lxc download template needs access to hkp://pool.sks-keyservers.net

Bug #1338781 reported by Scott Moser
Affects: lxc (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I'm using a cloud instance with configured http_proxy and https_proxy.
Other than that, generally "internet" access is not available.

I run:
 lxc-create -t download --list

and I see:
$ sudo lxc-create -t download -n foo -- --list
Setting up the GPG keyring

and I see:
 gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 0xBAEFF88C22F6E216

that seems unnecessary.

I've securely downloaded and installed this package (and many others). I should have been delivered that key also.

For all practical purposes, you've given me the key (as you gave me its hash), and now I'm dependent on an external (generally not highly available) network resource to get the payload.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: lxc 1.0.4-0ubuntu0.1
ProcVersionSignature: User Name 3.13.0-30.54-generic 3.13.11.2
Uname: Linux 3.13.0-30-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
Date: Mon Jul 7 20:43:19 2014
Ec2AMI: ami-00000023
Ec2AMIManifest: FIXME
Ec2AvailabilityZone: nova
Ec2InstanceType: m1.small
Ec2Kernel: aki-00000002
Ec2Ramdisk: ari-00000002
ProcEnviron:
 TERM=screen
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: lxc
UpgradeStatus: No upgrade log present (probably fresh install)
defaults.conf:
 lxc.network.type = veth
 lxc.network.link = lxcbr0
 lxc.network.flags = up
 lxc.network.hwaddr = 00:16:3e:xx:xx:xx

Stéphane Graber (stgraber) wrote :

The required external connection is so that if we revoke the key, gpg will refuse to validate the indices and container images, therefore letting us immediately prevent any of our users from running malicious code in the event our key is compromised.

However, something seems odd in your setup because I took great care to make sure all of this does work through an http proxy and it's indeed what we do on all our CI servers (no outside access, everything goes through a squid proxy) where fetching the key works perfectly fine.

Could you paste your environment and ideally proxy logs to try and figure out why things ended up hanging?

Stéphane Graber (stgraber) wrote :

Looking at the code, it looks like you don't have http_proxy set in your environment:

# Deal with GPG over http proxy
if [ -n "${http_proxy:-}" ]; then
    DOWNLOAD_KEYSERVER="hkp://p80.pool.sks-keyservers.net:80"
fi

Instead you said you were using hkp://pool.sks-keyservers.net which is the pool of servers we use for machines that aren't behind an http proxy.

Changed in lxc (Ubuntu):
status: New → Incomplete
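The following is an added example, not code from the lxc download template or from either commenter. It reproduces the keyserver choice quoted in the comment above so that a user on a proxied instance can see which keyserver gpg would be told to use, and prints the environment variables a maintainer asks for when a key fetch hangs. The proxy value used in the comments is a constructed placeholder; gpg's `--keyserver-options http-proxy=` option is real, but whether a given proxy lets hkp traffic through is a property of that proxy, not of this script.

```shell
#!/bin/sh
# Added example (not lxc's own code): mirror the download template's
# keyserver selection so it can be inspected before running lxc-create.

# Pick the keyserver the way the template does: with http_proxy set, use
# the port-80 pool, because proxies typically forward port 80 but not
# the default hkp port 11371.
select_keyserver() {
    if [ -n "${http_proxy:-}" ]; then
        echo "hkp://p80.pool.sks-keyservers.net:80"
    else
        echo "hkp://pool.sks-keyservers.net"
    fi
}

# Build the extra gpg arguments that route the hkp request through the
# proxy explicitly, instead of relying on gpg picking up http_proxy on
# its own. Prints nothing when no proxy is configured.
gpg_proxy_options() {
    if [ -n "${http_proxy:-}" ]; then
        echo "--keyserver-options http-proxy=${http_proxy}"
    fi
}

# Show the variables that affect gpg's hkp transport, plus the resulting
# keyserver, without contacting anything. This is the information the
# maintainer asked the reporter to paste.
report_env() {
    printf 'http_proxy=%s\n'  "${http_proxy:-<unset>}"
    printf 'https_proxy=%s\n' "${https_proxy:-<unset>}"
    printf 'no_proxy=%s\n'    "${no_proxy:-<unset>}"
    printf 'keyserver=%s\n'   "$(select_keyserver)"
    printf 'gpg_extra_args=%s\n' "$(gpg_proxy_options)"
}
```

Run `report_env` on the affected instance; if it reports `http_proxy=<unset>` while gpg was seen using `hkp://pool.sks-keyservers.net`, the proxy variable is not reaching the `sudo lxc-create` environment (sudo resets the environment unless `env_keep` or `-E` preserves it), which matches the maintainer's reading of the code.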
Launchpad Janitor (janitor) wrote :

[Expired for lxc (Ubuntu) because there has been no activity for 60 days.]

Changed in lxc (Ubuntu):
status: Incomplete → Expired