How to Apply Linux Kernel Security Patches Manually and Automatically Without a Reboot?


Linux kernel updates arrive regularly, and it is essential to apply kernel security patches promptly to close the kernel vulnerabilities they fix. Install the latest security patches as early as possible: every day a patch is delayed is a day the system stays exposed to the threats it addresses.

Linux systems are widely used for standalone web servers, web applications, and web hosting services. That makes them a major target for attackers who use techniques such as DDoS (distributed denial of service) attacks and remote code execution (RCE). Applying security patches and keeping the system up to date helps the OS withstand such threats. However, most Linux distributions require a reboot to activate a new kernel, and that reboot incurs downtime. This article covers several ways to update the kernel, with and without a reboot.

Update Kernel via Command

Updating the Linux kernel from the command line is straightforward: run the package manager's kernel update command, then reboot the machine so the new kernel is actually loaded.

  1. Run the below command to update the kernel on CentOS, RHEL or another RPM-based distribution.

    sudo yum update kernel
    sudo reboot
  2. Run the below command to update the kernel on Ubuntu.

    sudo apt-get update
    sudo apt-get install --only-upgrade linux-image-generic
    sudo reboot
  3. Update the kernel on Debian using the below command (the metapackage name depends on the architecture; linux-image-amd64 is the 64-bit x86 one).

    sudo apt-get update
    sudo apt-get install --only-upgrade linux-image-amd64
    sudo reboot

As we can see, the commands themselves are easy to run, but one thing you cannot avoid is the server reboot: the running kernel only changes when the machine is restarted. If you are running one of these systems to host a large e-commerce website or a web application, you need to notify your users of the maintenance window and then wait for the server to come back up after the reboot. To avoid that downtime, system administrators sometimes skip kernel updates altogether, and that becomes a serious security concern.
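The gap the paragraph above describes, a newer kernel installed on disk while an older one is still running, is easy to detect and worth monitoring. The following POSIX shell snippet is an added example, not part of the original article; it assumes kernel images live under /boot as vmlinuz-<version> (true on RHEL/CentOS and Debian/Ubuntu) and that GNU sort with -V is available.

```shell
# Added example (not from the original article): report whether a kernel has
# been installed but not yet booted, by comparing the running kernel version
# with the newest kernel image found in /boot.
# Assumptions: images are named /boot/vmlinuz-<version>; `sort -V` exists.

# newest_kernel_version: print the highest version among the given vmlinuz paths.
newest_kernel_version() {
    for path in "$@"; do
        basename "$path"
    done | sed 's/^vmlinuz-//' | sort -V | tail -n 1
}

# reboot_needed RUNNING NEWEST: succeed (exit 0) when NEWEST is strictly newer
# than RUNNING, i.e. the installed update has not been activated yet.
reboot_needed() {
    running="$1"
    newest="$2"
    [ "$running" != "$newest" ] && \
      [ "$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)" = "$newest" ]
}

# check_system: run the check against this host. Prints a one-line verdict and
# returns 0 when a reboot (or a live patch) is still pending.
check_system() {
    newest="$(newest_kernel_version /boot/vmlinuz-*)"
    running="$(uname -r)"
    if reboot_needed "$running" "$newest"; then
        echo "Reboot needed: running $running, newest installed $newest"
        return 0
    fi
    echo "Running kernel $running is the newest installed"
    return 1
}

# Usage on a real host: `check_system`, e.g. from a cron job or monitoring probe.
```

Wiring check_system into a cron job or a monitoring check turns "someone forgot to reboot after yum update kernel" from a silent exposure into an alert; on hosts using one of the live-patching services described later on this page, the check should instead be run against that service's own status output, since those leave the on-disk kernel version unchanged.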

Update with kexec for Quick reboots

Kexec offers a much quicker reboot. It loads the new kernel directly from the running one, skipping the boot loader and the firmware and hardware initialization, which shortens the reboot time considerably.

CentOS/RHEL:

  1. First, install the kexec tools by running the below command.

    sudo yum install kexec-tools
  2. Install a new kernel, or pick one that is already installed.

    sudo yum update kernel

    or list the installed kernels and choose one:

    sudo rpm -qa kernel
    kernel-3.10.0-514.26.1.el7.x86_64
    kernel-3.10.0-1127.el7.centos.plus.x86_64

  3. Load the chosen kernel with kexec, then flush disk caches, unmount what can be unmounted and execute it.

    sudo kexec -l /boot/vmlinuz-3.10.0-1127.el7.centos.plus.x86_64 \
        --initrd=/boot/initramfs-3.10.0-1127.el7.centos.plus.x86_64.img \
        --reuse-cmdline
    sudo sync; sudo umount -a; sudo kexec -e

    The umount -a step will report that busy file systems such as / cannot be unmounted; that is expected. The final kexec -e jumps into the loaded kernel immediately.

Ubuntu/Debian:

  1. Install the kexec tools by running the below command.

    sudo apt-get install kexec-tools

    After running the command, you will get a confirmation screen asking whether reboot should use kexec-tools.

  2. Be sure before enabling this: unlike the regular reboot command, kexec-tools does not terminate processes, sync caches or unmount file systems before jumping into the new kernel, so it can cause data corruption or data loss.

Update kernel without a reboot

It is possible to update the kernel without a reboot, which is valuable for systems that must stay highly available. Several Linux distribution vendors offer live kernel patching that applies fixes without a reboot.

Red Hat Kpatch 

Red Hat offers its own kernel patching tool, Kpatch, for Fedora, CentOS, and Debian-based systems like Ubuntu.

  1. Run the below commands to deploy Kpatch on RHEL 7 (replace X.X.X with the version of the patch package you downloaded).

    sudo yum install kpatch
    sudo yum install kpatch-patch-X.X.X.el7.x86_64.rpm

However, this is not an automatic patch installation. You need to check for each kernel patch yourself when it becomes available.


CloudLinux KernelCare 

KernelCare offers a live Linux kernel patching service for RHEL, CentOS, Oracle Linux, Debian, Ubuntu and others. It also supports older versions like RHEL 6.

  1. Run the below commands to install KernelCare (the installer is fetched from the KernelCare website and piped to bash; review it before running it with root privileges).

    wget -qq -O - https://kernelcare.com/installer | bash
    sudo /usr/bin/kcarectl --register <your key>

As it is an 'install and forget' solution, KernelCare downloads and applies new kernel security patches automatically without a reboot.

KernelCare also offers more complex security patches for vulnerabilities like Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754). It also supports rebootless rollbacks, fixed-date patches, delayed patches, etc. CloudLinux KernelCare is not free: it offers a 7-day free trial, after which it is a paid service.


Oracle Ksplice

Ksplice is a paid service for updating the kernel without a reboot.

  1. Run the below commands to install Ksplice.

    sudo wget -N https://ksplice.oracle.com/uptrack/install-uptrack-oc
    sudo sh install-uptrack-oc --autoinstall

With Ksplice, you only need to run the install script once; after that, Uptrack takes over and automatically deploys the latest kernel patches without downtime.


Canonical Livepatch Service 

This is Canonical's technology for (guess what?) live-patching kernels. (Canonical is the company behind the popular Ubuntu Linux distribution.) You can even create your own patches, although that is difficult, time-consuming work. (Some vendors will build an Ubuntu upgrade kernel for you, for a fee.)

The commands below apply to Ubuntu 16.04 and later, and to RHEL 7.x (beta).

Run the below commands to deploy live patching, replacing [TOKEN] with the token from your Canonical account.

    sudo snap install canonical-livepatch
    sudo canonical-livepatch enable [TOKEN]

Canonical Livepatch is free for up to 3 Ubuntu machines. To obtain a token, sign up on the Canonical Livepatch website.

