Key | Value |
---|---|
Summary | Blocking the installation of all packages from Universe repository with Landscape. |
Categories | desktop, server, landscape, security |
Difficulty | 2 |
Author | Marcelo Marcal marcelo.marcal@canonical.com |
Overview
Duration 3:00
The Ubuntu Universe repository contains a vast collection of community-maintained software packages. Still, sometimes system administrators may want to restrict access to this repository for various reasons, such as maintaining tighter control over Ubuntu systems and ensuring that only approved software packages are installed.
Canonical Landscape is a powerful tool that allows system administrators to manage and monitor Ubuntu servers and desktops at scale.
Follow along with this guide to learn how to use Canonical Landscape to block the installation of the Ubuntu Universe repository packages.
What you’ll learn
- How to register a new Ubuntu machine with Landscape.
- How to authorize the new computer to be managed by Landscape.
- How to use apt preferences to prevent Ubuntu Universe packages installation.
- How to create apt preferences file using Landscape.
- How to run a script on the target machine.
What you’ll need
- A Canonical Landscape instance: You can follow the Landscape quickstart deployment guide to install Landscape on-prem. Alternatively, you can use the SaaS version by signing up for an account at Canonical Landscape website
- An Ubuntu server or desktop: You will need an already installed Ubuntu server or desktop. You can download the latest versions of Ubuntu from the official Ubuntu website
In this guide, we’ll be using the Landscape SaaS version.
Registering a new Landscape client
Duration 3:00
Registering a new client is a simple task. You have to install the landscape-client package and then run the landscape-config utility:
First, update the repositories:
sudo apt-get update
Install the landscape client
sudo apt-get install landscape-client
Register the computer with Landscape SaaS
sudo landscape-config --computer-title "My Web Server" --account-name <YOUR ACCOUNT NAME>
If you are registering the computer with an on-prem Landscape, you can find the instructions by clicking the following these instructions
link on the Landscape initial page.
The landscape-config utility will ask you for some configuration options. You can keep the default options for all of them except:
Landscape has a feature which enables administrators to run
arbitrary scripts on machines under their control. By default this
feature is disabled in the client, disallowing any arbitrary script
execution. If enabled, the set of users that scripts may run as is
also configurable.
Enable script execution? [y/N]: y
This option will enable script execution on the computer you are registering. This is required for this guide.
You’ll also need to answer ALL
to the Script users
option:
By default, scripts are restricted to the 'landscape' and
'nobody' users. Please enter a comma-delimited list of users
that scripts will be restricted to. To allow scripts to be run
by any user, enter "ALL".
Script users: ALL
At the end of the client configuration, you’ll see the following message:
System successfully registered.
Now, it’s time to accept the registered computer to be managed by Landscape.
Authorizing the new computer to be managed by Landscape
Duration: 1:00
Accessing the Landscape WebUI, you’ll see that there is one computer that needs an authorization:
You need to click on the computer name (My Web Server) and then on the Accept
button:
Now the new computer is ready to be managed by Landscape.
Blocking Ubuntu Universe packages with apt preferences
Duration: 3:00
You can use the APT preferences fragment files in the /etc/apt/preferences.d/
folder to control which versions of packages will be selected for installation.
According to apt_preferences manpage, if the Priority is set to < 1
, it will prevent the package installation. In our case, the goal is blocking all packages (*
) from the Universe repository. So, you can achieve this by creating a new file named /etc/apt/preferences.d/disable-universe.pref
with the contents:
Explanation: Disable packages from universe
Package: *
Pin: release c=universe
Pin-Priority: -1
You can get more information about apt preferences by checking its manpage:
man apt_preferences
Let’s first check the installation policy of an Ubuntu Universe package (7zip, for instance). Use the following command on the new Ubuntu machine you added to Landscape:
apt policy 7zip
You’ll get an output like this:
7zip:
Installed: (none)
Candidate: 21.07+dfsg-4
Version table:
21.07+dfsg-4 500
500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
If you were to install the 7zip package, version 21.07+dfsg-4
would be installed.
It’s time to use Landscape to create the .pref
file on the machine.
Creating an apt preferences file using Landscape
Duration: 3:00
Once you have allowed scripts execution on the new Ubuntu machine, you can use Landscape to create the .pref
file by creating a script and then running it on the target machine.
On the Landscape WebUI, click on the Scripts
tab:
And then Add Script
:
On the next screen, fill the fields as following:
Title: Disable packages from universe
Code:
#!/bin/bash
bash -c 'cat <<EOF > /etc/apt/preferences.d/disable-universe.pref
Explanation: Disable packages from universe
Package: *
Pin: release c=universe
Pin-Priority: -1
EOF'
Run as user: root
And then click on the Save
button.
Running the script on the target machine
Duration: 2:00
It’s time to run the script you created on the target machine.
On the Computers
tab, select the target machine and then click on the Scripts
tab:
Select the Disable packages from universe
script and click on the Next
button and then click on the Run
button.
After a moment, you’ll see an “activity finished successfully” status:
Checking if it is possible to install a package from Ubuntu Universe
Duration: 1:00
It’s time to check if the script made the proper apt preferences configuration.
Log in on the target machine and type the following command:
apt policy 7zip
You’ll get an output like this:
7zip:
Installed: (none)
Candidate: (none)
Version table:
21.07+dfsg-4 -1
-1 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
Notice that the Candidate
record is set to (none)
.
Now, try to install the 7zip package:
sudo apt install 7zip
You’ll get an error saying that the package has no installation candidate:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package 7zip is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package '7zip' has no installation candidate
That’s all, folks!
Duration: 1:00
Congratulations on completing this guide! You should feel proud of yourself for taking the time to learn how to keep your Ubuntu systems more secure.
By completing this guide, you have gained some valuable knowledge:
- Registering a new Ubuntu machine with Landscape
- Authorizing the new computer to be managed by Landscape
- Using apt preferences to prevent Ubuntu Universe packages installation
- Creating an apt preferences file using Landscape
- Running a script on the target machine
Further reading
- The Landscape Documentation site has everything you need for managing and monitoring Ubuntu systems at scale.
- You can get more information about how to control packages installation on the Ubuntu manuals apt_preferences page or the apt_preferences manpage (
man apt_preferences
).