Amazon Linux 2. What’s New?
Introduction
Kernel Live Patching is now available in Preview for Amazon Linux 2. This will enable customers to patch security vulnerabilities and bugs in the Linux kernel without reboots. This will eventually pave the path for zero downtime in systems/ cluster of systems.
Importance of Security Patch.
Security patches are one of the few things we cannot ignore. It is essential to keep our systems and devices up to date with the latest security patches. It is vital to keep cyberattacks at bay. Security patches are crucial for data protection and avoid infiltration of the system by hackers.
However, there are a few considerations to make while we update a system with the patch.
Interruptions for applications can be exorbitant.
Every organization tries to build its service to be highly available but most security patches require rebooting systems or disrupting their normal function to install the patch. This time cost might be inconsequential, or it can have a significant impact on the organization and its core business.
Security Patches Can Get Released often.
The very first reason systems are delayed on security patches is the number of patches released. Failure to patch vulnerabilities is a major risk and cost more than the organization can afford to pay. Needless to say, the information security team in your organization mandates the systems to be up to update with the latest fix.
How will Live Kernel Patching help you?
For systems that need to be online 24/7, which is the case with most of the services these days, patching is not a piece of cake even with processes being around. Patching calls for system downtime least to say at least a few seconds, but we know this is not usually true. Reboots can quickly become a nightmare if the application or service is not back online and there can be various reasons for it. Kernel Live Patching in Amazon Linux provides a way to reduce this downtime, which will apply a fix in the running kernel, thus eliminating the need to reboot the systems. Amazon Linux 2 will patch security vulnerabilities behind the scene without restart or disruptions to the applications on your system. This functionality will reduce the downtime of the systems caused by patching of security vulnerabilities and bugs. This allows the companies to benefit from improved service and application availability while keeping the infrastructure secure and up to date.
How to enable Kernel Live Patching?
$ sudo yum list kernel
If your kernel version is 4.14.165-131.185 or later skip the following commands
$ sudo yum install -y kernel
$ sudo reboot
Install the plugin for kernel live patching
$ sudo yum install -y yum-plugin-kernel-livepatch
Enable the plugin
$ sudo yum kernel-livepatch enable -y
Confirm the installation
$ rpm -qa | grep kernel-livepatch
When you enable Kernel Live Patching, an empty kernel live patch RPM is automatically applied. If Kernel Live Patching was successfully enabledThe command will returns list
“kernel-livepatch-4.14.173-137.229-1.0-0.amzn2.x86_64
yum-plugin-kernel-livepatch-1.0-0.8.amzn2.noarch” .
Update and start the kpatch service. This will load all of the kernel live patches upon initialization or at boot
$ sudo yum update kpatch-runtime
$ sudo systemctl enable kpatch.service
Configure the Amazon Linux 2 Kernel Live Patching repository, which contains the kernel live patches.
$ sudo amazon-linux-extras enable livepatch
To view available kernel patches
$ yum updateinfo list
$ yum updateinfo list cves
The yum plugin for Kernel Live Patching manages the kernel live patches.
To apply kernel live patches use the following command.
$ sudo yum update –security
To apply a specific patch, get the patch version by using on of the commands described in the view available kernel patch section.
$ sudo yum install kernel-livepatch-kernel_version.x86_64
Disable Kernel Live Patching
If you want to discontinue using Kernel live patching, you can do so at any time. Remove the RPM packages, yum plguin and reboot the instance.
$ sudo yum kernel-livepatch disable
$ sudo yum remove yum-plugin-kernel-livepatch
$ sudo reboot
