Livepatch Charmers Canonical Livepatch On Prem Bundle
- By Livepatch charm developers
Channel | Version | Revision | Published | Runs on |
---|---|---|---|---|
latest/stable | 9 | 9 | 03 May 2021 | |
latest/beta | 9 | 9 | 03 May 2021 | |
latest/edge | 9 | 9 | 06 Jul 2021 | |
juju deploy livepatch-charmers-canonical-livepatch-on-prem-bundle
You will need Juju 2.9 to be able to run this command.
Livepatch server on-premises bundle
This Juju bundle deploys a livepatch server that serves patches to machines running the livepatch client.
Model
The livepatch server on-premises model consists of 4 applications:
- haproxy
- livepatch
- postgresql
- ubuntu-advantage
Postgresql stores patch data and machine reports. Haproxy handles all incoming http requests and forwards the traffic to the livepatch server running on the livepatch unit.
Deployment
To deploy the livepatch server in a Juju model, use the Canonical livepatch server bundle.
$ juju deploy cs:~livepatch-charmers/canonical-livepatch-on-prem-bundle
The livepatch application will initially be in blocked state. It needs to be configured to start serving patches.
The url_template setting defines the url on which patches served by the livepatch server will be accessible. In the simplest case, this can be http://<ip-of-haproxy-unit>/patches/{filename}. If a DNS hostname is assigned to the haproxy unit, use that instead of the IP address.
$ juju config livepatch url_template='http://{haproxy}/patches/{filename}'
To authorize the on-premises deployment to pull patches from Canonical livepatch servers, a contract token is required. It can be obtained from https://ubuntu.com/advantage. To set the token, run:
$ juju config ubuntu-advantage token=<token>
(wait for the ubuntu-advantage applications to reach state 'Attached')
$ juju run-action livepatch get-resource-token --wait
Managing the server
To manage the livepatch server, use the livepatch server administration tool. It is provided as a snap.
$ sudo snap install canonical-livepatch-server-admin
For ease of use it's recommended to alias the snap command:
$ sudo snap alias canonical-livepatch-server-admin.livepatch-admin livepatch-admin
Server authentication
To enable server administrator access, authentication needs to be configured. The simplest way to do that is using password authentication.
To create a password hash, run:
$ htpasswd -bnBC 10 <username> <password>
then use the output of the command to configure livepatch:
$ juju config livepatch auth_basic_users='<OUTPUT>'
Multiple admin users can be configured as a comma-separated list.
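An added example, not part of the charm or its documentation: a pre-flight check for the `auth_basic_users` value that rejects any entry that is not a bcrypt hash of cost 10 or higher, such as the `$apr1$` hash `htpasswd` prints when `-B` is omitted. The function names, the no-whitespace rule and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the charm): pre-flight check for auth_basic_users.
# Assumptions: entries are "user:hash" as printed by `htpasswd -nBC 10`,
# joined with commas, with no whitespace anywhere in the value.

MIN_COST=10   # bcrypt cost used by the htpasswd command on this page

# check_entry ENTRY: succeed only for "user:<bcrypt hash>", cost >= MIN_COST.
check_entry() {
    case $1 in *[[:space:]]*) return 1 ;; esac
    # $2a$/$2b$/$2y$ prefix, two-digit cost, 53 chars of salt + digest.
    printf '%s\n' "$1" | grep -Eq \
        '^[^:,]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' || return 1
    hash=${1#*:}
    cost=$(printf '%s\n' "$hash" | cut -d'$' -f3)
    [ "${cost#0}" -ge "$MIN_COST" ]
}

# validate_auth_basic_users VALUE: succeed if every entry passes; otherwise
# report failing entries by position on stderr (never their content) and fail.
validate_auth_basic_users() {
    rest=$1
    rc=0
    n=0
    case $rest in
        ''|*,) echo "empty value or trailing comma" >&2; return 1 ;;
    esac
    while [ -n "$rest" ]; do
        entry=${rest%%,*}
        if [ "$entry" = "$rest" ]; then rest=; else rest=${rest#*,}; fi
        n=$((n + 1))
        if ! check_entry "$entry"; then
            echo "entry $n is not a bcrypt hash with cost >= $MIN_COST" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample values: the 53-character tail is filler, not a real hash.
TAIL='abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'
GOOD="alice:\$2y\$10\$$TAIL,bob:\$2y\$12\$$TAIL"
WEAK="alice:\$2y\$10\$$TAIL,carol:\$apr1\$constructed\$notbcrypt"

if validate_auth_basic_users "$GOOD"; then
    echo "GOOD: every entry is bcrypt with cost >= $MIN_COST"
fi
validate_auth_basic_users "$WEAK" || echo "WEAK: fix before running juju config"
```

The `-b` flag of `htpasswd` takes the password from the command line, where it ends up in shell history and the process list; `htpasswd -nBC 10 <username>` prompts for it instead and prints the same `user:hash` line.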
Connecting to the livepatch server
Once the administration tool snap is installed and authentication is configured, log in to the server using:
$ LIVEPATCH_URL='http://{haproxy ip}' livepatch-admin login -a username:password
Managing the livepatch server
The livepatch administration command provides tools to manage livepatch tiers, patches, synchronization and machines.
Configuring livepatch clients
To apply patches on a machine, follow these instructions:
Generate an authorization token
$ LIVEPATCH_URL='http://{haproxy ip}' livepatch-admin auth-token
The id can be any alphanumeric identifier. The tier is the livepatch tier the client will receive patches from.
Install the livepatch client snap
$ sudo snap install canonical-livepatch
Configure livepatch client to access the on-premises server:
$ sudo canonical-livepatch config remote-server ""
Enable livepatch client using the authorization token:
$ sudo canonical-livepatch enable
Upgrading the deployment
To upgrade applications in the deployment, run:
$ juju upgrade-charm livepatch
$ juju upgrade-charm ubuntu-advantage
$ juju upgrade-charm postgresql
$ juju upgrade-charm haproxy
After upgrading the livepatch application, its status may indicate that a schema upgrade is required. To perform a schema upgrade, run:
$ juju run-action livepatch/leader schema-upgrade