
Canonical Livepatch


To avoid downtime during kernel upgrades, you can use a feature of the Linux kernel called live patching. This feature makes it possible to implement kernel updates without rebooting.

What Is Livepatch and How Does It Work?

Canonical Livepatch uses the Kernel Live Patching technology built into the standard Linux kernel. Canonical’s Livepatch website notes that massive corporations like AT&T, Cisco, and Walmart use it.

It’s free for personal use on up to three computers, which can be “desktops, servers, virtual machines, or cloud instances.” Organizations can use it on more systems with a paid Ubuntu Advantage subscription.

Kernel Patches Are Necessary But Inconvenient

Linux kernel patches are a fact of life. Keeping your system secure and patched up to date is vital in the inter-connected world we live in. But having to reboot your computer to apply kernel patches can be a pain, especially if the computer is providing some sort of service to users and you have to co-ordinate or negotiate with them to take the service off-line. And there’s a multiplier: if you maintain several Ubuntu machines, at some point you have to bite the bullet and do each one in turn.

The Canonical Livepatch Service removes all of the aggravation of keeping your Ubuntu systems up to date with critical kernel patches. It’s easy to set up and it takes one more chore off your shoulders.

Anything that reduces maintenance efforts, boosts security, and reduces downtime has to be an attractive proposition, right? Yes, but there are some caveats.

  • You must be using a Long Term Support (LTS) release of Ubuntu such as 20.04 or 22.04.
  • It must be a 64-bit version.
  • You must be running Linux Kernel 4.4 or higher.
  • You need to have an Ubuntu One account. If you don’t have an Ubuntu One account, you can sign up for a free account.
  • You can use the Canonical Livepatch Service at no cost, but you’re limited to three computers per Ubuntu One account. If you have to maintain more than three computers, you’ll need additional Ubuntu One accounts.
  • If you have physical, virtual, or cloud-hosted servers to look after, you’ll need to become an Ubuntu Advantage customer.
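The first three requirements above can be checked before you try to enable the service. The following preflight script is an added example, not part of the original page or of Canonical's tooling: it takes the release name, architecture and kernel version as arguments so the logic can be exercised against constructed values, and at the end reads the real values from /etc/os-release, `uname -m` and `uname -r`. The list of 64-bit architecture names it accepts is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original page): check the Livepatch prerequisites
# listed in the article: an LTS release, a 64-bit machine, kernel 4.4 or newer.

# kernel_at_least WANT HAVE
# Returns 0 when HAVE (e.g. "5.15.0-25-generic") is at least WANT (e.g. "4.4"),
# comparing only the major and minor numbers.
kernel_at_least() {
    want_major=${1%%.*}
    want_minor=${1#*.}; want_minor=${want_minor%%.*}
    have_major=${2%%.*}
    have_minor=${2#*.}; have_minor=${have_minor%%.*}
    [ "$have_major" -gt "$want_major" ] ||
    { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# livepatch_prereqs PRETTY_NAME ARCH KERNEL
# Returns 0 if every requirement is met; otherwise prints each unmet
# requirement and returns 1.
livepatch_prereqs() {
    rc=0
    case "$1" in
        *LTS*) ;;
        *) echo "FAIL: not an LTS release: $1"; rc=1 ;;
    esac
    # Assumed set of 64-bit machine names as reported by `uname -m`.
    case "$2" in
        x86_64|aarch64|ppc64le|s390x) ;;
        *) echo "FAIL: not a 64-bit architecture: $2"; rc=1 ;;
    esac
    if ! kernel_at_least 4.4 "$3"; then
        echo "FAIL: kernel $3 is older than 4.4"; rc=1
    fi
    return $rc
}

# Check the machine this runs on. PRETTY_NAME in /etc/os-release reads like
# "Ubuntu 22.04.2 LTS" on an LTS release.
if [ -r /etc/os-release ]; then
    . /etc/os-release
    if livepatch_prereqs "${PRETTY_NAME:-unknown}" "$(uname -m)" "$(uname -r)"; then
        echo "prerequisites met"
    fi
fi
```

Run it as a normal user; nothing here needs root. A non-zero exit with one or more FAIL lines tells you which requirement to fix before spending a Livepatch key on the machine.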

Installation

There are two major maintainers for kernel live patches: Canonical, who provides their own Livepatch Service for Ubuntu, and KernelCare, who support Ubuntu in addition to most other major Linux distributions. Both require registration to use, and only Canonical’s service is free for individual use.

You can register for a Livepatch key at https://auth.livepatch.canonical.com/.

After enrolling, you can install the canonical-livepatch snap package. Snap is another Ubuntu package manager that runs alongside apt.

sudo snap install canonical-livepatch

You can enable canonical-livepatch with a one-line command using the key you obtained when registering:

sudo canonical-livepatch enable your-key

The output should contain the message Successfully enabled device. The service should run in the background from now on without any further intervention, and you can check its status using canonical-livepatch status:

sudo canonical-livepatch status

After installing, you should see something like this:

Output
last check: 50 seconds ago
kernel: 5.15.0-25-generic
server check-in: succeeded
patch state: ✓ all applicable livepatch modules inserted
patch version: 84.1
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 2565a9e7fc9f4405a167e4caf9b9dcf3

You have now configured automatic kernel updates for your server, meaning it should no longer be necessary to reboot in order to maintain a secure and up-to-date environment.
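“Should no longer be necessary” is worth verifying rather than assuming: a machine whose server check-in fails, or whose patch state is anything other than all modules inserted, is not receiving the kernel fixes you think it is. The script below is an added example, not part of the original page or of Canonical's tooling. It parses the status output in the format shown above and returns non-zero when the machine is unhealthy, so it can be run from cron or a monitoring agent. The healthy sample is the article's own output; the failing sample is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): turn `canonical-livepatch status`
# into a pass/fail check for cron or a monitoring agent.

# Healthy output, copied from the article.
SAMPLE_OK='last check: 50 seconds ago
kernel: 5.15.0-25-generic
server check-in: succeeded
patch state: ✓ all applicable livepatch modules inserted
patch version: 84.1
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 2565a9e7fc9f4405a167e4caf9b9dcf3'

# Constructed failure case for this example: the check-in failed and the
# patch state line no longer reports all modules inserted.
SAMPLE_BAD='last check: 3 hours ago
kernel: 5.15.0-25-generic
server check-in: failed
patch state: ✗ livepatch module not inserted
patch version: 84.1
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 2565a9e7fc9f4405a167e4caf9b9dcf3'

# field NAME STATUS_TEXT -> prints the value after "NAME: "
field() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# livepatch_healthy STATUS_TEXT
# Returns 0 when the server check-in succeeded and the patch state reports
# all applicable modules inserted; otherwise prints the reason on stderr
# and returns 1.
livepatch_healthy() {
    status="$1"
    checkin=$(field 'server check-in' "$status")
    state=$(field 'patch state' "$status")
    rc=0
    if [ "$checkin" != "succeeded" ]; then
        echo "WARN: server check-in is '$checkin'" >&2
        rc=1
    fi
    case "$state" in
        *"all applicable livepatch modules inserted"*) ;;
        *) echo "WARN: patch state is '$state'" >&2; rc=1 ;;
    esac
    return $rc
}

# Live use (needs the snap installed and root); commented out so the example
# runs offline on the samples above:
# livepatch_healthy "$(sudo canonical-livepatch status)" && echo "livepatch OK"
```

Checking both fields matters: a successful check-in with an incomplete patch state means the server was reached but a module failed to load, while a failed check-in with a clean patch state means the machine is patched only up to whatever it last fetched.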


Updates

From time to time, you may need to update your livepatch software. Since this is a Snap package, you will need to perform the following to check if you need to update it.

sudo snap info canonical-livepatch

You may also see a notification about the update appear in your desktop's notification panel.

To perform the update, follow these steps:

  1. Stop your existing Livepatch instance:

sudo snap stop canonical-livepatch

  2. Refresh your Livepatch instance:

sudo snap refresh canonical-livepatch

If successful, you should see output in your terminal similar to this:

canonical-livepatch 10.5.4 from Canonical refreshed