cloudfoundry · selzoc · May 1, 2026 · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026
diff --git a/bosh-stemcell/lib/bosh/stemcell/builder_options.rb b/bosh-stemcell/lib/bosh/stemcell/builder_options.rb
@@ -61,7 +61,7 @@ def ovf_options
     def environment_variables
       {
         "UBUNTU_ISO" => environment["UBUNTU_ISO"],
-        "UBUNTU_MIRROR" => environment["UBUNTU_MIRROR"],
+        "UBUNTU_DEBOOTSTRAP_MIRROR" => environment["UBUNTU_DEBOOTSTRAP_MIRROR"],
         "UBUNTU_ADVANTAGE_TOKEN" => environment["UBUNTU_ADVANTAGE_TOKEN"],
         "UBUNTU_FIPS_USE_IAAS_KERNEL" => environment["UBUNTU_FIPS_USE_IAAS_KERNEL"]
       }

diff --git a/bosh-stemcell/spec/bosh/stemcell/builder_options_spec.rb b/bosh-stemcell/spec/bosh/stemcell/builder_options_spec.rb
@@ -64,7 +64,7 @@ def self.it_sets_correct_environment_variables
           let(:env) do
             {
               "UBUNTU_ISO" => "fake_ubuntu_iso",
-              "UBUNTU_MIRROR" => "fake_ubuntu_mirror",
+              "UBUNTU_DEBOOTSTRAP_MIRROR" => "fake_ubuntu_mirror",
               "RUBY_BIN" => "fake_ruby_bin"
             }
           end
@@ -76,7 +76,7 @@ def self.it_sets_correct_environment_variables
             expect(result["stemcell_infrastructure"]).to eq(infrastructure.name)
             expect(result["stemcell_hypervisor"]).to eq(infrastructure.hypervisor)
             expect(result["UBUNTU_ISO"]).to eq("fake_ubuntu_iso")
-            expect(result["UBUNTU_MIRROR"]).to eq("fake_ubuntu_mirror")
+            expect(result["UBUNTU_DEBOOTSTRAP_MIRROR"]).to eq("fake_ubuntu_mirror")
             expect(result["ruby_bin"]).to eq("fake_ruby_bin")
             expect(result["image_create_disk_size"]).to eq(default_disk_size)
             expect(result["os_image_tgz"]).to eq("fake/os_image.tgz")

diff --git a/bosh-stemcell/spec/support/os_image_linux_kernel_modules_shared_examples.rb b/bosh-stemcell/spec/support/os_image_linux_kernel_modules_shared_examples.rb
@@ -83,4 +83,10 @@
       its(:content) { should match "install floppy /bin/true" }
     end
   end
+
+  context "prevent algif_aead module from being loaded" do
+    describe file("/etc/modprobe.d/blacklist.conf") do
+      its(:content) { should match "install algif_aead /bin/true" }
+    end
+  end
 end
diff --git a/ci/pipelines/builder.yml b/ci/pipelines/builder.yml
@@ -248,6 +248,7 @@ jobs:
     params:
       OPERATING_SYSTEM_NAME: ubuntu
       OPERATING_SYSTEM_VERSION: (@= data.values.stemcell_details.os_short_name @)
+      UBUNTU_DEBOOTSTRAP_MIRROR: http://mirrors.edge.kernel.org/ubuntu
     privileged: true
     vars:
       image_os_tag: (@= data.values.stemcell_details.os_short_name @)

diff --git a/ci/tasks/os-images/build.yml b/ci/tasks/os-images/build.yml
@@ -19,3 +19,4 @@ params:
   OPERATING_SYSTEM_VERSION:   replace-me
   ESM_TOKEN:
   UBUNTU_ADVANTAGE_TOKEN:
+  UBUNTU_DEBOOTSTRAP_MIRROR:
diff --git a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
@@ -1,22 +1,22 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
   <file name="ubuntu-jammy.tgz">
-    <hash type="sha-512">4d63eb6d8d7eba07628372c969bfdf3a778a66ef77e85616a84f900c603dc53c63c314bb2ded2e073f81e5243507fb3d58ad8f9d84fde0e16bc01f6d2221c616</hash>
-    <hash type="sha-256">8bf6a4b8a98d71b4c26f41ce4b8622c939de05d82dabdd0ea8e03d44de843db6</hash>
-    <hash type="sha-1">d21ab0b19c1a3f52bb7e348b69b28663ee676503</hash>
-    <hash type="md5">f0210c187eb07d66f8ea31f796a4aa76</hash>
-    <size>434793371</size>
+    <hash type="sha-512">68d2f0ac85cd492f6c7e23dcac164721d735ae394025a1331bec7e2167cd658bc15fe229af0f2b9eb957519a1a804859b3f2b89faf48542b8dfa6cc6324991c1</hash>
+    <hash type="sha-256">56ba95d41f6984503e9ca04f104e7c0b358653b72ba1650b7967c608d5a15f16</hash>
+    <hash type="sha-1">4c863bb345840c4c2686400fdd233321fdbfbc6e</hash>
+    <hash type="md5">e3bd1cf7e2dc5f37cdf8ede1600ae642</hash>
+    <size>434854192</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/ubuntu-jammy.tgz</url>
-    <version>1043.0.0</version>
+    <version>1046.0.0</version>
   </file>
   <file name="usn-log.json">
-    <hash type="sha-512">ca3e99837fae81c10f5522a623fab715b1e430f7895b1f202bae32ccfe3a6f80ad79cffcbd789adcf099de7b00f7cc8c31ebbb3aeb5c0e13aa7decea88bc1559</hash>
-    <hash type="sha-256">d12b345d3cf6c8127c05e8f702efd18966bf59378830efc14cef784a5248a88e</hash>
-    <hash type="sha-1">ade2522e3d639fff8df5117dea1870b605ed52a6</hash>
-    <hash type="md5">6c72c53f5bb8d8d05dd9b377f3beb937</hash>
-    <size>869</size>
+    <hash type="sha-512">dfdcf7bff8522d3dd4aa5a1dc46cb68dff60bc961fb78d98326625a9e35049dbbd257e9d70212cabee076366d4b899071395f114139d1a4ec89aabe7cc741051</hash>
+    <hash type="sha-256">4fad258c0f94d5ad1c9f7bfa3e588d62ce7077b2f4d524021d79667a29c191dc</hash>
+    <hash type="sha-1">b008c5d31a9edd422fcd78f97a17222bdba30f05</hash>
+    <hash type="md5">e777c9f1cf0d6ee4797c2f93edd551d3</hash>
+    <size>2246</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/usn-log.json</url>
-    <version>1043.0.0</version>
+    <version>1046.0.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-04-24T23:46:02.968990444Z</published>
+  <published>2026-04-30T22:35:40.051014265Z</published>
 </metalink>
diff --git a/stemcell_builder/lib/prelude_apply.bash b/stemcell_builder/lib/prelude_apply.bash
@@ -22,16 +22,23 @@ fi
 # Mark /opt/bosh as a safe git repo to avoid "fatal: unsafe repository ('/opt/bosh' is owned by someone else)"
 git config --global --add safe.directory /opt/bosh
 
+# Apt retry / timeout options applied to every apt-get invocation during the
+# build. Passed via -o so nothing leaks into the resulting OS image, and so
+# that flaky upstream mirrors (notably snapshot.ubuntu.com) don't take down
+# multi-hour builds on a single transient 503. Acquire::Retries::Delay=true
+# enables exponential backoff (apt >= 2.0).
+APT_RETRY_OPTS='-o Acquire::Retries=10 -o Acquire::Retries::Delay=true -o Acquire::http::Timeout=120 -o Acquire::https::Timeout=120'
+
 function pkg_mgr {
-  run_in_chroot $chroot "apt-get update"
-  run_in_chroot $chroot "export DEBIAN_FRONTEND=noninteractive; apt-get --fix-broken --no-install-recommends --assume-yes $*"
+  run_in_chroot $chroot "apt-get $APT_RETRY_OPTS update"
+  run_in_chroot $chroot "export DEBIAN_FRONTEND=noninteractive; apt-get $APT_RETRY_OPTS --fix-broken --no-install-recommends --assume-yes $*"
   run_in_chroot $chroot "apt-get clean"
 }
 
 # checks if an OS package with the given name exists in the current database of available packages.
 # returns 0 if package exists (whether or not is is installed); 1 otherwise
 function pkg_exists {
-  run_in_chroot $chroot "apt-get update"
+  run_in_chroot $chroot "apt-get $APT_RETRY_OPTS update"
   result=`run_in_chroot $chroot "if apt-cache show $1 2>/dev/null >/dev/null; then echo exists; else echo does not exist; fi"`
   if [[ "$result" == *"exists"* ]]; then
     return 0

diff --git a/stemcell_builder/lib/prelude_fips.bash b/stemcell_builder/lib/prelude_fips.bash
@@ -22,7 +22,7 @@ fi
 function ua_attach() {
     echo "Setting up Ubuntu Advantage ..."
 
-    DEBIAN_FRONTEND=noninteractive run_in_chroot ${chroot} "apt-get install --assume-yes ubuntu-pro-client"
+    DEBIAN_FRONTEND=noninteractive run_in_chroot ${chroot} "apt-get $APT_RETRY_OPTS install --assume-yes ubuntu-pro-client"
 
     run_in_chroot ${chroot} "ua attach --no-auto-enable ${UBUNTU_ADVANTAGE_TOKEN}"
 }
@@ -117,7 +117,7 @@ PSUEDO_GRUB_PROBE
 
 function mock_grub_probe() {
     # make sure /usr/sbin/grub-probe is installed in the chroot
-    DEBIAN_FRONTEND=noninteractive run_in_chroot ${chroot} "apt-get install --assume-yes grub-common"
+    DEBIAN_FRONTEND=noninteractive run_in_chroot ${chroot} "apt-get $APT_RETRY_OPTS install --assume-yes grub-common"
     gprobe="${chroot}/usr/sbin/grub-probe"
     if [ -f "${gprobe}" ]; then
         mv "${gprobe}" "${gprobe}.dist"

diff --git a/stemcell_builder/stages/base_debootstrap/apply.sh b/stemcell_builder/stages/base_debootstrap/apply.sh
@@ -76,7 +76,7 @@ cleanup_debootstrap() {
 }
 trap cleanup_debootstrap EXIT
 
-debootstrap --arch="$base_debootstrap_arch" "$base_debootstrap_suite" "$chroot" ""
+debootstrap --arch="$base_debootstrap_arch" "$base_debootstrap_suite" "$chroot" "${UBUNTU_DEBOOTSTRAP_MIRROR:-}"
 
 cleanup_debootstrap
 trap - EXIT

diff --git a/stemcell_builder/stages/base_debootstrap/config.sh b/stemcell_builder/stages/base_debootstrap/config.sh
@@ -13,9 +13,9 @@ then
   persist UBUNTU_ISO
 fi
 
-if [ ! -z "${UBUNTU_MIRROR:-}" ]
+if [ ! -z "${UBUNTU_DEBOOTSTRAP_MIRROR:-}" ]
 then
-  persist UBUNTU_MIRROR
+  persist UBUNTU_DEBOOTSTRAP_MIRROR
 fi
 
 base_debootstrap_arch=amd64

diff --git a/stemcell_builder/stages/system_kernel_modules/apply.sh b/stemcell_builder/stages/system_kernel_modules/apply.sh
@@ -19,7 +19,8 @@ install hfsplus /bin/true
 install squashfs /bin/true
 install udf /bin/true
 install rds /bin/true
-install floppy /bin/true' >> $chroot/etc/modprobe.d/blacklist.conf
+install floppy /bin/true
+install algif_aead /bin/true' >> $chroot/etc/modprobe.d/blacklist.conf
 
 echo '# prevent nouveau from loading
 blacklist nouveau