Server live patching is an essential tool that reduces system downtime, lowers maintenance expenses, and enhances security. Initially introduced in 2008, live patching is an automatic system for applying kernel security patches that does not necessitate rebooting. This allows users to avoid any server compromisation or security vulnerabilities during a patch update. And with server configuration management tools, every server can be automatically updated at the same time, effectively eliminating a host of significant cybersecurity blindspots.
Several tools are available on the Linux Kernel live patching software market, varying significantly in both price and quality. With so many options to choose from, it can be challenging to determine the best-fit live patching system for you or your enterprise. Thus, it is essential to conduct an in-depth investigation before committing to a single vendor.
One of your options is the Canonical Livepatch Service. Developed by the creators of Ubuntu, the Canonical Livepatch Service exclusively supports Ubuntu distributions. Although this service undoubtedly offers numerous advantages, it is strictly beneficial to enterprises that run the entirety of their servers on Ubuntu. An alternative live patching service must be leveraged for enterprises that run their servers via other distributions. For example, KernelCare supports a vast amount of both distributions and kernel versions, all of which can be found here.
In this post, we’ll be covering the ins and outs of Ubuntu and its Canonical Livepatch Service, ranging from installation to updates to testing and downsides. Moreover, we will also discuss the advantages of KernelCare’s live patching offerings, which include automated live patching support for Ubuntu 20.04.
- History of Ubuntu and Canonical
- What is the Canonical Livepatch Service
- How to Install Canonical Livepatch:
– Graphical User Interface
– Command-line Interface
- How to Force Livepatch to Update
- How to See What Updates Have Been Applied
- How is Livepatch Tested
- What is Ubuntu Advantage
- Premium Live Patching with KernelCare+ and KernelCare Enterprise via Data Dog Integration
- Downsides of Canonical Livepatch
- Further Reading on Canonical Livepatch
History of Ubuntu and Canonical
Rooted in the ancient African word which roughly translates to ‘humanity to others,’ the Ubuntu distribution serves to bring a sense of togetherness and community to the computer and software industries, offering an amalgamation of the best byproducts of the world’s software community.
In 2004, at the time of Linux’s inception, its offerings were fragmented, with proprietary and unsupported community versions available. Moreover, most computer users did not have access to free software daily. To address these problems, Mark Shuttleworth formed a small team of Debian developers. Together, with a shared goal of developing Ubuntu – a user-friendly Linux desktop, they created Canonical. With Ubuntu, Canonical first aimed to “deliver the world’s free software, freely, to everybody on the same terms. Whether you are a student in India or a global bank, you can download and use Ubuntu free of charge.” And secondly, Canonical strived to reduce the expenses associated with professional services like maintenance, management, operations, and support for those who utilize Ubuntu and scale.
Furthermore, in October 2004, Ubuntu became the first operating system to commit to scheduled releases bi-annually. And in 2006, Canonical determined that long-term support for large-scale deployments would accompany every fourth release, which would occur every two years. These releases are now referred to as LTS.
As a result of a joint effort of both the commercial and community teams, one high-quality release is produced and continuously maintained for a specific length of time. These ongoing updates, as well as the initial release, are also freely accessible to all users.
And Ubuntu’s publisher, the Canonical team, manages essential elements like desktop default, foundations, the kernel, Kubernetes, Openstack, and security. Nevertheless, numerous volunteer leaders globally take responsibility for several key aspects of the project. As Ubuntu’s founder, Mark Shuttleworth compiles a list of nominees and later appoints candidates to various boards, counsels, and teams integral to the project. With governance partially independent of Canonical, Ubuntu remains a world-class platform accessible to anyone, and a network shared by Canonical, other enterprises, and a slew of volunteers.
Canonical Livepatch serves to eliminate the frustration associated with keeping your Ubuntu systems updated with imperative kernel patches. And although Canonical Livepatch is easy to set up, graphically or via the command line, you must be running Linux Kernel 4.4 or higher to take advantage of its support. Moreover, a Long Term Support (LTS) release of Ubuntu must also be used, e.g., 16.04, 18.04, 20.04.
What is the Canonical Livepatch Service
“Kernel live patching enables runtime correction of critical security issues in your kernel without rebooting.” And through kernel live patching, the safety of your machines at the kernel level can be verified and uptime can be guaranteed.
In October 2016, Canonical publicly launched a new enterprise, commercial offering – the Canonical Livepatch Service. An authenticated, encrypted, signed stream of livepatch kernel modules for Ubuntu LTS architecture, the Canonical Livepatch Service addresses top security vulnerabilities at no additional cost and without necessitating a reboot. As all containers share the same kernel, container hosts like Docker and LX benefit particularly well from this service.
Community Ubuntu users can use the Canonical Livepatch Service on as many as three systems running 64-bit Intel/AMD Ubuntu 16.04 LTS at minimum. To enable this service on more than three systems, users will have to upgrade to a commercial support subscription with Ubuntu Advantage.
How to Install Canonical Livepatch
Regardless of if you set up the Canonical Livepatch Service via the graphical user interface (GUI) or the command-line interface (CLI), it is necessary to obtain an Ubuntu One account. Once you create your Ubuntu One account, which can be done at entirely no cost, a private key – tied to your account – will be issued to you, enabling you to operate the Livepatch service.
Those using the GUI to set up the Canonical Livepatch Service will never see their private key. Although still required and used, GUI handles everything in the background for the user. Alternatively, those using the CLI to set up the Canonical Livepatch Service will be required to copy and paste their private key from their browser and into the command line.
To enable the Canonical Livepatch Service graphically, first press the “Super” key located on the lower-left portion of most keyboards, between the “Control and “Alt” keys. Then, search for “livepatch.”
When the Livepatch icon appears, you may either click the icon or press the “Enter” key. Next, within the Livepatch tab you’ve selected, the “Software and Updates” dialog window will appear. Click the “Sign in” button. After doing so, you will receive a message reminding you that you need to use an Ubuntu One account. Choose the “Sign In / Register” option.
Once the Ubuntu Single Sign-On Account dialog window appears, you’ll enter your account information and click the “Connect” button. Or, if you’ve yet to register for an account, you may use this dialog window to do so. It is imperative to note that Canonical utilizes “Ubuntu One” and “Single Sign-On” as interchangeable terms. Although “Single Sign-On” was, in fact, officially replaced by “Ubuntu One,” both names are still often used.
Next, you will be prompted to enter your password. Do so and then click the “Authenticate” option. A dialog window will appear, displaying the email address linked to the chosen Ubuntu One account. Confirm that it is correct and click “Continue.” You will be required to enter your password one additional time. Just a few seconds afterwards, the Livepatch tab in the “Software and Updates” dialog window will update, showing that Livepatch is live and active.
In the tool notification area, located near the network, sound and power icons, a new shield icon will appear. The green circle with the checkmark signifies that Livepatch is on.
Similarly, an Ubuntu One account is required to enable the Canonical Livepatch Service using the command-line interface (CLI). You will have the chance to easily create one if you have yet to do so.
However, it is essential to note that this method isn’t entirely CLI, as some of the necessary steps are web-based. First, you’ll visit the Canonical Livepatch Service web page to obtain your private key. Once there, select the “Ubuntu User” option and then press “Get Your Livepatch Token.” After doing so, you’ll be prompted to log in to your Ubuntu One account.
If you already have an account, type in the email address associated with the account. Then, select the “I have an Ubuntu One account, and my password is:” option.
On the other hand, if you do not already have an account, type in the email address you would like to link to your account. Then, select the “I don’t have an Ubuntu One account” option. This will allow you to create your account.
Once you have created and verified your Ubuntu One account, your key will be displayed on the managed live kernel patching web page. While keeping this web page open, open a terminal window. To install the Livepatch service daemon, use the following command in the terminal window: sudo snap install canonical-livepatch
When the installation has completed, you will need the key from the “managed live kernel patching” web page to enable the service. To copy and paste your private key to the command line, begin by highlighting the key on the web page. Right-click it and choose “Copy” from the context menu. Then, without pressing “Enter,” type the following command in the terminal window: sudo canonical-livepatch enable
After entering this command, type a space, right-click and choose “Paste” from the context menu. The command you typed, a space, and your private key from the web page should then exist in the terminal window. Then, press “Enter.”
A verification message from Livepatch should appear notifying you that your computer is now enabled for kernel patching. The machine token, which is another long key, will then appear.
At this point, if you check the Livepatch tab located in the “Software and Updates” dialog window, you will see that Livepatch has been enabled and is now active.
How to Force Livepatch to Update
In providing a managed update service, Livepatch allows users to not think about or concern themselves with updates. However, you can force Livepatch to check for and apply any found kernel patches using the following command: sudo canonical-livepatch refresh
How to See What Updates Have Been Applied
After inputting the previously noted command, Livepatch will notify you of the kernel version applied both prior to and following the system refresh.
You may also check the status of Livepatch at any time using the following command: sudo canonical-livepatch status
This will provide you with the current kernel version, any critical kernel patches that must be installed, and any kernel patch versions that must be applied, among other status updates.
How is Livepatch Tested
Each livepatch goes through a series of thorough, strict tests in Canonical’s in-house Continuous Integration/Continuous Delivery (CI/CD) quality assurance system. This system performs hundreds of tests on combinations of livepatches, hardware, kernels, virtual machines, and physical machines. After passing CI/CD and regression tests, a livepatch is rolled out only to a small percentage of Canonical Livepatch Service users. If this tiny rollout finds success, a subsequent moderate rollout will follow. And if that is also successful, all free Ubuntu Community and paid Ubuntu Advantage users will receive the livepatch.
Canonical engineers automatically detect and inspect any systemic failures that arise during a livepatch test. Furthermore, by enrolling in the Ubuntu Advantage program, Canonical Livepatch Service users can avoid being selected at random to participate in any initial microscopic tests.
To learn about behind the scenes of live patch testing at KernelCare click here.
What is Ubuntu Advantage
Ubuntu Advantage is a paid, Open Source offering for the enterprise that supplies a single, per node packaging of world-class comprehensive security, software, and IaaS support.
Ubuntu Advantage provides users with critical security fixes, legal assurance, and telephone support at the open infrastructure support and security level. This plan supports Ubuntu base OS, Kernel, Kubernetes, OpenStack, Docker, SDN, and storage.
In terms of managed open infrastructure, Ubuntu Advantage provides fully managed OpenStack and Kubernetes, along with multi-cloud K8s, a managed private cloud, and data center automation, along with logging, alerting, and monitoring.
Users can also leverage the IoT and device services provided by Ubuntu Advantage. With offerings like hardware enablement, long-term OTA software updates, white-label app stores for IoT devices, consulting services, and 24/7 maintenance and support, users can take advantage of this new Linux development standard.
And with consulting and deployment for OpenStack, Kubernetes, and Kubeflow, Ubuntu Advantage provides users with the architecture design, deployment, training, and integration needed to determine an enterprise’s most optimal options while meeting their requirements.
Premium Live Patching with KernelCare+ and KernelCare Enterprise via DataDog Integration
In July 2020, KernelCare announced that its premium live patching offerings KernelCare+ and KernelCare Enterprise would be integrated with the DataDog cloud infrastructure monitoring service, which monitors databases, servers, services, and tools via its SaaS-based data analytics platform. DataDog effectively displays metrics and events across the full development and operations stack.
This integration enables joint customers to manage their kernel vulnerabilities and patching via their DataDog user interface. Although patching is scheduled, tested, downloaded, and deployed via the patch management tool, KernelCare enables live patching without requiring reboots. Instead, KernelCare temporarily freezes all processes in safe mode until the patch update is completed. Moreover, this integration supplies existing DataDog users with more precise reporting, fewer false positives, and enhanced security management for Linux kernels and libraries.
Downsides of Canonical Livepatch
Although the Canonical Livepatch Service does not require system reboots and automatically updates kernels free of charge for personal use, a host of disadvantages accompany this technology. For one, Canonical places a limit on the number of allowed updatable hosts. Those utilizing this service for personal use are limited to three machines, while those recognized as Ubuntu Community members are limited to 50 machines. Additional hosts can be added via Ubuntu Advantage support subscriptions. Necessitating at least an Essential level subscription, this upgrade can range from $225 to $1,500 per machine, per year for physical servers. For virtual machines, this cost can range from $75 to $500 per machine, per year. Furthermore, the Canonical Livepatch Service frequently puts forth insignificant custom kernel patches and supports limited distributions.
Read our blog for more information regarding the pros and cons of the leading Linux vendor services.
Further Reading on Canonical Livepatch
For additional information on the Canonical Livepatch Service, visit the following websites:
- Omg! Ubuntu! – This site consistently covers the most recent Ubuntu launches, updates, news, tutorials, and must-have integrations.
- Ubuntu Wiki – Here you’ll find a compilation of system requirements, notes, and FAQs regarding the Canonical Livepatch Service.
- Hotfix Your Ubuntu Kernels with the Canonical Livepatch Service! – This blog provides an in-depth explanation of how to properly install the Canonical Livepatch Service, as well as answers for a slew of FAQs.
Although Ubuntu is one of the world’s most popular operating systems amongst developers, its accompanying enterprise services are all commercial and require supporting subscriptions. Thus, Canonical Livepatch may not be the most effective and advantageous third-party vendor for Ubuntu users to turn to for live patching.
With easy install and no reboots required, KernelCare presents a stand-out kernel patching solution, compatible with a wide range of operating systems, including CentOS, RHEL, Linux, Ubuntu, Debian, etc. Moreover, KernelCare supports custom and fixed-date patching, streamlining patch management and creating a more user-friendly patch update experience. KernelCare users can also take advantage of the experience, expertise, and support provided by CloudLinux.
Visit our website today to access seamless and thorough comparisons of all available third-party live patching tools!
Check out other overviews of live patching services: