Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Managing Livepatch on-prem

This article was last updated 1 year ago.

Ubuntu Livepatch is the service and the software that enables organizations to quickly patch vulnerabilities on the Linux kernel. It enables uninterrupted service while reducing fire drills during high and critical severity kernel vulnerabilities. With Ubuntu Livepatch on-prem we enhance our service to enable enterprises manage on private or public cloud their livepatched systems.

In this post, we will introduce Ubuntu Livepatch on-prem and look into how it can be deployed for your organization, as well as answer some of the most commonly asked questions.

On-prem kernel livepatching

Complex enterprise environments often follow policies that require a gradual roll-out of updates to reduce risk, or have high-security isolated environments that need to be updated. Livepatch on-prem allows an organization to define a roll-out policy and remain in full control of which machines will get updated and when. The Livepatch on-prem server is a middle-man service that regularly syncs with the Ubuntu Livepatch service to gather the latest kernel livepatches. It then deploys the patches gradually in as many stages as required, following the organizational policy.

How to deploy Livepatch on-prem

The service is easily deployable with juju on any environment from the public cloud of your choice to a private cloud using the model-driven juju framework. Once deployed it connects to the Ubuntu Livepatch service with an Ubuntu Advantage token, and can be configured to perform patch deployment according to a predefined set of policies.

How to manage livepatches

The deployment of the livepatches is performed in multiple tiers. The systems on the first tier receive the available patches unconditionally. The next tiers serve as promotion tiers where patches are promoted by the administrator. That approach allows for a risk-based deployment that keeps the most important systems as the last tier, as well as for cohort deployment where clusters of systems are patched gradually to keep the expected availability. The livepatch client systems are associated with a tier by assigning them the corresponding token for that tier, a token issued by the on-prem server.

Let’s take an example. An administrator can configure an incoming tier –let’s call it Tier 1– where livepatches get applied as they come from the Ubuntu Livepatch service, and a promotion tier –Tier 2– that the administrator can promote patches to once the criteria she set for promotion are met. That simple scenario is depicted graphically below.

That simple association of a livepatch client to a tier allows for complex policy definitions and scenarios to deploy.

How many clients can an on-prem server handle?

The server can handle thousands of clients in a single CPU core system, and it requires access to storage space of a few gigabytes, to store the patches. There are multiple supported storage backends, such as the local filesystem, OpenStack Object Storage (Swift), S3, minio or postgresql. You can find more detailed instructions on deploying and configuring livepatch on-prem on our website.

How can I access Livepatch on-prem?

Livepatch on-prem is available with an Ubuntu Advantage subscription.

Where can I find more information about livepatch on-prem?

The complete documentation of Livepatch on-prem service is available on Ubuntu Livepatch website.


Livepatch on-prem enables your organization to follow its own roll-out policies while taking advantage of Livepatching across your portfolio. Livepatching not only improves your infrastructure’s security posture but greatly reduces downtime and unplanned maintenance windows due to high and critical severity kernel vulnerabilities. If you would like to know more about Livepatch on-prem and how it could be implemented for you, get in touch!

Ubuntu cloud

Ubuntu offers all the training, software infrastructure, tools, services and support you need for your public and private clouds.

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Related posts

Livepatch has a new 13-month sliding support window – What does it mean for you?

The Livepatch tool is a valuable solution for resolving critical and high-security kernel CVEs without requiring an immediate system reboot. However, it is...

Canonical Livepatch gets even better – Now supporting Hardware Enablement Kernels

Livepatch allows Ubuntu users to fix critical and high kernel vulnerabilities at runtime, which reduces the need for unplanned reboots. Until now, Livepatch...

An overview of machine learning security risks

Data is at the heart of all machine learning (ML) initiatives – and bad actors know it. As AI continues to occupy the limelight of modern tech discourse, ML...