Canonical does a solid job of live patching, but is temporary patching the right solution for you – and is it worth the relatively high fees? Besides, what about your other Linux distributions?
Live patching is the best way to install security updates for your Linux systems. With live patching, you can put in place the latest security fixes for kernel vulnerabilities – but without the need to reboot the system to apply the patch. That means you don’t need to plan a maintenance window and that your systems remain secure more consistently.
That’s why, just like other major Linux vendors, Canonical decided to develop a live patching tool for Ubuntu, called Livepatch. However, Livepatch has two key flaws in the way that it works – and it’s a relatively expensive option.
As an alternative, you might want to think about TuxCare’s KernelCare Enterprise. Let’s take a deep dive into the differences between the two tools.
Live Linux kernel patching has been around for over a decade, with the first workable solution emerging at MIT in 2009. It was called KSplice. The team at CloudLinux quickly followed with KernelCare, and many major Linux vendors have produced live patching tools in the meantime. For Ubuntu users, there is Livepatch to provide security updates.
For all live patching tools the premise is essentially the same, although the difference between temporary patching and persistent patching matters; we cover that in the next section. The Livepatch tool takes a live, running Linux kernel and replaces the affected code on the fly: one moment there is a kernel vulnerability, the next moment the kernel runs safe code, and there is no need to restart.
When you go through the motions of getting your livepatch token and deploy the snap package for it, it means that your sysadmin team does not have to schedule a maintenance window and wait for downtime before applying a patch. Patches are applied consistently and without delay which means there’s a smaller window of time where systems are vulnerable.
All live patching tools are not the same – and one of the key differences is the way in which critical kernel patches are applied. There are two routes: temporary and persistent patching. Also called dynamic kernel patching, temporary patching uses a special technique to graft a patch onto the kernel – but the patch is not integrated fully.
Canonical Ltd.’s Ubuntu Livepatch makes use of the temporary patching technique when applying kernel updates, and at some point sysadmins need to restart the machine to fully integrate that patch – so disruptive restarts are eventually required. So, while temporary patching brings us a long way towards running safe and secure workloads, it’s still not ideal. The rub here comes from the possible interactions between subsequent patches affecting the same code – and that’s very tricky to get right, as the number of possible combinations of already deployed (or not) patches to a given code section can quickly grow. That’s where persistent patching comes in.
Persistent patching takes a different approach because every kernel patch is fully integrated on the fly, with no restarts ever needed to complete patching. Patches are cumulative – in other words, instead of applying one patch on top of another, all fixes are included in the binary in one go. Persistent patching achieves the important goal of fully removing the need for reboots and reduces downtime to the maximum possible extent.
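As an added example (not code from TuxCare, Canonical or the Livepatch service), here is a POSIX shell check a sysadmin can run to see what the kernel's own livepatch interface reports and whether a reboot is still outstanding; it assumes the generic `/sys/kernel/livepatch/<patch>/{enabled,transition}` layout and Ubuntu's `/var/run/reboot-required` marker, and takes an optional directory argument so the logic can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example, not vendor code. Inventories the live patches the running
# kernel has loaded and reports whether a reboot is still pending.
# Assumed interfaces: /sys/kernel/livepatch/<patch>/enabled and /transition
# (generic kernel livepatch sysfs) and /var/run/reboot-required (Ubuntu).

# Print one line per loaded patch module: "<name> enabled=<0|1> transition=<0|1>".
# $1 overrides the sysfs root (defaults to the live host).
list_livepatches() {
    root="${1:-/sys/kernel/livepatch}"
    [ -d "$root" ] || { echo "no livepatch sysfs at $root"; return 1; }
    for p in "$root"/*/; do
        [ -d "$p" ] || continue
        name=$(basename "$p")
        enabled=$(cat "$p/enabled" 2>/dev/null || echo "?")
        transition=$(cat "$p/transition" 2>/dev/null || echo "0")
        echo "$name enabled=$enabled transition=$transition"
    done
}

# Number of enabled patch modules. Under a temporary-patching scheme each
# fix is its own module, so this count grows until the next reboot.
count_enabled() {
    list_livepatches "$1" | grep -c 'enabled=1' || true
}

# Succeeds (exit 0) if any patch is still mid-transition, i.e. not every
# task has switched to the patched code yet.
any_in_transition() {
    list_livepatches "$1" | grep -q 'transition=1'
}

# Succeeds (exit 0) if the distro's reboot-required marker exists.
reboot_pending() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# Human-readable summary for the live host.
report() {
    list_livepatches "$1"
    echo "enabled patches: $(count_enabled "$1")"
    any_in_transition "$1" && echo "WARNING: a patch is still in transition"
    reboot_pending "$2" && echo "WARNING: reboot required to finish patching"
    return 0
}
```

Run `report` on a host to get the summary; a non-zero `count_enabled` together with a pending reboot is exactly the state the text describes for temporary patching.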
Most managed live kernel patching tools work only for a specific Linux distribution, and that’s the case for Canonical Ubuntu Livepatch too, which only supports Ubuntu systems, and only 4.4 and newer kernels. That’s fine if your entire workload is based on the latest Ubuntu distributions – but it won’t cover you for other Linux distributions. As some Linux distributions are better tailored for some scenarios, it is common to find multiple distributions running in a given organisation, each fulfilling a different role. Thus Livepatch would only partially cover your live patching needs.
KernelCare Enterprise on the other hand supports a much wider range of distributions, including kernel live patching for RHEL, Debian, CentOS and so forth (in fact, covering over 40 different Enterprise grade Linux distributions, and well over 4000 distribution+kernel version combinations). It’s a one-stop solution which means you don’t need to run multiple live patching solutions to cover all of your Linux-based systems.
Canonical’s Ubuntu Livepatch isn’t the most expensive live patching solution for critical kernel patches, but it isn’t the cheapest either. You can’t get Livepatch as a separate product; it’s only included as part of an Ubuntu Advantage subscription, which users sign up for using their Ubuntu One accounts.
Pricing is a bit complex and depends on whether you run a physical server or virtual machines, but it starts from $75 per machine per year, up to $2,500 per machine per year. TuxCare’s KernelCare Enterprise is less than $60 per server per year.
| | Canonical Ubuntu Livepatch | KernelCare Enterprise Live Patching |
|---|---|---|
| Supported distributions | Ubuntu LTS 14.04, 16.04, 18.04, 20.04, 22.04 | Ubuntu LTS 14.04, 16.04, 18.04, 20.04, 22.04, as well as Red Hat, Oracle, AlmaLinux and many others |
| Architectures | x86-64 | x86-64, arm64 |
| Coverage | Linux kernel | Linux kernel & critical userspace (glibc & openssl) |
| Vulnerabilities patched | Subset of High & Critical | All |
| Kernel patching lifetime | 3-6 months | Practically unlimited |
| Custom patches | No | Yes (contact us for special versions or configurations) |
| QEMU patching | No | Yes |
| Database patching | No | Yes |
| 24/7 support | Yes, with a paid subscription | Yes, online, 24/7/365 with different priorities for different subscriptions |
| Patchset distribution | Each patch represented as a separate kernel module | Single patchset for all patches |
| API available? | Yes | Yes |
| Roll-back functionality | No | Yes, rebootless |
| Available for new clients? | Only Ubuntu clients | Yes, and more than 40 distributions supported |
| Type of patching | Temporary | Persistent |
| Add-ons | – | Custom patches, QEMU, Database patching |
| Cost of live patching | Included as part of all Ubuntu Advantage for Infrastructure support packages ($225-$1,500/machine/year on physical servers, $75-$500/machine/year on VMs) | $59.50 per year, per system. Different add-ons can be included in the subscription. Bulk pricing is available. |
If you’re already using Livepatch you can effortlessly switch to KernelCare, bringing all your Linux distributions under a single live patching remit. Installing KernelCare is simple: all you need to do is run a short script on the command line – no more difficult than enabling Canonical Livepatch.
Just like when you install the Livepatch tool, KernelCare simply runs in the background, never disrupting your operation. Thanks to KernelCare’s persistent patching methodology that single script is all you need to virtually eliminate patching-related restarts – unlike the Livepatch service on Ubuntu, which requires occasional restarts.
If you’re just running Ubuntu systems, it really comes down to cost and your ability to accommodate ongoing reboot-related disruptions to integrate critical kernel patches. Only use Ubuntu, and need to subscribe to Ubuntu Advantage anyway? Then yes, Livepatch kernel live patching may be a sensible option – depending on how disruptive the Livepatch temporary patching regime is.
On the other hand, if you don’t need all the frills of an Ubuntu Advantage subscription, then using KernelCare could mean significant savings. Rely on a variety of Linux distributions – and not just Ubuntu? Livepatch won’t cover your non-Ubuntu machines and you can’t force Livepatch to work on RHEL, for example. You should also consider KernelCare if the Livepatch requirements for occasional restarts cause problems with your workloads and if you need to reduce downtime.
Tell us your challenges and our experts will help you find the best approach to address them with the TuxCare product line.