Portal | Level: L1: Foundations | Topics: Debian & Ubuntu Ecosystem, Linux Fundamentals, Package Management | Domain: Linux

Debian & Ubuntu Ecosystem — Primer

Why This Matters

Debian and Ubuntu are the most widely deployed Linux family outside the Red Hat ecosystem. Ubuntu dominates cloud instances (AWS default AMI, most Docker base images), developer workstations, and CI runners. Debian is the stability bedrock that Ubuntu, Kali, Raspberry Pi OS, and dozens of other distros build on. If you manage Linux in production, you will encounter the Debian family.

---

Debian vs Ubuntu — Key Differences

Aspect	Debian	Ubuntu
Release model	Stable/Testing/Unstable	Time-based (April/October)
LTS support	~5 years (with LTS team)	5 years standard, 10 with ESM
Default MAC	AppArmor (since Buster)	AppArmor
Init system	systemd	systemd
Package format	.deb	.deb
Package manager	apt	apt (+ snap)
Networking	ifupdown or NetworkManager	Netplan (→ NetworkManager or systemd-networkd)
Firewall	nftables/iptables (no default frontend)	ufw (frontend for iptables/nftables)
Target audience	Servers, stability-critical	Cloud, desktop, developers
Naming	Codenames (Bookworm, Bullseye)	Version numbers (22.04, 24.04) + codenames

---

APT Deep Dive

Name origin: Debian is named after its founder Ian Murdock and his then-girlfriend (later wife) Debra — Debra + Ian = Debian. Ian Murdock started the project in 1993. Ubuntu, launched by Mark Shuttleworth in 2004, takes its name from the Southern African philosophy meaning "I am because we are."

Package Management Architecture

dpkg          ← low-level: install/remove .deb files
  ↑
apt / apt-get ← high-level: resolve dependencies, fetch from repos
  ↑
sources.list  ← repository configuration

Essential Commands

# Update package index (does NOT upgrade packages)
sudo apt update

# Upgrade all packages (safe — never removes packages)
sudo apt upgrade

# Full upgrade (may remove packages to resolve conflicts)
sudo apt full-upgrade

# Install a package
sudo apt install nginx

# Install a specific version
sudo apt install nginx=1.24.0-1ubuntu1

# Remove a package (keeps config files)
sudo apt remove nginx

# Remove package + config files
sudo apt purge nginx

# Remove unused dependencies
sudo apt autoremove

# Search for packages
apt search nginx
apt-cache search nginx

# Show package details
apt show nginx
apt-cache policy nginx    # shows version and repo source

# List installed packages
dpkg -l | grep nginx
apt list --installed | grep nginx

# Which package owns a file?
dpkg -S /usr/sbin/nginx

# List files in a package
dpkg -L nginx

# Download without installing
apt download nginx

# Simulate an install (dry run)
apt install --simulate nginx

Repository Configuration

# Main sources file
cat /etc/apt/sources.list

# Additional sources (drop-in directory)
ls /etc/apt/sources.list.d/

# Modern DEB822 format (Ubuntu 24.04+)
cat /etc/apt/sources.list.d/ubuntu.sources

Classic format (sources.list):

deb http://archive.ubuntu.com/ubuntu/ jammy main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ jammy-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ jammy-security main restricted universe multiverse

Components explained: - main — Canonical-supported free software - restricted — proprietary drivers (Nvidia, etc.) - universe — community-maintained free software - multiverse — non-free software

Debian components: - main — DFSG-compliant, supported - contrib — DFSG-compliant but depends on non-free - non-free — non-DFSG software - non-free-firmware — firmware blobs (Bookworm+)

Adding Third-Party Repositories

# Modern approach (signed)
curl -fsSL https://example.com/key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/example.gpg

echo "deb [signed-by=/usr/share/keyrings/example.gpg] https://repo.example.com/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/example.list

sudo apt update

APT Pinning (Version Holds)

# Hold a package at current version (prevent upgrades)
sudo apt-mark hold nginx

# Unhold
sudo apt-mark unhold nginx

# List held packages
apt-mark showhold

# Pin via preferences (advanced)
cat > /etc/apt/preferences.d/nginx <<EOF
Package: nginx
Pin: version 1.24.0*
Pin-Priority: 1001
EOF

Unattended Upgrades

# Install
sudo apt install unattended-upgrades

# Enable
sudo dpkg-reconfigure -plow unattended-upgrades

# Config: /etc/apt/apt.conf.d/50unattended-upgrades
# Controls: which packages to auto-update, reboot policy, email alerts

---

AppArmor

Gotcha: AppArmor ships enabled by default on Debian 10+ and Ubuntu, but most services do not have profiles loaded. Running aa-status will show only a handful of profiled binaries (typically snap apps and a few daemons). This means most processes run unconfined — AppArmor is "on" but protecting very little until you create or install profiles.

AppArmor is the default Mandatory Access Control (MAC) system on Debian/Ubuntu (vs SELinux on RHEL).

Core Concepts

Profiles → Define what a process can access
Modes:
  enforce  → violations are blocked and logged
  complain → violations are logged but allowed
  disabled → profile not loaded

Essential Commands

# Check AppArmor status
sudo aa-status
sudo apparmor_status

# List profiles and their modes
sudo aa-status | grep -E "enforce|complain"

# Put a profile in complain mode (for debugging)
sudo aa-complain /usr/sbin/nginx

# Put a profile back in enforce mode
sudo aa-enforce /usr/sbin/nginx

# Disable a profile
sudo ln -s /etc/apparmor.d/usr.sbin.nginx /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.nginx

# Re-enable a profile
sudo rm /etc/apparmor.d/disable/usr.sbin.nginx
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx

# Reload all profiles
sudo systemctl reload apparmor

# Generate a profile from logs (after running in complain mode)
sudo aa-logprof

Profile Structure

# /etc/apparmor.d/usr.sbin.nginx
/usr/sbin/nginx {
  # Include common abstractions
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Allow reading web content
  /var/www/** r,

  # Allow reading config
  /etc/nginx/** r,

  # Allow writing logs
  /var/log/nginx/** w,

  # Allow listening on network
  network inet stream,
  network inet6 stream,

  # Allow reading SSL certs
  /etc/ssl/** r,

  # Deny everything else (implicit)
}

AppArmor vs SELinux

Aspect	AppArmor	SELinux
Approach	Path-based (filenames)	Label-based (inodes)
Complexity	Simpler to learn	Steeper learning curve
Default distro	Debian, Ubuntu, SUSE	RHEL, CentOS, Fedora
Profiles	Per-binary	Per-process type
Learning mode	complain	permissive
Enforcement	Per-profile	System-wide
Coverage	Only profiled binaries	All processes

---

UFW (Uncomplicated Firewall)

UFW is the default firewall frontend on Ubuntu.

# Enable/disable
sudo ufw enable
sudo ufw disable

# Check status
sudo ufw status
sudo ufw status verbose
sudo ufw status numbered

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow by service name
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

# Allow by port
sudo ufw allow 8080/tcp
sudo ufw allow 5000:5100/tcp    # port range

# Allow from specific IP
sudo ufw allow from 192.168.1.0/24 to any port 22

# Deny a port
sudo ufw deny 3306/tcp

# Delete a rule (by number)
sudo ufw status numbered
sudo ufw delete 3

# Delete a rule (by specification)
sudo ufw delete allow 8080/tcp

# Reset to defaults
sudo ufw reset

# Application profiles
sudo ufw app list
sudo ufw allow 'Nginx Full'

UFW vs firewalld

Aspect	UFW (Debian/Ubuntu)	firewalld (RHEL)
Backend	iptables/nftables	nftables
Zones	No zone concept	Zone-based (public, internal, etc.)
Rich rules	Limited	Extensive
Complexity	Simple	More powerful
Runtime vs permanent	Always permanent	Separate runtime/permanent

---

Netplan (Ubuntu Networking)

Ubuntu 17.10+ uses Netplan as the network configuration abstraction layer.

Architecture

Netplan YAML → renderer (NetworkManager or systemd-networkd) → network config

Configuration

# /etc/netplan/01-config.yaml
network:
  version: 2
  renderer: networkd    # or NetworkManager

  ethernets:
    eth0:
      dhcp4: true

    eth1:
      addresses:
        - 192.168.1.100/24
      routes:
        - to: default
          via: 192.168.1.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
        search:
          - example.com

Commands

# Apply changes
sudo netplan apply

# Test changes (auto-reverts after 120s if not confirmed)
sudo netplan try

# Generate backend config without applying
sudo netplan generate

# Debug
sudo netplan --debug apply

# Show current config
sudo netplan get

Netplan vs nmcli vs ifupdown

Method	Used by	Config files
Netplan	Ubuntu 17.10+	/etc/netplan/*.yaml
nmcli / NetworkManager	RHEL, Fedora, optional Debian	/etc/NetworkManager/
ifupdown	Legacy Debian	/etc/network/interfaces
systemd-networkd	Minimal/server	/etc/systemd/network/*.network

---

Debian/Ubuntu Service Management

Same systemd as RHEL, but some Debian-specific patterns:

# Services
sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl status nginx

# Debian-specific: update-rc.d (legacy SysV compat)
sudo update-rc.d nginx defaults      # enable at boot
sudo update-rc.d nginx disable       # disable at boot

# Check boot targets
systemctl get-default
sudo systemctl set-default multi-user.target

# Journal
journalctl -u nginx -f               # follow logs
journalctl --since "1 hour ago"
journalctl -p err                     # errors only

---

Preseed (Debian Automated Installation)

Preseed is Debian's answer to RHEL's Kickstart for unattended installs.

# preseed.cfg (minimal example)
d-i debian-installer/locale string en_US.UTF-8
d-i keyboard-configuration/xkb-keymap select us
d-i netcfg/choose_interface select auto
d-i netcfg/get_hostname string server01
d-i mirror/http/hostname string deb.debian.org
d-i mirror/http/directory string /debian
d-i partman-auto/method string regular
d-i partman-auto/choose_recipe select atomic
d-i passwd/root-password-crypted password $6$...
d-i pkgsel/include string openssh-server
d-i grub-installer/bootdev string /dev/sda
d-i finish-install/reboot_in_progress note

Preseed vs Kickstart

Aspect	Preseed (Debian)	Kickstart (RHEL)
Format	debconf key=value	Custom scripting format
Delivery	HTTP, file, initrd	HTTP, NFS, file
Partitioning	partman recipes	clearpart/part directives
Package selection	tasksel + pkgsel	%packages section
Post-install scripts	d-i preseed/late_command	%post section
Tool to generate	debconf-get-selections	system-config-kickstart, GUI

---

Cloud-Init on Ubuntu

Ubuntu is cloud-init's home distro (Canonical maintains it).

# /etc/cloud/cloud.cfg.d/99-custom.cfg
#cloud-config
hostname: web01
manage_etc_hosts: true

users:
  - name: deploy
    groups: sudo
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - ssh-ed25519 AAAA... deploy@management

packages:
  - nginx
  - fail2ban

runcmd:
  - systemctl enable nginx
  - systemctl start nginx
  - ufw allow 'Nginx Full'
  - ufw --force enable

write_files:
  - path: /etc/motd
    content: |
      Managed by cloud-init

# Check cloud-init status
cloud-init status

# Re-run cloud-init
sudo cloud-init clean
sudo cloud-init init

# View logs
cat /var/log/cloud-init.log
cat /var/log/cloud-init-output.log

# Query instance metadata
cloud-init query instance-id
cloud-init query ds.meta_data

---

Ubuntu LTS Lifecycle

Release    EOL (standard)   EOL (ESM)     Kernel
18.04 LTS  April 2023       April 2028    4.15 → HWE 5.4
20.04 LTS  April 2025       April 2030    5.4  → HWE 5.15
22.04 LTS  April 2027       April 2032    5.15 → HWE 6.5
24.04 LTS  April 2029       April 2034    6.8  → HWE TBD

ESM (Extended Security Maintenance) — Canonical provides security patches for an additional 5 years. Free for personal use (up to 5 machines) via Ubuntu Pro.

HWE (Hardware Enablement) — newer kernel backported to LTS for hardware support.

# Check current kernel
uname -r

# Install HWE kernel
sudo apt install linux-generic-hwe-22.04

# Check Ubuntu Pro status
pro status

---

Snap Packages (Ubuntu-Specific)

Ubuntu ships snap as a parallel package system alongside apt.

# List installed snaps
snap list

# Search for snaps
snap find firefox

# Install a snap
sudo snap install firefox

# Remove a snap
sudo snap remove firefox

# Update all snaps
sudo snap refresh

# Revert to previous version
sudo snap revert firefox

# List snap services
snap services

# Snap connections (permissions)
snap connections firefox

Controversy: Snap uses loop mounts (visible in df/mount), auto-updates without control, and some packages are snap-only on Ubuntu (Firefox, Chromium). Many admins prefer to disable snap and use apt or flatpak instead.

---

Wiki Navigation

Prerequisites

• Linux Ops (Topic Pack, L0)

Next Steps

• LPIC / LFCS Exam Preparation (Topic Pack, L2)

Related Content

• Linux Distribution Comparison (Topic Pack, L1) — Debian & Ubuntu Ecosystem, Linux Fundamentals
• Linux Ops (Topic Pack, L0) — Linux Fundamentals, Package Management
• Skillcheck: Linux Fundamentals (Assessment, L0) — Linux Fundamentals, Package Management
• /proc Filesystem (Topic Pack, L2) — Linux Fundamentals
• Advanced Bash for Ops (Topic Pack, L1) — Linux Fundamentals
• Adversarial Interview Gauntlet (30 sequences) (Scenario, L2) — Linux Fundamentals
• Bash Exercises (Quest Ladder) (CLI) (Exercise Set, L0) — Linux Fundamentals
• Case Study: CI Pipeline Fails — Docker Layer Cache Corruption (Case Study, L2) — Linux Fundamentals
• Case Study: Container Vuln Scanner False Positive Blocks Deploy (Case Study, L2) — Linux Fundamentals
• Case Study: Disk Full Root Services Down (Case Study, L1) — Linux Fundamentals

Pages that link here

• /proc Filesystem
• Advanced Bash for Ops
• Anti-Primer: Debian Ubuntu
• Debian & Ubuntu Ecosystem
• Disk Full Root - Services Down
• LPIC / LFCS Exam Preparation
• Linux Distribution Comparison
• Linux Fundamentals - Skill Check
• Linux Ops
• Symptoms
• Symptoms
• Symptoms: CI Pipeline Fails, Docker Layer Cache Corruption, Fix Is Registry GC
• Symptoms: Container Image Vuln Scanner False Positive, Blocks Deploy Pipeline