Public bug reported:

[Availability]
The package azure-proxy-agent is already in Ubuntu universe.
The package azure-proxy-agent builds for the architectures it is designed to
work on (amd64 and arm64).
It currently builds and works for architectures: amd64 and arm64.
Link to package https://launchpad.net/ubuntu/+source/azure-proxy-agent

[Rationale]
 - The package azure-proxy-agent is required in Ubuntu main for securing
   Azure's IMDS service for Ubuntu on Azure.
 - The package azure-proxy-agent will generally be useful for a large part of
   our user base as it will be seeded on all our Ubuntu images on Azure.
 - There is no other/better way to solve this that is already in main or
   should go universe->main instead of this. netfilter can be used to broadly
   restrict access to the IMDS service from the VM, but finer-grained
   control requires this service.
 - The binary package azure-proxy-agent needs to be in main to seed it in all
   Ubuntu images on Azure in order to secure the IMDS service endpoint by
   preventing unauthorized users from accessing the service.
 - The source package only produces one binary package.

 - The package azure-proxy-agent is required in Ubuntu main no later than July
   1st 2025 due to an expectation from Microsoft to better secure their IMDS
   service on Ubuntu.

[Security]
 - No CVEs/security issues in this software in the past (note that the software
   is fairly new).

 - no `suid` or `sgid` binaries
 - Binary azure-proxy-agent in sbin is no problem because TBD
 - Package does install services but no timer or recurring job
   (service installed: azure-proxy-agent.service)
 - Security has been kept in mind and common isolation/risk-mitigation
   patterns are in place utilizing the following features:
   - Package uses systemd isolation features to restrict namespaces and
     capabilities. See
     https://git.launchpad.net/ubuntu/+source/azure-proxy-agent/tree/proxy_agent_setup/src/linux/azure-proxy-agent.service
 - Package does not open privileged ports (ports < 1024).
 - Package does not expose any external endpoints
 - Package does contain extensions to security-sensitive software.
   The package filters network traffic between the local machine and the Azure
   IMDS endpoint and proxies this traffic to block requests from unauthorized
   local users.
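As an added reviewer check (not from the MIR text or the azure-proxy-agent package), the [Security] claims above can be tested against an unpacked package tree; the sample tree and the list of isolation directives it looks for are constructed assumptions, not the real unit file:

```shell
#!/bin/sh
# Added audit helper (not part of the MIR or the azure-proxy-agent package):
# checks a staged package tree (e.g. an unpacked .deb) against the [Security]
# claims above: no suid/sgid files, no .timer units, isolation directives set.

# Succeeds only if no regular file under $1 has the setuid or setgid bit.
check_no_suid_sgid() {
    [ -z "$(find "$1" -type f \( -perm -4000 -o -perm -2000 \))" ]
}

# Succeeds only if no systemd .timer unit ships under $1.
check_no_timers() {
    [ -z "$(find "$1" -type f -name '*.timer')" ]
}

# Prints isolation directives missing from unit file $1; succeeds only if none
# are missing. The directive list is an assumption; adjust to the unit reviewed.
check_unit_isolation() {
    missing=""
    for key in CapabilityBoundingSet RestrictNamespaces NoNewPrivileges \
               ProtectSystem ProtectHome PrivateTmp; do
        grep -q "^$key=" "$1" || missing="$missing $key"
    done
    if [ -n "$missing" ]; then echo "missing:$missing"; return 1; fi
}

# Builds a constructed package tree (sample data, not the real package).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/sbin" "$d/lib/systemd/system"
    printf '#!/bin/sh\n' > "$d/usr/sbin/agent"
    chmod 0755 "$d/usr/sbin/agent"
    cat > "$d/lib/systemd/system/agent.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/agent
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
RestrictNamespaces=yes
CapabilityBoundingSet=CAP_NET_ADMIN
EOF
    echo "$d"
}

# Stand-alone run against the constructed tree.
tree=$(make_sample_tree)
check_no_suid_sgid "$tree" && check_no_timers "$tree" &&
    check_unit_isolation "$tree/lib/systemd/system/agent.service" && echo "ok: $tree"
```

For the real package, point the checks at the directory produced by `dpkg-deb -x` and at the shipped azure-proxy-agent.service.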

[Quality assurance - function/usage]
 - The package works well right after install

[Quality assurance - maintenance]
 - The package is maintained well upstream and does
   not have too many, long-term & critical, open bugs
   - Upstream's bug tracker: https://github.com/Azure/GuestProxyAgent
 - The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
 - The package runs a test suite on build time, if it fails
   it makes the build fail: 
https://launchpadlibrarian.net/795867619/buildlog_ubuntu-questing-amd64.azure-proxy-agent_1.0.30-0ubuntu1_BUILDING.txt.gz

 - The package runs an autopkgtest, and is currently passing on
   amd64 and arm64: https://autopkgtest.ubuntu.com/packages/azure-proxy-agent

[Quality assurance - packaging]
 - debian/watch is present and works

 - debian/control defines a correct Maintainer field

 - This package does not yield massive lintian Warnings, Errors
 - Please link to a recent build log of the package
   https://launchpad.net/ubuntu/+source/azure-proxy-agent/1.0.30-0ubuntu2
 - Please attach the full output you have got from
   `lintian --pedantic` as an extra post to this bug:
   The output is empty.
 - Lintian overrides are present and documented:

    # the package includes a BPF binary
    azure-proxy-agent: binary-from-other-architecture
    # These spelling errors come from vendored libraries that
    # are unlikely to be shown to the user.
    azure-proxy-agent: spelling-error-in-binary
    # This seems to be a common issue with Rust packages
    azure-proxy-agent: hardening-no-fortify-functions

 - This package does not rely on obsolete or about to be demoted
   packages.

 - The package will be installed by default, but does not ask debconf
   questions higher than medium

 - Packaging is somewhat complex because it is built in Rust. However, it uses
   a similar debian/rules as other Rust packages in main:
   https://git.launchpad.net/ubuntu/+source/azure-proxy-agent/tree/debian/rules?h=ubuntu/questing-devel

[UI standards]
 - Application is not end-user facing (does not need translation)

[Dependencies]
 - No further depends or recommends dependencies that are not yet in main

[Standards compliance]
 - This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
 - The owning team will be CPC Azure and I have their acknowledgement for
   that commitment: https://launchpad.net/~cpc-azure
 - The future owning team is already subscribed to the package

 - The team cpc-azure is aware of the implications by a static build and
   commits to test no-change-rebuilds and to fix any issues found for the
   lifetime of the release (including ESM)

 - The team cpc-azure is aware of the implications of vendored code and (as
   alerted by the security team) commits to provide updates and backports
   to the security team for any affected vendored code for the lifetime
   of the release (including ESM).

 - This package uses vendored Rust code tracked in Cargo.lock as shipped in
   the package (at /usr/share/doc/azure-proxy-agent/Cargo.lock in
   1.0.30-0ubuntu2; it might be compressed); refreshing that code is outlined
   in debian/README.source
 - This package uses vendored code, refreshing that code is outlined
   in debian/README.source

 - This package is rust based and vendors all non language-runtime
   dependencies

 - The package has been built within the last 3 months in the archive
 - Build link on launchpad:
   https://launchpad.net/ubuntu/+source/azure-proxy-agent/1.0.30-0ubuntu1

[Background information]
The package description explains the package well
Upstream Name is GuestProxyAgent
Link to upstream project https://github.com/Azure/GuestProxyAgent
GuestProxyAgent doesn't mean much, since this package is only useful on Azure;
naming it azure-proxy-agent makes more sense and is easier to understand.

** Affects: azure-proxy-agent (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2112359

Title:
  [MIR] azure-proxy-agent
