Upgrade Ubuntu LTS to Ubuntu Pro for extending the support upto 10 years of patches

Today the company canonical announced that all registered Ubuntu users can have free subscription of Ubuntu Pro for upto 5 machines. 

If you are a memeber of Ubuntu community, then you can use it upto 50 machines.

So, how to? I haven't found some tutorials from the internet. So I decided to write this one.

 

Suppose that you have a Ubuntu 20.04 LTS server running somewhere, and you want it to receive patches for the next 10 years rather than 5 years very after the destro was released.

1. ssh to your server and install this package ( ubuntu advantage agent )

sudo apt update
sudo apt install ubuntu-advantage-tools

2. Attaching your subscription 

2.1) go to  https://ubuntu.com/pro and register an account, and you will see something like this

 

you will see there is a token.

2.2) attach your server to Ubuntu Pro by these commands

sudo pro attach <your_token>

 

 

3. enable the fips patches

as you can see, by default after you attach your server to Ubuntu Pro Subscription , your server will have "esm-infra" enable Expanded Security Maintenance for Infrastructure. 

You can enable fips by doing so.

sudo pro enable fips
sudo pro enable fips-updates

But fips can not work with livepatch at the same time. You should decided which one is more suitable for you.

 

read this if you don't know what fips is. https://ubuntu.com/security/certifications/docs/fips-faq Fips is on a kernel level for disabling outdated cryptographic libs.

 

If your application running on the linux server is still using some outdated encryption algorithms by calling "libcrypto or kernel cryptoapi", it may fail !!!

So be alerted if you want secure your server when enabling fips.

But this is a good thing, isn't it? Let's get rid of lame encryptions from the levels of kernel and libs. Especially when you are developing something needed strong securities. Commercial support is worthy to pay. Thanks to Canonical for bring this to us for free though we can do it by ourselves. If I do it by myself, I would need lots of work and some time. 

 

If you want to share some info with Canonical for auditions you can also do 

# I won't do this :) but you know it's not an issue for canonical to know you better
sudo pro enable usg

 

Now congratulations 🎉 , your server can have upto 10 years of security patches after the year when the destro was released.

 

posted @ 2022-10-06 20:36  spaceship9  阅读(360)  评论(0编辑  收藏  举报