
5 Kernel Live Patching Tools That Will Help To Run Linux Servers Without Reboots

By editor

In this article you will learn what Linux kernel live patching is, how it preserves uptime, which five tools are available to help you run servers for years without reboots, and what the advantages and drawbacks of each tool are.

Introduction

Within IT organizations, there are processes and practices so routine that they are invisible. It doesn’t matter if such processes and practices are flawed, or if there exists a better way: if something has worked for a few years, people stop looking for alternatives. This perfectly describes current approaches to kernel patching.

Right now, most organizations patch their servers by planning reboot cycles. Because rebooting a server fleet is a headache that causes downtime, people put it off for as long as they can, which means patches aren’t applied as early as they could be. This gap between a patch being issued and a patch being applied means risk, poor practice, and possible non-compliance.

This standard approach to kernel patching exposes servers to threat actors across multiple attack vectors, putting IT organizations at risk of major security issues. Anyone tasked with keeping their organization safe from cyber attacks should be seeking a better way to run Linux servers without reboots (ideally, for years).

Why Live Patching Exists

In 2009, an MIT student administering a web server delayed patching the server’s Linux kernel, because applying the patch would have involved a reboot that inconvenienced his users. During the delay, the server was hacked. This inspired the student, Jeff Arnold, to try and develop a way to patch a Linux kernel without rebooting the server.

He teamed up with three other students to develop Ksplice, the first “rebootless” software tool for patching Linux kernels. They formed a company to promote their new product, which was acquired by Oracle. When Oracle integrated Ksplice with their own distribution, Oracle Linux, other Linux vendors began working on their own live patching systems.

That’s because live patching (applying security patches to a server while it’s running, with no reboot necessary) offers valuable capabilities to organizations that manage multiple servers:

  • Continual operation of servers, with no reboots. This means little or no downtime.
  • Automation of patching-related tasks. This frees up support staff to do other work.
  • Immediate application of new patches. This greatly reduces server vulnerabilities.

How Linux Kernel Live Patching Works

There are two basic methods of live patching a Linux kernel: temporary and persistent. The temporary method applies a patch without a reboot, but actually does require rebooting the server later on. Persistent live patching requires no reboot at all.

The Temporary Method

The temporary method of live patching requires package management software (such as the YUM plugin) to be installed on the server. When patches are delivered to repositories, they’re applied according to the update workflows specified by the user.

This method is included with some Linux OS distributions, and with some vendors’ support contracts. It shouldn’t be considered free or inexpensive, however, because it involves costs in time and trouble that aren’t apparent up front.

The temporary method, also called “stack” patching, involves server reboots and downtime. That’s because temporary patches pile up on top of each other over time, degrading performance and stability. The only solution to this problem is to reboot the server to load a fresh kernel into memory.

The Persistent Method

With the persistent method of live patching, a dedicated patch server stores the latest patches. These patches are “monolithic,” not temporary, because they incorporate previous patches. On the web servers to be patched, an agent program runs in the background, periodically checking the patch server for patches. When instructed by the agent, a kernel module performs the patch.

This method involves vendor licensing fees, but these fees can be surprisingly low. Also, in replacing manual work with automated processes, the persistent method reduces the time and effort required to administer servers. Most importantly, because it involves no reboots at all, it enables servers to stay up and running, sometimes for years at a time.

Persistent live patching offers other important advantages as well. Even with hardware vulnerabilities that usually require reboots to address, such as Spectre, Meltdown, and ZombieLoad, servers using the persistent method remain up and running. Also, it works with vulnerability scanners, which is important for compliance with security standards such as SOC 2.
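Whichever method is in use, the thing an operator actually needs to verify is whether the patches a tool claims to have applied are loaded, enabled and fully in effect on the running kernel. The script below is an added example, not code from this article or from any of the vendors it covers. It reads the upstream kernel’s livepatch sysfs interface, where each loaded patch module gets a directory under /sys/kernel/livepatch with an “enabled” flag and, on kernels with the per-task consistency model, a “transition” flag that stays at 1 while the kernel is still migrating tasks to the patched code. The check fails if any patch is disabled or stuck in transition, since in both cases the fix it carries is not protecting every task yet. The sysfs path is a parameter so the script can be exercised against a constructed tree (the patch names livepatch_cve_fix_a and livepatch_cve_fix_b are made up for the example); on a real host you would call it with no argument.

```shell
#!/bin/sh
# Added example: inspect live patch state through the kernel's livepatch
# sysfs interface (/sys/kernel/livepatch/<patch>/{enabled,transition}).
# The root path is a parameter so the same check can run against a
# constructed tree; the default is the real location.

# Print one line per loaded patch: name, enabled flag, transition flag, verdict.
# Returns 0 when every patch is enabled and no transition is in progress,
# 1 otherwise (a disabled patch or a stuck transition means the fix the
# patch carries is not fully in effect on the running kernel).
livepatch_status() {
    root="${1:-/sys/kernel/livepatch}"
    rc=0
    if [ ! -d "$root" ]; then
        echo "no livepatch sysfs at $root (no live patches loaded, or CONFIG_LIVEPATCH off)"
        return 1
    fi
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        enabled=$(cat "$dir/enabled" 2>/dev/null || echo "?")
        transition=$(cat "$dir/transition" 2>/dev/null || echo "?")
        state="ok"
        if [ "$enabled" != "1" ]; then state="DISABLED"; rc=1; fi
        if [ "$transition" = "1" ]; then state="IN-TRANSITION"; rc=1; fi
        printf '%s enabled=%s transition=%s %s\n' "$name" "$enabled" "$transition" "$state"
    done
    return $rc
}

# Build a constructed sysfs-like tree (sample data, not taken from a real host)
# so the check can be tried anywhere. Patch names here are invented.
make_fake_livepatch_tree() {
    root=$(mktemp -d)
    for p in livepatch_cve_fix_a livepatch_cve_fix_b; do
        mkdir -p "$root/$p/vmlinux"
        echo 1 > "$root/$p/enabled"
        echo 0 > "$root/$p/transition"
    done
    echo 1 > "$root/livepatch_cve_fix_b/transition"   # simulate a stuck transition
    echo "$root"
}

# Usage on a real host:   livepatch_status            (exit code 0 = all good)
# Usage on sample data:   livepatch_status "$(make_fake_livepatch_tree)"
```

This tree only reflects patches loaded through the upstream livepatch infrastructure, which is what kpatch, kGraft and Canonical’s Livepatch use; Ksplice and KernelCare ship their own kernel modules and report status through their own tools (Ksplice’s uptrack-show and KernelCare’s kcarectl --info). Scanners that key on uname -r will still see the booted kernel version on a live-patched host, so a check like this one, or the vendor tool’s own report, is what you want to feed into compliance evidence rather than the version string alone.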

5 Linux Kernel Live Patching Systems That Will Help To Run Linux Servers Without Reboots

There are several different kernel live patching systems available from different vendors, most of which are meant for use with a specific Linux distribution:

Oracle Ksplice

Ksplice is the original “rebootless” Linux kernel patching system, created in 2009 and acquired by Oracle in 2011. It now works only with Oracle Linux, and RHEL with an Oracle license. It lacks a scheduling feature, but does perform automatic patch updates with no reboot required.

Red Hat Kpatch

Kpatch was created by Red Hat to work on its own Linux distribution, although it can be ported to Fedora, CentOS, and Debian-based systems such as Ubuntu and Gentoo. It’s not automated: with Kpatch, an administrator must check and apply patches manually.

SUSE Kgraft

Kgraft is SUSE’s live patching system, and works only with SUSE’s own Linux Enterprise Server. Unlike other systems, Kgraft doesn’t stop kernel functions while patches are applied. Instead, it monitors functions so it can apply all patches within a single system call.

Ubuntu Livepatch

Livepatch was created by Canonical, the company that develops Ubuntu. It’s unique among live patching systems in that it allows administrators to create their own custom kernel patches. It works on Ubuntu, of course, but also on Red Hat Enterprise Linux.

KernelCare

KernelCare, developed by CloudLinux, works with most popular distributions, such as CentOS, RHEL, Oracle Linux, Amazon Linux, Debian, and Ubuntu. It’s automated, easy to install, handles complex patches, and provides custom and fixed-date patching to meet specific needs.

Feature and Pricing Comparison

Patching Capabilities

| Capability | KernelCare | Oracle Ksplice | Red Hat Kpatch | SUSE Kgraft | Ubuntu Livepatch |
| --- | --- | --- | --- | --- | --- |
| Patchset distribution | Single patchset for all patches | Each is a separate module | Each is a separate module | Each is a separate module | Single patchset for all patches |
| Release timing | Before or shortly after base distro | After patch in base distro | None provided | Matches SUSE release cycles | Matches Ubuntu release cycles |
| Glibc patching | Yes | Yes | No | No | No |
| OpenSSL patching | Yes | Yes | No | No | No |
| Custom patches | Yes | No | Yes | Yes | No |

Compatibility & Implementation

| Feature | KernelCare | Oracle Ksplice | Red Hat Kpatch | SUSE Kgraft | Ubuntu Livepatch |
| --- | --- | --- | --- | --- | --- |
| Supports older kernels? | Yes | Yes | No | No | No |
| 32-bit support? | Custom | Yes | No | No | No |
| API available? | Yes | Yes | No | Yes | Yes |
| Roll-back functionality? | Yes | Yes | No | No | No |
| Works behind a firewall? | Yes | Yes | Yes | Yes | Yes |

Supported Distributions

| System | Supported distributions |
| --- | --- |
| Oracle Ksplice | Oracle Linux, Fedora 25-27, Ubuntu Desktop 14.04-17.10 |
| Red Hat Kpatch | Red Hat Enterprise Linux, Ubuntu, Debian, Gentoo |
| SUSE Kgraft | SUSE |
| Ubuntu Livepatch | Ubuntu |
| KernelCare | CloudLinux OS, Amazon Linux 1 & 2, CentOS, Debian, OpenVZ, Oracle Enterprise Linux, Oracle UEK, Proxmox VE, Red Hat Enterprise Linux, Ubuntu, Ubuntu Core, Virtuozzo, Xen4 CentOS, Yocto |

Per Server Pricing

| System | Price per server per year | What the price covers |
| --- | --- | --- |
| Oracle Ksplice | $2299 ($1399) | The cost of an Oracle Linux Premier (or Limited) support subscription |
| Red Hat Kpatch | $1299 | The cost of a RHEL Premium support subscription |
| SUSE Kgraft | $2198 | The combined cost of the live patching service ($699) and a Priority server subscription ($1499) |
| Ubuntu Livepatch | $225 ($75/year for virtual machines) | The cost of an Ubuntu Advantage support subscription |
| KernelCare | $27 | Per server per year, for a 500+ server license |

Which Linux Kernel live patching system is best for you?

For a corporation running web servers internally, with a large staff of sysadmins, standardized systems, and existing support contracts with Oracle, Red Hat, or SUSE, the benefits of using the included patching systems may outweigh the costs. Regular interaction with these vendors’ support operations may also help such a corporation streamline its own.

For an organization running web servers that are standardized on Ubuntu, the Livepatch system included with Canonical’s support subscription is a good choice. The system is sound, and the cost is low compared to the aforementioned support contracts.

For a corporation with a large server fleet, one that includes different Linux distributions, the KernelCare system is the only viable option. It’s also a good choice for corporations for which cost and efficiency are concerns, providing automated, flexible patching at low cost.

For a business running internet-enabled devices as part of the “Internet of Things,” KernelCare is the sole option. The majority of these devices use Linux containers, and when they’re hacked it can have deadly consequences, so keeping their kernels patched is crucial. The quick release timing of patches in the KernelCare system makes it well-suited to IoT applications.

Are you currently using any one of the aforementioned live patching systems? Please share your thoughts in the comment section below.
