** Description changed:

- cloud-init will attempt to update /etc/apt/sources.list from its
- template, and allows the user to set 'apt_mirror'.  However, it does not
- allow the user to set the security.ubuntu.com entry.
+ === Begin SRU Information ===
+ [Impact]
+  * Operating completely off-line (without access to *.ubuntu.com) is not
+    really possible with cloud-init in 12.04.  The user can specify a
+    mirror to use to cloud-init, and it will respect that input.  However,
+    it will still write 'security.ubuntu.com' entries in
+    /etc/apt/sources.list .  The fix in 12.10 was to add support for
+    declaring the security mirror in addition to the "primary" mirror.
+ 
+    Looking at the config snippet probably makes it obvious how this
+    is done.  '$security' in the templates then references the specified
+    security mirror, and the user can set that value by providing
+    cloud-config syntax formed like the default below:
+ 
+     | package_mirrors:
+     |   - arches: [i386, amd64]
+     |     failsafe:
+     |      primary: http://archive.ubuntu.com/ubuntu
+     |      security: http://security.ubuntu.com/ubuntu
+     |    search:
+     |      primary:
+     |        - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
+     |        - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
+     |      security: []
+     |  - arches: [armhf, armel, default]
+     |    failsafe:
+     |      primary: http://ports.ubuntu.com/ubuntu
+     |      security: http://ports.ubuntu.com/ubuntu
+ 
+  * this will allow users on fully disconnected networks to use cloud
+    images with local mirrors without modifying the image.
+ 
+ [Test Case]
+  To demonstrate the problem, simply launch an instance in EC2.  The
+  rendered sources.list will contain references to
+  us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
+  the default/fallback case was previously to use archive.ubuntu.com
+  and there was no changing of security.ubuntu.com at all.  The result was
+  that offline, an 'apt-get update' was guaranteed to fail even if the
+  user specified 'apt_mirror'.
+ 
+  You can demonstrate the fixed path by booting an instance with
+  user-data like the following:
+     |#cloud-config
+     |system_info:
+     | package_mirrors:
+     |   - arches: [i386, amd64]
+     |     failsafe:
+     |      primary: http://my.archive.mydomain.com/ubuntu
+     |     search:
+     |      primary: []
+     |      security: []
+ 
+  You will see in /etc/sources.list, that there is no reference to
+  "ubuntu.com" any more.
+ 
+ [Regression Potential]
+  * The change in behavior could change mirror selection in undefined
+    ways.  We've not seen any issues with this path in quantal, though.
+    This code is basically the same as is running in quantal just
+    backported.
+ 
+ === End SRU Information ===
+ 
+ 
+ cloud-init will attempt to update /etc/apt/sources.list from its template, 
and allows the user to set 'apt_mirror'.  However, it does not allow the user 
to set the security.ubuntu.com entry.
  
  This has issues in 2 places:
  a.) internal and disconnected operation (no access to security.ubuntu.com)
  b.) arm.  For arm, there is no security.ubuntu.com
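Review bot: the [Test Case] section tells the tester to look in /etc/sources.list, but the file cloud-init renders is /etc/apt/sources.list, as the [Impact] section itself states; suggest correcting the path so the verification step does not point at a file that will not exist.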
  
- Related bugs: 
-  * bug 1028501:  cloud-init selects wrong mirrors for arm
+ Related bugs:
+  * bug 1028501:  cloud-init selects wrong mirrors for arm
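To make the mirror-selection behaviour in the SRU text concrete, here is an added Python example (not cloud-init's own code) that emulates the `package_mirrors` logic described above: pick the entry for the architecture (falling back to the one listing `default`), try each `search` candidate after `%(key)s` substitution, and fall back to `failsafe`. The `reachable` callback stands in for the real network probe, the three-line template is a stand-in for cloud-init's sources.list template, and the rule that a missing security mirror reuses the primary is an assumption chosen to match the test case, which expects no `ubuntu.com` reference at all. The sample configs are constructed from the snippets in the bug.

```python
from string import Template

# Constructed from the default package_mirrors snippet in the bug.
DEFAULT_PACKAGE_MIRRORS = [
    {
        "arches": ["i386", "amd64"],
        "failsafe": {
            "primary": "http://archive.ubuntu.com/ubuntu",
            "security": "http://security.ubuntu.com/ubuntu",
        },
        "search": {
            "primary": [
                "http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/",
                "http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/",
            ],
            "security": [],
        },
    },
    {
        "arches": ["armhf", "armel", "default"],
        "failsafe": {
            "primary": "http://ports.ubuntu.com/ubuntu",
            "security": "http://ports.ubuntu.com/ubuntu",
        },
    },
]

# Constructed from the "fixed path" user-data in the test case.
OFFLINE_PACKAGE_MIRRORS = [
    {
        "arches": ["i386", "amd64"],
        "failsafe": {"primary": "http://my.archive.mydomain.com/ubuntu"},
        "search": {"primary": [], "security": []},
    }
]

# Stand-in for the real sources.list template (assumption: only $primary,
# $security and $codename matter for this demonstration).
SOURCES_TEMPLATE = Template(
    "deb $primary $codename main restricted universe multiverse\n"
    "deb $primary $codename-updates main restricted universe multiverse\n"
    "deb $security $codename-security main restricted universe multiverse\n"
)


def _entry_for_arch(package_mirrors, arch):
    """Entry whose 'arches' lists arch, else the entry listing 'default'."""
    for entry in package_mirrors:
        if arch in entry.get("arches", []):
            return entry
    for entry in package_mirrors:
        if "default" in entry.get("arches", []):
            return entry
    raise ValueError("no package_mirrors entry for %s and no default" % arch)


def select_mirrors(package_mirrors, arch, subst, reachable):
    """Return {'primary': url, 'security': url}.

    For each kind, the first reachable 'search' candidate wins; otherwise the
    'failsafe' value is used.  A missing security mirror reuses the primary
    (assumption, chosen to match the bug's offline test case).
    """
    entry = _entry_for_arch(package_mirrors, arch)
    chosen = {}
    for kind in ("primary", "security"):
        for candidate in entry.get("search", {}).get(kind, []):
            try:
                url = candidate % subst
            except KeyError:
                continue  # datasource does not provide this substitution key
            if reachable(url):
                chosen[kind] = url
                break
        else:  # no search candidate was usable
            if kind in entry.get("failsafe", {}):
                chosen[kind] = entry["failsafe"][kind]
    if "primary" not in chosen:
        raise ValueError("no primary mirror could be selected")
    chosen.setdefault("security", chosen["primary"])
    return chosen


def render_sources_list(mirrors, codename="precise"):
    """Render the stand-in template with the selected mirrors."""
    return SOURCES_TEMPLATE.substitute(codename=codename, **mirrors)


def references_ubuntu_com(text):
    """The offline check from the test case: any *.ubuntu.com left behind?"""
    return "ubuntu.com" in text


if __name__ == "__main__":
    ec2 = {"ec2_region": "us-east-1", "availability_zone": "us-east-1a"}
    print(render_sources_list(select_mirrors(
        DEFAULT_PACKAGE_MIRRORS, "amd64", ec2, lambda u: "ec2.archive" in u)))
    print(render_sources_list(select_mirrors(
        OFFLINE_PACKAGE_MIRRORS, "amd64", {}, lambda u: False)))
```

Running it prints the EC2 case (regional archive plus security.ubuntu.com, the problem the bug describes) followed by the fully local case, where every line points at my.archive.mydomain.com and the `references_ubuntu_com` check comes back false.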

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cloud-init in Ubuntu.
https://bugs.launchpad.net/bugs/1006963

Title:
  sources.list configuration does not cover security
