KernelCare: The Distribution-Agnostic Approach to Live Kernel Patching
Once you’ve made the wise decision to switch from regularly rebooting your servers to live patching your Linux kernel, you have some decisions to make. There are a few different providers of live patching. Which is best for your server fleet?
One strong option is KSplice. KSplice offered the first commercially-available implementation of rebootless kernel updating. The brainchild of a group of MIT students, the company was acquired by Oracle in 2011. KSplice has a lot in common with KernelCare. At its core, it is an extension of the Linux kernel that allows patches to be applied “hot” to a running kernel, without the need to reboot any servers – reducing downtime, and increasing security compliance.
The 2011 Oracle acquisition is at the root of the big difference between KernelCare and KSplice. When Oracle acquired KSplice, they decided that it would only be available on Oracle Linux and Red Hat Enterprise Linux distributions, and that the deployment would need a license from Oracle.
Oracle offers a brilliant suite of products and platforms, and many users don’t require anything beyond Oracle Linux and Red Hat Enterprise Linux distributions. If this is you, then KSplice is a strong option. KSplice is easy to deploy, with a single install script for the lifetime of a server, and it works very well.
If you have a more varied distribution approach, though, then KernelCare might be the better option. KernelCare is distribution-agnostic. It supports Oracle Linux kernels, as well as Red Hat Enterprise Linux (RHEL), CentOS, Debian, Ubuntu, and others. And it doesn’t require an Oracle support license. KernelCare security-patches kernels on all platforms, without being bound to any distribution.
And we do this with a novel approach to writing patches. Stack patching – where each new patch is layered on top of the last one – has been known to slowly degrade performance and stability over time. At KernelCare, we avoid this trap by creating a new atomic patch binary every single time.
What’s more, KernelCare offers a more flexible pricing structure. We don’t lock customers into long contracts, and we’re happy to let people trial KernelCare before they make a call.
Live kernel patching independent of the distribution
If you’re faithful to Oracle, then KSplice is probably all you need. But if you need live kernel patching independent of the distribution, you might consider a switch. We’ve made it very easy to complete the move.
First, get a trial license key from https://kernelcare.com/free-trial
Next, download this script:
$ wget https://downloads.kernelcare.com/ksplice2kcare
Then run the script with your license key:
$ bash ksplice2kcare _YOUR_KERNELCARE_KEY_
If you are using IP-based licenses, run:
$ bash ksplice2kcare IP
(The script checks for the two letters “IP” and assumes an IP-based license in this case.)
And you’re all done! Distribution-agnostic live kernel patching is yours. (The completed log file can be found at /var/log/ksplice2kcare.com.)