How to check the Livepatch client status

Once canonical-livepatch, the livepatch client, is running on a machine, it will periodically (every hour by default) check for new patches.

To show the current state of the client, run:

$ canonical-livepatch status

Example output:

last check: 52 seconds ago
kernel: 5.4.0-216.236-generic
server check-in: succeeded
kernel state: ✓ kernel series 5.4 is covered by Livepatch
patch state: ✓ all applicable livepatch modules inserted
patch version: 113.1
tier: updates (Free usage; This machine beta tests new patches.)
machine id: {alpha-numeric-string}

The kernel state line indicates the current support status for your running kernel:

  • ✓ kernel series {kernel-series} is covered by Livepatch

    The kernel series (e.g. 5.4) is still supported by Canonical. Livepatches are available for this series until the support window ends.

  • ✓ kernel {kernel-version} is covered by Livepatch until {date}, please install available kernel updates and reboot before then

    This specific kernel version (e.g. 5.4.0-216.236-generic) is covered until the given date (its SRU end-of-support date). You must install updates and reboot before then to stay covered.

  • ✗ kernel is not covered by Livepatch

    The running kernel version is not supported by Canonical Livepatch. Consider upgrading to a supported kernel.

  • ✗ kernel is no longer covered by Livepatch

    This kernel has reached end of life and no longer receives livepatches. Upgrade to a newer kernel.

  • ✗ Livepatch coverage has ended; please upgrade the kernel and reboot

    Coverage has ended and no SRU date was provided. An upgrade is required.

  • ✗ Livepatch coverage ended {date}; please upgrade the kernel and reboot

    Coverage has ended as of the specified date. Upgrade to continue receiving patches.

  • ✗ unable to determine kernel support status; please contact Canonical support

    An unexpected error occurred. Please file a bug or contact Canonical support.

The patch state line can also have one of several values:

  • ⧗ livepatches are installed, but the module is not yet applied

    A patch has been downloaded but not yet applied.

  • ⧗ patching the kernel

    A patch is currently being applied.

  • ✓ no livepatches available for kernel {kernel-version}

    No patches exist yet for the kernel with the specified version.

  • ✓ all applicable livepatch modules inserted

    All available patches for this kernel are applied.

  • ✗ module inserted but kernel bug detected

    The kernel reported an error after applying the patch.

  • ✗ the application caused a crash last time it was applied, check system logs with journalctl -f -u snap.canonical-livepatch.canonical-livepatchd

    An earlier patch attempt caused a crash.

  • ✗ unknown error occurred, please check system logs with journalctl -f -u snap.canonical-livepatch.canonical-livepatchd

    An unexpected error occurred.

  • ✗ kernel {kernel-version} contains a vulnerability that cannot be livepatched, please upgrade and reboot

    This kernel has an unpatchable vulnerability. An upgrade is required.

  • ✓ kernel upgraded after a reboot

    The kernel was recently upgraded and rebooted successfully.

  • ✗ failed to verify the signature of the livepatch kernel module

    Signature verification failed. The patch was not applied.

  • ✗ failed to extract information about the livepatch kernel module

    Patch metadata could not be read.

  • ✗ failed to load certificate used to verify the signature of the livepatch kernel module

    The required certificate could not be loaded.

If livepatches have been applied, the status output includes a patch version field (for example, patch version: 113.1, as in the status output above).

Patch versions map directly to Ubuntu Livepatch Security Notices (LSN) published in the format LSN-<version>. The notices describe the vulnerabilities that were resolved in that version.

You can retrieve the corresponding LSN by mapping the version to the LSN identifier. For example:

Note: LSN identifiers are zero-padded (e.g. 113.1 maps to LSN-0113-1).
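
The kernel state and patch state markers and the version-to-LSN mapping described above can be checked from a monitoring script. The following is an added example, not part of the Livepatch client or its documentation. It assumes the humane "key: value" layout of the example output above and four-digit zero-padding inferred from the single mapping given (113.1 maps to LSN-0113-1). The function names are hypothetical.

```shell
# Added example (not Canonical's code). Assumes the humane "key: value" layout
# shown in the example output on this page. Sample below is taken from that output.
SAMPLE='kernel: 5.4.0-216.236-generic
kernel state: ✓ kernel series 5.4 is covered by Livepatch
patch state: ✓ all applicable livepatch modules inserted
patch version: 113.1'

# Map a patch version to its LSN identifier (113.1 -> LSN-0113-1).
# Assumption: four-digit zero-padding, inferred from the page's one example.
lsn_id() {
    case "$1" in
        *[!0-9.]*|*.*.*|.*|*.|"") return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F. '{ printf "LSN-%04d-%d\n", $1, $2 }'
}

# Grade a state line by its marker. A "covered ... until {date}" kernel line
# carries ✓ but still needs an upgrade and reboot, so it is graded separately.
state_level() {
    case "$1" in
        "✓"*" until "*) echo expiring ;;
        "✓"*) echo ok ;;
        "⧗"*) echo pending ;;
        "✗"*) echo fail ;;
        *) echo unknown ;;
    esac
}

# Print the value of field $2 from status text $1.
field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Print a one-line summary; return 0 (ok), 1 (action pending) or 2 (failure).
check_status() {
    kernel=$(state_level "$(field "$1" 'kernel state')")
    patch=$(state_level "$(field "$1" 'patch state')")
    lsn=$(lsn_id "$(field "$1" 'patch version')") || lsn=none
    printf 'kernel=%s patch=%s lsn=%s\n' "$kernel" "$patch" "$lsn"
    case "$kernel,$patch" in
        ok,ok) return 0 ;;
        ok,pending|expiring,ok|expiring,pending) return 1 ;;
        *) return 2 ;;
    esac
}

check_status "$SAMPLE"   # live use: check_status "$(canonical-livepatch status)"
```

The return codes follow the common monitoring-plugin convention (0 OK, 1 warning, 2 critical), so a missing or unrecognised state line is treated as a failure rather than silently passing.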

The canonical-livepatch status command accepts flags that change the output format:

  • --summary shows a concise summary (similar to default output).

  • --verbose shows extended details such as client version, architecture, boot time, and applied CVEs.

  • --show-secrets shows sensitive machine tokens (requires sudo).

  • --format <format> chooses the output format. Supported values:

    • humane (default, human-readable with minimal detail)

    • json (machine-readable JSON with extra metadata like architecture, CPU model, boot time, uptime, patch tier, etc.)

    • yaml (machine-readable YAML with extra metadata similar to JSON output)
