KernelCare on Devuan (Kind of)

“Why would I care about running KernelCare on an unsupported distribution”, you might ask me. “What are you talking about? Why are you here?! Get off my lawn!” might be another.

KernelCare is a great idea which sometimes breaks, but usually keeps you well within your SLA. It lets you do nearly-realtime half-week-or-so (I won’t claim 0-day) patching of the kernel without rebooting. This gets your kernel safe enough for the majority of issues – fairly consistently.

KernelCare supports Debian (Kind of), and by proxy- Devuan (Kind of).

For starters, you’re going to need to have the prerequisites installed- Python 2.7 (standard) with a few support tools. I’ll help you get those running (Kind of).

Although soon to be out-of-date, the easiest ways to get this handled is with pip 19. Obviously, I’d strongly suggest checking the base85 code before running it blindly as root, but for the sake of convenience:

$wget -O - | sudo python

Finally, we need an old version of cryptography to work with this older framework (I’m not the biggest fan of this design, either):

$sudo pip install 'cryptography<2.2'

Finally, you can install KernelCare! My modified installer script lives here for now. You’ll want to read the code, then run that, too- if you trust it. The default installer doesn’t work for Devuan. Since there is no direct numeric ID in the os-release file used by CloudLinux, I made it parse $PRETTY_NAME. It only understands ascii (Debian 9), and defaults to jessie (Debian 8) if it doesn’t match.

In the end, you’ll end up with something like this:

# kcarectl -i
Unknown kernel (debian 4.19.0-0.bpo.1-amd64), no patches available

OK, so this isn’t the best example, since I’m running a nonstandard kernel in this example, but it works!