Add Livepatch graphs in Landscape

Summary: Learn how to chart kernel live patching activities over time with Landscape’s custom graphs.
Categories: landscape, livepatch, ubuntu, server, desktop
Difficulty: 1
Author: Rajan Patel <rajan.patel@canonical.com>

Overview

Duration: 2:00

The Ubuntu Livepatch Service applies critical kernel security patches and does not require an immediate reboot. Livepatch is free for up to 3 machines for personal use and included in the Ubuntu Advantage subscription.

This tutorial shows you how to incorporate Livepatch activity into the Landscape monitoring dashboard. This data helps identify how many CVEs the Livepatch service has patched in the kernel between maintenance window reboots. If the machine has not been rebooted to finalize previous live patches, Livepatch will assess the existing live patches. In edge cases, a live patch will be withheld if a queued live patch is incompatible with a previously applied one. The number of live patches applied since the previous reboot is a datapoint that justifies why a reboot is necessary.

What you’ll need

  • Administrator access on Landscape On-Premises or Landscape SaaS, to add the monitoring script
  • A target machine with Landscape Client registered to your Landscape instance
  • Ubuntu’s Livepatch service installed and running on the target machine (follow the “apply kernel patches without rebooting” tutorial)

Add the Monitoring Script

Duration: 3:00

After you log in to the Landscape dashboard, the Graphs item in the secondary navigation takes you to the page where the shell scripts responsible for custom graphs are organised.

Once there, click Add graph.

Fill out the form on the Add Graph page with the following information:

Title: Livepatches since Reboot

Code:

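#!/bin/bash
# Print how many fixes Livepatch reports as patched.
livepatchstatus() {
  local output
  # Count the lines of the JSON status that contain "Patched": true.
  output=$(/snap/bin/canonical-livepatch status --format json 2>/dev/null | grep -c "\"Patched\": true")
  echo "$output"
}
livepatchstatus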

If you do not wish to use root, any user with a home directory and enough privileges to run the canonical-livepatch CLI tool can be specified for “Run as user”.

Run as user: root

Y-axis title: Livepatches

Select the machines to chart by choosing specific Tags, or by clicking the checkbox for All Computers.

Access group: Global access

Click Save.

You should be able to see Livepatches since Reboot alongside any of the other custom graphs you may have added, in a table.
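
A stricter variant of the graph script above, as an added example that is not part of the original tutorial: it counts "Patched": true entries regardless of how the JSON is laid out across lines, and prints no value when the Livepatch client is missing or its status call fails, so a broken client does not report 0. The sample JSON and the optional path argument are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the tutorial's script. Field names other than "Patched"
# in the samples below are constructed for illustration.

# Constructed sample: indented JSON, one fix per line.
SAMPLE_PRETTY='{
  "Fixes": [
    { "Name": "cve-example-1", "Patched": true },
    { "Name": "cve-example-2", "Patched": false },
    { "Name": "cve-example-3", "Patched": true }
  ]
}'

# Constructed sample: same data, compact. grep -c '"Patched": true' reports 0 here.
SAMPLE_COMPACT='{"Fixes":[{"Name":"cve-example-1","Patched":true},{"Name":"cve-example-2","Patched":false},{"Name":"cve-example-3","Patched":true}]}'

# Count "Patched": true occurrences on stdin, independent of line layout.
count_patched() {
  local n
  # -o prints each match on its own line; || true keeps a zero-match run
  # from failing under `set -o pipefail`.
  n=$({ grep -oE '"Patched"[[:space:]]*:[[:space:]]*true' || true; } | wc -l)
  echo "$((n))"
}

# Print the count only if the client exists and its status call succeeds.
# $1 is an optional client path (hypothetical parameter, used for testing).
livepatch_count() {
  local bin="${1:-/snap/bin/canonical-livepatch}" json
  if [ ! -x "$bin" ]; then
    echo "livepatch client not found: $bin" >&2
    return 1
  fi
  if ! json=$("$bin" status --format json 2>/dev/null); then
    echo "livepatch status command failed" >&2
    return 1
  fi
  printf '%s\n' "$json" | count_patched
}

# Entry point for the graph: emit a value only when the client is installed.
if [ -x /snap/bin/canonical-livepatch ]; then
  livepatch_count
fi
```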

Conclusion

Duration: 1:00

Congratulations! Your Landscape dashboard is producing Livepatch charts of CVEs that have been patched. To see these charts, click Computers in the primary navigation, select several machines, and then click Monitoring.

In this example, one machine has zero live patches, and another machine has 48 live patches.

Next steps
