
yahoo-eng-team team mailing list archive

[Bug 1940233] Re: cloud-init in impish makes /home/ubuntu/.ssh root.root

 

While this is important and fixed in the SRU upload of bug 1940871 - the bad code never reached Bionic/Focal/Hirsute as it was in the interim 21.3 versions. Therefore the bug state for these releases is invalid (it isn't there now, and won't be added in the ongoing SRU).
Setting the states to invalid.

** Changed in: cloud-init (Ubuntu Bionic)
       Status: New => Invalid

** Changed in: cloud-init (Ubuntu Focal)
       Status: New => Invalid

** Changed in: cloud-init (Ubuntu Hirsute)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1940233

Title:
  cloud-init in impish makes /home/ubuntu/.ssh root.root

Status in cloud-init:
  Fix Released
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Bionic:
  Invalid
Status in cloud-init source package in Focal:
  Invalid
Status in cloud-init source package in Hirsute:
  Invalid
Status in cloud-init source package in Impish:
  Fix Released

Bug description:
  Hi,
  I got to this by my systems complaining to be unable to do ssh-keygen
  after deployment. Example:
  $ uvt-kvm ssh --insecure impish-kvm 'ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N '\'''\'''
  Saving key "/home/ubuntu/.ssh/id_rsa" failed: Permission denied

  I found that is due to permissions after guest spawning:
  /home/ubuntu/.ssh changed

  Old:
  drwx------ 2 ubuntu ubuntu 4096 Aug 17 08:20 .ssh/

  New:
  drwxr-xr-x 2 root   root   4096 Aug 17 08:17 .ssh/

  That breaks later things like ssh-keygen.

  uvt-kvm only does instruct cloud-init to place a key.
  This uses ssh_authorized_keys from
  https://cloudinit.readthedocs.io/en/latest/topics/modules.html?highlight=ssh_authorized_keys#authorized-keys

  Checked a few guests:
  I've seen this on
  - impish x86
  - impish s390x

  I've not seen this on
  - bionic
  - focal
  - impish

  You might say - wait a minute impish in both lists.
  But it is the date:

  Bad
  com.ubuntu.cloud.daily:server:21.10:amd64 20210815
  cloud-init     21.2-69-g65607405-0ubuntu1

  Good
  com.ubuntu.cloud.daily:server:21.10:amd64 20210706
  cloud-init     21.2-3-g899bfaa9-0ubuntu2

  And either this cloud-init version is broken or the underlying new impish image.
  I mounted the underlying cloud-image (without customization by cloud-init)
  and found that /home is empty (true for all those images).

  So to me that seems to be an issue in the new cloud-init that now is in
  those images.

  Steps to reproduce
  # if your host has no keys to push to the guest run ssh-keygen
  # sync the latest broken images
  $ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=impish
  # spawn guest
  $ uvt-kvm create --password=ubuntu i release=impish arch=amd64 label=daily
  # wait for it and check the permissions
  $ uvt-kvm wait i
  $ uvt-kvm ssh i "ls -laF /home/ubuntu/"
  drwxr-xr-x 2 root   root   4096 Aug 17 08:17 .ssh/

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1940233/+subscriptions
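
A check for the condition described in the report, added here as an example; it is not part of the original bug report and not cloud-init's own code. It flags any account whose .ssh directory is not owned by that account or is not mode 700 (the "Old" state shown above). The function names are hypothetical, and it assumes GNU stat and a passwd-format input file.

```shell
#!/bin/sh
# Added example (function names are hypothetical). Assumes GNU stat.

# check_ssh_dir HOME_DIR EXPECTED_UID
# Returns 0 if HOME_DIR/.ssh is owned by EXPECTED_UID with mode 700 (the "Old"
# state in the report), 1 if owner or mode differs, 2 if it does not exist.
check_ssh_dir() {
    ssh_dir="$1/.ssh"
    want_uid="$2"
    if [ ! -d "$ssh_dir" ]; then
        echo "MISSING $ssh_dir"
        return 2
    fi
    owner=$(stat -c '%u' "$ssh_dir")   # numeric owner uid
    mode=$(stat -c '%a' "$ssh_dir")    # octal permission bits
    result=0
    if [ "$owner" != "$want_uid" ]; then
        echo "OWNER $ssh_dir: uid $owner, expected $want_uid"
        result=1
    fi
    if [ "$mode" != "700" ]; then
        echo "MODE  $ssh_dir: $mode, expected 700"
        result=1
    fi
    return "$result"
}

# audit_ssh_dirs [PASSWD_FILE]
# Checks every account in a passwd-format file that has a .ssh directory.
# Returns 0 if all of them pass, 1 if any is flagged.
audit_ssh_dirs() {
    passwd_file="${1:-/etc/passwd}"
    flagged=0
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -d "$home/.ssh" ] || continue
        check_ssh_dir "$home" "$uid" || flagged=1
    done < "$passwd_file"
    return "$flagged"
}

# Run the audit only when asked, e.g.: sh check_ssh.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_ssh_dirs
fi
```

On a guest showing the state from the report, the ubuntu account would be reported with both an OWNER and a MODE line.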


