ClickCease How to Apply Linux Kernel Security Patches: 3 Different Ways

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

How to Apply Linux Kernel Security Patches: 3 Different Ways (2024)

Rohan Timalsina

August 5, 2024 - TuxCare expert team

  • Just like a strong foundation is vital for a building, a secure kernel is essential for a secure Linux system. 
  • Live patching allows applying security patches to a running kernel without need for a reboot, significantly reducing downtime for critical systems.
  • Unpatched kernels can leave your systems exposed to known vulnerabilities, increasing the risk of security incidents like data breaches or unauthorized access.

Linux kernel updates are a fact of life. They are as dull as taxes and about as fun as going to the dentist. But sysadmins must keep patching: newly discovered security vulnerabilities in the Linux kernel seem to appear with monotonous regularity. In most, but not all, cases, the patches needed to fix them follow swiftly after.

There is a lot of work involved in installing the latest Linux kernel security patches, and practical realities can mean that patches are delayed. But, leave it too long, and you give an opportunity to threat actors to take advantage of an unpatched vulnerability.

 

That’s why finding the best way to patch as fast as you can is so critical.

 

Linux’s popularity as a platform for web hosting services, standalone web servers, and web applications makes it a prime target. Hackers use techniques including remote code execution (RCE), cross-site scripting (XSS), and denial of service (DoS) attacks

Keeping Linux instances up to date with the latest operating system and application software patches is one of the most effective ways to strengthen system security and protect against these kinds of cyber threats. 

However, it’s a disruptive and time-consuming task because, for Linux, most kernel upgrades and security patches often require a system reboot. This article explains how to update the Linux kernel without rebooting. Also, we cover three different methods for applying Linux kernel security patches. These methods are:

 

  • using the command line
  • with kexec
  • with rebootless live kernel patching tools: Oracle Ksplice Uptrack, Canonical Livepatch, Red Hat’s Kpatch, SUSE Kgraft (SLE Live Patching), and KernelCare Enterprise.

 

1. Traditional Command Line Updates

 

This is the standard way to apply a Linux kernel security patch using the distribution vendor’s repository. It is the method you’ll most likely find in vendor documentation. However, many distributions now offer user-friendly graphical package managers that simplify the update process.

 

On Ubuntu, you can use these commands in the terminal.

 

sudo apt update

sudo apt upgrade linux-image-generic 

sudo reboot

 

On Debian you use:

 

sudo apt upgrade linux-image

sudo reboot

 

For any RPM-based distribution, including CentOS and Red Hat Enterprise Linux (RHEL), use this:

 

sudo yum update kernel
sudo reboot

 

So far, so easy. But there’s a catch: the kernel patch won’t take effect until you reboot.

Reboot? Yes. You must kick off your users, save your files, and close down processes – at the risk of making a lot of people very unhappy. Like anyone in the middle of a purchase on your website, for example. You then need to wait for your Linux server to boot up again and recover its previous state. 

How long do your servers take to bounce back? Will customers and other stakeholders notice? Even if there’s a low risk that they would notice, you still need to notify them before installing that kernel patch.

This is one reason why many system administrators defer patch installation, avoiding downtime but compromising system security.

 

PROS: No installation. Straightforward process.

CONS: Not automated. Reboot required.

 

2. kexec: Quicker reboots

 

When a Linux kernel security patch is applied, a reboot is usually necessary to load the new patched kernel. You can make this rebooting process faster by using kexec, a Linux kernel feature that lets you boot straight into a new kernel, skipping the boot loader and hardware initialization phases.

To use it, you first need to install kexec-tools.

 

On Ubuntu/Debian:

 

sudo apt install kexec-tools

 

You’ll see a configuration window that looks a bit like this:

 

 On CentOS/RHEL:

 

sudo yum install kexec-tools

 

Next, install the new kernel. List the kernels and then choose the kernel you want to use:

 

sudo yum update kernel

or

 

sudo rpm -qa kernel

 

The output should be something like this:

 

kernel-3.10.0-514.26.1.el7.x86_64 

kernel-3.10.0-862.3.2.el7.x86_64

 

Now boot into your chosen kernel version:

 

sudo kexec -l /boot/vmlinuz-3.10.0-862.3.2.el7.x86_64  

-initrd=/boot/initramfs-3.10.0-862.3.2.el7.x86_64.img  

-reuse-cmdline 

sudo sync; sudo umount -a; sudo kexec -e

 

You can use the next command if you have no patience whatsoever (but see the warning below before you do so):

 

sudo kexec -e

 

Note: While kexec is not directly involved in the patching process itself, it offers faster reboots by bypassing the usual boot loader and hardware initialization. However, this speed comes at a cost. Unlike a standard reboot that gracefully shuts down processes, synchronizes caches, and unmounts file systems, kexec jumps directly to the new kernel. This can lead to data loss or corruption if running applications have unsaved changes or open file handles.

 

PROS: Faster boot. One-time install.

CONS: More finger work (and higher potential for error unless you script it well).

 

3. Update Your Kernel Without Rebooting

 

Yes, you read that correctly. There is a way to update the Linux kernel without rebooting.

There are times when security patching is supercritical and you just must get it done. At the same time, the processes that need to stop when you reboot are equally critical. If you’re running an ‘always-on’ or ‘high-availability’ system, you’ll be familiar with this dilemma.

A rebootless kernel update means that you can ‘have your cake and eat it (too)’. Rebootless updates, also known as live kernel patching, are not a replacement for full kernel upgrades because they only apply patches for security vulnerabilities or critical bug fixes. 

However, rebootless updates are like a magic bullet for fixing vulnerabilities and ensuring Linux kernel security. When you consider the really urgent stuff, then updates for security vulnerabilities and bug fixes are really all you need. By using live patching methods, it is possible to keep a server safe from threats for years without ever rebooting the server.

Many leading Linux vendors offer a tool to achieve rebootless kernel updates. The tool you choose depends in part on the distribution you run and whether you already have a support contract in place with the vendor. In the rest of this article, we’ll talk about the following products. 

 

  • Ksplice by Oracle (for Oracle Linux updates, Ksplice Uptrack for enterprise users)
  • kpatch by Red Hat (for RHEL kernel updates and CentOS updates)
  • Livepatch by Canonical (for Ubuntu kernel updates)
  • kGraft by SUSE (for SUSE updates only)
  • KernelCare Enterprise (for all major Linux distributions)

 

Oracle Ksplice

 

Ksplice was the first commercially available implementation of rebootless kernel updates. Ksplice, Inc. was eventually acquired by Oracle and it is now only available (unsurprisingly) for the Oracle Linux distribution. Deploying Ksplice requires an Oracle Linux Premier Support subscription, which can be a significant cost factor.

 

To deploy it, run:

 

sudo wget -N https://ksplice.oracle.com/uptrack/install-uptrack-oc

sudo sh install-uptrack-oc -autoinstall

 

You’ll note that there is no reboot command and that you only need to run the install script once in the lifetime of the server. After that, the Uptrack service will automatically detect new kernel updates and deploy them. There’s nothing more to do – no scheduling and no downtime.

 

PROS: No reboot required. Automatic updates.

CONS: Only for Oracle distribution versions. Requires a support license.

 

Canonical Livepatch Service 

 

Canonical Livepatch, offered by the company behind Ubuntu, is a tool for applying Linux kernel security patches without requiring a reboot. It also allows you to create your own patches, but that is difficult, time-consuming work. (Some vendors will create an Ubuntu upgrade kernel for you, for a fee.)

   The Livepatch service is available for Ubuntu 16.04 and later, and RHEL 7.x (beta). Livepatch is deployed like this:

sudo snap install canonical-livepatch

 

sudo canonical-livepatch enable [TOKEN]

 

Note: The Canonical Livepatch service is free for personal use on up to 5 machines if you’re an Ubuntu One member. Commercial use requires an Ubuntu Pro subscription.

PROS: No reboot required. Automatic kernel updates.

CONS: Non-trivial custom kernel patches. Restriction on the number of updatable hosts. Additional hosts and commercial use include a fee. 

 

Red Hat kpatch 

 

kpatch is Red Hat’s own kernel patching tool. It was announced in 2014 and has been ported to work on other distributions in the same family (Fedora, CentOS) as well as some Debian-based systems (Ubuntu, Gentoo).

 

Here’s an example of deploying it on RHEL 7:

 

sudo yum install kpatch

sudo yum install kpatch-patch-X.X.X.el7.x86_64.rpm

 

Unlike Ubuntu’s Livepatch service or Oracle’s Ksplice, it is not an automatic live patching service. You must manually check for new patches and install each kernel patch as it becomes available.

 

PRO: No reboot required.

CONS: Not automated. Works with a limited range of distributions.

 

SUSE kGraft 

 

Developed and announced at almost the same time as Red Hat’s solution, kGraft is SUSE’s live patching offering (known as SUSE Linux Enterprise Live Patching). It works only with SUSE’s own Linux Enterprise Server 12, and comes preinstalled, so there’s really nothing to do except to pay for it. It works on a different principle than most other approaches, but has a feature set comparable to kpatch.

 

PROS: No installation needed. No reboot required.

CONS: Single platform support. Commercial (but there is a 60-day free trial).

 

KernelCare Enterprise

 

TuxCare’s Linux kernel live patching service, KernelCare Enterprise, stands out from the kernel patching solutions we covered so far for two reasons. First, KernelCare covers a wide range of Linux distributions, including CentOS, RHEL (as early as RHEL 6), Oracle Linux, Debian, Ubuntu, and many more. Next, KernelCare is more affordable compared to subscribing to a vendor-specific support contract like those listed above.

 

Here’s how to install KernelCare:

 

wget -qq -O -- https://kernelcare.com/installer | bash

sudo /usr/bin/kcarectl --register <your key>

 

KernelCare is an ‘install and forget’ solution. Once installed, KernelCare automatically downloads and applies new Linux kernel security patches without rebooting the server.

But, in contrast to its closest competitors, KernelCare can handle many of the more complex patches that are required for vulnerabilities, including the famous Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715) vulnerabilities. 

KernelCare also covers you for more recent complex vulnerabilities, including the Dirty Pipes vulnerability (CVE-2022-0847). To track the release status of live patches for Linux kernel vulnerabilities (CVEs), you can utilize the TuxCare CVE tracker.

You benefit from a rich feature set too, as KernelCare supports custom patch configurations, fixed-date patches, delayed patches, and rebootless rollbacks that allow you to remove a patch without rebooting.

Like the other vendors considered here, KernelCare also springs from a strong Linux pedigree: KernelCare was created by CloudLinux, the leading vendor for a Linux OS dedicated to web hosting.

 

PROS:

 

  • Easy install. No reboot required.
  • Wide OS coverage (including one of the most popular Linux flavors, Ubuntu).
  • Supports custom and fixed-date patching.
  • Expert support and industry know-how from TuxCare.

 

CONS:

 

 

Get a FREE Trial of KernelCare Enterprise 

 

Final Thoughts

 

Maintaining Linux kernel security is an ongoing battle. Regularly checking for updates and applying them promptly is crucial to stay ahead of evolving cyber threats. Updating the kernel is relatively painless using the standard command line tools, but only if your server is non-critical and only if your users can endure it going offline for a period.

If you’re running an always-on system, or if you can’t or don’t want to reboot, you need to consider live kernel patching solutions. Of these, there are three kinds:

 

  1. Administered: you trigger rebootless patching yourself. E.g. kpatch, kGraft
  2. Fully automatic: rebootless patching happens automatically. E.g. Livepatch, Ksplice
  3. Fully automatic, advanced multi-platform: it does it for you, also handles advanced threats, and works on all popular Linux distributions. E.g. KernelCare Enterprise

 

In many cases, particularly where you’re reliant on different Linux distributions and where you don’t have a vendor support contract, KernelCare Enterprise would be worth a look

If you want to learn more about live patching technology and how it enables your infrastructure security, you can read some of our most popular blog posts:

 

 

Summary
How to Apply Linux Kernel Security Patches: 3 Different Ways
Article Name
How to Apply Linux Kernel Security Patches: 3 Different Ways
Description
Learn 3 methods to apply the latest Linux kernel security updates and keep your system safe. Explore automated and rebootless patching tools.
Author
Publisher Name
TuxCare
Publisher Logo

Ready to modernize your vulnerability patching approach with automated, non-disruptive live patching from KernelCare Enterprise? Schedule a chat with one of our Linux security experts!

Talk to an Expert

Become a TuxCare Guest Writer

Get started

Mail

Join

4,500

Linux & Open Source
Professionals!

Subscribe to
our newsletter