canonical livepatch on prem bundle #9

Supports: focal

Description

Bundle for deploying livepatch server on-premises.

Livepatch server on-premises bundle

This juju bundle deploys a livepatch server for serving patches to machines running the livepatch client.

Model

The livepatch server on-premises model consists of 4 applications:

  - haproxy
  - livepatch
  - postgresql
  - ubuntu-advantage

PostgreSQL stores patch data and machine reports. HAProxy handles all incoming HTTP requests and forwards the traffic to the livepatch server running on the livepatch unit.

Deployment

To deploy the livepatch server in a juju model, use the Canonical livepatch server bundle:

$ juju deploy cs:~livepatch-charmers/canonical-livepatch-on-prem-bundle

The livepatch application will initially be in the blocked state. It needs to be configured before it starts serving patches.

The url_template setting defines the URL at which patches served by the livepatch server will be accessible. In the simplest case, this can be http://<ip-of-haproxy-unit>/patches/{filename}. If a DNS hostname is assigned to the haproxy unit, use that instead of the IP address.

$ juju config livepatch url_template='http://{haproxy}/patches/{filename}'

To authorize the on-premises deployment to pull patches from Canonical livepatch servers, a contract token is required. It can be obtained from https://ubuntu.com/advantage. To set the token, run:

$ juju config ubuntu-advantage token=<token>
(wait for the ubuntu-advantage applications to reach state 'Attached')
$ juju run-action livepatch get-resource-token --wait

Managing the server

To manage the livepatch server, use the livepatch server administration tool. It is provided as a snap.

$ sudo snap install canonical-livepatch-server-admin

For ease of use it's recommended to alias the snap command:

$ sudo snap alias canonical-livepatch-server-admin.livepatch-admin livepatch-admin

Server authentication

To enable server administrator access, authentication needs to be configured. The simplest way to do that is using password authentication.

To create a password hash, run:

$ htpasswd -bnBC 10 <username> <password>

then use the output of the command to configure livepatch:

$ juju config livepatch auth_basic_users='<OUTPUT>'

Multiple admin users can be configured as a comma-separated list.
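A pre-flight check for the auth_basic_users value before it is handed to juju config, added here as an example and not part of the bundle or its charms. It assumes each entry has the user:hash shape that htpasswd -nB prints, with a $2y$ bcrypt hash; check_auth_basic_users and MIN_COST are names made up for the example.

```shell
#!/bin/sh
# Added example: pre-flight check for a livepatch auth_basic_users value.
# check_auth_basic_users and MIN_COST are names made up for this sketch.
MIN_COST=10   # same cost as the "-C 10" in the htpasswd command

# check_auth_basic_users VALUE
# Prints one line per problem and returns 0 only when VALUE is a clean,
# comma-separated list of user:bcrypt-hash entries.
check_auth_basic_users() {
    value=$1 rc=0 seen=,
    case $value in
        ''|,*|*,) echo "empty value or stray comma"; return 1 ;;
    esac
    while [ -n "$value" ]; do
        entry=${value%%,*}                # text up to the first comma
        case $value in
            *,*) value=${value#*,} ;;     # drop the entry just taken
            *)   value= ;;
        esac
        user=${entry%%:*}
        # Assumed entry shape (what "htpasswd -nB" prints):
        #   user:$2y$NN$ followed by 53 bcrypt base64 characters
        if ! printf '%s\n' "$entry" | grep -Eq \
            '^[^:,[:space:]]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
            echo "$user: not a user:bcrypt-hash pair"; rc=1; continue
        fi
        cost=${entry#*:\$2?\$}; cost=${cost%%\$*}; cost=${cost#0}
        if [ "$cost" -lt "$MIN_COST" ]; then
            echo "$user: bcrypt cost $cost is below $MIN_COST"; rc=1
        fi
        case $seen in
            *,"$user",*) echo "$user: listed more than once"; rc=1 ;;
        esac
        seen=$seen$user,
    done
    return "$rc"
}

# Usage (htpasswd without -b prompts for the password, keeping it out of
# shell history and the process list):
#   value=$(htpasswd -nBC 10 admin) && check_auth_basic_users "$value"
```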

Connecting to the livepatch server

Once the administration tool snap is installed and authentication is configured, log in to the server using:

$ LIVEPATCH_URL='http://{haproxy ip}' livepatch-admin login -a username:password

Managing the livepatch server

The livepatch administration command provides tools to manage livepatch tiers, patches, synchronization and machines.

Configuring livepatch clients

To apply patches on a machine, follow these instructions:

  1. Generate an authorization token

    $ LIVEPATCH_URL='http://{haproxy ip}' livepatch-admin auth-token

The id can be any alphanumeric identifier. The tier is the livepatch tier the client will receive patches from.

  2. Install the livepatch client snap

    $ sudo snap install canonical-livepatch

  3. Configure livepatch client to access the on-premises server:

    $ sudo canonical-livepatch config remote-server ""

  4. Enable livepatch client using the authorization token:

    $ sudo canonical-livepatch enable

Upgrading the deployment

To upgrade applications in the deployment, run:

$ juju upgrade-charm livepatch
$ juju upgrade-charm ubuntu-advantage
$ juju upgrade-charm postgresql
$ juju upgrade-charm haproxy

After upgrading the livepatch application, its status may indicate that a schema upgrade is required. To perform a schema upgrade, run:

$ juju run-action livepatch/leader schema-upgrade

Bundle configuration