Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Table of Contents
minLevel1
maxLevel6
include
outlinefalse
indent
stylenone

Objective

...

excludeTable of Contents
typelist
class
printabletrue

Introduction

This guide outlines the necessary steps for migrating to an Ubuntu Pro on Premise instance.

...

On-Premise (VSS CGN) instance from an existing Ubuntu Pro subscription, ensuring a seamless transition.

Note

Currently there is no support for realtime-kernel in Ubuntu Pro On-Premise. Please disable realtime-kernel and revert your kernel settings.

Current Active Services

Service

Description

esm-apps

Expanded Security Maintenance for Applications

esm-infra

Expanded Security Maintenance for Infrastructure

livepatch

Canonical Livepatch service

Pre-requisites

  1. To ensure smooth operation, please detach any previously connected virtual machines from Ubuntu Pro. Execute the following commands with administrative privileges:

    Code Block
    pro detach

    output:

    Code Block
    Detach will disable the following services:
        esm-apps
        esm-infra
        landscape
        livepatch
    Are you sure? (y/N) y
    Updating package lists
    Updating package lists
    Executing `landscape-config --disable`
    /etc/landscape/client.conf contains your landscape-client configuration.
    To re-enable Landscape with the same configuration, run:
        sudo pro enable landscape --assume-yes
  2. Remove Run the lines command below if the file still exists /etc/apt/auth.conf.d/90ubuntu-advantage

    Code Block
    machine esm.ubuntu.com/apps/ login bearer password ... # ubuntu-advantage-tools
    machine esm.ubuntu.com/infra/ login bearer password ...  # ubuntu-advantage-tools

...

  1. echo "" > /etc/apt/auth.conf.d/90ubuntu-advantage
  2. Run the following command through the vss-cli to present the latest endpoint settings

    Code Block
    vss-cli compute vm set {id} ubuntu-pro attach

Ubuntu Pro

  1. Configure the Ubuntu Pro Client by editing the contract_url setting in /etc/ubuntu-advantage/uaclient.conf to point to the server:

    Code Block
    echo "contract_url: http://vss-ubuntu-pro.eis.utoronto.ca:8484 $(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.endpoint")" > /etc/ubuntu-advantage/uaclient.conf

  2. Check everything works fine with the following command:

    Code Block
    pro refresh

    output:

    Code Block
    Successfully processed your pro configuration.
    This machine is not attached to an Ubuntu Pro subscription.
    See https://ubuntu.com/pro
  3. Attach your token:

    Code Block
    pro attach [TOKEN] $(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.token")

    output:

    Code Block
    Enabling default service esm-apps
    Updating Ubuntu Pro: ESM Apps package lists
    Ubuntu Pro: ESM Apps enabled
    Enabling default service esm-infra
    Updating Ubuntu Pro: ESM Infra package lists
    Ubuntu Pro: ESM Infra enabled
    Enabling default service livepatch
    Unable to enable Livepatch: Failed running command '/snap/bin/canonical-livepatch enable <REDACTED>' [exit(1)]. Message: Could not retrieve client information.: failed to validate token: Get https://contracts.canonical.com/v1/resources/livepatch?token=mAgJOEWNBS19ydkRLQm50bjdCQjBydUFKVUhyazM0OTY3Y3ZoUjRLUlZVQjVDUTA4OjQ1M2MxMmM1YTUxMTRkMjE4NDFiOGEzMTc4N2MwMjgxAAI4aXMtY29udHJhY3QgY0FLX3J2REtCbnRuN0JCMHJ1QUpVSHJrMzQ5NjdjdmhSNEtSVlVCNUNRMDgAAhVpcy1yZXNvdXJjZSBsaXZlcGF0Y2gAAAYghERqv1OjwMSeB99ztJit6hphx7IBhPEfQ_qtteqj5nU: invalid token
    
    This machine is now attached to 'Ubuntu Pro'
    
    SERVICE          ENTITLED  STATUS       DESCRIPTION
    anbox-cloud      yes       disabled     Scalable Android in the cloud
    esm-apps         yes       enabled      Expanded Security Maintenance for Applications
    esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
    fips             yes       disabled     NIST-certified FIPS crypto packages
    fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
    livepatch        yes       disabled     Canonical Livepatch service
    ros              yes       disabled     Security Updates for the Robot Operating System
    usg              yes       disabled     Security compliance and audit tools
    
    NOTICES
    Operation in progress: pro attach
    
    For a list of all Ubuntu Pro services, run 'pro status --all'
    Enable services with: pro enable <service>
    
                    Account: University of Toronto - EIS Private Cloud
               Subscription: Ubuntu Pro
                Valid until: Sat Jun 22 19:59:59 2024 EDT
    Edit the following path: /etc/apt/auth.conf.d/90ubuntu-advantageand add “http://
    Code Block
    machine http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu/ login bearer password ... # ubuntu-pro-client
    machine http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu/ login bearer password ... # ubuntu-pro-client

  4. Update the Ubuntu repositories and ensure there are no errors related to the vss-ubuntu-pro repositories:

    Code Block
    apt-get update

    output:

    Code Block
    Hit:1 http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu focal-apps-security InRelease
    Hit:2 http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu focal-apps-updates InRelease
    Hit:3 http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu focal-infra-security InRelease
    Hit:4 http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu focal-infra-updates InRelease
    Hit:5 http://ca.archive.ubuntu.com/ubuntu focal InRelease
    Hit:6 http://ca.archive.ubuntu.com/ubuntu focal-updates InRelease
    Hit:7 http://ca.archive.ubuntu.com/ubuntu focal-backports InRelease
    Hit:8 http://ca.archive.ubuntu.com/ubuntu focal-security InRelease
    Reading package lists... Done
  5. To re-enable Landscape with the same configuration, run:(optional) If you are running landscape-client, proceed with the following command, otherwise skip

    Code Block
    sudo pro enable landscape --assume-yes

    output:

    Code Block
    One moment, checking your subscription first
    Landscape is not available for Ubuntu 22.04 LTS (Jammy Jellyfish).

LivePatch

...

  1. Install the following packages in the client

    Code Block
    sudo snap install canonical-livepatch
  2. Configure the on-prem server

    Code Block
    canonical-livepatch config remote-server="http://vss-ubuntu-pro.eis.utoronto.ca:8080/"$(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.livepatch.endpoint")
  3. Verify configuration

    Code Block
    canonical-livepatch config

    output:

    Code Block
    root@backup-billing-db-dev:/home/oramirez# canonical-livepatch config
    http-proxy: ""
    https-proxy: ""
    no-proxy: ""
    remote-server: http://vss-ubuntu-prolivepatch.eis.utoronto.ca:8080/
    ca-certs: ""
    check-interval: 60  # minutes
    log-level: WARNING
    disable-signature-verification: false
    tls-patch-download: false
  4. Enable the Livepatch updates with the token

    Code Block
    canonical-livepatch enable <TOKEN_ON_VSS> $(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.livepatch.token")

    output:

    Code Block
    Successfully enabled device. Using machine-token: <RANDOM_NUMBERS_OF_TOKEN>
  5. Check status of Ubuntu Pro

    Code Block
    pro status

    output:

    Code Block
    SERVICE          ENTITLED  STATUS       DESCRIPTION
    anbox-cloud      yes       disabled     Scalable Android in the cloud
    esm-apps         yes       enabled      Expanded Security Maintenance for Applications
    esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
    fips             yes       disabled     NIST-certified FIPS crypto packages
    fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
    livepatch        yes       enabled      Canonical Livepatch service
    ros              yes       disabled     Security Updates for the Robot Operating System
    usg              yes       disabled     Security compliance and audit tools
    
    For a list of all Ubuntu Pro services, run 'pro status --all'
    Enable services with: pro enable <service>
    
                    Account: University of Toronto - EIS Private Cloud
               Subscription: Ubuntu Pro
                Valid until: Sat Jun 22 19:59:59 2024 EDT
    Technical support level: essential

  6. Restart Landscape Client(Optional) If you are running Landscape, proceed to restart landscape-client, otherwise skip this step.

    Code Block
    systemctl restart landscape-client

References

https://ubuntu.com/pro/tutorial

...

https://ubuntu.com/security/livepatch/docs/livepatch_on_prem/how-to/use_livepatch_client

Revert realtime-kernel example

https://gist.github.com/chaiyujin/c08e59752c3e238ff3b1a5098322b363