[Bug 1006963] Re: sources.list configuration does not cover security
Scott Moser
smoser at ubuntu.com
Wed Dec 12 21:12:47 UTC 2012
** Description changed:
=== Begin SRU Information ===
[Impact]
- * Operating completely off-line (without access to *.ubuntu.com) is not
- really possible with cloud-init in 12.04. The user can specify a
- mirror to use to cloud-init, and it will respect that input. However,
- it will still write 'security.ubuntu.com' entries in
- /etc/apt/sources.list . The fix in 12.10 was to add support for
- declaring the security mirror in addition to the "primary" mirror.
+ * Operating completely off-line (without access to *.ubuntu.com) is not
+ really possible with cloud-init in 12.04. The user can specify a
+ mirror to use to cloud-init, and it will respect that input. However,
+ it will still write 'security.ubuntu.com' entries in
+ /etc/apt/sources.list . The fix in 12.10 was to add support for
+ declaring the security mirror in addition to the "primary" mirror.
- Looking at the config snippet probably makes it obvious how this
- is done. '$security' in the templates then references the specified
- security mirror, and the user can set that value by providing
- cloud-config syntax formed like the default below:
+ Looking at the config snippet probably makes it obvious how this
+ is done. '$security' in the templates then references the specified
+ security mirror, and the user can set that value by providing
+ cloud-config syntax formed like the default below:
- | package_mirrors:
- | - arches: [i386, amd64]
- | failsafe:
- | primary: http://archive.ubuntu.com/ubuntu
- | security: http://security.ubuntu.com/ubuntu
- | search:
- | primary:
- | - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
- | - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
- | security: []
- | - arches: [armhf, armel, default]
- | failsafe:
- | primary: http://ports.ubuntu.com/ubuntu
- | security: http://ports.ubuntu.com/ubuntu
+ | package_mirrors:
+ | - arches: [i386, amd64]
+ | failsafe:
+ | primary: http://archive.ubuntu.com/ubuntu
+ | security: http://security.ubuntu.com/ubuntu
+ | search:
+ | primary:
+ | - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
+ | - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
+ | security: []
+ | - arches: [armhf, armel, default]
+ | failsafe:
+ | primary: http://ports.ubuntu.com/ubuntu
+ | security: http://ports.ubuntu.com/ubuntu
- * this will allow users on fully disconnected networks to use cloud
- images with local mirrors without modifying the image.
+ * this will allow users on fully disconnected networks to use cloud
+ images with local mirrors without modifying the image.
[Test Case]
- To demonstrate the problem, simply launch an instance in EC2. The
- rendered sources.list will contain references to
- us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
- the default/fallback case was previously to use archive.ubuntu.com
- and there was no changing of security.ubuntu.com at all. The result was
- that offline, an 'apt-get update' was guaranteed to fail even if the
- user specified 'apt_mirror'.
+ To demonstrate the problem, simply launch an instance in EC2. The
+ rendered sources.list will contain references to
+ us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
+ the default/fallback case was previously to use archive.ubuntu.com
+ and there was no changing of security.ubuntu.com at all. The result was
+ that offline, an 'apt-get update' was guaranteed to fail even if the
+ user specified 'apt_mirror'.
- You can demonstrate the fixed path by booting an instance with
- user-data like the following:
- |#cloud-config
- |system_info:
- | package_mirrors:
- | - arches: [i386, amd64]
- | failsafe:
- | primary: http://my.archive.mydomain.com/ubuntu
- | search:
- | primary: []
- | security: []
+ You can demonstrate the fixed path by booting an instance with
+ user-data like the following:
+ |#cloud-config
+ |system_info:
+ | package_mirrors:
+ | - arches: [i386, amd64]
+ | failsafe:
+ | primary: http://my.archive.mydomain.com/ubuntu
+ | search:
+ | primary: []
+ | security: []
- You will see in /etc/sources.list, that there is no reference to
- "ubuntu.com" any more.
+ You will see in /etc/sources.list, that there is no reference to
+ "ubuntu.com" any more.
[Regression Potential]
- * The change in behavior could change mirror selection in undefined
- ways. We've not seen any issues with this path in quantal, though.
- This code is basically the same as is running in quantal just
- backported.
+ * The change in behavior could change mirror selection in undefined
+ ways. We've not seen any issues with this path in quantal, though.
+ This code is basically the same as is running in quantal just
+ backported.
=== End SRU Information ===
-
- cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry.
+ cloud-init will attempt to update /etc/apt/sources.list from its
+ template, and allows the user to set 'apt_mirror'. However, it does not
+ allow the user to set the security.ubuntu.com entry.
This has issues in 2 places:
a.) internal and disconnected operation (no access to security.ubuntu.com)
b.) arm. For arm, there is no security.ubuntu.com
Related bugs:
* bug 1028501: cloud-init selects wrong mirrors for arm
https://bugs.launchpad.net/bugs/1006963
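To make the mirror-selection behaviour in the SRU description concrete, here is an added, simplified re-implementation of how a `package_mirrors` block resolves to `$primary` and `$security` for the sources.list template. It is example code written for this page, not cloud-init's own implementation. Assumptions: the template text is a constructed stand-in for cloud-init's per-release template; reachability of search candidates is modelled by a caller-supplied callback (offline by default, so every candidate fails); and a failsafe with no `security` entry falls back to `primary`, which is what the bug's test case expects when only `primary` is given and no `ubuntu.com` reference remains.

```python
"""Simplified model (not cloud-init's code) of package_mirrors resolution
and sources.list rendering, as described in bug 1006963."""
from string import Template

# Constructed stand-in for the sources.list template: $primary and $security
# are substituted with the selected mirrors, $codename with the release.
SOURCES_LIST_TEMPLATE = """\
deb $primary $codename main restricted universe multiverse
deb $primary $codename-updates main restricted universe multiverse
deb $security $codename-security main restricted universe multiverse
"""

# The default package_mirrors block quoted in the bug, as a Python structure.
DEFAULT_PACKAGE_MIRRORS = [
    {"arches": ["i386", "amd64"],
     "failsafe": {"primary": "http://archive.ubuntu.com/ubuntu",
                  "security": "http://security.ubuntu.com/ubuntu"},
     "search": {"primary": [
                    "http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/",
                    "http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/"],
                "security": []}},
    {"arches": ["armhf", "armel", "default"],
     "failsafe": {"primary": "http://ports.ubuntu.com/ubuntu",
                  "security": "http://ports.ubuntu.com/ubuntu"}},
]

# The offline user-data from the bug's [Test Case]: no search, primary only.
OFFLINE_PACKAGE_MIRRORS = [
    {"arches": ["i386", "amd64"],
     "failsafe": {"primary": "http://my.archive.mydomain.com/ubuntu"},
     "search": {"primary": [], "security": []}},
]


def select_mirror_entry(package_mirrors, arch):
    """Return the entry listing `arch`, else the entry listing 'default'."""
    default = None
    for entry in package_mirrors:
        arches = entry.get("arches", [])
        if arch in arches:
            return entry
        if "default" in arches:
            default = entry
    if default is None:
        raise ValueError("no package_mirrors entry for %s and no default" % arch)
    return default


def resolve_mirrors(package_mirrors, arch, data_source_vars, reachable=None):
    """Return {'primary': url, 'security': url} for `arch`.

    Each search candidate is expanded with data-source variables (ec2_region,
    availability_zone, ...) and the first one `reachable` accepts wins; an
    empty search list, a missing variable, or no reachable candidate falls
    back to the failsafe. Assumption: a failsafe without 'security' reuses
    'primary', so a fully local mirror config never emits *.ubuntu.com.
    """
    if reachable is None:
        reachable = lambda url: False  # offline: nothing resolves
    entry = select_mirror_entry(package_mirrors, arch)
    failsafe = entry.get("failsafe", {})
    search = entry.get("search", {})
    result = {}
    for name in ("primary", "security"):
        chosen = None
        for candidate in search.get(name, []):
            try:
                url = candidate % data_source_vars
            except KeyError:
                continue  # this data source does not supply that variable
            if reachable(url):
                chosen = url
                break
        result[name] = chosen if chosen is not None else failsafe.get(name)
    if result["primary"] is None:
        raise ValueError("no primary mirror could be determined")
    if result["security"] is None:
        result["security"] = result["primary"]
    return result


def render_sources_list(mirrors, codename="precise"):
    """Fill the template with the resolved mirrors."""
    return Template(SOURCES_LIST_TEMPLATE).substitute(
        primary=mirrors["primary"], security=mirrors["security"],
        codename=codename)


def references_ubuntu_com(sources_list_text):
    """The check from the bug's test case: does any ubuntu.com host remain?"""
    return "ubuntu.com" in sources_list_text


if __name__ == "__main__":
    offline = resolve_mirrors(OFFLINE_PACKAGE_MIRRORS, "amd64", {})
    print(render_sources_list(offline))
    print("references ubuntu.com:", references_ubuntu_com(render_sources_list(offline)))
```

Running the block with the offline configuration renders a sources.list whose `-security` line points at the local mirror, which is the outcome the test case describes; with the default block, an `amd64` instance that can reach its EC2 regional mirror still gets `security.ubuntu.com`, because the default search list for `security` is empty and the failsafe applies.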