UAclient

Differences between revisions 25 and 26

This content was moved to the Ubuntu Server Guide on Discourse

Ubuntu Advantage Client

UAclient (last edited 2021-04-13 13:22:32 by rharding)

-  ⇤ ← Revision 25 as of 2020-06-18 14:52:41 → 
  Size: 8690
  Editor: thibautr
  Comment:
+   ← Revision 26 as of 2021-04-13 13:22:32 → ⇥
  Size: 265
  Editor: rharding
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 4:
-||<tablebgcolor="#f1f1ed" tablewidth="40%" tablestyle="margin: 0pt 0pt 1em 1em; float: right; font-size: 0.9em;"style="padding: 0.5em;"><<TableOfContents>>||

The '''Ubuntu Advantage (UA) client''' is a tool designed to automate access to UA services like Extended Security Maintenance (ESM), FIPS, and more.  Currently this is available for [[https://wiki.ubuntu.com/SecurityTeam/ESM/14.04|Ubuntu 14.04 LTS (Trusty) ESM]], [[https://ubuntu.com/aws/pro|Ubuntu Pro for AWS]] and [[https://ubuntu.com/azure/pro|Ubuntu Pro for Azure]]. The updated client provides users a command line interface with a single point to access all UA services. This simplifies access to UA Services and allows access to UA services for all users of Ubuntu with a free tier of service.

= Fast Path to ESM =

 1. Make sure that you have the latest UA client installed on your Ubuntu 14.04 LTS machine.
 2. Follow the instructions on [[https://ubuntu.com/advantage/|ubuntu.com/advantage]] to retrieve your UA token and get started with ESM. 

Keep reading if you want more detailed instructions, or have questions

= Installing the UA client =

The UA client is installed through '''`apt`'''. Make sure to confirm you have latest Ubuntu Advantage client which is 19.6~ubuntu14.04.3. 

{{{
$ sudo apt update
$ sudo apt install ubuntu-advantage-tools
}}}

Once this has been installed, you will need to attach it to your UA account.
-Line 27:
+Line 6:
-= Attach the UA client =
-Line 29:
+Line 7:
-Retrieve your UA token from [[https://ubuntu.com/advantage/|ubuntu.com/advantage]]. You will log in with your SSO credentials, the same credentials you use for [[https://login.ubuntu.com|login.ubuntu.com]].
-Line 31:
+Line 8:
-{{{
$ sudo ua attach YOUR_TOKEN
}}}
-Line 35:
+Line 9:
-You should see output like the following, indicating that you have successfully associated this machine with your account.
+= This content was moved to the Ubuntu Server Guide on Discourse =
-Line 37:
+Line 11:
-{{{
Updating 'esm-infra' apt sources list on changed directives.
Updating package lists
Updating package lists
This machine is now attached to 'user@domain.tld'.

SERVICE       ENTITLED  STATUS    DESCRIPTION
cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
cis-audit     no        —         Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance
fips          yes       n/a       NIST-certified FIPS modules
fips-updates  yes       n/a       Uncertified security updates to FIPS modules
livepatch     yes       disabled  Canonical Livepatch service

Enable services with: ua enable <service>

     Account: user@domain.tld
Subscription: user@domain.tld
}}}

Once the UA client is attached to your UA account, you can use it to activate various services, including: access to ESM packages, and Livepatch. The UA client for different releases of Ubuntu may have more or less services available.

= UA Status =

Users can use the 'status' subcommand to get the current status and see what services are enabled or disabled:

{{{
$ sudo ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
cis-audit     no        —         Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance
fips          yes       n/a       NIST-certified FIPS modules
fips-updates  yes       n/a       Uncertified security updates to FIPS modules
livepatch     yes       disabled  Canonical Livepatch service

Enable services with: ua enable <service>

     Account: user@domain.tld
Subscription: user@domain.tld
}}}

= Extended Security Maintenance (ESM) =

For Ubuntu 14.04 LTS as shown above, ESM will be automatically enabled after attaching the UA client to your account. After ubuntu-advantage-tools is installed and your machine is attached, ESM should be enabled. If ESM is not enabled, you can enable it with the following command:

{{{
$ sudo ua enable esm-infra
}}}

With the ESM repository enabled, you may see a number of additional package updates available that were not available previously. Your system may have indicated that it was up to date before installing the ubuntu-advantage-tools, but make sure to check for new updates with '''`apt update`'''. If you have cron jobs set to install updates, or other unattended upgrades configured, be aware that this will likely result in a number of package updates after ESM is enabled.

{{{
$ sudo apt update
}}}

Running '''`apt upgrade`''' will show a number of package updates available.

{{{
$ sudo apt upgrade
}}}

More information: https://wiki.ubuntu.com/SecurityTeam/ESM/

= Livepatch =

Livepatch requires:
 * kernel version 4.4 or above (16.04+ delivered via the [[https://wiki.ubuntu.com/Kernel/LTSEnablementStack|HWE Kernel]]). 
 * The ESM repo enabled and up-to-date specifically packages like snapd.

To enable just do:

{{{
$ sudo ua enable livepatch
}}}

You should see output like the following, indicating that the Livepatch snap package has been installed.

{{{
One moment, checking your subscription first
Installing snapd
Updating package lists
Installing canonical-livepatch snap
Canonical livepatch enabled.
}}}

To check the status of Livepatch once it has been installed use this command

{{{
$ sudo canonical-livepatch status
}}}

More information: https://wiki.ubuntu.com/Kernel/Livepatch

= Security Cerifications (FIPS / Common Criteria) =

FIPS and Common Criteria are supported on 16.04+, please see https://docs.ubuntu.com/security-certs/en/.  The UA client will be updated for 16.04+ at a later date.

= FAQ =

== General ==

 * Why are we updating the client?
  * The updated client provides users a command line interface with a single point to access all UA services. 
  * This reduces the number of tokens a customer has to manage as the old mechanism was one token per service. 

 * What about releases other than Ubuntu 14.04 LTS?
  * Support for the client on Ubuntu 16.04 LTS (Xenial)+ is coming.

 * Can I see how many active devices I have attached?
  * Not yet, but providing a mechanism for reporting usage is planned for a future cycle.

 * Will the old ESM system stay in place for the entire Ubuntu 14.04 LTS ESM lifetime?
  * Yes. If you have ESM provisioned using the old client or manually you do not have to change.

 * Ubuntu.com/advantage shows I have 0? Why? I have more licenses.
  * The number is showing 0 attached the subscription - not your total license amount.

== Attach ==

 * How do I attach/login/activate?
  * You have to obtain a token and run: '''`ua attach <token>`'''

 * Where do I get a token?
  * [[https://ubuntu.com/advantage/|ubuntu.com/advantage]]

 * How do I use SSO?
  * SSO is available from a user’s Ubuntu One account and can be created at [[https://login.ubuntu.com/|login.ubuntu.com]]. 

 * What services get enabled by default?
  * ESM would be enabled by default where possible, Livepatch will not be auto-enabled on Ubuntu 14.04 LTS.
  * If a service is not applicable on the platform or release then the service will be skipped

 * I already have UA, and use Landscape to manage my devices, can I attach and manage UA from Landscape?
  * No

== Status ==

 * What does '''entitled''' mean?
  * Entitled shows whether your contract with us includes this Ubuntu Advantage service or not.

 * Why does the STATUS column say '''n/a''' if I am '''entitled''' to the service?
  * This service may not be applicable to the system you are currently on. Here are some examples:
   * FIPS is currently only supported on Xenial. If you are on any other release, FIPS would show up as '''n/a'''.
   * On Ubuntu 14.04 LTS, Livepatch is only available if you have the HWE kernel installed and are booted into it. Otherwise it shows '''n/a'''.
   * If you are on a container, you cannot install Livepatch.

== Issues/Bugs/Debug ==

 * Where can I file bugs?
  * https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+filebug
 
 * Things are failing, what logs are useful?
  * First, consider using the '''`--debug`''' option to see what might be failing. 
  * Otherwise, checkout '''`/var/log/ubuntu-advantage.log`'''. If including this log file in a bug report, please sanitize it first, as it '''will likely contain secrets'''!

 * I'm attaching successfully, but not showing entitled to anything? I have a commercial contract.
   * Please open a [[https://support.canonical.com/ | support case ]] with the output of sudo ua status --format json
+[[https://discourse.ubuntu.com/t/ubuntu-advantage-client/21788|Ubuntu Advantage Client]]

Ubuntu Wiki

UAclient

This content was moved to the Ubuntu Server Guide on Discourse