Ubuntu 16.04 ESM Q&A

Hi,
I’m new here, so let me introduce myself. I’m a product manager at Canonical working on security and ESM and I would like to get your feedback and answer any questions you may have about Ubuntu 16.04 ESM.

Last week Ubuntu 16.04 transitioned to ESM (Extended Security Maintenance). I wrote a blog about the transition and what it means, and the available options. @rhys-davies put together a wiki page to explain some of the terminology.

Please look at the blog post and the wiki page and let me know if you have any questions or feedback about the transition and the process.

regards,
Nikos

6 Likes

Hi,

When you install Ubuntu Advantage (package ubuntu-advantage-tools) on Xenial, and enable only esm-infra service, it installs the file /etc/apt/sources.list.d/ubuntu-esm-infra.list with the two following lines:

deb https://esm.ubuntu.com/infra/ubuntu xenial-infra-security main
deb https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates main

When we have the following /etc/apt/sources.list on that host:

deb         http://de.archive.ubuntu.com/ubuntu/        xenial                  main restricted universe multiverse
deb         http://security.ubuntu.com/ubuntu           xenial-security         main restricted universe multiverse

so no xenial-updates, since we only wanted to have pure security updates and no other (e.g. bugfix) updates (to keep the change minimal). Can we delete the line with xenial-infra-updates from /etc/apt/sources.list.d/ubuntu-esm-infra.list, so we stay on the security-only channel?

The other way round, if we have a Xenial host with the following /etc/apt/sources.list:

deb         http://de.archive.ubuntu.com/ubuntu/        xenial                  main restricted universe multiverse
deb         http://security.ubuntu.com/ubuntu           xenial-security         main restricted universe multiverse
deb         http://de.archive.ubuntu.com/ubuntu/        xenial-updates          main restricted universe multiverse

so with xenial-updates, then do we strictly need the xenial-infra-updates repo? Or would it also be ok to only have xenial-infra-security to keep changes minimal?

The xenial-infra-updates pocket is used to deliver bug fixes for packages in ESM - and pretty much corresponds to the xenial-updates pocket during the LTS phase of the release - so you can treat it the same way (i.e. include it in addition to the -security one if you prefer, or not).

Thanks @alexmurray, just to be sure - it would be ok having xenial-updates in /etc/apt/sources.list, but only xenial-infra-security in /etc/apt/sources.list.d/ubuntu-esm-infra.list?

Background: we learned that once you have enabled xenial-updates in /etc/apt/sources.list you cannot remove it any more (leaving only xenial-security), because afterwards you cannot install new packages that depend on other packages which had already been updated through xenial-updates: the version of the dependency is newer than the to-be-installed package expects, so you have broken dependencies.

If yes, an explanation to better understand would be nice, thanks.

When the security team prepares updates for the security pocket (aka -security) (whether ESM or during the normal support timeframe) we take whichever is the highest version from either the updates OR the security pocket and then patch that and release it to the security pocket. As such, -security can end up containing the changes from -updates anyway, so it is not strictly true that disabling -updates means you only ever get just security updates. This is just the nature of package versioning: we need to ensure that all users (regardless of whether they have only security or both security+updates enabled) can always upgrade to the security-updated version (i.e. the version number has to be strictly greater than anything prior to that).

We also try and make sure that we bring to the security pocket any dependent packages from updates (say since the new version might require a newer version of a given dependency that is only in the updates pocket).

So using only -security reduces the number of changes from -updates you receive but not down to zero.

Saying that, if you have never used -updates it should be fine to use just -security - and the same goes for the ESM sources as well - this is a supported configuration as far as the security team is concerned. However, the default on install is to use both -security and -updates and this is what the vast majority of Ubuntu machines end up using.

1 Like
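As an added example (not code from this thread or from ubuntu-advantage-tools), a small Python parser for one-line-style apt source entries like the ones quoted above; it reports which pockets are enabled on the archive side and on the ESM side, so an admin can see at a glance whether a host is in the security-only configuration or the default security+updates one that @alexmurray describes. The sample entries are constructed from the lines in the question; the pocket names and the "wider than archive" flag are this example's own terminology.

```python
import re

# One-line-style apt source: deb [options] URL SUITE COMPONENT...
DEB_LINE = re.compile(r"^\s*deb\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s+(.+?)\s*$")

# Constructed sample: the security-only sources.list from the question, plus the
# ubuntu-esm-infra.list that enabling esm-infra writes (both quoted above).
ARCHIVE_SECURITY_ONLY = """
deb http://de.archive.ubuntu.com/ubuntu/ xenial main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu xenial-security main restricted universe multiverse
"""
ESM_INFRA_DEFAULT = """
deb https://esm.ubuntu.com/infra/ubuntu xenial-infra-security main
deb https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates main
"""

def parse_sources(text):
    """Return (url, suite, components) for every active 'deb' line."""
    entries = []
    for raw in text.splitlines():
        m = DEB_LINE.match(raw.split("#", 1)[0])   # ignore trailing comments
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).split()))
    return entries

def enabled_pockets(text, release="xenial"):
    """Pockets enabled for RELEASE ('security', 'updates', 'infra-security',
    'infra-updates'); the base suite itself is reported as 'release'."""
    pockets = set()
    for _url, suite, _components in parse_sources(text):
        if suite == release:
            pockets.add("release")
        elif suite.startswith(release + "-"):
            pockets.add(suite[len(release) + 1:])
    return pockets

def _policy(pockets, security, updates):
    if updates in pockets:
        return "security+updates"
    return "security-only" if security in pockets else "none"

def classify(text, release="xenial"):
    """Describe the archive and ESM sides in the thread's terms and flag the
    case the poster wanted to avoid: ESM -updates on a security-only host."""
    p = enabled_pockets(text, release)
    archive = _policy(p, "security", "updates")
    esm = _policy(p, "infra-security", "infra-updates")
    return {"archive": archive, "esm": esm,
            "esm_wider_than_archive": archive == "security-only" and esm == "security+updates"}
```

Running `classify(ARCHIVE_SECURITY_ONLY + ESM_INFRA_DEFAULT)` reports the archive side as security-only but the ESM side as security+updates, which is exactly the mismatch the question asks about; drop the xenial-infra-updates line and the flag clears.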

Thanks for the good, understandable explanation. I would recommend writing it as clearly in https://wiki.ubuntu.com/SecurityTeam/FAQ#How_are_the_.22-updates.22_and_.22-security.22_pockets_different.3F - the current text is not so clear, it left me uncertain.

Answering myself: I guess it should be safe on a host with both xenial-security and xenial-updates enabled in the LTS repo to have only the ESM repo xenial-infra-security without xenial-infra-updates, because xenial-infra-security can stand alone and has no dependencies on xenial-infra-updates, so if the latter is absent, a new version from xenial-infra-security will still be newer than both xenial-updates and xenial-security, and no package from the EOL LTS repo will miss something it just does not know about.

I would also appreciate, if you could write that so definitely in the above FAQ page, currently it is very vague, it seems like nobody is really sure about it…

Edit (since reply limit for me):

Just noticed that unfortunately the package ubuntu-advantage-tools (needed for ESM) is in repo xenial-updates.
So we would need our Xenial hosts that currently have only xenial-security and not xenial-updates to include the latter and then update many packages (which we wanted to avoid) just to have access to the ubuntu-advantage-tools package. That is not nice. While I can understand that a new package does not suit xenial-security well, since it is not a security patch for an existing package, without it you just do not have any ESM security patches at all, so this is somewhat paradoxical. I think the ubuntu-advantage-tools package is a security meta package, so it would have been better to include it in the xenial-security repo after LTS EOL.

Since I can install ubuntu-advantage-tools_27.2.2~16.04.1_amd64.deb (from xenial-updates) on a Xenial host that only has xenial-security and not xenial-updates, I think I will put the .deb file in our private apt repo, to avoid upgrading our security-only hosts to xenial-updates.

1 Like

I’ve updated the wiki to add some more description - thanks for the suggestion.

2 Likes

What am I doing wrong – or what is badly documented?

root@cs-linux5:~# ubuntu-advantage enable-esm C12qf6sUB…bEo38g
Sorry, but Extended Security Maintenance is not supported on xenial

(I’ve taken the middle out of the token I received when signing up).

Hi Chris,
You are most likely using an old Ubuntu Advantage client. Try updating, or better contact https://support.canonical.com/

I am trying to patch some offline (Xenial) servers we inherited and I am having trouble. I am trying to create a repository that I can use to patch these offline servers. I had mirroring setup and working with the regular repositories but not with the esm repository.
my apt-mirror command is returning…
/bin/sh: 0: Can’t open /mnt/data/repo/var/postmirror.sh