[Bug 494185] Re: ec2-init selects us-east-1 mirror when running in us-west-1 region

Scott Moser ssmoser2 at gmail.com
Mon Dec 14 15:30:54 GMT 2009


** Description changed:

  Binary package hint: ec2-init
  
  ec2-init has the following code:
  
  |    def get_mirror_from_availability_zone(self, availability_zone):
  |        if availability_zone.startswith("us"):
  |            return 'http://us.ec2.archive.ubuntu.com/ubuntu/'
  |        elif availability_zone.startswith("eu"):
  |            return 'http://eu.ec2.archive.ubuntu.com/ubuntu/'
  |
  |        return 'http://archive.ubuntu.com/ubuntu/'
  
  The above incorrectly sets the archive to us.ec2.archive.ubuntu.com
  which is in us-east-1 region.
  
  Currently that host is not accessible from inside the us-west-1 region.
  
  ProblemType: Bug
  Architecture: amd64
  Date: Tue Dec  8 20:24:36 2009
  DistroRelease: Ubuntu 10.04
  Ec2AMI: ami-133c6d56
  Ec2AMIManifest: ubuntu-images-testing-us-west-1/ubuntu-lucid-daily-amd64-server-20091207.manifest.xml
  Ec2Kernel: aki-0d3c6d48
  Package: ec2-init 0.4.999-0ubuntu7
  PackageArchitecture: all
  ProcEnviron:
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcVersionSignature: User Name 2.6.32-300.1-ec2
  SourcePackage: ec2-init
  Uname: Linux 2.6.32-300-ec2 x86_64
+ 
+ ================
+ SRU Report (ec2-init):
+ 
+ Background: The UEC Images have code that runs at "first boot" and
+ customizes an image to the region upon which it is being run.  One of
+ the customizations done is to attempt to select an archive mirror in the
+ same region that this instance is running in.   For example, Canonical
+ runs 3 archive mirrors in ec2, {us-west-1,us,eu}.ec2.archive.ubuntu.com
+ .  The us and eu mirrors have aliases "us-east-1" and "eu-west-1".  The
+ short names are largely historic now.  To limit cost and access to the
+ ec2 archive mirrors they are configured to only allow systems inside
+ their region to access them.
+ 
+   An instance is assigned an 'availability zone' within an instance.
+ These availability zones are currently consistently named as
+ '<region>[a-z]' (Example: us-east-1a, eu-west-1d).  The previous logic
+ was to select 'us.ec2.archive.ubuntu.com' if the availability zone
+ started with 'us' and 'eu.ec2.archive.ubuntu.com' if it started with
+ 'eu'.  The failure is that availability zones in both us-east-1 and us-
+ west-1 start with 'us', and would select the 'us.ec2.archive.ubuntu.com'
+ mirror.
+ 
+ Impact: Instances started in the us-west-1 region incorrectly select the
+ 'us.ec2.archive.ubuntu.com' mirror.  That mirror is not accessible
+ outside of the us-east-1 region, and 'apt-get update' or 'install'
+ cannot be run without manual modification of /etc/apt/sources.list.
+ 
+ Changes:
+  Please see the attachment [http://launchpadlibrarian.net/36703733/bug-494185.diff].  The code change is the final hunk of that patch.  We modify the 'get_mirror_from_availability_zone' method.  The new code selects a mirror based on naming convention of availability zones.  Failure or Exception in the logic will select 'archive.ubuntu.com' as a mirror.  Exception in the previous code would end up with no /etc/apt/sources.list.
+ 
+ Test Case:
+ - Start an instance in us-west-1 region
+ - ssh to instance, run 'apt-get update'.  
+ - grep "us-west-1" /etc/apt/sources.list
+   # you *should* see entries for the us-west-1.  Currently, the list shows 'us.ec2.archive.ubuntu.com'
+ - run 'apt-get update' to verify that the mirrors are functional.
+ - To verify there is no regression, we should a.) test multiple instances b.) verify that instances in us-east-1 and eu-west-1 do not regress the 'apt-get update' function.
+ 
+ Regression potential:
+ - The biggest cause for regression is that we are changing logic inside the image.  Previously it was all self contained.  The change makes the mirror selection depend on dns resolution of a hostname that is dependent upon meta-data available to the image.   
+ This leaves two possible failure paths:
+ a.) False positive: If the availability zone is named such that a dns entry *does* exist in the .ec2.archive.ubuntu.com subdomain, but there is no mirror running there, the code will falsely write /etc/apt/sources.list to connect to that mirror.  This is somewhat unlikely as the availability zones are currently consistently named, and canonical has control over the ec2.archive.ubuntu.com domain.
+ b.) False negative: Failure in the logic (dns resolution timeout, or temporary un-availability) could result in failure to select the correct mirror.  This is mitigated by a selection of 'archive.ubuntu.com' on Exception or failure.
+ 
+ Notes:
+ - The changes suggested here also reduce the likelihood that images run in UEC to incorrectly select an ec2 mirror.  There is still a possibility of that, but it has been reduced.
+ Previously the code in UEC would fail if the user defined availability zone started with 'us' or 'eu'.  Now, the possibility for error is reduced to availability zone names where the following is a valid hostname:
+    "%s.ec2.archive.ubuntu.com" % availability_zone[:-1]
+ =====

-- 
ec2-init selects us-east-1 mirror when running in us-west-1 region
https://bugs.launchpad.net/bugs/494185
You received this bug notification because you are a member of Ubuntu
Sponsors for main, which is a direct subscriber.
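
The selection logic described in the SRU report above, as an added example; this is not the attached ec2-init patch and not part of the original message. The strict zone-format check (AZ_PATTERN), the injectable resolve parameter, and the constructed_resolver stand-in for DNS are assumptions added here so that metadata-supplied text is validated before it becomes a hostname and so the block runs offline.

```python
import re
import socket

FALLBACK_MIRROR = "http://archive.ubuntu.com/ubuntu/"
# Assumed strict form of the '<region>[a-z]' convention (e.g. us-west-1b).
AZ_PATTERN = re.compile(r"[a-z]{2}-[a-z]+-[0-9]+[a-z]")


def mirror_from_availability_zone(availability_zone, resolve=socket.gethostbyname):
    """Return the in-region mirror URL, or the fallback on any failure."""
    try:
        # Metadata is external input: only a well-formed zone may become a hostname.
        if not AZ_PATTERN.fullmatch(availability_zone):
            return FALLBACK_MIRROR
        # Drop the trailing zone letter to get the region, as in the report.
        host = "%s.ec2.archive.ubuntu.com" % availability_zone[:-1]
        resolve(host)  # raises if there is no DNS entry (or on timeout)
        return "http://%s/ubuntu/" % host
    except Exception:
        # False-negative path: never leave sources.list without a mirror.
        return FALLBACK_MIRROR


def constructed_resolver(known_hosts):
    """Offline stand-in for DNS; known_hosts is constructed sample data."""
    calls = []

    def resolve(host):
        calls.append(host)
        if host not in known_hosts:
            raise socket.gaierror("constructed: no record for " + host)
        return "192.0.2.10"  # documentation address (RFC 5737)

    resolve.calls = calls
    return resolve


if __name__ == "__main__":
    dns = constructed_resolver({
        "us-west-1.ec2.archive.ubuntu.com",
        "us-east-1.ec2.archive.ubuntu.com",
        "eu-west-1.ec2.archive.ubuntu.com",
    })
    for zone in ("us-west-1b", "us-east-1a", "eu-west-1d",
                 "ap-southeast-1a", "uscluster", None):
        print(zone, "->", mirror_from_availability_zone(zone, dns))
```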


