Installing or upgrading packages in Linux distributions does not normally require rebooting your system, except for the Linux kernel and drivers. But since Linux 4.0 kernel, Live Kernel patching is possible, meaning Linux kernel updates can be performed without having to reboot your server or computer. Canonical is now taking advantage of this new feature with their Livepatch Service available for Ubuntu 16.04 LTS and greater.

If you want to enable it on your machine, you’ll have to authenticate to Livepatch portal to get a key / token for the service as shown in the screenshot above.

Now you can install the service:



sudo snap install canonical-livepatch 1 sudo snap install canonical - livepatch



and enable it with your token:



sudo canonical-livepatch enable [your-token] Successfully enabled device. Using machine-token: [your-token] 1 2 sudo canonical - livepatch enable [ your - token ] Successfully enabled device . Using machine - token : [ your - token ]



That’s it. Your can check Livepatch service status with the command:



canonical-livepatch status --verbose client-version: "5" machine-id: [your-machine-id] machine-token: [your-machine-token] architecture: x86_64 cpu-model: AMD FX(tm)-8350 Eight-Core Processor last-check: 2016-10-25T19:35:55.009247615+07:00 boot-time: 2016-10-25T09:00:09+07:00 uptime: 10h52m7s status: - kernel: 4.4.0-45.66-generic running: true livepatch: state: nothing-to-apply version: "" fixes: "" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 canonical - livepatch status -- verbose client - version : "5" machine - id : [ your - machine - id ] machine - token : [ your - machine - token ] architecture : x86_64 cpu - model : AMD FX ( tm ) - 8350 Eight - Core Processor last - check : 2016 - 10 - 25T19 : 35 : 55.009247615 + 07 : 00 boot - time : 2016 - 10 - 25T09 : 00 : 09 + 07 : 00 uptime : 10h52m7s status : - kernel : 4.4.0 - 45.66 - generic running : true livepatch : state : nothing - to - apply version : "" fixes : ""



In my case, an update was not necessary, but if there’s one you should see something like:



livepatch: state: applied version: "12.2" fixes: '* CVE-2012-6828' 1 2 3 4 livepatch : state : applied version : "12.2" fixes : '* CVE-2012-6828'



That way you can make sure your system always have the latest security patchsets. This is mostly useful for servers, but it might not be a bad idea to enabled for your computer too, especially it’s free for end-users for up to 3 machines. Companies need to apply to Ubuntu Advantage for business to support more machines.