Ubuntu 16.04: Kernel Live Patch with Canonical Livepatch Service

Canonical Livepatch Service provides Kernel Live Patch for Ubuntu. Right now this is the most important feature for using Ubuntu.

1 Kernel Live Patch

Kernel Live Patch applies kernel updates without a reboot.

On a server, or on a host machine in a virtual infrastructure, rebooting for a kernel update stops the services and virtual machines running on it. But security updates must be applied immediately. With Kernel Live Patch, a kernel update does not stop services or virtual machines.

Kernel Live Patch is implemented as a loadable module. When function A, which has a security issue, is called, ftrace is invoked at the head of function A. ftrace then calls function B, the version with the security fix applied. Finally, function B returns directly to the caller of function A.

In effect, function A is replaced by function B.

Kernel Live Patch was introduced in linux-4.0, released in 2015. kpatch, which builds a Kernel Live Patch from a patch file, has already been released. But Kernel Live Patch had not been brought to major Linux distributions except under commercial support.

Now Canonical Livepatch Service brings Kernel Live Patch to Ubuntu. This is the most important thing for Ubuntu.

You can use Canonical Livepatch Service on up to 3 machines free of charge. If you need more, you need commercial support.

Kernel Live Patch does not currently support unloading a patch. This is a kernel issue: there is no good way to check whether a function in a Kernel Live Patch is still in use.

2 Installing Canonical Livepatch Service

Go to the Canonical Livepatch Service page.

0001_Canonical-Livepath-Service.png

Select "Ubuntu user", which is free of charge.

0002_Select-support.png

Log in with your Ubuntu One account, the same account used for askubuntu.com and launchpad.net. If you do not have one, create a new account.

0003_Login-ubuntu-one.png

The key is issued and displayed.

0004_Publish-key.png

Install Canonical Livepatch Service and enable it with the issued key. I think that this will be the most popular snap package.

$ sudo snap install canonical-livepatch
$ sudo /snap/bin/canonical-livepatch enable <key>
Successfully enabled device. Using machine-token: <machine-token>

This machine-token is used to count the number of enrolled machines.
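The enrolment above, as an added example script (not from the original post or from Canonical) that gates on the kernel version, installs and enables the snap, and then checks the `canonical-livepatch status --verbose` output to confirm a patch was actually applied to the running kernel. It assumes Ubuntu 16.04 with the 4.4 generic kernel, the key from the service page exported as LIVEPATCH_KEY, and a status dump whose applied-patch field is either `state:` or `patchState:`; the sample status text is constructed.

```shell
#!/bin/sh
# Added example: pre-flight and post-enable checks around canonical-livepatch.
# Assumptions (not from the original post): Ubuntu 16.04 with the 4.4 generic
# kernel, and the key from the service page exported as LIVEPATCH_KEY.
set -u

# Return 0 if a kernel release string is at least 4.4 (the stock Ubuntu 16.04
# kernel that Canonical Livepatch targets), 1 otherwise.
kernel_supports_livepatch() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 4 ]; }
}

# Return 0 if a status dump reports a live patch applied to the running
# kernel, 1 otherwise. Accepts either the older "state:" or the newer
# "patchState:" field name (an assumption about the client output format).
patch_applied() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(patchState|state): applied$'
}

# Constructed sample of a status dump, not real output from a machine.
SAMPLE_STATUS='kernel: 4.4.0-45.66-generic
running: true
livepatch:
  checkState: checked
  patchState: applied
  version: "13.1"'

main() {
    kernel_supports_livepatch "$(uname -r)" \
        || { echo "kernel $(uname -r) is too old for live patching" >&2; exit 1; }
    command -v snap >/dev/null 2>&1 \
        || { echo "snapd is not installed" >&2; exit 1; }
    : "${LIVEPATCH_KEY:?set LIVEPATCH_KEY to the key from the service page}"

    sudo snap list canonical-livepatch >/dev/null 2>&1 \
        || sudo snap install canonical-livepatch
    sudo /snap/bin/canonical-livepatch enable "$LIVEPATCH_KEY"

    status=$(sudo /snap/bin/canonical-livepatch status --verbose)
    if patch_applied "$status"; then
        echo "live patch applied to the running kernel"
    else
        echo "enrolled, but no patch applied yet; re-check status later" >&2
        printf '%s\n' "$status"
    fi
}

# Run the enrolment only when executed directly, not when sourced.
if [ "${0##*/}" = "livepatch_enroll.sh" ]; then main; fi
```

Save it as livepatch_enroll.sh; a status dump with `patchState: nothing-to-apply` is normal right after enabling when no fix is pending for the running kernel.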

If you want to remove the machine from Canonical Livepatch Service, run "canonical-livepatch disable".

$ sudo /snap/bin/canonical-livepatch disable