walinuxagent and out-of-archive code updates
Steve Langasek
steve.langasek at ubuntu.com
Tue Mar 14 17:01:02 UTC 2017
Dear Technical Board,

I wish to make you aware of a technical decision taken by the Ubuntu Foundations team concerning a package in the archive. I believe the decision is technically sound and will stand up to scrutiny, but due to the sensitivity and possible precedent-setting involved, I want us to be completely transparent with the community about what is being done and why.

The walinuxagent package in Ubuntu is an agent for the Microsoft Azure cloud, communicating with the cloud substrate and allowing management of various aspects of the guest through the cloud's dashboard / management interface.

The Microsoft Azure team has requested that the package in Ubuntu enable a feature, currently disabled via config setting, that allows the agent to pull down code from a trusted cloud-local endpoint and deploy it on the running system. This is desirable for two reasons:

- it ensures that the agent on the guest remains up-to-date and compatible with the cloud substrate, even on long-running instances whose administrators are not applying package updates on a regular basis
- it enables various optional modules which are part of the Azure platform but are not distributed with the walinuxagent package; they are only available from the walinuxagent endpoint.

Obviously we have good reason for a policy that third-party repositories and code update mechanisms are not allowed for Ubuntu at large. In this case, I believe it's acceptable because:

- in a cloud, this is not the first place in which arbitrary code can be fed into the instance from outside; cloud-init also does the same thing in a more general form
- this is a cloud-local endpoint; we know from the architecture of Azure that this endpoint is controlled by the same party as the virtualization environment itself (i.e. Microsoft), so there is no concern that trusting this endpoint expands the set of targets for an attacker
- the walinuxagent uses several methods to detect that it's running on the correct cloud substrate (specially-formed DHCP responses; locally-attached storage) which ensure that accidentally installing and attempting to run this agent on a non-Azure Ubuntu machine will be a no-op.

If you have any questions about this implementation, please ask.

Thanks,
--
Steve Langasek
Debian Developer
Ubuntu Developer                http://www.debian.org/
slangasek at ubuntu.com         vorlon at debian.org

"Give me a lever long enough and a Free OS to set it on, and I can move the world."