Canonical Livepatch
To avoid downtime during kernel upgrades, you can use a feature of the Linux kernel called live patching. This feature makes it possible to implement kernel updates without rebooting.
What Is Livepatch and How Does It Work?
Canonical Livepatch uses the Kernel Live Patching technology built into the standard Linux kernel. Canonical’s Livepatch website notes that massive corporations like AT&T, Cisco, and Walmart use it.
It’s free for personal use on up to three computers, which can be “desktops, servers, virtual machines, or cloud instances.” Organizations can use it on more systems with a paid Ubuntu Advantage subscription.
Kernel Patches Are Necessary But Inconvenient
Linux kernel patches are a fact of life. Keeping your system secure and patched up to date is vital in the interconnected world we live in. But having to reboot your computer to apply kernel patches can be a pain, especially if the computer is providing some sort of service to users and you have to coordinate or negotiate with them to take the service offline. And there’s a multiplier: if you maintain several Ubuntu machines, at some point you have to bite the bullet and do each one in turn.
The Canonical Livepatch Service removes all of the aggravation of keeping your Ubuntu systems up to date with critical kernel patches. It’s easy to set up—either graphically or from the command line—and it takes one more chore off your shoulders.
Anything that reduces maintenance efforts, boosts security, and reduces downtime has to be an attractive proposition, right? Yes, but there are some caveats.
- You must be using a Long Term Support (LTS) release of Ubuntu such as 16.04 or 18.04. The most recent LTS version is 18.04, so that’s the version we’re going to use here.
- It must be a 64-bit version.
- You must be running Linux kernel 4.4 or higher.
- You need to have an Ubuntu One account. Remember them? If you don’t have an Ubuntu One account, you can sign up for a free account.
- You can use the Canonical Livepatch Service at no cost, but you’re limited to three computers per Ubuntu One account. If you have to maintain more than three computers, you’ll need additional Ubuntu One accounts.
- If you have physical, virtual, or cloud-hosted servers to look after, you’ll need to become an Ubuntu Advantage customer.
If you don’t have an Ubuntu One account, you can create one at no cost.
Installation
There are two major maintainers of kernel live patches: Canonical, which provides its own Livepatch Service for Ubuntu, and KernelCare, which supports Ubuntu in addition to most other major Linux distributions. Both require registration to use, and only Canonical’s service is free for individual use.
You can register for a Livepatch key at https://auth.livepatch.canonical.com/.
After enrolling, you can install the canonical-livepatch snap package. Snap is another Ubuntu package manager that runs alongside apt.
sudo snap install canonical-livepatch
You can enable canonical-livepatch with a one-line command using the key you obtained when registering:
sudo canonical-livepatch enable your-key
The output should contain the message Successfully enabled device.
The service should run in the background from now on without any further intervention, and you can check its status using canonical-livepatch status:
sudo canonical-livepatch status
Once the service is enabled, the status output should look something like this:
last check: 50 seconds ago
kernel: 5.15.0-25-generic
server check-in: succeeded
patch state: ✓ all applicable livepatch modules inserted
patch version: 84.1
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 2565a9e7fc9f4405a167e4caf9b9dcf3
You have now configured automatic kernel updates for your server, meaning it should no longer be necessary to reboot in order to maintain a secure and up-to-date environment.
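As an added example (not code from the original article or from Canonical), a small POSIX shell helper that parses the canonical-livepatch status output shown above and reports whether the machine is actually protected. The healthy sample is the output from this page; the unhealthy sample's wording is constructed, and /var/run/reboot-required is Ubuntu's standard marker for a pending kernel reboot.

```shell
#!/bin/sh
# Constructed sample: the healthy status output shown on this page.
SAMPLE_OK='last check: 50 seconds ago
kernel: 5.15.0-25-generic
server check-in: succeeded
patch state: ✓ all applicable livepatch modules inserted
patch version: 84.1
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 2565a9e7fc9f4405a167e4caf9b9dcf3'

# Constructed sample of an unhealthy report; the real tool's failure
# wording may differ, so the check keys on "succeeded"/"inserted" only.
SAMPLE_BAD='last check: 3 hours ago
kernel: 5.15.0-25-generic
server check-in: failed
patch state: ✗ no livepatch modules inserted
patch version: 84.1'

# livepatch_field TEXT NAME: print the value of the "NAME: value" line.
livepatch_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# livepatch_healthy TEXT: return 0 when the last server check-in succeeded
# and every applicable module is inserted; otherwise explain on stderr
# and return 1, so it can drive a monitoring alert.
livepatch_healthy() {
    checkin=$(livepatch_field "$1" 'server check-in')
    state=$(livepatch_field "$1" 'patch state')
    [ "$checkin" = "succeeded" ] || { echo "check-in: $checkin" >&2; return 1; }
    case "$state" in
        *"all applicable livepatch modules inserted"*) return 0 ;;
        *) echo "patch state: $state" >&2; return 1 ;;
    esac
}

# Livepatch only delivers selected kernel security fixes; a new kernel
# package installed by apt still needs a reboot, which Ubuntu records here.
reboot_pending() {
    [ -f /var/run/reboot-required ]
}

# Usage on a real host (assumes the service has been enabled):
#   livepatch_healthy "$(sudo canonical-livepatch status)" && echo "livepatch OK"
#   reboot_pending && echo "a new kernel is installed; reboot still required"
```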