Ubuntu Pro beta tutorial

Get started with Ubuntu Pro

  1. Overview

New to Ubuntu Pro? This how-to guide will help you understand how to activate your Ubuntu Pro subscription and choose which services to enable. Together, we will identify security updates available uniquely with an Ubuntu Pro subscription, and we will apply fixes.

We will start by getting a free, personal subscription. Then we will attach this subscription to your existing Ubuntu LTS machine and enable the Expanded Security Maintenance for Applications (esm-apps) in beta, to find out if any additional security fixes are available for you on your machine.

Want to learn more about the benefits of Ubuntu Pro before moving on?

What you’ll learn

  • What Ubuntu Pro is and how to use it
  • How to check the source of your installed packages
  • How to attach an Ubuntu Pro subscription to your existing Ubuntu LTS machine
  • How to check for and apply security updates on your Ubuntu machine, including security updates for Ubuntu Universe packages which are only available with Ubuntu Pro

What you’ll need

  • An Ubuntu machine running 16.04 LTS, 18.04 LTS, 20.04 LTS or 22.04 LTS
  • Sudo access
  • An email address, or an existing Ubuntu One account
  • Ubuntu Pro client version 27.11.2 or newer

  2. Before we start

a. Make sure that you are up to date

$ sudo apt update && sudo apt upgrade

b. Ensure that you’re running the latest version of the pro client.

$ pro --version

$ pro --version
27.11.2~20.04.1

I can see that I am running version 27.11.2, so no need to update.

If you run a previous version of the client, you have two options:

  1. You could wait for the pro client update, which is now released and phased to get to all Ubuntu machines by October 9th, 2022, or
  2. Consider bypassing the update phasing and install the client version 27.11.2 using the following command:

$ sudo apt install ubuntu-advantage-tools=27.11.2~$(lsb_release -rs).1

  3. Identify the source repository of your installed packages

First, let’s find out how many deb packages are installed on your machine and from which source. Run $ pro security-status

$ pro security-status
2190 packages installed:
     1870 packages from Ubuntu Main/Restricted repository
     281 packages from Ubuntu Universe/Multiverse repository
     10 packages from third parties
     29 packages no longer available for download

To get more information about the packages, run
    pro security-status --help
for a list of available options.

This machine is not attached to an Ubuntu Pro subscription.

Main/Restricted packages receive updates with LTS until 2025.

Try Ubuntu Pro beta with a free personal subscription on up to 5 machines.
Learn more at https://ubuntu.com/pro

OK, so there are 2190 deb packages installed on your machine.

  • 1870 packages are from the Ubuntu Main/Restricted repository, which means that they receive Ubuntu LTS updates until 2025. This is covered without any subscription but can be expanded with Ubuntu Pro for an additional 5 years, until 2030.
  • 281 packages are from the Ubuntu Universe/Multiverse repository and they come with no security assurance with Ubuntu LTS. They would be covered by Ubuntu Pro and there might be beta security updates available for them today. Let’s find out if that is the case.

Note: if you’re currently not using any packages from the Ubuntu Universe repository, that line will not be displayed.

At the bottom of the output, I am notified that I can get a free personal Ubuntu Pro subscription for 5 machines. Let’s get one!

  4. Get your free Ubuntu Pro subscription

a. Create an Ubuntu One account

If you do not already have an Ubuntu One account, create one - Ubuntu One is the single account you use to log in to all services and sites related to Ubuntu, including Ubuntu Pro which is free of charge for personal use on up to 5 machines.

b. Confirm the email address

Simply click the link provided in the email.

c. Retrieve the token

You will be automatically redirected to your Ubuntu Pro dashboard (ubuntu.com/pro); an additional Google CAPTCHA confirmation step might be required.

Your Ubuntu Pro token will be listed under ‘Free Personal Token’

  5. Attach your Ubuntu LTS machine to an Ubuntu Pro subscription using the token

Now that we have our Ubuntu Pro token, we can attach it to our Ubuntu instance. Open the terminal on your Ubuntu LTS, and type the following command:

$ sudo pro attach [YOUR_TOKEN]

You should see some of the Ubuntu Pro services - Expanded Security Maintenance for Infrastructure (esm-infra), and Livepatch - automatically enabling, while others will remain disabled until you switch them on:

$ sudo pro attach [YOUR_TOKEN]
Enabling default service esm-infra
Updating package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Canonical livepatch enabled.
Unable to determine current instance-id
This machine is now attached to 'Ubuntu Pro - free personal subscription'

SERVICE          ENTITLED  STATUS    DESCRIPTION
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
fips             yes       disabled  NIST-certified core packages
fips-updates     yes       disabled  NIST-certified core packages with priority security updates
livepatch        yes       enabled   Canonical Livepatch service
usg              yes       disabled  Security compliance and audit tools

NOTICES
Operation in progress: pro attach

Enable services with: pro enable <service>

     Account: [YOUR_EMAIL]
Subscription: Ubuntu Pro - free personal subscription

Note: This output will depend on your Ubuntu LTS version; for instance fips, fips-updates and usg are not yet available on Ubuntu 22.04 LTS.

  6. Enable the esm-apps service (in beta)

Now, let’s enable the esm-apps beta service by running
$ sudo pro enable esm-apps --beta

$ sudo pro enable esm-apps --beta
One moment, checking your subscription first
Updating package lists
Ubuntu Pro: ESM Apps enabled

Remember that you need to attach a Pro subscription first. If you haven’t done it in advance, you will see the following message.

$ sudo pro enable esm-apps --beta
To use 'esm-apps' you need an Ubuntu Pro subscription
Personal and community subscriptions are available at no charge
See https://ubuntu.com/pro

  7. Find out if any additional security patches are available for you

Check if any additional security updates for the packages from the Ubuntu Universe repository are available for you.

Run $ apt list --upgradable | grep apps-security to find out which packages can be upgraded. Ubuntu Pro esm-apps packages will be listed under [RELEASE]-apps-security (focal-apps-security in the output below).

$ apt list --upgradable | grep apps-security

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

redis-server/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1]
redis-tools/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1]
redis/focal-apps-security,focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 all [upgradable from: 5:5.0.7-2ubuntu0.1]

Ok, I can see that there are 3 packages related to Redis that have esm-apps security updates available for Ubuntu Pro.

Note: If you don’t see anything in your output, it means that no Ubuntu Pro security updates are currently available on that Ubuntu machine. In that case consider installing a package that would provide an output. Before doing that, please disable the esm-apps service and enable it again once the package is installed (otherwise it would install the new version right away and thereby you would not see the difference).

$ sudo pro disable esm-apps

$ sudo apt-get install pdfresurrect

$ sudo pro enable esm-apps --beta

And then move back to the top of step 7.

  8. Identify which CVEs are affecting you

a. First, let’s add an apt source for the esm-apps deb-src repository. This will allow us to download the source packages directly which contain the CVE information.

$ echo "deb-src https://esm.ubuntu.com/apps/ubuntu $(lsb_release -s -c)-apps-security main" | sudo tee /etc/apt/sources.list.d/esm-apps-sources.list

b. Let’s make sure that apt is aware of those source packages by running

$ sudo apt-get update

c. Now, let’s download a source package for a package present on esm-apps (from step 7). In our example here, it will be redis.

$ sudo apt-get source redis

(This command downloads the source package into the directory where you run it.)

d. Let’s now find a file that starts with the package name we downloaded and ends with debian.tar.xz. We can do that by running the following ls command:

$ ls [PACKAGE_NAME]*.debian.tar.xz

For example, for redis we should run:

$ ls redis*.debian.tar.xz
redis_5.0.7-2ubuntu0.1+esm1.debian.tar.xz

e. We can now use this name to show the latest changelog entry

$ tar -xOf [PACKAGE_FILE] debian/changelog | sed "/--/q"

For example, for redis we should run:

$ tar -xOf redis_5.0.7-2ubuntu0.1+esm1.debian.tar.xz debian/changelog | sed "/--/q"
redis (5:5.0.7-2ubuntu0.1+esm1) focal-security; urgency=medium

  * SECURITY UPDATE: Several security issues.
    - debian/patches/CVE-2021-32626.patch: Fix invalid memory write on
    lua stack overflow
    - debian/patches/CVE-2021-32627_32628.patch: Fix ziplist and
    listpack overflows and truncations
    - debian/patches/CVE-2021-32672.patch: Fix protocol parsing on
    'ldbReplParseCommand'
    - debian/patches/CVE-2021-32675.patch: Prevent unauthenticated
    client from easily consuming lots of memory
    - debian/patches/CVE-2021-32687.patch: Fix Integer overflow issue
    with intsets
    - debian/patches/CVE-2021-41099.patch: Fix integer overflow in
    _sdsMakeRoomFor
    - CVE-2021-32626
    - CVE-2021-32627
    - CVE-2021-32628
    - CVE-2021-32672
    - CVE-2021-32675
    - CVE-2021-32687
    - CVE-2021-41099

 -- Eduardo Barretto <eduardo.barretto@canonical.com>  Tue, 08 Mar 2022 09:52:58 +0100

I can now see all CVE fixes available for redis with Ubuntu Pro. They fix the following CVEs:

  • CVE-2021-32626

  • CVE-2021-32627

  • CVE-2021-32628

  • CVE-2021-32672

  • CVE-2021-32675

  • CVE-2021-32687

  • CVE-2021-41099

You can learn more about those security vulnerabilities on Ubuntu security pages, e.g. https://ubuntu.com/security/CVE-2021-32626

Note: as those security fixes are currently in beta, the USNs will not yet be announced.

PS: You can delete the “/etc/apt/sources.list.d/esm-apps-sources.list” file after looking at the changelog.

  9. Upgrade packages to a patched version

Now that we have identified which packages and CVEs are affecting you, let’s get them fixed.

$ sudo apt upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  redis redis-server redis-tools
3 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.
3 esm-apps security updates
Need to get 532 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis-server amd64 5:5.0.7-2ubuntu0.1+esm1 [37.4 kB]
Get:2 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis-tools amd64 5:5.0.7-2ubuntu0.1+esm1 [491 kB]
Get:3 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis all 5:5.0.7-2ubuntu0.1+esm1 [3,072 B]
Fetched 532 kB in 1s (393 kB/s)   
(Reading database ... 281498 files and directories currently installed.)
Preparing to unpack .../redis-server_5%3a5.0.7-2ubuntu0.1+esm1_amd64.deb ...
Unpacking redis-server (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Preparing to unpack .../redis-tools_5%3a5.0.7-2ubuntu0.1+esm1_amd64.deb ...
Unpacking redis-tools (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Preparing to unpack .../redis_5%3a5.0.7-2ubuntu0.1+esm1_all.deb ...
Unpacking redis (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Setting up redis-tools (5:5.0.7-2ubuntu0.1+esm1) ...
Setting up redis-server (5:5.0.7-2ubuntu0.1+esm1) ...
Setting up redis (5:5.0.7-2ubuntu0.1+esm1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (245.4-4ubuntu3.18) ...

  10. Find out how many esm-apps fixes have been installed overall

$ pro security-status
2190 packages installed:
     1870 packages from Ubuntu Main/Restricted repository
     281 packages from Ubuntu Universe/Multiverse repository
     10 packages from third parties
     29 packages no longer available for download


To get more information about the packages, run
    pro security-status --help
for a list of available options.

Main/Restricted packages receive updates with LTS until 2025.

Universe/Multiverse packages are receiving security updates from
Ubuntu Pro with 'esm-apps' enabled until 2030. You have received 3 security
updates.

Congrats! It seems that packages have been upgraded, so you’re not vulnerable to the CVEs listed in step 8 anymore. In the final output above, with esm-apps --beta service enabled, we can see that 3 packages have received security updates.

  11. What else can you use your Ubuntu Pro subscription for?

For users running in regulated environments, we have a set of FIPS-certified crypto-modules and hardening scripts available. To enable them, consider enabling other Pro services you are entitled to, such as the Ubuntu Security Guide.

$ sudo pro enable usg

  12. That’s all, folks

Good job, you made it! You should now know how to access and use Ubuntu Pro, as well as understand all the great benefits Ubuntu Pro has to offer.

Next steps:

Still hungry to learn more about Ubuntu Pro? Head on over to Ubuntu Pro Discourse.

19 Likes
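
The checks from steps 7 and 8 of the tutorial as a small script, added here as an example that is not part of the original post; `esm_pending` and `changelog_cves` are hypothetical helper names, and the changelog sample is constructed. Unlike `sed "/--/q"`, which stops at the first line containing `--` anywhere, the changelog helper stops only at the entry's trailer line.

```shell
#!/bin/sh
# Added example (not from the tutorial): summarise pending esm-apps updates
# and the CVE IDs named in the newest changelog entry.

# stdin: output of `apt list --upgradable`.
# stdout: "package old-version -> new-version" for *-apps-security entries.
esm_pending() {
    awk '
        # name/pocket[,pocket] new-version arch [upgradable from: old-version]
        $1 ~ /\/[^ ]*-apps-security/ && /\[upgradable from: / {
            split($1, id, "/")
            old = $NF
            sub(/\]$/, "", old)
            print id[1], old, "->", $2
        }'
}

# stdin: a debian/changelog. stdout: unique CVE IDs from the newest entry.
# The entry ends at its trailer line, which starts with " -- "; a "--"
# elsewhere (for example inside a bullet) must not end it.
changelog_cves() {
    awk '{ print } /^ -- / { exit }' |
        grep -Eo 'CVE-[0-9]{4}-[0-9]{4,}' |
        sort -u
}

# apt output copied from step 7 of the tutorial.
SAMPLE_APT='WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

redis-server/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1]
redis-tools/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1]
redis/focal-apps-security,focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 all [upgradable from: 5:5.0.7-2ubuntu0.1]'

# Constructed changelog: hypothetical package, placeholder CVE IDs.
SAMPLE_CHANGELOG='examplepkg (1.0-1ubuntu0.1+esm1) focal-security; urgency=medium

  * SECURITY UPDATE: constructed entry
    - debian/rules: pass --enable-hardening to configure
    - debian/patches/CVE-2099-0002.patch: constructed fix
    - CVE-2099-0002
    - CVE-2099-0001

 -- Example Maintainer <maintainer@example.com>  Tue, 01 Jan 2030 00:00:00 +0000

examplepkg (1.0-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: older constructed entry
    - CVE-2099-0003

 -- Example Maintainer <maintainer@example.com>  Mon, 01 Jan 2029 00:00:00 +0000'

printf '%s\n' "$SAMPLE_APT" | esm_pending
printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_cves
```

On a real machine, pipe `apt list --upgradable` into `esm_pending`, and pipe the `tar -xOf [PACKAGE_FILE] debian/changelog` output from step 8 into `changelog_cves`.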

How about having a quick Ubuntu Pro survey?

Everyone can now fill in this survey to help us improve how to get started with Ubuntu Pro.
Your feedback is very important for us and the entire Ubuntu community. Thank you!

2 Likes

I’m interested in some of the FIPS and STIG applications of Ubuntu Pro. However, my targeted environment is air-gapped. When I try to attach an Ubuntu Pro subscription, the process fails with a lack of internet connection. Is there a workaround? I realize that I will have to bring packages over, but can the clients even work without internet access?

Hi, yes it is certainly possible, but unfortunately it is not completely trivial. The first thing to do is to mirror the packages that you will need, ideally managed through a local Landscape instance. This includes getting the FIPS and USG packages from the private repos that are made accessible through “pro enable /”. Then use Landscape (or a system management tool of your choosing) to install the packages on the target machines - this will provide the functionality even within an air-gapped environment.
We are actively working on an air-gapped Pro proxy service that will simplify this, but as of today the steps, as above, are rather involved I’m afraid.

Hi, I need to know about Ubuntu Pro. In your tutorial (Ubuntu Pro beta tutorial), when I do Step 3, “Identify the source repository of your installed packages”, my reply is:

This machine is attached to an Ubuntu Pro subscription.

But your tutorial has the opposite:

This machine is not attached to an Ubuntu Pro subscription.

I believe my system (I’m using Ubuntu 22.04) have ok to all installation.
How can I see if my token is correct in my terminal?

Thanks

I have a question. Currently you can disa the Ubuntu Pro token from the machine itself.

However, how can you remove a machine from the Ubuntu Pro Dashboard on the website without access to the machine?

The main use case is if either the OS gets broken or the primary drive dies and so you have to redo a clean install (after changing the drive in the second scenario). For a desktop PC or a laptop, there is also the scenario where the physical machine is stolen and thus inaccessible to the user.

In general, you should have in the tutorial all the methods to detach a machine from a token.

Yep in this situation right now. I was playing around with a few Ubuntu VMs and added my 5 machines (token) to those VMs. I blew away the VMs and I logged into the web console but there is no way to remove the machines. The machines are gone, how do we delete the old machines/reset the token?

That would mean that you’ve already attached your machine to an Ubuntu Pro subscription. You can run $ pro status to check if it’s indeed the case, and if yes - then you’d see which Pro services are available/enabled.

If you want to detach the Pro subscription from a machine, you can run $ sudo pro detach. This would disable the service and “free” your token. More importantly, Ubuntu Pro checks for “active machines” for the exact reasons you mentioned - workstations can get broken, or VMs can get killed. That’s why you can attach as many machines as you want, but the total number of “active machines” should not go above the limit.

See my reply to @haroldw. Ubuntu Pro would check the number of “active machines” against your contract. No need to worry about the VMs you blew away - they won’t be counted as “active”.

1 Like

The topic is starting to generate some traffic in #ubuntu on IRC. We already requested a factoid !ubuntupro that will link to this page. It would be helpful to point out a way to disable the apt hooks completely as this seems to be what “upsets” most users so far. Is removing/renaming “/etc/apt/apt.conf.d/20apt-esm-hook.conf” the best way to do that? Is it something worth mentioning here?

If you don’t like to see “apt news” simply set the apt news config to false. Run pro config set apt_news=false

Does that remove all hooks in apt or only the news part?

The issues we are getting on IRC/forums/comment sections of articles are that you are permanently getting messages about packages you can not upgrade unless signing up in the apt output, completely unrelated to the news bit.

@Lech have we taken into account that the list of packages you get shown will grow with the age of the release in this output?

It will likely become a multi-page output over time, making interaction with apt really hard… (it already scrolls the normal apt output offscreen today for me due to the long list of imagemagick and python packages the list shows now)

2 Likes

Yup, I understand now that they drop off after 24 hours. OK, that’s good enough for me! Thanks!

Hello @Lech, now that Ubuntu Pro is an official live product, I recommend replacing the first post in this thread with something simpler.

I think it could be as easy as:

  • visit https://ubuntu.com/pro and sign up for a token
  • sudo apt update
    sudo apt upgrade
    sudo apt install ubuntu-advantage-tools
    sudo pro attach <token>
    sudo apt update
    sudo apt upgrade
    
  • and use pro status and pro security-status for some status pages

The first post makes it look like a very complicated experience.

Thanks

1 Like

For me (and I’m quite sure for others too) this is a surprise. I bet everybody expected that pro config set apt_news=false would disable every message related to the pro version when doing apt upgrade. At least this is what Canonical led people to believe.
Now all of a sudden there are actually subcategories of the pro version. This doesn’t look nice and it’s just misleading.

So you would prefer that apt does not tell users about open security vulnerabilities on their system (and how to get the fixes for them)?

Sorry I have to say this, but I feel that this is the typical disingenuous marketing answer that you’d normally expect in other places, but consistent with Canonical’s misleading its users, as I said in the previous post.

The reason why I’m saying this is quite simple: you’re not addressing users’ concerns, you’re just talking about what the pro version has to offer. And I know it’s got a lot to offer, there’s no doubt about that, but you’re supposed to have boundaries (in an operating system, for example), and while it makes sense to promote update-related products exactly in APT, the main issue is that you are not giving users the option of opting out. So it’s an issue of restricting the freedom of choice. And it seems that this is happening, slowly, more and more.

So my short answer is: absolutely, yes, I prefer that APT doesn’t tell users about open vulnerabilities that they have to pay for, if they decide not to. It’s already on by default. It would be nice if you could just give the possibility of disabling it.