If you manage your own server(s), sooner or later you will run into this problem: the operating system must be restarted, but the machine is providing an important service that cannot be interrupted.
But why restart the server at all? Everything seems to be working well after running apt-get upgrade. However, appearances can be misleading. Although the system keeps running after each upgrade and, unlike Windows, does not demand a reboot, you may still need one.
For example, when a flaw is discovered in the kernel, it is patched and pushed to your server as a new package. After you install the patched kernel, the new files are written to disk, but the kernel that is actually running is still the old one, because the kernel is a file that was loaded into memory (RAM) at boot.
This means your server is still vulnerable to the security hole that was just patched. Other processes, daemons and services can be reloaded without restarting the operating system, but the kernel sits at the center of the system and can only be replaced at the next boot.
Ubuntu Livepatch solves this by closing kernel security holes without a reboot. This way, you can avoid or postpone rebooting for weeks or months without compromising security.
The core idea behind live patching is simple: when a function is found to be vulnerable, rewrite it without the flaw, load the new function somewhere in memory, and redirect calls to the original function to the rewritten code instead of the code in the running kernel.
But, as with most things, the implementation and its details are not as simple as that.
How to set up Livepatch on Ubuntu
Go to login.ubuntu.com and create an Ubuntu One account (or just log in if you already have one). Check your email and click the account verification link. Next, visit the Canonical Livepatch Service page at auth.livepatch.canonical.com, select the option indicating that you are an "Ubuntu user" and click the button to generate a token. The next page shows the exact commands you must enter on your server. The first command is:
sudo snap install canonical-livepatch
Wait a few seconds until the snap package is fully installed. When done, you should see output similar to what is shown in the following image.
Finally, run the second command from Canonical's page, replacing PASTE_YOUR_TOKEN_HERE with the token you were given:
sudo canonical-livepatch enable PASTE_YOUR_TOKEN_HERE
The service will then run and automatically apply security patches to the kernel whenever necessary, with no user input required.
Install the snap daemon if needed
In rare cases, the first command in the previous section may fail with the following error message:
-bash: /usr/bin/snap: No such file or directory
This means your server provider's Ubuntu image does not include the snap daemon (snapd) by default. Install it with the command:
sudo apt update && sudo apt install snapd
Now run the two commands from the previous section again.
Keep your server up to date
Livepatch will apply all necessary security updates to your kernel. However, you should still upgrade the rest of the system regularly with a command like:
sudo apt update && sudo apt upgrade
You should do this weekly, or more often if you can. Important system packages may remind you that their services need to be restarted to apply the latest security fixes.
These service restarts do not break the service in the process. For example, in this case, the SSH daemon was restarted without interrupting the active SSH session.
In other situations, you can restart the services yourself to make sure that the new, patched code is reloaded and the security fixes actually take effect. For example, if you notice that the nginx package has been upgraded, you can run:
systemctl restart nginx.service
to reload the nginx daemon into memory.
Otherwise, even though a package has been upgraded, its running process may still be executing the old, vulnerable code, leaving your server exposed to attack. Some packages restart their services for you during the upgrade, but others do not. That is why paying attention to what apt upgrade actually does, and restarting services yourself when necessary, is a good habit. You can also check apt's log to see whether a restart was performed automatically.
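As an added example, not code from the original post: a small shell script that finds processes still running shared libraries that were replaced on disk by an upgrade (the mapping shows up as "(deleted)" in /proc/PID/maps) and reports the reboot marker that Ubuntu's update hooks write under /var/run. The maps excerpt embedded in it is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post). The /proc and /var/run paths are
# the standard Linux/Ubuntu locations; the maps sample below is constructed.

# stale_libs_in_maps FILE: print unique shared libraries that the process has
# mapped but whose on-disk file has since been replaced ("(deleted)" suffix).
# Field 6 of /proc/PID/maps is the pathname; the last field flags deletion.
stale_libs_in_maps() {
    awk '$NF == "(deleted)" && $6 ~ /\.so(\.|$)/ { print $6 }' "$1" | sort -u
}

# report_stale_processes: walk every /proc/PID/maps the caller can read and
# print "PID library" lines; each such process is a candidate for a restart.
report_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale_libs_in_maps "$maps" 2>/dev/null | while read -r lib; do
            printf '%s %s\n' "$pid" "$lib"
        done
    done
}

# reboot_required: succeed if update-notifier left the reboot marker, and list
# the packages that requested it (kernel, libc, ...) when that file exists.
reboot_required() {
    [ -f /var/run/reboot-required ] || return 1
    if [ -r /var/run/reboot-required.pkgs ]; then
        cat /var/run/reboot-required.pkgs
    fi
    return 0
}

# demo_stale_libs: run the parser over a constructed maps excerpt in which
# libssl was replaced on disk while libc was not; prints the one stale library.
demo_stale_libs() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
7f0a1c000000-7f0a1c1b5000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f0a1c1b5000-7f0a1c3b4000 ---p 001b5000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f0a1c500000-7f0a1c6d0000 r-xp 00000000 08:01 200 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd3e000000-7ffd3e021000 rw-p 00000000 00:00 0   [stack]
EOF
    stale_libs_in_maps "$tmp"
    rm -f "$tmp"
}
```

Run report_stale_processes as root to cover every process; maps files of other users' processes are not readable otherwise.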
As you can see, Canonical has made it easy to avoid reboots on the server. As for the kernel, that part now requires no maintenance on your side. The only thing left to do is run the command:
canonical-livepatch status
to check that everything is working.
Hope you are successful.