-
Notifications
You must be signed in to change notification settings - Fork 831
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
On FreeBSD 13 password is not set after initial reboot with "set-passwords, always" on CloudStack Datasource #4231
Comments
This is not how the the module is designed to work, so I'm not sure where this expectation came from. This module only sets passwords statically and doesn't involve the IMDS. Documentation for the module is available at https://cloudinit.readthedocs.io/en/latest/reference/modules.html#set-passwords . Given this, I'm going to close this, but feel free to re-open or comment if I have misunderstood something. |
This is a bit confusing for me, since the documentation for Cloudstack directly refers to this module setting the passwords every boot: https://docs.cloudstack.apache.org/en/latest/adminguide/templates/_cloud_init.html#linux-with-cloud-init Also, it clearly sets it on the first boot, so something is taking the password from metadata in the Cloudstack data source. |
@loth , sorry for the misunderstanding and thanks for the additional info. It looks like this is a feature specific to CloudStack and implemented entirely within in the CloudStack datasource. Does it work if you change If that doesn't work, please attach |
Logs are already in the OP, but I will try your suggestion |
Booted into my existing template with [ set-passwords, always ], logged in with the generated password, changed to [ set_passwords, always ]. Shut down VM, Issued password reset, started VM. Still had the original root password. Log attached. |
@loth in the updated cloud-logs I see |
I've been digging into this for a couple days now and found a few things.
I have found the reason for (2) is because of two things: So basically, the password reset function that has been working for me is actually due to the firstboot scripts running every time because it cannot read the existence of the cache. FreeBSD can read the cache and it works properly but no longer runs the password get functions. |
So this is partially related to #4180 |
I'd say so, changing to the ephemeral run directory would make it more aligned to the Linux way. I've confirmed setting the path to
now whether we should be calling |
Can confirm that the above works on With this variable as # /usr/local/lib/python3.9/site-packages/cloud_init-23.3-py3.9.egg/cloudinit/helpers.py
self.run_dir: str = path_cfgs.get("run_dir", "/run/cloud-init") But once the #/usr/local/lib/python3.9/site-packages/cloud_init-23.3-py3.9.egg/cloudinit/helpers.py
self.run_dir: str = path_cfgs.get("run_dir", "/var/run/cloud-init") it works perfectly fine. Unfortunately it takes 2 reboots in a row, or logging in over the serial console/VNC and restarting the networking service to update the IP address. I guess it has more to do with how static IP and |
By default, in Linux, we expect for most datasources to see check_instance_id == False which generates the log message I think awaiting a Fix for BSD ephemeral treatment of
I think we want the "cache invalid" log behavior which triggers _get_data again to refresh your passwords from metadata per boot. But, I' not sure what you mean by running firstboot executions every boot. Do you have the updated cloud-init.log here indicating that? Let's peek at cloud-init.log for "previous iid" logs. I expect we should be seeing only one
the
I'm understanding it from the log snippets you provided that the _get_data function is called to updated metadata every boot because of the "Invalid cache" value which tells cloud-init "don't trust your local metadata cache, you should _get_data and compare latest metadsata to obtain instance-id information". It seems like our fix here is to await a fix for #4180 on BSD which should resolve the non-ephemeral nature of /run on BSD by targeting and ephemeral |
On *BSD, `/run` is not ephemeral, but the way cloud-init behaves, it expects it to be. This is hack is partial fix for canonicalGH-4180 / canonicalGH-4231. But to be good Unix citizens, we should still make /run relocatable in the code and in the installer. Sponsored by: The FreeBSD Foundation Fixes canonicalGH-4180 Fixes canonicalGH-4231
On *BSD, `/run` is not ephemeral, but the way cloud-init behaves, it expects it to be. This is hack is partial fix for canonicalGH-4180 / canonicalGH-4231. But to be good Unix citizens, we should still make /run relocatable in the code and in the installer. Sponsored by: The FreeBSD Foundation Fixes canonicalGH-4180 Fixes canonicalGH-4231
on BSD, /run is not ephemeral. relocate BSDs config to /var/run Sponsored by: The FreeBSD Foundation Fixes canonicalGH-4180 Fixes canonicalGH-4231
on BSD, /run is not ephemeral. relocate BSDs config to /var/run Sponsored by: The FreeBSD Foundation Fixes canonicalGH-4180 Fixes canonicalGH-4231 Co-authored-by: Brett Holman <brett.holman@canonical.com>
on BSD, /run is not ephemeral. relocate BSDs config to /var/run Sponsored by: The FreeBSD Foundation Fixes canonicalGH-4180 Fixes canonicalGH-4231 Co-authored-by: Brett Holman <brett.holman@canonical.com>
on BSD, /run is not ephemeral. relocate BSDs config to /var/run Sponsored by: The FreeBSD Foundation Fixes canonicalGH-4180 Fixes canonicalGH-4231
on BSD, /run is not ephemeral. relocate BSDs config to /var/run Sponsored by: The FreeBSD Foundation Fixes canonicalGH-4180 Fixes canonicalGH-4231
on BSD, /run is not ephemeral. relocate BSDs config to /var/run Sponsored by: The FreeBSD Foundation Fixes canonicalGH-4180 Fixes canonicalGH-4231
on BSD, /run is not ephemeral. relocate BSDs config to /var/run Sponsored by: The FreeBSD Foundation Fixes canonicalGH-4180 Fixes canonicalGH-4231
Bug report
If set-passwords, always is configured, it is expected that cloud-init will retrieve the new password from the metadata server on boot and set it, however it seems to set the same password over again without retrieving the new one.
Steps to reproduce the problem
Start FreeBSD 13 instance with cloud-init
Configure cloud-init to use the "root" user and " - [ set-passwords, always ]"
After initial boot, test and save password
Stop instance in cloudstack
Reset password in cloudstack
Start instance
New password given from cloudstack will not work
Environment details
cloud-init logs
cloud-init.tar.gz
The text was updated successfully, but these errors were encountered: