Bruh, do you even live patch?

By: Luke Rawlins Nov 4, 2016 | 3 minutes read

Tags: livepatch, Ubuntu, Linux

Patching is arguably the single most important thing you can do to keep your systems secure.

It’s also tedious, boring work that ends with everyone’s least favorite activity: rebooting some indispensable, far-too-important-for-downtime server. That often means patching takes a back seat to convenience, but no more!

Starting with Ubuntu 16.04, and continuing on to the latest LTS, Ubuntu 18.04, you can now update the kernel on a live system without a reboot.

*note - I use vi as my text editor; if you aren’t comfortable with that, replace all instances of vi or vim with nano.

Strictly speaking, unattended upgrades are not necessary for live kernel patching, since that is handled by a snap package. But it’s not a bad idea to let the rest of your packages update periodically as well.

sudo apt update
sudo apt install unattended-upgrades

The configuration file for unattended-upgrades can be found at /etc/apt/apt.conf.d/50unattended-upgrades. By default it is configured to upgrade packages marked for security updates. You can keep that configuration or change the file as below to allow the updates channel as well.

sudo vim /etc/apt/apt.conf.d/50unattended-upgrades 

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

You can also “blacklist” packages that, for one reason or another, you do not want upgraded. A “//” marks a comment in this file, so if you never want vim upgraded, simply delete the double slashes. Add any package you want to the list and it will be skipped when the system updates.

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

Toward the bottom of this file you will notice some blasphemous talk of automatic reboots, you don’t need that kind of negativity in your life… we are working towards live patching. Leave it turned off.

Now we need to update the apt configuration so that it knows when to run updates.

sudo cat /etc/apt/apt.conf.d/10periodic

This will display a file that looks like this:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";

The number at the end of each line is how often, in days, apt will check for, download, and clean up updates. We are going to change a few of these values and add a line that installs the updates.

sudo vim /etc/apt/apt.conf.d/10periodic

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

This configuration will check for, download, and install updates at a randomized time every day, and clean up downloaded packages once every 7 days. For more details check /etc/cron.daily/apt-compat.
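To confirm the two files end up in the state described above, here is an added Python audit (not from the original post) that parses the apt.conf subset these files use, ignores “//” comments, and flags the weak settings: the security archive missing from Allowed-Origins, Automatic-Reboot turned on, and APT::Periodic::Unattended-Upgrade still at 0. The file contents below are constructed samples, not copied from a real host.

```python
import re
# Constructed sample of /etc/apt/apt.conf.d/50unattended-upgrades (not from a real host)
SAMPLE_UNATTENDED = """\
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
//      "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "true";
"""
# Constructed sample of /etc/apt/apt.conf.d/10periodic (the default shown above)
SAMPLE_PERIODIC = """\
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
"""
SCALAR = re.compile(r'^\s*([\w:+-]+)\s+"([^"]*)"\s*;')   # Key "value";
BLOCK = re.compile(r'^\s*([\w:+-]+)\s*\{')                # Key {
ITEM = re.compile(r'^\s*"([^"]*)"\s*;')                   # "item"; inside a block

def parse_apt_conf(text):
    """Parse the apt.conf subset these files use: scalars, string lists, // comments."""
    scalars, lists, block = {}, {}, None
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue                      # commented out, so not active
        if block is not None:
            if line.strip().startswith("}"):
                block = None
            elif (m := ITEM.match(line)):
                lists[block].append(m.group(1))
        elif (m := SCALAR.match(line)):
            scalars[m.group(1)] = m.group(2)
        elif (m := BLOCK.match(line)):
            block, lists[m.group(1)] = m.group(1), []
    return scalars, lists

def audit(unattended_text, periodic_text):
    """Return the ways the two files deviate from the setup the post describes."""
    s1, l1 = parse_apt_conf(unattended_text)
    s2, _ = parse_apt_conf(periodic_text)
    findings = []
    origins = l1.get("Unattended-Upgrade::Allowed-Origins", [])
    if not any(o.endswith("-security") for o in origins):
        findings.append("security archive missing from Allowed-Origins")
    if s1.get("Unattended-Upgrade::Automatic-Reboot", "false").lower() == "true":
        findings.append("Automatic-Reboot is on; leave it off when live patching")
    if s2.get("APT::Periodic::Unattended-Upgrade", "0") == "0":
        findings.append("APT::Periodic::Unattended-Upgrade is 0, so nothing is installed")
    return findings
```

Run it against the real files by passing their contents to audit(); an empty list means the host matches the setup above.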


Now the fun part: install the Livepatch service. Canonical, the company behind Ubuntu, allows anyone to install live patching for free on up to 3 desktops or servers. Beyond that you will need a paid support contract.

Go to the registration portal to register for your Livepatch token. https://auth.livepatch.canonical.com/

sudo snap install canonical-livepatch
sudo canonical-livepatch enable [put_your_token_here_without_brackets]

That’s it!

Take a look at https://ubuntu.com/livepatch for more information.
