https://ubuntu.com/livepatch

Many of us have seen the Ubuntu livepatch option, but not many home users actually use it. Many are unsure of what it is, or just do not want snaps on their systems. First, the bad news. You need to sign up for an account, but you can use Donald Trump’s name if you like. You also need snapd… It also works only on LTS releases… that are 64-bit… with a kernel greater than 4.4. Whew!
Now some good news. This enterprise tool is available to users like you and me for three computers absolutely free. It works on bare metal servers, VMs, and desktops. Live patches avoid configuration mistakes. Why is this good news? Because it is easy to make a simple mistake and kill your working server.

Livepatching is a thing. It all starts with kernel probes, or kprobes, basically a debugging tool that allows you to monitor events within a running system. You can find more info here: https://lwn.net/Articles/132196/ - if I understand it correctly, it is an ftrace-based (function trace) mechanism and kernel interface for doing live patching of a kernel and kernel module functions. Livepatch is available for most x86-based CPUs, so not yet for your Raspberry Pi server. Also, it may not work on some Ubuntu “flavors”.

How do you check if livepatch is supported by your kernel, you may ask. Good question! Open a terminal and type:

    cat /boot/config-$(uname -r) | grep LIVEPATCH
Security is always a top priority: you need to keep your kernel up-to-date, and you do not need the grey hairs. If you ever had to restart an Ubuntu server after patching, the one running your clients’ websites… you had to cross your fingers and hope it went quickly – and most importantly, unnoticed. Enter livepatch. It is simple to set up in your terminal if you have a server, or in a GUI if you have a desktop.

Why do you need an account? Well, security. As I understand it, there is a GPG key or private / public key, attached to your Ubuntu One account. This makes sense. However, I hope they have tightened up security, as my Ubuntu One details are in the wild and I can never use that password again. If you do not have one, create it here: https://login.ubuntu.com
If you have vanilla Ubuntu 18.04, you should be able to find it (livepatch) in the menu. On your LTS server, you will need to add it via the terminal with:

    sudo canonical-livepatch enable

If you do not see it, you need to run this first:

    sudo snap install canonical-livepatch

There is a video on the livepatch website that will run you through this. TL;DR … it’s 2 commands:

    sudo snap install canonical-livepatch
    sudo canonical-livepatch enable <received token>
On your desktop, you can go to “software and updates” and click on the very last tab. You should see this: This is a nice overview to see what you may need. Clicking “learn more” will just take you to the livepatch website and not actually help you by telling you what you need to do next. The livepatch button will slide over if you have met all the requirements mentioned above. If you are activating it on a desktop, you will also see an icon in your taskbar. On a server, simply run this at the command prompt:

    ls -ld /sys/kernel/livepatch
NB! Livepatch will not work on security-hardened servers or workstations, as it needs to load a kernel module to actually do the patching.

Would you like to see more articles on things like these, or would you like to correct us on any incorrect information? (Everyone makes a mistake!) Please let us know at misc@fullcirclemagazine.org

P.S. There is a nice tutorial at Linuxbabe: https://www.linuxbabe.com/ubuntu/canonical-livepatch-service-ubuntu-16-04-live-kernel-patching
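The prerequisites listed in the article (kernel built with livepatch, 64-bit x86, LTS release) and the NB about kernel module loading can be checked in one pass before you enable the service. The script below is an added example, not part of the original article or of Canonical's tooling. Its function names are hypothetical, and it assumes that "hardened" means the kernel.modules_disabled sysctl is set to 1 and that an LTS release carries "LTS" in the VERSION field of /etc/os-release.

```shell
#!/bin/sh
# Added example: livepatch readiness checks (function names are hypothetical).
# Every file path is a parameter, so the checks can also be pointed at
# constructed sample files instead of the live system.

# Succeeds when the kernel config file has livepatch built in.
config_has_livepatch() {
    grep -q '^CONFIG_LIVEPATCH=y$' "$1" 2>/dev/null
}

# Succeeds for the 64-bit x86 machine name as reported by `uname -m`.
arch_is_x86_64() {
    [ "$1" = "x86_64" ]
}

# Succeeds when the os-release file describes an LTS release.
release_is_lts() {
    grep -q '^VERSION=.*LTS' "$1" 2>/dev/null
}

# Succeeds when module loading has not been switched off. Assumption:
# kernel.modules_disabled=1 is the hardening setting in question.
modules_loadable() {
    [ -r "$1" ] && [ "$(cat "$1")" = "0" ]
}

# check LABEL COMMAND [ARGS...]: print the result and count failures.
check() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# livepatch_readiness CONFIG ARCH OS_RELEASE MODULES_DISABLED
# Returns the number of failed checks (0 means ready).
livepatch_readiness() {
    fails=0
    check "kernel config has CONFIG_LIVEPATCH=y" config_has_livepatch "$1"
    check "64-bit x86 machine" arch_is_x86_64 "$2"
    check "LTS release" release_is_lts "$3"
    check "kernel module loading allowed" modules_loadable "$4"
    return "$fails"
}

# Check the running system only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    livepatch_readiness "/boot/config-$(uname -r)" "$(uname -m)" \
        /etc/os-release /proc/sys/kernel/modules_disabled
fi
```

Run it with --live on the machine you want to check; the exit status is the number of failed checks.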