Technical information - security, APIs, architecture, etc., related to Livepatch.
Networking
The Livepatch client requires Internet access to fetch kernel patches from the server.
Compatibility
Livepatch determines which kernel patch may be applied based on your kernel version.
Security and privacy
Livepatch sends specific data about your system in order to patch your kernel.
Kernel patching
Livepatch inserts modules into a running kernel. This has inherent risks; this page details some of those risks and common misunderstandings.
Configuration
The Livepatch client can be configured with a variety of options, which are listed here.
Hi, would it be possible to add a page here that lists the configuration keys that can be modified on the livepatch client? I am working on adding another key and would like to have a place to add a few notes.
Thanks!
Here’s a proposed page or set of pages based on the CLI help. This should probably be split into two pages: “How to configure the livepatch client” and “Config Reference”.
Configuration
The daemon can be configured using the CLI or its configuration file at /var/snap/canonical-livepatch/common/config.
CLI Configuration
Show the current configuration:
canonical-livepatch config
Change one or more settings:
canonical-livepatch config http-proxy="1.2.3.4" https-proxy="1.2.3.4"
canonical-livepatch config remote-server="https://example.livepatch.canonical.com"
Clear one or more settings:
canonical-livepatch config remote-server=
Change settings, reading a long, multi-line value from stdin:
canonical-livepatch config remote-server=https://2.3.4.5 ca-certs=@stdin < chain.pem
YAML Configuration
The daemon can also be configured by editing /var/snap/canonical-livepatch/common/config. The file is YAML-formatted. In order for changes to the file to take effect, you must restart the daemon:
sudo snap restart canonical-livepatch
Configuration Options
| Key | Data Type | Description | Default Value |
|---|---|---|---|
| http-proxy | string | Value passed as HTTP_PROXY (overrides /etc/environment) | Empty |
| https-proxy | string | Value passed as HTTPS_PROXY (overrides /etc/environment) | Empty |
| no-proxy | string | Value passed as NO_PROXY (overrides /etc/environment) | Empty |
| remote-server | string | Livepatch server URL | https://livepatch.canonical.com |
| ca-certs | string | Custom CA root certificate(s) | Empty |
| dial-timeout | string | Timeout for opening TCP connections; allowed units are s, m, h | 12s |
| check-interval | integer | Minutes between checks for new patches. Minimum 60. Use 0 to disable auto refresh | 60 |
| log-level | string | One of debug, info, notice, warning, error | warning |
| cutoff-date ¹ | string | RFC3339 date in the past after which new patches will not be installed | Empty |
| patch-delay ¹ | string | Duration before a newly released patch is received by the client; allowed units are s, m, h, d, w | 0 |

¹ Only available to paid Ubuntu Pro users who are using Canonical-hosted Livepatch, with the remote-server option unchanged
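The constraints in the options table above can be checked before a change is rolled out to a fleet. The following is an added example, not part of the original post and not Livepatch code: `lint_settings` is a hypothetical helper that takes the settings as a flat dict of strings (the same `key=value` pairs the CLI accepts), and the single-unit duration format and the https-only rule are assumptions of this example.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

DEFAULT_SERVER = "https://livepatch.canonical.com"
LOG_LEVELS = {"debug", "info", "notice", "warning", "error"}
KNOWN_KEYS = {"http-proxy", "https-proxy", "no-proxy", "remote-server", "ca-certs",
              "dial-timeout", "check-interval", "log-level", "cutoff-date", "patch-delay"}

def lint_settings(settings, now=None):
    """Return a list of problems in a {key: string value} dict of client settings."""
    now = now or datetime.now(timezone.utc)
    problems = [f"{k}: unknown key" for k in settings if k not in KNOWN_KEYS]
    # An empty value clears a setting (as in `config remote-server=`), so skip it.
    s = {k: v for k, v in settings.items() if k in KNOWN_KEYS and v != ""}
    # Assumption: a duration is one integer followed by one of the listed units.
    if "dial-timeout" in s and not re.fullmatch(r"[0-9]+[smh]", s["dial-timeout"]):
        problems.append("dial-timeout: expected a number with unit s, m or h")
    if "patch-delay" in s and not re.fullmatch(r"0|[0-9]+[smhdw]", s["patch-delay"]):
        problems.append("patch-delay: expected a number with unit s, m, h, d or w")
    if "check-interval" in s:
        v = s["check-interval"]
        if not re.fullmatch(r"[0-9]+", v) or 0 < int(v) < 60:
            problems.append("check-interval: must be 0 (disabled) or at least 60")
    if "log-level" in s and s["log-level"] not in LOG_LEVELS:
        problems.append("log-level: must be one of " + ", ".join(sorted(LOG_LEVELS)))
    if "cutoff-date" in s:
        try:
            when = datetime.fromisoformat(s["cutoff-date"].replace("Z", "+00:00"))
            if when.tzinfo is None or when >= now:
                problems.append("cutoff-date: must be an RFC3339 timestamp in the past")
        except ValueError:
            problems.append("cutoff-date: not a valid RFC3339 timestamp")
    server = s.get("remote-server", DEFAULT_SERVER)
    # Policy of this example, not a documented client rule: require TLS to the server.
    if urlsplit(server).scheme != "https":
        problems.append("remote-server: not an https URL")
    if server != DEFAULT_SERVER:  # footnote 1: hosted-only options
        problems += [f"{k}: needs the default remote-server"
                     for k in ("cutoff-date", "patch-delay") if k in s]
    return problems

# Constructed sample input, not taken from a real host.
SAMPLE = {"remote-server": "https://example.livepatch.canonical.com",
          "check-interval": "30", "dial-timeout": "12s", "patch-delay": "1w"}

if __name__ == "__main__":
    for problem in lint_settings(SAMPLE):
        print(problem)
```

The check cannot confirm the paid Ubuntu Pro requirement from the footnote; it only catches the case where a hosted-only option is combined with a changed remote-server.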
Thanks @whershberger ! I have a few small comments on this before we publish the update:
I think we should expand on how the daemon can be restarted under YAML Configuration:
In the cutoff-date and patch-delay descriptions we should indicate that they are only available to hosted, i.e. non-on-prem users in addition to the paid Ubuntu Pro requirement. Perhaps we could phrase it something like Only available to paid Ubuntu Pro users who are using hosted Livepatch, with the remote-server option unchanged
I think we can add Config Options as a page under Livepatch Reference | Ubuntu and Configure client under Livepatch How-to Guides | Ubuntu - although the latter reads a bit strangely given that we already have separate pages for configuring various features.
I’ve made some adjustments based on your nits; thanks for the review. Are you willing to split the content into two pages since I don’t have edit access to the relevant forum threads?
Thank you @whershberger , I have updated and published the two new pages: