Ubuntu 16.04 Extended Security Maintenance on Ubuntu Pro

Ubuntu 16.04 LTS Xenial Xerus will enter the extended security maintenance (ESM) period in April 2021. There are already good resources that talk about Ubuntu’s extended security maintenance (ESM), like the Ubuntu blog article Less than 6 months to Ubuntu 16.04 ESM: 6 things to prepare. In this article we’ll take a deeper look at what this actually means from an apt source perspective inside the Ubuntu system.

To demonstrate this, I’m using Ubuntu Pro 16.04 which is available on Azure, AWS and Google Cloud.

You can run ua status on Ubuntu Pro to see the status of the Pro features:

$ ua status

SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       n/a       NIST-certified FIPS modules
fips-updates  yes       n/a       Uncertified security updates to FIPS modules
livepatch     yes       enabled   Canonical Livepatch service

Enable services with: ua enable <service>

                Account: <redacted>
           Subscription: <redacted>
            Valid until: 9999-12-31 00:00:00
Technical support level: essential

If you run apt update, you’ll see that some packages are pulled from the esm.ubuntu.com/infra repository, which corresponds to the ESM 3-year extension we’re talking about in this article:

$ sudo apt update

Hit:1 http://azure.archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://azure.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:3 http://azure.archive.ubuntu.com/ubuntu xenial-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu xenial-security InRelease               
Hit:5 https://esm.ubuntu.com/apps/ubuntu xenial-apps-security InRelease
Hit:6 https://esm.ubuntu.com/apps/ubuntu xenial-apps-updates InRelease
Hit:7 https://esm.ubuntu.com/infra/ubuntu xenial-infra-security InRelease
Hit:8 https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
7 packages can be upgraded. Run 'apt list --upgradable' to see them.
5 of the updates are from UA Apps: ESM.

You can list all packages in the esm-infra repository with the following command:

$ grep ^Package /var/lib/apt/lists/esm.ubuntu.com_infra_ubuntu_dists_xenial-infra-*_Packages | awk '{print $2}' | sort -u 

krb5-admin-server
krb5-doc
krb5-gss-samples
krb5-k5tls
krb5-kdc
krb5-kdc-ldap
krb5-locales
krb5-multidev
krb5-otp
krb5-pkinit
krb5-user
libgssapi-krb5-2
libgssrpc4
libk5crypto3
libkadm5clnt-mit9
libkadm5srv-mit9
libkdb5-8
libkrad-dev
libkrad0
libkrb5-3
libkrb5-dbg
libkrb5-dev
libkrb5support0

We can then look at the available versions of those packages with apt-cache policy to see which versions we get from the regular Ubuntu archive and which ones we get from the esm-infra repository:

$ apt-cache policy krb5-user

krb5-user:
  Installed: (none)
  Candidate: 1.13.2+dfsg-5ubuntu2.2+esm1
  Version table:
     1.13.2+dfsg-5ubuntu2.2+esm1 500
        500 https://esm.ubuntu.com/apps/ubuntu xenial-apps-security/main amd64 Packages
     1.13.2+dfsg-5ubuntu2.2 500
        500 http://azure.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages
     1.13.2+dfsg-5ubuntu2.1+esm1 500
        500 https://esm.ubuntu.com/infra/ubuntu xenial-infra-security/main amd64 Packages
        500 https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates/main amd64 Packages
     1.13.2+dfsg-5 500
        500 http://azure.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages

Now, because Ubuntu 16.04 is not in ESM mode yet as of the time of this writing, we don’t get to see the more recent versions in esm-infra. But once Ubuntu 16.04 enters ESM mode, we’ll stop seeing updates in the Ubuntu archive and then the new package versions will only be available in the ESM repositories.

Written on April 7, 2021