Manage Livepatch configurations at scale with Landscape

1. Overview

In this tutorial, you will learn how to use Landscape’s dashboard to change which machines have the Ubuntu Advantage Livepatch entitlement enabled.

The Ubuntu Advantage client (UA Client) provides you with a simple mechanism to view, enable, and disable offerings from Canonical on your system. UA client produces machine readable outputs and integrates with other Canonical, or third-party tooling. Beyond Livepatch, UA Client can enable Ubuntu Advantage services like Extended Security Maintenance (ESM), Ubuntu Security Guide (USG), FIPS, and more.

Landscape is Canonical’s systems management and monitoring solution. We will compose interactions with UA Client into a Landscape-aware shell script, and track which systems are configured to live patch the Linux kernel.

Landscape enables you to divide your Ubuntu estate into cross sections by tags, groups, annotations, and search queries, which can also filter hardware and software metadata. These cross sections, regardless of size, can be monitored and managed as easily as one machine.


2. Prerequisites

To complete this tutorial, you will need a machine running Ubuntu Pro. If you are not running Ubuntu Pro, any other supported Ubuntu LTS will work, provided it has the following:

  • An Ubuntu One account
  • An Ubuntu Advantage for Infrastructure subscription
  • UA Client attached to your Ubuntu Advantage for Infrastructure subscription
  • Landscape Client installed and registered with either Landscape on-prem or Landscape SaaS
  • Landscape Client that is allowed to remotely execute scripts

Obtain an Ubuntu Advantage for Infrastructure subscription

Anyone can use Ubuntu Advantage for Infrastructure for free on up to 3 machines.

Customers with larger needs can mix and match Ubuntu Advantage Essential, Standard, and Advanced subscription types within one Ubuntu Advantage account. All Ubuntu Advantage subscriptions come with Livepatch and Landscape on-premises.

Visit ubuntu.com/advantage to create or sign in to your Ubuntu One account, and obtain an Ubuntu Advantage for Infrastructure subscription that matches your needs.

Attach UA client to your Ubuntu Advantage account

Your UA token is used to connect the UA client you have installed on your machines to your Ubuntu Advantage for Infrastructure subscription.

Let’s first check whether we have already attached our UA token to the UA client by running:

ua status
SERVICE       AVAILABLE  DESCRIPTION
cc-eal        no         Common Criteria EAL2 Provisioning Packages
esm-infra     yes        UA Infra: Extended Security Maintenance (ESM)
fips          yes        NIST-certified core packages
fips-updates  yes        NIST-certified core packages with priority security updates
livepatch     yes        Canonical Livepatch service
usg           yes        Security compliance and audit tools

This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage

We can see that this is not yet attached to a UA subscription. Let’s fix that now.

Your UA token can be found on your Ubuntu Advantage dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.

The Ubuntu One account functions as a Single Sign On, so once logged in we can type the address for the Ubuntu Advantage dashboard into the browser’s address bar: ubuntu.com/advantage. Then click on a subscription in the left hand column, and the Documentation tab on the right hand side column. Now we’re ready to attach our UA token to the UA client. Look for the copy and paste ready command to attach a machine, it will look similar to this:

sudo ua attach <your_ua_token>

Configure Landscape

The Landscape quickstart deployment guide offers the shortest path to a functional Landscape Server instance, and enrolling a machine to be managed by Landscape with Landscape Client. Signing up for Landscape SaaS eliminates the server installation step, and relieves you of any maintenance activities to keep Landscape up to date.

The Landscape Client steps from the quickstart deployment guide are accurate for both Landscape SaaS and Landscape on-premises users. During installation, Landscape Client will request permission for executing scripts remotely for all users.

Landscape has a feature which enables administrators to run
arbitrary scripts on machines under their control. By default this
feature is disabled in the client, disallowing any arbitrary script
execution. If enabled, the set of users that scripts may run as is
also configurable.

Enable script execution? [y/N]:

Answering yes to this “Enable script execution” question is required for this tutorial to work successfully.

By default, scripts are restricted to the 'landscape' and
'nobody' users. Please enter a comma-delimited list of users
that scripts will be restricted to. To allow scripts to be run
by any user, enter "ALL".

Script users: ALL

Answering ALL to the Script users prompt is necessary to complete this tutorial. To be maximally useful, Landscape Client should be able to execute scripts with elevated privileges (such as root) on an as-needed basis.


3. Enable Livepatch via Landscape

When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organized. Once there, click Add Script.

Add the “Livepatch - Enable” script

Title: Livepatch - Enable

Code:

#!/bin/bash
livepatchenable() {
  local LIVEPATCHENTITLEMENT
  local LIVEPATCHENABLED
  local UASTATUS
  local UANOTATTACHED
  UASTATUS=$(ua status)
  UANOTATTACHED=$(echo "$UASTATUS" | grep -c 'This machine is not attached to a UA subscription.')
  if [[ $UANOTATTACHED -eq 0 ]]; then
    LIVEPATCHENTITLEMENT=$(echo "$UASTATUS" | grep -m 1 'livepatch' | awk '{ print $2 }' | grep -c 'yes')
    if [[ $LIVEPATCHENTITLEMENT -eq 1 ]]; then
      ua enable livepatch --assume-yes
      UASTATUS=$(ua status)
      echo "'ua status' reports livepatch is $(servicestatus 'livepatch')"
    fi
  fi
  servicestatus 'livepatch' > /var/lib/landscape/client/annotations.d/livepatch
  chown landscape: /var/lib/landscape/client/annotations.d/livepatch
  LIVEPATCHENABLED=$(servicestatus 'livepatch' | grep -c 'enabled')
  if [[ $LIVEPATCHENABLED -eq 0 ]]; then
    exit 1
  fi
}
servicestatus() {
  echo "$UASTATUS" | grep -m 1 "$1" | awk '{ print $3 }' | sed 's/\xE2\x80\x94/unavailable/'
}
livepatchenable

Run as user: root
Time limit (seconds): 300
Access group: Global access

Run the “Livepatch - Enable” script

  1. Within the Landscape dashboard, click Computers in the primary navigation.
  2. Select all the computers whose Livepatch configuration needs to be identified.
  3. Click Scripts in the secondary navigation menu
  4. Click the Livepatch - Enable radio button, then click Next
  5. Confirm the script reads correctly, choose when you want the script to be delivered, and click Run

4. Disable Livepatch via Landscape

When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organized. Once there, click Add Script.

Add the “Livepatch - Disable” script

Title: Livepatch - Disable

Code:

#!/bin/bash
livepatchdisable() {
  local LIVEPATCHENABLED
  local UASTATUS
  local UANOTATTACHED
  UASTATUS=$(ua status)
  UANOTATTACHED=$(echo "$UASTATUS" | grep -c 'This machine is not attached to a UA subscription.')
  if [[ $UANOTATTACHED -eq 0 ]]; then
    ua disable livepatch --assume-yes
    UASTATUS=$(ua status)
    echo "'ua status' reports livepatch is $(servicestatus 'livepatch')"
  fi
  servicestatus 'livepatch' > /var/lib/landscape/client/annotations.d/livepatch
  chown landscape: /var/lib/landscape/client/annotations.d/livepatch
  LIVEPATCHENABLED=$(servicestatus 'livepatch' | grep -c 'enabled')
  if [[ $LIVEPATCHENABLED -eq 1 ]]; then
    exit 1
  fi
}
servicestatus() {
  echo "$UASTATUS" | grep -m 1 "$1" | awk '{ print $3 }' | sed 's/\xE2\x80\x94/unavailable/'
}
livepatchdisable

Run as user: root
Time limit (seconds): 300
Access group: Global access

Run the “Livepatch - Disable” script

  1. Within the Landscape dashboard, click Computers in the primary navigation.
  2. Select all the computers whose Livepatch configuration needs to be identified.
  3. Click Scripts in the secondary navigation menu
  4. Click the Livepatch - Disable radio button, this is the name of the script from Step 4. Then click Next
  5. Confirm the script reads correctly, choose when you want the script to be delivered, and click Run

5. Summary & Next Steps

Congratulations! Your Landscape dashboard is reporting Livepatch information in a searchable manner. In the search bar, try the following queries:

  • NOT annotation:livepatch OR annotation:livepatch:disabled
  • annotation:livepatch:enabled

All Ubuntu machines which are configured to live patch the Linux kernel will appear for search term annotation:livepatch:enabled. The NOT queries will reveal the inverse, and be useful in identifying machines either missing an Ubuntu Advantage subscription, or machines without Livepatch entitlements enabled.

Next, you can complete the tutorial which explains how to monitor Livepatch configurations at scale with Landscape.

You can see annotations for each computer under the Info tab, right above the comments section.


6. Tell us your thoughts!

Thank you for following this tutorial, we’d love to hear how you got on.

Give us feedback in the Ubuntu Discourse if you have any issues.

To help us improve our tutorials, we’d love to hear more about you:

How will you use this tutorial?

What is your current level of experience?

Why were you interested in this tutorial?