Ubuntu Pro - FAQ

Thank you for the response. I can’t get the button to work, everythings seems to be saved. I’ll wait till next week.

As I didn’t find it anywhere, could you please comment on the following?

  1. What is the frequency of the CVE security patches on average?
  2. What is the time difference between security patches between PRO and upstream?

Thank you

In this blog post you can find detailed information. But to summarize, the Ubuntu security team is triaging, fixing and releasing updated software packages for known vulnerabilities every day. On average, the team is providing more than 3 updates each day, and the most vital updates are prepared, tested and released within 24 hours.

It will depend on the CVE priority. As stated above, critical vulnerabilities are released within 24 hours. Then, on average, high CVEs are patched within 30 days, and medium CVEs within 60 days since they are known to the Ubuntu Security Team. This criteria applies to every package affected by the vulnerability, across every Ubuntu release actively supported.

In general, preparing a security update requires not only a proper understanding of the security issue and its impact on the package(s), but also a great engineering effort to make sure that the issue is fixed and no regressions are introduced. Please note that the security team might need to backport the upstream fixes/patches to older versions of the vulnerable software as they are present in the different affected Ubuntu releases.

In this wiki you can find more details about the processes and tools involved in preparing, testing and releasing security updates. Also, please note that packages which have autopkgtest enabled will have their tests run automatically on the Ubuntu infrastructure whenever they get updated or any of their dependencies change. This means any other package that depends on the one being updated, will also have their tests run every time security engineers release a security update.

These strong building and testing processes and infrastructure, contribute to make Ubuntu as one of the most robust and secure Operating Systems.

1 Like

FYI: The wording is kind of strange here. “Machines” seems to be used for hosts and virtual machines in the backend? There are 4 licenses for hypervisor-hosts, and 7 attached Ubuntu VMs in the screenshot. It looks to the visitor, as if the ubuntu vms are counted as licenses, and so 3 licenses are missing.

image

Could you please clarify how Ubuntu Pro subscription works with CI? To have a specific example, let’s say I build docker images from Ubuntu base and want to install “pro” security patches in them, how many licenses do I need? There’s just one build agent where images are built, but many places where containers are run. So is it one license for the builder, or many licenses for however many machines I run containers on? Does it matter if those containers themselves run on Ubuntu or not?

I have not been able to find a way to see what hosts are subscribed to Ubuntu Pro, from a centralized view. I have searched all hosts that I have access to, and can only account for 4 installations, though it says I have 5.

I’m trying to figure out how an enterprise, paying $500/license minmum, would audit for abuse, and track down unauthorized licensing of assets (e.g. An admin licensing their personal hosts).

I have not been able to find any docs or screens on hostnames, IPs or other identifiers for hosts that are licensed. …and with that, will there be a way to centrally detach / ban clients or replace keys.

Any assistnace is appreciated…Thanks!

1 Like

So I created an account, used one of my five free pro tokens to register a VM, then crashed it (I was experimenting with realtime kernel on 512MB of memory, oops). I blew it away… deleted the VM… now, have I lost that one free pro token, no way to revoke it and get it back?

1 Like

Lech, good evening!

Do you know if it is possible to detach one machine that I don’t have more access? I have reinstalled the system (3 times) and forgot to detach the machine from Pro subscription before erase everything.

1 Like

hey @maculan , you don’t have to worry about detaching. if you don’t use a machine anymore it won’t show up as active

hi @tt-admin. Thanks for raising that. We are planning to separate VMs and physical machines on this dashboard in the future. For now this is an aggregate view of all attached & active machines

yes, indeed. you should have Ubuntu Pro on all machines where you use bits from Ubuntu Pro. So if those containers you build with Pro bits run on other machines - those machines should have an Ubuntu Pro license as well

hey @rude-yw. don’t worry about tokens on deleted VMs, you are entitled to 5 ‘active’ machines.

Excellent question about tracking Ubuntu Pro consumption. Landscape is an excellent tool to ensure all your Ubuntu instances have the Ubuntu Pro entitlement, and also provides a way to audit your estate to identify if Ubuntu Pro subscriptions are applied to a machine, or if they have expired. Landscape is a systems management solution with a web based dashboard, and the Landscape agent periodically communicates with a Landscape Server installation hosted in your infrastructure, or on our cloud.

To audit your estate, you can use Landscape’s remote script execution capability (scroll down to “Managing Scripts”) to run the following script: https://github.com/canonical/landscape-scripts/blob/main/management/Pro/uastatus.sh

This script will store custom metadata, in this case, information about your Ubuntu Pro subscription, within Landscape. You can run this script on demand at any time across your entire Ubuntu estate, and get up to date information that can be exported from Landscape into a CSV report, at any time.

Hi

I’ve tried calling Ubuntu multiple times on different days but no one answered. How do I attach Ubuntu pro to my virtual machines on a single proxmox server? I should be able to use it on an unlimited number of virtual machines since it’s a single host right?

Hello,

one of my customers runs some servers in a secured environment with a very limited access to the internet. The servers are managed via Foreman and Puppet. He is interested in using the RT kernel of Ubuntu Pro. Is it possible to sync the Pro packages to an internal mirror? Is it possible to register the servers across proxy systems? Is there any further information on implementation via Puppet?
Best,
Marc

yes, you can do it with a paid subscription by attaching the same physical machine token to each of your VMs. Free subscriptions don’t benefit from unlimited VM coverage and are limited to 5 machines (physical or virtual).

2 Likes

It is possible to leverage the benefits of Ubuntu Pro in airgapped environments, and Pro Client will respect Proxy Configurations. Setting http_proxy will impact Pro Client, Livepatch Client, and Snap. There is a ua_apt_http_proxy for requests apt sends to esm.ubuntu.com, and a global_apt_http_proxy which proxies all apt downloads. This is explained in more detail at this page:

https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/howtoguides/configure_proxies.html

There is a process that can be followed for setting up an airgapped contract server, which distributes Ubuntu Pro entitlements to machines inside the airgapped environments. Our Customer Success team helps customers with this. You can use apt-mirror or reprepro, and if you are motivated to use Puppet and Foreman, you can certainly use those tools. Landscape will have improved repository management capabilities, with special considerations for airgapped use cases, over the next few release cycles. It’s worth keeping an eye on the developments in Landscape Beta, where these features will arrive first.

2 Likes

Hi,
is it correct that the RT kernel does not support Nvidia drivers?

Hi @marcr, thanks for your question.

You are correct. Real-time Ubuntu doesn’t currently support NVIDIA drivers (please note the drivers declare themselves as incompatible with real-time kernels, as they have build time checks and fail to generate .ko).

If you need an NVIDIA SoC and have tight requirements, you can look into our low-latency kernel instead.

1 Like

thanks @rajanpatel
are there any instructions on how to run pro over a local mirror or in airgapped environments?