When talking about Patches in Ubuntu, it is needed first to understand the following patch related parts:

Packages

The collection of items that are updated on the endpoint.

Channel (Component)

For each pocket, there are 4 different components (from the Ubuntu wiki)

• Main - Canonical-supported free and open-source software (supported by the Ubuntu Security team).

• Restricted - Proprietary drivers for devices (supported by the Ubuntu Security team).

• Universe - Community-maintained free and open-source software.

• Multiverse - Software restricted by copyright or legal issues.

Note1: the standard Ubuntu installation is a collection of software from the main and restricted components. You can install additional software from the Ubuntu Software Center.

Repository (Pocket)

There are several pocket types for each version of Ubuntu (from the Ubuntu wiki)

• release: during the development cycle, this is the only pocket that is used. Once the development version is released, the release pocket is frozen and does not change (supported by the Ubuntu Security team).

• security: built with release and security. UpdateProcedures gives the process used for creating security updates (supported by the Ubuntu Security team).

• updates: as a matter of Ubuntu policy, packages in updates are not directly built, but rather copied from proposed after they have been tested. See StableReleaseUpdates for details (supported by the Ubuntu Security team).

• backports: built with release, security, updates and backports. See UbuntuBackports for details.

Note1: Packages in backports are supported by the community

Note2: There is another pocket, proposed, but we do not recommend using that pocket, because packages in proposed are the responsibility of the uploader.

Rollup

Represent a combination of Component and Pocket.

Example - A package that exists in the "release" pocket and belongs to "main" component is part of the "release main" rollups.

Ubuntu Beta Support

In JetPatch, the user will have the ability to update the Ubuntu packages at the "rollup" level. In other words, there will be up 16 different rollups (based on the customer environment) that are applicable to update for each ubuntu version in the environment. 

In an environment with all supported Ubuntu versions (16.04 - 20.04) and configured to work with all the possible components in all repositories there will be 48 applicable updates in JetPatch:

4 Components * 4 Pockets * 3 Ubuntu versions 

Updates Information In JetPatch Patches Catalog

JetPatch will analyze the supported rollups in each endpoint and will present the following information for each patch in the Patch Catalog:

Patch ID

The ID will be generated by JetPatch and will be determined by the Ubuntu version, Component, and Pocket in the following logic:

Note - the XX in the ID will be determined based on the Ubuntu version.  In Ubuntu 20.04 the XX will be “20”. For example, the patch from "release main" rollup will be “UBRM-JP:2011”.

Patch Description

Same as the Patch ID, the patch description will be generated by JetPatch and will be determined by the Ubuntu version, Component, and Pocket in the following logic:

Note - the version variable will be the codename of the Ubuntu version (bionic, focal, xenial).  For example, title from "release main" on Xenial will be xenial-main. Bionic = 20.04, Focal = 19.04, Xenial = 16.04

Patch Title

Combines the Patch ID + Patch Description.  Example UBRM-JP:2011 bionic-main 

Operating System

Each patch will belong to a single Operating System that will be visible in the Patches Catalog table.

Category

The patch Category will be determined by the pocket it belongs to:

• Release
• Security
• Updates
• Backports

Release Date

The Release Date for a patch will remain empty

Needed On

JetPatch will determine if there is a patch for Ubuntu is needed if there is an available update for a package that belongs to the rollup.

In case that there are no updates for any package in a specific rollup, the patch will be marked as compliant.

Rollback

Removal of Ubuntu patches is currently not supported.

Example1: Install all available security packages supported by the Ubuntu Security team 

First, understand the security Patch IDs that are supported by the Ubuntu Security team

Why?

• Packages in the main and restricted channels are supported by the Ubuntu Security team (source)
• Packages the security pocket are supported by the Ubuntu Security team (source)
• These packages are under http://security.ubuntu.com/

Example with Ubuntu 16.04 (xenial)

Relevant Security Patch Titles to install in JetPatch

• UBSM-JP:1621 xenial-security main
• UBSR-JP:1622 xenial-security restricted

Example with Ubuntu 18.04 (bionic)

Relevant Patch Titles to install in JetPatch

• UBSM-JP:2021 bionic-security main
• UBSR-JP:2022 bionic-security restricted

Example with Ubuntu 20.04 (focal)

Relevant Patch Titles to install in JetPatch

• UBSM-JP:2021 focal-security main
• UBSR-JP:2022 focal-security restricted

Once a patch is deployed, it will only show as needed on again once there are new updates to deploy.

Example2: Install all available packages supported by the Ubuntu Security team 

First, understand the Patch IDs that are supported by the Ubuntu Security team

Why?

• Packages in the main and restricted channels are supported by the Ubuntu Security team (source)
• Packages in the release, security, and updates pockets are supported by the Ubuntu Security team (source)

Example with Ubuntu 16.04 (xenial)

Relevant Patch Titles to install in JetPatch

• UBRM-JP:1611 xenial-main
• UBRR-JP:1612 xenial-restricted
• UBSM-JP:1621 xenial-security main
• UBSR-JP:1622 xenial-security restricted
• UBUM-JP:1631 xenial-updates main
• UBUR-JP:1632 xenial-updates restricted

Example with Ubuntu 18.04 (bionic)

Relevant Patch Titles to install in JetPatch

• UBRM-JP:2011 bionic-main
• UBRR-JP:2012 bionic-restricted
• UBSM-JP:2021 bionic-security main
• UBSR-JP:2022 bionic-security restricted
• UBUM-JP:2031 bionic-updates main
• UBUR-JP:2032 bionic-updates restricted

Example with Ubuntu 20.04 (focal)

Relevant Patch Titles to install in JetPatch

• UBRM-JP:2011 focal-main
• UBRR-JP:2012 focal-restricted
• UBSM-JP:2021 focal-security main
• UBSR-JP:2022 focal-security restricted
• UBUM-JP:2031 focal-updates main
• UBUR-JP:2032 focal-updates restricted

Once a patch is deployed, it will only show as needed on again once there are new updates to deploy.

FAQ: How do I know which packages are going to be deployed during patch execution?

 

1. Go to the Activities table
2. Filter by the relevant Remediation Plan
3. View the output of the "execute patch installation for single computer" activity on your Ubuntu machines.
4. Download the output to view as shown below.

The following NEW packages will be installed:
  linux-headers-5.4.0-80 linux-headers-5.4.0-80-generic
  linux-image-5.4.0-80-generic linux-modules-5.4.0-80-generic
  linux-modules-extra-5.4.0-80-generic
The following packages will be upgraded:
  alsa-ucm-conf apt apt-utils cloud-init initramfs-tools initramfs-tools-bin
  initramfs-tools-core libapt-pkg6.0 libnss-systemd libpam-modules
  libpam-modules-bin libpam-runtime libpam-systemd libpam0g libprocps8
  libssl1.1 libsystemd0 libudev1 linux-base linux-firmware linux-generic
  linux-headers-generic linux-image-generic openssl procps python-apt-common
  python3-apt python3-distupgrade snapd sosreport systemd systemd-sysv
  systemd-timesyncd ubuntu-release-upgrader-core udev update-notifier-common
36 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.