Kernel 6.14 - End of Support

[t.lamprecht]

Hello,

Given the recent high churn of problematic issues, we decided to more actively announce the end of support for the 6.14-based kernel series.
We prolonged the life of that series significantly beyond what was originally planned.

At the time of writing, still-supported kernel release series:

• Kernel 6.8 for Proxmox VE 8 and other Debian Bookworm-based Proxmox project releases.
• Kernel 6.17 for Proxmox VE 9 and other Debian Trixie-based Proxmox project releases.
• Kernel 7.0, which is currently transitioning to become the new default kernel for Proxmox VE 9 and other Debian Trixie-based Proxmox project releases.

Note that we also plan to start sunsetting Kernel 6.17 at the start of July, transitioning to best-effort updates only.

 

[bbgeek17]

Out of curiosity, is this decision primarily driven by the recent wave of Kernel security vulnerability disclosures, or has there been a particular subsystem or area in the 6.14/6.17 series that has proven especially difficult to stabilize?

Either way, thank you for the transparency and the heads-up regarding the support timeline.

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[t.lamprecht]

The deprecation itself was not strongly influenced by that, but the decision to communicate it more actively was in fact primarily driven by it. Normally, we only mentioned it on the side once a new kernel became the default. In the past, we always did security updates for recently obsoleted kernels if the issues were grave enough. Now that the stream of such issues is so constant, it was decided that we should really make a clean cut here.

For now, the backports were doable, as we luckily have very diligent staff with a lot of experience on hand, but we see better ROI with them spending their time on other areas than just building, backporting, and verifying such fixes for five kernels (6.8, 6.14 for both stable and oldstable, 6.17, and 7.0) once or even twice a week.
And with respect to stability, we did not note significantly more churn in one kernel or another compared to the past, especially given the strongly increasing total host count using them over the last years, that said, this is mostly from top of my head; I did not recheck with enteprise support/QA just now - I faintly remember some disk controller making a bit more frequent problems in newer kernel, which was actually one of the motivations to keep 6.14 a bit longer alive. Anyway, as said,. no clear number nor overly strong signals here.

 

[jaminmc]

Thank you all for your hard work in mitigating the identified kernel exploits and backporting the fixes. We greatly appreciate your efforts!

With these security updates in mind, has the Proxmox team considered implementing live kernel patching? Ubuntu Pro supports this feature, and third-party solutions like TuxCare are also available. Obviously, such a feature would be reserved for the enterprise version rather than the community tier. It could even serve as a valuable addition for HA servers that require the highest possible uptime.

 

[t.lamprecht]

We will re-evaluate it, but cannot make any promises.
What we also look into periodically is reducing the attack surface in general, like we started rolling out some simple but relatively effective approach to block autoloading of various niche kernel modules:
https://git.proxmox.com/?p=pve-kernel.git;a=commitdiff;h=2db8637db2b34de11b4d3f10b5e8ca0edf0a8f05