73

Ubuntu says

Use canonical Livepatch to increase security between restarts.

I have to sign in to do this, so is it worth setting up? I'm not sure what it is, the box is unticked.

The more secure the better, but is it worth it? How complicated is this?

5 Answers

64

Livepatch allows you to install some critical kernel security updates without rebooting your system, by directly patching the running kernel.

It does not affect regular (not security-critical) kernel updates, you still have to install those the regular way and reboot. It does not affect updates to other non-kernel packages either, which don't require a reboot anyway.

On a regular home or office computer, which does get rebooted daily (or every few days to weeks at least, your mileage may vary), Livepatch probably doesn't give you many benefits. It's mainly intended for servers which are supposed to have months and years of continuous uptime without reboots.

See e.g. this blog post for more information about Livepatch: http://blog.dustinkirkland.com/2016/10/canonical-livepatch.html

Byte Commander
  • 13
    Why does Livepatch require signing in with an Ubuntu Single Sign-On Account? – Aaron Franke Apr 03 '19 at 07:22
  • 4
    @AaronFranke It's Canonical's business model, I suppose. You get up to three free instances at a time for testing and personal use, and have to pay if you need more. – Byte Commander Apr 03 '19 at 08:28
  • 2
    What's stopping people from just creating multiple accounts then? One for each computer, infinite live patching? – Aaron Franke Apr 03 '19 at 09:08
  • 17
    Probably nothing. Morals maybe. – Byte Commander Apr 03 '19 at 09:52
  • 5
    For business use with bunches of machines to handle, creating a lot of accounts and managing them individually is just too complicated, with unneeded human work. The engineers needed for maintenance also have to be paid. No wonder we prefer a license. – ttimasdf May 05 '19 at 01:29
  • Is there a non-SNAP (i.e. deb) version of LivePatch? SNAPs don't work on servers where the $HOME is on a different drive that the BOOT/OS drive. – Andor Kiss Aug 21 '19 at 21:20
  • @AaronFranke I wouldn't be surprised if they monitor hits based on ip addresses and correlate access across accounts. For example, Netflix is definitely aware when you're sharing passwords with someone else. A lot of time free instances have EULAs that prevent you from doing exactly what you're talking about with them (only using free versions), so a ton of free versions under different user names checking in from the same ip address is going to look mighty suspicious to Canonical. Which has the possibility to open a company up to legal liability. Which can be real bad, especially punitive. – Jazzepi Sep 30 '19 at 19:08
  • I want to use Livepatch but don't know why I always get a Livepatch error. – dgor Jan 26 '22 at 13:57
16

You have to run snap for this to work, which is not a big deal for some, but a dealbreaker for me.

I actually tried this for a while (months) when it first came out, and it never got invoked.

You are unlikely to need this on a desktop computer.

Organic Marble
4

Absolutely NEVER install Canonical Livepatch unless you buy the Pro version. The free version puts you at risk by installing untested patches, YOU ARE THE GUINEA PIG!!! Just run the "canonical-livepatch status" command and you'll see you are a beta tester without any way to opt out.

Gene
  • 1
    Indeed you are correct: tier: updates (Free usage; This machine beta tests new patches.) That's an interesting and worthwhile observation. Do you happen to know if "Ubuntu Pro" and "Ubuntu Advantage" both eliminate this beta-tester requirement? I've scoured the documentation and can't find any mention of this. – Ben Johnson Aug 31 '22 at 13:54
  • Some evidence this is more than just FUD: https://canonical.com/blog/livepatch-2021-03-24-incident-investigation-report – Dark Nov 22 '22 at 16:28
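An added example, not code from any answer on this page: a small POSIX sh audit that parses the output of "canonical-livepatch status" for the free beta-testing tier line quoted above, and checks the reboot-required flag file that Ubuntu's update tooling writes, since Livepatch does not remove the need to reboot for regular kernel updates. The status text is passed in as a string, so the sample below is constructed (only the tier line is taken from the answer); the path /var/run/reboot-required is the standard Ubuntu flag file.

```shell
# Return 0 if the status output says this machine beta-tests new patches.
livepatch_is_beta_tier() {
    printf '%s\n' "$1" | grep -qi 'beta tests new patches'
}

# Print the value of the "tier:" line (e.g. "updates (Free usage; ...)"),
# or nothing if the line is absent.
livepatch_tier() {
    printf '%s\n' "$1" | sed -n 's/^tier:[[:space:]]*//p'
}

# Return 0 if a reboot is still pending, i.e. a regular kernel or package
# update was installed that Livepatch cannot cover. $1 overrides the flag
# file path (defaults to the one Ubuntu's update tooling writes).
reboot_required() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# Combine the checks into a one-line verdict suitable for a monitoring job.
# $1 = status output text, $2 = reboot flag file path.
livepatch_audit() {
    status="$1"; flag="$2"
    verdict="tier=$(livepatch_tier "$status" | sed 's/ .*//')"
    if livepatch_is_beta_tier "$status"; then
        verdict="$verdict beta_tester=yes"
    else
        verdict="$verdict beta_tester=no"
    fi
    if reboot_required "$flag"; then
        verdict="$verdict reboot_required=yes"
    else
        verdict="$verdict reboot_required=no"
    fi
    printf '%s\n' "$verdict"
}

# Constructed sample of the status output. The tier line is the one quoted in
# the comment above; the other lines are illustrative, not captured from a host.
SAMPLE_STATUS='last check: 2 minutes ago
kernel: 5.4.0-42.46-generic
patch state: all applicable livepatch modules inserted
tier: updates (Free usage; This machine beta tests new patches.)'

# Real use on a host with the snap installed:
#   livepatch_audit "$(canonical-livepatch status)" /var/run/reboot-required
```

On the constructed sample this prints "tier=updates beta_tester=yes reboot_required=no" when no reboot flag is present.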
2

Seems to me this is unneeded if you are running AWS instances in EC2, as the kernel is not upgradable even though it says so in the welcome messages. I think AWS tunes their branded kernels and there isn't a need to install Livepatch, as it will never pull any updates.

1

There is further description within the dialog. Livepatch allows you to apply updates without rebooting. This is usually (but not always) intended to be temporary. In those cases, it isn't the same as restarting to apply the update properly. Also, some updates cannot be applied at all without rebooting.
If you intend/need to keep your system on for a long time, and think you won't be able to restart for an update, it is best you set this up. As soon as an update (especially a security update) is rolled out, you want to get it running on your system ASAP to minimise risk.

Aswin B
  • 2
    Why does Livepatch require signing in with an Ubuntu Single Sign-On Account? – Aaron Franke Apr 03 '19 at 07:22
  • 3
    To limit it to three machines per account, as this is part of their commercial services as the company Canonical, as Byte Commander said earlier on. Post three machines you have to pay, @Aaron Franke. – rhand Apr 23 '19 at 03:13
  • But creating an Ubuntu account is free. What if I create another account and use LivePatch for free on the 4th device? – Damn Vegetables Aug 14 '19 at 16:58
  • 2
    @DamnVegetables Nothing, but they are not targeting people with four or five or ten servers here. The actual target for this is people who manage 100 or up to thousands of servers. Creating and keeping track of all those accounts would be a nightmare, and completely not worth the time at the average salary a sysadmin makes. If you just have a few you can probably get by with a couple of separate accounts, TOS notwithstanding. – SilentVoid Dec 12 '20 at 17:58