Security updates for the Linux kernel can be applied with tools such as apt, yum, or kexec. With a large number of servers this process is difficult and time-consuming, and a manually updated kernel only takes effect after a system reboot. For organizations with more than a few servers, live patching is the best option. It automatically patches the Linux kernel while the server is running, making it more efficient and safer than manual methods.
KernelCare
KernelCare is a great option for hosting providers and businesses. It runs on Ubuntu, CentOS, Debian, and other popular flavors of Linux. It checks for updates every 4 hours and installs them automatically. Patches can be rolled back. KernelCare is free for nonprofits. To install KernelCare, run the installation script:
wget -qq -O - https://kernelcare.com/installer | bash
If you are using an IP based license, nothing else is required. Otherwise, if you are using a key based license, run the following command to register the service:
/usr/bin/kcarectl --register <your-key>
where <your-key> is the registration code string provided when signing up for a trial or purchasing a product. You can get it on this page. Below are some useful KernelCare commands. To check whether the running kernel is supported by KernelCare:
curl -s -L https://kernelcare.com/checker | python
To unregister a server:
sudo kcarectl --unregister
To check the status of the service:
sudo kcarectl --info
The software will automatically check for new patches every 4 hours. To update manually, run:
/usr/bin/kcarectl --update
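The installation command above pipes a script from the network straight into bash. As an added example (not part of the original article or of KernelCare's own tooling), the two helper functions below stage the installer in a file and run basic checks on it, so it can be reviewed and its hash recorded before it is executed. The function names and the destination path are assumptions.

```shell
#!/usr/bin/env bash
# Added example: stage a remote installer for review instead of piping it to bash.
# stage_script and vet_script are hypothetical helper names.

# Download URL to DEST over HTTPS only. Nothing is executed.
stage_script() {
    local url="$1" dest="$2"
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 2 ;;
    esac
    # --fail turns HTTP errors into a non-zero exit instead of saving an
    # error page; redirects are also restricted to HTTPS.
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         --output "$dest" "$url" || return 3
    chmod 0600 "$dest"
}

# Sanity-check a staged shell script; print its SHA-256 on success.
vet_script() {
    local path="$1" first=""
    [ -s "$path" ] || { echo "empty or missing: $path" >&2; return 1; }
    IFS= read -r first < "$path" || true
    case "$first" in
        '<'*) echo "looks like an HTML page, not a script: $path" >&2
              return 1 ;;
    esac
    # Parse without executing; this catches truncated downloads.
    bash -n "$path" 2>/dev/null || {
        echo "syntax check failed: $path" >&2; return 1; }
    # The hash lets you confirm every server ran the same reviewed file.
    sha256sum "$path" | cut -d' ' -f1
}

# Usage (stage and review as an unprivileged user, then install):
#   stage_script https://kernelcare.com/installer "$HOME/kc-installer.sh"
#   vet_script "$HOME/kc-installer.sh" && less "$HOME/kc-installer.sh"
#   sudo bash "$HOME/kc-installer.sh"
```

The syntax check only confirms that the file is a complete shell script; what it does still has to be read before running it as root.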
Canonical Livepatch
Canonical Livepatch is a service that fixes a running kernel without rebooting your Ubuntu system. Livepatch is free to use on three Ubuntu systems. To use this service on more than three computers, you need to subscribe to the Ubuntu Advantage program. Before installing the service, you need to get a livepatch token from the Livepatch service website. Then install the service and enable it with your token by running the following two commands:
sudo snap install canonical-livepatch
sudo canonical-livepatch enable <your-key>
To check the status of the service, run:
sudo canonical-livepatch status --verbose
Later, if you want to unregister the machine, use this command:
sudo canonical-livepatch disable <your-key>
The same instructions apply for Ubuntu 20.04 and Ubuntu 18.04.