Ubuntu Zero-Downtime Patching: Unattended Upgrades, Livepatch, and USN Tracking
Unpatched Servers Are a When, Not an If
The 2017 WannaCry ransomware exploited EternalBlue — a vulnerability that had been patched for two months before the attack. The machines it hit weren't unpatched because admins were negligent; they were unpatched because rebooting production is friction, and friction leads to drift.
Ubuntu gives you two tools to close this gap: unattended-upgrades for most CVEs (which require a reboot) and Canonical Livepatch for kernel vulnerabilities that don't. Together they cover the majority of critical security fixes with zero planned maintenance windows.
How Ubuntu Security Updates Work
Ubuntu publishes security updates through the <distro>-security pocket. When you run apt upgrade, you're pulling from that pocket along with regular updates. The Ubuntu Security Team publishes advisories as Ubuntu Security Notices (USN) — each USN maps to one or more CVEs and the exact package versions that fix them.
# See which packages have pending security updates right now
apt list --upgradable 2>/dev/null | grep -i security
# Or use the unattended-upgrades dry run
sudo unattended-upgrade --dry-run 2>&1 | grep Packages
Configuring Unattended Upgrades Properly
unattended-upgrades is installed by default on Ubuntu server. The default config applies security updates automatically but the defaults are conservative. Here's a production-ready configuration.
Edit /etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
// Remove the comments below to also apply ESM patches (Pro subscription)
// "${distro_id}ESMApps:${distro_codename}-apps-security";
// "${distro_id}ESM:${distro_codename}-infra-security";
};
// Blacklist packages that should never auto-update
Unattended-Upgrade::Package-Blacklist {
// "linux-image-*"; // Leave kernel updates to Livepatch
// "postgresql-*"; // Database major version updates need planning
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";
// Send email on upgrade or error
Unattended-Upgrade::Mail "[email protected]";
Unattended-Upgrade::MailOnlyOnError "false";
Edit /etc/apt/apt.conf.d/20auto-upgrades to set the schedule:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
The "1" values mean daily. Check the schedule is active:
sudo systemctl status apt-daily.timer apt-daily-upgrade.timer
Canonical Livepatch: Kernel Patches Without Reboots
Livepatch patches the running kernel in memory. Critical kernel CVEs like privilege escalation, container escapes, and local root vulnerabilities get fixed without rebooting — exactly what you want for production hosts.
Livepatch is free for up to 5 machines with a free Ubuntu Pro personal subscription. For larger fleets, Ubuntu Pro covers it (also free for open source projects and personal use up to 5 nodes).
# Step 1: Get an Ubuntu Pro token at ubuntu.com/pro
# Step 2: Attach the subscription
sudo pro attach <your-token>
# Step 3: Enable Livepatch
sudo pro enable livepatch
# Verify it's running
sudo canonical-livepatch status --verbose
Output example:
running: true
kernel: 6.8.0-52-generic #53-Ubuntu
fully-patched: true
version: 110.1
Check what patches have been applied live:
sudo canonical-livepatch status | grep -A5 "patches"
Ubuntu Pro ESM: Extended Security Maintenance
Ubuntu 24.04 LTS is supported until April 2029. With Ubuntu Pro's ESM (Extended Security Maintenance), that extends to 2034. ESM also covers the universe repository packages — the ~30,000 community packages that standard support doesn't cover but that your application likely depends on.
# After attaching Pro, enable ESM
sudo pro enable esm-infra
sudo pro enable esm-apps
# Now check USN coverage
sudo pro security-status
The security-status command shows every installed package, whether it's CVE-free, and which service (standard, esm-infra, esm-apps) covers it.
Monitoring: USN Tracking and CVE Awareness
Don't wait for your package manager to tell you about vulnerabilities. Subscribe to the USN mailing list or check programmatically:
# Check if a specific CVE affects your installed packages
ubuntu-security-status --usn USN-7001-1
# Or use the oval data to check CVEs
sudo apt install oval-xml -y
oval-check --cve CVE-2024-1234
The Ubuntu security tracker at ubuntu.com/security/cves lets you look up any CVE and see its status across all Ubuntu releases.
For fleet-level monitoring, expose /var/lib/apt/lists/* parsing or use apticron:
sudo apt install apticron -y
# Configure /etc/apticron/apticron.conf with your email
# apticron will send daily emails listing pending security updates
Tracking Reboot Requirements
Some security patches require a reboot to take effect. Ubuntu signals this clearly:
# Check if a reboot is required
ls /var/run/reboot-required 2>/dev/null && echo "REBOOT REQUIRED"
# See which packages triggered it
cat /var/run/reboot-required.pkgs 2>/dev/null
In a cron job or monitoring check:
#!/bin/bash
if [ -f /var/run/reboot-required ]; then
echo "Reboot required on $(hostname) for packages:"
cat /var/run/reboot-required.pkgs
fi
Add this to your monitoring pipeline so reboot-required states don't silently accumulate.
The Patching Stack Summary
| Layer | Tool | Covers |
|---|---|---|
| Userspace packages | unattended-upgrades | glibc, openssl, curl, etc. |
| Kernel CVEs | Canonical Livepatch | Privilege escalation, container escapes |
| Universe packages | Ubuntu Pro ESM Apps | Third-party/community packages |
| Reboot signaling | /var/run/reboot-required | Anything requiring restart |
| Visibility | pro security-status | Full fleet CVE inventory |
With this stack running, your Ubuntu servers apply security patches within 24 hours of publication — no maintenance windows, no manual intervention, and kernel vulnerabilities patched without a reboot. The gap between "patch available" and "patch applied" drops from weeks to hours.
Was this article helpful?
Linux Systems Engineer
Everything runs on Linux — I make sure it runs well. From kernel tuning to systemd debugging, I live in the terminal. If your server is misbehaving, I've probably seen that exact dmesg output before.
Related Articles
Rocky Linux 9 Server Hardening: Security Baseline from First Boot
A production security baseline for Rocky Linux 9 — covering SELinux configuration, firewalld rules, SSH hardening, auditd, AIDE integrity checking, and CIS Benchmark compliance checks.
Ubuntu 24.04 LTS Server Setup for Production: From Bare Metal to Hardened Baseline
A complete walkthrough for turning a fresh Ubuntu 24.04 LTS installation into a production-ready server — from initial SSH lockdown to swap configuration and kernel parameter tuning.
Systemd Service Hardening: Sandbox Your Daemons
How to use systemd's built-in sandboxing directives to isolate services, restrict filesystem access, and harden daemons without containers.
Linux Package Management: apt, dnf, and zypper Compared
Install, update, and manage packages across Ubuntu (apt), RHEL (dnf/yum), and SUSE (zypper) — repositories, GPG keys, version pinning, and automation.
Linux User & Group Management: From Root to Least Privilege
Create and manage Linux users and groups, configure sudo access, understand /etc/passwd and /etc/shadow, and implement PAM authentication policies.
Alpine Linux apk Reference: Package Management, Repositories, and System Administration
A complete reference for Alpine Linux's apk package manager — adding packages, managing repositories, pinning versions, building custom packages, and running Alpine as a minimal server OS.
More in Linux
View all →Linux Control Groups (cgroups V2): Limiting CPU And Memory For Production Workloads
If you're running production workloads without cgroup constraints, you're one runaway process away from a bad day. Here's everything you need to configure...
Alpine Linux for Docker: Building Minimal, Secure Container Images
How to use Alpine Linux as a Docker base image effectively — understanding musl libc compatibility, multi-stage builds, layer optimization, and the security trade-offs versus glibc-based distributions.
openSUSE MicroOS and Transactional Updates: Atomic System Updates with Btrfs Snapshots
How openSUSE's transactional-update and Btrfs snapshot integration enables atomic, rollback-safe system updates — and how MicroOS takes this to a fully immutable, container-optimized OS.
openSUSE and SUSE Linux Enterprise: YaST Administration and zypper Package Management
A practical guide to SUSE Linux administration — using YaST for system configuration, zypper for package management, managing repositories, and understanding the differences between openSUSE Leap, Tumbleweed, and SUSE Linux Enterprise.