sudoedit.com!

Bruh, do you even live patch?

Patching is arguably the single most important thing you can do to keep your systems secure.

It's also tedious, boring work that ends with everyone's least favorite activity: rebooting some indispensable, far-too-important-for-downtime server. That often means patching takes a back seat to convenience. But no more!

Starting with Ubuntu 16.04, and continuing on to the latest LTS, Ubuntu 18.04, you can now update the kernel on a live system without a reboot.

*Note: I use vi as my text editor. If you aren't comfortable with that, replace all instances of vi or vim below with nano.

Unattended Upgrades

Strictly speaking, unattended upgrades are not necessary for live kernel patching, since that is handled by a snap package. But it's not a bad idea to let the rest of your packages update periodically as well.

    sudo apt update
    sudo apt install unattended-upgrades

The configuration file for unattended-upgrades is /etc/apt/apt.conf.d/50unattended-upgrades. By default it is configured to upgrade only packages from the security channel. You can keep that configuration, or change the file as below to allow the updates channel as well.

    sudo vim /etc/apt/apt.conf.d/50unattended-upgrades

    // Automatically upgrade packages from these (origin:archive) pairs
    Unattended-Upgrade::Allowed-Origins {
            "${distro_id}:${distro_codename}";
            "${distro_id}:${distro_codename}-security";
            "${distro_id}:${distro_codename}-updates";
    //      "${distro_id}:${distro_codename}-proposed";
    //      "${distro_id}:${distro_codename}-backports";
    };

You can also "blacklist" packages that, for one reason or another, you do not want upgraded. "//" marks a comment in this file, so if you never wanted vim upgraded you would simply delete the double slashes in front of it. Add any package you want to the list and it will be skipped when the system updates.

    // List of packages to not update (regexp are supported)
    Unattended-Upgrade::Package-Blacklist {
    //      "vim";
    //      "libc6";
    //      "libc6-dev";
    //      "libc6-i686";
    };

Toward the bottom of this file you will notice some blasphemous talk of automatic reboots. You don't need that kind of negativity in your life; we are working towards live patching. Leave it turned off.

Now we need to update the apt configuration so that it knows when to run updates.

    sudo cat /etc/apt/apt.conf.d/10periodic

This will display a file that looks like this:

    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "0";
    APT::Periodic::AutocleanInterval "0";

The number at the end of each line is how often, in days, apt will check for updates, download them, and clean up old packages. We are going to change a few values and add a line that actually installs the updates.

    sudo vim /etc/apt/apt.conf.d/10periodic

    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "7";
    APT::Periodic::Unattended-Upgrade "1";

This configuration will check for, download, and install updates at a randomized time every day, and clean up downloaded packages once every 7 days. For more details, check /etc/cron.daily/apt-compat.
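As an added example (my own script, not code from the original post), here is a small POSIX shell audit for the two files edited above: it confirms the 10periodic values that make updates actually run, confirms Automatic-Reboot is still commented out in 50unattended-upgrades, and notes when a userspace package has asked for a reboot that live patching cannot cover. The helper names and the `audit` argument are assumptions of this example; the paths are the Ubuntu defaults used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit the settings the post has you
# edit, so you can confirm a host is set to patch itself and NOT to reboot on its own.
# Assumptions: Ubuntu default paths from the post; the helper names
# periodic_value, reboot_enabled and audit_patching are our own.

# Print the number from an APT::Periodic::<Key> line of a 10periodic-style file.
# Prints 0 when the key is absent, which is what apt assumes for a missing key.
periodic_value() {
    # $1 = config file, $2 = key (e.g. Unattended-Upgrade)
    v=$(sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([0-9]*\)\";.*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-0}"
}

# True (exit 0) when 50unattended-upgrades has an uncommented
# Unattended-Upgrade::Automatic-Reboot "true"; a "//" prefix disables the line.
reboot_enabled() {
    grep -Eq '^[[:space:]]*Unattended-Upgrade::Automatic-Reboot[[:space:]]+"true";' "$1"
}

# Exit 0 when both files match the post's recommendation, 1 otherwise.
audit_patching() {
    # $1 = 10periodic file, $2 = 50unattended-upgrades file
    rc=0
    for key in Update-Package-Lists Download-Upgradeable-Packages Unattended-Upgrade; do
        if [ "$(periodic_value "$1" "$key")" = "0" ]; then
            echo "FAIL: APT::Periodic::$key is 0 or unset, so updates will not run unattended"
            rc=1
        fi
    done
    if reboot_enabled "$2"; then
        echo "FAIL: Automatic-Reboot is enabled; the post says to leave it off"
        rc=1
    fi
    # Livepatch covers only the running kernel: when a userspace package such as
    # libc still wants a reboot, Ubuntu leaves this flag file behind.
    if [ -e /var/run/reboot-required ]; then
        echo "NOTE: /var/run/reboot-required exists; something still wants a reboot"
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: unattended updates on, automatic reboot off"
    fi
    return "$rc"
}

# Run against the live system with:  sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_patching /etc/apt/apt.conf.d/10periodic /etc/apt/apt.conf.d/50unattended-upgrades
fi
```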

Live Patching

Now the fun part: installing the Livepatch service. Canonical, the company behind Ubuntu, lets anyone install live patching for free on up to 3 desktops or servers. Beyond that you will need a paid support contract.

Go to the registration portal at https://auth.livepatch.canonical.com/ to get your Livepatch token.

Then install the Livepatch snap and enable it with your token:

    sudo snap install canonical-livepatch
    sudo canonical-livepatch enable [put_your_token_here_without_brackets]

That's it!

Take a look at https://ubuntu.com/livepatch for more information.