pro(1) - phpMan

UBUNTU-PRO(1) Ubuntu Pro UBUNTU-PRO(1)

NAME
pro - Manage Ubuntu Pro services from Canonical

SYNOPSIS
pro <command> [<args>]

DESCRIPTION
Ubuntu Pro is a collection of services offered by Canonical to Ubuntu users. The Ubuntu
Pro command line tool is used to attach a system to an Ubuntu Pro contract to then enable
and disable services from Canonical. The available commands and services are described in
more detail below.

COMMANDS
api <api-endpoint>
Calls the Client API endpoints.

For a list of all of the supported endpoints and their structure, please refer to
the Pro client API reference guide:

https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/refer-
ences/api/

attach [--no-auto-enable] [--attach-config=/path/to/file.yaml] <token>
Connect an Ubuntu Pro support contract to this machine.

The --attach-config option can be used to provide a file with the token and option-
ally, a list of services to enable after attaching. The token parameter should not
be used if this option is provided. An attach config file looks like the following:
token: YOUR_TOKEN_HERE # required
enable_services: # optional list of service names to auto-enable
- esm-infra
- esm-apps
- cis

The optional --no-auto-enable flag will disable the automatic enablement of recom-
mended entitlements which usually happens immediately after a successful attach.

The exit code can be:
0: on successful attach
1: in case of any error while trying to attach
2: if the machine is already attached

collect-logs[-o<file>|--output<file>]
Create a tarball with all relevant logs and debug data.

The --output parameter defines the path to the tarball. If not provided, the file
is saved as pro_logs.tar.gz in the current directory.

config set/unset <config-name>

Set/unset one of the available Pro configuration settings:

http_proxy If set, pro will use the specified http proxy when making any http re-
quests

https_proxy If set, pro will use the specified https proxy when making any https
requests

apt_http_proxy [DEPRECATED] If set, pro will configure apt to use the specified
http proxy by writing a apt config file to /etc/apt/apt.conf.d/90ubuntu-advantage-
aptproxy. (Please use global_apt_http_proxy)

apt_https_proxy [DEPRECATED] If set, pro will configure apt to use the specified
https proxy by writing a apt config file to /etc/apt/apt.conf.d/90ubuntu-advantage-
aptproxy. (Please use global_apt_https_proxy)

global_apt_http_proxy If set, pro will configure apt to use the specified http
proxy by writing a apt config file to /etc/apt/apt.conf.d/90ubuntu-advantage-apt-
proxy. Set this if you prefer a global proxy for all resources, not just the ones
from esm.ubuntu.com

global_apt_https_proxy If set, pro will configure apt to use the specified https
proxy by writing a apt config file to /etc/apt/apt.conf.d/90ubuntu-advantage-apt-
proxy. Set this if you prefer a global proxy for all resources, not just the ones
from esm.ubuntu.com

ua_apt_http_proxy If set, pro will configure apt to use the specified http proxy by
writing a apt config file to /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy. This
proxy is limited to accessing resources from esm.ubuntu.com

ua_apt_https_proxy If set, pro will configure apt to use the specified https proxy
by writing a apt config file to /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy.
This proxy is limited to accessing resources from esm.ubuntu.com

<job_name>_timer Sets the timer running interval for a specific job. Those inter-
vals are checked every time the systemd timer runs.

apt_news If set to false, the Pro client will no longer display apt news messages
on the output of apt upgrade.

apt_news_url Sets the url where the Pro client will consume apt news information
from.

If needed, authentication to the proxy server can be performed by setting username
and password in the URL itself, as in:
http_proxy: http://<username>:<password>@<fqdn>:<port>

config show <config-name>
Show customizable configuration settings

If no config is provided, this command will display all of the Pro configuration
values

detach Remove the Ubuntu Pro support contract from this machine.

Disable this machine's access to an Ubuntu Pro service.

Activate and configure this machine's access to an Ubuntu Pro service.

fix [--dry-run] [--no-related] <security_issue>
Fix a CVE or USN on the system by upgrading the appropriate package(s).

The optional --dry-run flag will display everything that would be executed by the
fix command without actually making any changes.

The optional --no-related flag will modify how the fix command behaves when han-
dling a USN. With this flag, the command will not attempt to fix any USNs related
to the target USN.

<security_issue> can be any of the following formats: CVE-yyyy-nnnn, CVE-yyyy-
nnnnnnn, or USN-nnnn-dd.

The exit code can be 0, 1, or 2.
0: the fix was successfully applied or the security issue doesn't affect the
system
1: the fix cannot be applied
2: the fix was applied but requires a reboot before it takes effect

refresh [contract|config|messages]
Refresh three distinct Ubuntu Pro related artifacts in the system:

contract: Update contract details from the server.

config: Reload the config file.

messages: Update APT and MOTD messages related to UA.

You can individually target any of the three specific actions, by passing the tar-
get name to the command. If no `target` is specified, all targets are refreshed.

security-status [--thirdparty | --unavailable | --esm-infra | --esm-apps]

Show security updates for packages in the system, including all available Expanded
Security Maintenance (ESM) related content.

Shows counts of how many packages are supported for security updates in the system.

The output contains basic information about Ubuntu Pro. For a complete status on
Ubuntu Pro services, run 'pro status'.

The optional --thirdparty flag will only show information about third party pack-
ages

The optional --unavailable flag will only show information about unavailable pack-
ages

The optional --esm-infra flag will only show information about esm-infra packages

The optional --esm-apps flag will only show information about esm-apps packages

status [--simulate-with-token TOKEN] [--all]
Report current status of Ubuntu Pro services on system.

This shows whether this machine is attached to an Ubuntu Pro support contract. When
attached, the report includes the specific support contract details including con-
tract name, expiry dates, and the status of each service on this system.

The attached status output has four columns:

SERVICE: name of the service

ENTITLED: whether the contract to which this machine is attached entitles use of
this service. Possible values are: yes or no

STATUS: whether the service is enabled on this machine. Possible values are: en-
abled, disabled, n/a (if your contract entitles you to the service, but it isn't
available for this machine) or -- (if you aren't entitled to this service)

DESCRIPTION: a brief description of the service

The unattached status output instead has three columns. SERVICE and DESCRIPTION are
the same as above, and there is the addition of:

AVAILABLE: whether this service would be available if this machine were attached.
The possible values are yes or no.

If --simulate-with-token is used, then the output has five columns. SERVICE,
AVAILABLE, ENTITLED and DESCRIPTION are the same as mentioned above, and AUTO_EN-
ABLED shows whether the service is set to be enabled when that token is attached.

If the --all flag is set, unavailable services are also listed in the output.

system reboot-required
Tells if the system needs to be rebooted

version
Show version of the Ubuntu Pro package.

PRO UPGRADE DAEMON
Ubuntu Pro client sets up a daemon on supported platforms (currently on Azure and GCP) to
detect if an Ubuntu Pro license is purchased for the machine. If an Ubuntu Pro license is
detected, then the machine is automatically attached. If you are uninterested in Ubuntu
Pro services, you can safely stop and disable the daemon using systemctl:

sudo systemctl stop ubuntu-advantage.service sudo systemctl disable ubuntu-advantage.ser-
vice

TIMER JOBS
Ubuntu Pro client sets up a systemd timer to run jobs that need to be executed recur-
rently. The timer itself ticks every 5 minutes on average, and decides which jobs need to
be executed based on their intervals.

Jobs are executed by the timer script if the script has not yet run successfully, or their
interval since last successful run is already exceeded. There is a random delay applied
to the timer, to desynchronize job execution time on machines spinned at the same time,
avoiding multiple synchronized calls to the same service.

Current jobs being checked and executed are:

update_messaging
Makes sure that the MOTD and APT messages match the available/enabled services on
the system, showing information about available packages or security updates.

metering
If attached, this job will ping the Canonical servers telling which services are
enabled on the machine.

SERVICES
Anbox Cloud (anbox-cloud)
Anbox Cloud lets you stream mobile apps securely, at any scale, to any device, let-
ting you focus on your apps. Run Android in system containers on public or private
clouds with ultra low streaming latency. When the anbox-cloud service is enabled,
by default, the Appliance variant is enabled. Enabling this service allows orches-
tration to provision a PPA with the Anbox Cloud resources. This step also config-
ures the Anbox Management Service (AMS) with the necessary image server creden-
tials.

To learn more about Anbox Cloud, see https://anbox-cloud.io

Common Criteria EAL2 Provisioning (cc-eal)
Common Criteria is an Information Technology Security Evaluation standard (ISO/IEC
IS 15408) for computer security certification. Ubuntu 16.04 has been evaluated to
assurance level EAL2 through CSEC. The evaluation was performed on Intel x86_64,
IBM Power8 and IBM Z hardware platforms.

CIS Audit (cis)/Ubuntu Security Guide (usg)
Ubuntu Security Guide is a tool for hardening and auditing, allowing for environ-
ment-specific customizations. It enables compliance with profiles such as DISA-STIG
and the CIS benchmarks.

Find out more at https://ubuntu.com/security/certifications/docs/usg

Expanded Security Maintenance for Infrastructure (esm-infra)
Expanded Security Maintenance for Infrastructure provides access to a private PPA
which includes available high and critical CVE fixes for Ubuntu LTS packages in the
Ubuntu Main repository between the end of the standard Ubuntu LTS security mainte-
nance and its end of life. It is enabled by default with Ubuntu Pro.

You can find out more about the service at https://ubuntu.com/security/esm

Expanded Security Maintenance for Applications (esm-apps)
Expanded Security Maintenance for Applications is enabled by default on entitled
workloads. It provides access to a private PPA which includes available high and
critical CVE fixes for Ubuntu LTS packages in the Ubuntu Main and Ubuntu Universe
repositories from the Ubuntu LTS release date until its end of life.

You can find out more about the esm service at https://ubuntu.com/security/esm

FIPS 140-2 certified modules (fips)
Installs FIPS 140 crypto packages for FedRAMP, FISMA and compliance use cases.
Note that "fips" does not provide security patching. For FIPS certified modules
with security patches please see "fips-updates". If you are unsure, choose "fips-
updates" for maximum security.

Find out more at https://ubuntu.com/security/fips

FIPS 140-2 certified modules with updates (fips-updates)
fips-updates installs FIPS 140 crypto packages including all security patches for
those modules that have been provided since their certification date.

You can find out more at https://ubuntu.com/security/fips

Landscape (landscape)
Landscape Client can be installed on this machine and enrolled in Canonical's Land-
scape SaaS: https://landscape.canonical.com or a self-hosted Landscape:
https://ubuntu.com/landscape/install

Landscape allows you to manage many machines as easily as one, with an intuitive
dashboard and API interface for automation, hardening, auditing, and more.

Find out more about Landscape at https://ubuntu.com/landscape

Livepatch Service (livepatch)
Livepatch provides selected high and critical kernel CVE fixes and other non-secu-
rity bug fixes as kernel livepatches. Livepatches are applied without rebooting a
machine which drastically limits the need for unscheduled system reboots. Due to
the nature of fips compliance, livepatches cannot be enabled on fips-enabled sys-
tems.

You can find out more about Ubuntu Kernel Livepatch service at
https://ubuntu.com/security/livepatch

ROS ESM Security Updates (ros)
ros provides access to a private PPA which includes security-related updates for
available high and critical CVE fixes for Robot Operating System (ROS) packages.
For access to ROS ESM and security updates, both esm-infra and esm-apps services
will also be enabled. To get additional non-security updates, enable ros-updates.

You can find out more about the ROS ESM service at https://ubuntu.com/robotics/ros-
esm

ROS ESM All Updates (ros-updates)
ros-updates provides access to a private PPA that includes non-security-related up-
dates for Robot Operating System (ROS) packages. For full access to ROS ESM, secu-
rity and non-security updates, the esm-infra, esm-apps, and ros services will also
be enabled.

You can find out more about the ROS ESM service at https://ubuntu.com/robotics/ros-
esm

REPORTING BUGS
Please report bugs either by running `ubuntu-bug ubuntu-advantage-tools` or login to
Launchpad and navigate to https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-
tools/+filebug

Canonical Ltd. 21 February 2020 UBUNTU-PRO(1)

Generated by $Id: phpMan.php,v 4.55 2007/09/05 04:42:51 chedong Exp $ Author: Che Dong
On Apache
Under GNU General Public License
2025-01-15 01:15 @18.225.156.91 CrawledBy Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)