[Bug 1006963] Re: sources.list configuration does not cover security

Fri Nov 9 00:55:17 UTC 2012

** Description changed:

- cloud-init will attempt to update /etc/apt/sources.list from its
- template, and allows the user to set 'apt_mirror'.  However, it does not
- allow the user to set the security.ubuntu.com entry.
+ === Begin SRU Information ===
+ [Impact]
+  * Operating completely off-line (without access to *.ubuntu.com) is not
+    really possible with cloud-init in 12.04.  The user can specify a
+    mirror to use to cloud-init, and it will respect that input.  However,
+    it will still write 'security.ubuntu.com' entries in
+    /etc/apt/sources.list .  The fix in 12.10 was to add support for
+    declaring the security mirror in addition to the "primary" mirror.
+ 
+    Looking at the config snippet probably makes it obvious how this
+    is done.  '$security' in the templates then references the specified
+    security mirror, and the user can set that value by providing
+    cloud-config syntax formed like the default below:
+ 
+     | package_mirrors:
+     |   - arches: [i386, amd64]
+     |     failsafe:
+     |      primary: http://archive.ubuntu.com/ubuntu
+     |      security: http://security.ubuntu.com/ubuntu
+     |    search:
+     |      primary:
+     |        - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
+     |        - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
+     |      security: []
+     |  - arches: [armhf, armel, default]
+     |    failsafe:
+     |      primary: http://ports.ubuntu.com/ubuntu
+     |      security: http://ports.ubuntu.com/ubuntu
+ 
+  * this will allow users on fully disconnected networks to use cloud
+    images with local mirrors without modifying the image.
+ 
+ [Test Case]
+  To demonstrate the problem, simply launch an instance in EC2.  The
+  rendered sources.list will contain references to
+  us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
+  the default/fallback case was previously to use archive.ubuntu.com
+  and there was no changing of security.ubuntu.com at all.  The result was
+  that offline, an 'apt-get update' was guaranteed to fail even if the
+  user specified 'apt_mirror'.
+ 
+  You can demonstrate the fixed path by booting an instance with
+  user-data like the following:
+     |#cloud-config
+     |system_info:
+     | package_mirrors:
+     |   - arches: [i386, amd64]
+     |     failsafe:
+     |      primary: http://my.archive.mydomain.com/ubuntu
+     |     search:
+     |      primary: []
+     |      security: []
+ 
+  You will see in /etc/sources.list, that there is no reference to
+  "ubuntu.com" any more.
+ 
+ [Regression Potential]
+  * The change in behavior could change mirror selection in undefined
+    ways.  We've not seen any issues with this path in quantal, though.
+    This code is basically the same as is running in quantal just
+    backported.
+ 
+ === End SRU Information ===
+ 
+ 
+ cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'.  However, it does not allow the user to set the security.ubuntu.com entry.

  This has issues in 2 places:
  a.) internal and disconnected operation (no access to security.ubuntu.com)
  b.) arm.  For arm, there is no security.ubuntu.com

- Related bugs: 
-  * bug 1028501:  cloud-init selects wrong mirrors for arm
+ Related bugs:
+  * bug 1028501:  cloud-init selects wrong mirrors for arm

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cloud-init in Ubuntu.
https://bugs.launchpad.net/bugs/1006963

Title:
  sources.list configuration does not cover security

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1006963/+subscriptions