Mirror Ubuntu Pro packages without Landscape

What is Ubuntu Pro?

Ubuntu Pro is a somewhat controversial add-on offering from Canonical for Ubuntu users. For a fee, it extends the support window of LTS releases from 5 to up to 10 years. For private use, the offering is free of charge for up to 5 computers, and Ubuntu members can even register up to 50 computers. For older releases, support for up to 12 years has been offered since 2024, for which an additional fee (not officially known) must be paid. In addition to the main repository, some packages from the universe pool are also included in Ubuntu Pro as part of Expanded Security Maintenance (ESM). There is no specific list, but according to the website the focus seems to be on server applications and programming languages. Other offerings include Kernel Live Patching and security modules such as FIPS and USG. Canonical thus offers a similar range to SUSE Linux Enterprise Server and Red Hat Enterprise Linux, which should be of particular interest to enterprise customers.

Enterprise customers, however, usually need a way to mirror these packages locally to reduce unnecessary internet traffic. Canonical's answer to this is the in-house tool Ubuntu Landscape, which has numerous limitations compared to Uyuni and Foreman/Katello:

  • dusty web interface
  • mirroring software content is unnecessarily complex (manual interaction with the API)
  • no freezing of tested patch statuses (to prevent untested patches from jeopardizing production)
  • no security functions (e.g. CVE, OpenSCAP)
  • no integration into common configuration management (e.g. Ansible or Salt)
  • integrated monitoring is very rudimentary and offers little added value
  • excessive telemetry data
  • no sensible airgapped operation (cookie banner for internal applications)
  • other Linux distributions are not supported

Use Ubuntu Pro

To use Ubuntu Pro, an Ubuntu One account is required. After registration, a token is displayed in the portal, which must be stored on the system used.

If you have not already done so, Pro support must be installed and activated:

    # apt-get install ubuntu-advantage-tools
    # pro attach <token>
    Enabling default service esm-apps
    Updating Ubuntu Pro: ESM Apps package lists
    Ubuntu Pro: ESM Apps enabled
    Enabling default service esm-infra
    Updating Ubuntu Pro: ESM Infra package lists
    Ubuntu Pro: ESM Infra enabled
    Enabling default service livepatch
    Installing snapd
    Updating standard Ubuntu package lists
    Installing snapd snap
    Installing canonical-livepatch snap
    Canonical Livepatch enabled
    This machine is now attached to 'Ubuntu Pro - free personal subscription'

    SERVICE          ENTITLED  STATUS       DESCRIPTION
    anbox-cloud      yes       disabled     Scalable Android in the cloud
    esm-apps         yes       enabled      Expanded Security Maintenance for Applications
    esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
    fips             yes       disabled     NIST-certified FIPS crypto packages
    fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
    livepatch        yes       enabled      Canonical Livepatch service
    ros              yes       disabled     Security Updates for the Robot Operating System
    usg              yes       disabled     Security compliance and audit tools

    NOTICES
    Operation in progress: pro attach

    For a list of all Ubuntu Pro services, run 'pro status --all'
    Enable services with: pro enable <service>

This will also install Snap again to provide live kernel patches. 🤡

Further updates can then be installed:

    # apt-get update ; apt-get full-upgrade

Mirror Pro packages locally

There is documentation for use in airgapped environments, but it requires an active paid subscription. This is surprising, as the packages can also be consumed free of charge.

Once activated, a registered Ubuntu system accesses the following software repositories, among others:

| Name | URL | Description |
|---|---|---|
| esm-infra | https://esm.ubuntu.com/infra/ubuntu/ | Operating system components |
| esm-apps | https://esm.ubuntu.com/apps/ubuntu/ | Applications and programming languages |

Communication between the client and the repository server is encrypted and authenticated with a token that apt reads from its auth configuration, using bearer as the login name:

    # cat /etc/apt/auth.conf.d/90ubuntu-advantage
    machine esm.ubuntu.com/apps/ubuntu/ login bearer password <token>  # ubuntu-pro-client
    machine esm.ubuntu.com/infra/ubuntu/ login bearer password <token>  # ubuntu-pro-client

Note

One dedicated token is used per repository.

However, these credentials can also be supplied directly on the command line or in the URL - for example with curl:

    $ curl -u bearer:<token> https://esm.ubuntu.com/apps/ubuntu/pool/
    <html>
    <head><title>Index of /apps/ubuntu/pool/</title></head>
    <body bgcolor="white">
    <h1>Index of /apps/ubuntu/pool/</h1><hr><pre><a href="../">../</a>
    <a href="main/">main/</a>                                              18-May-2023 20:13                   -
    </pre><hr></body>
    </html>

This also allows the packages to be synchronized with other tools, such as Uyuni, Foreman/Katello or aptly:

| URL | Description |
|---|---|
| https://bearer:<token>@esm.ubuntu.com/infra/ubuntu/dists/<release>-infra-updates/main/binary-<arch>/ | Operating system functional updates |
| https://bearer:<token>@esm.ubuntu.com/infra/ubuntu/dists/<release>-infra-security/main/binary-<arch>/ | Operating system security updates |
| https://bearer:<token>@esm.ubuntu.com/apps/ubuntu/dists/<release>-apps-updates/main/binary-<arch>/ | Application functional updates |
| https://bearer:<token>@esm.ubuntu.com/apps/ubuntu/dists/<release>-apps-security/main/binary-<arch>/ | Application security updates |

<arch> and <release> must each be replaced with one of the following values:

| Architectures | Releases |
|---|---|
| amd64, arm64, armel, armhf, i386, powerpc, ppc64el, s390x | bionic, focal, jammy, noble, trusty, xenial |

The steps should also be applicable for the additional repositories fips, fips-updates, cis, realtime and ros.
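
A token embedded in a repository URL is stored in clear text in the mirror tool's repository definition and can surface in sync logs and process listings. The following is an added example, not part of the original article: it looks up the per-repository token from the apt auth file shown above, writes an owner-only curl config file so the token stays out of the command line, and redacts URL credentials in log text. The function names and the sample tokens are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Goal: use the per-repository token without putting it into URLs, argv or logs.

# Print the token whose "machine" prefix matches URL (longest prefix wins).
# Usage: esm_token_for URL [AUTHFILE]
esm_token_for() {
    url=${1#*://}                                      # drop the scheme
    case ${url%%/*} in *@*) url=${url#*@} ;; esac      # drop embedded credentials
    authfile=${2:-/etc/apt/auth.conf.d/90ubuntu-advantage}
    awk -v url="$url" '
        BEGIN { best = 0 }
        $1 == "machine" && $3 == "login" && $5 == "password" &&
        index(url, $2) == 1 && length($2) > best { best = length($2); tok = $6 }
        END { if (tok == "") exit 1; print tok }' "$authfile"
}

# Replace "user:secret@" in URLs read from stdin with a placeholder; use it on
# mirror logs and on repository definitions before they are shared or committed.
esm_redact() {
    sed -E 's#(https?://)[^/@[:space:]]+@#\1<redacted>@#g'
}

# Write a curl config file readable only by its owner, so that the token is
# never visible in the process list.
# Usage: esm_curl_config URL OUTFILE [AUTHFILE]
esm_curl_config() {
    token=$(esm_token_for "$1" "${3:-}") || return 1
    ( umask 077; rm -f "$2"
      printf 'user = "bearer:%s"\nurl = "%s"\n' "$token" "$1" > "$2" )
}

# Constructed sample input in the format shown above (tokens are placeholders).
demo=$(mktemp -d)
cat > "$demo/auth" <<'EOF'
machine esm.ubuntu.com/apps/ubuntu/ login bearer password APPS-TOKEN-PLACEHOLDER  # ubuntu-pro-client
machine esm.ubuntu.com/infra/ubuntu/ login bearer password INFRA-TOKEN-PLACEHOLDER  # ubuntu-pro-client
EOF
esm_curl_config https://esm.ubuntu.com/infra/ubuntu/dists/jammy-infra-security/main/binary-amd64/ \
    "$demo/curl.cfg" "$demo/auth"
ls -l "$demo/curl.cfg"
echo 'GET https://bearer:INFRA-TOKEN-PLACEHOLDER@esm.ubuntu.com/infra/ubuntu/' | esm_redact
rm -rf "$demo"
```

Fetch with curl --config <OUTFILE>; the token then stays out of the command line and the shell history.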

In order for Uyuni to synchronize the repositories, the corresponding GPG keys (ubuntu-pro-esm-infra.gpg, ubuntu-pro-esm-apps.gpg) must be imported. These are located on a system registered with Ubuntu Pro under /etc/apt/trusted.gpg.d and can be imported as follows:

    # gpg --homedir /var/lib/spacewalk/gpgdir --import ubuntu-pro-*.gpg

Ubuntu Pro packages synchronized in Uyuni

Attention

The procedure shown here can be used to circumvent the subscription limitations - however, this constitutes a breach of the Terms of Service and may have legal consequences. There must always be sufficient subscriptions for the number of systems used. Please stay fair - the free Pro offer is generous and should not be abused.

Conclusion

It would be desirable for Canonical to make the package mirroring procedure publicly available and thus decouple it from Landscape. Landscape is not the right tool for many scenarios, and the coupling to it is an unnecessary lock-in.

There is a lot of interest in Ubuntu Pro and users of other patch management tools would be happy not to have any obstacles put in their way.
