Key | Value |
---|---|
Summary | Enable or disable live kernel patching on Ubuntu machines through the Landscape dashboard |
Categories | landscape, livepatch, ubuntu, server, desktop |
Difficulty | 1 |
Author | Rajan Patel rajan.patel@canonical.com |
Overview
Duration: 3:00
In this tutorial, you will learn how to use Landscape’s dashboard to change which machines have the Ubuntu Pro Livepatch entitlement enabled.
The Pro Client provides you with a simple mechanism to view, enable, and disable offerings from Canonical on your system. Pro Client produces machine-readable output and integrates with other Canonical or third-party tooling. Beyond Livepatch, Pro Client can enable Ubuntu Pro services like Expanded Security Maintenance (ESM), Ubuntu Security Guide (USG), FIPS, and more.
Landscape is Canonical’s systems management and monitoring solution. We will compose interactions with Pro Client into a Landscape-aware shell script, and track which systems are configured to live patch the Linux kernel.
Landscape enables you to divide your Ubuntu estate into cross sections by tags, groups, annotations, and search queries, which can also filter hardware and software metadata. These cross sections, regardless of size, can be monitored and managed as easily as one machine.
Prerequisites
Duration: 10:00
To complete this tutorial, you will need a machine running Ubuntu Pro. If you are not running Ubuntu Pro, any other supported Ubuntu LTS will work, provided it has the following:
- An Ubuntu One account
- A free or paid Ubuntu Pro subscription
- An enabled Landscape entitlement
- Remote script execution enabled on Landscape Client
Sign up for Ubuntu Pro
Anyone can use Ubuntu Pro for free on up to 5 machines.
Customers with larger needs can mix and match Ubuntu Pro subscriptions with and without support for server and desktop, within one account. All Ubuntu Pro subscriptions include Livepatch and Landscape.
Visit ubuntu.com/pro/subscribe to create or sign in to your Ubuntu One account, and obtain an Ubuntu Pro token.
Attach your Ubuntu Pro subscription with Pro Client
Your Ubuntu Pro token is used to connect the Pro Client (installed on your machines) to your Ubuntu Pro subscription.
Let’s first check whether we have already attached our Pro token to Pro Client by running:
pro status
SERVICE AVAILABLE DESCRIPTION
anbox-cloud yes Scalable Android in the cloud
esm-apps yes Expanded Security Maintenance for Applications
esm-infra yes Expanded Security Maintenance for Infrastructure
landscape yes Management and administration tool for Ubuntu
livepatch yes Canonical Livepatch service
realtime-kernel yes Ubuntu kernel with PREEMPT_RT patches integrated
usg yes Security compliance and audit tools
For a list of all Ubuntu Pro services, run 'pro status --all'
This machine is not attached to an Ubuntu Pro subscription.
See https://ubuntu.com/pro
We can see that this is not yet attached to an Ubuntu Pro subscription. Let’s fix that now.
Your Ubuntu Pro token can be found on your Ubuntu Pro dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.
The Ubuntu One account functions as a Single Sign On, so once logged in we can type the address for the Ubuntu Pro dashboard into the browser’s address bar: ubuntu.com/pro/dashboard. Then click on a subscription in the left-hand column, and look for the “Token” field in the right-hand column. Now, attach the Pro token to the Pro Client. Look for the copy-and-paste-ready command to attach a machine; it will look similar to this:
sudo pro attach <your_pro_token>
Configure Landscape
The Landscape quickstart deployment guide offers the shortest path to a functional self-hosted Landscape Server instance. Alternatively, create a free Landscape SaaS account. Landscape SaaS eliminates the server installation step, and relieves you of any maintenance activities to keep Landscape up to date.
An administrator can remotely execute scripts on any client machine if the appropriate plugin is enabled. This plugin is disabled by default. Any calls to the ExecuteScript API endpoint will result in failed activities if the client has the default configuration. For more information on API endpoints for stored scripts, visit API Methods: Scripts.
To use remote script execution on client machines, you must first enable it with the landscape-config command or by manually editing /etc/landscape/client.conf.
To enable this plugin with landscape-config, run:
sudo landscape-config --include-manager-plugins=ScriptExecution --script-users=root,landscape,nobody
Or, to enable this plugin by manually editing /etc/landscape/client.conf, add the following lines to the [client] section of that file:
include_manager_plugins = ScriptExecution
script_users = root,landscape,nobody
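With root in script_users, anyone who can run scripts in Landscape can run commands as root on the client. To check what a given client.conf allows, this added example (not part of Landscape or the original tutorial) reads the [client] section and reports whether ScriptExecution is enabled and whether root is permitted. The function names are this example's own, and treating the value ALL as including root is an assumption.

```shell
#!/bin/bash
# Added example (not part of Landscape): audit client.conf for script execution.

# Print the value of key $2 in the [client] section of file $1 (empty if unset).
client_conf_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_client = ($0 ~ /^[ \t]*\[client\]/); next }
        !in_client || /^[ \t]*[#;]/ || !index($0, "=") { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Return 0 if the comma-separated list $1 contains item $2 (spaces ignored).
list_has() {
    case ",$(printf '%s' "$1" | tr -d '[:space:]')," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding for config file $1.
# Exit status: 0 = script execution off, 1 = on without root, 2 = on with root.
audit_script_execution() {
    local conf="$1" plugins users
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf" >&2; return 3; }
    plugins=$(client_conf_get "$conf" include_manager_plugins)
    users=$(client_conf_get "$conf" script_users)
    if ! list_has "$plugins" ScriptExecution; then
        echo "OK: ScriptExecution is not enabled"
        return 0
    fi
    # Treating ALL as "any user, root included" is an assumption of this example.
    if list_has "$users" root || list_has "$users" ALL; then
        echo "WARN: remote scripts can run as root (script_users=$users)"
        return 2
    fi
    echo "INFO: ScriptExecution enabled for script_users=${users:-<unset>}"
    return 1
}

# With a path argument, audit that file, e.g. /etc/landscape/client.conf.
[ -z "${1:-}" ] || audit_script_execution "$1"
```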
After you’ve enabled script execution using one of these options, the system users listed in script_users can run scripts once you restart Landscape Client with:
Enable Livepatch via Landscape
Duration: 10:00
When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organized. Once there, click Add Script.
Add the “Livepatch - Enable” script
Title: Livepatch - Enable
Code:
#!/bin/bash
pro enable livepatch
Run as user: root
Time limit (seconds): 300
Access group: Global access
Run the “Livepatch - Enable” script
- Within the Landscape dashboard, click Computers in the primary navigation.
- Select all the computers whose Livepatch configuration needs to be identified.
- Click Scripts in the secondary navigation menu
- Click the Livepatch - Enable radio button, then click Next
- Confirm the script reads correctly, choose when you want the script to be delivered, and click Run
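A more defensive body for the “Livepatch - Enable” script, as an added example that is not part of the original tutorial: it stops on an unattached machine, does nothing where Livepatch is already enabled, and re-checks the state after enabling so a silent failure shows up as a non-zero exit. It assumes that on an attached machine `pro status` prints a livepatch row whose third column is the status; the function names are this example's own.

```shell
#!/bin/bash
# Added example (not Canonical's script): enable Livepatch and verify the result.

# Read `pro status` text on stdin and print the third column of the livepatch
# row. Assumption: on an attached machine that column holds the service status.
livepatch_state() {
    awk '$1 == "livepatch" { print $3; found = 1 }
         END { if (!found) print "unknown" }'
}

# Exit status: 0 = enabled, 2 = pro status failed, 3 = machine not attached,
# 4 = enable command failed, 5 = still not enabled after the enable command.
ensure_livepatch() {
    local out state
    out=$(pro status) || { echo "pro status failed" >&2; return 2; }
    # This message is what an unattached machine prints, as shown earlier.
    if printf '%s\n' "$out" | grep -q 'not attached to an Ubuntu Pro subscription'; then
        echo "machine is not attached; run 'pro attach' first" >&2
        return 3
    fi
    state=$(printf '%s\n' "$out" | livepatch_state)
    if [ "$state" = "enabled" ]; then
        echo "livepatch already enabled; nothing to do"
        return 0
    fi
    pro enable livepatch || { echo "pro enable livepatch failed" >&2; return 4; }
    state=$(pro status | livepatch_state)
    if [ "$state" != "enabled" ]; then
        echo "livepatch state after enable: $state" >&2
        return 5
    fi
    echo "livepatch enabled"
}
```

When pasting this into the Code field, end the script with a call to `ensure_livepatch` so that its exit status is the script's result.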
Disable Livepatch via Landscape
Duration: 10:00
When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organized. Once there, click Add Script.
Add the “Livepatch - Disable” script
Title: Livepatch - Disable
Code:
#!/bin/bash
pro disable livepatch
Run as user: root
Time limit (seconds): 300
Access group: Global access
Run the “Livepatch - Disable” script
- Within the Landscape dashboard, click Computers in the primary navigation.
- Select all the computers whose Livepatch configuration needs to be identified.
- Click Scripts in the secondary navigation menu
- Click the Livepatch - Disable radio button (this is the name of the script from Step 4), then click Next
- Confirm the script reads correctly, choose when you want the script to be delivered, and click Run
Summary & Next Steps
Congratulations! Your Landscape dashboard is reporting Livepatch information. Log in to Landscape, and click “New Web Portal” in the primary navigation at the top of the page. Click “Instances” in the right hand side navigation, and click on the title of an Ubuntu instance. There is a “Kernel” tab, which exposes information about your installed Linux kernel, alongside Livepatch and other security coverage information.
Tell us your thoughts!
Thank you for following this tutorial, we’d love to hear how you got on.
Give us feedback in the Ubuntu Discourse if you have any issues.