Note: The Ubuntu Advantage Client or UA client has been renamed to the Ubuntu Pro Client in line with the rebranding of Ubuntu Advantage to Ubuntu Pro. Specific commands have also been updated to refer to Ubuntu Pro rather than Ubuntu Advantage.
Accessing Pro services
New to Ubuntu Pro? Do you want to make sure you are getting the most out of it?
This guide will help you to understand what is included in Ubuntu Pro and how to activate additional features.
What is the Ubuntu Pro Client?
The Ubuntu Pro Client tool is designed to help automate the enablement of Ubuntu Pro services. The Ubuntu Pro Client is available for all Ubuntu LTS releases, but the specific services that are available will depend on the LTS release you are running. The Client is pre-installed on most Ubuntu LTS releases and all Pro images in the major public clouds.
In this document we will cover the fundamentals of how to use the Pro Client and show you how to use the
pro enable <service> command for activating the Ubuntu Pro services such as Expanded Security Maintenance (ESM), Kernel Livepatch, the CIS Benchmark tool, Common Criteria, and FIPS 140-2 certified crypto modules. See https://ubuntu.com/pro for more details on the various Ubuntu Pro services.
For more details on the Ubuntu Pro Client and how to use its features, you can also check out our documentation.
What you’ll learn
You’ll learn how to get started with accessing the Ubuntu Pro services.
For Public Cloud Ubuntu Pro instances, the Ubuntu Pro Client is preconfigured and many Ubuntu Pro services will be auto-enabled by default. You will learn how to use the Ubuntu Pro Client to manage the Ubuntu Pro services.
What you’ll need
- An Ubuntu Pro free token, monthly trial token or paid subscription token
- A device with an installed and configured Ubuntu Desktop, Ubuntu Server or Ubuntu Pro image
Step 1: Install the Ubuntu Pro Client
We first need to make sure that we have the latest version of the Ubuntu Pro Client running:
sudo apt update sudo apt install ubuntu-advantage-tools
To check which version of the Ubuntu Pro Client you are using, run:
You should have a version greater than or equal to 27.11.2. This version is currently being rolled out to all of Ubuntu in phases.
If you get “Command ‘pro’ not found” then you haven’t gotten the update yet. You can skip the phasing and get it early by running:
sudo apt install ubuntu-advantage-tools=27.11.2~$(lsb_release -rs).1
Step 2: Attach your Token to an Ubuntu machine
Once you are running the latest version of the Pro Client, you need to attach the Ubuntu Pro token to your Ubuntu machine to gain access to the Ubuntu Pro services.
First we need to retrieve our Ubuntu Pro Token from our Ubuntu Pro Dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the same email address used to create your free token, monthly trial token or paid subscription token.
The Ubuntu One account functions as a single-sign-on, so once logged in we can go straight to the Ubuntu Pro dashboard at http://ubuntu.com/pro. Then click on the ‘Machines’ column in the Subscriptions table to reveal your token.
Now we’re ready to attach our Ubuntu Pro token to the Ubuntu Pro client:
sudo pro attach <your_pro_token>
You should then see something like the following:
Updating package lists Enabling default service esm-infra Updating package lists Ubuntu Pro: ESM Infra enabled Enabling default service livepatch Installing canonical-livepatch snap Canonical livepatch enabled. This machine is now attached to 'your contract here' SERVICE ENTITLED STATUS DESCRIPTION esm-infra yes enabled Expanded Security Maintenance for Infrastructure livepatch yes enabled Canonical Livepatch service
Please note that Expanded Security Maintenance and Livepatch will auto-enable once your token has been attached to your machine.
After attaching your Token to a machine you can use the Ubuntu Pro Client to activate most of the Ubuntu Pro services, including FIPS, USG for CIS or DISA STIG, and Common Criteria EAL2. For more details of how to use the Pro Client, please refer to the Pro Client documentation.
Step 3: Activate Ubuntu Pro services
Expanded Security Maintenance (ESM)
LTS or ‘Long Term Support’ releases of Ubuntu are published every two years in April.
For each Ubuntu LTS release, Canonical is committed to providing ten years of support for each Ubuntu LTS release. The Ubuntu lifecycle consists of an initial five-year maintenance period, during which maintenance updates are publicly available without an Ubuntu Pro subscription, and five years of Expanded Security Maintenance (ESM). For Ubuntu Pro customers, ESM provides fixes for high and critical CVEs for the most commonly used server packages in the Ubuntu Main and Universe repository.
ESM is automatically enabled during the
pro attach command. For Public Cloud Ubuntu Pro customers, ESM-infra is pre-enabled on all Ubuntu Pro instances. If ESM-infra is not enabled, you can enable it with the following command:
sudo pro enable esm-infra
Your system may have indicated that it was up to date before enabling ESM. However, with the ESM repository enabled, you will likely see a number of new package updates available.
If you have cron jobs set to regularly install updates, or other unattended upgrade methods configured, be aware that after enabling ESM this will likely result in a number of packages getting updated from the ESM repository.
After enabling ESM the cached list of packages available needs to be updated. To do this run the following command.
sudo apt update
After running that command you should get a message saying that a number of packages have updates available. You can see what versions are available with the following:
sudo apt list --upgradable
apt upgrade will then allow you to install those available updates.
sudo apt upgrade
The Canonical Kernel Livepatch service is designed to help you maximize uptime without compromising on security. Livepatch automatically patches the Ubuntu Linux Kernel when high or critical CVE fixes have been applied to the Kernel, and Kernel only.
Livepatch does not apply standard updates. Instead, it patches vulnerabilities by injecting lines of code into the Ubuntu kernel as it runs. This has two main effects:
- You will still need to apply kernel security updates at least semi-regularly, but using Livepatch gives you the flexibility to apply those updates at a time that is convenient for you.
- You can expect to still receive alerts about available fixes for kernel vulnerabilities that Livepatch is already protecting you from. To see which CVEs Livepatch is protecting you from, you can run the following command:
canonical-livepatch status --verbose
- Kernel version 4.4 or above (16.04+ delivered via the HWE Kernel https://wiki.ubuntu.com/Kernel/LTSEnablementStack 5).
- The ESM repo is enabled and up-to-date - specifically packages like snapd.
Livepatch is automatically enabled after attaching the Token to your machine. For Public Cloud Ubuntu Pro customers, Livepatch is pre-enabled on all Ubuntu Pro instances except for the Ubuntu Pro FIPS images.
Check whether Livepatch is enabled on your Ubuntu machine by running:
sudo pro status
If it is not enabled, you can enable it by running:
sudo pro enable livepatch
You should see output like the following, indicating that the Livepatch snap package has been installed.
One moment, checking your subscription first Installing snapd Updating package lists Installing canonical-livepatch snap Canonical livepatch enabled.
To check the status of Livepatch once it has been installed, use this command:
sudo canonical-livepatch status
Security Certifications (FIPS)
FIPS is supported on 16.04 ESM, 18.04 LTS, and 20.04 LTS. When enabling FIPS with the Ubuntu Pro client there are two options: FIPS and FIPS-updates. FIPS is the set of packages that were officially certified by NIST. These do not receive updates past the initial certification process.
FIPS-updates is a set of packages built to the same specification as those certified by NIST, but receive regular updates as High and Critical CVEs are patched for those packages. These packages should be FIPS compliant, but have not gone through the official certification process.
It is highly recommended to enable FIPS-updates rather than FIPS with the Ubuntu Pro Client, unless you have a requirement for Strict FIPS in your environment as you can only use certified FIPS modules.
More information: https://ubuntu.com/security/certifications/docs/fips
For more information on other options and configurations around use of the Ubuntu Pro Client, please refer to the official Pro Client documentation.
Ubuntu Security Guide
Security Technical Implementation Guides like the CIS benchmark or DISA-STIG have hundreds of configuration recommendations, so hardening and auditing a Linux system manually can be very tedious. Ubuntu Security Guide (USG) is a new tool available with Ubuntu 20.04 LTS that greatly improves the usability of hardening and auditing, and allows for environment-specific customisations. The following sections provide more information on hardening and auditing with USG.
For a quick start with Ubuntu Security Guide for CIS for DISA-STIG consider using this tutorial.
The Ubuntu Pro Client can be configured to use an HTTP/HTTPS proxy as needed for network requests. In addition, the Ubuntu Pro Client will automatically set up proxies for all programs required for enabling Ubuntu Pro services. This includes APT, Snaps, and Livepatch.
For a quick start with HTTP/HTTPS proxies, we have a guide on how to configure a proxy in the official documentation.