Tech Expert & Vibe Coder

With 14+ years of experience, I specialize in self-hosting, AI automation, and Vibe Coding – building applications using AI-powered tools like Google Antigravity, Dyad, and Cline. From homelabs to enterprise solutions.

Setting up automated kernel security patching with needrestart and kpatch live patching for Ubuntu 24.04 servers without reboots

Why I Worked on This

I run several Ubuntu 24.04 servers in my Proxmox homelab. These systems handle DNS, automation, monitoring, and other services that need to stay online. Security updates come out constantly, and many require kernel reboots. I wanted to reduce the frequency of planned reboots without ignoring critical patches.

The goal was simple: apply kernel security fixes automatically and only reboot when absolutely necessary. I needed a system that could handle most patches live and tell me clearly when a reboot was unavoidable.

My Real Setup

I have three Ubuntu 24.04 LXC containers and two VMs running on Proxmox. These systems run:

  • Pi-hole for DNS
  • n8n for automation
  • Cronicle for scheduled tasks
  • Uptime Kuma for monitoring
  • A few Docker containers for self-hosted services

All of these need consistent uptime. I update packages weekly using unattended-upgrades, but kernel patches always meant scheduling downtime or accepting the risk of running outdated kernels.

What I Started With

Ubuntu ships with needrestart by default. It detects which services need restarting after updates and can identify when a kernel reboot is required. I was already using it manually after apt upgrade runs.

For live patching, Ubuntu offers Canonical Livepatch, but it requires Ubuntu Pro. I didn't want to deal with subscriptions for my homelab. I looked into kpatch because I knew it worked on RHEL systems, but it's not officially supported on Ubuntu.

What Worked

Automating needrestart

I configured needrestart to run automatically after unattended upgrades. This tells me which services need restarting and whether a kernel reboot is required.

First, I edited /etc/needrestart/needrestart.conf:

$nrconf{restart} = 'a';
$nrconf{kernelhints} = 1;

In needrestart.conf, restart takes one of three values: 'l' (list only), 'i' (interactive, the default) or 'a' (automatic). 'a' is the one that matters here, because when needrestart is started without a terminal, as it is from an apt hook during an unattended-upgrades run, interactive mode silently falls back to list-only mode and nothing is restarted. kernelhints controls whether needrestart reports that the running kernel is older than the newest installed one; setting it to 1 keeps that report on. Note that needrestart can only report a pending kernel change, it cannot apply it.

Then I created a post-upgrade hook at /etc/apt/apt.conf.d/99needrestart:

DPkg::Post-Invoke {"if [ -x /usr/sbin/needrestart ]; then /usr/sbin/needrestart -r a; fi";};

Now every time unattended-upgrades runs dpkg, the hook fires and needrestart restarts the services it can. Two things to check: the needrestart package already ships its own /etc/apt/apt.conf.d/99needrestart, so writing this file replaces the packaged hook rather than adding to it; and when a kernel update requires a reboot, needrestart only logs that fact (and the kernel package drops /run/reboot-required), the reboot itself is still yours to schedule.

Monitoring Reboot Requirements

I wrote a simple script that checks if a reboot is needed and sends a notification to my n8n webhook:

#!/bin/bash
set -euo pipefail
# /run/reboot-required is created by packages that need a reboot (kernel,
# libc and a few others); /var/run is a symlink to /run on Ubuntu 24.04.
if [ -f /run/reboot-required ]; then
  # One package per line; flatten to a single line so the JSON body stays
  # valid, and tolerate the .pkgs file being absent.
  REASON=$(tr '\n' ' ' < /run/reboot-required.pkgs 2>/dev/null || true)
  curl -fsS -X POST https://n8n.mydomain.com/webhook/reboot-alert \
    -H "Content-Type: application/json" \
    -d "{\"host\":\"$(hostname)\",\"reason\":\"${REASON% }\"}"
fi

I run this via cron daily at 6 AM. When a reboot is needed, I get a notification in my monitoring dashboard. This gives me visibility without constant manual checking.
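A fuller version of that check, added here as an example and not part of the original post: instead of only looking at the flag file, it parses the batch output of needrestart -b (the NEEDRESTART-KCUR, KEXP, KSTA and SVC lines), decides whether the kernel state warrants a reboot, and builds the webhook payload with proper JSON escaping so multi-line package or service lists cannot break the body. The function names, the REBOOT_WEBHOOK variable, the --send flag and the sample batch output are assumptions; the flag gates the real curl call so the functions can be exercised offline. One caveat for the LXC containers above: inside a container needrestart sees the Proxmox host's kernel, so a kernel-state alert from one of them is about the host, not the container.

```shell
#!/bin/bash
# Added example (not from the original post): turn `needrestart -b` batch output
# into a reboot decision and a JSON alert payload. Function names, the
# REBOOT_WEBHOOK variable, the --send flag and SAMPLE_BATCH are assumptions.
set -euo pipefail

# Constructed sample of `needrestart -b` output: running kernel older than the
# newest installed one (KSTA 3 = version upgrade pending), two services pending.
SAMPLE_BATCH='NEEDRESTART-VER: 3.6
NEEDRESTART-KCUR: 6.8.0-41-generic
NEEDRESTART-KEXP: 6.8.0-45-generic
NEEDRESTART-KSTA: 3
NEEDRESTART-SVC: cron.service
NEEDRESTART-SVC: docker.service'

# batch_field OUTPUT KEY -> value(s) of the NEEDRESTART-KEY lines, one per line
batch_field() {
  printf '%s\n' "$1" | sed -n "s/^NEEDRESTART-$2: //p"
}

# kernel_state OUTPUT -> current | abi-upgrade | version-upgrade | unknown
# (KSTA: 1 = no pending upgrade, 2 = ABI-compatible upgrade, 3 = version upgrade)
kernel_state() {
  case "$(batch_field "$1" KSTA)" in
    1) echo current ;;
    2) echo abi-upgrade ;;
    3) echo version-upgrade ;;
    *) echo unknown ;;
  esac
}

# reboot_needed OUTPUT [FLAGFILE] -> exit 0 when a kernel reboot is warranted,
# either from needrestart's kernel state or from the reboot-required flag file
reboot_needed() {
  case "$(kernel_state "$1")" in
    abi-upgrade|version-upgrade) return 0 ;;
  esac
  [ -f "${2:-/run/reboot-required}" ]
}

# json_escape STRING -> escape backslash, double quote, newline and tab
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\t'/\\t}
  printf '%s' "$s"
}

# build_payload HOST OUTPUT -> JSON body for the webhook
build_payload() {
  local host=$1 out=$2 svcs="" s
  while IFS= read -r s; do
    [ -n "$s" ] || continue
    svcs="${svcs:+$svcs,}\"$(json_escape "$s")\""
  done <<< "$(batch_field "$out" SVC)"
  printf '{"host":"%s","kernel_running":"%s","kernel_expected":"%s","kernel_state":"%s","services":[%s]}' \
    "$(json_escape "$host")" \
    "$(json_escape "$(batch_field "$out" KCUR)")" \
    "$(json_escape "$(batch_field "$out" KEXP)")" \
    "$(kernel_state "$out")" "$svcs"
}

# Real run (from root's cron): ./reboot-check.sh --send
# Batch mode only reports; it does not restart anything itself.
if [ "${1:-}" = "--send" ]; then
  out=$(needrestart -b 2>/dev/null || true)
  if reboot_needed "$out"; then
    curl -fsS -X POST "${REBOOT_WEBHOOK:-https://n8n.mydomain.com/webhook/reboot-alert}" \
      -H 'Content-Type: application/json' \
      --data-binary "$(build_payload "$(hostname)" "$out")"
  fi
fi
```

The payload carries both kernel versions and the pending service list, so the n8n side can tell a "reboot when convenient" ABI-compatible update from a version upgrade without another SSH round trip.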

What I Learned About kpatch on Ubuntu

I tried installing kpatch on one test VM. The upstream kpatch tools exist, but Ubuntu doesn't provide pre-built kernel patch modules like RHEL does. You have to build patches yourself from kernel source diffs.

I built one test patch for a specific CVE. The process involved:

  • Installing kernel headers and build tools
  • Downloading the kernel source for my exact version
  • Creating a patch file from the security fix
  • Using kpatch-build to generate a kernel module
  • Loading it with kpatch load

It worked, but it's not sustainable for a homelab. Every kernel update means rebuilding patches manually. There's no automated delivery system like RHEL's subscription model.

I decided this wasn't practical for my setup. The effort required outweighed the benefit for systems I can reboot during low-traffic windows.

What Didn't Work

Canonical Livepatch Without Ubuntu Pro

Canonical's livepatch service is the official solution, but it requires an Ubuntu Pro subscription. The free tier exists but has limits that didn't fit my use case. I didn't want to manage subscriptions for homelab servers.

Automatic Reboots

I briefly enabled automatic reboots through unattended-upgrades by setting:

// in /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

This caused problems. One reboot happened while I was running a long-running n8n workflow. The system came back up fine, but the workflow failed mid-execution. I removed this setting immediately.

Automatic reboots only make sense if you have proper orchestration and can handle interrupted workloads. I don't have that level of automation in my homelab.

kpatch Maintenance Overhead

Building kpatch modules manually for every security update isn't realistic. I spent about four hours getting one patch working. Multiply that by every kernel CVE, and it's not worth it.

The value proposition of live patching only works when someone else maintains the patches. On Ubuntu, that someone is Canonical, and they gate it behind Ubuntu Pro.

Current Approach

I settled on a hybrid system:

  • Unattended-upgrades runs weekly
  • needrestart automatically restarts services
  • A monitoring script alerts me when a kernel reboot is required
  • I schedule reboots manually during low-usage periods

This gives me automatic security patching for most updates while keeping control over when reboots happen. I typically reboot servers once every 2-3 weeks during weekend mornings when traffic is minimal.

Key Takeaways

Live kernel patching on Ubuntu without Ubuntu Pro is not practical for homelab use. The tooling exists, but the maintenance burden is too high.

Automating needrestart eliminated most of the manual work after updates. Services restart automatically, and I only intervene for kernel reboots.

Monitoring reboot requirements through automated alerts works better than automatic reboots. I know when action is needed without risking interrupted workloads.

For a homelab, scheduled reboots every few weeks are acceptable. The complexity of live patching doesn't justify the effort when I can plan downtime during low-traffic windows.

If I were managing production systems at scale, Ubuntu Pro with Canonical Livepatch would be worth it. For my setup, manual reboot scheduling with automated monitoring is the right balance.