Blocking the installation of all packages from Ubuntu Universe repository with Landscape

Summary: Blocking the installation of all packages from Universe repository with Landscape.
Categories: desktop, server, landscape, security
Difficulty: 2
Author: Marcelo Marcal <marcelo.marcal@canonical.com>

Overview

Duration: 3:00

The Ubuntu Universe repository contains a vast collection of community-maintained software packages. Still, sometimes system administrators may want to restrict access to this repository for various reasons, such as maintaining tighter control over Ubuntu systems and ensuring that only approved software packages are installed.

Canonical Landscape is a powerful tool that allows system administrators to manage and monitor Ubuntu servers and desktops at scale.

Follow along with this guide to learn how to use Canonical Landscape to block the installation of the Ubuntu Universe repository packages.

What you’ll learn

  • How to register a new Ubuntu machine with Landscape.
  • How to authorize the new computer to be managed by Landscape.
  • How to use apt preferences to prevent the installation of Ubuntu Universe packages.
  • How to create an apt preferences file using Landscape.
  • How to run a script on the target machine.

What you’ll need

  • A Canonical Landscape instance: You can follow the Landscape quickstart deployment guide to install Landscape on-prem. Alternatively, you can use the SaaS version by signing up for an account at the Canonical Landscape website.
  • An Ubuntu server or desktop: You will need an already installed Ubuntu server or desktop. You can download the latest versions of Ubuntu from the official Ubuntu website.

In this guide, we’ll be using the Landscape SaaS version.

Registering a new Landscape client

Duration: 3:00

Registering a new client is a simple task. You have to install the landscape-client package and then run the landscape-config utility.

First, update the repositories:

sudo apt-get update

Install the Landscape client:

sudo apt-get install landscape-client

Register the computer with Landscape SaaS:

sudo landscape-config --computer-title "My Web Server" --account-name <YOUR ACCOUNT NAME>

If you are registering the computer with an on-prem Landscape, you can find the instructions by clicking the “following these instructions” link on the Landscape initial page.

The landscape-config utility will ask you for some configuration options. You can keep the default options for all of them except:

Landscape has a feature which enables administrators to run
arbitrary scripts on machines under their control. By default this
feature is disabled in the client, disallowing any arbitrary script
execution. If enabled, the set of users that scripts may run as is
also configurable.

Enable script execution? [y/N]: y

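This option enables script execution on the computer you are registering, which this guide requires because the apt preferences file is created by a script sent from Landscape.

You’ll also need to answer ALL to the Script users option. The script in this guide runs as root, which is not in the default list of 'landscape' and 'nobody'; ALL allows Landscape to run scripts as any user on this machine, root included: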

By default, scripts are restricted to the 'landscape' and
'nobody' users. Please enter a comma-delimited list of users
that scripts will be restricted to. To allow scripts to be run
by any user, enter "ALL".

Script users: ALL

At the end of the client configuration, you’ll see the following message:

System successfully registered.

Now, it’s time to accept the registered computer to be managed by Landscape.

Authorizing the new computer to be managed by Landscape

Duration: 1:00

In the Landscape WebUI, you’ll see that one computer needs authorization.

Click on the computer name (My Web Server) and then on the Accept button.

Now the new computer is ready to be managed by Landscape.

Blocking Ubuntu Universe packages with apt preferences

Duration: 3:00

You can use the APT preferences fragment files in the /etc/apt/preferences.d/ folder to control which versions of packages will be selected for installation.

According to the apt_preferences manpage, setting the Priority to < 1 prevents the package from being installed. In our case, the goal is to block all packages (*) from the Universe repository. You can achieve this by creating a new file named /etc/apt/preferences.d/disable-universe.pref with the following contents:

Explanation: Disable packages from universe
Package: *
Pin: release c=universe
Pin-Priority: -1

You can get more information about apt preferences by checking its manpage:

man apt_preferences

Let’s first check the installation policy of an Ubuntu Universe package (7zip, for instance). Use the following command on the new Ubuntu machine you added to Landscape:

apt policy 7zip

You’ll get an output like this:

7zip:
  Installed: (none)
  Candidate: 21.07+dfsg-4
  Version table:
     21.07+dfsg-4 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

If you were to install the 7zip package, version 21.07+dfsg-4 would be installed.

It’s time to use Landscape to create the .pref file on the machine.

Creating an apt preferences file using Landscape

Duration: 3:00

Since you have allowed script execution on the new Ubuntu machine, you can use Landscape to create the .pref file by creating a script and then running it on the target machine.

On the Landscape WebUI, click on the Scripts tab and then on Add Script.

On the next screen, fill in the fields as follows:

Title: Disable packages from universe

Code:

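#!/bin/bash
# Write the APT pin that blocks every package from the universe component.
# The quoted heredoc delimiter keeps the file contents literal.
cat <<'EOF' > /etc/apt/preferences.d/disable-universe.pref
Explanation: Disable packages from universe
Package: *
Pin: release c=universe
Pin-Priority: -1
EOF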

Run as user: root

And then click on the Save button.

Running the script on the target machine

Duration: 2:00

It’s time to run the script you created on the target machine.

On the Computers tab, select the target machine and then click on the Scripts tab.

Select the Disable packages from universe script, click on the Next button, and then click on the Run button.

After a moment, you’ll see an “activity finished successfully” status.

Checking if it is possible to install a package from Ubuntu Universe

Duration: 1:00

It’s time to check if the script made the proper apt preferences configuration.

Log in on the target machine and type the following command:

apt policy 7zip

You’ll get an output like this:

7zip:
  Installed: (none)
  Candidate: (none)
  Version table:
     21.07+dfsg-4 -1
         -1 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

Notice that the Candidate record is set to (none).

Now, try to install the 7zip package:

sudo apt install 7zip

You’ll get an error saying that the package has no installation candidate:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package 7zip is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package '7zip' has no installation candidate
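
The 7zip check covers one package from one source. As an added example (not part of the original guide), the following script reads the output of apt-cache policy run without a package name and flags any universe source whose priority is not negative; the function names and the sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the guide): confirm the pin covers every universe
# source, including pockets such as jammy-security/universe.

# Constructed sample of `apt-cache policy` output (no package argument) as it
# would look before disable-universe.pref exists.
SAMPLE_BEFORE=' 500 http://archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=universe,b=amd64
     origin archive.ubuntu.com
 500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy,n=jammy,l=Ubuntu,c=universe,b=amd64
     origin archive.ubuntu.com
 500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy,n=jammy,l=Ubuntu,c=main,b=amd64
     origin archive.ubuntu.com'

# Constructed "after" sample: the same sources with universe pinned to -1.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" |
  sed 's|^ 500 \(.*/universe \)|  -1 \1|')

# Reads `apt-cache policy` output on stdin. Prints "<priority> <uri> <suite>"
# for each universe source whose priority is not negative and returns 1 if
# any exist, 0 if every universe source is blocked.
unblocked_universe_sources() {
  awk '
    /^ *-?[0-9]+ / { prio = $1; src = $2 " " $3; next }   # source line
    /^ +release / && /[ ,]c=universe(,|$)/ {              # matching release line
      if (prio + 0 >= 0) { print prio, src; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Labels the result; $1 is a label, stdin is the policy output.
check() {
  if unblocked_universe_sources; then
    echo "$1: every universe source is blocked"
  else
    echo "$1: the sources listed above still offer universe packages"
  fi
}

# Demo on the constructed samples. On a managed host, use the live output:
#   apt-cache policy | unblocked_universe_sources
printf '%s\n' "$SAMPLE_BEFORE" | check before
printf '%s\n' "$SAMPLE_AFTER" | check after
```

The non-zero return code makes the function usable as the body of a Landscape script whose activity status should fail when a machine can still install from universe.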

That’s all, folks!

Duration: 1:00

Congratulations on completing this guide! You should feel proud of yourself for taking the time to learn how to keep your Ubuntu systems more secure.

By completing this guide, you have gained some valuable knowledge:

  • Registering a new Ubuntu machine with Landscape
  • Authorizing the new computer to be managed by Landscape
  • Using apt preferences to prevent the installation of Ubuntu Universe packages
  • Creating an apt preferences file using Landscape
  • Running a script on the target machine

Further reading

  • The Landscape Documentation site has everything you need for managing and monitoring Ubuntu systems at scale.
  • You can get more information about how to control package installation on the Ubuntu manuals apt_preferences page or the apt_preferences manpage (man apt_preferences).