How to use Canonical’s Livepatch service on Ubuntu

Would you like critical Linux kernel patches to be automatically applied to your Ubuntu system – without having to restart your computer? We describe how to use Canonical’s Livepatch service to do just that.

What is Livepatch and how does it work?

As Dustin Kirkland from Canonical explained, Canonical Livepatch uses the kernel live patching technology built into the standard Linux kernel. Canonical’s Livepatch website notes that large companies like AT&T, Cisco, and Walmart are using it.

It’s free for personal use on up to three computers – according to Kirkland, these can be “desktops, servers, virtual machines, or cloud instances”. Businesses can use it on more systems with a paid Ubuntu Advantage subscription.

Kernel patches are necessary but inconvenient

Linux kernel patches are a fact of life. In the connected world we live in, keeping your system secure and up to date is vital. But restarting your computer to apply kernel patches can be a hassle. This is especially true if the computer is providing a service to users and you need to coordinate or negotiate with them to take the service offline. And there is a multiplier. If you maintain multiple Ubuntu machines, at some point you’ll have to bite the bullet and work through each of them, one at a time.

The Canonical Livepatch Service removes the whole hassle of keeping your Ubuntu systems up to date with critical kernel patches. It’s easy to set up – either graphically or from the command line – and it takes one more task off your hands.

Anything that reduces maintenance, increases security, and reduces downtime has to be an attractive offer, right? Yes, but there are some caveats.

  • You must be using a long-term support (LTS) release of Ubuntu, such as 16.04 or 18.04. The latest LTS version is 18.04, so that’s the version we’re going to be using here.
  • It must be a 64-bit version.
  • You must be running Linux kernel 4.4 or higher.
  • You need an Ubuntu One account. Remember them? If you don’t have an Ubuntu One account, you can sign up for a free account.
  • You can use the Canonical Livepatch service for free, but are limited to three computers per Ubuntu One account. If you need to manage more than three computers, you’ll need additional Ubuntu One accounts.
  • If you need to look after physical, virtual, or cloud-hosted servers, you need to be an Ubuntu Advantage customer.
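
The technical prerequisites in this list (LTS release, 64-bit, kernel 4.4 or higher) can be checked before you request a token. The script below is an added example, not part of the original article or of any Canonical tool; the function names are illustrative, and it assumes the release string comes from the VERSION field of /etc/os-release.

```shell
#!/bin/sh
# Added example: pre-flight check for the prerequisites listed above.
# Function names are illustrative, not part of any Canonical tool.

# kernel_at_least KERNEL MAJOR MINOR: succeed if KERNEL >= MAJOR.MINOR.
kernel_at_least() {
    ver=${1%%-*}                      # "4.15.0-29-generic" -> "4.15.0"
    major=${ver%%.*}
    case "$ver" in *.*) rest=${ver#*.} ;; *) rest=0 ;; esac
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac   # unparsable
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# livepatch_prereqs OS_VERSION WORD_BITS KERNEL
# Prints one line per unmet requirement; returns 0 only if all are met.
livepatch_prereqs() {
    rc=0
    case "$1" in *LTS*) ;; *) echo "not an LTS release: $1"; rc=1 ;; esac
    [ "$2" = 64 ] || { echo "not a 64-bit system: $2"; rc=1; }
    kernel_at_least "$3" 4 4 || { echo "kernel older than 4.4 or unparsable: $3"; rc=1; }
    return $rc
}

# Live check of this machine. On Ubuntu, VERSION in /etc/os-release reads
# like "18.04.6 LTS (Bionic Beaver)".
os_version=unknown
if [ -r /etc/os-release ]; then
    os_version=$( . /etc/os-release; printf '%s' "${VERSION:-unknown}" )
fi
if livepatch_prereqs "$os_version" "$(getconf LONG_BIT 2>/dev/null || echo unknown)" "$(uname -r)"; then
    echo "prerequisites met: LTS release, 64-bit, kernel 4.4 or newer"
fi
```

The account-related items in the list (Ubuntu One account, three-machine limit) cannot be checked locally and are not covered by this script.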

Create an Ubuntu One account

Whether you use the Livepatch service via the graphical user interface (GUI) or through the command line interface (CLI), you will need an Ubuntu One account. This is necessary because the operation of the Livepatch service depends on a private key that is issued to you and tied to your Ubuntu One account.

  • If you set up the Livepatch service using the GUI, your key will not be displayed. It’s still needed and used, but it’s all handled in the background for you.
  • If you set up your Livepatch service through the terminal, you will need to copy your key from your browser and paste it into the command line.

If you don’t have an Ubuntu One account, you can create one at no cost.

Graphical activation of the Canonical Livepatch service

To start the graphical setup interface, press the “Super” key. This is located between the “Ctrl” and “Alt” keys at the bottom left of most keyboards. Search for “Livepatch”.

When you see the Livepatch icon, click the icon or press “Enter”.

The “Software and Updates” dialog box is displayed with the “Livepatch” tab selected. Click the “Login” button. You will be reminded that you need an Ubuntu One account.

Click the “Login / Register” button.

The Ubuntu Single Sign-On Account dialog box appears. Canonical uses the terms “Ubuntu One” and “Single Sign-On” synonymously. They mean the same thing. “Single Sign-On” has officially been replaced by “Ubuntu One”, but the old name remains.

Enter your account details and click the “Connect” button. You can also use this dialog box to register for an account if you have not yet created one.

You will be asked for your password.

Enter your password and click the “Authentication” button. A dialog box will show you the email address associated with the Ubuntu One account you will be using.

Make sure it is correct and click the “Next” button.

You will be asked again for your password. After a few seconds, the Livepatch tab in the Software and Updates dialog box updates to indicate that Livepatch is live and active.

A new shield icon will appear in the toolbar’s notification area, close to the network, sound, and power icons. The green circle with the check mark tells you everything is fine. Click the icon to access the menu.

We are informed that Livepatch is activated and there are no current updates.

The “Livepatch Settings” option opens the “Software and Updates” dialog box on the Livepatch tab.

That’s it; you’re done.

Activate the Canonical Livepatch Service via the CLI

You will need an Ubuntu One account. If you don’t already have one, there is an option to create one. They’re free and it only takes a moment.

Some of the steps we need to take are web based so this is not really a pure CLI method. We start by visiting the Canonical Livepatch Service website to get our secret key or “token”.

Select the “Ubuntu User” radio button and click the “Get Your Livepatch Token” button.

You will be asked to sign in to your Ubuntu One account.

  • If you have an account, enter the email address you used to set up the account and select the “I have an Ubuntu One account and my password is:” radio button.
  • If you don’t have an account, enter your email address and select the “I don’t have an Ubuntu One account” radio button. You will be guided through the account creation process.

Once your Ubuntu One account has been verified, you will see the Managed Live Kernel Patching webpage. Your key will be displayed.

Keep the webpage open with your key and open a terminal window. Use this command in the terminal window to install the Livepatch service daemon:

sudo snap install canonical-livepatch

When the installation is complete, you need to activate the service. You need the key from the “Managed Live Kernel Patching” website.

You need to copy and paste the key on the command line. Highlight the key on the website, right click on it and select “Copy” from the context menu. Or you can highlight the key and press “Ctrl + C”.

Enter the following command in the terminal window, but don’t press “Enter.”

sudo canonical-livepatch enable

Then enter a space, right-click and select “Paste” from the context menu. Or you can press “Ctrl + Shift + V”. You should see the command you just entered, a space, and the key from the webpage.

On the test machine used to research this article, it looked like this:

Press “Enter.”

If all goes well, you will see a confirmation message from Livepatch letting you know that the computer has been enabled for kernel patching. Another long key is also displayed; this is the “machine token”.

What just happened:

  • You have received your Livepatch key from Canonical.
  • You can use it on three computers. You have used it on one computer so far.
  • The token generated for this computer using your key is the machine token shown in this message.

If you check the Livepatch tab in the Software and Updates dialog box, you can see that Livepatch is enabled and active.

Check the Livepatch status

You can have Livepatch give you a status report with the following command:

sudo canonical-livepatch status

The status report contains:

  • Client version: The software version of Livepatch.
  • Architecture: The computer’s CPU architecture.
  • CPU model: The type and model of the central processing unit (CPU) in the computer.
  • Last check: The time and date that Livepatch last checked whether critical kernel updates were available for download.
  • Boot time: The time this computer was last turned on.
  • Uptime: The length of time this computer has been turned on.

The status block tells us:

  • Kernel: The version of the current kernel.
  • Running: Whether Livepatch is running or not.
  • CheckState: Whether Livepatch has checked for kernel patches.
  • PatchState: Whether critical kernel patches need to be installed.
  • Version: The version of the kernel patches, if any, that need to be applied.
  • Fixes: The fixes included in the kernel patches.
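
If you look after several machines, the status block described above can be reduced to a pass/fail health check. The script below is an added example, not part of the original article; it assumes the report is printed as “key: value” lines with the keys spelled running, checkState and patchState, and that “applied” and “nothing-to-apply” are the healthy patch states, so compare it with your client’s actual output. The sample report is constructed.

```shell
#!/bin/sh
# Added example: turn a Livepatch status report into a pass/fail health check.
# ASSUMPTION: the report is "key: value" lines using the keys running,
# checkState and patchState; healthy patchState is applied or nothing-to-apply.

# Constructed sample report (not captured from a real machine).
sample_status() {
cat <<'EOF'
last-check: 2018-11-20T10:15:02Z
status:
- kernel: 4.15.0-39.42-generic
  running: true
  livepatch:
    checkState: checked
    patchState: nothing-to-apply
EOF
}

# status_field KEY: print the value of the first "KEY: value" line on stdin.
status_field() {
    awk -v k="$1" '{
        line = $0
        sub(/^[ \t-]*/, "", line)          # strip indentation and list dash
        if (index(line, k ":") == 1) {
            sub(/^[^:]*:[ \t]*/, "", line); print line; exit
        }
    }'
}

# livepatch_health: read a report on stdin, print findings, return 0 if healthy.
livepatch_health() {
    report=$(cat)
    running=$(printf '%s\n' "$report" | status_field running)
    check=$(printf '%s\n' "$report" | status_field checkState)
    patch=$(printf '%s\n' "$report" | status_field patchState)
    rc=0
    [ "$running" = true ] || { echo "livepatch not running (running=$running)"; rc=1; }
    [ "$check" = checked ] || { echo "no successful check (checkState=$check)"; rc=1; }
    case "$patch" in
        applied|nothing-to-apply) ;;
        *) echo "kernel patches not applied (patchState=$patch)"; rc=1 ;;
    esac
    return $rc
}

# On a real machine: sudo canonical-livepatch status | livepatch_health
sample_status | livepatch_health && echo "healthy"
```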

Force Livepatch to be updated now

The whole point of Livepatch is to provide a managed update service so that you don’t have to worry about it. It’s all taken care of for you. But if you want, you can force Livepatch to scan for kernel patches (and apply any it finds) with the following command:

sudo canonical-livepatch refresh

Livepatch will tell you the version of the kernel before and after the update. In this example, there was nothing to apply.

Less friction, more security

Security friction is the pain or inconvenience associated with implementing, using, or maintaining a security feature. If the friction is too high, security suffers because the feature is not used or maintained. Livepatch removes the friction from applying critical kernel updates and keeps your kernel as secure as possible.

That’s the long way of saying “win-win.”
