Ubuntu Pro is a service offered by Canonical for expanded CVE patching, ten-years security maintenance and optional support. Anyone can use Ubuntu Pro for free for personal use on up to 5 machines. The site also states:

Server with unlimited VMs*

The * is interesting here. Its says:

Any of: KVM | Qemu | Boch, VMWare ESXi, LXD | LXC, Xen, Hyper-V (WSL, Multipass), VirtualBox, z/VM, Docker. All Nodes in the cluster have to be subscribed to the service in order to benefit from the unlimited VM support

I use Proxmox and also i could not find any information on how the VMs would actually find the host’s license. So i decided to mirror the packages myself and use it in my VMs.

Nginx proxies the requests and authenticates with an Ubuntu Pro token.

I This post only provides the basic nginx config part and the script to setup the sources. You have to take care of any security to prevent an open proxy here. Please do not blindly copy & paste this :) . I use SSL. But that is optional of course.

You can get your authentication token from /etc/apt/auth.conf.d/90ubuntu-advantage after you enabled Ubuntu Pro on the host.

To generate the Basic authentication for the config file you can use:

echo "bearer:YOURTOKEN" | base64 -w0

/etc/nginx/sites-enabled/esm:

resolver 8.8.8.8 8.8.4.4 ipv6=off;
server {
    #listen [::]:80;

    server_name YOURHOSTNAME;
    #access_log /tank/steam/access.log main;
    error_log /tank/esm/error.log;
    access_log /tank/esm/access.log main;

    location / {
        proxy_cache esm;
        proxy_max_temp_file_size 1509600m;
        proxy_set_header Host esm.ubuntu.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header X-Upstream-Status $upstream_status;
        add_header X-Upstream-Response-Time $upstream_response_time;
        add_header X-Upstream-Cache-Status $upstream_cache_status;

        proxy_ignore_client_abort on;
        proxy_redirect off;

        set $endpoint esm.ubuntu.com;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 1h;
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        proxy_cache_valid 200 90d;
        proxy_cache_valid 301 302 0;
        proxy_cache_revalidate on;
	proxy_cache_methods GET;
	proxy_cache_background_update on;
        proxy_set_header Authorization "Basic YOURAUTHTOKEN";
        proxy_pass https://$endpoint$request_uri;

    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/YOURHOSTNAME/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/YOURHOSTNAME/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = YOURHOSTNAME) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen YOURIP:80;
    server_name YOURHOSTNAME;
    return 404; # managed by Certbot
}

install-esm.sh:

#!/bin/bash
function list_include_item {
  local list="$1"
  local item="$2"
  if [[ $list =~ (^|[[:space:]])"$item"($|[[:space:]]) ]] ; then
    # yes, list include item
    result=0
  else
    result=1
  fi
  return $result
}

if [ ! -f /etc//os-release ]; then
   echo "Could not find /etc/os-release"
   exit 1
fi

. /etc/os-release

ESM_FILE=/etc/apt/sources.list.d/esm.list
codenames="bionic focal jammy"
if ! `list_include_item "$codenames" "$UBUNTU_CODENAME"` ; then
   echo "Codename $UBUNTU_CODENAME is not suppported"
   exit 1
fi

wget -qO /etc/apt/trusted.gpg.d/ubuntu-esm-AB01A101DB53907B "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xe8a443ce358113d187bee0e6ab01a101db53907b"
rm -f /etc/apt/trusted.gpg.d/ubuntu-esm-AB01A101DB53907B.gpg
gpg --dearmor /etc/apt/trusted.gpg.d/ubuntu-esm-AB01A101DB53907B

wget -qO /etc/apt/trusted.gpg.d/ubuntu-esm-4067E40313CB4B13 "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x56f7650a24c9e9ecf87c4d8d4067e40313cb4b13"
rm -f /etc/apt/trusted.gpg.d/ubuntu-esm-4067E40313CB4B13.gpg
gpg --dearmor /etc/apt/trusted.gpg.d/ubuntu-esm-4067E40313CB4B13

cat > $ESM_FILE <<EOF
deb https://yourhostname/apps/ubuntu $UBUNTU_CODENAME-apps-security main
deb https://yourhostname/apps/ubuntu $UBUNTU_CODENAME-apps-updates main
deb https://yourhostname/infra/ubuntu $UBUNTU_CODENAME-infra-security main
deb https://yourhostname/infra/ubuntu $UBUNTU_CODENAME-infra-updates main
EOF

apt update

echo ""
echo "Added Ubuntu $UBUNTU_CODENAME ESM sources to $ESM_FILE"

#ubuntu #ubuntupro #linux #opensource #mirror #nginx