Ubuntu Pro Client

Note: The Ubuntu Advantage Client or UA client has been renamed to the Ubuntu Pro Client in line with the rebranding of Ubuntu Advantage to Ubuntu Pro. Specific commands have also been updated to refer to Ubuntu Pro rather than Ubuntu Advantage.

Accessing Pro services

New to Ubuntu Pro? Do you want to make sure you are getting the most out of it?

This guide will help you to understand what is included in Ubuntu Pro and how to activate additional features.

What is the Ubuntu Pro Client?

The Ubuntu Pro Client tool is designed to help automate the enablement of Ubuntu Pro services. The Ubuntu Pro Client is available for all Ubuntu LTS releases, but the specific services that are available will depend on the LTS release you are running. The Client is pre-installed on most Ubuntu LTS releases and all Pro images in the major public clouds.

In this document we will cover the fundamentals of how to use the Pro Client and show you how to use the pro enable <service> command for activating the Ubuntu Pro services such as Expanded Security Maintenance (ESM), Kernel Livepatch, the CIS Benchmark tool, Common Criteria, and FIPS 140-2 certified crypto modules. See https://ubuntu.com/pro for more details on the various Ubuntu Pro services.

For more details on the Ubuntu Pro Client and how to use its features, you can also check out our documentation.

What you’ll learn

You’ll learn how to get started with accessing the Ubuntu Pro services.

For Public Cloud Ubuntu Pro instances, the Ubuntu Pro Client is preconfigured and many Ubuntu Pro services will be auto-enabled by default. You will learn how to use the Ubuntu Pro Client to manage the Ubuntu Pro services.

What you’ll need

  • An Ubuntu Pro free token, monthly trial token or paid subscription token
  • A device with an installed and configured Ubuntu Desktop, Ubuntu Server or Ubuntu Pro image

Step 1: Install the Ubuntu Pro Client

We first need to make sure that we have the latest version of the Ubuntu Pro Client running:

sudo apt update
sudo apt install ubuntu-advantage-tools

To check which version of the Ubuntu Pro Client you are using, run:

pro version

You should have a version greater than or equal to 27.11.2. This version is currently being rolled out to all of Ubuntu in phases.

If you get “Command ‘pro’ not found” then you haven’t gotten the update yet. You can skip the phasing and get it early by running:

sudo apt install ubuntu-advantage-tools=27.11.2~$(lsb_release -rs).1

Step 2: Attach your Token to an Ubuntu machine

Once you are running the latest version of the Pro Client, you need to attach the Ubuntu Pro token to your Ubuntu machine to gain access to the Ubuntu Pro services.

First we need to retrieve our Ubuntu Pro Token from our Ubuntu Pro Dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the same email address used to create your free token, monthly trial token or paid subscription token.

The Ubuntu One account functions as a single-sign-on, so once logged in we can go straight to the Ubuntu Pro dashboard at Ubuntu Pro | Ubuntu. Then click on the ‘Machines’ column in the Subscriptions table to reveal your token.

Now we’re ready to attach our Ubuntu Pro token to the Ubuntu Pro client:

sudo pro attach <your_pro_token>

You should then see something like the following:

Updating package lists
Enabling default service esm-infra
Updating package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Installing canonical-livepatch snap
Canonical livepatch enabled.
This machine is now attached to 'your contract here'

SERVICE    ENTITLED  STATUS   DESCRIPTION
esm-infra  yes       enabled  Expanded Security Maintenance for Infrastructure
livepatch  yes       enabled  Canonical Livepatch service

Please note that Expanded Security Maintenance and Livepatch will auto-enable once your token has been attached to your machine.

After attaching your Token to a machine you can use the Ubuntu Pro Client to activate most of the Ubuntu Pro services, including FIPS, USG for CIS or DISA STIG, and Common Criteria EAL2. For more details of how to use the Pro Client, please refer to the Pro Client documentation.
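
A post-attach check built on the status table shown above, as an added example that is not part of the original tutorial or of the Pro Client: it parses the pro status table and lists every required service that is not both entitled and enabled. The names check_pro_services and SAMPLE_STATUS and the sample rows are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the service table printed by `pro status`.

# Constructed sample output (not captured from a real machine). The livepatch
# row shows "n/a", as on a platform where Livepatch is not available.
SAMPLE_STATUS='SERVICE          ENTITLED  STATUS    DESCRIPTION
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
fips-updates     yes       disabled  FIPS compliant crypto packages with stable security updates
livepatch        yes       n/a       Canonical Livepatch service

Enable services with: pro enable <service>'

# check_pro_services STATUS_TEXT SERVICE...
# Prints one line per required service that is not entitled and enabled.
# Returns 0 if all are enabled, 1 if any is not, 2 if no status table was found.
check_pro_services() {
    local status_text="$1"
    shift
    printf '%s\n' "$status_text" | awk -v required="$*" '
        BEGIN { n = split(required, want, " ") }
        # Header row marks the start of the table.
        $1 == "SERVICE" && $2 == "ENTITLED" && $3 == "STATUS" { hdr = 1; in_table = 1; next }
        # A blank line ends the table; trailing help text is ignored.
        in_table && NF == 0 { in_table = 0; next }
        in_table && NF >= 3 { entitled[$1] = $2; state[$1] = $3 }
        END {
            if (!hdr) { print "no status table found"; exit 2 }
            for (i = 1; i <= n; i++) {
                s = want[i]
                if (!(s in state)) {
                    print s ": not listed"; bad = 1
                } else if (entitled[s] != "yes" || state[s] != "enabled") {
                    print s ": entitled=" entitled[s] " status=" state[s]; bad = 1
                }
            }
            exit bad + 0
        }'
}

# Demo on the sample; on an attached host pass "$(pro status)" instead.
check_pro_services "$SAMPLE_STATUS" esm-infra livepatch || echo "exit code: $?"
```

The non-zero exit code makes the function usable as a gate in provisioning or compliance scripts, so a host where a required service failed to enable is caught right after attach.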

Step 3: Activate Ubuntu Pro services

Expanded Security Maintenance (ESM)

LTS or ‘Long Term Support’ releases of Ubuntu are published every two years in April.

For each Ubuntu LTS release, Canonical is committed to providing ten years of support. The Ubuntu lifecycle consists of an initial five-year maintenance period, during which maintenance updates are publicly available without an Ubuntu Pro subscription, and five years of Expanded Security Maintenance (ESM). For Ubuntu Pro customers, ESM provides fixes for high and critical CVEs for the most commonly used server packages in the Ubuntu Main and Universe repositories.

ESM is automatically enabled during the pro attach command. For Public Cloud Ubuntu Pro customers, ESM-infra is pre-enabled on all Ubuntu Pro instances. If ESM-infra is not enabled, you can enable it with the following command:

sudo pro enable esm-infra

Your system may have indicated that it was up to date before enabling ESM. However, with the ESM repository enabled, you will likely see a number of new package updates available.

If you have cron jobs set to regularly install updates, or other unattended upgrade methods configured, be aware that after enabling ESM this will likely result in a number of packages getting updated from the ESM repository.

After enabling ESM the cached list of packages available needs to be updated. To do this run the following command.

sudo apt update

After running that command you should get a message saying that a number of packages have updates available. You can see what versions are available with the following:

sudo apt list --upgradable

Running apt upgrade will then allow you to install those available updates.

sudo apt upgrade

Kernel Livepatch

The Canonical Kernel Livepatch service is designed to help you maximize uptime without compromising on security. Livepatch automatically patches the Ubuntu Linux kernel when high or critical CVE fixes have been applied to the kernel, and it patches the kernel only.

Livepatch does not apply standard updates. Instead, it patches vulnerabilities by injecting lines of code into the Ubuntu kernel as it runs. This has two main effects:

  1. You will still need to apply kernel security updates at least semi-regularly, but using Livepatch gives you the flexibility to apply those updates at a time that is convenient for you.
  2. You can expect to still receive alerts about available fixes for kernel vulnerabilities that Livepatch is already protecting you from. To see which CVEs Livepatch is protecting you from, you can run the following command:
    canonical-livepatch status --verbose
    

Livepatch requires:

Livepatch is automatically enabled after attaching the Token to your machine. For Public Cloud Ubuntu Pro customers, Livepatch is pre-enabled on all Ubuntu Pro instances except for the Ubuntu Pro FIPS images.

Check whether Livepatch is enabled on your Ubuntu machine by running:

sudo pro status

If it is not enabled, you can enable it by running:

sudo pro enable livepatch

You should see output like the following, indicating that the Livepatch snap package has been installed.

One moment, checking your subscription first
Installing snapd
Updating package lists
Installing canonical-livepatch snap
Canonical livepatch enabled.

To check the status of Livepatch once it has been installed, use this command:

sudo canonical-livepatch status

Security Certifications (FIPS)

FIPS is supported on 16.04 ESM, 18.04 LTS, and 20.04 LTS. When enabling FIPS with the Ubuntu Pro client there are two options: FIPS and FIPS-updates. FIPS is the set of packages that were officially certified by NIST. These do not receive updates past the initial certification process.

FIPS-updates is a set of packages built to the same specification as those certified by NIST, but these packages receive regular updates as High and Critical CVEs are patched. They should be FIPS compliant, but have not gone through the official certification process.

It is highly recommended to enable FIPS-updates rather than FIPS with the Ubuntu Pro Client, unless your environment has a Strict FIPS requirement under which you can only use certified FIPS modules.

More information: https://ubuntu.com/security/certifications/docs/fips

For more information on other options and configurations around use of the Ubuntu Pro Client, please refer to the official Pro Client documentation.

Ubuntu Security Guide

Security Technical Implementation Guides like the CIS benchmark or DISA-STIG have hundreds of configuration recommendations, so hardening and auditing a Linux system manually can be very tedious. Ubuntu Security Guide (USG) is a new tool available with Ubuntu 20.04 LTS that greatly improves the usability of hardening and auditing, and allows for environment-specific customisations. The following sections provide more information on hardening and auditing with USG.

For a quick start with Ubuntu Security Guide for CIS or DISA-STIG, consider using this tutorial.

Proxy configuration

The Ubuntu Pro Client can be configured to use an HTTP/HTTPS proxy as needed for network requests. In addition, the Ubuntu Pro Client will automatically set up proxies for all programs required for enabling Ubuntu Pro services. This includes APT, Snaps, and Livepatch.

For a quick start with HTTP/HTTPS proxies, we have a guide on how to configure a proxy in the official documentation.

When will livepatch be enabled for arm64? (Like the raspberry pi community)

pi@ubuntu:~$ sudo pro enable livepatch
One moment, checking your subscription first
Livepatch is not available for platform arm64.
Supported platforms are: amd64.

Canonical has taken a proactive approach towards getting our software prepared for future ARM64 support, and achieving this requires close collaboration with chip manufacturers, and other entities upstream of Canonical. We do not have a defined date on the table around when Livepatch will be available for ARM64, but we will be hosting webinars and publishing updates on the Ubuntu Blog when Livepatch-related news is available.

We are in the process of buying a Pro subscription, but one problem on 18.04 is blocking us:

    $ pro
    bash: pro: command not found
    $ sudo apt install ubuntu-advantage-tools 
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done 
    ubuntu-advantage-tools is already the newest version (17).
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    $ sudo apt install ubuntu-advantage-tools=27.11.2~$(lsb_release -rs).1
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    E: Version '27.11.2~18.04.1' for 'ubuntu-advantage-tools' was not found

Could you provide any workaround?

Hello there @b-atmaja

It seems your system can’t find the latest version of the Pro Client (the ubuntu-advantage-tools package).
Could you please:
a) run sudo apt update before running sudo apt install ubuntu-advantage-tools?
b) if that does not work, send us the output of the sudo apt update command, as well as apt policy ubuntu-advantage-tools?

Hi, I am enabling FIPS on my custom VM (based on Ubuntu 18.04). I am running into the following error.
Can someone pls help me get around this issue? Thanks for suggestion/help.

root@ubuntu:~# sudo pro enable fips
sudo: unable to resolve host ubuntu
One moment, checking your subscription first
This will install the FIPS packages. The Livepatch service will be unavailable.
Warning: This action can take some time and cannot be undone.
Are you sure? (y/N) y
Updating FIPS package lists
Installing FIPS packages
Updating standard Ubuntu package lists
Could not enable FIPS.
Updating package lists
APT update failed.
APT update failed to read APT config for the following:

  • file:/6wind/tools-build-framework/output/delivery/bin/Packages

root@ubuntu:~#

Hello, @mukulsharma

Please file a Launchpad bug for ubuntu-advantage-tools so our team can take a deeper look into it.
To make it easier for us, please run sudo pro collect-logs and send us the resulting tarball attached to the bug report.

Hi, I had Ubuntu on my laptop; I think I had 24.04 LTS. I got offered an Ubuntu Pro upgrade. I was not paying attention, because updates worked before, even upgrades to the next LTS.

But then my laptop started to have problems copying from my mobile to an NTFS partition. And after that it did not boot again. I have dual boot; there is Windows on my laptop. But my drive with Ubuntu is lost, and the NTFS partition used for data and shared with Windows too. Simple disk repair tools can get most of my data from that drive. Repair in the boot menu does not work either.

I think Ubuntu Pro just messed up my partitions, but not too much. What can I do now?

btw the laptop is a Huawei MateBook D 14.

I cannot provide more information, since my Ubuntu is not booting.

thx

Matthias
