[Bug 1006963] Re: sources.list configuration does not cover security
Scott Moser
smoser at ubuntu.com
Fri Nov 9 00:55:17 UTC 2012
** Description changed:
- cloud-init will attempt to update /etc/apt/sources.list from its
- template, and allows the user to set 'apt_mirror'. However, it does not
- allow the user to set the security.ubuntu.com entry.
+ === Begin SRU Information ===
+ [Impact]
+ * Operating completely off-line (without access to *.ubuntu.com) is not
+ really possible with cloud-init in 12.04. The user can specify a
+ mirror to use to cloud-init, and it will respect that input. However,
+ it will still write 'security.ubuntu.com' entries in
+ /etc/apt/sources.list . The fix in 12.10 was to add support for
+ declaring the security mirror in addition to the "primary" mirror.
+
+ Looking at the config snippet probably makes it obvious how this
+ is done. '$security' in the templates then references the specified
+ security mirror, and the user can set that value by providing
+ cloud-config syntax formed like the default below:
+
+ | package_mirrors:
+ | - arches: [i386, amd64]
+ | failsafe:
+ | primary: http://archive.ubuntu.com/ubuntu
+ | security: http://security.ubuntu.com/ubuntu
+ | search:
+ | primary:
+ | - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
+ | - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
+ | security: []
+ | - arches: [armhf, armel, default]
+ | failsafe:
+ | primary: http://ports.ubuntu.com/ubuntu
+ | security: http://ports.ubuntu.com/ubuntu
+
+ * this will allow users on fully disconnected networks to use cloud
+ images with local mirrors without modifying the image.
+
+ [Test Case]
+ To demonstrate the problem, simply launch an instance in EC2. The
+ rendered sources.list will contain references to
+ us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
+ the default/fallback case was previously to use archive.ubuntu.com
+ and there was no changing of security.ubuntu.com at all. The result was
+ that offline, an 'apt-get update' was guaranteed to fail even if the
+ user specified 'apt_mirror'.
+
+ You can demonstrate the fixed path by booting an instance with
+ user-data like the following:
+ |#cloud-config
+ |system_info:
+ | package_mirrors:
+ | - arches: [i386, amd64]
+ | failsafe:
+ | primary: http://my.archive.mydomain.com/ubuntu
+ | search:
+ | primary: []
+ | security: []
+
+ You will see in /etc/sources.list, that there is no reference to
+ "ubuntu.com" any more.
+
+ [Regression Potential]
+ * The change in behavior could change mirror selection in undefined
+ ways. We've not seen any issues with this path in quantal, though.
+ This code is basically the same as is running in quantal just
+ backported.
+
+ === End SRU Information ===
+
+
+ cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry.
This has issues in 2 places:
a.) internal and disconnected operation (no access to security.ubuntu.com)
b.) arm. For arm, there is no security.ubuntu.com
- Related bugs:
- * bug 1028501: cloud-init selects wrong mirrors for arm
+ Related bugs:
+ * bug 1028501: cloud-init selects wrong mirrors for arm
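Review bot: The last sentence of [Test Case] gives the path as /etc/sources.list, while [Impact] and the original description both use /etc/apt/sources.list; correct the path so the verification step names the file cloud-init actually renders. The test-case user-data also sets only `primary` under `failsafe`, whereas the default shown in [Impact] sets both `primary` and `security`. Either add a `security:` line under `failsafe` in the example or state what the security entry resolves to when it is omitted, because the expected result (no reference to "ubuntu.com") depends on it.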
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cloud-init in Ubuntu.
https://bugs.launchpad.net/bugs/1006963
Title:
sources.list configuration does not cover security