Manage Livepatch configurations at scale with Landscape

1. Overview

In this tutorial, you will learn how to use Landscape’s dashboard to change which machines have the Ubuntu Pro Livepatch entitlement enabled.

The Pro Client provides you with a simple mechanism to view, enable, and disable offerings from Canonical on your system. Pro Client produces machine-readable output and integrates with other Canonical or third-party tooling. Beyond Livepatch, Pro Client can enable Ubuntu Pro services like Expanded Security Maintenance (ESM), Ubuntu Security Guide (USG), FIPS, and more.

Landscape is Canonical’s systems management and monitoring solution. We will compose interactions with Pro Client into a Landscape-aware shell script, and track which systems are configured to live patch the Linux kernel.

Landscape enables you to divide your Ubuntu estate into cross sections by tags, groups, annotations, and search queries, which can also filter hardware and software metadata. These cross sections, regardless of size, can be monitored and managed as easily as one machine.


2. Prerequisites

To complete this tutorial, you will need a machine running Ubuntu Pro. If you are not running Ubuntu Pro, any other supported Ubuntu LTS will work, provided it has the following:

Sign up for Ubuntu Pro

Anyone can use Ubuntu Pro for free on up to 5 machines.

Customers with larger needs can mix and match Ubuntu Pro subscriptions with and without support for server and desktop, within one account. All Ubuntu Pro subscriptions include Livepatch and Landscape.

Visit ubuntu.com/pro/subscribe to create or sign in to your Ubuntu One account, and obtain an Ubuntu Pro token.

Attach your Ubuntu Pro subscription with Pro Client

Your Ubuntu Pro token is used to connect the Pro Client (installed on your machines) to your Ubuntu Pro subscription.

Let’s first check whether we have already attached our Pro token to Pro Client by running:

pro status
SERVICE          AVAILABLE  DESCRIPTION
anbox-cloud      yes        Scalable Android in the cloud
esm-apps         yes        Expanded Security Maintenance for Applications
esm-infra        yes        Expanded Security Maintenance for Infrastructure
landscape        yes        Management and administration tool for Ubuntu
livepatch        yes        Canonical Livepatch service
realtime-kernel  yes        Ubuntu kernel with PREEMPT_RT patches integrated
usg              yes        Security compliance and audit tools

For a list of all Ubuntu Pro services, run 'pro status --all'

This machine is not attached to an Ubuntu Pro subscription.
See https://ubuntu.com/pro

We can see that this is not yet attached to an Ubuntu Pro subscription. Let’s fix that now.

Your Ubuntu Pro token can be found on your Ubuntu Pro dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.

The Ubuntu One account functions as a single sign-on, so once logged in we can type the address for the Ubuntu Pro dashboard into the browser’s address bar: ubuntu.com/pro/dashboard. Then click on a subscription in the left-hand column, and look for the “Token” field in the right-hand column.

Now, attach the Pro token to the Pro Client. Look for the copy-and-paste-ready command to attach a machine. It will look similar to this:

sudo pro attach <your_pro_token>

Configure Landscape

The Landscape quickstart deployment guide offers the shortest path to a functional self-hosted Landscape Server instance. Alternatively, create a free Landscape SaaS account. Landscape SaaS eliminates the server installation step, and relieves you of any maintenance activities to keep Landscape up to date.

An administrator can remotely execute scripts on any client machine if the appropriate plugin is enabled. This plugin is disabled by default. Any calls to the ExecuteScript API endpoint will result in failed activities if the client has the default configuration. For more information on API endpoints for stored scripts, visit API Methods: Scripts.

To use remote script execution on client machines, you must first enable it with the landscape-config command or by manually editing /etc/landscape/client.conf.

To enable this plugin with landscape-config, run:

sudo landscape-config --include-manager-plugins=ScriptExecution --script-users=root,landscape,nobody

Or, to enable this plugin by manually editing /etc/landscape/client.conf, add the following lines to the [client] section of that file:

include_manager_plugins = ScriptExecution
script_users = root,landscape,nobody
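With root in script_users, any stored script that a Landscape administrator runs executes as root on the client, so it is worth knowing which machines carry this setting. The check below is an added example, not part of the Landscape documentation: it reads the [client] section of a client.conf and reports whether ScriptExecution is listed and whether root is among script_users. The sample file contents (including the computer_title value) are constructed.

```shell
#!/bin/bash
# Added example: does client.conf list ScriptExecution, and root in script_users?

# Print the value of KEY ($2) from the [client] section of FILE ($1).
client_conf_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                            # comment line
        /^[ \t]*\[/ { in_client = ($0 ~ /^[ \t]*\[client\]/); next }
        in_client && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                         # last assignment wins
        }
        END { print val }
    ' "$1"
}

# True if comma-separated LIST ($1) contains ITEM ($2), ignoring whitespace.
list_has() {
    case ",$(printf '%s' "$1" | tr -d ' \t')," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one client.conf: plugin-not-listed | root-listed | root-not-listed
audit_script_execution() {
    plugins=$(client_conf_get "$1" include_manager_plugins)
    users=$(client_conf_get "$1" script_users)
    if ! list_has "$plugins" ScriptExecution; then
        echo "plugin-not-listed"
    elif list_has "$users" root; then
        echo "root-listed"
    else
        echo "root-not-listed"
    fi
}

# Constructed sample mirroring the lines shown in this tutorial.
sample_conf=$(mktemp)
printf '%s\n' '[client]' 'computer_title = web01' \
    'include_manager_plugins = ScriptExecution' \
    'script_users = root,landscape,nobody' > "$sample_conf"
# Audit the real config when readable, otherwise the constructed sample.
conf=/etc/landscape/client.conf
[ -r "$conf" ] || conf=$sample_conf
echo "$conf: $(audit_script_execution "$conf")"
```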

After you’ve enabled script execution using one of these options, the system users listed in script_users can run scripts once you restart Landscape Client with:


3. Enable Livepatch via Landscape

When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organized. Once there, click Add Script.

Add the “Livepatch - Enable” script

Title: Livepatch - Enable

Code:

#!/bin/bash
pro enable livepatch

Run as user: root
Time limit (seconds): 300
Access group: Global access

Run the “Livepatch - Enable” script

  1. Within the Landscape dashboard, click Computers in the primary navigation.
  2. Select all the computers whose Livepatch configuration needs to be identified.
  3. Click Scripts in the secondary navigation menu
  4. Click the Livepatch - Enable radio button, then click Next
  5. Confirm the script reads correctly, choose when you want the script to be delivered, and click Run

4. Disable Livepatch via Landscape

When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organized. Once there, click Add Script.

Add the “Livepatch - Disable” script

Title: Livepatch - Disable

Code:

#!/bin/bash
pro disable livepatch

Run as user: root
Time limit (seconds): 300
Access group: Global access

Run the “Livepatch - Disable” script

  1. Within the Landscape dashboard, click Computers in the primary navigation.
  2. Select all the computers whose Livepatch configuration needs to be identified.
  3. Click Scripts in the secondary navigation menu
  4. Click the Livepatch - Disable radio button (this is the name of the script from Step 4), then click Next
  5. Confirm the script reads correctly, choose when you want the script to be delivered, and click Run
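The enable and disable scripts above can be combined into one script that reads the Pro Client's machine-readable status first, acts only when a change is needed, and exits non-zero when the machine cannot reach the requested state. This is an added example, not Canonical's script; the JSON field names (attached, services, name, status) are assumptions about the output of pro status --format json, and the sample JSON is constructed.

```shell
#!/bin/bash
# Added example: move Livepatch to a desired state only when needed, and fail
# the Landscape activity when the machine cannot reach that state.
WANT="${1:-dry-run}"   # Landscape passes no arguments: hard-code enable/disable

# Read `pro status --format json` on stdin; print unattached, unknown, or the
# livepatch status string. Field names are assumed from Pro Client output.
livepatch_state() {
    python3 -c '
import json, sys
try:
    doc = json.load(sys.stdin)
except ValueError:
    print("unknown"); sys.exit(0)
if not doc.get("attached"):
    print("unattached"); sys.exit(0)
found = [s.get("status") for s in doc.get("services", [])
         if s.get("name") == "livepatch"]
print(found[0] if found else "unknown")
'
}

# Map WANT ($1) and current state ($2) to: noop | run | fail
plan_action() {
    case "$1:$2" in
        enable:enabled|disable:disabled|disable:unattached) echo noop ;;
        enable:disabled|disable:enabled) echo run ;;
        *) echo fail ;;   # unattached, n/a, unknown: needs an operator
    esac
}

ensure_livepatch() {
    state=$(pro status --format json | livepatch_state)
    case "$(plan_action "$1" "$state")" in
        noop) echo "livepatch: nothing to do (state=$state)" ;;
        run)  pro "$1" livepatch ;;
        *)    echo "livepatch: cannot $1 (state=$state)" >&2; return 1 ;;
    esac
}

# Constructed sample of attached-machine JSON, used for the dry run below.
SAMPLE='{"attached": true, "services": [{"name": "livepatch", "status": "disabled"}]}'

if [ "$WANT" = dry-run ]; then
    s=$(printf '%s' "$SAMPLE" | livepatch_state)
    echo "sample state=$s, enable -> $(plan_action enable "$s")"
else
    ensure_livepatch "$WANT" || exit 1
fi
```

When storing it in Landscape, set WANT to enable or disable in the script body and keep Run as user: root, as in the scripts above.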

5. Summary & Next Steps

Congratulations! Your Landscape dashboard is reporting Livepatch information. Log in to Landscape, and click “New Web Portal” in the primary navigation at the top of the page. Click “Instances” in the right hand side navigation, and click on the title of an Ubuntu instance. There is a “Kernel” tab, which exposes information about your installed Linux kernel, alongside Livepatch and other security coverage information.


6. Tell us your thoughts!

Thank you for following this tutorial. We’d love to hear how you got on.

Give us feedback in the Ubuntu Discourse if you have any issues.
