** Description changed: [Impact] Since Jammy, desktop metapackages have gained a Recommends: cloud-init, which means that cloud-init will be installed on upgrades to Noble. On the first boot following the upgrade, cloud-init will run because as far as cloud-init can detect, this is the first boot. However, this is wrong, and we do not want cloud-init to run after the upgrade. One practical impact of this is that by default, cloud-init creates user `ubuntu` with `lock_passwd: true`. If the upgraded machine already has a user `ubuntu`, they will be locked out. [Test Plan] The proposed patch is for ubuntu-release-upgrader to disable cloud-init if it is being installed for the first time during the upgrade. This is done by creating /etc/cloud/cloud-init.disabled. Test #1: This test must be done on 22.04 desktop where cloud-init is not installed. 1. Confirm that cloud-init is not installed $ apt policy cloud-init 2. Do an upgrade $ do-release-upgrade -d 3. After the upgrade, confirm that /etc/cloud/cloud-init.disabled was created by ubuntu-release-upgrader $ cat /etc/cloud/cloud-init.disabled 4. Reboot, and confirm that cloud-init does not run - $ systemctl status cloud-init.service - - It should be skipped because the ConditionPathExists=!/etc/cloud/cloud- - init.disabled is not satisfied. + $ systemctl status cloud-init.target + $ cat /run/cloud-init/ds-identify.log Test #2: This test must be done on 22.04 server where cloud-init is installed. A LXD container works. 1. Confirm that cloud-init is installed: $ apt policy cloud-init 2. Do an upgrade $ do-release-upgrade -d 3. After the upgrade, confirm that cloud-init was not disabled by ubuntu-release-upgrader $ stat /etc/cloud/cloud-init.disabled [Where problems could occur] It is important that the correct file is created to correctly disable cloud-init. Regressions would be related to whether or not this file is created in the correct circumstances. [Original Description] After performing an upgrade, and then rebooting, I am no longer able to login with my user "ubuntu". I get an authentication failure with both the graphical login screen, and when attempting to login on a non- graphical tty. Dropping to a rescue shell, I can see this in the logs: root@xubuntu:~# journalctl -b --grep pam Aug 02 11:52:45 xubuntu systemd[1]: systemd 255.4-1ubuntu8.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OP> Aug 02 11:53:00 xubuntu lightdm[1422]: pam_unix(lightdm-greeter:session): session opened for user lightdm(uid=115) by (uid=0) Aug 02 11:53:00 xubuntu (systemd)[1472]: pam_unix(systemd-user:session): session opened for user lightdm(uid=115) by lightdm(uid=0) Aug 02 11:53:00 xubuntu lightdm[1422]: gkr-pam: couldn't unlock the login keyring. Aug 02 11:53:01 xubuntu lightdm[1584]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ubuntu" Aug 02 11:53:40 xubuntu lightdm[1584]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=ubuntu Aug 02 11:53:42 xubuntu lightdm[1604]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ubuntu" Aug 02 11:53:49 xubuntu lightdm[1604]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=ubuntu Aug 02 11:53:51 xubuntu lightdm[1605]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ubuntu" Aug 02 11:53:58 xubuntu lightdm[1607]: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "root" Aug 02 11:53:59 xubuntu lightdm[1607]: gkr-pam: unable to locate daemon control file Aug 02 11:53:59 xubuntu lightdm[1607]: gkr-pam: stashed password to try later in open session Aug 02 11:53:59 xubuntu lightdm[1422]: pam_unix(lightdm-greeter:session): session closed for user lightdm Aug 02 11:53:59 xubuntu lightdm[1607]: pam_unix(lightdm:session): session opened for user root(uid=0) by (uid=0) Aug 02 11:54:00 xubuntu (systemd)[1614]: pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0) Aug 02 11:54:00 xubuntu lightdm[1607]: gkr-pam: unlocked login keyring Aug 02 11:54:10 xubuntu (sd-pam)[1473]: pam_unix(systemd-user:session): session closed for user lightdm Aug 02 11:55:01 xubuntu CRON[2417]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0) Aug 02 11:55:01 xubuntu CRON[2417]: pam_unix(cron:session): session closed for user root Other notes: (1) During the upgrade, the screen saver was disabled. I know this has been a bug in the past, but I do not believe it is the cause here. (2) A work around for this is to drop into a rescue shell, and from root, run e.g. `passwd ubuntu` to reset the user's password. ProblemType: Bug DistroRelease: Ubuntu 24.04 Package: libpam-modules 1.5.3-5ubuntu5.1 ProcVersionSignature: Ubuntu 6.8.0-39.39-generic 6.8.8 Uname: Linux 6.8.0-39-generic x86_64 ApportVersion: 2.28.1-0ubuntu3 Architecture: amd64 CasperMD5CheckResult: pass CloudArchitecture: x86_64 CloudID: none CloudName: none CloudPlatform: none CloudSubPlatform: config CurrentDesktop: XFCE Date: Fri Aug 2 11:55:51 2024 InstallationDate: Installed on 2024-07-30 (3 days ago) InstallationMedia: Xubuntu 22.04.4 LTS "Jammy Jellyfish" - Release amd64 (20240216.1) ProcEnviron: LANG=en_US.UTF-8 PATH=(custom, no user) SHELL=/bin/bash TERM=xterm-256color XDG_RUNTIME_DIR=<set> SourcePackage: pam UpgradeStatus: Upgraded to noble on 2024-08-02 (0 days ago) mtime.conffile..etc.init.d.apport: 2024-04-23T07:30:10
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2075968 Title: cloud-init locks out user `ubuntu` after upgrade from 22.04 to 24.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/2075968/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
