How to enable Canonical Kernel Livepatch service on Ubuntu LTS system

Canonical's Livepatch Service is available for Ubuntu LTS releases from 14.04 onward (see the support table below).

Livepatch lets you install and apply critical Linux kernel security updates without rebooting your system: the fix is live as soon as the patch has been applied.

Without it, a newly installed kernel only takes effect after a reboot, so a server keeps running the old, unpatched kernel until the next maintenance window.

Live patching is fast: most kernel fixes apply in seconds.

The Canonical Livepatch service is free of charge for up to 3 systems.

You can enable Canonical Livepatch on both the Desktop and Server variants from the command line.


Livepatch is intended to address high and critical Linux kernel security vulnerabilities only; other kernel fixes still arrive through the regular kernel package updates and take effect after a reboot.

Refer to the following table for the supported Ubuntu releases, architectures and kernels.

Ubuntu Release      Arch         Kernel Version   Kernel Variants
Ubuntu 18.04 LTS    64-bit x86   4.15 GA          generic and lowlatency kernel variants only
Ubuntu 16.04 LTS    64-bit x86   4.4 GA           generic and lowlatency kernel variants only
Ubuntu 14.04 LTS    64-bit x86   4.4              Hardware Enablement kernel only

Note: on Ubuntu 14.04 LTS (Trusty), Canonical Livepatch requires the Ubuntu 4.4 kernel. Check the running kernel with uname -r and, if it is not a 4.4 kernel, reboot into that kernel before enabling the service.

To enable the service, follow the steps below.

How to get a Livepatch token?

Navigate to the Canonical Livepatch service page and choose "Ubuntu user" if you want to use the free service.

The free service covers up to 3 systems. If you are an Ubuntu Advantage (UA) customer, select "Ubuntu Advantage customer" instead. Finally, click the "Get your Livepatch token" button.

Make sure you already have an Ubuntu One account; if not, create one.

After logging in, you will be shown the secret machine token for your account. Treat it like a password: anyone who has it can enroll machines against your account.

Install the Snap Daemon on Your System

The Livepatch client is delivered as a snap package, so make sure the snap daemon (snapd) is installed on your Ubuntu system.

$ sudo apt update

$ sudo apt install snapd

How to install & configure the Livepatch service on your system?

Install the canonical-livepatch snap by running the command below.

$ sudo snap install canonical-livepatch

canonical-livepatch 9.4.1 from Canonical* installed

Run the following command, with the token obtained in the previous step, to enable live kernel patching on the machine (the token shown here is masked).

$ sudo canonical-livepatch enable xxxxc4xxxx67xxxxbxxxxbxxxxfbxx4e

We successfully enabled device using machine-token: xxxxc4xxxx67xxxxbxxxxbxxxxfbxx4e

Run the command below to check the status of your livepatched machine.

$ sudo canonical-livepatch status

client-version: 9.4.1
architecture: x86_64
cpu-model: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
last-check: 2019-07-24T12:30:04+05:30
boot-time: 2019-07-24T12:11:06+05:30
uptime: 19m11s
status:
- kernel: 4.15.0-55.60-generic
  running: true
  livepatch:
    checkState: checked
    patchState: nothing-to-apply
    version: ""
    fixes: ""

Run the same command with the --verbose switch to get more information about the livepatched machine.

$ sudo canonical-livepatch status --verbose

The client checks for new patches on its own schedule; run the command below if you want to check for and apply patches right away instead of waiting for the next scheduled check.

$ sudo canonical-livepatch refresh

Before refresh:

kernel: 4.15.0-55.60-generic
fully-patched: true
version: ""

After refresh:

kernel: 4.15.0-55.60-generic
fully-patched: true
version: ""

You will see one of the following values in the patchState field of the status output.

  • applied: one or more live patches have been downloaded and applied to the running kernel
  • nothing-to-apply: the running kernel is already fully patched and there is currently no live patch to apply (this is the state shown in the output above)
  • kernel-upgrade-required: the running kernel can no longer be live-patched; install the latest kernel package and reboot
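To act on these states automatically (for example from a monitoring agent or a fleet audit), the patchState has to be pulled out of the status output and mapped to an exit code. The script below is an added example, not code from the article or from Canonical: the function names lp_field and lp_verdict are its own, and the sample status text is constructed to mirror the layout shown above.

```shell
#!/bin/sh
# Added example (not code from the article or from Canonical): turn the
# patchState reported by `canonical-livepatch status` into a monitoring verdict.
# The function names lp_field and lp_verdict are this example's own.

# Constructed sample that mirrors the layout of the status output shown in
# the article (kernel and timestamps taken from there; not a real host).
SAMPLE_STATUS='client-version: 9.4.1
architecture: x86_64
last-check: 2019-07-24T12:30:04+05:30
boot-time: 2019-07-24T12:11:06+05:30
uptime: 19m11s
status:
- kernel: 4.15.0-55.60-generic
  running: true
  livepatch:
    checkState: checked
    patchState: nothing-to-apply
    version: ""
    fixes: ""'

# lp_field KEY: print the value of the first "KEY: value" line read on stdin,
# ignoring indentation and the YAML list dash, and stripping surrounding quotes.
# Prints nothing if the key is absent.
lp_field() {
    awk -v key="$1" '
        {
            line = $0
            sub(/^[ \t-]*/, "", line)
            if (index(line, key ":") == 1) {
                val = substr(line, length(key) + 2)
                sub(/^[ \t]*/, "", val)
                gsub(/^"|"$/, "", val)
                print val
                exit
            }
        }'
}

# lp_verdict: read status text on stdin and map patchState to an exit code a
# monitoring agent can act on: 0 = patched or nothing pending,
# 2 = a kernel upgrade and reboot are required, 1 = missing or unexpected state.
lp_verdict() {
    status_text=$(cat)
    state=$(printf '%s\n' "$status_text" | lp_field patchState)
    kernel=$(printf '%s\n' "$status_text" | lp_field kernel)
    case "$state" in
        applied)
            echo "OK: live patches applied to $kernel"
            return 0 ;;
        nothing-to-apply)
            echo "OK: $kernel is fully patched, nothing pending"
            return 0 ;;
        kernel-upgrade-required)
            echo "ACTION: $kernel cannot be live-patched; install the latest kernel and reboot"
            return 2 ;;
        "")
            echo "UNKNOWN: no patchState in output (is Livepatch enabled on this machine?)"
            return 1 ;;
        *)
            # Any value outside the three documented above is reported, not ignored.
            echo "WARN: unexpected patchState '$state' for $kernel"
            return 1 ;;
    esac
}

# Check the constructed sample. On a real host pipe the live output instead:
#   sudo canonical-livepatch status | lp_verdict
printf '%s\n' "$SAMPLE_STATUS" | lp_verdict
```

The exit code is what makes this useful: kernel-upgrade-required is the one state where Livepatch has stopped protecting the machine, so it is returned as a distinct, non-zero code rather than being lumped in with "unknown", and an empty patchState (the client not enabled at all) is also treated as a failure rather than silently passing.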

Note: applying a live kernel patch is different from upgrading to or installing a new kernel. If you have installed a new kernel package, you still have to reboot the system to activate it.

About Magesh Maruthamuthu

Love to play with all Linux distribution
