One of the greatest achievements in Linux over the last few years has been live kernel patching. Nearly every distribution offers its own take on this, and now, with the help of Snap, Canonical has made it incredibly easy to enable live kernel patching on Ubuntu.
If you've not heard of live kernel patching, the explanation is simple: it is the ability to modify the running kernel code without having to reboot the system. That's right. Thanks to kernel livepatch, fixes for selected kernel vulnerabilities can be applied to the kernel you are already running, with no reboot. (You will still reboot when you upgrade to a new kernel version; livepatch covers the security fixes in between.) The main benefit of this system? In a word: security.
This livepatching system is intended to address high and critical severity Linux kernel security vulnerabilities (as identified by Ubuntu Security Notices and the CVE database). Thanks to an easy-to-install snap package, you can add live kernel patching to your Ubuntu systems. Let me show you how.
Canonical Livepatch Service is available for both the generic and low-latency flavors of the 64-bit Intel/AMD kernel on Ubuntu 16.04 LTS (Xenial) servers and desktops. You will also need a current version of snapd (at least version 2.15).
First things first
Before you do anything with Snap, you must first update your system. If you attempt to enable livepatch before updating, it will fail. To take care of this, open up a terminal window and refresh the package lists and then upgrade (apt-get upgrade on its own only installs what the last update already fetched):
sudo apt-get update && sudo apt-get upgrade
Next, make sure snapd is installed and up to date with the command:
sudo apt-get install snapd
Once your system is fully updated, you’re ready to begin.
Installing the snap package
The livepatching system is handled through a snap package. You can install this snap package with a single command:
sudo snap install canonical-livepatch
Once the snap is installed, your next step is to retrieve your livepatch token from the Canonical livepatch site. You'll have to log into your Ubuntu One account in order to retrieve this token. The token will be in the form of a 32-character string. You will paste that token into the next command. Treat the token as a secret: it associates machines with your account, so keep it out of shared shell history and public configuration files.
Enabling the service
You are ready to enable livepatching on your system. To do this, issue the command below:
sudo canonical-livepatch enable TOKEN
Where TOKEN is your 32-character livepatch token. Once the command completes, you should see that the device has been successfully enabled (Figure A).
To find the status of your livepatched machine, issue the command sudo canonical-livepatch status. The command will report the status of your system's kernel (Figure B).
You can issue that same command with the --verbose flag to get more information (Figure C).
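The whole procedure above, from updating the system to checking the result, can be wrapped in one script so that it can be run from configuration management or a cron job. The script below is an added example, not code from the original article or from Canonical. It assumes the token is a 32-character alphanumeric string (the article only says 32 characters), that canonical-livepatch status --verbose prints a YAML document containing a patchState field, that "applied" and "nothing-to-apply" are the healthy values of that field, and that status exits non-zero on a machine that has not been enabled yet; all of these are assumptions noted in the comments. The real apt/snap/livepatch commands only run when the script is invoked with the word setup and a token, so the helper functions can be exercised without touching the system.

```sh
#!/bin/sh
# Added example (not from the original article): enable Canonical Livepatch
# and verify the outcome. Run as:  sh livepatch-setup.sh setup TOKEN
set -eu

# Returns 0 if TOKEN looks like a livepatch token.
# Assumption: tokens are 32 alphanumeric characters (article: "32-character string").
livepatch_token_ok() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{32}$'
}

# Reads `canonical-livepatch status --verbose` output on stdin and prints the
# first patchState value. Assumption: the output is YAML with a line such as
# "    patchState: applied" (quotes, if any, are stripped).
livepatch_patch_state() {
  sed -n 's/^[[:space:]]*patchState:[[:space:]]*//p' | head -n 1 | tr -d '"'
}

# Returns 0 for the states that mean "nothing is wrong".
# Assumption: "applied" and "nothing-to-apply" are the healthy values.
livepatch_state_ok() {
  case "$1" in
    applied|nothing-to-apply) return 0 ;;
    *) return 1 ;;
  esac
}

# The procedure from the article, in order, with idempotency guards so the
# script can be re-run: update/upgrade, install snapd, install the snap,
# enable with the token, then check the reported patch state.
livepatch_setup() {
  token="$1"
  if ! livepatch_token_ok "$token"; then
    echo "refusing to continue: token is not a 32-character string" >&2
    return 2
  fi
  sudo apt-get update
  sudo apt-get -y upgrade
  sudo apt-get -y install snapd
  # `snap install` fails if the snap is already present, so check first.
  snap list canonical-livepatch >/dev/null 2>&1 || sudo snap install canonical-livepatch
  # Assumption: `status` exits non-zero until the machine has been enabled.
  sudo canonical-livepatch status >/dev/null 2>&1 || sudo canonical-livepatch enable "$token"
  state=$(sudo canonical-livepatch status --verbose | livepatch_patch_state)
  if ! livepatch_state_ok "$state"; then
    echo "livepatch is enabled but patchState is '$state'; investigate before trusting it" >&2
    return 1
  fi
  echo "livepatch OK: patchState=$state"
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "setup" ]; then
  livepatch_setup "${2:?usage: $0 setup TOKEN}"
fi
```

The token check deliberately runs before apt-get, so a mistyped or truncated token fails fast instead of after a full system upgrade. The final state check is the part most people skip: enable succeeding only means the machine registered with the service; whether a patch was actually applied is only visible in the status output.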
Besides keeping your servers up and getting critical kernel fixes applied without waiting for a maintenance window, livepatching pays off on container hosts: every container on a host shares that host's kernel, so patching the host kernel once protects all of them. Thanks to Canonical and snap, enjoying the benefits of live kernel patching is now incredibly simple.