Comparing KernelCare Enterprise to Canonical Livepatch

Canonical does a solid job of live patching, but is temporary patching the right solution for you – and is it worth the relatively high fees? Besides, what about your other Linux distributions?

Live patching is the best way to install security updates for your Linux systems. With live patching, you can put in place the latest security fixes for kernel vulnerabilities – but without the need to reboot the system to apply the patch. That means you don’t need to plan a maintenance window and that your systems remain secure more consistently.

That’s why, just like other major Linux vendors, Canonical decided to develop a live patching tool for Ubuntu, called Livepatch. However, Livepatch has two key flaws in the way that it works – and it’s a relatively expensive option.

As an alternative, you might want to think about TuxCare’s KernelCare Enterprise. Let’s take a deep dive into the differences between the two tools.

Contents:

  1. What is Canonical Livepatch?
  2. Comparing Temporary and Persistent Patching
  3. Supported Linux Kernels
  4. Cost Comparison Between Canonical Livepatch and KernelCare
  5. Transitioning from Canonical Livepatch to KernelCare
  6. Conclusion

What is Canonical Livepatch?

Live Linux kernel patching has been around for over a decade, with the first workable solution, Ksplice, emerging at MIT in 2009. The team at CloudLinux quickly followed with KernelCare, and many major Linux vendors have produced live patching tools since. For Ubuntu users, Livepatch provides security updates.

For all live patching tools the premise is essentially the same, though the difference between temporary and persistent patching matters; we cover that in the next section. The Livepatch tool takes the live, running Linux kernel and replaces affected code on the fly – one moment there is a kernel vulnerability, the next moment the kernel runs safe code, and there is no need to restart.

Once you have obtained your Livepatch token and deployed the snap package, your sysadmin team no longer has to schedule a maintenance window and wait for downtime before applying a patch. Patches are applied consistently and without delay, which means there’s a smaller window of time during which systems are vulnerable.

Comparing Temporary and Persistent Patching

Not all live patching tools are the same – and one of the key differences is the way in which critical kernel patches are applied. There are two routes: temporary and persistent patching. Also called dynamic kernel patching, temporary patching uses a special technique to graft a patch onto the kernel – but the patch is not fully integrated.

Canonical Ltd.’s Ubuntu Livepatch uses the temporary patching technique when applying kernel updates, so at some point sysadmins need to restart the machine to fully integrate the patch – disruptive restarts are eventually required. So, while temporary patching brings us a long way towards running safe and secure workloads, it’s still not ideal. The rub comes from the possible interactions between subsequent patches affecting the same code – that is very tricky to get right, as the number of possible combinations of already deployed (or not) patches to a given code section can quickly grow. That’s where persistent patching comes in.

Persistent patching takes a different approach because every kernel patch is fully integrated on the fly, with no restarts ever needed to complete patching. Patches are cumulative – in other words, instead of applying one patch on top of another, all fixes are included in the binary in one go. Persistent patching achieves the important goal of fully removing the need for reboots and reduces downtime to the maximum possible extent.
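A defender-side check, added here and not code from TuxCare or Canonical, that lists the live patches the running kernel currently carries and flags whether a reboot is still pending, which is the state temporary patching leaves a host in. It assumes the upstream kernel livepatch sysfs interface (/sys/kernel/livepatch) that Canonical Livepatch uses; a vendor shipping its own patching module may report state elsewhere, and the kernel version strings are passed in so the check can run offline.

```shell
#!/bin/sh
# Added example, not code from TuxCare or Canonical. Reads the upstream kernel
# livepatch interface (/sys/kernel/livepatch), which Canonical Livepatch uses;
# a vendor with its own patching module may expose state elsewhere.

# Print one line per loaded live patch under $1 (default /sys/kernel/livepatch):
#   <patch> enabled=<0|1> transition=<0|1>
# transition=1 means tasks are still being migrated onto the patched code.
list_livepatches() {
    dir="${1:-/sys/kernel/livepatch}"
    [ -d "$dir" ] || { echo "no livepatch interface at $dir" >&2; return 1; }
    for p in "$dir"/*/; do
        [ -d "$p" ] || continue
        printf '%s enabled=%s transition=%s\n' "$(basename "$p")" \
            "$(cat "$p/enabled" 2>/dev/null || echo '?')" \
            "$(cat "$p/transition" 2>/dev/null || echo '?')"
    done
}

# Count loaded patches that are still in transition (prints 0 when none).
count_in_transition() {
    list_livepatches "$1" | grep -c 'transition=1' || true
}

# Succeed (exit 0) when a reboot is still pending: a patch is mid-transition,
# or the running kernel ($2) is not the newest installed kernel ($3).
# On a live host pass "$(uname -r)" and the newest /boot/vmlinuz-* version.
reboot_pending() {
    dir="$1"; running="$2"; newest="$3"
    [ "$(count_in_transition "$dir")" -gt 0 ] && return 0
    [ "$running" != "$newest" ]
}

# Usage on a live host (commented out so the script is safe to source):
# list_livepatches
# reboot_pending /sys/kernel/livepatch "$(uname -r)" "<newest installed>" \
#     && echo "reboot pending" || echo "no reboot pending"
```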

Supported Linux Kernels

Most managed live kernel patching tools work only for a specific Linux distribution, and that’s the case for Canonical Ubuntu Livepatch too: it only supports Ubuntu systems, and only 4.4 and newer kernels. That’s fine if your entire workload is based on the latest Ubuntu distributions – but it won’t cover you for other Linux distributions. As some Linux distributions are better tailored for some scenarios, it is common to find multiple distributions fulfilling different roles in a given organisation. Thus Livepatch would only partially cover your live patching needs.

KernelCare Enterprise, on the other hand, supports a much wider range of distributions, including kernel live patching for RHEL, Debian, CentOS and so forth (in fact, covering over 40 different enterprise-grade Linux distributions and well over 4000 distribution+kernel version combinations). It’s a one-stop solution, which means you don’t need to run multiple live patching solutions to cover all of your Linux-based systems.

Cost Comparison Between Canonical Livepatch and KernelCare

Canonical’s Ubuntu Livepatch isn’t the most expensive live solution for critical kernel patches, but it isn’t the cheapest either. You can’t get Livepatch as a separate product; it’s only included as part of an Ubuntu Advantage subscription, which users sign up for using their Ubuntu One accounts.

Pricing is a bit complex and depends on whether you run a physical server or virtual machines, but it starts from $75 per machine per year, up to $2,500 per machine per year. TuxCare’s KernelCare Enterprise is less than $50 per machine per year.

| Feature | Canonical Ubuntu Livepatch | KernelCare Enterprise Live Patching |
|---|---|---|
| Supported distributions | Ubuntu 14.04, 16.04 LTS (only 4.4 and newer kernels) | Amazon Linux 1 & 2; Debian 7, 8, 9 & 10; CentOS 6, 6 Plus, 7, 7 Plus; Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS & 20.04 LTS; CloudLinux OS 6, 6 Hybrid, 7 & 8; RHEL 6, 7 & 8; OpenVZ & Virtuozzo; Proxmox VE 2.x, 3.x & 4.x; Xen4CentOS 6 & 7; Oracle UEK 3, 4 & 5; Oracle Linux 6, 7 & 8; Yocto; Ubuntu Core |
| Supports kernels older than 3.10 | No | Yes |
| User space patching | No | Yes (OpenSSL & Glibc) |
| Custom patches | No | Yes (contact us for special versions or configurations) |
| QEMU patching | No | Yes |
| IoT patching | No | Yes |
| SAP Applications patching | No | No |
| Database patching | No | Yes |
| 24/7 support | Yes, with a paid subscription | Yes, online and telephone, 24/7/365 with different priorities for different subscriptions |
| Patchset distribution | Single patchset for all patches | Single patchset for all patches |
| Release timing | Matches Ubuntu release cycles | Before or shortly after upstream distribution |
| 32-bit support | No | Custom |
| API available | Yes | Yes |
| Roll-back functionality | No | Yes, rebootless |
| Works behind a firewall | Yes | Yes |
| 64-bit support | Yes | Yes |
| Available for new clients | Only Ubuntu clients | Yes, and more than 40 distributions supported |
| Discounts / trial period | Canonical Livepatch is free for personal use (up to 3 machines, or up to 50 machines if you are a recognized Ubuntu Community Member) for the first 3 months | 7-day supported trial for enterprise clients |
| Type of patching | Temporary | Persistent |
| Cost of live patching | Included as part of all Ubuntu Advantage for Infrastructure support packages ($225-$1,500/machine/year on physical servers, $75-$500/machine/year on VMs) | From $3.95 per month per server (under $50 per year, per system). Different add-ons can be included in the subscription. Bulk pricing is available. |

Transitioning from Canonical Livepatch to KernelCare

If you’re already using Livepatch, you can effortlessly switch to KernelCare, bringing all your Linux distributions under a single live patching remit. Installing KernelCare is simple: all you need to do is run a short script on the command line – no more difficult than enabling Canonical Livepatch.

Just like the Livepatch tool, KernelCare simply runs in the background, never disrupting your operation. Thanks to KernelCare’s persistent patching methodology, that single script is all you need to virtually eliminate patching-related restarts – unlike the Livepatch service on Ubuntu, which requires occasional restarts.

Conclusion

If you’re just running Ubuntu systems, it really comes down to cost and your ability to accommodate ongoing reboot-related disruptions to integrate critical kernel patches. Only use Ubuntu, and need to subscribe to Ubuntu Advantage anyway? Then yes, Livepatch kernel live patching may be a sensible option – depending on how disruptive the Livepatch temporary patching regime is.

On the other hand, if you don’t need all the frills of an Ubuntu Advantage subscription, then using KernelCare could mean significant savings. Rely on a variety of Linux distributions – and not just Ubuntu? Livepatch won’t cover your non-Ubuntu machines and you can’t force Livepatch to work on RHEL, for example. You should also consider KernelCare if the Livepatch requirements for occasional restarts cause problems with your workloads and if you need to reduce downtime.
