Canonical Livepatch Service: Patch Linux Kernel on Ubuntu without Reboot
In this tutorial we’re going to learn how to patch the Linux kernel on Ubuntu without a reboot using the Canonical Livepatch service, which uses the upstream Linux kernel live patching technology to apply critical kernel patches to the running kernel without rebooting.
This helps with your website’s uptime. I use this feature for the server that runs this blog. The Livepatch service lets your server stay up and safe, so you can reboot it at a later time of your choosing. For my other servers, like the mail server, that don’t require high uptime, I simply configure unattended security updates, which can instruct the server to automatically reboot at 4 AM if a new kernel is installed.
The Canonical Livepatch service is free of charge for up to 3 machines (laptop, server or cloud). To use this service, your system must be a 64-bit Ubuntu OS running Linux kernel 4.4 or later.
Hint: Livepatch security updates are not available for Ubuntu 20.10.
Patching Linux Kernel Without Reboot Using Canonical Livepatch Service
First, go to the Canonical Livepatch service page. Select Ubuntu user if you want to use the service free of charge for up to 3 machines. If you are a UA customer, select Ubuntu Advantage customer instead. Then click Get your Livepatch token.
You need to sign in with your Ubuntu One account, which is free of charge. Once you are signed in, you will get a secret key for your account.
Then make sure you have the snap daemon installed on your Ubuntu system.
sudo apt update
sudo apt install snapd
Next, install the canonical-livepatch daemon.
sudo snap install canonical-livepatch
Enable the service with the following command.
sudo canonical-livepatch enable your-secret-key
Sample output:
Successfully enabled device. Using machine-token: 2ca4f0662793daje0393jdaf39332d
You can check live patch status at any time with:
canonical-livepatch status --verbose
Possible patch states are:
- nothing-to-apply: No vulnerability found.
- applied: Vulnerability found and patch is applied.
- kernel-upgrade-required: Livepatch cannot install a patch to fix the vulnerability on the currently running kernel.
You can also run the patcher manually:
sudo canonical-livepatch refresh
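The three patch states above are what a monitoring job cares about: kernel-upgrade-required means the running kernel can no longer be protected in place and the host needs a regular kernel upgrade plus a scheduled reboot. The following script is an added example, not from the original post or the Livepatch client itself. It parses the output of canonical-livepatch status --verbose and turns the state into an exit code; it assumes the verbose output contains a line of the form "patchState: <state>" for the running kernel, and falls back to a constructed sample when the client is not installed.

```shell
#!/bin/sh
# Added example (not from the original post): check the Livepatch patch state
# and exit non-zero when the running kernel can no longer be live-patched, so
# cron or a monitoring agent can flag the host for a kernel upgrade and reboot.
#
# Assumption: "canonical-livepatch status --verbose" prints a line
# "    patchState: <state>" for the running kernel. Only that line is used.
set -eu

# Pull the first patchState value out of status output supplied on stdin.
# Prints an empty string when no such line exists (e.g. service not enabled).
parse_patch_state() {
  sed -n 's/^[[:space:]]*patchState:[[:space:]]*\([A-Za-z-]*\).*/\1/p' | head -n 1
}

# Turn a patch state into a one-word verdict for humans and scripts:
#   ok            nothing-to-apply or applied: the running kernel is covered
#   reboot-needed kernel-upgrade-required: no patch can be applied in place;
#                 install the newer kernel from apt and schedule a reboot
#   unknown       anything else, including empty input
classify_state() {
  case "${1:-}" in
    nothing-to-apply|applied) echo ok ;;
    kernel-upgrade-required)  echo reboot-needed ;;
    *)                        echo unknown ;;
  esac
}

# Constructed sample of the verbose output (not real client output), used when
# the client is not installed so the script can be exercised offline.
SAMPLE_STATUS='client-version: 0.0.0-sample
architecture: x86_64
status:
- kernel: 0.0.0-sample-generic
  running: true
  livepatch:
    checkState: checked
    patchState: kernel-upgrade-required
    version: ""
    fixes: ""'

main() {
  if command -v canonical-livepatch >/dev/null 2>&1; then
    output="$(canonical-livepatch status --verbose)"
  else
    echo "canonical-livepatch not installed; using constructed sample output" >&2
    output="$SAMPLE_STATUS"
  fi
  state="$(printf '%s\n' "$output" | parse_patch_state)"
  verdict="$(classify_state "$state")"
  echo "patchState=${state:-<none>} verdict=$verdict"
  case "$verdict" in
    ok)            return 0 ;;
    reboot-needed) return 1 ;;
    *)             return 2 ;;
  esac
}

# Entry point: "sh livepatch-check.sh check" runs the check; with no argument
# the file only defines functions, so it can be sourced by other scripts.
if [ "${1:-}" = "check" ]; then
  main
fi
```

Run it as sh livepatch-check.sh check from a cron job; exit code 1 is the signal to queue a kernel upgrade and a reboot window, and exit code 2 means the status output could not be interpreted (for example, the service is not enabled yet), which is worth alerting on separately rather than treating as healthy.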
Please note that live kernel patching is different from upgrading the kernel to the latest version.
- Live kernel patch: fixes vulnerabilities in the currently running Linux kernel.
- Kernel upgrade: installs a newer kernel. Requires a reboot in order to use the new features in the new kernel.
The New Method to Patch Linux Kernel on Ubuntu
The above method still works, but Ubuntu is transitioning to a new method, Ubuntu Advantage (UA), which bundles Livepatch with the following services:
SERVICE       ENTITLED  DESCRIPTION
cis           yes       Center for Internet Security Audit Tools
esm-infra     yes       UA Infra: Extended Security Maintenance (ESM)
fips          yes       NIST-certified core packages
fips-updates  yes       NIST-certified core packages with priority security updates
livepatch     yes       Canonical Livepatch service
First, you need to create an Ubuntu Advantage account (it has a free tier: UA Infra Essential). Then attach your Ubuntu server to that account using the token it gives you.
sudo ua attach your-token
Install the canonical-livepatch daemon.
sudo snap install canonical-livepatch
Enable livepatch on your system.
sudo ua enable livepatch
Check your status:
sudo ua status
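When you provision servers from a script, it is worth confirming that the livepatch row in the ua status table actually says ENTITLED yes before you rely on it. The following script is an added example, not from the original post or the UA client. It reads the SERVICE / ENTITLED / DESCRIPTION table shown above and only assumes that SERVICE and ENTITLED are the first two whitespace-separated columns of each row; when the ua client is not installed it runs against a constructed copy of the table.

```shell
#!/bin/sh
# Added example (not from the original post): verify from "ua status" output
# that the livepatch entitlement is attached, e.g. as a post-provisioning check.
#
# Assumption: each service row of the table starts with the SERVICE and
# ENTITLED columns; the DESCRIPTION column (which contains spaces) comes last,
# so the first two fields are all that is needed.
set -eu

# Constructed copy of the table from the tutorial (not live ua output), used
# when the ua client is not present so the script can be exercised offline.
SAMPLE_UA_STATUS='SERVICE       ENTITLED  DESCRIPTION
cis           yes       Center for Internet Security Audit Tools
esm-infra     yes       UA Infra: Extended Security Maintenance (ESM)
fips          yes       NIST-certified core packages
fips-updates  yes       NIST-certified core packages with priority security updates
livepatch     yes       Canonical Livepatch service'

# Print the ENTITLED value ("yes" or "no") for the named service, reading the
# status table on stdin. Prints "missing" when no row for the service exists.
ua_entitled() {
  awk -v svc="$1" '
    $1 == "SERVICE" { next }                 # skip the header row
    $1 == svc { print $2; found = 1; exit }  # first matching service row wins
    END { if (!found) print "missing" }
  '
}

# List every service whose ENTITLED column is "yes", one per line.
ua_entitled_services() {
  awk '$1 != "SERVICE" && $2 == "yes" { print $1 }'
}

main() {
  if command -v ua >/dev/null 2>&1; then
    status="$(sudo ua status)"
  else
    echo "ua client not installed; using constructed sample table" >&2
    status="$SAMPLE_UA_STATUS"
  fi
  echo "entitled services:"
  printf '%s\n' "$status" | ua_entitled_services | sed 's/^/  /'
  case "$(printf '%s\n' "$status" | ua_entitled livepatch)" in
    yes) echo "livepatch entitlement attached"; return 0 ;;
    no)  echo "livepatch is not entitled on this subscription" >&2; return 1 ;;
    *)   echo "no livepatch row found; run 'sudo ua attach <token>' first" >&2; return 1 ;;
  esac
}

# Entry point: "sh ua-check.sh check" runs the check; with no argument the file
# only defines functions, so it can be sourced by other scripts.
if [ "${1:-}" = "check" ]; then
  main
fi
```

Matching on the column value rather than grepping for the word "livepatch" keeps the check honest: a row that is present but reads "no", or a table with no livepatch row at all (the machine was never attached), both fail instead of passing on a substring hit.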
Wrapping Up
I hope this tutorial helped you use the Canonical Livepatch service to patch your Ubuntu LTS systems against the most critical kernel security vulnerabilities without a reboot. Subscribe to our free newsletter to get the latest Linux tutorials. You can also follow us on Twitter or like our Facebook page.