Want to get faster, more affordable, live kernel updates across your enterprise Linux servers? Here’s why you should consider KernelCare Enterprise over Oracle KSplice.
Live patching really matters because it eliminates the need to reboot a running kernel. It minimizes the need for maintenance windows and reduces pressure on IT teams, making it much easier to maintain a watertight patching regime.
It’s no surprise that live patching tools quickly became the best practice for applying security patches to close security vulnerabilities, and there are now a few competing tools available.
Yet many organizations don’t implement live patching because live patching tools commonly cover just a specific part of live patching requirements – and because these tools often come with a hefty sticker price.
That’s the case with KSplice too. While KSplice is an enterprise-grade live patching tool that’s a perfect fit for certain use cases, it has its drawbacks, particularly its high price tag and limited support for Linux distributions.
| | Oracle KSplice | KernelCare Enterprise Live Patching |
|---|---|---|
| Supported distributions | Oracle Linux (Must be an Oracle Linux Premier Support customer using Oracle Linux. There is an exception for legacy KSplice customers.) | Amazon Linux 1 & 2, Debian 7, 8, 9 & 10, CentOS 6, 6 Plus, 7, 7 Plus, Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS & 20.04 LTS, CloudLinux OS 6, 6 Hybrid, 7 & 8, RHEL 6, 7 & 8, OpenVZ & Virtuozzo, Proxmox VE 2.x, 3.x & 4.x, Xen4CentOS 6 & 7, Oracle UEK 3, 4 & 5, Oracle Linux 6, 7 & 8, Yocto, Ubuntu Core |
| Supports kernels older than 3.10 | Yes | Yes |
| User space patching | Yes (OpenSSL & Glibc) | Yes (OpenSSL & Glibc) |
| Custom Patches | No | Yes (contact us for special versions or configurations) |
| QEMU Patching | Yes (KVM & Xen) | Yes |
| 24/7 Support | Yes, online and telephone 24/7 | Yes, online and telephone, 24/7/365 |
| Patchset Distribution | Each patch represented as a separate kernel module | Single patchset for all patches |
| Release Timing | After the patch is released upstream | Before or shortly after upstream distribution |
| 32-bit Support | Yes | As custom request |
| Roll-back Functionality | Yes, rebootless | Yes, rebootless |
| Works Behind a Firewall | Yes | Yes |
| New Client Availability | Only for Oracle Linux Premier Support clients | Yes, and more than 40 distributions supported |
| Discounts / Trial Period | Free 30-day trial, free desktop edition is available | 7-Day supported trial for enterprise clients |
| Type of Patching | Persistent | Persistent |
| Cost of Live Patching | Oracle Linux Premier Subscription – $2299 ($1399) per system per year | From $3.95 per month per server (under $50 per year per system), different add-ons can be included in the subscription, bulk pricing is available |
KSplice Inc. was, alongside KernelCare, one of the pioneers of live Linux kernel patching services. KSplice is short for kernel splicing; the service was created by four MIT students in 2009. Like other live patching solutions for Linux kernels such as Red Hat Enterprise Linux, the original KSplice Uptrack did its magic by swapping in updated kernel code with the latest patches, without the need to restart the entire OS instance to apply the patch.
In 2011, KSplice saw a major change in direction as it was acquired by Oracle, and the company intended to use it alongside its own Unbreakable Linux kernel – a major competitor to the established Red Hat Enterprise Linux. The acquisition had a significant impact on the direction of KSplice Inc., and essentially locked it to Oracle’s Linux distributions, and indeed Oracle’s support pricing.
Fundamentally, as a live patching service and to minimize security vulnerabilities, KSplice is terrific. It has a long, proven history of delivering reliable live Linux kernel patching from the days of KSplice Uptrack. There’s a catch, however. Unless you’re a grandfathered customer from prior to the Oracle acquisition of KSplice, you can only use KSplice to live patch Oracle Linux because it’s the only supported kernel for new customers.
That’s a major concern because Oracle Linux is just one of many commonly used Enterprise Linux distributions. If your workloads are based only on the Oracle Linux kernel, you’ll be fine; but if you use a mix of distributions including CentOS, Debian, and Ubuntu you’ll be better off driving kernel live patching through KernelCare Enterprise – which supports all of these, and many more.
KSplice kernel patching is only available through an Oracle Linux Premier Support subscription. The high subscription price per machine can rule out KSplice for some types of workloads. On the flip side, if your requirements demand that you pay for an Oracle Linux Premier Subscription anyway, well – KSplice is included in that package, though of course your other Linux-based systems won’t be covered.
KernelCare on the other hand offers affordable pricing of under $50 per year per system, which is a fraction of the $1399 p.a. cost of Oracle Linux Premier Support. It is also a one-stop shop for your live patching requirements – you can sign up with one provider to live patch libraries and your database too. KernelCare Enterprise doesn’t tie you into an expensive support contract you don’t need – and you can opt for affordable monthly pricing.
Both KSplice and KernelCare Enterprise provide hardened, enterprise-grade live kernel patching that you can rely on to keep supported Linux distributions consistently patched. Similarly, both KSplice and KernelCare Enterprise are supported by companies with deep-rooted experience in supplying Linux solutions.
There are however a couple of fundamental differences. KernelCare’s reach stretches across the Linux OS landscape, so yes you can get kernel live patching from KernelCare that supports many more Linux distributions including Red Hat Enterprise Linux. KernelCare also supports live patching of other services including databases and libraries, and the support team can deliver custom patches too. Both KernelCare and KSplice Enhanced Client can patch QEMU.
While KSplice delivers each patch as a separate kernel module, KernelCare delivers a single patchset for all patches. This makes it easy to also remove patches live, as it won’t break any inherent dependency among them. What’s more, KernelCare Enterprise also delivers out-of-box integration with a range of patch management and vulnerability assessment tools.
If you’re currently using the KSplice client you can easily transfer to the KernelCare Enterprise solution: just run a script on the system and you’re done. It’s no more challenging than installing Uptrack used to be. KernelCare Enterprise then takes care of live patching of the kernel and indeed many other services on that machine.
Organizations relying exclusively on Oracle Linux for their Enterprise Linux OS needs and who are paying for Premier Support for other reasons can continue to use KSplice, as long as there are no other services e.g. databases in need of live patching.
For others, the broader reach and lower price of KernelCare Enterprise will probably win the argument.
If you’re still unsure, why not give it a try? KernelCare Enterprise is available as a 7-day trial – with the full functionality, and no commitment to buy.