Posted to dev@cloudstack.apache.org by Tim Mackey <tm...@gmail.com> on 2014/12/08 17:10:44 UTC

[DISCUSS] Issues with Ubuntu instance creation

I've been working through a series of issues getting Ubuntu 12.04 LTS
templates to provision correctly, and I *think* most are really doc issues,
but before I run off and update docs I wanted to confirm that I'm doing the
right thing.  Here's my list of issues, and what I did to get past my
"issue".  My documentation source is:
http://cloudstack-administration.readthedocs.org/en/latest/templates.html.
My CloudStack is 4.4.

1. The docs make no mention of an Ubuntu change password script, and Google
returns Shankar's GitHub scripts as option #4.  Unfortunately, that script
has a user of "ubuntu" hardcoded into it, so unless your template has an
"ubuntu" user, it's not going to work.  I haven't tried to use the stock
CloudStack password change script in my template, but have found references
to it not working as expected.  For my purposes, I changed Shankar's script
to use a "root" user, but this leaves the following questions open:

- Does the current CloudStack script work with Ubuntu 12.04 and later?  If
so, I vote the docs be updated to reflect support for Ubuntu 12.04 and
later; with the objective of both clarifying the docs and helping boost our
docs to a higher rank than Shankar's GitHub.

- If the current CloudStack script doesn't work with Ubuntu 12.04 LTS,
should a JIRA ticket be entered to resolve this, or should we have multiple
scripts available and effectively incorporate Shankar's work more
officially?

2. The docs recommend setting the password to expire, but when the change
password script runs, that flag is cleared and the user isn't prompted to
reset the root password.  That leaves the following question in my mind.

- Is our password intended to be a one-time use password?  If so, then the
password change script should reset expiration forcing a new one to be
set.  If not, then should we not remove the "expire password"
recommendation from the docs?

3. The script in the docs covering clearing the logs (step 6) doesn't
include clearing syslog.  Recommend updating the script to include:  cat
/dev/null > /var/log/syslog 2>/dev/null

4. The script in the docs covering clearing of command history (step 9)
doesn't clear the in memory history.  Recommend updating the script to
become:  cat /dev/null > ~/.bash_history && history -c && unset HISTFILE &&
halt -p.  This would also remove the shutdown step (step 10).

5. The script to set the hostname has a race condition which effectively
means it rarely sets the hostname correctly on initial boot.  I've attached
the script I used.  It doesn't depend upon the leases file being present,
and took care of some alternate "blank" hostname cases I encountered while
debugging.

I'm happy to update the docs, but want to make certain what I've
encountered as issues are things we care about updating.

-tim

Re: [DISCUSS] Issues with Ubuntu instance creation

Posted by John Kinsella <jl...@stratosec.co>.
> On Dec 8, 2014, at 8:10 AM, Tim Mackey <tm...@gmail.com> wrote:
> 
> I've been working through a series of issues getting Ubuntu 12.04 LTS templates to provision correctly, and I *think* most are really doc issues, but before I run off and update docs I wanted to confirm that I'm doing the right thing.  Here's my list of issues, and what I did to get past my "issue".  My documentation source is: http://cloudstack-administration.readthedocs.org/en/latest/templates.html.  My CloudStack is 4.4.
> 
> 1. The docs make no mention of an Ubuntu change password script, and Google returns Shankar's GitHub scripts as option #4.  Unfortunately, that script has a user of "ubuntu" hardcoded into it, so unless your template has an "ubuntu" user, it's not going to work.  I haven't tried to use the stock CloudStack password change script in my template, but have found references to it not working as expected.  For my purposes, I changed Shankar's script to use a "root" user, but this leaves the following questions open:
> 
> - Does the current CloudStack script work with Ubuntu 12.04 and later?  If so, I vote the docs be updated to reflect support for Ubuntu 12.04 and later; with the objective of both clarifying the docs and helping boost our docs to a higher rank than Shankar's GitHub.

See [1]. It should work with 12.04LTS.

> - If the current CloudStack script doesn't work with Ubuntu 12.04 LTS, should a JIRA ticket be entered to resolve this, or should we have multiple scripts available and effectively incorporate Shankar's work more officially?
> 
> 2. The docs recommend setting the password to expire, but when the change password script runs, that flag is cleared and the user isn't prompted to reset the root password.  That leaves the following question in my mind.
> 
> - Is our password intended to be a one-time use password?  If so, then the password change script should reset expiration forcing a new one to be set.  If not, then should we not remove the "expire password" recommendation from the docs?

Some providers and cloud mgmt platforms keep a copy of the “current” root password as set by the reset script. That type of functionality is why there’s probably no “expire” in the change password script. I think your confusion is coming from the template section not being closely tied to the password management section - if one is making templates, they should reset the password so first login requires new password. This saves us from having thousands of VMs on the Internet with a default password. If a shop is making templates, and using password management - the password should be generated at VM creation and shouldn’t be an issue.

Either way - you really shouldn’t be logging into systems (VMs or physical) as root on a regular basis.

> 3. The script in the docs covering clearing the logs (step 6) doesn't include clearing syslog.  Recommend updating the script to include:  cat /dev/null > /var/log/syslog 2>/dev/null
> 
> 4. The script in the docs covering clearing of command history (step 9) doesn't clear the in memory history.  Recommend updating the script to become:  cat /dev/null > ~/.bash_history && history -c && unset HISTFILE && halt -p.  This would also remove the shutdown step (step 10).

Good points, although I’m not sure if “halt” is as safe as shutdown...

> 5. The script to set the hostname has a race condition which effectively means it rarely sets the hostname correctly on initial boot.  I've attached the script I used.  It doesn't depend upon the leases file being present, and took care of some alternate "blank" hostname cases I encountered while debugging.

Unfortunately ASF lists strip out attachments. 

> I'm happy to update the docs, but want to make certain what I've encountered as issues are things we care about updating.

Would love to have your changes. At the minimum, please create Jira tickets, but if/where possible we’d happily take either submitted code review requests or pull requests on github.

John

1: http://cloudstack-administration.readthedocs.org/en/latest/templates.html#adding-password-management-to-your-templates
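
An offline check for the template-preparation points raised in this thread (logs such as syslog left non-empty, leftover shell history, and a root password not marked expired), added here as an example and not taken from either message or from the CloudStack docs. The function names, finding labels and sample tree are constructed; it assumes the template filesystem is mounted or unpacked at a directory, and that an expired password appears as 0 in the third field of /etc/shadow.

```shell
#!/bin/sh
# Added example: audit an unpacked template root for residue before sealing.
# audit_template ROOT [USER] prints one finding per line; no output means clean.

audit_template() {
    root=$1
    user=${2:-root}

    # Any non-empty file under var/log (syslog included) is residue.
    (cd "$root" 2>/dev/null && find var/log -type f -size +0 2>/dev/null) \
        | sort | sed 's/^/LOG_NOT_EMPTY /'

    # On-disk shell history for root and for every home directory.
    for hist in "$root"/root/.bash_history "$root"/home/*/.bash_history; do
        if [ -s "$hist" ]; then
            echo "HISTORY_NOT_EMPTY ${hist#"$root"/}"
        fi
    done

    # Assumption: a forced change at first login shows as last-change = 0
    # in field 3 of the shadow entry.
    lastchg=$(awk -F: -v u="$user" '$1 == u { print $3 }' \
        "$root/etc/shadow" 2>/dev/null)
    if [ "$lastchg" != "0" ]; then
        echo "PASSWORD_NOT_EXPIRED $user"
    fi
    return 0
}

# Constructed sample tree standing in for a template that was not cleaned.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/var/log" "$r/root" "$r/home/ubuntu" "$r/etc"
    echo "Dec  8 17:10:44 build sshd[812]: session opened" > "$r/var/log/syslog"
    : > "$r/var/log/auth.log"
    echo "apt-get install openssh-server" > "$r/root/.bash_history"
    : > "$r/home/ubuntu/.bash_history"
    printf 'root:*:16412:0:99999:7:::\n' > "$r/etc/shadow"
    echo "$r"
}

sample=$(make_sample_root)
audit_template "$sample" root
rm -rf "$sample"
```

The check only sees what is on disk, so in-memory history that a still-running shell writes out on exit is caught only if the audit runs after that shell has closed.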