How to Set Up Automatic Kernel Updates on Linux

Applying security updates to the Linux kernel is a straightforward process that can be done using package managers such as apt or dnf. However, when you manage hundreds or thousands of servers running different Linux distributions, this method becomes challenging and time-consuming.
Manually updating the kernel requires rebooting the system. This results in downtime, which can be problematic, so reboots are usually scheduled to occur at specific intervals. Because manual patching happens during these cycles, it leaves a time window in which an unpatched server can be attacked.
For organizations that run more than a few servers, live patching is a better option. It is an automated way to patch a running Linux kernel without a reboot, which makes it both more efficient and more secure than manual methods.
This article explains how to set up automatic, rebootless kernel updates with Canonical Livepatch on Ubuntu, when simple unattended upgrades are enough, and what to consider on mixed Linux fleets.
Canonical Livepatch
Canonical Livepatch patches the running kernel without rebooting your Ubuntu system. It is part of Ubuntu Pro, which is free for personal use on up to five machines. Larger deployments require a paid Ubuntu Pro subscription.
First, get your Ubuntu Pro token from the Ubuntu Pro dashboard. Then attach the machine to your subscription and enable Livepatch:
sudo pro attach <token>
sudo pro enable livepatch
To check the status of the service, run:
sudo canonical-livepatch status --verbose
The output shows the kernel version, the patch state, and whether the running kernel is fully patched. To turn the service off later, disable it through the Pro client:
sudo pro disable livepatch
Livepatch supports selected Ubuntu kernels, releases, architectures, and kernel variants. Check Canonical’s supported kernel list before relying on it for a production system, especially when you use HWE, cloud, low-latency, or non-x86 kernels.
When Unattended Upgrades Are Enough
Live patching matters most for fleets and servers that cannot afford a reboot. For a single workstation or a server with a maintenance window, you usually do not need it. The unattended-upgrades package installs security updates automatically, including kernel updates, which then take effect on the next reboot. This covers the common case without any subscription. See our guide on setting up automatic updates on Ubuntu for the full setup.
To confirm which kernel is currently running after an update, check the kernel version.
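The check described above can be scripted so that hosts waiting on a reboot stand out. The following is an added example, not part of the original article: it compares the running kernel with the newest kernel installed on disk. The function names are illustrative, and it assumes GNU sort and that each installed kernel has a directory under /lib/modules.

```sh
#!/bin/sh
# Added example, not from the original article. Function names are illustrative.
# Reports whether the running kernel is older than the newest kernel installed
# on disk, i.e. a kernel update is waiting for a reboot.

# Read kernel release strings on stdin, print the highest (needs GNU sort -V).
newest_kernel() {
    sort -V | tail -n 1
}

# List kernel releases that have a module tree on disk.
# Assumption: every installed kernel has a directory under /lib/modules.
installed_kernels() {
    dir=${1:-/lib/modules}
    for d in "$dir"/*/; do
        if [ -d "$d" ]; then basename "$d"; fi
    done
}

# kernel_state RUNNING NEWEST: prints "current" or "reboot-pending".
kernel_state() {
    highest=$(printf '%s\n%s\n' "$1" "$2" | newest_kernel)
    if [ "$highest" = "$1" ]; then
        echo current          # running kernel is the newest (or newer) one
    else
        echo reboot-pending   # a newer kernel is installed but not booted
    fi
}

check_host() {
    running=$(uname -r)
    newest=$(installed_kernels | newest_kernel)
    state=$(kernel_state "$running" "${newest:-$running}")
    # Ubuntu/Debian flag file; set by kernel and other core package updates.
    if [ -e /var/run/reboot-required ]; then flag=yes; else flag=no; fi
    echo "running=$running newest_installed=${newest:-unknown} state=$state reboot_flag=$flag"
    [ "$state" = current ]
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

On a host with Livepatch enabled, a reboot-pending result only means a newer kernel package is on disk; the running kernel may already be patched in memory, which sudo canonical-livepatch status --verbose reports.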
Other Live Patching Options
Canonical Livepatch only works on Ubuntu. For mixed environments, commercial services such as KernelCare (from CloudLinux/TuxCare) patch the running kernel automatically across Ubuntu, Debian, RHEL, and other distributions. These services are licensed products, so install and register them by following the vendor’s official documentation rather than piping a remote script into your shell.
Conclusion
Live patching applies kernel security fixes without a reboot, which removes the downtime and the exposure window that come with manual patching. If you run a single machine, start with unattended upgrades; if you manage a fleet, evaluate Canonical Livepatch or a cross-distribution service that fits your stack.
About the authors

Dejan Panovski
Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.