SnoFox | Hello. I have an Amazon Linux 2 VM that seems to have removed the cloud-init binary and systemd units. I feel like I'm misunderstanding the purpose of the tool - I don't see anything funny in userdata to cause that nor am I finding anything in the docs about persistence. Is this expected or is Amazon doing weird things? | 00:51 |
---|---|---|
MKS2020 | Hello, I’d like to report a bug at line https://github.com/canonical/cloud-init/blame/8116493950e7c47af0ce66fc1bb5d799ce5e477a/cloudinit/ssh_util.py#L260, not sure if this IRC channel is the right place. | 13:50 |
MKS2020 | cloud-init’s code by default makes the wrong assumption that all users are using a private .ssh folder for authorized_keys. | 13:52 |
gnulnx | meena: Chef isn't even being installed. The initial directories are created, but there is no chef-client binary, and the logs just say "running module chef ... failed", and "Ran chef but it failed!" | 13:57 |
gnulnx | The cloud-init logs ^ | 13:57 |
MKS2020 | But the `AuthorizedKeysFile` directive in sshd_config could be used to have a system-wide folder with user keys which are managed by configuration management systems, for example puppet. The idea is to have a configuration like `AuthorizedKeysFile /etc/ssh/authorized_keys/%u` to prevent users from managing their authorized_keys, or to prevent a user who has sudo permissions on the host from rootkitting other users. The folder `/etc/ssh/authorized_keys/` and all files inside are owned by root, because users shouldn’t be able to modify these files. When cloud-init changes the mode of such a folder to 700, it breaks the whole concept. | 13:58 |
MKS2020 | So before applying 700 to the folder defined in `AuthorizedKeysFile`, cloud-init needs to validate that the folder is located within the user’s HOME folder. | 14:07 |
meena | gnulnx: how is chef being installed? | 14:30 |
gnulnx | meena: `install_type: "omnibus"` | 14:32 |
meena | MKS2020: do you think you can patch that? | 14:32 |
meena | gnulnx: ooohhh, aah? okay? | 14:32 |
gnulnx | One sec, I'm pasting my config | 14:32 |
MKS2020 | meena: yes, https://github.com/canonical/cloud-init/pull/149 | 14:32 |
meena | MKS2020: I haven't looked at GitHub all day, I'm in a new paid job… and I've mostly been busy setting up my laptop, 😆 | 14:33 |
meena | MKS2020: did you look at https://github.com/canonical/cloud-init/blob/master/HACKING.rst ? | 14:34 |
MKS2020 | hehe, it can wait. Right now we’re fixing this issue with runcmd: "awk '/^AuthorizedKeysFile/ {print $2}' /etc/ssh/sshd_config | xargs dirname | xargs chmod 755" in our code, but it’s really hard to use our own AMIs across different accounts and departments :) | 14:35 |
gnulnx | meena: https://gist.github.com/kylejohnson/e44a1d72b634dd7fade4fc830f2a7ae6 is what I have | 14:36 |
MKS2020 | meena: yep, I’m in the middle of https://ubuntu.com/legal/contributors/agreement now | 14:36 |
meena | MKS2020: oh. that was simpler than I thought… also: can you show us your cloud-init config that lets you do / break that? (as a comment to the PR perhaps) | 14:37 |
MKS2020 | meena: ok, I’ll describe the steps to reproduce the bug | 14:38 |
MKS2020 | meena: what should I write in `Please add the Canonical Project Manager or contact` ? | 14:40 |
meena | MKS2020: that would be powersj | 14:40 |
meena | gnulnx: we don't even capture if anything goes wrong in the installer: https://github.com/canonical/cloud-init/blob/master/cloudinit/config/cc_chef.py#L308 | 14:44 |
meena | gnulnx: so, I'd start by toggling that flag, and seeing if you get more useful output. | 14:44 |
gnulnx | Just toggle Capture and re-run? | 14:45 |
meena | gnulnx: set capture=True; run cloud-init clean --logs --reboot ; and enjoy the show | 14:47 |
gnulnx | thank ya | 14:50 |
gnulnx | I've been doing rm -rf sem; cloud-init -d single --name chef | 14:51 |
gnulnx | Would that get me (close to) the same result? | 14:51 |
gnulnx | meena: https://gist.github.com/kylejohnson/1a157062f1bccc7106e9de2ed5cd639e | 14:54 |
gnulnx | That's interesting. It doesn't like any of my chef keys | 14:55 |
MKS2020 | meena: I’ve submitted the agreement and added steps to reproduce in the MR. Let me know if some information is needed/missing from my side. | 14:55 |
=== tds3 is now known as tds | ||
meena | 15:51 <gnulnx> Would that get me (close to) the same result? ⬅️ no. clean nukes /var/lib/cloud-init and /run/cloud-init | 19:02 |
meena | https://cloudinit.readthedocs.io/en/latest/topics/modules.html#chef this documentation seems to be incomplete, and, confusing | 19:09 |
gnulnx | meena: Yeah, that's what I found too. The documentation doesn't look up to date. | 19:19 |
meena | gnulnx: which version are you on, btw? | 19:22 |
gnulnx | meena: 19.3-41 | 19:23 |
meena | let's open… at least one bug, gnulnx . | 19:24 |
gnulnx | Oh what's that? | 19:27 |
gnulnx | So I added `validation_name: test` and it actually installed chef this time | 19:27 |
gnulnx | Installed, daemonized and forked | 19:28 |
meena | gnulnx: so that's that then | 19:55 |
gnulnx | yup | 20:03 |