[Bug 2070320] Re: Autoinstall with apt deb822 source on noble does not override '/etc/apt/sources.list.d/ubuntu.sources' despite 'preserve_sources_list: false'

Fabio Augusto Miranda Martins 2070320 at bugs.launchpad.net
Thu Nov 14 12:26:07 UTC 2024 

Thanks for the details, Chris.

In my use case, the objective was to never use the original/default
sources, as we don't wanted to point to archive.ubuntu.com at all, but
rather to use an internal mirror (which had been set up with aptly, and
hence had a non-default GPG key).

I originally bumped into
https://bugs.launchpad.net/ubuntu/+source/subiquity/+bug/2076943 when
trying to configure the key.

As a workaround to the aforementioned problem, we tried configuring the
local repository in the ubuntu.sources section and also provide the GPG
key.

After that, what happened is that during the installation, a couple of
squashfs are mounted in an ephemeral /tmp location (ubuntu-server-
minimal.squashfs and ubuntu-server-minimal.ubuntu-server.squashfs) and
that is then copied over to /target, that will be the installed system,
and several different apt commands are executed with chroot inside
/target.

The problem is that the source provided in the autoinstall yaml is
appended in /target/etc/apt/sources.list.d/ubuntu.sources, so you have
both the default http://archive.ubuntu.com/ubuntu/ configured and also
the internal apt mirror you provided in the autoinstall yaml, which is
not the desired approach. The http://archive.ubuntu.com/ubuntu/ mirror
is used both during the installation and also in the installed system
(/etc/apt/sources.list.d/ubuntu.sources is left configured with both
mirrors, which is not the intention), which again is not the desired
behavior.

After some code review, Tiago found a way to provide the configuration
that we needed in the first bug (2076943), which is by using a template
to render sources files, as we can see here:
https://github.com/canonical/curtin/blob/master/curtin/commands/apt_config.py#L589

What happens is that, if we do not provide a template, curtin will use
the original sources files, which have the Signed-By yaml key pointing
to the default ubuntu archive key. If we provide our own template, we
can tell it, through the sources_list yaml key, to use our key, like
this:

    apt:
      primary:
      - arches: [amd64, i386, default]
        uri: http://192.168.148.3/ubuntu
      security:
      - arches: [amd64, i386, default]
        uri: http://192.168.148.3/ubuntu
      ...
      sources_list: |
        Types: deb
        URIs: $PRIMARY
        Suites: noble noble-updates noble-backports noble-security
        Components: main
        Signed-By: |
          -----BEGIN PGP PUBLIC KEY BLOCK-----
          ... our key ...
          -----END PGP PUBLIC KEY BLOCK-----
      ...
 

In this example, curtin will render this template replacing the $PRIMARY
value to the primary repository configured before. The resulting
ubuntu.sources file looks like this:

Types: deb
URIs: http://192.168.148.3/ubuntu
Suites: noble noble-updates noble-security
Components: main
Signed-By: |
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  ... our key ...
  -----END PGP PUBLIC KEY BLOCK-----
  


So, with that, we end up avoiding bumping into the problem reported in the current bug.

Tiago is pursuing some documentation improvement through this PR:
https://code.launchpad.net/~tiago.pasqualini/curtin/+git/curtin/+merge/473478

I believe that will clear things up.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to subiquity in Ubuntu.
https://bugs.launchpad.net/bugs/2070320

Title:
  Autoinstall with apt deb822 source on noble does not override
  '/etc/apt/sources.list.d/ubuntu.sources' despite
  'preserve_sources_list: false'

Status in subiquity package in Ubuntu:
  Invalid

Bug description:
  When using the following apt section on autoinstall, it does not
  replace the existing ubuntu sources despite the preserve_sources_list
  variable being set to false. It does appear to replace
  /etc/apt/sources.list, but this file is no longer used in Ubuntu
  24.04.

  ======
  apt:
    preserve_sources_list: false
    fallback: abort
    geoip: false
    sources:
      landscape.sources:
        source: |
          Types: deb
          URIs: http://landscape.home/repository/standalone/ubuntu/
          Suites: noble noble-updates noble-security
          Components: main universe restricted multiverse
          Signed-By: 16234E77E46C9DE644E1F4F4DA787C193976C85B
          Architectures: amd64
        key: |
          -----BEGIN PGP PUBLIC KEY BLOCK-----
          ...
          -----END PGP PUBLIC KEY BLOCK-----
  ======

  What ends up happening is the system will install from the Landscape
  mirror, but the other sources are not removed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/subiquity/+bug/2070320/+subscriptions

More information about the foundations-bugs mailing list