canonical livepatch

Dimitri John Ledkov xnox at ubuntu.com
Fri Nov 4 11:29:17 UTC 2016


Hello,

On 4 November 2016 at 09:00, Christian Ehrhardt
<christian.ehrhardt at canonical.com> wrote:
> Hi,
> just checked, with the same kernel mine still looks today like yours did
> initially.
> If you run the status command with --verbose it will list the status it is in,
> which might help seeing what's going on on your system.
>

Well if you reboot every day, then you boot the kernel which is fully
patched - with all security (not just severe ones) and bugfixes. Such
kernels are released at the same time as livepatches.
I.e. if one can afford reboots, one is fully up to date.

Plus this service is currently running for xenial only.

I don't like rebooting my desktop. Hence I have:

$ uptime
 11:25:14 up 24 days,  7:20,  3 users,  load average: 3.15, 2.50, 2.20

$ lsmod | grep live
kpatch_livepatch_Ubuntu_4_4_0_38_57_generic_13    49152  1

$ sudo canonical-livepatch status --verbose
client-version: "5"
machine-id: censored
machine-token: censored
architecture: x86_64
cpu-model: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
last-check: 2016-11-04T11:07:47.882167806Z
boot-time: 2016-10-11T05:05:04+01:00
uptime: 583h20m17s
status:
- kernel: 4.4.0-38.57-generic
  running: true
  livepatch:
    state: applied
    version: "13.3"
    fixes: ""

Maybe I should reboot into a newer kernel 38 -> 45. If you are running
45 kernel, I presume you wouldn't need any livepatches as everything
is rolled into the latest kernel update.

-- 
Regards,

Dimitri.
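
Added example, not part of the original message: a shell check that cross-validates the two outputs shown above, confirming that the entry marked `running: true` reports `state: applied` and that the matching kpatch module appears in `lsmod`. The module naming rule is inferred from the single sample in this message and is an assumption; the function and variable names are hypothetical.

```shell
# Added example: cross-check `canonical-livepatch status --verbose`
# against `lsmod` for the running kernel.

# Print "kernel state version" for the status entry with running: true.
livepatch_running_entry() {
    awk '
        /^- kernel:/    { kernel = $3; running = ""; state = "" }
        /^  running:/   { running = $2 }
        /^    state:/   { state = $2 }
        /^    version:/ { gsub(/"/, "", $2)
                          if (running == "true") print kernel, state, $2 }
    '
}

# $1 = status output, $2 = lsmod output. Returns 0 ok, 1 warning, 2 unknown.
livepatch_check() {
    status_text=$1
    lsmod_text=$2
    entry=$(printf '%s\n' "$status_text" | livepatch_running_entry)
    if [ -z "$entry" ]; then
        echo "UNKNOWN no entry with running: true"
        return 2
    fi
    kernel=${entry%% *}; rest=${entry#* }
    state=${rest%% *};   version=${rest#* }
    # Assumption: module = prefix + kernel with . and - as _ + major patch version
    module="kpatch_livepatch_Ubuntu_$(printf '%s' "$kernel" | tr '.-' '__')_${version%%.*}"
    if [ "$state" != "applied" ]; then
        echo "WARN $kernel livepatch state is $state"
        return 1
    fi
    if ! printf '%s\n' "$lsmod_text" |
        awk -v m="$module" '$1 == m { found = 1 } END { exit !found }'; then
        echo "WARN status reports applied but $module is not loaded"
        return 1
    fi
    echo "OK $kernel livepatch $version applied ($module loaded)"
}

# Constructed sample input, copied from the outputs in this message.
SAMPLE_STATUS='status:
- kernel: 4.4.0-38.57-generic
  running: true
  livepatch:
    state: applied
    version: "13.3"
    fixes: ""'
SAMPLE_LSMOD='kpatch_livepatch_Ubuntu_4_4_0_38_57_generic_13    49152  1'
livepatch_check "$SAMPLE_STATUS" "$SAMPLE_LSMOD"
```

On a live system the two arguments would be the captured outputs of `sudo canonical-livepatch status --verbose` and `lsmod`.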
