KernelCare: New no-reboot Linux patching system

One of Linux's advantages has always been that you rarely need to reboot it. Now, a new program, CloudLinux's KernelCare, tries to make rebooting totally unnecessary.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

On a well-maintained Linux system, months can go by without needing to reboot. Sooner or later, however, a security patch to the Linux kernel will require you to reboot your machine. That's not a real problem on a desktop, but when you're talking hundreds of servers it can be a real pain. That's where CloudLinux's new program KernelCare comes in.


CloudLinux, makers of the CentOS-related CloudLinux OS, a Linux distribution for hosting providers, claims that with KernelCare, scheduled outages for security patches on Linux servers are now a thing of the past, giving organizations real-time updates. The program automatically applies Linux server security updates without having to re-boot. This frees technical personnel from the laborious process that takes several minutes for every server, several times a year.

"In our experience, KernelCare has worked perfectly and we love it because we no longer have to suffer through performance issues related to re-booting servers," said Wouter de Vries, founder and CEO of Antagonist, a Dutch Web-hosting provider. "Plus, now we don't have to wait to find a window of opportunity to apply security updates because those are done automatically as soon as they're available."

"This is the equivalent of changing the engine on an airplane while it's flying," said Dan Olds, principal analyst, Gabriel Consulting Group, in a statement. "I think this will be viewed as a no-brainer purchase when you consider the cost of less than $50 annually per server for having the protection of kernel security updates without downtime."

Igor Seletskiy, CloudLinux's founder and CEO, added, "Today, system administrators have to re-boot a server to apply the latest kernel security updates, which come out every one to two months. However, because they require a scheduled update (to minimize disruptions from downtime), they are often delayed -- sometimes months or even years -- which means the server is running with known security vulnerabilities. The problem of having to schedule downtime and then update and re-boot servers in a short period of time is that it is a strain on resources for enterprises of every size. KernelCare solves this update and re-boot issue by providing live kernel patching without the need for the re-boot."

KernelCare combines an open-source component, a Linux kernel module, with proprietary software. The proprietary components are distributed in binary-only format under the KernelCare License. CloudLinux may open-source the rest of this code at a future time.

This isn't the only program that lets you make significant changes to the Linux kernel without requiring a reboot. The best known of these is Oracle's Ksplice. This Linux kernel hot-patching module can't be used with all Linux security patches.

A related, far newer program, kpatch, is also meant to enable system administrators to patch a Linux kernel without rebooting or restarting any processes. Its point is to enable "sysadmins to apply critical security patches to the kernel immediately, without having to wait for long-running tasks to complete, users to log off, or scheduled windows reboots." Kpatch, however, is still in active development and it's not ready for production systems.

For today, you can subscribe to Ksplice services for Red Hat Enterprise Linux (RHEL) or Oracle Linux server production uses or try KernelCare. CloudLinux's KernelCare is available via monthly subscription of $3.95 per server. KernelCare is now available for CentOS 6, RHEL 6, CloudLinux OS 6 and OpenVZ (64-bit only). CloudLinux plans to add support for Debian and Ubuntu, as well as CentOS 5, RHEL 5, CloudLinux OS 5 by July 2014. RHEL 7 will be supported once it is out of beta.
