Fancy having critical Linux kernel patches automatically applied to your Ubuntu system—without having to reboot your computer? We describe how to use Canonical’s Livepatch Service to do just that.

What Is Livepatch and How Does It Work?

As Canonical’s Dustin Kirkland explained several years ago, Canonical Livepatch uses the Kernel Live Patching technology built into the standard Linux kernel. Canonical’s Livepatch website notes that massive corporations like AT&T, Cisco, and Walmart use it.

It’s free for personal use on up to three computers—according to Kirkland, these can be “desktops, servers, virtual machines, or cloud instances.” Organizations can use it on more systems with a paid Ubuntu Advantage subscription.

Kernel Patches Are Necessary But Inconvenient

Linux kernel patches are a fact of life. Keeping your system secure and patched up to date is vital in the inter-connected world we live in. But having to reboot your computer to apply kernel patches can be a pain. Especially if the computer is providing some sort of service to users and you have to co-ordinate or negotiate with them to take the service off-line. And there’s a multiplier. If you maintain several Ubuntu machines, at some point you have to bite the bullet and do each one in turn.

The Canonical Livepatch Service removes all of the aggravation of keeping your Ubuntu systems up to date with critical kernel patches. It’s easy to set up—either graphically or from the command line—and it takes one more chore off your shoulders.

Anything that reduces maintenance efforts, boosts security, and reduces downtime has to be an attractive proposition, right? Yes, but there are some caveats.

  • You must be using a Long Term Support (LTS) release of Ubuntu such as 16.04 or 18.04. The most recent LTS version is 18.04, so that’s the version we’re going to use here.
  • It must be a 64-bit version.
  • You must be running Linux Kernel 4.4 or higher.
  • You need to have an Ubuntu One account. Remember them? If you don’t have an Ubuntu One account, you can sign up for a free account.
  • You can use the Canonical Livepatch Service at no cost, but you’re limited to three computers per Ubuntu One account. If you have to maintain more than three computers, you’ll need additional Ubuntu One accounts.
  • If you have physical, virtual, or cloud-hosted servers to look after, you’ll need to become an Ubuntu Advantage customer.
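
The technical prerequisites in the list above (LTS release, 64-bit, kernel 4.4 or higher) can be checked before enrolling a machine. This is an added example, not part of the original article or of Canonical's tooling; the function names are hypothetical, and it assumes that getconf LONG_BIT reports the word size and that /etc/os-release carries "LTS" in its VERSION line.

```sh
#!/bin/sh
# Added example: pre-flight check for the Livepatch prerequisites listed above.
# Function names are hypothetical. Inputs are arguments so each check can be
# exercised against constructed values as well as the live host.

# True if a kernel release string (as printed by `uname -r`) is 4.4 or higher.
kernel_ok() {
    case $1 in
        [0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    kmajor=${1%%.*}                  # "4.15.0-66-generic" -> "4"
    kminor=${1#*.}                   # -> "15.0-66-generic"
    kminor=${kminor%%[!0-9]*}        # -> "15"
    case $kmajor in *[!0-9]*) return 1 ;; esac
    [ -n "$kminor" ] || return 1
    [ "$kmajor" -gt 4 ] || { [ "$kmajor" -eq 4 ] && [ "$kminor" -ge 4 ]; }
}

# True if the word size (as printed by `getconf LONG_BIT`) is 64.
bits_ok() { [ "$1" = "64" ]; }

# True if an os-release file describes an Ubuntu LTS release.
# Assumption: LTS releases carry "LTS" in the VERSION= line.
lts_ok() {
    grep -qs '^ID=ubuntu$' "$1" && grep -qs '^VERSION=.*LTS' "$1"
}

# Run all three checks, print each failure, return the number of failures.
livepatch_preflight() {
    fails=0
    kernel_ok "$1" || { echo "kernel '$1' is older than 4.4"; fails=$((fails + 1)); }
    bits_ok "$2"   || { echo "system is not 64-bit (LONG_BIT='$2')"; fails=$((fails + 1)); }
    lts_ok "$3"    || { echo "$3 does not describe an Ubuntu LTS release"; fails=$((fails + 1)); }
    return "$fails"
}

# Check the machine this script runs on.
livepatch_preflight "$(uname -r)" "$(getconf LONG_BIT)" /etc/os-release \
    && echo "Livepatch prerequisites met"
```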

Getting an Ubuntu One Account

Whether you’re going to set up the Livepatch Service through the graphical user interface (GUI) or via the command-line interface (CLI), you must have an Ubuntu One account. This is required because the operation of the Livepatch Service depends on a private key that is issued to you, and tied to your Ubuntu One account.

  • If you set up the Livepatch Service using the GUI, you won’t see your key. It is still required and used, but it is all handled in the background for you.
  • If you set up your Livepatch Service via the terminal, you’ll need to copy and paste your key from your browser to the command line.

If you don’t have an Ubuntu One account, you can create one at no cost.

Enabling the Canonical Livepatch Service Graphically

To launch the graphical setup interface, press the “Super” key. This is located between the “Control” and “Alt” keys on the lower-left of most keyboards. Search for “livepatch.”

When you see the Livepatch icon, click the icon or press “Enter”.

The “Software and Updates” dialog window will appear with the Livepatch tab selected. Click the “Sign in” button. You are reminded that you need an Ubuntu One account.

Click the “Sign in / Register” button.

The Ubuntu Single Sign-On Account dialog window appears. Canonical uses the terms “Ubuntu One” and “Single Sign-On” interchangeably. They mean the same thing. Officially “Single Sign-On” was replaced by “Ubuntu One”, but the old name lingers on.

Enter your account details and click the “Connect” button. You can also use this dialog window to register for an account if you have not already created one.

You will be prompted for your password.

Enter your password and click the “Authenticate” button. A dialog window shows you the email address associated with the Ubuntu One account you’re going to use.

Make sure it is correct and click the “Continue” button.

You’ll be asked for your password once more. After a few seconds, the Livepatch tab in the “Software and Updates” dialog window will update to show that Livepatch is live and active.

A new shield icon will appear in the tool notification area, close to the networking, sound, and power icons. The green circle with the tick tells you all is well. Click the icon to access the menu.

We are told that Livepatch is on, and there are no current updates.

The “Livepatch settings” option will open the “Software and Updates” dialog window at the Livepatch tab.

That’s it; you’re all done.

Enabling the Canonical Livepatch Service using the CLI

You’re going to need an Ubuntu One account. If you don’t have one, you’ll have the opportunity to create one. They’re free, and it only takes a moment.

Some of the steps we need to perform are web-based, so this isn’t a truly CLI-only method. We start by visiting the Canonical Livepatch Service web page in order to obtain our secret key or “token.”

Select the “Ubuntu User” radio button and click the “Get Your Livepatch Token” button.

You’re prompted to log in to your Ubuntu One account.

  • If you have an account, enter the email address you used to set up the account, and select the “I have an Ubuntu One account, and my password is:” radio button.
  • If you don’t have an account, enter your email address and select the “I don’t have an Ubuntu One account” radio button. You will be guided through the account creation process.

Once your Ubuntu One account has been verified, you’ll see the Managed live kernel patching web page. Your key will be displayed.

Keep the web page with your key on it open and open a terminal window. Use this command in the terminal window to install the Livepatch service daemon:

sudo snap install canonical-livepatch

When the installation is finished, you’ll need to enable the service. You’ll need the key from the “Managed live kernel patching” web page.

You need to copy and paste the key to the command line. Highlight the key on the web page, right-click it, and select “Copy” from the context menu. Or you can highlight the key and press “Ctrl+C.”

Type the following command in the terminal window, but don’t press “Enter.”

sudo canonical-livepatch enable

Then type a space, and right-click and select “Paste” from the context menu. Or you can press “Ctrl+Shift+V.” You should see the command you just typed, a space, and the key from the web page.

On the test machine used to research this article it looked like this:

Press “Enter.”

If all goes well, you’ll see a verification message from Livepatch telling you that the computer has been enabled for kernel patching. It will also show another long key; this is the “machine-token.”

What just happened is:

  • You’ve obtained your Livepatch key from Canonical.
  • You can use it on three computers. You’ve used it on one computer so far.
  • The machine-token that was generated for this computer—using your key—is the machine-token displayed in this message.

If you check the Livepatch tab in the “Software and Updates” dialog window, you’ll see that Livepatch is enabled and active.

Checking the Status of Livepatch

You can make Livepatch give you a status report using the following command:

sudo canonical-livepatch status

The status report contains:

  • client-version: The software version of Livepatch.
  • architecture: The CPU architecture of the computer.
  • cpu-model: The type and model of the Central Processing Unit (CPU) in the computer.
  • last-check: The time and date that Livepatch last checked to see if there were any critical kernel updates available for download.
  • boot-time: The time this computer was last powered on.
  • uptime: The duration this computer has been powered on.

The status block tells us:

  • kernel: The version of the current kernel.
  • running: Whether Livepatch is running or not.
  • checkstate: Whether Livepatch has checked for kernel patches.
  • patchState: Whether there are any critical kernel patches that need to be installed.
  • version: The version of the kernel patches, if any, that need to be applied.
  • fixes: The fixes contained in the kernel patches.
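
The fields described above lend themselves to an automated health check, so that a host where Livepatch has stopped running or a patch did not apply is noticed. This is an added example, not from the original article or from Canonical; the function names are hypothetical, the sample report is constructed, and the values tested ("true", "checked", "applied", "nothing-to-apply") are assumptions about the client's output.

```sh
#!/bin/sh
# Added example: turn `canonical-livepatch status` output into a pass/fail check.
# Function names are hypothetical. The field values tested below ("true",
# "checked", "applied", "nothing-to-apply") are assumptions about the client output.

# Constructed sample report (placeholder values, not captured from a real host).
SAMPLE_STATUS='client-version: "0.0.0"
architecture: x86_64
last-check: 2019-01-01T00:00:00Z
status:
- kernel: 4.15.0-00.00-generic
  running: true
  livepatch:
    checkState: checked
    patchState: nothing-to-apply
    version: ""
    fixes: ""'

# Print the value of the first "key: value" line on stdin whose key matches $1
# (case-insensitive, ignoring indentation and a leading list dash).
status_field() {
    awk -v want="$1" '
        { i = index($0, ":"); if (i == 0) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ -]+/, "", k); gsub(/^ +| +$|"/, "", v) }
        tolower(k) == tolower(want) { print v; exit }'
}

# Read a status report on stdin; print a one-line verdict, return 1 on any problem.
livepatch_health() {
    report=$(cat)
    running=$(printf '%s\n' "$report" | status_field running)
    check=$(printf '%s\n' "$report" | status_field checkstate)
    patch=$(printf '%s\n' "$report" | status_field patchstate)
    [ "$running" = "true" ] || { echo "ALERT: running=$running"; return 1; }
    [ "$check" = "checked" ] || { echo "ALERT: checkState=$check"; return 1; }
    case $patch in
        applied|nothing-to-apply) echo "OK: patchState=$patch" ;;
        *) echo "ALERT: patchState=$patch"; return 1 ;;
    esac
}

# Demonstration on the sample; on a real host use:
#   sudo canonical-livepatch status | livepatch_health
printf '%s\n' "$SAMPLE_STATUS" | livepatch_health
```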

Forcing Livepatch to Update Now

The whole point of Livepatch is to provide a managed update service, meaning you don’t need to think about it. It’s all done for you. But if you want to, you can force Livepatch to check for kernel patches (and to apply any it finds) with the following command:

sudo canonical-livepatch refresh

Livepatch tells you the version of the kernel before and after the refresh. There was nothing to be applied in this example.

Less Friction, More Security

Security friction is the pain or inconvenience associated with implementing, using, or maintaining a security feature. If the friction is too high, the security suffers because the feature isn’t used or maintained. Livepatch takes all the friction out of applying critical kernel updates, keeping your kernel as secure as possible.

That’s longhand for “win, win.”

Translated from: https://www.howtogeek.com/446140/how-to-use-canonicals-livepatch-service-on-ubuntu/
