Canonical works closely with Microsoft to ensure that running Ubuntu on Azure is a great experience. One of the key aspects of this collaboration is ensuring the longevity and security of Ubuntu releases, such as Ubuntu 18.04 LTS, even beyond their Standard Security Maintenance period. We are excited to announce the integration of Ubuntu Pro update awareness into Azure through the Azure Guest Patching Service (AzGPS) and Update Management Center (UMC). This feature highlights the additional updates available through Ubuntu Pro, including those for Ubuntu 18.04 LTS, now under Extended Security Maintenance. This increased visibility of updates is a significant benefit for users of Azure native VMs and VM Scale Sets, as well as those connected via Azure Arc.
Ubuntu Pro on Azure
Ubuntu Pro, a subscription by Canonical, provides enhanced security, compliance, and system management tools for organisations using Ubuntu in the Azure cloud.
Expanded Security Maintenance (ESM) is one of the key features of Ubuntu Pro. ESM extends the security maintenance period for Ubuntu LTS releases from five to ten years, allowing Ubuntu 18.04 LTS users to continue using their deployments in production until 2028. ESM also expands the security coverage to a much greater range of packages.
Ubuntu Pro Awareness in Azure
The newly integrated Ubuntu Pro feature in Azure helps users identify Ubuntu instances that aren’t receiving all available security updates. For instance, examining an Ubuntu Server 18.04 LTS instance on Azure today could display something like this:
Take note of the message, “Security-ESM update(s) are available for this machine. An
Ubuntu Pro subscription is required to remain secure. Learn more.”
This message indicates that 46 security updates are available for this Ubuntu 18.04 LTS instance, of which 42 can only be accessed through ESM. To receive these, you must attach Ubuntu Pro subscription to the instance. If your instance is in this state, it’s crucial to take action, as it has known unpatched security vulnerabilities. The process of obtaining Ubuntu Pro and how to attach it to your instance is explained in the subsequent section.
Looking at the detailed view of packages, we can see that these have Classifications of “Security-ESM”:
Once you have activated Ubuntu Pro on these instances, as explained in the following section, these updates appear as available and can be applied in the usual way, yielding the expected result:
How to Obtain Ubuntu Pro
You can obtain Ubuntu Pro on Azure either by redeploying your workload or upgrading without redeployment. Full details are here, but in summary:
- Redeploying your workload: If your workload allows for periodic redeployment, for example, in a CI/CD environment, we recommend using Ubuntu Pro from the Azure Marketplace. Ubuntu Pro images should be a drop-in replacement for Ubuntu Server images in nearly all popular deployment tools (Azure Image Builder, Terraform, Packer etc).
- Upgrading without redeployment: If redeployment is not an option, you can upgrade to Ubuntu Pro by obtaining an activation token from Canonical (contact us here).
- Ubuntu Pro is accessible for free on up to 5 machines, or 50 if you are an official Ubuntu Community member. To get started, register here.
Azure Guest Patching Service
The Azure Guest Patching Service allows customers to simplify their Guest OS management on their VMs and VM Scale Sets. This service deploys the latest security and critical updates using Safe Deployment Principles, ensuring the customer’s operations remain uninterrupted and secure.
Azure Update Management Center
The Azure Update Management Center is designed to manage and govern updates across all your machines. Powered by Azure Guest Patching Service, it provides a unified service for monitoring Windows and Linux update compliance across your Azure, on-premises, and other cloud platform deployments, all from a single dashboard. Canonical collaborates with the Azure Update Management Center team to ensure that it can manage Ubuntu instances effectively at scale.
Conclusion
The introduction of enhanced Ubuntu update awareness into the Azure Update Management Center offers tailored security guidance to our Azure users. This guidance takes into account the actual Ubuntu releases and packages installed. Our ultimate goal is to empower our joint users with timely and relevant information, enabling them to make informed security decisions and thereby enhancing the security of their Ubuntu instances on Azure.
