squid-deb-proxy

maas proxy prevent nodes access cloud archive

Bug #1087145 reported by julian wang
34
This bug affects 4 people
Affects Status Importance Assigned to Milestone
squid-deb-proxy
Fix Released
Undecided
Unassigned
squid-deb-proxy (Ubuntu)
Fix Released
Undecided
Unassigned
Precise
Fix Released
Undecided
Andres Rodriguez
Quantal
Fix Released
Undecided
Andres Rodriguez

Bug Description

[Impact]

Users cannot enable the Ubuntu Cloud Archive using squid-deb-proxy without changing its configuration by hand.

[Test Case]

$ export http_proxy=http://localhost:8000
$ wget -O/dev/null http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/precise-updates/folsom/Release

This command should succeed, but if the problem is present then it fails with 403 Forbidden.

[Development Fix]

Fixed in upstream trunk and in Raring 0.6.7.

[Stable Fix]

Merge proposal attached. This just tweaks mirror-dstdomain.acl the same way as in the development fix.

[Regression Potential]

Only access to archives in archive.canonical.com will be affected. I have verified that ".archive.canonical.com" also matches "archive.canonical.com" by getting a 404 (and not a 403) if I hit it with this change applied.

[Original Description]

To setup OpenStack Folsom on Ubuntu 12.04 LTS by MAAS+JuJu, it needs access ubuntu cloud archive:
deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/folsom main

But by default, it's not ok. Error logs from juju shows apt-get update failed by 403 forbidden.

======================================LOG=========================================================
2012-12-05 14:34:28,960 unit:keystone/1: hook.executor DEBUG: started
2012-12-05 14:34:29,003 unit:keystone/1: statemachine DEBUG: unitworkflowstate: transition install (None -> installed) {}
2012-12-05 14:34:29,003 unit:keystone/1: statemachine DEBUG: unitworkflowstate: execute action do_install
2012-12-05 14:34:29,050 unit:keystone/1: hook.output DEBUG: Cached relation hook contexts: []
2012-12-05 14:34:29,051 unit:keystone/1: hook.executor DEBUG: Running hook: /var/lib/juju/units/keystone-1/charm/hooks/install
2012-12-05 14:34:29,972 unit:keystone/1: unit.hook.api DEBUG: Get unit setting: 'private-address'
2012-12-05 14:34:30,443 unit:keystone/1: unit.hook.api DEBUG: Get unit setting: 'private-address'
2012-12-05 14:34:30,523 unit:keystone/1: hook.output INFO: Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /tmp/tmp.YQ7MyOjrEG --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA

2012-12-05 14:34:30,527 unit:keystone/1: hook.output ERROR: gpg:
2012-12-05 14:34:30,528 unit:keystone/1: hook.output ERROR: requesting key EC4926EA from hkp server keyserver.ubuntu.com

2012-12-05 14:34:34,702 unit:keystone/1: hook.output ERROR: gpg:
2012-12-05 14:34:34,703 unit:keystone/1: hook.output ERROR: key EC4926EA: "Canonical Cloud Archive Signing Key <email address hidden>" not changed

2012-12-05 14:34:34,704 unit:keystone/1: hook.output ERROR: gpg:
2012-12-05 14:34:34,704 unit:keystone/1: hook.output ERROR: Total number processed: 1

2012-12-05 14:34:34,705 unit:keystone/1: hook.output ERROR: gpg:
2012-12-05 14:34:34,705 unit:keystone/1: hook.output ERROR: unchanged: 1

2012-12-05 14:34:51,882 unit:keystone/1: unit.hook.api INFO: FATAL ERROR: ERROR: command apt-get update return non-zero.

2012-12-05 14:34:51,920 unit:keystone/1: hook.output DEBUG: hook install exited, exit code Traceback (most recent call last):
Failure: juju.errors.CharmInvocationError: Error processing '/var/lib/juju/units/keystone-1/charm/hooks/install': exit code 1.
.
2012-12-05 14:34:51,921 unit:keystone/1: hook.executor DEBUG: Hook error: /var/lib/juju/units/keystone-1/charm/hooks/install Error processing '/var/lib/juju/units/keystone-1/charm/hooks/install': exit code 1.
2012-12-05 14:34:51,922 unit:keystone/1: statemachine DEBUG: unitworkflowstate: executing error transition error_install, Error processing '/var/lib/juju/units/keystone-1/charm/hooks/install': exit code 1.
2012-12-05 14:34:51,954 unit:keystone/1: statemachine DEBUG: unitworkflowstate: transition error_install (None -> install_error) {}
2012-12-05 14:34:52,001 unit:keystone/1: statemachine DEBUG: unitworkflowstate: transition complete error_install (state install_error) {}
2012-12-05 14:34:52,015 unit:keystone/1: juju.agents.unit DEBUG: Configuration Changed
2012-12-05 14:34:52,015 unit:keystone/1: juju.agents.unit DEBUG: Configuration updated on service in a non-started state
2012-12-05 14:34:52,032 unit:keystone/1: juju.agents.unit INFO: No upgrade flag set.

W: Failed to fetch http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/precise-updates/folsom/main/binary-amd64/Packages 403 Forbidden

W: Failed to fetch http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/precise-updates/folsom/main/binary-i386/Packages 403 Forbidden

E: Some index files failed to download. They have been ignored, or old ones used instead.
===================================================================================================

The solution is:
Change /etc/squid-deb-proxy/mirror_dstdomain.acl,
line 14:
--archive.canonical.com
++.archive.canonical.com

Restart squid-deb-proxy service.

See original description

Related branches

lp:~racb/ubuntu/precise/squid-deb-proxy/cloud-archive
James Page: Approve
Diff: 26 lines (+7/-1)
2 files modified
debian/changelog (+6/-0)
mirror-dstdomain.acl (+1/-1)
lp:~nobuto/squid-deb-proxy/allow-ubuntu-cloud-archive
Michael Vogt: Approve
Diff: 12 lines (+1/-1)
1 file modified
mirror-dstdomain.acl (+1/-1)
lp:ubuntu/precise-proposed/squid-deb-proxy
Revision history for this message
julian wang (zeratul-j) wrote :

Fix attached

Julian Edwards (julian-edwards)
affects: maas → squid-deb-proxy
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Fix attached" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Revision history for this message
Robie Basak (racb) wrote :

This appears to have been fixed on 6 December by mvo, in 0.6.7 in raring. Am I mistaken?

Changed in squid-deb-proxy (Ubuntu):
status: New → Fix Released
Robie Basak (racb)
description: updated
Revision history for this message
Dave Russell (drussell) wrote :

racb - yes, but need to ensure 12.04/cloud archive are taken care of too.

Revision history for this message
Robie Basak (racb) wrote :

My proposed SRU for 12.04 is in the queue, awaiting a sponsor.

Revision history for this message
James Page (james-page) wrote :

Robie; I've uploaded to precise-proposed; however I do think its worth fixing this in quantal as well as folk might be using squid-deb-proxy on Quantal to deploy precise servers using MAAS.

Daniel Holbach (dholbach)
Changed in squid-deb-proxy (Ubuntu Precise):
assignee: nobody → Andres Rodriguez (andreserl)
Changed in squid-deb-proxy (Ubuntu Quantal):
assignee: nobody → Andres Rodriguez (andreserl)
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in squid-deb-proxy (Ubuntu Precise):
status: New → Confirmed
Changed in squid-deb-proxy (Ubuntu Quantal):
status: New → Confirmed
Revision history for this message
Nobuto Murata (nobuto) wrote :

As commented above, upstream already has the fix in 0.6.7.

Changed in squid-deb-proxy:
status: New → Fix Released
Revision history for this message
Colin Watson (cjwatson) wrote : Please test proposed package

Hello julian, or anyone else affected,

Accepted squid-deb-proxy into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/squid-deb-proxy/0.6.3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in squid-deb-proxy (Ubuntu Precise):
status: Confirmed → Fix Committed
tags: added: verification-needed
Revision history for this message
Javier López (javier-lopez) wrote :

After testing the -proposed package, I can see the issue is fixed:

$ export http_proxy=http://localhost:8000
$ wget -O/dev/null http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/precise-updates/folsom/Release
--2013-05-24 20:59:53-- http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/precise-updates/folsom/Release
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8000... connected.
Proxy request sent, awaiting response... 200 OK
Length: 5510 (5.4K) [text/plain]
Saving to: `/dev/null'

100%[========================================================================================>] 5,510 --.-K/s in 0s

2013-05-24 20:59:54 (161 MB/s) - `/dev/null' saved [5510/5510]

$ apt-cache policy squid-deb-proxy
squid-deb-proxy:
  Installed: 0.6.3.1
  Candidate: 0.6.3.1
  Version table:
 *** 0.6.3.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     0.6.3 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main i386 Packages

tags: added: verification-done
removed: verification-needed
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid-deb-proxy - 0.6.3.1

---------------
squid-deb-proxy (0.6.3.1) precise-proposed; urgency=low

  * Allow caching of Canonical's cloud archive (LP: #1087145).
 -- Robie Basak <email address hidden> Mon, 07 Jan 2013 10:13:44 +0000

Changed in squid-deb-proxy (Ubuntu Precise):
status: Fix Committed → Fix Released
Andres Rodriguez (andreserl)
Changed in squid-deb-proxy (Ubuntu Quantal):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.