What is the Linux kernel live patch?


Applying critical security updates is essential to keeping a Linux server safe from attackers, but a kernel update normally means a reboot, and a reboot means downtime, which is not good either. Live kernel patching applies important kernel fixes without taking the server offline.

What is the live kernel patch?

Before live kernel patching existed, system administrators had to choose between keeping a server running and applying a kernel security update that required a reboot. Obviously that is not ideal, so in 2008 Jeff Arnold, then at MIT, created Ksplice, a tool that compares the compiled kernel code before and after a source patch and applies the resulting binary difference to the running kernel in memory.


Each update requires a custom-built patch, so live patching is reserved for critical security vulnerabilities that must be fixed quickly, not for routine daily updates. When the need arises, though, it offers a way to apply those fixes without touching server uptime.

In practice, kernel live patching is a little less important than it sounds. If you care about server uptime, you probably also have an SLA to meet or a critical service to keep running. In a highly available setup, any single server should be able to fail spontaneously without affecting application uptime. Ideally you have two or more servers behind a load balancer, and with more than one server you can update them one at a time without seriously affecting availability, even if capacity drops to 50% for a short while.

RELATED: How to get started with AWS Elastic Load Balancers

Taking this into account, the real advantage is that live kernel patches are generally applied automatically as soon as a new patch is available. With live patching enabled, your systems stay up to date on their own, and nobody has to orchestrate a rolling server update and the downtime it might involve. For most sysadmins that is a great convenience.

Disadvantages of live patches

Live kernel patching is still fairly tricky: patches must be written by experts, built for each kernel version, and are reserved for important security fixes. Even then, a patch is not guaranteed not to crash your system. Ubuntu handles this risk by rolling patches out slowly to a few users at a time while monitoring for faults.

Live kernel patching can't do everything either: it can only replace small, specific portions of kernel code, and it cannot be used for major updates that touch multiple components or change kernel data structures, since objects already in memory keep their old layout.
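Because a live patch can misbehave, or can sit in a half-applied state, a practitioner wants a quick way to see what is actually loaded. The following is an added example, not from the original article, and not part of any vendor's tooling. It reads the mainline kernel livepatch interface that kpatch and other in-tree patch modules use: one directory per patch under /sys/kernel/livepatch, each with an "enabled" and a "transition" file, plus the TAINT_LIVEPATCH flag (bit 15, letter K) in the kernel taint value. The directory and taint file are taken as arguments so the functions can be pointed at a constructed directory tree for testing; on a real machine you would call them with no arguments. Kernels without CONFIG_LIVEPATCH, and out-of-tree products such as Ksplice, do not expose this directory, which is an assumption the script makes explicit by reporting the directory as missing.

```bash
#!/bin/sh
# Added example: inspect the in-kernel livepatch state (Linux 4.0+ with CONFIG_LIVEPATCH).
# Not vendor code; the sysfs paths are the mainline interface, the argument defaults are
# the real locations and the test tree used below is constructed.

# Print one line per loaded live patch: name, enabled flag and transition flag.
# Usage: list_livepatches [dir]   (dir defaults to /sys/kernel/livepatch)
list_livepatches() {
    dir="${1:-/sys/kernel/livepatch}"
    if [ ! -d "$dir" ]; then
        echo "no livepatch support, or no patches loaded: $dir missing"
        return 1
    fi
    for p in "$dir"/*/; do
        [ -d "$p" ] || continue            # glob did not match anything
        name=$(basename "$p")
        enabled=$(cat "$p/enabled" 2>/dev/null || echo "?")
        transition=$(cat "$p/transition" 2>/dev/null || echo "?")
        echo "$name enabled=$enabled transition=$transition"
    done
}

# Return 1 if any patch is still in its transition phase. transition=1 means the
# kernel could not yet migrate every task to the patched code; if it stays that way
# the patch is not fully in effect and the vulnerable code may still be running.
stuck_transitions() {
    dir="${1:-/sys/kernel/livepatch}"
    rc=0
    for t in "$dir"/*/transition; do
        [ -f "$t" ] || continue
        if [ "$(cat "$t")" = "1" ]; then
            echo "transition still in progress: $(basename "$(dirname "$t")")"
            rc=1
        fi
    done
    return $rc
}

# Return 0 if the kernel taint value has TAINT_LIVEPATCH set (bit 15, shown as 'K'
# in oops and panic messages). Usage: livepatch_tainted [file]
livepatch_tainted() {
    file="${1:-/proc/sys/kernel/tainted}"
    taint=$(cat "$file" 2>/dev/null) || return 2
    [ $(( (taint >> 15) & 1 )) -eq 1 ]
}
```

Running list_livepatches on a server with nothing loaded is a normal result, not an error; what you are looking for is a patch that stays at transition=1 for more than a few seconds, or a taint value that says a live patch is active when your inventory says none should be.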

Who supports live patching?

Unfortunately, Ksplice is no longer developed as open source: Oracle acquired it in 2011 and integrated it into Oracle Linux.

With Ksplice going closed source, several other companies in the Linux server space developed their own versions. Since patches have to be custom written and tested for each kernel build, maintaining a single general-purpose open source "live kernel patcher" is difficult.

Most companies offer it as a paid service. KernelCare is the closest thing to a general-purpose solution and supports most distributions with a paid subscription. Amazon Linux 2 is one of the few that offers it for free. RHEL has kpatch, which builds on the livepatch infrastructure that has been in the mainline kernel since Linux 4.0. Oracle Linux still uses Ksplice.

Ubuntu has Canonical Livepatch. It is free for up to three machines; beyond that you need an Ubuntu Advantage subscription for each machine.

RELATED: How to make sure your Ubuntu servers are always patched
