walinuxagent and out-of-archive code updates

Steve Langasek steve.langasek at ubuntu.com
Tue Mar 14 17:01:02 UTC 2017


Dear Technical Board,

I wish to make you aware of a technical decision taken by the Ubuntu
Foundations team concerning a package in the archive.  I believe the
decision is technically sound and will stand up to scrutiny, but due to the
sensitivity and possible precedent-setting involved, I want us to be
completely transparent with the community about what is being done and why.

The walinuxagent package in Ubuntu is an agent for the Microsoft Azure
cloud, communicating with the cloud substrate and allowing management of
various aspects of the guest through the cloud's dashboard / management
interface.

The Microsoft Azure team has requested that the package in Ubuntu enable a
feature, currently disabled via config setting, that allows the agent to
pull down code from a trusted cloud-local endpoint and deploy it on the
running system.  This is desirable for two reasons:

 - it ensures that the agent on the guest remains up-to-date and compatible
   with the cloud substrate, even on long-running instances whose
   administrators are not applying package updates on a regular basis
 - it enables various optional modules which are part of the Azure platform
   but are not distributed with the walinuxagent package; they are only
   available from the walinuxagent endpoint.

Obviously we have good reason for a policy that third-party repositories and
code update mechanisms are not allowed for Ubuntu at large.  In this case, I
believe it's acceptable because:

 - in a cloud, this is not the first place in which arbitrary code can be
   fed into the instance from outside; cloud-init also does the same thing
   in a more general form
 - this is a cloud-local endpoint; we know from the architecture of Azure
   that this endpoint is controlled by the same party as the virtualization
   environment itself (i.e. Microsoft), so there is no concern that trusting
   this endpoint expands the set of targets for an attacker
 - the walinuxagent uses several methods to detect that it's running on the
   correct cloud substrate (specially-formed DHCP responses;
   locally-attached storage) which ensure that accidentally installing and
   attempting to run this agent on a non-Azure Ubuntu machine will be a
   no-op.

If you have any questions about this implementation, please ask.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
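The substrate detection mentioned in the last bullet of the message above (the agent recognising Azure from specially-formed DHCP responses before it will act), as an added example written for this page and not walinuxagent's own code. It assumes Azure's convention of advertising the cloud-local management endpoint in DHCP vendor option 245 at 168.63.129.16; that option number and address are assumptions not stated in the message, and the agent's other check (locally-attached storage) is not reproduced. The DHCP option payloads are constructed inline, not captured traffic.

```python
"""
Added example: parse the options section of a DHCP reply and gate a
"pull code from the cloud-local endpoint" feature on (a) the operator
having enabled it in config and (b) the reply carrying the Azure
endpoint option pointing at the expected address. On any other host the
gate is a no-op.  Not walinuxagent's code.
"""
import ipaddress

# Assumptions (not from the page): Azure advertises its cloud-local
# management endpoint in DHCP option 245, and that endpoint is
# 168.63.129.16.
AZURE_ENDPOINT_OPTION = 245
EXPECTED_ENDPOINT = ipaddress.IPv4Address("168.63.129.16")

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the options section of a DHCP message (the bytes after the
    236-byte fixed header, starting with the magic cookie) into
    {code: value}.  Handles PAD (0) and END (255) and rejects truncated
    TLVs rather than silently accepting a short value."""
    if not payload.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = len(DHCP_MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == 0:            # PAD: single byte, no length
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length
    return options


def azure_endpoint_from_options(options: dict):
    """Return the IPv4 address carried in option 245, or None if absent
    or malformed (anything but exactly four bytes)."""
    raw = options.get(AZURE_ENDPOINT_OPTION)
    if raw is None or len(raw) != 4:
        return None
    return ipaddress.IPv4Address(raw)


def code_updates_permitted(payload: bytes, auto_update_enabled: bool) -> bool:
    """The gate: config flag AND substrate check must both pass.
    A parse error or an option pointing anywhere other than the expected
    cloud-local endpoint fails closed."""
    if not auto_update_enabled:
        return False
    try:
        endpoint = azure_endpoint_from_options(parse_dhcp_options(payload))
    except ValueError:
        return False
    return endpoint == EXPECTED_ENDPOINT


def build_options(*tlvs) -> bytes:
    """Construct a DHCP options blob for the samples below."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    for code, value in tlvs:
        out += bytes([code, len(value)]) + value
    out += b"\xff"
    return bytes(out)


# Constructed sample payloads (not captured traffic).
AZURE_REPLY = build_options(
    (53, b"\x02"),                       # message type: DHCPOFFER
    (1, bytes([255, 255, 255, 0])),      # subnet mask
    (245, EXPECTED_ENDPOINT.packed),     # Azure endpoint option
)
GENERIC_REPLY = build_options(           # ordinary LAN DHCP server
    (53, b"\x02"),
    (1, bytes([255, 255, 255, 0])),
    (3, bytes([192, 168, 1, 1])),        # router
)
SPOOFED_REPLY = build_options(           # option present, wrong address
    (53, b"\x02"),
    (245, bytes([10, 0, 0, 7])),
)

if __name__ == "__main__":
    for name, pkt in [("azure", AZURE_REPLY), ("generic", GENERIC_REPLY),
                      ("spoofed", SPOOFED_REPLY)]:
        print(name, code_updates_permitted(pkt, auto_update_enabled=True))
```

The point of the gate is the conjunction: an operator who never flips the config flag is unaffected, and a machine whose DHCP server does not advertise the expected endpoint never reaches the code-fetching path even if the package is installed.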