Upgrading the kernel is simple. Just after a checkpoint has been taken, block all domain progress, wait for the checkpoint to be written to disk, load the new kernel and fall into normal checkpoint recovery mode. This took a few seconds on the 370/158. Some active users will not even notice the pause. In our experience a buggy new kernel will crash 99% of the time before the next checkpoint, especially with the frequency of checking internal kernel invariants turned up. If the system is in production it is wise to rehearse from a tape checkpoint.

Rarely, the format of the disk will change upon kernel upgrade; this takes longer and is only a bit more complicated. Now you must rehearse the disk upgrade from a tape checkpoint. Since the disk format at the kernel abstraction level is so simple—pages and nodes—this typically takes only the time to pass over the disk state. With Keykos this happened about once.