UAclient

The Ubuntu Advantage (UA) client is a tool designed to automate access to UA services like Extended Security Maintenance (ESM), FIPS, and more. Currently this is available for Ubuntu 14.04 LTS (Trusty) ESM. The updated client gives users a single command-line interface for accessing all UA services. This simplifies access and makes UA services available to all Ubuntu users through a free tier of service.

Fast Path to ESM

  1. Make sure that you have the latest UA client installed on your Ubuntu 14.04 LTS machine.
  2. Follow the instructions on ubuntu.com/advantage to retrieve your UA token and get started with ESM.

Keep reading if you want more detailed instructions or have questions.

Installing the UA client

The UA client is installed through apt. Confirm that you have the latest Ubuntu Advantage client, which is 19.6~ubuntu14.04.3.

$ sudo apt update
$ sudo apt install ubuntu-advantage-tools

Once this has been installed, you will need to attach it to your UA account.

Attach the UA client

Retrieve your UA token from ubuntu.com/advantage. You will log in with your SSO credentials, the same credentials you use for login.ubuntu.com.

$ sudo ua attach YOUR_TOKEN

You should see output like the following, indicating that you have successfully associated this machine with your account.

Updating 'esm-infra' apt sources list on changed directives.
Updating package lists
Updating package lists
This machine is now attached to 'user@domain.tld'.

SERVICE       ENTITLED  STATUS    DESCRIPTION
cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
cis-audit     no        —         Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance
fips          yes       n/a       NIST-certified FIPS modules
fips-updates  yes       n/a       Uncertified security updates to FIPS modules
livepatch     yes       disabled  Canonical Livepatch service

Enable services with: ua enable <service>

     Account: user@domain.tld
Subscription: user@domain.tld

Once the UA client is attached to your UA account, you can use it to activate various services, including access to ESM packages and Livepatch. The UA client for other releases of Ubuntu may offer more or fewer services.

UA Status

Users can use the 'status' subcommand to get the current status and see what services are enabled or disabled:

$ sudo ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
cis-audit     no        —         Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance
fips          yes       n/a       NIST-certified FIPS modules
fips-updates  yes       n/a       Uncertified security updates to FIPS modules
livepatch     yes       disabled  Canonical Livepatch service

Enable services with: ua enable <service>

     Account: user@domain.tld
Subscription: user@domain.tld
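
For checking many machines, the status table can be parsed in a script. The following is an added example, not part of the UA client or the original page: it assumes the column layout shown in the sample output above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the text table printed by `ua status`.
# Column layout is assumed from the sample output on this page;
# all function names here are hypothetical.

# Print "<service> <entitled> <status>" for each service row read on stdin.
ua_parse_status() {
    awk '
        $1 == "SERVICE" && $2 == "ENTITLED" { in_table = 1; next }
        in_table && NF == 0 { in_table = 0 }   # a blank line ends the table
        in_table { print $1, $2, $3 }
    '
}

# Print the STATUS column for one service; return 1 if it is not listed.
ua_service_state() {
    ua_parse_status | awk -v svc="$1" '
        $1 == svc { print $3; found = 1 }
        END { exit !found }'
}

# List services the contract covers ("yes") that apply to this machine
# (STATUS is not "n/a") but are not enabled.
ua_entitled_not_enabled() {
    ua_parse_status |
        awk '$2 == "yes" && $3 != "enabled" && $3 != "n/a" { print $1 }'
}

# Exit-code check for cron or configuration management:
# 0 when esm-infra is enabled, non-zero otherwise.
ua_esm_enabled() {
    [ "$(ua_service_state esm-infra)" = "enabled" ]
}

# Constructed sample input: the table from the example output above.
SAMPLE_STATUS='SERVICE       ENTITLED  STATUS    DESCRIPTION
cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
cis-audit     no        —         Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance
fips          yes       n/a       NIST-certified FIPS modules
fips-updates  yes       n/a       Uncertified security updates to FIPS modules
livepatch     yes       disabled  Canonical Livepatch service

Enable services with: ua enable <service>'
```

On a live machine the functions read the real output, for example `sudo ua status | ua_esm_enabled` or `sudo ua status | ua_entitled_not_enabled`.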

Extended Security Maintenance (ESM)

For Ubuntu 14.04 LTS, as shown above, ESM is automatically enabled once ubuntu-advantage-tools is installed and the machine is attached to your account. If ESM is not enabled, you can enable it with the following command:

$ sudo ua enable esm-infra

With the ESM repository enabled, you may see a number of additional package updates that were not available previously. Your system may have indicated that it was up to date before you installed ubuntu-advantage-tools, so make sure to check for new updates with apt update. If you have cron jobs set to install updates, or other unattended upgrades configured, be aware that this will likely result in a number of package updates after ESM is enabled.

$ sudo apt update

Running apt upgrade will show a number of package updates available.

$ sudo apt upgrade

More information: https://wiki.ubuntu.com/SecurityTeam/ESM/

Livepatch

Livepatch requires kernel version 4.4 or above (16.04+ delivered via the HWE Kernel). You can check the current kernel version with the following command.

$ uname -r

If the installed kernel version is lower than 4.4, you will not be able to use Livepatch on that machine until you update to a new enough kernel. To enable Livepatch on Ubuntu 14.04 LTS, use the following command.

$ sudo ua enable livepatch

You should see output like the following, indicating that the Livepatch snap package has been installed.

One moment, checking your subscription first
Installing snapd
Updating package lists
Installing canonical-livepatch snap
Canonical livepatch enabled.

To check the status of Livepatch once it has been installed, use this command:

$ sudo canonical-livepatch status

More information: https://wiki.ubuntu.com/Kernel/Livepatch
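
The 4.4 kernel minimum stated above can be checked in a script before running ua enable livepatch. This is an added example, not part of the UA client or the original page; kernel_supports_livepatch is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: gate `ua enable livepatch` on the 4.4 kernel minimum.
# kernel_supports_livepatch is a hypothetical helper, not a UA client command.

# Takes a kernel release string as printed by `uname -r`.
# Returns 0 if it is 4.4 or above, 1 if it is older, 2 if it cannot be parsed.
kernel_supports_livepatch() {
    release=$1
    case $release in
        *.*) ;;                      # need at least "major.minor"
        *) return 2 ;;
    esac
    major=${release%%.*}             # "4.4.0-148-generic" -> "4"
    rest=${release#*.}               # -> "4.0-148-generic"
    minor=${rest%%[!0-9]*}           # leading digits only -> "4"
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in '') return 2 ;; esac
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 4 ]; then return 0; fi
    return 1
}

# Usage on a live machine:
#   kernel_supports_livepatch "$(uname -r)" && sudo ua enable livepatch
```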

Security Certifications (FIPS / Common Criteria)

FIPS and Common Criteria are supported on 16.04+; please see https://docs.ubuntu.com/security-certs/en/. The UA client will be updated for 16.04+ at a later date.

FAQ

General

  • Why are we updating the client?
    • The updated client provides users a command line interface with a single point to access all UA services.
    • This reduces the number of tokens a customer has to manage as the old mechanism was one token per service.
  • What about releases other than Ubuntu 14.04 LTS?
    • Support for the client on Ubuntu 16.04 LTS (Xenial)+ is coming.
  • Can I see how many active devices I have attached?
    • Not yet, but providing a mechanism for reporting usage is planned for a future cycle.
  • Will the old ESM system stay in place for the entire Ubuntu 14.04 LTS ESM lifetime?
    • Yes. If you have ESM provisioned using the old client or manually, you do not have to change.
  • Ubuntu.com/advantage shows I have 0? Why? I have more licenses.
    • The number shown (0) is the number attached to the subscription, not your total license amount.

Attach

  • How do I attach/login/activate?
    • You have to obtain a token and run: ua attach <token>

  • Where do I get a token?
  • How do I use SSO?
    • SSO is available from a user’s Ubuntu One account and can be created at login.ubuntu.com.

  • What services get enabled by default?
    • ESM is enabled by default where possible. Livepatch will not be auto-enabled on Ubuntu 14.04 LTS.
    • If a service is not applicable on the platform or release, the service will be skipped.
  • I already have UA, and use Landscape to manage my devices, can I attach and manage UA from Landscape?
    • No

Status

  • What does entitled mean?
    • Entitled shows whether your contract with us includes this Ubuntu Advantage service or not.
  • Why does the STATUS column say n/a if I am entitled to the service?
    • This service may not be applicable to the system you are currently on. Here are some examples:
      • FIPS is currently only supported on Xenial. If you are on any other release, FIPS would show up as n/a.
      • On Ubuntu 14.04 LTS, Livepatch is only available if you have the HWE kernel installed and are booted into it. Otherwise it shows n/a.
      • If you are on a container, you cannot install Livepatch.

Issues/Bugs/Debug

  • Where can I file bugs?
  • Things are failing, what logs are useful?
    • First, consider using the --debug option to see what might be failing.
    • Otherwise, check out /var/log/ubuntu-advantage.log. If you include this log file in a bug report, please sanitize it first, as it will likely contain secrets!

  • I'm attaching successfully, but not showing entitled to anything? I have a commercial contract.
    • Please open a support case with the output of sudo ua status --format json

UAclient (last edited 2019-11-21 17:31:48 by powersj)