How to live patch Ubuntu Linux Kernel without rebooting the server

Kernel live patching applies fixes for critical security issues to the running kernel without a reboot. How do I enable it and patch my Ubuntu Linux 16.04 LTS server without rebooting the box?

Ubuntu Linux 16.04 LTS supports live patching for both enterprise customers and Ubuntu community members. The Canonical Livepatch Service is an authenticated, encrypted and signed stream of livepatch kernel modules for Ubuntu servers, virtual machines and desktops. The service is free for up to 3 machines running 64-bit Intel/AMD Ubuntu 16.04 LTS. Note that it only carries fixes for selected high and critical kernel CVEs: you still need to install regular kernel updates with apt and reboot into the new kernel at your next maintenance window.

Before you start

Make sure you have the following entries in /etc/apt/sources.list:
$ cat /etc/apt/sources.list
deb xenial main restricted universe multiverse
deb xenial-updates main restricted universe multiverse
deb xenial-security main restricted universe multiverse

Make sure your system is updated using apt command or apt-get command:
$ sudo apt update
$ sudo apt upgrade

If snapd (the snap package daemon) is not yet installed on your system, install it:
$ sudo apt install snapd
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  snap-confine ubuntu-core-launcher
The following NEW packages will be installed:
  snap-confine snapd ubuntu-core-launcher
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 6,262 kB of archives.
After this operation, 32.5 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 xenial-updates/main amd64 snap-confine amd64 1.0.43-0ubuntu1~16.04.1 [28.9 kB]
Get:2 xenial-updates/main amd64 ubuntu-core-launcher amd64 1.0.43-0ubuntu1~16.04.1 [2,702 B]
Get:3 xenial-updates/main amd64 snapd amd64 2.15.2ubuntu1 [6,231 kB]
Fetched 6,262 kB in 1s (4,850 kB/s)
Selecting previously unselected package snap-confine.
(Reading database ... 244122 files and directories currently installed.)
Preparing to unpack .../snap-confine_1.0.43-0ubuntu1~16.04.1_amd64.deb ...
Unpacking snap-confine (1.0.43-0ubuntu1~16.04.1) ...
Selecting previously unselected package ubuntu-core-launcher.
Preparing to unpack .../ubuntu-core-launcher_1.0.43-0ubuntu1~16.04.1_amd64.deb ...
Unpacking ubuntu-core-launcher (1.0.43-0ubuntu1~16.04.1) ...
Selecting previously unselected package snapd.
Preparing to unpack .../snapd_2.15.2ubuntu1_amd64.deb ...
Unpacking snapd (2.15.2ubuntu1) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up snap-confine (1.0.43-0ubuntu1~16.04.1) ...
Setting up ubuntu-core-launcher (1.0.43-0ubuntu1~16.04.1) ...
Setting up snapd (2.15.2ubuntu1) ...

Step 1: Generate a livepatch key

To get started, log in to the Canonical Livepatch Service portal and generate a key (a free account is needed):

Sample output after logging in and generating a key for my personal server at home:

Fig.01: Getting started with “Hotfixing Ubuntu Kernels”

Step 2: Enable live patching

Install the canonical-livepatch snap (package):
$ sudo snap install canonical-livepatch
Sample outputs:

Fig.02: Installing live patch

Make sure /snap/bin is in your PATH:

echo 'export PATH=$PATH:/snap/bin' >> ~/.bashrc
# Load the file
source ~/.bashrc
#Verify path
echo "$PATH"

Now enable the service with your token. The token authenticates your machine to the service, so treat it like a password: keep it out of shared notes and configuration management stored in plain text. The syntax is:
$ sudo canonical-livepatch enable {YOUR-TOKEN-HERE-FROM-STEP-1}
So if your token is d3b07384d213edec49eaa6238ad5ff00, enter:
$ sudo canonical-livepatch enable d3b07384d213edec49eaa6238ad5ff00
Sample outputs:

Successfully enabled device. Using machine-token: d3b07384d213edec49eaa6238ad5ff00

Step 3: View status

Type the following command to view the kernel's livepatch status:
$ canonical-livepatch status
Sample outputs:

kernel: 4.4.0-43.63-generic
fully-patched: true
version: ""

My kernel is fully patched. You can pass the --verbose option to see more details:
$ canonical-livepatch status --verbose
Sample outputs:

Fig.03: Canonical enterprise kernel livepatch service in action

Once a patch has been applied, the verbose status lists the running kernel, the patch state and the CVEs it fixes:
$ canonical-livepatch status --verbose
Sample outputs:

client-version: "5"
machine-id: 727********************
machine-token: 034*************************
architecture: x86_64
cpu-model: Intel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz
last-check: 2016-10-20T17:37:14.088531661-05:00
boot-time: 2016-10-16T12:27:58-05:00
uptime: 102h5m20s
- kernel: 4.4.0-43.63-generic
  running: true
    state: applied
    version: "13.3"
    fixes: '* CVE-2016-5195 LP: #1633547'

Patches are downloaded and applied automatically by the canonical-livepatchd daemon; there is nothing to run by hand after enabling. Confirm the daemon is running with:
$ ps aux | grep '[c]anonical-livepatchd'
root 28631 0.0 0.0 1390464 23744 ? Ssl Oct19 0:08 /snap/canonical-livepatch/15/canonical-livepatchd
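Once livepatch is enabled you will usually want a script, not a person, checking that the kernel is actually patched. The following is an added example and not part of the original article or of Canonical's tooling: it validates a token before it is handed to `enable` (catching a pasted URL or trailing whitespace), and it parses the status output shown above so a cron job or monitoring agent can alert when `fully-patched` is not `true` or the patch state is not `applied`. The sample status is constructed by merging the plain and verbose outputs shown earlier; field names and layout may differ on newer client versions, which is an assumption to verify against your own `canonical-livepatch status --verbose`.

```shell
#!/bin/sh
# Added example, not from the original article: token sanity check and
# status parsing for the Canonical Livepatch client.

# Return 0 if TOKEN looks like a livepatch machine token (32 lowercase hex
# characters), so a stray newline, space or pasted URL is caught before it
# reaches `canonical-livepatch enable`.
lp_token_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# Read status output on stdin and print the value of the top-level
# "fully-patched:" field (true/false), or "unknown" if the field is absent.
lp_fully_patched() {
    awk '$1 == "fully-patched:" { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# Read verbose status on stdin and print the patch "state:" value for the
# running kernel (applied, unapplied, ...), or "none" if no patch is listed.
lp_patch_state() {
    awk '$1 == "state:" { print $2; found = 1 }
         END { if (!found) print "none" }'
}

# Read verbose status on stdin and print each CVE id listed under "fixes:",
# one per line, de-duplicated (empty output when nothing has been applied).
lp_fixed_cves() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Exit 0 only when the kernel reports fully-patched AND the patch module is
# in the applied state; anything else is a reason to alert.
lp_check() {
    status="$1"
    fp=$(printf '%s\n' "$status" | lp_fully_patched)
    st=$(printf '%s\n' "$status" | lp_patch_state)
    [ "$fp" = "true" ] && [ "$st" = "applied" ]
}

# Constructed sample, modelled on the article's plain and verbose outputs
# (the real machine-id and machine-token are masked, as the client does).
SAMPLE_STATUS=$(cat <<'EOF'
client-version: "5"
machine-id: 727********************
machine-token: 034*************************
architecture: x86_64
kernel: 4.4.0-43.63-generic
fully-patched: true
- kernel: 4.4.0-43.63-generic
  running: true
    state: applied
    version: "13.3"
    fixes: '* CVE-2016-5195 LP: #1633547'
EOF
)

# Demo run on the constructed sample; for a live check replace SAMPLE_STATUS
# with: status=$(sudo canonical-livepatch status --verbose)
echo "token ok?        $(lp_token_ok d3b07384d213edec49eaa6238ad5ff00 && echo yes || echo no)"
echo "fully patched:   $(printf '%s\n' "$SAMPLE_STATUS" | lp_fully_patched)"
echo "patch state:     $(printf '%s\n' "$SAMPLE_STATUS" | lp_patch_state)"
echo "fixed CVEs:      $(printf '%s\n' "$SAMPLE_STATUS" | lp_fixed_cves | tr '\n' ' ')"
if lp_check "$SAMPLE_STATUS"; then echo "OK: kernel is live patched"; else echo "ALERT: kernel not fully patched"; fi
```

The `fully-patched` flag and the per-patch `state` are checked together on purpose: `fully-patched: true` with no patch listed simply means nothing has been released for that kernel yet, while a listed patch whose state is not `applied` means a module was downloaded but has not taken effect. As an independent cross-check that does not depend on the client, a loaded livepatch module also shows up under `/sys/kernel/livepatch/` on kernels with live patching support.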

Posted by: SXI ADMIN
