Bug #13918
opendreamcompute: unsigned Ubuntu packages
0%
Description
When a pristine ubuntu 14.04 boots, it gets unsigned packages, either because the dns redirects to dreamhost repositories or because of a transparent proxy (not so transparent).
WARNING: The following packages cannot be authenticated! ntp git-man git E: There are problems and -y was used without --force-yes
Possible workaround:
diff --git a/teuthology/openstack/openstack-ubuntu-user-data.txt b/teuthology/openstack/openstack-ubuntu-user-data.txt index e05f1ad..907af8a 100644 --- a/teuthology/openstack/openstack-ubuntu-user-data.txt +++ b/teuthology/openstack/openstack-ubuntu-user-data.txt @@ -1,5 +1,6 @@ #cloud-config bootcmd: + - apt-get install -y --force-yes python wget git ntp - apt-get remove --purge -y resolvconf || true - echo 'prepend domain-name-servers {nameserver};' | sudo tee -a /etc/dhcp/dhclient.conf - echo 'supersede domain-name "{lab_domain}";' | sudo tee -a /etc/dhcp/dhclient.conf @@ -11,9 +12,4 @@ preserve_hostname: true system_info: default_user: name: {username} -packages: - - python - - wget - - git - - ntp final_message: "{up}, after $UPTIME seconds"
Another workaround is to run a resolver and not rely on the DNS provided by the provider to avoid unexpected resolutions (should it turn out to be the problem).
Updated by Loïc Dachary over 8 years ago
as bootcmd
echo 'APT::Get::AllowUnauthenticated "true";' | sudo tee /etc/apt/apt.conf.d/99disablesigs
Updated by Ken Dreyer over 8 years ago
This seems like a large issue. Why are the packages unsigned?
Is this an issue with DreamHost?
Updated by Loïc Dachary over 8 years ago
@Ken @Zack it actually was a temporary issue with the official ubuntu repositories. That being said, all these machines are short lived and it should not matter at all if packages are signed or not.
Updated by Loïc Dachary over 8 years ago
- Status changed from New to Fix Under Review
Updated by Ken Dreyer over 8 years ago
For better or worse, lab users often enable SSH agent forwarding when connecting to hosts in the lab. If these hosts are compromised by an attacker, the attacker can authenticate to other systems with the user's ssh-agent.
If Ubuntu is breaking their repositories on a regular basis, we need to talk with someone @ Ubuntu about that?