GCE cloudinit and ubuntu keys from metadata to ubuntu authorized_keys #3208
Comments
|
Launchpad user Shane Peters(shaner) wrote on 2018-08-06T20:50:20.625111+00:00 Launchpad attachments: lp-1781039-gce-datasource-update.patch |
|
Launchpad user Shane Peters(shaner) wrote on 2018-08-06T20:55:39.256855+00:00 I've tested a "first boot" scenario using a customised image with this patched cloud-init and it works as expected (you can see both cloudinit and ubuntu keys above the 'Added by google' comment). $ cat googlekeys USING CUSTOM IMAGE WITH UPGRADED CLOUD-INIT############################################# Added by Googlessh-rsa AAAAB....65Otq/ shaner@ubuntu USING EXISTING IMAGE################################ $ ssh ubuntu@${IP} cat .ssh/authorized_keys Added by Googlessh-rsa AAAAB.....z65Otq/ shaner@ubuntu $ scp cloud-init_0.7.5-0ubuntu1.23_all.deb ubuntu@${IP}:~/ Added by Googlessh-rsa AAAAB....65Otq/ shaner@ubuntu You'll notice in this second example, the 'ubuntu' key from my googlekeys file isn't added on top like you would expect if the image had an upgraded cloud-init. This is because the code is duplicate checking and won't add a key if it already exists. |
|
Launchpad user Scott Moser(smoser) wrote on 2018-08-07T14:29:04.997617+00:00 Hi Shane, please feel free to ping me if what i'm asking isn't clear. Scott. |
|
Launchpad user Scott Moser(smoser) wrote on 2018-08-07T14:30:42.469362+00:00 Bah. similar to described in Also, you will need to do the change as a "quilt 3.0" format... |
|
Launchpad user Shane Peters(shaner) wrote on 2018-08-07T16:08:00.000679+00:00 Hi Scott, |
|
Launchpad user Scott Moser(smoser) wrote on 2018-09-10T22:25:49.536502+00:00 uploaded. 0.7.5-0ubuntu1.23 Thanks Shane. |
|
Launchpad user Robie Basak(racb) wrote on 2018-09-12T11:38:22.327428+00:00 12:36 smoser: could you add SRU information to bug 1781039 please? 12:36 smoser: in particular Regression Potential. Looks like the entire cloudinit/sources/DataSourceGCE.py file has been rewritten or wholesale backported? Or are you intending to follow the full process documented at https://wiki.ubuntu.com/CloudinitUpdates? |
|
Launchpad user Scott Moser(smoser) wrote on 2018-09-12T12:56:07.559341+00:00 Shane, https://wiki.ubuntu.com/StableReleaseUpdates Thanks. |
|
Launchpad user Shane Peters(shaner) wrote on 2018-09-12T19:47:08.735220+00:00 Updated SRU template. Let me know if there's anything I'm missing. |
|
Launchpad user Brian Murray(brian-murray) wrote on 2018-09-27T19:04:03.521077+00:00 Hello Shane, or anyone else affected, Accepted cloud-init into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.5-0ubuntu1.23 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. |
|
Launchpad user David Coronel(davecore) wrote on 2018-10-24T15:20:27.306365+00:00 I tested the package cloud-init 0.7.5-0ubuntu1.23 from trusty-proposed and confirm it works as expected. TEST KEYS$ cat googlekeys CREATE THE INSTANCE$ gcloud compute instances create ubuntu1404cloudinittest --image-family ubuntu-1404-lts --image-project ubuntu-os-cloud --metadata-from-file=ssh-keys=googlekeys --metadata=block-project-ssh-keys=True --zone us-central1-a BEFORE THE UPDATE$ gcloud compute --project "ubuntu-os-support" ssh --zone "us-central1-a" ubuntu1404cloudinittest $ sudo cat /home/ubuntu/.ssh/authorized_keys Added by Googlessh-rsa AAAA[...]+2LRl test@example.com AFTER THE UPDATE$ sudo sh -c 'echo deb http://us-central1.gce.archive.ubuntu.com/ubuntu/ trusty-proposed main restricted universe multiverse >> /etc/apt/sources.list' $ sudo apt update $ sudo apt install cloud-init $ sudo sh -c 'cat /dev/null > /home/ubuntu/.ssh/authorized_keys' $ sudo rm -rf /var/lib/cloud/instance* $ sudo reboot $ gcloud compute --project "ubuntu-os-support" ssh --zone "us-central1-a" ubuntu1404cloudinittest $ sudo cat /home/ubuntu/.ssh/authorized_keys Added by Googlessh-rsa AAAA[...]+2LRl test@example.com cloud-init now works the same way as Ubuntu 16.04 does. Thanks! Bonus test: I tested that oslogin also works well: $ gcloud compute instances add-metadata ubuntu1404cloudinittest --metadata enable-oslogin=TRUE --zone "us-central1-a" $ gcloud compute --project "ubuntu-os-support" ssh --zone "us-central1-a" ubuntu1404cloudinittest |
|
Launchpad user Łukasz Zemczak(sil2100) wrote on 2018-10-29T09:45:24.259578+00:00 The verification of the Stable Release Update for cloud-init has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions. |
|
Launchpad user Launchpad Janitor(janitor) wrote on 2018-10-29T09:55:28.428004+00:00 This bug was fixed in the package cloud-init - 0.7.5-0ubuntu1.23 cloud-init (0.7.5-0ubuntu1.23) trusty; urgency=medium
-- Shane Peters shane.peters@canonical.com Tue, 06 Sep 2018 17:57:23 -0400 |
This bug was originally filed in Launchpad as LP: #1781039
Launchpad details
Launchpad user Shane Peters(shaner) wrote on 2018-07-10T19:21:44.235303+00:00
[Impact]
Per documentation at https://wiki.ubuntu.com/GoogleComputeEngineSSHKeys ssh keys for cloudinit and ubuntu users should both be added to the 'ubuntu' users authorized_keys file.
This works fine in Xenial (16.04) and higher, but doesn't work for Trusty (14.04).
[Test Case]
Create a file that contains ssh public keys
$ cat googlekeys
test:ssh-rsa test@example.com
ubuntu:ssh-rsa test@example.com
cloudinit:ssh-rsa test@example.com
Create an ubuntu 14.04 instance
gcloud compute instances create ubuntu1404cloudinit --image-family ubuntu-1404-lts --image-project ubuntu-os-cloud --metadata-from-file=ssh-keys=googlekeys --metadata=block-project-ssh-keys=True
Create an ubuntu 16.04 instance
gcloud compute instances create ubuntu1604cloudinit --image-family ubuntu-1604-lts --image-project ubuntu-os-cloud --metadata-from-file=ssh-keys=googlekeys --metadata=block-project-ssh-keys=True
Notice that the ubuntu user in the ubuntu 14.04 instance contains no keys from cloud-init (the keys there are added by the google daemon):
$ sudo cat /home/ubuntu/.ssh/authorized_keys
Added by Google
ssh-rsa test@example.com
However, in 16.04,
$ sudo cat /home/ubuntu/.ssh/authorized_keys
ssh-rsa test@example.com
ssh-rsa test@example.com
Added by Google
ssh-rsa test@example.com
[Regression Potential]
DatasourceGCE.py is heavily modified to fix this behavior in 14.04. That said, there is a medium amount of regression potential when using the GCE datasource. More specificallly, there is now stricter checking of the metadata source when used(platform_check=True).
Significant testing has been completed via the Google Compute platform as well as other none-GCE datasources (lxd) to confirm functionality and to test for possible regressions.
The text was updated successfully, but these errors were encountered: