Applying security updates to the Linux kernel is a straightforward process that can be done with tools such as apt, yum, or kexec. However, when you manage hundreds or thousands of servers running different Linux distributions, patching this way becomes challenging and time consuming.
Updating the kernel manually requires rebooting the system. This causes downtime, which can be problematic, so reboots are usually scheduled at fixed intervals. Because manual patching waits for this cycle, it gives attackers a “time window” in which the server infrastructure remains unpatched and can be attacked.
For organizations running more than a few servers, live patching is a better choice. It patches the Linux kernel automatically while the server keeps running, which makes it both more efficient and safer than the manual method.
This article describes how to set up kernel updates without rebooting, using the live patch solutions from Canonical and CloudLinux.
Canonical Livepatch
Canonical Livepatch is a service that patches the running kernel without a reboot of your Ubuntu system. The Livepatch service is free to use on up to three Ubuntu systems. To use it on more than three machines, you must subscribe to the Ubuntu Advantage program.
Before installing the service, you need to get a livepatch token from the Livepatch Service site.
Once you have the token, install the snap and activate the service with that token by running the following two commands (replace <TOKEN> with the token from the Livepatch Service site):
sudo snap install canonical-livepatch
sudo canonical-livepatch enable <TOKEN>
To check the service status, run:
sudo canonical-livepatch status --verbose
Later, if you want to unregister the machine, use this command:
sudo canonical-livepatch disable
The same instructions apply for Ubuntu 20.04 and Ubuntu 18.04.
KernelCare is a great choice for hosting providers and businesses.
KernelCare runs on Ubuntu, CentOS, Debian, and other popular Linux distributions. It checks for patch releases every 4 hours and installs them automatically, and applied patches can be rolled back. KernelCare is free for non-profit organizations.
To install KernelCare, run the installation script:
wget -qq -O - https://kernelcare.com/installer | bash
If you are using an IP-based license, there is nothing more to do. Otherwise, if you are using a key-based license, run the following command to register the service:
sudo kcarectl --register <KEY>
Where <KEY> is the registration key string provided when you register for a trial or purchase a product. You can find it on this page.
Below are some useful KernelCare commands:
- To check if a running kernel is supported by KernelCare:
curl -s -L https://kernelcare.com/checker | python
- To unregister a server:
sudo kcarectl --unregister
- To check service status:
sudo kcarectl --info
- The software checks for new patches automatically every 4 hours. To update manually, run:
sudo kcarectl --update
Live patching technology lets you apply patches to the Linux kernel without rebooting.
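As an added example (not code from the article, from Canonical or from CloudLinux), the following POSIX shell script audits a single host: it detects which of the two agents described above is installed, prints that agent's status using the commands from the article, and then checks whether a newer kernel image than the running one is already installed on disk. That last check is the caveat a fleet operator wants alongside live patching: live patches apply specific fixes to the running kernel, but a full kernel package upgrade still needs a reboot to take effect. The /boot/vmlinuz-<version> naming used to find installed kernels is an assumption about the distribution's layout.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a single host's
# live-patching state. It reuses the article's commands (canonical-livepatch,
# kcarectl) and assumes the usual /boot/vmlinuz-<version> naming for installed
# kernel images (an assumption about the distribution's layout).

# Which live-patching agent is installed: "livepatch", "kernelcare" or "none".
detect_agent() {
    if command -v canonical-livepatch >/dev/null 2>&1; then
        echo livepatch
    elif command -v kcarectl >/dev/null 2>&1; then
        echo kernelcare
    else
        echo none
    fi
}

# Newest kernel version installed on disk, taken from /boot/vmlinuz-* names.
# Prints nothing if no kernel image is found (e.g. inside a container).
newest_installed_kernel() {
    ls /boot/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##' | sort -V | tail -n 1
}

# reboot_pending RUNNING INSTALLED
# Succeeds (exit 0) only when INSTALLED is strictly newer than RUNNING, i.e. a
# full kernel upgrade is on disk that live patches cannot activate, so a
# reboot is still needed. Fails when INSTALLED is empty, equal, or older.
reboot_pending() {
    running=$1
    installed=$2
    [ -n "$installed" ] || return 1
    [ "$running" != "$installed" ] || return 1
    newest=$(printf '%s\n%s\n' "$running" "$installed" | sort -V | tail -n 1)
    [ "$newest" = "$installed" ]
}

# Print the agent's own status report, using the commands from the article.
agent_status() {
    case $1 in
        livepatch)  canonical-livepatch status --verbose ;;
        kernelcare) kcarectl --info ;;
        *)          echo "no live-patching agent installed" ;;
    esac
}

# Combine the checks into one report for this host.
audit_host() {
    agent=$(detect_agent)
    running=$(uname -r)
    installed=$(newest_installed_kernel)
    echo "live-patching agent: $agent"
    agent_status "$agent"
    if reboot_pending "$running" "$installed"; then
        echo "REBOOT PENDING: running $running, newest installed $installed"
    else
        echo "running kernel $running is the newest installed (or no newer image found)"
    fi
}

audit_host
```

Run it on each host over ssh or from your configuration management tool and alert on the "REBOOT PENDING" line; the version comparison relies on sort -V, so it works with the Debian/Ubuntu "5.4.0-48-generic" style as well as RHEL-style release strings.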
If you have any questions or feedback, please leave a comment.