
yahoo-eng-team team mailing list archive

[Bug 1006963] Re: sources.list configuration does not cover security


This bug was fixed in the package cloud-init - 0.6.3-0ubuntu1.3

---------------
cloud-init (0.6.3-0ubuntu1.3) precise-proposed; urgency=low

  * debian/patches/lp-1070345-landscape-restart-after-change.patch,
    debian/patches/lp-1066115-landscape-install-fix-perms.patch:
    fix missing or incorrect imports (LP: #1070345, LP: #1066115).

cloud-init (0.6.3-0ubuntu1.2) precise-proposed; urgency=low

  * debian/patches/lp-978127-maas-oauth-fix-bad-clock.patch: fix usage of
    oauth in maas data source if local system has a bad clock (LP: #978127)
  * debian/cloud-init.preinst: fix bug where user data scripts re-ran on
    upgrade from 10.04 versions (LP: #1049146)
  * debian/patches/lp-974509-detect-dns-server-redirection.patch: detect dns
    server redirection and disable searching dns for a mirror named
    'ubuntu-mirror' (LP: #974509)
  * debian/patches/lp-1018554-shutdown-message-to-console.patch: write a
    message to the console on system shutdown. (LP: #1018554)
  * debian/patches/lp-1066115-landscape-install-fix-perms.patch: install
    landscape package if needed which will ensure proper permissions on config
    file (LP: #1066115).
  * debian/patches/lp-1070345-landscape-restart-after-change.patch: restart
    landscape after modifying config (LP: #1070345)
  * debian/patches/lp-1073077-zsh-workaround-for-locale_warn.patch: avoid
    warning when user's shell is zsh (LP: #1073077)
  * debian/patches/rework-mirror-selection.patch: improve mirror selection by:
    * allowing region/availability-zone to be part of mirror (LP: #1037727)
    * making mirror selection arch aware (LP: #1028501)
    * allow specification of a security mirror (LP: #1006963)
 -- Scott Moser <smoser@xxxxxxxxxx>   Thu, 13 Dec 2012 12:16:56 -0500

** Changed in: cloud-init (Ubuntu Precise)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1006963

Title:
  sources.list configuration does not cover security

Status in Init scripts for use on cloud images:
  Fix Released
Status in “cloud-init” package in Ubuntu:
  Fix Released
Status in “cloud-init” source package in Precise:
  Fix Released

Bug description:
  === Begin SRU Information ===
  [Impact]
   * Operating completely off-line (without access to *.ubuntu.com) is not
     really possible with cloud-init in 12.04.  The user can specify a
     mirror to use to cloud-init, and it will respect that input.  However,
     it will still write 'security.ubuntu.com' entries in
     /etc/apt/sources.list.  The fix in 12.10 was to add support for
     declaring the security mirror in addition to the "primary" mirror.

     Looking at the config snippet probably makes it obvious how this
     is done.  '$security' in the templates then references the specified
     security mirror, and the user can set that value by providing
     cloud-config syntax formed like the default below:

      | package_mirrors:
      |   - arches: [i386, amd64]
      |     failsafe:
      |       primary: http://archive.ubuntu.com/ubuntu
      |       security: http://security.ubuntu.com/ubuntu
      |     search:
      |       primary:
      |         - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
      |         - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
      |       security: []
      |   - arches: [armhf, armel, default]
      |     failsafe:
      |       primary: http://ports.ubuntu.com/ubuntu
      |       security: http://ports.ubuntu.com/ubuntu

   * this will allow users on fully disconnected networks to use cloud
     images with local mirrors without modifying the image.

  [Test Case]
   To demonstrate the problem, simply launch an instance in EC2.  The
   rendered sources.list will contain references to
   us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com.
   The default/fallback case was previously to use archive.ubuntu.com
   and there was no changing of security.ubuntu.com at all.  The result was
   that offline, an 'apt-get update' was guaranteed to fail even if the
   user specified 'apt_mirror'.

   You can demonstrate the fixed path by booting an instance with
   user-data like the following:
      |#cloud-config
      |system_info:
      | package_mirrors:
      |   - arches: [i386, amd64]
      |     failsafe:
      |      primary: http://my.archive.mydomain.com/ubuntu
      |      security: http://my.archive.mydomain.com/ubuntu
      |     search:
      |      primary: []
      |      security: []

   You will see in /etc/sources.list that there is no reference to
   "ubuntu.com" any more.
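The two package_mirrors snippets above (the default and the fully local one) can be exercised with the following added example; it is not cloud-init's own code but a model of the search-then-failsafe selection the config describes, with the reachability probe supplied by the caller so it runs offline, and with a constructed sources.list template that uses the $primary/$security placeholders the fix introduces.

```python
from string import Template

# Constructed config with the same shape as the default in the bug description.
PACKAGE_MIRRORS = [
    {"arches": ["i386", "amd64"],
     "failsafe": {"primary": "http://archive.ubuntu.com/ubuntu",
                  "security": "http://security.ubuntu.com/ubuntu"},
     "search": {"primary": [
         "http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/",
         "http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/"],
                "security": []}},
    {"arches": ["armhf", "armel", "default"],
     "failsafe": {"primary": "http://ports.ubuntu.com/ubuntu",
                  "security": "http://ports.ubuntu.com/ubuntu"}},
]
# Constructed template using the $primary/$security placeholders.
SOURCES_TEMPLATE = "deb $primary $codename main\ndeb $security $codename-security main\n"

def entry_for_arch(mirrors, arch):
    """Pick the entry listing arch, else the one listing 'default'."""
    for wanted in (arch, "default"):
        for entry in mirrors:
            if wanted in entry["arches"]:
                return entry
    raise ValueError("no package_mirrors entry for %s" % arch)

def select_mirrors(mirrors, arch, subst, reachable):
    """Return {'primary': url, 'security': url} for arch; subst holds ec2_region /
    availability_zone, reachable(url) -> bool is caller-supplied. The failsafe
    URL is used when no search candidate can be rendered and reached."""
    entry = entry_for_arch(mirrors, arch)
    chosen = {}
    for kind in ("primary", "security"):
        for candidate in entry.get("search", {}).get(kind, []):
            try:
                url = candidate % subst
            except KeyError:  # e.g. no availability_zone known on this platform
                continue
            if reachable(url):
                chosen[kind] = url
                break
        else:  # no (or no reachable) candidate: fall back to failsafe
            chosen[kind] = entry["failsafe"][kind]
    return chosen

def render_sources_list(mirrors, arch, codename, subst, reachable):
    sel = select_mirrors(mirrors, arch, subst, reachable)
    return Template(SOURCES_TEMPLATE).substitute(codename=codename, **sel)
```

With an empty search list and a local failsafe for both primary and security, the rendered file contains no ubuntu.com reference at all, which is the offline behaviour the fix enables.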

  [Regression Potential]
   * The change in behavior could change mirror selection in undefined
     ways.  We've not seen any issues with this path in quantal, though.
     This code is basically the same as is running in quantal just
     backported.

  === End SRU Information ===

  cloud-init will attempt to update /etc/apt/sources.list from its
  template, and allows the user to set 'apt_mirror'.  However, it does
  not allow the user to set the security.ubuntu.com entry.

  This has issues in 2 places:
  a.) internal and disconnected operation (no access to security.ubuntu.com)
  b.) arm.  For arm, there is no security.ubuntu.com

  Related bugs:
   * bug 1028501:  cloud-init selects wrong mirrors for arm

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1006963/+subscriptions