Over the past couple of days we’re seeing a large number of build jobs fail with messages like:
E: Failed to fetch http://security.ubuntu.com/ubuntu/pool/main/libw/libwebp/libwebp6_0.6.1-2ubuntu0.20.04.2_amd64.deb Connection failed [IP: 185.125.190.36 80]
or:
E: Failed to fetch http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd-sysv_249.11-0ubuntu3.9_amd64.deb Could not connect to archive.ubuntu.com:80 (91.189.91.38), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.91.39), connection timed out Could not connect to archive.ubuntu.com:80 (185.125.190.36), connection timed out Could not connect to archive.ubuntu.com:80 (185.125.190.39), connection timed out
Sometimes a retry will fix it. Sometimes multiple retries.
Images where we’ve encountered these include cimg/node:16.13.2, cimg/node:16.18.1-browsers. I can see at least the newer one is using apt 2.4.8, and I understand apt 2.3.2 and newer already use 3 retries by default.
Does anyone have experience with this? It seems to mainly affect CircleCI jobs: when we try the same commands locally, they work, but are likely hitting different mirrors, or taking different routes.
We are seeing this today with URLs like: http://archive.ubuntu.com/ubuntu/pool/universe/n/node-get-stream/node-get-stream_6.0.1-1_all.deb
The URLs resolve fine locally but are failing in our CircleCI builds. Archive domain on Ubuntu’s status page does not show any active issues at the time we are experiencing this. https://status.canonical.com/
It seems like a network issue? Also seeing what looks like 3 retries in our logs based on Ign prefix lines.
We’re also seeing this variant (403s rather than timeouts), preceded by a warning about a legacy key used by apt-key:
W: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
E: Failed to fetch http://archive.ubuntu.com/ubuntu/pool/main/p/python-roman/python3-roman_3.3-1_all.deb 403 Forbidden [IP: 185.125.190.82 80]
...
This is out of my wheelhouse but wanted to share the additional context in case it’s helpful.
Get:1 https://download.docker.com/linux/ubuntu jammy InRelease [48.8 kB]
Get:2 https://download.docker.com/linux/ubuntu jammy/stable amd64 Packages [60.7 kB]
Get:3 https://packagecloud.io/github/git-lfs/ubuntu jammy InRelease [29.2 kB]
Ign:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:5 http://archive.ubuntu.com/ubuntu jammy InRelease
Ign:6 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:7 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:8 https://ppa.launchpadcontent.net/git-core/ppa/ubuntu jammy InRelease [24.6 kB]
Get:9 https://packagecloud.io/github/git-lfs/ubuntu jammy/main amd64 Packages [2,213 B]
Get:10 https://ppa.launchpadcontent.net/git-core/ppa/ubuntu jammy/main amd64 Packages [4,109 B]
Ign:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:5 http://archive.ubuntu.com/ubuntu jammy InRelease
Ign:6 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:7 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:5 http://archive.ubuntu.com/ubuntu jammy InRelease
Ign:6 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:7 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Err:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
Could not connect to security.ubuntu.com:80 (185.125.190.82). - connect (111: Connection refused) Could not connect to security.ubuntu.com:80 (185.125.190.83). - connect (111: Connection refused) Could not connect to security.ubuntu.com:80 (185.125.190.81). - connect (111: Connection refused) Could not connect to security.ubuntu.com:80 (185.125.190.36). - connect (111: Connection refused) Could not connect to security.ubuntu.com:80 (185.125.190.39). - connect (111: Connection refused)
Err:5 http://archive.ubuntu.com/ubuntu jammy InRelease
Could not connect to archive.ubuntu.com:80 (185.125.190.82). - connect (111: Connection refused) Could not connect to archive.ubuntu.com:80 (185.125.190.81). - connect (111: Connection refused) Could not connect to archive.ubuntu.com:80 (185.125.190.36). - connect (111: Connection refused) Could not connect to archive.ubuntu.com:80 (185.125.190.83). - connect (111: Connection refused) Could not connect to archive.ubuntu.com:80 (185.125.190.39). - connect (111: Connection refused)
Err:6 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Unable to connect to archive.ubuntu.com:http:
Err:7 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Unable to connect to archive.ubuntu.com:http:
Fetched 170 kB in 7s (22.9 kB/s)
Reading package lists... Done
W: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease Could not connect to archive.ubuntu.com:80 (185.125.190.82). - connect (111: Connection refused) Could not connect to archive.ubuntu.com:80 (185.125.190.81). - connect (111: Connection refused) Could not connect to archive.ubuntu.com:80 (185.125.190.36). - connect (111: Connection refused) Could not connect to archive.ubuntu.com:80 (185.125.190.83). - connect (111: Connection refused) Could not connect to archive.ubuntu.com:80 (185.125.190.39). - connect (111: Connection refused)
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease Unable to connect to archive.ubuntu.com:http:
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease Unable to connect to archive.ubuntu.com:http:
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease Could not connect to security.ubuntu.com:80 (185.125.190.82). - connect (111: Connection refused) Could not connect to security.ubuntu.com:80 (185.125.190.83). - connect (111: Connection refused) Could not connect to security.ubuntu.com:80 (185.125.190.81). - connect (111: Connection refused) Could not connect to security.ubuntu.com:80 (185.125.190.36). - connect (111: Connection refused) Could not connect to security.ubuntu.com:80 (185.125.190.39). - connect (111: Connection refused)
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package libjpeg-dev
E: Unable to locate package libpng-dev
E: Unable to locate package libgl-dev
E: Unable to locate package libxi-dev
Exited with code exit status 100
We still had some instability when it picked a bad mirror from that US.txt mirrors file so we also used a retry function like the following:
function retry_command() {
    local retries="$1"
    local command="$2"
    local options="$-" # Get the current "set" options
    # Disable set -e
    if [[ $options == *e* ]]; then
        set +e
    fi
    # Run the command, and save the exit code
    $command
    local exit_code=$?
    # restore initial options
    if [[ $options == *e* ]]; then
        set -e
    fi
    # If the exit code is non-zero (i.e. command failed), and we have not
    # reached the maximum number of retries, run the command again
    if [[ $exit_code -ne 0 && $retries -gt 0 ]]; then
        retry_command $(($retries - 1)) "$command"
    else
        # Return the exit code from the command
        return $exit_code
    fi
}
It still happens for us off and on but the retries usually catch it. Sometimes one of the mirrors will hang and cause the “context deadline exceeded” error in CircleCI.
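A variant of the retry helper for the hanging-mirror case described above, as an added example that is not part of the original posts: each attempt runs under a time limit so a stalled connection fails fast and is retried with backoff instead of running into the job deadline. The function name `retry_with_timeout` and the limits in the usage comment are illustrative; it relies on the coreutils `timeout` command and takes the command as separate arguments rather than one string.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): retry with a per-attempt time limit.
#
# retry_with_timeout <attempts> <seconds-per-attempt> <first-delay> <cmd> [args...]
#
# Usage in a CI step (illustrative values):
#   retry_with_timeout 4 120 5 sudo apt-get update --error-on=any
# Without --error-on=any, `apt-get update` exits 0 when it prints
# "Some index files failed to download", so a retry wrapper never triggers
# and the failure only surfaces later as "Unable to locate package".
retry_with_timeout() {
    local attempts="$1" limit="$2" delay="$3" try=1 rc=0
    shift 3
    while [ "$try" -le "$attempts" ]; do
        # Running the command as an `if` condition keeps an active `set -e`
        # from aborting the script on a failed attempt.
        # `timeout` sends TERM after $limit seconds, then KILL 5 s later.
        if timeout -k 5 "$limit" "$@"; then
            return 0
        else
            rc=$?
        fi
        if [ "$rc" -eq 124 ]; then
            # 124 is timeout's exit status when the time limit was hit.
            echo "attempt $try/$attempts: timed out after ${limit}s: $*" >&2
        else
            echo "attempt $try/$attempts: exit status $rc: $*" >&2
        fi
        if [ "$try" -lt "$attempts" ]; then
            sleep "$delay"
            delay=$((delay * 2))   # back off before trying the mirrors again
        fi
        try=$((try + 1))
    done
    # All attempts failed: report the last attempt's exit status.
    return "$rc"
}
```

Because `timeout` executes a program, the wrapped command has to be an executable such as `apt-get`, not a shell function.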