[Bug 615545] Re: Instances launched in a VPC cannot access ec2.archive.ubuntu.com

Scott Moser smoser at ubuntu.com
Mon Dec 5 19:25:33 UTC 2011


** Description changed:

  sources.list is helpfully configured to us-east-1.ec2.archive.ubuntu.com
  for instances that I launch in US-EAST-1 on EC2. However, instances
  launched in a Virtual Private Cloud (VPC) can only access machines in
  their local subnet, private machines on the connected LAN, and the
  Internet via the VPC tunnel.
  
  Because us-east-1.ec2.archive.ubuntu.com resolves to an internal EC2
  10.0.0.0/8 address, instances launched in a VPC will be unable to
  perform any apt operations. The user must update sources.list to point
  to us.archive.ubuntu.com to use apt.
  
  Proposed solution:
  
  1) Detect that the machine was launched in a VPC. I'm not sure what the ideal way to determine this is without doing a DescribeInstances. But I did notice that when in a VPC, curl http://169.254.169.254/latest/meta-data/ does not have public-ipv4 and public-hostname listed as a possibility. So perhaps the absence of these could be used to determine it was in a VPC.
  2) Fallback to the public us.archive.ubuntu.com (or whatever region appropriate) if us-east-1.ec2.archive.ubuntu.com cannot be reached.
+ 
+ === SRU Information ===
+ [Impact]
+ After launch of an instance in a VPC (virtual private cloud) of EC2, the user must update /etc/apt/sources.list, as cloud-init has selected a mirror that is not available to the instance.
+ 
+ [Development Fix] The simple fix is to query the EC2 metadata service
+ and determine if the instance has booted inside VPC (is_vpc).  If so,
+ use the fallback apt source rather than the EC2 specific region source.
+ This was added to in the 10.10 cycle.
+ 
+ [Stable Fix]
+ Same as development fix.
+ 
+ [Test Case]
+  * a.) Boot instance in EC2 in a VPC
+  * b.) Boot instance in EC2 not in a VPC
+  * Instance 'a' should have 'archive.ubuntu.com' in /etc/apt/sources.list
+    * grep "http://archive.ubuntu.com" /etc/apt/sources.list
+  * Instance 'b' should have '<region>.ec2.archive.ubuntu.com' in /etc/apt/sources.list
+    * az=$(wget http://instance-data/latest/meta-data/placement/availability-zone -O - -q)
+    * region=${az%?} ; # az="us-east-1a", region="us-east-1"
+    * grep "http://$region.ec2.archive.ubuntu.com" /etc/apt/sources.list
+ 
+ [Regression Potential]
+ Inside of EC2, the regression potential is almost non-existant.  This exact same fix has been in since 10.10.
+ Outside of EC2, the potential for regression would be in EC2-like clouds that have a metadata service that looks similar to EC2's.  Since the fix has been in for > 18 months, the chance of this scenario causing failure is very low.
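Review bot: In [Test Case], the check for instance 'a' only greps for "http://archive.ubuntu.com", so it still passes if a "<region>.ec2.archive.ubuntu.com" entry is also left in /etc/apt/sources.list. Add a negative check for 'a', for example grep -c "ec2.archive.ubuntu.com" /etc/apt/sources.list expecting 0. The expected host here is archive.ubuntu.com, while the description above names us.archive.ubuntu.com as the fallback, and the grep pattern as written would not match that host, so the test case should say which one is expected. In [Development Fix], "This was added to in the 10.10 cycle" is missing a word, and the section does not say which metadata keys is_vpc looks at.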

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cloud-init in Ubuntu.
https://bugs.launchpad.net/bugs/615545

Title:
  Instances launched in a VPC cannot access ec2.archive.ubuntu.com

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/615545/+subscriptions
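The mirror selection described in the bug, as an added example (not cloud-init's own code and not part of the original message). It uses the heuristic proposed in the description (no public-ipv4 / public-hostname key means VPC); the function names, the sample key listings and the availability-zone character check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not cloud-init's code. Heuristic from the bug description:
# a VPC instance's metadata listing lacks public-ipv4 and public-hostname.

FALLBACK_MIRROR="http://archive.ubuntu.com"   # host named in the test case

# Constructed sample listings of /latest/meta-data/ (not captured output).
CLASSIC_KEYS="ami-id
instance-id
local-ipv4
placement/
public-hostname
public-ipv4"
VPC_KEYS="ami-id
instance-id
local-ipv4
placement/"

# is_vpc: key listing on stdin; succeeds when neither public key is listed.
is_vpc() {
    ! grep -qxE 'public-(ipv4|hostname)'
}

# select_mirror KEYS AZ: print the mirror base URL for sources.list.
select_mirror() {
    keys=$1
    az=$2
    # The AZ string ends up inside a hostname, so accept only [a-z0-9-].
    # Anything else (empty, or odd output from an EC2-like metadata
    # service) gets the fallback mirror.
    case $az in
        ''|*[!a-z0-9-]*) echo "$FALLBACK_MIRROR"; return 0 ;;
    esac
    if printf '%s\n' "$keys" | is_vpc; then
        echo "$FALLBACK_MIRROR"
    else
        # Drop the zone letter: us-east-1a -> us-east-1
        echo "http://${az%?}.ec2.archive.ubuntu.com"
    fi
}

# Demonstration on the constructed listings.
select_mirror "$VPC_KEYS" us-east-1a
select_mirror "$CLASSIC_KEYS" us-east-1a
```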


