** Description changed: === Begin SRU Information === [Impact] * Operating completely off-line (without access to *.ubuntu.com) is not really possible with cloud-init in 12.04. The user can specify a mirror to use to cloud-init, and it will respect that input. However, it will still write 'security.ubuntu.com' entries in /etc/apt/sources.list . The fix in 12.10 was to add support for declaring the security mirror in addition to the "primary" mirror. Looking at the config snippet probably makes it obvious how this is done. '$security' in the templates then references the specified security mirror, and the user can set that value by providing cloud-config syntax formed like the default below: | package_mirrors: | - arches: [i386, amd64] | failsafe: | primary: http://archive.ubuntu.com/ubuntu | security: http://security.ubuntu.com/ubuntu | search: | primary: | - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/ | - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/ | security: [] | - arches: [armhf, armel, default] | failsafe: | primary: http://ports.ubuntu.com/ubuntu | security: http://ports.ubuntu.com/ubuntu * this will allow users on fully disconnected networks to use cloud images with local mirrors without modifying the image. [Test Case] To demonstrate the problem, simply launch an instance in EC2. The rendered sources.list will contain references to us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com . the default/fallback case was previously to use archive.ubuntu.com and there was no changing of security.ubuntu.com at all. The result was that offline, an 'apt-get update' was guaranteed to fail even if the user specified 'apt_mirror'. You can demonstrate the fixed path by booting an instance with user-data like the following: |#cloud-config |system_info: | package_mirrors: | - arches: [i386, amd64] | failsafe: | primary: http://my.archive.mydomain.com/ubuntu + | security: http://my.archive.mydomain.com/ubuntu | search: | primary: [] | security: [] You will see in /etc/sources.list, that there is no reference to "ubuntu.com" any more. [Regression Potential] * The change in behavior could change mirror selection in undefined ways. We've not seen any issues with this path in quantal, though. This code is basically the same as is running in quantal just backported. === End SRU Information === cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry. This has issues in 2 places: a.) internal and disconnected operation (no access to security.ubuntu.com) b.) arm. For arm, there is no security.ubuntu.com Related bugs: * bug 1028501: cloud-init selects wrong mirrors for arm
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1006963 Title: sources.list configuration does not cover security To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-init/+bug/1006963/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
