KernelCare: New no-reboot Linux patching system

Summary: One of Linux's advantages has always been that you rarely need to reboot it. Now, a new program, CloudLinux's KernelCare, tries to make rebooting totally unnecessary.


On a well-maintained Linux system, months can go by without needing to reboot. Sooner or later, however, a security patch to the Linux kernel will require you to reboot your machine. That's not a real problem on a desktop, but when you're talking hundreds of servers it can be a real pain. That's where CloudLinux's new program KernelCare comes in.


CloudLinux, makers of the CentOS-related CloudLinux OS, a Linux distribution for hosting providers, claims that with KernelCare, scheduled outages for security patches on Linux servers are now a thing of the past, giving organizations real-time updates. The program automatically applies Linux server security updates without having to re-boot. This frees technical personnel from the laborious process that takes several minutes for every server, several times a year.

"In our experience, KernelCare has worked perfectly and we love it because we no longer have to suffer through performance issues related to re-booting servers," said Wouter de Vries, founder and CEO of Antagonist, a Dutch Web-hosting provider. “Plus, now we don’t have to wait to find a window of opportunity to apply security updates because those are done automatically as soon as they’re available.”

"This is the equivalent of changing the engine on an airplane while it's flying," said Dan Olds, principal analyst, Gabriel Consulting Group, in a statement. "I think this will be viewed as a no-brainer purchase when you consider the cost of less than $50 annually per server for having the protection of kernel security updates without downtime."

Igor Seletskiy, CloudLinux's founder and CEO, added "Today, system administrators have to re-boot a server to apply the latest kernel security updates, which come out every one to two months. However, because they require a scheduled update (to minimize disruptions from downtime), they are often delayed — sometimes months or even years — which means the server is running with known security vulnerabilities. The problem of having to schedule downtime and then update and re-boot servers in a short period of time is that it is a strain on resources for enterprises of every size. KernelCare solves this update and re-boot issue by providing live kernel patching without the need for the re-boot."

KernelCare is a combination of open-source software (a Linux kernel module) and proprietary software. The proprietary components are distributed in binary-only format under the KernelCare License. CloudLinux may open-source the rest of this code at a future time.

This isn't the only program that lets you make significant changes to the Linux kernel without requiring a reboot. The best known of these is Oracle's Ksplice. This Linux kernel hot-patching module can't be used with all Linux security patches.

A related, far newer program, kpatch, is also meant to enable system administrators to patch a Linux kernel without rebooting or restarting any processes. Its point is to enable "sysadmins to apply critical security patches to the kernel immediately, without having to wait for long-running tasks to complete, users to log off, or scheduled windows reboots." Kpatch, however, is still in active development and it's not ready for production systems.

For today, you can subscribe to Ksplice services for Red Hat Enterprise Linux (RHEL) or Oracle Linux server production uses or try KernelCare. CloudLinux's KernelCare is available via monthly subscription of $3.95 per server. KernelCare is now available for CentOS 6, RHEL 6, CloudLinux OS 6 and OpenVZ (64-bit only). CloudLinux plans to add support for Debian and Ubuntu, as well as CentOS 5, RHEL 5, CloudLinux OS 5 by July 2014. RHEL 7 will be supported once it is out of beta.

Topics: Security, Data Centers, Enterprise Software, Linux, Servers

  • Curious.....

    Was curious about how the software is supposed to work.. Their website is pretty empty as far as technical details go (though they at least make it easy to sign up for their service).

    Not sure how much trust I would put into a company that is claiming to solve an age-old problem that has confounded the brilliant minds of kernel developers for decades but who can't even post screenshots or a useful whitepaper on their own website.
  • Take Note Microsoft

    Sort out your antique patching system.
    Alan Smithie
    • Yes!

      Oh god, yes! Especially when you just want to turn your PC off and get some kip but it decides to do 150 updates for an hour or so from a fresh Windows install.

      And then lots of them fail and you have to do another 20 updates.

      And then you find out there's another 10 new ones after that.
      Ben Bristow
  • No SUSE Server Support

    I find Suse to be my favorite Linux distro due to the tools available. Wish that it was also included.
    • kGraft, under development at SUSE labs?
      Rabid Howler Monkey
  • Ksplice

    A GUI installer is available for several Ubuntu and Fedora Desktop versions:

    Ubuntu Desktop - 14.04 LTS, 13.10, 12.10, 12.04 LTS, 10.04 LTS
    Fedora Desktop - 20, 19
  • uhm, yeah, no

    Installing security updates using a closed binary blob?
  • Keeping Linux the leader in the datacenter

    When I see things like this, I remind myself that I made the right choice when dumping Windows and using GNU/Linux in the datacenter as well as the desktop. Running a server with NO planned downtime is huge. Meanwhile, I have to deal with other datacenters that use Windows and they have to schedule reboots once a month for patching. It requires a good amount of resources to handle this.

    GNU/Linux in itself can run pretty much indefinitely without a reboot unless a kernel change needs to be done which is why GNU/Linux would ever require a reboot. Other than changes to the kernel, GNU/Linux simply doesn't need to be rebooted, ever. No wonder GNU/Linux is the number one choice for pretty much ALL virtual appliances, hypervisors, and other critical services. On the desktop, it provides a stable platform that "just works", period.
    • What took the Linux folk so long?

      Sun provided Solaris Live Upgrade, which supports live kernel patching, in 2001.
      Rabid Howler Monkey
  • Baby OSes require burping (rebooting)

    A real OS should be able to modify itself on the fly!
    I just don't understand the built-in requirement for a "recompile"!
    (BASIC rocks)!