Applying Linux Kernel updates can be a problem, especially if you are working with an always-on or high-availability system that must stay operational all the time. But we also know that security experts frequently discover new vulnerabilities and bugs in the Kernel, and most of them are patched shortly after.
But applying the patch may also require you to reboot the system, which takes the system offline for a certain amount of time. Since patches are extremely critical for the system’s safety, the best solution is to apply patches automatically, without rebooting the system, using one of these methods:
5 solutions to patch Linux Kernel without a reboot
There are several methods that allow you to apply kernel security patches without rebooting. Rebootless Linux kernel updates are also called Linux kernel live patching or live update. Rebootless Kernel updates are not a replacement for full kernel upgrades, but they allow you to apply patches for critical security vulnerabilities and bug fixes. With these methods, you can keep your servers safe and running without an outage for years.
Several Linux vendors offer rebootless kernel updates. Your solution mostly depends on the distribution you are running. Here are the 5 solutions to update Linux kernel without reboot:
|Best Linux Kernel Live Update / Patching Tools|
|KernelCare||Easy install. No reboot required. Wide OS coverage. Supports custom and fixed-date patching.|
|Ksplice||Automatic updates. No reboot required. Only for Oracle distributions. Requires a support license.|
|Kpatch||No reboot required. Not automated. Limited distributions.|
|Livepatch||Automatic kernel updates. No reboot required. Non-trivial custom kernel patches.|
|Kgraft||No installation needed. No reboot required. Single platform support (OpenSUSE).|
KernelCare
KernelCare, developed by CloudLinux, was launched in 2014. KernelCare covers most of the popular distributions, including CentOS, RHEL, Oracle Linux, Debian, Ubuntu, and others. KernelCare also supports the older 2.6.32 kernels from RHEL 6. KernelCare is an “install and forget” solution with easy installation. After the installation, it downloads and applies the kernel patches automatically without rebooting.
KernelCare’s ability to handle more complex patches for vulnerabilities such as ZombieLoad, Meltdown and Spectre, and Mutagen Astronomy makes it better than its competitors. It also offers custom and fixed-date patching to meet specific needs. CloudLinux also offers support for KernelCare with its experienced support team.
KernelCare Pros and Cons
|✔ Easy install||✘ Commercial (but there is a free, 30-day trial). There is also a free KernelCare license for non-profit organizations|
|✔ No reboot required|
|✔ Wide OS coverage (including one of the most popular Linux flavors, Ubuntu)|
|✔ Supports custom and fixed-date patching|
|✔ Good support and industry know-how from CloudLinux|
How to install KernelCare?
To install KernelCare use the following commands on the command line:
Step 1: Download and install KernelCare using wget or curl
wget -qq -O - https://kernelcare.com/installer | bash
curl -s -L https://kernelcare.com/installer | bash
Step 2: Register the key:
sudo /usr/bin/kcarectl --register <your key>
kcarectl --register <your key>
Step 3: To check if the running kernel is supported by KernelCare:
wget -qq -O - https://kernelcare.com/checker | python
curl -s -L https://kernelcare.com/checker | python
Oracle Ksplice
Ksplice is the oldest rebootless kernel updating solution. It was later acquired by Oracle, and it now supports only Oracle Linux and Red Hat Enterprise Linux distributions; an Oracle license is needed for deployment. It requires running the install script once on the server, after which it applies the patches automatically. It lacks important features such as scheduling.
Oracle Ksplice Pros and Cons
|✔ Automatic updates||✘ Only for Oracle distributions|
|✔ No reboot required||✘ Requires a support license|
How to install Oracle Ksplice?
To install Oracle Ksplice use the following commands on the command line:
Step 1: Download Oracle Ksplice using wget
sudo wget -N https://ksplice.oracle.com/uptrack/install-uptrack-oc
Step 2: Install Ksplice
sudo sh install-uptrack-oc --autoinstall
Red Hat Kpatch
Red Hat Kpatch is Red Hat’s own rebootless kernel live patching tool. It was announced in 2014. It can be ported to work on Fedora and CentOS, Gentoo and Debian-based systems such as Ubuntu. Unlike other solutions in the list, it doesn’t apply the patches automatically and the administrator should check and apply the patches manually.
Red Hat Kpatch Pros and Cons
|✔ No reboot required||✘ Not automated|
|✘ Limited distributions|
How to install Red Hat Kpatch?
To install Red Hat Kpatch use the following commands on the command line:
Step 1: Download Kpatch using yum
sudo yum install kpatch
Step 2: Install Kpatch
sudo yum install kpatch-patch-X.X.X.el7.x86_64.rpm
Canonical Livepatch
Livepatch is the kernel live patching solution from Canonical, the developer behind the Ubuntu distribution. It is free for up to 3 machines for Ubuntu Community members. Unlike other solutions in the list, it allows administrators to create their own patches, but this can be difficult and time-consuming work. Livepatch is available for Ubuntu 16.04 and later, and RHEL 7.x.
Canonical Livepatch Pros and Cons
|✔ Automatic kernel updates||✘ Non-trivial custom kernel patches|
|✔ No reboot required||✘ Limit to the number of updatable hosts (additional hosts for a fee)|
How to install Canonical Livepatch?
To install Canonical Livepatch use the following commands on the command line:
Step 1: Get your Livepatch token
Step 2: Install Livepatch using snap
sudo snap install canonical-livepatch
Step 3: Enable Livepatch using Token
sudo canonical-livepatch enable [TOKEN]
SUSE Kgraft
SUSE’s Kgraft live patching solution only supports SUSE’s own Linux Enterprise Server 12, and it comes preinstalled with the distribution, so it requires no additional installation. It follows a different principle from most other approaches, but its feature set is comparable to Kpatch.
SUSE Kgraft Pros and Cons
|✔ No installation needed||✘ Single platform support|
|✔ No reboot required||✘ Commercial (but there is a generous 60-day free trial)|
How to install SUSE Kgraft?
There is no need to install SUSE Kgraft. It comes installed in SUSE Linux Enterprise Server 12.
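After any of the installs above, the useful check is whether a patch is actually active, not just whether the tool is installed. The following is an added example, not code from this page or from any of the vendors: it reads the kernel's own livepatch sysfs tree and flags patches that are disabled or still in transition. It assumes the running kernel exposes /sys/kernel/livepatch (tools that patch through their own mechanism will not appear there), and the patch names in the sample tree are constructed.

```bash
#!/usr/bin/env bash
# Added example: audit live patches via the kernel's livepatch sysfs tree.
# Assumption: the kernel exposes /sys/kernel/livepatch/<patch>/enabled and,
# on newer kernels, /sys/kernel/livepatch/<patch>/transition.

# check_livepatch [ROOT]
# Prints one line per loaded patch and returns:
#   0  every loaded patch is enabled and fully applied
#   1  at least one patch is disabled or still in transition
#   2  no patches are loaded through this interface
check_livepatch() {
    local root="${1:-/sys/kernel/livepatch}" rc=2
    local dir name enabled transition
    for dir in "$root"/*/; do
        # Also skips the literal pattern when the glob matches nothing.
        [ -f "${dir}enabled" ] || continue
        name="$(basename "$dir")"
        enabled="$(cat "${dir}enabled")"
        # Older kernels have no 'transition' file; treat that as settled.
        transition="$(cat "${dir}transition" 2>/dev/null || echo 0)"
        if [ "$enabled" = "1" ] && [ "$transition" = "0" ]; then
            echo "OK      $name"
            if [ "$rc" -eq 2 ]; then rc=0; fi
        else
            echo "PENDING $name (enabled=$enabled transition=$transition)"
            rc=1
        fi
    done
    if [ "$rc" -eq 2 ]; then echo "NONE    no live patches under $root"; fi
    return "$rc"
}

# Constructed sample tree (hypothetical patch names, not real kernel state)
# so the function can be tried without a patched kernel.
demo="$(mktemp -d)"
mkdir -p "$demo/livepatch_fix_a" "$demo/livepatch_fix_b"
echo 1 > "$demo/livepatch_fix_a/enabled"
echo 0 > "$demo/livepatch_fix_a/transition"
echo 1 > "$demo/livepatch_fix_b/enabled"
echo 1 > "$demo/livepatch_fix_b/transition"   # still switching tasks over
check_livepatch "$demo" || echo "exit status: $?"
rm -rf "$demo"
```

On a real host, call `check_livepatch` with no argument and alert on a non-zero exit status.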
Linux live update/patching tools comparison
|Feature||KernelCare||Oracle Ksplice||RedHat kpatch||kgraft/Suse||Ubuntu Livepatch|
|Supported Distributions||CentOS/RHEL/CL 6, CL 6 hybrid & 7, CentOS 7 Plus, CentOS 6 Plus, OpenVZ & Virtuozzo, Debian 8 & 9, Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, Proxmox VE 2.x, 3.x & 4.x, Xen4CentOS 6 & 7, Amazon Linux 1 & 2, Oracle UEK 3, 4 & 5, Oracle Enterprise Linux 6 & 7, Yocto, Ubuntu Core||Oracle Linux Red Hat compatible kernels in OL5, OL6 and OL7; Oracle Linux Unbreakable Enterprise kernels in OL5 R2, OL6 R2 R3 R4, OL7 R3 R4; Fedora 25-27 and Ubuntu Desktop 14.04-17.10 (free of charge). *RHEL 5, 6 and 7 systems can be migrated to Oracle Linux subscription to become supported||RHEL||Suse||Ubuntu 14.04 16.04 LTS (only 4.4 and newer kernels)|
|Supports kernels older than 3.10||Yes||Yes||No||no||no|
|24/7 support||Yes, online and telephone, 24/7/365||Yes, online and telephone||Yes||Yes||Yes, with paid subscription|
|Available for new clients||Yes||Only for Oracle Linux||Only for Redhat Linux||Only Suse Linux clients||Only Ubuntu clients|
|Pricing||$2.25-$3.95 per month per server||Is a part of Oracle Linux Premier (Limited) Support Subscription – $2299($1399) per system per year||Expensive / requires premium support||Free with Suse subscription||Ubuntu Advantage (at least Essential) support subscription|
|Patchset distribution||Single patchset for all patches||Each patch represented as separate kernel module||No distribution channel, patches are separate kernel modules||Each patch represented as separate kernel module||Single patchset for all patches|
|Patch size (how big is the patch)||Smaller size||Bigger size||Bigger size||Smaller size||Bigger size|
|Roll-back functionality||Yes, rebootless||Yes, rebootless||No|
|Major vulnerability patch release timing||Often before or shortly after base distribution||Always after patch is included with base distribution||None provided||Matches Suse release cycles||?|
|Glibc patching||March 2020||yes||no||no||no|
|OpenSSL patching||March 2020||yes||no||no||no|
|QEMU patching||Coming soon||No||no||no||no|
|Binary patches for known vulnerabilities||yes||yes||no||yes||yes|
|Works behind firewall||yes||yes||NA||yes||yes|
|Can be used to generate your own patches||custom/on request||No||yes||yes||no|
|Custom patches||yes||no||Yes / self made||Yes / self made||no|
|Patching for Devices||yes|
|Pricing||$2.25-$3.95 per month per server||Is a part of Oracle Linux Premier (Limited) Support Subscription – $2299($1399) per system per year||Available on a Premium support subscription for $1299 per year.||$2198 per year, the combined cost of the live patching service ($699) and SUSE Enterprise Linux with a Priority Server Subscription ($1499).||Ubuntu Advantage (at least Essential) support subscription|