By guest author Christian Reiß
If you haven’t felt it before: when Dirty Cow hit, you did. The Linux kernel is rock solid and proven, but it also has security issues. In this case: root rights for everyone! And on top of that, this bug is so trivially easy to exploit (several proof-of-concepts are out there that can easily be converted into a live, working exploit) that you had to update your kernels. On every server. And reboot.
The last part is especially evil because a reboot will be noticed by your customers if you are not employing some high-availability setup. And in the world of web hosting this is mostly not the case. So every reboot is a downtime, costs time and money. Plus, you have to update your servers in due time and plan said downtime accordingly. But for all this to happen your distribution must build and provide you with updates first. You can’t install non-existent patches.
KernelCare is a product from the folks that bring you CloudLinux, and it solves all of the above problems. It consists of a kernel module that loads additional kernel patches for your kernel version and applies them in real time. The daemon checks for available updates every 4 hours (via cron), and patches are made available blazingly fast. To pick up the above Dirty Cow example, here is their incident reaction chart. To sum it up: you are days ahead. In a situation where remote root exploits are a thing, days can kill you.
Let’s rather kill the bugs.
According to their official documentation the right way to install KernelCare is:
rpm -i https://downloads.kernelcare.com/kernelcare-latest.x86_64.rpm
/usr/bin/kcarectl --register KEY
With only two commands per server and some supplying of keys you can get up and running, no reboot required. Wait, what? Manual labor? Per server? I am thinking of hundreds of servers to patch and maintain; manual “something” is not a thing.
Let’s rather kill the bugs with style.
Once your company (or hobby project) reaches a certain size, manually configuring servers is out of the question. You want fully automated configuration and package management. This is where Puppet comes in: you describe how your servers should be and Puppet makes it happen. Puppet is a very large piece of software that is ‘easy to learn, difficult to master.’ And for everything you want it to do, you need a Puppet module. And KernelCare just screams for one.
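As an added illustration (not code from the post, and not an official KernelCare or CloudLinux module), here is a minimal Puppet class that turns the two manual commands above into something idempotent. It assumes the activation key is supplied through Hiera as the class parameter `kernelcare::key` (an assumed name), and that the RPM installs `/usr/bin/kcarectl`, which is used as the marker that the install step has already run.

```puppet
# Added example class, not the project's own code.
# Assumptions: the key arrives via Hiera as kernelcare::key;
# the RPM places the control binary at /usr/bin/kcarectl.
class kernelcare (
  String $key,
  String $rpm_url = 'https://downloads.kernelcare.com/kernelcare-latest.x86_64.rpm',
) {
  # Step 1: install the package. 'creates' makes this run only while the
  # binary is missing, so repeated Puppet runs do not reinstall anything.
  exec { 'kernelcare-install':
    command => "/bin/rpm -i ${rpm_url}",
    creates => '/usr/bin/kcarectl',
  }

  # Step 2: register the host. 'refreshonly' means this runs exactly once,
  # immediately after the install exec reports a change, and never again.
  exec { 'kernelcare-register':
    command     => "/usr/bin/kcarectl --register ${key}",
    refreshonly => true,
    subscribe   => Exec['kernelcare-install'],
  }
}
```

Put the key in Hiera (for example `kernelcare::key: 'YOUR-KEY-HERE'` in an encrypted backend rather than in the manifest) and `include kernelcare` from your node classification; the built-in cron check every 4 hours then takes over, so no Puppet-managed cron job is needed for updates.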
At this point, you know what puppet is, and you are using it. Explaining those points is outside the scope of this post and would blow this out of proportion. So if you have a running puppet setup...
...continue reading this blog post on alpha-labs.net >>