Cloud images for non-Intel architectures are configured with security repos that don't work

Bug #1679252 reported by Dan Watkins on 2017-04-03
22
This bug affects 3 people
Affects Status Importance Assigned to Milestone
livecd-rootfs (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned

Bug Description

[Impact]

Users who don't get a fresh sources.list written out on first boot (e.g. Docker users) can't install updates from xenial-security on non-Intel architectures.

[Test Case]

Run an ubuntu-cpc livefs build for a non-Intel architecture, unpack one of the produced root tarballs, chroot in to it and perform an `apt-get update`. You should see no errors.

[Regression Potential]

This change modifies the sources that apt will use for updates, so the biggest risk for regression is that the fix is malformed and systems become un-updateable (either partially or fully). The test above should catch this.

[Original Report]

In the fix for bug 1513529, we[0] modified livecd-rootfs to write out a sources.list that matches the sources.list in Ubuntu Server installed from an ISO. We (presumably) compared to an Intel installation, and hard-coded security.ubuntu.com as a repo in sources.list.

Unfortunately, packages for non-Intel architectures aren't published to security.ubuntu.com; they are instead published at http://ports.ubuntu.com/ubuntu-ports/. That should be the URL that we configure as the source for $SUITE-security.

[0] Well, *ahem*, _I_.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in livecd-rootfs (Ubuntu):
status: New → Confirmed

See https://github.com/docker-library/official-images/issues/2804 for the Docker impact downstream, as the aarch64/xenial and ppc64le/xenial official images are affected.

Fixing this bug allows this CVE http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7184.html to be addressed on those platforms.

Dan Watkins (daniel-thewatkins) wrote :

The attached backports infinity's fix to xenial.

description: updated
summary: - Non-Intel architectures are configured with security repos that don't
- work
+ Cloud image tarballs for non-Intel architectures are configured with
+ security repos that don't work
summary: - Cloud image tarballs for non-Intel architectures are configured with
- security repos that don't work
+ Cloud images for non-Intel architectures are configured with security
+ repos that don't work
tags: added: patch
Changed in livecd-rootfs:
status: Unknown → New

Additional downstream impact is https://github.com/docker/docker/issues/32335 , "unable to build docker armhf ubuntu xenial", reported by @andrewhsu .

Hello Dan, or anyone else affected,

Accepted livecd-rootfs into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/livecd-rootfs/2.408.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

no longer affects: livecd-rootfs
Changed in livecd-rootfs (Ubuntu):
status: Confirmed → Fix Released
Changed in livecd-rootfs (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Dan Watkins (daniel-thewatkins) wrote :

This does fix the issue for arm64 (where I tested the patch), but ppc64el and powerpc need an additional change:

=== modified file 'live-build/ubuntu-cpc/hooks/034-disk-image-ppc64el.binary'
--- live-build/ubuntu-cpc/hooks/034-disk-image-ppc64el.binary 2016-04-14 18:06:33 +0000
+++ live-build/ubuntu-cpc/hooks/034-disk-image-ppc64el.binary 2016-06-09 14:48:38 +0000
@@ -26,6 +26,7 @@
     mkdir mountpoint
     mount_partition "${rootfs_dev_mapper}" mountpoint

+ chroot mountpoint apt-get -qqy update
     chroot mountpoint apt-get -qqy install grub2
     chroot mountpoint apt-get -qqy remove --purge grub-legacy-ec2

tags: added: verification-failed
removed: verification-needed

Is anyone testing armhf?

I ask because of this from @andrewhsu at Docker, at https://github.com/docker/docker/issues/32335#issuecomment-292042111

> This issue is preventing the release of docker 17.04.0 for ubuntu xenial on armhf. Ubuntu xenial on amd64 is fine, however, so packages are available for that. When the armhf/ubuntu:xenial image is fixed, the corresponding 17.04.0 packages will be built and released.

If I follow these instructions:

https://wiki.ubuntu.com/ARM/RaspberryPi

do I get a testable environment for this fix? If I read it right, it looks like the Pi 2 (and not the Pi 3) is the supported target hardware for armhf.

Download full text (3.5 KiB)

I can reproduce this bug on my Mac which should aid in confirmation for `armhf`.

```
Edwards-MacBook-Air:~ emv$ docker run --rm armhf/ubuntu:xenial apt-get update

Unable to find image 'armhf/ubuntu:xenial' locally
xenial: Pulling from armhf/ubuntu
3ec2010dcf9a: Pull complete
a9ce7d83bdeb: Pull complete
a096d24b8544: Pull complete
e1d64facf085: Pull complete
6300ac39294b: Pull complete
Digest: sha256:ad289f5b5c2a0bd88f61333b0d6f0ea81051c6f315a8eb22de0907e1da960115
Status: Downloaded newer image for armhf/ubuntu:xenial
Get:1 http://ports.ubuntu.com/ubuntu-ports xenial InRelease [247 kB]
Get:2 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports xenial-updates InRelease [102 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports xenial-backports InRelease [102 kB]
Get:5 http://security.ubuntu.com/ubuntu xenial-security/universe Sources [30.0 kB]
Ign:6 http://security.ubuntu.com/ubuntu xenial-security/main armhf Packages
Ign:7 http://security.ubuntu.com/ubuntu xenial-security/restricted armhf Packages
Ign:8 http://security.ubuntu.com/ubuntu xenial-security/universe armhf Packages
Ign:9 http://security.ubuntu.com/ubuntu xenial-security/multiverse armhf Packages
Ign:6 http://security.ubuntu.com/ubuntu xenial-security/main armhf Packages
Ign:7 http://security.ubuntu.com/ubuntu xenial-security/restricted armhf Packages
Ign:8 http://security.ubuntu.com/ubuntu xenial-security/universe armhf Packages
Ign:9 http://security.ubuntu.com/ubuntu xenial-security/multiverse armhf Packages
Ign:6 http://security.ubuntu.com/ubuntu xenial-security/main armhf Packages
Ign:7 http://security.ubuntu.com/ubuntu xenial-security/restricted armhf Packages
Ign:8 http://security.ubuntu.com/ubuntu xenial-security/universe armhf Packages
Ign:9 http://security.ubuntu.com/ubuntu xenial-security/multiverse armhf Packages
Err:6 http://security.ubuntu.com/ubuntu xenial-security/main armhf Packages
  404 Not Found [IP: 91.189.88.161 80]
Ign:7 http://security.ubuntu.com/ubuntu xenial-security/restricted armhf Packages
Ign:8 http://security.ubuntu.com/ubuntu xenial-security/universe armhf Packages
Ign:9 http://security.ubuntu.com/ubuntu xenial-security/multiverse armhf Packages
Get:10 http://ports.ubuntu.com/ubuntu-ports xenial/universe Sources [9802 kB]
Get:11 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages [1486 kB]
Get:12 http://ports.ubuntu.com/ubuntu-ports xenial/restricted armhf Packages [8491 B]
Get:13 http://ports.ubuntu.com/ubuntu-ports xenial/universe armhf Packages [9531 kB]
Get:14 http://ports.ubuntu.com/ubuntu-ports xenial/multiverse armhf Packages [149 kB]
Get:15 http://ports.ubuntu.com/ubuntu-ports xenial-updates/universe Sources [185 kB]
Get:16 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf Packages [592 kB]
Get:17 http://ports.ubuntu.com/ubuntu-ports xenial-updates/restricted armhf Packages [8116 B]
Get:18 http://ports.ubuntu.com/ubuntu-ports xenial-updates/universe armhf Packages [517 kB]
Get:19 http://ports.ubuntu.com/ubuntu-ports xenial-updates/multiverse armhf Packages [5194 B]
Get:20 http://ports.ubuntu.com/ubuntu-ports xenial-backports/main armhf Packages [4914 B]
Get:21 h...

Read more...

This gist demonstrates the issue on armhf, using a Docker armhf/ubuntu:xenial image.

https://gist.github.com/vielmetti/a078426659cb11f54a9142a878c7982c

I've alerted the maintainer of the build scripts for the Docker images, here:

https://github.com/tianon/jenkins-groovy/issues/24

hopefully @tianon can help with a test build to validate that this works.

The attached debdiff includes the above patch.

Steve Langasek (vorlon) wrote :

Hello Dan, or anyone else affected,

Accepted livecd-rootfs into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/livecd-rootfs/2.408.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: removed: verification-failed
tags: added: verification-needed

I've seen the version in xenial-proposed successfully build on arm64, powerpc and ppc64el; verification done.

tags: added: verification-done
removed: verification-needed

The verification of the Stable Release Update for livecd-rootfs has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package livecd-rootfs - 2.408.11

---------------
livecd-rootfs (2.408.11) xenial; urgency=medium

  * Add `apt-get update` to ubuntu-cpc ppc64el builds so they use the new
    sources.

livecd-rootfs (2.408.10) xenial; urgency=medium

  [ Adam Conrad ]
  * Fix security mirror sources.list entries for non-x86 architectures.
    (LP: #1679252)

 -- Daniel Watkins <email address hidden> Fri, 07 Apr 2017 16:12:53 -0400

Changed in livecd-rootfs (Ubuntu Xenial):
status: Fix Committed → Fix Released
tags: added: id-58e294093da7aa124fcea8a5
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Patches

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.