2411780 – nmap-ncat prevents cloud-init from running

Bug 2411780 - nmap-ncat prevents cloud-init from running

Summary: nmap-ncat prevents cloud-init from running

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	cloud-init
Sub Component:
Version:	43
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Jeremy Cline
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-01 19:46 UTC by Brian Cunnie
Modified:	2025-11-03 19:52 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2025-11-03 19:28:57 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Brian Cunnie 2025-11-01 19:46:59 UTC

The wrong variant of netcat can derail cloud-init because it doesn't have the expected option "-W".

There are two RPM packages of netcat: netcat (the original) and nmap-ncat (Nmap's Netcat replacement). The latter does not implement the -W flag, which is used by the cloud-init systemd files:

grep -- -W /etc/systemd/system/cloud-init.target.wants/cloud-*
  /etc/systemd/system/cloud-init.target.wants/cloud-config.service:ExecStart=sh -c 'echo "start" | nc -Uu -W1 /run/cloud-init/share/config.sock -s /run/cloud-init/share/config-return.sock | sh'
  /etc/systemd/system/cloud-init.target.wants/cloud-final.service:ExecStart=sh -c 'echo "start" | nc -Uu -W1 /run/cloud-init/share/final.sock -s /run/cloud-init/share/final-return.sock | sh'
  /etc/systemd/system/cloud-init.target.wants/cloud-init-local.service:ExecStart=sh -c 'echo "start" | nc -Uu -W1 /run/cloud-init/share/local.sock -s /run/cloud-init/share/local-return.sock | sh'

When the wrong netcat is selected (e.g. "sudo alternatives --config nc"), then the cloud-init scripts will not run, but will emit an error in the boot log.

From /var/log/boot.log

[    4.893038] sh[1025]: nc: invalid option -- 'W'
[    4.893261] sh[1025]: Ncat: Try `--help' or man(1) ncat for more information, usage options and help. QUITTING.

Reproducible: Always

Steps to Reproduce:
1. Fedora 43:  with nmap-ncat as the default
   sudo alternatives --config nc
   choose "/usr/bin/ncat"
2. sudo systemctl restart cloud-config
2. sudo journalctl -xeu cloud-config
   nc: invalid option -- 'W'

Actual Results:
The VM that's deployed using cloud-init doesn't have any customizations, not even network addresses.

Expected Results:
A properly configured VM with cloud-init customizations.

Additional Information:
The default Fedora 43 Server install includes both variants of netcat, and unfortunately defaults to the one that breaks cloud-init.

Comment 1 Jeremy Cline 2025-11-03 19:28:57 UTC

Hi Brian,

This should actually work in Rawhide Server images (and so also in Fedora 44 when it arrives) due to https://github.com/canonical/cloud-init/pull/6339. Unfortunately the ship has sailed for Fedora 43 Server images since they aren't refreshed after release. I do know cloud-init does work in the Fedora Cloud images since that's where all the testing happens, so you can use those for your Fedora 43 VMs.

Comment 2 Brian Cunnie 2025-11-03 19:52:39 UTC

Nice work, Jeremy! Thanks.

Note You need to log in before you can comment on or make changes to this bug.