Red Hat Enterprise Linux (RHEL) Extended Update Support (EUS) Overview

Updated -

What Is Extended Update Support (EUS)?

Extended Update Support (EUS) is an optional offering for Red Hat Enterprise Linux subscribers. With EUS, Red Hat provides backports of Critical and Important impact1 security updates and urgent-priority bug fixes for a predefined set of minor releases of Red Hat Enterprise Linux. EUS enables customers to remain with the same minor release of Red Hat Enterprise Linux for 24 months, allowing for stable production environments for mission-critical applications.

EUS is provided with x86-64 Red Hat Enterprise Linux Server Premium subscriptions and is available as an Add-on to Red Hat Enterprise Linux Server standard subscriptions, Red Hat Enterprise Linux for IBM Power LE, and Red Hat Enterprise Linux for IBM z Systems subscriptions. It is not available for Red Hat Enterprise Linux Workstation. Please contact your Red Hat Sales Representative if you are unsure if you have access to EUS and to help decide if it is appropriate for your environment.

What Customer Use Cases Benefit from Using EUS?

  • Customers who have a policy of re-certifying application stacks when they move to new minor releases of Red Hat Enterprise Linux
  • Customers who have sensitive workloads that require minimal change
  • Customers using third party applications from ISVs who certify on specific Red Hat Enterprise Linux minor releases

Recommended Red Hat Enterprise Linux Maintenance Practices

To obtain the maximum benefits maintenance benefits from a Red Hat Enterprise Linux subscription, it is recommended practice for customers to upgrade to each minor release as they are released (e.g., 8.0 --> 8.1 --> 8.2).

How to Access EUS

Like all Red Hat Enterprise Linux maintenance, EUS is delivered via Red Hat Subscription Manager, where it is implemented as a mirror repository hierarchy (separate repository(s), for each minor release, along with the relevant set of child repositories).

With the introduction of Red Hat Enterprise Linux 8, content is distributed through the two main repositories: BaseOS and AppStream.

BaseOS

Content in the BaseOS repository is intended to provide the core set of the underlying OS functionality that provides the foundation for all installations. This content is available in the RPM format and is subject to support terms similar to those in previous releases of Red Hat Enterprise Linux.

AppStream

Content in the AppStream repository includes additional user space applications, runtime languages, and databases in support of the varied workloads and use cases. Content in AppStream is available in one of two formats - the familiar RPM format and an extension to the RPM format called modules.

RHEL EUS Example using x86-64 Architecture

Red Hat Enterprise Linux 7 Minor Release Main Repository

  • Red Hat Enterprise Linux 7 Server

Red Hat Enterprise Linux 7 EUS Main Repository

  • Red Hat Enterprise Linux 7 Server - Extended Update Support

Red Hat Enterprise Linux 8 Minor Release Repositories

  • Red Hat Enterprise Linux 8 for x86_64 - BaseOS
  • Red Hat Enterprise Linux 8 for x86_64 - AppStream

Red Hat Enterprise Linux 8 EUS Repositories

  • Red Hat Enterprise Linux 8 for x86_64 - AppStream - Extended Update Support
  • Red Hat Enterprise Linux 8 for x86_64 - BaseOS - Extended Update Support

EUS can be activated for individual systems by subscribing them to the matching EUS repository(s).

Customers with an active EUS subscription will see EUS repositories in addition to the standard repositories via Red Hat Subscription Manager (RHSM). RHSM provides status, inventory, organization, and reporting on Red Hat subscriptions via:

  • A hosted service on the Red Hat Customer Portal
  • On-premise access through Red Hat Satellite
  • Using Subscription Manager from a Red Hat Enterprise Linux system
  • Coming soon: A robust supported and documented API for RHSM

When you purchase a subscription to a product, RHSM tracks which system(s) in your inventory are registered to the subscription. Registered systems are entitled to support services, as well as errata, patches, and upgrades from the Content Delivery Network (CDN).

EUS repositories are shown in RHSM, meaning customers will only see the repositories based on their particular system's hardware architecture and the major version of Red Hat Enterprise Linux that is installed. A system can be moved to an EUS repository(s) by changing the base repository in that system's repositories menu to an EUS repository(s).

EUS Timing and Planning Considerations

Red Hat Enterprise Linux 8 minor releases that include EUS are planned to release based on the below planning schedule. Customers requiring longer maintenance should plan based on the below schedule per the RHEL Life Cycle Policy

eus3.png
Click here for larger version of graphic

The RHEL EUS release repository receives all ALL security, bugfix, and enhancement errata until the next minor release is released. Afterwards, it only receives the selected backports as per the EUS inclusion policy.

NOTE: The standard base repository (such as the Red Hat Enterprise Linux 8 for x86_64 - BaseOS) is mutually exclusive with any EUS repositories (i.e., an individual system may only be subscribed to the standard base repository or to an EUS repository, but not to both simultaneously). Once a system has been subscribed to an EUS repository, it will receive only EUS errata updates.

Upgrade Restrictions for EUS repositories

Customers who have systems subscribed to EUS repositories should be aware that there are upgrade restrictions when upgrading between minor releases (i.e., systems subscribed to a certain EUS repository should always be upgraded to either a later, more recent EUS repository or to the base repository for that version of Red Hat Enterprise Linux). For example, if a system is currently subscribed to the EUS 8.1 repository, at any time its subscription could be upgraded to:

  • The RHEL 8.2 EUS repository after the release of 8.2
  • The RHEL 8.4 EUS repository after the release of RHEL 8.4
  • Any RHEL 8.y EUS repository where y is an even number
  • The standard base repository for Red Hat Enterprise Linux 8, which is the most recent minor release.

WARNING: It is unsafe to downgrade from a more recent minor release with a higher version number to an earlier minor release or an earlier EUS repository. For example, it would be unsafe to downgrade from Red Hat Enterprise Linux 8.2 to 8.1.

EUS repository Deactivation

For a given RHEL minor release EUS repository (for example RHEL 8.1), like all EUS repositories, will be retired 24 months after it is created and becomes available via Red Hat Subscription Manager. When an EUS repository reaches retirement, no new errata are released to the repositories. However, all previously released errata remain available to customers with an active subscription. It is imperative to migrate to a later EUS release to continue receiving errata updates like security and bug-fix errata. You can check to see which EUS repositories have been retired and are no longer receiving updates by looking at the Red Hat Enterprise Linux Retired Life Cycle Dates page.

More information on EUS and the Red Hat Enterprise Linux Life Cycle can be found on the Red Hat Customer Portal.

EUS Maintenance Policies

Please visit the Red Hat Enterprise Linux LIfe Cycle page for information on EUS maintenance policies.

Visit the Red Hat Customer Portal for more information regarding Red Hat Enterprise Linux subscriptions and base and child repositories.

Additional Reading

While EUS provides a more restrictive selection of errata, it does not provide an operational framework or discipline as to how a user of EUS can implement an errata management solution to support a rigid life cycle for their Red Hat Enterprise Linux systems. This is covered in the Red Hat Satellite Content Management Guide.

Red Hat Enterprise Linux 8 EUS Frequently Asked Questions


  1. Applies to Important CVEs that occur on or after October 1, 2019 

16 Comments

"Following the next minor release, an EUS channel is practically restricted to Critical-impact security advisories and urgent-priority bug fixes."

In other words, the security updates are provided at Red Hat's discretion, much like the policy for the Production 3 Phase found in the Life Cycle article. Wonder if the statement "provide secure environment" still holds true in these cases.

Greetings Akemi,

Your statement, "In other words, the security updates are provided at Red Hat's discretion" is not accurate. You may have overlooked the reference in the Life Cycle document that takes you to the Issue Severity Classification reference which clearly explains how Red Hat determines its Impact rating based on the well respected and independent vulnerability entities MITRE and NVD. So the decision is based on solid evaluation and input from outside resources. I suspect your own security team regularly refers to those industry sources for security information as well. Another good resource is Backporting Security Fixes.

The bottom line is that in order to keep up with the rapid innovation provided by the Open Source development models, Red Hat must continually move forward. Upstream develops on upstream. It is a tremendous amount of work to take a security fix to new upstream code, and modify that to work on a 3 year old code base. Therefore, Red Hat is a balance between the rapid upstream and the predictable update models needed by enterprise and businesses.

It is advised not to think of the minor releases, but rather patch bundles. Do not hesitate to update with a regularly scheduled update cycle. True, it is not always perfect as occasionally there is a regression or compatibility issue between new drivers and firmware. However, these same issues are eventually experienced anyway by those customers who do not update regularly and are compounded by minor release version jumping (i.e. 6.2 -> 6.6).

Extended Update Support (EUS), along with Extended Lifecycle Support (ELS) are both meant to be a stop-gap option, providing a bridge until the minor release update can take place.

Our customers who succeed best have regular patching schedules and make a planned effort to stay as current as possible. This discussion is rarely an issue for them and they maintain a very stable and secure platform. I work with many accounts, including financial and embedded telecom. I speak from experience when I say that those customers who struggle the most do not patch regularly and remain on non-current minor releases for long periods of time.

I hope this is helpful to you in understanding our Life Cycle and our security ratings. Please post any followup questions.

-Terry

Thanks for your detailed note. There is one thing I'd like to add about the wording. The "at Red Hat's discretion" part is not my creation. I copied it from the 'Life Cycle' document, note number 11:

  1. All errata provided at Red Hat's discretion.

So my understanding is this:

  • EUS comes as either an add-on subscription (so the customer would require two subs) or as an individual subscription.

  • EUS subs grant you access to both the regular repositories and the EUS repositories, but only one should be used. I.E a machine in Satellite 6 could be given access to the following repositories through a content view: RHEL 7 Common RPS and RHEL 7 Common EUS RPMS but they should only subscribe to one of them.

EUS is provided as either:

  • An add-on sub.
  • A component of an existing sub.

Let's take a look a the EUS add-on for example:

rct cat-manifest manifest.zip
Subscription:
        Name: Extended Update Support
        Quantity: 100
        Created: 2015-08-06T16:51:49.000+0000
        Start Date: 2015-08-05T04:00:00.000+0000
        End Date: 2016-08-05T03:59:59.000+0000
        Service Level: Layered
        Service Type: L1-L3
        Architectures: x86_64,ppc64,ia64,ppc,x86
        SKU: RH00030
        Contract: [REDACTED]
        Order: [REDACTED]
        Account: [REDACTED]
        Virt Limit: 
        Requires Virt-who: False
        Entitlement File: export/entitlements/8a99f98a4efa4ef4014f03ed07ca4560.json
        Certificate File: export/entitlement_certificates/5838778616511924647.pem
        Certificate Version: 3.2
        Provided Products:
                70: Red Hat Enterprise Linux Server - Extended Update Support
                84: Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support
                86: Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support
                91: Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support
                93: Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support
                127: Red Hat S-JIS Support (for RHEL Server) - Extended Update Support
                133: Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support
                182: Red Hat EUCJP Support (for RHEL Server) - Extended Update Support
                246: Oracle Java (for RHEL Server) - Extended Update Support

As you can see in the above, the EUS add-on provides EUS content only. (Which makes a whole lot of sense)

Certain subscriptions provide access to RHEL content AND EUS content. An example of this are the 2013 RHEL Premium Subscriptions.

rct cat-manifest  manifest.zip 
Subscription:
    Name: Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)
    Quantity: 100
    Created: 2015-08-06T16:51:43.000+0000
    Start Date: 2015-08-05T04:00:00.000+0000
    End Date: 2016-08-05T03:59:59.000+0000
    Service Level: Premium
    Service Type: L1-L3
    Architectures: x86_64,ppc64le,ppc64,ia64,ppc,s390,x86,s390x
    SKU: RH00013
    Contract: [REDACTED]
    Order: [REDACTED]
    Account: [REDACTED]
    Virt Limit: 
    Requires Virt-who: False
    Entitlement File: export/entitlements/8a99f9864efa4a57014f03eced2b40f0.json
    Certificate File: export/entitlement_certificates/1892488221322053305.pem
    Certificate Version: 3.2
    Provided Products:
        69: Red Hat Enterprise Linux Server
        70: Red Hat Enterprise Linux Server - Extended Update Support
        84: Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support
        86: Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support
        91: Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support
        93: Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support
        127: Red Hat S-JIS Support (for RHEL Server) - Extended Update Support
        133: Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support
        176: Red Hat Developer Toolset (for RHEL Server)
        180: Red Hat Beta
        182: Red Hat EUCJP Support (for RHEL Server) - Extended Update Support
        201: Red Hat Software Collections (for RHEL Server)
        205: Red Hat Software Collections Beta (for RHEL Server)
        240: Oracle Java (for RHEL Server)
        246: Oracle Java (for RHEL Server) - Extended Update Support
        271: Red Hat Enterprise Linux Atomic Host
        272: Red Hat Enterprise Linux Atomic Host Beta
        273: Red Hat Container Images
        274: Red Hat Container Images Beta

In this subscription, EUS content AND RHEL content is provided. The only way you'd get access to both EUS and RHEL is either by attaching 2 distinct subs (EUS & RHEL), or one sub, similar to the one above that provides both.

As far as repos are concerned, you are correct in the statement that you should use only one of either the non-EUS version or the EUS version of a repo.

When we buy a Subscription, why can't we get a list of repositories that is included? Just got surprised. We have to use specific repos but they are not included in the EUS addon included in the premium subscription. The recent Spectre and Meltdown revelations certainly provide ample severity.

Can you be more specific on what is missing? Which RHEL subscription do you have? What version are you running?

You totally can. Take a look in the portal under subscriptions -> 'NAME OF YOUR SUB' -> Content. Example here

How do you actually lock your release on a minor version and subscribe to EUS: How to tie a system to a specific update of Red Hat Enterprise Linux? .

Can someone from Red Hat provide clarification on how non-base repositories (eg. optional repository) are handled in the EUS lifecycle? Are the additional repos such as 'optional' covered by EUS, if so, is it all additional repos or just a selection?

Yes, optional repositories are included in the EUS.

The end date for RHEL 7.7 EUS appears to be incorrect on the following page:
https://access.redhat.com/support/policy/updates/errata

7.1 (ended March 31, 2017)
7.2 (ended November 30, 2017)
7.3 (ended November 30, 2018)
7.4 (ends August 31, 2019)
7.5 (ends April 30, 2020)
7.6 (ends May 31, 2021)
7.7 (ends August 30, 2021; Final RHEL 7 EUS Release)

This puts 7.7 EUS end date only 3 months after 7.6 EUS.

Is the correct 7.7 EUS end date August 30 2022?

The dates are correct. The "7.6 (ends May 31, 2021)" date was extended to "...ease the migration pressures." due to the impacts of COVID-19. Please read the blog post [1] to learn more.

[1] https://www.redhat.com/en/blog/red-hat-announces-product-life-cycle-changes

Exactly the information I was after.

Thanks for the quick response Julio!

Hi, As I understand correctly EUS 7.7 will be final EUS for RHEL 7. Support of it ends August 30, 2021, but RHEL 7 Maintenance ends at June 30, 2024. What possibilities do we have then to have EUS functionality (to stay at minor level for 24 months since release) for remaining 3 years of RHEL 7 support?

Adam, we have also announced via the Life-cycle Dates section [1] of that RHEL Life Cycle page that RHEL 7.9 will be the last minor release of RHEL 7. So your option is to stay on RHEL 7.7 EUS until RHEL 7.9 is released and then updated to RHEL 7.9 and you will be able to stay on it until RHEL 7 reaches its end of Maintenance Support 2 phase on June 30, 2024.

[1] https://access.redhat.com/support/policy/updates/errata#Life_Cycle_Dates