Merge ~sameid/cloud-init:azure-user-locked-on-instance-id-change into cloud-init:master

Proposed by Sam Eiderman
Status: Merged
Approved by: Ryan Harper
Approved revision: 4e418c0f53a5d23ea1b8329aa529c80e10340e17
Merge reported by: Server Team CI bot
Merged at revision: not available
Proposed branch: ~sameid/cloud-init:azure-user-locked-on-instance-id-change
Merge into: cloud-init:master
Diff against target: 44 lines (+19/-2)
2 files modified
cloudinit/sources/ (+3/-2)
tests/unittests/test_datasource/ (+16/-0)
Reviewer Review Type Date Requested Status
Ryan Harper Approve
Server Team CI bot continuous-integration Approve
Sam Eiderman (community) Needs Resubmitting
Review via email:

Commit message

azure: Do not lock user on instance id change

After initial boot ovf-env.xml is copied to agent dir
(/var/lib/waagent/) with REDACTED password.
On subsequent boots DataSourceAzure loads with a configuration where the
user specified in /var/lib/waagent/ovf-env.xml is locked.
If instance id changes, cc_users_groups action will lock the user.

Fix this behavior by not locking the user if its password is REDACTED.

LP: #1849677

To post a comment you must log in.
Revision history for this message
Ryan Harper (raharper) wrote :

Thank you for contributing to cloud-init.

To contribute, you must sign the Canonical Contributor License Agreement (CLA) [1].

If you have already signed it as an individual, your Launchpad user will be listed in the contributor-agreement-canonical launchpad group [2]. Unfortunately there is no easy way to check if an organization or company you are doing work for has signed. If you are unsure or have questions, email <email address hidden> or ping powersj in #cloud-init channel via freenode.

For information on how to sign, please see the HACKING document [3].

Thanks again, and please feel free to reach out with any questions.


Revision history for this message
Ryan Harper (raharper) wrote :

Thanks for providing more background details in the linked bug.

I'd like to add a unittest for this scenario, something like this

% git diff tests/unittests/test_datasource/
diff --git a/tests/unittests/test_datasource/ b/tests/unittests/test_datasource/
index 3547dd9..6251a42 100644
--- a/tests/unittests/test_datasource/
+++ b/tests/unittests/test_datasource/
@@ -769,6 +769,23 @@ scbus-1 on xpt0 bus 0

+ def test_user_not_locked_if_password_redacted(self):
+ odata = {'HostName': "myhost", 'UserName': "myuser",
+ 'UserPassword': dsaz.DEF_PASSWD_REDACTION}
+ data = {'ovfcontent': construct_valid_ovf_env(data=odata)}
+ dsrc = self._get_ds(data)
+ ret = dsrc.get_data()
+ self.assertTrue(ret)
+ self.assertTrue('default_user' in dsrc.cfg['system_info'])
+ defuser = dsrc.cfg['system_info']['default_user']
+ # default user should be updated username and should not be locked.
+ self.assertEqual(defuser['name'], odata['UserName'])
+ self.assertIn('lock_passwd', defuser)
+ self.assertFalse(defuser['lock_passwd'])

When you've signed the CLA and added a unittest, please move this branch back from WIP to Needs Review.

review: Needs Fixing
Revision history for this message
Sam Eiderman (sameid) wrote :


Added the unittest, it was spot on - without the change in it failed, with it - passes.

Also signed the CLA.

review: Needs Resubmitting
Revision history for this message
Ryan Harper (raharper) wrote :


I've pointed our CI at this; I'll follow up and let you know what, if any, failures occur.
Once CI is happy, we can land.

Revision history for this message
Server Team CI bot (server-team-bot) wrote :

PASSED: Continuous integration, rev:4e418c0f53a5d23ea1b8329aa529c80e10340e17
Executed test runs:
    SUCCESS: Checkout
    SUCCESS: Unit & Style Tests
    SUCCESS: Ubuntu LTS: Build
    SUCCESS: Ubuntu LTS: Integration
    IN_PROGRESS: Declarative: Post Actions

Click here to trigger a rebuild:

review: Approve (continuous-integration)
Revision history for this message
Ryan Harper (raharper) wrote :


review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/cloudinit/sources/ b/cloudinit/sources/
2index 4984fa8..cdf49d3 100755
3--- a/cloudinit/sources/
4+++ b/cloudinit/sources/
5@@ -1193,9 +1193,10 @@ def read_azure_ovf(contents):
6 defuser = {}
7 if username:
8 defuser['name'] = username
9- if password and DEF_PASSWD_REDACTION != password:
10- defuser['passwd'] = encrypt_pass(password)
11+ if password:
12 defuser['lock_passwd'] = False
13+ if DEF_PASSWD_REDACTION != password:
14+ defuser['passwd'] = encrypt_pass(password)
16 if defuser:
17 cfg['system_info'] = {'default_user': defuser}
18diff --git a/tests/unittests/test_datasource/ b/tests/unittests/test_datasource/
19index 3547dd9..80c6f01 100644
20--- a/tests/unittests/test_datasource/
21+++ b/tests/unittests/test_datasource/
22@@ -769,6 +769,22 @@ scbus-1 on xpt0 bus 0
23 crypt.crypt(odata['UserPassword'],
24 defuser['passwd'][0:pos]))
26+ def test_user_not_locked_if_password_redacted(self):
27+ odata = {'HostName': "myhost", 'UserName': "myuser",
28+ 'UserPassword': dsaz.DEF_PASSWD_REDACTION}
29+ data = {'ovfcontent': construct_valid_ovf_env(data=odata)}
31+ dsrc = self._get_ds(data)
32+ ret = dsrc.get_data()
33+ self.assertTrue(ret)
34+ self.assertTrue('default_user' in dsrc.cfg['system_info'])
35+ defuser = dsrc.cfg['system_info']['default_user']
37+ # default user should be updated username and should not be locked.
38+ self.assertEqual(defuser['name'], odata['UserName'])
39+ self.assertIn('lock_passwd', defuser)
40+ self.assertFalse(defuser['lock_passwd'])
42 def test_userdata_plain(self):
43 mydata = "FOOBAR"
44 odata = {'UserData': {'text': mydata, 'encoding': 'plain'}}


People subscribed via source and target branches