/srv/irclogs.ubuntu.com/2014/09/24/#maas.txt

=== jfarschman is now known as MilesDenver
=== jfarschman is now known as MilesDenver
=== jfarschman is now known as MilesDenver
=== jfarschman is now known as MilesDenver
=== jfarschman is now known as MilesDenver
=== jfarschman is now known as MilesDenver
=== jfarschman is now known as MilesDenver
=== CyberJacob|Away is now known as CyberJacob
=== CyberJacob is now known as CyberJacob|Away
=== jfarschman is now known as MilesDenver
=== kickinz1|afk is now known as kickinz1
=== jfarschman is now known as MilesDenver
=== jfarschman is now known as MilesDenver
=== jfarschman is now known as MilesDenver
=== jfarschman is now known as MilesDenver
=== jfarschman is now known as MilesDenver
rvbablake_r: I know this is very much in flux still but Jeroen and I filed a couple of bugs related to the work you're doing on the new import image stuff: https://bugs.launchpad.net/maas/+bugs?field.tag=boot-images12:38
=== jfarschman is now known as MilesDenver
=== jfarschman is now known as MilesDenver
blake_rrvba: thanks13:18
=== jfarschman is now known as MilesDenver
lamontjuju status14:24
lamontWARNING discarding API open error: read tcp 127.0.0.1:37017: i/o timeout14:24
lamontERROR Unable to connect to environment "maas".14:24
lamontany hints as to why the machine is mad?14:24
bladernr_Hey, I was wondering, is there an way to tell MAAS to NOT disable the ubuntu user password?  Is it MAAS or is it cloud-init/curtin that disables the user PW for Ubuntu?15:48
rbasakbladernr_: http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/view/head:/doc/examples/cloud-config.txt#L55415:50
rbasakDefine "disable" though.15:50
rbasakSince cloud images ship with no ubuntu user password set, what do you mean by MAAS disabling it?15:52
rbasakIt ships that way.15:52
bladernr_I have custom spun fast-path images that are built from a d-i preseed that include an ubuntu user and default password.  However, once the image is installed via MAAS (no juju here), using fast-path, when I ssh in and check /etc/shadow, the password for Ubuntu has been prepended with a '!' which disables it.15:58
bladernr_^^ I'll add that I'm blaming MAAS for now, I haven't had a chance to actually break into the FP image I created to verify for certain that it's not being munged during installation.  But I'm 80% sure it's not the image itself.15:59
bladernr_FWIW, the custom-spun bit is just "Boot a VM from an ubuntu ISO, d-i w/ pressed to install what I need, then tar the filesystem up so I can later pass it to MAAS"16:00
rbasakSo you're trying to introduce a vulnerability in your deployments, and something's stopping you? :)16:01
rbasakIt might be cloud-init. Or curtin. Nothing else will mess with the system that I'm aware of.16:01
rbasak(unless instructed via cloud-init or curtin)16:01
bladernr_It's not necessarily a vulnerability, it's for cert testing so the systems are only installed long enough to run tests16:01
rbasakOh, I see.16:01
bladernr_unfortunately, I need to be able to pass a sudo password to checkbox to authenticate when it needs root access on its own16:01
rbasakThen just using cloud-init is getting in your way here. But MAAS sort of assumes that.16:02
bladernr_checkbox runs root tests in a subshell on the system, so ssh key auth doesn't work.16:02
bladernr_mkay...  I'll do more digging on cloud-init then.  I looked at curtin and couldn't find anything yesterday that would do it. so that gives me a place to start.  Thanks!16:03
rbasaksmoser might know16:03
bladernr_^^ or a much better place to start at least.16:03
rbasakI wonder if there's a better way to do this though.16:03
rbasakMaybe supply a password at the time you request the machine, and let cloud-init set it up as designed instead of fighting it?16:03
rbasak(via userdata - see my link above)16:04
bladernr_maybe... another thing I didn't try was setting it directly in userdata.  That was going to be my next experiment, but I ran out o ftime and won't be able to get back to it until next week16:04
rbasakI would try that first, since that's the "regular" expected way of achieving this.16:05
bladernr_so one thing not clear in that link... it says By default in the UEC images password authentication is disabled16:05
bladernr_# Thus, simply setting 'password' as above will only allow you to login16:05
bladernr_# via the console.16:05
bladernr_so does that imply that setting the password there will disable the use of ssh keys for ssh logins?  so you would also need to set the ssh stuff in the next few lines?16:06
rbasakI think what it's saying is that _ssh_ password auth is disabled by default.16:06
bladernr_ahhh ok16:06
rbasakSo in addition to setting the password you need to explicitly enable ssh password auth.16:07
rbasakIn your images you may not need that.16:07
smoserbladernr_, its cloud-init that *creates* the ubuntu user.16:07
* rbasak did not know that16:08
bladernr_smoser: ok... so my images already have an ubuntu user, with a default password for certification.  so looks like in that case, cloud-init just preserves the user but disables the existing password16:08
smoserbladernr_, you can probably disable it. but i wonder why you care that it lets password auth in.16:09
smoserwhen in a working path, you'd have non-password auth, which is magically better.16:09
bladernr_smoser: because of checkbox.  I'm happy with ssh key auth for logging in via ssh, but when I run checkbox on test machines, it needs an active local password for root escalation because it runs some jobs in a subshell16:10
smoserwell, in that same working path, cloud-init would have set up passwordless sudo for the user :)16:10
smoserwhat i might suggest is that you just tell cloud-init that its default user is something other than ubuntu.16:11
smoserand then it will create and manage that user and not touch yours.16:11
smoser(alternatively, you could rename yours)16:11
bladernr_right, but even that didn't work. (it DID set up passwordless sudo) but, and I think it's policykit doing this, roadmr and zyga would know more, when checkbox runs, it still requires the password to work... :/16:11
smoserbladernr_, well, so 2 options then.16:12
bladernr_and you're right, actually just changing the default we use from ubuntu to certification or something would be far simpler a workaround16:12
smosera.) you don't create 'ubuntu', you use "fubuntu"16:12
roadmrbladernr_: if the user running checkbox has authorization for passwordless sudo, that should suffice for checkbox purposes16:12
bladernr_roadmr: it didn't yesterday :(16:12
bladernr_checkbox still prompted me and failed the auth...16:13
smoserb.) in user data or /etc/cloud/cloud.cfg you change 'name: ubuntu' to 'name: fubuntu'16:13
roadmrbladernr_: could you show me a screen cap of the prompt it used?16:13
bladernr_roadmr: not really, ive already torn the node down and packed up my maas server (and I'm in the air anyway, so not able to fire it up)16:13
smoseri guess also16:13
bladernr_roadmr: changing the user from 'ubuntu' to certification would be a much better solution anyway.16:14
smoserc.) you change /etc/cloud/cloud.cfg to have 'lock_passwd: False'16:14
bladernr_roadmr: simple and non-invasive.16:14
bladernr_smoser: rbasak thanks... I'll keep that in mind when I get back to playing with these custom images.  and thanks for helping me understand better how this all works together.16:14
roadmrbladernr_: that can be done in the curtinator preseed (I'm assuming that's what you used to generate the image). Look at passwd/username; or you could add an additional user in the late_command16:15
=== bladernr_ is now known as bladernr_30kFeet
bladernr_30kFeetroadmr: yeah, I know and that's what I'll do.  (plus play around a bit more with coud-config to better learn how it works.16:16
roadmrbladernr_30kFeet: ok... do let me know when you're on the ground, we can definitely figure this one out16:16
=== roadmr is now known as roadmr_afk
gmballenap: Do you have any advice for testing stuff done with callLater()? At  the moment I’m just mocking the reactor, but that seems like not a very good test.19:13
gmbs/seems like/is/19:13
allenapgmb: twisted.internet.task.Clock19:24
allenapgmb: You might have used it before. It implements IReactorTime, which is a subset of what a whole reactor provides, but it’s probably enough.19:25
gmballenap: Sorry, I’m not quite getting what you’re suggesting I do with Clock there.19:26
allenapgmb: Create an instance of Clock and pass it into whatever you’re calling, pretending that the clock is the reactor.19:26
gmballenap: OIC. With you now. Thanks.19:27
allenapgmb: There are some examples around the codebase. You get to choose when the delayed calls are called. Otoh, you could also use reactor.getDelayedCalls() to see what’s pending (and cancel if you want), or use reactor.runUntilCurrent() to actually call things (assumes that the call you’re interested in is the only delayed call).19:30
gmballenap: Okay, thanks.19:31
gmballenap: Whichever of those approaches I choose, I end up with an UncleanReactorError19:32
gmb(So I’m probably doing something rong)19:33
gmbhang on, lemme paste the test case…19:33
=== CyberJacob|Away is now known as CyberJacob
gmbs/TestCase/diff/19:33
gmballenap: http://paste.ubuntu.com/8420350/ line 212ish19:34
allenapgmb: Okay, I can recreate it, I’ll see what I can figure out.19:40
gmballenap: Much obliged squire. I’ll check back in a bit later.19:41
allenapgmb: Try using: callLater(0, …)19:54
allenapi.e. zero delay.19:54
allenapgmb: Actually, there’s something else going on…19:55
=== roadmr_afk is now known as roadmr
allenapgmb: Here’s what I’ve come up with: http://paste.ubuntu.com/8420574/20:21
gmballenap: Grand! Thanks.20:28

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!