Install and enable the Canonical Livepatch Service on Ubuntu Linux systems. With the Canonical Livepatch Service, Ubuntu users can apply critical security patches to the Ubuntu 16.04 LTS Linux kernel without rebooting.
Canonical Livepatch Service
Kernel live patching enables runtime correction of critical security issues in your kernel without rebooting. It’s the best way to ensure that machines are safe at the kernel level, while guaranteeing uptime, especially for container hosts where a single machine may be running thousands of different workloads.
Canonical launched the Canonical Livepatch Service recently, an “authenticated, encrypted, signed stream of livepatch kernel modules for Ubuntu servers, virtual machines and desktops”, applying critical security and vulnerability patches without requiring a reboot.
The Canonical Livepatch Service is intended to address high and critical severity Linux kernel security vulnerabilities, as identified by Ubuntu Security Notices and the CVE database. All other non-security bug fixes, stability, performance, or hardware enablement updates will be released as usual, about every 3 weeks. Rolling back or removing an already inserted livepatch module is disabled in Linux 4.4.
Requirements For Canonical Livepatch Service
Please note that it works on 64-bit Ubuntu 16.04 LTS systems only. Older releases of Ubuntu will not work, because they are missing the Linux kernel support. The Livepatch service will not work on 32-bit Ubuntu systems or on systems using custom kernels. You will also need the latest version of snapd (version 2.15 or newer). To install the latest snapd, refresh the package index first and then install the package:
sudo apt-get update
sudo apt install snapd
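A preflight check for the requirements listed above, as an added example that is not part of the original article or of Canonical's tooling. The function names are hypothetical, and the test for a stock kernel (a release string ending in -generic or -lowlatency) is an assumed heuristic, not something the article specifies.

```shell
#!/bin/sh
# Preflight check for the Livepatch requirements described above (added example).

# version_ge A B: succeed if version A >= version B (uses sort -V from coreutils).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# livepatch_preflight ARCH RELEASE KERNEL SNAPD_VERSION
# Prints one FAIL line per unmet requirement; returns 0 only if all are met.
livepatch_preflight() {
    arch=$1 release=$2 kernel=$3 snapd=$4 rc=0
    if [ "$arch" != "x86_64" ]; then
        echo "FAIL: architecture is $arch, need 64-bit Intel/AMD (x86_64)"; rc=1
    fi
    if [ "$release" != "16.04" ]; then
        echo "FAIL: release is $release, need Ubuntu 16.04 LTS"; rc=1
    fi
    # Assumption: stock Ubuntu kernels end in -generic or -lowlatency.
    case $kernel in
        *-generic|*-lowlatency) ;;
        *) echo "FAIL: kernel $kernel does not look like a stock Ubuntu kernel"; rc=1 ;;
    esac
    if [ -z "$snapd" ] || ! version_ge "$snapd" "2.15"; then
        echo "FAIL: snapd is ${snapd:-not installed}, need 2.15 or newer"; rc=1
    fi
    return $rc
}

# Collect the real values from this host and run the check.
preflight_this_host() {
    release=$(. /etc/os-release 2>/dev/null && echo "$VERSION_ID")
    snapd=$(dpkg-query -W -f='${Version}' snapd 2>/dev/null)
    livepatch_preflight "$(uname -m)" "$release" "$(uname -r)" "$snapd"
}

# Run against the local machine only when called with --run.
if [ "${1:-}" = "--run" ]; then preflight_this_host; fi
```

Save it as a script and call it with --run before enabling the service; a silent exit with status 0 means every requirement is met.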
Enable Canonical Livepatch Service
Ubuntu Community users can enable and use the Canonical Livepatch Service on 3 systems running 64-bit Intel/AMD Ubuntu 16.04 LTS. You can enable the Canonical Livepatch Service today in 3 simple steps:
Step 1: In order to use Canonical Livepatch Service, you need to get a token. For this you will have to sign up at https://ubuntu.com/livepatch. If you don’t have an Ubuntu SSO account, create a new one. An Ubuntu SSO account is free, and provides services similar to Google, Microsoft, and Apple for Android/Windows/Mac devices, respectively. You can create your Ubuntu SSO account at https://login.ubuntu.com/.
Once you have the token, copy it and run the following commands in a terminal:
$ sudo snap install canonical-livepatch
$ sudo canonical-livepatch enable [TOKEN_GOES_HERE]
If you get an error message saying it can’t find canonical-livepatch, run the command by its full path (snap binaries are installed in /snap/bin), using the token:
$ sudo /snap/bin/canonical-livepatch enable [TOKEN_GOES_HERE]
Step 2: To check the description and the status of the patches applied to the kernel, run the command:
$ canonical-livepatch status --verbose
For more info, visit:
http://blog.dustinkirkland.com/2016/10/canonical-livepatch.html
https://lists.ubuntu.com/archives/ubuntu-announce/2016-October/000214.html