Applying security updates to the Linux kernel is normally straightforward: the updated kernel package is installed with the distribution's package manager (apt, yum) and the machine is rebooted into the new kernel (kexec can skip the firmware stage of that reboot, but it still restarts the system). When you manage hundreds or thousands of servers running different Linux distributions, however, this method becomes challenging and time-consuming.
Updating the kernel this way requires rebooting the system. That means downtime, so reboots are usually scheduled for fixed maintenance windows. Because patching happens only during these cycles, a server keeps running a kernel with publicly known vulnerabilities until the next window, which gives attackers a "time window" in which to attack the server infrastructure.
For organizations that run more than a few servers, live patching is a better option. It is an automated way to patch the running Linux kernel without a reboot, which makes it both more efficient and more secure than the manual method. Note that it covers the kernel only: userspace packages still need regular updates, and you will still reboot into new kernel versions eventually, but that reboot can now be scheduled without leaving known kernel holes open in the meantime.
This article explains how to set up automatic rebootless kernel updates using the live patching solutions from Canonical and CloudLinux.
Canonical Livepatch
Canonical Livepatch is a service that patches the running kernel without having to reboot your Ubuntu system. The service is free for up to three Ubuntu machines; to use it on more than three, you need an Ubuntu Advantage subscription.
Before installing the service, you need to get a Livepatch token from the Canonical Livepatch service site.
Once you have the token, install and enable the service by running the following two commands:
sudo snap install canonical-livepatch
sudo canonical-livepatch enable <your-key>
To check the status of the service, run:
sudo canonical-livepatch status --verbose
If you later want to deregister a machine, disable the service with:
sudo canonical-livepatch disable
The same instructions apply for Ubuntu 20.04 and Ubuntu 18.04.
KernelCare
KernelCare, from CloudLinux, is aimed at hosting providers and businesses.
KernelCare runs on Ubuntu, CentOS, Debian, and other popular Linux distributions. It checks for new patches every 4 hours and installs them automatically, and patches can be rolled back. KernelCare is free for non-profit organizations.
To install KernelCare, run the installation script as root:
wget -qq -O - https://kernelcare.com/installer | bash
Piping a script from the network straight into a root shell executes whatever the server (or anyone able to tamper with the connection) returns. On production hosts, download the installer to a file, read it, and run it from there.
If you are using an IP-based license, nothing else needs to be done. If you are using a key-based license, register the server with:
/usr/bin/kcarectl --register <your-key>
where <your-key> is the registration key string provided when you sign up for the trial or purchase the product.
Below are some useful KernelCare commands:
- To check whether the running kernel is supported by KernelCare (like the installer, this fetches a script from the network and runs it, so inspect it first):
curl -s -L https://kernelcare.com/checker | python
- To deregister a server:
sudo kcarectl --unregister
- To check the status of the service:
sudo kcarectl --info
- The software automatically checks for new patches every 4 hours. To update manually, run:
/usr/bin/kcarectl --update
Conclusion
Live patching lets you apply security patches to the running Linux kernel without rebooting, closing the gap between a kernel fix being published and the next scheduled maintenance window.
If you have any questions or feedback, feel free to leave a comment.