Closed ubuntu-server-builder closed 1 year ago
Launchpad user Jeffrey Walton(noloader) wrote on 2021-04-05T05:06:18.843487+00:00
Launchpad attachments: /etc/iptables/rules.v4
Launchpad user Lucas Albuquerque Medeiros de Moura(lamoura) wrote on 2021-04-05T13:22:47.708036+00:00
Hello Jeffrey and thanks for this bug report. Could you please run on the machine:
cloud-init collect-logs
and attach the generated tarball to this bug? I think this is a valid request, but additional logs/context will help us confirm the hypothesis here. Thanks!
Launchpad user Launchpad Janitor(janitor) wrote on 2021-06-05T04:17:17.549917+00:00
[Expired for cloud-init because there has been no activity for 60 days.]
Launchpad user Jeffrey Walton(noloader) wrote on 2021-06-05T05:10:13.951209+00:00
Closing the report is unfortunate. It would have been nice to get the requirements documented.
Launchpad user James Falcon(falcojr) wrote on 2021-06-07T13:53:54.211591+00:00
The ports necessary are going to be dependent on the datasource and configuration you're using. Clouds that use an instance metadata service (IMDS) will require port 80 (though that is also sometimes configurable), but datasources that don't use an IMDS won't require it. If you don't have a static network configuration, then you'll likely need DHCP, otherwise no. If you're using SSH, then port 22, otherwise no.
On an LXD instance (which has no IMDS and allows me entry without SSH), I can run cloud-init with no problems having all ports blocked.
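An added example (not from the thread or from cloud-init itself) that turns the comment above into a check: it parses a rules.v4-style INPUT chain and reports the verdict for each inbound flow named there (IMDS reply on TCP from port 80, DHCP client exchange on UDP 68, SSH on TCP 22). Both rulesets are constructed, and the leading conntrack accept in the second one is this example's hypothesis about the reporter's delay, not a diagnosis from the thread.

```python
import shlex

# Constructed ruleset in the shape the reporter describes (not the attached file): the listed
# service ports are open, but nothing admits replies to connections the VM itself opens.
RULES_AS_DESCRIBED = """\
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 68 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""
# The same ruleset with a stateful accept in front (a hypothetical fix assumed by this example).
RULES_STATEFUL = RULES_AS_DESCRIBED.replace("-A INPUT -p tcp --dport 22",
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n-A INPUT -p tcp --dport 22")
# Inbound flows from the comment above: (protocol, source port, destination port, conntrack state).
FLOWS = {
    "imds_reply": ("tcp", "80", "49152", "ESTABLISHED"),  # answer to the VM's own HTTP request
    "dhcp_offer": ("udp", "67", "68", "NEW"),
    "ssh": ("tcp", "51000", "22", "NEW"),
}

def parse_input_chain(text):
    """Return (policy, rules); each rule is a dict of the match criteria this audit understands."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == [":INPUT"]: policy = tok[1]
        if tok[:2] != ["-A", "INPUT"]: continue
        r, i = {}, 2
        while i < len(tok):
            opt = tok[i]
            arg = tok[i + 1] if i + 1 < len(tok) and not tok[i + 1].startswith("-") else None
            if opt == "-p": r["proto"] = arg
            elif opt in ("--dport", "--sport"): r[opt[2:]] = arg
            elif opt == "--ctstate": r["ctstate"] = set(arg.split(","))
            elif opt == "-j": r["target"] = arg
            i += 2 if arg is not None else 1  # -m conntrack, -i eth0, --syn etc. don't affect ports
        rules.append(r)
    return policy, rules

def matches(r, proto, sport, dport, state):
    return (r.get("proto", proto) == proto and r.get("sport", sport) == sport
            and r.get("dport", dport) == dport and state in r.get("ctstate", {state}))

def audit(text):
    """Verdict per flow: the target of the first INPUT rule matching it, else the chain policy."""
    policy, rules = parse_input_chain(text)
    return {name: next((r["target"] for r in rules if matches(r, *flow)), policy)
            for name, flow in FLOWS.items()}
```

Run against the first ruleset, the IMDS reply is the only flow that reaches the final DROP; the stateful variant admits it while still rejecting unsolicited new connections to ports that are not listed.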
This bug was originally filed in Launchpad as LP: #1922530
Launchpad details
Launchpad user Jeffrey Walton(noloader) wrote on 2021-04-05T05:06:18.843487+00:00
Hi Everyone,
We are renting an Ubuntu 20 VM from IONOS. The VM is a webserver with LAMP stack and a wiki. The machine has an external IPv4 address, but no external IPv6 address. There's not much to it.
I'm trying to clamp the machine down using iptables. The initial iptables was empty. I added some INPUT chain rules to allow SSH (22), DHCP (68), HTTP (80), and HTTPS (443). The machine booted fine.
When I added a DROP rule at the end, the machine took about 2 minutes to boot. After the 2-minute delay the machine was fine.
Most of the time during the long boot was spent in cloud-init.service.
iptables rule that causes the 2-minute boot:
$ tail -n 3 /etc/iptables/rules.v4
-A INPUT -j DROP
COMMIT
$ systemd-analyze critical-chain
The time when unit became active or started is printed after the "@" character. The time the unit took to start is printed after the "+" character.
graphical.target @2min 9.162s
└─multi-user.target @2min 9.162s
  └─apache2.service @2min 2.715s +6.446s
    └─basic.target @2min 2.704s
      └─sockets.target @2min 2.703s
        └─uuidd.socket @2min 2.702s
          └─sysinit.target @2min 2.686s
            └─cloud-init.service @11.358s +1min 51.325s
              └─networking.service @6.079s +5.275s
                └─network-pre.target @6.071s
                  └─cloud-init-local.service @3.401s +2.668s
                    └─open-vm-tools.service @3.391s
                      └─vgauth.service @3.376s
                        └─systemd-tmpfiles-setup.service @3.214s +88ms
                          └─local-fs.target @3.141s
                            └─boot.mount @3.099s +41ms
                              └─systemd-fsck@dev-disk-by\x2duuid-0905f2a6\x2d8b>
                                └─dev-disk-by\x2duuid-0905f2a6\x2d8b1e\x2d438d>
I assume cloud-init needs to listen for something since adding the DROP affects the boot time.
I went to look up the port numbers used by cloud-init, but I could not find them. The docs I found are at https://cloudinit.readthedocs.io/en/latest/.
My request is, please document the ports needed by cloud-init.