[Bug 1006963] Re: sources.list configuration does not cover security
This bug was fixed in the package cloud-init - 0.6.3-0ubuntu1.3

---
cloud-init (0.6.3-0ubuntu1.3) precise-proposed; urgency=low

  * debian/patches/lp-1070345-landscape-restart-after-change.patch,
    debian/patches/lp-1066115-landscape-install-fix-perms.patch:
    fix missing or incorrect imports (LP: #1070345, LP: #1066115).

cloud-init (0.6.3-0ubuntu1.2) precise-proposed; urgency=low

  * debian/patches/lp-978127-maas-oauth-fix-bad-clock.patch: fix usage of
    oauth in maas data source if local system has a bad clock (LP: #978127)
  * debian/cloud-init.preinst: fix bug where user data scripts re-ran on
    upgrade from 10.04 versions (LP: #1049146)
  * debian/patches/lp-974509-detect-dns-server-redirection.patch: detect dns
    server redirection and disable searching dns for a mirror named
    'ubuntu-mirror' (LP: #974509)
  * debian/patches/lp-1018554-shutdown-message-to-console.patch: write a
    message to the console on system shutdown. (LP: #1018554)
  * debian/patches/lp-1066115-landscape-install-fix-perms.patch: install
    landscape package if needed which will ensure proper permissions on
    config file (LP: #1066115).
  * debian/patches/lp-1070345-landscape-restart-after-change.patch: restart
    landscape after modifying config (LP: #1070345)
  * debian/patches/lp-1073077-zsh-workaround-for-locale_warn.patch: avoid
    warning when user's shell is zsh (LP: #1073077)
  * debian/patches/rework-mirror-selection.patch: improve mirror selection by:
    * allowing region/availability-zone to be part of mirror (LP: #1037727)
    * making mirror selection arch aware (LP: #1028501)
    * allow specification of a security mirror (LP: #1006963)
 -- Scott Moser smo...@ubuntu.com Thu, 13 Dec 2012 12:16:56 -0500

** Changed in: cloud-init (Ubuntu Precise)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cloud-init in Ubuntu.
https://bugs.launchpad.net/bugs/1006963

Title:
  sources.list configuration does not cover security

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1006963/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1006963] Re: sources.list configuration does not cover security
Hello Scott, or anyone else affected,

Accepted cloud-init into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/cloud-init/0.6.3-0ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Tags removed: verification-done
** Tags added: verification-needed
[Bug 1006963] Re: sources.list configuration does not cover security
** Tags removed: verification-needed
** Tags added: verification-done
[Bug 1006963] Re: sources.list configuration does not cover security
** Description changed: === Begin SRU Information === [Impact] * Operating completely off-line (without access to *.ubuntu.com) is not really possible with cloud-init in 12.04. The user can specify a mirror to use to cloud-init, and it will respect that input. However, it will still write 'security.ubuntu.com' entries in /etc/apt/sources.list . The fix in 12.10 was to add support for declaring the security mirror in addition to the primary mirror. Looking at the config snippet probably makes it obvious how this is done. '$security' in the templates then references the specified security mirror, and the user can set that value by providing cloud-config syntax formed like the default below: | package_mirrors: | - arches: [i386, amd64] | failsafe: | primary: http://archive.ubuntu.com/ubuntu | security: http://security.ubuntu.com/ubuntu |search: | primary: |- http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/ |- http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/ | security: [] | - arches: [armhf, armel, default] |failsafe: | primary: http://ports.ubuntu.com/ubuntu | security: http://ports.ubuntu.com/ubuntu * this will allow users on fully disconnected networks to use cloud images with local mirrors without modifying the image. [Test Case] To demonstrate the problem, simply launch an instance in EC2. The rendered sources.list will contain references to us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com . the default/fallback case was previously to use archive.ubuntu.com and there was no changing of security.ubuntu.com at all. The result was that offline, an 'apt-get update' was guaranteed to fail even if the user specified 'apt_mirror'. 
You can demonstrate the fixed path by booting an instance with user-data like the following: |#cloud-config |system_info: | package_mirrors: | - arches: [i386, amd64] | failsafe: | primary: http://my.archive.mydomain.com/ubuntu + | security: http://my.archive.mydomain.com/ubuntu | search: | primary: [] | security: [] You will see in /etc/sources.list, that there is no reference to ubuntu.com any more. [Regression Potential] * The change in behavior could change mirror selection in undefined ways. We've not seen any issues with this path in quantal, though. This code is basically the same as is running in quantal just backported. === End SRU Information === cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry. This has issues in 2 places: a.) internal and disconnected operation (no access to security.ubuntu.com) b.) arm. For arm, there is no security.ubuntu.com Related bugs: * bug 1028501: cloud-init selects wrong mirrors for arm
[Bug 1006963] Re: sources.list configuration does not cover security
** Description changed: === Begin SRU Information === [Impact] - * Operating completely off-line (without access to *.ubuntu.com) is not -really possible with cloud-init in 12.04. The user can specify a -mirror to use to cloud-init, and it will respect that input. However, -it will still write 'security.ubuntu.com' entries in -/etc/apt/sources.list . The fix in 12.10 was to add support for -declaring the security mirror in addition to the primary mirror. + * Operating completely off-line (without access to *.ubuntu.com) is not + really possible with cloud-init in 12.04. The user can specify a + mirror to use to cloud-init, and it will respect that input. However, + it will still write 'security.ubuntu.com' entries in + /etc/apt/sources.list . The fix in 12.10 was to add support for + declaring the security mirror in addition to the primary mirror. -Looking at the config snippet probably makes it obvious how this -is done. '$security' in the templates then references the specified -security mirror, and the user can set that value by providing -cloud-config syntax formed like the default below: + Looking at the config snippet probably makes it obvious how this + is done. 
'$security' in the templates then references the specified + security mirror, and the user can set that value by providing + cloud-config syntax formed like the default below: - | package_mirrors: - | - arches: [i386, amd64] - | failsafe: - | primary: http://archive.ubuntu.com/ubuntu - | security: http://security.ubuntu.com/ubuntu - |search: - | primary: - |- http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/ - |- http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/ - | security: [] - | - arches: [armhf, armel, default] - |failsafe: - | primary: http://ports.ubuntu.com/ubuntu - | security: http://ports.ubuntu.com/ubuntu + | package_mirrors: + | - arches: [i386, amd64] + | failsafe: + | primary: http://archive.ubuntu.com/ubuntu + | security: http://security.ubuntu.com/ubuntu + |search: + | primary: + |- http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/ + |- http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/ + | security: [] + | - arches: [armhf, armel, default] + |failsafe: + | primary: http://ports.ubuntu.com/ubuntu + | security: http://ports.ubuntu.com/ubuntu - * this will allow users on fully disconnected networks to use cloud -images with local mirrors without modifying the image. + * this will allow users on fully disconnected networks to use cloud + images with local mirrors without modifying the image. [Test Case] - To demonstrate the problem, simply launch an instance in EC2. The - rendered sources.list will contain references to - us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com . - the default/fallback case was previously to use archive.ubuntu.com - and there was no changing of security.ubuntu.com at all. The result was - that offline, an 'apt-get update' was guaranteed to fail even if the - user specified 'apt_mirror'. + To demonstrate the problem, simply launch an instance in EC2. The + rendered sources.list will contain references to + us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com . 
+ the default/fallback case was previously to use archive.ubuntu.com + and there was no changing of security.ubuntu.com at all. The result was + that offline, an 'apt-get update' was guaranteed to fail even if the + user specified 'apt_mirror'. - You can demonstrate the fixed path by booting an instance with - user-data like the following: - |#cloud-config - |system_info: - | package_mirrors: - | - arches: [i386, amd64] - | failsafe: - | primary: http://my.archive.mydomain.com/ubuntu - | search: - | primary: [] - | security: [] + You can demonstrate the fixed path by booting an instance with + user-data like the following: + |#cloud-config + |system_info: + | package_mirrors: + | - arches: [i386, amd64] + | failsafe: + | primary: http://my.archive.mydomain.com/ubuntu + | search: + | primary: [] + | security: [] - You will see in /etc/sources.list, that there is no reference to - ubuntu.com any more. + You will see in /etc/sources.list, that there is no reference to + ubuntu.com any more. [Regression Potential] - * The change in behavior could change mirror selection in undefined -ways. We've not seen any issues with this path in quantal, though. -This code is basically the same as is running in quantal just -backported. + * The change in behavior could change mirror selection in undefined +
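Review bot: the closing sentence of the [Test Case] still reads '/etc/sources.list' on both the removed and the added lines, while the [Impact] paragraph of the same description names '/etc/apt/sources.list'. Since these lines are being rewritten anyway, correct the path so that whoever verifies the fix inspects the file apt actually reads.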
[Bug 1006963] Re: sources.list configuration does not cover security
verified this is fixed:

$ dpkg-query --show cloud-init
cloud-init 0.6.3-0ubuntu1.2
$ ec2metadata --user-data
#cloud-config
system_info:
  package_mirrors:
    - arches: [i386, amd64]
      failsafe:
        primary: http://my.archive.mydomain.com/ubuntu
        security: http://my.archive.mydomain.com/ubuntu
      search:
        primary: []
        security: []
$ grep ^[^#]*security /etc/apt/sources.list
deb http://my.archive.mydomain.com/ubuntu precise-security main
deb-src http://my.archive.mydomain.com/ubuntu precise-security main
deb http://my.archive.mydomain.com/ubuntu precise-security universe
deb-src http://my.archive.mydomain.com/ubuntu precise-security universe

** Tags removed: verification-needed
** Tags added: verification-done
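An added example (not cloud-init's code and not part of this thread): a simplified model of the mirror selection the bug description outlines, plus an audit of the rendered sources.list for hosts outside the local mirror, which is the check the grep above performs by eye. Assumptions: a search candidate is used when its hostname resolves (modelled by the caller-supplied resolves function), and select_mirrors, render_sources and foreign_hosts are hypothetical names.

```python
from urllib.parse import urlparse

# Constructed from the default package_mirrors quoted in the bug description.
DEFAULT_MIRRORS = [
    {"arches": ["i386", "amd64"],
     "failsafe": {"primary": "http://archive.ubuntu.com/ubuntu",
                  "security": "http://security.ubuntu.com/ubuntu"},
     "search": {"primary": [
                    "http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/",
                    "http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/"],
                "security": []}},
    {"arches": ["armhf", "armel", "default"],
     "failsafe": {"primary": "http://ports.ubuntu.com/ubuntu",
                  "security": "http://ports.ubuntu.com/ubuntu"}},
]
# Constructed from the user-data shown in the verification message.
LOCAL_MIRRORS = [
    {"arches": ["i386", "amd64"],
     "failsafe": {"primary": "http://my.archive.mydomain.com/ubuntu",
                  "security": "http://my.archive.mydomain.com/ubuntu"},
     "search": {"primary": [], "security": []}},
]

def select_mirrors(package_mirrors, arch, facts, resolves):
    """Assumed model: match arch (else 'default'), search, then failsafe."""
    entry = next((e for e in package_mirrors if arch in e["arches"]), None) \
        or next((e for e in package_mirrors if "default" in e["arches"]), {})
    chosen = dict(entry.get("failsafe", {}))
    for name, candidates in entry.get("search", {}).items():
        for template in candidates:
            try:
                url = template % facts   # fills e.g. %(ec2_region)s
            except KeyError:
                continue                 # fact unknown on this platform
            if resolves(urlparse(url).hostname):
                chosen[name] = url       # first resolvable candidate wins
                break
    return chosen

def render_sources(mirrors, release="precise"):
    """Stand-in for the template: $security feeds the -security pocket."""
    out = []
    for comp in ("main", "universe"):
        out.append("deb %s %s %s" % (mirrors["primary"], release, comp))
        out.append("deb %s %s-security %s" % (mirrors["security"], release, comp))
    return "\n".join(out) + "\n"

def foreign_hosts(sources_text, allowed_hosts):
    """Hosts in active deb/deb-src lines that are not in allowed_hosts."""
    found = set()
    for line in sources_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if fields and fields[0] in ("deb", "deb-src"):
            uri = next((f for f in fields[1:] if "://" in f), None)
            host = urlparse(uri).hostname if uri else None
            if host and host not in allowed_hosts:
                found.add(host)
    return sorted(found)

if __name__ == "__main__":
    offline = lambda host: False   # nothing resolves on a disconnected network
    for cfg in (DEFAULT_MIRRORS, LOCAL_MIRRORS):
        text = render_sources(select_mirrors(cfg, "amd64", {}, offline))
        print(foreign_hosts(text, {"my.archive.mydomain.com"}))
```

An empty result for a configuration means an instance on a disconnected network has no apt source it cannot reach; any host listed is one that 'apt-get update' would still try to contact.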
[Bug 1006963] Re: sources.list configuration does not cover security
Hello Scott, or anyone else affected,

Accepted cloud-init into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/cloud-init/0.6.3-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: cloud-init (Ubuntu Precise)
       Status: Triaged => Fix Committed

** Tags added: verification-needed
[Bug 1006963] Re: sources.list configuration does not cover security
** Description changed: - cloud-init will attempt to update /etc/apt/sources.list from its - template, and allows the user to set 'apt_mirror'. However, it does not - allow the user to set the security.ubuntu.com entry. + === Begin SRU Information === + [Impact] + * Operating completely off-line (without access to *.ubuntu.com) is not +really possible with cloud-init in 12.04. The user can specify a +mirror to use to cloud-init, and it will respect that input. However, +it will still write 'security.ubuntu.com' entries in +/etc/apt/sources.list . The fix in 12.10 was to add support for +declaring the security mirror in addition to the primary mirror. + +Looking at the config snippet probably makes it obvious how this +is done. '$security' in the templates then references the specified +security mirror, and the user can set that value by providing +cloud-config syntax formed like the default below: + + | package_mirrors: + | - arches: [i386, amd64] + | failsafe: + | primary: http://archive.ubuntu.com/ubuntu + | security: http://security.ubuntu.com/ubuntu + |search: + | primary: + |- http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/ + |- http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/ + | security: [] + | - arches: [armhf, armel, default] + |failsafe: + | primary: http://ports.ubuntu.com/ubuntu + | security: http://ports.ubuntu.com/ubuntu + + * this will allow users on fully disconnected networks to use cloud +images with local mirrors without modifying the image. + + [Test Case] + To demonstrate the problem, simply launch an instance in EC2. The + rendered sources.list will contain references to + us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com . + the default/fallback case was previously to use archive.ubuntu.com + and there was no changing of security.ubuntu.com at all. The result was + that offline, an 'apt-get update' was guaranteed to fail even if the + user specified 'apt_mirror'. 
+ + You can demonstrate the fixed path by booting an instance with + user-data like the following: + |#cloud-config + |system_info: + | package_mirrors: + | - arches: [i386, amd64] + | failsafe: + | primary: http://my.archive.mydomain.com/ubuntu + | search: + | primary: [] + | security: [] + + You will see in /etc/sources.list, that there is no reference to + ubuntu.com any more. + + [Regression Potential] + * The change in behavior could change mirror selection in undefined +ways. We've not seen any issues with this path in quantal, though. +This code is basically the same as is running in quantal just +backported. + + === End SRU Information === + + + cloud-init will attempt to update /etc/apt/sources.list from its template, and allows the user to set 'apt_mirror'. However, it does not allow the user to set the security.ubuntu.com entry. This has issues in 2 places: a.) internal and disconnected operation (no access to security.ubuntu.com) b.) arm. For arm, there is no security.ubuntu.com - Related bugs: - * bug 1028501: cloud-init selects wrong mirrors for arm + Related bugs: + * bug 1028501: cloud-init selects wrong mirrors for arm
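Review bot: in the added [Test Case], the user-data sets only 'primary' under 'failsafe' and leaves 'security: []' under 'search', so nothing in it names a security mirror, yet the following sentence expects no reference to ubuntu.com. The default quoted under [Impact] carries 'security: http://security.ubuntu.com/ubuntu' in its failsafe block; add a 'security: http://my.archive.mydomain.com/ubuntu' line under 'failsafe' here so the test exercises the security entry this bug is about.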
[Bug 1006963] Re: sources.list configuration does not cover security
** Branch linked: lp:~smoser/ubuntu/precise/cloud-init/sru
[Bug 1006963] Re: sources.list configuration does not cover security
** Also affects: cloud-init (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: cloud-init (Ubuntu)
       Status: New => Fix Released

** Changed in: cloud-init (Ubuntu)
   Importance: Undecided => Medium
[Bug 1006963] Re: sources.list configuration does not cover security
** Also affects: cloud-init (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: cloud-init (Ubuntu Precise)
       Status: New => Triaged

** Changed in: cloud-init (Ubuntu Precise)
   Importance: Undecided => Medium