Get started with Ubuntu Pro
-
Overview
New to Ubuntu Pro? This how-to guide will help you understand how to activate your Ubuntu Pro subscription and choose which services to enable. Together, we will identify security updates available uniquely with an Ubuntu Pro subscription, and we will apply fixes.
We will start by getting a free, personal subscription. Then we will attach this subscription to your existing Ubuntu LTS machine and enable the Expanded Security Maintenance for Applications (esm-apps) in beta, to find out if any additional security fixes are available for you on your machine.
Want to learn more about the benefits of Ubuntu Pro before moving on?
What youâll learn
- What Ubuntu Pro is and how to use it
- How to check the source of your installed packages
- How to attach an Ubuntu Pro subscription to your existing Ubuntu LTS machine
- How to check for and apply security updates on your Ubuntu machine, including security updates for Ubuntu Universe packages which are only available with Ubuntu Pro
What youâll need
- An Ubuntu machine running 16.04 LTS, 18.04 LTS, 20.04 LTS or 22.04 LTS
- Sudo access
- An email address, or an existing Ubuntu One account
- Ubuntu Pro client version 27.11.2 or newer
-
Before we start
a. Make sure that you are up to date
$ sudo apt update && sudo apt upgrade
b. Ensure that youâre running the latest version of the pro client.
$ pro --version
$ pro --version
27.11.2~20.04.1
I can see that I am running version 27.11.2, so no need to update.
If you run a previous version of the client, you have two options:
- You could wait for the pro client update, which is now released and phased to get to all Ubuntu machines by October 9th, 2022, or
- Consider bypassing the update phasing and install the client version 27.11.2 using the following command:
$ sudo apt install ubuntu-advantage-tools=27.11.2~$(lsb_release -rs).1
-
Identify the source repository of your installed packages
First, letâs find out how many deb packages are installed on your machine and from which source. Run $ pro security-status
$ pro security-status
2190 packages installed:
1870 packages from Ubuntu Main/Restricted repository
281 packages from Ubuntu Universe/Multiverse repository
10 packages from third parties
29 packages no longer available for download
To get more information about the packages, run
pro security-status --help
for a list of available options.
This machine is not attached to an Ubuntu Pro subscription.
Main/Restricted packages receive updates with LTS until 2025.
Try Ubuntu Pro beta with a free personal subscription on up to 5 machines.
Learn more at https://ubuntu.com/pro
OK, so there are 2190 deb packages installed on your machine.
- 1870 packages are from Ubuntu Main/ Restricted repository which means that they receive Ubuntu LTS updates until 2025. This is covered without any subscription but can be expanded with Ubuntu Pro for an additional 5 years, until 2030.
- 281 packages are from Ubuntu Universe/ Multiverse repository and they come with no security assurance with Ubuntu LTS. They would be covered by Ubuntu Pro and there might be beta security updates available for them today. Letâs find out if that is the case.
Note: if youâre currently not using any packages from the Ubuntu Universe repository, that line will not be displayed.
At the bottom of the output, I am notified that I can get a free personal Ubuntu Pro subscription for 5 machines. Letâs get one!
-
Get your free Ubuntu Pro subscription
a. Create an Ubuntu One account
If you do not already have an Ubuntu One account, create one - Ubuntu One is the single account you use to log in to all services and sites related to Ubuntu, including Ubuntu Pro which is free of charge for personal use on up to 5 machines.
b. Confirm the email address
Simply click the link provided in the email.
c. Retrieve the token
You will be automatically redirected to your Ubuntu Pro dashboard (ubuntu.com/pro); an additional google captcha confirmation step might be required.
Your Ubuntu Pro token will be listed under âFree Personal Tokenâ
-
Attach your Ubuntu LTS machine to an Ubuntu Pro subscription using the token
Now that we have our Ubuntu Pro token, we can attach it to our Ubuntu instance. Open the terminal on your Ubuntu LTS, and type the following command:
$ sudo pro attach [YOUR_TOKEN]
You should see some of the Ubuntu Pro services - Expanded Security Maintenance for Infrastructure (esm-infra), and Livepatch - automatically enabling, while others will remain disabled until you switch them on:
$ sudo pro attach [YOUR_TOKEN]
Enabling default service esm-infra
Updating package lists
Ubuntu Pro: ESM Infra enabled
Enabling default service livepatch
Canonical livepatch enabled.
Unable to determine current instance-id
This machine is now attached to 'Ubuntu Pro - free personal subscription'
SERVICE ENTITLED STATUS DESCRIPTION
esm-infra yes enabled Expanded Security Maintenance for Infrastructure
fips yes disabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
livepatch yes enabled Canonical Livepatch service
usg yes disabled Security compliance and audit tools
NOTICES
Operation in progress: pro attach
Enable services with: pro enable <service>
Account: [YOUR_EMAIL]
Subscription: Ubuntu Pro - free personal subscription
Note: This output will depend on your Ubuntu LTS version; for instance fips
, fips-updates
and usg
are not yet available on Ubuntu 22.04 LTS.
-
Enable the esm-apps service (in beta)
Now, letâs enable the esm-apps beta service by running
$ sudo pro enable esm-apps --beta
$ sudo pro enable esm-apps --beta
One moment, checking your subscription first
Updating package lists
Ubuntu Pro: ESM Apps enabled
Remember that you need to attach a Pro subscription first. If you havenât done it in advance, you will see the following message.
$ sudo pro enable esm-apps --beta
To use 'esm-apps' you need an Ubuntu Pro subscription
Personal and community subscriptions are available at no charge
See https://ubuntu.com/pro
-
Find out if any additional security patches are available for you
Check if any additional security updates for the packages from the Ubuntu Universe repository are available for you.
Run $ apt list --upgradable | grep apps-security
to find out which packages can be upgraded. Ubuntu Pro: esm-apps packages will be listed under release-apps-security
$ apt list --upgradable | grep apps-security
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
redis-server/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1]
redis-tools/focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 amd64 [upgradable from: 5:5.0.7-2ubuntu0.1]
redis/focal-apps-security,focal-apps-security 5:5.0.7-2ubuntu0.1+esm1 all [upgradable from: 5:5.0.7-2ubuntu0.1]
Ok, I can see that there are 3 packages related to Redis that have esm-apps security updates available for Ubuntu Pro.
Note: If you donât see anything in your output, it means that no Ubuntu Pro security updates are currently available on that Ubuntu machine. In that case consider installing a package that would provide an output. Before doing that, please disable the esm-apps service and enable it again once the package is installed (otherwise it would install the new version right away and thereby you would not see the difference).
$ sudo pro disable esm-apps
$ sudo apt-get install pdfresurrect
$ sudo pro enable esm-apps --beta
And then move back to the top of step 7.
-
Identify which CVEs are affecting you
a. First, letâs add an apt source for the esm-apps deb-src repository. This will allow us to download the source packages directly which contain the CVE information.
$ echo "deb-src https://esm.ubuntu.com/apps/ubuntu $(lsb_release -s -c)-apps-security main" | sudo tee /etc/apt/sources.list.d/esm-apps-sources.list
b. Letâs make sure that apt is aware of those source packages by running
$ sudo apt-get update
c. Now, letâs download a source package for a package present on esm-apps (from step 7). In our example here, it will be redis.
$ sudo apt-get source redis
(This command will download the package on the same folder where the user runs the command):
d. Letâs now find a file that starts with the package name we downloaded and ends with debian.tar.xz. We can do that by running the following ls command:
$ ls [PACKAGE_NAME]*.debian.tar.xz
For example, for redis we should run:
$ ls redis*.debian.tar.xz
redis_5.0.7-2ubuntu0.1+esm1.debian.tar.xz
e. We can now use this name to show the latest changelog entry
$ tar -xOf [PACKAGE_FILE] debian/changelog | sed "/--/q"
For example, for redis we should run:
$ tar -xOf redis_5.0.7-2ubuntu0.1+esm1.debian.tar.xz debian/changelog | sed "/--/q"
redis (5:5.0.7-2ubuntu0.1+esm1) focal-security; urgency=medium
* SECURITY UPDATE: Several security issues.
- debian/patches/CVE-2021-32626.patch: Fix invalid memory write on
lua stack overflow
- debian/patches/CVE-2021-32627_32628.patch: Fix ziplist and
listpack overflows and truncations
- debian/patches/CVE-2021-32672.patch: Fix protocol parsing on
'ldbReplParseCommand'
- debian/patches/CVE-2021-32675.patch: Prevent unauthenticated
client from easily consuming lots of memory
- debian/patches/CVE-2021-32687.patch: Fix Integer overflow issue
with intsets
- debian/patches/CVE-2021-41099.patch: Fix integer overflow in
_sdsMakeRoomFor
- CVE-2021-32626
- CVE-2021-32627
- CVE-2021-32628
- CVE-2021-32672
- CVE-2021-32675
- CVE-2021-32687
- CVE-2021-41099
-- Eduardo Barretto <[email protected]> Tue, 08 Mar 2022 09:52:58 +0100
I can now see all CVE fixes available for redis with Ubuntu Pro. They fix the following CVEs:
-
CVE-2021-32626
-
CVE-2021-32627
-
CVE-2021-32628
-
CVE-2021-32672
-
CVE-2021-32675
-
CVE-2021-32687
-
CVE-2021-41099
You can learn more about those security vulnerabilities on Ubuntu security pages, e.g. https://ubuntu.com/security/CVE-2021-32626
Note: as those security fixes are currently in beta, the USNs will not yet be announced.
PS: You can delete the â/etc/apt/sources.list.d/esm-apps-sources.listâ file after looking at the changelog.
-
Upgrade packages to a patched version
Now that we have identified which packages and CVEs are affecting you, letâs get them fixed.
$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
redis redis-server redis-tools
3 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.
3 esm-apps security updates
Need to get 532 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis-server amd64 5:5.0.7-2ubuntu0.1+esm1 [37.4 kB]
Get:2 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis-tools amd64 5:5.0.7-2ubuntu0.1+esm1 [491 kB]
Get:3 https://esm.ubuntu.com/apps/ubuntu focal-apps-security/main amd64 redis all 5:5.0.7-2ubuntu0.1+esm1 [3,072 B]
Fetched 532 kB in 1s (393 kB/s)
(Reading database ... 281498 files and directories currently installed.)
Preparing to unpack .../redis-server_5%3a5.0.7-2ubuntu0.1+esm1_amd64.deb ...
Unpacking redis-server (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Preparing to unpack .../redis-tools_5%3a5.0.7-2ubuntu0.1+esm1_amd64.deb ...
Unpacking redis-tools (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Preparing to unpack .../redis_5%3a5.0.7-2ubuntu0.1+esm1_all.deb ...
Unpacking redis (5:5.0.7-2ubuntu0.1+esm1) over (5:5.0.7-2ubuntu0.1) ...
Setting up redis-tools (5:5.0.7-2ubuntu0.1+esm1) ...
Setting up redis-server (5:5.0.7-2ubuntu0.1+esm1) ...
Setting up redis (5:5.0.7-2ubuntu0.1+esm1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (245.4-4ubuntu3.18) ...
-
Find out how many esm-apps fixes have been installed overall
$ pro security-status
2190 packages installed:
1870 packages from Ubuntu Main/Restricted repository
281 packages from Ubuntu Universe/Multiverse repository
10 packages from third parties
29 packages no longer available for download
To get more information about the packages, run
pro security-status --help
for a list of available options.
Main/Restricted packages receive updates with LTS until 2025.
Universe/Multiverse packages are receiving security updates from
Ubuntu Pro with 'esm-apps' enabled until 2030. You have received 3 security
updates.
Congrats! It seems that packages have been upgraded, so youâre not vulnerable to the CVEs listed in step 8 anymore. In the final output above, with esm-apps --beta
service enabled, we can see that 3 packages have received security updates.
-
What else can you use your Ubuntu Pro subscription for?
For users running in regulated environments, we have a set of FIPS-certified crypto-modules and hardening scripts available. To enable them, consider enabling other Pro services you are entitled to, such as the Ubuntu Security Guide.
$ sudo pro enable usg
-
Thatâs all, folks
Good job, you made it! You should now know how to access and use Ubuntu Pro, as well as understand all the great benefits Ubuntu Pro has to offer.
Next steps:
Still hungry to learn more about Ubuntu Pro? Head on over to Ubuntu Pro Discourse.