I wish you could easily update the packages on Ubuntu ISO images

July 8, 2017

Our system for installing Ubuntu machines starts from a somewhat customized Ubuntu ISO image (generally burned onto a DVD, although I want to experiment with making it work on a USB stick) and proceeds through some post-install customization scripts. One of the things that these scripts do is apply all of the accumulated Ubuntu updates to the system. In the beginning, when an Ubuntu LTS release is fresh and bright and new, this update process doesn't need to do much and goes quite fast. As time goes by, this changes. With 16.04 about a year old by now, applying updates requires a significant amount of time on real hardware (especially on servers without SSDs).

Ubuntu does create periodic point updates for their releases, with updated ISO images; for 16.04, the most recent is 16.04.2, created in mid-February. But there's still a decent number of updates that have accumulated since then. What I wish for is a straightforward way for third parties (such as us) to create an ISO image that included all of the latest updates, and to do so any time they felt like it. If we could do this, we'd probably respin our install images on a regular basis, which would be good for other reasons as well (for example, getting regular practice with the build procedure, which is currently something we only do once every two years as a new LTS release comes out).

There is an Ubuntu wiki page on Install CD customization, with a section on adding extra packages, but the procedure is daunting and it's not clear if it's what you do if you're updating packages instead of adding new ones. Plus, there's no mention of a tool that will figure out and perhaps fetch all of the current updates for the set of packages on the ISO image (I suspect that such a tool exists, since it's so obvious a need). As a practical matter it's not worth our time to fight our way through the resulting collection of issues and work, since all we'd be doing is somewhat speeding up our installs (and we don't do that many installs).

Sidebar: Why this is an extra pain with Ubuntu (and Debian)

The short version is that it is because how Debian and thus Ubuntu have chosen to implement package security. In the RPM world, what gets signed is the individual package and any collection of these packages is implicitly trusted. In the Debian and Ubuntu world, what generally gets signed is the repository metadata that describes a pool of packages. Since the metadata contains the cryptographic checksums of all of the packages, the packages are implicitly protected by the metadata's signature (see, for example, Debian's page on secure apt).

There are some good reasons to want signed repository metadata (also), but in practice it creates a real pain point for including extra packages or updating the packages. In the RPM world, any arbitrary collection of signed packages is perfectly good, so you can arbitrarily update an ISO image with new official packages (which will all be signed), or include extra ones. But in the Debian and Ubuntu world, changing the set of packages means that you need new signed metadata, and that means that you need a new key to sign it with (and then you need to get the system to accept your key).

Comments on this page:

By rjc at 2017-07-08 01:20:58:

I know how that, as you have mentioned, this setup mostly works for you but what about using PXE-bootable Ubuntu installation with preseeding, which you have mentioned that you use anyway?

This way you get best of both worlds:

- you always get the newest packages

- preseeded d-i automation - including debconf-configured individual packages, etc.

- no need to ever remaster large DVD ISO images

- you avoid any 3rd party configuration management systems

This seems like the time and energy spent redoing the DVD or even USB installer each time, would be far greater than setting up network-bootable installation once and then simply adjust it every now and again - the amount of work later on is minimal.

By Aneurin Price at 2017-07-08 11:39:52:

Possibly I've misunderstood the problem, but is this not exactly what jigdo is for?

By cks at 2017-07-10 01:20:37:

My understanding is that Jigdo incrementally downloads things to reassemble existing, already-created images. However, our issue isn't with any downloading that might need to be done; our issue is that we want an image that doesn't yet exist (as far as I know), so we would need to create it ourselves. Thus Jigdo can't help us here, because it's not about creating new images, it's just about (re)assembling existing ones.

(Or perhaps I misunderstand how Jigdo is used.)

By Aneurin Price at 2017-07-10 14:27:23:

Hmm, it looks like you're right.

I was under the impression that updated jigdo files were automatically created when the archive is updated, making them a template for how to create an ISO based on the archive as it stands, but I've had a bit of a search and it seems Debian (all of the Ubuntu information I can find is out of date) only create them when they create ISOs for each point release. Possibly I was misled by all the talk of 'updating' ISOs, which in this context means 'from one point release to another'.

This seems like a rather major missed opportunity to me, but maybe there are good reasons.

Sorry for the noise.

By Usama at 2017-07-10 18:41:23:


To install, boot your computer from the the mini iso and select "Install" at the prompt. You can then follow the instructions from the text-based installer. On the software selection screen, you can select from a number of collections of software such as different desktop environments (kde, xfce, etc), a multitude of different servers, multimedia creation tools, media center (mythbuntu), etc. You can also select "Manual package selection" which will take you to aptitude. You may also select nothing and just continue to finish the installation. If you selected nothing, upon reboot you will arrive at a cli prompt; from here you can fully customize your new system.

By Miksa at 2017-07-13 06:44:10:

Another issue with the updated Ubuntu ISOs is, that I believe they come with updated kernels by default. Ubuntu 16.04 originally comes with kernel 4.4 and 16.04.2 comes with kernel 4.8 from Ubuntu 16.10.

The problem is that 4.8 isn't a LTS kernel, the suppport for it will end in august 2017 and you will be forced to do a major kernel upgrade to the Ubuntu 17.04 kernel. This is probably something you don't want to do in server/enterprise environment.

Hopefully you can choose the original LTS kernel during install, or you will need to downgrade the kernel afterwards.


By cks at 2017-07-13 11:39:38:

You can definitely choose the original LTS kernel during upgrades; our preseed file makes that choice, and our 16.04.2 based installs are all coming up with the original 4.4.0 LTS kernel.

For our purposes the kernel version doesn't matter and we're perfectly fine with hopping between versions if they work. There may even be benefits to it, depending on how things go. I hope that Ubuntu doesn't make you install an entirely new kernel package and just up-revs the linux-image-*-hwe package for you.

Written on 08 July 2017.
« Programming Bourne shell scripts is tricky, with dim corners
Why we're not currently interested in PXE-based Linux installs »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Jul 8 00:07:16 2017
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.