39

I would like to inhibit the generation of the following messages when I ssh into my machine

Expanded Security Maintenance for Applications is not enabled.


Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

For some reason (I do not care to speculate why) these messages are not emitted through the normal motd process, but seem to emanate from update-notifier. There are scripts in the motd directory that appear to generate these messages, but removing them has no effect.

How can I prevent my system from generating these messages at login?

Organic Marble
  • 24,913

6 Answers6

42

These messages are defined in /usr/lib/update-notifier/apt_check.py with no flags to disable them.

Here's a sed command that will neuter the functions that generate the messages by inserting a return statement as the first line of the message function:

sudo sed -Ezi.orig \
  -e 's/(def _output_esm_service_status.outstream, have_esm_service, service_type.:\n)/\1    return\n/' \
  -e 's/(def _output_esm_package_alert.*?\n.*?\n.:\n)/\1    return\n/' \
  /usr/lib/update-notifier/apt_check.py

A diff of the old and new files looks like this:

$ diff -u /usr/lib/update-notifier/apt_check.py{.orig,}
--- /usr/lib/update-notifier/apt_check.py.orig  2023-02-22 11:33:39.476095290 -0500
+++ /usr/lib/update-notifier/apt_check.py   2023-02-22 11:59:41.396527682 -0500
@@ -160,6 +160,7 @@
 def _output_esm_package_alert(
     outstream, service_type, disabled_pkg_count, is_esm=False
 ):
+    return
     " output the number of upgradable packages if esm service was enabled "
     outstream.write("\n")
     if disabled_pkg_count > 0:
@@ -206,6 +207,7 @@


def _output_esm_service_status(outstream, have_esm_service, service_type):


    

  • return
if have_esm_service:
outstream.write(gettext.dgettext("update-notifier",
"Expanded Security Maintenance for "

Test the fix with this command:

$ /usr/lib/update-notifier/apt_check.py --human-readable
1 update can be applied immediately.
To see these additional updates run: apt list --upgradable

Regenerate the cached message file

sudo /usr/lib/update-notifier/update-motd-updates-available --force
jwatson0
  • 544
  • 4
  • 3
  • 3
    Works on Ubuntu 22.10. – bvargo Feb 26 '23 at 19:02
  • 3
    And Ubuntu 22.04 – bvargo Mar 11 '23 at 18:14
  • 1
    Is there an advantage to using /usr/lib/update-notifier/apt_check.py --human-readable vs sudo run-parts /etc/update-motd.d/ to test the patch? – bvargo Mar 11 '23 at 18:19
  • 1
    Interestingly, after apply the fix above, testing with /usr/lib/update-notifier/apt_check.py --human-readable gives the desired output, while testing with sudo run-parts /etc/update-motd.d/ gives the output with ESM junk. Unfortunately I still get the ESM junk on login, which suggests the latter is the better test... :/ – rednoyz Sep 25 '23 at 06:49
  • 1
    @rednoyz Just throwing my notes in here: the run-parts command runs teh scripts in that folder, and those scripts really just paste out a text file that's been generated before. I believe if you use jwatson0's last line for regenerating the cached message, that the run-parts command, and your login, will work correctly. – DauntlessRob Nov 15 '23 at 00:40
27

The easiest way I found to avoid this esm message is to comment out the esm-repo in

/var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-apps.list

# Written by ubuntu-advantage-tools


#deb https://esm.ubuntu.com/apps/ubuntu jammy-apps-security main


deb-src https://esm.ubuntu.com/apps/ubuntu jammy-apps-security main


#deb https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates main


deb-src https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates main

Update: in later versions the file

/var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-apps.list

has been replaced by

/var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-apps.sources

Now you have to comment out the entries there.

The same is for fresh installed ubuntu noble.

Community
  • 1
nobody
  • 5,812
  • 4
    this should be the accepted answer. works perfectly – taiyodayo Mar 04 '23 at 08:19
  • 2
    @taiyodayo I don't have that repo (or even the /var/lib/ubuntu-advantage/apt-esm directory), so this should not be the accepted answer. – Organic Marble Mar 31 '23 at 18:06
  • @OrganicMarble which ubuntu release? Only tested in jammy. – nobody Mar 31 '23 at 18:59
  • @nobody that's a great point. I have 20.04 but I never said that. I'll add the tag. And have an upvote. – Organic Marble Mar 31 '23 at 19:55
  • confirmed this working on Ubuntu 20.04.6 LTS. maybe it is different in older point releases? In that case it is probably advisable to upgrade 20.04 to the latest version. – taiyodayo Apr 03 '23 at 05:55
  • 1
    @taiyodayo I am running 20.04.6. But I have been removing ubuntu advantage's whack-a-mole installs since they started appearing, so maybe that's why I don't have the directories. – Organic Marble Apr 04 '23 at 14:10
  • Weird. I'm also running 22.04 LTS jammy, and the /var/lib/ubuntu-advantage directory exists but is empty. I'm still getting the advertisement spam in the generated MOTD. – Ti Strga Apr 10 '23 at 19:29
  • @TiStrga fresh install or upgrade. (mine is an upgrated release since 19.04) – nobody Apr 11 '23 at 10:28
  • 1
    @nobody Ours are semi-fresh installs. More specifically, they're Canonical's official "pre-configured" images for AWS EC2, but "always have been 22.04 rather than upgraded from earlier LTS," if that's what you mean. Maybe that's the crucial difference? – Ti Strga Apr 11 '23 at 16:22
  • 1
    I reverted my changes in the file I mentioned. And get the esm message back. But I have a simple desktop install no AWS image or something similiar. This could be the difference. – nobody Apr 11 '23 at 16:27
  • Didn't work for me on ubuntu 22.04 – rednoyz Sep 25 '23 at 06:50
23

This is now much easier to do with the most recent version of update-notifier by creating a marker file called hide-esm-in-motd in /var/lib/update-notifier/.

Check version of update-notifier

Depending on which version of Ubuntu you have installed, make sure you've upgraded to a version of update-notifier that implements this change.

You can check to see which version you have installed by running the following command:

apt-cache policy update-notifier

Make sure you have at least the following version or greater installed:

Xenial 16.04

  • update-notifier 3.168.22

Bionic 18.04

  • update-notifier 3.192.1.21

Focal 20.04

  • update-notifier 3.192.30.19

Jammy 22.04

  • update-notifier 3.192.54.8

Noble 24.04

  • update-notifier 3.192.68

If you have an earlier version, upgrade using sudo apt upgrade.

Bug Report

This was reported as Bug #2015420 on Launchpad, where you can read more information about it.

The origin of this bug was first discussed on GitHub:

ua/pro/ubuntu-advantage does not disable the MOTD advertising ESM updates

Implement the fix

Create the marker file:

sudo touch /var/lib/update-notifier/hide-esm-in-motd

This will cause the /usr/lib/update-notifier/update-motd-updates-available script to include a --no-esm-messages flag when generating the outputs in the file: /var/lib/update-notifier/updates-available. This script is called whenever you run apt update.

Before implementing this change, you'll see the following at the bottom of your MOTD at login:

--------------------------------------------------------


Expanded Security Maintenance for Applications is not enabled.


0 updates can be applied immediately.


Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

After creating the marker file, run the following commands to test:

sudo rm /var/lib/update-notifier/updates-available
sudo apt update

Then logout/login or connect via with ssh localhost and you'll notice that the ESM message is no longer present at the bottom of the MOTD:

--------------------------------------------------------


0 updates can be applied immediately.

Note

The bug description on Launchpad indicates that the marker file should be in /var/lib/ubuntu-advantage/, but on my systems, I place the file in /var/lib/update-notifier/ instead.

If you look at the source code for the script, /usr/lib/update-notifier/update-motd-updates-available, you'll see the following section. This clearly indicates that the marker file is in var/lib/update-notifier/ and not var/lib/ubuntu-advantage/.

# should we hide esm-related information in the output
no_esm_file="/var/lib/update-notifier/hide-esm-in-motd"
if [ -e "$no_esm_file" ]; then
    NO_ESM_MESSAGES="--no-esm-messages"
fi
mpboden
  • 3,134
  • 1
    Just a little note: as mentioned in the @jwatson0's answer, can be useful to refresh the cache by root user: /usr/lib/update-notifier/update-motd-updates-available --force – dharman Sep 20 '24 at 07:46
  • 1
    This was the key in Ubuntu Server 24.04. I had to upgrade first and then the trick of hide-esm-in-motd etc works great. – cdsaenz Jul 23 '25 at 01:05
10

This is what you need to do in order to disable ESM at all:

sudo touch /var/lib/ubuntu-advantage/hide-esm-in-motd
sudo touch /var/lib/update-notifier/hide-esm-in-motd
sudo rm -rf /var/lib/update-notifier/updates-available
sudo apt update

And that's it. No more ESM in MOTD.

By adding those 2 files, the updater checks if they exist, and if exist then it will not show messages about ESM in the MOTD.

The first file is for the oldest versions of Ubuntu where ESM was introduced for the first time and later it is deprecated (but still can exist). The second one actually did the work.

This is not documented but it works. You can see by yourself in file /usr/lib/update-notifier/update-motd-updates-available

50  # should we hide esm-related information in the output
51  no_esm_file="/var/lib/update-notifier/hide-esm-in-motd"
52  if [ -e "$no_esm_file" ]; then
53     NO_ESM_MESSAGES="--no-esm-messages"
54  fi
SpaleKG
  • 109
  • 1
    Why do you create 2 files and do nothing with them? Does your fix disable the update notifier? Explanation needed. – Organic Marble Apr 15 '24 at 12:20
  • 1
    f you try this you will get an answer to your second question.

    I have created 2 files because the notifier checks about those files existing. If they exist then messages are disabled. This is the simplest method for fixing this issue. To find this you need to look in the source code of notifier because this is not documented.

    So please don't put "-1" vote before even trying this and to see that it simply works and it is the simplest method to fix the issue.

     – SpaleKG Apr 16 '24 at 07:06
  • 1
    This is actually a great answer, better than injecting return statements in Python scripts with sed, however you have to understand, before a basic explanation was given it was worth very little. Unexplained nonsense unfortunately punctually gets posted every day on this site, so people are a little wary of short unexplained answers (and in general it's still worth elaborate at least a little bit). +1. – kos Apr 16 '24 at 07:34
  • By the way, another reason: besides the added sudo touch /var/lib/ubuntu-advantage/hide-esm-in-motd, which was back then unexplained, this was mostly the same as mpboden's answer. – kos Apr 16 '24 at 07:41
  • 1
    This is a duplicate answer of mine but incorrectly instructs to create the file /var/lib/ubuntu-advantage/hide-esm-in-motd. This file is not needed, and the source code you quoted clearly indicates what file it is checking for. So other than that, your answer does not provide any new information than mine does. – mpboden Apr 16 '24 at 14:19
  • I have added explanation for that file. It was about old versions of Ubuntu where ESM is introduced for the first time. So if someone have old version of Ubuntu which is not updated for any reason then that file fix the issue too. – SpaleKG Apr 17 '24 at 06:15
5

Using e.g. bash:
create .hushlogin and add something like this to an init file like .bashrc_profile

 grep 'immediately' /var/lib/update-notifier/updates-available
 grep 'security' /var/lib/update-notifier/updates-available
 grep 'upgradable' /var/lib/update-notifier/updates-available
 /etc/update-motd.d/98-reboot-required

On login:

2 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
*** System restart required ***

Note that /var/lib/update-notifier/updates-available may be mode 0600 so you'll have to fix that.

PaulG
  • 51
  • 2
  • 1
    This looks like a valid approach so +1. I ended up just disabling update-notifier and wrote my own script that runs at login and shows the number of updates. – Organic Marble Feb 09 '23 at 17:57
  • 1
    @OrganicMarble: would you please post that script either here or somewhere else? – bvargo Feb 26 '23 at 19:02
  • @bvargo I posted it in answer to another question, and a smarter user than me pointed out that it was wrong. So now I use the method in the accepted answer here. – Organic Marble Feb 26 '23 at 19:13
2

Finished product

Another way to do it:

cd /etc/update-motd.d/

rm 50-motd-news 91-contract-ua-esm-status

nano /var/lib/update-notifier/updates-available

So that only

  0 updates can be applied immediately.

(One blank line on top, two spaces before '0')

nano 10-help-text

comment out

#printf "\n"[enter image description here][1]
#printf " * Documentation:  https://help.ubuntu.com\n"
#printf " * Management:     https://landscape.canonical.com\n"
#printf " * Support:        https://ubuntu.com/advantage\n"
lane_ftw
  • 21