Enable and Configure The Livepatch Client With Cloud-Init

This guide walks through enabling and configuring the Livepatch client with cloud-init. The client can be set up through cloud-init both for the Canonical-hosted Livepatch server and for an on-prem Livepatch server.

Using The Client With The Hosted Livepatch Server

When using the Livepatch client with the Canonical-hosted Livepatch server (the default configuration), you can use the following template cloud-init module:

#cloud-config
package_update: true
package_upgrade: true
packages:
  - snapd
write_files:
  - path: /etc/livepatch/livepatch.env
    permissions: "0600"
    owner: root:root
    content: |
      export PATCH_DELAY="__PATCH_DELAY__"
      export CUTOFF_DATE="__CUTOFF_DATE__"
      export CA_CERTS="__CA_CERTS__"
      export CHECK_INTERVAL="__CHECK_INTERVAL__"
      export DIAL_TIMEOUT="__DIAL_TIMEOUT__"
      export HTTP_PROXY="__HTTP_PROXY__"
      export HTTPS_PROXY="__HTTPS_PROXY__"
      export LOG_LEVEL="__LOG_LEVEL__"
      export NO_PROXY="__NO_PROXY__"
      export TLS_PATCH_DOWNLOAD="__TLS_PATCH_DOWNLOAD__"
  - path: /etc/livepatch/pro_token
    permissions: "0600"
    owner: root:root
runcmd:
  - |
    set -e
    snap wait system seed.loaded
    # fetch pro token from a vault and redirect into /etc/livepatch/pro_token
  - |
    set -e
    snap install canonical-livepatch
    pro attach "$(cat /etc/livepatch/pro_token)"
    . /etc/livepatch/livepatch.env
    canonical-livepatch config \
      ca-certs="$CA_CERTS" \
      check-interval="$CHECK_INTERVAL" \
      dial-timeout="$DIAL_TIMEOUT" \
      http-proxy="$HTTP_PROXY" \
      https-proxy="$HTTPS_PROXY" \
      log-level="$LOG_LEVEL" \
      no-proxy="$NO_PROXY" \
      tls-patch-download="$TLS_PATCH_DOWNLOAD"
    snap restart canonical-livepatch
  - |
    rm /etc/livepatch/*
final_message: The system is up, up to date, and Livepatch client is active after $UPTIME seconds

To configure the Livepatch client through the cloud-init module, replace each template value in the write_files entry for /etc/livepatch/livepatch.env, such as __LOG_LEVEL__, with a valid value from the available configuration options. Only the variables referenced in the canonical-livepatch config command are applied to the client: PATCH_DELAY and CUTOFF_DATE are exported by the template's env file but are not passed to canonical-livepatch config by the command shown here.

Note: To enable Livepatch, you need to attach the instance to Ubuntu Pro. Do not write the Pro token into the cloud-init module. Instead, store the Pro token in a secrets vault, fetch it from the vault at boot, and write it into the root-owned file at /etc/livepatch/pro_token. The write_files entry pre-creates that file as root with mode 0600, so the token never lands in a world-readable file; the cloud-init module reads the token from it to attach to Ubuntu Pro. The file is deleted in the last step of the cloud-init setup process.

For any configuration values you do not wish to change, remove the corresponding key=value lines from the canonical-livepatch config statement in the second block of commands. If you remove the last line of the statement, also remove the trailing backslash on the line that now ends it; otherwise the line continuation swallows the following command.

Using The Client With An On-Prem Livepatch Server

The cloud-init module for using the client with an on-prem Livepatch server is similar to the previous module; instead of the Pro token, you use an auth token generated by the admin tool:

canonical-livepatch-server-admin.livepatch-admin auth-token <sso-id> <tier> [flags]

For example:

canonical-livepatch-server-admin.livepatch-admin auth-token test edge

This command will output an auth token you can use with your client machines to apply patches in the edge tier.

The following cloud-init module should be used for client machines with an on-prem server:

#cloud-config
package_update: true
package_upgrade: true
packages:
  - snapd
write_files:
  - path: /etc/livepatch/livepatch.env
    permissions: "0600"
    owner: root:root
    content: |
      export SERVER_URL="__SERVER_URL__"
      export PATCH_DELAY="__PATCH_DELAY__"
      export CUTOFF_DATE="__CUTOFF_DATE__"
      export CA_CERTS="__CA_CERTS__"
      export CHECK_INTERVAL="__CHECK_INTERVAL__"
      export DIAL_TIMEOUT="__DIAL_TIMEOUT__"
      export HTTP_PROXY="__HTTP_PROXY__"
      export HTTPS_PROXY="__HTTPS_PROXY__"
      export LOG_LEVEL="__LOG_LEVEL__"
      export NO_PROXY="__NO_PROXY__"
      export TLS_PATCH_DOWNLOAD="__TLS_PATCH_DOWNLOAD__"
  - path: /etc/livepatch/authToken
    permissions: "0600"
    owner: root:root
runcmd:
  - |
    set -e
    snap wait system seed.loaded
    # fetch token from secrets vault and redirect to /etc/livepatch/authToken
  - |
    set -e
    snap install canonical-livepatch
    . /etc/livepatch/livepatch.env
    canonical-livepatch config \
      remote-server="$SERVER_URL" \
      ca-certs="$CA_CERTS" \
      check-interval="$CHECK_INTERVAL" \
      dial-timeout="$DIAL_TIMEOUT" \
      http-proxy="$HTTP_PROXY" \
      https-proxy="$HTTPS_PROXY" \
      log-level="$LOG_LEVEL" \
      no-proxy="$NO_PROXY" \
      tls-patch-download="$TLS_PATCH_DOWNLOAD"
    canonical-livepatch enable "$(cat /etc/livepatch/authToken)"
  - |
    rm /etc/livepatch/*
final_message: The system is up, up to date, and Livepatch client is active after $UPTIME seconds

As with the previous cloud-init module, remove the key=value lines for any configuration values you do not wish to change from the canonical-livepatch config statement in the second block of commands, and fix the trailing backslash if you remove the last line.

Note: With an on-prem Livepatch server the instance is not attached to Ubuntu Pro; the client is enabled with the auth token instead. Do not write the auth token into the cloud-init module. Instead, store the auth token in a secrets vault, fetch it at boot, and redirect it into /etc/livepatch/authToken.
Be sure to set the __SERVER_URL__ variable to the URL of your on-prem Livepatch server.
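Both modules leave two steps to the reader: writing the token fetched from a vault into a root-owned 0600 file, and trimming the canonical-livepatch config statement by hand so that only the options you actually set are passed. The POSIX sh helpers below are an added example, not part of this page or of the canonical-livepatch project. They assume the page's env-file format (`export NAME="value"`) and its `__NAME__` placeholder convention, and they only chown to root when the script itself runs as root, as it does under cloud-init. The env file and token in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Livepatch docs or the canonical-livepatch
# project): helpers for the cloud-init runcmd steps on this page.
#   lp_write_secret - store a token read on stdin (e.g. fetched from a vault)
#                     in a root-owned 0600 file such as /etc/livepatch/authToken
#   lp_config_args  - derive the canonical-livepatch config key=value list
#                     from livepatch.env, skipping options that are unset, empty
#                     or still an untouched __PLACEHOLDER__
# Assumptions: env file uses the page's `export NAME="value"` format and the
# `__NAME__` placeholder convention; chown to root only when running as root.

# Environment variable -> canonical-livepatch config key, as used on this page.
LP_OPTION_MAP="SERVER_URL:remote-server
CA_CERTS:ca-certs
CHECK_INTERVAL:check-interval
DIAL_TIMEOUT:dial-timeout
HTTP_PROXY:http-proxy
HTTPS_PROXY:https-proxy
LOG_LEVEL:log-level
NO_PROXY:no-proxy
TLS_PATCH_DOWNLOAD:tls-patch-download"

# Print one "key=value" line per option that is actually set in env file $1.
# The file is sourced in a subshell so the caller's environment stays clean.
lp_config_args() {
    (
        . "$1" || exit 1
        printf '%s\n' "$LP_OPTION_MAP" | while IFS=: read -r var key; do
            eval "val=\${$var:-}"
            case "$val" in
                ''|__*__) continue ;;   # unset, empty, or untouched template
            esac
            printf '%s=%s\n' "$key" "$val"
        done
    )
}

# Read a secret from stdin and write it to $1 with mode 0600. The value never
# passes through argv or a world-readable temp file; empty input is refused.
lp_write_secret() {
    dest="$1"
    tmp="$dest.$$.tmp"
    (umask 077 && cat > "$tmp") || return 1
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0600 "$tmp" && mv "$tmp" "$dest"
}

# Stand-alone demo on a constructed env file and token (not a real deployment).
lp_demo() {
    d=$(mktemp -d)
    cat > "$d/livepatch.env" <<'EOF'
export SERVER_URL="https://livepatch.example.internal"
export CA_CERTS="__CA_CERTS__"
export CHECK_INTERVAL=""
export LOG_LEVEL="debug"
EOF
    lp_config_args "$d/livepatch.env"
    printf 'constructed-demo-token' | lp_write_secret "$d/authToken"
    ls -l "$d/authToken"
    rm -rf "$d"
}
lp_demo
```

In a runcmd block the pieces combine as `vault-fetch-command | lp_write_secret /etc/livepatch/authToken` (the vault command is whatever your secrets store provides; it is not shown here) followed by `canonical-livepatch config $(lp_config_args /etc/livepatch/livepatch.env)`. The unquoted expansion relies on option values containing no whitespace, which holds for the URLs, paths, intervals and log levels these options take; quote or build positional parameters instead if you ever need a value with spaces.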