Unexpected warning message:- *** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***

Bug #2028377 reported by David Fletcher
This bug affects 21 people
Affects: Canonical Livepatch Client
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

As requested I have run the `ubuntu-bug linux` command and included the output as an attachment.

Now, in my words:-

Some months ago I used the `sudo pro attach` command on my mail/file/etc server. All has been well until a few days ago when I started getting this warning when logging in over ssh (it's a headless server):-

*** Livepatch has fixed kernel vulnerabilities. System restart
recommended on the closest maintenance window ***

however the system is apparently fully up to date, but this warning keeps on popping up every time I log in even though the system has been, repeatedly, restarted.

I asked about this on the ubuntu-users list yesterday see:-
https://lists.ubuntu.com/archives/ubuntu-users/2023-July/310868.html

Bo Berglund has also had the same problem see:-
https://lists.ubuntu.com/archives/ubuntu-users/2023-April/310068.html

I tried doing a search for similar bugs but found nothing. Also could not find any mention of Bo Berglund here. I'm only a very occasional user of launchpad so there is the possibility that my search terms didn't work.

However, I've done my best to report the unexpected warning.

Finally, here is the full login screen text in case it's of any use to you:-
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-153-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  System information as of Fri 21 Jul 2023 02:55:02 PM BST

  System load: 1.02 Processes: 201
  Usage of /: 43.8% of 1.79TB Users logged in: 1
  Memory usage: 12% IPv4 address for enp2s0: 192.168.2.2
  Swap usage: 0% IPv6 address for enp2s0: 2a02:8010:6a21::2
  Temperature: 37.0 C

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is enabled.

0 updates can be applied immediately.

New release '22.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***

Last login: Fri Jul 21 14:05:47 2023 from 2a02:8010:6a21::66

Paul White (paulw2u)
affects: ubuntu → canonical-livepatch-client
tags: added: focal

Kian Parvin (kian-parvin) wrote :

Hi, thanks for the report. Can you share the output of `canonical-livepatch status`? The message you're seeing is based on a motd script from /etc/update-motd.d/99-livepatch-kernel-upgrade-required

Could you also run and provide the output of
`canonical-livepatch kernel-upgrade-required` and then `echo $?`

David Fletcher (flightmaker) wrote :

administrator@ServerIV:~$ canonical-livepatch status
last check: 1 hour ago
kernel: 5.4.0-153.170-generic
server check-in: succeeded
kernel state: ✓ kernel is supported by Canonical until 2024-07-16
patch state: ✓ all applicable livepatch modules inserted
patch version: 96.2
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 0cec8555fb9248f7a0013ddd8e256b11
administrator@ServerIV:~$ canonical-livepatch kernel-upgrade-required
*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***Kernel upgrade recommended.
administrator@ServerIV:~$ echo $?
1
administrator@ServerIV:~$

Kian Parvin (kian-parvin) wrote :

So the reason you're seeing the message when you login is because there is a livepatch module inserted that is addressing some kernel vulnerabilities, you can see the specific vulnerabilities addressed with `canonical-livepatch status --verbose`. Note that because patches are cumulative you'll see vulnerabilities that were addressed years ago too (these are already addressed by the base kernel).

Now the tricky part here is the messaging, normally a kernel release doesn't immediately need livepatches and if you have unattended-upgrades setup and you reboot regularly, you'll always be on a recent release that doesn't require livepatches and you wouldn't see the message. In this case however it seems that there is a livepatch available for a kernel release where there is no newer kernel to upgrade to, so you're left with the confusing message that you should upgrade, even though there is nothing to upgrade to (afaik).

I will bring this up internally to verify my assumptions and figure out how we can clear up the messaging. Thanks for the report, and as a note, the messaging in this case is benign as you're on the latest kernel already and Livepatch is being overly cautious by telling you to update. Hope that all made sense, open to any suggestions and clarifications you might have.

Changed in canonical-livepatch-client:
status: New → Triaged
importance: Undecided → Medium

Edgard Freitas Junior (edgardfj) wrote :

I'm also having the same problem:

edgardfj@per450:~$ canonical-livepatch status
last check: 6 minutes ago
kernel: 5.4.0-153.170-generic
server check-in: succeeded
kernel state: ✓ kernel is supported by Canonical until 2024-07-16
patch state: ✓ all applicable livepatch modules inserted
patch version: 96.2
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 9b3c8681d3414fa4b044a00d94514c60

edgardfj@per450:~$ canonical-livepatch kernel-upgrade-required
*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***Kernel upgrade recommended.

edgardfj@per450:~$ echo $?
1

Acon Cheng (acon) wrote :

I have exactly the same problem here. Get that message every time I log into my Ubuntu 20.04 LTS server even though the system is up to date and rebooted several times.

`canonical-livepatch kernel-upgrade-required` and `echo $?` output are precisely the same as the above users too.

David Fletcher (flightmaker) wrote :

Hi,

I just received a kernel update, rebooted my server and the suspect warning message is gone.

Was that you, Kian?

I've asked the others on the Ubuntu list to check.

Thanks

Acon Cheng (acon) wrote :

Same here. Just got the updates installed and rebooted my server and the warning message is gone now.

Cheers.

Kian Parvin (kian-parvin) wrote :

Hi all,

Glad the issue is resolved, I can't claim I did anything, since a new kernel revision was released that is what fixed the warning. But I can confirm the issue was because a recently released kernel had Livepatches released and since there was no newer kernel to update to, the message kept popping up. So it is a somewhat rare scenario but one that can happen again currently.

We will look at improving the wording of the messaging for a start and then possibly improve the logic to identify if there is a newer kernel available.

Edgard Freitas Junior (edgardfj) wrote :

The problem persists here even after updating:

Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-153-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  System information as of Tue 25 Jul 2023 07:25:29 AM -03

  System load: 0.0
  Usage of /: 72.8% of 2.15TB
  Memory usage: 15%
  Swap usage: 0%
  Temperature: 68.0 C
  Processes: 409
  Users logged in: 0
  IPv4 address for eno8303: 10.150.6.114
  IPv4 address for idrac: 169.254.1.2
  IPv6 address for idrac: fde1:53ba:e9a0:de11:a457:ff2a:855d:a401
  IPv6 address for idrac: fde1:53ba:e9a0:de11:5b6:35d3:c4dc:1307
  IPv6 address for idrac: fde1:53ba:e9a0:de11:d28e:79ff:fecc:e99d

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is enabled.

0 updates can be applied immediately.

*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***

Last login: Mon Jul 24 09:04:41 2023 from 177.55.228.251
edgardfj@per450:~$ sudo apt-get update
[sudo] password for edgardfj:
Ign:1 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 InRelease
Hit:2 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 Release
Hit:3 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:5 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:6 https://esm.ubuntu.com/apps/ubuntu focal-apps-security InRelease [7.568 B]
Get:7 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Get:8 https://esm.ubuntu.com/apps/ubuntu focal-apps-updates InRelease [7.459 B]
Get:9 http://us.archive.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:10 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease [7.453 B]
Get:11 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease [7.452 B]
Fetched 366 kB in 2s (236 kB/s)
Reading package lists... Done
edgardfj@per450:~$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
edgardfj@per450:~$ exit
logout
=======================================================================================

Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-153-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  System information as of Tue 25 Jul 2023 07:26:25 AM -03

  System load: 0.0
  Usage of /: 72.8% of 2.15TB
  Memory usage: 15%
  Swap usage: 0%
  Temperature: 70.0 C
  Processes: 420
  Users logged in: 0
  IPv4 address for eno8303: 10.150.6.114
  IP...


Kian Parvin (kian-parvin) wrote :

Hi @edgardfj,

Can you run `canonical-livepatch status` and share the output? Not super necessary as I'm looking for your kernel revision and I see it's on 5.4.0-153

Looking at https://launchpad.net/ubuntu/+source/linux one can see that the latest Linux image in the updates/security pocket for Focal is "5.4.0-155.172". So it's likely that the users reporting the issue as resolved will have a kernel version that matches this. As for why your machine isn't seeing that update, I'm not 100% sure. It could be due to some phased roll-out of apt packages but could be something else.

Edgard Freitas Junior (edgardfj) wrote :

Hi Kian,

Follows what you have requested:

Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-153-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  System information as of Wed 26 Jul 2023 10:00:13 AM -03

  System load: 0.39
  Usage of /: 72.8% of 2.15TB
  Memory usage: 17%
  Swap usage: 0%
  Temperature: 73.0 C
  Processes: 424
  Users logged in: 0
  IPv4 address for eno8303: 10.150.6.114
  IPv4 address for idrac: 169.254.1.2
  IPv6 address for idrac: fde1:53ba:e9a0:de11:ccfa:5080:b150:ecd0
  IPv6 address for idrac: fde1:53ba:e9a0:de11:1cd5:363e:64c5:16ba
  IPv6 address for idrac: fde1:53ba:e9a0:de11:a457:ff2a:855d:a401
  IPv6 address for idrac: fde1:53ba:e9a0:de11:5b6:35d3:c4dc:1307
  IPv6 address for idrac: fde1:53ba:e9a0:de11:d28e:79ff:fecc:e99d

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is enabled.

0 updates can be applied immediately.

New release '22.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***

Last login: Wed Jul 26 09:58:08 2023 from 177.55.228.206
edgardfj@per450:~$ canonical-livepatch status
last check: 18 minutes ago
kernel: 5.4.0-153.170-generic
server check-in: succeeded
kernel state: ✓ kernel is supported by Canonical until 2024-07-16
patch state: ✓ all applicable livepatch modules inserted
patch version: 96.2
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 9b3c8681d3414fa4b044a00d94514c60

Nicholas Kulkarni (nickdageek) wrote :

Can confirm I am having this problem on three 20.04.6 LTS based virtual machines with Expanded Security Maintenance for Applications enabled.

apt update followed by apt upgrade and reboot does not solve the issue.
output of canonical-livepatch status --verbose says kernel is 5.4.0-177.197-generic and that kernel is supported, all applicable livepatch modules inserted on patch version 103.3

clearly has not been resolved and we are nearly a year after the last report. Any updates please?

Kian Parvin (kian-parvin) wrote :

Hi Nicholas,

Apologies for not updating the bug report, this issue was resolved. The root cause I've copied below. I will check if the same issue has resurfaced and either re-open the issue or ask for a new bug report if it seems unlikely to be the same problem.

"But I can confirm the issue was because a recently released kernel had Livepatches released and since there was no newer kernel to update to, the message kept popping up. So it is a somewhat rare scenario but one that can happen again currently."

For some context on the above, regular kernel deb updates that can be installed via apt are released prior to the roll-out of Livepatch patches. In a rare scenario where a Livepatch is released first instead, then users may run into this issue but this isn't the intended behavior. It's also possible however that the deb updates are held back for some reason, off the top of my head phased updates are one reason for that (https://wiki.ubuntu.com/PhasedUpdates).

Changed in canonical-livepatch-client:
status: Triaged → Invalid

Nicholas Kulkarni (nickdageek) wrote :

Hi Kian, thanks for the update, how will I know the result of your investigation? I am a little confused as to the status change, i.e. Invalid, when I am still getting the problem. Please forgive my ignorance, still a bit of a noob on this and struggling to make sure our Ubuntu VMs are not a security hole in our IT infrastructure.

Kian Parvin (kian-parvin) wrote :

I will reply here with further details, likely tomorrow.

I've marked the bug as invalid as that was the original conclusion, if there is a bug here I will update the status. You should be subscribed to the bug and will receive an email when it is updated.

David Koch (dkoch1194) wrote :

I have the same issue. Received the message today, did all updates, restarted, but it is still there.

last check: 6 minutes ago
kernel: 5.15.0-105.115-generic
server check-in: succeeded
kernel state: ✓ kernel series 5.15 is covered by Livepatch
patch state: ✓ all applicable livepatch modules inserted
patch version: 103.3
tier: updates (Free usage; This machine beta tests new patches.)
machine id: b1abb77dafc6446f91b53dec65e1157d
client version: 10.8.2
architecture: amd64
cpu model: AMD EPYC 7543 32-Core Processor
boot time: 7 minutes ago
fixes:
  * cve-2024-26597
    LP bug:

sudo apt update && sudo apt upgrade -y
Hit:1 https://download.docker.com/linux/ubuntu jammy InRelease
Hit:2 http://security.ubuntu.com/ubuntu jammy-security InRelease
Hit:3 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security InRelease
Hit:4 https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates InRelease
Hit:5 https://esm.ubuntu.com/infra/ubuntu jammy-infra-security InRelease
Hit:6 http://archive.ubuntu.com/ubuntu jammy InRelease
Hit:7 https://esm.ubuntu.com/infra/ubuntu jammy-infra-updates InRelease
Hit:8 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:9 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Dominic Raferd (dominic-timedicer) wrote :

I have exactly the same issue as previous poster.

Erik Hoffmann (hbubli) wrote :

Same issue here:

root@hosting:/etc/update-motd.d# /snap/bin/canonical-livepatch kernel-upgrade-required
*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***Kernel upgrade recommended.

Zoran Mostarlic (zmostarlic) wrote :

Same Issue here also on a:

Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-105-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/pro

  System information as of Thu May 2 06:57:41 AM CEST 2024

  System load: 0.12158203125
  Usage of /: 21.6% of 97.87GB
  Memory usage: 11%
  Swap usage: 0%
  Temperature: 52.0 C
  Processes: 237
  Users logged in: 0
  IPv4 address for br-39dca69741e7: 172.18.0.1
  IPv4 address for docker0: 172.17.0.1
  IPv4 address for enp0s31f6: 192.168.0.200

Expanded Security Maintenance for Applications is enabled.

0 updates can be applied immediately.

*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***

zoran@unifisrv:~$ canonical-livepatch status
last check: 10 minutes ago
kernel: 5.15.0-105.115-generic
server check-in: succeeded
kernel state: ✓ kernel series 5.15 is covered by Livepatch
patch state: ✓ all applicable livepatch modules inserted
patch version: 103.3
tier: updates (Free usage; This machine beta tests new patches.)
machine id: a6584a6e6c6b45bea93869b2060f495b

 sudo canonical-livepatch kernel-upgrade-required
*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***Kernel upgrade recommended.

zoran@unifisrv:~$ echo $?
1

Zoran Mostarlic (zmostarlic) wrote :

As my server is non-critical I have disabled LivePatch.

*** Check the Status ***
sudo pro status

*** Disable LivePatch ***
sudo pro disable livepatch

*** Check Status Again ***
sudo pro status

Logout, log back in and the *** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window *** warning is gone!

Kian Parvin (kian-parvin) wrote :

Hi all, apologies for the delay.

After some conversations with our kernel team I can offer an explanation to why you are seeing the above message even after an update and reboot. I'd like to start by saying there is no security issue, if you are regularly applying updates you are running the most up-to-date/secure kernel and Livepatch allows you to delay reboots by applying fixes to critical/high vulnerabilities to your running kernel.

The issue is a result of an uncommon scenario where we've built a patch on top of the most recently released kernel due to the kernel having a speedier release cadence than usual. I've left out some finer details but ultimately this has a lot to do with our internal processes so I can appreciate that it doesn't help much without a better understanding of our internal machinery.

Normally a Livepatch is only released *after* a new kernel is released to the Ubuntu repos, the original bug report was a result of a mistake where we released the Livepatch first. In this week's version of events, the kernel was released on a different schedule and we've bumped into a similar scenario where the messaging is causing some confusion. I'll be leaving the bug status as invalid as there is nothing to fix on the Livepatch client side except for a possible tweak to the message.

I'd like to ask for some feedback in this case, is there any alternative messaging you would like to see? Some options I can think of are below.

The current message - "*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***"

1. A tweaked version - *** Livepatch has fixed kernel vulnerabilities. Upgrade and reboot in the closest maintenance window. If a new kernel is not available this message can be ignored.***
2. A shorter message - *** Livepatch has fixed kernel vulnerabilities. ***
3. No message

Scott Thompson (vmsman-r) wrote :

I would assume by both #1 & #2, that if I did a reboot, that the message should be cleared. If not, then a "apt dist-upgrade" and a reboot should clear the message and that does not. So, I am left with #3 as the only choice if I have rebooted after the livepatch. Unfortunately, I am still getting the message "*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***" and I have rebooted the server.

Zoran Mostarlic (zmostarlic) wrote :

I agree with Scott Thompson, the message should be cleared after a reboot somehow.
The only way now to clear the message is to disable LivePatch.

description: updated

Henrik Hessel (hhessel) wrote :

I agree with both previous posters but #1 the tweaked version should be much clearer if for some reasons the message cannot be cleared.

James E Mangrum IV (james-mangrum) wrote :

#2 or #3. As a bit of a novice I performed multiple troubleshooting steps before realizing there was nothing to fix. (Reboots & reinstalling livepatch)

Mauro Mozzarelli (ezplanet1) wrote :

This bug started affecting also my servers that are up to date to the very latest patches:
Linux grecale 5.15.0-105-generic #115-Ubuntu SMP Mon Apr 15 09:52:04 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

motd and livepatch outputs are the same as in post #2

Zoran Mostarlic (zmostarlic) wrote :

Will this "FEATURE" be resolved with the next Kernel-Updates?

John Sacramoni (flatbed8337) wrote :

I've also been seeing the reboot message the past few days on Ubuntu Server 20.04 even after rebooting.

My vote would be for:

"2. A shorter message - *** Livepatch has fixed kernel vulnerabilities. ***"

because I think it would be nice to know that the current running kernel has been patched but a full kernel update is not available yet.

pwd pwd (pwd567) wrote :

Will this "FEATURE" be resolved with the next Kernel-Updates?

It would be nice if a developer could answer this... :/

McPeter (mcpeter) wrote :

"1. A tweaked version - *** Livepatch has fixed kernel vulnerabilities. Upgrade and reboot in the closest maintenance window. If a new kernel is not available this message can be ignored.***"

+1

Kian Parvin (kian-parvin) wrote :

Thank you all for the feedback. We'll work on tweaking the messaging soon and update our documentation to add a page explaining this topic.

As for the question raised,
> Will this "FEATURE" be resolved with the next Kernel-Updates?

The message should disappear once the next kernel update is made available. I will confirm this with our kernel developers but I don't foresee any reason why this wouldn't be the case.

Zoran Mostarlic (zmostarlic) wrote :

Hooray: I'm not getting the *** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window *** message anymore.

sudo canonical-livepatch status --verbose
last check: 19 minutes ago
kernel: 5.15.0-106.116-generic
server check-in: succeeded
kernel state: ✓ kernel series 5.15 is covered by Livepatch
patch state: ✓ no livepatches available for kernel 5.15.0-106.116-generic
tier: updates (Free usage; This machine beta tests new patches.)
machine id: a6584a6e6c6b45bea93869b2060f495b
client version: 10.8.2
architecture: amd64
cpu model: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
boot time: 1 day ago

What has changed? Has the FEATURE been resolved?

Kian Parvin (kian-parvin) wrote :

@zmostarlic

The message has disappeared on your machine since a new kernel update was released (5.15.0-106.116-generic) and you have upgraded. There is no Livepatch available for this kernel currently. We are adding some improved logic to the messaging that will arrive in a future update to the Livepatch client.

Zoran Mostarlic (zmostarlic) wrote :

And it is broken again.

I got today the message:
*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***

I have rebooted my homelab-server, but alas the message reappears after a reboot.

zoran@unifisrv:~$ sudo canonical-livepatch kernel-upgrade-required
*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***Kernel upgrade recommended.
zoran@unifisrv:~$ echo $?
1

zoran@unifisrv:~$ sudo canonical-livepatch status
last check: 4 minutes ago
kernel: 5.15.0-107.117-generic
server check-in: succeeded
kernel state: ✓ kernel series 5.15 is covered by Livepatch
patch state: ✓ all applicable livepatch modules inserted
patch version: 104.1
tier: updates (Free usage; This machine beta tests new patches.)
machine id: a6584a6e6c6b45bea93869b2060f495b

If you need more info please let me know!

Regards

Z

Kian Parvin (kian-parvin) wrote :

Hi Zoran,

I can confirm the same scenario as last time has come up, basically a patch was released for a kernel while the newer kernel is not yet available for install.

A few things that might help,
- The messaging changes are done and should be released this week. That will change the messaging to only suggest a reboot if the /var/run/reboot-required file exists, if not, the message will mention "If there is a new kernel available, upgrade and reboot".
- Since you are on the free tier of Livepatch, you get patches first, the paid tier will get patches at a later date. This is described in a bit more detail here https://ubuntu.com/security/livepatch/docs/livepatch/explanation/what_are_livepatch_tiers. It's not much of a solution but it's helpful to understand why some users might face this scenario and others don't.
- Our kernel team is working on updating some automation so that patches don't release in this fashion.
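
The rule described in the comment above (suggest a reboot only when /var/run/reboot-required exists), extended with a check for a newer kernel already on disk, as an added shell example that is not part of the thread and not the Livepatch client's or Canonical's own code. The function names, the `--live` flag, the three result labels, reading installed kernels from /boot/vmlinuz-*, and treating exit status 0 as "no notice" are assumptions.

```shell
#!/bin/sh
# Added example, not Canonical's motd script or Livepatch client code.
# Classifies the Livepatch login notice: a reboot only clears it when a newer
# kernel is already on disk or the reboot-required marker exists.

# Print the highest kernel release among the arguments. Uses GNU `sort -V`
# because a plain lexical sort would rank 5.4.0-99 above 5.4.0-153.
# Assumes every release has the same flavour suffix (e.g. "-generic").
newest_kernel() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# classify_notice RC RUNNING FLAG_FILE INSTALLED...
#   RC         exit status of `canonical-livepatch kernel-upgrade-required`
#              (1 accompanies the notice in the thread; 0 meaning "no notice"
#              is an assumption)
#   RUNNING    kernel release as printed by `uname -r`
#   FLAG_FILE  path of the reboot-required marker
#   INSTALLED  kernel releases present on disk
# Prints one of: quiet | reboot | no-newer-kernel
# The body runs in a subshell so its variables do not leak to the caller.
classify_notice() (
    rc=$1; running=$2; flag=$3
    shift 3
    if [ "$rc" -eq 0 ]; then
        echo quiet
    elif [ -e "$flag" ] || [ "$(newest_kernel "$running" "$@")" != "$running" ]; then
        echo reboot
    else
        echo no-newer-kernel
    fi
)

# Constructed sample mirroring the reports in the thread: notice shown (rc 1),
# running 5.4.0-153-generic, nothing newer on disk, no reboot marker.
thread_scenario() {
    classify_notice 1 5.4.0-153-generic /nonexistent/reboot-required \
        5.4.0-153-generic
}

# Live check, run only with --live on a machine that has the Livepatch client.
if [ "${1:-}" = "--live" ]; then
    command -v canonical-livepatch >/dev/null 2>&1 || {
        echo "canonical-livepatch not found" >&2
        exit 2
    }
    rc=0
    canonical-livepatch kernel-upgrade-required >/dev/null 2>&1 || rc=$?
    # Installed kernels, taken from the image files in /boot (assumption).
    installed=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's|^/boot/vmlinuz-||')
    # $installed is left unquoted on purpose so each release is one argument.
    case $(classify_notice "$rc" "$(uname -r)" /var/run/reboot-required $installed) in
        quiet)
            echo "No Livepatch notice expected." ;;
        reboot)
            echo "Newer kernel installed or reboot flagged: reboot to clear the notice." ;;
        no-newer-kernel)
            echo "Running the newest installed kernel: check apt for a new kernel; a reboot alone will not clear the notice." ;;
    esac
fi
```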

Andreas Ehn (ehn) wrote :

I'm also seeing this issue on a couple of machines. If possible, a better fix would only show the message when applicable, ie when a new kernel is available and when a reboot would fix the issue (and make the message disappear). Not otherwise.

It doesn't seem like good practice to teach users to ignore security messages, nor to make people reboot their systems or try to upgrade needlessly.

Zoran Mostarlic (zmostarlic) wrote :

@Kian Parvin

I do not mind being a guinea pig, and I'm absolutely aware that I'm on the Free Tier, solving matters for the paid Tier.

As Andreas stated: "It doesn't seem like good practice to teach users to ignore security messages, nor to make people reboot their systems or try to upgrade needlessly."

I would rather see a solution that the message does NOT appear after a reboot!
