Enable Ubuntu PRO, Patch Securely, and Preserve MySQL 5.7
This is a how-to guide. For theory and background on Ubuntu ESM, apt pinning, and patch safety, see the reference article.
Prerequisites
- OS: Ubuntu 18.04 or 20.04
- Services: Apache2 (proxy), MySQL (5.7 or 8.0)
- Optional (if using Azure IaaS): Azure VM access (CLI)
Step 1: System State and Backup
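    lsb_release -a
    uname -r
    apache2 -v
    mysql --version
    apache2ctl -S

Backup critical files:

    sudo cp -a /etc/apache2 /var/backups/apache2_$(date +%F)
    # --result-file makes the root-run mysqldump write the file itself; a shell
    # redirect (>) is opened by the calling user and fails in root-owned /var/backups
    sudo mysqldump -u root -p --all-databases --result-file=/var/backups/db_backup_$(date +%F).sql

Step 2: Lock MySQL 5.7 (Optional)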
If you run MySQL 5.7 on Ubuntu 20.04, upgrading without holding the MySQL packages may force an upgrade to MySQL 8. To avoid this, hold version 5.7. Check your packages and hold the ones that are installed in your case:
    dpkg -l | grep mysql
    sudo apt-mark hold libmysqlclient20 \
        mysql-client-5.7 mysql-client-core-5.7 \
        mysql-common mysql-server-5.7 mysql-server-core-5.7

Create pinning file:

    sudo vim /etc/apt/preferences.d/mysql

    Package: mysql-server-5.7
    Pin: version 5.7*
    Pin-Priority: 1001

    Package: mysql-common
    Pin: version 5.8+1.0.4
    Pin-Priority: 1001

Validate:

    apt-mark showhold
    apt-cache policy mysql-server

Step 3: Enable Ubuntu PRO / ESM
Canonical Token
    sudo apt install ubuntu-advantage-tools
    sudo pro attach <your-canonical-token>
    sudo pro enable esm-infra
    sudo pro enable esm-apps
    sudo pro enable livepatch

Azure-native Ubuntu PRO
In the Azure CLI, log in with az login, choose your subscription, and run the following command:

    az vm update -g <rg> -n <vm> --license-type UBUNTU_PRO

On the VM itself run:

    sudo apt install ubuntu-advantage-tools
    sudo pro auto-attach

Check status:

    pro status

Step 4: Patch with Automation

    sudo apt update
    sudo apt install unattended-upgrades
    sudo dpkg-reconfigure unattended-upgrades

Dry run:

    sudo unattended-upgrade -d --dry-run

Full patch (interactive):

    sudo apt upgrade -y

Step 5: Reboot Consideration
Livepatch may avoid reboots for kernel CVEs, but not for kernel version updates:

    uname -r

If a newer kernel is pending:

    sudo reboot

Post-Patch Checks

    systemctl status mysql
    systemctl status apache2
    journalctl -xe

Next Steps
- Monitor logs: /var/log/mysql, /var/log/apache2, journalctl.
- Remove the pin/hold on MySQL 5.7 when migration to MySQL 8 is complete.
- See reference article for full technical explanation.
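
A pre-flight check for Steps 2 and 4, added here as an example and not part of the original guide: it lists installed MySQL packages that are missing from the hold list and flags any install or removal of a MySQL package in a simulated `apt-get -s upgrade` plan. The function names and the sample plan are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check to run between Step 2 and `apt upgrade`.
# Function names and SAMPLE_PLAN are constructed for illustration.

# Print MySQL packages from list $1 (installed) that are absent from
# list $2 (held). Both are whitespace-separated package names.
unheld_mysql() {
    for pkg in $1; do                      # unquoted on purpose: split on whitespace
        case "$pkg" in
            mysql-*|libmysqlclient*) ;;
            *) continue ;;
        esac
        printf '%s\n' $2 | grep -qxF -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# Read `apt-get -s upgrade` output on stdin and print every planned
# install/upgrade (Inst) or removal (Remv) that touches a MySQL package.
plan_violations() {
    awk '($1 == "Inst" || $1 == "Remv") &&
         $2 ~ /^(mysql-|libmysqlclient)/ { print $1, $2 }'
}

# Constructed simulation output; versions and origins are placeholders.
SAMPLE_PLAN='Inst libexample1 [1.0-old] (1.0-new Example:repo [amd64])
Inst mysql-common [5.8+1.0.4] (PLACEHOLDER-NEW Example:repo [all])
Remv mysql-server-5.7 [PLACEHOLDER-OLD]
Inst mysql-server-8.0 (PLACEHOLDER-NEW Example:repo [amd64])
Conf libexample1 (1.0-new Example:repo [amd64])'

echo "Unheld MySQL packages:"
unheld_mysql "apache2 mysql-common mysql-server-5.7 libmysqlclient20" \
             "mysql-common mysql-server-5.7"
echo "Plan actions touching MySQL:"
printf '%s\n' "$SAMPLE_PLAN" | plan_violations

# On a real host (dpkg-query also lists removed-but-not-purged packages):
#   unheld_mysql "$(dpkg-query -W -f='${Package}\n')" "$(apt-mark showhold)"
#   apt-get -s upgrade | plan_violations
# Any output from either command means: stop and fix holds/pins first.
```

With the holds from Step 2 in place, both commands should print nothing before you run the full patch.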