Hello everyone and Happy New Year! I hope 2017 has started great for everyone out there.
So I have been playing around with Canonical’s Livepatch service on my Ubuntu 16.04 servers and I have to say, it is pretty slick. I run two KVM hosts that run various servers and containers so that I can do my job. In fact, this web server runs as a KVM on one of my hosts. Since I can’t typically run kernel updates and reboot when ever I feel like since I have other work loads running on these servers, Canonical Livepatch answers this problem for me.
How it works is pretty simple. When a security patch for the Kernel comes out, this service downloads the patch and installs it in the running kernel on my system WITHOUT HAVING TO REBOOT MY SERVER!!! That is amazing!! I get the security update to patch and make my system secure and I don’t have to schedule a maintenance window and bring down 20+ VM’s and 100+ containers, I can just update the host and BAM! All my containers and my hosts are updated, no reboot, no downtime. I still have to touch all my KVM’s, but that is the way when you run VM’s.
So you want to try this out? It’s pretty simple to setup. First, it only works on Ubuntu 16.04 LTS. This “should” change to be available in 14.04 but as of when I wrote this, it was still not yet available on 14.04.
The Kernel Livepatch is a snap application, making use of snaps on the system. This makes it even easier to install and update. To install on your system, it is as simple as:
sudo snap install canonical-livepatch
This will pull down the snap application and install and start it. Now, you have to enable the service. You need to go to https://auth.livepatch.canonical.com to sign up for the service. Regular Ubuntu users are authorized up to 3 machines to get Livepatches for. If you need more, you can purchase them via support for your systems. Once you are signed up, you will have a token that you use to add your systems.
You then run:
sudo canonical-livepatch enable <TOKEN>
This will setup livepatch. To see it work, simply run
canonical-livepatch status --verbose
and you will get the following output:
client-version: "6" machine-id: --REMOVED-- machine-token: --REMOVED-- architecture: x86_64 cpu-model: Intel(R) Xeon(R) CPU E5645 @ 2.40GHz last-check: 2017-01-11T15:21:36.477627539-08:00 boot-time: 2016-11-28T09:16:56-08:00 uptime: 1062h5m33s status: - kernel: 4.4.0-47.68-generic running: true livepatch: checkState: checked patchState: applied version: "15.1" fixes: |- * CVE-2016-7425 * CVE-2016-8655 * CVE-2016-8658
I have those CVE’s installed, and I didn’t have to reboot my system for them to be implemented. Now my KVM host is patched, and I had 0 downtime to do it.
There you have it. Let me know in the comments if you have any questions!