[Bug 1913240] [NEW] do-release-upgrade ignores APT proxy exemption

MegaBrutal 1913240 at bugs.launchpad.net
Tue Jan 26 03:00:05 UTC 2021


Public bug reported:

When I try to check for an upgrade, this is what happens:

# do-release-upgrade -c
Checking for a new Ubuntu release
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
There is no development version of an LTS available.
To upgrade to the latest non-LTS develoment release 
set Prompt=normal in /etc/update-manager/release-upgrades.

With tcpdump, I discovered that do-release-upgrade tries to connect to
the configured APT-Cacher-NG proxy. The proxy only listens on plaintext
HTTP (TCP:80), while the script tries to connect to it on HTTPS
(TCP:443), because it wants to download meta-release-lts through an
https:// URL. Since I have no intention to configure SSL certificates on
the proxy for the sole reason to enable upgraders to operate, I thought
I'd rather exempt it from the APT proxy setting.

Currently, I have this APT proxy configuration under
/etc/apt/apt.conf.d:

Acquire::http {
	Proxy::changelogs.ubuntu.com "DIRECT";
	Proxy "http://taranis.lan";
};
Acquire::https {
	Proxy::changelogs.ubuntu.com "DIRECT";
};

I added an explicit section for https too, just in case. According to
man apt-transport-http, the syntax should be correct and `apt-config
dump` reports that it correctly parsed the config file and understands
that it needs to exempt changelogs.ubuntu.com.

Acquire::http::Proxy "http://taranis.lan";
Acquire::http::Proxy::changelogs.ubuntu.com "DIRECT";
Acquire::https::Proxy "";
Acquire::https::Proxy::changelogs.ubuntu.com "DIRECT";

However, trying `do-release-upgrade -c` has the same result: the
upgrader still wants to get the meta-release file via the proxy. It is a
strange situation, because it seems `do-release-upgrade` wants to honour
the APT proxy configuration, but it ignores the exemptions. In my case,
it would be better to ignore the proxy altogether.

I have had this proxy for quite a while and the server was configured to
use it, and I don't remember encountering this issue on any previous
release upgrade, but I haven't run one since 2018. I guess the feature of
honouring the APT proxy config was added recently, in the last 2 years. I
have this issue on my Bionic server, and I reproduced it on a pristine
Focal VM installation as well.

I think the intended or desirable behaviour would be to adhere to the
APT proxy configuration in its entirety, including the exemptions.

** Affects: ubuntu-release-upgrader (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: bionic dist-upgrade focal

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/1913240
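
Added example, not part of the original report and not code from ubuntu-release-upgrader: a sketch of the per-host lookup the reporter expects, run over the `apt-config dump` lines quoted above. The function names are hypothetical, and the fallback from Acquire::https to Acquire::http options is an assumption taken from apt-transport-https(1); environment variables and proxy auto-detection are not modelled.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the `apt-config dump` lines quoted in the report.
APT_CONFIG_DUMP = '''\
Acquire::http::Proxy "http://taranis.lan";
Acquire::http::Proxy::changelogs.ubuntu.com "DIRECT";
Acquire::https::Proxy "";
Acquire::https::Proxy::changelogs.ubuntu.com "DIRECT";
'''

_LINE = re.compile(r'^(?P<key>\S+)\s+"(?P<value>.*)";\s*$')


def parse_dump(text):
    """Parse `apt-config dump` output into a lower-cased key -> value map."""
    conf = {}
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if match:
            # APT option names are case-insensitive, so normalise the key.
            conf[match.group("key").lower()] = match.group("value")
    return conf


def resolve_proxy(conf, url):
    """Return the proxy to use for `url`, or None for a direct connection."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    # Assumption: unset or empty https options default to the http ones.
    sections = [scheme] if scheme == "http" else [scheme, "http"]
    # A host-specific entry is consulted before any generic Proxy setting;
    # this is the step the report says the upgrader skips.
    for suffix in ("::" + host, ""):
        for section in sections:
            value = conf.get("acquire::%s::proxy%s" % (section, suffix), "")
            if value:
                return None if value == "DIRECT" else value
    return None


if __name__ == "__main__":
    conf = parse_dump(APT_CONFIG_DUMP)
    for url in ("https://changelogs.ubuntu.com/meta-release-lts",
                "http://archive.ubuntu.com/ubuntu/dists/focal/InRelease"):
        print(url, "->", resolve_proxy(conf, url) or "direct")
```

With the exemption lines removed from the sample, the same lookup returns the plaintext proxy for the https:// meta-release URL, which matches the connection attempt the reporter saw in tcpdump.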
