So, what does hot patching do? (Or: Why do I want KernelCare?)The basic concept of Linux kernel hot patching is pretty much the same not matter what it’s called. The goal is to only update the changes rather than the whole Kernel – which normally requires a reboot. It’s much harder than it sounds though since kernel updates come as complete packages and the system is running. Imagine trying to do an oil change on your car while driving at highway speeds; that’s kernel hot patching in a nutshell. With a KernelCare enabled kernel updates can be processed and then applied selectively to a running server. This can mean not needing to reboot for much longer than you would normally require to stay secure.
How do I check if I have KernelCare and is it working? (Or: Checking KernelCare version)The best way to check if your server is running with KernelCare is to look for its main CLI tool. You can do this with the following linux command:
which kcarectlIf the CLI tool is found on the server you will see output like the following, or something very similar.
# which kcarectl /usr/bin/kcarectlIf the CLI tool is not installed you will see the following:
# which kcarectl #
When using the Linux `which` command you will get no results if the executable is not found. In this case that means KernelCare is likely not active or installed on the server.Assuming the test above was successful, you’ll now want to check the status of KernelCare. This will help you determine if KernelCare is active and what the effective version is. You can do this with the following command:
/usr/bin/kcarectl --infoThe results will look similar to the following:
[root@host ~]# /usr/bin/kcarectl –info kpatch-state: patch is applied kpatch-for: Linux version 3.10.0-327.36.3.el7.x86_64 (firstname.lastname@example.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) ) #1 SMP Mon Oct 24 16:09:20 UTC 2016 kpatch-build-time: Mon Nov 7 08:20:19 2016 kpatch-description: 2;3.10.0-327.36.3.el7.x86_64As you can see the output provides various details about the KernelCare status. Looking at the kpatch-state we can see that hot patching is working and enabled.