Ubuntu

apt-setup/security_host is ignored

Reported by Andrew Pollock on 2008-12-08
10
Affects Status Importance Assigned to Milestone
base-installer (Ubuntu)
Medium
Colin Watson
Dapper
Medium
Colin Watson
Hardy
Medium
Colin Watson
Intrepid
Medium
Colin Watson

Bug Description

Binary package hint: base-installer

I call this a regression because I presume at some point it worked as intended, but maybe it was dead on arrival... [cjwatson: It looks as if it was dead on arrival.]

The apt-setup/security_host preseed is read, but completely ignored by configure_apt() in library.sh, thusly:

                if db_get apt-setup/security_host; then
                        SECMIRROR="$RET"
                else
                        SECMIRROR="$MIRROR"
                fi
                echo "deb $PROTOCOL://$MIRROR/ubuntu $DISTRIBUTION-security $COMPONENTS" >> /target/etc/apt/sources.list

TEST CASE: Start a netboot installation with apt-setup/security_host=archive.ubuntu.com on the kernel command line, and check whether the resulting /var/log/installer/syslog includes a line containing all three of "base-installer:", "archive.ubuntu.com", and "-security"; if so the test has failed. (Or, if you can, firewall off archive.ubuntu.com or us.archive.ubuntu.com or whichever host it uses from the test machine and test whether installation still works given that command-line parameter; this is more real-world but more effort to set up.)

This only affects netboot installs, not CD installs.

Andrew Pollock (apollock) wrote :

I discussed this with Colin Watson via IRC, and I believe he's committed a fix for this. I'm filing this bug to ensure the fixed base-installer gets into Hardy.

Changed in base-installer:
assignee: nobody → kamion
Colin Watson (cjwatson) on 2008-12-15
Changed in base-installer:
importance: Undecided → Medium
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-installer - 1.86ubuntu9

---------------
base-installer (1.86ubuntu9) jaunty; urgency=low

  * Use the correct mirror for -security in the event of
    apt-setup/security_host being preseeded (LP: #306356).

 -- Colin Watson <email address hidden> Mon, 15 Dec 2008 12:05:18 +0000

Changed in base-installer:
status: Fix Committed → Fix Released
Colin Watson (cjwatson) on 2008-12-15
Changed in base-installer:
assignee: nobody → kamion
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → kamion
importance: Undecided → Medium
milestone: none → ubuntu-8.04.2
status: New → In Progress
assignee: nobody → kamion
importance: Undecided → Medium
status: New → In Progress
description: updated
Colin Watson (cjwatson) wrote :

I've uploaded fixes for dapper/hardy/intrepid, and would appreciate review.

Steve Langasek (vorlon) wrote :

Accepted into hardy-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in base-installer:
milestone: ubuntu-8.04.2 → none
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

Accepted into dapper-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in base-installer:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

Accepted into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Andrew Pollock (apollock) wrote :

What's going to be the easiest way to test this new udeb? Normally it comes already inside the installer.

Colin Watson (cjwatson) wrote :

Actually, no, it doesn't - base-installer is acquired by the installer at run-time.

For hardy and intrepid, pass apt-setup/proposed=true to the installer on the kernel command line.

For dapper it's more effort. I suspect the easiest way is to make sure that you aren't preseeding the locale, and then when the locale prompt appears, switch to Alt-F2 and edit line 113 of /usr/lib/debian-installer/retriever/net-retriever to add "$codename-proposed" after "$codename-security", so that the line looks like this:

                for codename_extra in "$codename" "$codename-updates" "$codename-security" "$codename-proposed"; do

Steve Beattie (sbeattie) wrote :

Colin, I don't think the testcase in the description is quite correct. I used the netboot image from http://archive.ubuntu.com/ubuntu/dists/hardy-proposed/main/installer-i386/20070308ubuntu40.7/images/netboot/mini.iso with an apt-setup/security_host option that pointed to an non-available ip address. There's no mention of security.ubuntu.com in the resultant /var/log/installer/syslog; however, the security archive information was successfully pulled from:

  base-installer: Get:2 http://us.archive.ubuntu.com hardy-security Release.gpg [189B]
  base-installer: Get:4 http://us.archive.ubuntu.com hardy-security Release [58.5kB]
  base-installer: Get:7 http://us.archive.ubuntu.com hardy-security/main Packages [114kB]
  base-installer: Get:8 http://us.archive.ubuntu.com hardy-security/restricted Packages [7487B]

which is what I would expect would happen if $MIRROR is used instead of $SECMIRROR, based on the code snippet above. I do note that later on apt-setup fails to download the hardy-security repo from the non-reachable ip address, and (I believe, but need to reverify) that /etc/apt/sources.list was set up correctly to point to the alternate security host (which confuses me based on the code snippet above).

Using the same netboot image, with the same apt-setup/security_host option plus the addition apt-set/proposed=true argument, those downloads fail with:

  base-installer: Err http://192.168.1.210 hardy-security Release.gpg
  base-installer: Could not connect to 192.168.1.210:3142 (192.168.1.210). - connect (111 Connection refused)
  base-installer: W:
  base-installer: Failed to fetch http://192.168.1.210:3142/ubuntu/dists/hardy-security/Release.gpg Could not connect to 192.168.1.210:3142 (192.168.1.210). - connect (111 Connection refused)
  base-installer:
  base-installer: W:
  base-installer: Some index files failed to download, they have been ignored, or old ones used instead.
  base-installer:
  base-installer: W:
  base-installer: You may want to run apt-get update to correct these problems
  base-installer:

(In both instances there were non-relevant lines interspersed that I removed, but I'll attach the syslog from both runs.)

I *think* this issue is verified for hardy, but I'd like confirmation from Colin on this.

Steve Beattie (sbeattie) wrote :

And the log from the installation with apt-setup/proposed=true.

Steve Beattie (sbeattie) wrote :

Ah, yes, the sources.list after an installation that doesn't use hardy-proposed has the following in it:

  # deb http://us.archive.ubuntu.com/ubuntu hardy-security main restricted
  deb http://192.168.1.210:3142/ubuntu hardy-security main restricted
  deb-src http://192.168.1.210:3142/ubuntu hardy-security main restricted

which indicates it initially used $MIRROR, then later used $SECMIRROR.

Steve Beattie (sbeattie) wrote :

In the above, I should add that the version of /etc/apt/sources.list when using base-installer from hardy-proposed references the passed in security_host in the commented out line for hardy-security.

I've now verified the same behavior for intrepid, using the netboot iso at http://archive.ubuntu.com/ubuntu/dists/intrepid/main/installer-i386/20080522ubuntu23/images/netboot/mini.iso (the current intrepid-proposed netboot iso doesn't boot due to kernel version mismatches); without proposed, base-installer gets security archive information the first time off of archive.ubuntu.com instead of the apt-setup/security_host value. Using apt-setup/proposed=true, which pulls in the base-installer from intrepid-proposed causes all attempts to grab information for the intrepid-security repo to use the apt-setup/security_host value.

Colin Watson (cjwatson) wrote :

Yes, I think the test case is wrong - I should indeed have written archive.ubuntu.com.*security (or some such) rather than security.ubuntu.com. In fact I think this represents a pre-existing bug in base-installer, but not a very serious one.

description: updated
Colin Watson (cjwatson) wrote :

Steve points out on IRC that that pre-existing bug is indeed this same bug. Sorry, not enough coffee.

I've corrected the test case now.

Steve Beattie (sbeattie) wrote :

And finally, confirmation on dapper that the issue is fixed there as well, after editing /usr/lib/debian-installer/retriever/net-retriever to include the proposed repository as well. Marking as verification-done.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-installer - 1.86ubuntu2.3

---------------
base-installer (1.86ubuntu2.3) hardy-proposed; urgency=low

  * Use the correct mirror for -security in the event of
    apt-setup/security_host being preseeded (LP: #306356).

 -- Colin Watson <email address hidden> Mon, 15 Dec 2008 12:16:07 +0000

Changed in base-installer:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-installer - 1.86ubuntu7.1

---------------
base-installer (1.86ubuntu7.1) intrepid-proposed; urgency=low

  * Use the correct mirror for -security in the event of
    apt-setup/security_host being preseeded (LP: #306356).

 -- Colin Watson <email address hidden> Mon, 15 Dec 2008 13:38:05 +0000

Changed in base-installer:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-installer - 1.42ubuntu14

---------------
base-installer (1.42ubuntu14) dapper-proposed; urgency=low

  * Use the correct mirror for -security in the event of
    apt-setup/security_host being preseeded (LP: #306356).

 -- Colin Watson <email address hidden> Mon, 15 Dec 2008 12:08:52 +0000

Changed in base-installer:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers