[Bug 2075968] Re: cloud-init locks out user `ubuntu` after upgrade from 22.04 to 24.04

Łukasz Zemczak 2075968 at bugs.launchpad.net
Thu Aug 22 08:22:17 UTC 2024 

Hello Nick, or anyone else affected,

Accepted ubuntu-release-upgrader into noble-proposed. The package will
build now and be available at
https://launchpad.net/ubuntu/+source/ubuntu-release-upgrader/1:24.04.22
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
noble to verification-done-noble. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-noble. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Tags removed: verification-done verification-done-noble
** Tags added: verification-needed verification-needed-noble

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/2075968

Title:
  cloud-init locks out user `ubuntu` after upgrade from 22.04 to 24.04

Status in cloud-init package in Ubuntu:
  New
Status in ubuntu-release-upgrader package in Ubuntu:
  Invalid
Status in cloud-init source package in Noble:
  New
Status in ubuntu-release-upgrader source package in Noble:
  Fix Committed

Bug description:
  [Impact]

  Since Jammy, desktop metapackages have gained a Recommends: cloud-
  init, which means that cloud-init will be installed on upgrades to
  Noble. On the first boot following the upgrade, cloud-init will run
  because as far as cloud-init can detect, this is the first boot.
  However, this is wrong, and we do not want cloud-init to run after the
  upgrade.

  One practical impact of this is that by default, cloud-init creates
  user `ubuntu` with `lock_passwd: true`. If the upgraded machine
  already has a user `ubuntu`, they will be locked out.

  [Test Plan]

  The proposed patch is for ubuntu-release-upgrader to disable cloud-
  init if it is being installed for the first time during the upgrade.
  This is done by creating /etc/cloud/cloud-init.disabled.

  Test #1:

  This test must be done on 22.04 desktop where cloud-init is not
  installed.

  1. Confirm that cloud-init is not installed

  $ apt policy cloud-init

  2. Do an upgrade

  $ do-release-upgrade -d

  3. After the upgrade, confirm that /etc/cloud/cloud-init.disabled was
  created by ubuntu-release-upgrader

  $ cat /etc/cloud/cloud-init.disabled

  4. Reboot, and confirm that cloud-init does not run

  $ systemctl status cloud-init.target
  $ cat /run/cloud-init/ds-identify.log

  Test #2:

  This test must be done on 22.04 server where cloud-init is installed.
  A LXD container works.

  1. Confirm that cloud-init is installed:

  $ apt policy cloud-init

  2. Do an upgrade

  $ do-release-upgrade -d

  3. After the upgrade, confirm that cloud-init was not disabled by
  ubuntu-release-upgrader

  $ stat /etc/cloud/cloud-init.disabled

  [Where problems could occur]

  It is important that the correct file is created to correctly disable
  cloud-init. Regressions would be related to whether or not this file
  is created in the correct circumstances.

  [Original Description]

  After performing an upgrade, and then rebooting, I am no longer able
  to login with my user "ubuntu". I get an authentication failure with
  both the graphical login screen, and when attempting to login on a
  non-graphical tty.

  Dropping to a rescue shell, I can see this in the logs:

  root at xubuntu:~# journalctl -b --grep pam
  Aug 02 11:52:45 xubuntu systemd[1]: systemd 255.4-1ubuntu8.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OP>
  Aug 02 11:53:00 xubuntu lightdm[1422]: pam_unix(lightdm-greeter:session): session opened for user lightdm(uid=115) by (uid=0)
  Aug 02 11:53:00 xubuntu (systemd)[1472]: pam_unix(systemd-user:session): session opened for user lightdm(uid=115) by lightdm(uid=0)
  Aug 02 11:53:00 xubuntu lightdm[1422]: gkr-pam: couldn't unlock the login keyring.
  Aug 02 11:53:01 xubuntu lightdm[1584]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ubuntu"
  Aug 02 11:53:40 xubuntu lightdm[1584]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=ubuntu
  Aug 02 11:53:42 xubuntu lightdm[1604]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ubuntu"
  Aug 02 11:53:49 xubuntu lightdm[1604]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=ubuntu
  Aug 02 11:53:51 xubuntu lightdm[1605]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ubuntu"
  Aug 02 11:53:58 xubuntu lightdm[1607]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "root"
  Aug 02 11:53:59 xubuntu lightdm[1607]: gkr-pam: unable to locate daemon control file
  Aug 02 11:53:59 xubuntu lightdm[1607]: gkr-pam: stashed password to try later in open session
  Aug 02 11:53:59 xubuntu lightdm[1422]: pam_unix(lightdm-greeter:session): session closed for user lightdm
  Aug 02 11:53:59 xubuntu lightdm[1607]: pam_unix(lightdm:session): session opened for user root(uid=0) by (uid=0)
  Aug 02 11:54:00 xubuntu (systemd)[1614]: pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)
  Aug 02 11:54:00 xubuntu lightdm[1607]: gkr-pam: unlocked login keyring
  Aug 02 11:54:10 xubuntu (sd-pam)[1473]: pam_unix(systemd-user:session): session closed for user lightdm
  Aug 02 11:55:01 xubuntu CRON[2417]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
  Aug 02 11:55:01 xubuntu CRON[2417]: pam_unix(cron:session): session closed for user root

  Other notes:

  (1) During the upgrade, the screen saver was disabled. I know this has been a bug in the past, but I do not believe it is the cause here.
  (2) A work around for this is to drop into a rescue shell, and from root, run e.g. `passwd ubuntu` to reset the user's password.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: libpam-modules 1.5.3-5ubuntu5.1
  ProcVersionSignature: Ubuntu 6.8.0-39.39-generic 6.8.8
  Uname: Linux 6.8.0-39-generic x86_64
  ApportVersion: 2.28.1-0ubuntu3
  Architecture: amd64
  CasperMD5CheckResult: pass
  CloudArchitecture: x86_64
  CloudID: none
  CloudName: none
  CloudPlatform: none
  CloudSubPlatform: config
  CurrentDesktop: XFCE
  Date: Fri Aug  2 11:55:51 2024
  InstallationDate: Installed on 2024-07-30 (3 days ago)
  InstallationMedia: Xubuntu 22.04.4 LTS "Jammy Jellyfish" - Release amd64 (20240216.1)
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=<set>
  SourcePackage: pam
  UpgradeStatus: Upgraded to noble on 2024-08-02 (0 days ago)
  mtime.conffile..etc.init.d.apport: 2024-04-23T07:30:10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2075968/+subscriptions

More information about the foundations-bugs mailing list