cloud-init may hang OS boot process due to grep for the entire ISO file when it is attached

@Peter,

You're correct that ds-identify both that ds-identify does grep through
and entire cdrom if attached with an ISO9660 filesystem. The reason for this hack
is that
a.) the OVF specification does not indicate the filesystem label for ISO transport.
If it did, we could require that. As it is, there is no easy way to positively
identify the OVF transport cdrom.
b.) when this code was developed I asked a vmware contact if I could rely on
any such label in practice and was told no.
c.) we did not want to attempt a mount in ds-identify and cannot rely on the
filesystem being mounted at that point in time.

Note that commit 530850f971e improves the situation on vmware to
*not* do the grep if the filesystem has a label 'OVF ENV'. In some recent
experience I've seen this label provided by vmware.

If we can rely on that label on VMWare OVF systems, then I think I would be
fine with dropping the grep.

Note that the grep is protected from executing in many ways. It will only
execute if:
 a.) the ISO9660 filesystem is on a device named /dev/sr[0-9] or /dev/hd[a-z].
 b.) the label is not one of case insensitive: OVF-Transport OVFENV, OVF ENV, config-2, rd_rdfe_stable*, cidata.

If we cannot drop the grep all together because VMware/OVF spec does not provide
us a filesystem label to match on, then we could potentially further limit the
grep to only occur if the device attached was very small (perhaps < 10M ?).
That way we would not grep through DVD or 700M install ISOs.

Thoughts?

In the case of OVF customization the protection could work. However, if a user choose to install an OS from the installation ISO image then it could not. In our example we were trying to install a SLES15 OS from its installer DVD attached by virtual CDROM(/dev/sr0).

It is the OS vender's choice for what the ISO's lable is, usually "XXX installer DVD". "XXX package DVD"...

If we can not just check if certain config file exists on the ISO image, then I think your suggestion for limiting the ISO file size before grep seems a solution. As the config iso file will defenitely be a small one.

@Peter,

I think I'm happy to drop the 'grep' if you tell me that vmware installations will always label the OVF transport 'OVF ENV' which is my current experience with a vSphere Client 6.0.0 and vCenter Server 6.0.0.

if we cannot rely on that, then other heuristic checks is all we can do.

well, not *all* we can do, but without adding either a 'mount' or a dependency on something like 'isoinfo'.

Let me check with OVF team internally and update you if we use fixed name for the iso lable.

Hi Scott,

If only consider to speed up VMware guest customization process, could we move if ovf_vmware_guest_customization check to be in front of "is_cdrom_ovf" in dsCheckOVF()?
https://github.com/cloud-init/cloud-init/blob/12bc76cebf69a1c8cf9eba78431333842ed170cf/tools/ds-identify#L772

Not sure if there is side-effect to do this change.

Thanks,
Pengpeng

it does seem like that would improve things, pengpeng. Much better
would be for vmware to promise (at least with new versions) that the
attached OVF cdrom would have a specific label.

On Fri, Feb 22, 2019 at 3:30 AM Pengpeng Sun <email address hidden> wrote:
>
> Hi Scott,
>
> If only consider to speed up VMware guest customization process, could we move if ovf_vmware_guest_customization check to be in front of "is_cdrom_ovf" in dsCheckOVF()?
> https://github.com/cloud-init/cloud-init/blob/12bc76cebf69a1c8cf9eba78431333842ed170cf/tools/ds-identify#L772
>
> Not sure if there is side-effect to do this change.
>
>
> Thanks,
> Pengpeng
>
> --
> You received this bug notification because you are subscribed to cloud-
> init.
> https://bugs.launchpad.net/bugs/1806701
>
> Title:
> cloud-init may hang OS boot process due to grep for the entire ISO
> file when it is attached
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/cloud-init/+bug/1806701/+subscriptions

@Scott, agree with you. While I checked the current versions, the Label contains no fixed string. If you attached a VMTools ISO, then LABEL=VMware Tools, TYPE=iso9660.
If you attached a RHEL7.6 installer ISO, then LABEL=RHEL-7.6 Server.x86_64, TYPE=iso9660.
so LABEL depends on what's ISO attached.
We will try to get an official answer from OVF team internally, but the answer could be 'no specific label'.

Thanks,
Pengpeng

>Note that commit 530850f971e improves the situation on vmware to
>*not* do the grep if the filesystem has a label 'OVF ENV'. In some recent
>experience I've seen this label provided by vmware.

As Scott mentioned, got the label 'OVF ENV' when attached OVF cdrom which need enable vApp options on a VM.
While the vApp options are not enabled by default on a VMware VM, so can NOT reply on it to check if current is a VMware installation.
To solve this issue, checking size might be the best option, that grep entire cdrom size only if it's size is small (ex: <=10MB).
And to speed up VMware guest customization, could move if ovf_vmware_guest_customization check to be in front of "is_cdrom_ovf" in dsCheckOVF()? , see https://bugs.launchpad.net/cloud-init/+bug/1806701/comments/6

Copy Ryan and Dan on this.

*** An article on how to enable vApp options on a VM: https://www.virtuallyghetto.com/2012/06/ovf-runtime-environment.html

Post a merge request:
https://code.launchpad.net/~pengpengs/cloud-init/+git/cloud-init/+merge/368959

This bug is fixed with commit d9769c47 to cloud-init on branch master.
To view that commit see the following URL:
https://git.launchpad.net/cloud-init/commit/?id=d9769c47

This bug is believed to be fixed in cloud-init in version 19.2. If this is still a problem for you, please make a comment and set the state back to New

Thank you.

We got recurring problems with cloud-init/ds-identify process. It spawns sub-processes "blkid -c /dev/null -o export" which gets stuck in the "D" uninterruptible sleep state.

The processes cannot be killed, so the only solution is to reboot the affected server.

root 3839 0.0 0.0 4760 1840 ? S Dec05 0:00 /bin/sh /usr/lib/cloud-init/ds-identify
root 3844 0.0 0.0 11212 2836 ? D Dec05 0:00 \_ blkid -c /dev/null -o export
root 6943 0.0 0.0 4760 1880 ? S Dec05 0:00 /bin/sh /usr/lib/cloud-init/ds-identify
root 6948 0.0 0.0 11212 2844 ? D Dec05 0:00 \_ blkid -c /dev/null -o export
root 6111 0.0 0.0 4760 1916 ? S Dec12 0:00 /bin/sh /usr/lib/cloud-init/ds-identify
root 6149 0.0 0.0 11212 2940 ? D Dec12 0:00 \_ blkid -c /dev/null -o export
root 8765 0.0 0.3 926528 24968 ? Ssl Dec12 0:12 /usr/lib/snapd/snapd
root 9179 0.0 0.0 4760 1892 ? S Dec12 0:00 /bin/sh /usr/lib/cloud-init/ds-identify
root 9185 0.0 0.0 11980 3552 ? D Dec12 0:00 \_ blkid -c /dev/null -o export

Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

5.0.0-36-generic #39~18.04.1-Ubuntu SMP Tue Nov 12 11:09:50 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

@Nicklas, I think the /var/run/cloud-init/ds-identify.log is helpful to investigate the problem.
And could you please file a new bug with above log file, it's a different issue with the one in this bug.

Tracked in Github Issues as https://github.com/canonical/cloud-init/issues/3293