Theoretically, there is sense in installing kernel live patching on a server Ubuntu installation that reboots daily: you decrease the window of opportunity for hacker attacks that can occur between the time the patch is published and the scheduled reboot.
I have Canonical livepatch installed on my desktop Ubuntu and it does work. At the time the patch was published, it had live patched my kernel, which is visible with the command:
# canonical-livepatch status --verbose
The command will say "patchState: nothing-to-apply", yet it will list the patched CVE vulnerabilities by CVE number when a live patch is issued:
# canonical-livepatch status
client-version: "1"
architecture: x86_64
cpu-model: QEMU Virtual CPU version 2.4.0
last-check: 2016-08-24T19:38:36.793837171Z
boot-time: 2016-08-24T18:53:56Z
uptime: 45m4s
status:
- kernel: 4.4.0-21.37-generic
  running: true
  livepatch:
    state: applied
    version: "10.1"
    fixes: |-
      * CVE-NNNN-XXXX LP: #NNNNNNN
You don't set up a time when your system is patched, as it depends on Canonical making the patch available, at which point livepatchd will live patch your kernel ASAP. A reboot is not necessary, and your system will remain patched until the scheduled reboot.
Unless you install a new version of the kernel when it is available via
# apt-get dist-upgrade
your system will continue to live patch the kernel upon the next power on, right until you do install the Linux kernel upgrade and reboot, having selected the patched kernel or made it the default.
By default, canonical-livepatch will check if there are new patches made available by Canonical every 60 minutes.
You can change this check interval (in minutes) with:
# canonical-livepatch config check-interval=120
Unfortunately, the lowest value is hardcoded to 60 minutes.
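As an added example (not part of the answer above, and not Canonical's tooling), the following POSIX shell script checks the two things the answer discusses: whether the running kernel currently has a live patch applied and which CVEs it covers, and whether a requested check-interval value is one the client will accept. It parses a constructed sample of `canonical-livepatch status --verbose` output modelled on the listing above; the CVE and bug numbers in the sample are placeholders, and the `--live` flag, which reads the real client output instead, is an assumption of this script, not a client option.

```shell
#!/bin/sh
# Constructed sample of `canonical-livepatch status --verbose` output,
# modelled on the answer above. CVE and LP numbers are placeholders.
SAMPLE_STATUS='client-version: "1"
architecture: x86_64
cpu-model: QEMU Virtual CPU version 2.4.0
last-check: 2016-08-24T19:38:36.793837171Z
boot-time: 2016-08-24T18:53:56Z
uptime: 45m4s
status:
- kernel: 4.4.0-21.37-generic
  running: true
  livepatch:
    state: applied
    version: "10.1"
    fixes: |-
      * CVE-NNNN-XXXX LP: #NNNNNNN
      * CVE-NNNN-YYYY LP: #NNNNNNN'

# Print the livepatch state ("applied", "nothing-to-apply", ...) from status text on stdin.
livepatch_state() {
    awk '$1 == "state:" { print $2; exit }'
}

# Print the CVE identifiers listed under "fixes:", one per line, from status text on stdin.
livepatch_fixes() {
    awk '/^[[:space:]]*\* CVE-/ { print $2 }'
}

# Return 0 when the status text in $1 shows a live patch applied, 1 otherwise.
livepatch_is_applied() {
    [ "$(printf '%s\n' "$1" | livepatch_state)" = "applied" ]
}

# Return 0 when $1 is a check-interval (minutes) the client accepts: an integer of at least 60.
valid_check_interval() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 60 ]
}

# Stand-alone use: `--live` (hypothetical flag of this script) reads the real client,
# otherwise the constructed sample is used so the script runs offline.
if [ "${1:-}" = "--live" ]; then
    STATUS="$(canonical-livepatch status --verbose)"
else
    STATUS="$SAMPLE_STATUS"
fi

if livepatch_is_applied "$STATUS"; then
    echo "live patch applied; fixes:"
    printf '%s\n' "$STATUS" | livepatch_fixes
else
    echo "no live patch applied (state: $(printf '%s\n' "$STATUS" | livepatch_state))"
fi
```

Run without arguments to see the parsing over the sample; on a machine with the client installed, `sh livepatch-check.sh --live` reports the real state. A monitoring job can call `livepatch_is_applied` after each expected check interval and alert when the state is anything other than `applied` while a patch is known to be out.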