How to manage Livepatch
For Ubuntu LTS releases, Livepatch is automatically enabled after you attach
your Ubuntu Pro subscription. However, you can choose to disable it initially
via the dashboard, and then enable it at a later time from the command line
using the Ubuntu Pro Client (pro).
Make sure pro is up-to-date
All systems come with pro pre-installed through the ubuntu-advantage-tools
package. To make sure that you’re running the latest version of pro, run the
following commands:
sudo apt update && sudo apt install ubuntu-advantage-tools
Check the status of the services
After you have attached your subscription and updated the
ubuntu-advantage-tools package, you can check which services are enabled by
running the following command:
pro status
This will show you which services are enabled or disabled on your machine (output truncated for brevity):
SERVICE          ENTITLED  STATUS    DESCRIPTION
esm-apps         yes       enabled   Expanded Security Maintenance for Applications
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
livepatch        yes       enabled   Canonical Livepatch service
realtime-kernel  yes       disabled  Ubuntu kernel with PREEMPT_RT patches integrated
How to enable Livepatch
Important
Once you enable Livepatch, enabling some Pro services will not be possible until Livepatch is disabled again. For a complete view of which services are compatible with Livepatch, refer to the services compatibility matrix.
If Livepatch is disabled and you want to enable it, run the following command:
$ sudo pro enable livepatch
You should see output like the following, indicating that the Livepatch snap package has been installed successfully:
One moment, checking your subscription first
Installing snapd
Updating package lists
Installing canonical-livepatch snap
Canonical livepatch enabled.
Check Livepatch status after installation
If you’re interested in the detailed status of the Livepatch client once it has been installed, use the following command:
$ sudo canonical-livepatch status
Unsupported kernels
Although you can enable Livepatch on an unsupported kernel, since patches are kernel-specific, you will not receive any updates from Livepatch if your kernel is not supported.
The pro status command will warn you in its output if Livepatch is not
supported:
SERVICE          ENTITLED  STATUS    DESCRIPTION
esm-apps         yes       enabled   Expanded Security Maintenance for Applications
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
livepatch        yes       warning   Current kernel is not supported
realtime-kernel  yes       disabled  Ubuntu kernel with PREEMPT_RT patches integrated
NOTICES
The current kernel (5.19.0-46-generic, amd64) is not supported by livepatch.
Supported kernels are listed here: https://ubuntu.com/security/livepatch/docs/kernels
Either switch to a supported kernel or `pro disable livepatch` to dismiss this warning.
The canonical-livepatch status command will also warn you if your kernel is
unsupported (output truncated for brevity):
...
server check-in: succeeded
kernel state: ✗ kernel not supported by Canonical
patch state: ✓ no livepatches needed for this kernel yet
...
You can also check the kernel support matrix to see if your kernel is supported by Livepatch. To find out more, refer to this explanation of how Livepatch works.
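The following is an added example, not part of the Ubuntu Pro documentation: a POSIX shell check that reads the human-readable text of pro status and separates a host where Livepatch is enabled from one where it is enabled but the kernel is unsupported, so no patches will arrive. The function names and exit codes are this example's own, it assumes the table and notice layout shown above, and the sample inputs are trimmed copies of the outputs on this page.

```shell
#!/bin/sh
# Added example: classify Livepatch coverage from `pro status` text output.
# Function names and exit codes are hypothetical, not part of the pro client.

# Print the STATUS column of the livepatch row, or "absent" if there is none.
livepatch_state() {
    awk '$1 == "livepatch" { print $3; found = 1; exit }
         END { if (!found) print "absent" }'
}

# Print the kernel version named in the "not supported by livepatch" notice.
unsupported_kernel() {
    sed -n 's/^The current kernel (\([^,]*\),.*not supported by livepatch.*/\1/p'
}

# Return 0 when Livepatch is enabled, 1 when it is enabled but the kernel is
# unsupported (no patches will be delivered), 2 when it is off or not listed.
check_livepatch() {
    status_text=$1
    state=$(printf '%s\n' "$status_text" | livepatch_state)
    case $state in
        enabled) echo "OK: livepatch enabled"; return 0 ;;
        warning)
            kernel=$(printf '%s\n' "$status_text" | unsupported_kernel)
            echo "GAP: livepatch enabled, kernel ${kernel:-unknown} unsupported"
            return 1 ;;
        *) echo "OFF: livepatch state is $state"; return 2 ;;
    esac
}

# Sample inputs: trimmed copies of the outputs shown on this page.
SAMPLE_OK='SERVICE          ENTITLED  STATUS    DESCRIPTION
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
livepatch        yes       enabled   Canonical Livepatch service'

SAMPLE_WARN='SERVICE          ENTITLED  STATUS    DESCRIPTION
livepatch        yes       warning   Current kernel is not supported
NOTICES
The current kernel (5.19.0-46-generic, amd64) is not supported by livepatch.'

check_livepatch "$SAMPLE_OK"
check_livepatch "$SAMPLE_WARN" || true
```

On a live host, pass the real output instead of a sample: check_livepatch "$(pro status)".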
How to disable Livepatch
Enabling Livepatch installs the Livepatch client as a snap package, and there are a few possible ways to disable it. The simplest is to use the Pro Client:
sudo pro disable livepatch
If you also want to remove the Livepatch client from your machine, you can then use the following command:
sudo snap remove canonical-livepatch
For other options, you can also refer to the Livepatch documentation.
Notes
For more information about the Livepatch client and how to use it, refer to the official Livepatch client documentation.
Livepatch is not compatible with FIPS-certified kernels or with the real-time kernel, and should not be enabled if you wish to use those services. If Livepatch is enabled and you try to enable an incompatible service, pro will notify you and offer to disable Livepatch first.