Patch ubuntu 12.04 LTS server

Asked by Kadambari

Hello,

Last year I mounted the 12.04.4 server amd64 ISO on a VMware host and installed an Ubuntu VM using it, as the customer requested it.
Currently it is on kernel 3.11.0-15-generic.
I now need to patch it to the latest available kernel and apply security patches, if any. Can you help with:
1. Steps for how this is to be done
2. What new kernel is available
3. The list of packages it will upgrade, and
4. In case our application team wants us to exclude any specific package during the patching, how do we do that?

Thanks,

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee
Manfred Hampl (m-hampl) said :
#1

The answers to be given are more or less the same as in https://answers.launchpad.net/ubuntu/+question/263808

a. set up a sources.list file that contains the -updates and -security repositories
b. issue the command "sudo apt-get update" to load the current package inventory information to your system
c. check with "apt-get --simulate dist-upgrade" the list of packages that are due for an update
d. If you have the need to keep certain packages on the older release, you have to apt pin these to that version.

Your questions:
1. (has been answered above)
2. Your kernel seems to be from linux-lts-saucy, which is no longer supported; you should upgrade to linux-lts-trusty with the 3.13.0-55-generic kernel
3. (has been answered above)
4. (has been answered above)

What is the output of the terminal commands

uname -a
lsb_release -a
hwe-support-status --verbose
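
Steps c and d above, as an added example that is not part of the original answer: it turns the output of "apt-get --simulate dist-upgrade" into a package list for the application team and writes APT pin stanzas for the packages they ask to exclude. The function names and the sample simulation lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of "apt-get --simulate dist-upgrade" output; the
# package versions are illustrative and were not posted in the thread.
sample_simulation() {
cat <<'EOF'
Inst libssl1.0.0 [1.0.1-4ubuntu5.11] (1.0.1-4ubuntu5.31 Ubuntu:12.04/precise-security [amd64])
Inst mysql-server-5.5 [5.5.35-0ubuntu0.12.04.2] (5.5.43-0ubuntu0.12.04.1 Ubuntu:12.04/precise-security [all])
Inst tzdata [2013g-0ubuntu0.12.04] (2015d-0ubuntu0.12.04 Ubuntu:12.04/precise-updates [all])
Inst linux-image-3.13.0-55-generic (3.13.0-55.94~precise1 Ubuntu:12.04/precise-security [amd64])
Conf libssl1.0.0 (1.0.1-4ubuntu5.31 Ubuntu:12.04/precise-security [amd64])
EOF
}

# stdin: simulation output. stdout: "package installed candidate pocket",
# one line per pending install/upgrade ("-" = not installed yet).
upgrade_report() {
    awk '$1 == "Inst" {
        old = "-"; i = 3
        if ($3 ~ /^\[/) { old = $3; gsub(/^\[|\]$/, "", old); i = 4 }
        new = $i; sub(/^\(/, "", new)
        pocket = ($0 ~ /\/[a-z]+-security[, ]/) ? "security" : "other"
        print $2, old, new, pocket
    }'
}

# stdin: simulation output; arguments: packages to exclude from patching.
# stdout: APT preferences stanzas that pin each one to its installed version.
pin_stanzas() {
    upgrade_report | while read -r pkg old new pocket; do
        for keep in "$@"; do
            if [ "$pkg" = "$keep" ] && [ "$old" != "-" ]; then
                printf 'Explanation: skips %s (%s pocket)\n' "$new" "$pocket"
                printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$pkg" "$old"
            fi
        done
    done
}

sample_simulation | upgrade_report
sample_simulation | pin_stanzas mysql-server-5.5
```

The stanzas belong in a file under /etc/apt/preferences.d/. A package pinned this way also stops receiving security fixes, which is why the Explanation line records the pocket of the update being skipped.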

Kadambari (kadambari-deshpande) said :
#2

Hello,

True, I had inquired about the bask upgrade earlier and it went well. Since I am absolutely new to Ubuntu, I have doubts, and the servers are production; I work on Redhat and have a few Ubuntu servers set up due to customer request.
$ uname -a
Linux vir-t-app01 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:39:31 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise

hwe-support-status --verbose (command not found.)

Can you guide me on upgrading my server to linux-lts-trusty with the 3.13.0-55-generic kernel, what will be the requirements for this upgrade, what about application hosting and data on the server...

Thanks.

Manfred Hampl (m-hampl) said :
#3

Please provide the output of

apt-cache policy update-manager-core
cat /etc/apt/sources.list
ls -l /etc/apt/sources.list.d

These commands will not change anything on your system and should not interfere with server operations at all.

In theory updating the packages to the current status (with bug fixes and enhancements) should not have any consequence for application hosting and data.
How do you manage package updates with Redhat? How do you care for regular patching of the programs against security vulnerabilities? I do not expect that this differs much from what is required to keep an Ubuntu system up-to-date.

There is just one remarkable feature in Ubuntu (do not know whether there is an equivalent in Redhat), that is the possibility to switch over from the 3.2 kernel provided in the original Ubuntu precise installation to the 3.5, 3.8, 3.11 and 3.13 kernel series (those provided by the later Ubuntu releases like quantal, raring, saucy and vivid).

Kadambari (kadambari-deshpande) said :
#4

Outputs:
$ apt-cache policy update-manager-core
update-manager-core:
  Installed: 1:0.156.14.11
  Candidate: 1:0.156.14.11
  Version table:
 *** 1:0.156.14.11 0
        100 /var/lib/dpkg/status
     1:0.156.14 0
        500 http://213.136.29.218/ubuntu/ precise/main amd64 Packages
===================

:~$ cat /etc/apt/sources.list
#

# deb cdrom:[Ubuntu-Server 12.04.4 LTS _Precise Pangolin_ - Release amd64 (20140204)]/ dists/precise/main/binary-i386/
# deb cdrom:[Ubuntu-Server 12.04.4 LTS _Precise Pangolin_ - Release amd64 (20140204)]/ dists/precise/restricted/binary-i386/
# deb cdrom:[Ubuntu-Server 12.04.4 LTS _Precise Pangolin_ - Release amd64 (20140204)]/ precise main restricted

#deb cdrom:[Ubuntu-Server 12.04.4 LTS _Precise Pangolin_ - Release amd64 (20140204)]/ dists/precise/main/binary-i386/
#deb cdrom:[Ubuntu-Server 12.04.4 LTS _Precise Pangolin_ - Release amd64 (20140204)]/ dists/precise/restricted/binary-i386/
#deb cdrom:[Ubuntu-Server 12.04.4 LTS _Precise Pangolin_ - Release amd64 (20140204)]/ precise main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
#odeb file:/home/kadambari/mono ./
deb file:/usr/local/mydebs ./
deb http://213.136.29.218/ubuntu/ precise main restricted universe multiverse
deb-src http://213.136.29.218/ubuntu/ precise main restricted universe multiverse

deb http://us.archive.ubuntu.com/ubuntu/ precise main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ precise main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ precise universe
deb-src http://us.archive.ubuntu.com/ubuntu/ precise universe
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://us.archive.ubuntu.com/ubuntu/ precise multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ precise multiverse
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu precise-security main restricted
deb-src http://security.ubuntu.com/ubuntu precise-security main restricted
deb http://security.ubuntu.com/ubuntu precise-security universe
deb-src http://security.ubuntu.com/ubuntu precise-security universe
deb http://security.ubuntu.com/ubuntu precise-security multiverse
deb-src http://security.ubuntu.com/ubuntu precise-security multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu precise partner
# deb-src http://archive.canonical.com/ubuntu precise partner

## Uncomment the following two lines to add software from Ubuntu's
## 'extras' repository.
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
# deb http://extras.ubuntu.com/ubuntu precise main
# deb-src http://extras.ubuntu.com/ubuntu precise main
:~$

=============
:~$ ls -l /etc/apt/sources.list.d
total 0
:~$
==============
In Redhat, patching a server to the latest kernel or applying security patches is done via a yum repository. For regular kernel patching we do a dry run and inform the application team of all packages that would get updated, so in case applications (e.g. mysql, apache, perl) are not compatible with higher versions, we exclude them from getting updated.

In Redhat we are able to patch to the latest available kernel and release of the OS version we are using.
In order to make the Ubuntu server secure from vulnerabilities, let me know if you recommend upgrading my server to linux-lts-trusty with the 3.13.0-55-generic kernel, or whether you would suggest any other.

Manfred Hampl (m-hampl) said :
#5

A similar process to what you are doing on Redhat (with yum) can also be done (and should be done) on Ubuntu (with apt package management tools).

Your sources.list file looks ok (although I do not know what that http://213.136.29.218/ubuntu/ server is for).
If this is a server, I assume that you will not need any of the deb-src lines, you could disable all of them by putting a hash sign '#' in front.

I recommend that you refresh the local copy of the package inventory information with the command

sudo apt-get update

This command should just copy the information about available updates to your system and does not change any software.
Please copy/paste the output into this question document so that we can verify the result.

Kadambari (kadambari-deshpande) said :
#6

Hello,

nl.archive.ubuntu.com is http://213.136.29.218/ubuntu/. During installation I had to install many application packages from the internet, so on Google I found the link http://repogen.simplylinux.ch/ - Ubuntu Sources List Generator, from where I used deb http://nl.archive.ubuntu.com/ubuntu/ precise main to find the software packages.
So do you suggest that I keep the same and run 'sudo apt-get update'?

Manfred Hampl (m-hampl) said :
#7

Just one of 213.136.29.218 and nl.archive.ubuntu.com and us.archive.ubuntu.com is enough. I think you can edit the file and remove the lines with http://213.136.29.218/ubuntu without any further consequence.

And then run
sudo apt-get update
and check for any warning and/or errors.

Kadambari (kadambari-deshpande) said :
#8

Hello,

I have requested the opening of a connection to port 80 for 213.136.29.218 from my server.
I will send the output as soon as I get the port opened.

Now the contents of sources.list are as below:
$ grep -v ^# /etc/apt/sources.list
deb http://213.136.29.218/ubuntu/ precise main restricted universe multiverse
deb-src http://213.136.29.218/ubuntu/ precise main restricted universe multiverse

Manfred Hampl (m-hampl) said :
#9

Your sources.list file now is missing the precise-updates and precise-security repositories! Where have all those gone from the file that you had in comment #4?

Manfred Hampl (m-hampl) said :
#10

And just a comment: I cannot reach 213.136.29.218 from my location. Are you sure that the IP address is correct?
Can't you use server names instead of IP addresses?
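
The two checks raised in comments #9 and #10, as an added example that is not part of the original replies: it reports which pockets have no active "deb" line in a sources.list and which entries point at a bare IP address instead of a server name. The function names are hypothetical and the sample file is constructed, modelled on the reduced file shown in comment #8.

```shell
#!/bin/sh
# Constructed sample modelled on the reduced sources.list in comment #8.
write_sample() {
cat > "$1" <<'EOF'
# deb cdrom:[Ubuntu-Server 12.04.4 LTS]/ precise main restricted
deb http://213.136.29.218/ubuntu/ precise main restricted universe multiverse
deb-src http://213.136.29.218/ubuntu/ precise main restricted universe multiverse
# deb http://security.ubuntu.com/ubuntu precise-security main restricted
EOF
}

# missing_pockets FILE RELEASE
# Prints each of RELEASE, RELEASE-updates and RELEASE-security that has no
# active binary ("deb") entry. Comments and deb-src lines do not count.
missing_pockets() {
    file=$1 release=$2
    for suite in "$release" "$release-updates" "$release-security"; do
        if ! awk -v s="$suite" '$1 == "deb" {
                sub(/\[[^]]*\][ \t]*/, "")      # drop "[arch=...]" options
                if ($3 == s) found = 1
            } END { exit !found }' "$file"; then
            echo "$suite"
        fi
    done
}

# ip_mirrors FILE
# Prints the URIs of active entries whose host is an IPv4 literal.
ip_mirrors() {
    awk '$1 == "deb" || $1 == "deb-src" {
            sub(/\[[^]]*\][ \t]*/, ""); print $2
        }' "$1" |
        grep -E '^[a-z]+://[0-9]+(\.[0-9]+){3}(:[0-9]+)?/' | sort -u
}

tmp=$(mktemp) && write_sample "$tmp"
missing_pockets "$tmp" precise
ip_mirrors "$tmp"
rm -f "$tmp"
```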

Kadambari (kadambari-deshpande) said :
#11

Hello,

When looking at the Ubuntu wiki (https://wiki.ubuntu.com/Releases) I see that 12.04.4 stops for the HWE version, so Ubuntu 12.04.4 will be supported to somewhere in 2017 if I am not mistaken.
I must say, when reading the wiki it is not absolutely clear to me what this HWE thing is. Can you help me understand this?

http://askubuntu.com/questions/248914/what-is-hardware-enablement-hwe
That page makes it more clear what HWE stands for.
We do not use it; we do not need it because we are running on ESX, and VMware tools will normally take care of the hardware layer. So does my Ubuntu server 12.04 LTS have support till 2017?

Thanks,

Manfred Hampl (m-hampl) said :
#12

If you have Ubuntu 12.04.4 installed, then you have installed a no-more-supported variant.
You should apply all available patches (preferably only after doing some testing in a test environment).
This will (most probably) upgrade your system to 12.04.5.
And at the same time you should also upgrade to linux-lts-trusty with the 3.13.0-*-generic kernel.

The software that you are currently running has gone out of support, and your system is missing several security patches that close critical vulnerabilities.

Please read https://wiki.ubuntu.com/1204_HWE_EOL
