lima-vm / lima

Linux virtual machines, with a focus on running containers

Home Page: https://lima-vm.io/

Old versions of cloud-init might end up with invalid sudoers

afbjorklund opened this issue · comments

Description

The instance won't come up, due to inserting duplicate entries and NUL bytes into sudoers...

[   15.374317] cloud-init[1950]: >>> /etc/sudoers.d/90-cloud-init-users: syntax error near line 8 <<<
[   15.375940] cloud-init[1950]: sudo: parse error in  near line 8
[   15.377178] cloud-init[1950]: sudo: no valid sudoers sources found, quitting
[   15.378069] cloud-init[1950]: sudo: unable to initialize policy plugin
/ # hexdump -C /tmp/sudoers.d/90-cloud-init-users 
00000000  23 20 43 72 65 61 74 65  64 20 62 79 20 63 6c 6f  |# Created by clo|
00000010  75 64 2d 69 6e 69 74 20  76 2e 20 32 31 2e 31 2d  |ud-init v. 21.1-|
00000020  31 39 2d 67 62 61 64 38  34 61 64 34 2d 30 75 62  |19-gbad84ad4-0ub|
00000030  75 6e 74 75 31 7e 31 36  2e 30 34 2e 32 20 6f 6e  |untu1~16.04.2 on|
00000040  20 57 65 64 2c 20 30 35  20 4a 75 6e 20 32 30 32  | Wed, 05 Jun 202|
00000050  34 20 30 37 3a 32 36 3a  33 31 20 2b 30 30 30 30  |4 07:26:31 +0000|
00000060  0a 0a 23 20 55 73 65 72  20 72 75 6c 65 73 20 66  |..# User rules f|
00000070  6f 72 20 61 6e 64 65 72  73 0a 61 6e 64 65 72 73  |or anders.anders|
00000080  20 41 4c 4c 3d 28 41 4c  4c 29 20 4e 4f 50 41 53  | ALL=(ALL) NOPAS|
00000090  53 57 44 3a 41 4c 4c 0a  0a 23 20 55 73 65 72 20  |SWD:ALL..# User |
000000a0  72 75 6c 65 73 20 66 6f  72 20 61 6e 64 65 72 73  |rules for anders|
000000b0  0a 61 6e 64 65 72 73 20  41 4c 4c 3d 28 41 4c 4c  |.anders ALL=(ALL|
000000c0  29 20 4e 4f 50 41 53 53  57 44 3a 41 4c 4c 0a 00  |) NOPASSWD:ALL..|
000000d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100  00 00 00 00 00 00 0a 23  20 55 73 65 72 20 72 75  |.......# User ru|
00000110  6c 65 73 20 66 6f 72 20  61 6e 64 65 72 73 0a 61  |les for anders.a|
00000120  6e 64 65 72 73 20 41 4c  4c 3d 28 41 4c 4c 29 20  |nders ALL=(ALL) |
00000130  4e 4f 50 41 53 53 57 44  3a 41 4c 4c 0a 0a 23 20  |NOPASSWD:ALL..# |
00000140  55 73 65 72 20 72 75 6c  65 73 20 66 6f 72 20 61  |User rules for a|
00000150  6e 64 65 72 73 0a 61 6e  64 65 72 73 20 41 4c 4c  |nders.anders ALL|
00000160  3d 28 41 4c 4c 29 20 4e  4f 50 41 53 53 57 44 3a  |=(ALL) NOPASSWD:|
00000170  41 4c 4c 0a                                       |ALL.|
00000174

This is not lima's fault, but maybe there could be some cleanup in the boot scripts to recover?

Since part of the start requires sudo.

The race condition corrupting the file is not mentioned separately, but was seen with Ubuntu 16.04.

What do you suggest, something like this:

# cloud-init may end up writing an invalid sudoers file?
# (path matches the file named in the cloud-init log above)
if [ -f /etc/sudoers.d/90-cloud-init-users ]; then
    # rewrite the fragment with a single rule; the user name is taken from
    # LIMA_CIDATA_USER (assumed to be exported by lima.env when the boot script runs)
    echo "${LIMA_CIDATA_USER} ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/90-cloud-init-users
    chmod 0440 /etc/sudoers.d/90-cloud-init-users
fi

And then have a comment in user-data that explains that the setting there is essentially ignored, and any changes must be duplicated in the boot script?

Personally I'm not too keen to put hacks like this into Lima unless it affects more recent OS releases as well. Not sure where to draw the line, but 16.04 seems very obsolete; I would think even 18.04 is borderline.

Couldn't this just be done in a system provisioning script in a template for the 16.04 instance? If it can't, then isn't it too late to do it in the boot scripts too, which run immediately before the provisioning scripts?

I think it was more of reports of various things that happened when we tried to install Kubernetes and friends from 8-10 years ago

Most of it has been fixed in newer releases... The workaround for this corruption was to use docker (since sudo was broken)