Since it might affect the ability to log into a new spawned system I think this could be release-critical for Impish. Therefore I flagged it like that for now - please feel free to downgrade once the root cause is known and you think a lower rating is appropriate.
** Description changed: Hi, I got to this by my systems complaining to be unable to do ssh-keygen after deployment. Example: $ uvt-kvm ssh --insecure impish-kvm 'ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N '\'''\''' Saving key "/home/ubuntu/.ssh/id_rsa" failed: Permission denied I found that is due to permissions after guest spawning: + /home/ubuntu/.ssh changed Old: drwx------ 2 ubuntu ubuntu 4096 Aug 17 08:20 .ssh/ New: drwxr-xr-x 2 root root 4096 Aug 17 08:17 .ssh/ - That beaks later things like ssh-keygen. uvt-kvm only does instruct cloud-init to place a key. This uses ssh_authorized_keys from https://cloudinit.readthedocs.io/en/latest/topics/modules.html?highlight=ssh_authorized_keys#authorized-keys Checked a few guests: I've seen this on - impish x86 - impish s390x I've not seen this on - bionic - focal - impish You might say - wait a minute impish in both lists. But it is the date: Bad com.ubuntu.cloud.daily:server:21.10:amd64 20210815 cloud-init 21.2-69-g65607405-0ubuntu1 Good com.ubuntu.cloud.daily:server:21.10:amd64 20210706 cloud-init 21.2-3-g899bfaa9-0ubuntu2 - And either this cloud-init version is broken or the underlying new impish image. I mounted the underlying cloud-image (without customization by cloud-init) and found that /home is empty (true for all those images). So to me that seems to be an issue in the new cloud-init that now is in those images. ** Also affects: cloud-init (Ubuntu) Importance: Undecided Status: New ** Changed in: cloud-init (Ubuntu) Importance: Undecided => Critical ** Tags added: rls-ii-incoming ** Description changed: Hi, I got to this by my systems complaining to be unable to do ssh-keygen after deployment. Example: $ uvt-kvm ssh --insecure impish-kvm 'ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N '\'''\''' Saving key "/home/ubuntu/.ssh/id_rsa" failed: Permission denied I found that is due to permissions after guest spawning: /home/ubuntu/.ssh changed Old: drwx------ 2 ubuntu ubuntu 4096 Aug 17 08:20 .ssh/ New: drwxr-xr-x 2 root root 4096 Aug 17 08:17 .ssh/ That beaks later things like ssh-keygen. uvt-kvm only does instruct cloud-init to place a key. This uses ssh_authorized_keys from https://cloudinit.readthedocs.io/en/latest/topics/modules.html?highlight=ssh_authorized_keys#authorized-keys Checked a few guests: I've seen this on - impish x86 - impish s390x I've not seen this on - bionic - focal - impish You might say - wait a minute impish in both lists. But it is the date: Bad com.ubuntu.cloud.daily:server:21.10:amd64 20210815 cloud-init 21.2-69-g65607405-0ubuntu1 Good com.ubuntu.cloud.daily:server:21.10:amd64 20210706 cloud-init 21.2-3-g899bfaa9-0ubuntu2 And either this cloud-init version is broken or the underlying new impish image. I mounted the underlying cloud-image (without customization by cloud-init) and found that /home is empty (true for all those images). So to me that seems to be an issue in the new cloud-init that now is in those images. + + Steps to reproduce + # if your host has no keys to push to the guest run ssh-keygen + # sync the latest broken images + $ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=impish + # spawn guest + $ uvt-kvm create --password=ubuntu i release=impish arch=amd64 label=daily + # wait for it and check the permissions + $ uvt-kvm wait i + $ uvt-kvm ssh i "ls -laF /home/ubuntu/" + drwxr-xr-x 2 root root 4096 Aug 17 08:17 .ssh/ -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to cloud-init. https://bugs.launchpad.net/bugs/1940233 Title: cloud-init in impish makes /home/ubuntu/.ssh root.root Status in cloud-init: New Status in cloud-init package in Ubuntu: New Bug description: Hi, I got to this by my systems complaining to be unable to do ssh-keygen after deployment. Example: $ uvt-kvm ssh --insecure impish-kvm 'ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa -q -N '\'''\''' Saving key "/home/ubuntu/.ssh/id_rsa" failed: Permission denied I found that is due to permissions after guest spawning: /home/ubuntu/.ssh changed Old: drwx------ 2 ubuntu ubuntu 4096 Aug 17 08:20 .ssh/ New: drwxr-xr-x 2 root root 4096 Aug 17 08:17 .ssh/ That beaks later things like ssh-keygen. uvt-kvm only does instruct cloud-init to place a key. This uses ssh_authorized_keys from https://cloudinit.readthedocs.io/en/latest/topics/modules.html?highlight=ssh_authorized_keys#authorized-keys Checked a few guests: I've seen this on - impish x86 - impish s390x I've not seen this on - bionic - focal - impish You might say - wait a minute impish in both lists. But it is the date: Bad com.ubuntu.cloud.daily:server:21.10:amd64 20210815 cloud-init 21.2-69-g65607405-0ubuntu1 Good com.ubuntu.cloud.daily:server:21.10:amd64 20210706 cloud-init 21.2-3-g899bfaa9-0ubuntu2 And either this cloud-init version is broken or the underlying new impish image. I mounted the underlying cloud-image (without customization by cloud-init) and found that /home is empty (true for all those images). So to me that seems to be an issue in the new cloud-init that now is in those images. Steps to reproduce # if your host has no keys to push to the guest run ssh-keygen # sync the latest broken images $ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=impish # spawn guest $ uvt-kvm create --password=ubuntu i release=impish arch=amd64 label=daily # wait for it and check the permissions $ uvt-kvm wait i $ uvt-kvm ssh i "ls -laF /home/ubuntu/" drwxr-xr-x 2 root root 4096 Aug 17 08:17 .ssh/ To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-init/+bug/1940233/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
