3

According to an answer to this question, livepatch supports only the release kernels for a given LTS release. This is understandable, in order to make development and support a possible task, but I've installed HWE on the last two versions on my daily driver (16.04 and 20.04) in order to obtain support for math libraries required for a Kerbal Space Program mod (Kopernicus, the real-gravity multi-body add-on).

I'd love to be able to keep my kernel updated without reboots that require reopening software I leave running in the background, and in general just to see the uptime line in my Conky get bigger than about 20 days.

Are there any known plans for livepatch to support these (from Canonical) HWE kernels?

Zeiss Ikon
  • 5,128
  • I have been running both the HWE Kernels and Livepatch. I didn't know that the HWE Kernels were not supported. The canonical-livepatch status is telling me that my kernel version of 5.13.0-30.33~20.04.1-generic is server check-in: succeeded and patch state: ✓ no livepatches needed for this kernel yet. Unless I am mistaken, it seems to be supported. – Terrance Mar 03 '22 at 15:13
  • Hmm. I'll have to try installing it when I'm home and see what I get... – Zeiss Ikon Mar 03 '22 at 15:16
  • Livepatch is done with the ua tool now. If I remember right, it is done via sudo ua enable livepatch <key>. – Terrance Mar 03 '22 at 15:17
  • Thanks, I'll be home in about seven hours, I'll try to remember to check this. – Zeiss Ikon Mar 03 '22 at 15:18
  • Sorry, I just looked at the manpage. The command to enable it is sudo ua enable-livepatch <token> – Terrance Mar 03 '22 at 17:44
  • And I get the value for somewhere? I always find man pages assume I know a lot more about Linux under the hood than I do... – Zeiss Ikon Mar 03 '22 at 17:51
  • You get it from https://auth.livepatch.canonical.com/ You will have to register for the account if you don't already have an Ubuntu One account. – Terrance Mar 03 '22 at 17:54
  • It should be still free for personal use. – Terrance Mar 03 '22 at 18:04
  • "Personal users of Ubuntu can subscribe three machines (laptop, server or cloud) free of charge. Canonical's customers are entitled to use the service on every system for which a product including Livepatch is active, including those covered by an Ubuntu Advantage enterprise support agreement (Essential, Standard, or Advanced)." – Terrance Mar 03 '22 at 18:05
  • It looks like the link above takes you to the Advantage page – Terrance Mar 03 '22 at 18:07
  • Try creating an account at https://login.ubuntu.com/ – Terrance Mar 03 '22 at 18:09
  • Claims to be working, similar status reported as yours above. Make that an answer and you'll get a vote and accept... – Zeiss Ikon Mar 03 '22 at 22:37

2 Answers

3

Update 2023-03-05: It appears that the canonical-livepatch does not support the 5.19 HWE Kernels at this time. Even a clean install of 22.04 LTS is not supported that comes with the 5.19 Kernel (probably never supported). However, it does appear that support for the HWE 6.2 Kernel is coming in July 2023, see: https://ubuntu.com/blog/canonical-livepatch-gets-even-better-now-supporting-hardware-enablement-kernels And now as the 6.15 Kernels have come out, they are not supported by canonical-livepatch at this time. My guess is that since we are a few months away from 24.04 release that the Kernel version then will be supported in that release.

$ canonical-livepatch status
last check: 40 seconds ago
kernel: 5.19.0-35.36~22.04.1-generic
server check-in: succeeded
patch state: ✗ kernel version not supported
tier: updates (Free usage; This machine beta tests new patches.)
machine id: <redacted>

$ canonical-livepatch status
last check: 55 minutes ago
kernel: 5.15.0-67.74-generic
server check-in: succeeded
patch state: ✓ no livepatches needed for this kernel yet
tier: updates (Free usage; This machine beta tests new patches.)
machine id: <redacted>


*Updated answer for pro instead of ua.

If you have an Ubuntu One account, you can do Livepatch for HWE Kernels for personal use on up to 5 systems. You will need to get a token for it to work.

Visit https://auth.livepatch.canonical.com/ to get your token.

Once you have your token you should be able to activate Livepatch on your system using the pro tool.

sudo pro enable livepatch <token>

Then Livepatch should be working for HWE Kernels. (See note above since this was working at the time with ua and not pro)

terrance@terrance-ubuntu:~$ canonical-livepatch status
last check: 45 minutes ago
kernel: 5.13.0-30.33~20.04.1-generic
server check-in: succeeded
patch state: ✓ no livepatches needed for this kernel yet
tier: updates (Free usage; This machine beta tests new patches.)
machine id: <redacted>
Terrance
  • 41,612
  • 7
  • 124
  • 183
  • Followup on this -- if (as is generally the case) I have to do upgrades via "wipe and install clean" (I run 3rd party repos/PPAs and skip LTS releases to avoid too-frequent "learn it all again"), will the new install be seen as a "new" system? – Zeiss Ikon Mar 04 '22 at 12:04
  • @ZeissIkon That is a good question. Reading the answer https://askubuntu.com/a/1073938/231142 he was able to install it on 6 systems without an issue. I don't know how they would keep track of how many you have other than possibly an on your honor type thing. I never really have more than 2 fully active Ubuntu installations running for me at a time, so I never really thought about it. Looks like the question above that answer says how to deactivate for that system and maybe you might have to before installing a new one. – Terrance Mar 04 '22 at 14:24
  • Ugh. Yet another thing to remember to do before starting the new install... – Zeiss Ikon Mar 04 '22 at 14:46
  • @ZeissIkon I honestly don't think it is necessary. I've never experienced anything yet. That was only for an example. I have had to reinstall my primary system many times and I have never deactivated it first. – Terrance Mar 04 '22 at 14:47
  • Hopefully it stays that way. – Zeiss Ikon Mar 04 '22 at 14:48
  • Well, it continues to appear to work correctly, but I still get nagged to restart after getting an upgrade for the 5.4.* kernel I'm not even using -- and attempting to remove that kernel just results in installing the one I didn't want to upgrade to (and a restart nag that won't go away until I restart). Off to ask another question about getting rid of non-HWE kernels. – Zeiss Ikon Mar 08 '22 at 23:37
  • @ZeissIkon Livepatch is used to patch the running Kernel, not to push the new version or upgrade into it. You have to restart say from a 5.13.0-30-generic to 5.13.0-31-generic. You cannot live switch between those actual Kernel upgrades. – Terrance Mar 08 '22 at 23:40
  • Well, that's annoying. I get kernel version upgrades every week or two; that frequent restarting is what I was trying to avoid. I haven't even been aware of lesser kernel patches... – Zeiss Ikon Mar 08 '22 at 23:44
  • @ZeissIkon You might want to see: https://askubuntu.com/questions/1174833/disable-kernel-auto-updates-in-ubuntu-18-04-cli-only where you can put the kernel upgrades on hold if you are on a kernel that is working. Vulnerabilities are usually patched with the LivePatch and that should help keep you from rebooting. There are other applications / drivers that may require reboots as well. – Terrance Mar 08 '22 at 23:51
  • Hmm. Holding kernel upgrades won't also hold the active HWE kernel? – Zeiss Ikon Mar 08 '22 at 23:56
  • @ZeissIkon If you put the right ones on hold. I think you will have to put linux-generic-hwe-20.04 on hold. – Terrance Mar 09 '22 at 00:01
  • @user535733 Good idea! Thank you for the suggestion and I will definitely work on one. :) – Terrance Jan 29 '24 at 15:45
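
Added example, not part of the original answer or of Canonical's tooling: a small POSIX shell function that turns the `canonical-livepatch status` text quoted in the answer above into a one-line verdict, so a monitoring job can flag a host whose running kernel is not covered by Livepatch. The function name, the verdict words and the "a `~` in the kernel string means HWE" heuristic are assumptions made for this example.

```sh
#!/bin/sh
# Added example: classify `canonical-livepatch status` text using only the
# fields that appear in the outputs quoted on this page.

# Sample inputs taken from the two status outputs quoted in the answer above.
SAMPLE_HWE='last check: 40 seconds ago
kernel: 5.19.0-35.36~22.04.1-generic
server check-in: succeeded
patch state: ✗ kernel version not supported
tier: updates (Free usage; This machine beta tests new patches.)
machine id: <redacted>'

SAMPLE_GA='last check: 55 minutes ago
kernel: 5.15.0-67.74-generic
server check-in: succeeded
patch state: ✓ no livepatches needed for this kernel yet'

# livepatch_state: read status text on stdin, print "<verdict> <flavour> <kernel>".
#   verdict: covered | unsupported | check-failed | unknown
#   flavour: hwe when the kernel string carries a "~NN.NN" suffix (heuristic
#            based on the samples above, an assumption), otherwise ga
livepatch_state() (
    kernel="" checkin="" state=""
    while IFS= read -r line; do
        case "$line" in
            "kernel: "*)          kernel=${line#kernel: } ;;
            "server check-in: "*) checkin=${line#server check-in: } ;;
            "patch state: "*)     state=${line#patch state: } ;;
        esac
    done
    case "$kernel" in *"~"*) flavour=hwe ;; *) flavour=ga ;; esac
    if [ "$checkin" != "succeeded" ]; then
        verdict=check-failed   # no successful check-in: the patch state is not trustworthy
    else
        case "$state" in
            *"kernel version not supported"*) verdict=unsupported ;;
            "✓"*)                             verdict=covered ;;
            *)                                verdict=unknown ;;
        esac
    fi
    printf '%s %s %s\n' "$verdict" "$flavour" "${kernel:-none}"
)

# Demo on the samples; on a real host: canonical-livepatch status | livepatch_state
printf '%s\n' "$SAMPLE_HWE" | livepatch_state
printf '%s\n' "$SAMPLE_GA"  | livepatch_state
```

A host reporting `unsupported` or `check-failed` still needs ordinary kernel updates and reboots to pick up security fixes.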
0

Just an update for new visitors. This is no longer an issue since now Kernel Livepatch supports HWE kernels: https://ubuntu.com/blog/canonical-livepatch-gets-even-better-now-supporting-hardware-enablement-kernels

Carlos B
  • 126