Live Patching Linux On AWS EC2 - TuxCare

June 18, 2020


CloudLinux is an Amazon Web Services (AWS) Advanced Technology Partner, and our live patching system, KernelCare, is currently being used to patch AWS Elastic Compute Cloud (EC2) systems.

How does KernelCare patch Linux kernels on AWS EC2 servers? Read on to find out. 

EC2: A Unique Environment

 

Amazon uses its own Graviton2 ARM64 processors on many of its EC2 instance types. It does this because these chips, custom-built by AWS using 64-bit ARM Neoverse cores, offer more flexibility, versatility, and better performance. 

 

These new-generation processors power Amazon EC2 M6g, C6g, and R6g instances. Compared to Amazon’s first-generation Graviton chips, they deliver even better performance. They contain four times as many cores, memory that’s five times faster, and caches that are twice as large, all of which enable them to be seven times faster.

Whether the OS is Amazon Linux 2, Ubuntu, RHEL, CentOS, Fedora, Debian, or others, Amazon EC2 instances use the Graviton2 processors. In these instances, the chips power a wide variety of workloads that include application servers, micro-services, high-performance computing, electronic design automation, open-source databases, and in-memory caches.

 

Within EC2, the Graviton2 processors also power video encoding workloads, hardware acceleration for compression workloads, and support for CPU-based machine learning inference.

 

KernelCare In EC2

 

Does KernelCare do anything differently to patch kernels on EC2 servers with Graviton2 processors? No, because it doesn’t have to. Last year, the KernelCare team successfully created a proof-of-concept for live patching systems powered by ARM processors, and today KernelCare works the same way with any server that uses an ARM processor. 

 

From Raspberry Pi to IoT devices and edge gateways to enterprise servers, any device with an ARM chip can have its Linux kernel patched by KernelCare. This includes Amazon EC2 instances, on which KernelCare functions in its usual way, delivering security patches through its three components:

 

  1. Patch Server
    A patch server stores patches for each kernel version. It can be accessed directly, or through a firewall. It can be a dedicated cloud server, or one that runs in-house.

  2. Agent Program
    A small agent program installed on the device or instance to be patched periodically checks the patch server for new patches at specified intervals.

  3. Kernel Module
    When instructed by the agent, a kernel module handles the patching, pausing and restarting the kernel’s processes to perform the patch in memory.


KernelCare patches are custom-built for each supported kernel version, and distributed as atomic binary packages. Each is GPG-key signed for security.

 

Unlike with traditional update tools, such as yum and apt-get, KernelCare patches the Linux kernel as a binary in memory. There’s no need to stop or restart the device or refresh instances. 

 

During the live patching process, changes happen so quickly that users and applications can’t detect them being made. From the perspective of a user or server, the kernel never stops. 


 

Using EC2? Contact Us

 

To sum up, KernelCare works seamlessly on AWS EC2 servers. If your organization is running an EC2 instance, KernelCare provides an effective way to keep its server kernels updated and secure. 

 

To talk with a consultant about how to get started with KernelCare on EC2, contact the KernelCare team at [email protected]. With our 7-day free trial, you can evaluate it free of charge, and we offer assistance with installation as well. 


More content from KernelCare and AWS

  1. Webinar recording: Live Patching Linux Kernel Vulnerabilities in Scalable Hosting Environments
  2. KernelCare is available for purchase on AWS Marketplace
  3. KernelCare is the Advanced Technology Partner at AWS for Live Patching
