[SRU] CloudStack data source will always set password to "HTTP/1.0 200 OK" on CloudStack 4.5.1 and later

Bug #1464253 reported by Dan Watkins
This bug affects 2 people
Affects                 Status        Importance   Assigned to    Milestone
cloud-init              Fix Released  Undecided    Dan Watkins
cloud-init (Ubuntu)     Fix Released  Undecided    Unassigned
  Precise               Fix Released  Undecided    Dan Watkins
  Trusty                Fix Released  Undecided    Dan Watkins
  Utopic                Won't Fix     Undecided    Dan Watkins
  Vivid                 Fix Released  Undecided    Dan Watkins
  Wily                  Fix Released  Undecided    Unassigned

Bug Description

First reported in https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1440263/comments/6

Older versions of CloudStack return the password as the first thing on the socket after an HTTP request (eschewing the tradition of HTTP response headers), which is what we take and use.

This lack of proper HTTP headers has been fixed in ACS 4.5.1, which means we will always use the status line of the HTTP response as the password.

[Impact]
Ubuntu instances deployed on more recent versions of CloudStack will always set the root password to "HTTP/1.0 200 OK".

[Test Case]
Launch an instance in a recent CloudStack environment and try to log in using "HTTP/1.0 200 OK" and the password provided by the environment. The former should fail and the latter should work.

[Regression Potential]
This change moves to using wget rather than our own custom client, which is more in line with CloudStack's own scripting around this. We shouldn't regress on new or old CloudStack environments.
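The description above explains the failure mode in prose: the old password server wrote the password as the first line on the socket, the 4.5.1+ server wraps it in a proper HTTP response, and a client that blindly takes the first line therefore sets a fixed, publicly known root password on every instance. The following is an added example written for this page, not cloud-init's code (cloud-init's actual fix switched to wget, as the description says). It shows the pre-fix first-line parse beside a parser that accepts both server generations and refuses to return anything shaped like an HTTP status line. The two reply samples, the password "s3cr3t-pw" and the header names in them are constructed for illustration and are not taken from the bug.

```python
"""
Parse a CloudStack password-server reply that may be either the legacy
raw form (password as the first line on the socket, no HTTP framing) or
the HTTP/1.x form introduced in ACS 4.5.1 (status line, headers, blank
line, body).

Example code added by the editor; not cloud-init's implementation. The
reply samples, password and headers below are constructed.
"""
import re

# Status line per RFC 7230 section 3.1.2:
#   HTTP-version SP status-code SP reason-phrase
_STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3}(?: [^\r\n]*)?$")

# Constructed samples: the same (made-up) password as served by the old
# and the new password server.
LEGACY_REPLY = b"s3cr3t-pw\n"
NEW_REPLY = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/plain\r\n"   # assumed header, not from the bug
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"s3cr3t-pw"
)


def legacy_first_line(raw: bytes) -> str:
    """The pre-fix behaviour: take the first line of whatever came back.

    Correct for the old password server, but against a 4.5.1+ server this
    returns the status line, which is exactly the bug on this page.
    """
    first, _, _ = raw.partition(b"\n")
    return first.rstrip(b"\r").decode("utf-8", "replace")


def parse_password_reply(raw: bytes) -> str:
    """Handle both server generations and return the password body.

    Raises ValueError rather than returning an HTTP status line or an
    empty string, so a caller can never end up setting a predictable
    password such as "HTTP/1.0 200 OK".
    """
    if not raw:
        raise ValueError("empty reply from password server")

    first, _, _ = raw.partition(b"\n")
    first = first.rstrip(b"\r")

    if _STATUS_LINE.match(first):
        # New-style reply: check the status, skip the headers, keep the body.
        status = int(first.split(b" ")[1])
        if status != 200:
            raise ValueError(f"password server returned HTTP {status}")
        # Headers end at the first blank line (CRLF CRLF or LF LF).
        m = re.search(rb"\r?\n\r?\n", raw)
        body = raw[m.end():] if m else b""
    else:
        # Legacy reply: the password is the first line on the socket.
        body = first

    password = body.strip().decode("utf-8", "replace")
    # Belt and braces: whichever branch produced it, never accept a value
    # shaped like a status line, and never accept an empty one.
    if not password or _STATUS_LINE.match(password.encode("utf-8")):
        raise ValueError(f"reply did not contain a usable password: {password!r}")
    return password


def reply_is_usable(raw: bytes) -> bool:
    """True if the reply yields a password that is safe to set."""
    try:
        parse_password_reply(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, reply in (("legacy", LEGACY_REPLY), ("4.5.1+", NEW_REPLY)):
        print(f"{label:7} first-line parse -> {legacy_first_line(reply)!r}")
        print(f"{label:7} fixed parse      -> {parse_password_reply(reply)!r}")
```

Against the legacy reply both parsers agree; against the 4.5.1+ reply only the fixed parser returns the real password. The final status-line check is the cheap safeguard a practitioner would want regardless of client: a password that matches `HTTP/x.y NNN ...` is a parsing failure, not a credential, and should abort rather than be written to the root account.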

Related branches

Dan Watkins (oddbloke)
Changed in cloud-init (Ubuntu):
assignee: nobody → Dan Watkins (daniel-thewatkins)
description: updated
Dan Watkins (oddbloke)
Changed in cloud-init (Ubuntu):
status: New → In Progress
status: In Progress → New
assignee: Dan Watkins (daniel-thewatkins) → nobody
Changed in cloud-init:
status: New → In Progress
assignee: nobody → Dan Watkins (daniel-thewatkins)
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cloud-init (Ubuntu):
status: New → Confirmed
Scott Moser (smoser)
Changed in cloud-init (Ubuntu Precise):
status: New → Confirmed
Changed in cloud-init (Ubuntu Trusty):
status: New → Confirmed
Changed in cloud-init (Ubuntu Utopic):
status: New → Confirmed
Changed in cloud-init (Ubuntu Vivid):
status: New → Confirmed
Dan Watkins (oddbloke)
Changed in cloud-init (Ubuntu Precise):
assignee: nobody → Dan Watkins (daniel-thewatkins)
Changed in cloud-init (Ubuntu Trusty):
assignee: nobody → Dan Watkins (daniel-thewatkins)
Changed in cloud-init (Ubuntu Utopic):
assignee: nobody → Dan Watkins (daniel-thewatkins)
Changed in cloud-init (Ubuntu Vivid):
assignee: nobody → Dan Watkins (daniel-thewatkins)
Dan Watkins (oddbloke)
Changed in cloud-init:
status: In Progress → Fix Committed
Dan Watkins (oddbloke)
Changed in cloud-init (Ubuntu Vivid):
status: Confirmed → In Progress
Changed in cloud-init (Ubuntu Trusty):
status: Confirmed → In Progress
Changed in cloud-init (Ubuntu Precise):
status: Confirmed → In Progress
Changed in cloud-init:
status: Fix Committed → Fix Released
Dan Watkins (oddbloke)
description: updated
summary: - CloudStack data source will always set password to "HTTP/1.0 200 OK" on
- CloudStack 4.5.1 and later
+ [SRU] CloudStack data source will always set password to "HTTP/1.0 200
+ OK" on CloudStack 4.5.1 and later
Revision history for this message
Scott Moser (smoser) wrote :

marking as fix-committed in cloud-init trunk. fix-released will go with the 0.7.7 release.

Changed in cloud-init:
status: Fix Released → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.7.7~bzr1127-0ubuntu1

---------------
cloud-init (0.7.7~bzr1127-0ubuntu1) wily; urgency=medium

  [ Scott Moser ]
  * d/README.source, debian/cherry-pick-rev: improve packaging tool

  [ Daniel Watkins ]
  * d/cloud-init.templates: Include SmartOS data source in the default list
    and choices. (LP: #1398997)

  [ Scott Moser ]
  * New upstream snapshot.
    * check for systemd using sd_booted symantics (LP: #1461201)
    * fix importing of gpg keys in python3 (LP: #1463373)
    * fix specification of devices to growpart (LP: #1465436)
    * reliably detect and use Azure disks using udev rules (LP: #1411582)
    * support selection of Ubuntu mirrors on GCE (LP: #1470890)
    * ssh: generate ed25519 host keys if supported (LP: #1461242)
    * test fixes and cleanups
    * fix reading of availability-zone on GCE (LP: #1470880)
    * fix cloudsigma datasource with python3 (LP: #1475215)
    * fix rightscale user-data
    * fix consumption of CloudStack passwords on newer CloudStack platforms
      (LP: #1440263, #1464253)

 -- Scott Moser <email address hidden> Wed, 22 Jul 2015 17:06:18 -0400

Changed in cloud-init (Ubuntu Wily):
status: Confirmed → Fix Released
Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello Dan, or anyone else affected,

Accepted cloud-init into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.7~bzr1091-0ubuntu4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in cloud-init (Ubuntu Vivid):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in cloud-init (Ubuntu Trusty):
status: In Progress → Fix Committed
Revision history for this message
Chris J Arges (arges) wrote :

Hello Dan, or anyone else affected,

Accepted cloud-init into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.5-0ubuntu1.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in cloud-init (Ubuntu Precise):
status: In Progress → Fix Committed
Revision history for this message
Chris J Arges (arges) wrote :

Hello Dan, or anyone else affected,

Accepted cloud-init into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.6.3-0ubuntu1.18 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in cloud-init (Ubuntu Utopic):
status: Confirmed → Won't Fix
Revision history for this message
Dan Watkins (oddbloke) wrote :

Thomas,

Would you be able to perform validation that this is fixed in the new package? I don't have access to an appropriate CloudStack environment to do so.

Thanks,

Dan

Chris J Arges (arges)
information type: Private Security → Public Security
Revision history for this message
Dan Watkins (oddbloke) wrote :

I have verified that we have not broken password on pre-4.5 versions of CloudStack.

I haven't been able to confirm that this is fixed on 4.5+, because we haven't been able to find such a test environment. It certainly won't have regressed (as it was already broken), so I'm marking this as verification-done.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.7.7~bzr1091-0ubuntu4

---------------
cloud-init (0.7.7~bzr1091-0ubuntu4) vivid; urgency=medium

  * d/patches/lp-1456684-eu-central-1.patch: Add central as a direction for
    EC2 availability zones (LP: #1456684).
  * d/patches/lp-1464253-handle-new-cloudstack-passwords.patch: Handle both
    old and new CloudStack password servers (LP: #1464253).
  * d/patches/lp-1475215-fix-cloudsigma-cepko.patch: Fix CloudSigma datasource
    under Python 3 (LP: #1475215).
  * d/patches/lp-1463373-fix-apt-gpg-key-fetching.patch: Fix a Python 3
    problem with the writing out of the script that fetches GPG keys for apt
    repos (LP: #1463373).

 -- Daniel Watkins <email address hidden> Mon, 29 Jun 2015 12:48:33 +0100

Changed in cloud-init (Ubuntu Vivid):
status: Fix Committed → Fix Released
Revision history for this message
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for cloud-init has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.7.5-0ubuntu1.7

---------------
cloud-init (0.7.5-0ubuntu1.7) trusty; urgency=medium

  * d/patches/lp-1456684-eu-central-1.patch:
    - Add central as a direction for EC2 availability zones (LP: #1456684).
  * d/patches/lp-1464253-handle-new-cloudstack-passwords.patch:
      - Handle both old and new CloudStack password servers (LP: #1464253).
  * Add python-serial to Build-Depends (LP: #1381776).

 -- Daniel Watkins <email address hidden> Thu, 16 Jul 2015 17:34:01 +0100

Changed in cloud-init (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.6.3-0ubuntu1.18

---------------
cloud-init (0.6.3-0ubuntu1.18) precise; urgency=medium

  * d/patches/lp-1456684-eu-central-1.patch:
      - Add central as a direction for EC2 availability zones (LP: #1456684).
  * d/patches/lp-1464253-handle-new-cloudstack-passwords.patch:
      - Handle both old and new CloudStack password servers (LP: #1464253).
  * Add python-serial to Depends (LP: #1381776).

 -- Daniel Watkins <email address hidden> Thu, 16 Jul 2015 17:14:18 +0100

Changed in cloud-init (Ubuntu Precise):
status: Fix Committed → Fix Released
Dan Watkins (oddbloke)
Changed in cloud-init:
status: Fix Committed → Fix Released
Revision history for this message
James Falcon (falcojr) wrote :
This report contains Public Security information  