Bug #13918

open

dreamcompute: unsigned Ubuntu packages

Added by Loïc Dachary over 8 years ago. Updated over 8 years ago.

Status: Fix Under Review
Priority: Normal
Assignee: -
Category: -
% Done: 0%
Source: other
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Crash signature (v1):
Crash signature (v2):

Description

When a pristine Ubuntu 14.04 boots, it gets unsigned packages, either because the DNS redirects to DreamHost repositories or because of a transparent proxy (not so transparent).

WARNING: The following packages cannot be authenticated!
  ntp git-man git
E: There are problems and -y was used without --force-yes

Possible workaround:

diff --git a/teuthology/openstack/openstack-ubuntu-user-data.txt b/teuthology/openstack/openstack-ubuntu-user-data.txt
index e05f1ad..907af8a 100644
--- a/teuthology/openstack/openstack-ubuntu-user-data.txt
+++ b/teuthology/openstack/openstack-ubuntu-user-data.txt
@@ -1,5 +1,6 @@
 #cloud-config
 bootcmd:
+ - apt-get install -y --force-yes python wget git ntp
  - apt-get remove --purge -y resolvconf || true
  - echo 'prepend domain-name-servers {nameserver};' | sudo tee -a /etc/dhcp/dhclient.conf
  - echo 'supersede domain-name "{lab_domain}";' | sudo tee -a /etc/dhcp/dhclient.conf
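
Review bot: the added bootcmd line passes `--force-yes`, which makes apt-get proceed past the "cannot be authenticated" warning quoted in the description, and it is placed as the first bootcmd entry, ahead of the dhclient.conf lines that set up {nameserver}, so the install runs with whatever resolver the provider handed out, which the description names as a suspected cause. Suggest moving the install after the nameserver setup and trying it without `--force-yes` first, and adding a comment that points at this bug so the flag is removed once the repositories are fixed.
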
@@ -11,9 +12,4 @@ preserve_hostname: true
 system_info:
   default_user:
     name: {username}
-packages:
- - python
- - wget
- - git
- - ntp
 final_message: "{up}, after $UPTIME seconds" 
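
Review bot: with the `packages:` list removed, python, wget, git and ntp are installed only through the `--force-yes` bootcmd line from the first hunk, and nothing in the file records why the normal package path was dropped. Suggest keeping the `packages:` list so the authenticated path is used when the repositories are healthy, or at least adding a comment next to the workaround that references this bug.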

Another workaround is to run a resolver and not rely on the DNS provided by the provider to avoid unexpected resolutions (should it turn out to be the problem).

Actions #1

Updated by Loïc Dachary over 8 years ago

as bootcmd

echo 'APT::Get::AllowUnauthenticated "true";' | sudo tee /etc/apt/apt.conf.d/99disablesigs

Actions #2

Updated by Ken Dreyer over 8 years ago

This seems like a large issue. Why are the packages unsigned?

Is this an issue with DreamHost?

Actions #3

Updated by Loïc Dachary over 8 years ago

@Ken @Zack it actually was a temporary issue with the official Ubuntu repositories. That being said, all these machines are short-lived and it should not matter at all if packages are signed or not.

Actions #4

Updated by Loïc Dachary over 8 years ago

  • Status changed from New to Fix Under Review

Actions #5

Updated by Ken Dreyer over 8 years ago

For better or worse, lab users often enable SSH agent forwarding when connecting to hosts in the lab. If these hosts are compromised by an attacker, the attacker can authenticate to other systems with the user's ssh-agent.

If Ubuntu is breaking their repositories on a regular basis, we need to talk with someone @ Ubuntu about that?
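
A defender-side check for the two workarounds proposed in this ticket, as an added example that is not part of the original thread or of teuthology: a shell function that reports where APT has been told to skip signature verification. It goes beyond the ticket by also matching `--allow-unauthenticated` and `[trusted=yes]` source entries; the function names and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example: report settings that let APT install packages without
# verifying repository signatures. Function names are this example's own.
# audit_apt_auth ROOT [USER_DATA...] prints one FINDING line per hit and
# returns 1 when anything was found, 0 when the tree is clean.
conf_re='^[[:space:]]*APT::Get::AllowUnauthenticated[[:space:]]+"?(true|yes|1)'
src_re='^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes'
cmd_re='^[^#]*(apt(-get)?[[:space:]].*--(force-yes|allow-unauthenticated)|AllowUnauthenticated)'

scan() {  # scan KIND REGEX FILE...: grep each regular file, tag every hit
    kind=$1; re=$2; shift 2
    for f in "$@"; do
        if [ -f "$f" ]; then
            # /dev/null as a second operand makes grep print the file name
            grep -nEi -e "$re" "$f" /dev/null || true
        fi
    done | sed "s/^/FINDING $kind /"
}

audit_apt_auth() {
    root=${1%/}; shift
    findings=$(
        scan apt-conf "$conf_re" "$root"/etc/apt/apt.conf "$root"/etc/apt/apt.conf.d/*
        scan sources "$src_re" "$root"/etc/apt/sources.list "$root"/etc/apt/sources.list.d/*.list
        scan user-data "$cmd_re" "$@"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

demo() {  # constructed sample tree holding both workarounds from this ticket
    t=$(mktemp -d)
    mkdir -p "$t/etc/apt/apt.conf.d"
    echo 'APT::Get::AllowUnauthenticated "true";' > "$t/etc/apt/apt.conf.d/99disablesigs"
    printf '%s\n' '#cloud-config' 'bootcmd:' \
        ' - apt-get install -y --force-yes python wget git ntp' > "$t/user-data.txt"
    rc=0; audit_apt_auth "$t" "$t/user-data.txt" || rc=$?
    rm -rf "$t"
    return "$rc"
}

# With arguments: audit that root (exit status 1 on findings). Without: run the demo.
if [ "$#" -gt 0 ]; then audit_apt_auth "$@"; else demo || true; fi
```

The apt.conf check only matches the one-line `APT::Get::AllowUnauthenticated` form used in the ticket, not the nested-brace syntax apt also accepts.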
