Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Nikos Mavrogiannopoulos
on 13 September 2021


Ubuntu Livepatch is the service and the software that enables organizations to quickly patch vulnerabilities on the Linux kernel. It enables uninterrupted service while reducing fire drills during high and critical severity kernel vulnerabilities. With Ubuntu Livepatch on-prem we enhance our service to enable enterprises manage on private or public cloud their livepatched systems.

In this post, we will introduce Ubuntu Livepatch on-prem and look into how it can be deployed for your organization, as well as answer some of the most commonly asked questions.

On-prem kernel livepatching

Complex enterprise environments often follow policies that require a gradual roll-out of updates to reduce risk, or have high-security isolated environments that need to be updated. Livepatch on-prem allows an organization to define a roll-out policy and remain in full control of which machines will get updated and when. The Livepatch on-prem server is a middle-man service that regularly syncs with the Ubuntu Livepatch service to gather the latest kernel livepatches. It then deploys the patches gradually in as many stages as required, following the organizational policy.

How to deploy Livepatch on-prem

The service is easily deployable with juju on any environment from the public cloud of your choice to a private cloud using the model-driven juju framework. Once deployed it connects to the Ubuntu Livepatch service with an Ubuntu Advantage token, and can be configured to perform patch deployment according to a predefined set of policies.

How to manage livepatches

The deployment of the livepatches is performed in multiple tiers. The systems on the first tier receive the available patches unconditionally. The next tiers serve as promotion tiers where patches are promoted by the administrator. That approach allows for a risk-based deployment that keeps the most important systems as the last tier, as well as for cohort deployment where clusters of systems are patched gradually to keep the expected availability. The livepatch client systems are associated with a tier by assigning them the corresponding token for that tier, a token issued by the on-prem server.

Let’s take an example. An administrator can configure an incoming tier –let’s call it Tier 1– where livepatches get applied as they come from the Ubuntu Livepatch service, and a promotion tier –Tier 2– that the administrator can promote patches to once the criteria she set for promotion are met. That simple scenario is depicted graphically below.

That simple association of a livepatch client to a tier allows for complex policy definitions and scenarios to deploy.

How many clients can an on-prem server handle?

The server can handle thousands of clients in a single CPU core system, and it requires access to storage space of a few gigabytes, to store the patches. There are multiple supported storage backends, such as the local filesystem, OpenStack Object Storage (Swift), S3, minio or postgresql. You can find more detailed instructions on deploying and configuring livepatch on-prem on our website.

How can I access Livepatch on-prem?

Livepatch on-prem is available with an Ubuntu Advantage subscription.

Where can I find more information about livepatch on-prem?

The complete documentation of Livepatch on-prem service is available on Ubuntu Livepatch website.

Conclusion

Livepatch on-prem enables your organization to follow its own roll-out policies while taking advantage of Livepatching across your portfolio. Livepatching not only improves your infrastructure’s security posture but greatly reduces downtime and unplanned maintenance windows due to high and critical severity kernel vulnerabilities. If you would like to know more about Livepatch on-prem and how it could be implemented for you, get in touch!

Related posts


Canonical
19 September 2023

라이브패치(Livepatch)에 새로운 13개월 슬라이딩 지원 기간이 있습니다. 여러분에게 어떤 의미가 있을까요?

Security Security

라이브패치는 시스템을 즉시 재부팅할 필요 없고 런타임에 중요하고 높은 보안 커널 공통 보안 취약성 및 노출(CVE)을 수정하는 유용한 툴입니다. 그러나 정기적인 유지 관리 기간 및 재부팅을 대체하는 용도로 사용해서는 안 됩니다. 좋은 기업 정책에는 시스템이 안정적이고 안전하게 유지되도록 라이브패치와 정기적인 재부팅이 모두 포함되어야 합니다. 그 이유는 펌웨어 또는 장치 드라이버 업데이트와 같은 일부 시스템 CVE는 ...


ijlal-loutfi
13 April 2023

Livepatch has a new 13-month sliding support window – What does it mean for you?

Security Livepatch

The Livepatch tool is a valuable solution for resolving critical and high-security kernel CVEs without requiring an immediate system reboot. However, it is not a substitute for regular maintenance windows and reboots, as some CVEs still require a system reboot. Additionally, Livepatch only covers security-related kernel updates, not non-s ...


ijlal-loutfi
13 April 2023

Canonical Livepatch gets even better – Now supporting Hardware Enablement Kernels

Security Livepatch

Livepatch allows Ubuntu users to fix critical and high kernel vulnerabilities at runtime, which reduces the need for unplanned reboots. Until now, Livepatch has only been available for Long-Term Release (LTS) kernels, but starting with the release of Ubuntu’s interim release of 23.04 Lunar Lobster in April 2023, it will also be available ...