Key | Value |
---|---|
Summary | Enable or disable live kernel patching on Ubuntu machines through the Landscape dashboard |
Categories | landscape, livepatch, ubuntu, server, desktop |
Difficulty | 1 |
Author | Rajan Patel rajan.patel@canonical.com |
Overview
Duration: 3:00
In this tutorial, you will learn how to use Landscape’s dashboard to change which machines have the Ubuntu Advantage Livepatch entitlement enabled.
The Ubuntu Advantage client (UA Client) provides you with a simple mechanism to view, enable, and disable offerings from Canonical on your system. UA client produces machine readable outputs and integrates with other Canonical, or third-party tooling. Beyond Livepatch, UA Client can enable Ubuntu Advantage services like Extended Security Maintenance (ESM), Ubuntu Security Guide (USG), FIPS, and more.
Landscape is Canonical’s systems management and monitoring solution. We will compose interactions with UA Client into a Landscape-aware shell script, and track which systems are configured to live patch the Linux kernel.
Landscape enables you to divide your Ubuntu estate into cross sections by tags, groups, annotations, and search queries, which can also filter hardware and software metadata. These cross sections, regardless of size, can be monitored and managed as easily as one machine.
Prerequisites
Duration: 10:00
To complete this tutorial, you will need a machine running Ubuntu Pro. If you are not running Ubuntu Pro, any other supported Ubuntu LTS will work, provided it has the following:
- An Ubuntu One account
- An Ubuntu Advantage for Infrastructure subscription
- UA Client attached to your Ubuntu Advantage for Infrastructure subscription
- Landscape Client installed and registered with either Landscape on-prem or Landscape SaaS
- Landscape Client that is allowed to remotely execute scripts
Obtain an Ubuntu Advantage for Infrastructure subscription
Anyone can use Ubuntu Advantage for Infrastructure for free on up to 3 machines.
Customers with larger needs can mix and match Ubuntu Advantage Essential, Standard, and Advanced subscription types within one Ubuntu Advantage account. All Ubuntu Advantage subscriptions come with Livepatch and Landscape on-premises.
Visit ubuntu.com/advantage to create or sign in to your Ubuntu One account, and obtain an Ubuntu Advantage for Infrastructure subscription that matches your needs.
Attach UA client to your Ubuntu Advantage account
Your UA token is used to connect the UA client you have installed on your machines to your Ubuntu Advantage for Infrastructure subscription.
Let’s first check whether we have already attached our UA token to the UA client by running:
ua status
SERVICE AVAILABLE DESCRIPTION
cc-eal no Common Criteria EAL2 Provisioning Packages
esm-infra yes UA Infra: Extended Security Maintenance (ESM)
fips yes NIST-certified core packages
fips-updates yes NIST-certified core packages with priority security updates
livepatch yes Canonical Livepatch service
usg yes Security compliance and audit tools
This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage
We can see that this is not yet attached to a UA subscription. Let’s fix that now.
Your UA token can be found on your Ubuntu Advantage dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.
The Ubuntu One account functions as a Single Sign On, so once logged in we can type the address for the Ubuntu Advantage dashboard into the browser’s address bar: ubuntu.com/advantage. Then click on a subscription in the left hand column, and the Documentation tab on the right hand side column. Now we’re ready to attach our UA token to the UA client. Look for the copy and paste ready command to attach a machine, it will look similar to this:
sudo ua attach <your_ua_token>
Configure Landscape
The Landscape quickstart deployment guide offers the shortest path to a functional Landscape Server instance, and enrolling a machine to be managed by Landscape with Landscape Client. Signing up for Landscape SaaS eliminates the server installation step, and relieves you of any maintenance activities to keep Landscape up to date.
The Landscape Client steps from the quickstart deployment guide are accurate for both Landscape SaaS and Landscape on-premises users. During installation, Landscape Client will request permission for executing scripts remotely for all users.
Landscape has a feature which enables administrators to run
arbitrary scripts on machines under their control. By default this
feature is disabled in the client, disallowing any arbitrary script
execution. If enabled, the set of users that scripts may run as is
also configurable.
Enable script execution? [y/N]:
Answering yes to this “Enable script execution” question is required for this tutorial to work successfully.
By default, scripts are restricted to the 'landscape' and
'nobody' users. Please enter a comma-delimited list of users
that scripts will be restricted to. To allow scripts to be run
by any user, enter "ALL".
Script users: ALL
Answering ALL
to the Script users
prompt is necessary to complete this tutorial. To be maximally useful, Landscape Client should be able to execute scripts with elevated privileges (such as root
) on an as-needed basis.
Enable Livepatch via Landscape
Duration: 10:00
When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organized. Once there, click Add Script.
Add the “Livepatch - Enable” script
Title: Livepatch - Enable
Code:
#!/bin/bash
livepatchenable() {
local LIVEPATCHENTITLEMENT
local LIVEPATCHENABLED
local UASTATUS
local UANOTATTACHED
UASTATUS=$(ua status)
UANOTATTACHED=$(echo "$UASTATUS" | grep -c 'This machine is not attached to a UA subscription.')
if [[ $UANOTATTACHED -eq 0 ]]; then
LIVEPATCHENTITLEMENT=$(echo "$UASTATUS" | grep -m 1 'livepatch' | awk '{ print $2 }' | grep -c 'yes')
if [[ $LIVEPATCHENTITLEMENT -eq 1 ]]; then
ua enable livepatch --assume-yes
UASTATUS=$(ua status)
echo "'ua status' reports livepatch is $(servicestatus 'livepatch')"
fi
fi
servicestatus 'livepatch' > /var/lib/landscape/client/annotations.d/livepatch
chown landscape: /var/lib/landscape/client/annotations.d/livepatch
LIVEPATCHENABLED=$(servicestatus 'livepatch' | grep -c 'enabled')
if [[ $LIVEPATCHENABLED -eq 0 ]]; then
exit 1
fi
}
servicestatus() {
echo "$UASTATUS" | grep -m 1 "$1" | awk '{ print $3 }' | sed 's/\xE2\x80\x94/unavailable/'
}
livepatchenable
Run as user: root
Time limit (seconds): 300
Access group: Global access
Run the “Livepatch - Enable” script
- Within the Landscape dashboard, click Computers in the primary navigation.
- Select all the computers whose Livepatch configuration needs to be identified.
- Click Scripts in the secondary navigation menu
- Click the Livepatch - Enable radio button, then click Next
- Confirm the script reads correctly, choose when you want the script to be delivered, and click Run
Disable Livepatch via Landscape
Duration: 10:00
When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organized. Once there, click Add Script.
Add the “Livepatch - Disable” script
Title: Livepatch - Disable
Code:
#!/bin/bash
livepatchdisable() {
local LIVEPATCHENABLED
local UASTATUS
local UANOTATTACHED
UASTATUS=$(ua status)
UANOTATTACHED=$(echo "$UASTATUS" | grep -c 'This machine is not attached to a UA subscription.')
if [[ $UANOTATTACHED -eq 0 ]]; then
ua disable livepatch --assume-yes
UASTATUS=$(ua status)
echo "'ua status' reports livepatch is $(servicestatus 'livepatch')"
fi
servicestatus 'livepatch' > /var/lib/landscape/client/annotations.d/livepatch
chown landscape: /var/lib/landscape/client/annotations.d/livepatch
LIVEPATCHENABLED=$(servicestatus 'livepatch' | grep -c 'enabled')
if [[ $LIVEPATCHENABLED -eq 1 ]]; then
exit 1
fi
}
servicestatus() {
echo "$UASTATUS" | grep -m 1 "$1" | awk '{ print $3 }' | sed 's/\xE2\x80\x94/unavailable/'
}
livepatchdisable
Run as user: root
Time limit (seconds): 300
Access group: Global access
Run the “Livepatch - Disable” script
- Within the Landscape dashboard, click Computers in the primary navigation.
- Select all the computers whose Livepatch configuration needs to be identified.
- Click Scripts in the secondary navigation menu
- Click the Livepatch - Disable radio button, this is the name of the script from Step 4. Then click Next
- Confirm the script reads correctly, choose when you want the script to be delivered, and click Run
Summary & Next Steps
Congratulations! Your Landscape dashboard is reporting Livepatch information in a searchable manner. In the search bar, try the following queries:
NOT annotation:livepatch OR annotation:livepatch:disabled
annotation:livepatch:enabled
All Ubuntu machines which are configured to live patch the Linux kernel will appear for search term annotation:livepatch:enabled
. The NOT
queries will reveal the inverse, and be useful in identifying machines either missing an Ubuntu Advantage subscription, or machines without Livepatch entitlements enabled.
Next, you can complete the tutorial which explains how to monitor Livepatch configurations at scale with Landscape.
You can see annotations for each computer under the Info tab, right above the comments section.
Tell us your thoughts!
Thank you for following this tutorial, we’d love to hear how you got on.
Give us feedback in the Ubuntu Discourse if you have any issues.
To help us improve our tutorials, we’d love to hear more about you:
How will you use this tutorial?
- Only read through it
- Read it and complete the exercises
0 voters
What is your current level of experience?
- Novice
- Intermediate
- Proficient
0 voters
Why were you interested in this tutorial?
- For my personal use, or hobby projects
- Only for my personal developer environment
- To evaluate Landscape for broader use within my organization
0 voters