So, after a few months of being subscribed to the Ubuntu Security Mailing list and being emailed every time there’s a kernel vulnerability, I have decided to try out Canonical’s Live Patching service (free for personal use, up to three computers), based on the super simple tutorial by cyberciti.
So, first impressions were that it is in fact really easy to install. However, as soon as I tried to register my token, I hit a snag:
# canonical-livepatch enable a471d5444cbe4ccccccc1acccccccccc
2017/02/23 22:14:53 Error executing enable?auth-token=a471d5444cbe4ccccccc1acccccccccc. Connection to the daemon failed: Put http://127.0.0.1/enable?auth-token=a471d5444cbe4ccccccc1acccccccccc: dial unix /var/snap/canonical-livepatch/17/livepatchd-priv.sock: connect: no such file or directory
After a bit of digging, I found that the service is installed as “snap.canonical-livepatch.canonical-livepatchd.service” and the logs can be seen with:
journalctl -f -u snap.canonical-livepatch.canonical-livepatchd.service
In the output is the error message “Only Ubuntu 16.04 LTS is supported”:
Feb 23 21:57:52 ip-10-0-0-78 systemd: Started Service for snap application canonical-livepatch.canonical-livepatchd.
Feb 23 21:57:52 ip-10-0-0-78 /usr/bin/snap: cmd.go:111: DEBUG: restarting into "/snap/core/current/usr/bin/snap"
Feb 23 21:57:52 ip-10-0-0-78 snap: 2017/02/23 21:57:52 Only Ubuntu 16.04 LTS is supported, exiting.
Feb 23 21:57:52 ip-10-0-0-78 systemd: snap.canonical-livepatch.canonical-livepatchd.service: Main process exited, code=exited, status=1/FAILURE
Which is weird, because the server is running 16.04.02:
root@ip-10-0-0-78:~# cat /etc/issue
Ubuntu 16.04.2 LTS
root@ip-10-0-0-78:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
root@ip-10-0-0-78:~# uname -a
Linux ip-10-0-0-78 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
I’m not sure whether this is intended (maybe kernel changes between minor versions are not supported?) or someone wrote an “exact match” regex when doing the version check.
Have asked on the community forums about it.
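The "exact match" hypothesis above can be illustrated against the `lsb_release -a` output quoted in this post. The script below is an added example, not part of the original post and not canonical-livepatch's actual check (which the post does not show); the three check functions and their names are hypothetical.

```shell
#!/bin/sh
# Added example: three ways a daemon *might* gate on the distro release.
# Hypothetical checks; the real canonical-livepatch logic is not shown in the post.

# Sample input: the `lsb_release -a` fields quoted in the post.
LSB_SAMPLE='Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial'

# lsb_field NAME: read lsb_release output on stdin, print the value of field NAME.
lsb_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Exact string match on the human-readable description.
# Passes on the GA release only; any point release (16.04.1, 16.04.2, ...) fails.
check_exact_description() {
    desc=$(printf '%s\n' "$1" | lsb_field Description)
    [ "$desc" = "Ubuntu 16.04 LTS" ]
}

# Match on the machine-readable fields, which do not change across point releases.
check_release_fields() {
    id=$(printf '%s\n' "$1" | lsb_field 'Distributor ID')
    rel=$(printf '%s\n' "$1" | lsb_field Release)
    [ "$id" = "Ubuntu" ] && [ "$rel" = "16.04" ]
}

# Pattern match on the description that tolerates an optional point release.
check_description_pattern() {
    desc=$(printf '%s\n' "$1" | lsb_field Description)
    printf '%s\n' "$desc" | grep -Eq '^Ubuntu 16\.04(\.[0-9]+)? LTS$'
}

# Run every check against one lsb_release capture and print the verdicts.
report() {
    for c in check_exact_description check_release_fields check_description_pattern; do
        if "$c" "$1"; then echo "$c: supported"; else echo "$c: rejected"; fi
    done
}

report "$LSB_SAMPLE"
```

Only the exact description match rejects this host; the other two accept it, which is the behaviour difference the hypothesis relies on.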