canonical-livepatch-cve-service

Canonical Livepatch CVE Service Snap

Description:

The Canonical Livepatch CVE service runs a simple HTTP server that periodically fetches and provides information about CVEs fixed in Ubuntu kernels.

Usage:

Once installed, the CVE service snap will automatically initialize and begin listening on localhost:8090.

The snap has several configuration options available. All configuration options are set via:

sudo snap set canonical-livepatch-cve-service <config>=<value>

To use the default values after a custom value is used, set the config value to an empty string "". For example:

sudo snap set canonical-livepatch-cve-service port=""

The service will automatically restart on a configuration change, ensuring that the service runs with the latest configuration.

Configuration Options:

The following list shows all configuration options and example values:

• source

  • Description: URL or file path to fixed CVE information.
  • Example: "https://osv-vulnerabilities.storage.googleapis.com/Ubuntu/all.zip"
  • Notes When setting this option, you must also set the source-type config option. The default for this value is "https://osv-vulnerabilities.storage.googleapis.com/Ubuntu/all.zip".

• source-type

  • Description: The format of the data source.
  • Example: "osv-bucket-zip"
  • Note: When setting this option, you must also set the source config option. The default for this value is "osv-bucket-zip".

• fetch-freq

  • Description: When to fetch fixed CVE data. If set to "", the service fetches based on the interval. If set to once, it fetches a single time at startup. If never, it does not fetch data from the source.
  • Example: "", once, never
  • Note: When setting the option to once or never, the interval option is ignored. When setting the option to never, the source, source-type, and interval options are ignored. The default for this value is "".

• interval

  • Description: The interval between CVE data fetches, in the format of xxhxxmxxs.
  • Example: "1h0m0s"
  • Note: The default for this value is "1h0m0s".

• port

  • Description: The port to bind to and listen to requests on.
  • Example: "8090"
  • Note: The default for this value is "8090".

• write-timeout

  • Description: The write timeout for sending CVE data.
  • Example: "5m"
  • Note: The default for this value is "5m".

• read-timeout

  • Description: The read timeout for reading responses from Livepatch server.
  • Example: "30s"
  • Note: The default for this value is "30s".

Pointing Livepatch Server To The CVE Service

Livepatch server, when connected to the CVE service, will serve fixed CVE information, and periodically refresh its CVE cache by fetching from the CVE service. By default, Livepatch server has these features disabled so you can supply configuration values based on a certain deployment.

To point Livepatch Server to the CVE service, first enable the cve-lookup feature with:

sudo snap set canonical-livepatch-server lp.cve-lookup.enabled="true"

Then, enable the cve-sync feature, and set the source-url to the url pointing to the CVE service:

sudo snap set canonical-livepatch-server lp.cve-sync.enabled="true"

sudo snap set canonical-livepatch-server lp.cve-sync.source-url="http://<host>:port"

You can also set the refresh interval, and proxy information if required:

sudo snap set canonical-livepatch-server lp.cve-sync.interval="1h"

sudo snap set canonical-livepatch-server lp.cve-sync.proxy.enabled="true"

sudo snap set canonical-livepatch-server lp.cve-sync.proxy.http="<url>"

sudo snap set canonical-livepatch-server lp.cve-sync.proxy.https="<url>"

sudo snap set canonical-livepatch-server lp.cve-sync.proxy.no-proxy="<url>"

By default, the refresh interval is 1 hour, and the proxy is disabled.