Applying critical security updates is important to protect your Linux server from attackers, but the reboot a kernel update normally requires causes downtime, which is not good either. Live kernel patching can apply critical kernel fixes without taking your server offline.
What is Live Kernel Patching?
Before live kernel patching existed, system administrators had to choose between keeping their server up and applying security updates. That is obviously not ideal, so in 2008 Jeff Arnold at MIT created Ksplice, a tool that applies an update by taking a binary diff of the old and new kernel code and patching the running kernel in memory.
Each update still needs a custom patch written for it, so live patching is reserved for critical vulnerabilities that need a hotfix, not for everyday updates. When the need arises, though, it offers a way to apply the fix without affecting the server’s uptime.
In practice, live kernel patching is a little less useful than it may seem. If you care about uptime, you probably also have an SLA to meet or a critical service that must keep running. In a highly available setup, any individual server should be able to catch fire without affecting the application’s uptime. Ideally you have two or more servers behind a load balancer, and if you have more than one server they can be rebooted one at a time without significantly affecting availability, even if you run at 50% capacity for a short time.
RELATED: How to get started with AWS’s elastic load balances
The real upside is that live kernel patching is usually done automatically when a new patch is available. With live patching enabled, your systems patch themselves, and nobody has to schedule a rolling restart with its risk of downtime. For most system administrators that is a huge convenience.
The Disadvantages of Live Patching
Live kernel patching is still complicated to do: patches must be written by experts for each kernel version, and it is only used for important security updates. Even then, there is no guarantee a patch will not crash your system. Ubuntu manages this risk by rolling patches out slowly to a few machines at a time while monitoring for crashes.
Live kernel patching cannot do everything either. It can only replace small, self-contained pieces of kernel code; it cannot be used for major updates that touch many components or change data structures. It also does not replace the kernel on disk: the fix lives only in the running kernel, so you still need regular kernel package updates and an eventual reboot into a kernel that includes the fix.
Who supports Live Patching?
Unfortunately, the original Ksplice program is no longer open source: Oracle acquired it in 2011 and integrated it into Oracle Linux.
With Ksplice closed, other companies in the Linux server space developed their own versions. The kernel itself has shipped a generic livepatch framework since Linux 4.0, and kpatch is open source, but because the fixes themselves need to be written and tested per kernel, it is hard to maintain a single, general open source “live kernel patcher”; what vendors charge for is producing and testing the patches.
Most companies offer it as a paid service. KernelCare is the closest thing to a general-purpose solution and supports most distributions on a paid subscription. Amazon Linux 2 is one of the few that offers it for free. RHEL has kpatch, and Oracle Linux still uses Ksplice.
Ubuntu has Canonical Livepatch. It is free for up to three machines; beyond that you need an Ubuntu Advantage subscription for each machine.
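Whichever vendor supplies the patches, you will want to verify what is actually loaded. As an added example (not code from the article or from any of the vendors named above), here is a small POSIX shell script that reads the kernel’s own livepatch interface: every patch built on the upstream livepatch framework, which kpatch and Canonical Livepatch use, shows up as a directory under /sys/kernel/livepatch with `enabled` and `transition` flags and one subdirectory per replaced function. The optional root argument exists only so the script can be tested against a constructed directory tree. Ksplice predates the upstream framework and uses its own mechanism, so its patches may not appear here.

```shell
#!/bin/sh
# Report loaded kernel live patches by walking /sys/kernel/livepatch.
# Added example; not part of the article or of kpatch/Canonical Livepatch.
# Layout assumed (upstream livepatch sysfs interface):
#   /sys/kernel/livepatch/<patch>/enabled      1 = active, 0 = disabled
#   /sys/kernel/livepatch/<patch>/transition   1 = still switching tasks over
#   /sys/kernel/livepatch/<patch>/<object>/<function,sympos>/
#     one directory per replaced function, grouped by object (vmlinux or a module)

# Usage: livepatch_status [sysfs_root]
# sysfs_root defaults to /sys/kernel/livepatch; pass another path only for testing.
livepatch_status() {
    root="${1:-/sys/kernel/livepatch}"
    if [ ! -d "$root" ]; then
        echo "no livepatch support or no patches loaded ($root missing)"
        return 1
    fi
    count=0
    for p in "$root"/*/; do
        [ -d "$p" ] || continue          # unmatched glob: no patches loaded
        name=$(basename "$p")
        enabled=$(cat "$p/enabled" 2>/dev/null || echo '?')
        transition=$(cat "$p/transition" 2>/dev/null || echo '?')
        # Depth 2 below the patch directory = one entry per patched function.
        funcs=$(find "$p" -mindepth 2 -maxdepth 2 -type d | wc -l | tr -d ' ')
        echo "$name enabled=$enabled transition=$transition patched_functions=$funcs"
        count=$((count + 1))
    done
    echo "$count patch(es) loaded"
    return 0
}

# Number of loaded patches only; handy for monitoring checks.
livepatch_count() {
    root="${1:-/sys/kernel/livepatch}"
    [ -d "$root" ] || { echo 0; return 0; }
    n=0
    for p in "$root"/*/; do
        [ -d "$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# On a live system: . ./livepatch_status.sh && livepatch_status
```

A patch with `transition=1` for more than a few seconds is worth investigating: the kernel is still waiting for some task to reach a safe point before it can switch it to the new code, and until that finishes the old vulnerable code is still in use by those tasks.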
RELATED: How to make sure your Ubuntu servers are always patched