Skip to content

ci: fail over between ubuntu mirrors via a reverse proxy#1106

Draft
cpuguy83 wants to merge 1 commit into
project-dalec:mainfrom
cpuguy83:cpuguy83/ubuntu-archive-failover-proxy
Draft

ci: fail over between ubuntu mirrors via a reverse proxy#1106
cpuguy83 wants to merge 1 commit into
project-dalec:mainfrom
cpuguy83:cpuguy83/ubuntu-archive-failover-proxy

Conversation

@cpuguy83

Copy link
Copy Markdown
Collaborator

The runner spoofed archive.ubuntu.com and security.ubuntu.com to a single azure.archive.ubuntu.com IP so container builds would use the faster azure mirror. That mirror is now intermittently unreachable, and DNS alone cannot recover from it: apt only retries another address on a TCP connect failure (not on timeouts or 5xx), and azure's Traffic Manager returns a single IP per lookup, so there is no sibling address to fall back to.

This points the spoof at a local nginx reverse proxy instead. nginx proxies to the azure mirror first and fails over to us.archive.ubuntu.com on connect errors, timeouts, and 5xx/429 responses — the failure modes plain DNS misses — so a flaky primary no longer breaks apt in container builds.

Notes:

  • Both mirrors serve the archive and -security pockets by path (host-agnostic), so forwarding the original Host through a single default_server covers both archive.ubuntu.com and security.ubuntu.com.
  • dnsmasq matches subdomains, which would otherwise redirect the mirror hostnames the proxy dials (azure.archive.ubuntu.com, us.archive.ubuntu.com) back to the proxy itself; more-specific server= rules keep those resolving through real DNS to avoid a self-proxy loop.
  • nginx and dnsmasq are installed before the spoof is active so apt and nginx upstream resolution still use normal DNS.

Trade-off: adds an nginx install and an extra hop on the runner, in exchange for surviving an intermittent upstream mirror.

Validated locally: nginx -t syntax ok, dnsmasq --test ok, shellcheck clean on the embedded scripts.

Copilot AI review requested due to automatic review settings June 18, 2026 23:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the CI infrastructure that makes container builds pull Ubuntu packages from a fast mirror. Previously, the dns-spoof-ubuntu-archive composite action resolved archive.ubuntu.com/security.ubuntu.com directly to a single azure.archive.ubuntu.com IP. Since that mirror is now intermittently unreachable and apt only retries another address on TCP connect failures (not timeouts/5xx), a flaky azure mirror could break apt. The action now points the DNS spoof at a local nginx reverse proxy that proxies to azure first and fails over to us.archive.ubuntu.com, with dnsmasq server= overrides to prevent the proxy's own upstream hostnames from looping back through the spoof.

Changes:

  • Replaced the direct azure-IP DNS spoof with a local nginx reverse proxy (azure primary + us.archive backup) and moved the dnsmasq/nginx install to the front so upstream resolution happens before the spoof is active.
  • Added more-specific dnsmasq server= rules for azure.archive.ubuntu.com/us.archive.ubuntu.com to avoid a self-proxy loop, and repointed archive/security spoofs at the runner's own IP.
  • Renamed the corresponding CI step from "Use azure ubuntu archive" to "Use ubuntu archive failover proxy" in both job locations.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/actions/dns-spoof-ubuntu-archive/action.yml Adds nginx reverse proxy with failover, reorders install step, repoints dnsmasq spoof to the local proxy and adds loop-prevention server= rules.
.github/workflows/ci.yml Renames the two step usages to reflect the new failover-proxy behavior (no functional/path changes).

Comment on lines +65 to +66
proxy_next_upstream_tries 2;
proxy_next_upstream_timeout 20s;
@cpuguy83 cpuguy83 marked this pull request as draft June 19, 2026 00:35
The runner spoofed archive.ubuntu.com and security.ubuntu.com to a single
azure.archive.ubuntu.com IP so container builds would use the faster azure
mirror. That mirror is now intermittently unreachable, and DNS alone can't
recover from it: apt only retries another address on a TCP connect failure,
not on timeouts or 5xx, and azure's Traffic Manager returns a single IP per
lookup, so there is no sibling to fall back to.

Point the spoof at a local nginx reverse proxy instead. It proxies to the
azure mirror first and fails over to us.archive.ubuntu.com on connect errors,
timeouts, and 5xx/429 responses, covering the failure modes DNS misses so a
flaky primary no longer breaks apt. Both mirrors serve the archive and
security pockets by path, so forwarding the original Host through one proxy
covers both names.

dnsmasq matches subdomains, which would otherwise redirect the mirror
hostnames the proxy dials back to the proxy itself; more-specific rules keep
those resolving through real DNS to avoid the loop.

Trade-off: this adds an nginx install and an extra hop on the runner, in
exchange for surviving an intermittent upstream mirror.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants