{"id":78641,"date":"2020-09-30T15:00:04","date_gmt":"2020-09-30T12:00:04","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/what-is-linux-kernel-live-patching-cloudsavvy-it\/"},"modified":"2020-09-30T15:00:04","modified_gmt":"2020-09-30T12:00:04","slug":"what-is-linux-kernel-live-patching-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/what-is-linux-kernel-live-patching-cloudsavvy-it\/","title":{"rendered":"#What Is Linux Kernel Live Patching? \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4038\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/f1fee0a0a83b16d260ba2e862cb46eec\/p\/uploads\/2017\/07\/add8ac45.png\" alt=\"Bash Shell\" width=\"1400\" height=\"600\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Applying critical security updates is important to keeping your Linux server safe from potential attackers, but it can cause downtime, which isn\u2019t good either.
Live kernel patching can apply important kernel updates without taking your server offline.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"What_Is_Live_Kernel_Patching\"><\/span>What Is Live Kernel Patching?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Before live kernel patching, system administrators had to choose between keeping their servers running and applying security updates. This is obviously not ideal, so in 2008 <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.ksplice.com\/doc\/ksplice.pdf\">Jeff Arnold at MIT<\/a> created KSplice, a tool that could apply updates by taking a binary diff and applying patches to the running kernel in memory.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"imgchk9 alignnone wp-image-7099 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/21f913eb7ded6ccabd6bf147d945e12a\/p\/uploads\/2020\/09\/060577c8.png\" alt=\"KSplice, a tool that applies updates by taking a binary diff and applying patches to the running kernel in memory.\" width=\"700\" height=\"563\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>This requires writing a custom patch for each update, so it\u2019s reserved for critical security vulnerabilities that need quick fixes, not regular everyday updates. But when the need arises, this simple solution offers a way to apply those fixes without affecting server uptime.<\/p>\n<p>In reality, live kernel patching is a bit less useful than it may seem. If you care about server uptime, you likely also need to meet some sort of SLA or have a critical service to keep running. In a high-availability network, any single server should theoretically be able to spontaneously combust without affecting the uptime of the application.
Ideally, you should have two or more servers behind load balancers, and if you have more than one server, they can be updated one at a time without greatly affecting service availability, though you might be at 50% load capacity for a short while.<\/p>\n<p>With that considered, live kernel patching is usually done automatically once a new patch is available. By turning live patching on, your system should stay up to date automatically, and you won\u2019t have to have someone orchestrate a rolling server update with potential downtime. This is a huge upside for most system administrators.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Downsides_of_Live_Patching\"><\/span>Downsides of Live Patching<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Live kernel patching is still pretty complicated to do\u2014patches must be written by experts, for each system, and it\u2019s only reserved for important security patches. Even then, it\u2019s not guaranteed not to crash your system. Ubuntu manages this risk by rolling the patches out slowly to a few users at a time, while monitoring for crashes.<\/p>\n<p>Live kernel patching also can\u2019t do everything\u2014it can only be applied to small and specific portions of kernel code, and it can\u2019t be used for any major updates that affect multiple components or change data structures.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Who_Supports_Live_Patching\"><\/span>Who Supports Live Patching?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Unfortunately, the original KSplice program is no longer open source, after being acquired by Oracle in 2011 for integration into Oracle Linux.<\/p>\n<p>With KSplice going closed source, many other companies in the Linux server space developed their own version.
Because patches need to be custom written and tested per system, maintaining a single open-source \u201cLive Kernel Patcher\u201d is very hard.<\/p>\n<p>Most companies offer it as a paid service. <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.kernelcare.com\/\">KernelCare<\/a> is the closest thing to a general-purpose solution, and supports most distributions with a paid subscription. Amazon Linux 2 is one of the very few that <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/aws.amazon.com\/about-aws\/whats-new\/2020\/06\/announcing-general-availability-kernel-live-patching-amazon-linux-2\/?tag=reviewgeek-20\">offers it for free<\/a>. RHEL has <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.redhat.com\/en\/blog\/introducing-kpatch-dynamic-kernel-patching\">kpatch<\/a>. Oracle Linux still uses <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/ksplice.oracle.com\/\">ksplice<\/a>.<\/p>\n<p>Ubuntu has <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/auth.livepatch.canonical.com\/\">Canonical Livepatch<\/a>.
It\u2019s free for up to three machines, after which you\u2019ll need an <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/buy.ubuntu.com\/\">Ubuntu Advantage<\/a> subscription for each machine.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/7091\/what-is-linux-kernel-live-patching\/\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#What Is Linux Kernel Live Patching? \u2013 CloudSavvy IT&#8221; Applying critical security updates is important to keeping your Linux server safe from potential attackers, but it can cause downtime, which isn\u2019t good either. Live kernel patching can apply important kernel updates without taking your server offline. What Is Live Kernel Patching?
Before live kernel patching,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":78642,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2017\/07\/add8ac45.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-78641","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/78641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=78641"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/78641\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/78642"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=78641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=78641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=78641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}