How to set up automatic kernel updates on Linux

Applying security updates to the Linux kernel is a simple process that can be done with tools like apt, yum, or kexec. However, when managing hundreds or thousands of servers running different Linux distributions, this method can be difficult and time consuming to fix.

Manual kernel updates require a system reboot. This leads to downtime, which can be problematic, so reboots are usually scheduled at regular intervals. Because manual patching is performed during these cycles, this gives hackers a “time window” in which they can attack the server infrastructure.

For organizations with more than a few servers, live patching is the best option. It is an automatic way to fix the Linux kernel while the server is running, making it more efficient and safer than manual methods.

This article explains how to set up automatic kernel updates without rebooting using real-time fix solutions from Canonical and CloudLinux.

Canonical Livepatch

Canonical Livepatch is a service that fixes a running kernel without rebooting your Ubuntu system. Livepatch is free to use on three Ubuntu systems. To use this service on more than three computers, you need to subscribe to the Ubuntu Advantage program.

Before installing the service, you need to get a livepatch token from the Livepatch service website.

After installing the token and enabling the service by running the following two commands:

sudo snap install canonical-livepatch
sudo canonical-livepatch enable <your-key>

To check the status of the service, run:

sudo canonical-livepatch status --verbose

Later, if you want to unregister the machine, use this command:

sudo canonical-livepatch disable <your-key>

The same instructions apply for Ubuntu 20.04 and Ubuntu 18.04.

KernelCare

KernelCare is a great option for hosting providers and businesses.

KernelCare runs on Ubuntu, CentOS, Debian, and other popular flavors of Linux. It checks for updates every 4 hours and installs them automatically. Patches can be rolled back. KernelCare is free for nonprofits.

To install KernelCare, run the installation script:

wget -qq -O - https://kernelcare.com/installer | bash

If you are using an IP based license, nothing else is required. Otherwise, if you are using a key based license, run the following command to register the service:

/usr/bin/kcarectl --register <your-key>

Where is the registration code string provided when signing up for a trial or purchasing a product. You can get it on this page.

Here are some useful KernelCare commands:

  • To check if a running KernelCare kernel is supported:
    curl -s -L https://kernelcare.com/checker | python
  • To unregister a server:
    sudo kcarectl --unregister
  • To check the status of the service:
    sudo kcarectl --info
  • The software will automatically check for new patches every 4 hours. To update manually, run:
    /usr/bin/kcarectl --update

Output

Live Patching technology allows you to apply patches to the Linux kernel without rebooting.

If you have questions or feedback, feel free to leave comments.

Sidebar