How to use the Canonical Livepatch Downloader

The Canonical Livepatch downloader tool is a CLI application that provides basic commands to query and download patch files.

Please note that this tool is not a replacement for the Canonical Livepatch client. Instead it provides some basic patch download and query functionality which may be particularly desirable in the following scenarios:

  • If the Livepatch client cannot be used and patches must be inserted manually.
  • To downloaded patches before transferring them into an airgapped on-premise deployment of the Livepatch Server.

Using the Canonical Livepatch Downloader

Setup the Downloader

Install the snap with

sudo snap install canonical-livepatch-downloader

Enable the tool by running the following command with an Ubuntu Pro token obtained from the Ubuntu Pro dashboard, note that the token must be entitled to Livepatch.

canonical-livepatch-downloader enable <token>

Downloading single patches

For this section we will list and download patches for a specific kernel release. Using the host system’s kernel and assuming an amd64 architecture.

KERNEL_VERSION=$(cat /proc/version_signature  | cut -d ' ' -f 2)
canonical-livepatch-downloader list --kernel=$KERNEL_VERSION --architecture=amd64

A sample output for a specific kernel version is provided below:

$ canonical-livepatch-downloader list --kernel=5.15.0-107.117-generic --architecture=amd64
- filename: livepatch-5.15.0-107.117-generic-107.1-amd64.tar.bz2
  hash: 696070a5dfb927bc9dcec809f7ba81c059e981a02829b44253e8ecf84d829fb5
- filename: livepatch-5.15.0-107.117-generic-106.1-amd64.tar.bz2
  hash: 2b061466b553ca8805e7f278405031bf7607e088525dee5d21e19de513253df6
- filename: livepatch-5.15.0-107.117-generic-105.1-amd64.tar.bz2
  hash: a73e702c795d1670066ac7209912434ae02006dc97a81b2b4bbdfebfbd15b7db
- filename: livepatch-5.15.0-107.117-generic-104.1-amd64.tar.bz2
  hash: a603d9c7448d874625a95a2c06cbf554d3184868e803fb98b310a5722e9f359b

Next we will download the latest patch for your kernel.

canonical-livepatch-downloader get-latest --kernel=$KERNEL_VERSION --architecture=amd64

An example output is provided below

$ canonical-livepatch-downloader get-latest --kernel=5.15.0-107.117-generic --architecture=amd64
Downloading patch 1/1
Patch livepatch-5.15.0-107.117-generic-107.1-amd64 downloaded and extracted to /home/demo/snap/canonical-livepatch-downloader/common/patches/livepatch-5.15.0-107.117-generic-107.1-amd64

Note that the path the patch was downloaded to is shown. Unfortunately the downloaded file path cannot currently be changed due to snap confinement.

If a specific patch from the list is desired instead of the latest, use the get-files command as follows.

canonical-livepatch-downloader get-files livepatch-5.15.0-107.117-generic-105.1-amd64.tar.bz2

Syncing groups of patches

Syncing a group of patches is useful when you want to manually transfer patches from into an airgapped environment.

To sync a group of patches we will utilise the list and get-files commands. Note that, again, because of snap confinement we must place the output of the list command in a location that the snap can access.

The list command provides filtering based on the following parameters:

  • Architecture: Specify a fixed architecture string, e.g. “amd64” or “s390x”
  • Flavour: Specify a kernel flavour, e.g. “generic”, “lowlatency”, etc.
  • Kernel: A prefix match on kernel versions. E.g. 6.2 will match kernel versions 6.2.*
  • Tier: Specify the tier from which to download patches, defaults to “Proposed”. See here for more info on tiers.

The same flag cannot be passed multiple times. If multiple kernel versions, flavours or architectures are desired, run the following commands with each combination.

Assuming that we want to sync all patches for architecture amd64, kernel 4.4.0-1100 and flavour aws:

canonical-livepatch-downloader list --architecture=amd64 --flavour=aws --kernel=4.4.0-1100  > ~/snap/canonical-livepatch-downloader/common/patch-list.txt
canonical-livepatch-downloader get-files -i ~/snap/canonical-livepatch-downloader/common/patch-list.txt

The output will indicate the download progress and specify the final download location

24/24 patches downloaded successfully.
Patches downloaded and extracted to /home/demo/snap/canonical-livepatch-downloader/common/patches

Removing downloaded patches

Because patches are downloaded to ~/canonical-livepatch-downloader/common/patches to remove all downloads simply run

rm -r ~/snap/canonical-livepatch-downloader/common/patches/*

Removing the Downloader

When removing the tool, Snap snapshots may result in the removal taking a long time because a backup of the downloaded patches are being made. To avoid this, uninstall the tool with the following command to skip the creation of a snapshot.

sudo snap remove canonical-livepatch-downloader --purge