Please note that this guide assumes you’ve already set up the livepatch-server-snap.
The Canonical Livepatch CVE service runs a simple HTTP server that periodically fetches and provides information about CVEs fixed in Ubuntu kernels. In this guide we will set up the CVE service snap, and point the Livepatch server snap to the service.
Installation
Install the latest stable CVE service snap from the snap store with:
sudo snap install canonical-livepatch-cve-service
The service automatically initializes and begins listening on localhost:8090 with the default parameters set. The service will also begin downloading CVE data from the default OSV source on startup.
Note: the default upstream OSV source is about 400MB. The CVE service uses ETags to check whether the source has changed, and only downloads it again when there is new CVE data.
To change the port and other parameters, see the Usage section.
Usage
Configuring the snap
The CVE service snap has several configuration options available. All configuration options are set via:
sudo snap set canonical-livepatch-cve-service <config>=<value>
To return to the default value after a custom value has been set, set the config value to an empty string "". For example:
sudo snap set canonical-livepatch-cve-service port=""
The service automatically restarts on a configuration change, ensuring that the service runs with the latest configuration.
Configuration Options
The following table shows all configuration options, useful information, and default values.
| Config Option | Description | Example | Notes |
|---|---|---|---|
| source | URL or file path to fixed CVE information. | "https://osv-vulnerabilities.storage.googleapis.com/Ubuntu/all.zip" | When setting this option, you must also set the source-type config option. The default value is "https://osv-vulnerabilities.storage.googleapis.com/Ubuntu/all.zip". |
| source-type | The format of the data source. | "osv-bucket-zip" | When setting this option, you must also set the source config option. The default value is "osv-bucket-zip". |
| fetch-freq | When to fetch fixed CVE data. If set to "", the CVE service fetches data according to the interval option. If set to "once", it fetches the data a single time at startup. If set to "never", it does not fetch data from the source. | "", "once", "never" | When set to "once" or "never", the interval option is ignored. When set to "never", the source, source-type, and interval options are ignored. The default value is "". |
| interval | The interval between CVE data fetches, in the form xxhxxmxxs. | "1h0m0s" | The default value is "1h0m0s". The CVE service enforces a minimum interval of 30 minutes; a shorter value is treated as 30 minutes. |
| port | The port to bind to and listen for requests on. | "8090" | The default value is "8090". |
| write-timeout | The write timeout for sending CVE data. | "5m" | The default value is "5m". |
| read-timeout | The read timeout for reading from the Livepatch server. | "30s" | The default value is "30s". |
Pointing Livepatch Server To The CVE Service
When connected to the CVE service, the Livepatch server serves fixed CVE information and periodically refreshes its CVE cache by fetching from the CVE service. These features are disabled by default so that you can supply configuration values appropriate to your deployment.
To point Livepatch Server to the CVE service, first enable the cve-lookup feature with:
sudo snap set canonical-livepatch-server lp.cve-lookup.enabled="true"
Then, enable the cve-sync feature, and set the source-url to the URL of the CVE service:
sudo snap set canonical-livepatch-server lp.cve-sync.enabled="true"
sudo snap set canonical-livepatch-server lp.cve-sync.source-url="http://<host>:<port>"
You can also set the refresh interval, and proxy information if required:
sudo snap set canonical-livepatch-server lp.cve-sync.interval="1h"
sudo snap set canonical-livepatch-server lp.cve-sync.proxy.enabled="true"
sudo snap set canonical-livepatch-server lp.cve-sync.proxy.http="<url>"
sudo snap set canonical-livepatch-server lp.cve-sync.proxy.https="<url>"
sudo snap set canonical-livepatch-server lp.cve-sync.proxy.no-proxy="<url>"
By default, the refresh interval is 1 hour, and the proxy is disabled.
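The following script is an added example, not code from either snap or from the Livepatch documentation. It checks the values from the configuration table and the pointing steps above before they are handed to `snap set`: the interval is parsed in the xxhxxmxxs form and the 30-minute floor is applied, fetch-freq is restricted to its three accepted values, the port is range-checked, and the source-url is checked for an http(s) scheme and a port that matches the CVE service port. It prints the `snap set` commands as a dry run unless `APPLY=1` is set and snap is installed. The environment variables CVE_PORT, CVE_INTERVAL, CVE_FETCH_FREQ and LP_CVE_SOURCE_URL are assumptions of this example; their defaults mirror the table.

```shell
#!/bin/sh
# Added example, not part of either snap or the Livepatch docs: validate the
# settings described above, then print (or, with APPLY=1 and snap installed,
# run) the matching `snap set` commands. The CVE_* and LP_CVE_SOURCE_URL
# variables are hypothetical inputs for this script; defaults mirror the table.

CVE_SNAP="canonical-livepatch-cve-service"
LP_SNAP="canonical-livepatch-server"

# interval_seconds 1h30m0s -> 5400. Parses the xxhxxmxxs form; any unit may
# be left out, but they must appear in h, m, s order with digits in front.
interval_seconds() {
    spec=$1
    total=0
    case "$spec" in ''|*[!0-9hms]*) return 1 ;; esac
    for unit in h m s; do
        case "$spec" in
            *"$unit"*)
                n=${spec%%"$unit"*}
                spec=${spec#*"$unit"}
                case "$n" in ''|*[!0-9]*) return 1 ;; esac
                case "$unit" in
                    h) total=$((total + n * 3600)) ;;
                    m) total=$((total + n * 60)) ;;
                    s) total=$((total + n)) ;;
                esac ;;
        esac
    done
    [ -z "$spec" ] || return 1   # leftover text: units out of order, or no unit
    echo "$total"
}

# The service clamps anything under 30 minutes to 30 minutes (see the table).
effective_interval_seconds() {
    secs=$(interval_seconds "$1") || return 1
    if [ "$secs" -lt 1800 ]; then echo 1800; else echo "$secs"; fi
}

validate_fetch_freq() {
    case "$1" in ''|once|never) return 0 ;; *) return 1 ;; esac
}

validate_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# url_port http://cve.internal:8090 -> 8090. Requires an http(s) scheme and
# falls back to the scheme's default port; bracketed IPv6 hosts are not handled.
url_port() {
    hp=${1#http://}; hp=${hp#https://}
    [ "$hp" != "$1" ] || return 1
    hp=${hp%%/*}
    case "$hp" in
        *:*) p=${hp##*:} ;;
        *) case "$1" in https://*) p=443 ;; *) p=80 ;; esac ;;
    esac
    validate_port "$p" || return 1
    echo "$p"
}

# Dry run by default: only touch the system when explicitly asked to.
run_or_echo() {
    if [ "${APPLY:-0}" = 1 ] && command -v snap >/dev/null 2>&1; then
        sudo "$@"
    else
        echo "$*"
    fi
}

apply_config() {
    port=${CVE_PORT:-8090}
    interval=${CVE_INTERVAL:-1h0m0s}
    fetch=${CVE_FETCH_FREQ:-}
    url=${LP_CVE_SOURCE_URL:-http://localhost:8090}

    validate_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    secs=$(effective_interval_seconds "$interval") \
        || { echo "invalid interval: $interval" >&2; return 1; }
    [ "$secs" -eq "$(interval_seconds "$interval")" ] \
        || echo "note: $interval is below the 30 minute floor; the service will use 30m" >&2
    validate_fetch_freq "$fetch" || { echo "invalid fetch-freq: $fetch" >&2; return 1; }
    urlport=$(url_port "$url") || { echo "invalid source-url: $url" >&2; return 1; }
    # Only meaningful when both snaps share a host, hence a warning, not an error.
    [ "$urlport" = "$port" ] \
        || echo "warning: source-url port $urlport differs from CVE service port $port" >&2

    run_or_echo snap set "$CVE_SNAP" port="$port"
    run_or_echo snap set "$CVE_SNAP" interval="$interval"
    run_or_echo snap set "$CVE_SNAP" fetch-freq="$fetch"
    run_or_echo snap set "$LP_SNAP" lp.cve-lookup.enabled=true
    run_or_echo snap set "$LP_SNAP" lp.cve-sync.enabled=true
    run_or_echo snap set "$LP_SNAP" lp.cve-sync.source-url="$url"
}

apply_config
```

Running it with no environment set prints the six `snap set` lines for the defaults; `CVE_INTERVAL=10m sh check-config.sh` additionally prints the note that the service will round the interval up to 30 minutes, which is the behaviour the table describes rather than an error.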
When the Livepatch server receives fixed CVE data from the CVE service, it also gets a digest computed by the CVE service. Upon requesting CVE data, the server provides the CVE service with the digest. If the digest hasn’t changed on the CVE service, the request is rejected with a “Not Modified” HTTP code, preventing the server from repeatedly downloading the same data.
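The script below is an added example, not the CVE service's or the Livepatch server's own code, that simulates the digest exchange just described locally so the caching behaviour can be seen end to end without either snap installed. It assumes, which the page does not state, that the digest is SHA-256 over the served body and that the client echoes the last digest it received on every request; "304" stands in for the Not Modified reply. The client side also verifies the body it receives against the digest the service sent, so a truncated or altered download is discarded instead of replacing the cache.

```shell
#!/bin/sh
# Added example, not code from the Livepatch server or CVE service snaps:
# a local simulation of the digest exchange described above. Assumptions
# (not stated on the page): the digest is SHA-256 over the served body,
# the client echoes the last digest it received on every request, and
# "304" stands in for the Not Modified reply. Needs sha256sum (coreutils).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DATA="$WORK/fixed-cves.json"          # what the CVE service currently serves
CLIENT_CACHE="$WORK/cache.json"       # the Livepatch server's CVE cache
CLIENT_DIGEST="$WORK/cache.digest"    # digest that came with the cached body

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Constructed placeholder payload standing in for real fixed-CVE data.
reset_service() { printf '{"cves":["CVE-EXAMPLE-0001"]}\n' > "$DATA"; }

# Simulate the CVE service picking up new upstream data ($1: placeholder id).
publish_update() {
    printf '{"cves":["CVE-EXAMPLE-0001","%s"]}\n' "$1" > "$DATA"
}

reset_client() { rm -f "$CLIENT_CACHE" "$CLIENT_DIGEST"; }

# Service side: $1 is the digest the client last saw ('' on first contact),
# $2 is where to write the body. Prints "<status> <current digest>".
service_respond() {
    current=$(sha256_of "$DATA")
    if [ -n "$1" ] && [ "$1" = "$current" ]; then
        echo "304 $current"          # nothing new: no body is sent
    else
        cp "$DATA" "$2"
        echo "200 $current"
    fi
}

# Client side: one refresh cycle. Prints the status it acted on. A body whose
# digest does not match the one the service sent is dropped and reported as
# "corrupt", so the cache is only ever replaced by data that verified.
client_sync() {
    last=$(cat "$CLIENT_DIGEST" 2>/dev/null || true)
    reply=$(service_respond "$last" "$CLIENT_CACHE.tmp")
    status=${reply%% *}
    digest=${reply#* }
    case "$status" in
        200)
            if [ "$(sha256_of "$CLIENT_CACHE.tmp")" = "$digest" ]; then
                mv "$CLIENT_CACHE.tmp" "$CLIENT_CACHE"
                printf '%s\n' "$digest" > "$CLIENT_DIGEST"
            else
                rm -f "$CLIENT_CACHE.tmp"
                status=corrupt
            fi ;;
        304) rm -f "$CLIENT_CACHE.tmp" ;;   # nothing was written on 304 anyway
    esac
    echo "$status"
}

# Stand-alone walkthrough: 200, 304, update published, 200, 304.
reset_service
reset_client
echo "first sync:    $(client_sync)"
echo "second sync:   $(client_sync)"
publish_update CVE-EXAMPLE-0002
echo "after update:  $(client_sync)"
echo "then again:    $(client_sync)"
```

The second and fourth calls return 304 because the client's stored digest still matches what the service would serve, which is exactly the situation in which the real Livepatch server avoids re-downloading the same data; only the publish step changes the digest and forces a fresh 200.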
Final words
Now you have the Livepatch server snap integrated with the CVE service snap, allowing client machines to receive fixed CVE information about their installed patches.