EvanCarroll(question about hostnames/fqdn and not getting the hostname set to fqdn)00:41
jorjickHi all. Do I understand correctly that scripts/per-instance does not work with NoCloud data source (iso)?00:42
EvanCarrolloh my god.01:01
EvanCarrollthat's a bu.01:01
jorjickAlready found. It's not implemented yet. Thanks all.01:01
EvanCarrollfiled the bug here https://bugs.launchpad.net/cloud-init/+bug/196653301:19
ubottuLaunchpad bug 1966533 in cloud-init "fqdn does not accept terminal dot" [Undecided, New]01:19
minimaljorjick: look at logs for a machine using NoCloud (ISO) I do see log entries for "Running module scripts-per-instance"01:22
minimaljorlick: in your /etc/cloud/cloud.cfg, in the cloud_final_modules section does the list include screipts-per-instance?01:23
jorjickminimal: Thank You, but I already see log entries, try adding scripts-per-instance. And recently found that https://github.com/canonical/cloud-init/blob/main/cloudinit/sources/DataSourceNoCloud.py looks only "meta-data", "user-data", "vendor-data" and "network-config"01:27
minimaljorjick: the only DataSources that make any mention of scripts are OVF and SmartOS02:23
minimalI believe you are supposed to place the per-instance script in the /var/lib/cloud/scripts/per-instance/ directory of the OS image you are booting, not to supply them as part of the NoCloud ISO02:24
minimaljorjick: ah, this looks more relevant: https://cloudinit.readthedocs.io/en/latest/topics/format.html?highlight=per-instance#examples02:28
minimalcreating a multi-part MIME encoded user-data file...02:28
jorjickminimal: With trying multi-part MIME encoded user-data get tthis error: fileUnhandled unknown content-type (text/x-shellscript-per-instance) userdata: 'b'#!/usr/bin/env bash04:07
EvanCarrollWould someone tell me if this is sane and good practice (installing a user's private and public keys with terraform/cloud-init) https://devops.stackexchange.com/q/15628/1896518:59
minimalEvanCarroll: which DataSource are you using?19:21
minimalthe problem is that in general user-data is not very "secure" - if its being obtained from a metadata server then potentially someone else could query that, if it is coming from an ISO (i.e. NoCloud) then how is the ISO secured?19:23
EvanCarrollI'm supplying user-data (which is a cloud-init) I'm providing values that I read from file(), produced externally by a makefile.19:24
minimaland how do you provide those? which cloud-init DataSource is being used? NoCloud?19:25
EvanCarrollI'm not using any datasource.19:26
minimalyou must be, cloud-init uses datasources...19:26
minimalhow else can cloud-init get user-data?19:26
EvanCarrollFrom a template variable...19:26
minimala template where?19:27
minimallook at the /var/log/cloud-init.log on the machine do see which DataSource is being used19:27
EvanCarrollresource "openstack_compute_instance_v2" "test-server" { user_data  = data.template_file.user_data.rendered }19:27
minimalthat sounds like you are using the OpenStack DataSource then...19:27
EvanCarroll2022-03-26 06:30:25,599 - stages.py[INFO]: Loaded datasource DataSourceOpenStackLocal - DataSourceOpenStackLocal [net,ver=2]19:27
minimalso you are using that as your DataSource19:28
EvanCarrollis that a problem?19:29
minimalso the point, in that scenario, I'm making is that the user-data can be access via
minimaland so if you are embedding private keys in the user-data then some other person/program could potentially fetch them from that url19:30
EvanCarrolloh, that's terrifying19:30
EvanCarrollso what's the right way to do this?19:31
minimalthat's why I would say it would be better to generate keys on the machine and then use something like the phone-home module to "post" the public keys to another server (like your Git server)19:31
EvanCarrollYea, but that's just putting off the problem. How will the server that genreates the keys know how ot authenticate with the git server?19:33
minimalI meant that you use phone_server to trigger something to copy the public keys into authorized_keys in any other machines (such as Git server) that needs to trust the user on the cloud-init configured machine19:35
EvanCarrollI'm not sure I understand. So terraform is provisioning a new box Foo, and Foo generates keys and uses phone home to send them to an end-point which stores them in the authorized_keys?19:39
EvanCarrollHow do I make this end-point (which stores the keys in authorized_keys) authenticated such that a hostile user can't post new keys to it, and get access to the trusted resource?19:40
minimalyou mentioned a git server - so on the new machine Foo if you've used user-data to create a user "evan" then I assume you want that account to get able to access git via SSH. So therefore you need to get the public key created for user "evan" into the ~/.authorized_keys file for whichever user is used on the git server19:42
minimalhow you do this is up to you. I suggested as phone-home module as one way to get the public key out, there are multiple other possible methods.19:42
minimale.g. if you use something like Ansible/Puppet/Salt to manage boxes then they could retrieve it as part of their initial work on the box19:43
minimalor in the user-data you could use "runcmd" to run some command to push it out, or you could pull it from another box19:44
EvanCarrollYes, but I don't want a new user on machine Foo to be able to post their own keys to the post-home end point and then obtain access to the SSH box.19:44
minimalOk. I merely pointed out that user-data is not a very secure method to provide *private* keys via19:45
EvanCarrollRight but all of these are just begging the question: whether I push the key _itself_ to the box, or the authentication secret to end point that phone-home users to supply a key, how do I get either that key or that authentication secret on the box?19:45
minimalyou could push it via Ansible/Puppet etc if you use those already19:46
minimalor via a another mechanism (i.e. rsync) etc19:46
EvanCarrollI mean, that's one method that would work, and I guess I could rsync it too with like a local-command.19:46
EvanCarrollor whatever in terraform19:46
EvanCarrollso yeah, that's undesirable but that makes sense to me ansible/rsync.19:46
minimalin an AWS context, Amazon have this to say about user-data:19:47
minimal"Although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods. Anyone who has direct access to the instance, and potentially any software running on the instance, can view its metadata. Therefore, you should not store sensitive data, such as passwords or long-lived encryption keys, as user data."19:47
minimalnote the last sentence19:48
EvanCarrollSo just to be clear, when provisioning a machine there is no method `openstack_compute_instance_v2` provides to send private data to the machine that doesn't proxy it to a publically available meta-data end point19:48
minimalthe meta-data, network-config, and user-data is provided via the (metadata server) url19:49
EvanCarrollyep, well. That's perfect, I wish https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/compute_instance_v2 had a notice like that.19:49
minimalI guess its a general "well known fact" (i.e. not so well known) that user-data isn't secure19:50
EvanCarrollYeah, well I'm pretty new to terra-form, but I thought the only vulnerability was that it was stored in tfstate19:51
EvanCarrollI didn't realize it was publically available and unencrypted.19:51
minimalits ok for ssh *public* keys, just not for private keys19:51
EvanCarrollGood thing I ask first!19:51
minimalI'm not sure what, if any, security features Openstack may have to reduce the access to it19:52
minimalah, here we go: https://docs.openstack.org/nova/rocky/admin/security.html19:52
minimal"OpenStack supports encrypting Compute metadata traffic with HTTPS"19:52
minimalthat seems to rely on TLS client certs (unless you set "nova_metadata_insecure" to True)19:53
minimalso then its a question of how to handle client certs in your VMs (i.e. you'd need to have them already in the VM image in order for metadata server requests to work)19:54
minimalEvanCarroll: I see you're getting similar opinions in the terraform channel20:15

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!