ci(apt): harden apt with retries + Azure mirror + archive fallback (#7028)

xmfcx · web-flow · commit 3f0d5c930de1 · 2026-04-17T18:27:43.000+03:00
Transient TCP timeouts to archive.ubuntu.com have intermittently failed apt installs in both the docker-new base image (during ansible's `apt install` step) and the self-hosted `setup-universe` GHA job (running on bare ubuntu:22.04 / ubuntu:24.04 containers). Apply the same two complementary reliability measures in both places, before the first apt call so the initial `apt-get update` already benefits. - `Acquire::Retries "5"` with 30s HTTP(S) timeouts via `/etc/apt/apt.conf.d/99-retries`. Survives transient TCP flakes; inherited by every downstream stage in the docker-new graph. - `mirror+file:///etc/apt/ubuntu-mirrors.list` replacing each `http://archive.ubuntu.com/ubuntu` reference in `sources.list` (classic jammy / humble base) and `sources.list.d/ubuntu.sources` (deb822 noble / jazzy base). The mirrorlist pins `azure.archive.ubuntu.com` (`priority:1`) as the primary source and `archive.ubuntu.com` (`priority:2`) as the failsafe. `priority:` annotations are load-bearing: without them `apt-transport-mirror` treats peer URLs as equal and spreads requests across them, which combined with `mirror+file://` can produce the "File has unexpected size - Mirror sync in progress?" error when InRelease and Packages.gz come from different mid-sync hosts. The annotations ensure every request hits azure first. `security.ubuntu.com` is left untouched (separate host, not mirrored on Azure). File-existence guard uses `if [ -f "$f" ]; then ...; fi` rather than `[ -f "$f" ] && sed ...`: under `sh -e` (the default for GHA `run:` steps) the `&&` chain short-circuits and returns 1 when the file doesn't exist, tripping errexit. Only one source format is present on any given Ubuntu version. Secondary throughput win: GHA runners live inside Azure's network, so azure.archive.ubuntu.com is an order of magnitude faster than the public archive.ubuntu.com. Pinning azure as primary turns the mirror list from a load-balancing pessimization into a first-win config. Signed-off-by: Mete Fatih Cırıt <mfc@autoware.org>
diff --git a/.github/workflows/setup-universe.yaml b/.github/workflows/setup-universe.yaml
@@ -29,6 +29,18 @@ jobs:
         run: |
           df -h
 
+      - name: Configure apt retries and mirror fallback
+        run: |
+          echo 'Acquire::Retries "5";' > /etc/apt/apt.conf.d/99-retries
+          echo 'Acquire::http::Timeout "30";' >> /etc/apt/apt.conf.d/99-retries
+          echo 'Acquire::https::Timeout "30";' >> /etc/apt/apt.conf.d/99-retries
+          printf 'http://azure.archive.ubuntu.com/ubuntu\tpriority:1\nhttp://archive.ubuntu.com/ubuntu\tpriority:2\n' > /etc/apt/ubuntu-mirrors.list
+          for f in /etc/apt/sources.list /etc/apt/sources.list.d/ubuntu.sources; do
+            if [ -f "$f" ]; then
+              sed -E -i 's|http://archive\.ubuntu\.com/ubuntu/?|mirror+file:///etc/apt/ubuntu-mirrors.list|g' "$f"
+            fi
+          done
+
       - name: Install dependencies
         run: |
           apt-get update
diff --git a/docker-new/base.Dockerfile b/docker-new/base.Dockerfile
@@ -10,7 +10,16 @@ ARG USERNAME=aw
 RUN rm -f /etc/apt/apt.conf.d/docker-clean && \
     echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache && \
     echo 'APT::Install-Recommends "false";' > /etc/apt/apt.conf.d/99-no-recommends && \
-    echo 'APT::Install-Suggests "false";' >> /etc/apt/apt.conf.d/99-no-recommends
+    echo 'APT::Install-Suggests "false";' >> /etc/apt/apt.conf.d/99-no-recommends && \
+    echo 'Acquire::Retries "5";' > /etc/apt/apt.conf.d/99-retries && \
+    echo 'Acquire::http::Timeout "30";' >> /etc/apt/apt.conf.d/99-retries && \
+    echo 'Acquire::https::Timeout "30";' >> /etc/apt/apt.conf.d/99-retries && \
+    printf 'http://azure.archive.ubuntu.com/ubuntu\tpriority:1\nhttp://archive.ubuntu.com/ubuntu\tpriority:2\n' > /etc/apt/ubuntu-mirrors.list && \
+    for f in /etc/apt/sources.list /etc/apt/sources.list.d/ubuntu.sources; do \
+      if [ -f "$f" ]; then \
+        sed -E -i 's|http://archive\.ubuntu\.com/ubuntu/?|mirror+file:///etc/apt/ubuntu-mirrors.list|g' "$f"; \
+      fi; \
+    done
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
     apt-get update && \
