Do you want to automatically apply critical Linux kernel patches to your Ubuntu system without restarting your computer? We describe how to use the Canonical Livepatch service for this purpose.
What is Livepatch and how does it work?
As Dustin Kirkland of Canonical explained several years ago, Canonical Livepatch uses the kernel live patching technology integrated into the standard Linux kernel. The Canonical Livepatch website notes that large companies such as AT&T, Cisco and Walmart use it.
It is free for personal use on up to three computers. According to Kirkland, these can be "desktops, servers, virtual machines or cloud instances." Companies can use it on multiple systems with a paid Ubuntu Advantage subscription.
Kernel patches are necessary but inconvenient
Linux kernel patches are a fact of life. Keeping your system secure and up to date is essential in the interconnected world in which we live. However, restarting your computer to apply kernel patches can be a painful task, especially if the computer provides some kind of service to users and you need to coordinate or negotiate with them for the service to be taken offline. And there is a multiplier. If you maintain several Ubuntu machines, you sometimes have to bite the bullet and work through them one after the other.
The Canonical Livepatch service eliminates the hassle of constantly updating your Ubuntu systems with critical kernel patches. It's easy to configure, graphically or from the command line, and it takes away one more chore.
Anything that reduces maintenance effort, enhances security and reduces downtime must be an attractive proposition, right? Yes, but there are caveats.
You must use a long-term support (LTS) release of Ubuntu, such as 16.04 or 18.04. The most recent LTS release is 18.04, and that is the version we use here.
It must be a 64-bit version.
You must be running Linux kernel 4.4 or higher.
You must have an Ubuntu One account. Remember those? If you do not have an Ubuntu One account, you can sign up for a free account.
You can use the Canonical Livepatch service for free, but you are limited to three computers per Ubuntu One account. If you need to keep more than three computers, you will need additional Ubuntu One accounts.
If you have to deal with physical, virtual, or cloud-based servers, you have to become an Ubuntu Advantage customer.
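A preflight check for the release, word-size and kernel requirements in this list, useful before rolling Livepatch out to several machines. This is an added example, not code from Canonical or the original article; the function name `livepatch_preflight` and its three arguments are assumptions made here.

```shell
#!/bin/sh
# Added example: preflight check for the Livepatch requirements listed above.
# The function name and arguments are assumptions, not part of any Canonical tool.
#   $1 release description, as printed by `lsb_release -ds`
#   $2 word size in bits, as printed by `getconf LONG_BIT`
#   $3 kernel release, as printed by `uname -r`
# Prints one line per unmet requirement and returns 0 only if all are met.
livepatch_preflight() {
    desc=$1 bits=$2 krel=$3 rc=0

    # Requirement: an Ubuntu LTS release, e.g. "Ubuntu 18.04.2 LTS".
    case $desc in
        Ubuntu\ *\ LTS*) ;;
        *) echo "not an Ubuntu LTS release: ${desc:-unknown}"; rc=1 ;;
    esac

    # Requirement: a 64-bit installation.
    [ "$bits" = 64 ] || { echo "not a 64-bit system: ${bits:-unknown}"; rc=1; }

    # Requirement: kernel 4.4 or higher. Split out major and minor so they are
    # compared as numbers; a string comparison would rank 4.15 below 4.4.
    major= minor=
    case $krel in
        [0-9]*.[0-9]*)
            major=${krel%%.*}
            rest=${krel#*.}
            minor=${rest%%[!0-9]*} ;;
    esac
    case "$major.$minor" in
        *[!0-9.]*|.*|*.)
            echo "cannot parse kernel release: ${krel:-unknown}"; rc=1 ;;
        *)
            if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 4 ]; }; then
                echo "kernel older than 4.4: $krel"; rc=1
            fi ;;
    esac
    return $rc
}

# On a real machine:
#   livepatch_preflight "$(lsb_release -ds)" "$(getconf LONG_BIT)" "$(uname -r)"
```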
Get an Ubuntu One account
Whether you configure the Livepatch service through the graphical user interface (GUI) or the command line interface (CLI), you need an Ubuntu One account. This is necessary because the operation of the Livepatch service depends on a secret key assigned to you that is linked to your Ubuntu One account.
If you configure the Livepatch service with the GUI, you will not see your key. It is still required and used, but everything is handled in the background for you.
If you configure the Livepatch service through the terminal, you will need to copy your key from the browser and paste it into the command line.
If you do not have an Ubuntu One account, you can create one free of charge.
Enabling the Canonical Livepatch service graphically
To launch the graphical configuration interface, press the "Super" key. This is located between the "Control" and "Alt" keys at the bottom left of most keyboards. Search for "livepatch".
When you see the Livepatch icon, click on it or press "Enter."
The "Software and Updates" dialog box appears with the Livepatch tab selected. Click on the "Login" button. You are reminded that you need an Ubuntu One account.
Click on the "Sign in / Register" button.
The Ubuntu Single Sign-On Account dialog box appears. Canonical uses the terms "Ubuntu One" and "Single Sign-On" interchangeably. They mean the same thing. Officially, "Single Sign-On" has been replaced by "Ubuntu One", but the old name persists.
Enter the details of your account and click on the "Connect" button. You can also use this dialog box to sign up for an account if you have not already created one.
You will be prompted to enter your password.
Enter your password and click on the "Authenticate" button. A dialog box shows you the email address associated with the Ubuntu One account you will use.
Make sure it is correct and click the "Continue" button.
You will be asked for your password once again. After a few seconds, the Livepatch tab of the "Software and Updates" dialog will be updated to indicate that Livepatch is live and active.
A new shield icon will appear in the notification area, close to the network, sound and power icons. The green circle with the check mark tells you that everything is fine. Click on the icon to access the menu.
We are told that Livepatch is enabled and that there are no current updates.
The "Livepatch Settings" option opens the "Software and Updates" dialog in the Livepatch tab.
That's it; you are all done.
Enabling the Canonical Livepatch service with the CLI
You are going to need an Ubuntu One account. If you do not have one, you can create one. They are free and it only takes a moment.
Some of the steps we need to perform are web-based. It is not really a CLI-only method. We start by visiting the Canonical Livepatch Service Web Page in order to obtain our secret key or "token".
Select the "Ubuntu User" radio button and click on the "Get Your Livepatch Token" button.
You are invited to sign in to your Ubuntu One account.
If you have an account, enter the email address you used to set up the account and select the radio button "I have an Ubuntu One account and my password is:".
If you do not have an account, enter your e-mail address and select the "I do not have an Ubuntu One account" radio button. You will be guided through the account creation process.
Once your Ubuntu One account is verified, you will see the Live Kernel Patch Management webpage. Your key will be displayed.
Leave the webpage with your key open and open a terminal window. Use this command in the terminal window to install the Livepatch service daemon:
sudo snap install canonical-livepatch
Once the installation is complete, you will need to enable the service. You will need the key from the Live Kernel Patch Management webpage.
You must copy and paste the key on the command line. Highlight the key on the webpage, right-click on it, and select "Copy" from the pop-up menu. Or you can highlight the key and press "Ctrl + C".
Type the following command in the terminal window, but do not press "Enter."
sudo canonical-livepatch enable
Then type a space, right-click and select "Paste" from the context menu. Or you can press "Ctrl + Shift + V". You should see the command you just typed, a space, and the key from the web page.
On the test machine used to research this article, it looked like this:
Press "Enter."
If all goes well, a Livepatch verification message tells you that kernel patching is enabled on the computer. It also shows another long key; this is the "machine token".
What just happened is this:
You got your Canonical Livepatch key.
You can use it on three computers. You have now used it on one computer.
The machine token generated for this computer (with the help of your key) is the machine token displayed in this message.
If you check the Livepatch tab in the "Software and Updates" dialog box, you will see that Livepatch is enabled and active.
Check the status of Livepatch
You can have Livepatch provide you with a status report by using the following command:
sudo canonical-livepatch status
The status report contains:
client-version: The version of the Livepatch software.
architecture: The processor architecture of the computer.
cpu-model: The type and model of the central processing unit (CPU) in the computer.
last-check: The time and date at which Livepatch last checked for critical kernel updates to download.
boot-time: The last time this computer was turned on.
uptime: The length of time this computer has been turned on.
The status block tells us:
kernel: The current kernel version.
running: Whether Livepatch is running or not.
checkState: Whether Livepatch has checked for kernel patches.
patchState: Indicates whether critical kernel patches need to be installed.
version: The kernel patch version, if any, that must be applied.
fixes: The fixes contained in the kernel patches.
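A status report is most useful when something reads it for you. The following is an added example, not part of the original article or of the Livepatch client: it parses a report and flags machines that need attention. It assumes the report uses "key: value" lines with the keys `running`, `checkState` and `patchState`, and that `true`, `checked`, `applied` and `nothing-to-apply` are the healthy values; the sample report is constructed.

```shell
#!/bin/sh
# Added example: health check over `canonical-livepatch status` text.
# Assumed report layout: "key: value" lines with the keys running, checkState
# and patchState. The sample below is constructed, not captured output.
SAMPLE_STATUS='client-version: 0.0.0
architecture: x86_64
cpu-model: Example CPU
last-check: 2019-01-01T00:00:00Z
boot-time: 2019-01-01T00:00:00Z
uptime: 1h0m0s
status:
- kernel: 4.15.0-00.00-generic
  running: true
  livepatch:
    checkState: checked
    patchState: nothing-to-apply
    version: ""
    fixes: ""'

# Print the value of the first "key: value" line whose key is $1 (stdin).
status_field() {
    sed -n "s/^[ -]*$1:[[:space:]]*//p" | head -n 1
}

# Read a status report on stdin. Returns 0 and prints OK when Livepatch is
# running, has checked for patches and has nothing outstanding; otherwise
# prints one ALERT line per problem and returns 1.
livepatch_health() {
    report=$(cat)
    running=$(printf '%s\n' "$report" | status_field running)
    check=$(printf '%s\n' "$report" | status_field checkState)
    patch=$(printf '%s\n' "$report" | status_field patchState)
    rc=0
    [ "$running" = true ] || { echo "ALERT running=${running:-missing}"; rc=1; }
    [ "$check" = checked ] || { echo "ALERT checkState=${check:-missing}"; rc=1; }
    case $patch in
        applied|nothing-to-apply) ;;   # assumed healthy values
        *) echo "ALERT patchState=${patch:-missing}"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK patchState=$patch"; fi
    return $rc
}

# Demo on the constructed sample; on a real machine pipe in
# `sudo canonical-livepatch status` instead.
printf '%s\n' "$SAMPLE_STATUS" | livepatch_health
```

Treating any unrecognised `patchState` as an alert means a changed or missing field is reported rather than silently passed.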
Force Livepatch to update now
The main goal of Livepatch is to provide a managed update service, which means that you do not need to think about it. Everything is done for you. But if you want, you can force Livepatch to look for kernel patches (and apply those that it finds) by using the following command:
sudo canonical-livepatch refresh
Livepatch tells you the kernel version before and after the refresh. There was nothing to apply in this example.
Less friction, more security
Security friction is the pain or inconvenience associated with the implementation, use or maintenance of a security feature. If the friction is too high, security suffers because the feature is not used or maintained. Livepatch simplifies the application of critical kernel updates to keep your system as secure as possible.
That's the long way of saying "win, win".