** Description changed: === Begin SRU Information === [Impact] - * Operating completely off-line (without access to *.ubuntu.com) is not - really possible with cloud-init in 12.04. The user can specify a - mirror to use to cloud-init, and it will respect that input. However, - it will still write 'security.ubuntu.com' entries in - /etc/apt/sources.list . The fix in 12.10 was to add support for - declaring the security mirror in addition to the "primary" mirror. + * Operating completely off-line (without access to *.ubuntu.com) is not + really possible with cloud-init in 12.04. The user can specify a + mirror to use to cloud-init, and it will respect that input. However, + it will still write 'security.ubuntu.com' entries in + /etc/apt/sources.list . The fix in 12.10 was to add support for + declaring the security mirror in addition to the "primary" mirror. - Looking at the config snippet probably makes it obvious how this - is done. '$security' in the templates then references the specified - security mirror, and the user can set that value by providing - cloud-config syntax formed like the default below: + Looking at the config snippet probably makes it obvious how this + is done. 
'$security' in the templates then references the specified + security mirror, and the user can set that value by providing + cloud-config syntax formed like the default below: - | package_mirrors: - | - arches: [i386, amd64] - | failsafe: - | primary: http://archive.ubuntu.com/ubuntu - | security: http://security.ubuntu.com/ubuntu - | search: - | primary: - | - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/ - | - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/ - | security: [] - | - arches: [armhf, armel, default] - | failsafe: - | primary: http://ports.ubuntu.com/ubuntu - | security: http://ports.ubuntu.com/ubuntu + | package_mirrors: + | - arches: [i386, amd64] + | failsafe: + | primary: http://archive.ubuntu.com/ubuntu + | security: http://security.ubuntu.com/ubuntu + | search: + | primary: + | - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/ + | - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/ + | security: [] + | - arches: [armhf, armel, default] + | failsafe: + | primary: http://ports.ubuntu.com/ubuntu + | security: http://ports.ubuntu.com/ubuntu - * this will allow users on fully disconnected networks to use cloud - images with local mirrors without modifying the image. + * this will allow users on fully disconnected networks to use cloud + images with local mirrors without modifying the image. [Test Case] - To demonstrate the problem, simply launch an instance in EC2. The - rendered sources.list will contain references to - us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com . - the default/fallback case was previously to use archive.ubuntu.com - and there was no changing of security.ubuntu.com at all. The result was - that offline, an 'apt-get update' was guaranteed to fail even if the - user specified 'apt_mirror'. + To demonstrate the problem, simply launch an instance in EC2. The + rendered sources.list will contain references to + us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com . 
+ the default/fallback case was previously to use archive.ubuntu.com + and there was no changing of security.ubuntu.com at all. The result was + that offline, an 'apt-get update' was guaranteed to fail even if the + user specified 'apt_mirror'. - You can demonstrate the fixed path by booting an instance with - user-data like the following: - |#cloud-config - |system_info: - | package_mirrors: - | - arches: [i386, amd64] - | failsafe: - | primary: http://my.archive.mydomain.com/ubuntu - | search: - | primary: [] - | security: [] + You can demonstrate the fixed path by booting an instance with + user-data like the following: + |#cloud-config + |system_info: + | package_mirrors: + | - arches: [i386, amd64] + | failsafe: + | primary: http://my.archive.mydomain.com/ubuntu + | search: + | primary: [] + | security: [] - You will see in /etc/sources.list, that there is no reference to - "ubuntu.com" any more. + You will see in /etc/sources.list, that there is no reference to + "ubuntu.com" any more. [Regression Potential] - * The change in behavior could change mirror selection in undefined - ways. We've not seen any issues with this path in quantal, though. - This code is basically the same as is running in quantal just - backported. + * The change in behavior could change mirror selection in undefined + ways. We've not seen any issues with this path in quantal, though. + This code is basically the same as is running in quantal just + backported. === End SRU Information === - - cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry. + cloud-init will attempt to update /etc/apt/sources.list from its + template, and allows the user to set 'apt_mirror'. However, it does not + allow the user to set the security.ubuntu.com entry. This has issues in 2 places: a.) internal and disconnected operation (no access to security.ubuntu.com) b.) arm. 
For arm, there is no security.ubuntu.com Related bugs: * bug 1028501: cloud-init selects wrong mirrors for arm
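Review bot: The closing sentence of [Test Case] names '/etc/sources.list', but the file the [Impact] text and the final paragraph refer to is '/etc/apt/sources.list'; correct the path so whoever verifies the SRU checks the right file. The sample user-data in the same section sets only 'failsafe: primary' and 'search: security: []', whereas the default snippet under [Impact] carries a 'failsafe: security' entry. Since the pass criterion is that no "ubuntu.com" reference remains, the description should either add a 'security:' line under 'failsafe' in the test user-data or state what '$security' resolves to when none is given.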
https://bugs.launchpad.net/bugs/1006963
Title: sources.list configuration does not cover security
