Ubuntu Pro beta tutorial

Get started with Ubuntu Pro

  1. Overview

New to Ubuntu Pro? This how-to guide will help you understand how to activate your Ubuntu Pro subscription and choose which services to enable. Together, we will identify security updates available uniquely with an Ubuntu Pro subscription, and we will apply fixes.

We will start by getting a free, personal subscription. Then we will attach this subscription to your existing Ubuntu LTS machine and enable the Expanded Security Maintenance for Applications (esm-apps) in beta, to find out if any additional security fixes are available for you on your machine.

Want to learn more about the benefits of Ubuntu Pro before moving on?

What you’ll learn

  • What Ubuntu Pro is and how to use it
  • How to check the source of your installed packages
  • How to attach an Ubuntu Pro subscription to your existing Ubuntu LTS machine
  • How to check for and apply security updates on your Ubuntu machine, including security updates for Ubuntu Universe packages which are only available with Ubuntu Pro

What you’ll need

  • An Ubuntu machine running 16.04 LTS, 18.04 LTS, 20.04 LTS or 22.04 LTS
  • Sudo access
  • An email address, or an existing Ubuntu One account
  • Ubuntu Pro client version 27.11.2 or newer
  1. Before we start

a. Make sure that you are up to date

$ sudo apt update && sudo apt upgrade

b. Ensure that you’re running the latest version of the pro client.

$ pro --version

$ pro --version
27.11.2~20.04.1

I can see that I am running version 27.11.2, so no need to update.

If you run a previous version of the client, you have two options:

  1. You could wait for the pro client update, which is now released and phased to get to all Ubuntu machines by October 9th, 2022, or
  2. Consider bypassing the update phasing and install the client version 27.11.2 using the following command:

$ sudo apt install ubuntu-advantage-tools=27.11.2~$(lsb_release -rs).1

  1. Identify the source repository of your installed packages

First, let’s find out how many deb packages are installed on your machine and from which source. Run $ pro security-status

$ pro security-status
2190 packages installed:
     1870 packages from Ubuntu Main/Restricted repository
     281 packages from Ubuntu Universe/Multiverse repository
     10 packages from third parties
     29 packages no longer available for download

To get more information about the packages, run
    pro security-status --help
for a list of available options.

This machine is not attached to an Ubuntu Pro subscription.

Main/Restricted packages receive updates with LTS until 2025.

Try Ubuntu Pro beta with a free personal subscription on up to 5 machines.
Learn more at https://ubuntu.com/pro

OK, so there are 2190 deb packages installed on your machine.

  • 1870 packages are from Ubuntu Main/ Restricted repository which means that they receive Ubuntu LTS updates until 2025. This is covered without any subscription but can be expanded with Ubuntu Pro for an additional 5 years, until 2030.
  • 281 packages are from Ubuntu Universe/ Multiverse repository and they come with no security assurance with Ubuntu LTS. They would be covered by Ubuntu Pro and there might be beta security updates available for them today. Let’s find out if that is the case.

Note: if you’re currently not using any packages from the Ubuntu Universe repository, that line will not be displayed.

At the bottom of the output, I am notified that I can get a free personal Ubuntu Pro subscription for 5 machines. Let’s get one!

  1. Get your free Ubuntu Pro subscription

a. Create an Ubuntu One account

If you do not already have an Ubuntu One account, create one - Ubuntu One is the single account you use to log in to all services and sites related to Ubuntu, including Ubuntu Pro which is free of charge for personal use on up to 5 machines.

b. Confirm the email address

Simply click the link provided in the email.

c. Retrieve the token

You will be automatically redirected to your Ubuntu Pro dashboard (ubuntu.com/pro); an additional google captcha confirmation step might be required.

Your Ubuntu Pro token will be listed under ‘Free Personal Token’

  1. Attach your Ubuntu LTS machine to an Ubuntu Pro subscription using the token

Now that we have our Ubuntu Pro token, we can attach it to our Ubuntu instance. Open the terminal on your Ubuntu LTS, and type the following command:

$ sudo pro attach [YOUR_TOKEN]

You should see some of the Ubuntu Pro services - Expanded Security Maintenance for Infrastructure (esm-infra), and Livepatch - automatically enabling, while others will remain disabled until you switch them on:

$ sudo pro attach [YOUR_TOKEN]
Enabling default service esm-infra
Updating package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Canonical livepatch enabled.
Unable to determine current instance-id
This machine is now attached to 'Ubuntu Pro - free personal subscription'

SERVICE          ENTITLED  STATUS    DESCRIPTION
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
fips             yes       disabled  NIST-certified core packages
fips-updates     yes       disabled  NIST-certified core packages with priority security updates
livepatch        yes       enabled   Canonical Livepatch service
usg              yes       disabled  Security compliance and audit tools

NOTICES
Operation in progress: pro attach

Enable services with: pro enable <service>

     Account: [YOUR_EMAIL]
Subscription: Ubuntu Pro - free personal subscription

Note: This output will depend on your Ubuntu LTS version; for instance fips, fips-updates and usg are not yet available on Ubuntu 22.04 LTS.

  1. Enable the esm-apps service (in beta)

Now, let’s enable the esm-apps beta service by running
$ sudo pro enable esm-apps --beta

$ sudo pro enable esm-apps --beta
One moment, checking your subscription first
Updating package lists
Ubuntu Pro: ESM Apps enabled

Remember that you need to attach a Pro subscription first. If you haven’t done it in advance, you will see the following message.

$ sudo pro enable esm-apps --beta
To use 'esm-apps' you need an Ubuntu Pro subscription
Personal and community subscriptions are available at no charge
See https://ubuntu.com/pro
  1. Find out if any additional security patches are available for you

Check if any additional security updates for the packages from the Ubuntu Universe repository are available for you.

Run $ apt list --upgradable | grep apps-security to find out which packages can be upgraded. Ubuntu Pro: esm-apps packages will be listed under release-apps-security

$ apt list --upgradable | grep apps-security

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

redis-server/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1]
redis-tools/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1]
redis/focal-apps-security,focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 all [upgradable from: 5:5.0.7-2ubuntu0.1]

Ok, I can see that there are 3 packages related to Redis that have esm-apps security updates available for Ubuntu Pro.

Note: If you don’t see anything in your output, it means that no Ubuntu Pro security updates are currently available on that Ubuntu machine. In that case consider installing a package that would provide an output. Before doing that, please disable the esm-apps service and enable it again once the package is installed (otherwise it would install the new version right away and thereby you would not see the difference).

$ sudo pro disable esm-apps

$ sudo apt-get install pdfresurrect

$ sudo pro enable esm-apps --beta

And then move back to the top of step 7.

  1. Identify which CVEs are affecting you

a. First, let’s add an apt source for the esm-apps deb-src repository. This will allow us to download the source packages directly which contain the CVE information.

$ echo "deb-src https://esm.ubuntu.com/apps/ubuntu $(lsb_release -s -c)-apps-security main" | sudo tee /etc/apt/sources.list.d/esm-apps-sources.list

b. Let’s make sure that apt is aware of those source packages by running

$ sudo apt-get update

c. Now, let’s download a source package for a package present on esm-apps (from step 7). In our example here, it will be redis.

$ sudo apt-get source redis

(This command will download the package on the same folder where the user runs the command):

d. Let’s now find a file that starts with the package name we downloaded and ends with debian.tar.xz. We can do that by running the following ls command:

$ ls [PACKAGE_NAME]*.debian.tar.xz

For example, for redis we should run:

$ ls redis*.debian.tar.xz
redis_5.0.7-2ubuntu0.1+esm1.debian.tar.xz

e. We can now use this name to show the latest changelog entry

$ tar -xOf [PACKAGE_FILE] debian/changelog | sed "/--/q"

For example, for redis we should run:

$ tar -xOf redis_5.0.7-2ubuntu0.1+esm1.debian.tar.xz debian/changelog | sed "/--/q"
redis (5:5.0.7-2ubuntu0.1+esm1) focal-security; urgency=medium

  * SECURITY UPDATE: Several security issues.
    - debian/patches/CVE-2021-32626.patch: Fix invalid memory write on
    lua stack overflow
    - debian/patches/CVE-2021-32627_32628.patch: Fix ziplist and
    listpack overflows and truncations
    - debian/patches/CVE-2021-32672.patch: Fix protocol parsing on
    'ldbReplParseCommand'
    - debian/patches/CVE-2021-32675.patch: Prevent unauthenticated
    client from easily consuming lots of memory
    - debian/patches/CVE-2021-32687.patch: Fix Integer overflow issue
    with intsets
    - debian/patches/CVE-2021-41099.patch: Fix integer overflow in
    _sdsMakeRoomFor
    - CVE-2021-32626
    - CVE-2021-32627
    - CVE-2021-32628
    - CVE-2021-32672
    - CVE-2021-32675
    - CVE-2021-32687
    - CVE-2021-41099

 -- Eduardo Barretto <eduardo.barretto@canonical.com>  Tue, 08 Mar 2022 09:52:58 +0100

I can now see all CVE fixes available for redis with Ubuntu Pro. They fix the following CVEs:

  • CVE-2021-32626

  • CVE-2021-32627

  • CVE-2021-32628

  • CVE-2021-32672

  • CVE-2021-32675

  • CVE-2021-32687

  • CVE-2021-41099

You can learn more about those security vulnerabilities on Ubuntu security pages, e.g. https://ubuntu.com/security/CVE-2021-32626

Note: as those security fixes are currently in beta, the USNs will not yet be announced.

PS: You can delete the “/etc/apt/sources.list.d/esm-apps-sources.list” file after looking at the changelog.

  1. Upgrade packages to a patched version

Now that we have identified which packages and CVEs are affecting you, let’s get them fixed.

$ sudo apt upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  redis redis-server redis-tools
3 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.
3 esm-apps security updates
Need to get 532 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis-server amd64 5:5.0.7-2ubuntu0.1+esm1 [37.4 kB]
Get:2 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis-tools amd64 5:5.0.7-2ubuntu0.1+esm1 [491 kB]
Get:3 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis all 5:5.0.7-2ubuntu0.1+esm1 [3,072 B]
Fetched 532 kB in 1s (393 kB/s)   
(Reading database ... 281498 files and directories currently installed.)
Preparing to unpack .../redis-server_5%3a5.0.7-2ubuntu0.1+esm1_amd64.deb ...
Unpacking redis-server (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Preparing to unpack .../redis-tools_5%3a5.0.7-2ubuntu0.1+esm1_amd64.deb ...
Unpacking redis-tools (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Preparing to unpack .../redis_5%3a5.0.7-2ubuntu0.1+esm1_all.deb ...
Unpacking redis (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Setting up redis-tools (5:5.0.7-2ubuntu0.1+esm1) ...
Setting up redis-server (5:5.0.7-2ubuntu0.1+esm1) ...
Setting up redis (5:5.0.7-2ubuntu0.1+esm1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (245.4-4ubuntu3.18) ...
  1. Find out how many esm-apps fixes have been installed overall

$ pro security-status
2190 packages installed:
     1870 packages from Ubuntu Main/Restricted repository
     281 packages from Ubuntu Universe/Multiverse repository
     10 packages from third parties
     29 packages no longer available for download


To get more information about the packages, run
    pro security-status --help
for a list of available options.

Main/Restricted packages receive updates with LTS until 2025.

Universe/Multiverse packages are receiving security updates from
Ubuntu Pro with 'esm-apps' enabled until 2030. You have received 3 security
updates.

Congrats! It seems that packages have been upgraded, so you’re not vulnerable to the CVEs listed in step 8 anymore. In the final output above, with esm-apps --beta service enabled, we can see that 3 packages have received security updates.

  1. What else can you use your Ubuntu Pro subscription for?

For users running in regulated environments, we have a set of FIPS-certified crypto-modules and hardening scripts available. To enable them, consider enabling other Pro services you are entitled to, such as the Ubuntu Security Guide.

$ sudo pro enable usg

  1. That’s all, folks

Good job, you made it! You should now know how to access and use Ubuntu Pro, as well as understand all the great benefits Ubuntu Pro has to offer.

Next steps:

Still hungry to learn more about Ubuntu Pro? Head on over to Ubuntu Pro Discourse.

15 Likes

How about having a quick ubuntu pro survey?

Everyone can now fill in this survey to help us improve how to get started with Ubuntu Pro. :raised_hands:
Your feedback is very important for us and the entire Ubuntu community. Thank you!

1 Like