How to enable Canonical Kernel Livepatch service on Ubuntu LTS system
Canonical's Livepatch Service lets you install and apply critical Linux kernel security updates on Ubuntu LTS systems without rebooting.
Normally a new kernel package only takes effect after the server is rebooted into it; with live patching the fix is applied to the running kernel instead, so no reboot is needed for the patched vulnerabilities.
Live patching is fast: most kernel fixes apply in seconds without any issues.
The Canonical Livepatch Service is free of charge for up to 3 systems per user.
You can enable Canonical Livepatch on both the desktop and server variants of Ubuntu from the command line.
This live patching system is intended to address high and critical Linux kernel security vulnerabilities.
Refer to the following table for the supported Ubuntu releases, architectures and kernel variants.

| Ubuntu Release | Arch | Kernel Version | Kernel Variants |
|---|---|---|---|
| Ubuntu 18.04 LTS | 64-bit x86 | 4.15 | GA generic and lowlatency kernel variants only |
| Ubuntu 16.04 LTS | 64-bit x86 | 4.4 | GA generic and lowlatency kernel variants only |
| Ubuntu 14.04 LTS | 64-bit x86 | 4.4 | Hardware Enablement (HWE) kernel only |
Note: On Ubuntu 14.04 LTS the Canonical Livepatch Service requires the Ubuntu 4.4 (HWE) kernel in Trusty. If you are not currently running that kernel, reboot into it before enabling the service. You can confirm the running kernel with `uname -r`.
To enable the service, follow the procedure below.
How to get a Livepatch token?
Navigate to the Canonical Livepatch Service page and choose "Ubuntu user" if you want to use the free service.
Make sure you already have an Ubuntu One account; if not, create one. The page will show you a machine token, which you will pass to the `canonical-livepatch enable` command below. Treat the token like a credential: it ties machines to your account, so do not commit it to version control or paste it into shared logs.
Install the Snap Daemon on Your System
The live patching client is shipped as a snap package, so make sure the snap daemon (snapd) is installed on your Ubuntu system.
$ sudo apt update
$ sudo apt install snapd
How to install & configure the Livepatch Service on your system?
Install the canonical-livepatch daemon by running the command below.
$ sudo snap install canonical-livepatch
canonical-livepatch 9.4.1 from Canonical* installed
Run the following command, with the token from your Livepatch page, to enable live kernel patches on the machine.
$ sudo canonical-livepatch enable xxxxc4xxxx67xxxxbxxxxbxxxxfbxx4e
We successfully enabled device using machine-token: xxxxc4xxxx67xxxxbxxxxbxxxxfbxx4e
Run the command below to check the status of your livepatched machine.
$ sudo canonical-livepatch status
client-version: 9.4.1
architecture: x86_64
cpu-model: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
last-check: 2019-07-24T12:30:04+05:30
boot-time: 2019-07-24T12:11:06+05:30
uptime: 19m11s
status:
- kernel: 4.15.0-55.60-generic
  running: true
  livepatch:
    checkState: checked
    patchState: nothing-to-apply
    version: ""
    fixes: ""
Run the same command with the --verbose switch to get more information about the livepatched machine.
$ sudo canonical-livepatch status --verbose
Run the command below if you would like to trigger a patch check manually instead of waiting for the client's periodic check.
$ sudo canonical-livepatch refresh
Before refresh:

kernel: 4.15.0-55.60-generic
fully-patched: true
version: ""

After refresh:

kernel: 4.15.0-55.60-generic
fully-patched: true
version: ""
You will see one of the following values in the patchState field of the status output:
- nothing-to-apply: no outstanding live patches for the running kernel; it is already fully patched (this is the state shown in the output above, where fully-patched is true)
- applied: live patches were available for the running kernel and were applied successfully, without a reboot
- kernel-upgrade-required: Livepatch cannot fix the vulnerability on the running kernel; install the updated kernel package and reboot into it
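When fleets are monitored, the patchState value above is the field worth alerting on. The following POSIX shell script is an added example, not part of Canonical's tooling or this article: it parses the `canonical-livepatch status` output, maps patchState to an operator action, and checks that the running kernel is a 64-bit generic or lowlatency variant as listed in the support table. The sample status text is constructed to mirror the fields shown above (with patchState set to kernel-upgrade-required to exercise the failure path), and the LIVEPATCH_CHECK_LIVE variable is an assumed switch so the script can be sourced without calling sudo.

```shell
#!/bin/sh
# Added example: classify `canonical-livepatch status` output.
# Constructed sample, shaped like the status output shown in the article;
# patchState deliberately set to the state that requires a reboot.
SAMPLE_STATUS='client-version: 9.4.1
architecture: x86_64
cpu-model: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
last-check: 2019-07-24T12:30:04+05:30
boot-time: 2019-07-24T12:11:06+05:30
uptime: 19m11s
status:
- kernel: 4.15.0-55.60-generic
  running: true
  livepatch:
    checkState: checked
    patchState: kernel-upgrade-required
    version: ""
    fixes: ""'

# Print the value of a "key: value" field read from stdin (first match only).
# The leading "- " on the kernel line is tolerated.
# Usage: printf '%s\n' "$status" | status_field patchState
status_field() {
    sed -n "s/^[[:space:]-]*$1:[[:space:]]*//p" | head -n 1
}

# Return 0 if arch and kernel release match what the support table lists:
# 64-bit x86 with a generic or lowlatency kernel variant; 1 otherwise.
# Usage: kernel_supported "$(uname -m)" "$(uname -r)"
kernel_supported() {
    arch=$1
    release=$2
    [ "$arch" = "x86_64" ] || return 1
    case "$release" in
        *-generic|*-lowlatency) return 0 ;;
        *) return 1 ;;
    esac
}

# Map a patchState value to the action it calls for.
# Exit status: 0 = covered, 1 = reboot into a newer kernel, 2 = investigate.
livepatch_action() {
    case "$1" in
        applied|nothing-to-apply)
            echo "kernel is covered by livepatch; no reboot needed"
            return 0 ;;
        kernel-upgrade-required)
            echo "livepatch cannot fix this kernel; install the new kernel and reboot"
            return 1 ;;
        *)
            echo "unexpected patchState '$1'; run 'canonical-livepatch status --verbose'"
            return 2 ;;
    esac
}

# Take full status text and return livepatch_action's exit status.
check_status_text() {
    state=$(printf '%s\n' "$1" | status_field patchState)
    livepatch_action "$state"
}

# Only query the real host when explicitly asked (assumed switch, so the
# functions can be sourced and tested without sudo or a live daemon).
if [ "${LIVEPATCH_CHECK_LIVE:-0}" = "1" ]; then
    kernel_supported "$(uname -m)" "$(uname -r)" ||
        echo "warning: running kernel is not a listed livepatch variant"
    check_status_text "$(sudo canonical-livepatch status)"
fi
```

Run it on a host with `LIVEPATCH_CHECK_LIVE=1 sh livepatch-check.sh`; a non-zero exit status is what a cron job or configuration-management run should turn into a reboot ticket. Note that the check only proves the running kernel is a variant the service lists; it does not prove the machine is entitled, which is what the enable step above establishes.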
Note: Applying a live patch is different from upgrading to or installing a new kernel. Live patches only cover the kernel that is currently running; if you have installed a new kernel package, you still have to reboot the system to activate it, and Livepatch will then cover that new kernel.