
Live kernel patches for Ubuntu

Canonical has announced the availability of a live kernel patch service for the 16.04 LTS release. "It’s the best way to ensure that machines are safe at the kernel level, while guaranteeing uptime, especially for container hosts where a single machine may be running thousands of different workloads." Up to three systems can be patched for free; the service requires a fee thereafter. There is a long FAQ about the service in this blog post; it appears to be based on the mainline live-patching functionality with some Canonical add-ons.


From:  Dustin Kirkland <kirkland-AT-canonical.com>
To:  ubuntu-announce-AT-lists.ubuntu.com, kirkland-AT-canonical.com
Subject:  Canonical enterprise kernel livepatch service, free to Ubuntu community!
Date:  Tue, 18 Oct 2016 11:02:06 -0700
Message-ID:  <559980a7-c650-63a0-f84c-8b24fd80e566@canonical.com>

Kernel live patching enables runtime correction of critical security
issues in your kernel without rebooting. It’s the best way to ensure
that machines are safe at the kernel level, while guaranteeing uptime,
especially for container hosts where a single machine may be running
thousands of different workloads.

We’re very pleased to announce that this new enterprise, commercial
service from Canonical will also be available free of charge to the
Ubuntu community.

The Canonical Livepatch Service is an authenticated, encrypted, signed
stream of livepatch kernel modules for Ubuntu servers, virtual
machines and desktops.

Community users of Ubuntu are welcome to enable the Canonical
Livepatch Service on 3 systems running 64-bit Intel/AMD Ubuntu 16.04
LTS.  (To enable the Canonical Livepatch Service on more than 3
systems, please see http://ubuntu.com/advantage for commercial support
subscriptions starting at $12 per month.)

On an up-to-date, 64-bit Ubuntu 16.04 LTS system, you can enable the
Canonical Livepatch Service today in 3 simple steps:

(1) Go to https://ubuntu.com/livepatch and retrieve your livepatch
token, for example: d3b07384d213edec49eaa6238ad5ff00

(2) Install the livepatch snap, like this:
   $ sudo snap install canonical-livepatch

(3) Enable your account with the token from step 1
   $ sudo canonical-livepatch enable d3b07384d113edec49eaa6238ad5ff00

That’s it.  You’re up and running!  You can check your status at any 
time with:

   $ canonical-livepatch status
   kernel: 4.4.0-38.57-generic
   fully-patched: true
   version: "12.2"

Now your kernel will remain securely patched, and you can reboot when
it’s convenient for you.

For more detailed technical information, screenshots, and a demo, see
my blog post at:
  * http://blog.dustinkirkland.com/2016/10/canonical-livepatc...

And see the official landing page at:
  * http://www.ubuntu.com/server/livepatch

Cheers,

Dustin Kirkland
(on behalf of dozens of my colleagues at Canonical who are the brains
and brawn behind this amazing work! )

-- 
ubuntu-announce mailing list
ubuntu-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce
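The status report in step 3 above is the only signal an administrator gets that the service is actually keeping the running kernel covered, so it is worth turning into something a cron job or monitoring agent can act on. The script below is an added example, not Canonical's tooling and not part of the announcement: it parses the `kernel:` / `fully-patched:` / `version:` lines that `canonical-livepatch status` prints and maps them to an exit status. Both reports it uses are constructed samples; the first copies the fields shown in the announcement, the second is what a host whose patches have not yet arrived might report.

```shell
#!/bin/sh
# Added example, not part of the announcement or of Canonical's tooling:
# turn the `canonical-livepatch status` report into an exit status that a
# cron job or monitoring agent can act on. Both reports below are
# constructed samples.

PATCHED_STATUS='kernel: 4.4.0-38.57-generic
fully-patched: true
version: "12.2"'

# Constructed: a host that has not yet received the current patch set
UNPATCHED_STATUS='kernel: 4.4.0-38.57-generic
fully-patched: false
version: "12.2"'

# status_field REPORT KEY -> prints the value of the "KEY: value" line,
# with surrounding quotes stripped; prints nothing if KEY is absent
status_field() {
    printf '%s\n' "$1" | awk -v key="$2:" \
        '$1 == key { $1 = ""; sub(/^ +/, ""); gsub(/"/, ""); print; exit }'
}

# livepatch_is_patched REPORT -> exit 0 only when fully-patched is "true"
livepatch_is_patched() {
    [ "$(status_field "$1" fully-patched)" = "true" ]
}

# check_livepatch REPORT -> prints a one-line verdict and returns
#   0 when the kernel is fully patched,
#   1 when patches are pending or missing,
#   2 when the report lacks the field (service not enabled, format changed)
check_livepatch() {
    state=$(status_field "$1" fully-patched)
    kernel=$(status_field "$1" kernel)
    case "$state" in
        true)
            echo "OK: kernel $kernel fully patched (livepatch version $(status_field "$1" version))"
            return 0 ;;
        false)
            echo "WARN: kernel $kernel has unapplied live patches"
            return 1 ;;
        *)
            echo "ERROR: no fully-patched field in report"
            return 2 ;;
    esac
}

# On a real 16.04 host the call would be:
#   check_livepatch "$(canonical-livepatch status)"
# Here the constructed samples are used instead:
check_livepatch "$PATCHED_STATUS"
check_livepatch "$UNPATCHED_STATUS" || true   # the non-zero exit is the point
```

Distinguishing "not patched" (exit 1) from "no usable report" (exit 2) matters in practice: the second case usually means the service was never enabled or the token expired, which is a configuration problem rather than a pending patch.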



Live kernel patches for Ubuntu

Posted Oct 19, 2016 15:41 UTC (Wed) by smcv (subscriber, #53363) [Link] (3 responses)

The result of "sudo snap install" can have CAP_SYS_MODULE?! That's an interesting contrast with the emphasis on sandboxing in most conversations involving app frameworks like Snap and Flatpak.

Live kernel patches for Ubuntu

Posted Oct 20, 2016 4:28 UTC (Thu) by zyga (subscriber, #81533) [Link] (2 responses)

With my snappy developer hat on I can tell you that the default permissions are heavily confined but this particular snap is allowed to use a snap interface that grants it the extra permission. If you wanted to publish a snap using the same interface it would trigger manual review in the store.

Live kernel patches for Ubuntu

Posted Oct 20, 2016 4:43 UTC (Thu) by Otus (subscriber, #67685) [Link] (1 responses)

I assume the user is also notified about it on install?

Sorry, haven't used snap so far.

Live kernel patches for Ubuntu

Posted Oct 20, 2016 6:14 UTC (Thu) by zyga (subscriber, #81533) [Link]

Users can always see and change interface connections but there's no notification on install because for this particular snap and interface, we chose to auto-connect it automatically. This is all controlled by the base declaration assertion now but we will migrate it over to snap declaration assertions (the choice is per-snap).

Live kernel patches for Ubuntu

Posted Oct 20, 2016 0:21 UTC (Thu) by sashal (✭ supporter ✭, #81842) [Link] (1 responses)

So where's the source code? all I see is just the diffs that are supposedly what the live patching module "applies"...

As there's no argument that the modules they distribute are GPL since they're based on GPL code (which is provided as diffs), they're supposed to provide the complete source code to recreate those modules.

Live kernel patches for Ubuntu

Posted Oct 20, 2016 3:09 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

The makefile in the git tree pulls down the source code and does the build. I think it's possible to quibble over whether the repository itself is the full corresponding source code, but it's certainly available in a way that makes it easy to duplicate the output.

Live kernel patches for Ubuntu

Posted Oct 20, 2016 5:02 UTC (Thu) by TRS-80 (guest, #1804) [Link] (1 responses)

Is live-patching allowed when secure boot is enabled?

Live kernel patches for Ubuntu

Posted Oct 20, 2016 7:40 UTC (Thu) by Jonno (subscriber, #49613) [Link]

> Is live-patching allowed when secure boot is enabled?

Yes.

Secure boot itself only requires the bootloader to be signed by a key the EFI firmware trusts (usually the Microsoft key). The bootloader may then require the kernel to be signed by some key the bootloader trusts (usually the same keys as the EFI firmware trusts and/or a list of keys provided when the bootloader was built), and the kernel may then require kernel modules to be signed by a key it trusts (usually a key created during kernel build time). As a live-patch is really just a specially crafted kernel module all you need to do is sign it with the same key used to sign the original kernel modules. As Canonical is the provider of both the kernel image and the live-patch module I do not see why they would not be able to do that.
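The last link in the chain described in this comment can be checked on a host rather than taken on trust: `modinfo` prints the `signer:`, `sig_key:` and `sig_hashalgo:` fields embedded in a signed module, so the key a live-patch module carries can be compared with the key on a stock in-tree module of the running kernel. The script below is an added example (not the commenter's code and not Canonical's): it parses those fields from `modinfo` output and reports whether two modules were signed with the same key. The four `modinfo` reports it uses are constructed samples, and the key fingerprints are placeholders.

```shell
#!/bin/sh
# Added example, not from the comment author or Canonical: compare the
# signer and key fingerprint that `modinfo` prints for two kernel modules,
# to confirm that a live-patch module carries the same signing key as the
# kernel's stock modules. All four reports are constructed samples with
# placeholder fingerprints.

STOCK_MODINFO='filename:       /lib/modules/4.4.0-38-generic/kernel/fs/btrfs/btrfs.ko
license:        GPL
vermagic:       4.4.0-38-generic SMP mod_unload modversions
signer:         Example Distro Kernel Signing Key
sig_key:        00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
sig_hashalgo:   sha512'

LIVEPATCH_MODINFO='filename:       /path/to/livepatch_example.ko
license:        GPL
vermagic:       4.4.0-38-generic SMP mod_unload modversions
signer:         Example Distro Kernel Signing Key
sig_key:        00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
sig_hashalgo:   sha512'

# Constructed: a module signed with some other key
OTHERKEY_MODINFO='filename:       /path/to/other.ko
license:        GPL
signer:         Some Other Signing Key
sig_key:        FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
sig_hashalgo:   sha512'

# Constructed: an unsigned module (no signer/sig_key fields at all)
UNSIGNED_MODINFO='filename:       /path/to/unsigned.ko
license:        GPL
vermagic:       4.4.0-38-generic SMP mod_unload modversions'

# modinfo_field REPORT FIELD -> value of "FIELD:" with leading whitespace
# trimmed; prints nothing if the field is absent
modinfo_field() {
    printf '%s\n' "$1" | awk -v f="$2:" \
        '$1 == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# module_signer_id REPORT -> "signer|sig_key"; prints nothing and fails
# when either field is missing, i.e. the module is unsigned
module_signer_id() {
    signer=$(modinfo_field "$1" signer)
    key=$(modinfo_field "$1" sig_key)
    [ -n "$signer" ] && [ -n "$key" ] && printf '%s|%s\n' "$signer" "$key"
}

# same_signer REPORT_A REPORT_B -> exit 0 only when both modules are signed
# and carry the same signer name and key fingerprint
same_signer() {
    a=$(module_signer_id "$1")
    b=$(module_signer_id "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# On a real host: same_signer "$(modinfo btrfs)" "$(modinfo /path/to/livepatch.ko)"
# (the live-patch module path is a placeholder). With the samples:
if same_signer "$STOCK_MODINFO" "$LIVEPATCH_MODINFO"; then
    echo "OK: live-patch module signed with the same key as stock modules"
else
    echo "WARN: live-patch module unsigned or signed with a different key"
fi
```

An unsigned module is treated as a mismatch rather than as "no opinion": if the kernel is enforcing module signatures, such a module would be rejected at load time, and if it is not enforcing them, the absence of a signature is exactly what one wants to notice.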

Live kernel patches for Ubuntu

Posted Oct 20, 2016 9:07 UTC (Thu) by TimSmall (guest, #96681) [Link] (1 responses)

A small subset of the free service machines get to do canary testing on each patch before everyone else gets it. Which is what I assumed when I first read the article, but it's confirmed in the blog post.

Perhaps more importantly, unlike the equivalent SUSE service, the Ubuntu solution seems to lack a promotional music video https://youtu.be/SYRlTISvjww

Live kernel patches for Ubuntu

Posted Oct 20, 2016 18:30 UTC (Thu) by Lennie (subscriber, #49641) [Link]

Agreed we need more promotional music videos and catchy names for security bugs: http://www.phirelight.com/branding-vulnerabilities/

KernelCare

Posted Oct 20, 2016 17:26 UTC (Thu) by kirillx (guest, #111868) [Link] (9 responses)

For those using server Linux distros, I recommend trying kernelcare.com; it supports much more than just Ubuntu + older versions.
Those guys also claim they will soon fix openssl and similar security issues on the fly.

KernelCare

Posted Oct 20, 2016 17:45 UTC (Thu) by Sheldon (guest, #111869) [Link] (8 responses)

As far as I know they don't give free licenses, but it only costs $2-3 per month.
...but with support, which is a really nice advantage.

No more please

Posted Oct 20, 2016 20:04 UTC (Thu) by corbet (editor, #1) [Link] (7 responses)

This looks like a rather poorly disguised advertising campaign for a proprietary service, as far as I can tell. Please stop here.

No more please

Posted Oct 21, 2016 13:24 UTC (Fri) by niner (subscriber, #26151) [Link] (1 responses)

At least it's an excellent argument for showing account ids :)

No more please

Posted Oct 22, 2016 17:48 UTC (Sat) by ms-tg (subscriber, #89231) [Link]

Ha! You're right ;)

No more please

Posted Oct 24, 2016 10:43 UTC (Mon) by nye (subscriber, #51576) [Link] (4 responses)

Disagree: this is useful and relevant information. It's very common to discuss alternatives/competitors to the subject in LWN comments, and if the posters didn't have consecutive user IDs then nobody would have batted an eyelid.

No more please

Posted Oct 24, 2016 15:01 UTC (Mon) by raven667 (subscriber, #5198) [Link] (3 responses)

> if the posters didn't have consecutive user IDs then nobody would have batted an eyelid.

Poster, singular, as it is fairly clear that someone affiliated with the company registered two accounts and pretended to have a spontaneous conversation, not in good faith or honestly, using the comment space to create advertisements without compensating or gaining permission from LWN. It's spam; if it were better hidden that wouldn't make it any better.

No more please

Posted Oct 25, 2016 10:37 UTC (Tue) by nye (subscriber, #51576) [Link] (2 responses)

When people comment on OpenOffice articles saying that people should use LO instead, is that spam? What about when somebody who works on KDE software posts on a Gnome article, or vice-versa?

Is it different because it's a paid service? Does that mean that anyone posting in support of RHEL is spamming? There's nothing about Open Source or Free Software to say that there's anything wrong with charging for a service - indeed, many people go to great lengths to point this out. Is it just because they didn't declare where their income comes from? Florian Mueller's posts must surely all be spam then.

The world is not so black and white.

No more please

Posted Oct 25, 2016 10:58 UTC (Tue) by farnz (subscriber, #17727) [Link]

What makes this spam is the effort to use two newly registered accounts to make it look like people are having a conversation about the service, while not disclosing their affiliation with the service they're talking about.

When mezcalero posts a comment about systemd or Red Hat products, it's fine. There's no effort made by Lennart to disguise who he is, who he's working for, or to pretend that he's unaffiliated with either systemd or Red Hat. Similar applies to mgraesslin commenting on GNOME articles - he's made no attempt to hide his KDE affiliation.

Here, however, we've got two users posting, created one after the other, both with very similar writing styles, both acting as-if they're not affiliated to Kernelcare and advertising its paid service. The combination of 3 factors (two accounts created close together, very similar writing style, advertising a paid service as-if they're just ordinary users of the service) is enough to push it over the edge.

FWIW, if they'd just used one account, and posted something like "At Kernelcare, we offer a $3/month/server service that provides live patches to your Linux hosts", and then only responded to any replies they picked up, I'd not see it as problematic - it's relevant information, even if it's also a sales attempt. It's the attempt to disguise a commercial sales attempt as "ordinary users chatting" that pushes it over the edge for me.

No more please

Posted Oct 25, 2016 14:29 UTC (Tue) by corbet (editor, #1) [Link]

Because the world is not so black and white, we didn't just delete the posts as spam; I just asked that they end the game there. And they did.


Copyright © 2016, Eklektix, Inc.