Page MenuHomePhabricator
Create Task
Maniphest T291168

[Debian bullseye image] APT source-list file is not up to date
Closed, ResolvedPublicBUG REPORT
Actions

Description

List of steps to reproduce:

What happens?
HTTP 404 on the Debian security repository.

What should have happened instead?
a proper APT update.

Details:

deb {{security}} {{codename}}/updates main
deb-src {{security}} {{codename}}/updates main
  • for some reason, there are no Wikimedia mirrors for the Debian security repos

Details

SubjectRepoBranchLines +/-
cloud-vps: puppetize /etc/apt/sources.listoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Hjfocs created this task.Sep 16 2021, 10:25 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 16 2021, 10:25 AM
taavi added a project: cloud-services-team.Sep 16 2021, 10:29 AM
taavi removed a subscriber: cloud-services-team.
Restricted Application edited projects, added cloud-services-team (Kanban); removed cloud-services-team. · View Herald TranscriptSep 16 2021, 10:29 AM
Maintenance_bot added a project: Wikidata.Sep 16 2021, 10:45 AM
RhinosF1 merged a task: T292540: Invalid Bullseye security repo on newly provisioned Bullseye VMs.Oct 9 2021, 12:32 PM
RhinosF1 added subscribers: fgiunchedi, RhinosF1, Andrew.
bd808 triaged this task as High priority.Nov 8 2021, 6:54 PM
bd808 subscribed.

Bullseye instances are not getting security patches via auto-update as a result of this.

bd808 added a comment.Nov 9 2021, 1:19 AM
In T292540#7414548, @RhinosF1 wrote:

rOPUP96a3cc3f6899: Adapt name of security suite for bullseye and later was the production fix

Tim-moody subscribed.Jan 3 2022, 3:39 PM
Tim-moody mentioned this in T298466: puppet failure on unknown instance.Jan 3 2022, 3:42 PM
Andrew added a comment.Jan 4 2022, 8:36 PM

I've just confirmed that this still happens

Andrew added a parent task: T264311: Prepare for puppetizing /etc/apt/sources.list.Jan 4 2022, 9:01 PM
gerritbot added a comment.Jan 4 2022, 9:43 PM

Change 751498 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] cloud-vps: puppetize /etc/apt/sources.list

https://gerrit.wikimedia.org/r/751498

gerritbot added a project: Patch-For-Review.Jan 4 2022, 9:43 PM
gerritbot added a comment.Jan 5 2022, 3:13 AM

Change 751498 merged by Andrew Bogott:

[operations/puppet@production] cloud-vps: puppetize /etc/apt/sources.list

https://gerrit.wikimedia.org/r/751498

Andrew closed this task as Resolved.Jan 5 2022, 3:31 AM
Andrew claimed this task.
Andrew added subscribers: taavi, Dzahn.

@Majavah reminded me about this issue and caught me up with the latest. A few points:

  • there are no Wikimedia mirrors for the Debian security repos for any version, and that's the recommended practice by the Debian folks. So no issue there.
  • our version of cloud-init doesn't know about the new naming scheme, which is why we get the wrong source entries
  • the latest version of cloud-init DOES know about the new naming scheme but, weirdly, this version of cloud-init doesn't ship with bullseye even though bullseye needs it

at this point @Dzahn chimed in to point out that prod has correct templates for handling sources.list for bullseye and busted. This led us around to T264311, the neglected goal of unifying prod sources.list puppet manifests with cloud-vps.

So, I was bold/reckless and pushed ahead on T264311 which has also resolved this issue.

I don't love that we have a cloud-init-determined sources.list for the first few apt actions and then a slightly different sources.list subsequently, but as far as I can tell it's harmless in practice (and mostly unavoidable.)

Maintenance_bot removed a project: Patch-For-Review.Jan 5 2022, 4:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits