[Bug 1006963] Re: sources.list configuration does not cover security

Scott Moser smoser at ubuntu.com
Wed Dec 12 21:12:47 UTC 2012


** Description changed:

  === Begin SRU Information ===
  [Impact]
-  * Operating completely off-line (without access to *.ubuntu.com) is not
-    really possible with cloud-init in 12.04.  The user can specify a
-    mirror to use to cloud-init, and it will respect that input.  However,
-    it will still write 'security.ubuntu.com' entries in
-    /etc/apt/sources.list .  The fix in 12.10 was to add support for
-    declaring the security mirror in addition to the "primary" mirror.
+  * Operating completely off-line (without access to *.ubuntu.com) is not
+    really possible with cloud-init in 12.04.  The user can specify a
+    mirror to use to cloud-init, and it will respect that input.  However,
+    it will still write 'security.ubuntu.com' entries in
+    /etc/apt/sources.list .  The fix in 12.10 was to add support for
+    declaring the security mirror in addition to the "primary" mirror.
  
-    Looking at the config snippet probably makes it obvious how this
-    is done.  '$security' in the templates then references the specified
-    security mirror, and the user can set that value by providing
-    cloud-config syntax formed like the default below:
+    Looking at the config snippet probably makes it obvious how this
+    is done.  '$security' in the templates then references the specified
+    security mirror, and the user can set that value by providing
+    cloud-config syntax formed like the default below:
  
-     | package_mirrors:
-     |   - arches: [i386, amd64]
-     |     failsafe:
-     |      primary: http://archive.ubuntu.com/ubuntu
-     |      security: http://security.ubuntu.com/ubuntu
-     |    search:
-     |      primary:
-     |        - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
-     |        - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
-     |      security: []
-     |  - arches: [armhf, armel, default]
-     |    failsafe:
-     |      primary: http://ports.ubuntu.com/ubuntu
-     |      security: http://ports.ubuntu.com/ubuntu
+     | package_mirrors:
+     |   - arches: [i386, amd64]
+     |     failsafe:
+     |      primary: http://archive.ubuntu.com/ubuntu
+     |      security: http://security.ubuntu.com/ubuntu
+     |    search:
+     |      primary:
+     |        - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
+     |        - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
+     |      security: []
+     |  - arches: [armhf, armel, default]
+     |    failsafe:
+     |      primary: http://ports.ubuntu.com/ubuntu
+     |      security: http://ports.ubuntu.com/ubuntu
  
-  * this will allow users on fully disconnected networks to use cloud
-    images with local mirrors without modifying the image.
+  * this will allow users on fully disconnected networks to use cloud
+    images with local mirrors without modifying the image.
  
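Review bot: The default 'package_mirrors' snippet in [Impact] is indented inconsistently, so it does not line up as one YAML list of mappings. In the first entry 'search:' sits one column to the left of 'failsafe:', and the second '- arches:' item starts one column to the left of the first. Align 'search:' with 'failsafe:' and put both '- arches:' items in the same column so the block can be copied into cloud-config as written.
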
  [Test Case]
-  To demonstrate the problem, simply launch an instance in EC2.  The
-  rendered sources.list will contain references to
-  us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
-  the default/fallback case was previously to use archive.ubuntu.com
-  and there was no changing of security.ubuntu.com at all.  The result was
-  that offline, an 'apt-get update' was guaranteed to fail even if the
-  user specified 'apt_mirror'.
+  To demonstrate the problem, simply launch an instance in EC2.  The
+  rendered sources.list will contain references to
+  us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
+  the default/fallback case was previously to use archive.ubuntu.com
+  and there was no changing of security.ubuntu.com at all.  The result was
+  that offline, an 'apt-get update' was guaranteed to fail even if the
+  user specified 'apt_mirror'.
  
-  You can demonstrate the fixed path by booting an instance with
-  user-data like the following:
-     |#cloud-config
-     |system_info:
-     | package_mirrors:
-     |   - arches: [i386, amd64]
-     |     failsafe:
-     |      primary: http://my.archive.mydomain.com/ubuntu
-     |     search:
-     |      primary: []
-     |      security: []
+  You can demonstrate the fixed path by booting an instance with
+  user-data like the following:
+     |#cloud-config
+     |system_info:
+     | package_mirrors:
+     |   - arches: [i386, amd64]
+     |     failsafe:
+     |      primary: http://my.archive.mydomain.com/ubuntu
+     |     search:
+     |      primary: []
+     |      security: []
  
-  You will see in /etc/sources.list, that there is no reference to
-  "ubuntu.com" any more.
+  You will see in /etc/sources.list, that there is no reference to
+  "ubuntu.com" any more.
  
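Review bot: The verification step at the end of [Test Case] names '/etc/sources.list', while [Impact] and the original description use '/etc/apt/sources.list'; use the full path so the check is unambiguous. The sample user-data also sets only 'primary' under 'failsafe' and gives no 'security' key, so the text should say which value '$security' takes in that case, since the claim that no "ubuntu.com" reference remains depends on it.
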
  [Regression Potential]
-  * The change in behavior could change mirror selection in undefined
-    ways.  We've not seen any issues with this path in quantal, though.
-    This code is basically the same as is running in quantal just
-    backported.
+  * The change in behavior could change mirror selection in undefined
+    ways.  We've not seen any issues with this path in quantal, though.
+    This code is basically the same as is running in quantal just
+    backported.
  
  === End SRU Information ===
  
- 
- cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'.  However, it does not allow the user to set the security.ubuntu.com entry.
+ cloud-init will attempt to update /etc/apt/sources.list from its
+ template, and allows the user to set 'apt_mirror'.  However, it does not
+ allow the user to set the security.ubuntu.com entry.
  
  This has issues in 2 places:
  a.) internal and disconnected operation (no access to security.ubuntu.com)
  b.) arm.  For arm, there is no security.ubuntu.com
  
  Related bugs:
   * bug 1028501:  cloud-init selects wrong mirrors for arm

https://bugs.launchpad.net/bugs/1006963

Title:
  sources.list configuration does not cover security
