VMs hardening with the noexec option in /tmp and /var/tmp which is causing issues to get an IP with cloud-init, reason why the VM takes like 25 min to start
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-init | Fix Released | High | Alberto Contreras |
Bug Description
Hardening Azure VM - Ubuntu 18.04 with the noexec option in /tmp and /var/tmp is causing issues with the dhclient to get an IP with cloud-init, reason why the VM takes like 25 min to start
Hardening:
root@ubu1804rep
# CLOUD_IMG: This file was created/modified by the Cloud Image build process
UUID=5b1ab5d4-
UUID=91B6-4BB7 /boot/efi vfat umask=0077 0 1
UUID="fadc7d49-
/tmp /var/tmp none rw,noexec,
/dev/disk/
Error:
[ OK ] Reached target System Time Synchronized.
[ OK ] Started AppArmor initialization.
Starting Load AppArmor profiles managed internally by snapd...
Starting Initial cloud-init job (pre-networking)...
[ 8.062136] sh[795]: + [ -e /var/lib/
[ OK ] [ 8.097225] sh[795]: + echo cleaning persistent cloud-init object
Started Load AppArmor profiles managed internally by snapd.
[ 8.100207] sh[795]: cleaning persistent cloud-init object
[ 8.106214] sh[795]: + rm /var/lib/
[ 8.112706] sh[795]: + exit 0
[ 14.435302] cloud-init[813]: Cloud-init v. 21.4-0ubuntu1~
[ 14.445225] cloud-init[813]: 2022-02-25 17:18:56,105 - dhcp.py[WARNING]: dhclient did not produce expected files: dhcp.leases, dhclient.pid
[ 14.453129] cloud-init[813]: 2022-02-25 17:18:56,107 - azure.py[WARNING]: exception while getting metadata:
[ 14.460876] cloud-init[813]: 2022-02-25 17:18:56,109 - azure.py[ERROR]: Could not crawl Azure metadata:
[ 19.626878] cloud-init[813]: 2022-02-25 17:19:01,297 - dhcp.py[WARNING]: dhclient did not produce expected files: dhcp.leases, dhclient.pid
[ 19.664700] cloud-init[813]: 2022-02-25 17:19:01,333 - azure.py[ERROR]: Failed to read /var/lib/
[ 19.674221] cloud-init[813]: 2022-02-25 17:19:01,333 - azure.py[WARNING]: No lease found; using default endpoint: a8:3f:81:10
Cloud-Init Version:
root@ubu1804rep
/usr/bin/cloud-init 21.4-0ubuntu1~
root@ubu1804rep
OS version:
root@ubu1804rep
Linux ubu1804repro 5.4.0-1069-azure #72~18.04.1-Ubuntu SMP Mon Feb 7 11:12:24 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
root@ubu1804rep
root@ubu1804rep
DISTRIB_ID=Ubuntu
DISTRIB_
DISTRIB_
DISTRIB_
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https:/
SUPPORT_URL="https:/
BUG_REPORT_URL="https:/
PRIVACY_
VERSION_
UBUNTU_
root@ubu1804rep
Workaround: Remove the noexec option from /tmp and /tmp/var entries in /etc/fstab.
Changed in cloud-init:
assignee: nobody → Alberto Contreras (aciba)
Changed in cloud-init:
status: Triaged → Fix Committed
Thank you for filing this bug and improving Ubuntu and cloud-init.
I confirm this looks to be a problem from your attached cloud-init.log.
Looks like cloud-init should be a bit more resilient in determining the appropriate temporary directory from which to execute a preliminary dhclient call prior to network being set up on the system.
The module function where we'd likely need to address this is cloudinit.temp_files._tempfile_dir_arg.
A preflight check of util.mounts() can inform cloud-init if its temporary directory choice would lead to noexec type errors.
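
A sketch of the kind of preflight check described in the comment above, added here as an example; it is not cloud-init's code and not the fix that was released. It parses text in /proc/mounts format instead of calling util.mounts(), and the function names, the candidate directory list and the sample mount table are assumptions made for illustration.

```python
import os

# Constructed sample in /proc/mounts format (not taken from the reporter's VM).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /tmp ext4 rw,noexec,relatime 0 0
/dev/sda1 /var/tmp ext4 rw,noexec,relatime 0 0
"""


def parse_mounts(text):
    """Map each mountpoint to its set of mount options."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # The kernel writes spaces in paths as \040; a later line for the
        # same mountpoint is the mount stacked on top, so it wins.
        mounts[fields[1].replace("\\040", " ")] = set(fields[3].split(","))
    return mounts


def covering_mount(path, mounts):
    """Return the longest mountpoint that is `path` or one of its ancestors."""
    path = os.path.normpath(path)
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def allows_exec(path, mounts):
    """True only when the covering mount is known and lacks noexec."""
    mp = covering_mount(path, mounts)
    return mp is not None and "noexec" not in mounts[mp]


def pick_exec_dir(candidates, mounts):
    """First candidate from which a helper binary could be executed."""
    return next((c for c in candidates if allows_exec(c, mounts)), None)


if __name__ == "__main__":
    # Candidate order is an assumption made for this example.
    print(pick_exec_dir(["/var/tmp", "/tmp", "/var/lib/cloud/tmp"],
                        parse_mounts(SAMPLE_MOUNTS)))
```

On a live system the same functions can be fed the contents of /proc/mounts; a result of None means every candidate sits on a noexec mount, which is the condition the hardened fstab in this report creates for /tmp and /var/tmp.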