Using Canonical Livepatch Service to Patch Ubuntu 16.04 Kernel without Reboot

In this tutorial we’re going to learn how to patch the Linux kernel on Ubuntu 16.04 without a reboot, using the Canonical Livepatch service. The service uses the upstream Linux Kernel Live Patching technology to apply critical kernel patches without rebooting.

This helps your website’s uptime. I use this feature for the server that runs this blog. In theory, you can use the Livepatch service to keep your server running as long as you want, unless the power goes down, the OS crashes, or the hardware fails. For my other servers, such as a mail server that doesn’t require high uptime, I simply configure unattended security updates, which can instruct my server to automatically reboot at 4 AM if a new kernel is installed.

The Canonical Livepatch service is free of charge for up to 3 machines (laptop, server or cloud). In order to use this service, your system must be a 64-bit Ubuntu 16.04 OS with Linux kernel 4.4+.

Patching Linux Kernel Without Reboot Using Canonical Livepatch Service

First, go to the Canonical Livepatch service page. Select Ubuntu user if you want to use the service without paying for up to 3 machines. If you are a UA customer, select Ubuntu Advantage customer. Then click Get your Livepatch token.

You need to sign in with your Ubuntu One account, which is totally free of charge. Once you are signed in, you will get a secret key for your account.

Then make sure you have the snap daemon installed on your Ubuntu 16.04 system.

sudo apt update
sudo apt install snapd

Next, install the canonical-livepatch daemon.

sudo snap install canonical-livepatch

Enable the service with the following command.

sudo canonical-livepatch enable <your-secret-key>

Sample output:

Successfully enabled device. Using machine-token: 2ca4f0662793daje0393jdaf39332d

You can check live patch status at any time with:

canonical-livepatch status --verbose

Possible patchStates are:

  • nothing-to-apply: No vulnerability found.
  • applied: Vulnerability found and patch is applied.
  • kernel-upgrade-required: Livepatch cannot install a patch to fix the vulnerability.
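
The three states above can be turned into a check for cron or a monitoring agent, so that kernel-upgrade-required (a vulnerability Livepatch cannot fix) is noticed instead of sitting unread in the status output. This is an added example, not part of the original tutorial or Canonical's tooling; the function names are hypothetical, and it assumes the status text contains a line of the form "patchState: <value>". The sample input is constructed.

```shell
#!/bin/sh
# Added example: classify the Livepatch patchState for cron or monitoring.
# Assumption: the status text has a line of the form "patchState: <value>".

# Print the first patchState value found on stdin (empty if none).
extract_patch_state() {
    sed -n 's/^[[:space:]]*patchState:[[:space:]]*\([A-Za-z-]*\).*$/\1/p' | head -n 1
}

# Map a patchState to a monitoring exit code:
#   0 = OK, 1 = reboot into a fixed kernel needed, 3 = unknown / not reported
classify_patch_state() {
    case "$1" in
        nothing-to-apply|applied) return 0 ;;
        kernel-upgrade-required)  return 1 ;;
        *)                        return 3 ;;
    esac
}

# Read status text on stdin, print a one-line verdict, return the code above.
check_livepatch() {
    state=$(extract_patch_state)
    rc=0
    classify_patch_state "$state" || rc=$?
    case "$rc" in
        0) echo "OK: patchState=$state" ;;
        1) echo "WARNING: patchState=$state, schedule a kernel upgrade and reboot" ;;
        *) echo "UNKNOWN: patchState='$state' (is the client enabled?)" ;;
    esac
    return "$rc"
}

# Constructed sample input (not captured from a real machine).
SAMPLE_STATUS='status:
- kernel: 0.0.0-example-generic
  running: true
  livepatch:
    patchState: kernel-upgrade-required'

# Demo on the constructed sample; on a real host pipe in the live output:
#   canonical-livepatch status --verbose | check_livepatch
printf '%s\n' "$SAMPLE_STATUS" | check_livepatch || echo "exit code: $?"
```

A missing patchState line is reported as UNKNOWN rather than OK, so a disabled or broken client does not pass the check silently.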

You can also run the patcher manually:

sudo canonical-livepatch refresh

Please note that live patching the kernel is different from upgrading the kernel to the latest version. After applying security patches, you still need to reboot in order to upgrade to the latest version of the Linux kernel on Ubuntu 16.04.

I hope this tutorial helped you use the Canonical Livepatch service to apply fixes for the highest and most critical security vulnerabilities to your Ubuntu 16.04 LTS systems without a reboot.
