Live Patching the Linux Kernel

Mike Schroll
Mike Schroll’s Blog
2 min read · Apr 10, 2017

I recently came across Tier.net offering KernelCare as an option when you purchase a dedicated server. As a result, I looked into the landscape of live kernel patching (upgrading the kernel without reboot); and here’s what I learned.

A few years ago efforts were made to integrate and merge a number of different projects into the upstream kernel. As of the 4.x (and specifically 4.4) kernel version, there is now code to perform live kernel patching. But it’s not used by every solution.
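As an added example (not from the original post), here is a small POSIX shell audit that checks whether the running kernel was built with that upstream livepatch code (CONFIG_LIVEPATCH) and lists what is actually applied under /sys/kernel/livepatch. Only solutions built on the upstream interface, such as Canonical Livepatch, show up there; Ksplice and KernelCare load their own patching modules and will not. The path arguments default to the live system but are parameters so the functions can be exercised against a constructed directory tree; the `transition` file only exists on 4.12 and later kernels.

```shell
#!/bin/sh
# Added example: audit upstream livepatch support and applied patches.
# Paths default to the real system but are parameters for offline testing.

# Return 0 if the kernel config at $1 (default /boot/config-$(uname -r))
# has CONFIG_LIVEPATCH=y. Falls back to /proc/config.gz; returns 2 if
# neither is readable.
has_livepatch_config() {
    cfg=${1:-/boot/config-$(uname -r)}
    if [ -r "$cfg" ]; then
        grep -q '^CONFIG_LIVEPATCH=y$' "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_LIVEPATCH=y$'
    else
        return 2
    fi
}

# Print one line per patch module under $1 (default /sys/kernel/livepatch):
#   "<name> enabled=<0|1|-> transition=<0|1|->"
# A patch that is present but enabled=0, or still in transition=1, is not
# yet protecting every task in the running kernel.
list_livepatches() {
    root=${1:-/sys/kernel/livepatch}
    [ -d "$root" ] || { echo "no livepatch sysfs at $root" >&2; return 1; }
    for p in "$root"/*/; do
        [ -d "$p" ] || continue
        name=$(basename "$p")
        en=$(cat "$p/enabled" 2>/dev/null || echo '-')
        # transition appeared with the consistency model in 4.12; '-' on older kernels
        tr=$(cat "$p/transition" 2>/dev/null || echo '-')
        echo "$name enabled=$en transition=$tr"
    done
}

# Count patches that are fully applied: enabled and not mid-transition.
# awk always exits 0, so an empty result is reported as 0, not as an error.
count_active_livepatches() {
    list_livepatches "$1" | awk '/enabled=1 transition=[0-]/ { n++ } END { print n + 0 }'
}
```

Run `has_livepatch_config && list_livepatches` on a 4.4+ host to see what the upstream interface reports; a kernel without CONFIG_LIVEPATCH will have no /sys/kernel/livepatch at all.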

Players:
* KernelCare (CloudLinux)
* Ksplice (acquired by Oracle)
* Canonical (Ubuntu) Livepatch
* SuSE Live Patching

Canonical publishes a nice summary of their product offering, and the marketplace, which I’ll use as a reference point.

Also big thanks to Alex Yevelev, VP of Sales at CloudLinux for contributing to this discussion.

First, let's start with support for distributions. Canonical supports only the generic kernel branch of 16.04 LTS. SuSE only supports their Enterprise Server 12, and charges $1,499/yr/server. Canonical provides your first 3 free, then charges $150/yr/server.

Ksplice has slightly broader support: Oracle Linux, Red Hat Enterprise Linux, Ubuntu Desktop and Fedora Desktop. The last two are free, and support a wider array:
* Fedora 24
* Fedora 25
* Ubuntu 12.04 LTS Precise
* Ubuntu 14.04 LTS Trusty
* Ubuntu 16.04 Xenial
* Ubuntu 16.10 Yakkety
* Ubuntu 17.04 Zesty (though at the time I wrote this, it 404s)

It appears as though for a commercial, supported version of Ksplice, you have to pay $2299/yr/server.

Finally, you have KernelCare.

They have the most reasonable pricing (after free), and support the largest number of distributions and kernels. I won't go into everything, but it's listed on their site; depending on volume, and on whether you buy direct or through a reseller, it appears to cost only a few dollars per month per server (less than half the price of the next-cheapest, Canonical).

Here’s an in-depth dive into one of the technologies, kpatch:

Now, for those on a budget, dealing with VMs, etc.: it does appear as though there's a work-around to use the 'free' Ksplice version on a server (this likely violates terms, licenses, etc.).
It seems that on a server you can try to install the Desktop ksplice; it will fail due to a missing libgtk2-perl library. Install that, then do apt-get -f install to try to install dependencies again. It will have enough to complete the install of ksplice (ksplice-uptrack), enough to issue you an access key token for your machine, which can now be found in /etc/uptrack/uptrack.conf.

Then apt-get remove ksplice-uptrack, and follow the instructions here to install the non-graphical uptrack. It will use the same config, with access key, and not require a GUI interface. Obviously you’re without support, and I can’t speak to whether the Ubuntu Desktop kernels match the Server Kernels, whether ksplice keeps them up to date, or how well it works.

I myself am sticking to a combination of KernelCare and Canonical for my server needs.

CTO & Co-Founder of DNSFilter — built from Myrtle Beach, SC