How to setup Livepatch on-prem server administration tool

tasdomas · March 30, 2023, 1:25pm

To perform operations such as promoting patches to tiers and issuing tokens for machines to attach to the livepatch server, an administration tool is provided as a snap:

$ sudo snap install canonical-livepatch-server-admin

For ease of use, it’s recommended to alias the admin command:

$ sudo snap alias canonical-livepatch-server-admin.livepatch-admin livepatch-admin

Authentication

There are two ways for the livepatch administration tool to authenticate with the livepatch server:

Ubuntu SSO
Username/password

Password authentication

To configure password authentication, username/password hash pairs will need to be generated using the htpasswd tool available in the apache2-utils package:

$ htpasswd -bnBC 10 <username> <password>
username:$2y$10$74ZpDgHaxnUQo.AJZk1cMuSRfef5oK5xq5o/GLbUH/Bbw6W2bmctm

Multiple such pairs can be provided as a comma-separated list:

$ juju config livepatch auth_basic_users="<user1>:<password1,<user2>:<password2>"

When logging in with the client, the username and password will need to be provided:

$ export LIVEPATCH_URL={haproxy url}

$ livepatch-admin login --auth <username>:<password>

Ubuntu SSO authentication

Ubuntu SSO authentication utilizes membership in public launchpad groups to gate access. The launchpad groups that will have administrator privileges are specified using charmed operator configuration:

$ juju config livepatch auth_lp_teams='https://launchpad.net/~<team>'

Multiple teams can be specified as a comma-separated list.

When logging in, user interaction will be necessary:

$ export LIVEPATCH_URL={haproxy url}

$ livepatch-admin login

To login please visit http://127.0.0.1:44035

tasdomas · June 1, 2021, 2:23pm

tasdomas · September 7, 2021, 7:32am

ghill · March 27, 2023, 11:39pm

I’m having trouble promoting patches.
Regardless of authentication method, including deliberately malformed credentials (same exit code, no output or error message), I get this from attempting to promote a patch with livepatch-admin:
Error: failed to associate patch with tier: Put /v1/admin/tiers/beta/92.1: cannot unmarshal parameters: cannot unmarshal into field LimitedRelease: unexpected content type “”; want application/json; content: “”

If I were to recreate the request in curl to debug my issue, what fields is the server expecting?

This is installed via charm, running on the same controller as Landscape on-prem, is haproxy getting in the way?

Is there any way to get more feedback from the livepatch-admin login command?

kian-parvin · May 12, 2023, 12:57pm

Hi @ghill,

Apologies for the delay in replying.

If the below doesn’t help could you please post your bug here, this is the official tracker for on-prem bugs and will make it easier to track.

It’ll be helpful to know what charm revision of the livepatch-server you are running and the Snap revision of the admin-tool.

I think you might simply need a newer version of the admin-tool Snap. A sudo snap refresh canonical-livepatch-server-admin. Failing that, you can install the Snap from the candidate channel which has a newer version, which can be done with sudo snap refresh canonical-livepatch-server-admin --channel=latest/candidate

ghill · May 23, 2023, 4:36pm

Thank you @kian-parvin, you are correct, refreshing the canonical-livepatch-server-admin snap to latest/candidate is what resolved the issue for me.
The new supported-kernels feature looks promising, though I needed to then refresh the server for the new schema.

Quick followup question, if nothing is entered into sync reports, does that mean there are no issues and no patches found? There does not seem to be a “successfully contacted server, no new patches found” entry, and my last entry is from May 17th.

Thanks again.

kian-parvin · May 26, 2023, 3:18pm

Glad that resolved things! For clarity, the supported-kernels table is intended purely as a way for the server to communicate to client machines whether their kernel is supported. This list is maintained by Canonical since we create the patches and the data from the hosted server is synced to the on-prem instances for them to communicate to their downstream clients.

As for your question, yes that should indicate that things are okay. You can view all the sync reports if you add the --all flag so that any syncs that didn’t return anything will also be shown. More details are available with livepatch-admin sync reports --help. And if you want to see what patches you currently have stored you can use livepatch-admin storage patches.

I recommend adding the --help flag to commands to get more info where needed.
Hope that helps!