Subiquity crashes when using local apt mirror created with aptly

Bug #1991813 reported by Fabio Augusto Miranda Martins
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| subiquity | Triaged | Wishlist | Unassigned | |

Bug Description

Instead of simply mirroring an apt repository (such as what apt-mirror does), aptly will download the debs, create its own structure and then generate new Release/InRelease files and sign them with its own locally generated gpg key.

If you use subiquity to install a server and point it to a local mirror created with aptly, there's no way for you to provide the gpg key and pass apt.conf.d arguments to let it install.

As a consequence, subiquity crashes when attempting to run "apt-get update" in-target:

2022-10-05 13:50:18,233 ERROR root:39 finish: subiquity/Install/install/configure_apt: FAIL: Command '['/snap/subiquity/3119/usr/bin/python3.8', '-m', 'curtin', '--showtrace', '-vvv', '--set', 'json:reporting={"subiquity": {"type": "journald", "identifier": "curtin_event.1978.2"}}', 'in-target', '-t', '/tmp/tmpwpa9zwq_/mount', '--', 'apt-get', 'update']' returned non-zero exit status 100.

More details:

https://pastebin.ubuntu.com/p/Mb7VDBk2WS/

Crash report:

https://paste.ubuntu.com/p/sWtkbdNsqt/

Attempt to manually run the command (trying to mimic what subiquity does):

https://pastebin.ubuntu.com/p/PFytv3Ph5r/

Using the following information in a user-data through an automated install will work:

```yaml
apt:
  primary:
  - arches: [amd64, i386, default]
    uri: http://192.168.123.237/ubuntu
  security:
  - arches: [amd64, i386, default]
    uri: http://192.168.123.237/ubuntu
  geoip: false
  disable_suites: [backports, proposed]
  disable_components: [restricted, universe, multiverse]
  conf: | # APT config
    Acquire::Check-Valid-Until "false";
    Acquire::AllowInsecureRepositories "true";
    Acquire::AllowDowngradeToInsecureRepositories "true";
    Acquire::AllowReleaseInfoChange "true";
  sources:
    additional-repo.list:
      source: "deb http://192.168.123.237/ bionic main"
    localrepokey:
      key: | # full key as block
```

Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

I think the answer here has to be some kind of modified ISO. It's not like we're going to get the user to type the public key in by hand, or even a fingerprint to be fetched from the keyserver (I guess we _could_ display the fingerprint of the key that signed the repo and ask the user if they trust it but .... hmm).

Michael Hudson-Doyle (mwhudson) wrote :

I guess it also makes sense to ask, what is the d-i solution here?

Dan Bungert (dbungert) wrote :

For the Subiquity TUI, I would argue that this is working as intended. This could also be the case of a hostile mirror. See also the hoops that the browsers make users jump through before accepting a self-signed certificate.

For autoinstall we need to be able to support what you've done in sources -> localrepokey, so that part is fine.

I think we should mark this Wishlist as I think it's worth thinking about, but we need to make it clear that there is a degree of danger involved and the user shouldn't accept the key lightly.

Changed in subiquity:
importance: Undecided → Wishlist
status: New → Triaged
Fabio Augusto Miranda Martins (fabio.martins) wrote (last edit):

On the following question:

> what is the d-i solution here?

I believe for that you need to pass "debian-installer/allow_unauthenticated=true" to the installer cmdline, and then it will accept such insecure apt mirror during the installation process.

Mauricio Faria de Oliveira (mfo) wrote :

Hi Dan, Michael,

What are your thoughts on a new subiquity view, right after the archive mirror view, that asks the user for the URL to its public signing key?

We could enable it (or not) by auto-detecting if the mirror uses a public key known to subiquity (e.g., download Ubuntu Archive keys at build time).

Thanks!

Bruno Travouillon (actatux) wrote :

Hello,

While working on the upgrade to 22.04, I hit the same issue.

> what is the d-i solution here?

With 18.04 and 20.04, I use d-i preseed/early_command to write a general purpose run-parts hook:

```
  # Aptly repos are signed with ACME GPG key. Import Aptly keyring in the installer.
  d-i preseed/early_command string \
    wget -O /usr/share/keyrings/$breed-archive-keyring.gpg http://mirror.acme.tld/repos/acme/aptly-archive-keyring.gpg; \
    echo '#!/bin/sh' > /usr/lib/base-installer.d/09apt-key; \
    echo 'set -x' >> /usr/lib/base-installer.d/09apt-key; \
    echo 'set -e' >> /usr/lib/base-installer.d/09apt-key; \
    echo 'mkdir -p /target/etc/apt/trusted.gpg.d/' >> /usr/lib/base-installer.d/09apt-key; \
    echo 'cp /usr/share/keyrings/$breed-archive-keyring.gpg /target/etc/apt/trusted.gpg.d/aptly-archive-keyring.gpg' >> /usr/lib/base-installer.d/09apt-key; \
    chmod +x /usr/lib/base-installer.d/09apt-key
```

The commit message of this change in our codebase:

> The import of the keyring into the debian-installer does not imply that
> the keyring will be available in the system once installed. Inject a
> run-parts hook named `09apt-key` in the base-installer to copy the
> keyring to the appropriate location. This will allow to install the
> security updates during the installation process.

I searched through subiquity and curtin documentation but did not find how to mimic the run-parts hooks.

HtH

Bruno Travouillon (actatux) wrote :

Looking further, the documentation at https://ubuntu.com/server/docs/install/autoinstall-reference#apt is not explicit. One must follow the link to https://curtin.readthedocs.io/en/latest/topics/apt_source.html where the configuration of a PGP key is documented.

It is then possible to install 22.04 with an internal repo managed by Aptly. The only caveat is that the parameter "Acquire::AllowReleaseInfoChange "true";" must be defined because Aptly rewrites the Release files when publishing a repo, which indeed crashes the installer. To my understanding this is related to Aptly, not to Ubuntu.

I have been able to complete an unattended install through PXE with the user-data file below:
```yaml
#cloud-config
autoinstall:
  apt:
    primary:
      - arches: [default]
        uri: "http://mirror.acme.tld/mirror/ubuntu/"
    conf: |
      Acquire::AllowReleaseInfoChange "true";
    sources:
      aptlyrepokey:
        key: | # fill key as block
          -----BEGIN PGP PUBLIC KEY BLOCK-----

          [...redacted for readability...]
          -----END PGP PUBLIC KEY BLOCK-----
  identity:
    hostname: dummy02
    password: $1$QuiloverocknrollTs5nMdFgH/
    username: ubuntu
  [... some other parameters not relevant here...]
  version: 1
```
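The two `apt:` sections in this thread show the weak and the corrected way to point an autoinstall at an Aptly-published mirror: the bug description switches off apt's signature and expiry checks with `Acquire::AllowInsecureRepositories`, `AllowDowngradeToInsecureRepositories` and `Check-Valid-Until "false"`, while the working user-data above supplies the Aptly signing key under `sources` and only sets `Acquire::AllowReleaseInfoChange`. The following is an added example, written for this page and not code from subiquity, curtin or aptly: it parses the apt.conf fragment under `conf:` and audits an autoinstall `apt:` dict for those settings and for a non-archive mirror that has no key declared. Both configurations are transcribed from the thread with placeholder key blocks; the archive host list, the severities and the `is_ubuntu_archive` heuristic are my assumptions (a faithful apt-mirror style copy that keeps the archive's own signatures would be flagged by the "no key declared" check as well).

```python
"""Audit the apt: section of a subiquity autoinstall user-data.

Added example, not code from subiquity, curtin or aptly. The `conf:` text
is parsed as an apt.conf fragment and the section is checked for settings
that turn off apt's signature or freshness checks, and for a non-archive
mirror that has no signing key declared under apt.sources.
"""
import re

# Acquire options that switch off apt's signature verification outright.
INSECURE_ACQUIRE_OPTIONS = {
    "Acquire::AllowInsecureRepositories",
    "Acquire::AllowDowngradeToInsecureRepositories",
}

# Hosts whose Release files are signed with keys the installer already trusts (assumed list).
ARCHIVE_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com", "ports.ubuntu.com"}

# One `Option "value";` statement per line, optionally followed by a # comment.
_CONF_LINE = re.compile(r'^([A-Za-z0-9_:\-]+)\s+"([^"]*)"\s*;\s*(?:#.*)?$')


def parse_apt_conf(text):
    """Parse an apt.conf fragment into {option: value}.

    Blank lines and # or // comments are skipped; any other line that is not
    a quoted one-option-per-line statement raises ValueError, so a typo in
    user-data is caught before an install is attempted.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue
        match = _CONF_LINE.match(line)
        if not match:
            raise ValueError("unparseable apt.conf line: %r" % raw)
        options[match.group(1)] = match.group(2)
    return options


def is_ubuntu_archive(uri):
    """True when the mirror host is an official archive host (heuristic)."""
    host = re.sub(r"^[a-z]+://", "", uri).split("/")[0].lower()
    return host in ARCHIVE_HOSTS or host.endswith(".archive.ubuntu.com")


def audit_apt_section(apt):
    """Return (severity, message) findings for an autoinstall `apt:` dict."""
    findings = []
    conf = parse_apt_conf(apt.get("conf") or "")
    for option in sorted(conf):
        value = conf[option].lower()
        if option in INSECURE_ACQUIRE_OPTIONS and value == "true":
            findings.append(("high", option + " is enabled: unsigned or unverifiable mirrors are accepted"))
        elif option == "Acquire::AllowReleaseInfoChange" and value == "true":
            findings.append(("info", option + " is enabled: Origin/Label/Suite changes in Release are accepted without prompting"))
    if conf.get("Acquire::Check-Valid-Until", "true").lower() == "false":
        findings.append(("medium", "Acquire::Check-Valid-Until is disabled: expired Release files are accepted"))

    # Keys declared in curtin's `sources: <name>: key: |` form.
    sources = apt.get("sources") or {}
    keys = [name for name, src in sources.items() if isinstance(src, dict) and src.get("key")]

    # A mirror that is not an archive host needs its signing key supplied,
    # unless it is a faithful copy that keeps the archive's own signatures.
    for pocket in ("primary", "security"):
        for entry in apt.get(pocket) or []:
            uri = entry.get("uri", "")
            if uri and not is_ubuntu_archive(uri) and not keys:
                findings.append(("high", "%s mirror %s is not an archive host and no key is declared under apt.sources" % (pocket, uri)))
    return findings


# Constructed from the apt section in the bug description; the key block is a placeholder.
PLACEHOLDER_KEY = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n[placeholder]\n-----END PGP PUBLIC KEY BLOCK-----\n"
REPORTER_APT = {
    "primary": [{"arches": ["amd64", "i386", "default"], "uri": "http://192.168.123.237/ubuntu"}],
    "security": [{"arches": ["amd64", "i386", "default"], "uri": "http://192.168.123.237/ubuntu"}],
    "conf": (
        'Acquire::Check-Valid-Until "false";\n'
        'Acquire::AllowInsecureRepositories "true";\n'
        'Acquire::AllowDowngradeToInsecureRepositories "true";\n'
        'Acquire::AllowReleaseInfoChange "true";\n'
    ),
    "sources": {
        "additional-repo.list": {"source": "deb http://192.168.123.237/ bionic main"},
        "localrepokey": {"key": PLACEHOLDER_KEY},
    },
}

# Constructed from the working user-data in the last comment: key supplied, no insecure options.
HARDENED_APT = {
    "primary": [{"arches": ["default"], "uri": "http://mirror.acme.tld/mirror/ubuntu/"}],
    "conf": 'Acquire::AllowReleaseInfoChange "true";\n',
    "sources": {"aptlyrepokey": {"key": PLACEHOLDER_KEY}},
}

if __name__ == "__main__":
    for name, section in (("bug description", REPORTER_APT), ("hardened", HARDENED_APT)):
        print(name)
        for severity, message in audit_apt_section(section) or [("ok", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

Run it as a script to see both sections audited side by side; the bug description's section produces two high and one medium finding, the hardened one only the informational note about `AllowReleaseInfoChange`, which this thread explains is needed because Aptly regenerates the Release files on publish.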
