Objective

...

Introduction

This guide outlines the necessary steps for migrating to an Ubuntu Pro On-Premise (VSS CGN) instance from an existing Ubuntu Pro subscription, ensuring a seamless transition.

Note

Currently there is no support for realtime-kernel in Ubuntu Pro On-Premise. Please disable realtime-kernel and revert your kernel settings.

Current Active Services

Service      Description
esm-apps     Expanded Security Maintenance for Applications
esm-infra    Expanded Security Maintenance for Infrastructure
livepatch    Canonical Livepatch service

Pre-requisites

  1. To ensure smooth operation, please detach any previously connected virtual machines from Ubuntu Pro. Execute the following commands with administrative privileges:

    Code Block
    pro detach

    output:

    Code Block
    Detach will disable the following services:
        esm-apps
        esm-infra
        landscape
        livepatch
    Are you sure? (y/N) y
    Updating package lists
    Updating package lists
    Executing `landscape-config --disable`
    /etc/landscape/client.conf contains your landscape-client configuration.
    To re-enable Landscape with the same configuration, run:
        sudo pro enable landscape --assume-yes
  2. The following configuration lines should be removed from /etc/apt/auth.conf.d/90ubuntu-advantage:

    Code Block
    machine esm.ubuntu.com/apps/ login bearer password ... # ubuntu-advantage-tools
    machine esm.ubuntu.com/infra/ login bearer password ...  # ubuntu-advantage-tools

    Run the command below if the file still exists:

    Code Block
    echo "" > /etc/apt/auth.conf.d/90ubuntu-advantage
  3. Remove the virtual machine from the Landscape server.

...

  4. Run the following command through the vss-cli to present the latest endpoint settings:

    Code Block
    vss-cli compute vm set {id} ubuntu-pro attach

Ubuntu Pro

  1. Configure the Ubuntu Pro Client by editing the contract_url setting in /etc/ubuntu-advantage/uaclient.conf to point to the server:

    Code Block
    # Endpoint is read from the VM's guestinfo; static value shown on this page: http://vss-ubuntu-pro.eis.utoronto.ca:8484
    echo "contract_url: $(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.endpoint")" > /etc/ubuntu-advantage/uaclient.conf

  2. Check everything works fine with the following command:

    Code Block
    pro refresh

    output:

    Code Block
    Successfully processed your pro configuration.
    This machine is not attached to an Ubuntu Pro subscription.
    See https://ubuntu.com/pro
  3. Attach your token:

    Code Block
    # [TOKEN] is read from the VM's guestinfo
    pro attach "$(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.token")"

    output:

    Code Block
    Enabling default service esm-apps
    Updating Ubuntu Pro: ESM Apps package lists
    Ubuntu Pro: ESM Apps enabled
    Enabling default service esm-infra
    Updating Ubuntu Pro: ESM Infra package lists
    Ubuntu Pro: ESM Infra enabled
    Enabling default service livepatch
    Unable to enable Livepatch: Failed running command '/snap/bin/canonical-livepatch enable <REDACTED>' [exit(1)]. Message: Could not retrieve client information.: failed to validate token: Get https://contracts.canonical.com/v1/resources/livepatch?token=<REDACTED>: invalid token
    
    This machine is now attached to 'Ubuntu Pro'
    
    SERVICE          ENTITLED  STATUS       DESCRIPTION
    anbox-cloud      yes       disabled     Scalable Android in the cloud
    esm-apps         yes       enabled      Expanded Security Maintenance for Applications
    esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
    fips             yes       disabled     NIST-certified FIPS crypto packages
    fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
    livepatch        yes       disabled     Canonical Livepatch service
    ros              yes       disabled     Security Updates for the Robot Operating System
    usg              yes       disabled     Security compliance and audit tools
    
    NOTICES
    Operation in progress: pro attach
    
    For a list of all Ubuntu Pro services, run 'pro status --all'
    Enable services with: pro enable <service>
    
                    Account: University of Toronto - EIS Private Cloud
               Subscription: Ubuntu Pro
                Valid until: Sat Jun 22 19:59:59 2024 EDT

    Edit the following file: /etc/apt/auth.conf.d/90ubuntu-advantage and add “http://” as shown:

    Code Block
    machine http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu/ login bearer password ... # ubuntu-pro-client
    machine http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu/ login bearer password ... # ubuntu-pro-client

  4. Update the Ubuntu repositories and ensure there are no errors related to the vss-ubuntu-pro repositories:

    Code Block
    apt-get update

    output:

    Code Block
    Hit:1 http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu focal-apps-security InRelease
    Hit:2 http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu focal-apps-updates InRelease
    Hit:3 http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu focal-infra-security InRelease
    Hit:4 http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu focal-infra-updates InRelease
    Hit:5 http://ca.archive.ubuntu.com/ubuntu focal InRelease
    Hit:6 http://ca.archive.ubuntu.com/ubuntu focal-updates InRelease
    Hit:7 http://ca.archive.ubuntu.com/ubuntu focal-backports InRelease
    Hit:8 http://ca.archive.ubuntu.com/ubuntu focal-security InRelease
    Reading package lists... Done
  5. (Optional) Add the virtual machine to the Landscape server. Log in to the Landscape Server to get the Registration Key. If you are running landscape-client, proceed with the following command; otherwise skip this step.

    Code Block
    sudo landscape-config --computer-title "[Server Name]" --account-name standalone -p [REGISTRATION_KEY] --url https://vss-ls.dcb.eis.utoronto.ca/message-system --ping-url http://vss-ls.dcb.eis.utoronto.ca/ping
    # To re-enable Landscape with the configuration kept by `pro detach` instead:
    pro enable landscape --assume-yes

    output:

    Code Block
    enabled
    
    This script will interactively set up the Landscape client. It will
    ask you a few questions about this computer and your Landscape
    account, and will submit that information to the Landscape server.
    After this computer is registered it will need to be approved by an
    account administrator on the pending computers page.
    
    Please see https://landscape.canonical.com for more information.
    
    
    The Landscape client communicates with the server over HTTP and
    HTTPS.  If your network requires you to use a proxy to access HTTP
    and/or HTTPS web sites, please provide the address of these
    proxies now.  If you don't use a proxy, leave these fields empty.
    
    HTTP proxy URL:
    HTTPS proxy URL:
    
    Landscape has a feature which enables administrators to run
    arbitrary scripts on machines under their control. By default this
    feature is disabled in the client, disallowing any arbitrary script
    execution. If enabled, the set of users that scripts may run as is
    also configurable.
    
    Enable script execution? [Y/n]:
    
    By default, scripts are restricted to the 'landscape' and
    'nobody' users. Please enter a comma-delimited list of users
    that scripts will be restricted to. To allow scripts to be run
    by any user, enter "ALL".
    
    Script users [landscape]:
    
    You may provide an access group for this computer e.g. webservers.
    
    Access group:
    
    You may provide tags for this computer e.g. server,precise.
    
    Tags [development,database]:
    Please wait...
    
    Request a new registration for this computer now? [y/N]: y
    System successfully registered.

...

    Code Block
    One moment, checking your subscription first
    Landscape is not available for Ubuntu 22.04 LTS (Jammy Jellyfish).

LivePatch

  1. Install the following packages in the client

    Code Block
    sudo snap install canonical-livepatch
  2. Configure the on-prem server

    Code Block
    # Endpoint is read from the VM's guestinfo; static value shown on this page: http://vss-ubuntu-pro.eis.utoronto.ca:8080/
    canonical-livepatch config remote-server="$(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.livepatch.endpoint")"
  3. Verify configuration

    Code Block
    canonical-livepatch config

    output:

    Code Block
    root@backup-billing-db-dev:/home/oramirez# canonical-livepatch config
    http-proxy: ""
    https-proxy: ""
    no-proxy: ""
    remote-server: http://vss-ubuntu-prolivepatch.eis.utoronto.ca:8080/
    ca-certs: ""
    check-interval: 60  # minutes
    log-level: WARNING
    disable-signature-verification: false
    tls-patch-download: false
  4. Enable the Livepatch updates with the token

    Code Block
    # <TOKEN_ON_VSS> is read from the VM's guestinfo
    canonical-livepatch enable "$(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.livepatch.token")"

    output:

    Code Block
    Successfully enabled device. Using machine-token: <RANDOM_NUMBERS_OF_TOKEN>
  5. Check status of Ubuntu Pro

    Code Block
    pro status

    output:

    Code Block
    SERVICE          ENTITLED  STATUS       DESCRIPTION
    anbox-cloud      yes       disabled     Scalable Android in the cloud
    esm-apps         yes       enabled      Expanded Security Maintenance for Applications
    esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
    fips             yes       disabled     NIST-certified FIPS crypto packages
    fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
    livepatch        yes       enabled      Canonical Livepatch service
    ros              yes       disabled     Security Updates for the Robot Operating System
    usg              yes       disabled     Security compliance and audit tools
    
    For a list of all Ubuntu Pro services, run 'pro status --all'
    Enable services with: pro enable <service>
    
                    Account: University of Toronto - EIS Private Cloud
               Subscription: Ubuntu Pro
                Valid until: Sat Jun 22 19:59:59 2024 EDT
    Technical support level: essential

  6. (Optional) If you are running Landscape, proceed to restart landscape-client, otherwise skip this step.

    Code Block
    systemctl restart landscape-client
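
A post-migration check for the procedure above, as an added example that is not part of the original guide: it reports required services that `pro status` does not show as enabled, apt auth entries that still point away from the on-prem host, and an auth file that group or other can access. The function names, the `--run` switch and the required-service list (taken from the Current Active Services table) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): post-migration checks.
# ONPREM_HOST comes from the repository lines on this page; the function
# names and the --run switch are hypothetical.
ONPREM_HOST="vss-ubuntu-pro.eis.utoronto.ca"
REQUIRED_SERVICES="esm-apps esm-infra livepatch"
AUTH_FILE="/etc/apt/auth.conf.d/90ubuntu-advantage"

# stdin: `pro status` text. Prints each required service whose STATUS
# column is not "enabled" (or that is missing from the table).
services_not_enabled() {
  awk -v want="$REQUIRED_SERVICES" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
    ($1 in need) && $3 == "enabled" { delete need[$1] }
    END { for (i = 1; i <= n; i++) if (w[i] in need) print w[i] }'
}

# stdin: apt auth.conf text. Prints every "machine" target whose host is
# not the on-prem server, e.g. leftovers for esm.ubuntu.com.
stale_auth_entries() {
  awk -v host="$ONPREM_HOST" '
    $1 == "machine" {
      m = $2
      sub(/^https?:\/\//, "", m)    # drop an optional scheme
      split(m, p, "/")              # p[1] = host[:port]
      sub(/:[0-9]+$/, "", p[1])
      if (p[1] != host) print $2
    }'
}

# The auth file holds bearer credentials: succeed only if group and
# other have no permission bits on it.
auth_file_private() {
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Live run on a migrated VM (needs root): ./check.sh --run
if [ "${1:-}" = "--run" ]; then
  rc=0
  bad=$(pro status | services_not_enabled)
  [ -z "$bad" ] || { echo "not enabled: $bad"; rc=1; }
  stale=$(stale_auth_entries < "$AUTH_FILE")
  [ -z "$stale" ] || { echo "stale apt auth entries: $stale"; rc=1; }
  auth_file_private "$AUTH_FILE" || { echo "$AUTH_FILE is group/world accessible"; rc=1; }
  exit "$rc"
fi
```

Run against the status table shown after `pro attach` above, the first check reports `livepatch`, which is the state the LivePatch section then corrects.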

References

https://ubuntu.com/pro/tutorial

...

https://ubuntu.com/security/livepatch/docs/livepatch_on_prem/how-to/use_livepatch_client

Revert realtime-kernel example

https://gist.github.com/chaiyujin/c08e59752c3e238ff3b1a5098322b363