On 26/07/24 20:21, Jason Wu Yong via rocky wrote:
> Hello, I am an operation and maintenance staff of a company. I would like to ask a question: Currently our products run on the Rocky Linux system, but according to the official introduction of Rocky Linux, a minor version upgrade is carried out every six months; and then the previous minor version will reach EOL; this is very troublesome for us, because we also need to upgrade every six months; after the upgrade, we need to restart the server to update the kernel; if we have thousands of servers, our workload will be too large; why not adjust the EOL time of the previous minor version to a longer time?
Indeed I can see how this can be an issue for embedded systems and such, but keep these points in mind:
* You don't actually *have* to restart the system to the newer kernel, you can keep running it under the old kernel just fine, even after updating to a new point release.
* This can happen even within a point release, really any time there is a kernel update for whatever reason.
* You can use kpatch to install critical patches to the live running kernel without rebooting the system. Unfortunately Rocky Linux does not (unless I'm mistaken) provide the kernel-patch rpms for doing so. You can potentially generate your own patches for kpatch or you can get a RHEL subscription and use their patches.
* The kernel is not the only package where you should want to restart the system. If there are critical updates to glibc you should restart as well, and potentially certain other packages.
* You can get support for staying on a point release past the EOL from certain third parties.
* A simple dnf update followed by a reboot is all that is needed to update to a new point release, or to get the latest updates to the current point release.
In your situation you may want to consider pinning the kernel and just running updates monthly but not rebooting. In cases where there are critical kernel or glibc vulnerabilities *then* you can update the kernel explicitly and do a reboot. Also, as mentioned above, kpatch was made for your situation.
Peter
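
An added example, not part of the original message: a shell check for the "update monthly, reboot only when it matters" routine described above, listing what on a host is still running pre-update code. The function names and the CHECK_HOST switch are assumptions of this sketch, and whether a listed item is critical enough to reboot for remains the operator's call.

```shell
#!/bin/sh
# Added example. Monthly update with the kernel held back (dnf's real
# --exclude option):  dnf -y update --exclude='kernel*'
# The script below then reports what still runs from before the update.

# newest_kernel: read version strings on stdin, print the highest.
# sort -V approximates RPM version ordering (assumption; adequate for
# kernels of one stream such as 5.14.0-427.x).
newest_kernel() {
    sort -V | tail -n 1
}

# pending_restart_items RUNNING NEWEST BOOT_EPOCH GLIBC_INSTALL_EPOCH
# Prints one line per item that only a reboot brings fully into effect;
# prints nothing when the host is current.
pending_restart_items() {
    if [ "$1" != "$2" ]; then
        echo "kernel: running $1, newest installed $2"
    fi
    if [ "$4" -gt "$3" ]; then
        echo "glibc: updated after boot; running processes still map the old copy"
    fi
}

# collect_and_report: gather the four inputs on an RPM-based host.
collect_and_report() {
    running=$(uname -r)
    newest=$(rpm -q kernel-core --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' | newest_kernel)
    boot=$(awk '/^btime/ {print $2}' /proc/stat)
    # glibc may be installed for more than one arch; take the latest time.
    glibc_time=$(rpm -q glibc --qf '%{INSTALLTIME}\n' | sort -n | tail -n 1)
    items=$(pending_restart_items "$running" "$newest" "$boot" "$glibc_time")
    if [ -n "$items" ]; then
        printf 'pending until reboot:\n%s\n' "$items"
        return 1
    fi
    echo "nothing pending"
}

# Query the live host only when asked: CHECK_HOST=1 sh reboot-check.sh
if [ "${CHECK_HOST:-0}" = 1 ]; then
    collect_and_report
fi
```

Run across a fleet, the non-zero exit status marks the hosts that have something pending, so reboots can be scheduled only where a critical kernel or glibc fix is involved.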