Key | Value |
---|---|
Summary | How to purchase Extended Security Maintenance from the Azure Marketplace and apply this to your Ubuntu 16.04 Azure VMs. |
Categories | cloud, azure |
Difficulty | 2 |
Author | Aaron Whitehouse <aaron.whitehouse@canonical.com> |
Overview
Duration: 2:00
IMPORTANT NOTE: as of March 2023, the Microsoft integration is not working correctly and this approach does not currently work. If you are simply wanting to add ESM to your Ubuntu Server 16.04 (or later) instances on Azure, there is now a much better way to do this, see: Announcing In-Place Upgrade from Ubuntu Server to Ubuntu Pro on Azure. If you also need support, please contact our Azure team, as there are alternative, working, approaches to provide the required tokens via the Azure Marketplace.
Ubuntu 16.04 LTS Xenial Xerus has been available since 2016, with many organisations adopting it for enterprise use on Azure.
In April 2021, Ubuntu 16.04 LTS will reach the end of its standard, five-year security maintenance period. After this point, security patches for Ubuntu 16.04 LTS will only be available under Canonicalâs Extended Security Maintenance (ESM) offering, with security patches provided for an additional three years beyond the traditional five-year standard support.
In this tutorial we will purchase ESM through the Azure Marketplace and apply this to our existing Ubuntu 16.04 LTS Azure virtual machines.
â This should only be used to add ESM to existing Ubuntu 16.04 LTS virtual machines, as any new Ubuntu 16.04 workloads should instead be launched on Ubuntu Pro 16.04 LTS, which includes ESM as one of its features.
What youâll learn
- How to find which subscriptions contain Ubuntu 16.04 machines
- How to purchase Extended Security Maintenance for existing Ubuntu 16.04 LTS VMs through the Azure Marketplace
- How to retrieve your Ubuntu Advantage token
- How to apply this token to each of your Ubuntu 16.04 virtual machines
What youâll need
- An Azure account
- At least one Azure subscription containing Ubuntu 16.04 virtual machines
- Administrator rights to the relevant subscription
This process will apply to all VMs in the relevant subscription
The approach set out in this tutorial will purchase Ubuntu Advantage for Infrastructure Essentials for all Ubuntu virtual machines in the selected subscription, including virtual machines running releases later than Ubuntu 16.04.
Find the subscriptions containing 16.04 with Azure Resource Graph Explorer
Duration: 2:00
Open the Azure Resource Graph Explorer in the Azure Portal.
Create a new query:
// Find the subscriptions containing Ubuntu Server 16.04 (non-Pro)
// virtual machines by subscription
// Click the "Run query" command above to execute the query and see results, together with how many 16.04 machines are in each subscription.
resources
| where tolower(properties['storageProfile']['imageReference']['publisher']) == "canonical" and (properties['storageProfile']['imageReference']['sku'] == "16.04-LTS" or properties['storageProfile']['imageReference']['sku'] == "16_04-lts-gen2")
| summarize count() by subscriptionId
| order by count_
Ensure that the dropdown box in the top right says âAll subscriptionsâ and click âRun queryâ.
The results should look something like the below:
â Choose âFormatted resultsâ to see the subscription names instead of the ID.
Purchase Ubuntu Advantage Essentials from the Azure Marketplace
Duration: 3:00
1. Select Ubuntu Advantage for Infrastructure from the Azure Marketplace
Navigate to Ubuntu Advantage for Infrastructure subscription on the Azure Marketplace.
Select âGET IT NOWâ
and click âContinueâ.
A pop-up will appear asking you for further details about you:
2. Select the relevant subscription
Select the Subscription that you found was using Ubuntu 16.04 in the previous step:
3. Choose an Essential subscription
Extended Security Maintenance is included in all subscription tiers, so for this tutorial we will select Essential.
This process will apply to all VMs in the relevant subscription
The approach set out in this tutorial will purchase Ubuntu Advantage for Infrastructure Essentials for all Ubuntu virtual machines in the selected subscription, including virtual machines running releases later than Ubuntu 16.04.
Click âConfirmâ to accept the relevant terms:
We see in the Notifications pane that the purchase is taking place:
And then we can see it complete:
4. Complete the support registration
We can then click the link to go to the support plan details:
Then we need to click the âCanonical supportâ link to complete the registration.
â We need to click the âCanonical supportâ link here to complete the registration. Many of our customers miss this, as it just looks like an unimportant link.
We can also access the subscription details screen through the Help & Support, Support Plans blade in the Azure Portal. Choose the correct subscription, click âMarketplaceâ (it should say âEssentialsâ) and âView detailsâ.
Once you click the âCanonical supportâ link, you will see a page similar to the below:
Click âAcceptâ. You will then see the following:
which you need to complete and click âRegisterâ. This needs to be a unique email address under your control, as you will need it in the next step to obtain your token.
â The system currently (as at June 2021) has a limitation that you must use a unique email address for each subscription. Your email provider may let you use, for example:
user+subscription1@domain.com
which would be seen by the system as unique, but come into your existinguser@domain.com
email address.If we have multiple subscriptions and want ESM for each of them, we need to go through each step in this tutorial for each subscription. For example, say we have
subscription1
andsubscription2
. We would need to follow Step 3 of this tutorial and registersubscription1
with Canonical, giving a unique email address of, for example,user+subscription1@domain.com
. We would then need to follow this Step 4 and create an UbuntuOne account foruser+subscription1@domain.com
and retrieve the relevant token for that subscription. We would then need to follow Step 5 and apply that token to the virtual machines within that subscription. Then we would need to go through the process again forsubscription2
, using another email address (e.g.user+subscription2@domain.com
), creating another UbuntuOne account and retrieving the token forsubscription2
to apply to the virtual machines within thatsubscription2
.The process for attaching multiple subscriptions will hopefully be improved in the future, but if you need any help, please Contact the Canonical Azure team.
Then you will see:
If you instead see an error, check that you used an email address that has not been used with Canonical before.
Clicking âSupportâ on this screen will take you to Canonicalâs support portal, where you can explore Knowledge Base articles and, if you have purchased Technical Support, log tickets.
â If you have any problems purchasing or completing your registration, please Contact the Canonical Azure team.
Retrieve Ubuntu Advantage client token
Duration: 2:00
If you do not already have an Ubuntu One account, create one.
Visit the Ubuntu Advantage website and click âSign Inâ, logging in with the same email address as you use for Azure.
Under âYour Paid Subscriptionsâ, you should see âUbuntu Advantage - Essentialsâ. We can click the arrow next to the number of MACHINES to show the following: "To attach a machine: sudo attach [token]
" (deliberately blurred in my screenshot).
â[token]â here is the UA token that you will need to attach to each of your 16.04 machines.
Apply ESM to each of your Ubuntu 16.04 virtual machines
Duration: 3:00
1. Ensure we have a recent version of the ua client
On each of your Ubuntu 16.04 virtual machines, first check that the ua client is installed and which version. We want at least version 26.2.
Letâs first update to the latest version in the repositories we already have set up:
$ sudo apt update
$ sudo apt install ubuntu-advantage-tools
Now we can check the version:
$ ua version
27.0~16.04.1
We have a version of the ua client that is later than 26.2, so we can proceed to attaching the virtual machine to our UA Subscription in step 2.
If ua version
gives a version less than 26.2, or you receive an error like this:
$ ua version
ua: command not found
it suggests that we do not have a recent enough version installed. Letâs check:
$ apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
Installed: 10ubuntu0.16.04.1
[...]
We want at least version 26.2 and we currently have 10ubuntu0.16.04.1, so we first need to add the UA Client Stable PPA from Launchpad and upgrade our UA packages:
â Do not do the below if your ua version is already 26.2 or above! Instead skip to step 2.
$ sudo add-apt-repository ppa:ua-client/stable
$ sudo apt update
$ sudo apt install ubuntu-advantage-tools
Now we have a recent enough version:
$ ua version
26.3~16.04.1
2. Attach the virtual machine to your UA subscription
Once you have a recent version of the UA client version 26.2 enabled, you can run ua status
:
$ sudo ua status
SERVICE AVAILABLE DESCRIPTION
esm-infra yes UA Infra: Extended Security Maintenance (ESM)
fips yes NIST-certified FIPS modules
fips-updates yes Uncertified security updates to FIPS modules
livepatch yes Canonical Livepatch service
This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage
We can see that this is not yet attached to a UA subscription. Letâs fix that, using the [token] from the previous step:
$ sudo ua attach [token]
3. Enable ESM Infra
Enable esm-infra:
$ sudo ua enable esm-infra
One moment, checking your subscription first
ESM Infra is already enabled.
See: sudo ua status
It looks as though this was already enabled for us when we attached the token. Letâs double-check it is enabled:
$ sudo ua status
SERVICE ENTITLED STATUS DESCRIPTION
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
Excellent, esm-infra is showing as enabled
.
4. (Optional) Remove the ua-client PPA, if added
If you added the ua-client ppa, you might want to remove this, otherwise you might be pulling newer versions of the UA tools in the future that you might not really want:
$ sudo add-apt-repository --remove ppa:ua-client/stable
5. Repeat for all Ubuntu 16.04 virtual machines
We need to repeat these steps for each of our Ubuntu 16.04 virtual machines.
Thatâs all folks!
Duration: 1:00
Congratulations, we have enabled Extended Security Maintenance for your Ubuntu 16.04 virtual machines in this subscription!
If you found multiple subscriptions containing Ubuntu 16.04 virtual machines in the âFind the subscriptions containing 16.04 with Azure Resource Graph Explorerâ step, you will need to repeat this tutorial for those subscriptions.
While it has been fun working with you to enable ESM manually on your Ubuntu 16.04 virtual machines, we encourage you to use Ubuntu Pro on Azure for your next Ubuntu deployment â this is available for all of our Ubuntu LTS versions and includes ESM turned on by default (among other great features) .