group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1569237] Re: vagrant xenial box is not provided with vagrant/vagrant username and password

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Chris Glass <tribaal@xxxxxxxxx>
Date: Sat, 13 Jan 2018 08:20:14 -0000
Reply-to: Bug 1569237 <1569237@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: xenial-backports
Status: New => Fix Released

--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1569237

Title:
vagrant xenial box is not provided with vagrant/vagrant username and
password

Status in cloud-images:
Fix Released
Status in cloud-images trunk series:
Fix Released
Status in cloud-images x-series series:
Fix Released
Status in vagrant:
Invalid
Status in Xenial Backports:
Fix Released
Status in livecd-rootfs package in Ubuntu:
Fix Released
Status in livecd-rootfs source package in Xenial:
Fix Released

Bug description:
It is Vagrant convention that the default user is named "vagrant"[0],
and a whole host of scripts assume this to be the default.

The xenial box is substantially less useful to Vagrant users with the
"ubuntu" user as the default.

[0] Search for "user to SSH" in
https://www.vagrantup.com/docs/boxes/base.html.

------------

Xenial SRU:

[impact]

* An additional "vagrant" user is available in the created image once
the proposed patch is applied. The normal "ubuntu" user is also
available, and is conforming to the "ubuntu experience" (it requires
cloud-init or another mechanism to be given keys/a password).

* The vagrant boxes produced by livecd-rootfs hooks do not conform to
the vagrant community's guidelines for box creation, leading vagrant
users to use non-official (unaudited) boxes instead, where a "vagrant"
user can be found.

* A large portion of vagrant automation (3rd party tools, scripts)
rely on the presence of a "vagrant" user conforming to the above
guidelines. The official ubuntu images are ones of the very few not
conforming to the expected user layout.

* The official Ubuntu trusty image previously offered a "vagrant"
user, and that was lost or omitted when migrating xenial+ to a new
build system. This could be considered a regression, although
historical context of that change is unfortunately not available
anymore.

[test case]

From a fresh Ubuntu install:

* sudo apt install vagrant

* vagrant init ubuntu/xenial64

* vagrant up

* vagrant ssh

notice the user being logged in as is "ubuntu"

With either ubuntu/artful64 or ubuntu/trusty64, the same steps log the
user in as "vagrant".

An image with the proposed changes was built and uploaded as
"tribaal/xenial64".

[Regression potential]

* Users who worked around this behavior in their automation are the
most at-risk. They might not be able to login to their boxes anymore,
if they worked around by extracting the ubuntu password from the box
metadata. If they worked around the problem using cloud-init, no
regression will be visible.

* The changes introduce a new insecure user, users having worked
around the problem on their own might be be unaware of this.

* The general consensus in the vagrant community is to install third-
party boxes instead of spending time to try and workaround the
problems with the official ubuntu boxes, so it is likely to be a
limited real-world impact.

* The change might affect exotic systems where people for some reason
decided to build a non-vagrant machine out of our official vagrant
image

Note that these regressions will apply to users upgrading their
installations to future releases (artful, bionic, and later).

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-images/+bug/1569237/+subscriptions