Linux Kernel Livepatch
Mitigate Linux kernel exploits
with Livepatch
Livepatch shrinks the exploit window for critical and high severity Linux kernel vulnerabilities, by patching the Linux kernel between security maintenance windows, while the system runs.
Livepatch provides security coverage for 10 years with Ubuntu Pro, and an additional two years with Ubuntu Pro Legacy, for a total of 12 years.
The benefits of Livepatch
Spend less time on unplanned work
According to a study of Dimensional research 64% of IT professionals spend more than 100 hours per year on unplanned work. That’s work that eliminates focus and distracts from one’s goals and business objectives. With 40% of high and critical severity vulnerabilities affecting the Linux kernel, the number of interruptions can be significant.
Livepatch reduces the unplanned work that comes from Linux kernel vulnerabilities, making you more effective when managing Ubuntu systems.
Reduce downtime
Downtime is one of the major pains of every service provider. That is however unavoidable when deploying vulnerability fixes on the Linux kernel the traditional way. That’s because the updated system needs to be rebooted to apply the changes irrespective of your deployment strategy (Kubernetes, OpenStack or bare-metal). Industry leaders achieve high uptime by livepatching and scheduled maintenance.
Follow organizational policy
Livepatch on-prem allows you to define your rollout policy and remain in full control of which machines will get updated and when, as well as provide updates to isolated network environments. To keep your machines up-to-date, the Livepatch on-prem server regularly syncs with Ubuntu Livepatch service and obtains the latest patches. It then applies the policy for releasing patches gradually in as many stages as needed.
Livepatch is used by
Kernel livepatching at a glance
When a high or critical Linux kernel vulnerability is detected a livepatch along with a Livepatch Security Notice are issued. Systems that enable the livepatch client will receive and apply the patch, after it is made available. The livepatch will provide new kernel code replacing the vulnerable one, and will update the rest of the kernel to use the new code.
Livepatch on-prem overview
Livepatch on-prem is designed for complex Enterprise environments that follow their own rollout policy and remain in control of which machines will get updated and when. Livepatch on-prem regularly syncs with the Ubuntu Livepatch service and obtains the latest patches. It then deploys the livepatches gradually in as many stages as required.
What our customers say
“Livepatch is a perfect fit for our needs. There’s no other solution like it, and it’s highly cost-effective. Manually migrating virtual machines, applying kernel updates, and rebooting took an average of 32 hours per server. Multiplied by 80 servers, that was more than 2,500 hours of work.”
Shinya Tsunematsu
Senior Engineering Lead
Tech Division, GMO Pepabo
“Livepatch is like a dream come true, both from a technical and a business standpoint. Our Ubuntu systems now rarely, or never, have to be rebooted. Service is continuous. That makes a big difference for user and customer satisfaction and loyalty.”
Masaaki Hirose
IT Platform Department
DeNA
Get Livepatch with Ubuntu Pro
Free for personal use
Livepatch is available free for up to 5 machines, for personal use, or evaluation purposes.
Part of Ubuntu Pro
Get Livepatch with an Ubuntu Pro subscription from Canonical.
How to enable
the Ubuntu Livepatch service
1 Attach your subscription
sudo pro attach [TOKEN]Note: obtain the subscription token via the Ubuntu Pro portal.
2 Enable Livepatch on your system
sudo pro enable livepatchLearn more about Livepatch
Webinar
Documentation
Datasheet
Best practices for scheduling security patching automations
In this webinar, you’ll learn about Canonical's release schedule for Ubuntu and its security updates, and how you can use this information to set optimal manual and automated security patching maintenance intervals.
