Live Patching Linux Without Downtime on AWS Graviton2-Based Instances
By Jim Jackson, President and CRO for KernelCare at CloudLinux
Linux’s popularity as a platform for web hosting services, standalone web servers, and web applications has made it a prime target for attackers. They probe both the kernel and the services it hosts with techniques such as remote code execution (RCE), cross-site scripting (XSS) against hosted web applications, and denial of service (DoS).
Almost every month, new vulnerabilities are disclosed in the Linux kernel. Many are relatively benign or difficult to exploit, but some can be serious. CPU side-channel flaws such as ZombieLoad, Spectre and Meltdown are a case in point: the hardware is what is flawed, but the mitigations are delivered as kernel patches.
Keeping your Linux systems current with operating system and application security patches is one of the most effective ways to strengthen system security, and the kernel-level mitigations for hardware flaws such as ZombieLoad arrive the same way.
Enterprises sometimes neglect to install the latest security updates because most kernel upgrades and security patches require a system reboot, which means scheduling downtime and waiting through reboot cycles.
KernelCare from CloudLinux uses live patching to update Linux kernels without stopping or restarting them. CloudLinux is an AWS Partner Network (APN) Advanced Technology Partner with the Amazon Linux 2 Service Ready validation.
KernelCare, which is available on AWS Marketplace, can live patch Amazon Elastic Compute Cloud (Amazon EC2) instances based on AWS Graviton2 Arm64 processors. This post explains, and demonstrates with a video, exactly how KernelCare live patches these new Amazon EC2 instances.
About AWS Graviton2 Processors
Enterprises use Amazon EC2 instances based on AWS Graviton2 processors to optimize performance and cost for their cloud workloads. AWS Graviton2 processors are custom built by Amazon Web Services (AWS) using 64-bit Arm Neoverse cores to deliver the best price performance for cloud workloads running on Amazon EC2.
AWS Graviton2 processors deliver a major leap in performance and capabilities over first-generation AWS Graviton processors: up to 7x the performance, 4x the number of compute cores, 2x larger caches, and 5x faster memory.
AWS Graviton2 processors feature always-on 256-bit DRAM encryption and 50 percent faster per core encryption performance compared to the first-generation AWS Graviton processors.
AWS Graviton2 processors in Amazon EC2 instances power a wide variety of workloads. These include application servers, micro-services, high-performance computing, electronic design automation, gaming, open-source databases, and in-memory caches.
The AWS Graviton2 processors also provide enhanced performance for video encoding workloads, hardware acceleration for compression workloads, and support for CPU-based machine learning inference.
Amazon Linux 2, Ubuntu, Red Hat Enterprise Linux, SUSE Linux Enterprise Server, Fedora, Debian, and FreeBSD now run on Amazon EC2 instances based on AWS Graviton2 processors.
How KernelCare Live Patching Works
KernelCare is a live patching system that patches Linux kernel vulnerabilities automatically, with no reboots. It maintains your kernel security without any service interruption or degradation. It promptly delivers the latest security patches for different Linux distributions and applies them automatically to the running kernel in a fraction of a second, without stopping the processes running on it.
KernelCare works in both live and staging environments, in the cloud and on-premises. It’s used on more than 300,000 servers, and has been used to patch servers running for over six years. It works with all major Linux distributions, including RHEL, CentOS, Amazon Linux, and Ubuntu.
It also interoperates with common vulnerability scanners such as Nessus, Rapid7, and Qualys. That matters because a live-patched kernel still reports its original package version, so a scanner that keys on version strings alone would flag vulnerabilities as open even after they have been fixed in memory.
A small agent installed on each server applies KernelCare’s binary kernel patches. The agent downloads them from the main KernelCare Patch Server, either directly or, where outbound traffic is restricted by a firewall, through a proxy server. You can also host a local private patch server to deliver patches within a secured environment.
KernelCare patches are distributed as cumulative binary packages, custom-built for each supported kernel version. Each package is signed with a GPG key so the agent can verify its origin and integrity before applying it.
This is how the patches are applied:
Figure 1 – How KernelCare patches a Linux kernel.
KernelCare patches the running kernel’s code directly in memory and touches nothing on disk, so there is no need to update system libraries or packages to keep in step with kernel changes. As a consequence, the kernel’s reported version and official patch level do not change, which is not the case after a traditional update with tools such as yum and apt-get followed by a reboot.
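To make the agent-side checks described above concrete, here is an added example; it is not KernelCare’s code and does not come from the page. It models a cumulative, per-kernel, signed patch bundle and an agent that verifies the bundle before “applying” it to a kernel whose reported version never changes, then shows why a scanner keyed on the version string alone gets the wrong answer. The manifest layout, the kernel version strings, the CVE labels, and the toy RSA key (built from two Mersenne primes so the example runs on the standard library alone) are all constructed for this example; a real agent verifies the vendor’s GPG signature instead.

```python
"""Agent-side checks for signed, cumulative live-patch bundles (added example,
not KernelCare's code). Everything here is constructed: manifest layout,
kernel version strings, CVE labels and the toy signing key."""
import hashlib
import json
from dataclasses import dataclass, field

# Toy RSA key from two Mersenne primes: predictable, hence NOT secure. It stands
# in for the vendor's GPG key only so the example runs offline on stdlib alone.
_P = 2**521 - 1
_Q = 2**607 - 1
PUBLIC_MODULUS = _P * _Q
PUBLIC_EXPONENT = 65537
_PRIVATE_EXPONENT = pow(PUBLIC_EXPONENT, -1, (_P - 1) * (_Q - 1))  # Python 3.8+


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def _hash_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_manifest(manifest: dict) -> int:
    """Patch-server side: textbook RSA over SHA-256 of the manifest (no padding, toy only)."""
    return pow(_hash_int(canonical(manifest)), _PRIVATE_EXPONENT, PUBLIC_MODULUS)


def signature_valid(manifest: dict, signature: int) -> bool:
    """Agent side: needs only the public half of the key."""
    return pow(signature, PUBLIC_EXPONENT, PUBLIC_MODULUS) == _hash_int(canonical(manifest))


def build_bundle(kernel: str, level: int, cves: list, blob: bytes) -> tuple:
    """Patch-server side: one cumulative bundle for one exact kernel build.
    Level n contains every fix of level n-1, so the agent needs only the latest."""
    manifest = {
        "kernel": kernel,                                  # must equal uname -r on the host
        "level": level,
        "cves": sorted(cves),
        "blob_sha256": hashlib.sha256(blob).hexdigest(),   # binds the binary patch to the manifest
    }
    return manifest, sign_manifest(manifest), blob


@dataclass
class LiveKernel:
    """The agent's view of a host. uname is fixed for the life of the boot;
    only the live-patch state changes."""
    uname: str
    applied_level: int = 0
    fixed_cves: set = field(default_factory=set)

    def apply(self, manifest: dict, signature: int, blob: bytes) -> str:
        # 1. Authenticity first: no field of the manifest is trusted before this passes.
        if not signature_valid(manifest, signature):
            return "rejected: bad signature"
        # 2. Patches are built against one kernel binary; loading another build's patch
        #    would corrupt kernel memory, so the match must be exact.
        if manifest["kernel"] != self.uname:
            return f"rejected: built for {manifest['kernel']}, running {self.uname}"
        # 3. The signed digest ties the blob to the manifest; a swapped blob fails here.
        if hashlib.sha256(blob).hexdigest() != manifest["blob_sha256"]:
            return "rejected: blob does not match signed manifest"
        # 4. Cumulative levels only move forward; replaying an older bundle is a downgrade.
        if manifest["level"] <= self.applied_level:
            return f"skipped: already at level {self.applied_level}"
        # 5. "Apply": the real agent's kernel module rewrites code in memory;
        #    this model only records the new state. Note that uname is untouched.
        self.applied_level = manifest["level"]
        self.fixed_cves = set(manifest["cves"])
        return f"applied level {self.applied_level}"


def scanner_verdict(host: LiveKernel, cve: str, affected_unames: set) -> dict:
    """Why version-keyed scanners need live-patch awareness: uname never changes,
    so a check on it alone keeps flagging a CVE the running kernel already has fixed."""
    by_version = host.uname in affected_unames
    return {"version_only": by_version,
            "live_patch_aware": by_version and cve not in host.fixed_cves}


if __name__ == "__main__":
    host = LiveKernel("5.10.130-118.517.amzn2.aarch64")       # constructed version string
    level1 = build_bundle(host.uname, 1, ["CVE-EXAMPLE-0001"], b"binary patch, level 1")
    level2 = build_bundle(host.uname, 2, ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"],
                          b"binary patch, level 2")
    print(host.apply(*level1))                                   # applied level 1
    print(host.apply(level2[0], level2[1], b"swapped blob"))     # rejected: blob does not match signed manifest
    print(host.apply(*level2))                                   # applied level 2
    print(host.apply(*level1))                                   # skipped: already at level 2
    print(host.uname, host.applied_level, sorted(host.fixed_cves))
    print(scanner_verdict(host, "CVE-EXAMPLE-0002", {host.uname}))
```

The order of the checks is the point: authenticity before any other field is read, an exact kernel-build match before anything touches memory, the blob bound to the signed manifest, and a monotonic patch level so a replayed older bundle cannot silently downgrade the host. The last call shows the scanner caveat: after level 2 is applied the host is still `5.10.130-118.517.amzn2.aarch64`, so a version-only check reports it vulnerable while a live-patch-aware check does not.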
You can read more technical details in KernelCare’s Technical Whitepaper.
Amazon EC2 instances powered by Graviton2 processors optimize performance and cost for cloud workloads, and they run the most popular Linux distributions, including Amazon Linux 2.
KernelCare live patching keeps the Linux systems you run on AWS Graviton2 processors protected against the latest vulnerabilities without downtime, just as it does on instances powered by first-generation AWS Graviton processors.
Last year, the KernelCare team successfully created a proof-of-concept (POC) for live patching systems powered by Arm processors. Today, we support AWS Graviton2-powered Amazon EC2 instances. Watch a video demonstration of live patching in action.
The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.
CloudLinux – APN Partner Spotlight
CloudLinux is an Amazon Linux 2 Service Ready Partner. KernelCare is an independent live-patching solution built by CloudLinux that works on many Linux distributions and kernels, including Amazon Linux 1 and 2, on both virtualized and bare-metal hosts.