Livepatch

Charly's Column – Livepatch

Article from Issue 244/2021
Author(s):

There is only one thing Charly appreciates even less than security holes in the kernel: downtime of his machines. That's why he patches his Ubuntu systems with Canonical's Livepatch on the fly.

Vulnerabilities in the kernel are always ugly, but since the Linux kernel is a very complex piece of software, admins have to come up with a strategy to deal with them. Fortunately, patches are often available shortly after the discovery of a vulnerability, but the application and the subsequent reboot will lead to an – admittedly usually short – period of unavailability of the system.

For Ubuntu systems, distributor Canonical has developed a very easy-to-use live patching system, Livepatch. It patches the kernel without requiring a reboot. This helps the admin sleep more soundly, and the system reboot can be skipped or postponed to a more convenient time, such as a scheduled maintenance window. To use Livepatch, you need an Ubuntu One account, which you create on https://auth.livepatch.canonical.com (Figure 1).

Figure 1: Canonical's Livepatch Service requires you to log in.

Choose Ubuntu user for free access. You can now set up a maximum of three Ubuntu systems with live patching. It does not matter at all whether they are laptops or servers. If you need the option to add more machines, choose the commercial option Canonical customer. After you create your account, the website presents you with a long string of hexadecimal characters, such as 7b1fb58c00a64e1c9f9679304f066ef5.

The system you want to live patch must be a 64-bit Ubuntu with kernel version 4.4 or later. First, make sure that snapd is installed (Listing 1, line 1). If the daemon is missing, install it retroactively (line 2). After that, use snap to install the Livepatch system (line 3). Now you can enable live patching with the key you got from the Canonical website (line 4).

Listing 1

Installing Livepatch

 

If successful, the system reports Successfully enabled device. If you are unsure whether live patching is active or not on a particular system, you can always find out with

sudo canonical-livepatch status

(shown in Figure 2). Note that live patching does not give you a new kernel version. It is only used to patch vulnerabilities in the currently running operating system kernel without rebooting. Updating the kernel still requires the usual installation process including a reboot.

Figure 2: The Livepatch status of a system can be checked at any time.

The Author

Charly Kühnast manages Unix systems in a data center in the Lower Rhine region of Germany. His responsibilities include ensuring the security and availability of firewalls and the DMZ.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News