How to use Canonical’s Livepatch service on Ubuntu

Reduce downtime and unplanned work

Livepatch eliminates the need for unplanned maintenance windows for high and critical severity kernel vulnerabilities by patching the Linux kernel while the system runs. Reduce fire drills while keeping uninterrupted service with the Canonical Livepatch service for up to 10 years.

Livepatch is included in Ubuntu Pro and Ubuntu Advantage.

Livepatch is a perfect fit for our needs. There’s no other solution like it, and it’s highly cost-effective. Manually migrating virtual machines, applying kernel updates, and rebooting took an average of 32 hours per server. Multiplied by 80 servers, that was more than 2,500 hours of work.

Shinya Tsunematsu, Senior Engineering Lead of Tech Division, GMO Pepabo

Spend less time on unplanned work

According to a study by Dimensional Research, 64% of IT professionals spend more than 100 hours per year on unplanned work. That is work that breaks focus and distracts from one’s goals and business objectives. With 40% of high and critical severity vulnerabilities affecting the Linux kernel, the number of interruptions can be significant. Livepatch reduces the unplanned work that comes from Linux kernel vulnerabilities, making you more effective when managing Ubuntu systems.

Reduce downtime

Downtime is one of the major pains of every service provider, yet it is unavoidable when vulnerability fixes for the Linux kernel are deployed the traditional way: the updated system must be rebooted to apply the changes, whatever the deployment strategy (Kubernetes, OpenStack or bare metal). Industry leaders achieve high uptime by combining livepatching with scheduled maintenance.

Follow organisational policy

Livepatch on-prem allows you to define your rollout policy and remain in full control of which machines get updated and when, and to deliver updates to isolated network environments. To keep your machines up to date, the Livepatch on-prem server regularly syncs with the Canonical Livepatch service and obtains the latest patches. It then applies your policy, releasing patches gradually in as many stages as needed.

Kernel livepatching at a glance

When a high or critical Linux kernel vulnerability is detected, a livepatch is issued together with a Livepatch Security Notice. Entitled systems that have enabled the Livepatch client receive and apply the patch once it is made available. The livepatch supplies new kernel code that replaces the vulnerable code, and redirects the rest of the kernel to use the new code.
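A livepatch replaces kernel functions while the system runs, so an operator will want to verify on the host that the new code is actually in effect. The following added example (not Canonical’s code) reads the kernel’s own livepatch sysfs interface, /sys/kernel/livepatch/<patch>/{enabled,transition} and the per-object function directories, plus the TAINT_LIVEPATCH bit of /proc/sys/kernel/tainted; the patch names, function names and the sample tree are constructed so that it runs offline.

```python
import tempfile
from pathlib import Path

TAINT_LIVEPATCH_BIT = 15  # bit 15 of /proc/sys/kernel/tainted is TAINT_LIVEPATCH

def livepatch_status(sysfs_root="/sys/kernel/livepatch"):
    """Map each loaded livepatch to its enabled/transition flags and patched functions.
    'enabled' is 1 while the patch is active; 'transition' is 1 while the kernel is still
    switching tasks to the new code, so the fix is not yet in effect for every task."""
    root = Path(sysfs_root)
    status = {}
    if not root.is_dir():
        return status  # nothing livepatched, or a kernel built without CONFIG_LIVEPATCH
    for patch in sorted(p for p in root.iterdir() if p.is_dir()):
        entry = {
            "enabled": (patch / "enabled").read_text().strip() == "1",
            "transition": (patch / "transition").read_text().strip() == "1",
            "objects": {},
        }
        for obj in sorted(o for o in patch.iterdir() if o.is_dir()):
            # each replaced function is a "<name>,<sympos>" subdirectory of its object
            entry["objects"][obj.name] = sorted(f.name.split(",")[0] for f in obj.iterdir() if f.is_dir())
        status[patch.name] = entry
    return status

def fully_applied(status):
    """Names of patches that are enabled and no longer in transition."""
    return sorted(n for n, s in status.items() if s["enabled"] and not s["transition"])

def livepatch_tainted(tainted_file="/proc/sys/kernel/tainted"):
    """True when the kernel taint mask records that a livepatch module was loaded."""
    return bool(int(Path(tainted_file).read_text()) & (1 << TAINT_LIVEPATCH_BIT))

def build_sample_tree(base):
    """Write a constructed sysfs-like layout (not captured from a real host) for offline runs."""
    specs = [("sample_patch_a", "1", "0", [("vmlinux", "do_sys_open,1")]),
             ("sample_patch_b", "1", "1", [("vmlinux", "tcp_connect,1"), ("xfs", "xfs_file_read_iter,1")])]
    for name, enabled, transition, funcs in specs:
        d = Path(base) / name
        d.mkdir(parents=True)
        (d / "enabled").write_text(enabled + "\n")
        (d / "transition").write_text(transition + "\n")
        for obj, func in funcs:
            (d / obj / func).mkdir(parents=True, exist_ok=True)
    return base

if __name__ == "__main__":
    st = livepatch_status(build_sample_tree(tempfile.mkdtemp()))
    print(st, "\nfully applied:", fully_applied(st))
```

On a real Ubuntu host, call livepatch_status() and livepatch_tainted() with their defaults; a patch listed with transition still set has not yet protected every task.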

Livepatch on-prem overview

Livepatch on-prem is designed for complex enterprise environments that follow their own rollout policy and remain in control of which machines get updated and when. Livepatch on-prem regularly syncs with the Canonical Livepatch service and obtains the latest patches. It then deploys the livepatches gradually in as many stages as required.