Ubuntu Pro - FAQ

There are different approaches here, but generally the preferred means is to use an airgapped contract server to distribute Ubuntu Pro tokens within your air gapped infrastructure.
This is an advanced use case, and we recommend speaking with our Customer Success team (through the support channels) to implement this in the best way for your environment.

@Lech So the 5 VMs limit for personal use is separate from the 5 devices limit? I’m training in multiple IT related subjects and my home lab is going to be running Ubuntu. However at least one of my courses is likely to go over this limit. Either the one involving the administering a virtualisation system and/or my web development course.

There’s also afterwards as likely to be doing development type projects in my home lab in a full stack web type area.

hi, @mrgrymreaper

The 5 devices is a limit for free personal use. This includes any physical or physical servers, devices or workstations. You could use that for your servers, and then to cover your workstations, you could get that commercially at $25 per workstation per year.

1 Like

@Lech I have 3 physical servers. One of them is shared storage for the other two. The other two are running hypervisors like VMware ESXi, XCP-ng etc.

For me the issue and the FAQ question really revolves around the limitation on the number of VMs. What would really help is if the number of VMs running on the hypervisors for personal use could receive a boost possibly to around 12-25 or somewhere close to this. The number of physical servers, workstations and devices covered of 5 can remain the same.

How would you advise dealing with this please and can this form a basis for feedback on improving the for personal use “Ubuntu Pro Infra-only”?

Hi @Lech,

I too really are looking forward to that splitting up of physical from virtual. It would really help me and also aid the implementation of my feedback. That I have already posted about earlier ( Ubuntu Pro - FAQ).

As people on the kind of courses that I’m on will likely have multiple VMs on the go, these will bring them over the limit. Especially the Web Development and the Virtualisation Administration one.

Hi @Lech,

I understand that Ubuntu Pro is only tracking the number of active users.
I would like to get clarity on this point regarding physical machines.
What exactly happens if I enroll more devices than I am entitled to? Let’s say some of the Pro attached devices were inactive for some time. When they come back online, the number of active devices will be higher than the the number of machines allowed in my subscription.

Do the machines get automatically kicked off Ubuntu Pro? Or features like esm-apps, esm-infra and livepatch get temporarily disabled?

Thanks in advance.

1 Like

Hi @Lech,

Could you please share, if I activate Ubuntu Pro on my VM, is it going to make any changes to my system, apps, repositories, or env?
And if I detach my pro token from my VM- will cause any issues or make changes to my VM?
Thanks in advance!

Hello! We have realtime Ubuntu machines that are used for robot control and are embedded in the robot. We are trying to figure out which Pro license is appropriate for them. Based on your two tests above, they are neither desktop machines nor servers: they have no desktop interface, but the software they run is robot control software, not something you’d run on a server. Thanks!

Ubuntu Pro and Bitdefender

Hi to all,

We were for a longtime looking a desktop distribution (rpm or deb based) that will comply with CIS Workstation Level 1 or even better level 2, and get quicker security fixes. Of course we are ready to pay an annual subscription for that.
We use Bitdefender Gravity Zone to enforce misconfigurations and vulnerabilities.

On Ubuntu 22.04.3 and after executing the CIS scripts (Level 1 and 2) we had:

  • Bitdefender still reported more than 50 misconfigurations
  • More worrying, 47 packages with vulnerabilities

In those vulnerabilities :

  • openssh 1:8.9p1-3ubuntu0.4 CVSS v3 : 9.8
  • ghostscript 9.55.0~dfsg1-0ubuntu5.4 CVSS v3 : 9.8
  • libarchive 3.6.0-1ubuntu1 CVSS v3 : 9.8
  • perl 5.34.0-3ubuntu1.2 CVSS v3 : 9.8
  • bash 5.1-6ubuntu1 CVSS v3 : 7.8
  • apparmor 3.0.4-2ubuntu2.2
  • vim 2:8.2.3995-1ubuntu2.11 CVSS v3 : 7.8

and others like ffmpeg 7:4.4.2-0ubuntu0.22.04.1+esm1, …

Are we missing something ? For some vulnerabilities it is however possible of a bitdefender mistake, we are looking into that too but most confirmed like libarchive


Hi @mrgrymreaper

First, I believe that 5 active machines - incl. physical servers, VMs or workstations would be more than enough for personal use. So your ask of 12-25 sounds like a commercial use-case to me. Do you actively use that many VMs within any given 24h? How many physical hypervisors do you need to cover?

Second, a personal subscriptions give you access to the full Ubuntu Pro not limited Ubuntu Pro (Infra-only). If, for example you would like to cover 3 physical machines with unlimited VMs, you could do that with a commercial subscription (quick solution). It would be 3x$500 for the full Ubuntu Pro or 3x$225 for Ubuntu Pro (Infra-only). You can buy directly in the shop

Finally - this is more mid-term, but let me check with our team to reconsider the 5 machines limitation for personal use. I believed that it would cover all personal use-cases, but I will find out if we could be even more generous on that front.


Hi @amalantony1806

we would monitor the number of active machines you have connected to the subscription and if we observe abuse that is not incidental we could notify you about it via email, or disable your subscription.

1 Like

hi @markpaters

Our sales team and @Gabriel-AN can help you with that. We offer an embedding program for partners using Ubuntu in robots and IOT devices.
You can find our more at https://ubuntu.com/internet-of-things

1 Like

Hello, @newtounbuntu-j
Attaching itself will not change anything, but by enabling the services you get some modifications.
When you activate Ubuntu Pro in your VM using the pro attach command, by default, you get the recommended services enabled. You can change which services are automatically enabled when attaching a specific token in your dashboard. See https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/howtoguides/get_token_and_attach.html

If you don’t change anything, you get esm-infra, esm-apps and livepatch by default (when applicable). Then, there will be changes to your apps, system and repositories:

  • repositories (authenticated repositories actually) will be added, so you have access to esm-infra and esm-apps
  • when enabling livepatch, if you don’t have snapd installed, the Client will attempt to install it. Then, it will install and configure the canonical-livepatch snap.

Detaching, on the other hand, will make fewer changes - the Client does not attempt to remove anything app-wise or system-wise: it will only remove the apt repository configuration which grants access to the service. Esm packages, for instance, will not be removed.

Please feel free to reach out if you still carry any doubt.

1 Like

Hi Christopher,

Thanks for taking the time to post the results of your investigations here. I think that there a several factors at play, based on the information that you’ve provided.

CVE reports can sometimes be given alarmingly high scores which turn out to be unrealistic in practice. Canonical’s security team deals with all vulnerability reports affecting the Ubuntu software ecosystem and makes their own assessment based on how the software is built, packaged and deployed within Ubuntu. In some cases their assessment can differ from the published CVE score: for instance, there is a reported vulnerability in libarchive which has a CVSS v3 score of 9.8, but which our team has triaged as Low severity - https://ubuntu.com/security/CVE-2022-36227
When patching vulnerabilities there is a balance to be made between fixing potential issues and disrupting production systems. For low risk issues, we tend to favour stability where possible.

Do have a look at Alex Murray’s recent posting about this: https://ubuntu.com/blog/securing-open-source-through-cve-prioritisation

The other issue is that some scanning tools do not correctly parse the package version information. Canonical takes security patches that have been applied to updated versions and backports them to the package versions which have been fixed for a release, as we value stability. The package version number will remain the same, and we add a suffix to indicate that it has been patched. Naive checkers see the main version number is unchanged and report it as vulnerable. In this case, the checking tool is reporting a false positive result.

In both cases, Canonical is providing what we consider to be a secure and stable distribution, and the scanning tool is misreporting vulnerabilities.

For the CIS hardening checks, I can’t really comment without more details I’m afraid.

We will try to reach out to Bitdefender to find out why their reporting is not aligned.

1 Like


Does this still apply for small-scale commercial use? We are a small startup <10 people, and are only running 2 machines. I don’t see in the Pro page any sign up for small commercial use, only free personal use. Same with the Pro Dashboard, which provides a free personal token and not a free/small commercial token.

The terms of service seem to indicate that the small commercial use is under the umbrella of personal, but I wanted to double check.

Well it may sound commercial to you but that’s around the number which Redhat’s offering individual developers and home (personal use).

Though that’s for machines (physical and virtual) together, so if your going to out compete them your going to need, to do better in some way.

Hi, some questions I can’t seem to find answered elsewhere.

  • I have a personal Ubuntu Pro account.
  • I attached a machine on which I run on-premise landscape
  • On Landscape docs, it says with Ubuntu Pro I can manage as many Ubuntu-Pro machines as I like
  1. How to say to on-premise landscape which ubuntu pro account to use?
  2. Are the landscape-managed machines to be all from the same Pro account?
  3. Are there limits imposed by the Pro account level?

Thank you very much.

Hi, I have a question I haven’t been able to find an answer to.

I currently have a trial of Ubuntu Pro for my organization’s ESXi cluster. Do I need to attach the subscription to the physical ESXi nodes somehow?

My suspicion is that I don’t need to do anything with the physical nodes, and I can just start attaching VMs to the subscription. If I do that though, it looks like my “Active Machines” count is going to far exceed the “Machines” count on my subscription.

hi @mdibrowerch

thanks for reaching out!

You do not need to attach the subscription to the physical ESXi nodes. Be sure you got enough physical subscriptions for your hypervisors to cover the whole Ubuntu estate. Then simply attach your VMs to the subscription using the token provided. The pro client can recognise if you are running a VM or a physical node.

As you noticed, the Ubuntu Pro dashboard doesn’t present you that distinction. At the moment it gives you a total count of active machines (without VM/physical split). This is going to change in the next iteration.

hope it helps!


point taken @mrgrymreaper
We will revisit this number during the next product sprint
thanks for your feedback!