Livepatch has fixed kernel vulnerabilities. Or not???
Keith
keithw at caramail.com
Mon Mar 27 18:01:33 UTC 2023
On 3/27/23 3:01 AM, Bo Berglund wrote:
> On Sun, 26 Mar 2023 10:50:40 +0200, Bo Berglund <bo.berglund at gmail.com> wrote:
>
>> I saw this yesterday when I logged on via SSH to my Ubuntu Server 20.04.6 LTS:
>>
>> *** Livepatch has fixed kernel vulnerabilities. System restart recommended on
>> the closest maintenance window ***
>>
>> Today was the possible "maintenance window" so I rebooted the server.
>>
>> Now when I log on *after* the reboot I see this greeting:
>>
>> -------------
>> Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-89-generic x86_64)
>>
>> System information as of Sun 26 Mar 2023 09:56:23 AM CEST
>>
>> System load: 0.04 Users logged in: 0
>> Usage of /home: 80.1% of 258.81GB IPv4 address for eth0: 192.168.xxx.yyy
>> Memory usage: 6% IPv4 address for tun0: 10.8.0.1
>> Swap usage: 0% IPv4 address for tun1: 10.8.139.1
>> Processes: 247
>>
>> Expanded Security Maintenance for Applications is enabled.
>>
>> 0 updates can be applied immediately.
>>
>> New release '22.04.2 LTS' available.
>> Run 'do-release-upgrade' to upgrade to it.
>>
>>
>> *** Livepatch has fixed kernel vulnerabilities. System restart recommended on
>> the closest maintenance window ***
>> -------------
>>
>> What gives?
>> Do I have to do multiple reboots to get this done, if so why?
>> Otherwise: What should I do now?
>>
>
> I found this thread about the same issue:
> https://askubuntu.com/questions/1411986/livepatch-behaviour-and-restart-in
>
> It suggests doing this to solve it:
> apt update && apt full-upgrade -y && sudo reboot
>
> But that is exactly what I have done multiple times and the message still
> persists! I have rebooted twice to no avail.
>
> What is going on and why does it not stop????
>
>
Hi Bo

You can use the pro and/or canonical-livepatch commands to figure out
what the status is on kernel patches and reboot requirements.

$ pro security-status
$ pro system reboot-required
$ canonical-livepatch status --verbose
# canonical-livepatch refresh downloads and applies kernel patches
$ canonical-livepatch kernel-upgrade-required; echo $?

Exit code of 0 means restart is necessary
Exit code of 1 means restart is not necessary, but recommended at later time
Exit code of 2 means no restart is necessary.

Some "turn it off/turn it back on" level things to try:

1. Disable the livepatch service and reboot. See if motd updates and
still indicates a system restart. If not, re-enable service and see if
issue comes back. If a system restart is indicated even with livepatch
disabled, then the problem is somewhere else.

$ sudo pro disable livepatch
$ sudo pro enable livepatch

2. Disable the etc-update-motd-d plugin for the canonical-livepatch snap

$ sudo snap disconnect canonical-livepatch:etc-update-motd-d --forget

That should remove
/etc/update-motd.d/99-livepatch-kernel-upgrade-required script which is
generating the motd restart message but still leave livepatch enabled.
Re-enable the plugin and then logout/login to see if issue persists

$ sudo snap connect canonical-livepatch:etc-update-motd-d

3. Check the /var/run/ directory to see if reboot-required and
reboot-required.pkgs files are in there. Check the pkgs file and see
what packages are listed. Verify they are installed correctly. The
"dpkg -V <packagename>" command will help here.

If there are no reboot files in /var/run, then I'm out of ideas.
Probably should file a bug against the canonical-livepatch client. Might
make an inquiry on another venue like Ubuntu Forums, Ubuntu community
discourse server, or AskUbuntu also.
--
Keith
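
Step 3 of the message above as a script, added here as an example and not part of the original post: it reports the reboot flag files, runs dpkg -V on each listed package and, going one step beyond the message, compares the running kernel with the newest image in /boot. The function names and the directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: defaults are the real paths; arguments allow a test tree.

# Print unique package names from reboot-required.pkgs.
# Returns 1 when the reboot-required flag file is absent.
reboot_pkgs() {
    run_dir="${1:-/var/run}"
    [ -e "$run_dir/reboot-required" ] || return 1
    [ -r "$run_dir/reboot-required.pkgs" ] || return 0
    sort -u "$run_dir/reboot-required.pkgs" | sed '/^[[:space:]]*$/d'
}

# Print the newest kernel version that has a vmlinuz image in the boot dir.
newest_installed_kernel() {
    boot_dir="${1:-/boot}"
    ls "$boot_dir" 2>/dev/null | sed -n 's/^vmlinuz-//p' | sort -V | tail -n 1
}

# Report flag state, dpkg -V result per listed package, and kernel versions.
reboot_triage() {
    run_dir="${1:-/var/run}"; boot_dir="${2:-/boot}"; running="${3:-$(uname -r)}"
    if pkgs=$(reboot_pkgs "$run_dir"); then
        echo "reboot-required: present"
        for p in $pkgs; do
            if command -v dpkg >/dev/null 2>&1; then
                # dpkg -V prints nothing when the installed files verify cleanly
                out=$(dpkg -V "$p" 2>&1) && [ -z "$out" ] && s="ok" || s="check: $out"
            else
                s="dpkg not available"
            fi
            echo "  $p: $s"
        done
    else
        echo "reboot-required: absent"
    fi
    newest=$(newest_installed_kernel "$boot_dir")
    echo "running kernel: $running"
    echo "newest installed kernel: ${newest:-unknown}"
    if [ -n "$newest" ] && [ "$running" != "$newest" ]; then
        echo "kernel mismatch: the running kernel is not the newest installed image"
    fi
    return 0
}

reboot_triage "$@"
```

A reboot flag that survives a restart together with a kernel mismatch points at the boot configuration or the installed kernel packages rather than at the motd script.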