Reduce downtime with Canonical Livepatch

With Ubuntu 18.04 LTS, Canonical is making it easy to take advantage of Linux kernel live patching.

Live patching allows your system to install and apply critical security updates to the Linux kernel without requiring you to reboot afterwards.

This means you can keep calm and compute safely, knowing that any issues at a kernel level are plugged – zero impact on your uptime or productivity.

Live patching is fast, too. Most kernel fixes are applied in seconds, and the process doesn’t interfere or ask for any hand-holding from you.

Ubuntu Livepatch isn’t just for servers

You can hold off on rebooting without holding out on the latest kernel security patches.

Livepatching is super useful on Linux servers, where rebooting equals downtime, and downtime equals interruption. Reducing the need for that saves time, money and potentially reputation through service reliability.

But you don’t need to be in charge of a data center or server rack to appreciate the benefits of live patching.

Sure, kernel live patching is more of a convenience on desktop than a critical need, but it allows you to be less mindful of security updates without ending up exposed. And okay sure, it’s a real help if you’re chasing a new all-time uptime goal.

There are some things that live patching can’t do[1], like install and enable new graphics drivers, or update major kernel modules. Nor can it transition you to an all-new Linux kernel branch: patching has to be in-series, i.e., updates to the same kernel version you use.

But it is useful enough to be worth enabling, even if you don’t much care.

How to enable Livepatch on Ubuntu 18.04 LTS

You can enable Canonical Livepatch on Ubuntu 14.04 LTS and 16.04 LTS, both desktop and server versions, using the command line.

But Ubuntu 18.04 LTS lets you do it from the Software & Updates tool:

Livepatch setting in Software & Updates

Yup, you no longer have to use the command line and paste in a token manually. Instead, head to Software & Updates > Updates tab and sign in with your existing Ubuntu One account (or create one if you don’t have one).

Signing in automatically fetches the “token” needed to attach your device to the service, and lets you use the service for free (see caveats below). Once authorised, check the ‘Use Canonical Livepatch to increase security between restarts’ option and you’re done.

Caveats and cool things

The Canonical Livepatch service is free to use for desktop users on a maximum of 3 machines per Ubuntu One account. Edit: now 5 since the rebranding to Ubuntu Pro.

To use it across more than the allowed number, i.e., those enterprise databases, virtual/cloud hosts and infrastructure running Ubuntu, you’ll want to talk to Canonical about becoming an Ubuntu Advantage customer. Edit: now called Ubuntu Pro.

Although live Linux kernel patching isn’t something most desktop users will find essential — reboots on modern systems don’t take long — it’s great to see Canonical making it easier for those who need it to opt-in with less effort.

Improved security for all Ubuntu users is always a good thing.

Big thanks Maximilian L.

  1. I may be wrong about this.