Bug 1865715 - user lockout with cloud-init RHEL8
Summary: user lockout with cloud-init RHEL8
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: cloud-init
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Eduardo Otubo
QA Contact: Huijuan Zhao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-08-03 23:46 UTC by Dan
Modified: 2024-11-20 07:51 UTC
CC List: 13 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-20 11:53:06 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Dan 2020-08-03 23:46:36 UTC
Description of problem:

We are seeing multiple cases due to customers snapshotting their VMs and restoring them (such as backup and restore); they are also creating new specialized images from previously created generalized images.
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/imaging#generalized-and-specialized

On the restore of the VM, the customer does not go through provisioning; when the customer tries to ssh in, the password auth fails.

cloud-init commit: https://github.com/canonical/cloud-init/commit/e1b4b8c903fed3b69e57ec08c17ce94097d55901#diff-e0eb215db26e21dbe2d98455fea68595

Launchpad bug: https://bugs.launchpad.net/cloud-init/%2Bbug/1849677

Details:

When provisioning a VM on Azure, cloud-init uses /dev/sr0 to find ovf-env.xml.
Since the instance is new, cc_users_groups, which runs "per instance", adds my user, which is configured with a password (not an ssh key), to the system.

Now cloud-init copies ovf-env.xml to /var/lib/waagent/ to be used as a cache.
But the password is changed to REDACTED.

Notice that on following boots, when cloud-init loads DataSourceAzure, it uses /var/lib/waagent/ovf-env.xml, where the password is REDACTED and is therefore treated as no password:
https://github.com/cloud-init/cloud-init/commit/8af1802c9971ec1f2ebac23e9b42d5b42f43afae#diff-e0eb215db26e21dbe2d98455fea68595R601
So DataSourceAzure does not configure defuser["lock_passwd"] = False; it is True by default, and now the defuser configuration contains a directive to lock this user account.

Usually everything works and the user never gets locked, since we are using the same instance and cc_users_groups never gets invoked (it is a per-instance action), but when the instance id does change (when exporting the disks to a different machine) the user will get locked by create_user() with defuser["lock_passwd"] = True.


Ask: Can this commit be added to the existing cloud-init package to avoid the increase of support cases?
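
The mechanism described in this report, modelled in Python as an added example (this is not cloud-init's own code). It walks the three steps the reporter lists: the provisioning-time ovf-env.xml is read, a cached copy with the password replaced by REDACTED is written, and on a later boot the cached copy feeds the default-user config. The `fixed` flag switches between the pre-fix rule (clear `lock_passwd` only when a real password is present) and the post-fix rule (clear it whenever any password value, including the REDACTED placeholder, is present); that post-fix shape is an assumption made here for illustration, not a quotation of the upstream commit. The XML, user name and password are constructed, and `hash_password` is a labelled stand-in for cloud-init's SHA-512 crypt hashing.

```python
"""Model of cloud-init's Azure default-user handling before and after
the lock_passwd fix. Added illustration, not cloud-init's own code."""

import xml.etree.ElementTree as ET

# Marker cloud-init writes into the cached copy in place of the password.
DEF_PASSWD_REDACTION = "REDACTED"

# Constructed sample of what /dev/sr0 carries on the provisioning boot.
OVF_ENV_FRESH = """<?xml version="1.0" encoding="utf-8"?>
<Environment xmlns="http://schemas.dmtf.org/ovf/environment/1"
             xmlns:wa="http://schemas.microsoft.com/windowsazure">
  <wa:ProvisioningSection>
    <wa:LinuxProvisioningConfigurationSet>
      <wa:HostName>vm2</wa:HostName>
      <wa:UserName>azureuser</wa:UserName>
      <wa:UserPassword>s3cret-example</wa:UserPassword>
    </wa:LinuxProvisioningConfigurationSet>
  </wa:ProvisioningSection>
</Environment>
"""

WA = "{http://schemas.microsoft.com/windowsazure}"  # Clark-notation prefix


def read_ovf(xml_text):
    """Return (username, password) from the LinuxProvisioningConfigurationSet."""
    root = ET.fromstring(xml_text)
    user = root.find(f".//{WA}UserName")
    pw = root.find(f".//{WA}UserPassword")
    return (user.text if user is not None else None,
            pw.text if pw is not None else None)


def redact_for_cache(xml_text):
    """Produce the copy kept under /var/lib/waagent/: password replaced by REDACTED."""
    root = ET.fromstring(xml_text)
    for pw in root.iter(f"{WA}UserPassword"):
        pw.text = DEF_PASSWD_REDACTION
    return ET.tostring(root, encoding="unicode")


def hash_password(password):
    """Stand-in (assumption) for cloud-init's encrypt_pass; not a real hash."""
    return f"<sha512-crypt of {len(password)}-char password>"


def default_user_cfg(username, password, fixed):
    """Build the default_user entry that cc_users_groups hands to create_user().

    fixed=False: pre-fix rule. lock_passwd is only cleared when a real password
    is present, so the REDACTED cached value leaves the default (True) in place
    and create_user() locks the account on the next per-instance run.
    fixed=True:  assumed post-fix rule. Any password value, REDACTED included,
    clears lock_passwd; only a real password sets a new hash.
    """
    defuser = {"lock_passwd": True}  # cloud-init's default for new users
    if username:
        defuser["name"] = username
    if fixed:
        if password:
            defuser["lock_passwd"] = False
            if password != DEF_PASSWD_REDACTION:
                defuser["passwd"] = hash_password(password)
    else:
        if password and password != DEF_PASSWD_REDACTION:
            defuser["passwd"] = hash_password(password)
            defuser["lock_passwd"] = False
    return defuser


def would_lock_on_instance_change(fixed):
    """Boot with a changed instance-id reading the cached copy: is the user locked?"""
    cached = redact_for_cache(OVF_ENV_FRESH)
    name, pw = read_ovf(cached)
    return default_user_cfg(name, pw, fixed)["lock_passwd"]


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "pre-fix", "->",
              "locked" if would_lock_on_instance_change(fixed) else "not locked")
```

Note that on the first boot both rules agree (a real password clears `lock_passwd` and sets a hash); the behaviour only diverges when the cached, redacted copy is the input, which is exactly the instance-id-change case the report describes.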

Comment 1 Yuxin Sun 2020-08-06 07:22:27 UTC
Hi Eduardo,

I think this patch is already in cloud-init-19.4-7.el8. Could you please double confirm that? Thanks!


I can reproduce this issue in cloud-init-18.5-12.el8_2.1 but cannot reproduce it in cloud-init-19.4-7.el8.

Steps:
1. Create a VM on Azure with password authentication
# az vm create --name wala82ondpwtest208050913-vm2 --resource-group wala82ondpwtest208050913 --image "RedHat:RHEL:8.2:latest" --size "Standard_DS1_v2" --admin-username "azureuser" --admin-password <password> --boot-diagnostics-storage wala82ondpwtest208050913 --use-unmanaged-disk --storage-account wala82ondpwtest208050913 --storage-container-name vhds
2. Remove the instance cache folder
# rm -rf /var/lib/cloud/instances/<id>
* Suggest adding a user account manually with sudo permission; otherwise you cannot log in after the following steps.
3. Reboot
4. Try to login with "azureuser" and <password>

Actual result:
Cannot log in. Check /etc/shadow and find that the azureuser password has been locked.
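
The check behind the "Actual result" above, as an added example that is not part of the comment: it reads shadow entries and reports which accounts carry the `!`-prefixed hash that `passwd -l` / `usermod -L` (and therefore create_user() with lock_passwd=True) leaves behind, distinguishing that from accounts that simply never had a password. The shadow excerpt is constructed; pass a real path as the first argument to run it against a host after a restore or image rebuild.

```python
"""Report locally locked accounts from /etc/shadow. Added example, not
from the bug report. Default input is a constructed sample."""

import sys

# Constructed /etc/shadow excerpt. The second field is the password hash:
#   "!" prefix on a hash -> locked (passwd -l / usermod -L / lock_passwd)
#   "*", "!!", "!*"      -> no usable password was ever set
#   ""                   -> empty password
SAMPLE_SHADOW = """\
root:$6$examplesalt$examplehash:18800:0:99999:7:::
azureuser:!$6$examplesalt$examplehash:18800:0:99999:7:::
rescue:$6$othersalt$otherhash:18800:0:99999:7:::
nologin:*:18800:0:99999:7:::
"""


def password_state(hash_field):
    """Classify one shadow hash field."""
    if hash_field == "":
        return "empty"
    if hash_field in ("*", "!!", "!*"):
        return "none"
    if hash_field.startswith("!"):
        return "locked"
    return "set"


def parse_shadow(text):
    """Map user name -> password state, skipping blank and malformed lines."""
    states = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        states[fields[0]] = password_state(fields[1])
    return states


def locked_users(text, candidates=None):
    """Users whose password is locked; restrict to `candidates` if given."""
    states = parse_shadow(text)
    names = candidates if candidates is not None else states
    return sorted(u for u in names if states.get(u) == "locked")


if __name__ == "__main__":
    # Reading the real file needs root; the sample is used when no path is given.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SHADOW
    for user, state in sorted(parse_shadow(text).items()):
        print(f"{user}: {state}")
    print("locked:", ", ".join(locked_users(text)) or "(none)")
```

Running it before the reboot in step 3, with the admin user as candidate, tells you whether the account is still usable; running it afterwards confirms the lockout without relying on a failed ssh attempt.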

Comment 3 Eduardo Otubo 2020-08-20 11:53:06 UTC
(In reply to Yuxin Sun from comment #1)
> Hi Eduardo,
> 
> I think this patch is already in cloud-init-19.4-7.el8. Could you please
> double confirm that? Thanks!
> 
> 
> I can reproduce this issue in cloud-init-18.5-12.el8_2.1 but cannot
> reproduce it in cloud-init-19.4-7.el8.
> 
> Steps:
> 1. Create a VM on Azure with password authentication
> # az vm create --name wala82ondpwtest208050913-vm2 --resource-group
> wala82ondpwtest208050913 --image "RedHat:RHEL:8.2:latest"             --size
> "Standard_DS1_v2" --admin-username "azureuser"        --admin-password
> <password> --boot-diagnostics-storage wala82ondpwtest208050913 
> --use-unmanaged-disk --storage-account wala82ondpwtest208050913
> --storage-container-name vhds
> 2. Remove the instance cache folder
> # rm -rf /var/lib/cloud/instances/<id>
> * Suggest to add a user account manually with sudo permission. Or you cannot
> login after the following steps.
> 3. Reboot
> 4. Try to login with "azureuser" and <password>
> 
> Actual result:
> Cannot login. Check the /etc/shadow and find that the azureuser password has
> been locked.

Yes, I can confirm the patch is in the repository, closing the bug.

