Merge lp:~tribaal/livecd-rootfs/add-vagrant-user into lp:livecd-rootfs

Proposed by Chris Glass
Status: Merged
Merged at revision: 1504
Proposed branch: lp:~tribaal/livecd-rootfs/add-vagrant-user
Merge into: lp:livecd-rootfs
Diff against target: 65 lines (+23/-11)
1 file modified
live-build/ubuntu-cpc/hooks/042-vagrant.binary (+23/-11)
To merge this branch: bzr merge lp:~tribaal/livecd-rootfs/add-vagrant-user
Reviewer                      Review Type   Date Requested   Status
Adam Conrad (community)                                      Approve
Francis Ginther (community)                                  Approve
Philip Roche (community)                                     Approve
Review via email: mp+329598@code.launchpad.net

Description of the change

This branch changes the behavior for default users on the vagrant image, according to much of https://www.vagrantup.com/docs/boxes/base.html

Specifically, this adds a new "vagrant" user with a known password on top of the already existing ubuntu user.

This conforms to the expectations of the Vagrant community, despite some security concerns. Vagrant images are not used for production systems but for development environments, and the absence of the "standard" vagrant user has been hurting Ubuntu adoption on that platform.

Revision history for this message
Chris Glass (tribaal) wrote :

New image with the latest changes (not requiring password entry on "vagrant ssh"): https://launchpad.net/~cloudware/+livefs/ubuntu/artful/cpc-development/+build/108198/+files/livecd.ubuntu-cpc.vagrant.box

Revision history for this message
Philip Roche (philroche) wrote :

Works as expected. +1

-------------------------
(scratch) philroche@bomek:~/Working/scratch/vagrant-scratch$ vagrant box add --name cpc-ubuntu-vagrant livecd.ubuntu-cpc.vagrant-rev2.box
==> box: Box file was not detected as metadata. Adding it directly...
==> box: Adding box 'cpc-ubuntu-vagrant' (v0) for provider:
    box: Unpacking necessary files from: file:///home/philroche/Working/scratch/vagrant-scratch/livecd.ubuntu-cpc.vagrant-rev2.box
==> box: Successfully added box 'cpc-ubuntu-vagrant' (v0) for 'virtualbox'!
(scratch) philroche@bomek:~/Working/scratch/vagrant-scratch$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Importing base box 'cpc-ubuntu-vagrant'...
==> default: Matching MAC address for NAT networking...
==> default: Setting the name of the VM: vagrant-scratch_default_1503908977046_11325
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
==> default: Forwarding ports...
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Running 'pre-boot' VM customizations...
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2222
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: Warning: Remote connection disconnect. Retrying...
    default: Warning: Connection reset. Retrying...
    default: Warning: Remote connection disconnect. Retrying...
    default: Warning: Connection reset. Retrying...
    default: Warning: Remote connection disconnect. Retrying...
    default: Warning: Connection reset. Retrying...
    default: Warning: Remote connection disconnect. Retrying...
    default: Warning: Connection reset. Retrying...
    default:
    default: Vagrant insecure key detected. Vagrant will automatically replace
    default: this with a newly generated keypair for better security.
    default:
    default: Inserting generated public key within guest...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
==> default: Mounting shared folders...
    default: /vagrant => /home/philroche/Working/scratch/vagrant-scratch
(scratch) philroche@bomek:~/Working/scratch/vagrant-scratch$ vagrant ssh
Welcome to Ubuntu Artful Aardvark (development branch) (GNU/Linux 4.12.0-11-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

vagrant@ubuntu-artful:~$

review: Approve
Revision history for this message
Francis Ginther (fginther) wrote :

What restricts this change to artful? My understanding is that we're only introducing the vagrant:vagrant setup for artful and newer releases.

There is a comment on line 105 of this file:
# Vagrant needs a base user. We either inject the well-known SSH key
# or use password authentication. Both are ugly. So we'll use a password
# and make it random. This obviously is insecure...but at least its
# better than the alternatives.

This is no longer true now that we are adding the well-known SSH key.

review: Needs Information
Revision history for this message
Chris Glass (tribaal) wrote :

> What restricts this change to artful? My understanding is that we're only
> introducing the vagrant:vagrant setup for artful and newer releases.

Nothing in code - landing this in trunk only means that it will be part of the artful branch and the next ones as well.

> There is a comment on line 105 of this file:
> # Vagrant needs a base user. We either inject the well-known SSH key
> # or use password authentication. Both are ugly. So we'll use a password
> # and make it random. This obviously is insecure...but at least its
> # better than the alternatives.
>
> This is no longer true now that we are adding the well-known SSH key.

Good point! Fixed.

1502. By Chris Glass

Remove ubuntu user customisations.

Let's just do the absolute minimum here, the default is what people expect.

Revision history for this message
Chris Glass (tribaal) wrote :

Updated the code again. I removed the build-time generation of a password for the ubuntu user altogether, along with password ssh connections.

Vagrant replaces the found insecure key with a per-instance key at "up" time, allowing vagrant users to login securely, while users of this image as a "local cloud image" will have a working use-case as well.

Revision history for this message
Chris Glass (tribaal) wrote :

Francis,

I removed the setting of a hard-coded ubuntu password from this entirely, leaving using/setting the ubuntu user as an exercise for the end-user's cloud-init (or other provisioning method).

Vagrant users on the other hand can login automagically with "vagrant ssh".

Revision history for this message
Francis Ginther (fginther) wrote :

Thanks for solving the 'how is this restricted to artful' question over IRC. While testing, I found one file ownership problem, otherwise, this looks good.

review: Needs Fixing
1503. By Chris Glass

Fix file permission problem - the authorized_keys file was still owned by root since the chown call came before its creation.

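As an added example (not code from livecd-rootfs or from this merge proposal), the following audit script checks a built root tree for the state the hook is meant to produce: the sudoers drop-in and its 0440 mode, the .ssh directory mode, the insecure key in authorized_keys and its ownership compared against the image's own /etc/passwd (the root-owned file fixed in revision 1503), and whether sshd in the image would accept the vagrant password at all, which the earlier comment about dropping password SSH connections leaves to the image default. The rootfs path, the fixture builder, the placeholder key text and the sshd_config parsing rules (first value wins, no Match blocks) are assumptions made for the demonstration; it needs GNU stat and runs without root.

```shell
#!/bin/sh
# Added example, not part of livecd-rootfs: audit a built root filesystem tree
# for the vagrant-user state the 042-vagrant.binary hook is meant to produce.
# Assumptions: GNU coreutils (stat -c), the paths the hook writes, and a
# sshd_config without Match blocks. The argument is a hypothetical path to
# the mounted image root.

VAGRANT_KEY_COMMENT="vagrant insecure public key"

# sshd takes the FIRST value it sees for a keyword and defaults
# PasswordAuthentication to "yes" when the keyword is absent (or the file is
# missing). Comment lines are skipped; parsing stops at the first Match block.
effective_password_auth() {
    _val=$(awk '
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" { print tolower($2); exit }
    ' "$1" 2>/dev/null)
    echo "${_val:-yes}"
}

mode_of() { stat -c '%a' "$1"; }

# uid of a user inside the IMAGE's passwd file, not the host's.
image_uid() { awk -F: -v u="$2" '$1 == u { print $3 }' "$1/etc/passwd" 2>/dev/null; }

# Prints one line per finding; returns 0 when the tree matches the hook's intent.
audit_vagrant_box() {
    _root=$1; _rc=0
    _sudoers="$_root/etc/sudoers.d/vagrant"
    _sshdir="$_root/home/vagrant/.ssh"
    _keys="$_sshdir/authorized_keys"

    if [ ! -f "$_sudoers" ]; then
        echo "missing $_sudoers"; _rc=1
    elif [ "$(mode_of "$_sudoers")" != 440 ]; then
        echo "sudoers mode $(mode_of "$_sudoers"), want 440"; _rc=1
    elif ! grep -q '^vagrant ALL=(ALL) NOPASSWD:ALL$' "$_sudoers"; then
        echo "unexpected sudoers content"; _rc=1
    fi

    if [ ! -d "$_sshdir" ]; then
        echo "missing $_sshdir"; _rc=1
    elif [ "$(mode_of "$_sshdir")" != 700 ]; then
        echo ".ssh mode $(mode_of "$_sshdir"), want 700"; _rc=1
    fi

    if [ ! -f "$_keys" ]; then
        echo "missing $_keys"; _rc=1
    elif ! grep -q "$VAGRANT_KEY_COMMENT" "$_keys"; then
        echo "insecure vagrant key not installed (vagrant ssh will fail)"; _rc=1
    else
        # The review found authorized_keys left owned by root because chown ran
        # before the file existed; compare against the image's own uid.
        _want=$(image_uid "$_root" vagrant)
        _have=$(stat -c '%u' "$_keys")
        if [ -n "$_want" ] && [ "$_have" != "$_want" ]; then
            echo "authorized_keys owned by uid $_have, want $_want"; _rc=1
        fi
    fi

    if [ "$(effective_password_auth "$_root/etc/ssh/sshd_config")" = yes ]; then
        echo "note: password SSH auth is enabled, so vagrant:vagrant is usable over the network"
    fi
    return $_rc
}

# Constructed fixture mirroring what the hook writes (no chroot or root needed).
make_fixture() {
    _r=$1
    mkdir -p "$_r/etc/sudoers.d" "$_r/etc/ssh" "$_r/home/vagrant/.ssh"
    printf 'vagrant:x:%s:%s::/home/vagrant:/bin/bash\n' "$(id -u)" "$(id -g)" > "$_r/etc/passwd"
    printf 'vagrant ALL=(ALL) NOPASSWD:ALL\n' > "$_r/etc/sudoers.d/vagrant"
    chmod 0440 "$_r/etc/sudoers.d/vagrant"
    printf 'ssh-rsa CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY %s\n' "$VAGRANT_KEY_COMMENT" \
        > "$_r/home/vagrant/.ssh/authorized_keys"
    chmod 0700 "$_r/home/vagrant/.ssh"
    printf '# PasswordAuthentication yes\nPasswordAuthentication no\n' > "$_r/etc/ssh/sshd_config"
}

if [ $# -gt 0 ]; then
    audit_vagrant_box "$1"
fi
```

Run it as `sh audit.sh /path/to/mounted/rootfs` after the hook has populated the image; the fixture function only exists so the checks can be exercised on a constructed tree. The ownership check deliberately compares numeric uids from the image's passwd rather than `stat -c %U`, because name resolution on the host says nothing about who "vagrant" is inside the box.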
Revision history for this message
Chris Glass (tribaal) wrote :

All comments should be fixed.

Thanks for the catch!

Revision history for this message
Francis Ginther (fginther) wrote :

Cool, thanks!

review: Approve
1504. By Chris Glass

Fixed review comments by Adam.

- use adduser instead of useradd.

1505. By Chris Glass

Make sure the .ssh directory has the right permissions.

Revision history for this message
Adam Conrad (adconrad) wrote :

LGTM after the live review this morning. Will merge shortly. Please remember to follow-up with the discussed MOTD snippet.

review: Approve

Preview Diff

1=== modified file 'live-build/ubuntu-cpc/hooks/042-vagrant.binary'
2--- live-build/ubuntu-cpc/hooks/042-vagrant.binary 2017-06-14 16:25:11 +0000
3+++ live-build/ubuntu-cpc/hooks/042-vagrant.binary 2017-09-01 16:26:23 +0000
4@@ -67,6 +67,29 @@
5 # avoid pulling into a cloud image.
6 chroot ${mount_d} apt-get install --no-install-recommends -y virtualbox-guest-utils
7 chroot ${mount_d} apt-get clean
8+
9+# Create and setup users inside the image.
10+# Vagrant users expect a "vagrant" user with a "vagrant" username.
11+# See https://www.vagrantup.com/docs/boxes/base.html
12+# Note: We decided NOT to allow root login with a default password.
13+chroot ${mount_d} adduser vagrant
14+echo "vagrant:vagrant" | chroot ${mount_d} chpasswd
15+
16+# The vagrant user should have passwordless sudo.
17+cat << EOF > ${mount_d}/etc/sudoers.d/vagrant
18+vagrant ALL=(ALL) NOPASSWD:ALL
19+EOF
20+
21+# Add the insecure vagrant pubkey to the vagrant user, as is expected by the
22+# vagrant ecosystem (https://www.vagrantup.com/docs/boxes/base.html)
23+chroot ${mount_d} chmod 0440 /etc/sudoers.d/vagrant
24+chroot ${mount_d} mkdir -p /home/vagrant/.ssh
25+cat << EOF > ${mount_d}/home/vagrant/.ssh/authorized_keys
26+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
27+EOF
28+chroot ${mount_d} chown -R vagrant:vagrant /home/vagrant/.ssh
29+chroot ${mount_d} chmod 700 /home/vagrant/.ssh
30+
31 umount_disk_image "$mount_d"
32 rmdir "$mount_d"
33
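Review bot: `chroot ${mount_d} adduser vagrant` at the top of the new block runs adduser interactively; Debian's adduser prompts for the GECOS fields and then calls passwd unless told otherwise, so in a non-interactive image build it may hang waiting on stdin or fail. Since the next line sets the password with chpasswd anyway, use `adduser --disabled-password --gecos "" vagrant`. Two smaller points in the same block: the comment "Add the insecure vagrant pubkey to the vagrant user" sits above `chmod 0440 /etc/sudoers.d/vagrant`, which belongs with the sudoers heredoc two lines up; and `chmod 700 /home/vagrant/.ssh` applies only to the directory, so authorized_keys keeps whatever mode the build umask gave it, which sshd accepts but an explicit `chmod 600` would pin down. Finally, because "vagrant:vagrant" is a deliberately known password, whether it is usable over SSH depends entirely on the image's shipped sshd_config once the later hunk drops `ssh_pwauth: True` from the cloud-config; the comment block should state which behaviour is intended.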
34@@ -80,12 +103,6 @@
35 vmdk_f="${box_d}/${prefix}.vmdk"
36 create_vmdk ${derivative_img} ${vmdk_f}
37
38-# Vagrant needs a base user. We either inject the well-known SSH key
39-# or use password authentication. Both are ugly. So we'll use a password
40-# and make it random. This obviously is insecure...but at least its
41-# better than the alternatives.
42-ubuntu_user_pass=$(openssl rand -hex 12)
43-
44 ####################################
45 # Create the ConfigDrive
46 # This is a cloud-init piece that instructs cloud-init to configure
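Review bot: dropping `ubuntu_user_pass` here is only consistent because the two later hunks also remove its uses in the cloud-config user-data and the Vagrantfile; the hook's shell options are not visible in this diff, and if it runs under `set -u` any remaining `${ubuntu_user_pass}` reference elsewhere in the file would now abort the build, so a grep before landing is cheap insurance. The deleted comment was also the only place the file explained its user model; with the ubuntu account now having neither a password nor a key, a one-line note that it is left for cloud-init to configure would keep that knowledge in the hook.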
47@@ -98,9 +115,6 @@
48 # except via local host.
49 cat > ${seed_d}/user-data <<END
50 #cloud-config
51-password: ${ubuntu_user_pass}
52-chpasswd: { expire: False }
53-ssh_pwauth: True
54 manage_etc_hosts: localhost
55 END
56
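Review bot: removing `ssh_pwauth: True` here is a behaviour change, not just cleanup: cloud-init only rewrites PasswordAuthentication in sshd_config when `ssh_pwauth` is set, so after this hunk the shipped sshd_config decides whether the vagrant:vagrant password from the first hunk works over SSH. If the intent is key-only access (the `vagrant ssh` transcript above authenticates with the private key), set `ssh_pwauth: False` explicitly rather than relying on the image default; if password login is meant to keep working for the "local cloud image" use-case, say so in the comment above the heredoc.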
57@@ -141,8 +155,6 @@
58
59 Vagrant.configure("2") do |config|
60 config.vm.base_mac = "${macaddr}"
61- config.ssh.username = "ubuntu"
62- config.ssh.password = "${ubuntu_user_pass}"
63
64 config.vm.provider "virtualbox" do |vb|
65 vb.customize [ "modifyvm", :id, "--uart1", "0x3F8", "4" ]
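Review bot: with `config.ssh.username` and `config.ssh.password` gone, the embedded Vagrantfile relies on Vagrant's defaults (username "vagrant" and the bundled insecure private key) to match the authorized_keys written in the first hunk. That works, as the transcript shows ("SSH username: vagrant", "SSH auth method: private key"), but it is now an implicit contract between two distant parts of the file; keeping `config.ssh.username = "vagrant"` or adding a one-line comment pointing at the user-setup block would make the dependency visible to whoever next edits either end.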
