Live Patching Linux On AWS EC2

Published: Jun 19, 2020 4:07:36 PM / Last update: Jun 19, 2020 / by KernelCare Team

Live Patching Linux On AWS EC2 blog image

CloudLinux is an Amazon Web Services (AWS) Advanced Technology Partner, and our live patching system, KernelCare, is currently being used to patch AWS Elastic Compute Cloud (EC2) systems.

How does KernelCare patch Linux kernels on AWS EC2 servers? Read on to find out. 

EC2: A Unique Environment

 

Amazon uses its own Graviton2 ARM64 processors on many of its EC2 instance types. It does this because these chips, custom-built by AWS using 64-bit ARM Neoverse cores, offer more flexibility, versatility, and better performance. 

 

These new generation processors power Amazon EC2, M6g, C6g, and R6g instances. Compared to its first-generation Graviton chips, they deliver even better performance. They contain four times as many cores, memory that’s five times faster, and caches that are twice as large, all of which enable them to be seven times faster. 

 

Whether the OS is Amazon Linux 2, Ubuntu, RHEL, CentOS, Fedora, Debian, or others Amazon EC2 instances use the Graviton2 processors. In these instances, the chips power a wide variety of workloads that include application servers, micro-services, high-performance computing, electronic design automation, open-source databases, and in-memory caches.

 

Within EC2, the Graviton2 processors also power video encoding workloads, hardware acceleration for compression workloads, and support for CPU-based machine learning inference.

 

KernelCare In EC2

 

Does KernelCare do anything differently to patch kernels on EC2 servers with Graviton2 processors? No, because it doesn’t have to. Last year, the KernelCare team successfully created a proof-of-concept for live patching systems powered by ARM processors, and today KernelCare works the same way with any server that uses an ARM processor. 

 

From Raspberry Pi to IoT devices and edge gateways, to enterprise servers any device with an ARM chip can have its Linux kernel patched by KernelCare. This includes Amazon EC2 instances, on which KernelCare functions in its usual way, delivering security patches through its three components: 

 

  1. Patch Server
    A patch server stores patches for each kernel version. It can be accessed directly, or through a firewall. It can be a dedicated cloud server, or one that runs in-house.

  2. Agent Program
    A small agent program installed on the device or instance to be patched periodically checks the patch server for new patches at specified intervals.

  3. Kernel Module
    When instructed by the agent, a kernel module handles the patching, pausing and restarting the kernel’s processes to perform the patch in memory.

Patching-Process-Diagram (1)

KernelCare patches are custom-built for each supported kernel version, and distributed as atomic binary packages. Each is GPG-key signed for security.

 

Unlike with traditional update tools, such as yum and apt-get, KernelCare patches the Linux kernel as a binary in memory. There’s no need to stop or restart the device or refresh instances. 

 

During the live patching process, changes happen so quickly that users and applications can’t detect them being made. From the perspective of a user or server, the kernel never stops. 

Watch this video to see how live patching works on AWS EC2.

 

Graviton2 Demo

 

Using EC2? Contact Us

 

To sum up, KernelCare works seamlessly on AWS EC2 servers. If your organization is running an EC2 instance, KernelCare provides an effective way to keep its server kernels updated and secure. 

 

To talk with a consultant about how to get started with KernelCare on EC2, contact the KernelCare team at sales@kernelcare.com. With our 30-day free trial, you can evaluate it free of charge, and we offer assistance with installation as well. 


More content from KernelCare and AWS

  1. Webinar recording: Live Patching Linux Kernel Vulnerabilities in Scalable Hosting Environments
  2. KernelCare is available for purchase on AWS Marketplace
  3. KernelCare is the Advanced Technology Partner at AWS for Live Patching

Topics: AWS KernelCare

KernelCare Team

Written by KernelCare Team

    cover for blog

    Download Whitepaper

    Subscribe to Email Updates

    Recent Posts