Purchasing and Applying 16.04 ESM from the Azure Marketplace

Overview

Duration: 2:00

Ubuntu 16.04 LTS Xenial Xerus has been available since 2016, with many organisations adopting it for enterprise use on Azure.

In April 2021, Ubuntu 16.04 LTS will reach the end of its standard, five-year security maintenance period. After this point, security patches for Ubuntu 16.04 LTS will only be available under Canonical’s Extended Security Maintenance (ESM) offering, with security patches provided for an additional three years beyond the traditional five-year standard support.

In this tutorial we will purchase ESM through the Azure Marketplace and apply this to our existing Ubuntu 16.04 LTS Azure virtual machines.

ⓘ This should only be used to add ESM to existing Ubuntu 16.04 LTS virtual machines, as any new Ubuntu 16.04 workloads should instead be launched on Ubuntu Pro 16.04 LTS, which includes ESM as one of its features.

What you’ll learn

  • How to find which subscriptions contain Ubuntu 16.04 machines
  • How to purchase Extended Security Maintenance for existing Ubuntu 16.04 LTS VMs through the Azure Marketplace
  • How to retrieve your Ubuntu Advantage token
  • How to apply this token to each of your Ubuntu 16.04 virtual machines

What you’ll need

  • An Azure account
  • At least one Azure subscription containing Ubuntu 16.04 virtual machines
  • Administrator rights to the relevant subscription

:warning: This process will apply to all VMs in the relevant subscription
The approach set out in this tutorial will purchase Ubuntu Advantage for Infrastructure Essentials for all Ubuntu virtual machines in the selected subscription, including virtual machines running releases later than Ubuntu 16.04.

Find the subscriptions containing 16.04 with Azure Resource Graph Explorer

Duration: 2:00

Open the Azure Resource Graph Explorer in the Azure Portal.

Create a new query:

// Find the subscriptions containing Ubuntu Server 16.04 (non-Pro) 
// virtual machines by subscription
// Click the "Run query" command above to execute the query and see results, together with how many 16.04 machines are in each subscription.
resources
| where tolower(properties['storageProfile']['imageReference']['publisher']) == "canonical" and (properties['storageProfile']['imageReference']['sku'] == "16.04-LTS" or properties['storageProfile']['imageReference']['sku'] == "16_04-lts-gen2")
| summarize count() by subscriptionId
| order by count_

Ensure that the dropdown box in the top right says “All subscriptions” and click “Run query”.

The results should look something like the below:

Screenshot from 2021-04-14 15-14-10

ⓘ Choose “Formatted results” to see the subscription names instead of the ID.

Purchase Ubuntu Advantage Essentials from the Azure Marketplace

Duration: 3:00

1. Select Ubuntu Advantage for Infrastructure from the Azure Marketplace

Navigate to Ubuntu Advantage for Infrastructure subscription on the Azure Marketplace.

Select “GET IT NOW”
image
and click “Continue”.

A pop-up will appear asking you for further details about you:

2. Select the relevant subscription

Select the Subscription that you found was using Ubuntu 16.04 in the previous step:

image

3. Choose an Essential subscription

Extended Security Maintenance is included in all subscription tiers, so for this tutorial we will select Essential.

image

:warning: This process will apply to all VMs in the relevant subscription
The approach set out in this tutorial will purchase Ubuntu Advantage for Infrastructure Essentials for all Ubuntu virtual machines in the selected subscription, including virtual machines running releases later than Ubuntu 16.04.

Click “Confirm” to accept the relevant terms:

We see in the Notifications pane that the purchase is taking place:

Screenshot from 2021-04-21 21-31-33

And then we can see it complete:

Screenshot from 2021-04-21 21-32-49

4. Complete the support registration

We can then click the link to go to the support plan details:

Screenshot from 2021-04-21 21-10-37 (1)

Then we need to click the “Canonical support” link to complete the registration.

ⓘ We need to click the “Canonical support” link here to complete the registration. Many of our customers miss this, as it just looks like an unimportant link.

We can also access the subscription details screen through the Help & Support, Support Plans blade in the Azure Portal. Choose the correct subscription, click “Marketplace” (it should say “Essentials”) and “View details”.

Once you click the “Canonical support” link, you will see a page similar to the below:

Screenshot from 2021-05-26 13-22-05-2

Click “Accept”. You will then see the following:


which you need to complete and click “Register”. This needs to be a unique email address under your control, as you will need it in the next step to obtain your token.

ⓘ The system currently (as at June 2021) has a limitation that you must use a unique email address for each subscription. Your email provider may let you use, for example: user+subscription1@domain.com which would be seen by the system as unique, but come into your existing user@domain.com email address.

If we have multiple subscriptions and want ESM for each of them, we need to go through each step in this tutorial for each subscription. For example, say we have subscription1 and subscription2. We would need to follow Step 3 of this tutorial and register subscription1 with Canonical, giving a unique email address of, for example, user+subscription1@domain.com. We would then need to follow this Step 4 and create an UbuntuOne account for user+subscription1@domain.com and retrieve the relevant token for that subscription. We would then need to follow Step 5 and apply that token to the virtual machines within that subscription. Then we would need to go through the process again for subscription2, using another email address (e.g. user+subscription2@domain.com), creating another UbuntuOne account and retrieving the token for subscription2 to apply to the virtual machines within that subscription2.

The process for attaching multiple subscriptions will hopefully be improved in the future, but if you need any help, please Contact the Canonical Azure team.

Then you will see:

If you instead see an error, check that you used an email address that has not been used with Canonical before.

Clicking “Support” on this screen will take you to Canonical’s support portal, where you can explore Knowledge Base articles and, if you have purchased Technical Support, log tickets.

ⓘ If you have any problems purchasing or completing your registration, please Contact the Canonical Azure team.

Retrieve Ubuntu Advantage client token

Duration: 2:00

If you do not already have an Ubuntu One account, create one.

Visit the Ubuntu Advantage website and click “Sign In”, logging in with the same email address as you use for Azure.

Under “Your Paid Subscriptions”, you should see “Ubuntu Advantage - Essentials”. We can click the arrow next to the number of MACHINES to show the following: "To attach a machine: sudo attach [token]" (deliberately blurred in my screenshot).

“[token]” here is the UA token that you will need to attach to each of your 16.04 machines.

Apply ESM to each of your Ubuntu 16.04 virtual machines

Duration: 3:00

1. Ensure we have a recent version of the ua client

On each of your Ubuntu 16.04 virtual machines, first check that the ua client is installed and which version. We want at least version 26.2.

Let’s first update to the latest version in the repositories we already have set up:

$ sudo apt update
$ sudo apt install ubuntu-advantage-tools

Now we can check the version:

$ ua version
27.0~16.04.1

We have a version of the ua client that is later than 26.2, so we can proceed to attaching the virtual machine to our UA Subscription in step 2.

If ua version gives a version less than 26.2, or you receive an error like this:

$ ua version
ua: command not found

it suggests that we do not have a recent enough version installed. Let’s check:

$ apt-cache policy ubuntu-advantage-tools  

ubuntu-advantage-tools:
  Installed: 10ubuntu0.16.04.1
[...]

We want at least version 26.2 and we currently have 10ubuntu0.16.04.1, so we first need to add the UA Client Stable PPA from Launchpad and upgrade our UA packages:

ⓘ Do not do the below if your ua version is already 26.2 or above! Instead skip to step 2.

$ sudo add-apt-repository ppa:ua-client/stable
$ sudo apt update
$ sudo apt install ubuntu-advantage-tools

Now we have a recent enough version:

$ ua version
26.3~16.04.1

2. Attach the virtual machine to your UA subscription

Once you have a recent version of the UA client version 26.2 enabled, you can run ua status:

$ sudo ua status
SERVICE       AVAILABLE  DESCRIPTION
esm-infra     yes        UA Infra: Extended Security Maintenance (ESM)
fips          yes        NIST-certified FIPS modules
fips-updates  yes        Uncertified security updates to FIPS modules
livepatch     yes        Canonical Livepatch service

This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage

We can see that this is not yet attached to a UA subscription. Let’s fix that, using the [token] from the previous step:

$ sudo ua attach [token]

3. Enable ESM Infra

Enable esm-infra:

$ sudo ua enable esm-infra
One moment, checking your subscription first
ESM Infra is already enabled.
See: sudo ua status

It looks as though this was already enabled for us when we attached the token. Let’s double-check it is enabled:

$ sudo ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)

Excellent, esm-infra is showing as enabled.

4. (Optional) Remove the ua-client PPA, if added

If you added the ua-client ppa, you might want to remove this, otherwise you might be pulling newer versions of the UA tools in the future that you might not really want:

$ sudo add-apt-repository --remove ppa:ua-client/stable

5. Repeat for all Ubuntu 16.04 virtual machines

We need to repeat these steps for each of our Ubuntu 16.04 virtual machines.

That’s all folks!

Duration: 1:00

Congratulations, we have enabled Extended Security Maintenance for your Ubuntu 16.04 virtual machines in this subscription!

If you found multiple subscriptions containing Ubuntu 16.04 virtual machines in the “Find the subscriptions containing 16.04 with Azure Resource Graph Explorer” step, you will need to repeat this tutorial for those subscriptions.

While it has been fun working with you to enable ESM manually on your Ubuntu 16.04 virtual machines, we encourage you to use Ubuntu Pro on Azure for your next Ubuntu deployment – this is available for all of our Ubuntu LTS versions and includes ESM turned on by default (among other great features) .

1 Like