Livepatch Reference

Technical information - security, APIs, architecture, etc., related to Livepatch.

Networking

The Livepatch client requires Internet access in order to fetch kernel patches from the server.

Compatibility

Livepatch determines which kernel patch may be applied based on your kernel version.

Security and privacy

Livepatch sends specific data about your system in order to patch your kernel.

Kernel patching

Livepatch inserts modules into a running kernel. This has inherent risks, and the following details some of these risks and misunderstandings.

Hi, would it be possible to add a page here that lists the configuration keys that can be modified on the livepatch client? I am working on adding another key and would like to have a place to add a few notes.

Thanks!

Here’s a proposed page or set of pages based on the CLI help. This should probably be split into two pages: “How to configure the livepatch client” and “Config Reference”.

Configuration

The daemon can be configured using the CLI or its configuration file at /var/snap/canonical-livepatch/common/config.

CLI Configuration

Show the current configuration:

canonical-livepatch config

Change one or more settings:

canonical-livepatch config http-proxy="1.2.3.4" https-proxy="1.2.3.4"
canonical-livepatch config remote-server="https://example.livepatch.canonical.com"

Clear one or more settings:

canonical-livepatch config remote-server=

Change settings, reading a long, multi-line value from stdin:

canonical-livepatch config remote-server=https://2.3.4.5 ca-certs=@stdin < chain.pem

YAML Configuration

The daemon can also be configured by editing /var/snap/canonical-livepatch/common/config. The file is YAML-formatted. In order for changes to the file to take effect, you must restart the daemon.

Configuration Keys

| Key | Data Type | Description | Default Value |
| --- | --- | --- | --- |
| http-proxy | string | Value passed as HTTP_PROXY (overrides /etc/environment) | Empty |
| https-proxy | string | Value passed as HTTPS_PROXY (overrides /etc/environment) | Empty |
| no-proxy | string | Value passed as NO_PROXY (overrides /etc/environment) | Empty |
| remote-server | string | Livepatch server URL | https://livepatch.canonical.com |
| ca-certs | string | Custom CA root certificate(s) | Empty |
| dial-timeout | string | Timeout for opening TCP connections; allowed units are s, m, h | 12s |
| check-interval | integer | Minutes between checks for new patches. Minimum 60. Use 0 to disable auto refresh. | 60 |
| log-level | string | One of debug, info, notice, warning, error | warning |
| cutoff-date | string | RFC3339 date in the past after which new patches will not be installed. Only available to paid Ubuntu Pro users | Empty |
| patch-delay | string | Duration before a newly released patch is received by the client; allowed units are s, m, h, d, w. Only available to paid Ubuntu Pro users | 0 |
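
The constraints in the Configuration Keys table can be checked on `key=value` arguments before they are passed to `canonical-livepatch config`. The following is an added example, not part of the posts above or of the Livepatch client; the function names, the duration grammar, the full-timestamp reading of cutoff-date and the https-only rule for remote-server are assumptions of the example.

```python
import re
from datetime import datetime, timezone

LOG_LEVELS = {"debug", "info", "notice", "warning", "error"}
FREE_FORM = {"http-proxy", "https-proxy", "no-proxy", "ca-certs"}  # no format stated

def _duration(units):
    # Assumption: one or more <integer><unit> groups, or a bare 0 (the patch-delay default).
    pattern = re.compile(rf"0|(\d+[{units}])+")
    return lambda v: None if pattern.fullmatch(v) else f"expected a duration in {', '.join(units)}"

def _check_interval(v):
    if not v.isdecimal():
        return "expected an integer number of minutes"
    return None if int(v) == 0 or int(v) >= 60 else "minimum is 60 (0 disables auto refresh)"

def _cutoff_date(v):
    # Assumption: a full timestamp with an offset, e.g. 2020-01-01T00:00:00Z.
    try:
        past = datetime.fromisoformat(v.replace("Z", "+00:00")) < datetime.now(timezone.utc)
    except (ValueError, TypeError):  # unparsable, or no offset to compare with
        return "expected an RFC3339 date"
    return None if past else "must be in the past"

CHECKS = {
    # Assumption of this example: patches should only be fetched over TLS.
    "remote-server": lambda v: None if v.startswith("https://") else "expected an https:// URL",
    "dial-timeout": _duration("smh"),
    "patch-delay": _duration("smhdw"),
    "check-interval": _check_interval,
    "log-level": lambda v: None if v in LOG_LEVELS else "unknown log level",
    "cutoff-date": _cutoff_date,
}

def check_settings(pairs):
    """Return 'key: problem' strings; empty values (clear) and @stdin are not checked."""
    problems = []
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep:
            problems.append(f"{pair}: not in key=value form")
        elif key not in CHECKS and key not in FREE_FORM:
            problems.append(f"{key}: unknown configuration key")
        elif value and value != "@stdin" and key in CHECKS and (msg := CHECKS[key](value)):
            problems.append(f"{key}: {msg}")
    return problems

# Constructed sample arguments, not taken from a real system.
SAMPLE = ["remote-server=http://203.0.113.7", "check-interval=30", "dial-timeout=2d", "remote-server="]
```

`check_settings(SAMPLE)` reports the plain-HTTP server, the 30-minute interval and the `d` unit on dial-timeout, and accepts the empty `remote-server=` that clears the setting.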