
Ubuntu

Review the Maintenance Policy page to learn about our pack update and deprecation schedules.

Version Supported

Usage

To use the Ubuntu OS pack, add the pack to your cluster profile when you select the OS layer. Refer to the Create an Infrastructure Profile guide to learn more.

Add Custom Files

You can define custom files in the files section, which precedes the preKubeadmCommands and postKubeadmCommands sections. The files are invoked during runtime. The following example writes a CA certificate to the node and runs update-ca-certificates in preKubeadmCommands.

kubeadmconfig:
  files:
    - targetPath: /usr/local/share/ca-certificates/mycom.crt
      targetOwner: "root:root"
      targetPermissions: "0644"
      content: |
        -----BEGIN CERTIFICATE-----
        MIICyzCCAbOgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
        cm5ldGVzMB4XDTIwMDkyMjIzNDMyM1oXDTMwMDkyMDIzNDgyM1owFTETMBEGA1UE
        AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdA
        nZYs1el/6f9PgV/aO9mzy7MvqaZoFnqO7Qi4LZfYzixLYmMUzi+h8/RLPFIoYLiz
        qiDn+P8c9I1uxB6UqGrBt7dkXfjrUZPs0JXEOX9U/6GFXL5C+n3AUlAxNCS5jobN
        fbLt7DH3WoT6tLcQefTta2K+9S7zJKcIgLmBlPNDijwcQsbenSwDSlSLkGz8v6N2
        7SEYNCV542lbYwn42kbcEq2pzzAaCqa5uEPsR9y+uzUiJpv5tDHUdjbFT8tme3vL
        9EdCPODkqtMJtCvz0hqd5SxkfeC2L+ypaiHIxbwbWe7GtliROvz9bClIeGY7gFBK
        jZqpLdbBVjo0NZBTJFUCAwEAAaMmMCQwDgYDVR0PAQH/BAQDAgKkMBIGA1UdEwEB
        /wQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEBADIKoE0P+aVJGV9LWGLiOhki
        HFv/vPPAQ2MPk02rLjWzCaNrXD7aPPgT/1uDMYMHD36u8rYyf4qPtB8S5REWBM/Y
        g8uhnpa/tGsaqO8LOFj6zsInKrsXSbE6YMY6+A8qvv5lPWpJfrcCVEo2zOj7WGoJ
        ixi4B3fFNI+wih8/+p4xW+n3fvgqVYHJ3zo8aRLXbXwztp00lXurXUyR8EZxyR+6
        b+IDLmHPEGsY9KOZ9VLLPcPhx5FR9njFyXvDKmjUMJJgUpRkmsuU1mCFC+OHhj56
        IkLaSJf6z/p2a3YjTxvHNCqFMLbJ2FvJwYCRzsoT2wm2oulnUAMWPI10vdVM+Nc=
        -----END CERTIFICATE-----
  preKubeadmCommands:
    - echo "Executing pre kube admin config commands"
    - update-ca-certificates
    - "systemctl restart containerd; sleep 3"
    - 'while [ ! -S /var/run/containerd/containerd.sock ]; do echo "Waiting for containerd..."; sleep 1; done'
  postKubeadmCommands:
    - echo "Executing post kube admin config commands"

In the next example, a configuration file is added to a folder.

kubeadmconfig:
  files:
    - targetPath: /etc/containerd/config.toml
      targetOwner: "root:root"
      targetPermissions: "0644"
      content: |
        version = 2
        imports = ["/etc/containerd/conf.d/*.toml"]
        [plugins]
          [plugins."io.containerd.grpc.v1.cri"]
            sandbox_image = "registry.k8s.io/pause:3.9"
            device_ownership_from_security_context = true
          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
            runtime_type = "io.containerd.runc.v2"
          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
            SystemdCgroup = true
  preKubeadmCommands:
    - 'echo "====> Applying pre Kubeadm commands"'
  postKubeadmCommands:
    - 'echo "====> Applying post Kubeadm commands"'

Ubuntu Pro

Ubuntu Pro is a security and maintenance subscription from Canonical that provides long-term security support and many other security hardening features. Compared with the free Ubuntu offering, Ubuntu Pro adds several benefits:

  • Extended Security Maintenance

  • Kernel Livepatch service to avoid reboots

  • FIPS 140-3 Level 1 certified crypto modules

  • Common Criteria EAL2

For more information, refer to the Ubuntu Pro documentation from Canonical.

Enable Ubuntu Pro

Use the following steps to enable Ubuntu Pro.

  1. Log in to Palette.

  2. Navigate to the left main menu and select Profiles.

  3. Click on Add Cluster Profile.

  4. Fill out the basic information for the cluster profile. Ensure you select Full or Infrastructure for the profile Type. Click Next to continue.

  5. Select the infrastructure provider and click Next.

  6. Select Ubuntu as the OS layer and click Next.

  7. On the Configure Pack page, in Pack Details, click on the Values option to reveal the YAML editor. Expand the Presets drawer.

  8. Click the Ubuntu Pro checkbox to include the Ubuntu Pro parameters in the pack configuration file.

  9. Provide the Canonical subscription token for Ubuntu Pro in the Token field. Refer to the Ubuntu Pro subscribe page to acquire a subscription token.

  10. Toggle options on or off to enable or disable the various Ubuntu Pro services. The following table describes each of the available options.

    Parameter | Description
    esm-infra | Expanded Security Maintenance (ESM) for Infrastructure. Refer to the Ubuntu ESM documentation to learn more.
    esm-apps | Expanded Security Maintenance (ESM) for Applications. Refer to the Ubuntu ESM documentation to learn more.
    fips | Federal Information Processing Standards (FIPS) 140 validated cryptography for Linux workloads on Ubuntu. This installs NIST-certified core packages. Refer to the Ubuntu FIPS documentation to learn more. If you are using Ubuntu 22.04 on AWS IaaS clusters, refer to Enable FIPS Mode on AWS Ubuntu 22.04 as additional YAML configuration is required.
    fips-updates | Install NIST-certified core packages with priority security updates. Refer to the Ubuntu FIPS Updates documentation to learn more. If you are using Ubuntu 22.04 on AWS IaaS clusters, refer to Enable FIPS Mode on AWS Ubuntu 22.04 as additional YAML configuration is required.
    livepatch | Canonical Livepatch service. Refer to the Ubuntu Livepatch documentation for more details.
    cis | Gain access to OpenSCAP-based tooling that automates both hardening and auditing with certified content based on published CIS benchmarks. Refer to the Ubuntu CIS documentation to learn more.
    cc-eal | Common Criteria Evaluation Assurance Level (EAL) 2 certification for Ubuntu. Refer to the Ubuntu Common Criteria documentation to learn more.
    usg | Ubuntu Security Guide (USG) for compliance hardening. Refer to the Ubuntu USG documentation to learn more.

  11. Click the Next layer button to continue to the next layer.

  12. Complete the remainder of the cluster profile creation wizard by selecting the next cluster profile layers.

Enable FIPS Mode on AWS Ubuntu 22.04

  1. Log in to Palette.

  2. Navigate to the left main menu and select Profiles.

  3. Click on Add Cluster Profile.

  4. Fill out the basic information for the cluster profile. Ensure you select Full or Infrastructure for the profile Type. Click Next to continue.

  5. Select the infrastructure provider and click Next.

  6. Select Ubuntu (AWS) as the OS layer and click Next.

  7. On the Configure Pack page, in Pack Details, click on the Values option to reveal the YAML editor. Expand the Presets drawer.

  8. Click the Ubuntu Pro checkbox to include the Ubuntu Pro parameters in the pack configuration file.

  9. Provide the Canonical subscription token for Ubuntu Pro in the Token field. Refer to the Ubuntu Pro subscribe page to acquire a subscription token.

  10. Enable the fips and fips-updates options.

  11. In the YAML editor, under the kubeadmconfig.postKubeadmCommands section, add the --assume-yes flag to the pro enable fips and pro enable fips-updates commands. Additionally, add the reboot command at the end of the section.

    The following example shows the required configuration.

    kubeadmconfig:
      postKubeadmCommands:
        - pro attach <ubuntu-pro-token>
        - pro enable fips --assume-yes
        - pro enable fips-updates --assume-yes
        - reboot

    When a cluster is deployed with these settings configured, Palette automatically executes these commands on every node during bootstrap. The commands perform the following actions.

    • Attach the system to Canonical's Ubuntu Pro service.
    • Enable the FIPS-certified kernel and crypto modules.
    • Enable the FIPS updates for ongoing security updates on certified packages. This is recommended for production workloads.
    • Reboot the node to apply the FIPS-certified kernel and modules.

  12. Click the Next layer button to continue to the next layer.

  13. Complete the remainder of the cluster profile creation wizard by selecting the next cluster profile layers.
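
A post-bootstrap check for the FIPS configuration above, added here as an example (it is not Palette or Canonical code). The FIPS kernel only applies after the reboot, so the script separates a node whose running kernel enforces FIPS from one where the service is enabled but the reboot has not happened. The function names and the `pro status` column layout (SERVICE, ENTITLED, STATUS, DESCRIPTION) are assumptions, and the sample input is constructed.

```shell
#!/usr/bin/env bash
# Added example: classify a node's FIPS state after bootstrap.
# Assumption: `pro status` prints columns SERVICE ENTITLED STATUS DESCRIPTION.

# Reads `pro status` text on stdin. Prints "enabled" when the fips or
# fips-updates row reports STATUS enabled, otherwise "not-enabled".
pro_fips_service() {
  awk '($1 == "fips" || $1 == "fips-updates") && $3 == "enabled" { on = 1 }
       END { print (on ? "enabled" : "not-enabled") }'
}

# fips_node_state FLAG_FILE PRO_STATUS_FILE
#   enforced        kernel flag is 1: the running kernel is in FIPS mode
#   pending-reboot  service enabled, running kernel not yet in FIPS mode
#   not-enabled     neither of the above
fips_node_state() {
  local flag_file="$1" pro_file="$2" flag=0
  [ -r "$flag_file" ] && flag=$(tr -d '[:space:]' < "$flag_file")
  if [ "$flag" = "1" ]; then
    echo enforced
  elif [ "$(pro_fips_service < "$pro_file")" = "enabled" ]; then
    echo pending-reboot
  else
    echo not-enabled
  fi
}

# Constructed sample: the state between `pro enable fips-updates` and `reboot`.
demo() {
  local dir; dir=$(mktemp -d)
  printf '0\n' > "$dir/fips_enabled"
  printf '%s\n' \
    'SERVICE       ENTITLED  STATUS    DESCRIPTION' \
    'esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure' \
    'fips-updates  yes       enabled   FIPS compliant crypto packages with stable security updates' \
    > "$dir/pro_status"
  fips_node_state "$dir/fips_enabled" "$dir/pro_status"
  rm -rf "$dir"
}

# On a node: run with --live; the exit status is non-zero unless FIPS is enforced.
if [ "${1:-}" = "--live" ]; then
  tmp=$(mktemp)
  pro status > "$tmp" 2>/dev/null
  state=$(fips_node_state /proc/sys/crypto/fips_enabled "$tmp")
  rm -f "$tmp"
  echo "FIPS state: $state"
  [ "$state" = "enforced" ]
fi
```

Because the `--live` mode exits non-zero for anything other than `enforced`, it can gate a node readiness check or a compliance scan.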

Terraform

You can reference Ubuntu in Terraform with the following code snippet.

data "spectrocloud_registry" "public_registry" {
  name = "Public Repo"
}

data "spectrocloud_pack_simple" "ubuntu" {
  name         = "edge-native-ubuntu"
  version      = "22.04"
  type         = "helm"
  registry_uid = data.spectrocloud_registry.public_registry.id
}