git.stella-ops.org/docs/modules/concelier/operations/connectors/ubuntu.md
master 607ce619fe feat(concelier): multi-sprint batch (mirror domain + advisory sources + durable runtime + credentials)
Bundled commit covering pre-session work from multiple Concelier sprints
already archived or in-flight:
- SPRINT_20260419_006: mirror domain / source key validation
- SPRINT_20260419_029 / 030: durable jobs orchestrator runtime + endpoint verification
- SPRINT_20260421_001: advisory source projection truthful counts
- SPRINT_20260421_002: FE advisory source consistency (connector-side bits)
- SPRINT_20260421_003: advisory connector runtime alignment
- SPRINT_20260422_003: source credential entry paths (in-flight)

Includes connector internals (ACSC / Adobe / CERT-BUND / Chromium / Cisco /
CVE-KEV / GHSA / JVN / KISA / MSRC / Oracle / Ubuntu), source management
endpoints, mirror domain management, federation endpoints, topology setup,
job registration, and associated dossier updates under
docs/modules/concelier/.

This commit groups ~229 file changes that accumulated across the above
sprints; individual changes are preserved at file granularity so blame
remains useful.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 16:05:53 +03:00


Concelier Ubuntu USN Connector - Operations Runbook

Last updated: 2026-04-21

1. Overview

The Concelier Ubuntu connector ingests Ubuntu Security Notices (USN) and maps advisories to Ubuntu package versions.

The same public notice feed also backs the default Excititor VEX mirror bootstrap. Ubuntu does not currently publish native CSAF for this path, so Excititor synthesizes deterministic CSAF documents from the notice JSON while preserving the upstream source URI in metadata.

2. Authentication

  • No authentication required for public feeds.

3. Configuration (concelier.yaml)

concelier:
  sources:
    ubuntu:
      baseUri: "<ubuntu-usn-base>"
      maxDocumentsPerFetch: 20
      fetchTimeout: "00:00:45"
      requestDelay: "00:00:00"

4. Excititor default public VEX bootstrap

  • Index URI: https://ubuntu.com/security/notices.json
  • Notice detail base URI: https://ubuntu.com/security/notices/
  • Default page size: 20
  • Default max notices per fetch: 60
  • Default resume overlap: 3.00:00:00

Operational guidance:

  • Keep the small page size and bounded fetch count unless Canonical publishes a stronger bulk-ingest contract. This avoids burst-fetching the full notice history during mirror bootstrap.
  • Keep the resume overlap enabled so the mirror rechecks recently updated notices without needing a full backfill.
  • Mirror both the paged notices.json index responses and the per-notice USN-xxxx-x.json documents for offline kits.
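A sketch of the bounded, overlap-aware fetch plan described above, together with a check that every planned notice has its per-notice document in the mirror. This is an added example, not Excititor's own code. It assumes the index is served newest first, that each entry carries `id` and `published` fields, and that `3.00:00:00` is a .NET-style `d.hh:mm:ss` span; all function names and the sample notices are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Runbook defaults for the Excititor bootstrap (section 4).
PAGE_SIZE, MAX_NOTICES, RESUME_OVERLAP = 20, 60, "3.00:00:00"

def parse_timespan(text):
    """Parse '[d.]hh:mm:ss' (assumed .NET TimeSpan form, whole seconds only)."""
    days, _, clock = text.rpartition(".")
    hours, minutes, seconds = (int(part) for part in clock.split(":"))
    return timedelta(days=int(days or 0), hours=hours, minutes=minutes, seconds=seconds)

def plan_fetch(fetch_page, cursor, overlap=RESUME_OVERLAP,
               page_size=PAGE_SIZE, max_notices=MAX_NOTICES):
    """Ids to (re)fetch this run: notices at or after cursor - overlap,
    newest first, stopping at max_notices so a bootstrap never bursts."""
    floor = cursor - parse_timespan(overlap)
    planned, offset = [], 0
    while len(planned) < max_notices:
        page = fetch_page(offset, page_size)  # one paged index response
        if not page:
            break
        for notice in page:
            # 'published' and 'id' are assumed field names, not confirmed by the page.
            if datetime.fromisoformat(notice["published"]) < floor:
                return planned  # older than the overlap window: stop paging
            planned.append(notice["id"])
            if len(planned) == max_notices:
                return planned
        offset += page_size
    return planned

def missing_details(planned_ids, mirrored_names):
    """Ids listed by the index whose per-notice JSON is not in the mirror yet."""
    return [nid for nid in planned_ids if f"{nid}.json" not in mirrored_names]

def constructed_index(count, step_hours):
    """Constructed sample index, newest first; ids and timestamps are made up."""
    newest = datetime(2026, 4, 20, tzinfo=timezone.utc)
    return [{"id": f"USN-{9000 + count - n}-1",
             "published": (newest - timedelta(hours=n * step_hours)).isoformat()}
            for n in range(count)]

def pager(index):
    """Stand-in for the paged notices.json request (offline, no network)."""
    return lambda offset, limit: index[offset:offset + limit]

if __name__ == "__main__":
    cursor = datetime(2026, 4, 18, tzinfo=timezone.utc)
    ids = plan_fetch(pager(constructed_index(100, 6)), cursor)
    mirrored = {f"{nid}.json" for nid in ids[2:]}  # two newest details lag behind
    print(len(ids), missing_details(ids, mirrored))
```

A non-empty result from `missing_details` is the "per-notice JSON lagging behind the index" condition listed under common failure modes; the overlap window is what lets the next run pick those notices up again.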

5. Offline and air-gapped deployments

  • Mirror USN feeds into the Offline Kit and repoint baseUri to the mirror for advisory ingestion.
  • For Excititor mirror bootstrap, mirror the notices.json index plus the per-notice JSON documents under the same path layout so synthesized CSAF documents remain deterministic.

6. Common failure modes

  • USN schema updates or missing release references.
  • Per-notice JSON documents lagging behind the index update window.
  • Overly aggressive page sizes or fetch counts causing avoidable upstream pressure during first-run bootstrap.