38

I would like to inhibit the generation of the following messages when I ssh into my machine

Expanded Security Maintenance for Applications is not enabled.

Enable ESM Apps to receive additional future security updates. See https://ubuntu.com/esm or run: sudo pro status

For some reason (I do not care to speculate why) these messages are not emitted through the normal motd process, but seem to emanate from update-notifier. There are scripts in the motd directory that appear to generate these messages, but removing them has no effect.

How can I prevent my system from generating these messages at login?

6 Answers

42

These messages are defined in /usr/lib/update-notifier/apt_check.py with no flags to disable them.

Here's a sed command that will neuter the functions that generate the messages by inserting a return statement as the first line of the message function:

sudo sed -Ezi.orig \
  -e 's/(def _output_esm_service_status.outstream, have_esm_service, service_type.:\n)/\1    return\n/' \
  -e 's/(def _output_esm_package_alert.*?\n.*?\n.:\n)/\1    return\n/' \
  /usr/lib/update-notifier/apt_check.py

A diff of the old and new files looks like this:

$ diff -u /usr/lib/update-notifier/apt_check.py{.orig,}
--- /usr/lib/update-notifier/apt_check.py.orig  2023-02-22 11:33:39.476095290 -0500
+++ /usr/lib/update-notifier/apt_check.py   2023-02-22 11:59:41.396527682 -0500
@@ -160,6 +160,7 @@
 def _output_esm_package_alert(
     outstream, service_type, disabled_pkg_count, is_esm=False
 ):
+    return
     " output the number of upgradable packages if esm service was enabled "
     outstream.write("\n")
     if disabled_pkg_count > 0:
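
Review bot: in _output_esm_package_alert the added return sits above the string literal on the following line, so that string is no longer the function's docstring and the whole body becomes unreachable. Putting the return after the docstring line, with a short comment saying why the output is suppressed, keeps the function documented and makes the local change easy to spot when comparing against apt_check.py.orig.
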
@@ -206,6 +207,7 @@

def _output_esm_service_status(outstream, have_esm_service, service_type):

  • return if have_esm_service: outstream.write(gettext.dgettext("update-notifier", "Expanded Security Maintenance for "
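
Review bot: the return added at the top of _output_esm_service_status runs before the "if have_esm_service:" test, so the status line is dropped on hosts where the service is enabled as well as on hosts where it is not. If only the "not enabled" notice should go, return only when have_esm_service is false (for example "if not have_esm_service: return") and leave the enabled branch writing to outstream.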

Test the fix with this command:

$ /usr/lib/update-notifier/apt_check.py --human-readable
1 update can be applied immediately.
To see these additional updates run: apt list --upgradable

Regenerate the cached message file

sudo /usr/lib/update-notifier/update-motd-updates-available --force
jwatson0
  • 544
27

The easiest way I found to avoid this esm message is to comment out the esm-repo in

/var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-apps.list

# Written by ubuntu-advantage-tools

#deb https://esm.ubuntu.com/apps/ubuntu jammy-apps-security main

deb-src https://esm.ubuntu.com/apps/ubuntu jammy-apps-security main

#deb https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates main

deb-src https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates main

Update: in later versions the file

/var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-apps.list

has been replaced by

/var/lib/ubuntu-advantage/apt-esm/etc/apt/sources.list.d/ubuntu-esm-apps.sources 

Now you have to comment out the entries there.

The same applies to a freshly installed Ubuntu Noble.

nobody
  • 5,792
20

This is now much easier to do with the most recent version of update-notifier by creating a marker file called hide-esm-in-motd in /var/lib/update-notifier/.

Check version of update-notifier

Depending on which version of Ubuntu you have installed, make sure you've upgraded to a version of update-notifier that implements this change.

You can check to see which version you have installed by running the following command:

apt-cache policy update-notifier

Make sure you have at least the following version or greater installed:

Xenial 16.04

  • update-notifier 3.168.22

Bionic 18.04

  • update-notifier 3.192.1.21

Focal 20.04

  • update-notifier 3.192.30.19

Jammy 22.04

  • update-notifier 3.192.54.8

Noble 24.04

  • update-notifier 3.192.68

If you have an earlier version, upgrade using sudo apt upgrade.


Bug Report

This was reported as Bug #2015420 on Launchpad, where you can read more information about it.

The origin of this bug was first discussed on GitHub:

ua/pro/ubuntu-advantage does not disable the MOTD advertising ESM updates


Implement the fix

Create the marker file:

sudo touch /var/lib/update-notifier/hide-esm-in-motd

This will cause the /usr/lib/update-notifier/update-motd-updates-available script to include a --no-esm-messages flag when generating the outputs in the file: /var/lib/update-notifier/updates-available. This script is called whenever you run apt update.

Before implementing this change, you'll see the following at the bottom of your MOTD at login:

--------------------------------------------------------

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates. See https://ubuntu.com/esm or run: sudo pro status


After creating the marker file, run the following commands to test:

sudo rm /var/lib/update-notifier/updates-available
sudo apt update

Then logout/login or connect via ssh localhost and you'll notice that the ESM message is no longer present at the bottom of the MOTD:

--------------------------------------------------------

0 updates can be applied immediately.



Note

The bug description on Launchpad indicates that the marker file should be in /var/lib/ubuntu-advantage/, but on my systems, I place the file in /var/lib/update-notifier/ instead.

If you look at the source code for the script, /usr/lib/update-notifier/update-motd-updates-available, you'll see the following section. This clearly indicates that the marker file is in /var/lib/update-notifier/ and not /var/lib/ubuntu-advantage/.

# should we hide esm-related information in the output
no_esm_file="/var/lib/update-notifier/hide-esm-in-motd"
if [ -e "$no_esm_file" ]; then
    NO_ESM_MESSAGES="--no-esm-messages"
fi
mpboden
  • 3,046
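
The version gate and the post-change check from the marker-file method above, as an added example (not part of the answer or of update-notifier). Function names and the sample version strings are constructed; the sort -V fallback is an assumption that holds for these dotted numeric versions.

```shell
#!/bin/sh
# Minimum update-notifier version per release, copied from the list above.
min_version_for() {
    case "$1" in
        xenial) echo 3.168.22 ;;
        bionic) echo 3.192.1.21 ;;
        focal)  echo 3.192.30.19 ;;
        jammy)  echo 3.192.54.8 ;;
        noble)  echo 3.192.68 ;;
        *)      return 1 ;;   # release not in the list
    esac
}

# version_ge A B: succeeds when A >= B. Prefers dpkg's comparison; the
# sort -V fallback is an approximation that holds for dotted numeric versions.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# marker_supported CODENAME VERSION: 0 = marker file is read, 1 = too old,
# 2 = release not covered by the list.
marker_supported() {
    min=$(min_version_for "$1") || return 2
    version_ge "$2" "$min"
}

# esm_line_count FILE: ESM lines still present in a cached MOTD fragment.
esm_line_count() {
    grep -c -E 'Expanded Security Maintenance|Enable ESM Apps' "$1" || true
}

# Constructed sample inputs; on a real host read the version from
# `apt-cache policy update-notifier` and the cache from
# /var/lib/update-notifier/updates-available.
for pair in "jammy 3.192.54.6" "jammy 3.192.54.8" "noble 3.192.68"; do
    set -- $pair
    if marker_supported "$1" "$2"; then
        echo "$1 $2: hide-esm-in-motd is honored"
    else
        echo "$1 $2: upgrade update-notifier first"
    fi
done
```

Hiding the MOTD lines does not change whether ESM is enabled; sudo pro status still reports that.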
10

This is what you need to do in order to disable ESM altogether:

sudo touch /var/lib/ubuntu-advantage/hide-esm-in-motd
sudo touch /var/lib/update-notifier/hide-esm-in-motd
sudo rm -rf /var/lib/update-notifier/updates-available
sudo apt update

And that's it. No more ESM in MOTD.

By adding those 2 files, the updater checks if they exist, and if they exist, it will not show messages about ESM in the MOTD.

The first file is for the oldest versions of Ubuntu where ESM was first introduced, and was later deprecated (but can still exist). The second one actually does the work.

This is not documented, but it works. You can see for yourself in the file /usr/lib/update-notifier/update-motd-updates-available

# should we hide esm-related information in the output
no_esm_file="/var/lib/update-notifier/hide-esm-in-motd"
if [ -e "$no_esm_file" ]; then
    NO_ESM_MESSAGES="--no-esm-messages"
fi
SpaleKG
  • 109
5

Using e.g. bash:
create .hushlogin and add something like this to an init file like .bashrc_profile

 grep 'immediately' /var/lib/update-notifier/updates-available
 grep 'security' /var/lib/update-notifier/updates-available
 grep 'upgradable' /var/lib/update-notifier/updates-available
 /etc/update-motd.d/98-reboot-required

On login:

2 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
*** System restart required ***

Note that /var/lib/update-notifier/updates-available may be mode 0600 so you'll have to fix that.

PaulG
  • 51
2

Finished product

Another way to do it:

cd /etc/update-motd.d/

rm 50-motd-news 91-contract-ua-esm-status

nano /var/lib/update-notifier/updates-available

So that only

  0 updates can be applied immediately.

(One blank line on top, two spaces before '0')

nano 10-help-text

comment out

#printf "\n"
#printf " * Documentation:  https://help.ubuntu.com\n"
#printf " * Management:     https://landscape.canonical.com\n"
#printf " * Support:        https://ubuntu.com/advantage\n"