maas proxy prevent nodes access cloud archive

Bug #1087145 reported by julian wang on 2012-12-06
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
squid-deb-proxy | Fix Released | Undecided | Unassigned |
squid-deb-proxy (Ubuntu) | | Undecided | Unassigned |
Precise | | Undecided | Andres Rodriguez |
Quantal | | Undecided | Andres Rodriguez |

Bug Description

[Impact]

Users cannot enable the Ubuntu Cloud Archive using squid-deb-proxy without changing its configuration by hand.

[Test Case]

$ export http_proxy=http://localhost:8000
$ wget -O/dev/null http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/precise-updates/folsom/Release

This command should succeed, but if the problem is present then it fails with 403 Forbidden.

[Development Fix]

Fixed in upstream trunk and in Raring 0.6.7.

[Stable Fix]

Merge proposal attached. This just tweaks mirror-dstdomain.acl the same way as in the development fix.

[Regression Potential]

Only access to archives in archive.canonical.com will be affected. I have verified that ".archive.canonical.com" also matches "archive.canonical.com" by getting a 404 (and not a 403) if I hit it with this change applied.

[Original Description]

To set up OpenStack Folsom on Ubuntu 12.04 LTS with MAAS+Juju, it needs access to the Ubuntu Cloud Archive:
deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/folsom main

But by default, it's not OK. Error logs from juju show that apt-get update failed with 403 Forbidden.

======================================LOG=========================================================
2012-12-05 14:34:28,960 unit:keystone/1: hook.executor DEBUG: started
2012-12-05 14:34:29,003 unit:keystone/1: statemachine DEBUG: unitworkflowstate: transition install (None -> installed) {}
2012-12-05 14:34:29,003 unit:keystone/1: statemachine DEBUG: unitworkflowstate: execute action do_install
2012-12-05 14:34:29,050 unit:keystone/1: hook.output DEBUG: Cached relation hook contexts: []
2012-12-05 14:34:29,051 unit:keystone/1: hook.executor DEBUG: Running hook: /var/lib/juju/units/keystone-1/charm/hooks/install
2012-12-05 14:34:29,972 unit:keystone/1: unit.hook.api DEBUG: Get unit setting: 'private-address'
2012-12-05 14:34:30,443 unit:keystone/1: unit.hook.api DEBUG: Get unit setting: 'private-address'
2012-12-05 14:34:30,523 unit:keystone/1: hook.output INFO: Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /tmp/tmp.YQ7MyOjrEG --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA

2012-12-05 14:34:30,527 unit:keystone/1: hook.output ERROR: gpg:
2012-12-05 14:34:30,528 unit:keystone/1: hook.output ERROR: requesting key EC4926EA from hkp server keyserver.ubuntu.com

2012-12-05 14:34:34,702 unit:keystone/1: hook.output ERROR: gpg:
2012-12-05 14:34:34,703 unit:keystone/1: hook.output ERROR: key EC4926EA: "Canonical Cloud Archive Signing Key <email address hidden>" not changed

2012-12-05 14:34:34,704 unit:keystone/1: hook.output ERROR: gpg:
2012-12-05 14:34:34,704 unit:keystone/1: hook.output ERROR: Total number processed: 1

2012-12-05 14:34:34,705 unit:keystone/1: hook.output ERROR: gpg:
2012-12-05 14:34:34,705 unit:keystone/1: hook.output ERROR: unchanged: 1

2012-12-05 14:34:51,882 unit:keystone/1: unit.hook.api INFO: FATAL ERROR: ERROR: command apt-get update return non-zero.

2012-12-05 14:34:51,920 unit:keystone/1: hook.output DEBUG: hook install exited, exit code Traceback (most recent call last):
Failure: juju.errors.CharmInvocationError: Error processing '/var/lib/juju/units/keystone-1/charm/hooks/install': exit code 1.
.
2012-12-05 14:34:51,921 unit:keystone/1: hook.executor DEBUG: Hook error: /var/lib/juju/units/keystone-1/charm/hooks/install Error processing '/var/lib/juju/units/keystone-1/charm/hooks/install': exit code 1.
2012-12-05 14:34:51,922 unit:keystone/1: statemachine DEBUG: unitworkflowstate: executing error transition error_install, Error processing '/var/lib/juju/units/keystone-1/charm/hooks/install': exit code 1.
2012-12-05 14:34:51,954 unit:keystone/1: statemachine DEBUG: unitworkflowstate: transition error_install (None -> install_error) {}
2012-12-05 14:34:52,001 unit:keystone/1: statemachine DEBUG: unitworkflowstate: transition complete error_install (state install_error) {}
2012-12-05 14:34:52,015 unit:keystone/1: juju.agents.unit DEBUG: Configuration Changed
2012-12-05 14:34:52,015 unit:keystone/1: juju.agents.unit DEBUG: Configuration updated on service in a non-started state
2012-12-05 14:34:52,032 unit:keystone/1: juju.agents.unit INFO: No upgrade flag set.

W: Failed to fetch http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/precise-updates/folsom/main/binary-amd64/Packages 403 Forbidden

W: Failed to fetch http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/precise-updates/folsom/main/binary-i386/Packages 403 Forbidden

E: Some index files failed to download. They have been ignored, or old ones used instead.
===================================================================================================

The solution is:
Change /etc/squid-deb-proxy/mirror_dstdomain.acl,
line 14:
--archive.canonical.com
++.archive.canonical.com
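
Review bot: the `++.archive.canonical.com` entry on line 14 turns an exact-host allowlist entry into a suffix match, so the proxy will serve every host under archive.canonical.com, not only ubuntu-cloud.archive.canonical.com, which is the one host the failing requests need. If that breadth is intended, a comment next to the entry should say so; if it is not, keep `archive.canonical.com` as it is and add `ubuntu-cloud.archive.canonical.com` on its own line.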

Restart squid-deb-proxy service.
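
The difference between the two ACL entries, as an added example that is not part of the original report or of squid-deb-proxy: a simplified Python model of Squid's dstdomain matching (a leading dot matches the domain and its subdomains, no dot matches the exact host only). The ACL excerpts, function names and the last two sample hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed excerpts: only the entry the report changes, not the shipped file.
ACL_BEFORE = """\
# allowed mirror destinations (excerpt)
archive.canonical.com
"""
ACL_AFTER = """\
# allowed mirror destinations (excerpt)
.archive.canonical.com
"""

SAMPLE_URLS = [
    "http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/precise-updates/folsom/Release",
    "http://archive.canonical.com/",
    "http://xarchive.canonical.com/",               # constructed look-alike label
    "http://archive.canonical.com.example.net/",    # constructed look-alike suffix
]

def parse_acl(text):
    """Return the ACL entries, skipping blank lines and # comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries

def entry_matches(entry, host):
    """Model of dstdomain matching: '.d' covers d and *.d, 'd' covers d only."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        # endswith(entry) keeps the dot, so the match stops at a label boundary.
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def is_allowed(acl_text, url):
    """True if the URL's host matches any entry (the proxy would not answer 403)."""
    host = urlsplit(url).hostname or ""
    return any(entry_matches(e, host) for e in parse_acl(acl_text))

def compare():
    """Map each sample URL to (allowed before the change, allowed after)."""
    return {u: (is_allowed(ACL_BEFORE, u), is_allowed(ACL_AFTER, u)) for u in SAMPLE_URLS}

if __name__ == "__main__":
    for url, (before, after) in compare().items():
        print(f"before={before!s:5} after={after!s:5} {url}")
```

The same function can be pointed at the contents of a deployed ACL file to review which destinations a proxy allowlist really covers before and after an edit.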

julian wang (zeratul-j) wrote :

Fix attached

affects: maas → squid-deb-proxy

The attachment "Fix attached" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Robie Basak (racb) wrote :

This appears to have been fixed on 6 December by mvo, in 0.6.7 in raring. Am I mistaken?

Changed in squid-deb-proxy (Ubuntu):
status: New → Fix Released
Robie Basak (racb) on 2013-01-07
description: updated
Dave Russell (drussell) wrote :

racb - yes, but need to ensure 12.04/cloud archive are taken care of too.

Robie Basak (racb) wrote :

My proposed SRU for 12.04 is in the queue, awaiting a sponsor.

James Page (james-page) wrote :

Robie; I've uploaded to precise-proposed; however I do think it's worth fixing this in quantal as well as folk might be using squid-deb-proxy on Quantal to deploy precise servers using MAAS.

Changed in squid-deb-proxy (Ubuntu Precise):
assignee: nobody → Andres Rodriguez (andreserl)
Changed in squid-deb-proxy (Ubuntu Quantal):
assignee: nobody → Andres Rodriguez (andreserl)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in squid-deb-proxy (Ubuntu Precise):
status: New → Confirmed
Changed in squid-deb-proxy (Ubuntu Quantal):
status: New → Confirmed
Nobuto Murata (nobuto) wrote :

As commented above, upstream already has the fix in 0.6.7.

Changed in squid-deb-proxy:
status: New → Fix Released

Hello julian, or anyone else affected,

Accepted squid-deb-proxy into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/squid-deb-proxy/0.6.3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in squid-deb-proxy (Ubuntu Precise):
status: Confirmed → Fix Committed
tags: added: verification-needed
Javier López (javier-lopez) wrote :

After testing the -proposed package, I can see the issue is fixed:

$ export http_proxy=http://localhost:8000
$ wget -O/dev/null http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/precise-updates/folsom/Release
--2013-05-24 20:59:53-- http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/precise-updates/folsom/Release
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8000... connected.
Proxy request sent, awaiting response... 200 OK
Length: 5510 (5.4K) [text/plain]
Saving to: `/dev/null'

100%[========================================================================================>] 5,510 --.-K/s in 0s

2013-05-24 20:59:54 (161 MB/s) - `/dev/null' saved [5510/5510]

$ apt-cache policy squid-deb-proxy
squid-deb-proxy:
  Installed: 0.6.3.1
  Candidate: 0.6.3.1
  Version table:
 *** 0.6.3.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     0.6.3 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main i386 Packages

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid-deb-proxy - 0.6.3.1

---------------
squid-deb-proxy (0.6.3.1) precise-proposed; urgency=low

  * Allow caching of Canonical's cloud archive (LP: #1087145).
 -- Robie Basak <email address hidden> Mon, 07 Jan 2013 10:13:44 +0000

Changed in squid-deb-proxy (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in squid-deb-proxy (Ubuntu Quantal):
status: Confirmed → Fix Released