sources.list configuration does not cover security

Bug #1006963 reported by Scott Moser
Affects               Status        Importance  Assigned to  Milestone
cloud-init            Fix Released  Medium      Unassigned
cloud-init (Ubuntu)   Fix Released  Medium      Unassigned
Precise               Fix Released  Medium      Unassigned

Bug Description

=== Begin SRU Information ===
[Impact]
 * Operating completely off-line (without access to *.ubuntu.com) is not
   really possible with cloud-init in 12.04. The user can specify a
   mirror to use to cloud-init, and it will respect that input. However,
   it will still write 'security.ubuntu.com' entries in
   /etc/apt/sources.list . The fix in 12.10 was to add support for
   declaring the security mirror in addition to the "primary" mirror.

   Looking at the config snippet probably makes it obvious how this
   is done. '$security' in the templates then references the specified
   security mirror, and the user can set that value by providing
   cloud-config syntax formed like the default below:

    | package_mirrors:
    |   - arches: [i386, amd64]
    |     failsafe:
    |       primary: http://archive.ubuntu.com/ubuntu
    |       security: http://security.ubuntu.com/ubuntu
    |     search:
    |       primary:
    |         - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
    |         - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
    |       security: []
    |   - arches: [armhf, armel, default]
    |     failsafe:
    |       primary: http://ports.ubuntu.com/ubuntu
    |       security: http://ports.ubuntu.com/ubuntu

 * this will allow users on fully disconnected networks to use cloud
   images with local mirrors without modifying the image.

[Test Case]
 To demonstrate the problem, simply launch an instance in EC2. The
 rendered sources.list will contain references to
 us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com.
 The default/fallback case was previously to use archive.ubuntu.com
 and there was no changing of security.ubuntu.com at all. The result was
 that offline, an 'apt-get update' was guaranteed to fail even if the
 user specified 'apt_mirror'.

 You can demonstrate the fixed path by booting an instance with
 user-data like the following:
    |#cloud-config
    |system_info:
    |  package_mirrors:
    |    - arches: [i386, amd64]
    |      failsafe:
    |        primary: http://my.archive.mydomain.com/ubuntu
    |        security: http://my.archive.mydomain.com/ubuntu
    |      search:
    |        primary: []
    |        security: []

 You will see in /etc/sources.list, that there is no reference to
 "ubuntu.com" any more.

[Regression Potential]
 * The change in behavior could change mirror selection in undefined
   ways. We've not seen any issues with this path in quantal, though.
   This code is basically the same as is running in quantal just
   backported.

=== End SRU Information ===

cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry.

This has issues in 2 places:
a.) internal and disconnected operation (no access to security.ubuntu.com)
b.) arm. For arm, there is no security.ubuntu.com

Related bugs:
 * bug 1028501: cloud-init selects wrong mirrors for arm
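The following is an added worked example, not cloud-init's own code, that models the mirror selection the SRU text describes: a per-arch `package_mirrors` entry, a `search` list of candidate URLs with `%(ec2_region)s` / `%(availability_zone)s` placeholders, a `failsafe` fallback, and a sources.list template that can reference both `$primary` and `$security`. The reachability probe is passed in as a callable (an assumption made so the example runs offline; real cloud-init checks candidate mirrors over the network), the template is a constructed three-line stand-in for sources.list.tmpl, and `offsite_hosts` is a helper written here to perform the "no reference to ubuntu.com any more" check from the test case.

```python
"""Model of cloud-init's package_mirrors selection (illustration only)."""
from string import Template

# Constructed: the Ubuntu default from the bug description, as Python data.
DEFAULT_MIRRORS = [
    {"arches": ["i386", "amd64"],
     "failsafe": {"primary": "http://archive.ubuntu.com/ubuntu",
                  "security": "http://security.ubuntu.com/ubuntu"},
     "search": {"primary": [
                    "http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/",
                    "http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/"],
                "security": []}},
    {"arches": ["armhf", "armel", "default"],
     "failsafe": {"primary": "http://ports.ubuntu.com/ubuntu",
                  "security": "http://ports.ubuntu.com/ubuntu"}},
]

# Constructed: the disconnected-site user-data from the [Test Case].
OFFLINE_MIRRORS = [
    {"arches": ["i386", "amd64"],
     "failsafe": {"primary": "http://my.archive.mydomain.com/ubuntu",
                  "security": "http://my.archive.mydomain.com/ubuntu"},
     "search": {"primary": [], "security": []}},
]

# Constructed stand-in for sources.list.tmpl; the real template is longer.
TEMPLATE = """\
deb $primary $codename main
deb $primary $codename-updates main
deb $security $codename-security main
"""


def _entry_for_arch(mirrors, arch):
    """First entry listing arch, else the entry whose arches include 'default'."""
    for entry in mirrors:
        if arch in entry["arches"]:
            return entry
    for entry in mirrors:
        if "default" in entry["arches"]:
            return entry
    raise KeyError("no mirror entry for %s and no default entry" % arch)


def select_mirrors(mirrors, arch, metadata, reachable):
    """Return (primary, security) for arch.

    Each search candidate gets the datasource metadata substituted in and is
    accepted if reachable(url) is true; an empty or missing search list, or no
    reachable candidate, falls through to the failsafe value for that kind.
    """
    entry = _entry_for_arch(mirrors, arch)
    chosen = {}
    for kind in ("primary", "security"):
        chosen[kind] = entry["failsafe"][kind]
        for candidate in entry.get("search", {}).get(kind, []):
            try:
                url = candidate % metadata
            except KeyError:
                continue  # placeholder the datasource did not supply
            if reachable(url):
                chosen[kind] = url
                break
    return chosen["primary"], chosen["security"]


def render_sources_list(primary, security, codename="precise"):
    """Fill $primary/$security/$codename the way the template does."""
    return Template(TEMPLATE).substitute(
        primary=primary, security=security, codename=codename)


def offsite_hosts(rendered, allowed_suffix):
    """Hosts on deb/deb-src lines not under allowed_suffix (the offline check)."""
    hosts = set()
    for line in rendered.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("deb", "deb-src"):
            host = parts[1].split("//", 1)[1].split("/", 1)[0]
            if not host.endswith(allowed_suffix):
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    ec2 = {"ec2_region": "us-east-1", "availability_zone": "us-east-1a"}
    # Default config on EC2: region mirror for primary, security.ubuntu.com kept.
    p, s = select_mirrors(DEFAULT_MIRRORS, "amd64", ec2, reachable=lambda u: True)
    print(render_sources_list(p, s))
    # Disconnected site: both mirrors local, nothing points at ubuntu.com.
    p, s = select_mirrors(OFFLINE_MIRRORS, "amd64", ec2, reachable=lambda u: False)
    print(offsite_hosts(render_sources_list(p, s), "mydomain.com"))
```

Running the script shows the two cases side by side: with the default config the security lines still name security.ubuntu.com even when the primary search succeeds, which is exactly why the security mirror needed to become user-settable; with the offline user-data `offsite_hosts` returns an empty list. The arch lookup also shows why the `[armhf, armel, default]` entry matters: an arch with no explicit entry lands on ports.ubuntu.com for both mirrors.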

Scott Moser (smoser)
summary: - cloud-init sources.list configuration does not cover security
+ sources.list configuration does not cover security
Scott Moser (smoser)
Changed in cloud-init:
status: New → Triaged
importance: Undecided → Medium
description: updated
Revision history for this message
Scott Moser (smoser) wrote :

This is fixed now in trunk and in quantal.
The string 'security' can now be used to refer to the security mirror in the template in /etc/cloud/templates/sources.list.tmpl.

And, ubuntu's /etc/cloud/cloud.cfg contains:
system_info:
   package_mirrors:
     - arches: [i386, amd64]
       failsafe:
         primary: http://archive.ubuntu.com/ubuntu
         security: http://security.ubuntu.com/ubuntu

Changed in cloud-init:
status: Triaged → Fix Committed
Scott Moser (smoser)
Changed in cloud-init:
status: Fix Committed → Fix Released
Scott Moser (smoser)
Changed in cloud-init (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
Scott Moser (smoser)
Changed in cloud-init (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
Scott Moser (smoser)
description: updated
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Scott, or anyone else affected,

Accepted cloud-init into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/cloud-init/0.6.3-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in cloud-init (Ubuntu Precise):
status: Triaged → Fix Committed
tags: added: verification-needed
Scott Moser (smoser)
description: updated
Scott Moser (smoser)
description: updated
Revision history for this message
Scott Moser (smoser) wrote :

verified this is fixed:
$ dpkg-query --show cloud-init
cloud-init 0.6.3-0ubuntu1.2
$ ec2metadata --user-data
#cloud-config
system_info:
 package_mirrors:
   - arches: [i386, amd64]
     failsafe:
      primary: http://my.archive.mydomain.com/ubuntu
      security: http://my.archive.mydomain.com/ubuntu
     search:
      primary: []
      security: []
$ grep "^[^#]*security" /etc/apt/sources.list
deb http://my.archive.mydomain.com/ubuntu precise-security main
deb-src http://my.archive.mydomain.com/ubuntu precise-security main
deb http://my.archive.mydomain.com/ubuntu precise-security universe
deb-src http://my.archive.mydomain.com/ubuntu precise-security universe

tags: added: verification-done
removed: verification-needed
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Hello Scott, or anyone else affected,

Accepted cloud-init into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/cloud-init/0.6.3-0ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: removed: verification-done
tags: added: verification-needed
Scott Moser (smoser)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.6.3-0ubuntu1.3

---------------
cloud-init (0.6.3-0ubuntu1.3) precise-proposed; urgency=low

  * debian/patches/lp-1070345-landscape-restart-after-change.patch,
    debian/patches/lp-1066115-landscape-install-fix-perms.patch:
    fix missing or incorrect imports (LP: #1070345, LP: #1066115).

cloud-init (0.6.3-0ubuntu1.2) precise-proposed; urgency=low

  * debian/patches/lp-978127-maas-oauth-fix-bad-clock.patch: fix usage of
    oauth in maas data source if local system has a bad clock (LP: #978127)
  * debian/cloud-init.preinst: fix bug where user data scripts re-ran on
    upgrade from 10.04 versions (LP: #1049146)
  * debian/patches/lp-974509-detect-dns-server-redirection.patch: detect dns
    server redirection and disable searching dns for a mirror named
    'ubuntu-mirror' (LP: #974509)
  * debian/patches/lp-1018554-shutdown-message-to-console.patch: write a
    message to the console on system shutdown. (LP: #1018554)
  * debian/patches/lp-1066115-landscape-install-fix-perms.patch: install
    landscape package if needed which will ensure proper permissions on config
    file (LP: #1066115).
  * debian/patches/lp-1070345-landscape-restart-after-change.patch: restart
    landscape after modifying config (LP: #1070345)
  * debian/patches/lp-1073077-zsh-workaround-for-locale_warn.patch: avoid
    warning when user's shell is zsh (LP: #1073077)
  * debian/patches/rework-mirror-selection.patch: improve mirror selection by:
    * allowing region/availability-zone to be part of mirror (LP: #1037727)
    * making mirror selection arch aware (LP: #1028501)
    * allow specification of a security mirror (LP: #1006963)
 -- Scott Moser <email address hidden> Thu, 13 Dec 2012 12:16:56 -0500

Changed in cloud-init (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
James Falcon (falcojr) wrote :