Esm-apps updates work? Wise to enable?

Before I run the below procedure, I would like some stable positive feedback. Recommended or could lead to problems down the road?
Does this even work with current stable LXD?

(Please note that enabling ESM updates for the LXD snap requires an active Ubuntu Pro subscription, as ESM updates are part of the extended support provided by Canonical for Ubuntu Pro users.)

sudo ua status

If the output shows that Ubuntu Pro is active and the system is properly registered, you can proceed to the next step.
Install the ubuntu-advantage package if it’s not already installed. This package provides the tools required to manage your Ubuntu Pro subscription. Run the following command to install it:

sudo apt update
sudo apt install ubuntu-advantage

Authenticate your system with the Ubuntu SSO (Single Sign-On) account associated with your Ubuntu Pro subscription. Run the following command and follow the on-screen prompts:

sudo ua attach <Your-SSO-token>

Replace <Your-SSO-token> with the token associated with your Ubuntu Pro subscription. If you don’t have a token, you can generate one by logging into the Ubuntu SSO portal (https://login.ubuntu.com) and navigating to the “Devices” section.
Once your system is successfully attached to your Ubuntu Pro subscription, you can enable ESM updates for the LXD snap by running the following command:

sudo ua enable-esm lxd

This command enables ESM updates specifically for the LXD snap package.
Finally, update the system and the LXD snap to apply the ESM updates:

sudo apt update
sudo snap refresh lxd

The system will now receive ESM updates for the LXD snap, which will include security patches and bug fixes.

I have no idea what ua enable-esm lxd is supposed to be doing.

The LXD team does not maintain an ESM version of the LXD snap and to my knowledge, there are no such versions maintained by anyone at the moment.

We release LXD LTS versions every 2 years which then get 5 years of updates, the first 2 years of which include bugfixes. Currently LXD 3.0 is about to go EOL and as far as the LXD team is concerned, no further work will be happening on it.

It’s certainly possible for the security team at Canonical to provide security support on packages after that 5 years of upstream commitment, but doing so would require some infrastructure to be able to build the LXD snap in a private environment that’s only available to ESM users. Such an environment, to my knowledge, does not (currently) exist. ESM updates instead currently focus on .deb packages being updated through a private repository that’s restricted to Ubuntu Pro users.

In your instructions above, I would be quite interested in the result of snap info lxd after having gone through all that, as I’d be extremely surprised if it differed in any way from what you’d get on a system with no ESM enabled.


Thanks for the quick reply & info. I was frantically looking around how to solve the case where containers could benefit globally from these in-house Ubuntu security updates for packages like imagemagick. Mistakes were made when using AI search engines, sorry for that.

As far as I understand the Ubuntu Pro token is supposed to go on the host and unsure if and how to add it to unprivileged containers. By the looks of it SRUs (StableReleaseUpdates) could work with LXD VMs and containers are on the todo list? Still looking.

Since I fumbled posting that yesterday, I spun up a barebone 22.04 server and went through the steps above to answer your question.
There is no ubuntu-advantage package in 22.04.

~ #  apt-cache search ubuntu-advantage
ubuntu-advantage-desktop-daemon - Daemon to allow access to ubuntu-advantage via D-Bus
ubuntu-advantage-tools - management tools for Ubuntu Pro
ubuntu-advantage-pro - Additional services for Ubuntu Pro images

and to answer your question,

~ # ua enable-esm lxd
usage: pro <command> [flags]
argument : invalid choice: 'enable-esm' (choose from 'attach', 'api', 'auto-attach', 'collect-logs', 'config', 'detach', 'disable', 'enable', 'fix', 'security-status', 'help', 'refresh', 'status', 'version', 'system')
~ # snap info lxd
name:      lxd                                              
summary:   LXD - container and VM manager                   
publisher: Canonical✓                                      
store-url: https://snapcraft.io/lxd                         
contact:   https://github.com/lxc/lxd/issues               
license:   unset                                            
description: |                                             
  LXD is a system container and virtual machine manager.   
                                                            
  It offers a simple CLI and REST API to manage local or remote instances,
  uses an image based workflow and support for a variety of advanced features.
                                                           
  Images are available for all Ubuntu releases and architectures as well
  as for a wide number of other Linux distributions. Existing
  integrations with many deployment and operation tools, makes it work
  just like a public cloud, except everything is under your control.
                                                            
  LXD containers are lightweight, secure by default and a great 
  alternative to virtual machines when running Linux on Linux.
                                                            
  LXD virtual machines are modern and secure, using UEFI and secure-boot
  by default and a great choice when a different kernel or operating
  system is needed.                                        
                                                            
  With clustering, up to 50 LXD servers can be easily joined and managed
  together with the same tools and APIs and without needing any external
  dependencies.
   
   
  Supported configuration options for the snap (snap set lxd [<key>=<value>...]):
   
    - ceph.builtin: Use snap-specific Ceph configuration [default=false]
    - ceph.external: Use the system's ceph tools (ignores ceph.builtin) [default=false]
    - criu.enable: Enable experimental live-migration support [default=false]
    - daemon.debug: Increase logging to debug level [default=false]
    - daemon.group: Set group of users that have full control over LXD [default=lxd]
    - daemon.user.group: Set group of users that have restricted LXD access [default=lxd]
    - daemon.preseed: Pass a YAML configuration to `lxd init` on initial start
    - daemon.syslog: Send LXD log events to syslog [default=false]
    - daemon.verbose: Increase logging to verbose level [default=false]
    - lvm.external: Use the system's LVM tools [default=false]
    - lxcfs.pidfd: Start per-container process tracking [default=false]
    - lxcfs.loadavg: Start tracking per-container load average [default=false]
    - lxcfs.cfs: Consider CPU shares for CPU usage [default=false]
    - lxcfs.debug: Increase logging to debug level [default=false]
    - openvswitch.builtin: Run a snap-specific OVS daemon [default=false]
    - openvswitch.external: Use the system's OVS tools (ignores openvswitch.builtin) [default=false]
    - ovn.builtin: Use snap-specific OVN configuration [default=false]
    - shiftfs.enable: Enable shiftfs support [default=auto]
   
  For system-wide configuration of the CLI, place your configuration in
  /var/snap/lxd/common/global-conf/ (config.yml and servercerts)
commands:
  - lxd.benchmark
  - lxd.buginfo
  - lxd.check-kernel
  - lxd.lxc
  - lxd.lxc-to-lxd
  - lxd
  - lxd.migrate
services:
  lxd.activate:    oneshot, enabled, inactive
  lxd.daemon:      simple, enabled, active
  lxd.user-daemon: simple, enabled, inactive
snap-id:      J60k4JY0HppjwOjW8dZdYc8obXKxujRu
tracking:     latest/stable
refresh-date: 12 days ago, at 07:34 UTC
channels:
  latest/stable:    5.14-7072c7b  2023-06-01 (24918) 178MB -
  latest/candidate: 5.15-be147af  2023-06-21 (25038) 181MB -
  latest/beta:      ↑                                      
  latest/edge:      git-53db74c   2023-06-23 (25075) 181MB -
  5.14/stable:      –                                      
  5.14/candidate:   5.14-7072c7b  2023-05-31 (24918) 178MB -
  5.14/beta:        ↑                                      
  5.14/edge:        ↑                                      
  5.13/stable:      5.13-8e2d7eb  2023-05-31 (24846) 174MB -
  5.13/candidate:   ↑                                      
  5.13/beta:        ↑                                      
  5.13/edge:        ↑                                      
  5.0/stable:       5.0.2-838e1b2 2023-01-25 (24322) 117MB -
  5.0/candidate:    5.0.2-838e1b2 2023-01-18 (24322) 117MB -
  5.0/beta:         ↑                                      
  5.0/edge:         git-2a04cf3   2023-04-15 (24732) 118MB -
  4.0/stable:       4.0.9-a29c6f1 2022-12-04 (24061)  96MB -
  4.0/candidate:    4.0.9-a29c6f1 2022-12-02 (24061)  96MB -
  4.0/beta:         ↑                                      
  4.0/edge:         git-407205d   2022-11-22 (23988)  96MB -
  3.0/stable:       3.0.4         2019-10-10 (11348)  55MB -
  3.0/candidate:    3.0.4         2019-10-10 (11348)  55MB -
  3.0/beta:         ↑                                      
  3.0/edge:         git-81b81b9   2019-10-10 (11362)  55MB -
installed:          5.14-7072c7b             (24918) 178MB -

Would be great if LXD containers would automatically benefit and be able to pull the updates from Ubuntu Pro subscribed hosts.


https://wiki.ubuntu.com/StableReleaseUpdates
https://wiki.ubuntu.com/UbuntuAdvantageToolsUpdates
https://discourse.ubuntu.com/t/ubuntu-advantage-client/21788
https://canonical-ubuntu-pro-client.readthedocs-hosted.com
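
The comparison asked for earlier in the thread, as an added example that is not part of the original posts: it reads `snap info` text and reports whether the installed LXD revision is simply the revision published on the tracked public channel. The helper names `snap_channel_report` and `track_release_date` are hypothetical, and the sample is an excerpt of the output posted above.

```shell
#!/bin/sh
# Added example: compare the installed LXD snap revision with the revision
# published on the channel the snap is tracking, using `snap info` text.

# Excerpt of the `snap info lxd` output posted in the thread.
SAMPLE_SNAP_INFO='name:      lxd
tracking:     latest/stable
refresh-date: 12 days ago, at 07:34 UTC
channels:
  latest/stable:    5.14-7072c7b  2023-06-01 (24918) 178MB -
  latest/candidate: 5.15-be147af  2023-06-21 (25038) 181MB -
  latest/beta:      ↑
  5.0/stable:       5.0.2-838e1b2 2023-01-25 (24322) 117MB -
  3.0/stable:       3.0.4         2019-10-10 (11348)  55MB -
installed:          5.14-7072c7b             (24918) 178MB -'

# snap_channel_report (hypothetical helper): reads `snap info` text on stdin,
# prints "tracking=<channel> installed=<rev> published=<rev> match=<yes|no>".
snap_channel_report() {
    awk '
        # Pull the number out of a "(24918)" field.
        function rev(s) { gsub(/[()]/, "", s); return s }
        $1 == "tracking:"  { tracking = $2 }
        $1 == "channels:"  { in_channels = 1; next }
        $1 == "installed:" { in_channels = 0; installed = rev($3) }
        # Channel rows: "<track>/<risk>: <version> <date> (<rev>) <size> <notes>"
        in_channels && NF >= 4 {
            name = $1; sub(/:$/, "", name)
            published[name] = rev($4)
        }
        END {
            pub = (tracking in published) ? published[tracking] : "none"
            printf "tracking=%s installed=%s published=%s match=%s\n",
                tracking, installed, pub, (pub == installed ? "yes" : "no")
        }'
}

# track_release_date (hypothetical helper): release date of <channel>, so an
# old track such as 3.0 stands out.
track_release_date() {
    awk -v want="$1:" '$1 == want && NF >= 4 { print $3 }'
}

# Live use:  snap info lxd | snap_channel_report
printf '%s\n' "$SAMPLE_SNAP_INFO" | snap_channel_report
printf '%s\n' "$SAMPLE_SNAP_INFO" | track_release_date 3.0/stable
```

Running the same report on a host with and without Ubuntu Pro attached gives a direct way to see whether the snap differs between the two.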

Ah right, there definitely has been some work done to have ESM be propagated onto containers and VMs running on the system. That part makes sense, just not sure how far they got there.