Activity log for bug #1757534

Date Who What changed Old value New value Message
2018-03-21 20:44:51 Dmitrii Shcherbakov bug added bug
2018-03-21 20:45:01 Dmitrii Shcherbakov bug task added juju
2018-03-21 20:49:23 Dmitrii Shcherbakov attachment added userdata.yaml https://bugs.launchpad.net/snapd/+bug/1757534/+attachment/5086274/+files/userdata.yaml
2018-03-21 20:50:45 Dmitrii Shcherbakov description Continuing the theme of limited trust deployments which have fixed white lists of hostnames or IP ranges (https://pad.lv/1737332) there needs to be a way to set SNAPPY_STORE_NO_CDN=1 via core snap before any snap is installed. Even if we set a proxy server to be the right one, snap download requests will still go to CDNs after snap store instructs snapd to do so. Not every company (especially banks, telcos and other security-cautious company types) will allow TCP 443 rules to an unspecified number of hosts, moreover, with CDNs instances of new package distribution hosts are added and removed dynamically and static IP-based firewalls will cause problems with that. DNS-based firewalling is implemented via periodic resolution which is not accurate (YMMV with TTL and firewall implementation) and not every client network will have that kind of functionality [1][2][3]. SNAPPY_STORE_NO_CDN https://github.com/snapcore/snapd/blob/2.31.2/store/store.go#L444 req.Header.Set("X-Ubuntu-No-CDN", strconv.FormatBool(s.noCDN)) https://github.com/snapcore/snapd/blob/2.31.2/store/store.go#L907 Snap store server side seems to react to a special HTTP header X-Ubuntu-No-CDN in which case packages are downloaded from servers that are not third-party CDN servers. There are currently no controls in core snap for that https://github.com/snapcore/snapd/blob/2.31.2/overlord/configstate/configcore/corecfg.go What can be used a substitute is the following cloud-init userdata: juju model-config cloudinit-userdata write_files: - content: | [Service] Environment=SNAPPY_STORE_NO_CDN=1 owner: "root:root" path: /etc/systemd/system/snapd.service.d/cdn.conf permissions: '0644' snap: commands: "00": apt-get install squashfuse -y "11": systemctl restart snapd See https://paste.ubuntu.com/p/CGSWSP5MDw/ It would be helpful to make this configurable via core snap (but before it is installed) and also in Juju so that people do not reinvent the wheel all the time (userdata usage is a workaround for the lack of a feature). [1] https://supportforums.cisco.com/t5/security-documents/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480 [2] https://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules [3] http://blog.ipspace.net/2016/10/using-dns-names-in-firewall-rulesets.html Continuing the theme of limited trust deployments which have fixed white lists of hostnames or IP ranges (https://pad.lv/1737332) there needs to be a way to set SNAPPY_STORE_NO_CDN=1 via core snap before any snap is installed. Even if we set a proxy server to be the right one, snap download requests will still go to CDNs after snap store instructs snapd to do so. Not every company (especially banks, telcos and other security-cautious company types) will allow TCP 443 rules to an unspecified number of hosts, moreover, with CDNs instances of new package distribution hosts are added and removed dynamically and static IP-based firewalls will cause problems with that. DNS-based firewalling is implemented via periodic resolution which is not accurate (YMMV with TTL and firewall implementation) and not every client network will have that kind of functionality [1][2][3]. SNAPPY_STORE_NO_CDN https://github.com/snapcore/snapd/blob/2.31.2/store/store.go#L444  req.Header.Set("X-Ubuntu-No-CDN", strconv.FormatBool(s.noCDN)) https://github.com/snapcore/snapd/blob/2.31.2/store/store.go#L907 Snap store server side seems to react to a special HTTP header X-Ubuntu-No-CDN in which case packages are downloaded from servers that are not third-party CDN servers. There are currently no controls in core snap for that https://github.com/snapcore/snapd/blob/2.31.2/overlord/configstate/configcore/corecfg.go What can be used a substitute is the following cloud-init userdata: juju model-config cloudinit-userdata write_files: - content: | [Service] Environment=SNAPPY_STORE_NO_CDN=1 owner: "root:root" path: /etc/systemd/system/snapd.service.d/cdn.conf permissions: '0644' packages: - squashfuse snap: commands: "00": systemctl restart snapd See https://paste.ubuntu.com/p/CGSWSP5MDw/ It would be helpful to make this configurable via core snap (but before it is installed) and also in Juju so that people do not reinvent the wheel all the time (userdata usage is a workaround for the lack of a feature). [1] https://supportforums.cisco.com/t5/security-documents/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480 [2] https://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules [3] http://blog.ipspace.net/2016/10/using-dns-names-in-firewall-rulesets.html
2018-03-22 03:48:25 Nobuto Murata bug added subscriber Nobuto Murata
2018-03-26 13:18:28 John A Meinel juju: status New Triaged
2018-03-26 13:18:30 John A Meinel juju: importance Undecided Medium
2019-09-20 08:28:34 Zygmunt Krynicki snapd: status New Triaged
2019-09-20 08:28:37 Zygmunt Krynicki snapd: importance Undecided Wishlist
2019-09-20 08:53:07 John Lenton tags cpe-onsite cpe-onsite papercut
2020-06-11 09:08:45 Ian Johnson bug added subscriber Ian Johnson
2022-11-03 15:40:54 Canonical Juju QA Bot juju: importance Medium Low
2022-11-03 15:40:55 Canonical Juju QA Bot tags cpe-onsite papercut cpe-onsite expirebugs-bot papercut