Apply kernel patches without rebooting

Summary: Learn how to install and run Ubuntu’s Livepatch service to get critical kernel patches without rebooting.
Categories: server
Difficulty: 1

Overview

Duration: 1:00

The Ubuntu Livepatch Service applies critical kernel security patches without rebooting. This is especially useful in production environments and for services where downtime is disruptive.

Livepatch is free for up to 5 machines with an Ubuntu Pro subscription.

This tutorial will show you how to enable this service on your Ubuntu system.

What you’ll need

  • A computer running Ubuntu LTS with an Internet connection
  • Ubuntu Pro subscription
  • Some basic command-line knowledge

Getting the Ubuntu Pro token

Duration: 1:00

In order to use this service, you have to attach your subscription via the Ubuntu Pro token. On public cloud marketplace Pro instances the subscription is already attached and you should skip this step.

To attach a subscription, visit the Pro dashboard.

The dashboard shows your subscription credentials and instructions for applying them to the system. Follow the instructions and attach the system to your Ubuntu Advantage or Free subscription. It is as simple as:

$ sudo pro attach [TOKEN]

Enabling Livepatch

Duration: 1:00

Livepatch is enabled by default when attaching a subscription. You can verify your subscription status with the pro status command.

If Livepatch is disabled, you can enable it with the following command:

$ sudo pro enable livepatch

You can ensure that the Livepatch service is working properly by running:

$ canonical-livepatch status --verbose
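The verification steps above can be scripted for unattended checks. The following is an added example, not Canonical's code: `assess` and `find_livepatch` are hypothetical helper names, and the JSON field names (`attached`, `services`, `name`, `status`) are an assumed layout of `pro status --format json`, shown with a constructed sample. The `/snap/bin` fallback covers the case reported in the comments further down this page, where a user's PATH lacks that directory.

```python
import json
import os
import shutil
import subprocess

SNAP_BIN = "/snap/bin"  # directory where snapd exposes canonical-livepatch

# Constructed sample, trimmed to the fields used here (assumed layout of
# `pro status --format json`; not captured from a real machine).
SAMPLE = json.dumps({"attached": True, "services": [
    {"name": "esm-infra", "entitled": "yes", "status": "enabled"},
    {"name": "livepatch", "entitled": "yes", "status": "disabled"}]})


def find_livepatch(path_env=None, snap_bin=SNAP_BIN):
    """Resolve canonical-livepatch, falling back to snap_bin if PATH lacks it."""
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    found = shutil.which("canonical-livepatch", path=path_env)
    if found:
        return found
    candidate = os.path.join(snap_bin, "canonical-livepatch")
    return candidate if os.access(candidate, os.X_OK) else None


def assess(pro_status_json):
    """Map pro status JSON to: ok, not-attached, not-listed, or the raw status."""
    doc = json.loads(pro_status_json)
    if not doc.get("attached"):
        return "not-attached"
    for svc in doc.get("services", []):
        if svc.get("name") == "livepatch":
            status = svc.get("status", "unknown")
            return "ok" if status == "enabled" else status
    return "not-listed"


if __name__ == "__main__":
    print("sample verdict:", assess(SAMPLE))  # constructed input
    if shutil.which("pro"):
        out = subprocess.run(["pro", "status", "--format", "json"],
                             capture_output=True, text=True, check=True).stdout
        print("this host:", assess(out))
    binary = find_livepatch()
    if binary is None:
        print("canonical-livepatch not found in PATH or", SNAP_BIN)
    else:
        # Call by absolute path so a user PATH without /snap/bin still works.
        subprocess.run([binary, "status", "--verbose"], check=False)
```

Any verdict other than `ok` means the host is not receiving live kernel patches and should be followed up with `pro status` on that machine.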

Conclusion

Duration: 1:00

Congratulations, you now have zero-downtime kernel patching on your system!

Next steps

If you have a problem, we’re ready to help! Check the following links:

Further reading

Please also mention that these instructions are applicable to Ubuntu Pro instances or otherwise make reference to Ubuntu Pro.

$ canonical-livepatch status --verbose

no longer works - it needed:

/snap/bin/canonical-livepatch status --verbose

Then something broke on your system, /snap/bin is usually in the PATH on all official Ubuntu and all official Ubuntu flavour (xubuntu, kubuntu, lubuntu, UbuntuStudio) installations …


It was an upgrade from 20.04 LTS to 22.04 LTS. I checked my user path and no /snap/bin. On the other hand root’s path did include /snap/bin.

A somewhat missing part in this document:

canonical-livepatch status --verbose

tells me that my kernel is not supported by Canonical.

This is kind of surprising for me as I never installed a specific kernel.
Would be great to know how to change that. I am currently using:

kernel: 5.19.0-42.43~22.04.1-generic