azure locks existing user if instance id changes
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
cloud-init | Fix Released | Medium | Sam Eiderman | |
Bug Description
The same bug was actually reported by someone else as a waagent bug here:
https:/
But was closed due to no followup of original user.
Cloud Provider: Azure
VM: Ubuntu 14.04 (And probably all higher versions)
When provisioning a VM on Azure, cloud-init uses /dev/sr0 to find ovf-env.xml.
Since the instance is new, cc_users_groups, which runs "per instance", adds my user, which is configured with a password (not an ssh-key), to the system.
Now cloud-init copies ovf-env.xml to /var/lib/waagent/ to be used as a cache.
But the password is changed to REDACTED.
Notice that on following boots, when cloud-init loads DataSourceAzure, it uses /var/lib/
https:/
So DataSourceAzure does not configure defuser[
Usually everything works and the user never gets locked since we are using the same instance, and cc_users_groups never gets invoked (which is a per instance action), but when the instance id does change (when exporting the disks to a different machine) the user will get locked by create_user() with defuser[
I guess the correct logic should have been:
if password:
if DEF_PASSWD_
In this case create_user() will be invoked, add_user() will not do anything since the user exists and no locking will occur later on in create_user().
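A check for the condition the report describes, added here as an example (not code from cloud-init or from the reporter): it reads a cached ovf-env.xml and an /etc/shadow excerpt and reports whether the cached password is the REDACTED placeholder and whether the account is locked. The XML element names, both sample documents, the user name and all function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

REDACTED = "REDACTED"  # placeholder the report says is written to the cached copy

# Constructed sample of a cached /var/lib/waagent/ovf-env.xml. Element names are
# assumed from the Azure provisioning format; they do not appear in the report.
SAMPLE_OVF = """<Environment xmlns="http://schemas.dmtf.org/ovf/environment/1"
    xmlns:wa="http://schemas.microsoft.com/windowsazure">
  <wa:ProvisioningSection>
    <LinuxProvisioningConfigurationSet xmlns="http://schemas.microsoft.com/windowsazure">
      <UserName>azureuser</UserName>
      <UserPassword>REDACTED</UserPassword>
    </LinuxProvisioningConfigurationSet>
  </wa:ProvisioningSection>
</Environment>"""

# Constructed /etc/shadow excerpt: "!" before the hash marks a locked password.
SAMPLE_SHADOW = """root:*:18000:0:99999:7:::
azureuser:!$6$salt$constructedhash:18000:0:99999:7:::
other:$6$salt$constructedhash:18000:0:99999:7:::"""


def cached_credentials(ovf_xml):
    """Return (username, password text) found in an ovf-env.xml document."""
    found = {}
    for el in ET.fromstring(ovf_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        if name in ("UserName", "UserPassword"):
            found[name] = (el.text or "").strip()
    return found.get("UserName"), found.get("UserPassword")


def is_locked(shadow_text, user):
    """True if the user's shadow password field starts with '!' or '*'."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == user:
            return fields[1].startswith(("!", "*"))
    return False


def check(ovf_xml, shadow_text):
    """Report the state the bug depends on: redacted cache and locked account."""
    user, password = cached_credentials(ovf_xml)
    return {"user": user, "cache_redacted": password == REDACTED,
            "locked": user is not None and is_locked(shadow_text, user)}


if __name__ == "__main__":
    print(check(SAMPLE_OVF, SAMPLE_SHADOW))
```

On a real system the two inputs would be the contents of /var/lib/waagent/ovf-env.xml and /etc/shadow, read as root.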
Related branches
- Ryan Harper: Approve
- Server Team CI bot: Approve (continuous-integration)
- Sam Eiderman (community): Needs Resubmitting
Diff: 44 lines (+19/-2), 2 files modified
- cloudinit/sources/DataSourceAzure.py (+3/-2)
- tests/unittests/test_datasource/test_azure.py (+16/-0)
Changed in cloud-init: status: New → Triaged
Thanks for filing the bug.
Would you be able to run cloud-init collect-logs and attach the tarball it creates?
Alternatively, if you could provide a sanitized version of /var/log/cloud-init.log, that should be sufficient to see what's going on.
Lastly, when creating a new instance with captured disks, shouldn't cloud-init find a new ovf-xml from the attached iso versus loading the previously saved xml file? Otherwise, this would set the created user's password to the redacted value rather than the original password when you created the first instance?