Trying out Canonical LivePatch service

So, after a few months of being subscribed to the Ubuntu Security Mailing list and being emailed every time there’s a kernel vulnerability, I have decided to try out Canonical’s Live Patching service (free for personal use, up to three computers), based on the super simple tutorial by cyberciti.

So, first impressions were that it is in fact really easy to install. However, as soon as I tried to register my token, I hit a snag:

# canonical-livepatch enable a471d5444cbe4ccccccc1acccccccccc
2017/02/23 22:14:53 Error executing enable?auth-token=a471d5444cbe4ccccccc1acccccccccc.
Connection to the daemon failed: Put http://127.0.0.1/enable?auth-token=a471d5444cbe4ccccccc1acccccccccc: dial unix /var/snap/canonical-livepatch/17/livepatchd-priv.sock: connect: no such file or directory

After a bit of digging, I found that the service is installed as “snap.canonical-livepatch.canonical-livepatchd.service” and the logs can be seen with:

journalctl -f -u snap.canonical-livepatch.canonical-livepatchd.service

In the output is the error message “Only Ubuntu 16.04 LTS is supported”:

Feb 23 21:57:52 ip-10-0-0-78 systemd[1]: Started Service for snap application canonical-livepatch.canonical-livepatchd.
Feb 23 21:57:52 ip-10-0-0-78 /usr/bin/snap[3949]: cmd.go:111: DEBUG: restarting into "/snap/core/current/usr/bin/snap"
Feb 23 21:57:52 ip-10-0-0-78 snap[3949]: 2017/02/23 21:57:52 Only Ubuntu 16.04 LTS is supported, exiting.
Feb 23 21:57:52 ip-10-0-0-78 systemd[1]: snap.canonical-livepatch.canonical-livepatchd.service: Main process exited, code=exited, status=1/FAILURE

Which is weird, because the server is running 16.04.02:

root@ip-10-0-0-78:~# cat /etc/issue
Ubuntu 16.04.2 LTS

root@ip-10-0-0-78:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.2 LTS
Release:	16.04
Codename:	xenial

root@ip-10-0-0-78:~# uname -a
Linux ip-10-0-0-78 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I’m not sure whether this is intended (maybe kernel changes between minor versions are not supported?) or someone wrote an “exact match” regex when doing the version check.

I have asked on the community forums about it.
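
The two explanations considered above can be compared against the lsb_release -a output shown in this post. This is an added example, not Canonical's code: how livepatchd actually checks the release is not shown here, and lsb_field, strict_check, release_check and compare_checks are hypothetical names.

```shell
#!/bin/sh
# Added illustration: two ways a daemon could decide "is this Ubuntu 16.04 LTS?".
# Neither function is taken from canonical-livepatch; both are hypothetical.

# lsb_release -a fields as shown in the post (whitespace after ':' may vary).
LSB_SAMPLE='Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial'

# Print the value of one field ("Description", "Release", ...) from
# lsb_release -a text passed as the second argument.
lsb_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Hypothetical strict check: the whole description must equal one literal.
# A point release changes the description ("16.04.2"), so it is rejected.
strict_check() {
    [ "$(lsb_field Description "$1")" = "Ubuntu 16.04 LTS" ]
}

# Hypothetical tolerant check: compare the distributor and the Release field,
# which reads "16.04" on this 16.04.2 host.
release_check() {
    [ "$(lsb_field 'Distributor ID' "$1")" = "Ubuntu" ] &&
    [ "$(lsb_field Release "$1")" = "16.04" ]
}

# Print the verdict of both checks for the given lsb_release -a text.
compare_checks() {
    for check in strict_check release_check; do
        if "$check" "$1"; then verdict=accepted; else verdict=rejected; fi
        printf '%s: %s\n' "$check" "$verdict"
    done
}

compare_checks "$LSB_SAMPLE"
```

On a live host, compare_checks "$(lsb_release -a 2>/dev/null)" runs the same comparison against the real output.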
