subiquity

autoinstall ssh:install-server:false is misleading in 22.04

Bug #1974483 reported by ov2k
20
This bug affects 2 people
Affects Status Importance Assigned to Milestone
subiquity
Fix Released
High
Unassigned
ubuntu-meta (Ubuntu)
Fix Released
Undecided
Unassigned
Jammy
Fix Committed
Undecided
Unassigned
Ubuntu ubuntu-22.04.2

Bug Description

[ Impact ]
openssh-server is always installed to the target machine regardless of the user's explicit choice to not have it installed.

Backporting the fix will allow image builds to pick up it up and become available for the next point release.

The upload fixes the bug by removing ssh-import-id from the server-minimal seed and meta-package such that it's not part of the base layer copied over during install.

[ Test Plan ]

live images -- Test 1:
 1. Download the latest server installer image from https://cdimage.ubuntu.com/ubuntu-server/jammy/daily-live/
 2. Perform a regular install using the image and on the "SSH configuration" screen make sure "Install OpenSSH server" is NOT selected.
 3. Finish the install and reboot the machine.
 4. Login to the rebooted machine using the credentials provided during install.
 5. Using "apt-cache policy openssh-server" and "apt-cache policy ssh-import-id" confirm neither are installed.

live images -- Test 2:
- Perform Test 1 but instead opt-in to installing openssh-server and ensure it is installed in the target system.

live-images -- Test 3:
- Perform Test 2 but in a completely offline fashion.

pre-installed images:
- Download the latest preinstalled image from: https://cdimage.ubuntu.com/ubuntu-server/jammy/daily-preinstalled/
- Boot the image and, using the same commands as above, confirm openssh-server and ssh-import-id ARE installed

[ Where problems could occur ]
- openssh-server could be included in the build through other means than identified by the proposed upload, causing the package to be still installed by default.
- openssh-server and ssh-import-id could fail to become part of the pool, prohibiting offline install of the packages.
- Changes to the seeds could cause preinstalled images to lack the package.
- The image build(s) may produce errors if they rely on openssh-server or ssh-import-id already being available in a layer in which it's now no longer included. (I can't say it's likely but it is worth mentioning)

[ Other Info ]

 * I have built test images for ubuntu-cpc, both minimized and non-minimized, with my seed changes and verified those images will still correctly contain ssh-import-id and open-ssh-server

[ Original Description]

With 22.04, openssh-server is baked into the image curtin copies to the target. The ssh:install-server key no longer controls whether openssh-server gets installed. It should be easy enough to have the bit of code that installs openssh-server when the key is true also remove it when the key is false.

See original description

Related branches

~cpete/ubuntu/+source/ubuntu-meta:jammy-no-openssh-server-sru
Brian Murray (community): Approve
git-ubuntu import: Pending requested
Diff: 86 lines (+6/-6)
7 files modified
debian/changelog (+6/-0)
server-minimal-amd64 (+0/-1)
server-minimal-arm64 (+0/-1)
server-minimal-armhf (+0/-1)
server-minimal-ppc64el (+0/-1)
server-minimal-riscv64 (+0/-1)
server-minimal-s390x (+0/-1)
~cpete/ubuntu-seeds/+git/ubuntu:jammy-no-openssh-server
Utkarsh Gupta: Approve
Brian Murray: Needs Fixing
Diff: 21 lines (+1/-1)
2 files modified
cloud-image (+1/-0)
server-minimal (+0/-1)
~mwhudson/ubuntu-seeds/+git/ubuntu:remove-ssh-import-id
Steve Langasek: Approve
Diff: 24 lines (+1/-1)
2 files modified
cloud-minimal (+1/-0)
server-cloud-minimal (+0/-1)
Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

Argh, openssh-server is not supposed to be baked into the image curtin copies :(

Changed in subiquity:
status: New → Triaged
importance: Undecided → High
Revision history for this message
ov2k (ov2k) wrote :

Then I should also point out that other things like ufw are also baked in. Those are the only two I've noticed so far, but I haven't been looking very hard.

Michael Hudson-Doyle (mwhudson)
tags: added: fr-2464
Łukasz Zemczak (sil2100)
Changed in ubuntu-meta (Ubuntu Jammy):
milestone: none → ubuntu-22.04.1
Revision history for this message
Paride Legovini (paride) wrote :

Confirmed still happening on the Jammy 20220719 daily.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-meta (Ubuntu Jammy):
status: New → Confirmed
Changed in ubuntu-meta (Ubuntu):
status: New → Confirmed
Matthieu Clemenceau (mclemenceau)
tags: added: foundations-todo
Brian Murray (brian-murray)
Changed in ubuntu-meta (Ubuntu Jammy):
milestone: ubuntu-22.04.1 → ubuntu-22.04.2
Revision history for this message
Andreas Lindhé (lindhe) wrote :

It seems to me like `allow-pw: false` does not work either. Could that also be a side effect of 22.04 having the server built in?

Revision history for this message
Nobuto Murata (nobuto) wrote :

fwiw, this worked for me with 22.04 LTS ISO.

====
#cloud-config
autoinstall:
  version: 1
  identity:
    hostname: ubuntu-server
    username: ubuntu
    # password=ubuntu
    password: "$6$exDY1mhS4KUYCE/2$zmn9ToZwTKLhCw.b4/b.ZRTIZM30JZ4QrOQ2aOXJ8yk96xpcCof0kxKwuX1kqLG/ygbJ1f8wxED22bTL4F46P0"
  ssh:
    install-server: yes # https://launchpad.net/bugs/1974483
    allow-pw: no
====

Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

This is fixed in the 23.10 dailies. I'm not sure it's really practical to fix this for the next 22.04 point release, unfortunately.

Changed in ubuntu-meta (Ubuntu):
status: Confirmed → Fix Released
Changed in subiquity:
status: Triaged → Fix Released
Chris Peterson (cpete)
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello ov2k, or anyone else affected,

Accepted ubuntu-meta into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-meta/1.481.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-meta (Ubuntu Jammy):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-jammy
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.