Amazon AWS Fix cloud-init in Ubuntu 12.10

Posted on Monday, April 15, 2013



This guide goes over fixing one bug in the cloud-init feature in Ubuntu 12.10.  The issue is this: when you create a user and give them a password, the password becomes "locked".


In cloud-init version 0.7, which is installed with the Ubuntu 12.10 AMIs, there is a bug: if you try to set the password for a user, it becomes locked.
The bug and its fix are covered here: https://bugs.launchpad.net/cloud-init/+bug/1096423 [1].  So it has been fixed, but the fix is not on the Ubuntu 12.10 AMI images yet (and I do not think it ever will be).  So here is my process for putting this fix into a 12.10 AMI and making your own AMI to use.




What is a locked password?


Well, if you are like me, you may have never locked or unlocked a password before.

To lock the password of a user named patman you would run this command.


> sudo passwd patman -l


What this really does is put an "!" in front of the password hash in the /etc/shadow file.

Run the following command to see it:


> sudo cat /etc/shadow | grep patman






In the output, the password field for patman starts with an exclamation point, which indicates that this user's password is locked and cannot be used.




To unlock a password run the following command



> sudo passwd patman -u
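
To check lock state across accounts rather than grepping one user at a time, the "!" convention described above can be read programmatically. This is an added example, not part of the original post; the shadow lines, the placeholder hashes and the state names are constructed for illustration.

```python
# Classify the password field of /etc/shadow-format entries.
# SAMPLE_SHADOW is constructed sample data; the hashes are placeholders.
SAMPLE_SHADOW = """\
root:*:15800:0:99999:7:::
ubuntu:!:15800:0:99999:7:::
patman:!$6$examplesalt$examplehash:15810:0:99999:7:::
alice:$6$examplesalt$examplehash:15810:0:99999:7:::
bob::15810:0:99999:7:::
"""


def password_state(field):
    """Return a label for the second (password) field of a shadow entry."""
    if field == "":
        return "empty"              # no password is required at all
    if field.startswith("!"):
        # "passwd -l" prepends "!" to the stored hash; "passwd -u" removes it.
        rest = field.lstrip("!")
        return "locked" if rest not in ("", "*") else "locked-no-hash"
    if field.startswith("*"):
        return "no-password"        # no usable hash was ever set
    return "usable"


def audit(shadow_text):
    """Map each user name to the state of its password field."""
    states = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue                # skip blank or malformed lines
        states[parts[0]] = password_state(parts[1])
    return states


if __name__ == "__main__":
    for user, state in audit(SAMPLE_SHADOW).items():
        print(f"{user:10} {state}")
```

On a real instance, pass the contents of /etc/shadow (read as root) to `audit()`; a user created with a password hash but reported as "locked" is the symptom this guide is about.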




The problem


The cloud-init tool that comes with Ubuntu 12.10 will always set the user's password to a locked state.

To show the problem, you first need an encrypted password:


> mkpasswd -m sha-512


For testing purposes I entered a password of "password", which gives me back the encrypted password of

$6$TRm3k.CXXZYpnch$YiHrvQvf1W6GA8YMUYj1lwbN/zM4RTcY3WCfMsMqGSs/rjua0iYztKzGMF3vmvIZsMcDcbFvBFkNh3Rh.pVp./



#cloud-config
# Add groups to the system
# The following adds the patman group.
groups:
  - patman

# Add users to the system. Users are added after groups are added.
users:
  - default
  - name: patman
    shell: /bin/bash
    gecos: Patrick Bailey
    primary-group: patman
    groups: admin
    lock-passwd: false
    passwd: $6$TRm3k.CXXZYpnch$YiHrvQvf1W6GA8YMUYj1lwbN/zM4RTcY3WCfMsMqGSs/rjua0iYztKzGMF3vmvIZsMcDcbFvBFkNh3Rh.pVp./
    ssh-import-id: None
    ssh-authorized-keys:
      - ssh-rsa AA…….



Here is the cloud-init file I created that will create the user patman and assign a password to him.  (It will also set up the ssh keys; I have omitted my actual public ssh key.)

I saved this file and called it cloud-init-test.txt




I try to create an EC2 instance using an Ubuntu 12.10 AMI, using this command:



> ec2-run-instances ami-0cdf4965 -b /dev/sda1=:8:true -k pats-keypair -t t1.micro  -g default --availability-zone us-east-1a --region us-east-1 -f cloud-init-test.txt


In this example it created a server at

ec2-54-224-143-80.compute-1.amazonaws.com

If I try to ssh over to it


> ssh ec2-54-224-143-80.compute-1.amazonaws.com


I can log in just fine, but my password is disabled.  Logging in as the Ubuntu user, I was able to see that the "!" was in the /etc/password file.





#cloud-config
# Add groups to the system
# The following adds the patman group.
groups:
  - patman

# Add users to the system. Users are added after groups are added.
users:
  - default
  - name: patman
    shell: /bin/bash
    gecos: Patrick Bailey
    primary-group: patman
    groups: admin
    lock-passwd: false
    passwd: $6$TRm3k.CXXZYpnch$YiHrvQvf1W6GA8YMUYj1lwbN/zM4RTcY3WCfMsMqGSs/rjua0iYztKzGMF3vmvIZsMcDcbFvBFkNh3Rh.pVp./
    ssh-import-id: None
    ssh-authorized-keys:
      - ssh-rsa AA…….

runcmd:
  - [passwd, patman, '-u']



I tried to compensate for this issue by adding a command that simply unlocked my password after the fact, using the runcmd feature.




I again created another instance using the updated cloud-init-test.txt file


> ec2-run-instances ami-0cdf4965 -b /dev/sda1=:8:true -k pats-keypair -t t1.micro  -g default --availability-zone us-east-1a --region us-east-1 -f cloud-init-test.txt



This time getting


> ssh ec2-54-224-108-123.compute-1.amazonaws.com



This actually works….

But it does not work on EC2 instances within a VPC for some unknown reason (well, at least unknown to me :) ).  In a VPC the users' passwords remained locked, as if the runcmd never actually ran.




The Fix


I created a new instance without using a cloud-init file.  Then I updated the cloud-init code and saved this machine as a new AMI.  Then I created a new instance from this AMI.  (This AMI will be made in the west-2 region.)


Create the instance


> ec2-run-instances ami-a4b83294 -b /dev/sda1=:8:true -k west-pats-keypair -t t1.micro  -g default --availability-zone us-west-2a --region us-west-2


Log into this new machine


> ssh -i west-pats-keypair.pem ubuntu@ec2-54-214-126-83.us-west-2.compute.amazonaws.com



Update the Python cloud-init script


Update /usr/share/pyshared/cloudinit/distros/__init__.py


> sudo vi +266 /usr/share/pyshared/cloudinit/distros/__init__.py




You need to replace



        if ('lock_passwd' not in kwargs and
            ('lock_passwd' in kwargs and kwargs['lock_passwd']) or
            'system' not in kwargs):


With


        if (kwargs.get('lock_passwd', True) or kwargs.get('system', False)):




Save this file.
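
Why the original condition always locks the password: `and` binds tighter than `or`, and the first two clauses contradict each other, so the whole test collapses to `'system' not in kwargs`. The following is an added example (not code from cloud-init or from the original post) that evaluates both conditions from this page side by side; `kwargs` stands in for the per-user options reaching the condition, and the option sets in `CASES` are constructed.

```python
# Compare the lock decision before and after the one-line edit shown above.
# The two expressions are copied from the page; everything else is constructed.

def buggy_should_lock(kwargs):
    """Condition in the unpatched file (the lines the page says to replace)."""
    # Parsed as (A and B) or C. A requires the key to be absent, B requires it
    # to be present, so (A and B) is always False and only C decides.
    return bool('lock_passwd' not in kwargs and
                ('lock_passwd' in kwargs and kwargs['lock_passwd']) or
                'system' not in kwargs)


def fixed_should_lock(kwargs):
    """Condition after the edit shown on the page."""
    return bool(kwargs.get('lock_passwd', True) or kwargs.get('system', False))


# Constructed option sets; the second one matches the cloud-config in this guide.
CASES = [
    {},
    {'lock_passwd': False},
    {'lock_passwd': True},
    {'system': True},
    {'lock_passwd': False, 'system': True},
]


def compare(cases=CASES):
    """Return (options, buggy_result, fixed_result) for each option set."""
    return [(c, buggy_should_lock(c), fixed_should_lock(c)) for c in cases]


if __name__ == "__main__":
    for opts, buggy, fixed in compare():
        print(f"{str(opts):42} buggy locks={buggy!s:5} fixed locks={fixed!s:5}")
```

The `{'lock_passwd': False}` row is the case from this guide: the unpatched condition still locks the account, while the patched one leaves it unlocked.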



Create an AMI


Create an AMI from this machine (in my case the machine was called i-de7b62ec)


> ec2-create-image i-de7b62ec --name "Ubuntu 12.10 Fixed" --description "Ubuntu 12.10 Fixed" --region us-west-2


This created an AMI with an ID of ami-1eef782e.


Update the cloud-init-test.txt file

#cloud-config
# Add groups to the system
# The following adds the patman group.
groups:
  - patman

# Add users to the system. Users are added after groups are added.
users:
  - default
  - name: patman
    shell: /bin/bash
    gecos: Patrick Bailey
    primary-group: patman
    groups: admin
    lock-passwd: false
    passwd: $6$TRm3k.CXXZYpnch$YiHrvQvf1W6GA8YMUYj1lwbN/zM4RTcY3WCfMsMqGSs/rjua0iYztKzGMF3vmvIZsMcDcbFvBFkNh3Rh.pVp./
    ssh-import-id: None
    ssh-authorized-keys:
      - ssh-rsa AA…….


Basically just remove the runcmd section.




Create a new machine with this AMI and the updated cloud-init-test.txt file.


> ec2-run-instances ami-1eef782e -b /dev/sda1=:8:true -k west-pats-keypair -t t1.micro  -g default --availability-zone us-west-2a --region us-west-2 -f cloud-init-test.txt



Log into the new box


> ssh ec2-54-214-125-166.us-west-2.compute.amazonaws.com



Doing a quick test


> sudo echo hi



Success!!  It worked!


I also tried this out within a VPC and it worked!   I won't show the command here as a VPC can get very specific with all its subnets and such.   

This fix to the cloud-init tool works in a VPC.



References
[1] Password always locked? https://bugs.launchpad.net/cloud-init/+bug/1096423 (accessed 04/2013)
[2] Merge lp:~harlowja/cloud-init/fix-passwd into lp:cloud-init (accessed 04/2013)

