-us/red_hat_enterp...

https://www.ubuntu.com/livepatch

In addition to the solutions in my sibling comment, there is also the commercial (but cheap) KernelCare (https://www.kernelcare.com/), which supports basically every major server OS (https://patches.kernelcare.com/).

I run it on all dedicated servers, as well as managed servers where we can easily pass the cost on.

They're currently releasing livepatches across all the kernel builds to address the Intel MDS stuff (at least the kernel-based mitigations) and it's all very pleasant and hands-off.