2012-12-10 19:11:24 |
Steve Langasek |
bug |
|
|
added bug |
2012-12-10 19:25:20 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2012-12-13 14:34:21 |
Yolanda Robla |
cloud-init (Ubuntu): status |
New |
Confirmed |
|
2012-12-13 14:34:26 |
Yolanda Robla |
cloud-init (Ubuntu): importance |
Undecided |
Wishlist |
|
2017-06-21 18:59:13 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sporkmonger/cloud-init/+git/cloud-init/+merge/326094 |
|
2017-07-11 14:31:21 |
Scott Moser |
bug task added |
|
cloud-init |
|
2017-07-11 14:31:32 |
Scott Moser |
cloud-init: status |
New |
Confirmed |
|
2017-07-11 14:31:36 |
Scott Moser |
cloud-init: importance |
Undecided |
Medium |
|
2017-07-21 17:24:14 |
Scott Moser |
cloud-init: status |
Confirmed |
Fix Committed |
|
2017-07-31 14:37:05 |
Launchpad Janitor |
cloud-init (Ubuntu): status |
Confirmed |
Fix Released |
|
2017-07-31 18:19:17 |
Scott Moser |
nominated for series |
|
Ubuntu Xenial |
|
2017-07-31 18:19:17 |
Scott Moser |
bug task added |
|
cloud-init (Ubuntu Xenial) |
|
2017-07-31 18:19:17 |
Scott Moser |
nominated for series |
|
Ubuntu Zesty |
|
2017-07-31 18:19:17 |
Scott Moser |
bug task added |
|
cloud-init (Ubuntu Zesty) |
|
2017-07-31 18:19:26 |
Scott Moser |
cloud-init (Ubuntu Xenial): status |
New |
Confirmed |
|
2017-07-31 18:19:28 |
Scott Moser |
cloud-init (Ubuntu Zesty): status |
New |
Confirmed |
|
2017-07-31 18:19:32 |
Scott Moser |
cloud-init (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2017-07-31 18:19:34 |
Scott Moser |
cloud-init (Ubuntu Zesty): importance |
Undecided |
Low |
|
2017-07-31 18:19:37 |
Scott Moser |
cloud-init (Ubuntu Xenial): importance |
Medium |
Low |
|
2017-08-01 18:57:52 |
Scott Moser |
attachment added |
|
run-dnsmasq: run a dnsmasq service on lxd system https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1088611/+attachment/4925427/+files/run-dnsmasq |
|
2017-08-01 18:58:19 |
Scott Moser |
description |
The fix that's been applied for bug #974509 checks for the presence of a redirector by looking up three hostnames, and treating as invalid any results pointing to a matching address:
- does-not-exist.example.com.
- example.invalid.
- a random, unqualified 32-character alphanumeric hostname.
The last of these carries a small but non-zero risk of colliding with a real hostname, and there's a small but non-zero risk that this host points to the same address as something we care about. If possible, it would be better to not include this random-host lookup in the algorithm, as somewhere, some day, chances are there will eventually be a collision, causing an incomprehensible and unreproducible failure for a user. |
=== Begin SRU Template ===
[Impact]
Prior to this fix, cloud-init attempts to detect dns redirection by doing
dns queries for a random hostname and two invalid hostnames. Then, if
the result returned for the input value was the same as the response for
the invalid query, cloud-init would assume that result was also invalid.
The change was to replace the random string with
__cloud_init_expected_not_found__
This is a valid hostname and resolution will use the 'search' path in
resolv.conf where the other invalid domain names would not.
[Test Case]
The test case for this consists of exercising the 'is_resolvable_url'
method in cloudinit.util and watching dns queries. To do this, see the
following steps:
a.) start an lxc container
$ release=xenial
$ name=$release-1088611
$ lxc launch ubuntu-daily:$release $name
b.) start a dnsmasq server
$ ./run-dnsmasq lxdbr0
...
=== listening on 10.75.205.2/24 ===
# run-dnsmasq is attached and at
# https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/tree/bugs/lp-1088611/run-dnsmasq
c.) point /etc/resolv.conf at your server ip
$ lxc exec $name -- sh -c 'exec >/etc/resolv.conf;
echo nameserver 10.75.205.2; echo search foo;'
d.) perform query via is_resolvable_url, watch dnsmasq output, expect
to see the random query.
$ lxc exec $name -- python3 -c 'import sys;
from cloudinit.util import is_resolvable_url;
print(is_resolvable_url(sys.argv[1]))' http://ubuntu.com
e.) upgrade to -proposed version
f.) perform query via is_resolvable_url, expect to *not* see random query.
[Regression Potential]
Immediate regression seems unlikely. Effectively the change in cloud-init
code path was simply to change a dns lookup attempt from rand() to a defined
string.
We chose a random string initially to make it difficult for a dns server to
circumvent cloud-init's attempt to identify dns redirection. The regression
path really then seems to involve a dns redirection service specifically
providing a response for '__cloud_init_expected_not_found__' that differs
from does-not-exist.example.com. Cloud-init could then be tricked into
believing that an apt mirror was valid where it previously would have
identified the dns redirection. The failure would be seen as errors
in package installation or 'apt-get update'.
[Other Info]
Upstream commit at
https://git.launchpad.net/cloud-init/commit/?id=42a7b34a12
Original upstream commit at
https://git.launchpad.net/cloud-init/commit/?id=1bb67be5bd
=== End SRU Template ===
The fix that's been applied for bug #974509 checks for the presence of a redirector by looking up three hostnames, and treating as invalid any results pointing to a matching address:
- does-not-exist.example.com.
- example.invalid.
- a random, unqualified 32-character alphanumeric hostname.
The last of these carries a small but non-zero risk of colliding with a real hostname, and there's a small but non-zero risk that this host points to the same address as something we care about. If possible, it would be better to not include this random-host lookup in the algorithm, as somewhere, some day, chances are there will eventually be a collision, causing an incomprehensible and unreproducible failure for a user. |
|
2017-08-23 12:27:18 |
Chris J Arges |
cloud-init (Ubuntu Xenial): status |
Confirmed |
Fix Committed |
|
2017-08-23 12:27:21 |
Chris J Arges |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-08-23 12:27:25 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
2017-08-23 12:27:29 |
Chris J Arges |
tags |
|
verification-needed verification-needed-xenial |
|
2017-08-23 12:30:58 |
Chris J Arges |
cloud-init (Ubuntu Zesty): status |
Confirmed |
Fix Committed |
|
2017-08-23 12:31:03 |
Chris J Arges |
tags |
verification-needed verification-needed-xenial |
verification-needed verification-needed-xenial verification-needed-zesty |
|
2017-08-31 14:58:27 |
Chad Smith |
tags |
verification-needed verification-needed-xenial verification-needed-zesty |
verification-done-xenial verification-needed verification-needed-zesty |
|
2017-08-31 16:43:44 |
Chad Smith |
tags |
verification-done-xenial verification-needed verification-needed-zesty |
verification-done-xenial verification-done-zesty |
|
2017-09-13 01:26:05 |
Launchpad Janitor |
cloud-init (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2017-09-13 01:26:25 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-09-13 01:27:27 |
Launchpad Janitor |
cloud-init (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
2017-09-23 02:13:11 |
Scott Moser |
cloud-init: status |
Fix Committed |
Fix Released |
|
2023-05-09 22:14:42 |
James Falcon |
bug watch added |
|
https://github.com/canonical/cloud-init/issues/2333 |
|