ubuntu-advantage
UBUNTU-PRO(1) Ubuntu Pro UBUNTU-PRO(1)
NAME
pro - Manage Ubuntu Pro services from Canonical
SYNOPSIS
pro <command> [<args>]
DESCRIPTION
Ubuntu Pro is a collection of services offered by Canonical to Ubuntu
users. The Ubuntu Pro command line tool is used to attach a system to
an Ubuntu Pro contract to then enable and disable services from Canoni-
cal. The available commands and services are described in more detail
below.
COMMANDS
api <api-endpoint>
Calls the Client API endpoints.
For a list of all of the supported endpoints and their struc-
ture, please refer to the Pro client API reference guide:
https://canonical-ubuntu-pro-client.readthedocs-
hosted.com/en/latest/references/api/
attach [--no-auto-enable] [--attach-config=/path/to/file.yaml] <token>
Connect an Ubuntu Pro support contract to this machine.
The --attach-config option can be used to provide a file with
the token and optionally, a list of services to enable after at-
taching. The token parameter should not be used if this option
is provided. An attach config file looks like the following:
token: YOUR_TOKEN_HERE # required
enable_services: # optional list of service names to
auto-enable
- esm-infra
- esm-apps
- cis
The optional --no-auto-enable flag will disable the automatic
enablement of recommended entitlements which usually happens im-
mediately after a successful attach.
The exit code can be:
0: on successful attach
1: in case of any error while trying to attach
2: if the machine is already attached
collect-logs[-o<file>|--output<file>]
Create a tarball with all relevant logs and debug data.
The --output parameter defines the path to the tarball. If not
provided, the file is saved as pro_logs.tar.gz in the current
directory.
config set/unset <config-name>
Set/unset one of the available Pro configuration settings:
http_proxy If set, pro will use the specified http proxy when
making any http requests
https_proxy If set, pro will use the specified https proxy when
making any https requests
apt_http_proxy [DEPRECATED] If set, pro will configure apt to
use the specified http proxy by writing a apt config file to
/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy. (Please use
global_apt_http_proxy)
apt_https_proxy [DEPRECATED] If set, pro will configure apt to
use the specified https proxy by writing a apt config file to
/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy. (Please use
global_apt_https_proxy)
global_apt_http_proxy If set, pro will configure apt to use the
specified http proxy by writing a apt config file to
/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy. Set this if you
prefer a global proxy for all resources, not just the ones from
esm.ubuntu.com
global_apt_https_proxy If set, pro will configure apt to use the
specified https proxy by writing a apt config file to
/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy. Set this if you
prefer a global proxy for all resources, not just the ones from
esm.ubuntu.com
ua_apt_http_proxy If set, pro will configure apt to use the
specified http proxy by writing a apt config file to
/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy. This proxy is
limited to accessing resources from esm.ubuntu.com
ua_apt_https_proxy If set, pro will configure apt to use the
specified https proxy by writing a apt config file to
/etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy. This proxy is
limited to accessing resources from esm.ubuntu.com
<job_name>_timer Sets the timer running interval for a specific
job. Those intervals are checked every time the systemd timer
runs.
apt_news If set to false, the Pro client will no longer display
apt news messages on the output of apt upgrade.
apt_news_url Sets the url where the Pro client will consume apt
news information from.
If needed, authentication to the proxy server can be performed
by setting username and password in the URL itself, as in:
http_proxy: http://<username>:<password>@<fqdn>:<port>
config show <config-name>
Show customizable configuration settings
If no config is provided, this command will display all of the
Pro configuration values
detach Remove the Ubuntu Pro support contract from this machine.
disable [anbox-cloud|cc-eal|cis|esm-apps|esm-infra|fips|fips-updates|
landscape|livepatch|realtime-kernel|ros|ros-updates]
Disable this machine's access to an Ubuntu Pro service.
enable [anbox-cloud|cc-eal|cis|esm-apps|esm-infra|fips|fips-updates|
landscape|livepatch|realtime-kernel|ros|ros-updates]
Activate and configure this machine's access to an Ubuntu Pro
service.
fix [--dry-run] [--no-related] <security_issue>
Fix a CVE or USN on the system by upgrading the appropriate
package(s).
The optional --dry-run flag will display everything that would
be executed by the fix command without actually making any
changes.
The optional --no-related flag will modify how the fix command
behaves when handling a USN. With this flag, the command will
not attempt to fix any USNs related to the target USN.
<security_issue> can be any of the following formats: CVE-yyyy-
nnnn, CVE-yyyy-nnnnnnn, or USN-nnnn-dd.
The exit code can be 0, 1, or 2.
0: the fix was successfully applied or the security issue
doesn't affect the system
1: the fix cannot be applied
2: the fix was applied but requires a reboot before it takes
effect
refresh [contract|config|messages]
Refresh three distinct Ubuntu Pro related artifacts in the sys-
tem:
contract: Update contract details from the server.
config: Reload the config file.
messages: Update APT and MOTD messages related to UA.
You can individually target any of the three specific actions,
by passing the target name to the command. If no `target` is
specified, all targets are refreshed.
security-status [--thirdparty | --unavailable | --esm-infra | --esm-
apps]
Show security updates for packages in the system, including all
available Expanded Security Maintenance (ESM) related content.
Shows counts of how many packages are supported for security up-
dates in the system.
The output contains basic information about Ubuntu Pro. For a
complete status on Ubuntu Pro services, run 'pro status'.
The optional --thirdparty flag will only show information about
third party packages
The optional --unavailable flag will only show information about
unavailable packages
The optional --esm-infra flag will only show information about
esm-infra packages
The optional --esm-apps flag will only show information about
esm-apps packages
status [--simulate-with-token TOKEN] [--all]
Report current status of Ubuntu Pro services on system.
This shows whether this machine is attached to an Ubuntu Pro
support contract. When attached, the report includes the spe-
cific support contract details including contract name, expiry
dates, and the status of each service on this system.
The attached status output has four columns:
SERVICE: name of the service
ENTITLED: whether the contract to which this machine is attached
entitles use of this service. Possible values are: yes or no
STATUS: whether the service is enabled on this machine. Possi-
ble values are: enabled, disabled, n/a (if your contract enti-
tles you to the service, but it isn't available for this ma-
chine) or -- (if you aren't entitled to this service)
DESCRIPTION: a brief description of the service
The unattached status output instead has three columns. SERVICE
and DESCRIPTION are the same as above, and there is the addition
of:
AVAILABLE: whether this service would be available if this ma-
chine were attached. The possible values are yes or no.
If --simulate-with-token is used, then the output has five col-
umns. SERVICE, AVAILABLE, ENTITLED and DESCRIPTION are the same
as mentioned above, and AUTO_ENABLED shows whether the service
is set to be enabled when that token is attached.
If the --all flag is set, unavailable services are also listed
in the output.
system reboot-required
Tells if the system needs to be rebooted
version
Show version of the Ubuntu Pro package.
PRO UPGRADE DAEMON
Ubuntu Pro client sets up a daemon on supported platforms (currently on
Azure and GCP) to detect if an Ubuntu Pro license is purchased for the
machine. If an Ubuntu Pro license is detected, then the machine is au-
tomatically attached. If you are uninterested in Ubuntu Pro services,
you can safely stop and disable the daemon using systemctl:
sudo systemctl stop ubuntu-advantage.service sudo systemctl disable
ubuntu-advantage.service
TIMER JOBS
Ubuntu Pro client sets up a systemd timer to run jobs that need to be
executed recurrently. The timer itself ticks every 5 minutes on aver-
age, and decides which jobs need to be executed based on their inter-
vals.
Jobs are executed by the timer script if the script has not yet run
successfully, or their interval since last successful run is already
exceeded. There is a random delay applied to the timer, to desynchro-
nize job execution time on machines spinned at the same time, avoiding
multiple synchronized calls to the same service.
Current jobs being checked and executed are:
update_messaging
Makes sure that the MOTD and APT messages match the avail-
able/enabled services on the system, showing information about
available packages or security updates.
metering
If attached, this job will ping the Canonical servers telling
which services are enabled on the machine.
SERVICES
Anbox Cloud (anbox-cloud)
Anbox Cloud lets you stream mobile apps securely, at any scale,
to any device, letting you focus on your apps. Run Android in
system containers on public or private clouds with ultra low
streaming latency. When the anbox-cloud service is enabled, by
default, the Appliance variant is enabled. Enabling this service
allows orchestration to provision a PPA with the Anbox Cloud re-
sources. This step also configures the Anbox Management Service
(AMS) with the necessary image server credentials.
To learn more about Anbox Cloud, see https://anbox-cloud.io
Common Criteria EAL2 Provisioning (cc-eal)
Common Criteria is an Information Technology Security Evaluation
standard (ISO/IEC IS 15408) for computer security certification.
Ubuntu 16.04 has been evaluated to assurance level EAL2 through
CSEC. The evaluation was performed on Intel x86_64, IBM Power8
and IBM Z hardware platforms.
CIS Audit (cis)/Ubuntu Security Guide (usg)
Ubuntu Security Guide is a tool for hardening and auditing, al-
lowing for environment-specific customizations. It enables com-
pliance with profiles such as DISA-STIG and the CIS benchmarks.
Find out more at https://ubuntu.com/security/certifica-
tions/docs/usg
Expanded Security Maintenance for Infrastructure (esm-infra)
Expanded Security Maintenance for Infrastructure provides access
to a private PPA which includes available high and critical CVE
fixes for Ubuntu LTS packages in the Ubuntu Main repository be-
tween the end of the standard Ubuntu LTS security maintenance
and its end of life. It is enabled by default with Ubuntu Pro.
You can find out more about the service at
https://ubuntu.com/security/esm
Expanded Security Maintenance for Applications (esm-apps)
Expanded Security Maintenance for Applications is enabled by de-
fault on entitled workloads. It provides access to a private PPA
which includes available high and critical CVE fixes for Ubuntu
LTS packages in the Ubuntu Main and Ubuntu Universe repositories
from the Ubuntu LTS release date until its end of life.
You can find out more about the esm service at
https://ubuntu.com/security/esm
FIPS 140-2 certified modules (fips)
Installs FIPS 140 crypto packages for FedRAMP, FISMA and compli-
ance use cases. Note that "fips" does not provide security
patching. For FIPS certified modules with security patches
please see "fips-updates". If you are unsure, choose "fips-up-
dates" for maximum security.
Find out more at https://ubuntu.com/security/fips
FIPS 140-2 certified modules with updates (fips-updates)
fips-updates installs FIPS 140 crypto packages including all se-
curity patches for those modules that have been provided since
their certification date.
You can find out more at https://ubuntu.com/security/fips
Landscape (landscape)
Landscape Client can be installed on this machine and enrolled
in Canonical's Landscape SaaS: https://landscape.canonical.com
or a self-hosted Landscape: https://ubuntu.com/landscape/install
Landscape allows you to manage many machines as easily as one,
with an intuitive dashboard and API interface for automation,
hardening, auditing, and more.
Find out more about Landscape at https://ubuntu.com/landscape
Livepatch Service (livepatch)
Livepatch provides selected high and critical kernel CVE fixes
and other non-security bug fixes as kernel livepatches.
Livepatches are applied without rebooting a machine which dras-
tically limits the need for unscheduled system reboots. Due to
the nature of fips compliance, livepatches cannot be enabled on
fips-enabled systems.
You can find out more about Ubuntu Kernel Livepatch service at
https://ubuntu.com/security/livepatch
ROS ESM Security Updates (ros)
ros provides access to a private PPA which includes security-re-
lated updates for available high and critical CVE fixes for Ro-
bot Operating System (ROS) packages. For access to ROS ESM and
security updates, both esm-infra and esm-apps services will also
be enabled. To get additional non-security updates, enable ros-
updates.
You can find out more about the ROS ESM service at
https://ubuntu.com/robotics/ros-esm
ROS ESM All Updates (ros-updates)
ros-updates provides access to a private PPA that includes non-
security-related updates for Robot Operating System (ROS) pack-
ages. For full access to ROS ESM, security and non-security up-
dates, the esm-infra, esm-apps, and ros services will also be
enabled.
You can find out more about the ROS ESM service at
https://ubuntu.com/robotics/ros-esm
REPORTING BUGS
Please report bugs either by running `ubuntu-bug ubuntu-advantage-
tools` or login to Launchpad and navigate to https://bugs.launch-
pad.net/ubuntu/+source/ubuntu-advantage-tools/+filebug
COPYRIGHT
Copyright (C) 2019-2020 Canonical Ltd.
Canonical Ltd. 21 February 2020 UBUNTU-PRO(1)
Man Pages Copyright Respective Owners. Site Copyright (C) 1994 - 2025
Hurricane Electric.
All Rights Reserved.