Quick Links

Applying critical security updates is important to keeping your Linux server safe from potential attackers, but it can cause downtime, which isn't good either. Live kernel patching can apply important kernel updates without taking your server offline.

What Is Live Kernel Patching?

Before live kernel patching, system administrators needed to choose between keeping their server on or applying security updates. This is obviously not ideal, so in 2008 Jeff Arnold at MIT created KSplice, a tool that could apply updates by taking a binary diff and applying patches to the running kernel in memory.

KSplice, a tool that applies updates by taking a binary diff and applying patches to the running kernel in memory.

This requires writing a custom patch for each update, so it's only reserved for critical security vulnerabilities that need quick fixes, not regular everyday updates. But, when the need arises, this simple solution offers a way to apply those fixes without affecting server uptime.

In reality, live kernel patching is a bit less useful than it may seem. If you care about server uptime, you're likely also wanting to meet some sort of SLA or have a critical service to keep running. In a high-availability network, any single server should theoretically be able to spontaneously combust without affecting the uptime of the application. Ideally, you should have two or more servers behind load balancers, and if you have more than one server, they can be updated one at a time without greatly affecting service availability, though you might be at 50% load capacity for a short while.

With that considered, live kernel patching is usually done automatically once a new patch is available. By turning live patching on, your system should stay up to date automatically, and you won't have to have someone orchestrate a rolling server update with potential downtime. This is a huge upside for most system administrators.

Downsides of Live Patching

Live kernel patching is still pretty complicated to do---patches must be written by experts, for each system, and it's only reserved for important security patches. Even then, it's not guaranteed not to crash your system. Ubuntu manages this risk by rolling the patches out slowly to a few users at a time, while monitoring for crashes.

Live kernel patching also can't do everything---it can only be applied to small and specific portions of kernel code, and it can't be used for any major updates that affect multiple components or change data structures.

Who Supports Live Patching?

Unfortunately, the original KSplice program is no longer open source, after being acquired by Oracle in 2011 for integration into Oracle Linux.

With KSplice going closed source, many other companies in the Linux server space developed their own version. With patches needing to be custom written and tested per system, it makes maintaining a single open-source "Live Kernel Patcher" very hard.

Most companies offer it as a paid service. KernelCare is the closest thing to a general purpose solution, and supports most distributions with a paid subscription. Amazon Linux 2 is one of the very few that offers it for free. RHEL has kpatch. Oracle Linux still uses ksplice.

Ubuntu has Canonical Livepatch. It's free for up to three machines, after which you'll need an Ubuntu Advantage subscription for each machine.