Forget Server Reboots: KernelCare Keeps Linux Environments Secure, Stable, and Up to Date with Live Patching


TL;DR: KernelCare, developed by CloudLinux, is an automated live-patching service that keeps Linux kernels up to date with security fixes. It lets users close vulnerabilities without rebooting while meeting the patching expectations of frameworks such as SOC 2. With offerings for hosting providers, enterprises, IoT devices, shared libraries, and beyond, KernelCare aims to become the default patch management system for Linux.

In the service provider world, SOC 2 compliance is the hallmark of good data governance.

The audit, performed by an independent third-party auditor, attests that companies storing customer data in the cloud protect the interests of customer organizations and the privacy of their clients. It is structured around the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

A clean SOC 2 report is undoubtedly a good thing for providers: it demonstrates that they meet a recognized standard and are a suitable business partner. But keeping up with regular vulnerability scans and software updates requires a lot of work, and patches must be applied quickly.


We got the scoop on KernelCare from Jim Jackson, President and CRO.

That’s where KernelCare comes in. The company is dedicated to helping users maintain secure Linux systems with updated kernels without any interruptions.

“Our value prop is that you don’t have to wait,” said Jim Jackson, President and CRO of KernelCare. “You could be reading the news and see an article about critical Linux Kernel Common Vulnerabilities and Exposures (CVEs) that affect your systems. If you’re running KernelCare, around the time you finish the article, they’ve already been patched.”

KernelCare empowers providers to update Linux kernels automatically, maintaining compliance without the downtime associated with rebooting or time invested in sysadmin work.

The team monitors the Linux security mailing lists and builds a patch for each new vulnerability as soon as it is published. After hundreds of quality assurance tests, patches are released and applied to servers automatically (though users can choose to install only the patches they want).

Providing Interruption-Free Linux Updates Since 2014

KernelCare is a product of CloudLinux, which was founded in 2009 and now powers more than 20 million websites via CloudLinux OS.

“KernelCare was first released in 2014,” Jim said. “Now we have over 500,000 servers in production on it, and it’s one of the fastest-growing product lines in the company.”

Jim told us the company’s tech culture, talented team of “Linux gurus,” and solid product lineup drew him to the company around that time — and continues to fascinate him.


The patching process does not require disruptive rebooting.

“CloudLinux OS does a lot of great things for hosts in terms of boosting performance, increasing the density they can achieve on their servers, and reducing issues, and then KernelCare further reduces downtime and admin workloads by allowing them to apply patches to the kernel without rebooting,” he said.

One of the hosting companies CloudLinux serves recently retired a server that had continuously run without issues for five consecutive years.

“It had been patched that entire time with no changes in performance or stability, and it had never been out of service for five years,” Jim said. “It’s kind of a milestone. Now we have others that are about to approach the six-year mark.”

In addition to web hosts, KernelCare also serves a large group of enterprises with a live Linux kernel patching solution tailored to companies with more than 1,000 servers.

Expanding Beyond Hosting and Enterprise Applications

But KernelCare isn’t limited to hosts and enterprises — Jim told us the company has expanded to serve any organization that runs on a Linux environment, from government agencies to universities.

The company is also growing in terms of use cases through KernelCare+, a recently introduced patching solution that goes beyond Linux kernels to patch shared libraries without requiring a reboot.

“We started with OpenSSL and the GNU C Library (glibc),” he said. “We’ll expand that to QEMU soon and continue down that path. Any libraries that are problematic to patch because you have to bounce services that are using them — we’ll live-patch those, too. By the middle of this year, we’ll also be live patching databases like MySQL, MariaDB, Postgres, all those C++, open-source databases.”


Beyond the kernel: The company now supplies live updates for shared libraries and embedded devices.

These and many of the company’s updates come as a response to customer feedback. The CloudLinux and KernelCare teams are always open to user suggestions and embrace a can-do attitude in terms of development.

“Recently, we’ve been getting into discussions about embedded systems and environments, IoT devices, and edge gateways,” Jim said. “A lot of headless devices out there are running kernels that are 10 years old in some cases, and people have no way to update them because they can’t take them offline. So we’re expanding horizontally based on customer demand.”

The company will likely release a new, more inclusive naming convention for the expanded product group, which will ultimately include kernel, library, and database patching and continue to grow from there.

Automating and Streamlining the SysAdmin Workflow

The common thread between all of KernelCare’s offerings is the power to relieve sysadmins from unnecessary burdens. “We take things that are difficult and time-consuming for admins and make them nonevents,” Jim said.

KernelCare team members are on a mission to keep automating and live patching every important task modern Linux systems require. To that end, they recently released automation that finds services still holding an old, unpatched copy of a library in memory after the package on disk has been updated.

“For example, OpenSSL has a huge attack surface, so there’s constantly CVEs coming out,” Jim said. “Every time you have one, you go run Yellowdog Updater, Modified (YUM) or apt-get to get the new library version, but that only updates it on the disk. It doesn’t get pulled into memory until you restart the services that are using it.”

After realizing that many admins weren’t aware of this, KernelCare automated the task.

“We found that when big organizations that were running KernelCare had CVEs that affected libraries, they were rebooting the servers anyway because it was too difficult and time-consuming for them to figure out which services were using a particular library. But that defeats the purpose of KernelCare,” Jim said. “So we have a lot of customers moving to KernelCare+ now because of that added feature.”
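The situation Jim describes, as an added shell example that is not KernelCare's code: after yum or apt replaces a library on disk, any process that loaded the old copy keeps the now-unlinked file mapped, and the kernel marks those entries in /proc/PID/maps with a trailing "(deleted)". The script below parses that marker to list which processes still run the stale library. The sample maps listing is constructed, not captured from a real host, and the function names are my own.

```shell
#!/bin/sh
# Added example (not KernelCare's code): find processes that still have a
# replaced shared library mapped in memory after a package update.
#
# When yum/dnf/apt installs a new library version, the package manager writes
# a new file and unlinks the old one. Processes that loaded the old file keep
# the old inode mapped, and the kernel appends "(deleted)" to those lines in
# /proc/PID/maps. That marker is the signal we look for.

# Read one /proc/PID/maps listing on stdin; print each distinct file-backed
# mapping whose backing file has been unlinked. Column 6 is the path and the
# last column is "(deleted)" for stale mappings. memfd/shm and /dev entries
# are reported "(deleted)" by design, so they are filtered out. Paths that
# contain spaces would be truncated at the first space (rare for libraries).
stale_libs_from_maps() {
    awk '$NF == "(deleted)" && $6 ~ /^\// && $6 !~ /^\/(memfd:|dev\/)/ { seen[$6] = 1 }
         END { for (p in seen) print p }' | sort
}

# Walk every process on the host and print "PID<TAB>comm<TAB>path" for each
# stale mapping. Reading another user's maps requires root (ptrace access);
# processes we cannot read are silently skipped.
scan_host() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        cat "$maps" 2>/dev/null | stale_libs_from_maps | while IFS= read -r path; do
            printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$path"
        done
    done
}

# Constructed sample maps file for a process that loaded OpenSSL before the
# openssl package was upgraded on disk (not from a real system).
SAMPLE_MAPS='55d2c4a00000-55d2c4a1b000 r-xp 00000000 fd:01 393220 /usr/sbin/nginx
7f3c2a000000-7f3c2a1c8000 r-xp 00000000 fd:01 1052 /usr/lib64/libssl.so.1.1 (deleted)
7f3c2a1c8000-7f3c2a3c7000 ---p 001c8000 fd:01 1052 /usr/lib64/libssl.so.1.1 (deleted)
7f3c2a400000-7f3c2a690000 r-xp 00000000 fd:01 1053 /usr/lib64/libcrypto.so.1.1 (deleted)
7f3c2a700000-7f3c2a8f0000 r-xp 00000000 fd:01 2048 /usr/lib64/libc.so.6
7f3c2a900000-7f3c2a901000 rw-s 00000000 00:05 4213 /memfd:xshmfence (deleted)
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]'

# Run the parser over the constructed sample: prints libcrypto and libssl,
# the two libraries that were replaced on disk but are still mapped.
demo() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_libs_from_maps
}

case "${1:-}" in
    --scan) scan_host ;;
    *)      demo ;;
esac
```

Run it with no arguments to see the constructed sample, or as root with --scan to walk every process on a host. The "(deleted)" marker is the same signal that tools such as lsof +L1 and Debian's needrestart rely on. The practical point is that a library CVE is not closed when the package manager finishes: it is closed when every process that mapped the library has been restarted or live-patched, which is the gap the automation above is meant to expose and KernelCare+ is meant to remove.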

Over time, the company hopes to become the go-to patch management platform for Linux systems.

“The goal is to patch everything important and automate all of it within a single pane of glass,” Jim said. “It’s not just the kernel anymore.”

Up Next: Expanded Linux Support Services

In January, KernelCare announced its plans for AlmaLinux, a CentOS replacement that comes on the heels of Red Hat’s discontinuation of CentOS as a stable release. The new Linux distribution will be released sometime in the first quarter of 2021.

Moving forward, the company also plans to expand its Linux support services.

“Back in Q4, we extended life cycle support for CentOS-6, which we could easily do because we were already supporting our own CloudLinux OS. That service has been extremely popular, surpassing our expectations on the number of servers deployed on it.”

From there, the team will add support for Oracle Linux 6 and possibly Ubuntu 16.