
A server with a properly installed and configured Linux system can run for months without being shut down or restarted. Sooner or later, however, it still has to be done: for example, to install kernel updates. This procedure is often a headache of its own for the system administrator. To reboot, you need to pick a time when user activity is minimal. All users have to be sent warning e-mails in advance. In addition, there is always the risk of an unexpected problem that makes the server downtime drag on.
There are special software solutions that let you install patches and kernel updates without rebooting. The first example to mention is Ksplice - a product of Oracle, distributed under the GPL v.2 license. It supports the following Linux distributions: Oracle Linux, RHEL, Ubuntu (desktop versions only), and Fedora. In general, Ksplice copes with the tasks assigned to it, but it has one drawback: it may not work with all existing security patches.
In early 2014, the developers of Red Hat Enterprise Linux offered their own solution - Kpatch. The product is distributed under the GPL2 license; its source code is posted on GitHub. Unfortunately, today it is in an extremely “raw” state and cannot be recommended for use. For now, the same can be said about kGraft, the solution being developed by the creators of SUSE.
Most recently, our partners at CloudLinux (we have already written about their main product - the operating system of the same name) offered their own tool for installing security patches and critical bug fixes on the fly, without rebooting the server. It is called KernelCare.
CloudLinux developers carefully monitor all information about kernel vulnerabilities. As soon as “weak spots” are detected in any of the supported kernels, they prepare a patch that fixes them. Patches (each of them is built specifically for the kernel of a particular distribution) are placed on distribution servers. The KernelCare agent installed on the client server periodically contacts the distribution servers, then downloads and installs all new patches. All this happens in the background; the server does not need to be restarted.
The first articles and announcements about KernelCare appeared on the Internet in early 2014. Starting this month, the product is distributed on a paid subscription, but anyone can install a test version for free. The test license is valid for 15 days.
The following Linux distributions are currently supported (KernelCare only works with 64-bit OS):
- RedHat 6.x;
- CentOS 6.x;
- CloudLinux 6.x.
Since April of this year, OpenVZ kernels are supported. Support for Debian and Ubuntu is planned by July.
Testing KernelCare
(Testing was performed on CentOS 6.)
Install the KernelCare test version using the following command:
# rpm -i http://patches.kernelcare.com/kernelcare-latest.el6.x86_64.rpm
Immediately after installation, KernelCare automatically downloads and applies the necessary updates. After that, a message is displayed on the console:
Downloading updates
Patch Level 9 applied
Kernel is safe
You can view the list of applied patches using the command:
# /usr/bin/kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 2.6.32-358.23.2.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)) #1 SMP Wed Oct 16 18:37:12 UTC 2013
kpatch-build-time: Mon May 12 23:50:58 2014
kpatch-description: 9
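The fields in this output can be checked by a monitoring job. The following is an added example, not part of the original article or of KernelCare itself: the function name kcare_check and the Nagios-style exit codes are assumptions of the example, and the sample text is shortened from the output shown above.

```shell
#!/bin/sh
# Added example: health check over the `kcarectl --info` fields shown above.
# kcare_check reads the --info text on stdin; $1 is the running kernel
# release (defaults to `uname -r`). Exit codes follow the Nagios convention
# (0 OK, 2 CRITICAL), which is a choice of this example.
kcare_check() {
    running=${1:-$(uname -r)}
    info=$(cat)

    # Extract "key: value" fields; the values may themselves contain colons.
    state=$(printf '%s\n' "$info" | sed -n 's/^kpatch-state:[[:space:]]*//p')
    target=$(printf '%s\n' "$info" | sed -n 's/^kpatch-for:[[:space:]]*//p')
    level=$(printf '%s\n' "$info" | sed -n 's/^kpatch-description:[[:space:]]*//p')

    if [ "$state" != "patch is applied" ]; then
        echo "CRITICAL: no live patch applied (state: ${state:-unknown})"
        return 2
    fi
    # kpatch-for names the kernel build the patch targets; compare it with
    # the kernel that is actually running (trailing space = exact match).
    case "$target" in
        "Linux version $running "*) ;;
        *) echo "CRITICAL: patch is not for running kernel $running"
           return 2 ;;
    esac
    echo "OK: patch level ${level:-?} applied to $running"
    return 0
}

# Constructed sample, shortened from the output shown above.
SAMPLE_INFO='kpatch-state: patch is applied
kpatch-for: Linux version 2.6.32-358.23.2.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) #1 SMP Wed Oct 16 18:37:12 UTC 2013
kpatch-build-time: Mon May 12 23:50:58 2014
kpatch-description: 9'

# Live use on a host with KernelCare installed:
#   /usr/bin/kcarectl --info | kcare_check
printf '%s\n' "$SAMPLE_INFO" | kcare_check 2.6.32-358.23.2.el6.x86_64
```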
For detailed information about everything KernelCare does, you can also use the dmesg command:
# dmesg | grep 'kcare'
kcare: registered device with node 10:57
kcare: allocated 278112 bytes for patch at ffffc900005c4000
kcare: verifying patch ...
kcare: verified successfully
kcare: allocating memory in module space ...
kcare: allocated 278112 bytes at ffffffffa0207000
kcare: 865 relocations to fixup ...
kcare: fixed 865 relocations
kcare: jumping to ffffffffa020d9a0
kcare: registered device with node 10:57
kcare: allocated 278112 bytes for patch at ffffc900005c4000
kcare: verifying patch ...
kcare: verified successfully
kcare: allocating memory in module space ...
kcare: allocated 278112 bytes at ffffffffa0207000
kcare: 865 relocations to fixup ...
kcare: fixed 865 relocations
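These log lines can also be audited automatically. The following is an added example, not part of the original article or of KernelCare: it assumes that a healthy load logs the steps exactly as above, so a "verifying patch" line without "verified successfully", or a "fixed N relocations" count that differs from the announced one, is flagged. The function name kcare_dmesg_audit and the sample variable are hypothetical.

```shell
#!/bin/sh
# Added example: consistency audit of the kcare lines in dmesg output.
# Reads log text on stdin, prints a one-line summary, returns 1 on problems.
kcare_dmesg_audit() {
    awk '
        # Keep only kcare lines and drop any prefix (e.g. a timestamp).
        !sub(/^.*kcare: /, "") { next }
        /^verifying patch/              { pending = 1 }
        /^verified successfully/        { pending = 0; verified++ }
        /^[0-9]+ relocations to fixup/  { want = $1 }
        /^fixed [0-9]+ relocations/ {
            # The fixed count must equal the count announced just before.
            if ($2 == want) loads++; else bad++
            want = ""
        }
        END {
            if (pending) bad++   # verification started but never confirmed
            printf "loads=%d verified=%d problems=%d\n", loads, verified, bad
            exit (bad > 0)
        }'
}

# Constructed sample: one load sequence taken from the output shown above.
SAMPLE_DMESG='kcare: registered device with node 10:57
kcare: verifying patch ...
kcare: verified successfully
kcare: 865 relocations to fixup ...
kcare: fixed 865 relocations
kcare: jumping to ffffffffa020d9a0'

# Live use:  dmesg | kcare_dmesg_audit
printf '%s\n' "$SAMPLE_DMESG" | kcare_dmesg_audit
```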
KernelCare checks for new patches every 4 hours. All patches are downloaded and applied automatically. Automatic updates can be disabled. To do this, open the configuration file /etc/sysconfig/kcare. The file contains a single parameter - AUTO_UPDATE. Change its value from True to False:
AUTO_UPDATE = False
When automatic update is disabled, you can download and apply a new patch using the command:
/usr/bin/kcarectl --update
Updates already downloaded
Patch Level 9 applied
Kernel is safe
All applied changes can be rolled back with the command:
kcarectl --unload
Updates already downloaded
KernelCare protection disabled
Conclusion
KernelCare is a really handy and useful tool. Among its undoubted merits are:
- easy installation and configuration;
- fast downloading and application of patches;
- no impact on system performance;
- the ability to roll back the changes made.
CloudLinux developers keep improving the product, and there is every reason to hope that in the near future it will become more widespread and gain well-deserved popularity among system administrators.
Readers who for one reason or another cannot leave comments here are invited to discuss the article on our blog.