Ubuntu Server 18.04 – Automatically installing patches with the Canonical Livepatch service


Since the publication of the first edition of this tutorial, Canonical has released a new Livepatch service for Ubuntu, which allows a server to receive kernel updates and have them applied without rebooting. This is a game changer, as it takes care of keeping your running systems patched without you having to do anything, not even reboot. This is a massive benefit to security, as you get the latest kernel security patches without the inconvenience of having to schedule a restart of your servers right away.

The service is not free, nor is it included with Ubuntu by default. You can, however, install the Livepatch service on three of your servers without paying, so it’s still something you may want to consider. In my case, I simply have this applied to the three most critical servers under my jurisdiction, and the rest I update manually. Since you can use this service for free on three servers, I see no reason why you shouldn’t benefit from it on your most critical resources.

Even though you generally won’t need to reboot your server in order to take advantage of patches with the Livepatch service, there may be some exceptions depending on the nature of the vulnerability. There have been vulnerabilities in the past that were severe enough that even servers subscribed to this service still needed to reboot. This is the exception rather than the rule, though. Most of the time, a reboot is simply not something you’ll need to worry about. More often than not, your server will have all patches applied and inserted right into the running kernel, which is an amazing thing.

One important thing to note is that this doesn’t stop you from needing to install updates via apt. Live patches are inserted right into the running kernel, but they’re not permanent; the patched kernel package still has to be installed through apt so that the fix is there after the next boot. You’ll still want to install all of your package updates on a regular basis through the regular means. At the very least, live patches will make it so that you won’t be in such a hurry to reboot. If a vulnerability is revealed on Monday but you aren’t able to reboot your server until Sunday, it’s no big deal.

Since the Livepatch service requires a subscription, you’ll need to create an account in order to get started using it. You can get started with this process at https://auth.livepatch.canonical.com/.

The process will involve having you create an Ubuntu One account (https://login.ubuntu.com/), which is Canonical’s centralized login system. You’ll enter your email address, choose a password, and then at the end of the process you’ll be given a token to use with your Livepatch service, which will be a string of random characters.

Now that you have a token, you can decide on the three servers that are most important to you. On each of those servers, you can run the following commands to get started:

sudo snap install canonical-livepatch
sudo canonical-livepatch enable <token>

Believe it or not, that’s all there is to it. With how amazing the Livepatch service is, you’d think it would be a complicated process to set up. The most time-consuming part is registering for a new account, as it only takes two commands to set this service up on a server. You can check the status of Livepatch with the following command:

sudo canonical-livepatch status
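As an added example (not part of the original tutorial), here is a small POSIX shell check an admin can run after enabling the service: it parses the output of sudo canonical-livepatch status for the running kernel's patch state and also looks for Ubuntu's reboot-required marker, since live patches don't replace package updates and a few fixes still need a restart. The patchState field name and the sample status text are assumptions to verify against your own output.

```shell
#!/bin/sh
# Post-setup check for the Livepatch service (added example, not from the
# original tutorial). Reads "canonical-livepatch status" output and reports
# whether the running kernel has its patches applied and whether a reboot is
# still pending. The field name "patchState" is assumed from the client's
# YAML-style output; /var/run/reboot-required is the marker Ubuntu's update
# tooling creates when an installed package update needs a restart.

# Print the patchState value found in status text read from stdin,
# or "unknown" if the field is absent.
livepatch_patch_state() {
    _state=$(sed -n 's/^[[:space:]]*patchState:[[:space:]]*//p' | head -n 1)
    if [ -n "$_state" ]; then printf '%s\n' "$_state"; else printf 'unknown\n'; fi
}

# Succeed (exit 0) when the reboot marker exists; $1 overrides the path.
needs_reboot() {
    [ -e "${1:-/var/run/reboot-required}" ]
}

# Combine both checks for status text $1 and marker path $2.
# Prints "ok", "reboot-required (...)" or "attention (...)".
livepatch_verdict() {
    state=$(printf '%s\n' "$1" | livepatch_patch_state)
    if needs_reboot "$2"; then
        printf 'reboot-required (patchState=%s)\n' "$state"
    elif [ "$state" = "applied" ] || [ "$state" = "nothing-to-apply" ]; then
        printf 'ok\n'
    else
        printf 'attention (patchState=%s)\n' "$state"
    fi
}

# Constructed sample resembling the status output of a patched host.
SAMPLE_STATUS='client-version: 9.5.5
architecture: x86_64
status:
- kernel: 4.15.0-0-generic
  running: true
  livepatch:
    checkState: checked
    patchState: applied
    version: "0"
'

# Run against the live host with --live; otherwise evaluate the sample.
if [ "${1:-}" = "--live" ]; then
    livepatch_verdict "$(sudo canonical-livepatch status 2>/dev/null)" /var/run/reboot-required
else
    livepatch_verdict "$SAMPLE_STATUS" /nonexistent-marker
fi
```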

Depending on the budget of your organization, you may decide that this service is worth paying for, which will allow you to benefit from having it on more than three servers. It’s definitely worth considering. You’ll need to contact Canonical to inquire about additional support, should you decide to explore that option.
