DevOpsil
Linux
89%
Needs Review

Ubuntu Zero-Downtime Patching: Unattended Upgrades, Livepatch, and USN Tracking

Raafay AsifRaafay Asif5 min read

Unpatched Servers Are a When, Not an If

The 2017 WannaCry ransomware exploited EternalBlue — a vulnerability that had been patched for two months before the attack. The machines it hit weren't unpatched because admins were negligent; they were unpatched because rebooting production is friction, and friction leads to drift.

Ubuntu gives you two tools to close this gap: unattended-upgrades for most CVEs (which require a reboot) and Canonical Livepatch for kernel vulnerabilities that don't. Together they cover the majority of critical security fixes with zero planned maintenance windows.


How Ubuntu Security Updates Work

Ubuntu publishes security updates through the <distro>-security pocket. When you run apt upgrade, you're pulling from that pocket along with regular updates. The Ubuntu Security Team publishes advisories as Ubuntu Security Notices (USN) — each USN maps to one or more CVEs and the exact package versions that fix them.

# See which packages have pending security updates right now
apt list --upgradable 2>/dev/null | grep -i security

# Or use the unattended-upgrades dry run
sudo unattended-upgrade --dry-run 2>&1 | grep Packages

Configuring Unattended Upgrades Properly

unattended-upgrades is installed by default on Ubuntu server. The default config applies security updates automatically but the defaults are conservative. Here's a production-ready configuration.

Edit /etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    // Remove the comments below to also apply ESM patches (Pro subscription)
    // "${distro_id}ESMApps:${distro_codename}-apps-security";
    // "${distro_id}ESM:${distro_codename}-infra-security";
};

// Blacklist packages that should never auto-update
Unattended-Upgrade::Package-Blacklist {
    // "linux-image-*";   // Leave kernel updates to Livepatch
    // "postgresql-*";    // Database major version updates need planning
};

Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";

// Send email on upgrade or error
Unattended-Upgrade::Mail "[email protected]";
Unattended-Upgrade::MailOnlyOnError "false";

Edit /etc/apt/apt.conf.d/20auto-upgrades to set the schedule:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

The "1" values mean daily. Check the schedule is active:

sudo systemctl status apt-daily.timer apt-daily-upgrade.timer

Canonical Livepatch: Kernel Patches Without Reboots

Livepatch patches the running kernel in memory. Critical kernel CVEs like privilege escalation, container escapes, and local root vulnerabilities get fixed without rebooting — exactly what you want for production hosts.

Livepatch is free for up to 5 machines with a free Ubuntu Pro personal subscription. For larger fleets, Ubuntu Pro covers it (also free for open source projects and personal use up to 5 nodes).

# Step 1: Get an Ubuntu Pro token at ubuntu.com/pro
# Step 2: Attach the subscription
sudo pro attach <your-token>

# Step 3: Enable Livepatch
sudo pro enable livepatch

# Verify it's running
sudo canonical-livepatch status --verbose

Output example:

running: true
kernel: 6.8.0-52-generic #53-Ubuntu
fully-patched: true
version: 110.1

Check what patches have been applied live:

sudo canonical-livepatch status | grep -A5 "patches"

Ubuntu Pro ESM: Extended Security Maintenance

Ubuntu 24.04 LTS is supported until April 2029. With Ubuntu Pro's ESM (Extended Security Maintenance), that extends to 2034. ESM also covers the universe repository packages — the ~30,000 community packages that standard support doesn't cover but that your application likely depends on.

# After attaching Pro, enable ESM
sudo pro enable esm-infra
sudo pro enable esm-apps

# Now check USN coverage
sudo pro security-status

The security-status command shows every installed package, whether it's CVE-free, and which service (standard, esm-infra, esm-apps) covers it.


Monitoring: USN Tracking and CVE Awareness

Don't wait for your package manager to tell you about vulnerabilities. Subscribe to the USN mailing list or check programmatically:

# Check if a specific CVE affects your installed packages
ubuntu-security-status --usn USN-7001-1

# Or use the oval data to check CVEs
sudo apt install oval-xml -y
oval-check --cve CVE-2024-1234

The Ubuntu security tracker at ubuntu.com/security/cves lets you look up any CVE and see its status across all Ubuntu releases.

For fleet-level monitoring, expose /var/lib/apt/lists/* parsing or use apticron:

sudo apt install apticron -y
# Configure /etc/apticron/apticron.conf with your email
# apticron will send daily emails listing pending security updates

Tracking Reboot Requirements

Some security patches require a reboot to take effect. Ubuntu signals this clearly:

# Check if a reboot is required
ls /var/run/reboot-required 2>/dev/null && echo "REBOOT REQUIRED"

# See which packages triggered it
cat /var/run/reboot-required.pkgs 2>/dev/null

In a cron job or monitoring check:

#!/bin/bash
if [ -f /var/run/reboot-required ]; then
    echo "Reboot required on $(hostname) for packages:"
    cat /var/run/reboot-required.pkgs
fi

Add this to your monitoring pipeline so reboot-required states don't silently accumulate.


The Patching Stack Summary

LayerToolCovers
Userspace packagesunattended-upgradesglibc, openssl, curl, etc.
Kernel CVEsCanonical LivepatchPrivilege escalation, container escapes
Universe packagesUbuntu Pro ESM AppsThird-party/community packages
Reboot signaling/var/run/reboot-requiredAnything requiring restart
Visibilitypro security-statusFull fleet CVE inventory

With this stack running, your Ubuntu servers apply security patches within 24 hours of publication — no maintenance windows, no manual intervention, and kernel vulnerabilities patched without a reboot. The gap between "patch available" and "patch applied" drops from weeks to hours.

Share:

Was this article helpful?

Raafay Asif
Raafay Asif

Linux Systems Engineer

Everything runs on Linux — I make sure it runs well. From kernel tuning to systemd debugging, I live in the terminal. If your server is misbehaving, I've probably seen that exact dmesg output before.

Related Articles

More in Linux

View all →

Discussion