Within any IT organization, there exist processes so routine and well-established that they become practically a given—with little concern for whether such processes and practices could be improved upon. Time is money, and it’s difficult to teach an old dog new tricks, especially if the dog doesn’t see any pressing reason to change its ways—or any risks involved with deciding not to.
When it comes to kernel patching, it seems that the current widespread philosophy is “if it ain't broke, don't fix it”. A background activity carried out by SysAdmins without much thought, kernel patching generally isn’t even on the radar of those responsible for organizational security and compliance. However, this is a potentially ruinous oversight, as the current standard approach to kernel patching exposes servers to malicious intent by threat actors on multiple attack vectors.
Typical waiting periods between reboot cycles—when known vulnerabilities have not yet been patched—leave IT organizations extremely vulnerable to major security issues for a period of time. For this reason, anyone tasked with protecting their organization’s privacy and security should be seeking a better way. It’s time for this old dog to finally learn a new trick or two—and the first step is to make the transition to updating the Linux kernel with live patching technology.
- What is Linux kernel update (and Why Does it Matter)?
- The History of Linux kernel patching
- What is the difference between update and upgrade in Linux?
- How often is Linux updated?
- Does Linux update automatically?
- When should I update my Linux kernel?
- Case: Does Ubuntu automatically update the kernel?
- How do I update Ubuntu/other distros?
- Linux Kernel Security Updates Without Reboots
- Live Patching Tools Overview
What is Linux kernel update (and Why Does it Matter)?
If a Linux operating system (OS) is a solar system, the Linux kernel is the sun.
The main component and the core of a Linux OS, the Linux kernel acts as a kind of mediator between the computer’s hardware and its software applications. Every Linux OS has a kernel, which controls all major functions of the hardware—whether it be an industrial device, a phone, a server, etc.
If it hasn’t been made clear yet, the Linux kernel is particularly important because it is the foundation on which all the different types of Linux operate. Its name is no accident—the kernel is like a seed, the source from which everything else develops and functions.
With continual technological advancements and system changes, developers create updates to the Linux kernel that allow for increased functionality and processing speed. Good things, right? Yes, but there’s a “but.” These updates are necessary, but with software constantly changing in complex and nuanced ways, every update opens your system up to the risk of malicious, unauthorized users gaining access. Patching is the security solution to this problem, but with a wide window of vulnerability, prevailing patching procedures (try saying that three times fast) do not offer sufficient risk mitigation.
The History of Linux kernel patching
Linux is the standard in the world of enterprise IT, with the majority of existing websites running on its operating system. Over the course of its nearly thirty years of existence, Linux has come to be known as an extremely stable OS; however, no system so complex and large-scale—one that runs on a kernel containing over 20,000,000 lines of code, all of it susceptible to human error—is completely bug-free. This means that, for all its stability, Linux is still vulnerable to the threat of cyber-attacks and security breaches.
As an open-source OS (meaning the public has the ability to access and modify the source code), Linux’s kernel vulnerabilities become public almost immediately—which means that time is of the essence when it comes to patching these weak spots before they are exploited. The appeal to hackers is this: a single Linux server will often host hundreds of websites, which means that one hacked site can open the door to all of the other sites housed on the server. And to that, we say: Yikes.
As such, Linux vendors are constantly trying to create patch updates to combat these vulnerabilities, but most of these “solutions” end up being flawed quick fixes akin to putting a bandaid on a gunshot wound—sure, it may help the bleeding a bit, but it isn’t going to do much to solve the deeper issue. The bugs keep coming, bringing with them more vulnerabilities, leading to more patch updates needing to be built, and the cycle continues forever and ever.
The 17-year gap between Linux’s creation and the introduction of alternatives is a large contributing factor to the fact that today, 99% of organizations continue to patch using an outdated and inconvenient method that carries risks of its own: a complete server reboot. SysAdmins are (understandably) not so hot on the idea of rebooting until they absolutely have to, so the server is shut down and restarted only once enough bugs have built up that they can’t possibly be ignored any longer—which means that windows of vulnerability are often very wide.
What is the difference between update and upgrade in Linux?
To keep your Linux OS running at top quality, both updates and upgrades will be rolled out at varying frequencies.
An upgrade is the newest version of the software. Upgrades are less frequent than updates and are generally marked by major improvements, new features, increased functionality and other noticeable changes to the software. Typically, given the drastic changes and increased performance, OS upgrades will have to be purchased.
Software updates are patches—and act as an enhanced version of the system that you’re already using. Generally, an update will address specific bugs or kinks that may have caused issues or user frustration in the previous version. Updates happen much more frequently than upgrades, and generally are more focused on small tweaks to improve user experience or security, rather than any kind of major software overhaul.
How often is Linux updated?
Regular, scheduled Linux kernel updates are necessary for the sake of widespread organizational security as well as compliance with existing service level agreement (SLA) contracts. Many such SLA contracts will contain clauses detailing the maximum allowable unpatched time period. The standard best practice to maintain compliance and ensure security is to perform kernel updates at least once a month.
Systems like KernelCare take the uncertainty (and risk of human error) out of this process—ensuring that your Linux servers are always functioning in line with industry best-practices and contractual agreements.
Does Linux update automatically?
Not really. Linux cannot self-update like some other operating systems can. However, you can automatically update Linux applications and kernels yourself by combining a scheduling program with your platform's package manager. Some Linux vendors have created packages that do unattended updating for you—which may change the answer to this question to, in practice, “kinda”?
Linux’s unique origin and evolution set it apart from other OSes. Expanding quickly through community effort and offering itself up as a relatively cheap hosting platform, Linux gained popularity fast among legitimate users and nefarious hackers alike. This is why we can’t have nice things!
For all of its developments, Linux still doesn’t have an integrated, self-updating software management tool. There are some ways to automatically update through the integration of other programs, but these all require reboots. While there are reboot-less solutions for the automatic update of applications, an update of the kernel itself pretty much always requires a reboot.
We know this to be true: Security improves when Linux updates become automated.
As we said in the short answer, you can automatically update Linux applications and kernels yourself by combining a scheduling program, like cron, with your platform's package manager, such as yum, apt, or dnf, and some Linux vendors have even done this for you by creating packages that do unattended updating…
But these updates don't mean you can install kernel updates without rebooting, and that is where we run into the security loopholes touched on above.
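The gap just described is measurable on every host: the package manager has installed a new kernel, but the machine is still running the old one until someone reboots. The following POSIX shell check is an added example (not code from the original post or from KernelCare) that compares the running kernel version with the newest installed one and reports whether a reboot is pending; the version strings are constructed samples, and the dpkg/rpm/uname commands in the comments are the usual sources for those inputs on real hosts.

```shell
#!/bin/sh
# Added example: report whether the kernel a host is running is older than
# the newest kernel the package manager has installed, i.e. whether an
# unattended kernel update is sitting idle waiting for a reboot.
# Assumes version strings like "5.4.0-150-generic" that sort -V can order.

# newest_kernel LIST: print the highest version from a newline-separated list.
newest_kernel() {
    printf '%s\n' "$1" | sed '/^$/d' | sort -V | tail -n 1
}

# reboot_pending RUNNING LIST: exit 0 when the newest installed kernel is
# newer than the running one, 1 otherwise (including an empty list).
reboot_pending() {
    running=$1
    newest=$(newest_kernel "$2")
    [ -n "$newest" ] || return 1
    [ "$newest" != "$running" ] || return 1
    # If the running kernel sorts before the newest installed one, the
    # installed kernel is newer and has not been booted yet.
    first=$(printf '%s\n%s\n' "$running" "$newest" | sort -V | head -n 1)
    [ "$first" = "$running" ]
}

# Constructed sample: two installed kernels, host still running the older one.
INSTALLED_SAMPLE="5.4.0-148-generic
5.4.0-150-generic"
RUNNING_SAMPLE="5.4.0-148-generic"

# On a real Debian/Ubuntu host the list would come from:
#   dpkg-query -W -f='${Package}\n' 'linux-image-[0-9]*' | sed 's/^linux-image-//'
# on RHEL-family hosts from:
#   rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n'
# and the running kernel from: uname -r
if reboot_pending "$RUNNING_SAMPLE" "$INSTALLED_SAMPLE"; then
    echo "reboot pending: running $RUNNING_SAMPLE, newest installed $(newest_kernel "$INSTALLED_SAMPLE")"
else
    echo "running kernel is the newest installed"
fi
```

Run from cron alongside the unattended update job, a non-zero "reboot pending" result is the signal that a patched kernel exists on disk but the vulnerable one is still what the server executes.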
Later, we’ll get into the solution to this seemingly ever-present issue: live patching. Live patching fills the gap in auto-updating strategies—which is why it should be considered an essential part of your Linux server security strategy, not just a convenient one.
Related read: Why you should automate Linux kernel updates
When should I update my Linux kernel?
There are several bad reasons to update your Linux kernel, but among them stands one good reason: security.
Continuing to run a kernel after vulnerabilities have been identified in it leaves the door open for hackers to get into your system and do some serious damage, and it can also put you out of compliance with contract agreements and general best practices.
It’s clear that keeping your system secure is important. If your job is to keep your organization secure and compliant, then your top priority should be ensuring that you never have to reboot your servers to stay patched. Luckily, this can be accomplished without upgrading the whole kernel and without rebooting—with the help of live kernel patch services such as KernelCare or Ksplice.
Does Ubuntu automatically update the kernel?
For most users, upgrading the kernel in Ubuntu is pretty straightforward: most systems will prompt you when the upgrade is ready. But if you’re looking for a custom kernel, or want to override the automatic process, this guide provides a good foundation for doing so:
How do I update Ubuntu/other distros?
Our article on avoiding server reboots details three of the most popular ways to update Linux kernels without rebooting:
- on the command line
- with kexec
- with rebootless live kernel patching tools: Oracle Ksplice Uptrack, Canonical Livepatch, Red Hat's Kpatch, SUSE Kgraft (SLE Live Patching), and CloudLinux's KernelCare
Updating without Reboots
Updating Linux kernels is—to put it kindly—an undertaking, and a rather tedious one at that. Likening it to the slow and unbearable torture of being buried alive may ring as overdramatic, but only slightly so.
With new vulnerabilities popping up like it’s a game of whack-a-mole, the never-ending list of patches needing to fix them following behind, and the persistent risk of a system breach, the business of keeping your Linux kernel secure can be… taxing, to say the least. Throw in inconvenient and risky reboots and you’ve got a pretty solid recipe for an “I need a drink” kind of day developing.
The good news: there is another way. Rebootless. Live. Kernel. Patching.
Here’s the deal: Rebootless kernel patching is like car insurance. If you’re lucky, you won’t need it. But, in the odd chance you find yourself accidentally backing into someone in a parking lot, you’ll be glad that you have it.
And like insurance, rebootless kernel patching isn’t just a nice-to-have—it is an absolute necessity for anyone who wants to stay safe.
Humblebrag: at KernelCare, we have over 300,000 servers that haven’t needed to reboot in four years. Which translates to less downtime, less disruption to customers (and your bottom line), less risk, and less money spent on administration. Do we need to say more? Probably not, but we’re going to anyway.
Live Patching Tools Overview
If you're running an always-on system (one that you can’t—or simply don’t want to—reboot), “live kernel patching” is about to be your new favorite phrase. There are three types of live patching systems:
- Administered: You do the patching yourself.
- Fully automatic: The system patches for you.
- Fully automatic, advanced multi-platform: The system patches for you AND handles advanced-level threats across all platforms (ahem, KernelCare from CloudLinux, ahem).
Some additional good news: persistent live patching like the kind KernelCare offers enhances system performance—keeping your systems speedy, safe, and protected.
Continue reading: Does Live Kernel Patching Slow Systems Down?
Time and time again, rebootless patching naysayers will tout the same objection to its necessity: “We’ve never been hacked, so clearly we’re fine!”
Let’s say we offered you a fruit that lowers your risk of heart disease by 99%. Would your response be “Well, I’ve never had heart disease before, so I don’t really see the need”? ... We doubt it.
Yes, it is true that kernel vulnerabilities with the potential to allow for serious hacks are rare—you might only experience a couple each year.
But it’s also true that when they do happen, they are absolutely ruinous. To security, to productivity, to organization reputation and more.
KernelCare is simple, takes five minutes to install, and then works quietly in the background without anyone having to even think about it. Most days, you won’t really need it. But on that day when you do, you’re going to be thankful.
Sign up for a 30 day trial to see how you can deliver a better, more secure Linux platform