fix bug preventing public_keys from being imported for to-be-created users

If a user hadn't been created in the image, when the public_key was to be injected by cc_ssh into the user's account, it didn't exist yet. This moves the population of the authorized_keys from the metadata service into user_groups, and puts that before cc_ssh runs. moving before cc_ssh means that when ssh comes up, the users will be ready. ssh-import-id then handles any ssh-import-id users after networking is up. LP: #1042459
author: Scott Moser <smoser@ubuntu.com> 2012-08-27 20:17:33 -0400
committer: Scott Moser <smoser@ubuntu.com> 2012-08-27 20:17:33 -0400
commit: e0179ea4ba8f7024d9ce4e74c48f5ed95cd17167 (patch)
tree: a10bb1d3576df6796e47472acb1f9cf22231d76e
parent: b81d5ed43e7ebed1d11d4b4109e22e9954316d4c (diff)
parent: e57e4524133c819a65730060c515b048fcb09c2f (diff)
download: vyos-cloud-init-e0179ea4ba8f7024d9ce4e74c48f5ed95cd17167.tar.gz
vyos-cloud-init-e0179ea4ba8f7024d9ce4e74c48f5ed95cd17167.zip
4 files changed, 132 insertions, 34 deletions
diff --git a/cloudinit/config/cc_ssh_import_id.py b/cloudinit/config/cc_ssh_import_id.py
index cd97b99b..1625c8e0 100644
--- a/cloudinit/config/cc_ssh_import_id.py
+++ b/cloudinit/config/cc_ssh_import_id.py
@@ -19,42 +19,68 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from cloudinit import util
+import pwd
 
 # The ssh-import-id only seems to exist on ubuntu (for now)
 # https://launchpad.net/ssh-import-id
 distros = ['ubuntu']
 
 
-def handle(name, cfg, cloud, log, args):
+def handle(_name, cfg, cloud, log, args):
+
+    # import for "user: XXXXX"
     if len(args) != 0:
         user = args[0]
         ids = []
         if len(args) > 1:
             ids = args[1:]
-    else:
-        user = cloud.distro.get_default_user()
 
-        if 'users' in cfg:
-            user_zero = cfg['users'].keys()[0]
+        import_ssh_ids(ids, user, log)
+        return
+
+    # import for cloudinit created users
+    elist = []
+    for user in cfg['users'].keys():
+        if user == "default":
+            user = cloud.distro.get_default_user()
+            if not user:
+                continue
+            import_ids = util.get_cfg_option_list(cfg, "ssh_import_id", [])
+        else:
+            if not isinstance(cfg['users'][user], dict):
+                log.debug("cfg['users'][%s] not a dict, skipping ssh_import",
+                          user)
+            import_ids = util.get_cfg_option_list(cfg['users'][user],
+                                                  "ssh_import_id", [])
 
-            if user_zero != "default":
-                user = user_zero
+        if not len(import_ids):
+            continue
 
-        ids = util.get_cfg_option_list(cfg, "ssh_import_id", [])
+        try:
+            import_ssh_ids(ids, user, log)
+        except Exception as exc:
+            util.logexc(exc, "ssh-import-id failed for: %s %s" % (user, ids))
+            elist.append(exc)
 
-    if len(ids) == 0:
-        log.debug("Skipping module named %s, no ids found to import", name)
-        return
+    if len(elist):
+        raise elist[0]
 
-    if not user:
-        log.debug("Skipping module named %s, no user found to import", name)
+
+def import_ssh_ids(ids, user, log):
+    if not (user and ids):
+        log.debug("empty user(%s) or ids(%s). not importing", user, ids)
         return
 
+    try:
+        _check = pwd.getpwnam(user)
+    except KeyError as exc:
+        raise exc
+
     cmd = ["sudo", "-Hu", user, "ssh-import-id"] + ids
     log.debug("Importing ssh ids for user %s.", user)
 
     try:
         util.subp(cmd, capture=False)
-    except util.ProcessExecutionError as e:
+    except util.ProcessExecutionError as exc:
         util.logexc(log, "Failed to run command to import %s ssh ids", user)
-        raise e
+        raise exc
diff --git a/cloudinit/distros/ubuntu.py b/cloudinit/distros/ubuntu.py
index 4b3f8572..cb93f971 100644
--- a/cloudinit/distros/ubuntu.py
+++ b/cloudinit/distros/ubuntu.py
@@ -32,21 +32,3 @@ class Distro(debian.Distro):
 
     distro_name = 'ubuntu'
     default_user = 'ubuntu'
-
-    def create_user(self, name, **kargs):
-
-        if not super(Distro, self).create_user(name, **kargs):
-            return False
-
-        if 'sshimportid' in kargs:
-            cmd = ["sudo", "-Hu", name, "ssh-import-id"] + kargs['sshimportid']
-            LOG.debug("Importing ssh ids for user %s, post user creation."
-                        % name)
-
-            try:
-                util.subp(cmd, capture=True)
-            except util.ProcessExecutionError as e:
-                util.logexc(LOG, "Failed to import %s ssh ids", name)
-                raise e
-
-        return True
diff --git a/config/cloud.cfg b/config/cloud.cfg
index 2744c940..9c475251 100644
--- a/config/cloud.cfg
+++ b/config/cloud.cfg
@@ -29,6 +29,7 @@ cloud_init_modules:
  - update_etc_hosts
  - ca-certs
  - rsyslog
+ - users-groups
  - ssh
 
 # The modules that run in the 'config' stage
@@ -37,7 +38,6 @@ cloud_config_modules:
 # this can be used by upstart jobs for 'start on cloud-config'.
  - emit_upstart
  - mounts
- - users-groups
  - ssh-import-id
  - locale
  - set-passwords
diff --git a/doc/examples/cloud-config.txt b/doc/examples/cloud-config.txt
index 56a6c35a..9d073db5 100644
--- a/doc/examples/cloud-config.txt
+++ b/doc/examples/cloud-config.txt
@@ -167,6 +167,96 @@ mounts:
 # complete.  This must be an array, and must have 7 fields.
 mount_default_fields: [ None, None, "auto", "defaults,nobootwait", "0", "2" ]
 
+# add groups to the system
+# The following example adds the ubuntu group with members foo and bar and
+# the group cloud-users.
+groups:
+  ubuntu: [foo,bar]
+  cloud-users
+
+# add users to the system. Users are added after groups are added.
+users:
+  foobar:
+    gecos: Foo B. Bar
+    primary-group: foobar
+    groups: users
+    expiredate: 2012-09-01
+    ssh-import-id: foobar
+    lock-passwd: false
+    passwd: $6$j212wezy$7H/1LT4f9/N3wpgNunhsIqtMj62OKiS3nyNwuizouQc3u7MbYCarYeAHWYPYb2FT.lbioDm2RrkJPb9BZMN1O/
+  barfoo:
+    gecos: Bar B. Foo
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    groups: users, admin
+    ssh-import-id: None
+    lock-passwd: true
+    ssh-authorized-keys:
+      - <ssh pub key 1>
+      - <ssh pub key 2>
+  cloudy:
+    gecos: Magic Cloud App Daemon User
+    inactive: true
+    system: true
+
+# Valid Values:
+#   gecos: The user name's real name, i.e. "Bob B. Smith"
+#   homedir: Optional. Set to the local path you want to use. Defaults to
+#           /home/<username>
+#   primary-group: define the primary group. Defaults to a new group created
+#           named after the user.
+#   groups:  Optional. Additional groups to add the user to. Defaults to none
+#   lock-passwd: Defaults to true. Lock the password to disable password login
+#   inactive: Create the user as inactive
+#   passwd: The hash -- not the password itself -- of the password you want
+#           to use for this user. You can generate a safe hash via:
+#               mkpasswd -m SHA-512 -s 4096
+#           (the above command would create a password SHA512 password hash
+#           with 4096 salt rounds)
+#
+#           Please note: while the use of a hashed password is better than
+#               plain text, the use of this feature is not ideal. Also,
+#               using a high number of salting rounds will help, but it should
+#               not be relied upon.
+#
+#               To highlight this risk, running John the Ripper against the
+#               example hash above, with a readily available wordlist, revealed
+#               the true password in 12 seconds on a i7-2620QM.
+#
+#               In other words, this feature is a potential security risk and is
+#               provided for your convenience only. If you do not fully trust the
+#               medium over which your cloud-config will be transmitted, then you
+#               should use SSH authentication only.
+#
+#               You have thus been warned.
+#
+#   no-create-home: When set to true, do not create home directory.
+#   no-user-group: When set to true, do not create a group named after the user.
+#   no-log-init: When set to true, do not initialize lastlog and faillog database.
+#   ssh-import-id: Optional. Import SSH ids
+#   ssh-authorized-key: Optional. Add key to user's ssh authorized keys file
+#   sudo: Defaults to none. Set to the sudo string you want to use, i.e.
+#           ALL=(ALL) NOPASSWD:ALL. To add multiple rules, use the following
+#           format.
+               sudo:
+                   - ALL=(ALL) NOPASSWD:/bin/mysql
+                   - ALL=(ALL) ALL
+#           Note: Please double check your syntax and make sure it is valid.
+#               cloud-init does not parse/check the syntax of the sudo
+#               directive.
+#   system: Create the user as a system user. This means no home directory.
+#
+# Default user creation: Ubuntu Only
+# Unless you define users, you will get a Ubuntu user on Ubuntu systems with the
+# legacy permission (no password sudo, locked user, etc). If however, you want
+# to have the ubuntu user in addition to other users, you need to instruct
+# cloud-init that you also want the default user. To do this use the following
+# syntax:
+users:
+  default: True
+  foobar: ...
+#
+# users[0] (the first user in users) overrides the user directive.
+
 # add each entry to ~/.ssh/authorized_keys for the configured user or the
 # first user defined in the user definition directive.
 ssh_authorized_keys:
author	Scott Moser <smoser@ubuntu.com>	2012-08-27 20:17:33 -0400
committer	Scott Moser <smoser@ubuntu.com>	2012-08-27 20:17:33 -0400
commit	e0179ea4ba8f7024d9ce4e74c48f5ed95cd17167 (patch)
tree	a10bb1d3576df6796e47472acb1f9cf22231d76e
parent	b81d5ed43e7ebed1d11d4b4109e22e9954316d4c (diff)
parent	e57e4524133c819a65730060c515b048fcb09c2f (diff)
download	vyos-cloud-init-e0179ea4ba8f7024d9ce4e74c48f5ed95cd17167.tar.gz vyos-cloud-init-e0179ea4ba8f7024d9ce4e74c48f5ed95cd17167.zip