Amazon Linux 2 livepatch yum update failure

I decided to just disable live patching on the instance. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/al2-live-patching.html#al2-live-patching-disable

Hi, we recently fixed a similar yum dependency issue and released a new version of yum livepatch plugin: yum-plugin-kernel-livepatch-1.0-0.9.amzn2.

Could you please try updating the yum livepatch plugin, if you have not done so, and see if it fixes the issue?

Edited by: awsethan on Jul 7, 2021 10:04 AM

Sorry, no, I'm no longer using livepatch.

Hi,

I am experiencing the same problem on all my AMZN2 instances. Looking at what it wants to do I can see that it wants to install the Live Patch package for a Kernel that is about to be removed. As you can see I'm already using the version yum-plugin-kernel-livepatch-1.0-0.9.amzn2.noarch but I still can't update the servers kernels without removing and adding back livepatch modules with a reboot in-between.

I noticed I can work around my issue by changing the value in yum.conf, I limit my installed kernel count:
from (broken)
installonly_limit=3
to (temp fix)
installonly_limit=4

This temporarily fixed the issue as when the next kernel release comes, livepatch will also try to install the livepatch version but yum would probably remove the kernel.

Error:
--> Finished Dependency Resolution
Error: Package: kernel-livepatch-4.14.231-173.361-1.0-2.amzn2.x86_64 (@amzn2extra-livepatch)
Requires: kernel = 4.14.231-173.361.amzn2
Removing: kernel-4.14.231-173.361.amzn2.x86_64 (@amzn2-core)
kernel = 4.14.231-173.361.amzn2
Info:
→ uname -r
4.14.232-177.418.amzn2.x86_64

→ kpatch list
Loaded patch modules:

Installed patch modules:
livepatch_CVE_2021_33034 (4.14.231-173.361.amzn2.x86_64)

→ rpm -qa | grep -e kernel -e kpatch | sort -u
kernel-4.14.231-173.361.amzn2.x86_64
kernel-4.14.232-176.381.amzn2.x86_64
kernel-4.14.232-177.418.amzn2.x86_64
kernel-headers-4.14.232-177.418.amzn2.x86_64
kernel-livepatch-4.14.231-173.361-1.0-2.amzn2.x86_64
kernel-livepatch-4.14.232-176.381-1.0-0.amzn2.x86_64
kernel-livepatch-4.14.232-177.418-1.0-0.amzn2.x86_64
kernel-tools-4.14.232-177.418.amzn2.x86_64
kpatch-runtime-0.9.2-4.amzn2.noarch
yum-plugin-kernel-livepatch-1.0-0.9.amzn2.noarch

Edited by: faramirza77 on Jul 16, 2021 3:52 AM

Are you limiting the installonly_limit in yum.conf? It seems livepatch needs to have the default 5 kernels to function without breaking. Will see if I get any reply on my hunch.

This resolved the issue for me, thank you!

In three of my personal EC2 machines, plus several systems at work that also encountered this same issue today, the value of installonly_limit in /etc/yum.conf is set to 3. Given how many different systems had the same value - none of which were set manually - I think it's safe to say that this value of 3 is (or used to be) a default for Amazon Linux 2.

Setting it to 5, as you suggested, fixes the problem flawlessly. Thank you so much for the guidance!

5 is the minimum number of kernels that need to be configured in the installonly_limit in yum.conf, otherwise breaks the livepatch functionality. Tested in AMZN2 instance.