Ubuntu 18.04 ‘Bionic Beaver’ is reaching End of Standard Support this May. If you don’t take action, you will transition to 18.04 EOL (End Of Life). This distribution of Ubuntu was installed by millions of users and powers up thousands of devices. From kiosks and appliances to IoT devices and robots, 18.04 helped many companies deploy innovations to the world. As with all other Ubuntu LTS releases that reach their end of standard support, Bionic Beaver will transition to Extended Security Maintenance (ESM). This blog post will help developers and companies evaluate their options for devices currently running Ubuntu 18.04 LTS. It will also cover how you can enable ESM in case you choose to extend the support window with this service. Before we jump in, let’s cover a burning question: why do Ubuntu releases reach EOL?
Why do Ubuntu releases reach EOL?
Every single Ubuntu LTS comes with 5 years of standard support. During those five years, we provide bug fixes and security patches to more than 2,300 packages. This obviously requires a great engineering effort from Canonical. Even more, if you consider all the critical infrastructures where Ubuntu is being used today.
But our users also look forward to the new release of our operating system with the latest and greatest. So, as we release new distributions of Ubuntu, we also need to relocate our resources. And with this, we obviously need to move distributions to the ESM period.
ESM enables continuous vulnerability management for critical, high and medium Common Vulnerabilities and Exposures (CVEs). During this period, we no longer improve the distribution, but we keep it secure. We offer ESM for the benefit of our users. Some cannot migrate and need to keep their infrastructure running reliably and securely. Therefore, we provide 5 more years of critical security to those organisations. This is a paid service, as engineering time and resources are still needed to provide these updates. A paid service that is still cheaper than the actual cost for organisations to do all of this maintenance in-house.
Now that we covered the relationship between End of Standard Support and ESM, let’s explore what comes next.
Migrate from 18.04 EOL to a supported LTS distribution
It’s never too late to start thinking about the 18.04 EOL migration. Soon your 18.04 fleet will stop receiving updates, including security patches. That will put you and your final user at a security risk. So if you want to keep your device compliant with security maintenance and the latest and greatest software, migration is one way to go.
For device manufacturers, we advise you to have a look at Ubuntu Core. While Ubuntu Desktop and Server will fulfil their purpose for edge and IoT devices, Ubuntu Core was developed and has been optimised for these use cases. With out-of-the-box features such as OTA update control, low-touch device recovery, strict confinement, secure boot, and more, it makes it easier to deploy and manage devices. It also comes with a longer window of standard support: 10 years. This will help you avoid reading another blog about this for quite a while.
And the migration shouldn’t be painful. If you are short on resources, you can always package your application and bundle all your dependencies. We recommend the use of snaps as a container solution to bundle all your dependencies. Snaps won’t create another abstraction layer. They allow you to access the system’s resources through dedicated interfaces. Once your application is snapped, you can easily run it on any Ubuntu LTS, Core, Desktop or Server. You name it.
Can’t migrate from 18.04 EOL? Get 18.04 ESM
Sometimes migration is not straightforward. Dealing with dependency changes or simply recalling devices from the field can be troublesome. While the aim will be to migrate, you might need some time. So if you need more time and want to keep devices compliant, ESM gives you 5 extra years before 18.04 EOL.
ESM is part of the Ubuntu Pro subscription. ESM provides continuous vulnerability management and patching for critical, high and medium Common Vulnerabilities and Exposures (CVEs). This means that you will keep receiving security updates for more than 2,300 packages in Ubuntu Main. Here you find packages such as Python, OpenSSL, OpenVPN, network-manager, sed, curl, systemd, udev, bash, OpenSSH, login, libc… For the whole list of what’s included in Main, you can visit the Ubuntu Packages Search tool.
But there is more. With the release of Ubuntu Pro, you can also get security coverage to an additional 23,000 packages beyond the main operating system. These are packages in Ubuntu Universe. For example, Boost, Qt, OpenCV, PCL, python-(argcomplete, opencv, pybind11, png…), cython, eigen, GTK, FFMPEG… are some of the many packages covered in Universe that are now getting security maintenance from Canonical.
Option 1: Purchase ESM through the Ubuntu Pro store
If you have a few units to cover with ESM, we recommend you to purchase it directly from our store. ESM is part of the Ubuntu Pro subscription. Pricing for Ubuntu Pro depends on the volume of devices you want to cover and years of subscription to the service. To calculate pricing and make a purchase:
- Go to the Ubuntu Pro Store
- Select IoT and Devices Category
- Add the number of devices that you want to cover
- Select 18.04 LTS
- Pick whether you want only security updates for Main, or Main and Universe.
- Select if you want Enterprise Support
- Click Buy Now
Option 2: Purchase ESM through Canonical’s Embedding Programme
If you have a large fleet of devices, or you need to add support to estates that grow over time, joining Canonical’s Embedding Programme might be a better option. It will not only grant you access to the Ubuntu Pro subscription, and so to ESM, but it will also apply a beneficial discount-based model.
To join the Embedding Programme you need to get in touch with a sales representative.
What is included in the Ubuntu Pro subscription
ESM is part of the Ubuntu Pro subscription. You get access to this subscription through the Embedding programme or the Pro store. Besides getting ESM, customers can also enjoy other services like:
- Ubuntu systems management with Landscape.
- Kernel Livepatch service to avoid reboots.
- Security certification (e.g. FIPS and CIS).
- 24/7, open source software support for the full stack.
- Access to real-time kernel.
For more information about Ubuntu Pro visit our webpage, the service description or get in touch with one of our sales representatives.
How to enable ESM
Security updates provided during the ESM period are accessed through a dedicated PPA. To access this PPA you need a token. Tokens will be available in your Ubuntu Pro subscription portal once you have completed the purchase of the service. Remember, the Ubuntu Pro subscription can be purchased through the Embedding Programme or directly through the Ubuntu Pro store.
To enable ESM, you just need to follow the instructions in your welcome email:
- Install the Ubuntu Pro client
- Attach your token to an Ubuntu machine
- Activate ESM
- Run apt upgrade will now allow you to install available updates
For more detailed instructions please visit the Ubuntu Pro client discourse.
Enabling ESM on fleets of devices
Depending on your management infrastructure there will be different alternatives to enable ESM in your fleet of machines. An Ubuntu Pro subscription also gives you access to Landscape, which facilitates this process.
Landscape is a management and administration tool for Ubuntu. It allows you to monitor your systems through a management agent installed on each machine. The agent communicates with the Landscape server to update an automatically selected set of essential health metrics. It also allows you to remotely update and upgrade machines and manage users and permissions.
Using remote script execution, Landscape can interact with the Ubuntu Pro client. It can also distribute tokens in air-gapped environments.
Learn more about Landscape with our documentation.
Summary of 18.04 EOL implications
As 18.04 reaches the End of Standard Support in May of 2023, companies that have deployed devices with this LTS need to take action. Staying on 18.04 EOL distribution is a security risk that companies can’t afford. While migrating to a supported LTS is our main recommendation, we understand this is not always possible. If that’s the case for your organisation, ESM gives you more time.
Get in touch if you need advice on the best path for your company.