Unexpected warning message:- *** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***

Hi, thanks for the report. Can you share the output of `canonical-livepatch status`? The message you're seeing is based on a motd script from /etc/update-motd.d/99-livepatch-kernel-upgrade-required

Could you also run and provide the output of
`canonical-livepatch kernel-upgrade-required` and then `echo $?`

administrator@ServerIV:~$ canonical-livepatch status
last check: 1 hour ago
kernel: 5.4.0-153.170-generic
server check-in: succeeded
kernel state: ✓ kernel is supported by Canonical until 2024-07-16
patch state: ✓ all applicable livepatch modules inserted
patch version: 96.2
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 0cec8555fb9248f7a0013ddd8e256b11
administrator@ServerIV:~$ canonical-livepatch kernel-upgrade-required
*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***Kernel upgrade recommended.
administrator@ServerIV:~$ echo $?
1
administrator@ServerIV:~$

So the reason you're seeing the message when you login is because there is a livepatch module inserted that is addressing some kernel vulnerabilities, you can see the specific vulnerabilities addressed with `canonical-livepatch status --verbose`. Note that because patches are cumulative you'll see vulnerabilities that were addressed years ago too (these are already addressed by the base kernel).

Now the tricky part here is the messaging, normally a kernel release doesn't immediately need livepatches and if you have unattended-upgrades setup and you reboot regularly, you'll always be on a recent release that doesn't require livepatches and you wouldn't see the message. In this case however it seems that there is a livepatch available for a kernel release where there is no newer kernel to upgrade to, so you're left with the confusing message that you should upgrade, even though there is nothing to upgrade to (afaik).

I will bring this up internally to verify my assumptions and figure out how we can clear up the messaging. Thanks for the report, and as a note, the messaging in this case is benign as you're on the latest kernel already and Livepatch is being overly cautious by telling you to update. Hope that all made sense, open to any suggestions and clarifications you might have.

I'm also having the same problem:

edgardfj@per450:~$ canonical-livepatch status
last check: 6 minutes ago
kernel: 5.4.0-153.170-generic
server check-in: succeeded
kernel state: ✓ kernel is supported by Canonical until 2024-07-16
patch state: ✓ all applicable livepatch modules inserted
patch version: 96.2
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 9b3c8681d3414fa4b044a00d94514c60

edgardfj@per450:~$ canonical-livepatch kernel-upgrade-required
*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***Kernel upgrade recommended.

edgardfj@per450:~$ echo $?
1

I have exactly the same problem here. Get that message every time I log into my Ubuntu 20.04 LTS server even though the system is up to date and rebooted several times.

`canonical-livepatch kernel-upgrade-required` and `echo $?` output are precisely the same as the above users too.

Hi,

I just received a kernel update, rebooted my server and the suspect warning message is gone.

Was that you, Kian?

I've asked the others on the Ubuntu list to check.

Thanks

Same here. Just got the updates installed and rebooted my server and the warning message is gone now.

Cheers.

Hi all,

Glad the issue is resolved, I can't claim I did anything, since a new kernel revision was released that is what fixed the warning. But I can confirm the issue was because a recently released kernel had Livepatches released and since there was no newer kernel to update to, the message kept popping up. So it is a somewhat rare scenario but one that can happen again currently.

We will look at improving the wording of the messaging for a start and then possibly improve the logic to identify if there is a newer kernel available.

The problem persits here even after updating:

Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-153-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  System information as of Tue 25 Jul 2023 07:25:29 AM -03

  System load: 0.0
  Usage of /: 72.8% of 2.15TB
  Memory usage: 15%
  Swap usage: 0%
  Temperature: 68.0 C
  Processes: 409
  Users logged in: 0
  IPv4 address for eno8303: 10.150.6.114
  IPv4 address for idrac: 169.254.1.2
  IPv6 address for idrac: fde1:53ba:e9a0:de11:a457:ff2a:855d:a401
  IPv6 address for idrac: fde1:53ba:e9a0:de11:5b6:35d3:c4dc:1307
  IPv6 address for idrac: fde1:53ba:e9a0:de11:d28e:79ff:fecc:e99d

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is enabled.

0 updates can be applied immediately.

*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***

Last login: Mon Jul 24 09:04:41 2023 from 177.55.228.251
edgardfj@per450:~$ sudo apt-get update
[sudo] password for edgardfj:
Ign:1 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 InRelease
Hit:2 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 Release
Hit:3 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:5 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:6 https://esm.ubuntu.com/apps/ubuntu focal-apps-security InRelease [7.568 B]
Get:7 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Get:8 https://esm.ubuntu.com/apps/ubuntu focal-apps-updates InRelease [7.459 B]
Get:9 http://us.archive.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:10 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease [7.453 B]
Get:11 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease [7.452 B]
Fetched 366 kB in 2s (236 kB/s)
Reading package lists... Done
edgardfj@per450:~$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
edgardfj@per450:~$ exit
logout
=======================================================================================

Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-153-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  System information as of Tue 25 Jul 2023 07:26:25 AM -03

  System load: 0.0
  Usage of /: 72.8% of 2.15TB
  Memory usage: 15%
  Swap usage: 0%
  Temperature: 70.0 C
  Processes: 420
  Users logged in: 0
  IPv4 address for eno8303: 10.150.6.114
  IP...

Hi @edgardfj,

Can you run `canonical-livepatch status` and share the output? Not super necessary as I'm looking for your kernel revision and I see it's on 5.4.0-153

Looking at https://launchpad.net/ubuntu/+source/linux one can see that the latest Linux image in the updates/security pocket for Focal is "5.4.0-155.172". So it's likely that the users reporting the issue as resolved will have a kernel version that matches this. As for why your machine isn't seeing that update, I'm not 100% sure. It could be due to some phased roll-out of apt packages but could be something else.

Hi Kian,

Follows what you have requested:

Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-153-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  System information as of Wed 26 Jul 2023 10:00:13 AM -03

  System load: 0.39
  Usage of /: 72.8% of 2.15TB
  Memory usage: 17%
  Swap usage: 0%
  Temperature: 73.0 C
  Processes: 424
  Users logged in: 0
  IPv4 address for eno8303: 10.150.6.114
  IPv4 address for idrac: 169.254.1.2
  IPv6 address for idrac: fde1:53ba:e9a0:de11:ccfa:5080:b150:ecd0
  IPv6 address for idrac: fde1:53ba:e9a0:de11:1cd5:363e:64c5:16ba
  IPv6 address for idrac: fde1:53ba:e9a0:de11:a457:ff2a:855d:a401
  IPv6 address for idrac: fde1:53ba:e9a0:de11:5b6:35d3:c4dc:1307
  IPv6 address for idrac: fde1:53ba:e9a0:de11:d28e:79ff:fecc:e99d

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is enabled.

0 updates can be applied immediately.

New release '22.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

*** Livepatch has fixed kernel vulnerabilities. System restart recommended on the closest maintenance window ***

Last login: Wed Jul 26 09:58:08 2023 from 177.55.228.206
edgardfj@per450:~$ canonical-livepatch status
last check: 18 minutes ago
kernel: 5.4.0-153.170-generic
server check-in: succeeded
kernel state: ✓ kernel is supported by Canonical until 2024-07-16
patch state: ✓ all applicable livepatch modules inserted
patch version: 96.2
tier: updates (Free usage; This machine beta tests new patches.)
machine id: 9b3c8681d3414fa4b044a00d94514c60