blackboxsw
commented
2 months ago @MggMuggins thank you for filing this bug and improving cloud-init.
We originally thought we may treat this as won't fix for a couple of reasons:
- This feature
package_upgrade: trueshould attempt to upgrade all packages installed by any active package manager present within the environment 2.. This particular environment is unique in that the sandboxed limited network which doesn't permit an available package manager to run properly and there is no way in snap tooling or local environmental artifacts to query the status of outbound connectivity so that cloud-init can determine it shouldn't callsnap refresh. - This "supplemental feature" was released in 23.4 and is already consumed and used in stable releases, so removing that feature now as part of a new SRU would break admins which now depend on snap refresh happening as part of
package_upgrade: true
What we originally thought here was that workarounds would be possible by modifying the user-data provided to the machines to prevent the side-effect of calling snap refresh due to the #cloud-config package_upgrade: true option:
User-data workaround 1: Instead of this user-data for a snap-limited network environment
#cloud-config
package_upgrade: trueProvide the alternative which focus on apt upgrades and avoid triggering snap refresh
#cloud-config
runcmd: [apt-get upgrade --assume-yes]But, instead of this non-specific workaround above, we've come around to a proposal of a more specific way that user-data can inform cloud-init that it shouldn't call snap refresh due to the blanket package_upgrade: true in cloud-config.
One can basically set snap refresh --hold to tell snappy not to automatically refresh packages in general, this is enough of an indicator to cloud-init that snap refreshes and generally unwanted it shouldn't attempt to invoke this command.
What this requires from cloud-init is a preliminary call to snap get system refresh.hold to see if this configuration is set.
This functionality will be provided in this TBD PR.
To configure this with user-data add the appropriate snap command to your user-data:
#cloud-config
package_upgrade: true
snap:
commands:
00: snap refresh --hold
Bug report
4202 introduces a hard requirement on snap store connectivity when using the following in the user/vendor data:
This may or may not be a concern in cloud-init upstream, but the changes were included in 23.4 which was SRU'd to Jammy. This is a regression for users with restrictive firewalls preventing access to the snap store.
Steps to reproduce the problem
Create a vm with userdata containing:
Enable Proposed in the vm
Install cloud-init
24.1.3-0ubuntu1~22.04.4Create a lxd ACL preventing access to the snapd network requirements
for name in "${snap_reqs[@]}"; do for ip in $(dig +short "${name}"); do lxc network acl rule add stop-snap egress action=reject destination="${ip}" done done
Rerun cloud-init:
Cloud-init fails as
snap refreshcan't get out to api.snapcraft.io.Downgrade to cloud-init
23.1.2-0ubuntu0~22.04.1:Rerun cloud-init:
Cloud-init succeeds (no hard requirement on snap store)
Environment details
23.4-0ubuntu1~22.04.1and later