Ubuntu Advantage Client

The Ubuntu Advantage (UA) client is a tool designed to automate access to UA services like Extended Security Maintenance (ESM), CIS, FIPS, and more. The client is available for all Ubuntu LTS releases. Features might depend on the specific LTS release as they do or do not apply. The updated client provides users a command-line interface with a single point to access all UA services. This simplifies access to UA Services and allows access to UA services for all users of Ubuntu with a free tier of service. See https://ubuntu.com/advantage for more details on the various UA services.

Working with specific services

Extended Security Maintenance (ESM)

  1. Make sure that you have the latest UA client installed on your Ubuntu 16.04 LTS machine.
  2. Follow the instructions on https://ubuntu.com/advantage/ to retrieve your UA token and get started with ESM.

Keep reading if you want more detailed instructions, or have questions

Installing the UA client

The UA client is installed through apt. Make sure to confirm you have the latest Ubuntu Advantage client which is equal to or greater than version 27.

$ ua --version

Once you have verified your client, you will need to attach it to your UA account.

Attach the UA client

Retrieve your UA token from https://ubuntu.com/advantage/. You will log in with your SSO credentials, the same credentials you use for https://login.ubuntu.com.

$ sudo ua attach YOUR_TOKEN

You should see output like the following, indicating that you have successfully associated this machine with your account.

Enabling default service esm-infra
Updating package lists
ESM Infra enabled
This machine is now attached to 'UA Infra - Essential (Virtual)'

esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       n/a       NIST-certified FIPS modules
fips-updates  yes       n/a       Uncertified security updates to FIPS modules
livepatch     yes       n/a       Canonical Livepatch service

Operation in progress: ua attach

Enable services with: ua enable <service>

Once the UA client is attached to your UA account, you can use it to activate various services, including: access to ESM packages, Livepatch, FIPS, and CIS. Some features are specific to certain LTS releases

UA Status

Users can use the status subcommand to get the current status and see what services are enabled or disabled:

$ sudo ua status

esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       n/a       NIST-certified FIPS modules
fips-updates  yes       n/a       Uncertified security updates to FIPS modules
livepatch     yes       n/a       Canonical Livepatch service

Enable services with: ua enable <service>

           Subscription: UA Applications - Essential (Virtual)
            Valid until: 2022-12-31 00:00:00
Technical support level: essential

Extended Security Maintenance (ESM)

For Ubuntu 14.04 LTS and 16.04 LTS as shown above, ESM will be automatically enabled after attaching the UA client to your account. After ubuntu-advantage-tools is installed and your machine is attached, ESM should be enabled. If ESM is not enabled, you can enable it with the following command:

$ sudo ua enable esm-infra

With the ESM repository enabled, you may see a number of additional package updates available that were not available previously. Your system may have indicated that it was up to date before installing the ubuntu-advantage-tools, but make sure to check for new updates with apt update. If you have cron jobs set to install updates, or other unattended upgrades configured, be aware that this will likely result in a number of package updates after ESM is enabled.

$ sudo apt update

Running apt upgrade will show a number of package updates available.

$ sudo apt upgrade

More information: https://ubuntu.com/security/esm


Livepatch requires:

To enable run:

$ sudo ua enable livepatch

You should see output like the following, indicating that the Livepatch snap package has been installed.

One moment, checking your subscription first
Installing snapd
Updating package lists
Installing canonical-livepatch snap
Canonical livepatch enabled.

To check the status of Livepatch once it has been installed use this command

$ sudo canonical-livepatch status

More information: https://ubuntu.com/security/livepatch

Security Certifications (FIPS / Common Criteria)

FIPS and Common Criteria are supported on 16.04+, please see https://docs.ubuntu.com/security-certs/en/. The UA client will be updated for 16.04+ at a later date.



Why are we updating the client?

The updated client provides users a command-line interface with a single point to access all UA services. This reduces the number of tokens a customer has to manage as the old mechanism was one token per service.

Will the old ESM system stay in place for the entire Ubuntu 14.04 LTS ESM lifetime?

Yes. If you have ESM provisioned using the old client or manually you do not have to change.

Ubuntu.com/advantage shows I have 0? Why? I have more licenses.

The number is showing 0 attached to the subscription - not your total license amount.


How do I attach/login/activate?

You have to obtain your token and run: ua attach <token>

Where do I get a token?

How do I use SSO?

SSO is available from a user’s Ubuntu One account and can be created at https://login.ubuntu.com/.

What services get enabled by default?

ESM would be enabled by default where possible. Livepatch will not be auto-enabled on Ubuntu 14.04 LTS, but is enabled by default on later series. If a service is not applicable on the platform or release then the service will be skipped

I already have UA, and use Landscape to manage my devices, can I attach and manage UA from Landscape?

Not at this time. That said, you can automate the rollout using Landscape’s ability to execute commands on systems under management.


What does ‘’‘entitled’’’ mean?

Entitled shows whether your contract with us includes this Ubuntu Advantage service or not.

Why does the STATUS column say ‘’‘n/a’’’ if I am ‘’‘entitled’’’ to the service?

This service may not be applicable to the system you are currently on. Here are some examples:

  • FIPS is currently only supported on Xenial and Bionic. If you are on any other release, FIPS would show up as ‘’‘n/a’’’.
  • On Ubuntu 14.04 LTS, Livepatch is only available if you have the HWE kernel installed and are booted into it. Otherwise it shows ‘’‘n/a’’’.
  • If you are on a container, you cannot install Livepatch.


Where can I file bugs?

Things are failing, what logs are useful?

First, consider using the --debug option to see what might be failing. Otherwise, checkout /var/log/ubuntu-advantage.log. If including this log file in a bug report, please sanitize it first, as it will likely contain secrets!

I’m attaching successfully, but not showing entitled to anything? I have a commercial contract.

Please open a https://support.canonical.com/ with the output of sudo ua status --format json

I upgraded from Trusty with ESM to Xenial and now it does not show I have ESM enabled any longer
This is a known issue and can be resolved by re-enabling ESM using sudo ua enable esm-infra after rebooting the system into Xenial. See https://github.com/canonical/ubuntu-advantage-client/issues/1590

My cloud-init cloud-config is no longer working to enable UA products
Customers using the following cloud-config userdata will have to update to use the new cmdline client ‘ua attach’, ‘ua enable’ commands.

         commands: XXX
         ubuntu-advantage enable-fips

I find customers also like to know that running <canonical-livepatch status --format yaml> and <canonical-livepatch status --verbose> will tell you which livepatch is currently enabled and which CVEs it’s protecting you from (otherwise some people can end up updating and rebooting every time their sys mgmt tool alerts them to a vulnerability)

I would repeat this question for Livepatch, especially because at some point we will recommend that users move from the Livepatch-specific token to the UA client.

Can we please tweak this to be more applicable to Pro users on the clouds? Specifically I am thinking, for example, of a statement upfront that, if you are running Ubuntu Pro on Azure/AWS/GCE, you should already have a recent version of the ua-client installed and it should already be attached, so you can likely go straight to the sudo ua status step.

We could also add a reference to Ubuntu Pro in the “Where do I get a token?” FAQ. Something along the lines that “Our recommended approach to obtain services like Livepatch and ESM on the Public Clouds is to use Ubuntu Pro. For other use cases you can purchase Ubuntu Advantage directly from Canonical: [existing link].”

I am not sure about having this part at the beginning:

I think you have done a great job summarising the value of ua client and how to install and configure it. I wonder if specific guidance on enabling ESM to 14.04 or 16.04 belongs somewhere else separately (e.g. on our 16.04 page). That would also give us greater flexibility to tailor the advice to, for example, Public Cloud users, who in some cases have better options.

Should we add in a ua version so that people who do have the latest version aren’t adding a ppa etc? I wonder if we should just tell people to run ua version and check it is at least 26.3 (and follow your steps if not) – if they have a version >= 26.3 do they need the very latest from a ppa?

I can appreciate the nice to know information but I’d leave those details to the livepatch documentation vs this specific to enabling UA services. We do reference them to the livepatch content for more information.

We’ll see if we get more questions/feedback there and balance how much detail about each service best serves users here.