Handle latest iso's not being immutable

AverageMarcus commented 8 months ago

Is your feature request related to a problem? Please describe.

For our providers that build based on top of an iso image we've seen a problem several times now with Ubuntu (maybe others?) where the latest release is only available as a non-specific URL that is updated as new releases are made.

For example, Ubuntu 23.04 is currently (at time of writing) only available at the following location:

https://releases.ubuntu.com/23.04/ubuntu-23.04-live-server-amd64.iso

When a new release of Ubuntu 23.04 is made, this image is replaced but the URL remains the same. There isn't a location to get the specific patch version of the release that we've been able to find.

This causes the following problems:

checksums become out of date so we need to keep updating them even though the URL isn't changing
breaking changes could possibly be introduced into a new release of Ubuntu that could break for users of image-builder without there being any changes made to image-builder or the provided variables. This means image-builder can't guarentee reproducible builds.

Describe the solution you'd like

Ideally there would be a location where we can get the patch versions of Ubuntu images but I'm not aware of such a place existing.

Describe alternatives you've considered

We could fetch the checksum on the fly from the https://releases.ubuntu.com/23.04/SHA256SUMS file but this doesn't solve the reproducibility issue.

Additional context

For old releases, they become available at a different URL (e.g. https://old-releases.ubuntu.com/releases/jammy/ubuntu-22.04.2-live-server-amd64.iso) but the same doesn't seem to be possible with the latest patch release.

/kind feature

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

AverageMarcus commented 5 months ago

/remove-lifecycle stale

AverageMarcus commented 3 months ago

A little more investigation...

The current latest Ubuntu release is available at:

https://releases.ubuntu.com/22.04.4/ubuntu-22.04.4-live-server-amd64.iso

With curl:

curl https://releases.ubuntu.com/22.04.4/ubuntu-22.04.4-live-server-amd64.iso
HTTP/1.1 200 OK
Date: Fri, 05 Apr 2024 07:23:52 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 16 Feb 2024 23:52:36 GMT
ETag: "7d6eb800-61188703a4abd"
Accept-Ranges: bytes
Content-Length: 2104408064
Content-Type: application/x-iso9660-image

+-----------------------------------------+
| NOTE: binary data not shown in terminal |
+-----------------------------------------+

The previous Ubuntu release can be fetched using:

https://releases.ubuntu.com/22.04.2/ubuntu-22.04.2-live-server-amd64.iso

But this actually returns a HTTP 302 redirect to https://old-releases.ubuntu.com/releases/22.04.2/ubuntu-22.04.2-live-server-amd64.iso

With curl:

curl https://releases.ubuntu.com/22.04.2/ubuntu-22.04.2-live-server-amd64.iso
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://old-releases.ubuntu.com/releases/22.04.2/ubuntu-22.04.2-live-server-amd64.iso">here</a>.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at releases.ubuntu.com Port 443</address>
</body></html>
HTTP/1.1 301 Moved Permanently
Date: Fri, 05 Apr 2024 07:46:28 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://old-releases.ubuntu.com/releases/22.04.2/ubuntu-22.04.2-live-server-amd64.iso
Content-Length: 379
Content-Type: text/html; charset=iso-8859-1

I'm going to check if Packer correctly follows these redirects. If so, this should be resolved as long as we use the full version in the URL.

If that doesn't work, I have discovered that at least some Packer builders support a iso_urls property in place of iso_url which can be used to support multiple URLs. This will try the next in the list if one fails. We could use this to supply both the releases.ubuntu.com and the old-releases.ubuntu.com URLs so it should fallback when needed.

AverageMarcus commented 3 months ago

I just confirmed that this works by using the following vars with make build-qemu-ubuntu-2204:

{
  "boot_command_prefix": "c<wait>linux /casper/vmlinuz --- autoinstall ds='nocloud-net;s=http://{{ .HTTPIP }}:{{ .HTTPPort }}/22.04/'<enter><wait><wait><wait>initrd /casper/initrd<enter><wait><wait><wait>boot<enter>",
  "build_name": "ubuntu-2204",
  "distribution_version": "2204",
  "distro_name": "ubuntu",
  "guest_os_type": "ubuntu-64",
  "iso_checksum": "5e38b55d57d94ff029719342357325ed3bda38fa80054f9330dc789cd2d43931",
  "iso_checksum_type": "sha256",
  "iso_url": "https://releases.ubuntu.com/22.04.2/ubuntu-22.04.2-live-server-amd64.iso",
  "os_display_name": "Ubuntu 22.04",
  "shutdown_command": "shutdown -P now",
  "unmount_iso": "true"
}

So as long as we use the https://releases.ubuntu.com/XX.XX.X/ style URLs (needs the patch value) we should be ok.

AverageMarcus commented 3 months ago

It seems this is only true of the recent LTS releases and doesn't apply to 23.04 yet as it's still in beta.

AverageMarcus commented 3 weeks ago

😩

So, the patch version URLs are only available from the first patch version. The initial release of Ubuntu 24.04 (e.g. 24.04.0) doesn't have an immutable URL and is only available from the one that points to the latest for that version. 😞

kubernetes-sigs / image-builder

Handle latest iso's not being immutable #1334