[SRU] Handle changing UUID endian-ness on Azure in cloud-init
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-init (Ubuntu) | Invalid | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Dan Watkins |
Vivid | Invalid | Undecided | Unassigned |
linux (Ubuntu) | Invalid | Critical | Unassigned |
Trusty | Fix Released | Critical | Luis Henriques |
Vivid | Fix Released | Critical | Luis Henriques |
linux-keystone (Ubuntu) | Invalid | Undecided | Unassigned |
Trusty | Fix Released | Critical | Luis Henriques |
Vivid | Invalid | Undecided | Unassigned |
linux-lts-utopic (Ubuntu) | | | |
Trusty | Fix Released | Critical | Luis Henriques |
Bug Description
On Azure, cloud-init relies on the system-uuid as reported by SMBIOS as a unique ID for a cloud instance. If this ID ever changes, then cloud-init will attempt to reprovision the VM.
This recent kernel patch in the Ubuntu kernel incorrectly modifies the endianness for some SMBIOS fields, which has the effect of causing cloud-init to think that the system-uuid has changed: http://
cloud-init needs to consider both the reported UUID and the "first three fields endian-reversed" UUID as the same, so that users shifting between unaffected kernels and affected kernels, or affected kernels and fixed kernels do not see their instances reprovisioned.
[Impact]
The impact is that cloud-init attempts to reprovision VMs when they reboot to use the new kernel, often causing the customer to lose access to their VM.
Once the kernel is fixed, rebooting from an affected kernel to the new kernel will have the same effect.
[Test Case]
Failure:
1) Boot an Azure instance using an image with a pre-broken kernel (e.g. b39f27a8b8c64d5
2) Upgrade the kernel and reboot.
3) SSH to the instance; you will observe that you are prompted to change SSH host keys because cloud-init has run again.
Success (upgrade from not broken->broken):
1) Boot an Azure instance using an image with a pre-broken kernel (e.g. b39f27a8b8c64d5
2) Install the new version of cloud-init.
3) Upgrade the kernel and reboot.
4) Observe that you are not prompted when SSHing to the instance, as cloud-init has not run again.
5) Make a note of the instance ID in use (i.e. the target of /var/lib/
6) Reboot again.
7) Observe that the instance ID has not changed.
Success (upgrade from broken->fixed):
1) Boot an Azure instance using an image with a broken kernel (e.g. b39f27a8b8c64d5
2) Install the new version of cloud-init.
3) Upgrade to the fixed kernel (once it is available) and reboot.
4) Observe that you are not prompted when SSHing to the instance, as cloud-init has not run again.
Success (upgrade from not broken->fixed):
1) Boot an Azure instance using an image with a pre-broken kernel (e.g. b39f27a8b8c64d5
2) Install the new version of cloud-init.
3) Upgrade to the fixed kernel (once it is available) and reboot.
4) Observe that you are not prompted when SSHing to the instance, as cloud-init has not run again.
[Regression Potential]
The change is limited to the Azure data source. It affects how instance IDs are determined, but the change does so in a limited way.
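The comparison the description asks for (treat the reported UUID and its "first three fields endian-reversed" form as the same instance) can be sketched as follows. This is an added example, not part of the original report and not cloud-init's own code; the function names and the sample UUID are hypothetical and constructed for illustration.

```python
import re

# Canonical 8-4-4-4-12 textual UUID, as exposed by SMBIOS system-uuid.
_UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed sample value, not taken from any real instance.
SAMPLE_UUID = "12345678-9abc-def0-1122-334455667788"


def normalize(system_uuid):
    """Lower-case and validate a textual UUID; reject anything malformed."""
    value = system_uuid.strip().lower()
    if not _UUID_RE.fullmatch(value):
        raise ValueError("not a canonical UUID: %r" % system_uuid)
    return value


def swap_first_three_fields(system_uuid):
    """Byte-reverse the first three fields; the last two are left untouched."""
    fields = normalize(system_uuid).split("-")
    swapped = [bytes.fromhex(f)[::-1].hex() for f in fields[:3]]
    return "-".join(swapped + fields[3:])


def is_same_instance(stored_id, reported_uuid):
    """True if the reported UUID matches the stored ID in either byte order."""
    stored = normalize(stored_id)
    reported = normalize(reported_uuid)
    return stored == reported or stored == swap_first_three_fields(reported)


def resolve_instance_id(stored_id, reported_uuid):
    """Keep the stored ID when only endianness changed, so nothing is
    reprovisioned; adopt the reported UUID for a first boot or a real change."""
    if stored_id is not None and is_same_instance(stored_id, reported_uuid):
        return normalize(stored_id)
    return normalize(reported_uuid)


if __name__ == "__main__":
    after_kernel_change = swap_first_three_fields(SAMPLE_UUID)
    print(after_kernel_change)
    print(resolve_instance_id(SAMPLE_UUID, after_kernel_change))
```

Because the swap is its own inverse, the same check covers both directions in the test cases: unaffected to affected kernel, and affected to fixed kernel.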
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
affects: linux (Ubuntu) → cloud-init (Ubuntu)
tags: added: kernel-da-key
Changed in cloud-init (Ubuntu):
assignee: nobody → Dan Watkins (daniel-thewatkins)
Changed in cloud-init (Ubuntu):
status: New → In Progress
Changed in linux (Ubuntu):
assignee: Dan Watkins (daniel-thewatkins) → nobody
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed
Changed in linux (Ubuntu Vivid):
status: New → Fix Committed
description: updated
description: updated
Changed in linux (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux (Ubuntu Vivid):
importance: Undecided → Critical
Changed in linux (Ubuntu Trusty):
assignee: nobody → Luis Henriques (henrix)
Changed in linux (Ubuntu Vivid):
assignee: nobody → Luis Henriques (henrix)
Changed in linux-lts-utopic (Ubuntu Vivid):
status: New → Invalid
Changed in linux-lts-utopic (Ubuntu Trusty):
status: New → Fix Committed
assignee: nobody → Luis Henriques (henrix)
Changed in linux-lts-utopic (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-keystone (Ubuntu Vivid):
status: New → Invalid
Changed in linux-keystone (Ubuntu):
status: New → Invalid
Changed in linux-keystone (Ubuntu Trusty):
status: New → Fix Committed
assignee: nobody → Luis Henriques (henrix)
importance: Undecided → Critical
description: updated
Changed in cloud-init (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Dan Watkins (daniel-thewatkins)
Changed in cloud-init (Ubuntu):
status: In Progress → Invalid
assignee: Dan Watkins (daniel-thewatkins) → nobody
Changed in cloud-init (Ubuntu Vivid):
status: New → Invalid
summary:
- Fix UUID endianness patch breaks cloud-init on Azure
+ [SRU] Fix UUID endianness patch breaks cloud-init on Azure
summary:
- [SRU] Fix UUID endianness patch breaks cloud-init on Azure
+ [SRU] Handle changing UUID endian-ness on Azure in cloud-init
tags: added: patch
Changed in linux (Ubuntu):
status: Confirmed → Invalid
no longer affects: linux-lts-utopic (Ubuntu)
no longer affects: linux-lts-utopic (Ubuntu Vivid)
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1551419
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.