2012-05-31 15:11:41 |
Scott Moser |
bug |
|
|
added bug |
2012-05-31 15:12:10 |
Scott Moser |
summary |
cloud-init sources.list configuration does not cover security |
sources.list configuration does not cover security |
|
2012-08-16 13:37:11 |
Scott Moser |
cloud-init: status |
New |
Triaged |
|
2012-08-16 13:37:25 |
Scott Moser |
cloud-init: importance |
Undecided |
Medium |
|
2012-08-16 13:39:19 |
Scott Moser |
description |
cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry.
This has issues in 2 places:
a.) internal and disconnected operation (no access to security.ubuntu.com)
b.) arm. For arm, there is no security.ubuntu.com. |
cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry.
This has issues in 2 places:
a.) internal and disconnected operation (no access to security.ubuntu.com)
b.) arm. For arm, there is no security.ubuntu.com
Related bugs:
* bug 1028501: cloud-init selects wrong mirrors for arm |
|
2012-08-22 19:31:11 |
Launchpad Janitor |
branch linked |
|
lp:cloud-init |
|
2012-08-23 05:07:58 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/cloud-init |
|
2012-09-24 17:24:52 |
Scott Moser |
cloud-init: status |
Triaged |
Fix Committed |
|
2012-10-01 18:24:28 |
Scott Moser |
cloud-init: status |
Fix Committed |
Fix Released |
|
2012-10-12 20:11:55 |
Scott Moser |
bug task added |
|
cloud-init (Ubuntu) |
|
2012-10-12 20:12:32 |
Scott Moser |
cloud-init (Ubuntu): status |
New |
Fix Released |
|
2012-10-12 20:12:37 |
Scott Moser |
cloud-init (Ubuntu): importance |
Undecided |
Medium |
|
2012-10-12 20:25:00 |
Scott Moser |
nominated for series |
|
Ubuntu Precise |
|
2012-10-12 20:25:00 |
Scott Moser |
bug task added |
|
cloud-init (Ubuntu Precise) |
|
2012-10-12 20:25:15 |
Scott Moser |
cloud-init (Ubuntu Precise): status |
New |
Triaged |
|
2012-10-12 20:25:18 |
Scott Moser |
cloud-init (Ubuntu Precise): importance |
Undecided |
Medium |
|
2012-11-06 21:47:48 |
Launchpad Janitor |
branch linked |
|
lp:~smoser/ubuntu/precise/cloud-init/sru |
|
2012-11-09 00:55:17 |
Scott Moser |
description |
cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry.
This has issues in 2 places:
a.) internal and disconnected operation (no access to security.ubuntu.com)
b.) arm. For arm, there is no security.ubuntu.com
Related bugs:
* bug 1028501: cloud-init selects wrong mirrors for arm |
=== Begin SRU Information ===
[Impact]
* Operating completely off-line (without access to *.ubuntu.com) is not
really possible with cloud-init in 12.04. The user can specify a
mirror to use to cloud-init, and it will respect that input. However,
it will still write 'security.ubuntu.com' entries in
/etc/apt/sources.list . The fix in 12.10 was to add support for
declaring the security mirror in addition to the "primary" mirror.
Looking at the config snippet probably makes it obvious how this
is done. '$security' in the templates then references the specified
security mirror, and the user can set that value by providing
cloud-config syntax formed like the default below:
| package_mirrors:
|   - arches: [i386, amd64]
|     failsafe:
|       primary: http://archive.ubuntu.com/ubuntu
|       security: http://security.ubuntu.com/ubuntu
|     search:
|       primary:
|         - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
|         - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
|       security: []
|   - arches: [armhf, armel, default]
|     failsafe:
|       primary: http://ports.ubuntu.com/ubuntu
|       security: http://ports.ubuntu.com/ubuntu
* this will allow users on fully disconnected networks to use cloud
images with local mirrors without modifying the image.
[Test Case]
To demonstrate the problem, simply launch an instance in EC2. The
rendered sources.list will contain references to
us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
the default/fallback case was previously to use archive.ubuntu.com
and there was no changing of security.ubuntu.com at all. The result was
that offline, an 'apt-get update' was guaranteed to fail even if the
user specified 'apt_mirror'.
You can demonstrate the fixed path by booting an instance with
user-data like the following:
|#cloud-config
|system_info:
|  package_mirrors:
|    - arches: [i386, amd64]
|      failsafe:
|        primary: http://my.archive.mydomain.com/ubuntu
|      search:
|        primary: []
|        security: []
You will see in /etc/sources.list, that there is no reference to
"ubuntu.com" any more.
[Regression Potential]
* The change in behavior could change mirror selection in undefined
ways. We've not seen any issues with this path in quantal, though.
This code is basically the same as is running in quantal just
backported.
=== End SRU Information ===
cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry.
This has issues in 2 places:
a.) internal and disconnected operation (no access to security.ubuntu.com)
b.) arm. For arm, there is no security.ubuntu.com
Related bugs:
* bug 1028501: cloud-init selects wrong mirrors for arm |
|
2012-12-10 23:03:42 |
Steve Langasek |
cloud-init (Ubuntu Precise): status |
Triaged |
Fix Committed |
|
2012-12-10 23:03:44 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2012-12-10 23:03:46 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2012-12-10 23:03:48 |
Steve Langasek |
tags |
|
verification-needed |
|
2012-12-12 21:12:47 |
Scott Moser |
description |
=== Begin SRU Information ===
[Impact]
* Operating completely off-line (without access to *.ubuntu.com) is not
really possible with cloud-init in 12.04. The user can specify a
mirror to use to cloud-init, and it will respect that input. However,
it will still write 'security.ubuntu.com' entries in
/etc/apt/sources.list . The fix in 12.10 was to add support for
declaring the security mirror in addition to the "primary" mirror.
Looking at the config snippet probably makes it obvious how this
is done. '$security' in the templates then references the specified
security mirror, and the user can set that value by providing
cloud-config syntax formed like the default below:
| package_mirrors:
|   - arches: [i386, amd64]
|     failsafe:
|       primary: http://archive.ubuntu.com/ubuntu
|       security: http://security.ubuntu.com/ubuntu
|     search:
|       primary:
|         - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
|         - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
|       security: []
|   - arches: [armhf, armel, default]
|     failsafe:
|       primary: http://ports.ubuntu.com/ubuntu
|       security: http://ports.ubuntu.com/ubuntu
* this will allow users on fully disconnected networks to use cloud
images with local mirrors without modifying the image.
[Test Case]
To demonstrate the problem, simply launch an instance in EC2. The
rendered sources.list will contain references to
us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
the default/fallback case was previously to use archive.ubuntu.com
and there was no changing of security.ubuntu.com at all. The result was
that offline, an 'apt-get update' was guaranteed to fail even if the
user specified 'apt_mirror'.
You can demonstrate the fixed path by booting an instance with
user-data like the following:
|#cloud-config
|system_info:
|  package_mirrors:
|    - arches: [i386, amd64]
|      failsafe:
|        primary: http://my.archive.mydomain.com/ubuntu
|      search:
|        primary: []
|        security: []
You will see in /etc/sources.list, that there is no reference to
"ubuntu.com" any more.
[Regression Potential]
* The change in behavior could change mirror selection in undefined
ways. We've not seen any issues with this path in quantal, though.
This code is basically the same as is running in quantal just
backported.
=== End SRU Information ===
cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry.
This has issues in 2 places:
a.) internal and disconnected operation (no access to security.ubuntu.com)
b.) arm. For arm, there is no security.ubuntu.com
Related bugs:
* bug 1028501: cloud-init selects wrong mirrors for arm |
=== Begin SRU Information ===
[Impact]
* Operating completely off-line (without access to *.ubuntu.com) is not
really possible with cloud-init in 12.04. The user can specify a
mirror to use to cloud-init, and it will respect that input. However,
it will still write 'security.ubuntu.com' entries in
/etc/apt/sources.list . The fix in 12.10 was to add support for
declaring the security mirror in addition to the "primary" mirror.
Looking at the config snippet probably makes it obvious how this
is done. '$security' in the templates then references the specified
security mirror, and the user can set that value by providing
cloud-config syntax formed like the default below:
| package_mirrors:
|   - arches: [i386, amd64]
|     failsafe:
|       primary: http://archive.ubuntu.com/ubuntu
|       security: http://security.ubuntu.com/ubuntu
|     search:
|       primary:
|         - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
|         - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
|       security: []
|   - arches: [armhf, armel, default]
|     failsafe:
|       primary: http://ports.ubuntu.com/ubuntu
|       security: http://ports.ubuntu.com/ubuntu
* this will allow users on fully disconnected networks to use cloud
images with local mirrors without modifying the image.
[Test Case]
To demonstrate the problem, simply launch an instance in EC2. The
rendered sources.list will contain references to
us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
the default/fallback case was previously to use archive.ubuntu.com
and there was no changing of security.ubuntu.com at all. The result was
that offline, an 'apt-get update' was guaranteed to fail even if the
user specified 'apt_mirror'.
You can demonstrate the fixed path by booting an instance with
user-data like the following:
|#cloud-config
|system_info:
|  package_mirrors:
|    - arches: [i386, amd64]
|      failsafe:
|        primary: http://my.archive.mydomain.com/ubuntu
|      search:
|        primary: []
|        security: []
You will see in /etc/sources.list, that there is no reference to
"ubuntu.com" any more.
[Regression Potential]
* The change in behavior could change mirror selection in undefined
ways. We've not seen any issues with this path in quantal, though.
This code is basically the same as is running in quantal just
backported.
=== End SRU Information ===
cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry.
This has issues in 2 places:
a.) internal and disconnected operation (no access to security.ubuntu.com)
b.) arm. For arm, there is no security.ubuntu.com
Related bugs:
* bug 1028501: cloud-init selects wrong mirrors for arm |
|
2012-12-12 21:29:12 |
Scott Moser |
description |
=== Begin SRU Information ===
[Impact]
* Operating completely off-line (without access to *.ubuntu.com) is not
really possible with cloud-init in 12.04. The user can specify a
mirror to use to cloud-init, and it will respect that input. However,
it will still write 'security.ubuntu.com' entries in
/etc/apt/sources.list . The fix in 12.10 was to add support for
declaring the security mirror in addition to the "primary" mirror.
Looking at the config snippet probably makes it obvious how this
is done. '$security' in the templates then references the specified
security mirror, and the user can set that value by providing
cloud-config syntax formed like the default below:
| package_mirrors:
|   - arches: [i386, amd64]
|     failsafe:
|       primary: http://archive.ubuntu.com/ubuntu
|       security: http://security.ubuntu.com/ubuntu
|     search:
|       primary:
|         - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
|         - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
|       security: []
|   - arches: [armhf, armel, default]
|     failsafe:
|       primary: http://ports.ubuntu.com/ubuntu
|       security: http://ports.ubuntu.com/ubuntu
* this will allow users on fully disconnected networks to use cloud
images with local mirrors without modifying the image.
[Test Case]
To demonstrate the problem, simply launch an instance in EC2. The
rendered sources.list will contain references to
us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
the default/fallback case was previously to use archive.ubuntu.com
and there was no changing of security.ubuntu.com at all. The result was
that offline, an 'apt-get update' was guaranteed to fail even if the
user specified 'apt_mirror'.
You can demonstrate the fixed path by booting an instance with
user-data like the following:
|#cloud-config
|system_info:
|  package_mirrors:
|    - arches: [i386, amd64]
|      failsafe:
|        primary: http://my.archive.mydomain.com/ubuntu
|      search:
|        primary: []
|        security: []
You will see in /etc/sources.list, that there is no reference to
"ubuntu.com" any more.
[Regression Potential]
* The change in behavior could change mirror selection in undefined
ways. We've not seen any issues with this path in quantal, though.
This code is basically the same as is running in quantal just
backported.
=== End SRU Information ===
cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry.
This has issues in 2 places:
a.) internal and disconnected operation (no access to security.ubuntu.com)
b.) arm. For arm, there is no security.ubuntu.com
Related bugs:
* bug 1028501: cloud-init selects wrong mirrors for arm |
=== Begin SRU Information ===
[Impact]
* Operating completely off-line (without access to *.ubuntu.com) is not
really possible with cloud-init in 12.04. The user can specify a
mirror to use to cloud-init, and it will respect that input. However,
it will still write 'security.ubuntu.com' entries in
/etc/apt/sources.list . The fix in 12.10 was to add support for
declaring the security mirror in addition to the "primary" mirror.
Looking at the config snippet probably makes it obvious how this
is done. '$security' in the templates then references the specified
security mirror, and the user can set that value by providing
cloud-config syntax formed like the default below:
| package_mirrors:
|   - arches: [i386, amd64]
|     failsafe:
|       primary: http://archive.ubuntu.com/ubuntu
|       security: http://security.ubuntu.com/ubuntu
|     search:
|       primary:
|         - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
|         - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
|       security: []
|   - arches: [armhf, armel, default]
|     failsafe:
|       primary: http://ports.ubuntu.com/ubuntu
|       security: http://ports.ubuntu.com/ubuntu
* this will allow users on fully disconnected networks to use cloud
images with local mirrors without modifying the image.
[Test Case]
To demonstrate the problem, simply launch an instance in EC2. The
rendered sources.list will contain references to
us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
the default/fallback case was previously to use archive.ubuntu.com
and there was no changing of security.ubuntu.com at all. The result was
that offline, an 'apt-get update' was guaranteed to fail even if the
user specified 'apt_mirror'.
You can demonstrate the fixed path by booting an instance with
user-data like the following:
|#cloud-config
|system_info:
|  package_mirrors:
|    - arches: [i386, amd64]
|      failsafe:
|        primary: http://my.archive.mydomain.com/ubuntu
|        security: http://my.archive.mydomain.com/ubuntu
|      search:
|        primary: []
|        security: []
You will see in /etc/sources.list, that there is no reference to
"ubuntu.com" any more.
[Regression Potential]
* The change in behavior could change mirror selection in undefined
ways. We've not seen any issues with this path in quantal, though.
This code is basically the same as is running in quantal just
backported.
=== End SRU Information ===
cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry.
This has issues in 2 places:
a.) internal and disconnected operation (no access to security.ubuntu.com)
b.) arm. For arm, there is no security.ubuntu.com
Related bugs:
* bug 1028501: cloud-init selects wrong mirrors for arm |
|
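A check for the [Test Case] in the description above, as an added example that is not part of the bug report or of cloud-init: it lists every host named by an active entry in a rendered sources.list that is not an approved mirror. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# sources_hosts FILE: print the unique network hosts of active deb/deb-src entries.
sources_hosts() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }
        {
            i = 2
            # skip an optional [ option=value ] group, which may span several fields
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i
            if (uri !~ /:\/\//) next              # cdrom:, file:/ and similar have no host
            sub(/^[a-z0-9+.-]+:\/\//, "", uri)    # drop the scheme
            sub(/\/.*$/, "", uri)                 # drop the path
            sub(/^.*@/, "", uri)                  # drop any userinfo
            sub(/:[0-9]+$/, "", uri)              # drop any port
            if (uri != "") print uri
        }' "$1" | sort -u
}

# unapproved_hosts FILE HOST...: print hosts used in FILE that are not in the allow list.
unapproved_hosts() {
    file=$1; shift
    for host in $(sources_hosts "$file"); do
        ok=no
        for allowed in "$@"; do
            if [ "$host" = "$allowed" ]; then ok=yes; fi
        done
        [ "$ok" = yes ] || printf '%s\n' "$host"
    done
}

# Constructed samples: a render where only the primary mirror was replaced,
# and a render where the security entry follows the configured mirror too.
write_samples() {
    dir=$1
    cat > "$dir/before.list" <<'EOF'
deb http://my.archive.mydomain.com/ubuntu precise main
deb http://my.archive.mydomain.com/ubuntu precise-updates main
# deb http://archive.ubuntu.com/ubuntu precise-backports main
deb http://security.ubuntu.com/ubuntu precise-security main
deb-src [arch=amd64] http://security.ubuntu.com/ubuntu precise-security universe
EOF
    cat > "$dir/after.list" <<'EOF'
deb http://my.archive.mydomain.com/ubuntu precise main
deb http://my.archive.mydomain.com/ubuntu precise-security main
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "before: $(unapproved_hosts "$tmp/before.list" my.archive.mydomain.com)"
echo "after:  $(unapproved_hosts "$tmp/after.list" my.archive.mydomain.com)"
rm -rf "$tmp"
```

On an instance, point `unapproved_hosts` at the rendered sources.list with the local mirror host as the allow list; empty output means no entry reaches outside the approved mirror.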
2012-12-12 21:37:51 |
Scott Moser |
tags |
verification-needed |
verification-done |
|
2013-01-08 19:15:09 |
Clint Byrum |
tags |
verification-done |
|
|
2013-01-08 19:15:11 |
Clint Byrum |
tags |
|
verification-needed |
|
2013-01-09 00:20:03 |
Scott Moser |
tags |
verification-needed |
verification-done |
|
2013-01-16 14:20:17 |
Colin Watson |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2013-01-16 14:20:17 |
Launchpad Janitor |
cloud-init (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
2013-08-28 11:32:39 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/precise/cloud-init/precise-proposed |
|
2023-05-09 20:31:52 |
James Falcon |
bug watch added |
|
https://github.com/canonical/cloud-init/issues/2262 |
|