CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-02 03:35:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix(ci): use HTTP for Hetzner apt mirror (base image lacks ca-certificates)

Browse Source 
Previous commit switched to https://mirror.hetzner.com/... which proved the
mirror is reachable and routes correctly (no more 90s timeouts), but exposed
a chicken-and-egg: ubuntu:24.04 ships without ca-certificates, and that's
exactly the package we're installing. Result: "No system certificates
available. Try installing ca-certificates."

Fix: use http:// for the Hetzner mirror. Apt's security model verifies
package integrity via GPG-signed Release files, not TLS, so HTTP here is
no weaker than the upstream defaults (Ubuntu's official sources also
default to HTTP for the same reason).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-04-17 14:44:46 +08:00
parent 5b3588493d
commit 8e51fafb3a
1 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/docker/Dockerfile.ci
+8 -3
View File
@@ -4,15 +4,20 @@ FROM ubuntu:24.04
ENV DEBIAN_FRONTEND=noninteractive
# Switch apt sources to Hetzner's public mirror over HTTPS.
# Switch apt sources to Hetzner's public mirror.
# Ubicloud runners (Hetzner FSN1-DC21) hit reliable connection timeouts to
# archive.ubuntu.com:80 — observed 90+ second outages on multiple builds.
# Hetzner's mirror is publicly accessible from any cloud and route-local for
# Ubicloud, so this fixes both reliability and latency. Ubuntu 24.04 uses
# the deb822 sources format at /etc/apt/sources.list.d/ubuntu.sources.
#
# Using HTTP (not HTTPS) intentionally: the base ubuntu:24.04 image ships
# without ca-certificates, so HTTPS apt fails with "No system certificates
# available." Apt's security model verifies via GPG-signed Release files,
# not TLS, so HTTP here is no weaker than the upstream defaults.
RUN sed -i \
-e 's|http://archive.ubuntu.com/ubuntu|https://mirror.hetzner.com/ubuntu/packages|g' \
-e 's|http://security.ubuntu.com/ubuntu|https://mirror.hetzner.com/ubuntu/packages|g' \
-e 's|http://archive.ubuntu.com/ubuntu|http://mirror.hetzner.com/ubuntu/packages|g' \
-e 's|http://security.ubuntu.com/ubuntu|http://mirror.hetzner.com/ubuntu/packages|g' \
/etc/apt/sources.list.d/ubuntu.sources
# System deps (retry apt-get update — even Hetzner can blip occasionally)