Objective

This procedure describes the steps to connect a client to an on-premises Ubuntu Pro instance.

Currently working on setting up the livepatch path.

Pre-requisites

  1. To ensure smooth operation, please detach any previously connected virtual machines from Ubuntu Pro. Execute the following commands with administrative privileges:

    pro detach

    output:

    Detach will disable the following services:
        landscape
        livepatch
    Are you sure? (y/N) y
    Executing `landscape-config --disable`
    /etc/landscape/client.conf contains your landscape-client configuration.
    To re-enable Landscape with the same configuration, run:
        sudo pro enable landscape --assume-yes
  2. Remove the following configuration lines from /etc/apt/auth.conf.d/90ubuntu-advantage:

    machine esm.ubuntu.com/apps/ login bearer password ... # ubuntu-advantage-tools
    machine esm.ubuntu.com/infra/ login bearer password ...  # ubuntu-advantage-tools
  3. Remove the virtual machine from the Landscape server.

Steps

  1. Configure the Ubuntu Pro Client by editing the contract_url setting in /etc/ubuntu-advantage/uaclient.conf to point to the server:

    contract_url: http://vss-ubuntu-pro.eis.utoronto.ca:8484

  2. Check that everything works with the following command:

    pro refresh

    output:

    Successfully processed your pro configuration.
    This machine is not attached to an Ubuntu Pro subscription.
    See https://ubuntu.com/pro
  3. Attach your token:

    pro attach [TOKEN]

    output:

    Enabling default service esm-apps
    Updating Ubuntu Pro: ESM Apps package lists
    Ubuntu Pro: ESM Apps enabled
    Enabling default service esm-infra
    Updating Ubuntu Pro: ESM Infra package lists
    Ubuntu Pro: ESM Infra enabled
    Enabling default service livepatch
    Unable to enable Livepatch: Failed running command '/snap/bin/canonical-livepatch enable <REDACTED>' [exit(1)]. Message: Could not retrieve client information.: failed to validate token: Get https://contracts.canonical.com/v1/resources/livepatch?token=<REDACTED>: invalid token
    
    This machine is now attached to 'Ubuntu Pro'
    
    SERVICE          ENTITLED  STATUS       DESCRIPTION
    anbox-cloud      yes       disabled     Scalable Android in the cloud
    esm-apps         yes       enabled      Expanded Security Maintenance for Applications
    esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
    fips             yes       disabled     NIST-certified FIPS crypto packages
    fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
    livepatch        yes       disabled     Canonical Livepatch service
    ros              yes       disabled     Security Updates for the Robot Operating System
    usg              yes       disabled     Security compliance and audit tools
    
    NOTICES
    Operation in progress: pro attach
    
    For a list of all Ubuntu Pro services, run 'pro status --all'
    Enable services with: pro enable <service>
    
                    Account: University of Toronto - EIS Private Cloud
               Subscription: Ubuntu Pro
                Valid until: Sat Jun 22 19:59:59 2024 EDT

  4. Edit the following path: /etc/apt/auth.conf.d/90ubuntu-advantage and add “http://

    machine http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu/ login bearer password ... # ubuntu-pro-client
    machine http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu/ login bearer password ... # ubuntu-pro-client
  5. Update the Ubuntu repositories and ensure there are no errors related to the vss-ubuntu-pro repositories:

    apt-get update

    output:

    Hit:1 http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu focal-apps-security InRelease
    Hit:2 http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu focal-apps-updates InRelease
    Hit:3 http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu focal-infra-security InRelease
    Hit:4 http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu focal-infra-updates InRelease
    Hit:5 http://ca.archive.ubuntu.com/ubuntu focal InRelease
    Hit:6 http://ca.archive.ubuntu.com/ubuntu focal-updates InRelease
    Hit:7 http://ca.archive.ubuntu.com/ubuntu focal-backports InRelease
    Hit:8 http://ca.archive.ubuntu.com/ubuntu focal-security InRelease
    Reading package lists... Done
  6. Add the virtual machine to the Landscape server. Log in to the Landscape server to get the registration key.

    sudo landscape-config --computer-title "[Server Name]" --account-name standalone  -p [REGISTRATION_KEY] --url https://vss-ls.dcb.eis.utoronto.ca/message-system --ping-url http://vss-ls.dcb.eis.utoronto.ca/ping

    output:

    enabled
    
    This script will interactively set up the Landscape client. It will
    ask you a few questions about this computer and your Landscape
    account, and will submit that information to the Landscape server.
    After this computer is registered it will need to be approved by an
    account administrator on the pending computers page.
    
    Please see https://landscape.canonical.com for more information.
    
    
    The Landscape client communicates with the server over HTTP and
    HTTPS.  If your network requires you to use a proxy to access HTTP
    and/or HTTPS web sites, please provide the address of these
    proxies now.  If you don't use a proxy, leave these fields empty.
    
    HTTP proxy URL:
    HTTPS proxy URL:
    
    Landscape has a feature which enables administrators to run
    arbitrary scripts on machines under their control. By default this
    feature is disabled in the client, disallowing any arbitrary script
    execution. If enabled, the set of users that scripts may run as is
    also configurable.
    
    Enable script execution? [Y/n]:
    
    By default, scripts are restricted to the 'landscape' and
    'nobody' users. Please enter a comma-delimited list of users
    that scripts will be restricted to. To allow scripts to be run
    by any user, enter "ALL".
    
    Script users [landscape]:
    
    You may provide an access group for this computer e.g. webservers.
    
    Access group:
    
    You may provide tags for this computer e.g. server,precise.
    
    Tags [development,database]:
    Please wait...
    
    Request a new registration for this computer now? [y/N]: y
    System successfully registered.

LivePatch installation

  1. Install the following package on the client:

    sudo snap install canonical-livepatch
  2. Configure the on-prem server as the client's Livepatch remote server:

    canonical-livepatch config remote-server="http://vss-ubuntu-pro.eis.utoronto.ca:8080/"
  3. Verify configuration

    canonical-livepatch config

    output:

    root@backup-billing-db-dev:/home/oramirez# canonical-livepatch config
    http-proxy: ""
    https-proxy: ""
    no-proxy: ""
    remote-server: http://vss-ubuntu-pro.eis.utoronto.ca:8080/
    ca-certs: ""
    check-interval: 60  # minutes
    log-level: WARNING
    disable-signature-verification: false
    tls-patch-download: false
  4. Enable the Livepatch updates with the token

    canonical-livepatch enable <TOKEN_ON_VSS>

    output:

    Successfully enabled device. Using machine-token: <RANDOM_NUMBERS_OF_TOKEN>
  5. Check status of Ubuntu Pro

    pro status

    output:

    SERVICE          ENTITLED  STATUS       DESCRIPTION
    anbox-cloud      yes       disabled     Scalable Android in the cloud
    esm-apps         yes       enabled      Expanded Security Maintenance for Applications
    esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
    fips             yes       disabled     NIST-certified FIPS crypto packages
    fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
    livepatch        yes       enabled      Canonical Livepatch service
    ros              yes       disabled     Security Updates for the Robot Operating System
    usg              yes       disabled     Security compliance and audit tools
    
    For a list of all Ubuntu Pro services, run 'pro status --all'
    Enable services with: pro enable <service>
    
                    Account: University of Toronto - EIS Private Cloud
               Subscription: Ubuntu Pro
                Valid until: Sat Jun 22 19:59:59 2024 EDT
    Technical support level: essential
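
A post-install audit for the two procedures above (Steps and LivePatch installation), as an added example that is not part of the original page: it checks the files and settings those steps change, and notes when apt credentials are bound to a cleartext http:// URL. The host name is the one used on this page; the function names and the saved copy of the `canonical-livepatch config` output are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
ONPREM_HOST="vss-ubuntu-pro.eis.utoronto.ca"   # host name as used on the page

# Print the value of a "key: value" line (uaclient.conf, `canonical-livepatch config`).
conf_value() {   # $1 = key, $2 = file
    awk -v k="$1:" '$1 == k { print $2; exit }' "$2"
}

# Count leftover public ESM credential lines (prerequisite 2); 0 is the goal.
stale_esm_entries() {
    awk '$1 == "machine" && $2 ~ /^esm\.ubuntu\.com\// { n++ } END { print n + 0 }' "$1"
}

# Print "machine" targets that belong to the on-prem host, with or without a scheme.
onprem_entries() {
    awk -v h="$ONPREM_HOST/" '$1 == "machine" {
        u = $2; sub(/^https?:\/\//, "", u)
        if (index(u, h) == 1) print $2 }' "$1"
}

points_onprem() {   # $1 = URL; succeeds when its host is ONPREM_HOST
    case "$1" in
        *"//$ONPREM_HOST"|*"//$ONPREM_HOST"[:/]*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = auth.conf.d file, $2 = uaclient.conf, $3 = saved `canonical-livepatch config` output
audit_pro_client() {
    rc=0
    stale=$(stale_esm_entries "$1")
    [ "$stale" -eq 0 ] || { echo "FAIL: $stale esm.ubuntu.com entries left in $1"; rc=1; }
    for repo in esm-apps esm-infra; do
        onprem_entries "$1" | grep -q "/$repo/ubuntu/" ||
            { echo "FAIL: no $repo credential entry for $ONPREM_HOST"; rc=1; }
    done
    points_onprem "$(conf_value contract_url "$2")" ||
        { echo "FAIL: contract_url is not $ONPREM_HOST"; rc=1; }
    points_onprem "$(conf_value remote-server "$3")" ||
        { echo "FAIL: livepatch remote-server is not $ONPREM_HOST"; rc=1; }
    [ "$(conf_value disable-signature-verification "$3")" = "false" ] ||
        { echo "FAIL: livepatch signature verification is disabled"; rc=1; }
    grep -qE '^[[:space:]]*machine[[:space:]]+http://' "$1" &&
        echo "NOTE: bearer credentials in $1 are configured for cleartext http://"
    return "$rc"
}

if [ "$#" -eq 3 ]; then audit_pro_client "$1" "$2" "$3"; fi
```

Run it as root with three arguments: the auth.conf.d file, uaclient.conf, and a file holding the output of `canonical-livepatch config`.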

References

https://ubuntu.com/pro/tutorial

https://ubuntu.com/security/livepatch/docs/livepatch_on_prem/how-to/use_livepatch_client