Objective

This guide outlines the necessary steps for migrating to an Ubuntu Pro On-Premise (VSS-PUBLIC) instance from an existing Ubuntu Pro installation, ensuring a seamless transition.

Currently there is no support for realtime-kernel in Ubuntu Pro On-Premise. Please disable realtime-kernel and revert your kernel settings.

Current Active Services

| Service | Description |
|---|---|
| esm-apps | Expanded Security Maintenance for Applications |
| esm-infra | Expanded Security Maintenance for Infrastructure |
| livepatch | Canonical Livepatch service |

Pre-requisites

  1. To ensure smooth operation, please detach any previously connected virtual machines from Ubuntu Pro. Execute the following command with administrative privileges:

    pro detach

    output:

    Detach will disable the following services:
        esm-apps
        esm-infra
        landscape
        livepatch
    Are you sure? (y/N) y
    Updating package lists
    Updating package lists
    Executing `landscape-config --disable`
    /etc/landscape/client.conf contains your landscape-client configuration.
    To re-enable Landscape with the same configuration, run:
        sudo pro enable landscape --assume-yes
  2. If the file /etc/apt/auth.conf.d/90ubuntu-advantage still exists, run the command below to empty it:

    echo "" > /etc/apt/auth.conf.d/90ubuntu-advantage
  3. Run the following command through the vss-cli to present the latest endpoint settings:

    vss-cli compute vm set {id} ubuntu-pro attach

Steps

  1. Configure the Ubuntu Pro Client by setting contract_url in /etc/ubuntu-advantage/uaclient.conf to point to the server. The command below overwrites the file with that single setting:

    echo "contract_url: $(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.endpoint")" > /etc/ubuntu-advantage/uaclient.conf

  2. Check that everything works with the following command:

    pro refresh

    output:

    Successfully processed your pro configuration.
    This machine is not attached to an Ubuntu Pro subscription.
    See https://ubuntu.com/pro
  3. Attach your token:

    pro attach $(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.token")

    output:

    Enabling default service esm-apps
    Updating Ubuntu Pro: ESM Apps package lists
    Ubuntu Pro: ESM Apps enabled
    Enabling default service esm-infra
    Updating Ubuntu Pro: ESM Infra package lists
    Ubuntu Pro: ESM Infra enabled
    Enabling default service livepatch
    Unable to enable Livepatch: Failed running command '/snap/bin/canonical-livepatch enable <REDACTED>' [exit(1)]. Message: Could not retrieve client information.: failed to validate token: Get https://contracts.canonical.com/v1/resources/livepatch?token=mAgJOEWNBS19ydkRLQm50bjdCQjBydUFKVUhyazM0OTY3Y3ZoUjRLUlZVQjVDUTA4OjQ1M2MxMmM1YTUxMTRkMjE4NDFiOGEzMTc4N2MwMjgxAAI4aXMtY29udHJhY3QgY0FLX3J2REtCbnRuN0JCMHJ1QUpVSHJrMzQ5NjdjdmhSNEtSVlVCNUNRMDgAAhVpcy1yZXNvdXJjZSBsaXZlcGF0Y2gAAAYghERqv1OjwMSeB99ztJit6hphx7IBhPEfQ_qtteqj5nU: invalid token
    
    This machine is now attached to 'Ubuntu Pro'
    
    SERVICE          ENTITLED  STATUS       DESCRIPTION
    anbox-cloud      yes       disabled     Scalable Android in the cloud
    esm-apps         yes       enabled      Expanded Security Maintenance for Applications
    esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
    fips             yes       disabled     NIST-certified FIPS crypto packages
    fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
    livepatch        yes       disabled     Canonical Livepatch service
    ros              yes       disabled     Security Updates for the Robot Operating System
    usg              yes       disabled     Security compliance and audit tools
    
    NOTICES
    Operation in progress: pro attach
    
    For a list of all Ubuntu Pro services, run 'pro status --all'
    Enable services with: pro enable <service>
    
                    Account: University of Toronto - EIS Private Cloud
               Subscription: Ubuntu Pro
                Valid until: Sat Jun 22 19:59:59 2024 EDT

  4. Update the Ubuntu repositories and ensure there are no errors related to the vss-ubuntu-pro repositories:

    apt-get update

    output:

    Hit:1 http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu focal-apps-security InRelease
    Hit:2 http://vss-ubuntu-pro.eis.utoronto.ca/esm-apps/ubuntu focal-apps-updates InRelease
    Hit:3 http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu focal-infra-security InRelease
    Hit:4 http://vss-ubuntu-pro.eis.utoronto.ca/esm-infra/ubuntu focal-infra-updates InRelease
    Hit:5 http://ca.archive.ubuntu.com/ubuntu focal InRelease
    Hit:6 http://ca.archive.ubuntu.com/ubuntu focal-updates InRelease
    Hit:7 http://ca.archive.ubuntu.com/ubuntu focal-backports InRelease
    Hit:8 http://ca.archive.ubuntu.com/ubuntu focal-security InRelease
    Reading package lists... Done
  5. (Optional) If you are running landscape-client, proceed with the following command; otherwise skip this step.

    sudo pro enable landscape --assume-yes

    output:

    One moment, checking your subscription first
    Landscape is not available for Ubuntu 22.04 LTS (Jammy Jellyfish).
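
The one-liner in step 1 replaces uaclient.conf even when vmware-rpctool fails or returns nothing, which leaves the client with an empty contract_url. The following is an added example, not part of the original guide: it validates the endpoint value and swaps the file in atomically. The helper names and the sample endpoint in the comments are assumptions.

```shell
#!/bin/sh
# Added example: validate the endpoint before overwriting uaclient.conf.
# is_http_url and write_contract_url are hypothetical helper names,
# not part of the pro client or vss-cli.

# is_http_url VALUE -> exit 0 if VALUE is a single-line http(s) URL with a host
is_http_url() {
    nl='
'
    case "$1" in *"$nl"*) return 1 ;; esac   # a multi-line value would corrupt the YAML
    printf '%s\n' "$1" |
        grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]+)?(/[^[:space:]]*)?$'
}

# write_contract_url VALUE CONF -> write "contract_url: VALUE" to CONF atomically
write_contract_url() {
    url=$1 conf=$2
    if ! is_http_url "$url"; then
        echo "refusing to write $conf: endpoint '$url' is not a valid URL" >&2
        return 1
    fi
    # Build the new file next to the target, then rename over it.
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    chmod 644 "$tmp"
    printf 'contract_url: %s\n' "$url" > "$tmp" && mv "$tmp" "$conf"
}

# On the VM, as root (the rename only happens if the lookup succeeded):
#   endpoint=$(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.endpoint") &&
#       write_contract_url "$endpoint" /etc/ubuntu-advantage/uaclient.conf
```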

LivePatch installation

  1. Install the following package on the client:

    sudo snap install canonical-livepatch
  2. Configure the on-prem server

    canonical-livepatch config remote-server=$(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.livepatch.endpoint")
  3. Verify configuration

    canonical-livepatch config

    output:

    root@backup-billing-db-dev:/home/oramirez# canonical-livepatch config
    http-proxy: ""
    https-proxy: ""
    no-proxy: ""
    remote-server: http://vss-ubuntu-livepatch.eis.utoronto.ca/
    ca-certs: ""
    check-interval: 60  # minutes
    log-level: WARNING
    disable-signature-verification: false
    tls-patch-download: false
  4. Enable the Livepatch updates with the token

    canonical-livepatch enable $(vmware-rpctool "info-get guestinfo.ut.vss.ubuntu_pro.livepatch.token")

    output:

    Successfully enabled device. Using machine-token: <RANDOM_NUMBERS_OF_TOKEN>
  5. Check status of Ubuntu Pro

    pro status

    output:

    SERVICE          ENTITLED  STATUS       DESCRIPTION
    anbox-cloud      yes       disabled     Scalable Android in the cloud
    esm-apps         yes       enabled      Expanded Security Maintenance for Applications
    esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
    fips             yes       disabled     NIST-certified FIPS crypto packages
    fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
    livepatch        yes       enabled      Canonical Livepatch service
    ros              yes       disabled     Security Updates for the Robot Operating System
    usg              yes       disabled     Security compliance and audit tools
    
    For a list of all Ubuntu Pro services, run 'pro status --all'
    Enable services with: pro enable <service>
    
                    Account: University of Toronto - EIS Private Cloud
               Subscription: Ubuntu Pro
                Valid until: Sat Jun 22 19:59:59 2024 EDT
    Technical support level: essential

  6. (Optional) If you are running Landscape, proceed to restart landscape-client, otherwise skip this step.

    systemctl restart landscape-client
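
Once both procedures are done, the outputs of `pro status` and `canonical-livepatch config` can be checked mechanically instead of by eye. The following is an added example, not part of the original guide: it confirms the three services listed under Current Active Services are enabled, that remote-server matches the expected endpoint, and that patch signature verification is still on. The function names are assumptions, and the sample input is trimmed from the outputs shown on this page.

```shell
#!/bin/sh
# Added example: post-migration checks over captured command output.
# Helper names are hypothetical; they are not part of pro or canonical-livepatch.

# service_status NAME  (stdin: `pro status` output) -> prints the STATUS column
service_status() { awk -v svc="$1" '$1 == svc { print $3; exit }'; }

# livepatch_setting KEY  (stdin: `canonical-livepatch config` output) -> prints the value
livepatch_setting() {
    awk -v key="$1:" '$1 == key { print $2; exit }' | tr -d '"'
}

NL='
'
fail() { out="${out}FAIL $1${NL}"; rc=1; }
warn() { out="${out}WARN $1${NL}"; }

# check_migration STATUS_TEXT CONFIG_TEXT EXPECTED_SERVER
# Prints one FAIL/WARN line per finding; returns non-zero if any FAIL was found.
check_migration() {
    out="" rc=0
    for svc in esm-apps esm-infra livepatch; do
        st=$(printf '%s\n' "$1" | service_status "$svc")
        [ "$st" = enabled ] || fail "service $svc is ${st:-missing}"
    done
    server=$(printf '%s\n' "$2" | livepatch_setting remote-server)
    [ "$server" = "$3" ] || fail "remote-server is ${server:-unset}, expected $3"
    case "$server" in http://*) warn "remote-server uses plain HTTP (no transport encryption)" ;; esac
    sig=$(printf '%s\n' "$2" | livepatch_setting disable-signature-verification)
    [ "$sig" = false ] || fail "patch signature verification is not enforced"
    printf '%s' "$out"
    return "$rc"
}

# Sample input trimmed from the outputs on this page (state right after `pro attach`).
SAMPLE_STATUS='SERVICE          ENTITLED  STATUS       DESCRIPTION
esm-apps         yes       enabled      Expanded Security Maintenance for Applications
esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
livepatch        yes       disabled     Canonical Livepatch service'
SAMPLE_CONFIG='remote-server: http://vss-ubuntu-livepatch.eis.utoronto.ca/
disable-signature-verification: false'

check_migration "$SAMPLE_STATUS" "$SAMPLE_CONFIG" \
    "http://vss-ubuntu-livepatch.eis.utoronto.ca/" || echo "migration incomplete"
```

On a migrated VM, pass `"$(pro status)"`, `"$(canonical-livepatch config)"` and the value of `guestinfo.ut.vss.ubuntu_pro.livepatch.endpoint` as the three arguments.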

References

https://ubuntu.com/pro/tutorial

https://ubuntu.com/security/livepatch/docs/livepatch_on_prem/how-to/use_livepatch_client

Revert realtime-kernel example

https://gist.github.com/chaiyujin/c08e59752c3e238ff3b1a5098322b363
