Ubuntu 16.04 Extended Security Maintenance on Ubuntu Pro
Ubuntu 16.04 LTS Xenial Xerus will enter the extended security maintenance (ESM) period in April 2021. There are already good resources that talk about Ubuntu’s extended security maintenance (ESM), like the Ubuntu blog article Less than 6 months to Ubuntu 16.04 ESM: 6 things to prepare. In this article we’ll take a deeper look at what this actually means from an apt source perspective inside the Ubuntu system.
To demonstrate this, I’m using Ubuntu Pro 16.04 which is available on Azure, AWS and Google Cloud.
You can run ua status on Ubuntu Pro to see the status of the Pro features:
$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM)
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
fips yes n/a NIST-certified FIPS modules
fips-updates yes n/a Uncertified security updates to FIPS modules
livepatch yes enabled Canonical Livepatch service
Enable services with: ua enable <service>
Account: <redacted>
Subscription: <redacted>
Valid until: 9999-12-31 00:00:00
Technical support level: essential
If you run apt update, you’ll see that some packages are pulled from the esm.ubuntu.com/infra repository, which corresponds to the ESM 3-year extension we’re talking about in this article:
$ sudo apt update
Hit:1 http://azure.archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://azure.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:3 http://azure.archive.ubuntu.com/ubuntu xenial-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:5 https://esm.ubuntu.com/apps/ubuntu xenial-apps-security InRelease
Hit:6 https://esm.ubuntu.com/apps/ubuntu xenial-apps-updates InRelease
Hit:7 https://esm.ubuntu.com/infra/ubuntu xenial-infra-security InRelease
Hit:8 https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
7 packages can be upgraded. Run 'apt list --upgradable' to see them.
5 of the updates are from UA Apps: ESM.
You can list all packages in the esm-infra repository with the following command:
$ grep ^Package /var/lib/apt/lists/esm.ubuntu.com_infra_ubuntu_dists_xenial-infra-*_Packages | awk '{print $2}' | sort -u
krb5-admin-server
krb5-doc
krb5-gss-samples
krb5-k5tls
krb5-kdc
krb5-kdc-ldap
krb5-locales
krb5-multidev
krb5-otp
krb5-pkinit
krb5-user
libgssapi-krb5-2
libgssrpc4
libk5crypto3
libkadm5clnt-mit9
libkadm5srv-mit9
libkdb5-8
libkrad-dev
libkrad0
libkrb5-3
libkrb5-dbg
libkrb5-dev
libkrb5support0
We can then look at the available versions of those packages with apt-cache policy to see which versions we get from the regular Ubuntu archive and which ones we get from the esm-infra repository:
$ apt-cache policy krb5-user
krb5-user:
Installed: (none)
Candidate: 1.13.2+dfsg-5ubuntu2.2+esm1
Version table:
1.13.2+dfsg-5ubuntu2.2+esm1 500
500 https://esm.ubuntu.com/apps/ubuntu xenial-apps-security/main amd64 Packages
1.13.2+dfsg-5ubuntu2.2 500
500 http://azure.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages
1.13.2+dfsg-5ubuntu2.1+esm1 500
500 https://esm.ubuntu.com/infra/ubuntu xenial-infra-security/main amd64 Packages
500 https://esm.ubuntu.com/infra/ubuntu xenial-infra-updates/main amd64 Packages
1.13.2+dfsg-5 500
500 http://azure.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
Now, because Ubuntu 16.04 is not in ESM mode yet as of the time of this writing, we don’t get to see the more recent versions in esm-infra. But once Ubuntu 16.04 enters ESM mode, we’ll stop seeing updates in the Ubuntu archive and then the new package versions will only be available in the ESM repositories.