
yahoo-eng-team team mailing list archive

[Bug 1781039] Re: GCE cloudinit and ubuntu keys from metadata to ubuntu authorized_keys

 

This bug was fixed in the package cloud-init - 0.7.5-0ubuntu1.23

---------------
cloud-init (0.7.5-0ubuntu1.23) trusty; urgency=medium

  - debian/control: added python-six dependency.
  - debian/patches/lp-1781039-gce-datasource-update.patch:
    Backport GCE datasource functionality from Xenial (LP: #1781039).

 -- Shane Peters <shane.peters@xxxxxxxxxxxxx>  Tue, 06 Sep 2018 17:57:23 -0400

** Changed in: cloud-init (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1781039

Title:
  GCE cloudinit and ubuntu keys from metadata to ubuntu authorized_keys

Status in cloud-init:
  Fix Released
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Trusty:
  Fix Released

Bug description:
  [Impact]

   * Per documentation at
  https://wiki.ubuntu.com/GoogleComputeEngineSSHKeys ssh keys for
  cloudinit and ubuntu users should both be added to the 'ubuntu' user's
  authorized_keys file.

   * This works fine in Xenial (16.04) and higher, but doesn't work for
  Trusty (14.04).

  
  [Test Case]

   * Create a file that contains ssh public keys

     $ cat googlekeys
     test:ssh-rsa <one example key> test@xxxxxxxxxxx
     ubuntu:ssh-rsa <a second example key> test@xxxxxxxxxxx
     cloudinit:ssh-rsa <a third example key> test@xxxxxxxxxxx
    
    * Create an ubuntu 14.04 instance
    
      gcloud compute instances create ubuntu1404cloudinit --image-family ubuntu-1404-lts --image-project ubuntu-os-cloud --metadata-from-file=ssh-keys=googlekeys --metadata=block-project-ssh-keys=True
    
    * Create an ubuntu 16.04 instance
    
      gcloud compute instances create ubuntu1604cloudinit --image-family ubuntu-1604-lts --image-project ubuntu-os-cloud --metadata-from-file=ssh-keys=googlekeys --metadata=block-project-ssh-keys=True
      
    * Notice that the ubuntu user in the ubuntu 14.04 instance contains no keys from cloud-init (the keys there are added by the google daemon):
      
      $ sudo cat /home/ubuntu/.ssh/authorized_keys
      # Added by Google
      ssh-rsa <the second example key but added by google daemon> test@xxxxxxxxxxx
    
    * However, in 16.04,
    
      $ sudo cat /home/ubuntu/.ssh/authorized_keys
      ssh-rsa <the third example key added by cloud-init> test@xxxxxxxxxxx
      ssh-rsa <the second example key added by cloud-init> test@xxxxxxxxxxx
      # Added by Google
      ssh-rsa <the second example key added by the google daemon> test@xxxxxxxxxxx

  
  [Regression Potential] 

   * DatasourceGCE.py is heavily modified to fix this behavior in 14.04.
  That said, there is a medium amount of regression potential when using
  the GCE datasource. More specifically, there is now stricter checking
  of the metadata source when used (platform_check=True).

   * Significant testing has been completed via the Google Compute
  platform as well as other non-GCE datasources (lxd) to confirm
  functionality and to test for possible regressions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1781039/+subscriptions
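
The check from the test case above, as an added example that is not part of the original bug report and is not cloud-init's own code: it compares the `ssh-keys` metadata value against the ubuntu user's authorized_keys and reports which cloudinit/ubuntu keys are missing and which present keys were not expected. The function names are hypothetical and the key blobs are constructed placeholders.

```python
# Added example; function names are hypothetical, key blobs are constructed.
EXPECTED_USERS = ("cloudinit", "ubuntu")  # users named in the bug description
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def key_identity(entry):
    """Return (type, blob) for a public key line, skipping options/comments."""
    tokens = entry.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_PREFIXES):
            return (tok, tokens[i + 1])
    return None

def expected_keys(ssh_keys_value, users=EXPECTED_USERS):
    """Keys from 'user:key' metadata lines that belong to `users`."""
    found = []
    for line in ssh_keys_value.splitlines():
        user, sep, key = line.strip().partition(":")
        ident = key_identity(key) if sep and user in users else None
        if ident and ident not in found:
            found.append(ident)
    return found

def audit(ssh_keys_value, authorized_keys_text):
    """Return (missing, unexpected) key identities for the ubuntu user."""
    expected = expected_keys(ssh_keys_value)
    present = []
    for line in authorized_keys_text.splitlines():
        if line.strip().startswith("#"):
            continue  # e.g. the "# Added by Google" marker
        ident = key_identity(line)
        if ident and ident not in present:
            present.append(ident)
    missing = [k for k in expected if k not in present]
    unexpected = [k for k in present if k not in expected]
    return missing, unexpected

# Constructed inputs mirroring the test case (placeholder key blobs).
GOOGLEKEYS = """test:ssh-rsa AAAAKEY1 test@example.com
ubuntu:ssh-rsa AAAAKEY2 test@example.com
cloudinit:ssh-rsa AAAAKEY3 test@example.com"""
TRUSTY = "# Added by Google\nssh-rsa AAAAKEY2 test@example.com\n"
XENIAL = ("ssh-rsa AAAAKEY3 test@example.com\nssh-rsa AAAAKEY2 test@example.com\n"
          "# Added by Google\nssh-rsa AAAAKEY2 test@example.com\n")

if __name__ == "__main__":
    for name, text in (("trusty", TRUSTY), ("xenial", XENIAL)):
        print(name, audit(GOOGLEKEYS, text))
```

A non-empty `unexpected` list is worth reviewing on its own, since it means a key outside the cloudinit/ubuntu metadata entries grants access to the ubuntu account.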