Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Add Livepatch graphs in Landscape

1. Overview

The Ubuntu Livepatch Service applies critical kernel security patches and does not require an immediate reboot. Livepatch is free for up to 3 machines for personal use and included in the Ubuntu Advantage subscription.

This tutorial will show you how to incorporate Livepatch activity into the Landscape monitoring dashboard. This data is helpful in identifying how many CVEs the Livepatch service has patched in the kernel between maintenance window reboots. Livepatch will assess the existing live patches, if the machine has not been rebooted to finalize previous live patches. In edge cases live patches will be withheld, if there is an incompatibility between a previously applied live patch, and a queued one. The number of live patches that have been applied since the previous reboot are a datapoint that justify why a reboot is necessary.

What you’ll need

  • Administrator access on Landscape On-Premises or Landscape SaaS, to add the monitoring script
  • A target machine with Landscape Client registered to your Landscape instance
  • Install and run Ubuntu’s Livepatch service on a target machine, by following the “apply kernel patches without rebooting” tutorial

2. Add the Monitoring Script

When logging into the Landscape dashboard, the secondary navigation for Graphs takes you to the page in Landscape where shell scripts responsible for custom graphs are organised.

Once there, click Add graph.

Fill out the form on the Add Graph page with the following information:

Title: Livepatches since Reboot

Code:

#!/bin/bash
livepatchstatus() {
  local output
  output=$(/snap/bin/canonical-livepatch status --format json 2>/dev/null | grep -c "\"Patched\": true")
  echo "$output"
}
livepatchstatus

Any user with a home directory, with enough privileges to run the canonical-livepatch CLI tool can be specified for the “Run as user”, if you do not wish to use root.

Run as user: root

Y-axis title: Livepatches

Make a selection according to the machines of your choice to chart by selecting specific Tags, or clicking the checkbox for All Computers.

Access group: Global access

Click Save.

You should be able to see Livepatches since Reboot alongside any of the other custom graphs you may have added, in a table.


3. Conclusion