As a System Administrator, server uptime has much importance. The servers must be running as long as possible. While keeping this server uptime consistent, a System Administrator should also have to apply the patches and to maintain the reliability. If the patch is done for the kernel there may be a chance to reboot the kernel. Rebooting the kernel will result in the downtime of servers. The downtime will affect the business and thereby it leads to the customer dissatisfaction. So here comes the importance of kernel patch without rebooting. The security patches required for the kernel is done live and without the need of rebooting.
In Essence, Live kernel patching is applying security patches to a running Linux kernel without the need for a system reboot.
Need to avoid the rebooting:
1. Patches can be applied to the kernel with less time and effort without resulting in downtime.
2. Prevents security threats.
3. Does not affect the business and the customers.
4. Availability of the system can be maximized.
5. Applies security patches to running Linux.
Please note that Kernel itself should support the live patch and the system needs a client tool to retrieve kernel patches and load them.
It enables system administrators to apply critical security patches to the kernel immediately, without having to wait for long-running tasks to complete, for users to log off, or for scheduled downtime.
kpatch is a live kernel patching solution that allows you to patch a running kernel without rebooting the server or the system.
1. Apply critical security patches to the kernel immediately.
2. Scheduled reboot.
3. control over uptime.
The most important thing regarding the kpatch is that it is not a general purpose kernel upgrade mechanism. It is used for applying simple security and bugfix updates when rebooting the system is not immediately possible.
A systemd service called kpatch.service that is required by multiuser.target. This service should be loaded while boot time and a command-line tool which allows you to manage patch modules.
Steps for working with kpatch
1. [root@server ~]# yum install kpatch
2. [root@server ~]# yum install kpatch-patch-7.0 1.el7.x86_64.rpm Loaded plugins: fastestmirror
Please note that this step will work only if Live kernel patching capability is implemented via a kernel module (kmod) that is delivered as an RPM package. The kpatch utility is used to install and remove the kernel modules for live kernel patching.
3. [root@server ~]# kpatch list This command will show an output like as follows. Loaded patch modules: kpatch_7_0_1_el7
Installed patch modules:
4. If a new version of the kpatch-patch RPM package is later released, upgrade the applied patch with yum. For example, to upgrade to kpatch-patch-7.0-2.el7.x86_64.rpm, run
[root@server ~]# yum update kpatch-patch-7.0-2.el7.x86_64.rpm Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile
5.[root@server ~]# cat /proc/version kernel-7.0-2-957el7
6.[root@server kernel-3.10.0-957.1.3.el7]# cp -r /usr/src/debug/kernel-3.10.0-957.1.3.el7/linux-3.10.0-957.1.3.el7.x86_64/* ~/linux.orig [root@server kernel-3.10.0-957.1.3.el7]# cp -r ~/linux.orig/ ~/linux.kpatch
7. diff-u linux.org/fs/proc/version.c linux.kpatch/fs/proc/version.c>version.patch
8. kpatch-build version.patch This is for creating the patch module with kpatch
9. [root@server ~]# sudo /usr/local/sbin/kpatch load kpatch-version.ko
10. After completing the steps, you can check the version and it seems to be updated.
I would like to introduce another live Kernel Patching tool, kernelCare in this Blog. KernelCare is not opensource and it is not available for free.
KernelCare, the world’s finest defender of Linux kernels, puts an end to rebooting servers just to apply patches to your kernel. It ensures that you never miss security patches, and your kernels are always up-to-date.
Advantages of using KernelCare
1. Never miss a critical patch
2. Eliminate downtime
3. Quick, rebootless installation
4. Easy, rebootless install with a single line of code
5. Takes just minutes to be up-to-date
6. Rollback capability without rebooting with a single command
7. Virtually no performance impact during updates
KernelCare makes patching your Linux kernels simple. It maintains your kernel security with automated, rebootless updates without any service interruption or degradation. KernelCare works in both, live and staging environments, and for servers located behind the firewall, there is an ePortal to help you manage it.
The KernelCare license key deploys and registers your server. To register your key, run the following command:
kcarectl –register $kc_key
1. The first step is to install the livepatch utility named canonical-livepatch with snap.
sudo snap install canonical-livepatch
2. Enable livepatch:
sudo canonical-livepatch enable
As the working is fully automated, by enabling the kernelcare the patches are automatically worked without rebooting.
3. KernelCare will automatically check for new patches every four hours. If you want to check for new patches yourself, run the following command: