
Backports are enabled in new Trusty instances
Closed, Resolved, Public

Description

Previously, the backports repository was not enabled in Labs instances by default. I therefore wrote a patch (https://gerrit.wikimedia.org/r/#/c/238662/) to enable it for Toolforge instances, but when I tested it I found that new Ubuntu Trusty instances have the repository enabled in /etc/apt/sources.list:

[…]
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://nova.clouds.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://nova.clouds.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
[…]

That's useful, because it removes the necessity for my patch :-). On the other hand, it appears to be random because this configuration does not seem to be set in the labs_vmbuilder module (or elsewhere). The top of /etc/apt/sources.list reads:

## Note, this file is written by cloud-init on first boot of an instance
## modifications made here will not survive a re-bundle.
## if you wish to make changes you can:
## a.) add 'apt_preserve_sources_list: true' to /etc/cloud/cloud.cfg
##     or do the same in user-data
## b.) add sources in /etc/apt/sources.list.d
## c.) make changes to template file /etc/cloud/templates/sources.list.tmpl
#

but I don't see anything pertinent in modules/labs_vmbuilder/files/cloud.cfg et al.

So:

  1. Should the backports be enabled in default Labs (have not tested: Precise/)Trusty instances? (For Jessie instances, this is done in modules/apt/manifests/init.pp.)
  2. Depending on 1., that policy should be coded somewhere so that new images reliably conform to it.
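One way to check an image against whichever answer is chosen for item 1, as an added example that is not part of the original task or of any Wikimedia module: it parses one-line-style APT sources and reports active `-backports` pockets. The function names, the policy flag and the non-backports sample lines are assumptions constructed for illustration.

```python
import glob
import re

# One-line-style APT entry: type, optional [options], URI, suite, components.
ENTRY_RE = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)((?:\s+\S+)*)$")

# Constructed sample: the two active lines are the ones quoted in the task.
SAMPLE_ENABLED = """\
## Uncomment the following two lines to add software from the 'backports'
## repository.
deb http://nova.clouds.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://nova.clouds.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
"""

# Constructed sample: backports commented out, other pockets active.
SAMPLE_DISABLED = """\
deb http://nova.clouds.archive.ubuntu.com/ubuntu/ trusty main restricted
# deb http://nova.clouds.archive.ubuntu.com/ubuntu/ trusty-backports main restricted
deb [arch=amd64] http://nova.clouds.archive.ubuntu.com/ubuntu/ trusty-updates main  # no backports here
"""


def enabled_backports(text, source="sources.list"):
    """Return the active (uncommented) entries whose suite ends in '-backports'."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        match = ENTRY_RE.match(line)
        if match and match.group(3).endswith("-backports"):
            findings.append((source, lineno, match.group(1), match.group(3)))
    return findings


def conforms(text, backports_expected):
    """True when the presence of an active backports pocket matches the policy."""
    return bool(enabled_backports(text)) == backports_expected


if __name__ == "__main__":
    # Scan the locations named in the cloud-init header; missing files are skipped.
    for path in ["/etc/apt/sources.list"] + sorted(glob.glob("/etc/apt/sources.list.d/*.list")):
        try:
            with open(path) as handle:
                for finding in enabled_backports(handle.read(), path):
                    print("%s:%d: %s %s" % finding)
        except OSError:
            pass
```

Run on a freshly built instance, it prints one line per active backports entry; deb822-style `.sources` files are not parsed.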

Event Timeline

scfc assigned this task to Andrew.
scfc raised the priority of this task from to Needs Triage.
scfc updated the task description.
scfc added projects: Cloud-VPS, Toolforge.
scfc added a subscriber: scfc.
Restricted Application added subscribers: StudiesWorld, Aklapper.

I agree that the ways of cloud-init are mysterious. I dug in the source a bit but don't see where the default behavior is described... The current default behavior is fine though, right?

The current behaviour is fine with me, but it is a change compared to the previous behaviour and thus has the potential to surprise people.

I looked where the change came from, and it was in:

cloud-init (0.7.5-0ubuntu1.13) trusty; urgency=medium

 * d/patches/lp-1177432-enable_backports.patch: Enable backports apt pocket
   (LP: #1177432).

-- Ben Howard <ben.howard@ubuntu.com>  Mon, 02 Nov 2015 08:52:09 -0700

The rationale in https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1177432 is that Ubuntu bare-metal servers have backports also enabled by default. My working knowledge was that at least WMF Ubuntu bare-metal servers had backports disabled.

So if backports should now be enabled in Labs images, Ubuntu will now do so reliably, solving item #2, if the answer to #1 is "yes".

Andrew added subscribers: MoritzMuehlenhoff, csteipp.

@MoritzMuehlenhoff, @csteipp, what is the policy on the backports repo for production servers?

Labs team agrees that having this turned on is just fine. Moritz, please re-open if this worries you.

My only concern would be if we were backporting security fixes there that were private (like we've done in the past with hhvm patches).