
How to Apply Linux Kernel Security Patches, Manually and Automatically without Reboot?

The Linux kernel receives frequent updates, and applying its security patches regularly is essential to close kernel vulnerabilities.

Install the latest security patches as early as possible; delaying the installation puts your system at risk.

Linux systems are used for standalone web servers, applications, and hosting services, which makes them a primary target for attackers using DDoS (distributed denial-of-service) attacks, RCE (remote code execution), etc. Applying security patches and keeping the system up to date helps harden the OS against such threats.

However, most Linux distributions require a reboot to update the kernel, which incurs downtime. Therefore, we will also look at different ways to update the kernel.

Update Kernel via Command
Updating the Linux kernel via the command line is relatively easy. You just run the kernel update command and reboot the machine.

1. Run the commands given below to update the kernel on CentOS, RHEL, or other RPM-based distributions.

sudo yum update kernel

sudo reboot

2. Run the commands given below to update the kernel on Ubuntu –

sudo apt-get update

sudo apt-get install linux-image-generic

sudo reboot

3. Update the kernel on Debian using these commands (the kernel metapackage is named after the architecture; linux-image-amd64 is the one for 64-bit x86) –

sudo apt-get update

sudo apt-get install linux-image-amd64

sudo reboot

As we can see, the commands above are easy to run, but one thing you can't avoid is the server reboot!

A reboot is required to complete the kernel update.

If you run these operating systems to host a large e-commerce website or a web application, you need to notify your users about the maintenance. After the reboot, you also have to wait for the server to come back up. To avoid such downtime, system admins sometimes skip kernel updates, which becomes a serious security concern.

Update with kexec for Quick reboots
Kexec offers a quick reboot option; it skips the boot loader and hardware initialization stages to shorten the reboot time.

CentOS/RHEL

1. First, install the kexec tools by running this command –

sudo yum install kexec-tools

2. Install a new kernel, or list the kernels that are already installed.

sudo yum update kernel

or

sudo rpm -qa kernel

kernel-3.10.0-514.26.1.el7.x86_64

kernel-3.10.0-1127.el7.centos.plus.x86_64

3. Then, load the chosen version and boot from it.

sudo kexec -l /boot/vmlinuz-3.10.0-1127.el7.centos.plus.x86_64 \
--initrd=/boot/initramfs-3.10.0-1127.el7.centos.plus.x86_64.img \
--reuse-cmdline

sudo sync; sudo umount -a; sudo kexec -e

4. Run the command given below to boot into the loaded kernel –

sudo kexec -e
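
A check for the state these steps leave the server in, as an added example that is not part of the original article: after `yum update kernel`, the patched kernel is on disk while the old one keeps running until a reboot or kexec. The function names are hypothetical, and the script assumes an RPM-based system where `rpm -qa kernel` and `uname -r` share the same version string; without rpm it falls back to the package list from step 2.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of kexec-tools or rpm.

# Read `rpm -qa kernel` output on stdin, strip the "kernel-" prefix and
# print the highest version (the string format that `uname -r` reports).
newest_installed_kernel() {
    sed -n 's/^kernel-//p' | sort -V | tail -n 1
}

# True (0) when the running kernel ($1) is not the newest installed one
# ($2): the fix is on disk but not yet in memory.
reboot_pending() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# Print the kexec load command for version $1, refusing when the kernel
# image or initramfs is missing under the boot directory $2 (default /boot).
kexec_load_cmd() {
    ver=$1
    boot=${2:-/boot}
    for f in "$boot/vmlinuz-$ver" "$boot/initramfs-$ver.img"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    printf 'kexec -l %s --initrd=%s --reuse-cmdline\n' \
        "$boot/vmlinuz-$ver" "$boot/initramfs-$ver.img"
}

# Constructed sample input: the package list shown in step 2.
SAMPLE_RPM_OUTPUT='kernel-3.10.0-514.26.1.el7.x86_64
kernel-3.10.0-1127.el7.centos.plus.x86_64'

main() {
    if command -v rpm >/dev/null 2>&1; then
        newest=$(rpm -qa kernel | newest_installed_kernel)
    else
        newest=$(printf '%s\n' "$SAMPLE_RPM_OUTPUT" | newest_installed_kernel)
    fi
    running=$(uname -r)
    if reboot_pending "$running" "$newest"; then
        echo "running $running, newest installed $newest: update not active yet"
        kexec_load_cmd "$newest" || echo "kernel files not found, not loading" >&2
    else
        echo "no installed kernel differs from running $running"
    fi
}

main
```

The script only prints the load command; running it, and the sync, unmount and `kexec -e` that follow, stays a deliberate manual step.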

Ubuntu/Debian:

1. Install the kexec tools by running this command –

sudo apt-get install kexec-tools

2. After running the command, you will get the screen shown below, asking you to confirm whether reboots should be handled by kexec-tools.

3. Before confirming, be sure of your choice: kexec does not go through the reboot command's steps of killing the processes, syncing caches, or unmounting the file systems, so it can cause data corruption or data loss.

Update kernel without a reboot
It is possible to update the kernel without a reboot. This is helpful for systems that must stay highly available. In addition, many Linux distribution vendors offer kernel updates without performing a reboot.

Red Hat Kpatch
Red Hat offers its kernel patching tool for Fedora, CentOS, and Debian-based systems like Ubuntu.

  1. Run the command given below to deploy Kpatch on RHEL7 – 

sudo yum install kpatch

sudo yum install kpatch-patch-X.X.X.el7.x86_64.rpm

However, kpatch does not install patches automatically. You need to check for each kernel patch as it becomes available.

CloudLinux KernelCare 
KernelCare offers live Linux kernel patching services for RHEL, CentOS, Oracle, Debian, Ubuntu Linux, etc. It also supports older versions like RHEL 6.

  1. Run the commands given below to install KernelCare.

wget -qq -O - https://kernelcare.com/installer | bash

sudo /usr/bin/kcarectl --register <your key>

As an 'install and forget' solution, KernelCare downloads and applies new kernel security patches automatically without a reboot.

KernelCare also offers more complex security patches for vulnerabilities like Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754). It also supports reboot-less rollbacks, fixed-date patches, delayed patches, etc. CloudLinux KernelCare is not free; it offers a 7-day free trial, after which it is a paid service.

Oracle Ksplice
Ksplice is a paid service for updating the kernel without a reboot.

  1. Run these commands to install Ksplice –

sudo wget -N https://ksplice.oracle.com/uptrack/install-uptrack-oc

sudo sh install-uptrack-oc --autoinstall

2. With Ksplice, you need to run the install script only once (for a lifetime). After that, Uptrack takes care of deploying the latest kernel updates automatically, without downtime.

Canonical Live Patch Service 
Canonical is the company behind the popular Ubuntu Linux distribution, and Livepatch is Canonical's technology for live-patching kernels.

You can even create your own patches, although it can be difficult, time-consuming work. (Some vendors will create an Ubuntu upgrade kernel for a fee.)

The commands given below apply to Ubuntu 16.04 and later versions, as well as RHEL 7.x (beta); run them to deploy live patching.

sudo snap install canonical-livepatch

sudo canonical-livepatch enable [TOKEN]

Canonical Livepatch offers free service for up to 3 Ubuntu distributions. 

Looking to sign up for the token?
Click here to sign up.

 

