podvm: allow only safe cloud-init modules #2003

Open
wants to merge 1 commit into
base: main

Contributor

@snir911 snir911 commented Aug 13, 2024

Usually ssh and scripts injection modules are enabled by default; with this patch we allow only a subset of modules that are considered safe or essential for cloud providers.
Makefiles revert back to the original distribution cloud-init settings when DEBUG is set or by running make image-debug.

This was tested on AWS and Azure with rhel podvm only, as I failed to build a working Ubuntu podvm from upstream (also with main) due to an unrelated issue.
This is also related to #1962, as a main goal is to disable ssh.

@snir911 snir911 requested a review from bpradipt August 13, 2024 13:05
@snir911 snir911 self-assigned this Aug 14, 2024
@bpradipt bpradipt added the test_e2e_libvirt Run Libvirt e2e tests label Aug 14, 2024
Usually ssh and scripts injection modules are enabled by default, with this
patch we allow only subset of modules that are considered safe or essential
for cloud-providers.
Makefiles reverts back to the original distribution cloud-init settings when DEBUG is set
or by running make image-debug

Signed-off-by: Snir Sheriber <[email protected]>
Member

@bpradipt bpradipt left a comment

The code looks good to me.
I haven't got the opportunity to test it yet.

@mkulke @liudalibj are you ok with this approach to disable ssh for packer based images? Not sure if this will help with mkosi images for s390x as well since afaik s390x uses cloud-init.

Member

@beraldoleal beraldoleal left a comment

Hi @snir911, this lgtm, thanks.

@snir911 snir911 added the hold label Aug 21, 2024
Contributor Author

snir911 commented Aug 21, 2024

added hold as it seems there's some issue with ubuntu & libvirt

Member

liudalibj commented Aug 22, 2024

When I try to build the Ubuntu s390x image with packer from this PR, I found that the image-debug task doesn't seem to work as expected:

I updated https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/Dockerfile.podvm#L60 to make image-debug
and then ran ARCH=s390x make podvm-image. In the log I found:

...
#14 24.93 Processing triggers for libc-bin (2.31-0ubuntu9.16) ...
#14 DONE 25.9s

#15 [podvm_builder 9/9] RUN make image-debug
#15 1.054 Makefile.inc:49: A foreign ARCH was passed, but no CC alternative. Using s390x-linux-gnu-gcc as best guess
#15 1.120 ln -s -f "99_allowed_modules.cfg.template" "/src/cloud-api-adaptor/podvm/files/etc/cloud/cloud.cfg.d/99_allowed_modules.cfg"
#15 1.125 cd "./../" && ARCH=s390x make agent-protocol-forwarder
#15 1.129 make[1]: Entering directory '/src/cloud-api-adaptor'
#15 1.809 go: downloading github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f
...

Which is not expected: if we are using make image-debug, the 99_allowed_modules.cfg file should be removed?
https://github.com/snir911/cloud-api-adaptor/blob/disable_cloudinit5/src/cloud-api-adaptor/podvm/Makefile.inc#L123 doesn't seem to work well.

@liudalibj
Member

Another finding: I started a VM from the podvm image built from this PR with ARCH=s390x make podvm-image, without any modification.
From the built image I can confirm that 99_allowed_modules.cfg is there.

tree /mnt/iso/etc/cloud/cloud.cfg.d/
/mnt/iso/etc/cloud/cloud.cfg.d/
├── 05_logging.cfg
├── 90_dpkg.cfg
├── 99_allowed_modules.cfg
└── README

0 directories, 4 files

But from the VM start console log, I found that the OpenBSD Secure Shell server is started.

[root@a3elp66 liudali-se]# virsh console liudali-ubunut-ssh-test-debug
Connected to domain 'liudali-ubunut-ssh-test-debug'
Escape character is ^] (Ctrl + ])
Begin: Loading essential drivers ... [    2.820502] raid6: vx128x8  gen() 14064 MB/s
[    2.939051] raid6: vx128x8  xor() 12597 MB/s
[    2.939057] raid6: using algorithm vx128x8 gen() 14064 MB/s
[    2.939057] raid6: .... xor() 12597 MB/s, rmw enabled
[    2.939058] raid6: using s390xc recovery algorithm
[    2.940270] xor: automatically using best checksumming function   xc
done.
Begin: Running /scripts/init-premount ... done.
Begin: Mounting root file system ... Begin: Running /scripts/local-top ... done.
Begin: Running /scripts/local-premount ... [    2.974825] Btrfs loaded, crc32c=crc32c-vx
Scanning for Btrfs filesystems
done.
Begin: Will now check root file system ... fsck from util-linux 2.34
[/usr/sbin/fsck.ext4 (1) -- /dev/vda1] fsck.ext4 -a -C0 /dev/vda1
cloudimg-rootfs: clean, 63128/768000 files, 561949/1572603 blocks
done.
[    3.016098] EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null)
done.
Begin: Running /scripts/local-bottom ... done.
Begin: Running /scripts/init-bottom ... done.
[    3.137977] systemd[1]: systemd 245.4-4ubuntu3.19 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
[    3.138316] systemd[1]: Detected virtualization kvm.
[    3.138318] systemd[1]: Detected architecture s390x.

Welcome to Ubuntu 20.04.5 LTS!

[    3.190897] systemd[1]: Set hostname to <ubuntu>.
[    3.191828] systemd[1]: Initializing machine ID from random generator.
[    3.191856] systemd[1]: Installed transient /etc/machine-id file.
[    3.243218] systemd[357]: /usr/lib/systemd/system-generators/s390-cpi-vars failed with exit status 1.
[    3.310463] systemd[1]: Created slice system-modprobe.slice.
[  OK  ] Created slice system-modprobe.slice.
[    3.310768] systemd[1]: Created slice system-netns.slice.
[  OK  ] Created slice system-netns.slice.
[    3.311013] systemd[1]: Created slice system-serial\x2dgetty.slice.
[  OK  ] Created slice system-serial\x2dgetty.slice.
[    3.311241] systemd[1]: Created slice User and Session Slice.
[  OK  ] Created slice User and Session Slice.
[    3.311325] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Started Forward Password R…uests to Wall Directory Watch.
[    3.311560] systemd[1]: Set up automount Arbitrary Executable File Formats File System Automount Point.
[  OK  ] Set up automount Arbitrary…s File System Automount Point.
[    3.311655] systemd[1]: Reached target User and Group Name Lookups.
[  OK  ] Reached target User and Group Name Lookups.
[    3.311725] systemd[1]: Reached target Slices.
[  OK  ] Reached target Slices.
[    3.311791] systemd[1]: Reached target Swap.
[  OK  ] Reached target Swap.
[    3.311890] systemd[1]: Listening on Device-mapper event daemon FIFOs.
[  OK  ] Listening on Device-mapper event daemon FIFOs.
[    3.311997] systemd[1]: Listening on LVM2 poll daemon socket.
[  OK  ] Listening on LVM2 poll daemon socket.
[    3.312081] systemd[1]: Listening on multipathd control socket.
[  OK  ] Listening on multipathd control socket.
[    3.312203] systemd[1]: Listening on Syslog Socket.
[  OK  ] Listening on Syslog Socket.
[    3.312279] systemd[1]: Listening on fsck to fsckd communication Socket.
[  OK  ] Listening on fsck to fsckd communication Socket.
[    3.312358] systemd[1]: Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[    3.312523] systemd[1]: Listening on Journal Audit Socket.
[  OK  ] Listening on Journal Audit Socket.
[    3.312610] systemd[1]: Listening on Journal Socket (/dev/log).
[  OK  ] Listening on Journal Socket (/dev/log).
[    3.312710] systemd[1]: Listening on Journal Socket.
[  OK  ] Listening on Journal Socket.
[    3.312852] systemd[1]: Listening on Network Service Netlink Socket.
[  OK  ] Listening on Network Service Netlink Socket.
[    3.312965] systemd[1]: Listening on udev Control Socket.
[  OK  ] Listening on udev Control Socket.
[    3.313045] systemd[1]: Listening on udev Kernel Socket.
[  OK  ] Listening on udev Kernel Socket.
[    3.313601] systemd[1]: Mounting Huge Pages File System...
         Mounting Huge Pages File System...
[    3.314108] systemd[1]: Mounting POSIX Message Queue File System...
         Mounting POSIX Message Queue File System...
[    3.314682] systemd[1]: Mounting Kernel Debug File System...
         Mounting Kernel Debug File System...
[    3.315204] systemd[1]: Mounting Kernel Trace File System...
         Mounting Kernel Trace File System...
[    3.315918] systemd[1]: Starting Journal Service...
         Starting Journal Service...
[    3.317054] systemd[1]: Starting Set the console keyboard layout...
         Starting Set the console keyboard layout...
[    3.317524] systemd[1]: Starting Create list of static device nodes for the current kernel...
         Starting Create list of st…odes for the current kernel...
[    3.317958] systemd[1]: Starting Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling...
         Starting Monitoring of LVM…meventd or progress polling...
[    3.318426] systemd[1]: Starting Load Kernel Module chromeos_pstore...
         Starting Load Kernel Module chromeos_pstore...
[    3.318860] systemd[1]: Starting Load Kernel Module drm...
         Starting Load Kernel Module drm...
[    3.319336] systemd[1]: Starting Load Kernel Module efi_pstore...
         Starting Load Kernel Module efi_pstore...
[    3.319826] systemd[1]: Starting Load Kernel Module pstore_blk...
         Starting Load Kernel Module pstore_blk...
[    3.320324] systemd[1]: Starting Load Kernel Module pstore_zone...
         Starting Load Kernel Module pstore_zone...
[    3.320867] systemd[1]: Starting Load Kernel Module ramoops...
         Starting Load Kernel Module ramoops...
[    3.320955] systemd[1]: Condition check resulted in OpenVSwitch configuration for cleanup being skipped.
[    3.322148] systemd[1]: Condition check resulted in Set Up Additional Binary Formats being skipped.
[    3.322179] systemd[1]: Condition check resulted in File System Check on Root Device being skipped.
[    3.325145] systemd[1]: Starting Load Kernel Modules...
         Starting Load Kernel Modules...
[    3.325988] systemd[1]: Starting Remount Root and Kernel File Systems...
         Starting Remount Root and Kernel File Systems...
[    3.328917] systemd[1]: Starting udev Coldplug all Devices...
         Starting udev Coldplug all Devices...
[    3.329561] systemd[1]: Starting Uncomplicated firewall...
         Starting Uncomplicated firewall...
[    3.330704] systemd[1]: Mounted Huge Pages File System.
[  OK  ] Mounted Huge Pages File System.
[    3.330778] systemd[1]: Mounted POSIX Message Queue File System.
[  OK  ] Mounted POSIX Message Queue File System.
[    3.330848] systemd[1]: Mounted Kernel Debug File System.
[  OK  ] Mounted Kernel Debug File System.
[    3.330903] systemd[1]: Mounted Kernel Trace File System.
[  OK  ] Mounted Kernel Trace File System.
[    3.331171] systemd[1]: Finished Create list of static device nodes for the current kernel.
[  OK  ] Finished Create list of st… nodes for the current kernel.
[    3.331383] systemd[1]: modprobe@chromeos_pstore.service: Succeeded.
[    3.331522] systemd[1]: Finished Load Kernel Module chromeos_pstore.
[  OK  ] Finished Load Kernel Module chromeos_pstore.
[    3.331694] systemd[1]: modprobe@efi_pstore.service: Succeeded.
[    3.331828] systemd[1]: Finished Load Kernel Module efi_pstore.
[  OK  ] Finished Load Kernel Module efi_pstore.
[    3.332081] systemd[1]: Finished Uncomplicated firewall.
[  OK  ] Finished Uncomplicated firewall.
[    3.339846] systemd[1]: Finished Load Kernel Modules.
[  OK  ] Finished Load Kernel Modules.
[    3.340352] systemd[1]: Mounting FUSE Control File System...
         Mounting FUSE Control File System...
[    3.340813] systemd[1]: Mounting Kernel Configuration File System...
         Mounting Kernel Configuration File System...
[    3.341246] systemd[1]: Starting Apply Kernel Variables...
         Starting Apply Kernel Variables...
[    3.342243] systemd[1]: Mounted FUSE Control File System.
[  OK  ] Mounted FUSE Control File System.
[    3.343374] systemd[1]: Mounted Kernel Configuration File System.
[  OK  ] Mounted Kernel Configuration File System.
[    3.346555] EXT4-fs (vda1): re-mounted. Opts: (null)
[    3.347431] systemd[1]: Finished Remount Root and Kernel File Systems.
[  OK  ] Finished Remount Root and Kernel File Systems.
[    3.347675] systemd[1]: Condition check resulted in Rebuild Hardware Database being skipped.
[    3.348079] systemd[1]: Starting Load/Save Random Seed...
         Starting Load/Save Random Seed...
[    3.348540] systemd[1]: Starting Create System Users...
         Starting Create System Users...
[  OK  ] Finished Load Kernel Module pstore_blk.
[  OK  ] Finished Load/Save Random Seed.
[  OK  ] Finished udev Coldplug all Devices.
         Starting udev Wait for Complete Device Initialization...
[  OK  ] Finished Apply Kernel Variables.
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Finished Load Kernel Module ramoops.
[  OK  ] Finished Load Kernel Module pstore_zone.
[  OK  ] Finished Create System Users.
         Starting Create Static Device Nodes in /dev...
[  OK  ] Finished Load Kernel Module drm.
[  OK  ] Finished Create Static Device Nodes in /dev.
         Starting udev Kernel Device Manager...
[  OK  ] Finished Flush Journal to Persistent Storage.
[  OK  ] Started udev Kernel Device Manager.
[  OK  ] Finished Set the console keyboard layout.
[  OK  ] Started Dispatch Password …ts to Console Directory Watch.
[  OK  ] Reached target Local Encrypted Volumes.
[  OK  ] Finished Monitoring of LVM… dmeventd or progress polling.
[  OK  ] Found device /dev/ttysclp0.
         Mounting Arbitrary Executable File Formats File System...
[  OK  ] Mounted Arbitrary Executable File Formats File System.
[  OK  ] Finished udev Wait for Complete Device Initialization.
         Starting Device-Mapper Multipath Device Controller...
[  OK  ] Started Device-Mapper Multipath Device Controller.
[  OK  ] Reached target Local File Systems (Pre).
         Mounting Mount unit for /run/kata-containers...
         Mounting Mount unit for core20, revision 1780...
         Mounting Mount unit for lxd, revision 24063...
         Mounting Mount unit for snapd, revision 17887...
[  OK  ] Mounted Mount unit for /run/kata-containers.
[  OK  ] Mounted Mount unit for core20, revision 1780.
[  OK  ] Mounted Mount unit for lxd, revision 24063.
[  OK  ] Mounted Mount unit for snapd, revision 17887.
[  OK  ] Reached target Local File Systems.
         Starting Load AppArmor profiles...
         Starting Set console font and keymap...
         Starting Apply Control Program Identification (CPI)...
         Starting Create final runt…dir for shutdown pivot root...
         Starting Initial cloud-init job (pre-networking)...
         Starting Tell Plymouth To Write Out Runtime Data...
         Starting Commit a transient machine-id on disk...
         Starting Create Volatile Files and Directories...
[  OK  ] Finished Create final runt…e dir for shutdown pivot root.
[  OK  ] Finished Set console font and keymap.
[  OK  ] Finished Create Volatile Files and Directories.
         Starting Network Time Synchronization...
         Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Finished Tell Plymouth To Write Out Runtime Data.
[  OK  ] Finished Commit a transient machine-id on disk.
[  OK  ] Finished Update UTMP about System Boot/Shutdown.
[  OK  ] Finished Apply Control Program Identification (CPI).
[  OK  ] Finished Load AppArmor profiles.
         Starting Load AppArmor pro…managed internally by snapd...
[  OK  ] Started Network Time Synchronization.
[  OK  ] Reached target System Time Set.
[  OK  ] Reached target System Time Synchronized.
[  OK  ] Finished Load AppArmor pro…s managed internally by snapd.
[   17.494752] cloud-init[584]: Cloud-init v. 22.4.2-0ubuntu0~20.04.2 running 'init-local' at Thu, 22 Aug 2024 03:12:11 +0000. Up 4.36 seconds.
[   17.495445] cloud-init[584]: 2024-08-22 03:12:24,540 - url_helper.py[ERROR]: Timed out, no response from urls: ['http://169.254.169.254/openstack']
[   17.513666] cloud-init[584]: 2024-08-22 03:12:24,559 - util.py[WARNING]: No active metadata service found
[  OK  ] Finished Initial cloud-init job (pre-networking).
[  OK  ] Reached target Network (Pre).
         Starting Network Service...
[  OK  ] Started Network Service.
         Starting Wait for Network to be Configured...
         Starting Network Name Resolution...
[  OK  ] Started Network Name Resolution.
[  OK  ] Reached target Network.
[  OK  ] Reached target Host and Network Name Lookups.
[  OK  ] Finished Wait for Network to be Configured.
         Starting Initial cloud-ini… (metadata service crawler)...
[   29.522172] cloud-init[644]: Cloud-init v. 22.4.2-0ubuntu0~20.04.2 running 'init' at Thu, 22 Aug 2024 03:12:26 +0000. Up 19.44 seconds.
[   29.522526] cloud-init[644]: ci-info: ++++++++++++++++++++++++++++++++++++++Net device info++++++++++++++++++++++++++++++++++++++
[   29.524343] cloud-init[644]: ci-info: +--------+------+----------------------------+---------------+--------+-------------------+
[   29.524558] cloud-init[644]: ci-info: | Device |  Up  |          Address           |      Mask     | Scope  |     Hw-Address    |
[   29.524618] cloud-init[644]: ci-info: +--------+------+----------------------------+---------------+--------+-------------------+
[   29.524662] cloud-init[644]: ci-info: |  enc2  | True |      192.168.122.203       | 255.255.255.0 | global | 52:54:00:17:e6:de |
[   29.524707] cloud-init[644]: ci-info: |  enc2  | True | fe80::5054:ff:fe17:e6de/64 |       .       |  link  | 52:54:00:17:e6:de |
[   29.524751] cloud-init[644]: ci-info: |   lo   | True |         127.0.0.1          |   255.0.0.0   |  host  |         .         |
[   29.524799] cloud-init[644]: ci-info: |   lo   | True |          ::1/128           |       .       |  host  |         .         |
[   29.524843] cloud-init[644]: ci-info: +--------+------+----------------------------+---------------+--------+-------------------+
[   29.524879] cloud-init[644]: ci-info: ++++++++++++++++++++++++++++++++Route IPv4 info++++++++++++++++++++++++++++++++
[   29.524926] cloud-init[644]: ci-info: +-------+---------------+---------------+-----------------+-----------+-------+
[   29.524966] cloud-init[644]: ci-info: | Route |  Destination  |    Gateway    |     Genmask     | Interface | Flags |
[   29.525014] cloud-init[644]: ci-info: +-------+---------------+---------------+-----------------+-----------+-------+
[   29.525054] cloud-init[644]: ci-info: |   0   |    0.0.0.0    | 192.168.122.1 |     0.0.0.0     |    enc2   |   UG  |
[   29.525098] cloud-init[644]: ci-info: |   1   | 192.168.122.0 |    0.0.0.0    |  255.255.255.0  |    enc2   |   U   |
[   29.525156] cloud-init[644]: ci-info: |   2   | 192.168.122.1 |    0.0.0.0    | 255.255.255.255 |    enc2   |   UH  |
[   29.526108] cloud-init[644]: ci-info: +-------+---------------+---------------+-----------------+-----------+-------+
[   29.526190] cloud-init[644]: ci-info: +++++++++++++++++++Route IPv6 info+++++++++++++++++++
[   29.526269] cloud-init[644]: ci-info: +-------+-------------+---------+-----------+-------+
[   29.526317] cloud-init[644]: ci-info: | Route | Destination | Gateway | Interface | Flags |
[   29.526980] cloud-init[644]: ci-info: +-------+-------------+---------+-----------+-------+
[   29.527567] cloud-init[644]: ci-info: |   1   |  fe80::/64  |    ::   |    enc2   |   U   |
[   29.527636] cloud-init[644]: ci-info: |   3   |    local    |    ::   |    enc2   |   U   |
[   29.527682] cloud-init[644]: ci-info: |   4   |  multicast  |    ::   |    enc2   |   U   |
[   29.527721] cloud-init[644]: ci-info: +-------+-------------+---------+-----------+-------+
[   29.527763] cloud-init[644]: 2024-08-22 03:12:36,568 - url_helper.py[ERROR]: Timed out, no response from urls: ['http://169.254.169.254/openstack']
[   29.527825] cloud-init[644]: 2024-08-22 03:12:36,568 - util.py[WARNING]: No active metadata service found
[  OK  ] Stopped Wait for Network to be Configured.
         Stopping Wait for Network to be Configured...
         Stopping Network Service...
[  OK  ] Stopped Network Service.
         Starting Network Service...
[  OK  ] Started Network Service.
         Starting Wait for Network to be Configured...
[   31.031975] cloud-init[644]: 2024-08-22 03:12:38,078 - activators.py[WARNING]: Running ['netplan', 'apply'] resulted in stderr output: Failed to connect system bus: No such file or directory
[   31.032116] cloud-init[644]: Falling back to a hard restart of systemd-networkd.service
[  OK  ] Finished Wait for Network to be Configured.
[  OK  ] Finished Initial cloud-ini…ob (metadata service crawler).
[  OK  ] Reached target Cloud-config availability.
[  OK  ] Reached target Network is Online.
[  OK  ] Reached target System Initialization.
[  OK  ] Started Monitor for the Confidential Data Hub socket.
[  OK  ] Started Monitor for the Attestation Agent socket.
[  OK  ] Started Periodic ext4 Onli…ata Check for All Filesystems.
[  OK  ] Started Discard unused blocks once a week.
[  OK  ] Started Refresh fwupd metadata regularly.
[  OK  ] Started Daily rotation of log files.
[  OK  ] Started Daily man-db regeneration.
[  OK  ] Started Message of the Day.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Started Ubuntu Advantage Timer for running repeated jobs.
[  OK  ] Reached target Paths.
[  OK  ] Reached target Timers.
[  OK  ] Listening on cloud-init hotplug hook socket.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Listening on Open-iSCSI iscsid Socket.
[  OK  ] Listening on Socket unix for snap application lxd.daemon.
         Starting Socket activation for snappy daemon.
[  OK  ] Listening on UUID daemon activation socket.
[  OK  ] Reached target Remote File Systems (Pre).
[  OK  ] Reached target Remote File Systems.
         Starting Availability of block devices...
[  OK  ] Listening on Socket activation for snappy daemon.
[  OK  ] Finished Availability of block devices.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
         Starting Accounts Service...
         Starting LSB: automatic crash report generation...
         Starting Deferred execution scheduler...
         Starting Apply the settings specified in cloud-config...
[  OK  ] Started Regular background program processing daemon.
[  OK  ] Started D-Bus System Message Bus.
[  OK  ] Started Save initial kernel messages after boot.
         Starting Configure dump on panic for System z...
         Starting Remove Stale Onli…t4 Metadata Check Snapshots...
[  OK  ] Started irqbalance daemon.
         Starting [email protected]...
         Starting Dispatcher daemon for systemd-networkd...
         Starting Authorization Manager...
         Starting System Logging Service...
[  OK  ] Reached target Login Prompts (Pre).
         Starting OpenBSD Secure Shell server...
         Starting Login Service...
         Starting Permit User Sessions...
         Starting Disk Manager...
[  OK  ] Started Deferred execution scheduler.
[  OK  ] Finished [email protected].
[  OK  ] Finished Permit User Sessions.
         Starting Hold until boot process finishes up...
         Starting Terminate Plymouth Boot Screen...
[  OK  ] Finished Hold until boot process finishes up.
[  OK  ] Started Serial Getty on ttysclp0.
         Starting Set console scheme...
[  OK  ] Finished Terminate Plymouth Boot Screen.
[  OK  ] Finished Configure dump on panic for System z.
[  OK  ] Finished Set console scheme.
[  OK  ] Started System Logging Service.
[  OK  ] Created slice system-getty.slice.
[  OK  ] Started Getty on tty1.
[  OK  ] Reached target Login Prompts.
         Starting Hostname Service...
[  OK  ] Started Login Service.
[  OK  ] Started Unattended Upgrades Shutdown.
[  OK  ] Started Authorization Manager.
         Starting Modem Manager...
[  OK  ] Started LSB: automatic crash report generation.
[  OK  ] Started Accounts Service.
[  OK  ] Started Modem Manager.
[  OK  ] Started OpenBSD Secure Shell server.
[  OK  ] Started Hostname Service.
[  OK  ] Started Dispatcher daemon for systemd-networkd.
[  OK  ] Finished Remove Stale Onli…ext4 Metadata Check Snapshots.
[  OK  ] Started Disk Manager.
[   31.692550] cloud-init[819]: Cloud-init v. 22.4.2-0ubuntu0~20.04.2 running 'modules:config' at Thu, 22 Aug 2024 03:12:38 +0000. Up 31.64 seconds.
[  OK  ] Finished Apply the settings specified in cloud-config.
         Starting Process user data...

Ubuntu 20.04.5 LTS ubuntu ttysclp0

ubuntu login: [   92.189738] cloud-init[928]: Cloud-init v. 22.4.2-0ubuntu0~20.04.2 running 'modules:final' at Thu, 22 Aug 2024 03:13:39 +0000. Up 92.13 seconds.
[   92.189949] cloud-init[928]: Cloud-init v. 22.4.2-0ubuntu0~20.04.2 finished at Thu, 22 Aug 2024 03:13:39 +0000. Datasource DataSourceNone.  Up 92.18 seconds
[   92.190009] cloud-init[928]: 2024-08-22 03:13:39,236 - cc_final_message.py[WARNING]: Used fallback datasource

ubuntu login:

And if I ssh to the IP for this VSI:

ssh 192.168.122.203
The authenticity of host '192.168.122.203 (192.168.122.203)' can't be established.
ECDSA key fingerprint is SHA256:Ck3xEYmnDtPEMxFML2HpHXHJWT5lTpx8rilsmP25Ktk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.203' (ECDSA) to the list of known hosts.
[email protected]'s password:

Is this expected?

Contributor Author

snir911 commented Aug 22, 2024

Thanks for testing it @liudalibj, indeed this is not expected: firstly, the link should be removed when it's in debug, as you mentioned, and ssh should also be disabled when it's not in debug.
On my side CAA couldn't communicate with the agent when the file is set; I'll push another version once I figure this out.
(FWIW the original version worked well on rhel, I couldn't test on Ubuntu at the time.)
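
A check for the two findings in this thread, as an added example (not code from the PR or from the cloud-api-adaptor project): it resolves the effective cloud-init module lists from a mounted image root and, separately, reports ssh units enabled in systemd, because sshd is started by systemd independently of which cloud-init modules run. The risky-module list, the function names and the sample tree are assumptions made for illustration, and the script assumes that a drop-in which sorts later replaces a module list wholesale.

```sh
#!/bin/sh
# Audit a mounted image root (ROOT) for the findings reported in this thread.
# Modules treated as ssh / script injection paths. Assumed list: the PR's own
# allowlist is not shown in the thread. "-" in names is normalised to "_".
RISKY="ssh ssh_import_id ssh_authkey_fingerprints set_passwords bootcmd runcmd \
scripts_user scripts_vendor scripts_per_boot scripts_per_instance scripts_per_once"

# effective_modules ROOT KEY: print the module list that wins for KEY, reading
# cloud.cfg and then cloud.cfg.d/*.cfg in lexical order (last definition wins).
effective_modules() {
    for f in "$1/etc/cloud/cloud.cfg" "$1"/etc/cloud/cloud.cfg.d/*.cfg; do
        # -f is false for a dangling symlink, so an unreadable drop-in is skipped
        if [ -f "$f" ]; then cat "$f"; echo '#EOF'; fi
    done | awk -v key="$2" '
        function add(m) { sub(/[ \t\r]+$/, "", m); gsub(/-/, "_", m); if (m != "") mods[++n] = m }
        /^#EOF$/ { inlist = 0; next }
        index($0, key ":") == 1 {              # a later definition replaces the list
            n = 0; inlist = 1
            rest = substr($0, length(key) + 2); sub(/#.*$/, "", rest); gsub(/[ \t]/, "", rest)
            if (substr(rest, 1, 1) == "[") {    # flow style: "key: [a, b]" or "key: []"
                gsub(/\[/, "", rest); gsub(/\]/, "", rest); inlist = 0
                cnt = split(rest, parts, ","); for (i = 1; i <= cnt; i++) add(parts[i])
            }
            next
        }
        inlist && /^[ \t]*-/ {                  # "- name" or "- [name, frequency]"
            item = $0; sub(/^[ \t]*-[ \t]*/, "", item); sub(/^\[[ \t]*/, "", item)
            sub(/[ \t]*[,#].*$/, "", item); sub(/[ \t]*\].*$/, "", item)
            add(item); next
        }
        inlist && /^[ \t]*(#.*)?$/ { next }     # blank or comment line inside the list
        { inlist = 0 }
        END { for (i = 1; i <= n; i++) print mods[i] }'
}

# risky_modules ROOT: print "stage:module" for each risky module still effective.
risky_modules() {
    for key in cloud_init_modules cloud_config_modules cloud_final_modules; do
        for m in $(effective_modules "$1" "$key"); do
            case " $RISKY " in *" $m "*) echo "$key:$m" ;; esac
        done
    done
}

# sshd_units ROOT: print ssh units enabled via "wants" links (-L: target may lie outside ROOT).
sshd_units() {
    for d in "$1"/etc/systemd/system/*.wants; do
        for u in ssh.service sshd.service ssh.socket sshd.socket; do
            if [ -L "$d/$u" ] || [ -e "$d/$u" ]; then echo "${d#"$1"}/$u"; fi
        done
    done
}

# dangling_dropins ROOT: print drop-ins that are symlinks without a target.
dangling_dropins() {
    for f in "$1"/etc/cloud/cloud.cfg.d/*.cfg; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then echo "${f#"$1"}"; fi
    done
}

# audit_image ROOT: print findings; return 1 if there are any.
audit_image() {
    findings=$(risky_modules "$1" | sed 's/^/cloud-init module enabled: /'
               sshd_units "$1" | sed 's/^/ssh unit enabled: /'
               dangling_dropins "$1" | sed 's/^/dangling drop-in: /')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"; return 1
}

# Constructed sample root (not from the PR): allowlist drop-in present, sshd enabled.
demo_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/cloud/cloud.cfg.d" "$r/etc/systemd/system/multi-user.target.wants"
    printf 'cloud_init_modules:\n - seed_random\n - ssh\ncloud_final_modules:\n - [scripts-user, always]\n' > "$r/etc/cloud/cloud.cfg"
    printf 'cloud_init_modules:\n - seed_random\ncloud_final_modules: []\n' > "$r/etc/cloud/cloud.cfg.d/99_allowed_modules.cfg"
    ln -s /lib/systemd/system/ssh.service "$r/etc/systemd/system/multi-user.target.wants/ssh.service"
    echo "$r"
}
audit_image "$(demo_root)" || echo "image needs attention"
```

Run against a real image by mounting it and calling `audit_image /mnt/iso`; a non-zero return can gate the image build.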
