In this tutorial, you will learn how to perform a phased rollout of individual CVE fixes. The typical use case is deploying a CVE patch in a development environment and, if the patch does not disrupt the workloads, deploying it in an identical manner in the production environment.
To complete this tutorial, you will use Landscape’s dashboard and the latest version of Pro Client, a command-line utility included in the ubuntu-advantage-tools package.
Beyond CVE patching, Pro Client also provides you with a simple mechanism to view, enable, and disable offerings from Canonical on your system, including Ubuntu Pro services like Ubuntu Security Guide (USG), Extended Security Maintenance (ESM), FIPS, Livepatch, and more. Pro Client produces machine-readable outputs and integrates with other Canonical or third-party tooling.
Landscape is Canonical’s systems management and monitoring solution. Landscape enables you to divide your Ubuntu estate into cross-sections by tags, groups, annotations, and search queries, which can also filter hardware and software metadata. These cross-sections, regardless of size, can be reconfigured as easily as one machine.
We will compose interactions with Pro Client into a Landscape-aware shell script, and apply patches for individual CVEs to any selection of machines in your fleet. Pro Client’s CVE patch success and failure outputs are captured in Landscape’s Activity Monitor and Event Log.
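One way such a script can wrap `pro fix`, as an added example that is not the tutorial's own script: it validates each CVE identifier, runs the fix, and turns Pro Client's exit status into one result line per CVE plus an overall exit code for the activity. The function names, the `PRO_BIN` override and passing the CVE IDs as arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example; PRO_BIN is a hypothetical override so tests can stub Pro Client.
PRO_BIN="${PRO_BIN:-pro}"

# Accept only identifiers of the form CVE-YYYY-NNNN (four or more trailing digits).
is_cve_id() {
    case "$1" in
        CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*) ;;
        *) return 1 ;;
    esac
    case "${1#CVE-????-}" in
        *[!0-9]*) return 1 ;;
    esac
}

# Fix one CVE and print a one-line result after Pro Client's own output.
# pro fix exits 0 (fixed or not affected), 1 (still affected), 2 (reboot required).
fix_one() {
    id="$1"
    if ! is_cve_id "$id"; then
        echo "SKIPPED $id (not a CVE identifier)"
        return 64
    fi
    status=0
    "$PRO_BIN" fix "$id" || status=$?
    case "$status" in
        0) echo "OK $id" ;;
        2) echo "REBOOT $id" ;;
        *) echo "FAILED $id (pro fix exit $status)" ;;
    esac
    return "$status"
}

# Fix every CVE given; return 1 if any failed, 2 if only reboots are pending, else 0.
rollout() {
    worst=0
    for cve in "$@"; do
        r=0
        fix_one "$cve" || r=$?
        if [ "$r" -eq 2 ]; then
            [ "$worst" -eq 1 ] || worst=2
        elif [ "$r" -ne 0 ]; then
            worst=1
        fi
    done
    return "$worst"
}

if [ "$#" -gt 0 ]; then rollout "$@"; exit $?; fi  # runs only when CVE IDs are passed
```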