Get started with Ubuntu Pro
New to Ubuntu Pro? This how-to guide will help you understand how to activate your Ubuntu Pro subscription and choose which services to enable. Together, we will identify security updates available uniquely with an Ubuntu Pro subscription, and we will apply fixes.
We will start by getting a free, personal subscription. Then we will attach this subscription to your existing Ubuntu LTS machine and enable the Expanded Security Maintenance for Applications (esm-apps) in beta, to find out if any additional security fixes are available for you on your machine.
What you’ll learn
- What Ubuntu Pro is and how to use it
- How to check the source of your installed packages
- How to attach an Ubuntu Pro subscription to your existing Ubuntu LTS machine
- How to check for and apply security updates on your Ubuntu machine, including security updates for Ubuntu Universe packages which are only available with Ubuntu Pro
What you’ll need
- An Ubuntu machine running 16.04 LTS, 18.04 LTS, 20.04 LTS or 22.04 LTS
- Sudo access
- An email address, or an existing Ubuntu One account
- Ubuntu Pro client version 27.11.2 or newer
Before we start
a. Make sure that you are up to date
$ sudo apt update && sudo apt upgrade
b. Ensure that you’re running the latest version of the pro client.
$ pro --version
$ pro --version 27.11.2~20.04.1
I can see that I am running version 27.11.2, so no need to update.
If you run a previous version of the client, you have two options:
- You could wait for the pro client update, which is now released and phased to get to all Ubuntu machines by October 9th, 2022, or
- Consider bypassing the update phasing and install the client version 27.11.2 using the following command:
$ sudo apt install ubuntu-advantage-tools=27.11.2~$(lsb_release -rs).1
Identify the source repository of your installed packages
First, let’s find out how many deb packages are installed on your machine and from which source. Run
$ pro security-status
$ pro security-status 2190 packages installed: 1870 packages from Ubuntu Main/Restricted repository 281 packages from Ubuntu Universe/Multiverse repository 10 packages from third parties 29 packages no longer available for download To get more information about the packages, run pro security-status --help for a list of available options. This machine is not attached to an Ubuntu Pro subscription. Main/Restricted packages receive updates with LTS until 2025. Try Ubuntu Pro beta with a free personal subscription on up to 5 machines. Learn more at https://ubuntu.com/pro
OK, so there are 2190 deb packages installed on your machine.
- 1870 packages are from Ubuntu Main/ Restricted repository which means that they receive Ubuntu LTS updates until 2025. This is covered without any subscription but can be expanded with Ubuntu Pro for an additional 5 years, until 2030.
- 281 packages are from Ubuntu Universe/ Multiverse repository and they come with no security assurance with Ubuntu LTS. They would be covered by Ubuntu Pro and there might be beta security updates available for them today. Let’s find out if that is the case.
Note: if you’re currently not using any packages from the Ubuntu Universe repository, that line will not be displayed.
At the bottom of the output, I am notified that I can get a free personal Ubuntu Pro subscription for 5 machines. Let’s get one!
Get your free Ubuntu Pro subscription
a. Create an Ubuntu One account
If you do not already have an Ubuntu One account, create one - Ubuntu One is the single account you use to log in to all services and sites related to Ubuntu, including Ubuntu Pro which is free of charge for personal use on up to 5 machines.
b. Confirm the email address
Simply click the link provided in the email.
c. Retrieve the token
You will be automatically redirected to your Ubuntu Pro dashboard (ubuntu.com/pro); an additional google captcha confirmation step might be required.
Your Ubuntu Pro token will be listed under ‘Free Personal Token’
Attach your Ubuntu LTS machine to an Ubuntu Pro subscription using the token
Now that we have our Ubuntu Pro token, we can attach it to our Ubuntu instance. Open the terminal on your Ubuntu LTS, and type the following command:
$ sudo pro attach [YOUR_TOKEN]
You should see some of the Ubuntu Pro services - Expanded Security Maintenance for Infrastructure (esm-infra), and Livepatch - automatically enabling, while others will remain disabled until you switch them on:
$ sudo pro attach [YOUR_TOKEN] Enabling default service esm-infra Updating package lists Ubuntu Pro: ESM Infra enabled Enabling default service livepatch Canonical livepatch enabled. Unable to determine current instance-id This machine is now attached to 'Ubuntu Pro - free personal subscription' SERVICE ENTITLED STATUS DESCRIPTION esm-infra yes enabled Expanded Security Maintenance for Infrastructure fips yes disabled NIST-certified core packages fips-updates yes disabled NIST-certified core packages with priority security updates livepatch yes enabled Canonical Livepatch service usg yes disabled Security compliance and audit tools NOTICES Operation in progress: pro attach Enable services with: pro enable <service> Account: [YOUR_EMAIL] Subscription: Ubuntu Pro - free personal subscription
Note: This output will depend on your Ubuntu LTS version; for instance
usg are not yet available on Ubuntu 22.04 LTS.
Enable the esm-apps service (in beta)
Now, let’s enable the esm-apps beta service by running
$ sudo pro enable esm-apps --beta
$ sudo pro enable esm-apps --beta One moment, checking your subscription first Updating package lists Ubuntu Pro: ESM Apps enabled
Remember that you need to attach a Pro subscription first. If you haven’t done it in advance, you will see the following message.
$ sudo pro enable esm-apps --beta To use 'esm-apps' you need an Ubuntu Pro subscription Personal and community subscriptions are available at no charge See https://ubuntu.com/pro
Find out if any additional security patches are available for you
Check if any additional security updates for the packages from the Ubuntu Universe repository are available for you.
$ apt list --upgradable | grep apps-security to find out which packages can be upgraded. Ubuntu Pro: esm-apps packages will be listed under release-apps-security
$ apt list --upgradable | grep apps-security WARNING: apt does not have a stable CLI interface. Use with caution in scripts. redis-server/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1] redis-tools/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1] redis/focal-apps-security,focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 all [upgradable from: 5:5.0.7-2ubuntu0.1]
Ok, I can see that there are 3 packages related to Redis that have esm-apps security updates available for Ubuntu Pro.
Note: If you don’t see anything in your output, it means that no Ubuntu Pro security updates are currently available on that Ubuntu machine. In that case consider installing a package that would provide an output. Before doing that, please disable the esm-apps service and enable it again once the package is installed (otherwise it would install the new version right away and thereby you would not see the difference).
$ sudo pro disable esm-apps
$ sudo apt-get install pdfresurrect
$ sudo pro enable esm-apps --beta
And then move back to the top of step 7.
Identify which CVEs are affecting you
a. First, let’s add an apt source for the esm-apps deb-src repository. This will allow us to download the source packages directly which contain the CVE information.
$ echo "deb-src https://esm.ubuntu.com/apps/ubuntu $(lsb_release -s -c)-apps-security main" | sudo tee /etc/apt/sources.list.d/esm-apps-sources.list
b. Let’s make sure that apt is aware of those source packages by running
$ sudo apt-get update
c. Now, let’s download a source package for a package present on esm-apps (from step 7). In our example here, it will be redis.
$ sudo apt-get source redis
(This command will download the package on the same folder where the user runs the command):
d. Let’s now find a file that starts with the package name we downloaded and ends with debian.tar.xz. We can do that by running the following ls command:
$ ls [PACKAGE_NAME]*.debian.tar.xz
For example, for redis we should run:
$ ls redis*.debian.tar.xz redis_5.0.7-2ubuntu0.1+esm1.debian.tar.xz
e. We can now use this name to show the latest changelog entry
$ tar -xOf [PACKAGE_FILE] debian/changelog | sed "/--/q"
For example, for redis we should run:
$ tar -xOf redis_5.0.7-2ubuntu0.1+esm1.debian.tar.xz debian/changelog | sed "/--/q" redis (5:5.0.7-2ubuntu0.1+esm1) focal-security; urgency=medium * SECURITY UPDATE: Several security issues. - debian/patches/CVE-2021-32626.patch: Fix invalid memory write on lua stack overflow - debian/patches/CVE-2021-32627_32628.patch: Fix ziplist and listpack overflows and truncations - debian/patches/CVE-2021-32672.patch: Fix protocol parsing on 'ldbReplParseCommand' - debian/patches/CVE-2021-32675.patch: Prevent unauthenticated client from easily consuming lots of memory - debian/patches/CVE-2021-32687.patch: Fix Integer overflow issue with intsets - debian/patches/CVE-2021-41099.patch: Fix integer overflow in _sdsMakeRoomFor - CVE-2021-32626 - CVE-2021-32627 - CVE-2021-32628 - CVE-2021-32672 - CVE-2021-32675 - CVE-2021-32687 - CVE-2021-41099 -- Eduardo Barretto <email@example.com> Tue, 08 Mar 2022 09:52:58 +0100
I can now see all CVE fixes available for redis with Ubuntu Pro. They fix the following CVEs:
You can learn more about those security vulnerabilities on Ubuntu security pages, e.g. https://ubuntu.com/security/CVE-2021-32626
Note: as those security fixes are currently in beta, the USNs will not yet be announced.
PS: You can delete the “/etc/apt/sources.list.d/esm-apps-sources.list” file after looking at the changelog.
Upgrade packages to a patched version
Now that we have identified which packages and CVEs are affecting you, let’s get them fixed.
$ sudo apt upgrade Reading package lists... Done Building dependency tree Reading state information... Done Calculating upgrade... Done The following packages will be upgraded: redis redis-server redis-tools 3 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade. 3 esm-apps security updates Need to get 532 kB of archives. After this operation, 0 B of additional disk space will be used. Do you want to continue? [Y/n] y Get:1 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis-server amd64 5:5.0.7-2ubuntu0.1+esm1 [37.4 kB] Get:2 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis-tools amd64 5:5.0.7-2ubuntu0.1+esm1 [491 kB] Get:3 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis all 5:5.0.7-2ubuntu0.1+esm1 [3,072 B] Fetched 532 kB in 1s (393 kB/s) (Reading database ... 281498 files and directories currently installed.) Preparing to unpack .../redis-server_5%3a5.0.7-2ubuntu0.1+esm1_amd64.deb ... Unpacking redis-server (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ... Preparing to unpack .../redis-tools_5%3a5.0.7-2ubuntu0.1+esm1_amd64.deb ... Unpacking redis-tools (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ... Preparing to unpack .../redis_5%3a5.0.7-2ubuntu0.1+esm1_all.deb ... Unpacking redis (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ... Setting up redis-tools (5:5.0.7-2ubuntu0.1+esm1) ... Setting up redis-server (5:5.0.7-2ubuntu0.1+esm1) ... Setting up redis (5:5.0.7-2ubuntu0.1+esm1) ... Processing triggers for man-db (2.9.1-1) ... Processing triggers for ureadahead (0.100.0-21) ... Processing triggers for systemd (245.4-4ubuntu3.18) ...
Find out how many esm-apps fixes have been installed overall
$ pro security-status 2190 packages installed: 1870 packages from Ubuntu Main/Restricted repository 281 packages from Ubuntu Universe/Multiverse repository 10 packages from third parties 29 packages no longer available for download To get more information about the packages, run pro security-status --help for a list of available options. Main/Restricted packages receive updates with LTS until 2025. Universe/Multiverse packages are receiving security updates from Ubuntu Pro with 'esm-apps' enabled until 2030. You have received 3 security updates.
Congrats! It seems that packages have been upgraded, so you’re not vulnerable to the CVEs listed in step 8 anymore. In the final output above, with
esm-apps --beta service enabled, we can see that 3 packages have received security updates.
What else can you use your Ubuntu Pro subscription for?
For users running in regulated environments, we have a set of FIPS-certified crypto-modules and hardening scripts available. To enable them, consider enabling other Pro services you are entitled to, such as the Ubuntu Security Guide.
$ sudo pro enable usg
That’s all, folks
Good job, you made it! You should now know how to access and use Ubuntu Pro, as well as understand all the great benefits Ubuntu Pro has to offer.
Still hungry to learn more about Ubuntu Pro? Head on over to Ubuntu Pro Discourse.