Table of Contents
Table of Contents | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Objective
...
|
Introduction
This guide outlines the necessary steps for migrating to an Ubuntu Pro on Premise instance.
...
On-Premise (VSS CGN) instance from an existing Ubuntu Pro subscription, ensuring a seamless transition.
Note |
---|
Currently there is no support for realtime-kernel in Ubuntu Pro On-Premise. Please disable realtime-kernel and revert your kernel settings. |
Current Active Services
Service | Description |
---|---|
esm-apps | Expanded Security Maintenance for Applications |
esm-infra | Expanded Security Maintenance for Infrastructure |
livepatch | Canonical Livepatch service |
Pre-requisites
To ensure smooth operation, please detach any previously connected virtual machines from Ubuntu Pro. Execute the following commands with administrative privileges:
Code Block pro detach
output:
Code Block Detach will disable the following services: esm-apps esm-infra landscape livepatch Are you sure? (y/N) y Updating package lists Updating package lists Executing `landscape-config --disable` /etc/landscape/client.conf contains your landscape-client configuration. To re-enable Landscape with the same configuration, run: sudo pro enable landscape --assume-yes
Remove Run the lines command below if the file still exists
/etc/apt/auth.conf.d/90ubuntu-advantage
Code Block machine esm.ubuntu.com/apps/ login bearer password ... # ubuntu-advantage-tools machine esm.ubuntu.com/infra/ login bearer password ... # ubuntu-advantage-tools
...
echo "" > /etc/apt/auth.conf.d/90ubuntu-advantage
Run the following command through the
vss-cli
to present the latest endpoint settingsCode Block vss-cli compute vm set {id} ubuntu-pro attach
Ubuntu Pro
Configure the Ubuntu Pro Client by editing the contract_url setting in
/etc/ubuntu-advantage/uaclient.conf
to point to the server:Code Block echo "contract_url: http://vss-ubuntu-pro.eis.utoronto.ca:8484 $(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.endpoint")" > /etc/ubuntu-advantage/uaclient.conf
Check everything works fine with the following command:
Code Block pro refresh
output:
Code Block Successfully processed your pro configuration. This machine is not attached to an Ubuntu Pro subscription. See https://ubuntu.com/pro
Attach your token:
Code Block pro attach [TOKEN] $(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.token")
output:
Edit the following path:Code Block Enabling default service esm-apps Updating Ubuntu Pro: ESM Apps package lists Ubuntu Pro: ESM Apps enabled Enabling default service esm-infra Updating Ubuntu Pro: ESM Infra package lists Ubuntu Pro: ESM Infra enabled Enabling default service livepatch Unable to enable Livepatch: Failed running command '/snap/bin/canonical-livepatch enable <REDACTED>' [exit(1)]. Message: Could not retrieve client information.: failed to validate token: Get https://contracts.canonical.com/v1/resources/livepatch?token=mAgJOEWNBS19ydkRLQm50bjdCQjBydUFKVUhyazM0OTY3Y3ZoUjRLUlZVQjVDUTA4OjQ1M2MxMmM1YTUxMTRkMjE4NDFiOGEzMTc4N2MwMjgxAAI4aXMtY29udHJhY3QgY0FLX3J2REtCbnRuN0JCMHJ1QUpVSHJrMzQ5NjdjdmhSNEtSVlVCNUNRMDgAAhVpcy1yZXNvdXJjZSBsaXZlcGF0Y2gAAAYghERqv1OjwMSeB99ztJit6hphx7IBhPEfQ_qtteqj5nU: invalid token This machine is now attached to 'Ubuntu Pro' SERVICE ENTITLED STATUS DESCRIPTION anbox-cloud yes disabled Scalable Android in the cloud esm-apps yes enabled Expanded Security Maintenance for Applications esm-infra yes enabled Expanded Security Maintenance for Infrastructure fips yes disabled NIST-certified FIPS crypto packages fips-updates yes disabled FIPS compliant crypto packages with stable security updates livepatch yes disabled Canonical Livepatch service ros yes disabled Security Updates for the Robot Operating System usg yes disabled Security compliance and audit tools NOTICES Operation in progress: pro attach For a list of all Ubuntu Pro services, run 'pro status --all' Enable services with: pro enable <service> Account: University of Toronto - EIS Private Cloud Subscription: Ubuntu Pro Valid until: Sat Jun 22 19:59:59 2024 EDT
/etc/apt/auth.conf.d/90ubuntu-advantage
and add “http://”Code Block machine http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu/ login bearer password ... # ubuntu-pro-client machine http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu/ login bearer password ... # ubuntu-pro-client
Update the Ubuntu repositories and ensure there are no errors related to the
vss-ubuntu-pro
repositories:Code Block apt-get update
output:
Code Block Hit:1 http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu focal-apps-security InRelease Hit:2 http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu focal-apps-updates InRelease Hit:3 http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu focal-infra-security InRelease Hit:4 http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu focal-infra-updates InRelease Hit:5 http://ca.archive.ubuntu.com/ubuntu focal InRelease Hit:6 http://ca.archive.ubuntu.com/ubuntu focal-updates InRelease Hit:7 http://ca.archive.ubuntu.com/ubuntu focal-backports InRelease Hit:8 http://ca.archive.ubuntu.com/ubuntu focal-security InRelease Reading package lists... Done
To re-enable Landscape with the same configuration, run:(optional) If you are running landscape-client, proceed with the following command, otherwise skip
Code Block sudo pro enable landscape --assume-yes
output:
Code Block One moment, checking your subscription first Landscape is not available for Ubuntu 22.04 LTS (Jammy Jellyfish).
LivePatch
...
Install the following packages in the client
Code Block sudo snap install canonical-livepatch
Configure the on-prem server
Code Block canonical-livepatch config remote-server="http://vss-ubuntu-pro.eis.utoronto.ca:8080/"$(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.livepatch.endpoint")
Verify configuration
Code Block canonical-livepatch config
output:
Code Block root@backup-billing-db-dev:/home/oramirez# canonical-livepatch config http-proxy: "" https-proxy: "" no-proxy: "" remote-server: http://vss-ubuntu-prolivepatch.eis.utoronto.ca:8080/ ca-certs: "" check-interval: 60 # minutes log-level: WARNING disable-signature-verification: false tls-patch-download: false
Enable the Livepatch updates with the token
Code Block canonical-livepatch enable <TOKEN_ON_VSS> $(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.livepatch.token")
output:
Code Block Successfully enabled device. Using machine-token: <RANDOM_NUMBERS_OF_TOKEN>
Check status of Ubuntu Pro
Code Block pro status
output:
Code Block SERVICE ENTITLED STATUS DESCRIPTION anbox-cloud yes disabled Scalable Android in the cloud esm-apps yes enabled Expanded Security Maintenance for Applications esm-infra yes enabled Expanded Security Maintenance for Infrastructure fips yes disabled NIST-certified FIPS crypto packages fips-updates yes disabled FIPS compliant crypto packages with stable security updates livepatch yes enabled Canonical Livepatch service ros yes disabled Security Updates for the Robot Operating System usg yes disabled Security compliance and audit tools For a list of all Ubuntu Pro services, run 'pro status --all' Enable services with: pro enable <service> Account: University of Toronto - EIS Private Cloud Subscription: Ubuntu Pro Valid until: Sat Jun 22 19:59:59 2024 EDT Technical support level: essential
Restart Landscape Client(Optional) If you are running Landscape, proceed to restart landscape-client, otherwise skip this step.
Code Block systemctl restart landscape-client
References
https://ubuntu.com/pro/tutorial
...
https://ubuntu.com/security/livepatch/docs/livepatch_on_prem/how-to/use_livepatch_client
Revert realtime-kernel example
https://gist.github.com/chaiyujin/c08e59752c3e238ff3b1a5098322b363