
How to live patch Ubuntu Linux Kernel without rebooting the server

[Category: System (Linux) | Posted by: 店小二04 | Date: 2016 | Author: 红领巾]

Kernel live patching enables runtime correction of critical security issues in a running kernel without rebooting. How do I enable live patching on my Ubuntu Linux 16.04 LTS server and patch the kernel without rebooting the box?

Ubuntu Linux version 16.04 LTS supports live patching for both enterprise users and Ubuntu community members. The Canonical Livepatch Service is an authenticated, encrypted, signed stream of livepatch kernel modules for Ubuntu servers, virtual machines and desktops. Please note that this service is free for up to 3 servers running 64-bit Intel/AMD Ubuntu 16.04 LTS.

Before you start

Make sure the following entries are present in /etc/apt/sources.list:

$ cat /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu xenial main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu xenial-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu xenial-security main restricted universe multiverse

Make sure your system is up to date using the apt command or the apt-get command:

$ sudo apt update
$ sudo apt upgrade

If snapd (the snappy software platform daemon) is not installed on your system, install it:

$ sudo apt install snapd

Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  snap-confine ubuntu-core-launcher
The following NEW packages will be installed:
  snap-confine snapd ubuntu-core-launcher
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 6,262 kB of archives.
After this operation, 32.5 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 snap-confine amd64 1.0.43-0ubuntu1~16.04.1 [28.9 kB]
Get:2 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 ubuntu-core-launcher amd64 1.0.43-0ubuntu1~16.04.1 [2,702 B]
Get:3 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 snapd amd64 2.15.2ubuntu1 [6,231 kB]
Fetched 6,262 kB in 1s (4,850 kB/s)
Selecting previously unselected package snap-confine.
(Reading database ... 244122 files and directories currently installed.)
Preparing to unpack .../snap-confine_1.0.43-0ubuntu1~16.04.1_amd64.deb ...
Unpacking snap-confine (1.0.43-0ubuntu1~16.04.1) ...
Selecting previously unselected package ubuntu-core-launcher.
Preparing to unpack .../ubuntu-core-launcher_1.0.43-0ubuntu1~16.04.1_amd64.deb ...
Unpacking ubuntu-core-launcher (1.0.43-0ubuntu1~16.04.1) ...
Selecting previously unselected package snapd.
Preparing to unpack .../snapd_2.15.2ubuntu1_amd64.deb ...
Unpacking snapd (2.15.2ubuntu1) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up snap-confine (1.0.43-0ubuntu1~16.04.1) ...
Setting up ubuntu-core-launcher (1.0.43-0ubuntu1~16.04.1) ...
Setting up snapd (2.15.2ubuntu1) ...

Step 1: Generate a livepatch key

To get started, log in and generate a key at the following URL (a free account is needed):

https://ubuntu.com/livepatch

Sample output after logging in and generating a key for my personal server at home:


Fig.01: Getting started with “Hotfixing Ubuntu Kernels”

Step 2: Enable live patching

Install the canonical-livepatch snap (package):

$ sudo snap install canonical-livepatch

Sample outputs:


Fig.02: Installing live patch

Enable the service with your token. The syntax is:

$ sudo canonical-livepatch enable {YOUR-TOKEN-HERE-FROM-STEP-1}

So if your token is d3b07384d213edec49eaa6238ad5ff00, enter:

$ sudo canonical-livepatch enable d3b07384d213edec49eaa6238ad5ff00

Sample outputs:

Successfully enabled device. Using machine-token: d3b07384d213edec49eaa6238ad5ff00

Step 3: View status

Type the following command to view the kernel's livepatch status:

$ canonical-livepatch status

Sample outputs:

kernel: 4.4.0-43.63-generic
fully-patched: true
version: ""

My kernel is fully patched. You can pass the --verbose option to see more details:

$ canonical-livepatch status --verbose

Sample outputs:


Fig.03: Canonical enterprise kernel livepatch service in action
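The whole procedure as one re-runnable script, added here as an example that is not part of the original article or of Canonical's tooling. It assumes it runs as root on Ubuntu 16.04, that the token from Step 1 is passed as its second argument, and (an assumption, not something the article states) that `canonical-livepatch status` exits non-zero until the machine has been enabled. The `livepatch_state` helper parses the plain `canonical-livepatch status` output shown above so that a monitoring job can check the result instead of reading it by eye; the sample status text embedded in the script is constructed to match the article's output.

```shell
#!/bin/sh
# Added example, not from the original article: enrol an Ubuntu 16.04 host in
# Canonical Livepatch and turn the status output into a checkable result.
set -eu

# Print "patched", "unpatched" or "unknown" for the `canonical-livepatch status`
# text read on stdin, and exit 0 only when the kernel reports fully-patched: true.
livepatch_state() {
    awk '
        /^fully-patched:/ { state = ($2 == "true") ? "patched" : "unpatched" }
        END {
            if (state == "") state = "unknown"
            print state
            exit (state == "patched" ? 0 : 1)
        }'
}

# Print the running kernel named in the status text read on stdin.
livepatch_kernel() {
    awk '/^kernel:/ { print $2 }'
}

# The steps from the article, made idempotent so the script can be re-run.
# Needs root; TOKEN is the machine token generated at https://ubuntu.com/livepatch.
enable_livepatch() {
    token="${1:?usage: enable_livepatch TOKEN}"
    apt-get update
    apt-get -y upgrade
    # The canonical-livepatch snap needs snapd.
    command -v snap >/dev/null 2>&1 || apt-get -y install snapd
    snap list canonical-livepatch >/dev/null 2>&1 || snap install canonical-livepatch
    # Assumption: `status` fails until the machine is enabled, so enable only once.
    if ! canonical-livepatch status >/dev/null 2>&1; then
        canonical-livepatch enable "$token"
    fi
}

# Check the live host: prints a one-line summary suitable for a cron job or a
# monitoring agent and returns 0 only when the kernel is fully patched.
check_livepatch() {
    status="$(canonical-livepatch status)" || return 1
    kernel="$(printf '%s\n' "$status" | livepatch_kernel)"
    state="$(printf '%s\n' "$status" | livepatch_state)" || true
    printf 'livepatch kernel=%s state=%s\n' "$kernel" "$state"
    [ "$state" = "patched" ]
}

# Constructed sample matching the output shown in the article.
SAMPLE_STATUS='kernel: 4.4.0-43.63-generic
fully-patched: true
version: ""'

case "${1:-demo}" in
    enroll) enable_livepatch "${2:?token required}" && check_livepatch ;;
    check)  check_livepatch ;;
    demo)   printf '%s\n' "$SAMPLE_STATUS" | livepatch_state ;;   # prints: patched
esac
```

Run it as `sudo sh livepatch.sh enroll YOUR-TOKEN` once, then `sh livepatch.sh check` from cron or a monitoring agent; the non-zero exit on an unpatched kernel is what an alert should key on. The script uses apt-get rather than apt because apt's output is meant for interactive use and is not stable for scripting.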

Page link: http://www.codesec.net/view/485549.html