Comparing KernelCare Enterprise to Canonical Livepatch

Canonical does a solid job of live patching, but is it worth the relatively high fees? Besides, what about your other Linux distributions?

Live patching is the best way to install security updates for your Linux systems. With live patching, you can put in place the latest security fixes for kernel vulnerabilities – but without the need to reboot the system to apply the patch. That means you don’t need to plan a maintenance window and that your systems remain secure more consistently.

That’s why, just like other major Linux vendors, Canonical decided to develop a live patching tool for Ubuntu, called Livepatch. However, Livepatch has two key flaws in the way that it works – and it’s a relatively expensive option.

As an alternative, you might want to think about TuxCare’s KernelCare Enterprise. Let’s take a deep dive into the differences between the two tools.

Contents:

  1. What is Canonical Livepatch?
  2. Kernel Patching Lifetime
  3. Vulnerability Coverage
  4. Rollback Functionality
  5. Supported Linux Kernels
  6. Cost Comparison Between Canonical Livepatch and KernelCare
  7. Transitioning from Canonical Livepatch to KernelCare
  8. Conclusion

What is Canonical Livepatch?

Live Linux kernel patching has been around for over a decade, with the first workable solution emerging at MIT in 2009. It was called Ksplice. The team at CloudLinux quickly followed with KernelCare, which is now offered by TuxCare, and many major Linux vendors have produced live patching tools as well. For Ubuntu users, in addition to KernelCare Enterprise from TuxCare, there is Canonical’s Livepatch to provide security updates.

For all live patching tools the premise is essentially the same, though the difference between temporary patching and persistent patching matters; we cover that in the next section. The Livepatch tool takes live, running Linux kernels and replaces affected code on the fly – one moment there is a kernel vulnerability, the next moment it runs safe code, and there is no need to restart.

Once you have obtained your Livepatch token and deployed the snap package for it, your sysadmin team no longer has to schedule a maintenance window and wait for downtime before applying a patch. Patches are applied consistently and without delay, which means there is a smaller window of time during which systems are vulnerable.

Kernel Patching Lifetime

Canonical has a sliding support window of 13 months for every version revision of the GA kernels of all its Ubuntu LTS releases. If you have not rebooted your system in 13 months and want to continue using Livepatch, you will need to install the latest kernel update and then reboot. This will bring you to a new revision of that same kernel version. This will also restart the clock for another 13 months of Livepatch support for that version. If your maintenance windows are longer than 13 months, you will need to adjust them to ensure that you continue to receive live patches for that particular kernel version.

KernelCare Enterprise offers live patches with a practically unlimited time frame – in fact, there is no restriction related to time between reboots. This allows you to enjoy continuous protection for your existing kernels without being bound by Ubuntu’s release schedule when planning your maintenance windows.
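As an added example (not code from Canonical or TuxCare), the following POSIX shell check flags hosts whose time since the last reboot is approaching or past the 13-month Livepatch window described above, so they can be scheduled for a kernel update and reboot before coverage lapses. It assumes 13 months is approximately 396 days and that the window is measured from the last boot, as the section states.

```shell
#!/bin/sh
# Added example, not vendor code: flag hosts nearing the end of the
# 13-month Livepatch support window, measured from the last boot.
# Assumption: 13 months is approximated as 396 days.

WINDOW_DAYS=396          # approximation of 13 months
WARN_DAYS=30             # warn when this many days or fewer remain

# uptime_days [uptime_seconds]
# Prints whole days since boot. Reads /proc/uptime when no argument is given.
uptime_days() {
    secs="$1"
    if [ -z "$secs" ]; then
        secs=$(cut -d. -f1 /proc/uptime)
    fi
    echo $(( secs / 86400 ))
}

# livepatch_window_status [uptime_seconds]
# Prints "STATUS days_up days_left" and returns 0 (OK), 1 (WARN) or 2 (EXPIRED),
# so the exit code can drive fleet inventory or alerting.
livepatch_window_status() {
    up=$(uptime_days "$1")
    left=$(( WINDOW_DAYS - up ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED $up $left"; return 2
    elif [ "$left" -le "$WARN_DAYS" ]; then
        echo "WARN $up $left"; return 1
    fi
    echo "OK $up $left"; return 0
}

# Stand-alone use: ./livepatch_window.sh --report [uptime_seconds]
if [ "${1:-}" = "--report" ]; then
    livepatch_window_status "${2:-}"
    exit $?
fi
```

Run it from a configuration-management job across the fleet and act on any host returning a non-zero status.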

Vulnerability Coverage

Canonical does not use any commonly used external rating system (e.g., CVSS scoring) and assigns CVE severity levels based on its own criteria. So Livepatch, which provides patches for high- and critical-severity CVEs, may address only a subset of the vulnerabilities that the commonly used external rating systems would rate as high or critical.

At the same time, Livepatch does not address lower-priority security fixes that may be important to your specific circumstances. This can be important because a medium-severity kernel vulnerability may have different implications depending on the specific use case, the nature of the systems involved, and the potential impact on the environment. For example, such a vulnerability, affecting systems directly exposed to the internet, might be considered more urgent than the same vulnerability appearing in isolated internal networks.

KernelCare Enterprise delivers live patches for every vulnerability the vendor addresses that poses a threat of exploitation. It even provides live patches for vulnerabilities that the vendor does not address but that still impact a large number of systems or are known to be actively exploited in the wild 1.

Rollback Functionality

Should a system administrator choose to, for whatever reason, KernelCare Enterprise allows any patch to be rolled back – a process that also doesn’t involve reboots. This can be particularly useful in situations where the patch has a considerable negative impact on a system’s performance (e.g., Spectre/Meltdown fixes) and there are other mitigations available. Canonical, on the other hand, does not support rebootless rollback functionality. This may cause costly service disruptions compromising the main benefit of live patching.

If a patch doesn’t work as expected, it’s nice to know you can easily revert to an older kernel if you need to. With KernelCare Enterprise, you can always roll back all applied changes by running a special command that does not require your system to be rebooted – removing the disruption from a potential rollback, which Livepatch cannot provide.

Supported Linux Kernels

Most managed live kernel patching tools work only for a specific Linux distribution, and that’s the case for Canonical Ubuntu Livepatch too, which only supports Ubuntu systems, and only 4.4 and newer kernels. That’s fine if your entire workload is based on the latest Ubuntu distributions – but it won’t cover you for other Linux distributions. As some Linux distributions are better tailored for some scenarios, it is common to find multiple distributions running and fulfilling different roles in a given organization. Thus Livepatch would only partially cover your live patching needs.

KernelCare Enterprise, on the other hand, supports a much wider range of distributions, including kernel live patching for RHEL, Debian, Oracle Linux, AlmaLinux, Amazon Linux, and so forth (in fact, covering over 40 different versions of enterprise-grade Linux distributions, and well over 4000 distribution+kernel version combinations). It’s a one-stop solution, which means you don’t need to run multiple live patching solutions to cover all of your Linux-based systems.

Cost Comparison Between Canonical Livepatch and KernelCare

Canonical’s Ubuntu Livepatch isn’t the most expensive live patching solution for critical kernel patches, but it isn’t the cheapest either. You can’t get Livepatch as a separate product; it’s only included as part of an Ubuntu Pro subscription, which users sign up for using their Ubuntu One accounts.

Pricing starts from $225 per machine per year, up to $3,400 per machine per year. TuxCare’s KernelCare Enterprise is less than $60 per server per year.

| | Canonical Ubuntu Livepatch | KernelCare Enterprise Live Patching |
|---|---|---|
| Supported distributions | Ubuntu LTS 14.04, 16.04, 18.04, 20.04, 22.04 | Ubuntu LTS 14.04, 16.04, 18.04, 20.04, 22.04, as well as Red Hat, Oracle, AlmaLinux and many others |
| Architectures | x86-64 | x86-64, arm64 |
| Coverage | Linux kernel | Linux kernel & critical userspace (glibc & openssl) |
| Vulnerabilities patched | Subset of High & Critical | All |
| Kernel patching lifetime | 13 months | Practically unlimited |
| Custom patches | No | Yes (contact us for special versions or configurations) |
| QEMU patching | No | Yes |
| Database patching | No | Yes |
| 24/7 support | Yes, with a paid subscription | Yes, online, 24/7/365 with different priorities for different subscriptions |
| Patchset distribution | Single patchset for all patches | Single patchset for all patches |
| API available? | Yes | Yes |
| Roll-back functionality | Yes, with a reboot | Yes, rebootless |
| Available for new clients? | Only Ubuntu clients | Yes, and more than 60 distro versions supported |
| Type of patching | Persistent | Persistent |
| Add-ons | | Custom patches, QEMU, Database patching |
| Cost of live patching | Included as part of all Ubuntu Pro packages ($225-$3,400/machine/year). | $49.50 per year, per system. Different add-ons can be included in the subscription. Bulk pricing is available. |

Transitioning from Canonical Livepatch to KernelCare

If you’re already using Livepatch, you can effortlessly switch to KernelCare, bringing all your Linux distributions under a single live patching remit. Installing KernelCare is simple: all you need to do is run a short script on the command line – no more difficult than enabling Canonical Livepatch.

Just like the Livepatch tool, KernelCare simply runs in the background, never disrupting your operation. Thanks to KernelCare’s persistent patching methodology, that single script is all you need to virtually eliminate patching-related restarts – unlike the Livepatch service on Ubuntu, which requires occasional restarts.

Conclusion

If you’re just running Ubuntu systems, it really comes down to cost and your ability to accommodate ongoing reboot-related disruptions to integrate critical kernel patches. Only using Ubuntu, and need to subscribe to Ubuntu Pro anyway? Then yes, Livepatch kernel live patching may be a sensible option – depending on how disruptive the Livepatch temporary patching regime is.

On the other hand, if you don’t need all the frills of an Ubuntu Pro subscription, then using KernelCare could mean significant savings. Relying on a variety of Linux distributions – and not just Ubuntu? Livepatch won’t cover your non-Ubuntu machines and you can’t force Livepatch to work on RHEL, for example. You should also consider KernelCare if the Livepatch requirements for occasional restarts cause problems with your workloads and if you need to reduce downtime.
