[Bug 974509] Re: cloud-init selects wrong mirror with dns server redirection
Scott Moser
smoser at ubuntu.com
Thu Nov 8 18:14:22 UTC 2012
** Description changed:
+ === Begin SRU Information ===
+ [Impact]
+ * If a user launches a cloud-image in an environment where the DNS
+ server does DNS redirection (also known as DNS hijacking), then the
+ system will configure itself to use a mirror at
+ http://ubuntu-mirror/ubuntu .
+
+ This behavior was by design in cloud-init. It was intended to allow
+ a cloud provider to set up a mirror at 'ubuntu-mirror' and have
+ cloud-init select the mirror transparently. However, this causes
+ failure if dns hijacking is being used.
+
+ * The fix is two fold:
+ a.) cloud-init's code that checks for DNS entries is now protected
+ by logic that detects the dns hijacking and does not consider
+ such entries as valid.
+ b.) the selection of the "search dns for 'ubuntu-mirror'" behavior
+ has been disabled by default.
+
+ [Test Case]
+ * download cloud image from cloud-images.ubuntu.com, and convert for use
+ $ url="http://cloud-images.ubuntu.com/server/releases/precise/release-20121026.1/"
+ $ wget "$url/ubuntu-12.04-server-cloudimg-i386-disk1.img" -O disk.img.orig
+ $ qemu-img convert -O raw disk.img.orig disk.raw.dist
+
+ * have *some* way to add 'ubuntu-mirror' to the dns for kvm guests (or
+ just have a service provider that uses dns hijacking)
+
+ I used dnsmasq on a server system, and can control this by adding entries
+ to /etc/hosts. You need to be able to configure your system such
+ that 'host ubuntu-mirror' returns something:
+ $ host ubuntu-mirror
+ ubuntu-mirror has address 192.168.1.1
+
+ * boot kvm guest (cloud-localds from 12.10 cloud-utils)
+ $ qemu-img create -f qcow2 disk.img disk.raw.dist
+ # this user-data just sets password so you can log in
+ $ cat user-data.txt
+ #cloud-config
+ password: passw0rd
+ chpasswd: { expire: False }
+ ssh_pwauth: True
+
+ $ cloud-localds seed.img user-data.txt
+ $ kvm -m 512 -curses -drive file=seed.img,if=virtio \
+ -drive file=disk.img,if=virtio
+
+ * login and see problem.
+ looking at sources.list will show 'ubuntu-mirror' entry
+
+ [Regression Potential]
+ * A regression is possible due to this designed change in behavior. If
+ someone was expecting the 'ubuntu-mirror' mirror to be automatically
+ located they will subsequently have to take different means to
+ accomplish this. That can be either:
+ a.) modifying the image to set 'apt_mirror_search_dns: true'
+ b.) doing 'a' through user-data
+ * The change made in quantal was tested for regression as described in
+ comment 5 below.
+
+ [Other Info]
+ * The changes here also enable 2 other fixes
+ * allowing region/availability-zone to be part of mirror (bug 1037727)
+ * making mirror selection arch aware (bug #1028501)
+
+ === End SRU Information ===
+
+
+ === original bug report ===
Hi,
I have Rogers as an ISP in the great white north, and use their DNS
servers. However they run DNS redirectors so that when you get a bad
domain then it does bogus things to the hostname. Anyways this resolves
in unresolvable hosts in my /etc/apt/sources.list when I'm running an
openstack instance.
ubuntu at server-5:/var/log$ host nov.ec2.archive.ubuntu.com
nov.ec2.archive.ubuntu.com has address 8.15.7.107
nov.ec2.archive.ubuntu.com has address 63.251.179.17
Host nov.ec2.archive.ubuntu.com not found: 3(NXDOMAIN)
Host nov.ec2.archive.ubuntu.com not found: 3(NXDOMAIN)
The console output is the following:
http://paste.ubuntu.com/916324/
If you have any questions please let me know.
Regards
chuck
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cloud-init in Ubuntu.
https://bugs.launchpad.net/bugs/974509
Title:
cloud-init selects wrong mirror with dns server redirection
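
Added example (not part of the original message and not cloud-init's own code): a sketch of fix (a.) from the SRU description, where names that cannot exist are looked up first and whatever addresses come back are treated as redirect targets, so a mirror name resolving to one of them is not considered valid. The function names, the probe names, the 203.0.113.10 redirect address, the fake_dns stand-in and the fallback mirror URL are assumptions made for the illustration.

```python
import random
import socket
import string

DEFAULT_MIRROR = "http://archive.ubuntu.com/ubuntu"  # assumed fallback mirror

def probe_names():
    """Names that an honest resolver must answer with NXDOMAIN."""
    rand = "".join(random.choice(string.ascii_lowercase) for _ in range(32))
    return ["does-not-exist.example.com.", "example.invalid.", rand]

def system_resolver(name):
    """Addresses the host's resolver returns for name (empty set on failure)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except (socket.gaierror, UnicodeError):
        return set()

def redirect_addresses(resolve=system_resolver):
    """Addresses handed out for names that cannot exist: the redirect targets."""
    bad = set()
    for name in probe_names():
        bad |= resolve(name)
    return bad

def is_resolvable(name, resolve=system_resolver, bad=None):
    """True only if name resolves and none of its addresses is a redirect."""
    bad = redirect_addresses(resolve) if bad is None else bad
    addrs = resolve(name)
    return bool(addrs) and addrs.isdisjoint(bad)

def pick_mirror(candidates, resolve=system_resolver, default=DEFAULT_MIRROR):
    """First candidate host that genuinely resolves, else the default mirror."""
    bad = redirect_addresses(resolve)  # probe once, reuse for every candidate
    for host in candidates:
        if is_resolvable(host, resolve, bad):
            return "http://%s/ubuntu" % host
    return default

def fake_dns(records, wildcard=None):
    """Constructed stand-in for a DNS server; wildcard simulates redirection."""
    def resolve(name):
        hit = records.get(name.rstrip("."))
        return set(hit) if hit else ({wildcard} if wildcard else set())
    return resolve

# Constructed scenarios: 203.0.113.10 plays the ISP's redirect target.
hijacked = fake_dns({}, wildcard="203.0.113.10")
provider = fake_dns({"ubuntu-mirror": ["192.168.1.1"]}, wildcard="203.0.113.10")

if __name__ == "__main__":
    print(pick_mirror(["ubuntu-mirror"], hijacked))
    print(pick_mirror(["ubuntu-mirror"], provider))
```

Passing bad=set() to is_resolvable reproduces the unprotected check: under the hijacked resolver it reports 'ubuntu-mirror' as resolvable, which is how the bogus sources.list entry arose.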