$ systemctl cat apt-news.service
# /usr/lib/systemd/system/apt-news.service
# APT News is hosted at https://motd.ubuntu.com/aptnews.json and can include
# timely information related to apt updates available to your system.
# This service runs in the background during an `apt update` to download the
# latest news and set it to appear in the output of the next `apt upgrade`.
# The script won't do anything if you've run: `pro config set apt_news=false`.
# The script will limit network requests to at most once per 24 hours.
# You can also host your own aptnews.json and configure your system to use it
# with the command:
# `pro config set apt_news_url=https://yourhostname/path/to/aptnews.json`
[Unit]
Description=Update APT News
[Service]
Type=oneshot
ExecStart=/usr/bin/python3 /usr/lib/ubuntu-advantage/apt_news.py
AppArmorProfile=ubuntu_pro_apt_news
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_NET_RAW
PrivateTmp=true
RestrictAddressFamilies=~AF_NETLINK
RestrictAddressFamilies=~AF_PACKET
# These may break some tests, and should be enabled carefully
#NoNewPrivileges=true
#PrivateDevices=true
#ProtectControlGroups=true
# ProtectHome=true seems to reliably break the GH integration test with a lunar lxd on jammy host
#ProtectHome=true
#ProtectKernelModules=true
#ProtectKernelTunables=true
#ProtectSystem=full
#RestrictSUIDSGID=true
# Unsupported in bionic
# Suggestion from systemd.exec(5) manpage on SystemCallFilter
#SystemCallFilter=@system-service
#SystemCallFilter=~@mount
#SystemCallErrorNumber=EPERM
#ProtectClock=true
#ProtectKernelLogs=true
Just for completeness.
$ sudo apt update
Warning: The unit file, source configuration file or drop-ins of apt-news.service changed on disk. Run 'systemctl daemon-reload' to reload units.
Warning: The unit file, source configuration file or drop-ins of esm-cache.service changed on disk. Run 'systemctl daemon-reload' to reload units.
Hit:1 http://ftp.riken.jp/Linux/ubuntu noble InRelease
Hit:2 http://ftp.riken.jp/Linux/ubuntu noble-updates InRelease
Hit:3 http://ftp.riken.jp/Linux/ubuntu noble-backports InRelease
Hit:4 http://ftp.riken.jp/Linux/ubuntu noble-proposed InRelease
Hit:5 https://repo.steampowered.com/steam stable InRelease
Hit:6 https://packages.microsoft.com/repos/code stable InRelease
Hit:7 http://security.ubuntu.com/ubuntu noble-security InRelease
Get:8 https://pkgs.tailscale.com/stable/ubuntu noble InRelease
Fetched 6,563 B in 1s (6,699 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
67 packages can be upgraded. Run 'apt list --upgradable' to see them.
$ dpkg --verify ubuntu-advantage-tools; echo $?
0
$ apt policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 31.1
  Candidate: 31.1
  Version table:
     31.2 100
        100 http://ftp.riken.jp/Linux/ubuntu noble-proposed/main amd64 Packages
        100 http://ftp.riken.jp/Linux/ubuntu noble-proposed/main i386 Packages
 *** 31.1 500
        500 http://ftp.riken.jp/Linux/ubuntu noble/main amd64 Packages
        500 http://ftp.riken.jp/Linux/ubuntu noble/main i386 Packages
        100 /var/lib/dpkg/status
$ systemctl cat apt-news.service
# /usr/lib/systemd/system/apt-news.service
# APT News is hosted at https://motd.ubuntu.com/aptnews.json and can include
# timely information related to apt updates available to your system.
# This service runs in the background during an `apt update` to download the
# latest news and set it to appear in the output of the next `apt upgrade`.
# The script won't do anything if you've run: `pro config set apt_news=false`.
# The script will limit network requests to at most once per 24 hours.
# You can also host your own aptnews.json and configure your system to use it
# with the command:
# `pro config set apt_news_url=https://yourhostname/path/to/aptnews.json`
[Unit]
Description=Update APT News
[Service]
Type=oneshot
ExecStart=/usr/bin/python3 /usr/lib/ubuntu-advantage/apt_news.py
AppArmorProfile=ubuntu_pro_apt_news
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_NET_RAW
PrivateTmp=true
RestrictAddressFamilies=~AF_NETLINK
RestrictAddressFamilies=~AF_PACKET
# These may break some tests, and should be enabled carefully
#NoNewPrivileges=true
#PrivateDevices=true
#ProtectControlGroups=true
# ProtectHome=true seems to reliably break the GH integration test with a lunar lxd on jammy host
#ProtectHome=true
#ProtectKernelModules=true
#ProtectKernelTunables=true
#ProtectSystem=full
#RestrictSUIDSGID=true
# Unsupported in bionic
# Suggestion from systemd.exec(5) manpage on SystemCallFilter
#SystemCallFilter=@system-service
#SystemCallFilter=~@mount
#SystemCallErrorNumber=EPERM
#ProtectClock=true
#ProtectKernelLogs=true