Charly's Column – Livepatch

Vulnerabilities in the kernel are always ugly, but since the Linux kernel is a very complex piece of software, admins have to come up with a strategy to deal with them. Fortunately, patches are often available shortly after the discovery of a vulnerability, but the application and the subsequent reboot will lead to an – admittedly usually short – period of unavailability of the system.

For Ubuntu systems, distributor Canonical has developed a very easy-to-use live patching system, Livepatch. It patches the kernel without requiring a reboot. This helps the admin sleep more soundly, and the system reboot can be skipped or postponed to a more convenient time, such as a scheduled maintenance window. To use Livepatch, you need an Ubuntu One account, which you create on https://auth.livepatch.canonical.com (Figure 1).

Figure 1: Canonical's Livepatch Service requires you to log in.

Choose Ubuntu user for free access. You can now set up a maximum of three Ubuntu systems with live patching. It does not matter at all whether they are laptops or servers. If you need the option to add more machines, choose the commercial option Canonical customer. After you create your account, the website presents you with a long string of hexadecimal characters, such as 7b1fb58c00a64e1c9f9679304f066ef5.

The system you want to live patch must be a 64-bit Ubuntu with kernel version 4.4 or later. First, make sure that snapd is installed (Listing 1, line 1). If the daemon is missing, install it retroactively (line 2). After that, use snap to install the Livepatch system (line 3). Now you can enable live patching with the key you got from the Canonical website (line 4).

If successful, the system reports Successfully enabled device. If you are unsure whether live patching is active or not on a particular system, you can always find out with

sudo canonical-livepatch status

(shown in Figure 2). Note that live patching does not give you a new kernel version. It is only used to patch vulnerabilities in the currently running operating system kernel without rebooting. Updating the kernel still requires the usual installation process including a reboot.

Figure 2: The Livepatch status of a system can be checked at any time.