Bruh, do you even live patch?

Patching is arguably the single most important thing you can do to keep your systems secure. It’s also tedious boring work that ends with everyone’s least favorite activity…. rebooting some indispensable, far too important for downtime server. Often meaning that patching takes a back seat to convenience, but no more! Linux kernel 4.4 on Ubuntu 16.04 has a built-in solution.

*note – I use vi as my text editor if you aren’t comfortable with that replace all instances of vi or vim with nano.

**note – If you want to be awesome learn vi by typing “vimtutor” at the terminal.

Unattended Upgrades

sudo apt update
sudo apt install unattended-upgrades

The configuration file for unattended-upgrades can be found at /etc/apt/apt.conf.d/50unattended-upgrades. By default it is configured to upgrade packages marked for security updates. You can keep that configuration or change the file as below to allow the updates channel as well.

sudo vim /etc/apt/apt.conf.d/50unattended-upgrades 

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";

You can also “blacklist” packages, that for one reason or another you do not want upgraded. The “//” is a comment in this file. So if you never wanted to upgrade vim simply delete the double slashes. Add any package you want to the list and it will be ignored when the system begins updating.

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";

Toward the bottom of this file you will see some blasphemous talk of automatic reboots, you don’t need that kind of negativity in your life… we are working towards live patching. Leave it turned off.

Now we need to update the apt configuration so that it knows when to run updates.

sudo cat /etc/apt/apt.conf.d/10periodic

This will display a file that looks like this:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";

The number at the end of each line represents how often, in days, that apt will check for, download, and clean updates. We are going to change a few things and add a line to install updates.

sudo vim /etc/apt/apt.conf.d/10periodic

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

This configuration will check for, download, and install updates at a randomized time everyday. It will clean up downloaded packages once every 7 days. For more details check /etc/cron.daily/apt-compat

Live Patching

Now the fun part install the Livepatching service. Canonical, the company behind Ubuntu, will allow anyone to install live patching for free on up to 3 desktops or servers. Beyond that you will need a paid support contract.

Go to the registration portal to register for your Livepatch token.

Install the Livepatch service

sudo snap install canonical-livepatch
sudo canonical-livepatch enable [put_your_token_here_without_brackets]

Thats it!

Luke has an RHCSA for Red Hat Enterpirse Linux 7 and currently works as a Linux Systems Adminstrator in Ohio.

This post, re-published here with permission, was originally published on Luke’s site here.

Be the first to comment

Leave a Reply

Your email address will not be published.