yahoo-eng-team team mailing list archive

[Bug 1885527] Re: cloud-init regenerating ssh-keys

 

This bug was fixed in the package cloud-init - 20.4-0ubuntu1

---------------
cloud-init (20.4-0ubuntu1) hirsute; urgency=medium

  * d/control: add gnupg to Recommends as cc_apt_configure requires it to be
    installed for some operations.
  * New upstream release.
    - Release 20.4 (#686) [James Falcon] (LP: #1905440)
    - tox: avoid tox testenv subsvars for xenial support (#684)
    - Ensure proper root permissions in integration tests (#664) [James Falcon]
    - LXD VM support in integration tests (#678) [James Falcon]
    - Integration test for fallocate falling back to dd (#681) [James Falcon]
    - .travis.yml: correctly integration test the built .deb (#683)
    - Ability to hot-attach NICs to preprovisioned VMs before reprovisioning
      (#613) [aswinrajamannar]
    - Support configuring SSH host certificates. (#660) [Jonathan Lung]
    - add integration test for LP: #1900837 (#679)
    - cc_resizefs on FreeBSD: Fix _can_skip_ufs_resize (#655)
      [Mina Galić] (LP: #1901958, #1901958)
    - DataSourceAzure: push dmesg log to KVP (#670) [Anh Vo]
    - Make mount in place for tests work (#667) [James Falcon]
    - integration_tests: restore emission of settings to log (#657)
    - DataSourceAzure: update password for defuser if exists (#671) [Anh Vo]
    - tox.ini: only select "ci" marked tests for CI runs (#677)
    - Azure helper: Increase Azure Endpoint HTTP retries (#619) [Johnson Shi]
    - DataSourceAzure: send failure signal on Azure datasource failure (#594)
      [Johnson Shi]
    - test_persistence: simplify VersionIsPoppedFromState (#674)
    - only run a subset of integration tests in CI (#672)
    - cli: add --system param to allow validating system user-data on a
      machine (#575)
    - test_persistence: add VersionIsPoppedFromState test (#673)
    - introduce an upgrade framework and related testing (#659)
    - add --no-tty option to gpg (#669) [Till Riedel] (LP: #1813396)
    - Pin pycloudlib to a working commit (#666) [James Falcon]
    - DataSourceOpenNebula: exclude SRANDOM from context output (#665)
    - cloud_tests: add hirsute release definition (#662)
    - split integration and cloud_tests requirements (#652)
    - faq.rst: add warning to answer that suggests running `clean` (#661)
    - Fix stacktrace in DataSourceRbxCloud if no metadata disk is found (#632)
      [Scott Moser]
    - Make wakeonlan Network Config v2 setting actually work (#626)
      [dermotbradley]
    - HACKING.md: unify network-refactoring namespace (#658) [Mina Galić]
    - replace usage of dmidecode with kenv on FreeBSD (#621) [Mina Galić]
    - Prevent timeout on travis integration tests. (#651) [James Falcon]
    - azure: enable pushing the log to KVP from the last pushed byte  (#614)
      [Moustafa Moustafa]
    - Fix launch_kwargs bug in integration tests (#654) [James Falcon]
    - split read_fs_info into linux & freebsd parts (#625) [Mina Galić]
    - PULL_REQUEST_TEMPLATE.md: expand commit message section (#642)
    - Make some language improvements in growpart documentation (#649)
      [Shane Frasier]
    - Revert ".travis.yml: use a known-working version of lxd (#643)" (#650)
    - Fix not sourcing default 50-cloud-init ENI file on Debian (#598)
      [WebSpider]
    - remove unnecessary reboot from gpart resize (#646) [Mina Galić]
    - cloudinit: move dmi functions out of util (#622) [Scott Moser]
    - integration_tests: various launch improvements (#638)
    - test_lp1886531: don't assume /etc/fstab exists (#639)
    - Remove Ubuntu restriction from PR template (#648) [James Falcon]
    - util: fix mounting of vfat on *BSD (#637) [Mina Galić]
    - conftest: improve docstring for disable_subp_usage (#644)
    - doc: add example query commands to debug Jinja templates (#645)
    - Correct documentation and testcase data for some user-data YAML (#618)
      [dermotbradley]
    - Hetzner: Fix instance_id / SMBIOS serial comparison (#640)
      [Markus Schade]
    - .travis.yml: use a known-working version of lxd (#643)
    - tools/build-on-freebsd: fix comment explaining purpose of the script
      (#635) [Mina Galić]
    - Hetzner: initialize instance_id from system-serial-number (#630)
      [Markus Schade] (LP: #1885527)
    - Explicit set IPV6_AUTOCONF and IPV6_FORCE_ACCEPT_RA on static6 (#634)
      [Eduardo Otubo]
    - get_interfaces: don't exclude Open vSwitch bridge/bond members (#608)
      [Lukas Märdian] (LP: #1898997)
    - Add config modules for controlling IBM PowerVM RMC. (#584)
      [Aman306] (LP: #1895979)
    - Update network config docs to clarify MAC address quoting (#623)
      [dermotbradley]
    - gentoo: fix hostname rendering when value has a comment (#611)
      [Manuel Aguilera]
    - refactor integration testing infrastructure (#610) [James Falcon]
    - stages: don't reset permissions of cloud-init.log every boot (#624)
      (LP: #1900837)
    - docs: Add how to use cloud-localds to boot qemu (#617) [Joshua Powers]
    - Drop vestigial update_resolve_conf_file function (#620) [Scott Moser]
    - cc_mounts: correctly fallback to dd if fallocate fails (#585)
      (LP: #1897099)
    - .travis.yml: add integration-tests to Travis matrix (#600)
    - ssh_util: handle non-default AuthorizedKeysFile config (#586)
      [Eduardo Otubo]
    - Multiple file fix for AuthorizedKeysFile config (#60) [Eduardo Otubo]
    - bddeb: new --packaging-branch argument to pull packaging from branch
      (#576) [Paride Legovini]
    - Add more integration tests (#615) [lucasmoura]
    - DataSourceAzure: write marker file after report ready in preprovisioning
      (#590) [Johnson Shi]
    - integration_tests: emit settings to log during setup (#601)
    - integration_tests: implement citest tests run in Travis (#605)
    - Add Azure support to integration test framework (#604) [James Falcon]
    - openstack: consider product_name as valid chassis tag (#580)
      [Adrian Vladu] (LP: #1895976)
    - azure: clean up and refactor report_diagnostic_event (#563) [Johnson Shi]
    - net: add the ability to blacklist network interfaces based on driver
      during enumeration of physical network devices (#591) [Anh Vo]
    - integration_tests: don't error on cloud-init failure (#596)
    - integration_tests: improve cloud-init.log assertions (#593)
    - conftest.py: remove top-level import of httpretty (#599)
    - tox.ini: add integration-tests testenv definition (#595)
    - PULL_REQUEST_TEMPLATE.md: empty checkboxes need a space (#597)
    - add integration test for LP: #1886531 (#592)
    - Initial implementation of integration testing infrastructure (#581)
      [James Falcon]
    - Fix name of ntp and chrony service on CentOS and RHEL. (#589)
      [Scott Moser] (LP: #1897915)
    - Adding a PR template (#587) [James Falcon]
    - Azure parse_network_config uses fallback cfg when generate IMDS network
      cfg fails (#549) [Johnson Shi]
    - features: refresh docs for easier out-of-context reading (#582)
    - Fix typo in resolv_conf module's description (#578) [Wacław Schiller]
    - cc_users_groups: minor doc formatting fix (#577)
    - Fix typo in disk_setup module's description (#579) [Wacław Schiller]
    - Add vendor-data support to seedfrom parameter for NoCloud and OVF (#570)
      [Johann Queuniet]
    - boot.rst: add First Boot Determination section (#568) (LP: #1888858)
    - opennebula.rst: minor readability improvements (#573) [Mina Galić]
    - cloudinit: remove unused LOG variables (#574)

 -- James Falcon <james.falcon@xxxxxxxxxxxxx>  Tue, 24 Nov 2020 12:32:00 -0600

** Changed in: cloud-init (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1885527

Title:
  cloud-init regenerating ssh-keys

Status in cloud-init:
  Fix Released
Status in cloud-init package in Ubuntu:
  Fix Released

Bug description:
  Hi,

  I made some experiments with virtual machines with Ubuntu-20.04 at a
  German cloud provider (Hetzner), which uses cloud-init to initialize
  machines with a basic setup such as ip and ssh access.

  During my installation tests I had to reboot the virtual machines
  several times after installing or removing packages.

  Occasionally (not always) I noticed that the ssh host keys had
  changed; ssh complained. After accepting the new host keys (insecure!)
  I found that all key files in /etc/ssh had fresh mod times, i.e. were
  freshly regenerated.

  This reminds me of a bug I had reported about cloud-init some time
  ago, where I could not change the host name permanently, because
  cloud-init reset it to its initial configuration at every boot time
  (highly dangerous, because it seemed to reset passwords to their
  original state as well).

  Although cloud-init is intended to do an initial configuration for the
  first boot only, it seems to remain on the system and – even worse:
  occasionally – change configurations.

  I've never understood what's the purpose of cloud-init remaining
  active after the machine is up and running.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1885527/+subscriptions