How to Apply Linux Kernel Security Patches: 3 Different Ways (2023)
Linux kernel updates are a fact of life. They are as dull as taxes and about as fun as going to the dentist. But sysadmins must keep patching: newly discovered security vulnerabilities in the Linux kernel seem to appear with monotonous regularity. In most but not all cases, the patches needed to fix them follow swiftly after.
There is a lot of work involved in installing the latest Linux kernel security patches, and practical realities can mean that patches are delayed. But, leave it too long, and you give an opportunity to threat actors to take advantage of an unpatched vulnerability.
That’s why finding the best way to patch as fast as you can is so critical.
Linux’s popularity as a platform for web hosting services, standalone web servers, and web applications makes it a prime target. Attackers typically get a foothold through an application-level flaw such as cross-site scripting (XSS) or remote code execution (RCE) in the web stack, then use a kernel vulnerability to escalate from the compromised service account to root, or exploit kernel bugs directly to cause a denial of service (DoS). Application patches close the first step of that chain; kernel patches close the second.
Keeping Linux instances up to date with the latest operating system and application software patches is one of the most effective ways to strengthen system security and protect against these kinds of cyber threats.
However, it’s a disruptive and time-consuming task because, for Linux, a kernel upgrade or security patch installed through the package manager does not take effect until the system reboots. This article explains how to update Linux kernels, with and without rebooting. I cover three different methods for some of the most popular Linux distributions. These methods are:
- using the command line;
- with kexec;
- with rebootless live kernel patching tools: Oracle Ksplice Uptrack, Canonical Livepatch, Red Hat’s Kpatch, SUSE Kgraft (SLE Live Patching), and KernelCare Enterprise.
Using the command line
This is the standard way to do a kernel update using the Linux distribution vendor’s repository. It is the method you’ll most likely find in vendor documentation.
- On Ubuntu, the linux-image-generic metapackage pulls in the latest kernel for your release:
sudo apt-get update
sudo apt-get install linux-image-generic
sudo reboot
- On Debian, the metapackage is named for the architecture (linux-image-amd64 on 64-bit x86); there is no package called simply "kernel":
sudo apt-get update
sudo apt-get install linux-image-amd64
sudo reboot
- For any RPM-based distribution, including CentOS and Red Hat Enterprise Linux (RHEL), use yum (or dnf on RHEL 8 and later):
sudo yum update kernel
sudo reboot
So far, so easy. But there’s a catch: the new kernel is only written to disk. The running kernel, the one uname -r reports, is unchanged, and the security fix does not take effect until you reboot into the new one.
Reboot? Yes. You must kick off your users, save your files, and close down processes – at the risk of making a lot of people very unhappy. Like anyone in the middle of a purchase on your website, for example. You then need to wait for your Linux server to boot up again and recover its previous state.
How long do your servers take to bounce back? Will customers and other stakeholders notice? Even if there’s a low risk that they would notice, you still need to notify them before installing that kernel patch.
This is one reason why many system administrators defer patch installation, avoiding downtime but compromising system security.
PRO: No installation.
CONS: Not automated. Reboot required.
kexec: Quicker reboots
You can make the rebooting step quicker by using kexec. This Linux kernel system call lets you boot straight into a new kernel from the running one, skipping the firmware’s power-on self-test and the boot loader, and significantly shortening your reboot time. Devices are still re-initialised by the new kernel’s drivers and the userspace shutdown still has to happen, so the saving is the firmware and boot-loader stage, not the whole reboot.
To use it, you first need to install kexec-tools.
- On Ubuntu/Debian:
sudo apt-get install kexec-tools
On Debian and Ubuntu the package asks, through a debconf prompt, whether kexec-tools should handle reboots. Answering yes sets LOAD_KEXEC=true in /etc/default/kexec, which makes the reboot sequence load the newest installed kernel with kexec instead of going back through the firmware.
- On CentOS/RHEL:
sudo yum install kexec-tools
Next, install the new kernel, then list the installed kernels and choose the one you want to use:
sudo yum update kernel
sudo rpm -qa kernel
The rpm -qa output lists every installed kernel package, one per line, such as kernel-3.10.0-862.3.2.el7.x86_64. Compare it with uname -r, which shows the kernel currently running; immediately after the update that will still be the older version.
Now load your chosen kernel version into memory with kexec -l, then reboot into it with systemctl kexec, which runs the normal shutdown sequence (stopping services, syncing and unmounting file systems) and only then jumps to the loaded kernel:
sudo kexec -l /boot/vmlinuz-3.10.0-862.3.2.el7.x86_64 --initrd=/boot/initramfs-3.10.0-862.3.2.el7.x86_64.img --reuse-cmdline
sudo systemctl kexec
The --reuse-cmdline option carries the running kernel’s command line (root=, console= and so on) over to the new kernel. If you have no patience whatsoever, you can skip the shutdown sequence and jump straight to the loaded kernel (but see the warning below before you do so):
sudo kexec -e
WARNING: Running kexec -e on its own is like power-cycling your server: no process is given a chance to exit, file caches are not synchronized and file systems are not unmounted. It can cause data loss or corruption. Running sync first narrows the window but does not replace an orderly shutdown (umount -a cannot unmount a root file system that is in use), so prefer systemctl kexec, or a plain reboot on systems where kexec-tools is configured to handle reboots.
PRO: Faster boot. One-time install.
CONS: More finger work (and higher potential for error unless you script it well).
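Both of the procedures above leave two things for the administrator to work out by hand: whether the kernel that is running is actually the newest one installed (the command-line method), and which vmlinuz and initramfs to hand to kexec -l (the kexec method). The following script, added here as an example and not taken from the original article or from any distribution’s kexec-tools, does both. It assumes kernels live in /boot under the vmlinuz-<version> naming with a matching initramfs-<version>.img (RHEL/CentOS) or initrd.img-<version> (Debian/Ubuntu), a systemd-based system, and GNU sort; the BOOT variable and the check and kexec subcommands are my own names, not part of any tool.

```shell
#!/bin/sh
# Added example for this article (not the author's code and not from any
# distribution's kexec-tools): decide whether a kernel package update is still
# waiting for a reboot, and stage the newest installed kernel with "kexec -l"
# before handing the reboot to systemd, which does the orderly shutdown that
# a bare "kexec -e" skips.
#
# Assumptions (mine, not the article's): kernels are installed in /boot as
# vmlinuz-<version> with an initramfs named initramfs-<version>.img (RHEL and
# CentOS) or initrd.img-<version> (Debian and Ubuntu); the system runs
# systemd; GNU "sort -V" is available. BOOT can be overridden for testing.

# installed_kernels: print the version of every kernel image in $BOOT.
installed_kernels() {
    boot="${BOOT:-/boot}"
    for img in "$boot"/vmlinuz-*; do
        [ -f "$img" ] || continue
        name=${img##*/}
        printf '%s\n' "${name#vmlinuz-}"
    done
}

# newest_kernel: read versions on stdin, print the highest. Version sort gets
# 3.10.0-957 > 3.10.0-862.3.2 right where a plain lexical sort would not.
newest_kernel() {
    sort -V | tail -n 1
}

# reboot_needed RUNNING NEWEST: succeed when the running kernel is not the
# newest installed one, i.e. the update has not taken effect yet.
reboot_needed() {
    [ "$1" != "$2" ]
}

# initrd_for VERSION: print the initramfs path for VERSION (RHEL naming first,
# then Debian naming); fail if neither exists so we never kexec without one.
initrd_for() {
    boot="${BOOT:-/boot}"
    for candidate in "$boot/initramfs-$1.img" "$boot/initrd.img-$1"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# kexec_load_args VERSION: print the arguments that make kexec load VERSION,
# after checking that both the kernel image and its initramfs exist.
# --reuse-cmdline carries over root=, console= and the rest of the running
# kernel's command line so the new kernel boots the same way.
kexec_load_args() {
    boot="${BOOT:-/boot}"
    kernel="$boot/vmlinuz-$1"
    [ -f "$kernel" ] || { echo "no kernel image for $1" >&2; return 1; }
    initrd=$(initrd_for "$1") || { echo "no initramfs for $1" >&2; return 1; }
    printf '%s\n' "-l $kernel --initrd=$initrd --reuse-cmdline"
}

# check_reboot: report whether the running kernel is the newest installed one.
check_reboot() {
    running=$(uname -r)
    newest=$(installed_kernels | newest_kernel)
    if reboot_needed "$running" "$newest"; then
        echo "reboot pending: running $running, newest installed $newest"
        return 1
    fi
    echo "running the newest installed kernel ($running)"
}

# kexec_newest: stage the newest installed kernel and reboot into it through
# systemd, which stops services, syncs and unmounts before jumping to it.
kexec_newest() {
    newest=$(installed_kernels | newest_kernel)
    args=$(kexec_load_args "$newest") || return 1
    # shellcheck disable=SC2086  # splitting $args into words is intended
    sudo kexec $args && sudo systemctl kexec
}

# Usage: sh kexec-helper.sh check    (is a reboot pending?)
#        sh kexec-helper.sh kexec    (load the newest kernel and kexec into it)
case "${1:-}" in
    check) check_reboot; exit $? ;;
    kexec) kexec_newest; exit $? ;;
esac
```

Run sh kexec-helper.sh check after a package update; a non-zero exit means the running kernel is older than the newest one on disk. sh kexec-helper.sh kexec loads that newest kernel and goes through systemctl kexec, so services are stopped and file systems are unmounted before the jump, unlike a bare kexec -e.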
Update your kernel without rebooting
Yes, you read that correctly. There is a way to update the Linux kernel without rebooting.
There are times when security patching is super critical and you just must get it done. At the same time, the processes that need to stop when you reboot are equally critical. If you’re running an ‘always-on’ or ‘high-availability’ system, you’ll be familiar with this dilemma.
A rebootless kernel update means that you can ‘have your cake and eat it (too)’. Rebootless updates, also known as live kernel patching, are not a replacement for full kernel upgrades because they only apply patches for security vulnerabilities or critical bug fixes.
However, rebootless updates go a long way toward fixing vulnerabilities promptly. For the really urgent cases, patches for security vulnerabilities and critical bug fixes are all you need, and live patching lets you apply them without waiting for a maintenance window. With live patching it is possible to keep a server protected for long stretches without rebooting, but the reboot is deferred, not abolished: you still need one eventually to move to a new kernel version, and for the occasional fix that is too invasive to be applied live. Note also that a live patch changes the kernel in memory only; the kernel image on disk is unchanged, so the tools reapply their patches at boot and you should keep the kernel package updated as well.
Many leading Linux vendors offer a tool to achieve rebootless kernel updates. The tool you choose depends in part on the distribution you run and whether you already have a support contract in place with the vendor. In the rest of this article, we’ll talk about the following products:
- Ksplice by Oracle (for Oracle Linux updates, Ksplice Uptrack for enterprise users)
- kpatch by Red Hat (for RHEL kernel updates and CentOS updates)
- Livepatch by Canonical (for Ubuntu kernel updates)
- kGraft by SUSE (for SUSE updates only)
- KernelCare Enterprise (for all major Linux distributions)
Oracle Ksplice
Ksplice was the first commercially available implementation of rebootless kernel updates. Ksplice Inc. was acquired by Oracle in 2011 and the product is now only available (unsurprisingly) for Oracle Linux and Red Hat Enterprise Linux distributions. Deploying Ksplice requires a support subscription from Oracle, which can become expensive.
To deploy it, download the installer, inspect it (it runs as root), and run it once:
wget -N https://ksplice.oracle.com/uptrack/install-uptrack-oc
sudo sh install-uptrack-oc --autoinstall
You’ll note that there is no reboot command and that you only need to run the install script once in the lifetime of the server. After that, the Uptrack service will automatically detect new kernel updates and deploy the updates. There’s nothing more to do: no scheduling and no downtime.
PRO: No reboot required. Automatic updates.
CONS: Only for Oracle Linux and RHEL. Requires a support subscription.
Canonical Livepatch Service
Livepatch is Canonical’s technology for (guess what?) live patching kernels. (Canonical is the company behind the popular Ubuntu Linux distribution.) It builds on the kernel’s own livepatch infrastructure, so it is possible in principle to build your own patch modules, but that is difficult, time-consuming work. (Some vendors will create an Ubuntu upgrade kernel for you, for a fee.)
The Livepatch service is available for Ubuntu LTS releases from 16.04 onward. Livepatch is deployed like this, where the token comes from your Ubuntu Pro account:
sudo snap install canonical-livepatch
sudo canonical-livepatch enable [TOKEN]
Note: Livepatch is included free for personal use on up to 5 machines with a personal Ubuntu Pro subscription; commercial use requires a paid Ubuntu Pro subscription. On current releases you can also attach the machine with pro attach and then run pro enable livepatch. Either way, canonical-livepatch status shows whether the service is running and which patches have been applied.
PRO: No reboot required. Automatic kernel updates.
CONS: Building your own patches is non-trivial. Limited number of hosts on the free tier; additional hosts and commercial use require a paid subscription.
Red Hat kpatch
kpatch is Red Hat’s own kernel patching tool. It was announced in 2014 and, besides RHEL, is supported on the related Fedora, CentOS and Oracle Linux distributions as well as on Ubuntu, Debian and Gentoo.
Here’s an example of deploying it on RHEL 7:
sudo yum install kpatch
sudo yum install kpatch-patch-X.X.X.el7.x86_64.rpm
Unlike Ubuntu’s Livepatch service or Oracle’s Ksplice, it is not an automatic live patching service. You must fetch and install each new kpatch-patch package yourself (on recent RHEL releases they are delivered through the normal yum repositories, so a yum update picks them up once the first one is installed). kpatch list shows which patch modules are currently loaded and which are installed to be loaded at boot.
PRO: No reboot required.
CONS: Not automated. Works with a limited range of distributions.
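kpatch and Canonical Livepatch (the Livepatch section above) both load their patches through the kernel’s upstream livepatch core, so once a patch is loaded its state can be read from sysfs regardless of which tool installed it. The script below is an added example, not code from the article, from kpatch or from Canonical; it lists each loaded patch with its enabled and transition flags and reports whether every patch has fully taken effect. The LIVEPATCH_SYSFS override, the demo subcommand and the livepatch_demo_* names are mine; the sysfs layout it reads (enabled, transition, one subdirectory per patched object) is the kernel’s documented interface.

```shell
#!/bin/sh
# Added example for this article (not the author's code, not part of kpatch or
# Canonical Livepatch): read the kernel's own livepatch state from sysfs.
# kpatch and Canonical Livepatch both load patch modules through the upstream
# livepatch core, which exposes each loaded patch as
# /sys/kernel/livepatch/<patch>/ with an "enabled" flag (1 = active) and a
# "transition" flag (1 = tasks are still being migrated to the patched code),
# plus one subdirectory per patched object (vmlinux or a module name).
# Ksplice and KernelCare use their own mechanisms and do not appear here.
#
# Assumption (mine): LIVEPATCH_SYSFS may point at any directory with that
# layout; the "demo" mode builds a constructed one so this runs offline.

LIVEPATCH_SYSFS="${LIVEPATCH_SYSFS:-/sys/kernel/livepatch}"

# read_flag FILE: print the 0/1 value stored in FILE, or "?" if unreadable.
read_flag() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf '?'
    fi
}

# livepatch_list: one line per loaded patch:
#   <patch> enabled=<0|1> transition=<0|1> objects=<obj,obj,...>
livepatch_list() {
    for dir in "$LIVEPATCH_SYSFS"/*/; do
        [ -d "$dir" ] || continue
        name=${dir%/}; name=${name##*/}
        objects=""
        for obj in "$dir"*/; do
            [ -d "$obj" ] || continue
            o=${obj%/}; o=${o##*/}
            objects="${objects:+$objects,}$o"
        done
        printf '%s enabled=%s transition=%s objects=%s\n' "$name" \
            "$(read_flag "${dir}enabled")" "$(read_flag "${dir}transition")" \
            "${objects:-none}"
    done
}

# livepatch_healthy: succeed only if every loaded patch is enabled and has
# finished its transition. A patch that stays in transition means some task
# has not yet been switched over (typically one sleeping inside a patched
# function), so the old, unpatched code is still reachable for that task.
livepatch_healthy() {
    rc=0
    for dir in "$LIVEPATCH_SYSFS"/*/; do
        [ -d "$dir" ] || continue
        name=${dir%/}; name=${name##*/}
        if [ "$(read_flag "${dir}enabled")" != 1 ]; then
            echo "$name: loaded but not enabled" >&2; rc=1
        elif [ "$(read_flag "${dir}transition")" != 0 ]; then
            echo "$name: still in transition" >&2; rc=1
        fi
    done
    return $rc
}

# make_demo_tree DIR: constructed sysfs-like tree (not real patch data) with
# one fully applied patch and one still in transition.
make_demo_tree() {
    mkdir -p "$1/livepatch_demo_a/vmlinux" "$1/livepatch_demo_a/ext4" \
             "$1/livepatch_demo_b/vmlinux"
    printf '1\n' > "$1/livepatch_demo_a/enabled"
    printf '0\n' > "$1/livepatch_demo_a/transition"
    printf '1\n' > "$1/livepatch_demo_b/enabled"
    printf '1\n' > "$1/livepatch_demo_b/transition"
}

# Usage: sh livepatch-state.sh check   (inspect the real /sys/kernel/livepatch)
#        sh livepatch-state.sh demo    (run against the constructed tree)
case "${1:-}" in
    check) livepatch_list; livepatch_healthy; exit $? ;;
    demo)  LIVEPATCH_SYSFS=$(mktemp -d); make_demo_tree "$LIVEPATCH_SYSFS"
           livepatch_list; livepatch_healthy; exit $? ;;
esac
```

A patch that keeps reporting transition=1 is the case to investigate: some task has not yet been migrated and is still executing the unpatched code. The kernel exposes a force attribute in the same directory for that situation; it is documented as a last resort and should not be part of routine automation.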
SUSE kGraft
Developed and announced at almost the same time as Red Hat’s solution, kGraft is SUSE’s live patching technology, sold as SUSE Linux Enterprise Live Patching. kGraft itself is specific to SUSE Linux Enterprise Server 12; the extension is enabled by registering it on an existing SLES system, so there is nothing to install beyond the subscription. (SLE 15 keeps the same product but uses the kernel’s upstream livepatch infrastructure, into which the ideas from kGraft and kpatch were merged.) It works on a different principle than most other approaches, but has a feature set comparable to kpatch.
PRO: No installation needed. No reboot required.
CONS: Single platform support. Commercial (but there is a 60-day free trial).
KernelCare Enterprise
KernelCare, created by CloudLinux in 2014 and now offered under CloudLinux’s TuxCare brand, stands out from the kernel patching solutions we covered so far for two reasons. First, KernelCare covers a wide range of Linux distributions including CentOS, RHEL (as early as RHEL 6), Oracle Linux, Debian, Ubuntu, and many more. Next, KernelCare is more affordable compared to subscribing to a vendor-specific support contract like those listed above.
Here’s how to install KernelCare (the installer is run as root, so download and read it first if your change process requires it):
wget -qq -O - https://kernelcare.com/installer | bash
sudo /usr/bin/kcarectl --register <your key>
KernelCare is an ‘install and forget’ solution. Once installed, KernelCare automatically downloads and applies new kernel security patches without rebooting the server.
But, in contrast to its closest competitors, KernelCare can handle many of the more complex patches that are required for vulnerabilities including the famous Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715) vulnerabilities.
You benefit from a rich feature set too, as KernelCare supports custom patch configurations, fixed-date patches, delayed patches, and rebootless rollbacks that allow you to remove a patch without rebooting.
Like the other vendors considered here, KernelCare also springs from a strong Linux pedigree: KernelCare was created by CloudLinux, the leading vendor for a Linux OS dedicated to web hosting.
PRO: Easy install. No reboot required. Wide OS coverage (including one of the most popular Linux flavors, Ubuntu). Supports custom and fixed-date patching. Good support and industry know-how from TuxCare.
CONS: Commercial subscription.
Which method should you use?
Updating the kernel is relatively painless using the standard command line tools, but only if your server is non-critical and only if your users can tolerate it going offline for a period.
If you’re running an always-on system, or if you can’t or don’t want to reboot, you need to consider live kernel patching solutions. Of these, there are three kinds:
- Administered: you trigger rebootless patching yourself. E.g. kpatch, kGraft
- Fully automatic: rebootless patching happens automatically. E.g. Livepatch, Ksplice
- Fully automatic, advanced multi-platform: it does it for you, also handles advanced threats, and works on all popular Linux distributions. E.g. KernelCare Enterprise
In many cases, particularly where you’re reliant on different Linux distributions and where you don’t have a vendor support contract, KernelCare Enterprise would be worth a look.
If you want to learn more about live patching technology and how it enables your infrastructure security, you can read some of our most popular blog posts:
- What is Linux Kernel Live Patching?
- KernelCare fixes Meltdown and Spectre without reboots!
- The Many Faces of Patching
- Why Live Patching Is a Game-Changing Cybersecurity Tool
- Custom Kernel Patching with Rebootless Updates